We recently upgraded to vCloud Director 10.6.1. With this upgrade, system alerts are generated for the SAML configuration of every organisation, even if it has never used SAML. Broadcom have an article on dealing with Expired SAML Certificate emails. The problem with this is that managing them requires you to log into every organisation, go to that organisation's administration page, renew the SAML certificate and then remove the old ones. The following is a PowerCLI script that loops through all the organisations, renews any expired SAML certificates and removes the unused ones (it will not touch any custom certificates uploaded by a tenant). This does not cover the "SYSTEM" tenant.
Run this section first to create credentials to Login:
$VCD = "Insert VCD name here"
$api_version = "39.1" # give an API version the vCD server accepts
$creds = Get-Credential #username@system
Run this to connect to vCloud Director and loop through all the organisations. It only renews a certificate if it has already expired (at which point SAML for that organisation is broken anyway), and it only removes certificates from the tenant library that are not bound to any service and have "SAML" in the alias.
$user = $creds.UserName # the username@system account entered at the Get-Credential prompt
$UnsecurePassword = $creds.GetNetworkCredential().Password
$pair = "${user}:${UnsecurePassword}"
$bytes = [System.Text.Encoding]::ASCII.GetBytes($pair)
$base64 = [System.Convert]::ToBase64String($bytes)
$basicAuthValue = "Basic $base64"
$webdataheaders = @{"Accept" = "application/*;version=$api_version"; "Authorization" = "$basicAuthValue"}
$VCDLogin = Invoke-WebRequest -uri ("https://" + $VCD + "/cloudapi/1.0.0/sessions/provider") -Headers $webdataheaders -method POST -UseBasicParsing
$token = ($VCDLogin.headers.GetEnumerator() | Where-Object {$_.key -eq "X-VMWARE-VCLOUD-ACCESS-TOKEN"}).Value
$token_type = ($VCDLogin.headers.GetEnumerator() | Where-Object {$_.key -eq "X-VMWARE-VCLOUD-TOKEN-TYPE"}).Value
$webdataheaders = @{"Accept" = "application/*;version=$api_version"; "Authorization" = "$token_type $token"}
$orglist = Invoke-RestMethod -Uri $("https://" + $VCD + "/api/admin/orgs/query") -Method GET -Headers $webDataHeaders -UseBasicParsing
$orglist = $orglist.QueryResultRecords.orgrecord
foreach ($org in $orglist){
[xml]$federationdetail = Invoke-RestMethod -Uri ("https://" + $VCD + "/api/admin/org/$($org.href.split('/')[-1])/settings/federation") -Method GET -Headers $webDataHeaders -UseBasicParsing
$certexpiry = get-date -date $federationdetail.orgfederationsettings.certificateexpiration
if ($certexpiry -lt (get-date)){ #certificate has expired
# renew the certificate
Invoke-RestMethod -Uri ("https://" + $VCD + "/api/admin/org/" + $($org.href.split('/')[-1]) + "/settings/federation/action/regenerateFederationCertificate") -Method POST -Headers $webDataHeaders -UseBasicParsing
write-host "$($org.name) has expired certificate and will be replaced"
}
# The certificate library must be queried in the tenant's context; without the extra context headers this call returns nothing. Once you have the item's id, the provider admin can delete it with the same headers.
$clientwebdataheaders = @{"Accept" = "application/*;version=$api_version"; `
"Authorization" = "$token_type $token"; `
"Referer" = "https://" + $VCD + "/tenant/$($org.name)/administration/certificate-management/certificate-library";
"x-vmware-vcloud-auth-context" = "$($org.name)";
"x-vmware-vcloud-tenant-context" = "$($org.href.split('/')[-1])"
}
$clientcerts = Invoke-RestMethod -Uri ("https://" + $VCD + "/cloudapi/1.0.0/ssl/certificateLibrary") -Method GET -Headers $clientwebdataheaders -UseBasicParsing
# Get the certificates under the client that have consumerCount of 0 (so not bound to anything, these can be deleted) and have SAML in the name
$certstoremove = $clientcerts.values | where {$_.consumerCount -eq 0 -and $_.alias -like "*SAML*"}
if ($certstoremove){ # there are items to delete
foreach ($certtodelete in $certstoremove){
write-host "Removing unused SAML certificate $($certtodelete.alias)"
$delete = Invoke-RestMethod -Uri ("https://" + $VCD + "/cloudapi/1.0.0/ssl/certificateLibrary/" + $certtodelete.id) -Method DELETE -Headers $clientwebdataheaders -UseBasicParsing
}
}
}
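As an added example (not from the original post), here is a read-only report of every organisation's SAML certificate expiry and unused "SAML" library entries, so the state can be reviewed before the renew-and-delete loop runs; it goes a step beyond the script above by also flagging certificates that are close to expiry. It assumes $VCD, $api_version, $token_type and $token are already set by the login section above; Get-VcdSamlCertReport and its -WarnDays threshold are names I chose.

```powershell
# Added example, not part of the original script. Assumes $VCD, $api_version,
# $token_type and $token come from the login section above.
function Get-VcdSamlCertReport {
    param([int]$WarnDays = 30)   # flag certificates that expire within this many days

    $headers = @{ "Accept" = "application/*;version=$api_version"; "Authorization" = "$token_type $token" }
    $orgs = (Invoke-RestMethod -Uri ("https://" + $VCD + "/api/admin/orgs/query") -Method GET -Headers $headers -UseBasicParsing).QueryResultRecords.orgrecord

    foreach ($org in $orgs) {
        $orgId = $org.href.split('/')[-1]

        # Federation settings carry the expiry date of the org's own SAML signing certificate
        [xml]$fed = Invoke-RestMethod -Uri ("https://" + $VCD + "/api/admin/org/$orgId/settings/federation") -Method GET -Headers $headers -UseBasicParsing
        $expiry   = Get-Date -Date $fed.orgfederationsettings.certificateexpiration
        $daysLeft = [int][math]::Floor(($expiry - (Get-Date)).TotalDays)
        $status   = if ($daysLeft -lt 0) { "Expired" } elseif ($daysLeft -le $WarnDays) { "ExpiringSoon" } else { "OK" }

        # Same tenant-context headers the cleanup loop needs in order to see the tenant's certificate library
        $tenantHeaders = $headers.Clone()
        $tenantHeaders["Referer"] = "https://" + $VCD + "/tenant/$($org.name)/administration/certificate-management/certificate-library"
        $tenantHeaders["x-vmware-vcloud-auth-context"]   = $org.name
        $tenantHeaders["x-vmware-vcloud-tenant-context"] = $orgId
        $library = Invoke-RestMethod -Uri ("https://" + $VCD + "/cloudapi/1.0.0/ssl/certificateLibrary") -Method GET -Headers $tenantHeaders -UseBasicParsing
        $unused  = @($library.values | Where-Object { $_.consumerCount -eq 0 -and $_.alias -like "*SAML*" })

        # One row per organisation; nothing is renewed or deleted here
        [pscustomobject]@{
            Org             = $org.name
            CertExpires     = $expiry
            DaysLeft        = $daysLeft
            Status          = $status
            UnusedSamlCerts = ($unused.alias -join ", ")
        }
    }
}

# Usage: run the login section first, then review the report before running the cleanup loop
Get-VcdSamlCertReport -WarnDays 30 | Sort-Object DaysLeft | Format-Table -AutoSize
```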