Rotate expired Locker certificate authority in vRealize Suite Lifecycle Manager


Article ID: 314924


Products

VMware Aria Suite

Issue/Introduction

This article describes how to rotate the Locker certificate authority so that the certificates it generates are valid.


Symptoms:

The certificate authority used for signing certificates in LCM expires two years after installation.


Environment

VMware vRealize Suite Lifecycle Manager 8.x
VMware vRealize Suite Lifecycle Manager 2.x

Resolution

Implementing the workaround is recommended for now.


Workaround:

Prerequisites

  • Take a snapshot of the vRSLCM appliance from vCenter before performing any operation.

For vRSLCM 2.1

  1. SSH as root to the vRSLCM appliance.
  2. Run the following commands:
    1. rm /data/locker/repo/lcm.local/pki/keystore.pkcs12
    2. systemctl restart vlcm-locker
    3. Wait 60 - 120 seconds to allow the service to fully initialize.
    4. curl -XPOST localhost:9000/api/locker/lcm.local/pki/ca/lcmca

 

For vRSLCM 8.x

  1. SSH as root to the vRSLCM appliance.
  2. Run the following command:
curl --insecure -X PATCH https://vRSLCMFQDN/lcm/locker/api/certificates/ca -H "Authorization: Basic Base64 encoded username:password"

Note: The Authorization header must carry the base64-encoded value of the username and password in the format username:password. For example, if the username is admin@local and the password is vmware, the value should be the base64 encoding of admin@local:vmware.

Note: When generating the value with base64 on the vRSLCM appliance, use echo -n so that the trailing newline (\n) that echo adds is not included in the encoded value:

echo -n 'admin@local:vmware' | base64

   

The full command using the sample credentials above would be:

curl --insecure -X PATCH https://vRSLCMFQDN/lcm/locker/api/certificates/ca -H "Authorization: Basic YWRtaW5AbG9jYWw6dm13YXJl"
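
The following script is an added example, not part of the original article or VMware's tooling. It builds the Basic value without the trailing newline, detects a value that was encoded with one, and passes the header to curl through a config on stdin so the credential stays out of curl's argument list. The function names are assumptions; the endpoint and sample credentials are the ones shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, endpoint is from the article.

# Encode "user:password" for a Basic Authorization header.
# printf emits no trailing newline, and tr removes the line wrapping that
# base64 applies when the input is long.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Return 0 if an encoded value decodes to text ending in a newline,
# which is what "echo" without -n produces.
encoded_has_newline() {
    last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
    [ "$last" = "0a" ]
}

# Send the PATCH request from the article. The header reaches curl through
# a config read from stdin (-K -), so it is not visible in the process list.
# --insecure is kept from the article's command.
rotate_locker_ca() {
    fqdn=$1
    user=$2
    pass=$3
    token=$(basic_auth_value "$user" "$pass")
    if encoded_has_newline "$token"; then
        echo "encoded credential contains a trailing newline" >&2
        return 1
    fi
    printf 'header = "Authorization: Basic %s"\n' "$token" |
        curl --insecure -X PATCH -K - \
            "https://$fqdn/lcm/locker/api/certificates/ca"
}

# Usage on the appliance (vRSLCMFQDN is the article's placeholder):
#   rotate_locker_ca vRSLCMFQDN 'admin@local' 'vmware'
```
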