VMware vCenter Server STS certificate expiry monitoring in IBM Cloud Pak System

The VMware vCenter Server STS certificate tool helps you monitor the expiration of the VMware vCenter Server STS certificate.

VMware vCenter Server self-signed certificate

  • VMware vCenter Server Single Sign-On includes a Security Token Service (STS), which is a web service that issues, validates, and renews security tokens.
  • The VMware vCenter Server Single Sign-On Security Token Service (STS) signing certificate is an internal VMware certificate.
  • The STS authenticates you with your primary credentials, constructs a SAML token, and signs it with the STS signing certificate.

When the VMware vCenter Server services in IBM Cloud Pak System are down because the STS certificate was not renewed, manageability of virtual machines is lost, even though the virtual machines might still be running.

The VMware vCenter Server self-signed certificate expires every two years, which affects production instances.

The certificate is extended automatically for two years when the IBM Cloud Pak System version is upgraded. If you do not upgrade to the latest fix pack, the certificate expires. Without this monitoring, there is no other way to learn about the pending expiry, so you cannot renew the certificate in time.

This feature checks the certificate's expiry date and alerts system users in advance so that they can remediate the issue.

Monitoring VMware vCenter Server STS certificate expiry

  • The job checks the validity of the certificate for every hypervisor in the VMware vCenter Server and gets the number of days until expiry.
  • A warning event is displayed as follows:
    CWZIP1344W VMware STS certificate is going to expire in 90 days, Please engage IBM Cloud Pak System Support team to renew STS Certificate.
    When the STS certificate reaches the expiry threshold of 30 days, a Call Home critical event is raised every day. This event displays the following message:
    CWZIP1345E: Please renew STS certificate immediately. VMware STS certificate is going to expire in 30 days.
  • You can view the generated job and event in the IBM Cloud Pak System user interface, either from Problem determination > Job Queue or from Problem determination > Events.
  • The event is generated every day until the certificate expires. As a system administrator, you must contact IBM Support to renew the certificate.

Monitor events for the STS certificate

As an admin user, you can monitor the warning and critical events and take appropriate action to renew the STS certificate. At 30 days before expiry, the event is escalated to a Call Home critical event, which is generated daily until the certificate is renewed. A Call Home support ticket is also generated.

Check VMware vCenter Server certificate validity

You can check the certificate validity and also check the issued certificate from a web browser by accessing the VMware vCenter Server URL.

IBM Cloud Pak System job to monitor certificate expiry

An internal job, “monitor_VMwareSTSCertificate”, runs to monitor the certificate expiry. Because it is an internal job, it is visible only when you select the Display Internal Jobs option on the Problem determination > System > Job Queue page of the IBM Cloud Pak System user interface.

For example, see the following logs in the job:
pooljvm.1646992185141.25984 [03-11-22 09:50:53] 0031 virtual_management_instances.VMwareVCenterCLIHelper |         **INVALID** Please renew STS certificate, expires in 90 days.

pooljvm.1646992185141.25984 [03-11-22 09:50:53] 0031 virtual_management_instances.VMwareVCenterCLIHelper |        [] Certificate C5:88:A9:ED:45:A2:93:46:C3:F7:C6:13:98:4F:15:CA:E7:A8:DA:43 will expire in 90 days (10 years).

pooljvm.1646992185141.25984 [03-11-22 09:50:53] 0031 virtual_management_instances.VMwareVCenterCLIHelper |         **INVALID** Please renew STS certificate, expires in 90 days.

pooljvm.1646992185141.25984 [03-11-22 09:50:54] 0031 common.EventUtils | Raising WARNING/ALERT virtual management instance event CWZIP1344W for virtual management instance [id: cd30f188-74c2-40dd-84c8-c50a1c228ab6]

pooljvm.1646992185141.25984 [03-11-22 09:50:54] 0031 common.EventUtils | {created_time=1609588010777, updated_time=1646322151300, role=primary, type=virt_mgmt_node, physical_memory=[], vms_id=null, routes=[], name=pureVCenter-W2012R2, physical_cpus=[], options=, locations=[, 2e4b75b8-7331-463e-b238-53c64c6c6e4e], id=cd30f188-74c2-40dd-84c8-c50a1c228ab6, state=available, software_version=20191122.0000, vms_uuid=null, events=[], virtual_management_systems=74839bbe-e2f0-4497-bc0e-e0d2d2cf56c5, compute_nodes=[]}

pooljvm.1646992185141.25984 [03-11-22 09:50:54] 0031 com.ibm.purescale.event.EventRaiserHelper | raiseEvent Raising event: Parent Type, Virtual Management Instance Parent id, cd30f188-74c2-40dd-84c8-c50a1c228ab6 Detail:CWZIP1344W VMware STS certificate is going to expire in 90 days, Please engage IBM Cloud Pak System Support team to renew STS Certificate.
pooljvm.1646992185141.25984 [03-11-22 09:50:54] 0042 com.ibm.purescale.users.LdapService | <clinit> Optional /etc/purescale/ldap.properties not found
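The threshold logic described under "Monitoring VMware vCenter Server STS certificate expiry", applied to log lines in the shape shown above, as an added Python example that is not part of IBM Cloud Pak System or of the monitor job itself. It assumes the certificate's notAfter timestamp is already known (for example, from the browser certificate view) and uses a constructed log line with a placeholder fingerprint.

```python
import re
from datetime import date, datetime

# Thresholds stated on this page: warning at 90 days, Call Home critical at 30 days.
WARNING_DAYS = 90
CRITICAL_DAYS = 30

# Constructed sample line in the shape of the job log above; the fingerprint is a placeholder.
SAMPLE_LOG_LINE = ("pooljvm.1646992185141.25984 [03-11-22 09:50:53] 0031 "
                   "virtual_management_instances.VMwareVCenterCLIHelper | [] Certificate "
                   "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD "
                   "will expire in 90 days (10 years).")

LOG_PATTERN = re.compile(r"Certificate ([0-9A-Fa-f:]+) will expire in (-?\d+) days")


def days_until_expiry(not_after_iso: str, today_iso: str) -> int:
    """Whole days from today until the certificate's notAfter date (negative once expired)."""
    not_after = datetime.fromisoformat(not_after_iso).date()
    today = date.fromisoformat(today_iso)
    return (not_after - today).days


def classify_expiry(days_left: int):
    """Map days-to-expiry onto the page's two events; None means no event is raised yet."""
    if days_left <= CRITICAL_DAYS:
        # Raised daily as a Call Home critical event until the certificate is renewed.
        state = "has expired" if days_left < 0 else f"is going to expire in {days_left} days"
        return ("CWZIP1345E", "CRITICAL",
                f"Please renew STS certificate immediately. VMware STS certificate {state}.")
    if days_left <= WARNING_DAYS:
        return ("CWZIP1344W", "WARNING",
                f"VMware STS certificate is going to expire in {days_left} days, "
                "Please engage IBM Cloud Pak System Support team to renew STS Certificate.")
    return None


def parse_expiry_from_log(line: str):
    """Extract (fingerprint, days_left) from a VMwareVCenterCLIHelper log line, or None."""
    match = LOG_PATTERN.search(line)
    if not match:
        return None
    return match.group(1), int(match.group(2))


def check_log_line(line: str):
    """Turn one log line into the event the monitor job would raise for it, or None."""
    parsed = parse_expiry_from_log(line)
    return classify_expiry(parsed[1]) if parsed else None


if __name__ == "__main__":
    print(days_until_expiry("2022-06-09T10:00:00", "2022-03-11"))
    print(check_log_line(SAMPLE_LOG_LINE))
```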

Remember: The automated VMware vCenter Server STS certificate expiry event alerts you in advance of the certificate's expiry so that you can take remedial action and production operations are not disrupted. However, you must engage with IBM Support to plan the certificate renewal.