...
The vCenter Single Sign-On (SSO) server is normally managed through the vSphere Web Client. A command line interface is also available for troubleshooting or configuring SSO when the Web Client cannot be used. This article is a reference for the command line options of the Single Sign-On server.
The rsautil command is used to troubleshoot Single Sign-On and is located in:

  Windows: C:\Program Files\VMware\Infrastructure\SSOServer\utils
  Linux:   /usr/lib/vmware-sso/utils

Command: rsautil argument

Options:
  -h, -?, --help - Display rsautil options in the command line
  -v, --version - Display the product version
  -S, --script-exit - Exit with an error code to facilitate scripting
  -X, --debug - Display the value of environment variables (RSA_IMS_HOME, JAVA_HOME, etc.)
  -g, --generate-classpath - Generate classpath.jar with a classpath manifest to locate third-party JAR files
  -l, --list - Display a list of available command line utilities

Running rsautil with the -l option lists these command line utilities:
  configure-riat - Install and configuration utility
  manage-identity-sources - Manage identity sources
  manage-oc-administrators - Manage users
  manage-secrets - Manage secrets
  reset-admin-password - Reset administrator password

Configuring RIAT

Command: rsautil configure-riat argument

Options:
  -h, --help - Display help and exit. If -a/--action is specified, the usage for that action is printed
  -X, --debug - Log verbose messages in the log file
  -S, --script-mode - Do not prompt for missing passwords
  -s, --silent - Do not print progress messages to the console
  -v, --version - Display the version and copyright information
  -a, --action - One of:
    install - Install and configure RIAT
    uninstall - Uninstall RIAT
    configure-db - Update server database connection settings
    configure-ssl - Update server SSL settings
    configure-sts - Update security token service (STS) settings
    discover-is - Discover identity source(s) (Windows only)
    user-cert - Generate or update the user's certificate
    create-instance-pkg - Create a package for installing a new RIAT instance

Note: This utility does not prompt for missing arguments except for passwords.
Managing identity sources

Command: rsautil manage-identity-sources -a action [-u username [-p password]]

Options:
  -h, --help - Display help
  -X, --debug - Display debug messages
  -v, --version - Display the version and copyright information
  -S, --script-mode - Do not prompt for missing arguments, just fail
  -u, --user - Super administrator's user name, entered without @system-domain
  -p, --password - Super administrator's password
  -a, --action - Must be present and one of:
    create - Create a new identity source
    delete - Delete an existing identity source
    list - Display all identity sources

create arguments:
  -r, --url - Primary URL for the identity source
  -f, --failover-url - Optional failover URL
  -L, --ldap-user - Optional LDAP account user name. For Active Directory, specify the user in user@domain format
  -P, --ldap-password - Optional LDAP administrative account password
  -d, --domain - Fully qualified domain name associated with this identity source
  -l, --alias - Optional alias associated with this identity source
  --principal-base-dn - Optional principal base DN (needed if the group base DN is specified). Default: discovered
  --group-base-dn - Optional group base DN (needed if the principal base DN is specified). Default: discovered
  --cert-path - Optional root CA certificate path for SSL connections. Default: discovered (Active Directory)
  --ldap-port - Optional for SSL connections. Non-SSL port if different from the standard (389). Used for root CA certificate discovery (Active Directory)
  --use-gssapi - Optional and only relevant to Active Directory. If specified, the connection to AD uses GSSAPI. Default: false
  --open-ldap - Optional and only relevant to LDAP servers. If specified, the identity source type is OpenLDAP; otherwise it is Active Directory when --url starts with "ldap". Default: false

delete argument:
  -g, --guid - GUID of the identity source to delete

Note: A password given on the command line (-p, -P) is visible to other users in the process list and is kept in the shell history. Omit the password options and run without -S to have rsautil prompt for them instead.

Managing OC administrators

Command: rsautil manage-oc-administrators -a action [-g groups] [-n] [username [password]]

Options:
  -h, --help - (optional) Display help
  -X, --debug - (optional) Display debug messages
  -v, --version - (optional) Display the version and copyright information
  -S, --script-mode - (optional) Do not prompt for missing arguments, just fail
  -a, --action - (required) Must be present and one of:
    create - Create a new user
    update - Update an existing user with a new password
    delete - Delete an existing user. The last user cannot be deleted
    list - Display all users
    reload - Reload all users from the database
  -u, --user - (required) Super administrator's user name
  -p, --password - (required) Super administrator's password
  -g, --groups - (optional) Comma-separated list of group names to assign the user to
  -r, --remove-groups - (optional) Comma-separated list of group names to remove the user from
  -n, --not-empty - (optional) Prevent the specified list of groups from having zero members
  -d, --default-none - (optional) Make the user have no default group association
  -D, --disable-password - (optional) Make the user have no password
  username - (required) User name to create, update, or delete
  password - (required) Password for the user to create or update
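The following is an added example and not part of the VMware article: a small shell wrapper that checks an identity source definition before handing it to rsautil manage-identity-sources -a create, and that leaves -p and -P out so rsautil prompts for the two passwords (the same consideration applies to the -p option of manage-oc-administrators). The rsautil path is the Linux location given above; the ldaps:// and --cert-path policy, the helper names, and the host names and file paths are assumptions of the example, not requirements of the tool.

```shell
#!/bin/sh
# Added example, not from the VMware article: build and sanity-check an
# "rsautil manage-identity-sources -a create" command line before running it.
# Assumptions (ours): the rsautil path below (the Linux location from the article)
# and the policy that bind credentials must travel over ldaps:// with an explicit
# root CA rather than a discovered one. Host names and paths used are made up.

RSAUTIL="${RSAUTIL:-/usr/lib/vmware-sso/utils/rsautil}"

# shquote STRING -> STRING wrapped in single quotes, safe to paste into a shell.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# ldap_url_scheme URL -> prints ldaps, ldap, or nothing for an unrecognised URL.
ldap_url_scheme() {
    case "$1" in
        ldaps://*) printf 'ldaps' ;;
        ldap://*)  printf 'ldap' ;;
    esac
}

# check_identity_source URL LDAP_USER CERT_PATH -> 0 if the combination is acceptable.
# Plain ldap:// is allowed only for anonymous (no bind user) sources; ldaps:// must
# come with a root CA file so the trust anchor is pinned rather than discovered.
check_identity_source() {
    case "$(ldap_url_scheme "$1")" in
        ldaps)
            if [ -z "$3" ]; then
                echo "ldaps:// URL without --cert-path: pin the root CA instead of trusting discovery" >&2
                return 1
            fi ;;
        ldap)
            if [ -n "$2" ]; then
                echo "refusing to send the bind password for $2 over plain ldap://" >&2
                return 1
            fi ;;
        *)
            echo "unrecognised identity source URL: $1" >&2
            return 1 ;;
    esac
}

# build_create_cmd DOMAIN URL [LDAP_USER] [CERT_PATH] [ALIAS] -> prints the command line.
# -p and -P are deliberately absent: without -S, rsautil prompts for them, which keeps
# the SSO admin and LDAP bind passwords out of `ps` output and shell history.
build_create_cmd() {
    check_identity_source "$2" "$3" "$4" || return 1
    cmd="$(shquote "$RSAUTIL") manage-identity-sources -a create -d $(shquote "$1") -r $(shquote "$2")"
    [ -n "$3" ] && cmd="$cmd -L $(shquote "$3")"
    [ -n "$4" ] && cmd="$cmd --cert-path $(shquote "$4")"
    [ -n "$5" ] && cmd="$cmd -l $(shquote "$5")"
    printf '%s\n' "$cmd"
}

# Example (made-up names):
#   build_create_cmd corp.example ldaps://dc01.corp.example:636 svc-sso@corp.example /etc/ssl/corp-root.pem CORP
```

Run the printed line with eval, or paste it into the console; because -S is not passed, rsautil then prompts for the super administrator and LDAP bind passwords. The ldaps:// check encodes a policy rather than a tool requirement: the article says --cert-path defaults to discovery for Active Directory, which the wrapper treats as trust on first use and therefore insists on an explicit root CA file.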
Managing secrets

Command: rsautil manage-secrets [[-m password]|[-u username -p password]] -a action [-n|-N] [-F] [-f -k] [name [value]]

Options:
  -h, --help - Display help
  -X, --debug - Display debug messages
  -v, --version - Display the version and copyright information
  -S, --script-mode - Do not prompt for missing arguments, fail with messages
  -m, --master-password - Master password for the encrypted properties file
  -u, --user - User name for the encrypted properties file
  -p, --password - Password of the user for the encrypted properties file
  -a, --action - One of:
    import - Import a password-protected file into the system fingerprint encrypted file. See also the -f option
    export - Export the system fingerprint encrypted file to a password-protected file. See also the -f option
    change - Change the system fingerprint encrypted file password. See also the -n and -N options
    recover - Recover the system fingerprint encrypted file using the password
    load - Load a plain text properties file into the encrypted file
    list - Display all properties by English name
    listkeys - Display all properties by raw key name
    set - Set a property to the specified value
    get - Get the current value of the specified property
  -n, --new-password - New password for the change action
  -N, --new-master-pwd - New master password for the change action
  -f, --file - Password-protected file to import, export, or load
  -F, --force - Force overwrite of the admin credentials with the imported file
  -k, --file-password - Password to use with the specified file
  name - Name of the property to set or get
  value - Value of the property to set

Resetting the admin password

Command: rsautil reset-admin-password

This command updates the current admin password. For more information, see Unlocking and resetting the vCenter Single Sign On (SSO) administrator password (2034608).

You can also change the master password that was created during installation with rsautil manage-secrets -m. For example:

  rsautil manage-secrets -m VMware123! -a change -N VMware@12345

Note: This command requires the original master password and is used only for changing the master password. If you have forgotten the master password, reinstall vSphere Single Sign-On.

Other Single Sign-On commands

Command: repoint.cmd
Located in: C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool
Points vCenter Server to the SSO server and lookup service.

Command: client-repoint.bat
Located in: C:\Program Files\VMware\Infrastructure\vSphereWebClient\scripts
Registers the vSphere Web Client with the SSO server and lookup service.

For more information, see Repointing and reregistering VMware vCenter Server 5.1.x and components (2033620).
Running rsautil on the vCenter Server Appliance fails with the error:

  # /usr/lib/vmware-sso/utils/rsautil
  Error: JAVA_HOME or RSA_JAVA_HOME environment variable is not set, or '/bin/java' does not exist.

The '/bin/java' in the message is the path $JAVA_HOME/bin/java with JAVA_HOME empty. To fix it temporarily, set the JAVA_HOME variable:

  # export JAVA_HOME="/usr/java/jre-vmware"

This resolves the error until the next reboot, because the variable exists only in the current shell session.

To resolve the error permanently, add the variable to the root user's bash profile:
  1. In the root user's home directory, create a file named .bash_profile.
  2. Edit .bash_profile and add the line:
       export JAVA_HOME="/usr/java/jre-vmware"
  3. Save and close the file.

The variable is now set in every new login shell, so the change persists across reboots. Note that .bash_profile is read by login shells only; a shell started with su without the - option does not read it.
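An added example, not from the article: the JAVA_HOME fix above as shell functions that can be rerun safely and that fail instead of persisting a path with no Java behind it. The JRE path and the .bash_profile approach are the article's; the function names, the executable check, the duplicate-line guard and the permission tightening are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the VMware article: a checkable, repeatable version of the
# JAVA_HOME fix for rsautil on the vCenter Server Appliance. The JRE path and the
# .bash_profile location come from the article; the helper names, the duplicate-line
# guard and the chmod are ours.

JAVA_HOME_WANTED="${JAVA_HOME_WANTED:-/usr/java/jre-vmware}"

# java_home_ok DIR -> 0 if DIR/bin/java exists and is executable. With JAVA_HOME
# unset the path collapses to "/bin/java", which is what rsautil's error quotes.
java_home_ok() {
    [ -n "$1" ] && [ -x "$1/bin/java" ]
}

# ensure_profile_line FILE LINE -> append LINE to FILE unless an identical line is
# already there, so repeated runs do not pile up duplicates. Prints "added" or "present".
ensure_profile_line() {
    if [ -f "$1" ] && grep -qxF -- "$2" "$1"; then
        echo present
    else
        printf '%s\n' "$2" >>"$1"
        echo added
    fi
    # root's login shell executes this file, so nobody else may be able to write to it
    chmod go-w "$1"
}

# fix_java_home PROFILE -> export JAVA_HOME for this session and persist it in PROFILE.
# Refuses to persist a directory that does not actually contain bin/java.
fix_java_home() {
    if ! java_home_ok "$JAVA_HOME_WANTED"; then
        echo "no executable at $JAVA_HOME_WANTED/bin/java; locate the appliance JRE first" >&2
        return 1
    fi
    export JAVA_HOME="$JAVA_HOME_WANTED"
    ensure_profile_line "$1" "export JAVA_HOME=\"$JAVA_HOME_WANTED\""
}

# Usage on the appliance, as root (assuming root's home directory is /root):
#   fix_java_home /root/.bash_profile
```

After the call, rsautil works in the current session, and every later login shell for root picks the variable up from .bash_profile. The chmod matters because root's login shell executes whatever that file contains; a file writable by another account would let that account run commands as root at the next login.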