6.5.1
Table Of Contents
- Platform Services Controller Administration
- Contents
- About Platform Services Controller Administration
- Updated Information
- Getting Started with Platform Services Controller
- vCenter Server and Platform Services Controller Deployment Types
- Deployment Topologies with External Platform Services Controller Instances and High Availability
- Understanding vSphere Domains, Domain Names, and Sites
- Platform Services Controller Capabilities
- Managing Platform Services Controller Services
- Managing the Platform Services Controller Appliance
- vSphere Authentication with vCenter Single Sign-On
- Understanding vCenter Single Sign-On
- Configuring vCenter Single Sign-On Identity Sources
- Identity Sources for vCenter Server with vCenter Single Sign-On
- Set the Default Domain for vCenter Single Sign-On
- Add a vCenter Single Sign-On Identity Source
- Edit a vCenter Single Sign-On Identity Source
- Remove a vCenter Single Sign-On Identity Source
- Use vCenter Single Sign-On With Windows Session Authentication
- vCenter Server Two-Factor Authentication
- Using vCenter Single Sign-On as the Identity Provider for Another Service Provider
- Security Token Service STS
- Managing vCenter Single Sign-On Policies
- Managing vCenter Single Sign-On Users and Groups
- Add vCenter Single Sign-On Users
- Disable and Enable vCenter Single Sign-On Users
- Delete a vCenter Single Sign-On User
- Edit a vCenter Single Sign-On User
- Add a vCenter Single Sign-On Group
- Add Members to a vCenter Single Sign-On Group
- Remove Members From a vCenter Single Sign-On Group
- Delete vCenter Single Sign-On Solution Users
- Change Your vCenter Single Sign-On Password
- vCenter Single Sign-On Security Best Practices
- vSphere Security Certificates
- Certificate Requirements for Different Solution Paths
- Certificate Management Overview
- Managing Certificates with the Platform Services Controller Web Interface
- Explore Certificate Stores from the Platform Services Controller Web Interface
- Replace Certificates with New VMCA-Signed Certificates from the Platform Services Controller Web Interface
- Make VMCA an Intermediate Certificate Authority from the Platform Services Controller Web Interface
- Set up Your System to Use Custom Certificates from the Platform Services Controller
- Managing Certificates from the vSphere Web Client
- Managing Certificates with the vSphere Certificate Manager Utility
- Certificate Manager Options and the Workflows in This Document
- Regenerate a New VMCA Root Certificate and Replace All Certificates
- Make VMCA an Intermediate Certificate Authority (Certificate Manager)
- Generate CSR with vSphere Certificate Manager and Prepare Root Certificate (Intermediate CA)
- Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
- Replace Machine SSL Certificate with VMCA Certificate (Intermediate CA)
- Replace Solution User Certificates with VMCA Certificates (Intermediate CA)
- Replace All Certificates with Custom Certificate (Certificate Manager)
- Revert Last Performed Operation by Republishing Old Certificates
- Reset All Certificates
- Manual Certificate Replacement
- Managing Services and Certificates With CLI Commands
- Troubleshooting Platform Services Controller
- Determining the Cause of a Lookup Service Error
- Unable to Log In Using Active Directory Domain Authentication
- vCenter Server Login Fails Because the User Account Is Locked
- VMware Directory Service Replication Can Take a Long Time
- Export a Platform Services Controller Support Bundle
- Platform Services Controller Service Logs Reference
Understanding vCenter Single Sign-On
To effectively manage vCenter Single Sign-On, you need to understand the underlying architecture and
how it affects installation and upgrades.
vCenter Single Sign-On 6.0 Domains and Sites
(http://link.brightcove.com/services/player/bcpid2296383276001?
bctid=ref:video_sso_6_domains_sites)
How vCenter Single Sign-On Protects Your Environment
vCenter Single Sign-On allows vSphere components to communicate with each other through a secure
token mechanism instead of requiring users to authenticate separately with each component.
vCenter Single Sign-On uses the following services.
n
STS (Security Token Service).
n
SSL for secure traffic.
n
Authentication of human users through Active Directory or OpenLDAP.
n
Authentication of solution users through certificates.
vCenter Single Sign-On Handshake for Human Users
The following illustration shows the handshake for human users.
Figure 2‑1. vCenter Single Sign-On Handshake for Human Users
Kerberos
vSphere Web Client
1
2
3
4
5
6
VMware
Directory
Service
CA
vCenter
Server
vCenter Single
Sign-On
1 A user logs in to the vSphere Web Client with a user name and password to access the
vCenter Server system or another vCenter service.
The user can also log in without a password and check the Use Windows session authentication
check box.
Platform Services Controller Administration
VMware, Inc. 24