4. Use the following UNIX command to convert each .pem file to a value that can be passed in a JSON
string to the Access Point REST API:
awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' cert-name.pem
In this example, cert-name.pem is the name of the certificate file.
The new format places all the certificate information on a single line with embedded newline
characters. If you have an intermediate certificate, that certificate must also be in one-line format and
be added to the first certificate so that both certificates are on the same line.
You can now configure certificates for Access Point by using these .pem files with the PowerShell scripts
attached to the blog post "Using PowerShell to Deploy VMware Access Point," available at
https://communities.vmware.com/docs/DOC-30835. Alternatively, you can create and use a JSON request to
configure the certificate.
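The conversion step above, as an added example that is not part of the VMware guide: a shell script that applies the guide's awk command to a server certificate plus an intermediate certificate, then checks that the result is one JSON-safe line made of properly paired PEM blocks. The function names and the sample files (placeholder base64, not real certificates) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical.

# The guide's awk program. Files are joined in argument order, so pass the
# server certificate first and the intermediate certificate second.
pem_to_oneline() {
    awk 'NF {sub(/\r/, ""); printf "%s\\n",$0;}' "$@"
}

# Print the number of PEM blocks in a one-line value; fail if BEGIN/END
# lines do not pair up or text sits outside a block.
count_pem_blocks() {
    printf '%b' "$1" | awk '
        /^-----BEGIN [A-Z0-9 ]+-----$/ { if (inblk) bad = 1; inblk = 1; next }
        /^-----END [A-Z0-9 ]+-----$/   { if (!inblk) bad = 1; inblk = 0; n++; next }
        !inblk && NF                   { bad = 1 }
        END { if (bad || inblk) exit 1; print n + 0 }'
}

# Succeed only if the value can sit between JSON quotes unchanged: one line,
# no CR, no double quote, and no backslash other than the \n separators.
is_json_string_safe() {
    nl='
'
    cr=$(printf '\r')
    case $1 in *"$nl"*|*"$cr"*|*'"'*) return 1 ;; esac
    case $(printf '%s' "$1" | sed 's/\\n//g') in *\\*) return 1 ;; esac
    return 0
}

# Constructed sample input: placeholder base64, not real certificates.
# leaf.pem has CRLF line ends; ca.pem has LF line ends and a blank line.
make_samples() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtTEVBRg==' \
        '-----END CERTIFICATE-----' > "$1/leaf.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtQ0E=' \
        '' '-----END CERTIFICATE-----' > "$1/ca.pem"
}

tmp=$(mktemp -d)
make_samples "$tmp"
chain=$(pem_to_oneline "$tmp/leaf.pem" "$tmp/ca.pem")
if is_json_string_safe "$chain" && blocks=$(count_pem_blocks "$chain"); then
    echo "chain OK: $blocks certificates on one line"
else
    echo "chain rejected" >&2
fi
rm -rf "$tmp"
```

Running the checks before submitting the value catches a truncated file or a chain that was pasted in raw, multi-line form.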
What to do next
If you converted a TLS/SSL server certificate, see “Replace the Default TLS/SSL Server Certificate for
Access Point,” on page 42. For smart card certificates, see Chapter 5, “Setting Up Smart Card
Authentication,” on page 49.
Replace the Default TLS/SSL Server Certificate for Access Point
To store a trusted CA-signed TLS/SSL server certificate on the Access Point appliance, you must convert the
certificate to the correct format and use PowerShell scripts or the Access Point REST API to configure the
certificate.
For production environments, VMware strongly recommends that you replace the default certificate as soon
as possible. The default TLS/SSL server certificate that is generated when you deploy an Access Point
appliance is not signed by a trusted Certificate Authority.
IMPORTANT Also use this procedure for periodically replacing a certificate that has been signed by a trusted
CA before the certificate expires, which might be every two years.
This procedure describes how to use the REST API to replace the certificate. An easier alternative might be
to use the PowerShell scripts attached to the blog post "Using PowerShell to Deploy VMware Access Point,"
available at https://communities.vmware.com/docs/DOC-30835. If you have already deployed the named
Access Point appliance, then running the script again will power off the appliance, delete it, and redeploy it
with the current settings you specify.
Prerequisites
- Unless you already have a valid TLS/SSL server certificate and its private key, obtain a new signed
  certificate from a Certificate Authority. When you generate a certificate signing request (CSR) to obtain
  a certificate, make sure that a private key is generated also. Do not generate certificates for servers using
  a KeyLength value under 1024.
  To generate the CSR, you must know the fully qualified domain name (FQDN) that client devices will
  use to connect to the Access Point appliance and the organizational unit, organization, city, state, and
  country to complete the Subject name.
- Convert the certificate to PEM-format files and convert the .pem files to one-line format. See “Convert
  Certificate Files to One-Line PEM Format,” on page 41.
- Familiarize yourself with the Access Point REST API. The specification for this API is available at the
  following URL on the virtual machine where Access Point is installed:
  https://access-point-appliance.example.com:9443/rest/swagger.yaml.
Deploying and Configuring Access Point
42 VMware, Inc.