Refreshing Security Token Service (STS) Root Certificate in vSphere Web Client

This is one of the shortest blogs I have written so far; however, I have seen a lot of confusion around certificates in vSphere 6, so I thought I would write a quick one on this.

The vCenter Single Sign-On server includes a Security Token Service (STS). The Security Token Service is a Web service that issues, validates, and renews security tokens.

You can manually refresh the existing Security Token Service certificate from the vSphere Web Client when the certificate expires or changes.

You can replace the existing STS signing certificate from the vSphere Web Client if your company policy requires it, or if you want to update an expired certificate.

Procedure

1 Log in to the vSphere Web Client as administrator@vsphere.local or as another user with vCenter Single Sign-On administrator privileges.

Users with vCenter Single Sign-On administrator privileges are in the Administrators group in the vsphere.local domain.

2 Browse to Administration > Single Sign-On > Configuration.

3 Select the Certificates tab, then the STS Signing subtab, and click the Add STS Signing Certificate icon.

4 Click Browse to browse to the key store JKS file that contains the new certificate and click Open.

If the key store file is valid, the STS certificate table is populated with the certificate information.

5 Click OK.

The new certificate information appears on the STS Signing tab.

Finally, restart the vSphere Web Client service. All services are listed in the System Configuration area of Administration.

Port Mirroring in vSphere Distributed Switch (VDS)

In this blog, I will show how to configure and use the Port Mirroring functionality in the vSphere Distributed Switch.

Port mirroring is the capability of a network switch to send a copy of the network packets seen on one switch port to a network-monitoring device connected to another switch port. Port mirroring is also referred to as Switched Port Analyzer (SPAN) on Cisco switches. In VMware vSphere, a Distributed Switch provides a port mirroring capability similar to that of a physical network switch. After a port mirror session is configured with a destination—a virtual machine, a vmknic or an uplink port—the Distributed Switch copies packets to that destination.

In this blog I will use the Linux01 VM to capture and monitor the mirrored traffic of the Linux02 VM.

  1. In the vSphere Web Client, go to VM and Templates in the inventory tree and open the console of the Linux01 machine, which I will configure to capture the traffic from the Linux02 VM.
  2. Monitor the command output for a few seconds and verify that no ICMP traffic is being captured; tcpdump output remains silent until ICMP traffic is detected on the network.
  3. Leave the console window open, with the tcpdump command running uninterrupted.
  4. In the vSphere Web Client under VM and Templates, right-click the Linux02 virtual machine and select Power > Power On.
  5. After the Linux02 virtual machine starts, log in as root. The Linux02 virtual machine is used as the traffic source to be monitored.
  6. At the Linux02 command prompt, ping the default router. In my case the router is at 172.20.10.102.
  7. Go back to the Linux01 VM and click the Linux01 console tab.
  8. In the console window, verify that the tcpdump command is still running as before and has not captured any ICMP traffic.

Now I will configure the Distributed Switch for port mirroring.

  • In the Web Client on the left pane, click the Networking icon.
  • In the Networking inventory tree, select the dvs-Lab distributed switch.
  • In the middle pane, click the Manage tab and click the Settings tab.
  • Click the Port mirroring link.
  • In the Port mirroring panel, click the New link.


  • In the Add Port Mirroring Session dialog box, leave the Distributed Port Mirroring radio button selected and click Next.
  • Under Edit properties, select Enabled from the Status drop-down menu.
  • From the Normal I/O on destination ports drop-down menu, select Allowed.
  • Click Next.
  • Under Select sources, click the Select distributed ports icon.
  • In the Select Ports dialog box, select the check box for the row with a connected entity of Linux02 and click OK.
  • Click Next.
  • Under Select destinations, click the Select distributed ports icon.
  • In the Select Ports dialog box, select the check box for the row with a connected entity of Linux01 and click OK.
  • Click Next.
  • Under Ready to complete, review the settings and click Finish.
  • In the Firefox window, click the Linux02 console tab.
  • Verify that the ping command is still reaching the default router at 172.20.10.10.
  • In the Linux01 console, examine the tcpdump output in the terminal window.
  • The output looks similar to the following example.
  • You can now see that Linux01 (the destination) is receiving the mirrored ICMP pings from the Linux02 VM (the source).
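The check above is done by reading the tcpdump output by eye. As an added example (not code from the original post), the following POSIX shell script automates that check on the mirror destination: it counts the ICMP echo requests from the source VM and lists any other hosts whose echo requests also showed up, which would mean the session is seeing more than the one port it was scoped to. The capture interface name, the Linux02 address (172.20.10.52) and the third-host address (172.20.10.77) are assumptions; the router address 172.20.10.10 is the one used in the post, and the tcpdump lines are a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the original post: verify from the capture on
# the mirror destination (Linux01) that the session really delivers Linux02's
# ICMP traffic, and flag echo requests from hosts that should not be in it.
#
# On Linux01 a live capture would come from something like
#     tcpdump -i eth0 -n -c 20 icmp
# (the interface name is an assumption; the post does not show its command).
# A constructed tcpdump-style sample is used here instead of a live capture.

# Constructed sample. 172.20.10.10 is the router address from the post;
# 172.20.10.52 (assumed Linux02) and 172.20.10.77 (assumed third host) are
# made up for this example.
SAMPLE_CAPTURE='12:00:01.000100 IP 172.20.10.52 > 172.20.10.10: ICMP echo request, id 1, seq 1, length 64
12:00:01.000400 IP 172.20.10.10 > 172.20.10.52: ICMP echo reply, id 1, seq 1, length 64
12:00:02.000100 IP 172.20.10.52 > 172.20.10.10: ICMP echo request, id 1, seq 2, length 64
12:00:02.000400 IP 172.20.10.10 > 172.20.10.52: ICMP echo reply, id 1, seq 2, length 64
12:00:02.500000 IP 172.20.10.77 > 172.20.10.10: ICMP echo request, id 9, seq 1, length 64'

# count_icmp_requests_from SRC_IP
# Reads tcpdump lines on stdin and prints the number of ICMP echo requests
# whose source address is SRC_IP (field 3 of a tcpdump "IP" line).
count_icmp_requests_from() {
    awk -v src="$1" '
        $2 == "IP" && $3 == src && /ICMP echo request/ { n++ }
        END { print n + 0 }'
}

# mirror_is_working SRC_IP MIN_REQUESTS
# Succeeds (exit 0) when the capture on stdin holds at least MIN_REQUESTS echo
# requests from SRC_IP, i.e. the mirrored port's traffic is reaching us.
mirror_is_working() {
    n=$(count_icmp_requests_from "$1")
    [ "$n" -ge "$2" ]
}

# other_icmp_sources SRC_IP
# Prints each address other than SRC_IP that sent ICMP echo requests seen in
# the capture. A Distributed Port Mirroring session scoped to Linux02's port
# should produce none; any hit means the session (or the capture interface)
# sees more traffic than intended and the source selection should be reviewed.
other_icmp_sources() {
    awk -v src="$1" '
        $2 == "IP" && $3 != src && /ICMP echo request/ && !seen[$3]++ { print $3 }'
}

# Stand-alone run on the constructed sample; swap the printf for the tcpdump
# command above to run it against a live capture.
if printf '%s\n' "$SAMPLE_CAPTURE" | mirror_is_working 172.20.10.52 2; then
    echo "mirror OK: Linux02 echo requests reached the destination port"
else
    echo "mirror NOT working: no Linux02 echo requests seen"
fi
echo "unexpected ICMP senders (should be empty):"
printf '%s\n' "$SAMPLE_CAPTURE" | other_icmp_sources 172.20.10.52
```

On the sample the script reports the mirror as working (two echo requests from 172.20.10.52) and lists 172.20.10.77 as an unexpected sender, which is the kind of result that should send you back to the Select sources step to confirm only the intended distributed port is selected.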