Renewal of Certificates for HCX Fleet Appliances

Article ID: 433252


Products

VMware HCX

Issue/Introduction

This KB explains the process for renewing SSL certificates across various VMware HCX fleet appliances.

HCX utilizes SSL certificates for secure communication and data encryption between all components. Because the certificate architecture varies by appliance type, the renewal process differs depending on whether you are managing Interconnect, Network Extension, or OSAM appliances.

Environment

VMware HCX 4.11.x, 9.x

Cause

HCX Fleet appliances utilize several specific certificates to secure different communication channels. These certificates have finite lifespans and must be rotated to maintain a secure and functional environment.

The certificates are categorized by appliance type:

  1. Interconnect (IX) Appliance: The IX appliance carries the heaviest certificate load due to its role in data migration:
    1. LWD Proxy & HBR Certificates: Used for communication with vCenter services (specifically for Bulk and Replication-assisted vMotion).
    2. Datapath API & IPsec Certificates: Secure the data tunnel and control plane between sites.
    3. HCX Manager to Appliance Link Certificate: Secures the management link between the HCX Manager and the IX appliance.
  2. Network Extension (NE) Appliance:
    1. Datapath API & IPsec Certificates: Secure the data tunnel and control plane between sites.
    2. HCX Manager to Appliance Link Certificate: Secures the management link between the HCX Manager and the NE appliance.
  3. Sentinel (SRG/SGW) Appliances:
    1. Datapath API & IPsec Certificates: Secure the data tunnel and control plane between sites.
    2. HCX Manager to Appliance Link Certificate: Secures the management link between the HCX Manager and the SRG/SGW appliance.
    3. Sentinel Agent to SRG/SGW Certificate: Used for communication between Windows/Linux machines and the SRG/SGW appliance.

Resolution

  1. For most certificates (LWD, HBR, Datapath API, and IPsec), the renewal is triggered by refreshing the appliance software or configuration:
    1. Redeploy: Use the Redeploy option within the HCX Service Mesh interface.
    2. Upgrade: Alternatively, performing a version Upgrade on the Fleet appliances will automatically rotate these certificates.
  2. Renewal of "HCX Manager to Appliance Link" Certificate (IX Appliance): This specific certificate requires a strict sequence of operations because it governs the communication channel between the manager and the managed appliance.
    1. Upgrade HCX Manager: You must first upgrade the HCX Manager to the latest supported version. This ensures the Manager has the necessary authorities and bundles to issue the new link certificate.
    2. Upgrade/Redeploy Fleet Appliances: Once the Manager is updated, proceed to Upgrade or Redeploy the IX, NE, and SGW/SDR appliances. This second step pushes the new Link Certificate to the appliances.
  3. Sentinel Gateway (SGW) / Sentinel Receiver (SRG): For appliances supporting OS Assisted Migration (OSAM), the renewal process requires a reconfiguration of the Service Mesh:
    1. Uninstall the Sentinel agents connected to the SGW/SRG.
    2. Remove the SGW/SRG appliances by editing the Service Mesh and deselecting the OS Assisted Migration feature.
    3. Once the removal task is complete, add the OS Assisted Migration feature back to the same Service Mesh, or create a new Service Mesh, to trigger a fresh deployment with updated certificates.

Additional Information

Reference Docs:
Upgrading HCX fleet appliances
Redeploying HCX fleet appliances