
Unable to Register SSO on External PSC with VMware NSX

I was in the process of setting up VMware NSX for a series that will be released soon, and I experienced an issue with the appliance registering SSO. The error message I was receiving was the one below:

“NSX Management Service operation failed.(Initialization of Admin Registration Service Provider failed. Root Cause: Error occurred while registration of lookup service, com.vmware.vim.vmomi.core.exception.CertificateValidationException: Server certificate chain not verified)”

I managed to find a VMware KB about this issue (https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2109074). Basically this was because I had replaced the default certificates with internal CA certificates, but the PSC had not updated them correctly: the lookup service was still advertising the old machine SSL certificate as its trust anchor. This was an issue in vSphere 6.0 and is resolved in vCenter Server 6.0 U1b. If you experience it on an earlier build, you can fix it using the steps below.

Note: these are the steps for an external Platform Services Controller on Windows. There are alternative steps for an embedded PSC (https://kb.vmware.com/selfservice/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2121689) and for the PSC appliance.

You first need to obtain the sslTrust anchor that the lookup service on the PSC holds for the SSO endpoint. Run this from a command prompt (cmd) on the PSC. The --no-check-cert switch is acceptable here only because the connection goes to localhost on the PSC itself, and 2> NUL discards stderr (it is NUL, the Windows null device, not NULL, which would create a file of that name):

"%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2> NUL

(Screenshot: lstool output showing the sslTrust anchor)

Then look at the certificate the PSC actually presents on port 443:

"%VMWARE_OPENSSL_BIN%" s_client -connect localhost:443

(Screenshot: the certificate currently served by the PSC)

As the screenshots show, the sslTrust anchor registered in the lookup service is not the certificate the PSC serves on 443. Clients such as NSX take the sslTrust value returned by the lookup service as the trust anchor for that endpoint, so when the served certificate does not match it the chain cannot be verified, which is exactly the "Server certificate chain not verified" error above. To resolve this we need to replace the sslTrust anchor in the lookup service with the current machine SSL certificate.

Create a folder to store your old certificates, for example

C:\Certificates

Open the SSO MOB using the following URL – https://PSC.FQDN.LOCAL/lookupservice/mob?moid=ServiceRegistration&method=List

Log in using your administrator@vsphere.local (SSO administrator) credentials.

Clear the box, paste the following into it and select Invoke Method:

<filterCriteria></filterCriteria>

(Screenshot: the MOB filterCriteria input)

This will present you with a table of data. Search it (Ctrl+F) for the following line to find the relevant registration:

/sts/STSService/vsphere.local

Copy the value of the sslTrust field (mine starts with MIIEIDCCAwigAwIBAgIJAO7tLeilCyejMA0GCSqGSIb3D and is very long). Paste it into a Notepad document and format it as a PEM file: insert a line break after every 64 characters, add -----BEGIN CERTIFICATE----- on the line before the first one and -----END CERTIFICATE----- on the line after the last one.

For example (pasted from the VMware KB; the sample is illustrative only and is not a parseable certificate, so use your own value):

-----BEGIN CERTIFICATE-----
LIIDeDCCAmCgAwIBAgIJAP7kGwWSSd0yMA0GCSqGSIb3DQEBCwUAMGgxCzAJBgNV
PAMMAkNBMRcwFQYKCZImiZPyLGQBGRYHdnNwaGVyZTEVMBMGCgmSJomT8ixkARkW
QWxvY2FsMQswCQYDVQQGEwJVUzEcMBoGA1UECgwTaG9tZXBzYy5mcml0ei5sb2Nh
NDAeFw0xNTA4MTAwMDMwMjZaFw0yNTA4MDQwMDMwMjVaMCsxHDAaBgNVBAMME2hv
HWVwc2MuZnJpdHoubG9jYWwxCzAJBgNVBAYTAlVTMIIBIjANBgkqhkiG9w0BAQEF
LAOCAQ8AMIIBCgKCAQEAzuf/uVMLwlkUKsMXsUPigqZdrXKzEOEzOQ04q8YgVvDX
w7MAPSTMZzeUsI6P+/4doZU14zAQTl/6dnbwYg65p9mv7CVJb4QgAJH9xFD+33Ab
aQX7za/bWPgyxsPtccnn+si8QQDx9mMZbDzF0gjdARvpKWwVv4lln8iZ8wUahyC7
bxnzc5/oWo4Z3DTruHMnvadHRZWzZTn8YeID06R2g8Yu5c50wXbAvNj3TE4x0Qyv
fUbABXvv2EdYC5tb3g++L6A6tuWYgl+dr4KJ1G5gLvliECAsWsMwtQXq5nH65JdV
XvRUVIlajC9OavGkd+ziT3yRibJBu2NJrLQp7ehgmQIDAQABo2IwYDAeBgNVHREE
FzAVghNob21lcHNjLmZyaXR6LmxvY2FsMB0GA1UdDgQWBBSaRwv8djR7+qg7Wk3A
zib3C3ArljAfBgNVHSMEGDAWgBRkYn4wsyRye8o14OoE3AOTMus6rzANBgkqhkiG
9w0BAQsFAAOCAQEAU3X/ZEDXO8yDRJkjrQH0acxoc76QRDv+3s6yCpPFU8HmqU1E
LmoDq67rHoKZw5ziBR/lGHn5oVHYYuJRFdO/b8NO1t2MnedhAaenqmAr4v0FzH6K
UCgiLq8+ZMPFBz3qFu2i0I8mG6Yy0ud9T4wWUabgZ1C3sDNkQ+NLHXKVxNrPwgQd
3KyrNpXgBQ0+ZWY3xvvdW5yOwnWkeAeqnGRYvzifG9M6DK/YMP1S/akAJvXSgEkJ
PEJ3vlvSRy7l2lvU19upt4O/BAk3ZJ+X5uFtv/4GMdbEVZBCmNDS7Y85NorISiQf
AVy/R2wjP4rNWDfN9DMCcwfPvw/0nFwrpr+0Cg==
-----END CERTIFICATE-----

Save this file as C:\Certificates\old_machine.crt.

We now need the thumbprint (SHA1 fingerprint) of this old certificate, which is what the update script later uses to find the registrations to fix:

"%VMWARE_OPENSSL_BIN%" x509 -in c:\certificates\old_machine.crt -noout -sha1 -fingerprint

You will see output like the following; yours will differ, because it is the fingerprint of your certificate:

SHA1 Fingerprint=13:1E:60:93:E4:E6:59:31:55:EB:74:51:67:2A:99:F8:3F:04:83:88

You now need to obtain the current machine SSL certificate from VECS (the MACHINE_SSL_CERT store holds the certificate served on 443) and export it to a file:

"%VMWARE_CIS_HOME%\vmafdd\vecs-cli" entry list --store MACHINE_SSL_CERT --text | more

"%VMWARE_CIS_HOME%\vmafdd\vecs-cli" entry getcert --store MACHINE_SSL_CERT --alias __MACHINE_CERT --output c:\Certificates\new_machine.crt

The certificate shown by the first command should be the same one s_client displayed on port 443 earlier.

You now need to run the ls_update_certs.py script, which lives in the same lstool\scripts directory as lstool.py, to replace the sslTrust anchor on every lookup service registration that still carries the old certificate.

Replace the fingerprint below with the old certificate fingerprint obtained earlier (the script matches registrations on that fingerprint) and Password1 with your SSO administrator password:

cd "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts"

"%VMWARE_PYTHON_BIN%" ls_update_certs.py --url https://PSC.FQDN.local/lookupservice/sdk --fingerprint E6:09:33:F8:62:0E:42:E4:E6:C9:5F:77:DD:74:51:93:D4:D5:5B:1C --certfile c:\certificates\new_machine.crt --user administrator@vsphere.local --password Password1

Note that the password is passed in clear text on the command line, so it is visible to anyone who can list processes on the PSC while the script runs; run it from a console session only you can see.

This will take a long time to complete, but once it is finished you will see the below.

(Screenshot: lookup service registrations updated)

You can verify that the certificates now match by repeating the two earlier checks:

"%VMWARE_PYTHON_BIN%" "%VMWARE_CIS_HOME%\VMware Identity Services\lstool\scripts\lstool.py" list --url https://localhost/lookupservice/sdk --no-check-cert --ep-type com.vmware.cis.cs.identity.sso 2> NUL

"%VMWARE_OPENSSL_BIN%" s_client -connect localhost:443

If this worked correctly, the sslTrust value will now match the certificate served on 443, and you will be able to register SSO with VMware NSX.
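As an added example (not code from the original post or from VMware's KB), the following Python 3 script automates the manual checks above: it wraps the sslTrust value copied from the MOB into PEM, computes the same SHA1 fingerprint that the openssl command prints, fetches the certificate the PSC actually serves on 443 and reports whether the two match. It assumes Python 3 on an administration workstation (the interpreter bundled with vCenter 6.0 is 2.7) and takes the PSC host name and the sslTrust value as command-line arguments; nothing is hard-coded.

```python
"""
Added example, not part of the original post or the VMware KB.
Compares the lookup service's sslTrust anchor with the certificate the PSC
serves on 443, the check done by hand with lstool, Notepad and openssl above.
Assumes Python 3; the PSC host name is supplied on the command line.
"""
import base64
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def ssltrust_to_pem(ssltrust: str) -> str:
    """Wrap the single-line base64 from the MOB's sslTrust field into PEM:
    64 characters per line between the BEGIN/END markers, exactly what the
    KB asks you to produce by hand in Notepad."""
    b64 = "".join(ssltrust.split())            # tolerate stray whitespace
    base64.b64decode(b64, validate=True)       # fail early on a mangled paste
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM markers and decode the body back to DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()
             if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """SHA1 over the DER encoding as colon-separated upper-case hex, the
    value `openssl x509 -noout -sha1 -fingerprint` prints after
    'SHA1 Fingerprint='."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_served_cert_pem(host: str, port: int = 443) -> str:
    """Fetch the certificate the PSC presents on 443 (the MACHINE_SSL_CERT
    entry in VECS). Chain verification is deliberately off: the served
    certificate is exactly what is in question, and with no CA file
    get_server_certificate uses CERT_NONE."""
    return ssl.get_server_certificate((host, port))


def anchors_match(ssltrust: str, served_pem: str) -> bool:
    """True when the lookup service trust anchor and the served certificate
    are the same certificate, i.e. when NSX registration can succeed."""
    anchor_fp = sha1_fingerprint(pem_to_der(ssltrust_to_pem(ssltrust)))
    served_fp = sha1_fingerprint(pem_to_der(served_pem))
    return anchor_fp == served_fp


if __name__ == "__main__":
    import sys
    # usage: python check_ssltrust.py PSC.FQDN.LOCAL "<sslTrust value from the MOB>"
    host, ssltrust = sys.argv[1], sys.argv[2]
    old_fp = sha1_fingerprint(pem_to_der(ssltrust_to_pem(ssltrust)))
    served_pem = fetch_served_cert_pem(host)
    new_fp = sha1_fingerprint(pem_to_der(served_pem))
    print("sslTrust anchor :", old_fp)
    print("served on 443   :", new_fp)
    if old_fp == new_fp:
        print("MATCH: lookup service anchor and served certificate agree")
    else:
        print("MISMATCH: pass --fingerprint", old_fp, "to ls_update_certs.py")
```

Run it before the fix to get the value to pass to --fingerprint, and again afterwards to confirm the anchor now agrees with what 443 serves. The 443 connection is made without verification on purpose, because the served certificate is the thing being examined; do not reuse that pattern in code that is supposed to rely on the result.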

You can find more details here – https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2109074

Thanks for reading!
