Install a custom certificate in VMware Aria Operations for Logs 8.12 and Later
search cancel

Install a custom certificate in VMware Aria Operations for Logs 8.12 and Later

book

Article ID: 315949

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

Starting in VMware Aria Operations for Logs 8.12 there is a new script (/usr/lib/loginsight/application/sbin/custom-ssl-cerf) shipped with the appliance which can be used to change the UI, API, syslog and internal certificate. The purpose of this article is to outline the steps to apply to utilize this script.  

You may need to apply the steps outlined below if you notice an issue with accessing the UI after upgrading from 8.12 to a later version and when running the command echo "" | keytool -list -keystore /usr/lib/loginsight/application/etc/3rd_config/keystore -rfc 2> /dev/null | openssl x509 -noout -enddate on each node the certificate shows as expired. 

Environment

VMware Aria Operations for Logs 8.12.x and later 

Resolution

To install a new custom certificate in VMware Aria Operations for Logs 8.12 or later to replace the UI, API, syslog and internal certificate, follow the steps below.

Quick Links:  

Prerequisites

  • This workaround requires a .pem certificate file to be uploaded.
    • If you have a custom certificate, using an SCP utility like WinSCP, upload the .pem file to the /tmp directory on all nodes in the VMware Aria Operations for Logs cluster.
Note: VMware Aria Operations 8.12 build 21618456 requires Client Auth usage.  Build 21696970 and later drop this requirement.  If you are on build 21618456, ensure your custom certificate meets this requirement.  You can run the echo | openssl s_client -connect localhost:443 2>/dev/null | openssl x509 -noout -purpose | grep 'SSL client :' command on a node with your custom certificate installed to confirm.
If the above command returns SSL client : Yes, then you can proceed to the Install Certificate section.
If the above command returns SSL client : No, then you must regenerate your custom certificate with Client Auth enabled.

Generate a self-signed certificate

  1. Log into the Primary node as root via SSH or Console.
  2. Run the following command to generate a self-signed certificate:
openssl req -newkey rsa:2048 -keyout domain.key -x509 -days 3650 -out domain.crt -nodes

Note: This command will generate a self-signed certificate that is valid for 3650 days (10 years). You may alter the -days value as needed per your organization's security requirements.

Note: When prompted by openssl, provide the required values for your company.  If you want to use the default certificate options, enter the following values:
 
PromptValue
CountryUS
State Or ProvinceCalifornia
LocalityPalo Alto
OrganizationVMware, Inc.
Organization UnitvCenter Log Insight
Common NameVMware vCenter Log Insight
  1. Run the following command to concatenate the key and certificate into a .pem file, which you can then use in the next section
cat domain.key domain.crt > /tmp/cert.pem
  1. Using an SCP utility like WinSCP, copy the /tmp/cert.pem file to the /tmp directory on all other nodes in the cluster.

Install Custom Certificate

  1. Log into the Primary node as root via SSH or Console.
  2. Run the following command to copy the newly generated or uploaded certificate to the following location:
cp /tmp/cert.pem /usr/lib/loginsight/application/etc/certs/custom.pem

Note: Replace /tmp/cert.pem with the path and file name of the custom certificate you uploaded in the Prerequisites section.
  1. Run the following command to use the custom-ssl-cerf script:
/usr/lib/loginsight/application/sbin/custom-ssl-cerf
  1. Repeat steps 2 and 3 on all remaining nodes in the cluster
  2. Run the following command to restart the loginsight service on all nodes, one at a time
systemctl restart loginsight

Note: Once the service has restarted, wait a few minutes until the ingestion  rate is back to normal, then proceed to restart the service on the next node 

 

Powered by Wolken Software