Procedure to update VMware Identity Manager Certificate in VCF Automation Using Tenant Manager

Article ID: 437529

Products

VCF Automation

Issue/Introduction

In environments where VMware Identity Manager is integrated with VCF Automation 9.x, updating or renewing the VIDM certificate requires re-establishing trust between components.

Previously, in VMware Aria Automation 8.x, this was handled using a retrust / re-register workflow during certificate replacement. However, in VCF Automation 9.0, this workflow has changed and now relies on Tenant Manager APIs.

Environment

VCF Automation 9.x

Cause

After upgrading to VCF Automation 9.0, the traditional retrust/re-register workflow used in Aria Automation 8.x is no longer available. As a result, newly replaced VIDM certificates are not automatically trusted by VCF Automation components.

Resolution

To re-establish trust after replacing the vIDM certificate in VCF Automation 9.x, manually add the CA certificate that issued the new vIDM certificate to Tenant Manager, using either the UI or the API method below.

Steps (UI Method):

  1. Log in to the VCFA Provider Org.
  2. Navigate to Certificate Management.
  3. Click Test Remote Connection.
  4. Enter https://<vidm-fqdn> and click Connect.
  5. Follow the prompt to trust the certificate presented by vIDM.

Alternative (API Method):

  1. Retrieve the CA certificate that signed the new vIDM certificate (from Fleet Management Locker).
  2. Generate an access token for API authentication using the procedure linked here.
  3. SSH into the VCF Automation appliance.
  4. Execute the following API to add the certificate to the trusted store:

curl --location 'https://localhost:8443/cloudapi/1.0.0/ssl/trustedCertificates' \
--header 'X-VMWARE-VCLOUD-AUTH-CONTEXT: System' \
--header 'Authorization: Bearer {{access_token}}' \
--header 'Content-Type: application/json' \
--header 'Accept: application/json;version=41.0.0-alpha' \
--data '{
  "id": null,
  "alias": "<alias-from-the-certificate>",
  "certificate": "<vIDM-certificate>"
}'

Note: the values for alias and vIDM-certificate should be taken from the Fleet Management Locker.

  5. Verify that the certificate has been successfully added to the trusted store.
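The API method above, wrapped in a small script as an added example (not part of this article and not VMware's own tooling). It assumes the issuing CA certificate has been exported from Fleet Management Locker to a PEM file, an alias has been chosen, and an access token has already been generated; the CA check with openssl and the GET on the same endpoint used for verification in step 5 are assumptions on top of what the article shows.

```shell
#!/bin/sh
# Added example for the article's API method. Endpoint and headers are the ones
# the article shows; everything else (CA check, GET verification) is assumed.
set -eu

VCFA_URL="${VCFA_URL:-https://localhost:8443}"   # run from the appliance, as in the article
API_VERSION="41.0.0-alpha"                        # from the article's Accept header

# json_escape_pem FILE: turn a PEM file into a single-line JSON string value.
# PEM holds only base64, dashes, spaces and newlines, so escaping newlines is enough.
json_escape_pem() {
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s\\n' "$line"
  done < "$1"
}

# build_payload ALIAS FILE: the request body from the article with placeholders filled in.
build_payload() {
  printf '{"id": null, "alias": "%s", "certificate": "%s"}' "$1" "$(json_escape_pem "$2")"
}

# check_is_ca FILE: the article says to trust the issuing CA, not the vIDM server
# certificate itself, so refuse a leaf certificate (assumed check, uses openssl).
check_is_ca() {
  openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# add_trusted_cert ALIAS FILE TOKEN: step 4 of the API method.
add_trusted_cert() {
  check_is_ca "$2" || { echo "refusing: $2 is not a CA certificate" >&2; return 1; }
  curl --silent --show-error --fail --location "$VCFA_URL/cloudapi/1.0.0/ssl/trustedCertificates" \
    --header 'X-VMWARE-VCLOUD-AUTH-CONTEXT: System' \
    --header "Authorization: Bearer $3" \
    --header 'Content-Type: application/json' \
    --header "Accept: application/json;version=$API_VERSION" \
    --data "$(build_payload "$1" "$2")"
}

# verify_trusted_cert ALIAS TOKEN: step 5; list the trusted store and look for the alias.
# Listing with GET on the same endpoint is an assumption (the usual cloudapi pattern).
verify_trusted_cert() {
  curl --silent --show-error --fail "$VCFA_URL/cloudapi/1.0.0/ssl/trustedCertificates" \
    --header 'X-VMWARE-VCLOUD-AUTH-CONTEXT: System' \
    --header "Authorization: Bearer $2" \
    --header "Accept: application/json;version=$API_VERSION" \
    | grep -q "\"alias\" *: *\"$1\""
}
```

Typical use on the appliance: `add_trusted_cert vidm-ca /tmp/vidm-ca.pem "$TOKEN" && verify_trusted_cert vidm-ca "$TOKEN"`.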

Additional Information