VMware started as a Type 2 Hypervisor for doing a bit of lab/development testing on.

They’ve come a long way since and even started chopping Windows out of the picture whenever possible. VCSA did a great job at removing not just vCenter but a number of the vSphere components like dump collector, log browser, syslog collector and auto deploy.

But to have a fully tidy and enterprise environment you needed certificates. You could buy these from Verisign/Symantec but as only internal people will be accessing your vSphere environment then why go to the expense and faff? The other option is a Windows PKI. Free/Easy and quick to set up (possibly quite badly) but you’ve already got Windows servers, why not just add a role?

So what have VMware done to remove some of this hassle and add to their portfolio? Well a while back they released vSphere 6.0 If you haven’t looked at it I recommend setting it up in a lab and getting familiar. It has one key new component that I think is pretty cool.

The PSC

PSC deals with identity management for administrators and applications that interact with the vSphere platform and more. It hosts a bunch of services, some existing some new
  • VMware Appliance Management Service (only in Appliance-based PSC)
  • VMware License Service
  • VMware Component Manager
  • VMware Identity Management Service
  • VMware HTTP Reverse Proxy
  • VMware Service Control Agent
  • VMware Security Token Service
  • VMware Common Logging Service
  • VMware Syslog Health Service
  • VMware Authentication Framework
  • VMware Certificate Service
  • VMware Directory Service

    • My favourite bit, having become an Identity&Access Management SME by stealth is the Certificate service. In my experience customers struggle to really grasp what a PKI is for and to understand the relatively simple moving parts.

      Certificate Authorities - They issue certs!
      Certificate Revocation lists (CRLs) - Lists of revoked certificates
      Crl Distribution Points (CDPs) - a Point where CRLs are hosted that clients can connect to and download the latest CRL
    That simplifies things down to their minimum. There are other bits but we don't need them yet.

    To secure a connection a service needs an SSL cert. e.g. the Web Client Service. has a cert but it issued it to itself. Nothing trusts it, there’s nowhere to check if it’s been revoked and it’s very likely that you’re accessing it using an ip/name different to the one in the cert.

    The advantage of the Certificate Service or VMCA is that it simplifies or automates a lot of these processes for you, including the setting up of the Root CA.
    Here’s a video overviewing the certificate services in vSphere6.0

    In a follow up post I’ll contrast setting up a windows CA and manually issuing certs out to each versus the PSC.