6.7
Table 3-7. Stores in VECS (Continued)

Store: vSphere Certificate Manager Utility backup store (BACKUP_STORE)
Description: Used by VMCA (VMware Certificate Manager) to support certificate revert. Only the most recent state is stored as a backup; you cannot go back more than one step.

Store: Other stores
Description: Other stores might be added by solutions. For example, the Virtual Volumes solution adds an SMS store. Do not modify the certificates in those stores unless VMware documentation or a VMware Knowledge Base article instructs you to do so.

Note: Deleting the TRUSTED_ROOTS_CRLS store can damage your certificate infrastructure. Do not delete or modify the TRUSTED_ROOTS_CRLS store.
The vCenter Single Sign-On service stores the token signing certificate and its SSL certificate on disk. You can change the token signing certificate from the vSphere Client.

Some certificates are stored on the file system, either temporarily during startup or permanently. Do not change the certificates on the file system. Use vecs-cli to perform operations on certificates that are stored in VECS.

Note: Do not change any certificate files on disk unless instructed by VMware documentation or Knowledge Base articles. Unpredictable behavior might result otherwise.
Managing Certificate Revocation

If you suspect that one of your certificates has been compromised, replace all existing certificates, including the VMCA root certificate.

vSphere 6.0 supports replacing certificates but does not enforce certificate revocation for ESXi hosts or for vCenter Server systems.

Remove revoked certificates from all nodes. If revoked certificates remain on a node, they can still be used in a man-in-the-middle attack to impersonate the certificate holder with that account's credentials.
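As an added example (not from the VMware documentation or the vecs-cli tool itself), the following POSIX shell script shows how vecs-cli, the utility the text prescribes for VECS operations, can be driven to answer the question the revocation guidance raises: does a certificate you believe is compromised still sit in any VECS store on this node? It assumes the vecs-cli path used by the vCenter Server Appliance, that openssl is present on the node, and that `vecs-cli entry list --store S` prints one `Alias :` line per entry (an assumption about the output format; adjust the awk pattern if your version differs). The fingerprint you pass in is the one you recorded from the suspect certificate; run the script on every node, since the text requires removing revoked certificates from all of them.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation.
# Audit every VECS store on a node for a certificate identified by its
# SHA-256 fingerprint, so you can confirm a revoked certificate is really
# gone from this node after the replacement procedure.
#
# Assumptions: vecs-cli lives at the vCenter Server Appliance path below,
# openssl is available, and `vecs-cli entry list --store S` prints one
# "Alias :<tab>name" line per entry (assumed format; adjust if yours differs).
VECS_CLI="${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}"

# Normalize a fingerprint to lowercase hex without colons so values copied
# from different tools (openssl, a browser, a ticket) compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | tr 'A-F' 'a-f'
}

# Pull the alias names out of `vecs-cli entry list` output passed as $1.
vecs_aliases() {
    printf '%s\n' "$1" | awk -F':' '/^Alias[[:space:]]*:/ { sub(/^[[:space:]]+/, "", $2); print $2 }'
}

# SHA-256 fingerprint of the PEM certificate in file $1, normalized as above.
pem_fingerprint() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//')"
}

# Walk every store and every alias; print "STORE ALIAS" for each entry whose
# certificate fingerprint equals $1. Entries that cannot be exported as a
# certificate (for example CRL entries) are skipped.
find_cert_in_vecs() {
    target=$(normalize_fp "$1")
    tmp=$(mktemp)
    "$VECS_CLI" store list | while read -r store; do
        entries=$("$VECS_CLI" entry list --store "$store" 2>/dev/null) || continue
        vecs_aliases "$entries" | while read -r alias; do
            "$VECS_CLI" entry getcert --store "$store" --alias "$alias" \
                --output "$tmp" 2>/dev/null || continue
            fp=$(pem_fingerprint "$tmp")
            [ "$fp" = "$target" ] && printf '%s %s\n' "$store" "$alias"
        done
    done
    rm -f "$tmp"
}

# Usage: sh vecs-audit.sh <sha256-fingerprint>
# Only runs the audit when a fingerprint is given and vecs-cli is present.
if [ -n "${1:-}" ] && [ -x "$VECS_CLI" ]; then
    find_cert_in_vecs "$1"
fi
```

The script reports matches but deliberately does not delete them: removing an entry such as the machine SSL certificate before its replacement has been published breaks the services that use it, so remove a matched entry (for example with `vecs-cli entry delete --store STORE --alias ALIAS`) only after the replacement certificates from the procedures in this chapter are in place.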
Certificate Replacement in Large Deployments

Certificate replacement in deployments that include multiple management nodes and one or more Platform Services Controller nodes is similar to replacement in embedded deployments. In both cases, you can use the vSphere Certificate Management utility or replace certificates manually. Some best practices guide the replacement process.
Platform Services Controller Administration
VMware, Inc. 87