Handy Command and Articles to troubleshoot PSC and Certificate related query in vCenter

-

List of commands:

To find the PNID:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-pnid --server-name localhost
  • "C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli.exe" get-pnid --server-name localhost
Which PSC is my VC pointing to:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-ls-location --server-name localhost
  • C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-ls-location --server-name localhost
Get the site name where my PSC/VC is:

  • /usr/lib/vmware-vmafd/bin/vmafd-cli get-site-name --server-name localhost
  • C:\Program Files\VMware\vCenter Server\vmafdd\vmafd-cli get-site-name  --server-name localhost
SSO Domain name:

  • /etc/vmware/install-defaults/vmdir.domain-name
  • C:\ProgramData\VMware\vCenterServer\cfg\install-defaults\vmdir.domain-name

Certificate Manager Location:

  • Windows vCenter Server:  C:\Program Files\VMware\vCenter Server\vmcad\certificate-manager
  • vCenter Server Appliance:  /usr/lib/vmware-vmca/bin/certificate-manager

Location for the cert store:

  • /usr/lib/vmware-vmafd/bin à includes vecs-cli , dir-cli, vmafd-cli

Hard copy of the certificate available in:

  • /var/lib/vmware/vmca/root.cer
  • ProgramData\VMware\CIS\data\vmca\root.cer

To get the copy of the MACHINE_SSL_CERT and the KEY used :

  • /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/Machine_SSL.crt
  • /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output /var/tmp/Machine_SSL.key
  •  
Location for certificates that we most commonly use :

  1. STS certificate : etc/vmware-sso/keys/ssoserver.crt
  2. VMDIRD certificate : /usr/lib/vmware-vmdir/share/config/vmdircert.pem

Location for the certs in jexlorer:

     >>Trusted roots ====>ConfigurationàCertificate authority
     >>Lookup service ==>ConfigurationàSitesà”Site-name”àLookupserviceàService Registrations
    >>Solution users =====>Service Principals
    >>STS certs -->Services-->Identity manager-->Tenants-->vsphere.local-->TenanatCredential-1

To view the certificates using openssl command:

  • openssl x509 -in certificate.crt -noout -text | less
  • openssl s_client -connect “Server FQDN”:443
Eg: To get the machine SSL for vcsa1.gsslabs.org:
      openssl s_client -connect ORLpD1PSC-VIP.catmktg.com:443


Get the lstool output:



Different scenarios lstool is used:
  • To output vCenter's service ID only in a particular site:

à/usr/lib/vmidentity/tools/scripts/lstool.py list --url https://PSC.FQDN/lookupservice/sdk --site <site-name> --type vcenterserver --id-only


  • To export the inforation as spec file(text file):

         à/usr/lib/vmidentity/tools/scripts/lstool.py get --url https://PSC.FQDN/lookupservice/sdk --id      "vCenter's service-id" --as-spec > /tmp/vcenterserver.txt
  • How to edit the spec file and re-register back:

à/usr/lib/vmidentity/tools/scripts/lstool.py reregiter --url https://PSC.FQDN/lookupservice/sdk --id "vCenter's service-id --spec /tmp/vcenterserver.txt --user administrator@vsphere.local --password "VMware!"

  • Get the service ID associated with the NODE ID:
              /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --node "NODE ID of the PSC/VC" --id-only >/tmp/node.txt

     To get the node ID: /etc/vmware/install-defaults  -à vmdir.ldu-guid


  • Determining replication agreements and status with the Platform Services Controller 6.x 
                   https://kb.vmware.com/s/article/2127057

  • Manually reviewing certificates in VMware Endpoint Certificate Store

   https://kb.vmware.com/s/article/2111411

  • Updating SSL Trust Anchors (When there is a thumbprint mismatch )
                   https://kb.vmware.com/s/article/50112066

  • Removing expired certs from trusted roots:
            https://kb.vmware.com/s/article/2146011

  • Feature walkthrough for cert replacement:

     https://featurewalkthrough.vmware.com/t/vsphere-6-5/ssl-certificate-replacement-hybrid-mode/19

  • Obtaining vSphere certificates from a Microsoft Certificate Authority and creating templates for SSL cert creation
                    https://kb.vmware.com/s/article/2112014
                    https://kb.vmware.com/s/article/2112009

  • The steps for the certificate generation/replacement in the Load balancer environment:

      https://kb.vmware.com/s/article/2147627 

  • Generating the STS certificates:

   https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-497233EA-AEF9-464B-A9C3-CCAEEA90C801.html

  • Replacing the vmdird certificates :
                  https://docs.vmware.com/en/VMware-vSphere/6.0/com.vmware.vsphere.security.doc/GUID-585CF428-2BBC-47CE-A386-9A39D3DFE0BF.html

  • Removing the Service ID :
                https://kb.vmware.com/s/article/2050273 

  • Using the cmsso command to unregister vCenter Server from Single Sign-On :

  https://kb.vmware.com/s/article/2106736

  • Repoint vCenter Server 6.x between External PSC within a site
                 https://kb.vmware.com/s/article/2113917

Comments

Post a Comment

Popular posts from this blog

VAPI Endpoint service failure

-
VAPI Endpoint service failure  ERROR | state-manager1            | StsBuilder                     | Failed to acquire token for the solution user 2018-11-15T21:50:42.647Z | ERROR | state-manager1            | DefaultStateManager            | Could not initialize endpoint runtime state. com.vmware.vapi.endpoint.config.ConfigurationException: com.vmware.vim.sso.client.exception.AuthenticationFailedException: Provided credentials are not valid.         at com.vmware.vapi.endpoint.cis.StsBuilder.createToken(StsBuilder.java:182)         at com.vmware.vapi.endpoint.cis.StsBuilder.rebuild(StsBuilder.java:77)      ...
Read more

Replacing vROPS Certificates

-
Image
Issue:  When using default certificates in vROPS  Due to security requirements it was necessary to replace the default self-signed certificates with a trusted certificate signed by an internal CA. Unlike vCenter, vROPS uses a common name vc-ops-slice-1 followed by slice-2 for data and other node, where vCenter has SAN names in the default certificate so when you add the root of the local machine trusted store then the vCenter url shows secured. In order to make the secure SSL we have to generate the CSR and get it signed by any third party SSL vendors or our own Microsoft CA.  I will be generating a CSR and getting signed by internal Microsoft CA .We can refer this below article from VMware as reference.  https://kb.vmware.com/s/article/2046591?lang=en_us Steps:  1.The first step is to create a new private key from taking a SSH session to master node vROPS. openssl genrsa -out vrops.key 2048 2. Using the configuration file below make sure to provide de...
Read more

vPostgres service fails to start with Fatal error : bogus postmaster.pid

-
I came across this issue today where vPostgres service was failing on VCSA with error Fatal Error. # service-control --start vmware-vpostgres Perform start operation. vmon_profile=None, svc_names=['vmware-vpostgres'], include_coreossvcs=False, include_leafossvcs=False 2019-11-06T21:38:14.283Z   Service vmware-vpostgres state STOPPED Error executing start on service vmware-vpostgres. Details {     "resolution": null,     "detail": [         {             "args": [                 "vmware-vpostgres"             ],             "id": "install.ciscommon.service.failstart",             "localized": " A...
Read more