How to import Proxy server certificate to SDDC manager trust store.

Article ID: 316072

Products

VMware Cloud Foundation
VMware SDDC Manager

Issue/Introduction

This article describes how to import a proxy server certificate into the SDDC Manager trust store.

Environment

VMware Cloud Foundation 5.x
VMware Cloud Foundation 4.x

Resolution

Use the following steps to update the SDDC Manager trust store with the proxy server certificate.

  1. Take a snapshot of the SDDC Manager VM.
  2. Use a file transfer utility to copy the proxy certificate file to the /tmp directory on the SDDC Manager VM.
  3. SSH to the SDDC Manager VM as the vcf user, then issue the su - command to switch to the root user.
  4. Obtain the trusted certificates key by issuing the following command:
    KEY=$(cat /etc/vmware/vcf/commonsvcs/trusted_certificates.key)
  5. Confirm the output by using the following command:
    echo $KEY

    Sample output:
    root@sddc01 [ /home/vcf ]# echo $KEY
    iDxxxxxxxxxxxxxxx6_m
  6. Run the following command to import the proxy certificate into the SDDC Manager trust store:
    keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store --storepass $KEY

    Notes:

    Type yes when prompted to trust the certificate.
    Enter something meaningful, such as ProxyServer, for the <aliasname> value.
    Replace <certificate file> with the full path to the certificate file that was uploaded in Step 2.

  7. Run the following command to import the proxy certificate into the Java trust store:
    keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit

    Note: The Java keystore file location has changed from /usr/java/jre-vmware/lib/security/cacerts to /etc/alternatives/jre/lib/security/cacerts.

  8. Restart SDDC services:
    /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
  9. Import the proxy certificate into the Java trust store:
    keytool -importcert -alias <aliasname> -file <certificate file> -keystore /etc/alternatives/jre/lib/security/cacerts --storepass changeit
  10. Restart SDDC services with:
    /opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
  11. Verify that the new proxy certificate has been added to the SDDC Manager trust store:
    keytool -list -v -keystore /etc/vmware/vcf/commonsvcs/trusted_certificates.store -storepass $KEY
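
One way to make the final verification step stricter, as an added example that is not part of the VMware article: parse the keytool -list -v output and confirm that the imported alias carries the SHA-256 fingerprint you expect. The function names, alias names and fingerprints below are constructed for illustration.

```shell
#!/bin/sh
# Added example (not VMware code). Function names are hypothetical.

# Strip any "label=" prefix, colons and whitespace, then uppercase the hex.
norm_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr 'a-f' 'A-F'
}

# stdin: `keytool -list -v` output. Prints the SHA256 fingerprint of alias $1.
# keytool aliases are case-insensitive, so the comparison ignores case.
alias_fp() {
    awk -v want="$1" '
        /^Alias name: /    { a = tolower(substr($0, 13)); next }
        /^[ \t]*SHA256: /  { if (a == tolower(want)) { print $2; found = 1; exit } }
        END                { exit found ? 0 : 1 }'
}

# Returns 0 if alias $1 is in the listing on stdin with SHA-256 fingerprint $2,
# 1 on a fingerprint mismatch, 2 if the alias is absent.
verify_alias() {
    got=$(alias_fp "$1") || { echo "alias '$1' not found" >&2; return 2; }
    [ "$(norm_fp "$got")" = "$(norm_fp "$2")" ] && return 0
    echo "fingerprint mismatch for '$1'" >&2
    return 1
}

# Constructed sample of `keytool -list -v` output; all values are made up.
SAMPLE_FP='3A:7F:12:9C:E4:5B:08:D1:66:AF:20:B3:97:4E:C5:1D:82:F0:39:6A:BD:07:E8:54:CB:91:2F:A6:73:0E:D9:48'
OTHER_FP='D4:0B:6E:91:2C:F7:58:A3:1F:84:C9:36:EB:70:05:BA:9D:42:E6:13:7C:A8:5F:20:B1:64:DE:09:83:FC:47:1A'
sample_listing() {
    cat <<EOF
Alias name: proxyserver
Entry type: trustedCertEntry
Owner: CN=proxy.example.test
Issuer: CN=Example Test CA
Certificate fingerprints:
         SHA1: 5C:1E:90:AB:37:D2:64:0F:B8:29:E3:7A:41:C6:9D:05:F2:8B:13:6E
         SHA256: $SAMPLE_FP
*******************************************
*******************************************
Alias name: otherca
Entry type: trustedCertEntry
Certificate fingerprints:
         SHA256: $OTHER_FP
EOF
}

sample_listing | verify_alias ProxyServer "$SAMPLE_FP" && echo "ProxyServer: fingerprint matches"
```

On the SDDC Manager VM, the listing would come from the keytool -list -v command in the verification step, and the expected fingerprint from the proxy's owner rather than from the uploaded file itself.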