“nasty” SSL/SSO lab exercises – lab 1
In the last post we finished building the lab; all components are in place to actually follow the lab guide now. So the next couple of posts will consist of the shorter lab exercises the students had to do during the actual training to get comfortable with using SSO and with replacing or troubleshooting SSL certificates in a vSphere environment.
All exercises will be done on the SSL-VC machine. The lab itself was intended as an introduction to the log file locations and command line interface for SSO which would be helpful in Support Request resolution.
The command line interface is Java-based, and VMware installs its own runtime binaries, so figuring out where those are installed is an important step. This can easily be achieved by looking into the registry: HKEY_LOCAL_MACHINE\SOFTWARE\VMware, Inc.\VMware Infrastructure\vJRE contains the installation path.
This path should then be set as JAVA_HOME using cmd.exe by issuing the following command.
Set JAVA_HOME=C:\Program Files\Common Files\VMware\VMware vCenter Server - Java Components\
Despite the spaces in the path, do not use quotation marks; cmd.exe would store the quotes as part of the value and break the environment variable on Windows. Next up is the log location folder in a Windows environment.
C:\ProgramData\VMware\CIS is the main logging path for SSO. From here there are two different routes to take.
C:\ProgramData\VMware\CIS\logs contains subfolders for the vmdir service. These can be helpful when troubleshooting SSO replication issues. Additionally the “vmware-sso” folder contains logs for the Identity Manager Service which can be helpful when troubleshooting login issues or connectivity issues for identity sources.
C:\ProgramData\VMware\CIS\runtime\VMwareSTS\logs contains all logs for the Secure Token Service. This is the interface of which the Lookupservice is a part, and which we will modify using CLI commands in later labs to actually replace certificates and configure the HA configuration for SSO. The Lookupservice is also used to register new components against SSO.
The most important logs in that folder are:
wrapper.log, catalina.log – Logs for the Java wrappers; they tend to contain a fair amount of noise in 5.5, but if the service completely fails to start from Windows Server Manager this is the place to look.
lookupserver.log – Log for the Lookupservice; if components cannot be registered in SSO or certificate replacement for a component fails, this is one log to look at.
localhost_access.log – This log records all calls made via the different SSO interfaces, so during login issues or service startup failures of SSO-dependent components the HTTP status code recorded there can give hints on what is actually going wrong. A 404, for example, is pretty bad, meaning that one of the SSO sub-components failed to start.
ssoAdminServer.log – Log for the admin service of SSO, if configuration fails or dependent services fail to start this is a good log to take a look at.
vmware-identity-sts.log – Main log for the STS service, would be used during login issue troubleshooting.
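To show how the status codes in localhost_access.log can be turned into a quick health check, here is an added example (not part of the original lab material) that parses lines in Tomcat's default common access-log pattern and lists the SSO endpoints that returned a 404 or a 5xx. The log lines, hosts and timestamps are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Tomcat's common access-log pattern: %h %l %u %t "%r" %s %b
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2014:10:15:32 +0100] "POST /lookupservice/sdk HTTP/1.1" 200 1234
10.0.0.5 - - [12/Mar/2014:10:15:33 +0100] "POST /sts/STSService/vsphere.local HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2014:10:16:01 +0100] "POST /sso-adminserver/sdk/vsphere.local HTTP/1.1" 404 -
10.0.0.7 - - [12/Mar/2014:10:16:02 +0100] "POST /sso-adminserver/sdk/vsphere.local HTTP/1.1" 404 -
10.0.0.9 - - [12/Mar/2014:10:17:10 +0100] "GET /websso/SAML2/SSO/vsphere.local HTTP/1.1" 500 811
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

def parse_access_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["status"] = int(d["status"])
            # Tomcat writes "-" when no response body was sent
            d["bytes"] = 0 if d["bytes"] == "-" else int(d["bytes"])
            entries.append(d)
    return entries

def endpoint_of(path):
    """First path segment, i.e. the SSO web application that served the call."""
    return "/" + path.strip("/").split("/")[0]

def summarize(entries):
    """Map each SSO endpoint to a Counter of HTTP status codes."""
    summary = defaultdict(Counter)
    for e in entries:
        summary[endpoint_of(e["path"])][e["status"]] += 1
    return summary

def failing_endpoints(summary):
    """Endpoints that returned 404 (sub-component not started) or any 5xx."""
    return sorted(ep for ep, codes in summary.items()
                  if any(c == 404 or c >= 500 for c in codes))

if __name__ == "__main__":
    print(failing_endpoints(summarize(parse_access_log(SAMPLE_LOG))))
```

Point the script at the real file and the endpoints it prints are the ones whose logs (lookupserver.log, ssoAdminServer.log, vmware-identity-sts.log) to open next.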
The most important CLI tools can be found under C:\Program Files\VMware\Infrastructure\VMware\CIS. In the vmdird directory you will find vdcadmintool, which allows you to reset the SSO administrator password (administrator@vsphere.local by default). The syntax can be seen in the screenshot below. One thing to note: this tool generates passwords containing escape characters that may not be suitable for other command line operations, so it should only be used to reset the password when it has been lost. Running the utility requires local administrator rights. If the password simply needs to be changed, the vSphere Web Client provides the proper interface for that.
The other subfolder of interest is “vmware-sso”, which hosts the ssolscli.cmd tool. With it, add/remove/update operations on the Lookupservice are possible. These will be explored in later labs, so for now only a listing of all registered endpoints will be demonstrated. The command fails if the URL does not match one of the subject alternative names of the SSO certificate, so it is usually run against the FQDN of the system.
This concludes the first lab for the students.
Recap on what the lab intended to teach:
- Important log file locations and their content
- Commonly used command line interfaces for SSO interaction