Install a custom certificate in VMware Aria Operations for Logs 8.12 and Later
Article ID: 315949
Updated On:
Products
Issue/Introduction
Starting in VMware Aria Operations for Logs 8.12 there is a new script (/usr/lib/loginsight/application/sbin/custom-ssl-cerf) shipped with the appliance which can be used to change the UI, API, syslog and internal certificate.
Symptoms might vary :
- UI is unavailable after rebooting the cluster
- UI is unavailable after upgrading from 8.12 to a later version
- Running the below command on each cluster node, the certificate shows expired :
echo "" | keytool -list -keystore /usr/lib/loginsight/application/etc/3rd_config/keystore -rfc 2> /dev/null | openssl x509 -noout -enddate
- An error as below could be seen in the
/storage/core/loginsight/var/cassandra.log:
Caused by: java.security.cert.CertificateExpiredException: NotAfter: {Date/Time in the past}
Environment
VMware Aria Operations for Logs 8.12.x and later.
Resolution
Quick Links:
- Prerequisites
- Generate a self-signed certificate
- Install Custom Certificate
Prerequisites
- This workaround requires a .pem certificate file to be uploaded.
- If you have a custom certificate, using an SCP utility like WinSCP, upload the .pem file to the /tmp directory on all nodes in the VMware Aria Operations for Logs cluster.
-
-
- If the above command returns SSL client : Yes, then you can proceed to the Install Certificate section.
- If the above command returns SSL client : No, then you must regenerate your custom certificate with Client Auth enabled.
-
- See Install a Custom SSL Certificate for more details on certificate requirements, or follow the below steps to generate a self signed certificate
Generate a self-signed certificate
- Log into the Primary node as root via SSH or Console.
- Run the following command to generate a self-signed certificate:
Note: This command will generate a self-signed certificate that is valid for 3650 days (10 years). You may alter the -days value as needed per your organization's security requirements.
Note: When prompted by openssl, provide the required values for your company. If you want to use the default certificate options, enter the following values:
| Prompt | Value |
|---|---|
| Country | US |
| State Or Province | California |
| Locality | Palo Alto |
| Organization | VMware, Inc. |
| Organization Unit | vCenter Log Insight |
| Common Name | VMware vCenter Log Insight |
3. Run the following command to concatenate the key and certificate into a .pem file, which you can then use in the next Prerequisites section
- Using an SCP utility like WinSCP, copy the /tmp/cert.pem file to the /tmp directory on all other nodes in the cluster.
Install Custom Certificate
- Log into the Primary node as root via SSH or Console.
- Run the following command to copy the newly generated or uploaded certificate to the following location:
Note: Replace /tmp/cert.pem with the path and file name of the custom certificate you uploaded in the section.
- Run the following command to use the custom-ssl-cerf script:
- Repeat steps 2 and 3 on all remaining nodes in the cluster
- Run the following command to restart the loginsight service on all nodes, one at a time
Note: Once the service has restarted, wait a few minutes until the ingestion rate is back to normal, then proceed to restart the service on the next node
Additional Information
Openssl is installed on default VMware virtual appliance, please make sure you generate CSR and key based on your requirement.
For more information on the sequence of certificate replacement and CSR generation steps, refer the below documents:
Certificate replacement sequence
Generate a CSR and key
Feedback
