Channel: VMware Communities: Message List

How to register a plugin using the vCenter Extension vService


I'm having some trouble getting this to work and I was hoping that someone could tell me if I'm going about this the wrong way.

 

I'm using vCenter 5.0 running on Windows 2008 and a CentOS VM that was created using VMware Studio 2.1 (with the OVF file modified by hand, post-build).

 

What I've got so far:

 

(Following the instructions at http://pubs.vmware.com/vsphere-50/index.jsp?topic=/com.vmware.vsphere.ext_solutions.doc_50/GUID-22078B3C-F9ED-4069-97C2-779E51C591D7.html )

1. Create OVF with vCenter Extension vService called out as a dependency.

2. Create a script in my VM that reads the evs:token from the OVF environment and calls the registerExtension method and passes in the key for my plugin as well as a PEM encoded copy of my public key.

 

These two steps succeed and I try to move on to updating the extension with all the implementation details.

 

3. I now try to connect to vCenter and use the LoginExtensionByCertificate method on the SessionManager to authenticate my extension, but I receive back the error:

Exception in thread "main" AxisFault
faultCode: ServerFaultCode
faultSubcode:
faultString: Client connected without supplying a certificate.
faultActor:
faultNode:
faultDetail:
{urn:vim25}NoClientCertificateFault:null

 

If I use Wireshark, I can see that this isn't a lie. My Java code isn't sending the client certificate up to vCenter... but I also see that vCenter doesn't include a CertificateRequest in their half of the SSL handshake, which is why it's not being sent up.

 

To troubleshoot this I tried using the openssl s_client tool to determine what was going on. Connecting to port 443 on the vCenter host will never request my client certificate, whether I supply one to the openssl tool or not. My next step was to go to the Tomcat instance on the vCenter Server and adjust the connector definition for port 8443 (this appears to be where vpxd proxies sdk calls to, but I may be wrong) and turn on clientAuth for it. If I now connect to port 8443 on the vCenter host using the openssl s_client tool, it does request my client certificate. Unfortunately, this doesn't change the behavior at all for connections to port 443.

 

Does anyone know if there is a step that I am missing or some configuration option that may need to be changed in order for this to work?

 

If you need more information or an example of the code that I'm using, I can supply that as well, but it is essentially the same as the eam sample code.
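
The check made by eye in Wireshark above (does the server's half of the handshake contain a CertificateRequest?) can be scripted against captured bytes. The following is an added example, not code from the original post or from VMware; it assumes TLS 1.0 to 1.2, where the server's first flight is cleartext, and the helper names and sample flights are constructed for illustration.

```python
import struct

# Handshake message types for TLS 1.0-1.2 (RFC 5246, section 7.4).
HANDSHAKE_TYPES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
                   13: "CertificateRequest", 14: "ServerHelloDone"}
CONTENT_HANDSHAKE = 22


def handshake_messages(stream):
    """Return the names of the cleartext handshake messages in a TLS byte stream."""
    payload, pos = bytearray(), 0
    # Pass 1: strip 5-byte record headers; messages may span or share records.
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        if ctype != CONTENT_HANDSHAKE:
            break  # ChangeCipherSpec or alert: later records are not cleartext handshake
        payload += body
        pos += 5 + length
    # Pass 2: walk the handshake headers (1-byte type, 3-byte length).
    names, pos = [], 0
    while pos + 4 <= len(payload):
        mtype = payload[pos]
        mlen = int.from_bytes(payload[pos + 1:pos + 4], "big")
        if pos + 4 + mlen > len(payload):
            raise ValueError("truncated handshake message")
        names.append(HANDSHAKE_TYPES.get(mtype, f"type_{mtype}"))
        pos += 4 + mlen
    return names


def requests_client_cert(stream):
    """True if the server asked for a client certificate in this flight."""
    return "CertificateRequest" in handshake_messages(stream)


def hs_msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def tls_record(payload, ctype=CONTENT_HANDSHAKE):
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload


# Constructed server flights with placeholder bodies (not a real capture).
FLIGHT_NO_REQUEST = tls_record(hs_msg(2, b"\x00" * 38) + hs_msg(11, b"\x00" * 10) + hs_msg(14))
FLIGHT_WITH_REQUEST = (tls_record(hs_msg(2, b"\x00" * 38) + hs_msg(11, b"\x00" * 10))
                       + tls_record(hs_msg(13, b"\x01\x01\x00\x00") + hs_msg(14)))
```

Feeding it the server-to-client bytes of a real capture (for example, a stream exported from Wireshark) gives the same answer for each port without reading the dissection by hand.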

