After you have generated signed certificates, configure your first vCenter Single Sign-On server to use the certificates.

1

Log in to sso1.acme.local as an administrator, and in a command prompt, set the JAVA_HOME and PATH variables.

set JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components
set PATH=%PATH%;C:\Program Files\VMware\Infrastructure\VMware\CIS\vmware-sso;%JAVA_HOME%\bin
2

Go to the OpenSSL directory and compute the subject hash of the new root certificate. The VMware trust store looks certificates up by this hash, so it becomes the file name in the next step.

cd \OpenSSL\bin
openssl x509 -noout -subject_hash -in C:\certs\Root64.cer

From the output, copy the eight-digit hexadecimal value to the clipboard.

3

Create an SSL directory and copy the Root64.cer certificate to the SSL folder.

In the second command, replace eight_digit_hexadecimal_value with the hash you copied in step 2 and keep the .0 extension.

mkdir c:\ProgramData\VMware\SSL
copy C:\certs\Root64.cer C:\ProgramData\VMware\SSL\eight_digit_hexadecimal_value.0
4

Append the contents of Root64.cer to the ca_certificates.crt bundle in the SSL folder (the file is created if it does not exist). The >> operator appends, so run the command once: a second run adds a duplicate copy of the certificate to the bundle.

more C:\certs\Root64.cer >> C:\ProgramData\VMware\SSL\ca_certificates.crt
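The following PowerShell script is added here as an example and is not part of the VMware procedure. It performs steps 2 to 4 in one pass and can be re-run safely: it computes the subject hash, installs the root as <hash>.N (moving to .1, .2 and so on only when a different certificate already occupies the slot, which is the OpenSSL hash-directory convention), and appends the root to ca_certificates.crt only when the bundle does not already contain it. It assumes OpenSSL is installed at C:\OpenSSL\bin and that Root64.cer is PEM encoded; the other paths are the ones used on this page.

```powershell
# Added example, not VMware's code: idempotent version of steps 2-4.
# Assumptions: OpenSSL at C:\OpenSSL\bin, PEM-encoded root at C:\certs\Root64.cer.
$OpenSsl  = 'C:\OpenSSL\bin\openssl.exe'
$RootCert = 'C:\certs\Root64.cer'
$SslDir   = 'C:\ProgramData\VMware\SSL'
$Bundle   = Join-Path $SslDir 'ca_certificates.crt'

# Normalise line endings so a CRLF bundle and an LF certificate still compare equal.
$pem = (Get-Content -Path $RootCert -Raw) -replace "`r`n", "`n"
$pemBlock = [regex]::Match($pem, '-----BEGIN CERTIFICATE-----[\s\S]*?-----END CERTIFICATE-----').Value
if (-not $pemBlock) {
    throw "$RootCert is not PEM encoded; convert it first with 'openssl x509 -inform der -in <file> -out Root64.cer'"
}

# Step 2: the OpenSSL subject hash is the file name the trust store looks up.
$hash = (& $OpenSsl x509 -noout -subject_hash -in $RootCert | Select-Object -First 1)
$hash = "$hash".Trim()
if ($hash -notmatch '^[0-9a-f]{8}$') { throw "Unexpected subject hash output: '$hash'" }

# Step 3: install the root as <hash>.N. Hash directories use .0, .1, ... for
# distinct certificates whose subjects hash to the same value, so reuse a slot
# only when it already holds this exact certificate.
New-Item -ItemType Directory -Path $SslDir -Force | Out-Null
$slot = 0
while (Test-Path (Join-Path $SslDir "$hash.$slot")) {
    $existing = (Get-Content (Join-Path $SslDir "$hash.$slot") -Raw) -replace "`r`n", "`n"
    if ($existing -eq $pem) { break }
    $slot++
}
$target = Join-Path $SslDir "$hash.$slot"
Copy-Item -Path $RootCert -Destination $target -Force
Write-Host "Root certificate installed as $target"

# Step 4: append the root to ca_certificates.crt, but never twice. A repeated
# 'more Root64.cer >> ca_certificates.crt' adds a duplicate PEM block each time.
$bundleText = if (Test-Path $Bundle) { (Get-Content $Bundle -Raw) -replace "`r`n", "`n" } else { '' }
if ($bundleText.Contains($pemBlock)) {
    Write-Host "$Bundle already contains this root certificate"
} else {
    Add-Content -Path $Bundle -Value $pemBlock
    Write-Host "Appended root certificate to $Bundle"
}
```

Run it from an elevated PowerShell prompt on the SSO node. Because it checks for an existing copy before writing, it can be used again when a replacement root is issued later without corrupting the bundle.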
5

Open Notepad and create three text files in C:\certs to update the Security Token Service, Administrative Service, and Group Check Service of vCenter Single Sign-On so that they use the network load balancer virtual IP.

a

Create C:\certs\admin.properties with the following content:

[service]
friendlyName=The administrative interface of the SSO server
version=1.5
ownerId=
productId=product:sso
type=urn:sso:admin
description=The administrative interface of the SSO server

[endpoint0]
uri=https://sso.acme.local:7444/sso-adminserver/sdk/vsphere.local
ssl=c:\certs\Root64.cer
protocol=vmomi
b

Create C:\certs\gc.properties with the following content:

[service]
friendlyName=The group check interface of the SSO server
version=1.5
ownerId=
productId=product:sso
type=urn:sso:groupcheck
description=The group check interface of the SSO server

[endpoint0]
uri=https://sso.acme.local:7444/sso-adminserver/sdk/vsphere.local
ssl=c:\certs\Root64.cer
protocol=vmomi

c

Create C:\certs\sts.properties with the following content:

[service]
friendlyName=STS for Single Sign On
version=1.5
ownerId=
productId=product:sso
type=urn:sso:sts
description=The Security Token Service of the Single Sign On server.

[endpoint0]
uri=https://sso.acme.local:7444/sts/STSService/vsphere.local
ssl=c:\certs\Root64.cer
protocol=wsTrust
6

List the vCenter Single Sign-On services.

ssolscli listServices https://sso1.acme.local:7444/lookupservice/sdk

The result displays services with additional information including their service name, service ID and value.

7

Save the serviceId of each of the three services (the value that starts with the localityName, Palo Alto in this example) to its own file. Each file must contain only that one line, so delete any existing gc_id, sts_id or admin_id file first, because >> appends to an existing file.

echo Palo Alto:32_digit_hexadecimal_value_of_group_check_interface >> C:\certs\gc_id
echo Palo Alto:32_digit_hexadecimal_value_of_security_token_service_interface >> C:\certs\sts_id
echo Palo Alto:32_digit_hexadecimal_value_of_administrative_interface >> C:\certs\admin_id
8

Back up the ssoserver.crt, ssoserver.key, and ssoserver.p12 files.

a

Open a Windows Explorer window and navigate to C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf.

b

Create a backup folder and copy the ssoserver.crt, ssoserver.key, and ssoserver.p12 files there.

9

In the command prompt, copy the new PKCS#12 keystore, the certificate file, and the private key to the vCenter Single Sign-On configuration directory, and confirm overwriting when prompted. C:\certs\sso\rui.key is the private key for the new certificate, so remove or lock down C:\certs once the procedure is complete.

copy C:\certs\sso\ssoserver.p12 C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.p12
copy C:\certs\Root64.cer C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt
copy C:\certs\sso\rui.key C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.key
10

Update the vCenter Single Sign-On services by using the service files created with the network load balancer configuration.

a

Edit the local hosts file, and add the following entry:

192.168.110.41       sso.acme.local

The entry maps the load balancer FQDN to the IP address of this SSO node, so that sso.acme.local resolves locally while the services are updated. Without it the updateService commands cannot reach the load balancer FQDN named in the properties files and the update fails.

b

In a command prompt, run the commands to update the services, and confirm overwriting when prompted. Replace password with the administrator@vsphere.local password; it is passed on the command line, so it is visible in the command history and in the process list while the command runs:

ssolscli updateService -d https://sso1.acme.local:7444/lookupservice/sdk -u administrator@vsphere.local -p password -si C:\certs\gc_id -ip C:\certs\gc.properties
ssolscli updateService -d https://sso1.acme.local:7444/lookupservice/sdk -u administrator@vsphere.local -p password -si C:\certs\admin_id -ip C:\certs\admin.properties
ssolscli updateService -d https://sso1.acme.local:7444/lookupservice/sdk -u administrator@vsphere.local -p password -si C:\certs\sts_id -ip C:\certs\sts.properties
11

Verify that the updates to the vCenter Single Sign-On services have been applied.

a

In a command prompt, run the commands to restart the VMware Security Token Service (VMwareSTS).

net stop VMwareSTS
net start VMwareSTS
b

List the vCenter Single Sign-On services to confirm that the updates have been applied.

ssolscli listServices https://sso1.acme.local:7444/lookupservice/sdk

The endpoints entry on line 4 shows the load balancer URL sso.acme.local for each of the three services.
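The following PowerShell is added here as an example and is not VMware tooling. It covers step 7 and step 11b together: it parses the service blocks that ssolscli listServices prints, writes the three *_id files from the parsed serviceId values, and checks that every endpoint URL now carries the load balancer FQDN. The sample output embedded in it is constructed for this example with made-up service IDs; the parser relies only on key=value lines grouped under "Service N" headings, and you should confirm that layout against your own listServices output before trusting the files it writes.

```powershell
# Added example, not VMware's code. Sample output is CONSTRUCTED for the example:
# the service IDs are made up and the STS endpoint is deliberately left on sso1.
$Sample = @'
Service 1
-----------
serviceId={Palo Alto:0123456789abcdef0123456789abcdef}
serviceName=The group check interface of the SSO server
type=urn:sso:groupcheck
endpoints={[url=https://sso.acme.local:7444/sso-adminserver/sdk/vsphere.local,protocol=vmomi]}
version=1.5

Service 2
-----------
serviceId={Palo Alto:fedcba9876543210fedcba9876543210}
serviceName=STS for Single Sign On
type=urn:sso:sts
endpoints={[url=https://sso1.acme.local:7444/sts/STSService/vsphere.local,protocol=wsTrust]}
version=1.5
'@

# Turn the "Service N" blocks into objects with ServiceId, Type and Endpoints.
function ConvertFrom-SsoServiceList {
    param([string]$Text)
    $services = @()
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^Service\s+\d+') {
            if ($current) { $services += $current }
            $current = [ordered]@{ ServiceId = ''; Type = ''; Endpoints = @() }
            continue
        }
        if (-not $current) { continue }
        if ($line -match '^(\w+)=(.*)$') {
            $key, $value = $Matches[1], $Matches[2].Trim('{', '}')   # strip the surrounding braces
            switch ($key) {
                'serviceId' { $current.ServiceId = $value }
                'type'      { $current.Type = $value }
                'endpoints' { $current.Endpoints = @([regex]::Matches($value, 'url=([^,\]\s]+)') |
                                                    ForEach-Object { $_.Groups[1].Value }) }
            }
        }
    }
    if ($current) { $services += $current }
    $services | ForEach-Object { [pscustomobject]$_ }
}

# Step 7: one file per service type, holding only the serviceId line.
$IdFiles = @{ 'urn:sso:groupcheck' = 'gc_id'; 'urn:sso:sts' = 'sts_id'; 'urn:sso:admin' = 'admin_id' }
function Save-SsoServiceIds {
    param([object[]]$Services, [string]$OutDir = 'C:\certs')
    foreach ($svc in $Services) {
        if (-not $IdFiles.ContainsKey($svc.Type)) { continue }
        # Set-Content overwrites, unlike 'echo >>', so a second run cannot leave two lines in the file.
        Set-Content -Path (Join-Path $OutDir $IdFiles[$svc.Type]) -Value $svc.ServiceId -Encoding Ascii
    }
}

# Step 11b: after updateService, every endpoint must name the load balancer, not a node.
function Test-SsoEndpointsUseLoadBalancer {
    param([object[]]$Services, [string]$LoadBalancerFqdn = 'sso.acme.local')
    $bad = foreach ($svc in $Services) {
        foreach ($url in $svc.Endpoints) {
            if (([uri]$url).Host -ne $LoadBalancerFqdn) { "$($svc.Type): $url" }
        }
    }
    if ($bad) {
        Write-Warning ("Endpoints still pointing at a node:`n" + ($bad -join "`n"))
        return $false
    }
    return $true
}

# Offline run against the constructed sample. Against a live node use:
#   $services = ConvertFrom-SsoServiceList -Text (ssolscli listServices https://sso1.acme.local:7444/lookupservice/sdk | Out-String)
$services = ConvertFrom-SsoServiceList -Text $Sample
$services | Format-Table Type, ServiceId, Endpoints
Test-SsoEndpointsUseLoadBalancer -Services $services
```

With the constructed sample the check reports the STS endpoint, because that block still names sso1.acme.local; on a correctly updated node all three services pass. Save-SsoServiceIds is intended for the listServices output captured in step 6, before the update, since the serviceId values do not change when the endpoints are rewritten.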

12

Verify the vCenter Single Sign-On configuration on sso1.acme.local.

a

Open a browser window and go to https://sso1.acme.local:7444/websso/SAML2/Metadata/vsphere.local.

b

Save the metadata file that the browser offers for download and open it in a text editor.

c

Verify that each Location attribute (on the SingleSignOnService, SingleLogoutService and similar endpoint elements) refers to the host name of the load balancer and not to the host name of the vCenter Single Sign-On server, and that the <ds:X509Certificate> element carries the newly installed certificate rather than the old self-signed one.
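The following PowerShell is added here as an example for step 12 and is not VMware code. In SAML 2.0 metadata the Location attribute sits on the endpoint elements (SingleSignOnService and the like), while <ds:X509Certificate> carries the base64 DER certificate, so the script checks the two separately: every Location must name the load balancer, and the SHA-1 thumbprint of each embedded certificate is compared with an expected value, which is what openssl x509 -fingerprint -sha1 -in ssoserver.crt prints. The metadata document embedded below is constructed for this example, its certificate blob is a placeholder rather than a real certificate, and PowerShell 3.0 or later is assumed for Invoke-WebRequest.

```powershell
# Added example, not VMware's code. The metadata below is CONSTRUCTED: the
# certificate is a placeholder and the SingleSignOnService is left on sso1 on purpose.
$LoadBalancerFqdn = 'sso.acme.local'
$PlaceholderCert  = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('placeholder, not a real certificate'))
$Sample = @"
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
                     entityID="https://sso.acme.local:7444/websso/SAML2/Metadata/vsphere.local">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>$PlaceholderCert</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso.acme.local:7444/websso/SAML2/SLO/vsphere.local"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://sso1.acme.local:7444/websso/SAML2/SSO/vsphere.local"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"@

# Every endpoint element carries a Location attribute; collect them regardless of element name.
function Get-SsoMetadataEndpoints {
    param([xml]$Metadata)
    $Metadata.SelectNodes('//*[@Location]') | ForEach-Object {
        [pscustomobject]@{ Element = $_.LocalName; Location = $_.GetAttribute('Location') }
    }
}

# Thumbprint = SHA-1 over the DER bytes inside each <ds:X509Certificate>.
function Get-SsoMetadataCertThumbprints {
    param([xml]$Metadata)
    $ns = New-Object System.Xml.XmlNamespaceManager($Metadata.NameTable)
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    foreach ($node in $Metadata.SelectNodes('//ds:X509Certificate', $ns)) {
        $der = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        ([BitConverter]::ToString($sha1.ComputeHash($der))) -replace '-', ''
    }
}

function Test-SsoMetadata {
    param([xml]$Metadata, [string]$LoadBalancerFqdn, [string]$ExpectedThumbprint)
    $ok = $true
    foreach ($ep in Get-SsoMetadataEndpoints $Metadata) {
        if (([uri]$ep.Location).Host -ne $LoadBalancerFqdn) {
            Write-Warning "$($ep.Element) still points at a node: $($ep.Location)"
            $ok = $false
        }
    }
    $thumbs = @(Get-SsoMetadataCertThumbprints $Metadata)
    if ($ExpectedThumbprint -and ($thumbs -notcontains $ExpectedThumbprint.ToUpperInvariant())) {
        Write-Warning "Metadata does not carry the expected certificate $ExpectedThumbprint; found: $($thumbs -join ', ')"
        $ok = $false
    }
    return $ok
}

# Offline run against the constructed sample. Against a live node use the file saved
# in step 12b, or fetch it directly (PowerShell 3.0+):
#   $meta = [xml](Invoke-WebRequest -Uri https://sso1.acme.local:7444/websso/SAML2/Metadata/vsphere.local).Content
$meta = [xml]$Sample
Get-SsoMetadataEndpoints $meta | Format-Table
Test-SsoMetadata -Metadata $meta -LoadBalancerFqdn $LoadBalancerFqdn
```

With the constructed sample the check fails on the SingleSignOnService Location, which is the exact mistake this step is meant to catch. Fetching the metadata directly from sso1.acme.local may fail TLS name validation, because the node now presents a certificate issued for the load balancer name; in that case parse the file saved in step 12b with [xml](Get-Content -Raw <path>) instead. Pass -ExpectedThumbprint with the value from openssl x509 -fingerprint -sha1 -noout -in C:\ProgramData\VMware\CIS\runtime\VMwareSTS\conf\ssoserver.crt (colons removed) to confirm the metadata advertises the certificate installed in step 9.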

Configure the second server to use the signed certificates and delete false entries in the vCenter Single Sign-On configuration.