VMworld 2015 INF4529 - VMware vSphere Certificate Management for Mere Mortals

Transcript

1. VMware vSphere Certificate Management for Mere Mortals Ryan Johnson, VMware,

   Inc @tenthirtyam Adam Eckerle, VMware, Inc @eck79 vmware.com/go/podcast INF4529 #INF4529

2. • This presentation may contain product features that are currently

   under development. • This overview of new technology represents no commitment from VMware to deliver these features in any generally available product. • Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind. • Technical feasibility and market demand will affect final delivery. • Pricing and packaging for any new technologies or features discussed or presented have not been determined. Disclaimer 2

3. 3

4. Certificate Lifecycle Management VMware vSphere 6.0 Solutions for Complete Certificate

   Lifecycle Management VMware Certificate Authority VMCA VMware Endpoint Certificate Store VECS Located on: Embedded Deployment, and Platform Services Controller Located on: Embedded Deployment, and vCenter Management Node 4

5. VMware Certificate Authority (VMCA) 5 Dual Operational Modes Root CA

   • During installation, VMCA automatically creates a root CA certificate. • This certificate is capable of issuing other certificates. • All solutions and endpoint certificates are created and trusted through to this certificate. Issuer CA • Can replace the default root CA certificate created during installation. • Requires a CSR issued from VMCA to be used by an enterprise or 3rd party CA to generate a new issuing certificate. • Requires replacement of all issued default certificates after implementation.

6. VMware Endpoint Certificate Store (VECS) § Repository for Certificates and

   Private Keys § Mandatory Component (Used even if you don’t sign your certificates with the VMCA… ) § Key Stores: – Machine SSL Certificates – Trusted Roots – Certificate Revocation Lists (CRLs) – Solution Users Certificates – Others (e.g. Virtual Volumes) § Managing VECS is done via vecs-cli (Or better yet, use the vSphere 6.0 Certificate Manager… coming up in a bit… ) § Does Not Manage Single Sign-On Certificates 6 VMware vSphere 6.0

7. VECS VMCA VMware Endpoint Certificate Store (VECS) 7 VMware vSphere

   6.0 Signed VMCA Certificate Machine SSL Certificate

8. VMware vSphere 6.0 Certificate Types § ESXi Certificates § Machine

   SSL Certificate § Solution User Certificates § Single Sign-On Certificates 8

9. ESXi Certificates 9 VMware vSphere 6.0 § Post-install, ESXi always

   has an auto-generated certificate § VMCA will provision a signed certificate when host is joined to vCenter (default mode) § Custom certificates can be use if desired (custom mode) § ESXi certificates are stored locally on each host in the /etc/vmware/ssl § VMCA issued certificates can be renewed via the vSphere Web Client or PowerCLI

10. ESXi Certificates 10 VMware vSphere 6.0 Example: function refreshcerts {

    process { $hostid = Get-VMHost $vmhost | Get-View $hostParam = New-Object VMware.Vim.ManagedObjectReference[] (1) $hostParam[0] = New-Object VMware.Vim.ManagedObjectReference $hostParam[0].value = $hostid.moref.value $hostParam[0].type = 'HostSystem' $_this = Get-View -Id 'CertificateManager-certificateManager' $_this.CertMgrRefreshCertificates_Task($hostParam) } }

11. Machine SSL Certificates § Creates a server-side SSL socket §

    Server verification and secure communication e.g. HTTPS or LDAPS § Each node has its own Machine SSL Certificate. i.e. Embedded Deployment; Management Node; or Platform Services Controller § All services use a Machine SSL Certificate for endpoint encryption. § All services communicate through the reverse proxy § Traffic does not go to the services themselves e.g. The vpxd service uses the MACHINE_SSL_CERT to expose its endpoint. 11 VMware vSphere 6.0

12. Solution User Certificate Certificate stores are located in VECS on

    each management node and embedded deployment: § machine – Used by component manager, license server, and the logging service § vpxd – vCenter service daemon (vpxd) store on management nodes and embedded deployments. vpxd uses the solution user certificate to authenticate to vCenter Single Sign-On § vpxd-extensions – Includes the Auto Deploy service, inventory service, and other services that are not part of other solution users § vsphere-webclient – Includes the vSphere Web Client and some additional services such as the performance chart service 12 VMware vSphere 6.0 – More Services but Consolidated Behind Solution Users that Hold the Certificate

