How To Install A Signed Certificate On A Usage Meter 4.2 Appliance

Article ID: 330625


Products

VMware Aria Suite

Issue/Introduction

These instructions assume:
  • That you know the usagemeter password for the usage meter appliance.
  • That ssh has been enabled for the usage meter appliance (there is a knowledge base article that explains how to enable it if you have not already done so).
  • That you are comfortable using the Linux command line.
  • That you know how to obtain a signed SSL certificate for servers in your organization’s datacenter. Specifically, these instructions assume that you have two files, usagemeter.crt and usagemeter.key, both in PEM format, that hold the SSL certificate and corresponding private key. If, while obtaining the certificate file, you are asked what kind of web server it is for, specify “nginx”; this should help ensure that the certificate is encoded in the correct format.


Symptoms:
The Usage Meter appliance generates a self-signed SSL certificate for itself when it is installed. This means that when you first connect to its web interface over HTTPS, you see a security dialog and must manually tell your web browser that you trust the self-signed certificate. If you want to avoid this problem, these instructions explain how to install a signed SSL certificate (and its corresponding private key) on the usage meter appliance.

Resolution

  1. Use scp to copy the usagemeter.key and usagemeter.crt files to the /tmp directory of the appliance:
$ scp usagemeter.crt usagemeter.key usagemeter@<umhostname>:/tmp
If this does not work, you will first need to enable ssh for your appliance.
  2. Log on to the usage meter appliance and change directory to the usage meter config files directory. Please log in using the ‘usagemeter’ account, not the ‘root’ account. The instructions that follow will not work (because of file ownership and permissions issues) if you run them as root.
$ ssh usagemeter@<umhostname>
$ cd /opt/vmware/cloudusagemetering/conf
  3. Create directories to hold your signed certificate and private key files:
$ mkdir nginx
$ mkdir nginx/ssl
  4. Move the key and certificate files from the /tmp directory (where you copied them with scp in step 1) to these new directories:
$ mv /tmp/usagemeter.crt nginx/ssl
$ mv /tmp/usagemeter.key nginx/ssl
  5. Set restrictive permissions on these two files:
$ chmod 600 nginx/ssl/*
  6. Make a backup copy of the nginx.conf file in case this procedure fails and you need to revert to the self-signed certificate:
$ cp nginx.conf nginx.conf.bak
  7. Use vi or another editor to edit the nginx.conf file. Near the bottom of the file you will see two lines that look like this:
  ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
  ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
You need to edit those lines to read as follows:
  ssl_certificate nginx/ssl/usagemeter.crt;
  ssl_certificate_key nginx/ssl/usagemeter.key;
Note that nginx.conf is a read-only file. If you edit with vi, you will need to save and quit with :wq! If you use a different editor, you may need to first change the file permissions with chmod, then edit and save, and then restore the file permissions with chmod.
  8. Reboot the usage meter appliance to restart the web server. If you know the root password for the appliance, you can reboot like this:
$ su
# reboot
If you don’t have the root password, then reboot (or power off/power on) the appliance from vCenter.
  9. After waiting a minute for the appliance to reboot, you can verify that this procedure worked by connecting to the usage meter appliance with a web browser. Use whatever hostname or IP address you specified as the “common name” in your Certificate Signing Request. Use the https protocol and port number 8443, for a URL like https://<hostname>:8443. You should not see any security warnings, and your browser should display a padlock or similar icon to indicate that you have established a secure connection.
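
A pre-flight check for the procedure above, to run once the files are in nginx/ssl with their permissions set and before nginx.conf is edited. This is an added example, not part of the original article or of VMware's tooling: it confirms that both files are PEM, that the key has no passphrase and belongs to the certificate, that the certificate has not expired, and that both files are mode 600. It assumes the openssl CLI is available where it runs; the function names check_pair and make_demo_pair and the name um.example.test are made up for the example.

```shell
#!/bin/sh
# Added example: verify the certificate/key pair before nginx.conf points at it.
# Assumption: the openssl CLI is available on the machine where this runs.

# check_pair CERT KEY -> returns 0 only if every check passes (hypothetical helper).
check_pair() {
    cert=$1 key=$2 rc=0

    # Certificate must parse as PEM-encoded X.509.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "FAIL: $cert is not a PEM certificate"; return 1; }

    # Key must parse as PEM with no passphrase; the empty -passin makes an
    # encrypted key fail here instead of prompting.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) || {
        echo "FAIL: $key is not an unencrypted PEM private key"; return 1; }

    # The public key inside the certificate must be the one derived from the key.
    [ "$cert_pub" = "$key_pub" ] || {
        echo "FAIL: private key does not match certificate"; rc=1; }

    # -checkend 0 exits non-zero if the certificate has already expired.
    openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "FAIL: certificate has expired"; rc=1; }

    # Both files should be mode 600, as set with chmod in the procedure.
    for f in "$cert" "$key"; do
        perms=$(ls -ld "$f" | cut -c1-10)
        [ "$perms" = "-rw-------" ] || {
            echo "FAIL: $f has permissions $perms, expected -rw-------"; rc=1; }
    done
    return "$rc"
}

# make_demo_pair DIR -> constructed sample input: a throwaway self-signed pair
# for the made-up name um.example.test, used only to exercise check_pair.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=um.example.test" \
        -keyout "$1/usagemeter.key" -out "$1/usagemeter.crt" >/dev/null 2>&1 &&
        chmod 600 "$1/usagemeter.key" "$1/usagemeter.crt"
}

# Usage: sh check_pair.sh nginx/ssl/usagemeter.crt nginx/ssl/usagemeter.key
if [ "$#" -eq 2 ]; then
    check_pair "$1" "$2" && echo "OK: certificate and key are consistent"
fi
```

A non-zero exit means the web server is likely to fail with the new files, so fix the reported problem before changing nginx.conf.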


Additional Information

Impact/Risks:
Take a snapshot of the Usage Meter appliance before following the instructions.