Replacing the SSL certificate for vCenter Update Manager does not replace the certificate used by Update manager on Port 9087

Article ID: 338378

Updated On:

Products

VMware vCenter Server
VMware vSphere ESXi

Issue/Introduction

Symptoms:


Environment

VMware vCenter Update Manager 5.1.x
VMware vSphere Update Manager 5.5.x
VMware vSphere Update Manager 5.1.x
VMware vCenter Update Manager 5.5.x
VMware vSphere Update Manager 5.0.x
VMware vCenter Update Manager 5.0.x
VMware vCenter Update Manager 4.1.x

Resolution

Port 9087 in Update Manager is used to send the Jetty Session ID and to import offline bundles or upgrade release files.
Prerequisites:
  • OpenSSL must be installed on the machine running VMware Update Manager. It is available at Welcome to the OpenSSL Project.

    Note: The preceding link was correct as of April 06, 2015. If you find the link is broken, provide feedback and a VMware employee will update the link.

  • The CA-provided or custom certificates that will replace the default certificate (.crt and .key files).

To replace the certificate, follow these steps:
  1. Back up the SSL folder in the Update Manager install directory.

    The default path in 64-bit Windows is C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL

  2. Stop the vSphere Update Manager service. For more information, see Stopping, starting, or restarting the vSphere Update Manager service (1039328).

  3. Open the C:\Program Files (x86)\VMware\Infrastructure\Update Manager\jetty-vum-ssl.xml file in a text editor.

  4. Record the information in the string that begins with <Set name="Password"> and ends with </Set>

    For example:

    <Set name="Password">OBF:1vu51xg31sw41zen1svu1xez1vv5</Set>

  5. Download the attached .zip file and extract the .jar file to C:\Program Files (x86)\VMware\Infrastructure\Update Manager\jre\bin\

  6. Open a command prompt: click Start > Run, type cmd, and press Enter.

  7. From the command prompt, change the directory to: C:\Program Files (x86)\VMware\Infrastructure\Update Manager\jre\bin

  8. Run this command using the information gathered in step 4:

    java -jar jetty_deobfuscate.jar keystore_password

    For example:

    java -jar jetty_deobfuscate.jar OBF:1vu51xg31sw41zen1svu1xez1vv5

  9. Copy the output for later use.

  10. From the command prompt, change to the directory where OpenSSL is installed.

    Note: The default is C:\OpenSSL-Win32\bin

  11. Run this command to create the .p12 file from your replacement .crt and .key file:

    openssl pkcs12 -export -in crt_file_location -inkey key_file_location -out p12_file_path\keyname.p12 -name vum-jetty

  12. Enter the password from step 8 when prompted.

  13. Once completed, change the directory to: C:\Program Files (x86)\VMware\Infrastructure\Update Manager\jre\bin

  14. To verify the password, run this command:

    keytool -list -storepass keystore_password -keystore ..\..\SSL\vmware-vum.keystore

    Note: Use the password gathered in step 8.

  15. The output should contain two alias entries, one for vum-server and a second for vum-jetty.

  16. To delete vum-jetty alias, run this command:

    keytool -delete -alias vum-jetty -storepass keystore_password -keystore ..\..\SSL\vmware-vum.keystore

  17. Verify there is only one entry for vum-server when running the command in step 14.

  18. Run this command to import the vum-jetty alias:

    keytool -importkeystore -srckeystore p12_file_path\keyname.p12 -srcstoretype PKCS12 -destkeystore ..\..\SSL\vmware-vum.keystore -storepass keystore_password

  19. Enter the keystore password when prompted.

  20. Run this command to confirm there are now two entries again:

    keytool -list -storepass keystore_password -keystore ..\..\SSL\vmware-vum.keystore

  21. Restart the vCenter Update Manager service. For more information, see Stopping, starting, or restarting the vSphere Update Manager service (1039328).

  22. To verify that the new certificate is in use, open a web browser, navigate to https://vCenter_Update_Manager_FQDN:9087, and check the certificate information when prompted.
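
A check for the end state of steps 14 to 22, as an added example that is not part of the VMware article: it parses `keytool -list` output, confirms that both aliases exist with vum-jetty as a PrivateKeyEntry, and compares the vum-jetty fingerprint with the replacement .crt file. The sample listing and certificate bytes are constructed, the function names are hypothetical, and the .crt is assumed to be a PEM file holding a single certificate.

```python
import hashlib
import re
import ssl

# Constructed sample: arbitrary bytes stand in for the certificate's DER encoding.
SAMPLE_DER = b"constructed stand-in for the replacement certificate (DER)"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)
SAMPLE_FP = ":".join(f"{b:02X}" for b in hashlib.sha1(SAMPLE_DER).digest())
# Constructed `keytool -list` output for the keystore after step 18.
SAMPLE_LISTING = f"""Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

vum-jetty, Apr 6, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): {SAMPLE_FP}
vum-server, Apr 6, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
"""

# One keystore entry: "alias, date, type," followed by its fingerprint line.
ENTRY = re.compile(
    r"^(?P<alias>[^,\r\n]+),.*?(?P<type>\w+Entry),\s*\r?\n"
    r"Certificate fingerprint \((?P<alg>[^)]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)", re.M)

def parse_listing(text):
    """Map alias -> (entry type, hashlib digest name, fingerprint hex)."""
    return {m["alias"].strip(): (m["type"], m["alg"].replace("-", "").lower(),
                                 m["fp"].replace(":", "").upper())
            for m in ENTRY.finditer(text)}

def pem_fingerprint(pem, alg):
    """Hash the DER bytes of a single-certificate PEM string."""
    return hashlib.new(alg, ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()

def check_keystore(listing, replacement_pem):
    """Return a list of problems; an empty list means steps 15-20 held."""
    entries = parse_listing(listing)
    problems = [f"missing alias {a}" for a in ("vum-server", "vum-jetty") if a not in entries]
    if "vum-jetty" in entries:
        etype, alg, fp = entries["vum-jetty"]
        if etype != "PrivateKeyEntry":
            problems.append(f"vum-jetty is {etype}, not PrivateKeyEntry")
        if fp != pem_fingerprint(replacement_pem, alg):
            problems.append("vum-jetty fingerprint differs from the replacement certificate")
    return problems

def served_fingerprint(host, alg="sha1", port=9087):
    """Fingerprint of the certificate the port 9087 listener presents (step 22)."""
    return pem_fingerprint(ssl.get_server_certificate((host, port)), alg)
```

Comparing the result of `served_fingerprint` for the Update Manager host with the fingerprint of the replacement .crt confirms that the listener on port 9087 presents the new certificate after the restart in step 21.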


Additional Information

Replacing SSL certificates for VMware vCenter Update Manager by using the Update Manager Utility
Stopping, starting, or restarting the vSphere Update Manager service
Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5
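Replacing the SSL certificate for vCenter Update Manager does not replace the certificate used by Update Manager on port 9087 (Japanese version)
Replacing the SSL certificate for vCenter Update Manager does not replace the certificate used by Update Manager on port 9087 (Chinese version)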

Attachments

2045931_jetty_deobfuscate.zip