Exporting vRealize Log Insight custom certificates for use with Audit Log Integration within vRealize Automation

Article ID: 326032

Products

VMware Aria Suite

Issue/Introduction

If vRealize Log Insight (vRLI) is configured with custom TLS/SSL certificates, the root certificate from vRLI must be imported into vRA.

Symptoms:

You can configure vRealize Automation (vRA) to export audit events to vRealize Log Insight (vRLI) to facilitate viewing audit events.

Audit logging is deactivated by default and you must enable it to generate and view audit logging events.

If SSL is used, it is configured on the vRealize Automation appliance, where the Log Insight agent resides, and applies to the connection to the Log Insight syslog server. To use SSL, you must configure the appropriate certificates and connectivity between vRealize Automation and the Log Insight server installed in your deployment.


Environment

VMware vRealize Automation 7.x

Resolution



Workaround:
  1. Follow the instructions to configure Audit Log Integration in vRA: https://docs.vmware.com/en/vRealize-Automation/7.6/com.vmware.vra.prepare.use.doc/GUID-B4D67EE5-AC9E-458D-A606-FA62BE67E6A0.html
  2. Export the root certificate from vRLI:
    1. SSH to the vRLI node.
    2. Change to the following directory:
       cd /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.43/conf
       Note: The Tomcat folder version may differ between vRLI versions. Modify the path above accordingly.
    3. Export the certificate using the keytool command:
       /usr/java/default/bin/keytool -exportcert -keystore keystore -rfc -alias loginsight -file /tmp/rootcert.pem
       Note: The password for the keytool command is blank. Press Enter when prompted to enter the password.
    4. Using an FTP or SCP utility, copy /tmp/rootcert.pem to your desktop.
    5. Edit the rootcert.pem file using a text editor and copy the entire contents to the clipboard, ensuring that you do not copy any whitespace at the end of the file.
       Note: A truncated example is below:
       -----BEGIN CERTIFICATE-----
       MIIFwTCCA6mgAwIBAgIEWA+dBjANBgkqhkiG9w0BAQsFADCBkDELMAkGA1UEBhMC
       VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExEjAQBgNVBAcTCVBhbG8gQWx0bzEVMBMG
       ....
       5FaNN4zfBwupWOzy+4sGeF7NEl4mMyXLYp9+xVvYAgb5+0SodWeD6QBSIvS4Klib
       YAfgSjqTZpCnZMZVXwLBVMJAPwk/hSZaG2xmINtKk+81QB/W7g==
       -----END CERTIFICATE-----
  3. Log in to the virtual appliance management interface (VAMI) on port 5480 at https://vRAFQDN:5480/ with root credentials.
  4. Navigate to vRA > Logs > SSL Trusted Certificates.
  5. Select Import and paste in the root CA-signed PEM formatted certificate followed by Save Settings under the Actions section.
Note: Accept Any Trusted and Accept Any can be used to circumvent the need to manually import this root CA certificate.
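
A check for the copy-and-paste step above, as an added example that is not part of the original article or of any VMware tooling. It confirms that the text about to be pasted is exactly one complete PEM block (no stray whitespace, no elided or missing lines) and computes its SHA-256 fingerprint. All function names are hypothetical, and the sample input is a constructed placeholder, not a real certificate.

```python
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)

def der_length_ok(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length spans the whole blob."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short form: the byte is the length
        header, length = 2, der[1]
    else:                                   # long form: next n bytes hold the length
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def wrap_pem(der: bytes) -> str:
    """Encode DER as PEM with 64-column lines and no trailing newline or spaces."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"

def prepare_for_import(text: str):
    """Return (clean_pem, sha256_fingerprint, warnings) for text bound for the import box."""
    warnings = []
    if text != text.strip():
        warnings.append("leading or trailing whitespace removed")
    if "\r" in text:
        warnings.append("CRLF line endings normalised")
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) != 1:
        raise ValueError(f"expected exactly one certificate block, found {len(blocks)}")
    # validate=True rejects non-base64 characters, such as a "...." elision line.
    der = base64.b64decode("".join(blocks[0].split()), validate=True)
    if not der_length_ok(der):
        raise ValueError("DER length mismatch: certificate body is truncated or damaged")
    digest = hashlib.sha256(der).hexdigest().upper()
    fingerprint = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return wrap_pem(der), fingerprint, warnings

def constructed_sample() -> str:
    """Constructed placeholder (a 260-byte SEQUENCE), not a real certificate."""
    return wrap_pem(b"\x30\x82\x01\x00" + bytes(range(256)))

if __name__ == "__main__":
    # Simulate a copy that picked up CRLF endings and a blank line after the END marker.
    pem, fp, notes = prepare_for_import(constructed_sample().replace("\n", "\r\n") + "\r\n\r\n")
    print(fp, notes, pem, sep="\n")
```

Before importing, compare the printed fingerprint with the SHA256 value reported by /usr/java/default/bin/keytool -printcert -file /tmp/rootcert.pem on the vRLI node, so the certificate trusted in vRA is the one that was exported.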


Additional Information

https://docs.vmware.com/en/vRealize-Automation/7.6/com.vmware.vra.prepare.use.doc/GUID-B4D67EE5-AC9E-458D-A606-FA62BE67E6A0.html