Shulou(Shulou.com)05/31 Report--

This article is to share with you about how Certificate Authority in VMware vCenter works. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

VMware vSphere vCenter Server Appliance (VCSA for short) contains a series of Platform Service Controller services. VMware Certificate Authority (VMCA for short) is one of the indispensable members. The authentication service of the vCenter Server core consists of the following three components:

1) VMCA,VMware Certificate Management Service

2) VMAFD,VMware Authentication Framework Daemon

3) VMDIR,VMware Directory Service, directory service

1 、 VMCA

VMCA provides e-Cert services for VMware products in a VMware environment, and its command-line tools are stored on vCenter Server, as shown below:

# / usr/lib/vmware-vmca/certificate-manager / / after running the above command line The following appears: _ | | * * Welcome to the vSphere 6.7Certificate Manager * * |-- Select Operation-- | | 1. Replace Machine SSL certificate with Custom Certificate | 2. Replace VMCA Root certificate with Custom Signing | | Certificate and replace all Certificates | 3. Replace Machine SSL certificate with VMCA Certificate | | | | 4. Regenerate a new VMCA Root Certificate and | | replace all certificates | | | | 5. Replace Solution user certificates with | | Custom Certificate | | | | 6. Replace Solution user certificates with VMCA certificates | 7. Revert last performed operation by re-publishing old | | certificates | | 8. Reset all Certificates | | _ _ _ | Note: Use Ctrl-D to exit.

VMCA issues certificates for the following users:

1) system user, SAML certificate, which is used to verify identity and is stored in VECS (Endpoint Certificate Store, certificate store). Generally speaking, the certificate is valid for 2592000 seconds, that is, 30 days.

2) ESXi host, SSL certificate, used for communication encryption, stored in the host local disk

3) the server running related services, SSL certificate, used for communication encryption, stored in VECS

That is, VMCA only issues certificates to clients within the same domain that want to log on using SSO (single sign-on). VMware products use standard X.509 version 3 (X.509v3) certificates to hold Session certificates. These certificates are also sent over a SSL encrypted network connection.

On November 5, 2019, Kou Xuexu, a teacher at ICW,VMware Beijing Company in Beijing with four other people, said that the login ports of both vCenter Server login customers seem to be 443, but in fact one is 5443 and the other is 9443. I don't believe it. Log in to vCenter Server and see the following result:

Netstat-nlp | grep 443tcp 0 0 0.0 0. 0 grep 443tcp 443 0 0 0. 0 LISTEN 2196/rhttpproxy tcp 0 0 0. 0. 0. 0. 0. 0. 0. 0. 0. 0. 0.0 * LISTEN 2396/vsphere-ui.lautcp6 0 0: 443:: * LISTEN 2196/rhttpproxy

In the above results, the one responsible for displaying the web page is rhttpproxy, and the vsphere-client is an old-fashioned Adobe Flex-based client that is about to retire from history. Vsphere-ui.lau is the new client based on HTML 5.

2 、 VMAFD

/ usr/lib/vmware-vmadir-cli, certool, and vecs-cl

3 、 VMDIR

It provides a directory service (Active Directory).

Certificate related Command Windows

C:\ Program Files\ VMware\ vCenter Server\ vmafdd\ vecs-cli.exe

C:\ Program Files\ VMware\ vCenter Server\ vmafdd\ dir-cli.exe

C:\ Program Files\ VMware\ vCenter Server\ vmcad\ certool.exe

C:\ Program Files\ VMware\ VCenter server\ VMware Identity Services\ sso-config

VCENTER_INSTALL_PATH\ bin\ service-control

Linux

/ usr/lib/vmware-vmafd/bin/vecs-cli

# / usr/lib/vmware-vmafd/bin/vecs-cli store list gets the following results: MACHINE_SSL_CERTTRUSTED_ROOTSTRUSTED_ROOT_CRLSmachinevsphere-webclientvpxdvpxd-extensionAPPLMGMT_PASSWORDdata-enciphermentSMS# / usr/lib/vmware-vmafd/bin/vecs-cli entry list-- store vpxd

/ usr/lib/vmware-vmafd/bin/dir-cli

/ usr/lib/vmware-vmca/bin/certool

/ opt/vmware/bin

This is how the Certificate Authority in VMware vCenter works. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.