Smart cards

A smart card is a small plastic card with an embedded integrated circuit chip that is read by a smart card reader (many laptops have one built in). To enable smart card authentication for vCenter, you must first set up the clients before users can log in with a smart card:

  • With vSphere 6.0: Verify that the Client Integration Plugin is installed.
  • With vSphere 6.5 and 6.7: Verify that the Enhanced Authentication Plugin is installed.

The PSC configuration then differs slightly between versions 6.0 and 6.5. For the latest version, before you can enable smart card authentication, you must configure the reverse proxy correctly from the command line on the PSC (or on the vCenter Server if you have an embedded deployment). You have to create a trusted client Certificate Authority (CA) store that contains the certificates of the CAs that issued the client certificates.

On a Linux-based PSC, the commands are as follows:

cd /usr/lib/vmware-sso/
openssl x509 -inform PEM -in xyzCompanySmartCardSigningCA.cer >> /usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem

Then you have to modify the config.xml file with the following changes:

<http>
<maxConnections> 2048 </maxConnections>
<requestClientCertificate>true</requestClientCertificate>
<clientCertificateMaxSize>4096</clientCertificateMaxSize>
<clientCAListFile>/usr/lib/vmware-sso/vmware-sts/conf/clienttrustCA.pem</clientCAListFile>
</http>

And finally, restart the service:

/usr/lib/vmware-vmon/vmon-cli --restart rhttpproxy
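The two preparation steps above (building the trusted client-CA store and editing the `<http>` block of config.xml) lend themselves to a small script that is safe to re-run. The following Python is an added example, not VMware's tooling; the sample PEM and config fragment are constructed, and the store path is the one the page uses.

```python
"""Prepare the PSC reverse proxy for smart card logon: merge CA certificates
into clienttrustCA.pem without duplicates, and apply the <http> settings.
Added example; SAMPLE_PEM and SAMPLE_CONFIG are constructed test data."""
import base64
import re
import xml.etree.ElementTree as ET

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
HTTP_SETTINGS = {"maxConnections": "2048",
                 "requestClientCertificate": "true",
                 "clientCertificateMaxSize": "4096"}
# Constructed: base64 of a 5-byte DER SEQUENCE, enough to exercise the parser.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
# Constructed "before" state: no client certificate request configured yet.
SAMPLE_CONFIG = "<config><http><maxConnections>512</maxConnections></http></config>"

def pem_to_der(pem_text):
    """DER bytes of each CERTIFICATE block; rejects non-base64 or non-SEQUENCE."""
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM block is not a DER certificate")
        ders.append(der)
    return ders

def merge_trust_store(store_text, new_pem):
    """Append unseen certificates to the store text; returns (text, added)."""
    have = set(pem_to_der(store_text))
    out = store_text if (not store_text or store_text.endswith("\n")) else store_text + "\n"
    added = 0
    for der in pem_to_der(new_pem):
        if der in have:
            continue  # already trusted, keep the store free of duplicates
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out += "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"
        have.add(der)
        added += 1
    return out, added

def configure_http(config_xml, ca_list_file):
    """Set the reverse-proxy client-certificate options inside <http>."""
    root = ET.fromstring(config_xml)
    http = root if root.tag == "http" else root.find(".//http")
    if http is None:
        raise ValueError("config.xml has no <http> element")
    for name, value in dict(HTTP_SETTINGS, clientCAListFile=ca_list_file).items():
        node = http.find(name)
        if node is None:
            node = ET.SubElement(http, name)
        node.text = value
    return ET.tostring(root, encoding="unicode")

def smart_card_ready(config_xml, store_text):
    """True when certificates are requested, a CA list is set and the store is non-empty."""
    root = ET.fromstring(config_xml)
    http = root if root.tag == "http" else root.find(".//http")
    if http is None:
        return False
    requested = http.findtext("requestClientCertificate", "").strip().lower() == "true"
    return requested and bool(http.findtext("clientCAListFile", "").strip()) \
        and len(pem_to_der(store_text)) > 0
```

After writing the returned text back to `clienttrustCA.pem` and config.xml, restart rhttpproxy as shown above for the settings to take effect.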

Then verify that an enterprise Public Key Infrastructure (PKI) is set up in your environment and that certificates meet the following requirements:

  • The Subject Alternative Name (SAN) extension must contain a User Principal Name (UPN) that corresponds to an AD account
  • The certificate must specify client authentication in the Application Policies or Enhanced Key Usage fields, or the browser does not show the certificate

At this point, you can enable smart card authentication from the SSO configuration menu.

Starting with ESXi 6.0, it's also possible to use smart card authentication to log in to the ESXi DCUI by using a Personal Identity Verification (PIV), CAC, or SC650 smart card instead of specifying a username and password.

Under Configure | System, select Authentication Services (described earlier for AD authentication); the panel shows the current Smart Card Authentication status and the list of imported certificates.

In the Smart Card Authentication panel, you can click the EDIT... button and select the Certificates page to add trusted CA certificates, for example, root and intermediate CA certificates.
