Run the following command to use OpenSSL to connect to the PSC HA VIP, dump the certificate received and then print the certificate information to screen.
echo | openssl s_client -connect psc-ha-vip.domain.com:443 2>&1 | sed --quiet '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/psc-ha-vip_validate.crt; openssl x509 -in /tmp/psc-ha-vip_validate.crt -noout -text
The output should show the PSC HA VIP certificate, which contains all required FQDNs.
Make a note of the Serial Number value.
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d2:d0:8e:fb:89:92:59:3c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc-ha-a1.domain.com, OU=VMware Engineering
        Validity
            Not Before: Aug 26 10:03:00 2016 GMT
            Not After : Aug 24 10:03:00 2026 GMT
        Subject: C=IE, ST=Cork, L=Cork, O=VMware, OU=vTSU, CN=psc-ha-vip.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
    Signature Algorithm: sha256WithRSAEncryption
Get PSC Site ID
Connect to one of the PSCs participating in PSC HA.
Run the following command to return the Site ID:
python /usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url http://localhost:7080/lookupservice/sdk 2> /dev/null
For example:
python /usr/lib/vmidentity/tools/scripts/lstool.py get-site-id --url http://localhost:7080/lookupservice/sdk 2> /dev/null
pscha-a
Verify the cs.license endpoints
A total of 8 cs.license endpoints should be updated with the PSC HA VIP (4 per PSC). Run the following command to list the cs.license endpoints, passing in the site name recorded in the previous section.
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site site_name --type cs.license 2> /dev/null | grep URL
For example:
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site pscha-a --type cs.license 2> /dev/null | grep URL
URL: https://psc-ha-vip.domain.com:443/ls/sdk
URL: https://psc-ha-vip.domain.com:443/ls/ph/sdk
URL: https://psc-ha-vip.domain.com:443/ls/healthstatus
URL: https://psc-ha-vip.domain.com:443/ls/resourcebundle
URL: https://psc-ha-vip.domain.com:443/ls/resourcebundle
URL: https://psc-ha-vip.domain.com:443/ls/sdk
URL: https://psc-ha-vip.domain.com:443/ls/healthstatus
URL: https://psc-ha-vip.domain.com:443/ls/ph/sdk
Note: You will not see the URLs ending in /ls/ph/sdk if you have not enabled the CEIP (Customer Experience Improvement Program).
You can pipe the command to wc -l to count the endpoints.
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site pscha-a --type cs.license 2> /dev/null | grep URL | wc -l
8
Verify the cs.license SSL Trust
Run the following command to export and print the certificate information for the cs.license endpoint. The resulting certificate should be the PSC HA VIP certificate. Compare the Serial Number value with that of the earlier step. It should be identical.
echo "-----BEGIN CERTIFICATE-----" > /tmp/cs.license_endpoint.crt; echo | python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --site site_name --type cs.license 2> /dev/null | grep "SSL trust" | uniq | awk '{ print $3 }' >> /tmp/cs.license_endpoint.crt; echo "-----END CERTIFICATE-----" >> /tmp/cs.license_endpoint.crt; openssl x509 -in /tmp/cs.license_endpoint.crt -noout -text; rm /tmp/cs.license_endpoint.crt
For example:
echo "-----BEGIN CERTIFICATE-----" > /tmp/cs.license_endpoint.crt; echo | python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --site pscha-a --type cs.license 2> /dev/null | grep "SSL trust" | uniq | awk '{ print $3 }' >> /tmp/cs.license_endpoint.crt; echo "-----END CERTIFICATE-----" >> /tmp/cs.license_endpoint.crt; openssl x509 -in /tmp/cs.license_endpoint.crt -noout -text; rm /tmp/cs.license_endpoint.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d2:d0:8e:fb:89:92:59:3c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc-ha-a1.domain.com, OU=VMware Engineering
        Validity
            Not Before: Aug 26 10:03:00 2016 GMT
            Not After : Aug 24 10:03:00 2026 GMT
        Subject: C=IE, ST=Cork, L=Cork, O=VMware, OU=vTSU, CN=psc-ha-vip.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
    Signature Algorithm: sha256WithRSAEncryption
Verify the cs.identity endpoints
A total of 16 cs.identity endpoints should be updated with the PSC HA VIP (8 per PSC). Run the following command to list the cs.identity endpoints, passing in the site name recorded earlier.
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site site_name --type cs.identity 2> /dev/null | grep URL
For example:
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site pscha-a --type cs.identity 2> /dev/null | grep URL
URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
URL: https://psc-ha-vip.domain.com/openidconnect/vsphere.local/.well-known/openid-configuration
URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
URL: https://psc-ha-vip.domain.com/websso/SAML2/Metadata/vsphere.local
URL: https://psc-ha-vip.domain.com/sso-adminserver/idp
URL: https://psc-ha-vip.domain.com/sts/STSService/vsphere.local
URL: https://psc-ha-vip.domain.com/websso/HealthStatus
URL: https://psc-ha-vip.domain.com/idm
URL: https://psc-ha-vip.domain.com/sts/STSService/vsphere.local
URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
URL: https://psc-ha-vip.domain.com/sso-adminserver/sdk/vsphere.local
URL: https://psc-ha-vip.domain.com/websso/SAML2/Metadata/vsphere.local
URL: https://psc-ha-vip.domain.com/websso/HealthStatus
URL: https://psc-ha-vip.domain.com/sso-adminserver/idp
URL: https://psc-ha-vip.domain.com/openidconnect/vsphere.local/.well-known/openid-configuration
URL: https://psc-ha-vip.domain.com/idm
You can pipe the command to wc -l to count the endpoints.
python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost/lookupservice/sdk --site pscha-a --type cs.identity 2> /dev/null | grep URL | wc -l
16
Verify the cs.identity SSL Trust
Run the following command to export and print the certificate information for the cs.identity endpoint. The resulting certificate should be the PSC HA VIP certificate. Compare the Serial Number value with that of the earlier step. It should be identical.
echo "-----BEGIN CERTIFICATE-----" > /tmp/cs.identity_endpoint.crt; echo | python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --site site_name --type cs.identity 2> /dev/null | grep "SSL trust" | uniq | awk '{ print $3 }' >> /tmp/cs.identity_endpoint.crt; echo "-----END CERTIFICATE-----" >> /tmp/cs.identity_endpoint.crt; openssl x509 -in /tmp/cs.identity_endpoint.crt -noout -text; rm /tmp/cs.identity_endpoint.crt
For example:
echo "-----BEGIN CERTIFICATE-----" > /tmp/cs.identity_endpoint.crt; echo | python /usr/lib/vmidentity/tools/scripts/lstool.py list --url http://localhost:7080/lookupservice/sdk --site pscha-a --type cs.identity 2> /dev/null | grep "SSL trust" | uniq | awk '{ print $3 }' >> /tmp/cs.identity_endpoint.crt; echo "-----END CERTIFICATE-----" >> /tmp/cs.identity_endpoint.crt; openssl x509 -in /tmp/cs.identity_endpoint.crt -noout -text; rm /tmp/cs.identity_endpoint.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: d2:d0:8e:fb:89:92:59:3c
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=CA, DC=vsphere, DC=local, C=US, ST=California, O=psc-ha-a1.domain.com, OU=VMware Engineering
        Validity
            Not Before: Aug 26 10:03:00 2016 GMT
            Not After : Aug 24 10:03:00 2026 GMT
        Subject: C=IE, ST=Cork, L=Cork, O=VMware, OU=vTSU, CN=psc-ha-vip.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:psc-ha-a1.domain.com, DNS:psc-ha-a2.domain.com, DNS:psc-ha-vip.domain.com
    Signature Algorithm: sha256WithRSAEncryption
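The cs.license and cs.identity endpoint checks above (URL count, VIP host name, one SSL trust value) can be done in a single pass instead of by eye. This is an added example, not part of the original procedure or of lstool: check_endpoints, sample_ok and sample_stale are hypothetical names, and the sample input is constructed, containing only the "URL:" and "SSL trust:" lines the commands above grep for.

```shell
#!/bin/sh
# Usage: lstool.py list ... --type cs.license 2> /dev/null | check_endpoints VIP COUNT
# Returns 0 only if the URL count matches, every URL host is the VIP,
# and all endpoints carry one and the same "SSL trust" value.
check_endpoints() {
    awk -v vip="$1" -v expected="$2" '
        $1 == "URL:" {
            urls++
            host = $2
            sub("^[a-z]+://", "", host)   # drop the scheme
            sub("[/:].*$", "", host)      # drop port and path
            if (host != vip) { stale++; print "not on VIP: " $2 }
        }
        # Count distinct trust values; unlike uniq, this does not
        # require duplicates to be on adjacent lines.
        $1 == "SSL" && $2 == "trust:" && !($3 in seen) { seen[$3] = 1; trusts++ }
        END {
            if (urls + 0 != expected + 0) {
                print "found " (urls + 0) " URLs, expected " expected; bad = 1
            }
            if (trusts + 0 != 1) {
                print "distinct SSL trust values: " (trusts + 0); bad = 1
            }
            if (stale + 0 > 0) bad = 1
            exit bad + 0
        }'
}

# Constructed sample input with placeholder trust strings (not real certificates).
sample_ok() {
    cat <<'EOF'
    URL: https://psc-ha-vip.domain.com:443/ls/sdk
    SSL trust: PLACEHOLDERVIPCERT
    URL: https://psc-ha-vip.domain.com:443/ls/healthstatus
    SSL trust: PLACEHOLDERVIPCERT
EOF
}
sample_stale() {
    cat <<'EOF'
    URL: https://psc-ha-vip.domain.com:443/ls/sdk
    SSL trust: PLACEHOLDERVIPCERT
    URL: https://psc-ha-a1.domain.com:443/ls/healthstatus
    SSL trust: PLACEHOLDERNODECERT
    URL: https://psc-ha-vip.domain.com:443/ls/sdk
    SSL trust: PLACEHOLDERVIPCERT
EOF
}

sample_ok | check_endpoints psc-ha-vip.domain.com 2 && echo "endpoints OK"
sample_stale | check_endpoints psc-ha-vip.domain.com 3 || echo "endpoints need attention"
```

A non-zero exit here means at least one endpoint still points at an individual PSC node or carries a different certificate, in which case the single-certificate export commands above would write more than one value into the .crt file.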