vSphere Plugin: vCenter Strong Security Mode Configuration

User Guides for VMware Solutions

Audience
Public
Content Type
User Guides
Source Type
Documentation

The Everpure vSphere plugin (5.3.10+) is compatible with Strong Security Mode in vCenter (8.0U2+). What is Strong Security Mode?

With an upcoming major release of vSphere, we will introduce the strong security mode for the vCenter, reflecting the security posture VMware recommends to our partners and customers to apply in their infrastructure mgmt. operations. The strong mode does not support SHA-1 as a cryptographic hash function. We recommend to replace it with the supported and more secure SHA-256. The strong mode also supports full SSL certificates as trust exchange mechanism, which may impact some vSphere APIs using certificate thumbprints as arguments, or as part of the API response. Such APIs may not be supported when the strong mode is switched on.
To be compatible with this mode, Everpure has taken the following steps in vSphere plugin 5.3.10 and later:
  • Updated instances of SHA-1 to SHA-256

  • Enabled TLS 1.2 and 1.3

  • Created the pureplugin certificate command space in the VMware appliance

  • Created the pureplugin certificate delete command space in the VMware appliance

    • If no registrations are present, the certificates are deleted and a new certificate will be created

  • Updated the pureplugin certificate create command space to support full certificate registration

    • If no registrations are present, the CLI will prompt the user for a certificate and key

The full certificate type is used for registration by default in vSphere 8.0U2 and later with vSphere plugin 5.3.10 and later.

To work with Strong Security Mode, no modifications are required to the current installation instructions. If there are issues with the certificates used on the vSphere plugin, deleting the certificate(s) and creating certificate(s) are now helpful options. Deleting and creating certificates is only functional if there are no registrations present on the vSphere plugin currently; to use them, remove the current registrations from the vSphere plugin's CLI.

Known issue with vCenters in Enhanced Linked Mode

vSphere 8.0.3 enforces full certificate verification instead of the previous thumbprint verification. The vSphere plugin needs to send a full certificate as part of its registration call to vSphere or vSphere won't let the plugin register.

When the plugin sends a full certificate instead of a thumbprint, vSphere does an additional check to ensure that the certificate subject, or one of the subject alternate names, matches the host the plugin passes for the manifest (i.e. https://plugin-ip-address:8443/plugin-manifest.zip).

Certs generated on older versions of the vSphere plugin do not have their subjects or SANs set correctly, so adding a new vSphere to them after updating runs into the issue where vCenter is unable to validate or connect with the plugin manifest.

This is a problem when using the vSphere Plugin with vCenter Servers running in Linked Mode. The issue will only allow the plugin re-registration to fail with the manifest error. To address this, do the following:

  • Unregister the plugin from all vCenters

  • From the appliance cli, run pureplugin certificate delete on the plugin OVA to reset the cert

  • Rerun pureplugin register for all vCenters

    • It is important to be consistent with the user of the --plugin-fqdn parameter when registering each vCenter. If it is used for one, it must be used for all