Certificate Replacement for VMware Identity Manager deployed from Aria Suite Lifecycle
search cancel

Certificate Replacement for VMware Identity Manager deployed from Aria Suite Lifecycle

book

Article ID: 372708

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

This Article aims to provide the complete process for a clean certificate replacement task for VMware Identity Manager.

  • Aria Suite Lifecycle Manager Locker>Certificates shows a yellow exclamation point in a triangle, and upon inspecting the current certificate the expiration date is within 4 weeks from now.  If this is the case, please schedule a maintenance window to run through this process as soon as possible.
  • Triggering VIDM sync in LCM gives error LCMVIDM71059 with full error snippet reporting similar error as Exception message: vIDM GET Association Ruleset failed with status code : 401. API Response : Unauthorized
  • Sign into workspace one with VIDM user or other Broadcom Products using VIDM authentication results in Error similar to the error in the screenshot below
  • Sign into workspace one with system domain admin user may show the error An Unexpected error has occurred. Please try again later.  
  • VIDM health reports error connecting to the identity manager FQDN that does not resolve when applying the kb Identity Manager FQDN health reports error connecting to the identity manager fqdn 
  • The UI fails to load and the URL redirects to https://<vIDM_LB_FQDN>/hc/error, potentially displaying an error like: "Error: You do not have permission to access this page: /hc/3104/authenticate/". However, when accessing the VIDM nodes directly using their individual URLs, the UI loads correctly and config-state.json file is not corrupted. This issue only occurs when accessing the VIDM UI through the load balancer's FQDN

  • Error "pkix path validation failed: java.security.cert.certpathvalidationexception: could not validate certificate: certificate expired" while accessing VMware Identity Manager.

Environment

VMware Identity Manager 3.3.x
Aria Suite Lifecycle Manager 8.x
Aria Automation 8.x

Resolution

VMware Identity Manager certificate replacement stages.
Note: This is the ideal process to be followed given that the certificate replacement is being conducted prior to certificate expiry. 

Stage 1 : Certificate creation

  1.  Self Signed Certificate

    1. Create certificate from Aria Suite Lifecycle locker with correct details and SANs.
    2. Download the PEM. 
    Structure of .pem downloaded:
    --server certificate ---
    --root ca cert--
    --private key--

  2. CA-Signed Certificate

    1. Generate a CSR from Aria Suite Lifecycle and download it.
    2. Have it submitted and signed by the CA.
    3. Upload it into the Aria Suite Lifecycle Locker.

  3. Custom certificate

    1. Upload the custom signed certificate into Aria Suite lifecycle for consumption. 

Stage 2: Update Load balancer certificates
- Applicable for clustered VMware Identity Manager set up. Proceed to next stage if it is a single node set up. 
- This is a critical requirement as ideally the SSL configuration for Load balancing virtual server would be set to SSL terminated for VMware Identity Manager. 
- The steps below outline the procedure for certificate replacement for virtual servers configured on VMware NSX. Parallel steps can be followed if other support load balancers are used in the set up instead of NSX. 

  1. Preparing the certificates for NSX upload

    Partition the .pem downloaded from Aria Suite Lifecycle into 2 files:

    a. root.cer
        --root ca cert--  

    b. Server certificate with key
        --server cert---
        --private key-- 

  2. Import CA certificate into NSX Manager

    - Certificates > Import > Import ca certificate.
    - Load the root.cer and ensure check box for service certificate is checked as this is for Load balancing for a service 
    and import.

  3. Import Server certificate with key into NSX Manager

    - certificates > import > import certificate.
    - Load the --server cert-- in the server certificate section. 
    - Load the --private key-- in the private key section.

    Important: In some cases, it is not required to import the Server and Root certs separately as mentioned above in Steps 2 & 3. Rather, the entire certificate chain (Server/Leaf, Intermediate (if any) and Root) can just be added only once, from System > Certificate > Import > Certificate page. Follow the KB How to replace a vIDM cluster load balancer certificate in NSX-T and update Aria Suite Lifecycle for steps.

  4. Apply the updated certificates on the NSX virtual server for VMware Identity Manager 

    - Networking > Load balancing > Virtual Servers and Networking > Load Balancing > Monitor : Select the virtual server for VMware Identity Manager.
    - Click on 3 dots and click edit.
    - Click on ssl configuration and edit. 
    - For server certificate select the new certificate uploaded.
    - Click on advance configurations.
    - Click on drop down for trusted root ca certificate and select the new Aria Suite Lifecycle root ca certificate. 
    - Click on save. 
    - Save the configurations for virtual servers.
    - Now the VMware Identity Manager Load balancer virtual-ip should show updated certificates.

  5. Re-trust with Load Balancer

    - Trigger a re-trust with load balancer for VMware Identity Manager from Aria Suite Lifecycle.
    - This is to make the nodes aware of the Load balancer certificate.
    Note: If the certificate is already expired, then Follow steps from Stage 3 - B first and then re-trust with Load Balancer.



Stage 3 Replace certificates on VMware Identity Manager nodes 

  1. Certificate replacement prior to certificate expiry:

    - If certificates are being replaced from Aria Suite Lifecycle before expiry.
    - Select replace certificates.
    - Review current certificates.
    - Select newly generated certificates from locker.
    - Click submit.
    This will replace the certificates on all 3 nodes, if it is a clustered set up.  

  2. Certificate Replacement post certificate expiry:

    In this scenario, as the VMware Identity Manager certificates are already expired, Aria Suite Lifecycle would not be able to connect to the nodes for day 2 operations.
    - Log in to the connector admin pages, https://vIDM_node_FQDN:8443/cfg/login, as the admin user.
    - Select custom SSL Certificates.
    - In the SSL Certificate chain, from the .pem file, paste the entire chain as : 
           --server certificate ---
           --root ca cert--
    - In the private key section paste the --private key--
    - Click Apply.
    - If it is a clustered set up, then perform repeat this for all three nodes. 
    - Log in to the Aria Suite Lifecycle and trigger an Inventory Sync for VMware Identity Manager Followed by a Re-trust with Load Balancer if it is a clustered set up and we followed steps from Stage 2. 

Stage 4 Update Aria Automation to trust VMware Identity Manager  with new certificates 
- This is required as Aria Automation seeks VMware Identity Manager for all permissions and currently holds old VMware Identity Manager certs. Thus, this step would update the Aria Automation appliances with the new Identity Manager certificates and rebuild the Aria Automation services.

1. Trigger inventory sync for Aria Automation. 
2. Trigger re-trust with VMware Identity Manager.
Aria Automation can now connect with VMware Identity Manager  successfully. 

Note: If you find that you are still unable to sign into workspace one using the VIDM LB with a VIDM user please apply the steps in kb Troubleshooting LCMVIDM71077: Unable to trust the load balancer certificate assigned to VIDM

Powered by Wolken Software