How to import a Proxy server certificate into the SDDC Manager trust store

Article ID: 316072

Products

VMware Cloud Foundation

Issue/Introduction

This article describes how to import a Proxy server certificate into the SDDC Manager trust store.

Environment

VMware Cloud Foundation 5.x
VMware Cloud Foundation 4.x

Resolution

The following steps can be used to update the SDDC Manager trust store with the Proxy server certificate.

Note: Take a snapshot of the SDDC Manager VM prior to starting this process. 

 

  1. Use a file transfer utility to copy the Proxy certificate file to the /tmp directory on the SDDC Manager VM.
  2. SSH to the SDDC Manager VM as the vcf user and then issue the su - command to switch to the root user.
  3. Obtain the trusted certificates key by issuing the following command:

          cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key

     Note: You will see output similar to the following:

          q_0EZjUI7Z^B7V@2A+

  4. Issue a command similar to the following to import the Proxy certificate into the SDDC Manager trust store:

          keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass <trust store key>

     Notes:

       • Type yes when prompted to trust the certificate.
       • Enter something meaningful, like ProxyServer, for the <aliasname> value.
       • Replace <certificate file> with the full path to the certificate file that was uploaded in Step 1.
       • Replace <trust store key> with the trusted certificates key value returned in Step 3.

  5. Import the Proxy certificate into the Java trust store and restart the SDDC Manager services.

     Note: The Java keystore file location has changed from /usr/java/jre-vmware/lib/security/cacerts to /etc/alternatives/jre/lib/security/cacerts.

     a. Import the Proxy certificate into the Java trust store:

          keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts -storepass changeit

     b. Restart the SDDC Manager services with:

          /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

     Notes:

       • If the 'security' folder is not present inside /usr/java/jre-vmware/lib/, create the folder manually before importing the proxy certificate.
       • Type yes when prompted to trust the certificate.
       • Replace <certificate file> with the full path to the certificate file that was uploaded in Step 1.

  6. Issue a command similar to the following to verify that the new Proxy certificate has been added to the SDDC Manager trust store:

          keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass <trust store key>


     Note: Replace <trust store key> with the trusted certificates key value returned in Step 3.

  7. Issue the following command to restart the SDDC Manager services:

          /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

 

Note: Remove the snapshot that was taken prior to starting this procedure.
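
The import and verification steps above, written as a shell function that compares the certificate's SHA-256 fingerprint with a value obtained from the proxy owner before trusting it, instead of answering yes at the prompt, and then reads both entries back. This is an added example, not part of the original article; the function names are its own, and it assumes keytool's -noprompt and -storepass:file options and that the key is the first line of the key file.

```sh
#!/bin/sh
# Added example, not part of the original article. Paths are the article's;
# function names are this example's own. Run as root on the SDDC Manager VM.
TRUST_STORE=/etc/vmware/vcf/commonsvcs/trusted_certificates.store
TRUST_KEY=/etc/vmware/vcf/commonsvcs/trusted_certificates.key
JAVA_STORE=/etc/alternatives/jre/lib/security/cacerts

# Normalize a fingerprint (no colons, upper case) so values compare reliably.
norm_fp() { tr -d ': \r' | tr 'abcdef' 'ABCDEF'; }

# Extract the SHA-256 fingerprint from "keytool -printcert" or "-list -v" output.
sha256_of() { sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | head -n 1 | norm_fp; }

# Fingerprint stored under an alias; extra arguments carry the password option.
store_fp() {
    fp_store=$1; fp_alias=$2; shift 2
    keytool -list -v -keystore "$fp_store" -alias "$fp_alias" "$@" 2>/dev/null | sha256_of
}

# usage: import_proxy_cert <certificate file> <aliasname> <expected SHA-256>
# The expected value comes from the proxy owner over a separate channel.
import_proxy_cert() {
    cert=$1; name=$2; want=$(printf '%s' "$3" | norm_fp)
    have=$(keytool -printcert -file "$cert" 2>/dev/null | sha256_of)
    if [ -z "$have" ]; then
        echo "ERROR: $cert is not a readable certificate" >&2; return 2
    fi
    if [ "$have" != "$want" ]; then
        echo "ERROR: fingerprint mismatch, nothing imported" >&2; return 1
    fi
    # -storepass:file makes keytool read the key from its file, so the value
    # never appears in shell history or in the process list.
    keytool -importcert -noprompt -alias "$name" -file "$cert" \
        -keystore "$TRUST_STORE" -storepass:file "$TRUST_KEY" || return 3
    keytool -importcert -noprompt -alias "$name" -file "$cert" \
        -keystore "$JAVA_STORE" -storepass changeit || return 3
    # Read both entries back and confirm they hold the certificate just checked.
    [ "$(store_fp "$TRUST_STORE" "$name" -storepass:file "$TRUST_KEY")" = "$have" ] &&
        [ "$(store_fp "$JAVA_STORE" "$name" -storepass changeit)" = "$have" ] || {
        echo "ERROR: stored entry does not match $cert" >&2; return 4
    }
    echo "OK: $name imported into both trust stores (SHA-256 $have)"
}
```

Source the file as root and call import_proxy_cert with the certificate path from Step 1, the alias, and the expected fingerprint; the services restart in Step 7 is still required afterwards.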