13. Solution User Certificates § Encapsulates one or more vCenter Server

    services § Certificate authenticated by vCenter Single Sign-On and issued a SAML token to authenticate to other solution user and services § Each solution user must be authenticated to vCenter Single Sign-On § Re-authentication occurs after a reboot and after a timeout § The timeout configurable in the vSphere Web Client and defaults to 2592000 seconds (30 days) Maximum Holder-of-Key Token Lifetime 13 VMware vSphere 6.0 30 DAYS

14. Single Sign-On Certificates VMware Directory Service SSL Certificate – §

    With custom certificates you may need to replace this SSL certificate explicitly. VMware vCenter Single Sign-On Signing Certificate – § Security Token Service (STS) – an identity provider that issues, validates, and renews SAML tokens that are used for authentication throughout vSphere § By default, the STS signing certificate is generated by VMCA § Manually refresh STS certificate via vSphere Web Client when the certificate expires or changes 14 VMware vSphere 6.0

15. Single Sign-On Certificates § Not stored in VECS. § Not

    managed with certificate management tools. § Changes are not necessary, but in special situations, you can replace these certificates. 15 Remember…

16. VMware vSphere 6.0 Certificates 16 Summary Certificate Type Provisioning Storage

    ESXi Certificates VMCA (Default) Locally on ESXi Hosts Machine SSL Certificates VMCA (Default) VECS Solution User Certificates VMCA (Default) VECS Single Sign-On Certificates Provisioned During Installation Manage in vSphere Web Client. Directory Service Certificates Provisioned During Installation In certain custom certificate corner cases, you may need to replace this certificate.

17. Certificate Replacement Options 17 VMware vCenter Server 6.0 VMCA as

    Root CA VMCA as Enterprise CA Subordinate Custom CA Hybrid

18. VMware vSphere 6.0 Certificate Manager 18 Let’s Make Certificate Replacement

    Simple Appliance Deployment /usr/lib/vmware-vmca/ bin/certificate-manager Windows Deployment <Drive>:\Program Files\VMware\ vCenter Server\vmcad\ certificate-manager

19. Common Certificate Manager Use Cases 19 VMCA as Root CA

    (Default or Option 4) VMCA as Enterprise CA Subordinate (Option 2) Custom CA (Option 1 & 5) Hybrid (Combination)

20. VMCA as Root CA 20 VMware KB 2108294

21. VMCA as Enterprise CA Subordinate Private Key Algorithm: RSA with

    2048 bits. Standard: X.509 v3 Format: PEM (PKCS8 and PKCS1) with a header of ---BEGIN CERTIFICATE--- Recommended Signature Algorithms: SHA256, SHA384, or SHA512 § Does NOT support wildcard cards or SubjectAltName § You CANNOT create subsidiary CAs of VMCA. § No explicit limit to the length of the certificate chain. § Synchronize time for all nodes in environment. 21 Requirements

22. VMCA as Enterprise CA Subordinate § Create and publish custom

    Subordinate Certificate Authority template per KB 2112009 § Generate Certificate Signing Request and Key in Certificate Manager with Option 2 § On VCSA run chsh –s /bin/bash root to enable WinSCP file transfers. § Submit Certificate Signing Request – root_signing_cert.csr – to Enterprise Certificate Authority § Create the Full Certificate Chain – root_signing_chain.pem § Import the Full Certificate Chain and Key to Replace VMCA Root Signing Certificate in Certificate Manager with Option 2 § Configure certool.cfg with proper values. § Restart vCenter Services on Connected vCenter to Reflect the Change § service-control –stop | --start –all § Replace Machine SSL Certificate with VMCA Certificate on Connected vCenter(s) with Option 3 § Provide the FQDN or IP of Platform Service Controller § Configure certool.cfg with proper values. § Replace Solution User Certificates with VMCA Certificates on Connected vCenter(s) with Option 6 § Provide the FQDN or IP of Platform Service Controller 22 Workflow

23. Demo Time VMCA as Enterprise CA Subordinate: Certificate Replacement

24. VECS VMCA Demo Scenario VMCA Signing Certificate Machine SSL Certificate

    Root CA Certificate Enterprise CA Certificate Microsoft Enterprise Certificate Authority mgmt01dc01.sddc.local vSphere 6 Platform Services Controller mgmt01psc01.sddc.local Signed Signed Signed VECS Machine SSL Solution Users Certificates vCenter 6 Server mgmt01vc01.sddc.local 24

