Unable to remove syslog cert added in Director tile configuration

Article ID: 374592

Products

Operations Manager

Issue/Introduction

When TLS is enabled for Syslog on the Director tile, the customer has to add values for the fields "Permitted Peer" and "SSL Certificate".

Image 1. Syslog TLS configuration

Once the configuration is completed and saved, the TLS values are visible in these fields, and the certificate(s) in the "SSL Certificate" field are monitored by Ops Manager on the Certificates page.

If "Enable TLS" is disabled, the fields are grayed out but still visible, and the certificate(s) in the field continue to be monitored on the Certificates page in the Ops Manager UI.

Cause

There is a known issue in Ops Manager Syslog configuration for tiles. Once this certificate is added, the tile doesn't allow it to be removed via the UI.

Resolution

The values under Syslog -> Enable TLS -> SSL Certificate can be removed using the Ops Manager API. The steps below go over the process to remove them.

  • Target the UAAC Implementation.
uaac target --skip-ssl-validation https://OPS-MANAGER-FQDN/uaa
  • Authenticate with UAAC.
$ uaac token owner get
#Example Output
Client ID:  opsman
Client secret:  <------ Empty
User name:  admin <--- Your Opsman Login with Administrator scopes
Password:  {Password}

  • Use the API endpoint to get the current JSON configuration. It should look similar to the example below:
uaac curl https://OPSMAN-FQDN/api/v0/staged/products/director/syslog_configuration
...
RESPONSE BODY:
{
  "syslog_configuration": {
    "enabled": true,
    "address": "xxx.x.x.x",
    "port": "xx",
    "transport_protocol": "tcp",
    "tls_enabled": false,
    "ssl_ca_certificate": "-----BEGIN CERTIFICATE-----
    .
    .
    .
    -----END CERTIFICATE-----\n",
    "permitted_peer": "localhost",
    "queue_size": null,
    "forward_debug_logs": false,
    "custom_rsyslog_configuration": null,
    "environment": null
  }
}

 

  • Take that response, set the ssl_ca_certificate and permitted_peer fields to null, then send a PUT request to the endpoint with the updated configuration. Make sure the remaining values (address, port, etc.) match your own environment. It will look similar to the following:
uaac curl -k https://$OPSMAN_FQDN/api/v0/staged/products/director/syslog_configuration -X PUT -d '{
  "syslog_configuration": {
    "enabled": true,
    "address": "xxx.x.x.x",
    "port": "xx",
    "transport_protocol": "tcp",
    "tls_enabled": false,
    "ssl_ca_certificate": null,
    "permitted_peer": null,
    "queue_size": null,
    "forward_debug_logs": false,
    "custom_rsyslog_configuration": null,
    "environment": null
  }
}'

If you get a 200 response from the call, please go to your Ops Manager tile -> Syslog and refresh. The fields for Permitted Peer and SSL Certificate should be empty.
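The edit step above can be scripted so that the PUT body is derived from the GET response instead of being retyped by hand. The following is an added example, not part of the original article or of Ops Manager: the function names, the sample output and the refusal when tls_enabled is true are assumptions of this example.

```python
import json

# Fields the article sets to null.
FIELDS_TO_CLEAR = ("ssl_ca_certificate", "permitted_peer")

# Constructed sample of the GET output; address, port and certificate are placeholders.
SAMPLE_OUTPUT = r"""...
RESPONSE BODY:
{
  "syslog_configuration": {
    "enabled": true,
    "address": "192.0.2.10",
    "port": "6514",
    "transport_protocol": "tcp",
    "tls_enabled": false,
    "ssl_ca_certificate": "-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
    "permitted_peer": "localhost",
    "queue_size": null,
    "forward_debug_logs": false,
    "custom_rsyslog_configuration": null,
    "environment": null
  }
}
"""


def extract_body(uaac_output):
    """Parse the JSON that follows the 'RESPONSE BODY:' line of uaac curl output."""
    _, marker, body = uaac_output.partition("RESPONSE BODY:")
    if not marker:
        raise ValueError("no 'RESPONSE BODY:' line found in input")
    return json.loads(body)


def build_put_body(uaac_output):
    """Null the two TLS fields and keep every other staged value as returned."""
    doc = extract_body(uaac_output)
    cfg = doc["syslog_configuration"]
    # Assumption of this example: stop if TLS is still on, because the
    # article's case is clearing leftovers after "Enable TLS" was disabled.
    if cfg.get("tls_enabled"):
        raise ValueError("tls_enabled is true; disable TLS first")
    for name in FIELDS_TO_CLEAR:
        if name not in cfg:
            raise KeyError(name)
        cfg[name] = None
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print(build_put_body(SAMPLE_OUTPUT))
```

Feed it the saved output of the GET call and pass the printed JSON to the PUT request with -d.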