Enabling secure backup and restore in the vCenter Server Appliance
search cancel

Enabling secure backup and restore in the vCenter Server Appliance

book

Article ID: 310399

calendar_today

Updated On:

Products

VMware vCenter Server 7.0 VMware vCenter Server 6.0

Issue/Introduction

This article provides information to configure file based backup and restore of the vCenter Server Appliance with secure file transfer.


Environment

VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server Appliance 6.5.x

Resolution

Note: By default, strict certificate validation is not enabled.

To enable strict certificate validation follow these steps to configure VCSA with the certificate for HTTPS / FTPS File-Based Backup or Restore features.

Backup

  1. Connect to the vCenter Server Appliance using SSH with root credentials
  2. Backup the /etc/applmgmt/appliance/appliance.conf file.
root@vcsa1 [ ~ ]# cp /etc/applmgmt/appliance/appliance.conf /etc/applmgmt/appliance/appliance.conf.backup
root@vcsa1 [ ~ ]# cd /etc/applmgmt/appliance
root@vcsa1 [ /etc/applmgmt/appliance ]# ls -lh
total 60K
-rwxr-xr-x 1 root root  841 Oct 12 09:45 appliance.conf
-rwxr-xr-x 1 root root  841 Feb 24 14:30 appliance.conf.backup
  1. Open the /etc/applmgmt/appliance/appliance.conf file:
vi /etc/applmgmt/appliance/appliance.conf
  1. Search for the key validateCerts 
    • if the key exists, change it to "validateCerts": true
    • If the key does not exist, add "validateCerts": true under the backupRestore section.
  2. Restart the appliance management service with these commands:
Caution: Running these commands will cause vCenter Server downtime.
 
service-control --stop applmgmt
service-control --start applmgmt
  1. Add the CA cert or SSH host key thumb print of the target server depending on the transfer method:
    • For FTPS or HTTPS transfers, copy the CA cert to /etc/applmgmt/appliance/br_servercert.crt on the VCSA.
    • For SCP or SFTP based backup restore, copy the ssh host key thumb print of the backup server to /etc/applmgmt/appliance/br_known_hosts on the VCSA.
    • Entries should be in: IP,FQDN algorithm Key format. You may have both IP and FQDN on the same line or have two line entries one for IP and one for FQDN.
  2. Start the backup of vCenter 

Restore

  1. Begin a restore operation stopping at Stage 1.
  2. Open the /etc/applmgmt/appliance/appliance.conf file with a text editor
  3. Search for the key validateCerts 
    • if the key exists, change it to "validateCerts": true
    • If the key does not exist, add "validateCerts": true under the backupRestore section.
  4. Restart the appliance management service with these commands:
Caution: Running these commands will cause vCenter Server downtime.
service-control --stop applmgmt
service-control --start applmgmt
  1. Add the CA cert or SSH host key thumb print depending on the transfer method:
  • For FTPS or HTTPS transfers, copy the CA cert to /etc/applmgmt/appliance/br_servercert.crt on the VCSA.
  • For SCP or SFTP based backup restore, copy the ssh host key thumb print of the backup server to /etc/applmgmt/appliance/br_known_hosts on the VCSA.
    • Copy the ssh host key thumb print of the backup server to /etc/applmgmt/appliance/br_known_hosts on the VCSA by running command: $ ssh -q -p 22 -i /root/.ssh/id_rsa -o UserKnownHostsFile=/root/.ssh/br_temp_known_hosts [email protected] echo ~
    • Now copy this file to the directory as shown : $  cp /root/.ssh/br_temp_known_hosts /etc/applmgmt/appliance/br_known_hosts
    • Remove the temp_known host file :$  rm /root/.ssh/br_temp_known_hosts /
  1. Start the Restore operation with the VAMI UI on port 5480: vCenter FQDN or IP:5480 or alternatively  using the command appliancesh 



Additional Information

For more information on VMware Native File Based Backup/Restore:


Note:

  • If a custom certificate it to be used for FTPS site.
  • Then it is required to provide the entire chain (root + Intermediate + FTPS_ cert ) and name it "br_servercert.crt" as mentioned in Step 5 of KB article.



Impact/Risks:
Warning:
Before making any changes to certificates, ensure you have taken proper snapshots of your SSO domain. This means that you must shut down all vCenter Servers or PSCs that are in the SSO domain at the same time, then snapshot them, and power them on again.  If you need to revert to one of these snapshots, shut all the nodes down, and revert all nodes to the snapshot. Failure to perform these steps will lead to replication problems across the PSC databases.