Configuring SAN certificates for vRA instances where the IaaS server domain names differ from the load balancer domain
search cancel

Configuring SAN certificates for vRA instances where the IaaS server domain names differ from the load balancer domain

book

Article ID: 301231

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

In some configurations the domain portion of the IaaS server's individual FQDNs differ from the load balancing FQDN. In such case, when generating the certificate for the web server role, the certificate should contain both the load balancing FQDN and the server's FQDNs as Subject Alternative Names.
 
On some occasions, a SAN certificate cannot be generated and a wildcard certificate representing only the domain of the load balancing FQDN must be used.

For Example:

vRealize Automation Appliance FQDN: appliance01.external.domain.com
vRealize Automation Appliance LB FQDN: vra.external.domain.com
vRealize Automation Web Server FQDN: web01.internal.domain.com
vRealize Automation Web Server LB FQDN: web.external.domain.com
Certificate Subject CN: *.external.domain.com


Environment

VMware vRealize Automation 7.3.x

Cause

The certificate used for Web Server load balancing should contain FQDNs of all the web servers present in the configuration as described. For more information, refer to Certificate Trust Requirements in a Distributed Deployment section of Installing or upgrading vRealize Automation 7.2 Guide .

Resolution

This issue can be resolved by changing the Primary DNS Suffix of each Web server while preserving domain membership. While the proposed solution is assuming there is Microsoft Active Directory in use, it may successfully be applied against other LDAP solutions. For more information consult the documentation of your LDAP solution.

To resolve this issue:
  1. Create DNS entries for each web server in the DNS zone responsible for the domain for which the certificate was issued

    For example: web01.external.domain.com
  2. If vRA Management Agents are installed on the web server machines, uninstall each one of them.
  3. Edit the msDS-AllowedDNSSuffixes attribute in the domain object container in Active Directory so that it includes the domain the load balancing FQDN belongs to. For example: external.domain.com.

    For more information, see the Microsoft TechNet article Configure the Primary DNS Suffix for a client Computer.
     
  4. Change the DNS suffix search list to include the domain the load balancing FQDN belongs to. For example: external.domain.com.

    For more information, see the Microsoft TechNet article Create a Disjoint Namespace .
     
  5. Change the default DNS Suffix of each Web server machine. For example: web01.external.domain.com

    For more information, see the Microsoft TechNet article Configure the Primary DNS Suffix for a Client Computer.
     
  6. Install vRA Management Agent on each web server.
  7. Confirm that the new Management Agent installations report to vRA appliances with updated FQDNs by either going to VAMI > Cluster or to the Installation Prerequisites page on the Installation Wizard.
  8. Import the certificate for the Web role.


Additional Information

To be alerted when this document is updated, click the Subscribe to Article link in the Actions box.

简体中文:在 IaaS 服务器域名不同于负载平衡器域的情况下为 vRA 实例配置 SAN 证书