Certificate Replacement for VMware Identity Manager deployed from Aria Suite Lifecycle

Article ID: 372708


Products

VMware Aria Suite

Issue/Introduction

This article provides the complete process for a clean certificate replacement for VMware Identity Manager.

Environment

VMware Identity Manager

Resolution

VMware Identity Manager certificate replacement stages.
Note: This is the ideal process to follow when the certificate replacement is performed before the certificate expires.

Stage 1: Certificate creation

  1.  Self Signed Certificate

    1. Create certificate from Aria Suite Lifecycle locker with correct details and SANs.
    2. Download the PEM. 
    Structure of .pem downloaded:
    --server certificate ---
    --root ca cert--
    --private key--

  2. CA-Signed Certificate

    1. Generate a CSR from Aria Suite Lifecycle and download it.
    2. Have it submitted and signed by the CA.
    3. Upload it into the Aria Suite Lifecycle Locker.

  3. Custom certificate

    1. Upload the custom signed certificate into Aria Suite Lifecycle for consumption.

Stage 2: Update Load balancer certificates
- Applicable to a clustered VMware Identity Manager setup. Proceed to the next stage if it is a single-node setup.
- This is a critical requirement because the SSL configuration of the load-balancing virtual server for VMware Identity Manager would ideally be set to SSL terminated.
- The steps below outline the procedure for certificate replacement for virtual servers configured on VMware NSX. Parallel steps can be followed if other supported load balancers are used in the setup instead of NSX.

  1. Preparing the certificates for NSX upload

    Partition the .pem downloaded from Aria Suite Lifecycle into 2 files:

    a. root.cer
        --root ca cert--  

    b. Server certificate with key
        --server cert---
        --private key-- 

  2. Import CA certificate into NSX Manager

    - Certificates > Import > Import CA certificate.
    - Load the root.cer, ensure the check box for service certificate is checked (as this is for load balancing for a service), and import.

  3. Import Server certificate with key into NSX Manager

    - Certificates > Import > Import certificate.
    - Load the --server cert-- in the server certificate section. 
    - Load the --private key-- in the private key section.

  4. Apply the updated certificates on the NSX virtual server for VMware Identity Manager 

    - Networking > Load balancing > Virtual servers: select the virtual server for VMware Identity Manager.
    - Click on the 3 dots and click edit.
    - Click on SSL configuration and edit.
    - For server certificate, select the new certificate uploaded.
    - Click on advance configurations.
    - Click on the drop-down for trusted root CA certificate and select the new Aria Suite Lifecycle root CA certificate.
    - Click on save.
    - Save the configurations for virtual servers.
    - The VMware Identity Manager load balancer virtual IP should now show the updated certificates.
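
One way to confirm that the virtual IP presents the new certificate (and, after Stage 3, that each node does too) is to compare SHA-256 fingerprints against the server certificate in the downloaded .pem. This is an added example, not part of the original article; the host name `vidm-vip.example.com`, port 443 and the script name are placeholders.

```python
import hashlib
import re
import socket
import ssl

CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def sha256_fingerprint(pem_cert):
    """SHA-256 over the DER encoding of one PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert.strip())).hexdigest()

def fetch_presented_cert(host, port=443, timeout=10):
    """Return the leaf certificate an endpoint presents, as PEM."""
    # Validation is off only so an expired or not-yet-trusted certificate can
    # still be read for comparison; nothing is sent over this connection.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))

def check_endpoints(bundle_text, endpoints, fetch=fetch_presented_cert):
    """Map each (host, port) to 'updated', 'stale' or 'unreachable: ...'."""
    leaf = CERT_RE.search(bundle_text)  # first block in the .pem is the server cert
    if leaf is None:
        raise ValueError("no certificate found in bundle")
    expected = sha256_fingerprint(leaf.group(0))
    status = {}
    for host, port in endpoints:
        try:
            presented = sha256_fingerprint(fetch(host, port))
            status[(host, port)] = "updated" if presented == expected else "stale"
        except OSError as exc:  # includes ssl.SSLError and connection failures
            status[(host, port)] = f"unreachable: {exc}"
    return status

if __name__ == "__main__":
    import sys
    # usage (placeholder names): python check_cert.py new_bundle.pem vidm-vip.example.com
    with open(sys.argv[1]) as fh:
        bundle = fh.read()
    targets = [(h, 443) for h in sys.argv[2:]]
    for endpoint, state in check_endpoints(bundle, targets).items():
        print(endpoint, state)
```

A `stale` result on the virtual IP after step 4 means the virtual server is still bound to the old certificate.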

  5. Re-trust with Load Balancer

    - Trigger a re-trust with load balancer for VMware Identity Manager from Aria Suite Lifecycle.
    - This is to make the nodes aware of the Load balancer certificate.
    Note: If the certificate is already expired, follow the steps from Stage 3 - B (Certificate Replacement post certificate expiry) first and then re-trust with Load Balancer.



Stage 3: Replace certificates on VMware Identity Manager nodes

  1. Certificate replacement prior to certificate expiry:

    - If certificates are being replaced from Aria Suite Lifecycle before expiry.
    - Select replace certificates.
    - Review current certificates.
    - Select newly generated certificates from locker.
    - Click submit.
    This will replace the certificates on all 3 nodes, if it is a clustered set up.  

  2. Certificate Replacement post certificate expiry:

    In this scenario, as the VMware Identity Manager certificates are already expired, Aria Suite Lifecycle would not be able to connect to the nodes for day 2 operations.
    - Log in to the connector admin pages, https://vIDM_node_FQDN:8443/cfg/login, as the admin user.
    - Select custom SSL Certificates.
    - In the SSL Certificate chain, from the .pem file, paste the entire chain as : 
           --server certificate ---
           --root ca cert--
    - In the private key section paste the --private key--
    - Click Apply.
    - If it is a clustered setup, repeat this for all three nodes.
    - Log in to Aria Suite Lifecycle and trigger an Inventory Sync for VMware Identity Manager, followed by a Re-trust with Load Balancer if it is a clustered setup and the steps from Stage 2 were followed.
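
The partitioning described in Stage 2 (root.cer and server certificate with key) and the chain plus private key pasted in Stage 3 are both rearrangements of the same three PEM blocks. The sketch below is an added example, not VMware tooling; it assumes the server certificate, root CA certificate, private key order shown in Stage 1, and the output names other than `root.cer` are hypothetical.

```python
import os
import re

# Matches any PEM block and captures its label (CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY, ...)
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.+?\r?\n-----END \1-----", re.S)

def split_bundle(pem_text):
    """Split a locker .pem laid out as server cert, root CA cert, private key."""
    certs, keys = [], []
    for m in PEM_BLOCK.finditer(pem_text):
        block = m.group(0).replace("\r\n", "\n") + "\n"
        if m.group(1) == "CERTIFICATE":
            certs.append(block)
        elif m.group(1).endswith("PRIVATE KEY"):
            keys.append(block)
    # Refuse a bundle that does not match the expected layout instead of guessing
    if len(keys) != 1:
        raise ValueError(f"expected exactly 1 private key, found {len(keys)}")
    if len(certs) < 2:
        raise ValueError(f"expected server cert plus CA cert, found {len(certs)} certificate(s)")
    server, ca_chain, key = certs[0], "".join(certs[1:]), keys[0]
    return {
        "root.cer": ca_chain,                 # Stage 2: CA certificate import
        "server_with_key.pem": server + key,  # Stage 2: server certificate with key
        "chain.pem": server + ca_chain,       # Stage 3: SSL certificate chain field
        "private.key": key,                   # Stage 3: private key field
    }

def write_parts(parts, out_dir):
    """Write each part; any file containing the private key is owner-only (0600)."""
    os.makedirs(out_dir, exist_ok=True)
    for name, body in parts.items():
        mode = 0o600 if "PRIVATE KEY" in body else 0o644
        path = os.path.join(out_dir, name)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
        with os.fdopen(fd, "w") as fh:
            fh.write(body)
        os.chmod(path, mode)  # also tightens a file that already existed

# Constructed placeholder bundle (not real key material) in the layout from Stage 1
SAMPLE = (
    "-----BEGIN CERTIFICATE-----\nU0VSVkVS\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nUk9PVENB\n-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for name, body in split_bundle(SAMPLE).items():
        print(name, body.count("-----BEGIN"), "block(s)")
```

Remove the files that contain the private key from the workstation once the import into NSX or the connector page is complete.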

Stage 4: Update Aria Automation to trust VMware Identity Manager with new certificates
- This is required because Aria Automation relies on VMware Identity Manager for all permissions and currently holds the old VMware Identity Manager certificates. This step updates the Aria Automation appliances with the new Identity Manager certificates and rebuilds the Aria Automation services.

1. Trigger inventory sync for Aria Automation. 
2. Trigger re-trust with VMware Identity Manager.
Aria Automation can now connect with VMware Identity Manager successfully.