vCloud Usage Meter requires a signed Certificate issued by a Certificate Authority (CA).
To resolve this issue, generate and install a compliant certificate:
Generating a Certificate Signing Request
To generate a Certificate Signing Request to send to an Internal CA to issue a signed SSL Certificate:
- Log in to the vCloud Usage Meter appliance as root.
- Stop Tomcat by running the command:
# service tomcat stop
- Add the keytool command directory to your path by running the command:
# export PATH=$PATH:/usr/java/latest/bin
- Verify that the keytool command is now on your $PATH by running the command:
# which keytool
The command prints:
/usr/java/latest/bin/keytool
- Change directory to /home/usgmtr/ by running the command:
# cd /home/usgmtr/
- Back up the existing .keystore file by running the command:
# cp .keystore .keystore.bak
- Create a new key to be used to generate a new CSR (Certificate Signing request) by running the command:
# keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore
Notes:
- The keystore password must be silverpen.
- This must be the keystore in /home/usgmtr. There are multiple keystores on the appliance, and the others will not have the intended effect.
- If the command does not work or you receive the Key Pair already exists error message, delete the existing tomcat alias from the keystore by running the command below, then re-run the previous genkey command:
# keytool -delete -alias tomcat -keystore .keystore
- Create the Certificate Signing Request (CSR) by running the command:
# keytool -certreq -alias tomcat -keyalg RSA -file example.com.csr -keystore .keystore
Note: Ensure the CN (Common Name) is either the FQDN or IP address of the Usage Meter server.
Obtaining the certificate
To generate a certificate on an Internal CA for use with vCloud Usage Meter:
Open the Certificate Signing Request (CSR) and copy the contents to the Internal CA, then obtain the signed public key from the CA in BASE64 .P7B format.
Example: Using the Microsoft Windows Certificate Authority
- Using a web browser, go to:
https://Internal_Certificate_Authority_URL/certsrv
- Under Select a Task, click Request a Certificate. Click Advanced Certificate Request.
- Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
- Open the Certificate Signing Request (CSR) file in a plain text editor and copy the contents into the Saved Request section, starting with:
-----BEGIN CERTIFICATE REQUEST-----
and ending with:
-----END CERTIFICATE REQUEST-----
- Under Certificate Template, click Web Server then click Submit. You are shown the download options for the issued certificate.
- Click Base 64 Encoded > Download certificate chain.
The certificate to import into the Usage Meter appliance has been generated.
Importing the certificate
To import the certificate into the Usage Meter appliance:
- Import the certificate into the keystore by running the command:
# keytool -import -trustcacerts -alias tomcat -file certificate_from_ca.p7b -keystore .keystore
You see this confirmation message:
Certificate reply was installed in keystore
Note: If you are asked whether you want to trust the certificate, type y or yes.
- Assign ownership of the keystore to the usgmtr user by running the command:
# chown usgmtr .keystore
- Copy the new keystore by running the commands:
# service tomcat stop
# service vami-lighttp stop
# cp /home/usgmtr/.keystore /opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks.new
Note: In vCloud Usage Meter 3.6.1 and later versions, the .jks file is located at:
/usr/share/tomcat/conf/webserver_certificate.jks
- Back up the existing keystore by running the command:
# cp /usr/share/tomcat/conf/webserver_certificate.jks /usr/share/tomcat/conf/webserver_certificate.jks.bac
Note: In vCloud Usage Meter 3.5 and older versions, the .jks file is located at:
/opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks
- Replace the existing keystore with the newly generated one by running the commands:
# cp /usr/share/tomcat/conf/webserver_certificate.jks.new /opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks
# service tomcat start
# service vami-lighttp start
- Optionally, add an entry to the /etc/hosts file on the Usage Meter appliance that maps the Usage Meter FQDN to its IP address.
- Verify that Tomcat is now serving the new SSL certificate issued by the internal CA by accessing https://Usage_Meter_appliance_IP:8443 in a web browser.
Note: If the new SSL certificate is not shown, restart the Usage Meter appliance.
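Before copying the keystore into the Tomcat configuration directory, it is worth confirming that the CA reply really replaced the self-signed certificate under the tomcat alias and that the server certificate's CN is the FQDN or IP address the note above requires. The script below is an added example and is not part of the VMware KB article or the appliance itself; it parses the text that keytool -list -v prints (the alias, entry type, chain length and Owner lines) with POSIX sh and awk, and the listings it ships with are constructed samples. On the appliance you would pipe in the live listing instead, for example keytool -list -v -keystore /home/usgmtr/.keystore -alias tomcat | keystore_status.

```shell
#!/bin/sh
# Added example, not part of the VMware KB article: sanity checks over the
# text that `keytool -list -v` prints for the tomcat alias, so you can confirm
# the CA reply really replaced the self-signed certificate before copying the
# keystore into place. On the appliance, pipe the live listing in:
#   keytool -list -v -keystore /home/usgmtr/.keystore -alias tomcat | keystore_status
# Everything below uses only POSIX sh and awk; the listings are constructed samples.

# keystore_status: read a keytool -list -v listing on stdin and print one word:
#   missing      no "tomcat" alias in the listing
#   not-a-key    the alias is a trustedCertEntry, not a PrivateKeyEntry
#   self-signed  private key present, chain length 1 (the CA reply was not imported)
#   ca-signed    private key with a chain of 2 or more certificates, as expected
#                after "keytool -import -trustcacerts -alias tomcat ..."
keystore_status() {
    awk '
        /^Alias name: tomcat$/ { inalias = 1; seen = 1; next }
        /^Alias name: /        { inalias = 0 }
        inalias && /^Entry type: /               { type = $3 }
        inalias && /^Certificate chain length: / { len = $4 + 0 }
        END {
            if (!seen)                          print "missing"
            else if (type != "PrivateKeyEntry") print "not-a-key"
            else if (len < 2)                   print "self-signed"
            else                                print "ca-signed"
        }'
}

# leaf_cn: print the CN of the first certificate (the server certificate) under
# the tomcat alias; this is the value the KB says must be the FQDN or IP.
leaf_cn() {
    awk '
        /^Alias name: tomcat$/ { inalias = 1; next }
        /^Alias name: /        { inalias = 0 }
        inalias && /^Certificate\[1\]:/ { leaf = 1; next }
        inalias && leaf && /^Owner: / {
            if (match($0, /CN=[^,]*/)) print substr($0, RSTART + 3, RLENGTH - 3)
            leaf = 0
        }'
}

# leaf_cn_matches EXPECTED: succeed only if the leaf CN equals the hostname or
# IP you intend to type into the browser (argument); listing is read on stdin.
leaf_cn_matches() {
    [ "$(leaf_cn)" = "$1" ]
}

# Constructed sample listings (not real appliance output), in keytool's format.
SAMPLE_CA_SIGNED=$(cat <<'EOF'
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Jan 10, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=um.example.com, OU=Cloud, O=Example Corp, C=US
Issuer: CN=Example Internal CA, O=Example Corp, C=US
Serial number: 1a2b3c
Certificate[2]:
Owner: CN=Example Internal CA, O=Example Corp, C=US
Issuer: CN=Example Internal CA, O=Example Corp, C=US
EOF
)

SAMPLE_SELF_SIGNED=$(cat <<'EOF'
Alias name: tomcat
Creation date: Jan 10, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=um.example.com, OU=Cloud, O=Example Corp, C=US
Issuer: CN=um.example.com, OU=Cloud, O=Example Corp, C=US
EOF
)

SAMPLE_NO_TOMCAT=$(cat <<'EOF'
Alias name: internalca
Entry type: trustedCertEntry
Owner: CN=Example Internal CA, O=Example Corp, C=US
EOF
)

# Demo when run directly: prints "ca-signed", "self-signed", "missing", then the CN.
printf '%s\n' "$SAMPLE_CA_SIGNED"   | keystore_status
printf '%s\n' "$SAMPLE_SELF_SIGNED" | keystore_status
printf '%s\n' "$SAMPLE_NO_TOMCAT"   | keystore_status
printf '%s\n' "$SAMPLE_CA_SIGNED"   | leaf_cn
```

A result of self-signed after the import step means the CA reply was not applied to the tomcat alias (for example because the .p7b was for a different key, or the alias was recreated afterwards), and copying that keystore forward would leave Tomcat serving the old self-signed certificate; missing or not-a-key points at the wrong keystore or a deleted alias. Checking the CN against the exact name you will enter in the browser catches the mismatch that otherwise only appears as a certificate warning at https://Usage_Meter_appliance_IP:8443.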