25. ESXi Certificate Management Modes 25 VMware ESXi 6.0 VMCA Authority

    Mode Custom Mode Thumbprint Mode

26. 26 Default Value = vmca Possible Values = vmca |

    custom | thumbprint Serach for certmgmt

27. VMCA Authority Mode § The default mode § Post-install ESXi

    always has an auto-generated certificate § ESXi certificates are stored locally on each host in the /etc/vmware/ssl § VMCA provisions the host a signed certificate when added to vCenter Server § Host certificates include the full chain to VMCA § ESXi certificates can be renewed via the vSphere Web Client or PowerCLI vpxd.certmgmt.mode = vmca § 24 Hour Rule – VMCA as Enterprise CA Subordinate § Signing certificate must have a valid date of 24 hours prior before renewing host certificates or adding new hosts to vCenter § Plan for this aging period when configuring an environment § Replace certificates prior to putting an environment into production 27

28. Custom Mode § Replacement is the same as vSphere 5.5

    – ESXi Shell – HTTPS GET/PUT § vifs will wrap these operations. § Custom / 3rd Party certificates – Must change vpxd.certmgmt.mode to custom or risk replacement by VMCA – Must update TRUSTED_ROOTS store in VECS on vCenter with the custom root certificates to ensure trust relationship – use the vecs-cli entry create command vpxd.certmgmt.mode = custom 28

29. Thumbprint Mode § Legacy mode § Fallback option for vSphere

    6.0 § May be used to retains vSphere 5.5 certificates during an upgrade § DO NOT use this mode unless encountering issues with vmca or custom mode § vCenter 6.0 and later services may not work correctly in thumbprint mode § Switching from thumbprint to vmca mode requires extensive planning 29 vpxd.certmgmt.mode = thumbprint

30. Demo Time VMCA as Enterprise CA Subordinate: ESXi Certificate Replacement

31. VECS VMCA Demo Scenario 31 VMCA Signing Certificate Machine SSL

    Certificate Root CA Certificate Enterprise CA Certificate Microsoft Enterprise Certificate Authority mgmt01dc01.sddc.local vSphere 6 Platform Services Controller mgmt01psc01.sddc.local Signed Signed Signed VECS Machine SSL Solution Users Certificates vCenter 6 Server mgmt01vc01.sddc.local /etc/vmware/ssl/ ESXi Certificate ESXi 6.0 Host mgmt01esx01.sddc.local Signed

32. Upgrades and Operational Considerations VMware vSphere 6.0 Certificate Management

33. Deployment Considerations § VMCA as Enterprise CA Subordinate – Perform

    the signing certificate replacement on all Platform Services Controllers to ensure trusted certificates for all vCenter Server 6.0 installations • Remember the ‘24 Hour Rule’ – Signing certificate must have a valid date of 24 hours prior before renewing host certificates or adding new hosts to vCenter – Plan for this aging period when configuring an existing environment – Replace certificates prior to putting a new environment into production 33 VMware vSphere 6.0

34. Managing Certificates • Supports replacing certificates • No CRL enforcement

    against PKI for vCenter Server and ESXi hosts • If you suspect that one of your certificates has been compromised, revoke and replace all existing certificates, including the VMCA root certificate • If you do not remove revoked certificates, a man-in-the-middle attack might enable compromise through impersonation with the account's credentials. 34 VMware vSphere 6.0

35. Upgrades & Auto Deploy § Host Upgrades and VMCA Signed

    Certificates – Upgrade process replaces self-signed certificates with VMCA-signed certificates – vCenter then monitors certificates and displays details vSphere Web Client § Host Upgrades and Custom Certificates – Custom certificates are retained – even if expired or invalid – Change vxd.certmgmt.mode to custom to ensure certificates are not replaced accidentally § Update Manager – Not compatible with the Machine SSL certificate template in vSphere 6.0. § Use the vSphere 5.5 certificate template for Update Manager 6.0 35

36. A Call to Action Determine the Best Approach for Your

    Organization. VMCA as Root CA (Default or Option 4) VMCA as Enterprise CA Subordinate (Option 2) Custom CA (Option 1 & 5) Hybrid (Combination) 36

37. CONFIDENTIAL 37 vmware.com/go/inf4529

38. Ryan Johnson Senior Technical Marketing Manager @tenthirtyam Adam Eckerle Technical

    Account Manager @eck79 vmware.com/go/podcast
39. None

40. VMware vSphere Certificate Management for Mere Mortals Ryan Johnson, VMware,

    Inc @tenthirtyam Adam Eckerle, VMware, Inc @eck79 vmware.com/go/podcast INF4529 #INF4529