The VMware vSphere vCenter Server Appliance (VCSA) contains a group of services collectively called the Platform Services Controller (PSC). The VMware Certificate Authority (VMCA) is an indispensable member of that group. The core identity services of vCenter Server consist of three components:
1) VMCA, the VMware Certificate Authority, which issues and manages certificates
2) VMAFD, the VMware Authentication Framework Daemon
3) VMDIR, the VMware Directory Service
1. VMCA
VMCA is the certificate service that issues certificates to the VMware products in a VMware environment. Its interactive command-line tool, certificate-manager, lives on vCenter Server:
# /usr/lib/vmware-vmca/certificate-manager
// Running the command above shows the following menu:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
| |
| *** Welcome to the vSphere 6.7 Certificate Manager *** |
| |
| -- Select Operation -- |
| |
| 1. Replace Machine SSL certificate with Custom Certificate |
| |
| 2. Replace VMCA Root certificate with Custom Signing |
| Certificate and replace all Certificates |
| |
| 3. Replace Machine SSL certificate with VMCA Certificate |
| |
| 4. Regenerate a new VMCA Root Certificate and |
| replace all certificates |
| |
| 5. Replace Solution user certificates with |
| Custom Certificate |
| |
| 6. Replace Solution user certificates with VMCA certificates |
| |
| 7. Revert last performed operation by re-publishing old |
| certificates |
| |
| 8. Reset all Certificates |
|_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _|
Note : Use Ctrl-D to exit.
VMCA issues certificates for the following:
1) Solution users: certificates stored in VECS (VMware Endpoint Certificate Store). A solution user presents its certificate to vCenter Single Sign-On to obtain a SAML token; the 2592000 seconds (30 days) often quoted here is the default maximum lifetime of that SAML holder-of-key token, not of the certificate itself.
2) ESXi hosts: SSL certificates used to encrypt communication, stored on each host's local disk
3) Machine SSL: SSL certificates for the services running on each node, used to encrypt communication, stored in VECS
In other words, VMCA only issues certificates to nodes and solution users inside the same vCenter Single Sign-On (SSO) domain. VMware products use standard X.509 version 3 (X.509v3) certificates, and these certificates are exchanged over TLS-encrypted connections.
On 5 November 2019 I attended ICW in Beijing together with four other people. Mr. Kou Xuexu of VMware's Beijing office said that the two login clients of vCenter Server both appear to use port 443, but in fact one listens on 5443 and the other on 9443. I did not believe it, logged in to vCenter Server and saw the following:
# netstat -nlp | grep 443
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2196/rhttpproxy
tcp 0 0 0.0.0.0:9443 0.0.0.0:* LISTEN 2374/vsphere-client
tcp 0 0 0.0.0.0:5443 0.0.0.0:* LISTEN 2396/vsphere-ui.lau
tcp6 0 0 :::443 :::* LISTEN 2196/rhttpproxy
In the output above, rhttpproxy is the reverse HTTP proxy that serves the web pages on 443 and forwards requests to the back-end services. vsphere-client on 9443 is the old Adobe Flex (Flash) based vSphere Web Client, which is on its way out; vsphere-ui on 5443 is the new HTML5 vSphere Client (netstat truncates the program name column, hence "vsphere-ui.lau"). Browsers only ever connect to 443; the 9443 and 5443 listeners are reached through rhttpproxy.
2. VMAFD
VMAFD is the daemon behind VECS, the local certificate and private-key store used by the other services on the node. The command-line tools that belong to it are dir-cli and vecs-cli (under /usr/lib/vmware-vmafd/bin); certool belongs to VMCA (under /usr/lib/vmware-vmca/bin).
3. VMDIR
VMDIR provides the directory service: an LDAP directory that holds the vCenter Single Sign-On domain (vsphere.local by default) with its users, groups, solution users and certificate data. It is not Microsoft Active Directory, although Active Directory can be added to Single Sign-On as an identity source.
Certificate-related commands
Windows
C:\Program Files\VMware\vCenter Server\vmafdd\vecs-cli.exe
C:\Program Files\VMware\vCenter Server\vmafdd\dir-cli.exe
C:\Program Files\VMware\vCenter Server\vmcad\certool.exe
C:\Program Files\VMware\vCenter Server\VMware Identity Services\sso-config
VCENTER_INSTALL_PATH\bin\service-control
Linux
/usr/lib/vmware-vmafd/bin/vecs-cli
# /usr/lib/vmware-vmafd/bin/vecs-cli store list
lists the stores on the node:
MACHINE_SSL_CERT
TRUSTED_ROOTS
TRUSTED_ROOT_CRLS
machine
vsphere-webclient
vpxd
vpxd-extension
APPLMGMT_PASSWORD
data-encipherment
SMS
# /usr/lib/vmware-vmafd/bin/vecs-cli entry list --store vpxd
lists the entries (alias, entry type and certificate) in the vpxd solution-user store; the same command works for any store name from the list above.
/usr/lib/vmware-vmafd/bin/dir-cli
/usr/lib/vmware-vmca/bin/certool
/opt/vmware/bin
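As an added example (not code from this page or from VMware), the following script ties the vecs-cli, certool and openssl tools listed above into the certificate audit a practitioner actually wants on the appliance: it enumerates every VECS store, fetches each certificate with vecs-cli entry getcert, reports the days until notAfter with an EXPIRING/EXPIRED flag, and checks that the VMCA root returned by certool --getrootca is present in TRUSTED_ROOTS (the thing to verify after menu options 2 or 4 of certificate-manager). It assumes the tool paths shown above, openssl and GNU date on the appliance (Photon OS), root privileges, the "Alias :" line format of vecs-cli entry list, and that certool --getrootca writes the root certificate as PEM; the expiry and fingerprint helpers work on any PEM file, so they can also be pointed at certificates exported with the Windows vecs-cli.exe.

```shell
#!/bin/sh
# vecs_cert_audit.sh -- added example, not from the original page or from VMware.
# Walks every VECS store with vecs-cli, pulls each certificate with
# "entry getcert", reports days until notAfter, and checks that the VMCA
# root reported by certool is present in TRUSTED_ROOTS.
# Assumptions (not stated on the page): the tool paths below, openssl and
# GNU date on the appliance, root privileges, the "Alias :<tab>name" line
# format of "vecs-cli entry list", and PEM output from "certool --getrootca".

VECS_CLI=${VECS_CLI:-/usr/lib/vmware-vmafd/bin/vecs-cli}
CERTOOL=${CERTOOL:-/usr/lib/vmware-vmca/bin/certool}
WARN_DAYS=${WARN_DAYS:-30}

# days_left PEMFILE -> whole days until notAfter (truncated toward zero)
days_left() {
    end=$(openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//') || return 1
    end_s=$(date -d "$end" +%s) || return 1
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# expiring_within PEMFILE DAYS -> exit 0 if the certificate expires within DAYS
expiring_within() {
    ! openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

# sha256_fingerprint PEMFILE -> "AA:BB:..." SHA-256 fingerprint
sha256_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$1" | sed 's/^.*=//'
}

# list_aliases STORE -> one alias per line, parsed from "Alias :<tab>name" lines
list_aliases() {
    "$VECS_CLI" entry list --store "$1" |
        awk -F':' '/^Alias/ { v = $2; sub(/^[ \t]+/, "", v); print v }'
}

# audit_store STORE -> one line per certificate: store, alias, days, flag, subject
audit_store() {
    store=$1
    pem=$(mktemp)
    list_aliases "$store" | while read -r alias; do
        [ -n "$alias" ] || continue
        # CRL and secret entries (TRUSTED_ROOT_CRLS, APPLMGMT_PASSWORD) carry no
        # certificate, so getcert fails for them and they are skipped.
        "$VECS_CLI" entry getcert --store "$store" --alias "$alias" --output "$pem" 2>/dev/null || continue
        days=$(days_left "$pem") || continue
        flag=OK
        expiring_within "$pem" "$WARN_DAYS" && flag=EXPIRING
        expiring_within "$pem" 0 && flag=EXPIRED
        subject=$(openssl x509 -noout -subject -in "$pem" | sed 's/^subject= *//')
        printf '%-18s %-28s %6d %-9s %s\n' "$store" "$alias" "$days" "$flag" "$subject"
    done
    rm -f "$pem"
}

# audit_all -> audit every store returned by "vecs-cli store list"
audit_all() {
    "$VECS_CLI" store list | while read -r store; do
        [ -n "$store" ] && audit_store "$store"
    done
}

# vmca_root_in_trusted_roots -> exit 0 if certool's root cert is in TRUSTED_ROOTS
vmca_root_in_trusted_roots() {
    root=$(mktemp); pem=$(mktemp)
    "$CERTOOL" --getrootca > "$root" || { rm -f "$root" "$pem"; return 2; }
    want=$(sha256_fingerprint "$root")
    found=1
    for alias in $(list_aliases TRUSTED_ROOTS); do
        "$VECS_CLI" entry getcert --store TRUSTED_ROOTS --alias "$alias" --output "$pem" 2>/dev/null || continue
        [ "$(sha256_fingerprint "$pem")" = "$want" ] && { found=0; break; }
    done
    rm -f "$root" "$pem"
    return $found
}

case "${1:-}" in
    audit) audit_all ;;
    rootcheck) vmca_root_in_trusted_roots && echo "VMCA root present in TRUSTED_ROOTS" ;;
esac
```

Run `sh vecs_cert_audit.sh audit` for the expiry table (set WARN_DAYS to change the 30-day threshold) and `sh vecs_cert_audit.sh rootcheck` after replacing the root to confirm the new root was published to TRUSTED_ROOTS. The solution-user stores (machine, vsphere-webclient, vpxd, vpxd-extension) each hold a single entry whose alias equals the store name, while MACHINE_SSL_CERT uses the alias __MACHINE_CERT; the script does not depend on either, since it reads the aliases from entry list.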