"X.509 Certificate Subject CN Does Not Match the Entity Name" reported by Security team scan on VCF Operations for Networks Collector Node
Article ID: 416634


Products

VCF Operations for Networks

Issue/Introduction

Some security scan tools scan virtual machines (including appliances such as VCF Operations for Networks Collector nodes), and these scans may produce alerts such as "X.509 Certificate Subject CN Does Not Match the Entity Name".

NOTE:  VCF Operations for Networks was formerly named Aria Operations for Networks (AON), and prior to that was named vRealize Network Insight (vRNI).

Environment

VCF Operations for Networks 

Cause

In the VCF Operations for Networks environment, the appliances are deployed with "default" SSL certificates. 

In clustered deployments, and/or where multiple Collector nodes have been deployed, the scan tool may produce the alert because the "default" certificates are all based on the same generic hostname, which does not match the name of any individual node.

Resolution

Other than seeking an exception from the security team for the Collector appliance IP addresses, there are two options.

Option 1:  Request a custom certificate for each Collector appliance from your CA (certificate authority) and then apply the delivered custom certificate to each Collector appliance.

Option 2:  Generate and then apply a self-signed certificate for each Collector appliance.

  • NOTE:  The web server is not reachable on Collector nodes, which mitigates the risk associated with the default certificate.


Below are the steps for Option 2 (these must be performed on each Collector appliance).

  1. Use PuTTY or another suitable SSH client to log into the Collector as the support user.

  2. Enter the command ub to switch to the Ubuntu user.

  3. Create a directory for the new certificate using the command mkdir custom_certs

  4. Change to the newly created directory using the command cd custom_certs

  5. Use the following 2 commands to generate a new self-signed certificate:
    • openssl genrsa -out vnera.com.key 2048
    • openssl req -new -key vnera.com.key -x509 -days 366 -sha256 -subj "/C=US/ST=CA/L=PA/O=VMware/OU=Arkin/CN=aria-networks-collector/[email protected]" -out vnera.com.crt
    • NOTES:
      • If your organization wishes to modify the CN name in the new certificate, replace the text "aria-networks-collector" in the above command with your preference.
      • If your organization wishes to modify the email address in the new certificate, replace the text "[email protected]" with your preference. 

  6. Execute the following command next:
    • ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null support@###.###.###.### 'sudo sed -i "/isThisProxy/,+4d" /home/ubuntu/cli/bin/recertify_host.sh /home/ubuntu/cli/bin/scplocal.sh'
    • NOTES: 
      • Replace ###.###.###.### in the command with the IP address of the Collector node.
      • After entering the command, you will be prompted for a password. The password is that of the support user for that Collector node.

  7. Leave that SSH session open, and open a second SSH session to the Collector using the consoleuser credentials.

  8. This places you in CLI mode. Use the following command to list the certificate files that were generated:
    • custom-cert list
    • You should see the two files "vnera.com.key" and "vnera.com.crt"

  9. Next, use the following command to apply the certificate files that were generated:
    • custom-cert apply
    • NOTES:
      • If successful, you will see a message containing "Successfully applied new certificate"
      • Alternatively, if you see the message "Failed to find the key file", then leave this cli session open, and switch back to the other SSH session, to enter the next commands:
        • sed -i 's/-----BEGIN PRIVATE KEY-----/-----BEGIN RSA PRIVATE KEY-----/g' vnera.com.key
        • sed -i 's/-----END PRIVATE KEY-----/-----END RSA PRIVATE KEY-----/g' vnera.com.key
      • The above commands only change the "BEGIN PRIVATE KEY" and "END PRIVATE KEY" strings in vnera.com.key to "BEGIN RSA PRIVATE KEY" and "END RSA PRIVATE KEY" respectively, as VCF Operations for Networks requires these labels.
      • After those commands, return to the consoleuser SSH session (cli) and repeat the custom-cert apply command, after which you should see the message containing "Successfully applied new certificate"

  10. The final step for the Collector node is to log into the VCF Operations for Networks GUI, navigate to Settings --> Data Sources, and for each NSX-T Manager listed, shift the "Data Collection" toggle switch to "Off" (to the left), wait 15 minutes, and then shift the toggle switch back to "On" (to the right).  

  11. Repeat each of the above steps, in sequence, for each Collector appliance.
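As an added example (not part of this KB and not the product's own tooling), the following POSIX shell functions wrap the certificate part of Option 2 so it can be checked before it is applied: they generate a key and self-signed certificate whose CN is the Collector's own hostname, extract the CN from the resulting certificate and compare it with the name the scanner will compare it to, and write the key natively in the PKCS#1 "RSA PRIVATE KEY" encoding. The hostname collector-01.example.test and the O/OU values are constructed placeholders. Two points go beyond the KB's commands: a subjectAltName is added because current scanners and TLS stacks check the SAN before or instead of the CN, and the key conversion uses openssl rsa rather than the KB's sed, which rewrites only the PEM label text; the assumption, stated here and in the comments, is that the product only requires the label to read "RSA PRIVATE KEY", which the KB's note is consistent with.

```shell
#!/bin/sh
# Added example, not part of the KB. Generates a per-Collector self-signed
# certificate whose CN is the node's own hostname, checks that CN against the
# name a scanner compares it to, and writes the key as PKCS#1 ("RSA PRIVATE KEY").
# The hostname and O/OU values used in the demo below are constructed.
set -eu

# Generate key + self-signed cert. $1 = CN (the Collector's hostname),
# $2 = output directory, $3 = validity in days (default 366, as in the KB).
# Unlike the KB command this also sets a SAN, which modern scanners check
# before (or instead of) the CN.
gen_collector_cert() {
  cn=$1; dir=$2; days=${3:-366}
  mkdir -p "$dir"
  openssl genrsa -out "$dir/vnera.com.key" 2048 2>/dev/null
  openssl req -new -key "$dir/vnera.com.key" -x509 -days "$days" -sha256 \
    -subj "/C=US/ST=CA/L=PA/O=Example/OU=Lab/CN=$cn" \
    -addext "subjectAltName=DNS:$cn" \
    -out "$dir/vnera.com.crt" 2>/dev/null
}

# Print the subject CN of a PEM certificate ($1). RFC2253 output puts the
# CN first and uses no spaces, so a single sed extracts it reliably.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeeds when the certificate's CN ($1) equals the expected entity name ($2);
# this is the comparison behind the "Subject CN Does Not Match" finding.
cn_matches_host() {
  [ "$(cert_cn "$1")" = "$2" ]
}

# Rewrite key $1 to $2 in PKCS#1 form, i.e. a genuine
# "-----BEGIN RSA PRIVATE KEY-----" block rather than a relabelled PKCS#8 one.
# OpenSSL 3 emits PKCS#8 unless -traditional is given; OpenSSL 1.1 has no
# such flag and already emits PKCS#1. (Assumption: the product only needs the
# RSA PRIVATE KEY label, which this encoding carries.)
to_pkcs1_key() {
  if openssl rsa -help 2>&1 | grep -q -- '-traditional'; then
    openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null
  else
    openssl rsa -in "$1" -out "$2" 2>/dev/null
  fi
}

# Demo against this machine's own hostname; run as: sh this.sh --demo
if [ "${1-}" = "--demo" ]; then
  d=$(mktemp -d)
  gen_collector_cert "collector-01.example.test" "$d"
  to_pkcs1_key "$d/vnera.com.key" "$d/vnera.com.key.tmp"
  mv "$d/vnera.com.key.tmp" "$d/vnera.com.key"
  if cn_matches_host "$d/vnera.com.crt" "$(hostname -f 2>/dev/null || hostname)"; then
    echo "CN matches this host"
  else
    echo "CN '$(cert_cn "$d/vnera.com.crt")' does not match this host"
  fi
fi
```

Calling cn_matches_host with the name the scanner resolves for the node (its FQDN or the reverse-DNS name of its IP) before running custom-cert apply tells you whether the new certificate will clear the finding; if the CN you pass to gen_collector_cert is a generic label such as the KB's default "aria-networks-collector" rather than the node's real name, the check fails for the same reason the original alert fired.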

Additional Information