Configure a Certificate For Use With VCF Operations
Article ID: 320343

Products

VMware Aria Suite

Issue/Introduction

This article provides instructions for using OpenSSL to configure an authentication certificate for use with VCF Operations (formerly known as Aria Operations).

See VCF Operations Certificates documentation for further details.

Note: The certificate cannot be changed on the internal ports, for example port 6061 and the 10000 and 20000 port ranges.

Environment

VCF Operations 9.x
VMware Aria Operations 8.x

 

Resolution

To configure a certificate PEM file with VCF Operations:
  1. Generate a new Certificate PEM for VCF Operations.
  2. Install the Certificate PEM in the VCF Operations Admin UI.
Note: Certificates applied through the VCF Operations Admin UI are only used for securing user interface connections from external clients. Custom certificate updates for specific components such as Java or GemFire (port 10000) are not permitted. Refer to the Network Port Access Requirements for VCF Operations documentation for more information.
 

Generate a new Certificate PEM file

  1. Log into the Primary node as root via SSH or Console.
  2. Run the following command to make the /cert directory, then change to that directory:
mkdir /cert && cd /cert
  3. In the /cert directory, create a new file called aops.cnf:
vi /cert/aops.cnf
  4. The contents of the file should be as follows for a 3 node cluster:
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
default_bits = 2048
default_md = sha256
encrypt_key = no

[dn]
CN = Primary_Node_FQDN

[ext]
subjectAltName = @alt_names

[alt_names]
DNS.1 = Primary_Node_FQDN
DNS.2 = Node_2_FQDN
DNS.3 = Node_3_FQDN
DNS.4 = Primary_Node_Shortname
DNS.5 = Node_2_Shortname
DNS.6 = Node_3_Shortname
IP.1 = Primary_Node_IP
IP.2 = Node_2_IP
IP.3 = Node_3_IP

Notes:
  • The CN must also be listed in the subjectAltName section for web browser compatibility.
  • If using a load balancer, the CN should be the IP/FQDN of the load balancer.
  • The certificate will be valid for any FQDN/IP that is added to the subjectAltName section. Follow your company's security policy for the SAN field, but it is advised to include the IP addresses or FQDNs of each node in the cluster.
  5. In the example above, replace the following with values relevant to your environment, removing or adding nodes as needed:
  • Primary_Node_FQDN
  • Node_2_FQDN
  • Node_3_FQDN
  • Primary_Node_Shortname
  • Node_2_Shortname
  • Node_3_Shortname
  • Primary_Node_IP
  • Node_2_IP
  • Node_3_IP
  6. Save and close the file:
:wq!
  7. Using the aops.cnf file, run the following command to create the private key and the CSR to send to your Certificate Authority:
openssl req -new -config /cert/aops.cnf -keyout /cert/aops.key -out /cert/aops.csr
  8. Run the following to verify that the information in the CSR is correct:
openssl req -in /cert/aops.csr -noout -text


If all information is correct, send the CSR (aops.csr) to your Certificate Authority and inform them of the details you have configured in the subjectAltName line of aops.cnf.

Once the Certificate Authority signs your CSR, they will return to you the signed cert based on this CSR and their root cert (along with any intermediate certs). Ensure that you download them in Base64 format if given an option.

  9. To construct the PEM file to upload to VCF Operations, combine these files in the following order:
  • The signed cert returned to you by the CA, based on the CSR you created.
  • The private key you generated earlier (aops.key in the example above).
  • Intermediate certs returned by the CA (only if applicable).
  • The CA's root cert.
  10. Add the files downloaded from your CA to the VCF Operations Primary node's /cert directory using an SCP utility.
  11. Log into the Primary node as root via SSH or Console, pressing ALT+F1 in a Console to log in.
  12. To combine these files, run the cat command as follows (replacing the filenames as necessary):
cat /cert/signed_cert.crt /cert/aops.key /cert/cacerts.crt > /cert/multi_part.pem

Note: If your CA also provided you with intermediate certs the command would look similar to the following:

cat /cert/signed_cert.crt /cert/aops.key /cert/intermediate.crt /cert/cacerts.crt > /cert/multi_part.pem
 
The PEM file can now be copied from the VCF Operations Primary node using an SCP utility.

Note: If you have trouble applying the newly created certificate in VCF Operations, see the Troubleshooting PEM file issues section of this article. You can also see Using the Custom Certificate Tool in VCF Operations to help troubleshoot the certificate.

 

Install a New Certificate in VCF Operations

  1. In a Web browser, navigate to the VCF Operations administration interface at https://vcfops-node-FQDN-or-ip-address/admin.
  2. Log in with the local admin username and password.
  3. If you are on VCF Operations 8.10 or later, click Take Offline under Cluster Status.
Note: Wait for Cluster Status to show as Offline.
  4. At the upper right, click the yellow SSL Certificate icon.
  5. In the SSL Certificate window, click Install New Certificate.
  6. Click Browse for certificate.
  7. Locate the certificate .pem file, and click Open to load the file in the Certificate Information text box.
Note: The certificate file must contain a valid private key and a valid certificate chain.
  8. Click Install.
  9. If you are on VCF Operations 8.10 or later, once the certificate is installed, click Bring Online under Cluster Status.
Note: Wait for Cluster Status to show as Online.

 

Troubleshooting PEM file issues:

  • If issues are encountered applying the new certificate, the VCF Operations Custom Certificate Tool can be utilized to help determine the issue: Using the Custom Certificate Tool in VCF Operations
  • If an invalid certificate has been applied and functionality of VCF Operations has been impacted, you can revert to the default certificate to keep the cluster functional while troubleshooting of the new certificate is ongoing: Reload the default certificate in VCF Operations
  • To decode each entry of the PEM file, use one of the available online decoders.
Note: Paste each --BEGIN and --END portion of the PEM file into a decoder and then verify that they are in the correct order in the PEM file.
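As an added example that is not part of the KB article, the POSIX shell functions below check an assembled multi_part.pem locally on the Primary node with nothing but openssl: the block order (signed cert, private key, CA certs), that the private key belongs to the signed certificate, that the certificate verifies against the CA certs that follow it, and that each node FQDN/IP is present in the SAN. The make_demo_pem helper, its file paths and the example.test names are constructed for the demonstration; on a real node point the check functions at /cert/multi_part.pem.

```shell
# Added example (not from the KB article): offline checks on the assembled multi_part.pem, using only openssl on the node so the private key never leaves it.
# List the PEM block types in file order, e.g. "CERTIFICATE PRIVATE-KEY CERTIFICATE".
pem_block_order() {
  awk '/^-----BEGIN /{ sub(/^-----BEGIN /, ""); sub(/-----$/, "")
       if ($0 ~ /PRIVATE KEY$/) $0 = "PRIVATE-KEY"; printf "%s ", $0 }' "$1" | sed 's/ $//'
}
# Succeeds only for the article's order: signed cert, private key, then intermediate/root certs.
check_pem_order() {
  pem_block_order "$1" | grep -Eq '^CERTIFICATE PRIVATE-KEY( CERTIFICATE)+$'
}
# The private key must belong to the first (signed) certificate in the file.
check_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$1" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ]
}
# The signed cert must verify against the CA certs that follow the key.
check_chain_verifies() {
  tmp=$(mktemp -d)
  awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----$/ { n++ }
       n == 1 && !done { print > (d "/leaf.pem") }; n > 1 { print > (d "/chain.pem") }
       /^-----END CERTIFICATE-----$/ && n == 1 { done = 1 }' "$1"
  openssl verify -CAfile "$tmp/chain.pem" "$tmp/leaf.pem" >/dev/null 2>&1; rc=$?
  rm -rf "$tmp"; return $rc
}
# Every node FQDN/IP passed after the file name must appear in the signed cert's SAN.
check_sans_present() {
  file=$1; shift
  sans=$(openssl x509 -in "$file" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1)
  for name in "$@"; do
    echo "$sans" | grep -Eq "(DNS|IP Address):$name(,|[[:space:]]|$)" || return 1
  done
}
# Constructed demo: a throwaway root CA and a leaf issued from an aops.cnf-style config with
# fictional example.test names, concatenated in the article's order. Prints the PEM path.
make_demo_pem() {
  d=$(mktemp -d)
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' 'req_extensions = ext' \
    'default_bits = 2048' 'default_md = sha256' 'encrypt_key = no' '[dn]' 'CN = aops-01.example.test' \
    '[ext]' 'subjectAltName = @alt_names' '[alt_names]' 'DNS.1 = aops-01.example.test' \
    'DNS.2 = aops-02.example.test' 'IP.1 = 192.0.2.10' '[ca_ext]' 'basicConstraints = critical,CA:TRUE' > "$d/aops.cnf"
  openssl req -new -config "$d/aops.cnf" -keyout "$d/aops.key" -out "$d/aops.csr" 2>/dev/null
  openssl req -x509 -config "$d/aops.cnf" -extensions ca_ext -subj '/CN=Demo Root CA' \
    -newkey rsa:2048 -days 1 -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl x509 -req -in "$d/aops.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -extfile "$d/aops.cnf" -extensions ext -out "$d/signed_cert.crt" 2>/dev/null
  cat "$d/signed_cert.crt" "$d/aops.key" "$d/ca.crt" > "$d/multi_part.pem"
  echo "$d/multi_part.pem"
}
```

Before uploading, run for example `check_pem_order /cert/multi_part.pem && check_key_matches_cert /cert/multi_part.pem && check_chain_verifies /cert/multi_part.pem`; the first function to return non-zero names the part of the file to fix.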

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.

Additional Information

Disclaimer: Creating custom certificates for use in VCF Operations is out of scope for support. For additional support in creating a custom certificate for use in VCF Operations, contact your account manager or Technical Account Manager.

For steps on how to configure a certificate for use with VCF Operations Cloud Proxy, see Configure a Certificate For Use With VCF Operations Cloud Proxy (89583).

Impact/Risks:
Attempting to apply an invalid certificate may result in any of the following:

  • VCF Operations certificate wizard shows the certificate as valid but does not accept the certificate.
  • The default certificate is still shown after applying the new certificate.
  • You do not see any errors in the VCF Operations UI.
  • You are unable to log into the VCF Operations UI or Admin UI after applying the new certificate.


The finished PEM file should look similar to the following example, where the number of CERTIFICATE sections depends on the length of the issuing chain:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: DigiCertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----


Failure to follow the above format may disrupt the cluster or leave it in a non-functional state.