PSC HA 6.5: 5b – Validate PSC HA 6.5

Run the following command to connect to the PSC HA VIP with OpenSSL, save the certificate it presents to a file and then print the certificate details to screen.

echo | openssl s_client -connect psc-ha-vip.domain.com:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/psc-ha-vip_validate.crt; openssl x509 -in /tmp/psc-ha-vip_validate.crt -noout -text

The output should be the PSC HA VIP certificate, whose Subject Alternative Name lists all required FQDNs (both PSC nodes and the VIP).

Make a note of the Serial Number value.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:d0:8e:fb:89:92:59:3c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc-ha-a1.domain.com, OU=VMware Engineering
        Validity
            Not Before: Aug 26 10:03:00 2016 GMT
            Not After : Aug 24 10:03:00 2026 GMT
        Subject: C=IE, ST=Cork, L=Cork, O=VMware, OU=vTSU, CN=psc-ha-vip.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:38:fc:33:24:fa:cc:7a:6d:a9:93:63:16:f4:
                    90:02:da:c6:5b:26:35:c3:b0:76:12:8f:b8:25:a2:
                    28:45:ad:7d:ea:30:e3:c2:83:cb:5a:cf:fa:36:fc:
                    e8:1e:4e:8a:4f:e0:5c:6b:94:08:f2:6f:55:fa:bd:
                    1d:84:97:a5:24:86:69:39:82:61:20:b2:e9:6e:2b:
                    61:73:6b:13:35:1f:8e:15:59:af:ee:a8:4a:bf:3c:
                    a7:91:2b:55:77:d4:37:92:2e:c2:7a:9d:51:65:f0:
                    9a:05:ab:20:4d:f2:cf:5d:16:5f:7d:df:ed:19:a0:
                    6d:f7:58:76:fa:cb:d2:44:61:3f:a7:c0:88:14:97:
                    3f:3b:6b:b0:06:02:3a:27:23:ee:79:7e:fa:63:23:
                    5c:59:d1:80:cb:7b:19:d6:cb:c9:38:f7:16:b1:ce:
                    3f:f0:c9:98:4d:2c:d6:5c:84:dc:08:50:13:f7:b8:
                    1e:57:bb:69:ed:6c:75:eb:34:a8:41:b2:b6:aa:16:
                    69:95:80:41:5e:0e:92:a8:21:12:a0:7d:bc:0c:13:
                    4b:85:54:ca:fb:11:fd:d1:e2:b6:85:54:29:17:17:
                    17:41:a4:9e:74:d3:ba:09:0c:eb:bf:fc:4e:bc:1e:
                    9e:dd:35:46:76:62:5b:ab:4f:38:7f:2a:e6:e3:0f:
                    f3:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
    Signature Algorithm: sha256WithRSAEncryption
         7e:cd:c0:98:0d:72:02:ee:4b:c1:01:36:45:f7:4b:2d:a2:ee:
         9b:58:1c:fa:79:b3:b6:56:f1:8f:b3:dd:b4:5d:22:df:01:53:
         f3:56:cf:1b:c3:60:5c:30:38:de:a3:55:2d:b4:27:13:c7:6e:
         d9:0c:e6:ee:78:49:47:f5:8f:a2:e8:97:98:c2:c8:85:2a:c5:
         34:1e:c2:fa:45:5f:cb:ef:e5:51:eb:2a:62:b0:ac:75:8b:3f:
         94:f9:34:49:97:6e:eb:60:d6:d2:46:0d:15:0a:9f:06:bf:41:
         a8:53:3f:98:10:b7:37:f4:f0:43:7d:6a:28:36:db:cf:0b:95:
         cc:95:e5:7e:ac:4c:2a:00:29:53:38:3c:b5:9f:86:61:d8:e1:
         b2:71:16:fd:4c:72:a9:84:a9:fa:39:c2:47:c4:48:68:73:f8:
         ca:b8:9d:ca:56:a8:a5:36:f4:b0:1f:63:56:88:cf:5b:1d:21:
         eb:ca:c7:b5:67:14:b3:cc:d5:0a:e0:67:13:f6:44:86:ec:51:
         0e:83:fb:db:db:b9:05:fd:21:41:a4:13:95:26:60:5c:c2:77:
         a3:fa:e3:25:60:52:d4:df:f0:18:1a:4a:e1:d0:0e:3c:1b:7d:
         b2:cc:b7:bd:67:99:f3:7c:34:08:96:02:14:63:3a:6e:a3:a4:
         c8:b3:77:56

Get PSC Site ID

Connect to one of the PSCs participating in PSC HA.

Run the following command to return the Site ID.

python /usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url http://localhost:7080/lookupservice/sdk 2> /dev/null

For example

python /usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url http://localhost:7080/lookupservice/sdk 2> /dev/null
pscha-a

Verify the cs.license endpoints

A total of 8 cs.license endpoints should be updated with the PSC HA VIP (4 per PSC). Run the following command to list the cs.license endpoints, passing in the Site ID recorded in the previous section.

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site site_name --type cs.license 2> /dev/null | grep URL

For example:

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site pscha-a --type cs.license 2> /dev/null | grep URL
                URL: https://psc-ha-vip.domain.com:443/ls/sdk
                URL: https://psc-ha-vip.domain.com:443/ls/ph/sdk
                URL: https://psc-ha-vip.domain.com:443/ls/healthstatus
                URL: https://psc-ha-vip.domain.com:443/ls/resourcebundle
                URL: https://psc-ha-vip.domain.com:443/ls/resourcebundle
                URL: https://psc-ha-vip.domain.com:443/ls/sdk
                URL: https://psc-ha-vip.domain.com:443/ls/healthstatus
                URL: https://psc-ha-vip.domain.com:443/ls/ph/sdk

Note: The two URLs ending in /ls/ph/sdk are only registered when CEIP (Customer Experience Improvement Program) is enabled. Without CEIP the list contains 6 URLs (3 per PSC).

Pipe the output through wc -l to count the endpoints.

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site pscha-a --type cs.license 2> /dev/null | grep URL | wc -l
8

Verify the cs.license SSL Trust

Run the following command to extract the SSL trust value registered for the cs.license endpoints, wrap it in PEM markers and print the certificate details. The resulting certificate should be the PSC HA VIP certificate: its Serial Number must be identical to the one noted in the first step. Note that uniq only removes adjacent duplicate lines, so if the endpoints do not all carry the same SSL trust value the PEM file will contain more than one certificate body and openssl will usually fail to load it. Treat that as a finding in itself, since every endpoint should be registered with the VIP certificate.

echo "-----BEGIN CERTIFICATE-----" > /tmp/cs.license_endpoint.crt; python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --site site_name --type cs.license 2> /dev/null | grep "SSL trust" | uniq | awk '{ print $3 }' >> /tmp/cs.license_endpoint.crt; echo "-----END CERTIFICATE-----" >> /tmp/cs.license_endpoint.crt; openssl x509 -in /tmp/cs.license_endpoint.crt -noout -text; rm /tmp/cs.license_endpoint.crt

For example:

echo "-----BEGIN CERTIFICATE-----" > /tmp/cs.license_endpoint.crt; python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --site pscha-a --type cs.license 2> /dev/null | grep "SSL trust" | uniq | awk '{ print $3 }' >> /tmp/cs.license_endpoint.crt; echo "-----END CERTIFICATE-----" >> /tmp/cs.license_endpoint.crt; openssl x509 -in /tmp/cs.license_endpoint.crt -noout -text; rm /tmp/cs.license_endpoint.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:d0:8e:fb:89:92:59:3c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc-ha-a1.domain.com, OU=VMware Engineering
        Validity
            Not Before: Aug 26 10:03:00 2016 GMT
            Not After : Aug 24 10:03:00 2026 GMT
        Subject: C=IE, ST=Cork, L=Cork, O=VMware, OU=vTSU, CN=psc-ha-vip.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:38:fc:33:24:fa:cc:7a:6d:a9:93:63:16:f4:
                    90:02:da:c6:5b:26:35:c3:b0:76:12:8f:b8:25:a2:
                    28:45:ad:7d:ea:30:e3:c2:83:cb:5a:cf:fa:36:fc:
                    e8:1e:4e:8a:4f:e0:5c:6b:94:08:f2:6f:55:fa:bd:
                    1d:84:97:a5:24:86:69:39:82:61:20:b2:e9:6e:2b:
                    61:73:6b:13:35:1f:8e:15:59:af:ee:a8:4a:bf:3c:
                    a7:91:2b:55:77:d4:37:92:2e:c2:7a:9d:51:65:f0:
                    9a:05:ab:20:4d:f2:cf:5d:16:5f:7d:df:ed:19:a0:
                    6d:f7:58:76:fa:cb:d2:44:61:3f:a7:c0:88:14:97:
                    3f:3b:6b:b0:06:02:3a:27:23:ee:79:7e:fa:63:23:
                    5c:59:d1:80:cb:7b:19:d6:cb:c9:38:f7:16:b1:ce:
                    3f:f0:c9:98:4d:2c:d6:5c:84:dc:08:50:13:f7:b8:
                    1e:57:bb:69:ed:6c:75:eb:34:a8:41:b2:b6:aa:16:
                    69:95:80:41:5e:0e:92:a8:21:12:a0:7d:bc:0c:13:
                    4b:85:54:ca:fb:11:fd:d1:e2:b6:85:54:29:17:17:
                    17:41:a4:9e:74:d3:ba:09:0c:eb:bf:fc:4e:bc:1e:
                    9e:dd:35:46:76:62:5b:ab:4f:38:7f:2a:e6:e3:0f:
                    f3:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
    Signature Algorithm: sha256WithRSAEncryption
         7e:cd:c0:98:0d:72:02:ee:4b:c1:01:36:45:f7:4b:2d:a2:ee:
         9b:58:1c:fa:79:b3:b6:56:f1:8f:b3:dd:b4:5d:22:df:01:53:
         f3:56:cf:1b:c3:60:5c:30:38:de:a3:55:2d:b4:27:13:c7:6e:
         d9:0c:e6:ee:78:49:47:f5:8f:a2:e8:97:98:c2:c8:85:2a:c5:
         34:1e:c2:fa:45:5f:cb:ef:e5:51:eb:2a:62:b0:ac:75:8b:3f:
         94:f9:34:49:97:6e:eb:60:d6:d2:46:0d:15:0a:9f:06:bf:41:
         a8:53:3f:98:10:b7:37:f4:f0:43:7d:6a:28:36:db:cf:0b:95:
         cc:95:e5:7e:ac:4c:2a:00:29:53:38:3c:b5:9f:86:61:d8:e1:
         b2:71:16:fd:4c:72:a9:84:a9:fa:39:c2:47:c4:48:68:73:f8:
         ca:b8:9d:ca:56:a8:a5:36:f4:b0:1f:63:56:88:cf:5b:1d:21:
         eb:ca:c7:b5:67:14:b3:cc:d5:0a:e0:67:13:f6:44:86:ec:51:
         0e:83:fb:db:db:b9:05:fd:21:41:a4:13:95:26:60:5c:c2:77:
         a3:fa:e3:25:60:52:d4:df:f0:18:1a:4a:e1:d0:0e:3c:1b:7d:
         b2:cc:b7:bd:67:99:f3:7c:34:08:96:02:14:63:3a:6e:a3:a4:
         c8:b3:77:56

Verify the cs.identity endpoints

A total of 16 cs.identity endpoints should be updated with the PSC HA VIP (8 per PSC). Run the following command to list the cs.identity endpoints, passing in the Site ID recorded earlier.

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site site_name --type cs.identity 2> /dev/null | grep URL

For example:

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site pscha-a --type cs.identity 2> /dev/null | grep URL
                URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
                URL: https://psc-ha-vip.domain.com/openidconnect/vsphere.local/.well-known/openid-configuration
                URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
                URL: https://psc-ha-vip.domain.com/websso/SAML2/Metadata/vsphere.local
                URL: https://psc-ha-vip.domain.com/sso-adminserver/idp
                URL: https://psc-ha-vip.domain.com/sts/STSService/vsphere.local
                URL: https://psc-ha-vip.domain.com/websso/HealthStatus
                URL: https://psc-ha-vip.domain.com/idm
                URL: https://psc-ha-vip.domain.com/sts/STSService/vsphere.local
                URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
                URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
                URL: https://psc-ha-vip.domain.com/websso/SAML2/Metadata/vsphere.local
                URL: https://psc-ha-vip.domain.com/websso/HealthStatus
                URL: https://psc-ha-vip.domain.com/sso-adminserver/idp
                URL: https://psc-ha-vip.domain.com/openidconnect/vsphere.local/.well-known/openid-configuration
                URL: https://psc-ha-vip.domain.com/idm

Pipe the output through wc -l to count the endpoints.

python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site pscha-a --type cs.identity 2> /dev/null | grep URL | wc -l
16

Verify the cs.identity SSL Trust

Run the following command to extract the SSL trust value registered for the cs.identity endpoints, wrap it in PEM markers and print the certificate details. The resulting certificate should again be the PSC HA VIP certificate, with a Serial Number identical to the one noted in the first step. As with cs.license, a PEM load failure here means the endpoints are not all registered with the same certificate and needs to be investigated.

echo "-----BEGIN CERTIFICATE-----" > /tmp/cs.identity_endpoint.crt; python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --site site_name --type cs.identity 2> /dev/null | grep "SSL trust" | uniq | awk '{ print $3 }' >> /tmp/cs.identity_endpoint.crt; echo "-----END CERTIFICATE-----" >> /tmp/cs.identity_endpoint.crt; openssl x509 -in /tmp/cs.identity_endpoint.crt -noout -text; rm /tmp/cs.identity_endpoint.crt

For example:

echo "-----BEGIN CERTIFICATE-----" > /tmp/cs.identity_endpoint.crt; python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --site pscha-a --type cs.identity 2> /dev/null | grep "SSL trust" | uniq | awk '{ print $3 }' >> /tmp/cs.identity_endpoint.crt; echo "-----END CERTIFICATE-----" >> /tmp/cs.identity_endpoint.crt; openssl x509 -in /tmp/cs.identity_endpoint.crt -noout -text; rm /tmp/cs.identity_endpoint.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d2:d0:8e:fb:89:92:59:3c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc-ha-a1.domain.com, OU=VMware Engineering
        Validity
            Not Before: Aug 26 10:03:00 2016 GMT
            Not After : Aug 24 10:03:00 2026 GMT
        Subject: C=IE, ST=Cork, L=Cork, O=VMware, OU=vTSU, CN=psc-ha-vip.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c4:38:fc:33:24:fa:cc:7a:6d:a9:93:63:16:f4:
                    90:02:da:c6:5b:26:35:c3:b0:76:12:8f:b8:25:a2:
                    28:45:ad:7d:ea:30:e3:c2:83:cb:5a:cf:fa:36:fc:
                    e8:1e:4e:8a:4f:e0:5c:6b:94:08:f2:6f:55:fa:bd:
                    1d:84:97:a5:24:86:69:39:82:61:20:b2:e9:6e:2b:
                    61:73:6b:13:35:1f:8e:15:59:af:ee:a8:4a:bf:3c:
                    a7:91:2b:55:77:d4:37:92:2e:c2:7a:9d:51:65:f0:
                    9a:05:ab:20:4d:f2:cf:5d:16:5f:7d:df:ed:19:a0:
                    6d:f7:58:76:fa:cb:d2:44:61:3f:a7:c0:88:14:97:
                    3f:3b:6b:b0:06:02:3a:27:23:ee:79:7e:fa:63:23:
                    5c:59:d1:80:cb:7b:19:d6:cb:c9:38:f7:16:b1:ce:
                    3f:f0:c9:98:4d:2c:d6:5c:84:dc:08:50:13:f7:b8:
                    1e:57:bb:69:ed:6c:75:eb:34:a8:41:b2:b6:aa:16:
                    69:95:80:41:5e:0e:92:a8:21:12:a0:7d:bc:0c:13:
                    4b:85:54:ca:fb:11:fd:d1:e2:b6:85:54:29:17:17:
                    17:41:a4:9e:74:d3:ba:09:0c:eb:bf:fc:4e:bc:1e:
                    9e:dd:35:46:76:62:5b:ab:4f:38:7f:2a:e6:e3:0f:
                    f3:3b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
    Signature Algorithm: sha256WithRSAEncryption
         7e:cd:c0:98:0d:72:02:ee:4b:c1:01:36:45:f7:4b:2d:a2:ee:
         9b:58:1c:fa:79:b3:b6:56:f1:8f:b3:dd:b4:5d:22:df:01:53:
         f3:56:cf:1b:c3:60:5c:30:38:de:a3:55:2d:b4:27:13:c7:6e:
         d9:0c:e6:ee:78:49:47:f5:8f:a2:e8:97:98:c2:c8:85:2a:c5:
         34:1e:c2:fa:45:5f:cb:ef:e5:51:eb:2a:62:b0:ac:75:8b:3f:
         94:f9:34:49:97:6e:eb:60:d6:d2:46:0d:15:0a:9f:06:bf:41:
         a8:53:3f:98:10:b7:37:f4:f0:43:7d:6a:28:36:db:cf:0b:95:
         cc:95:e5:7e:ac:4c:2a:00:29:53:38:3c:b5:9f:86:61:d8:e1:
         b2:71:16:fd:4c:72:a9:84:a9:fa:39:c2:47:c4:48:68:73:f8:
         ca:b8:9d:ca:56:a8:a5:36:f4:b0:1f:63:56:88:cf:5b:1d:21:
         eb:ca:c7:b5:67:14:b3:cc:d5:0a:e0:67:13:f6:44:86:ec:51:
         0e:83:fb:db:db:b9:05:fd:21:41:a4:13:95:26:60:5c:c2:77:
         a3:fa:e3:25:60:52:d4:df:f0:18:1a:4a:e1:d0:0e:3c:1b:7d:
         b2:cc:b7:bd:67:99:f3:7c:34:08:96:02:14:63:3a:6e:a3:a4:
         c8:b3:77:56
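
The checks above (VIP certificate dump, cs.license and cs.identity URL lists and counts, SSL trust serial comparison) can be run as a single offline script instead of comparing serial numbers by eye across three openssl dumps. The following Python script is an added example, not code from the original post or from VMware's lstool.py. Feed it the saved text output of lstool.py list --type <type> and the PEM dumped from the VIP in the first step; it verifies that every registered URL points at the VIP host, that the endpoint count is what you expect (8 or 16, or 6 for cs.license without CEIP), and that the serial number inside every distinct SSL trust value matches the serial of the certificate the VIP actually serves. It walks the DER itself (Certificate, tbsCertificate, optional [0] version, serialNumber) so it needs no third-party modules, and it drops the 0x00 sign-padding byte the same way openssl does when printing; without that step an 8-byte serial beginning 0xd2 would compare as 9 bytes and never match. The lstool output format is assumed to put each value on its own URL: and SSL trust: line, exactly as the page's grep and awk pipelines assume. The sample lstool records and certificate skeletons embedded below are constructed for the demonstration (the skeletons carry only the version and serial fields, not a full certificate); the hostnames, paths, counts and serial value are the ones shown on this page.

```python
import base64
import re
from urllib.parse import urlsplit

VIP_HOST = "psc-ha-vip.domain.com"   # VIP FQDN used throughout the page


def der_tlv(buf, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end).
    Handles the long-form lengths (0x81 nn, 0x82 nn nn) that real certificates use."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length


def cert_serial_hex(der):
    """Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber,
    formatted as `openssl x509 -noout -text` prints a long serial (aa:bb:cc:...)."""
    tag, pos, _ = der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = der_tlv(der, pos)              # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, start, end = der_tlv(der, pos)
    if tag == 0xA0:                              # EXPLICIT [0] version, present in v2/v3 certs
        tag, start, end = der_tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER missing")
    serial = der[start:end]
    # DER prefixes a positive INTEGER whose top bit is set with 0x00; openssl drops that
    # byte when printing, so drop it here too for a like-for-like comparison.
    if len(serial) > 1 and serial[0] == 0x00 and serial[1] & 0x80:
        serial = serial[1:]
    return ":".join("%02x" % b for b in serial)


def pem_to_der(pem):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


def parse_lstool(text):
    """The same two fields the page's pipelines pull out with grep URL / grep "SSL trust"."""
    urls = re.findall(r"^\s*URL:\s*(\S+)", text, re.M)
    trusts = re.findall(r"^\s*SSL trust:\s*(\S+)", text, re.M)
    return urls, trusts


def check_endpoints(lstool_text, vip_pem, endpoint_type, expected_count, vip_host=VIP_HOST):
    """Return a list of findings for one endpoint type; an empty list means every check passed."""
    findings = []
    urls, trusts = parse_lstool(lstool_text)
    if len(urls) != expected_count:
        findings.append("%s: %d URLs registered, expected %d" % (endpoint_type, len(urls), expected_count))
    for url in urls:
        host = urlsplit(url).hostname
        if host != vip_host:
            findings.append("%s: URL still points at %s: %s" % (endpoint_type, host, url))
    if not trusts:
        findings.append("%s: no SSL trust values registered" % endpoint_type)
    vip_serial = cert_serial_hex(pem_to_der(vip_pem))
    for blob in sorted(set(trusts)):             # every distinct value, not only adjacent duplicates
        serial = cert_serial_hex(base64.b64decode(blob))
        if serial != vip_serial:
            findings.append("%s: SSL trust serial %s != VIP serial %s" % (endpoint_type, serial, vip_serial))
    return findings


# ---- constructed sample input, not real PSC output ------------------------------------
def der_cert_skeleton(serial):
    """CONSTRUCTED: only the Certificate/tbsCertificate/version/serial prefix, which is all
    cert_serial_hex() reads. Real SSL trust values are complete DER certificates."""
    if serial[0] & 0x80:
        serial = b"\x00" + serial                # DER sign padding, as a real encoder emits it
    tbs = b"\xa0\x03\x02\x01\x02" + bytes([0x02, len(serial)]) + serial
    tbs = bytes([0x30, len(tbs)]) + tbs
    return bytes([0x30, len(tbs)]) + tbs


VIP_SERIAL = bytes.fromhex("d2d08efb8992593c")   # the serial shown on the page
GOOD_TRUST = base64.b64encode(der_cert_skeleton(VIP_SERIAL)).decode()
STALE_TRUST = base64.b64encode(der_cert_skeleton(bytes.fromhex("0102030405060708"))).decode()
VIP_PEM = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % GOOD_TRUST


def lstool_record(url, trust):
    return "                URL: %s\n                SSL trust: %s\n" % (url, trust)


LICENSE_PATHS = ["/ls/sdk", "/ls/ph/sdk", "/ls/healthstatus", "/ls/resourcebundle"]
GOOD_OUTPUT = "".join(lstool_record("https://psc-ha-vip.domain.com:443" + p, GOOD_TRUST)
                      for p in LICENSE_PATHS * 2)   # 4 per PSC, two PSCs
# Failure case: one endpoint was never re-registered and still carries node a1's URL and old cert.
BAD_OUTPUT = GOOD_OUTPUT.replace("https://psc-ha-vip.domain.com:443/ls/sdk",
                                 "https://psc-ha-a1.domain.com:443/ls/sdk", 1).replace(GOOD_TRUST, STALE_TRUST, 1)

if __name__ == "__main__":
    for label, text in (("healthy", GOOD_OUTPUT), ("stale", BAD_OUTPUT)):
        print(label, "->", check_endpoints(text, VIP_PEM, "cs.license", expected_count=8) or "OK")
```

To use it against a real deployment, save the lstool output per type (for example lstool.py list ... --type cs.identity > /tmp/cs.identity.txt) and the VIP certificate from the first step (/tmp/psc-ha-vip_validate.crt), then call check_endpoints(open("/tmp/cs.identity.txt").read(), open("/tmp/psc-ha-vip_validate.crt").read(), "cs.identity", 16). The script checks every distinct SSL trust value rather than relying on uniq, so a single endpoint still registered with an old node certificate shows up as its own finding instead of breaking the PEM decode.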


Next: Deploy vCenter Server 6.5 and other solutions
