Hello,
For about 2 weeks I have been struggling with this problem and have now become desperate enough to post it here.
When I want to register vShield Manager with vSphere SSO, it gives me the error "The SSL certificate of STS service cannot be verified".
Registering with vCenter 5.1 worked without problems, and using vShield is no problem either. I just can't integrate it with the Web Client and also can't use vCloud Director without registering it with SSO.
I replaced all the vSphere certificates according to this document: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2035011
I also installed an SSL certificate from the same intermediate CA on the vShield Manager, which worked without a problem (and it is using this certificate without complaining).
The root CA of all our certificates is our own Windows Server 2008 R2 CA. All vSphere certificates are from the same subordinate CA.
I don't understand why vShield Manager isn't complaining about the vCenter Server certificate or about its own certificate, which follow the same model and are from the same CA, but does not accept the STS certificate. The only difference is the name and the OU (and of course the fingerprint etc.).
From the logs:
2012-10-25 16:44:23.360 GMT INFO pool-25-thread-1 RegistrationProviderImpl:217 - Intializing registration provider...
2012-10-25 16:44:23.360 GMT INFO pool-25-thread-1 RegistrationProviderImpl:291 - Getting SSL certificates for https://vmcontrol1.vnet.net:7444/lookupservice/sdk
2012-10-25 16:44:23.846 GMT INFO pool-25-thread-1 RegistrationProviderImpl:291 - Getting SSL certificates for https://vmcontrol1.vnet.net:7444/sso-adminserver/sdk
2012-10-25 16:44:24.298 GMT INFO pool-25-thread-1 AdminClientImpl:151 - Client was created successfully
2012-10-25 16:44:25.141 GMT INFO pool-25-thread-1 SamlTokenImpl:215 - SAML token for subject {Name: vshield, Domain: System-Domain} successfully parsed from Element
2012-10-25 16:44:25.142 GMT INFO pool-25-thread-1 SecurityTokenServiceImpl:125 - Successfully acquired token for user: vshield
2012-10-25 16:44:25.560 GMT INFO pool-25-thread-1 AdminClientImpl:151 - Client was created successfully
2012-10-25 16:44:25.679 GMT INFO pool-25-thread-1 RegistrationProviderImpl:217 - Intializing registration provider...
2012-10-25 16:44:25.680 GMT INFO pool-25-thread-1 RegistrationProviderImpl:291 - Getting SSL certificates for https://vmcontrol1.vnet.net:7444/lookupservice/sdk
2012-10-25 16:44:26.160 GMT INFO pool-25-thread-1 RegistrationProviderImpl:291 - Getting SSL certificates for https://vmcontrol1.vnet.net:7444/sso-adminserver/sdk
2012-10-25 16:44:26.626 GMT INFO pool-25-thread-1 AdminClientImpl:151 - Client was created successfully
2012-10-25 16:44:27.273 GMT INFO pool-25-thread-1 SamlTokenImpl:215 - SAML token for subject {Name: VSM_SOLUTION_e29582c5-ee9d-4d78-82ec-9ae3ba1bd81c, Domain: System-Domain} successfully parsed from Element
2012-10-25 16:44:27.274 GMT INFO pool-25-thread-1 SecurityTokenServiceImpl:379 - Successfully acquired token for user: {Name: VSM_SOLUTION_e29582c5-ee9d-4d78-82ec-9ae3ba1bd81c, Domain: System-Domain}
2012-10-25 16:44:27.789 GMT INFO pool-25-thread-1 AdminClientImpl:151 - Client was created successfully
2012-10-25 16:44:29.207 GMT ERROR pool-25-thread-1 SoapBindingImpl:278 - The SSL certificate of STS service cannot be verified
com.vmware.vim.sso.client.impl.ssl.UntrustedSslCertificateException: The SSL certificate of STS service cannot be verified
at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.validateServerIdentityWithThumbprint(StsSslTrustManager.java:182)
at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.checkServerTrusted(StsSslTrustManager.java:80)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(Unknown Source)
at com.sun.xml.internal.ws.transport.http.client.HttpClientTransport.getOutput(Unknown Source)
at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.process(Unknown Source)
at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.processRequest(Unknown Source)
at com.sun.xml.internal.ws.transport.DeferredTransportPipe.processRequest(Unknown Source)
at com.sun.xml.internal.ws.api.pipe.Fiber.__doRun(Unknown Source)
at com.sun.xml.internal.ws.api.pipe.Fiber._doRun(Unknown Source)
at com.sun.xml.internal.ws.api.pipe.Fiber.doRun(Unknown Source)
at com.sun.xml.internal.ws.api.pipe.Fiber.runSync(Unknown Source)
at com.sun.xml.internal.ws.client.Stub.process(Unknown Source)
at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.doInvoke(Unknown Source)
at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.invoke(Unknown Source)
at com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage(SoapBindingImpl.java:131)
at com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage(SoapBindingImpl.java:82)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.sendRequest(SecurityTokenServiceImpl.java:672)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.executeRoundtrip(SecurityTokenServiceImpl.java:606)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireTokenByCertificate(SecurityTokenServiceImpl.java:372)
at com.vmware.vshield.vsm.sso.utils.SSOUtils.initializeSTSClients(SSOUtils.java:204)
at com.vmware.vshield.vsm.sso.utils.tasks.InitializeSSOTask.run(InitializeSSOTask.java:107)
at com.vmware.vshield.vsm.task.service.Worker.runtask(Worker.java:169)
at com.vmware.vshield.vsm.task.service.Worker.access$0(Worker.java:153)
at com.vmware.vshield.vsm.task.service.Worker$1.call(Worker.java:122)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
2012-10-25 16:44:29.215 GMT ERROR pool-25-thread-1 Worker:196 - BaseException thrown while executing task instance taskinstance-4359
com.vmware.vshield.vsm.sso.exceptions.STSClientInitializeException:
core-services:4004:Initialization of STS Clients failed.:The SSL certificate of STS service cannot be verified
at com.vmware.vshield.vsm.sso.utils.SSOUtils.initializeSTSClients(SSOUtils.java:212)
at com.vmware.vshield.vsm.sso.utils.tasks.InitializeSSOTask.run(InitializeSSOTask.java:107)
at com.vmware.vshield.vsm.task.service.Worker.runtask(Worker.java:169)
at com.vmware.vshield.vsm.task.service.Worker.access$0(Worker.java:153)
at com.vmware.vshield.vsm.task.service.Worker$1.call(Worker.java:122)
at java.util.concurrent.FutureTask$Sync.innerRun(Unknown Source)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
Caused by: com.vmware.vim.sso.client.exception.CertificateValidationException: The SSL certificate of STS service cannot be verified
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.sendRequest(SecurityTokenServiceImpl.java:680)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.executeRoundtrip(SecurityTokenServiceImpl.java:606)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireTokenByCertificate(SecurityTokenServiceImpl.java:372)
at com.vmware.vshield.vsm.sso.utils.SSOUtils.initializeSTSClients(SSOUtils.java:204)
... 9 more
I really hope you guys can help me. Since our beloved management does not want to spend money on "this tiny little detail issue", I am not allowed to open a case with VMware Support (I could really stick a fist into each of their faces for this!), so you are my only hope!
Many, many thanks in advance!
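A note on what the stack trace shows, with an added example that is not part of the post and not VMware code: the failing frame is StsSslTrustManager.validateServerIdentityWithThumbprint, i.e. the SSO client compares the thumbprint of the certificate the STS presents against a thumbprint it has on record, rather than validating the chain up to the CA. That is consistent with the behaviour described above: a certificate that chains to the same subordinate CA is accepted for vCenter and for vShield Manager itself (chain validation), while a replaced STS certificate fails when the recorded thumbprint is stale. The script below, written for this reply, reproduces that comparison offline: it unpacks a PEM bundle (leaf first, the order openssl s_client -showcerts prints), computes the thumbprint of each certificate, and reports whether a pinned value matches the leaf, matches another certificate in the chain (for instance the issuer), or matches nothing at all. The "certificates" are constructed opaque byte strings, not real X.509 data, and the function and variable names are this example's own.

```python
"""Thumbprint-pinning diagnostic for a TLS endpoint such as the vSphere SSO STS.

Constructed example: the DER "certificates" below are plain byte strings, not
real X.509 certificates, so everything runs offline. To use it for real, paste
the PEM bundle the STS endpoint returns (leaf first) into `bundle` and the
thumbprint the client has on record into `pinned`.
"""
import base64
import hashlib
import re
from typing import List

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def der_to_pem(der: bytes) -> str:
    """Wrap DER bytes in PEM armour using 64-character base64 lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER]) + "\n"


def pem_bundle_to_ders(bundle: str) -> List[bytes]:
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle,
    in the order they appear (leaf first for a server-sent chain)."""
    pattern = re.compile(re.escape(PEM_HEADER) + r"(.*?)" + re.escape(PEM_FOOTER), re.S)
    return [base64.b64decode("".join(block.split())) for block in pattern.findall(bundle)]


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of the DER bytes.
    Defaults to SHA-1 (assumed here to be the format the tooling of that
    period displays); pass "sha256" to compare a SHA-256 fingerprint."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Make thumbprints comparable regardless of case, colons or spaces."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def check_pinned_thumbprint(bundle: str, pinned: str, algorithm: str = "sha1") -> dict:
    """Compare the leaf certificate in `bundle` against a recorded thumbprint.

    Returns:
      leaf_thumbprint: what the endpoint presents now
      matches:         True only if the pinned value equals the leaf thumbprint
      matched_index:   index of the chain certificate the pinned value matches
                       (0 = leaf, 1 = issuer, ...), or None if it matches none,
                       which points at a pin taken from a since-replaced certificate
    """
    ders = pem_bundle_to_ders(bundle)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found in bundle")
    prints = [normalize_thumbprint(thumbprint(d, algorithm)) for d in ders]
    wanted = normalize_thumbprint(pinned)
    matched = next((i for i, p in enumerate(prints) if p == wanted), None)
    return {
        "leaf_thumbprint": thumbprint(ders[0], algorithm),
        "matches": matched == 0,
        "matched_index": matched,
    }


# Constructed chain, leaf first then issuer, as a server would send it.
LEAF_DER = b"constructed-new-sts-leaf-certificate-bytes"
ISSUER_DER = b"constructed-subordinate-ca-certificate-bytes"
OLD_LEAF_DER = b"constructed-old-sts-leaf-certificate-bytes"
SAMPLE_BUNDLE = der_to_pem(LEAF_DER) + der_to_pem(ISSUER_DER)

if __name__ == "__main__":
    # A pin recorded before the STS certificate was replaced: fails as in the post.
    print("stale pin ->", check_pinned_thumbprint(SAMPLE_BUNDLE, thumbprint(OLD_LEAF_DER)))
    # A pin that was taken from the issuer rather than the leaf: also fails, but
    # matched_index tells you which certificate it actually corresponds to.
    print("issuer pin ->", check_pinned_thumbprint(SAMPLE_BUNDLE, thumbprint(ISSUER_DER)))
    # A pin refreshed from the certificate the STS presents now: passes.
    print("fresh pin ->", check_pinned_thumbprint(SAMPLE_BUNDLE, thumbprint(LEAF_DER).lower()))
```

The practical reading of the result is the caveat a chain-based mental model misses: a thumbprint pin does not care which CA issued the certificate, so a replaced certificate from the same subordinate CA still fails until the recorded thumbprint is refreshed from the certificate the STS presents now, and matched_index shows whether the value on record belongs to an older leaf (no match) or to the wrong certificate in the chain.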