A Little Known Security Feature in vCenter: Certificate Based Authentication
Although we are all familiar with the username and password based login to VMware vSphere, it is also possible to log in to vSphere with just a certificate. If you are a third party vendor, either an IHV (independent hardware vendor) or an ISV (independent software vendor), certificate based login is actually a better and preferred alternative to using a username and password.
Let me explain why it’s the case, and how it can be done painlessly.
First, why is a certificate a better option than a username and password?
- Certificates offer stronger authentication than a username and password. A password is short, typed by a human and easily captured by a glance over the shoulder or a keylogger. The private key behind a certificate is a long random value that is never typed and never sent to the server, so there is nothing to glimpse or memorize. It still has to be protected like any other secret: a key file that can be copied is worth as much as a password.
- It is not a good idea to store a password alongside your application, yet many applications do it anyway. Worse, the stored credentials are often for root or administrator accounts. Nobody sets out to ship an insecure product; it is done for convenience, so that users are not asked for the password again and again.
- vCenter passwords change over time, and when they do the old password stops working. Any application holding that password has to be updated accordingly, or it breaks. A certificate does not have this problem: once it is registered with vCenter it keeps working through every password rotation, until the certificate itself expires or is replaced (so do keep an eye on its validity period). That is a big plus from a maintenance point of view.
With these in mind, I think every customer should ask for certificate based authentication from any third party server application, for better security and easier maintenance. VMware partners may want to seriously consider leveraging this feature of vCenter.
At this point, I hope we all agree that this is the direction to go. Now let's take a look at how to do it with the vSphere APIs. This is going to be a bit techy, so bear with me.
Before we dig into the code, let's be clear that certificate login only works with vCenter servers, not with ESXi hosts. For the very first connection, a username and password are still needed so that the certificate can be registered with vCenter; the certificate is registered against an extension, and the extension key (the extKey in the snippet below) identifies it. For every login to vSphere afterwards, only that certificate is needed.
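As an added example of that one-time registration step (this is not code from the original post or from vijavaNG), here it is written against the open-source vijava API (com.vmware.vim25.mo), which exposes the vSphere ExtensionManager. The client certificate is read from the same kind of JKS keystore the snippet below uses and converted to PEM, which is the form ExtensionManager.setExtensionCertificate expects. The vCenter URL, administrator name, extension key, keystore alias and password are assumptions for the example; the administrator password is taken from the command line.

```java
// Added example, not from the original post or from vijavaNG.
// Uses the open-source vijava API (com.vmware.vim25.mo.*).
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Calendar;

import com.vmware.vim25.Description;
import com.vmware.vim25.Extension;
import com.vmware.vim25.mo.ExtensionManager;
import com.vmware.vim25.mo.ServiceInstance;

public class RegisterExtensionCert {
    // All of these values are assumptions for the example.
    static final String VC_URL = "https://vc.doublecloud.net/sdk";
    static final String ADMIN_USER = "administrator";
    static final String EXT_KEY = "com.doublecloud.example";
    static final String KEYSTORE = "mykeystore.jks";
    static final String KEY_ALIAS = "mykey";
    static final char[] KEYSTORE_PASSWORD = "doublecloud".toCharArray();

    /** Read the client certificate from the JKS keystore and render it as PEM. */
    static String certificatePem(String path, String alias, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias " + alias);
        }
        // Fail here rather than at the first certificate login months later.
        cert.checkValidity();
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes("US-ASCII"))
                           .encodeToString(cert.getEncoded());
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n";
    }

    public static void main(String[] args) throws Exception {
        String pem = certificatePem(KEYSTORE, KEY_ALIAS, KEYSTORE_PASSWORD);

        // One-time bootstrap: an administrator logs in with username and password.
        // ignoreCert=true skips checking the vCenter server certificate; use false
        // with a proper trust store anywhere outside a lab.
        ServiceInstance si = new ServiceInstance(new URL(VC_URL), ADMIN_USER, args[0], true);
        try {
            ExtensionManager em = si.getExtensionManager();
            if (em.findExtension(EXT_KEY) == null) {
                Extension ext = new Extension();
                ext.setKey(EXT_KEY);
                ext.setVersion("1.0");
                ext.setLastHeartbeatTime(Calendar.getInstance());
                Description d = new Description();
                d.setLabel("Example extension");
                d.setSummary("Certificate based login example");
                ext.setDescription(d);
                em.registerExtension(ext);
            }
            // Bind the certificate to the extension key. From now on a client that
            // presents this certificate over the SDK tunnel can log in as the
            // extension without a password.
            em.setExtensionCertificate(EXT_KEY, pem);
        } finally {
            si.getServerConnection().logout();
        }
    }
}
```

Run it once as an administrator (for example `java RegisterExtensionCert 'admin-password'`); after that the password is no longer needed, and it should not be kept anywhere near the application. If the certificate in the keystore is ever replaced, run the registration again with the new one.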
The following code snippet illustrates how you can use a certificate to authenticate with vCenter using vijavaNG (the vijavaNG classes KeyMgrFactoryUtil and ServiceInstance come from that library; extKey is the extension key the certificate was registered under, and SDK_TUNNEL_URI is the vCenter SDK tunnel endpoint, which VMware's SDK documentation gives as https://sdkTunnel:8089/sdk):
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import javax.net.ssl.KeyManagerFactory;
...
char[] password = "doublecloud".toCharArray();
// load the client keystore that holds the registered certificate and its private key
InputStream is = KeyMgrFactoryUtil.getStreamFromJar("mykeystore.jks");
KeyManagerFactory kmFactory = KeyMgrFactoryUtil.createKeyMgrFactory(is, password);
// the certificate login goes through vCenter's HTTP proxy on port 80 into the SDK tunnel
Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress("vc.doublecloud.net", 80));
ServiceInstance serviceInstance = new ServiceInstance(new URL(SDK_TUNNEL_URI), extKey, true,
        ServiceInstance.VIM25_NAMESPACE, kmFactory, proxy);
...
After the ServiceInstance object is created, you can use it exactly as you would one created with a username and password. Note that vCenter handles this login through the SDK tunnel, reached via an HTTP proxy on the vCenter server. That is a fairly complicated topic that deserves its own post.