kb.vmware.com
2a02:26f0:f500:4a0::2ef
Public Scan
URL:
https://kb.vmware.com/s/article/89583
Submission: On April 27 via api from US — Scanned from NL
Form analysis
0 forms found in the DOM
Text Content
CONFIGURE A CERTIFICATE FOR USE WITH VMWARE ARIA OPERATIONS CLOUD PROXY (89583)

Last Updated: 4/15/2023
Categories: How to
Total Views: 1135
Language: English

PURPOSE

This article provides instructions for using OpenSSL to configure a certificate for use with VMware Aria Operations Cloud Proxy for VMware Aria Operations (formerly known as vRealize Operations) or VMware Aria Operations (SaaS) (formerly known as vRealize Operations Cloud).

IMPACT / RISKS

The finished PEM file should look similar to the following example, where the number of CERTIFICATE sections depends on the length of the issuing chain:

    -----BEGIN CERTIFICATE-----
    (Your Primary SSL certificate: your_domain_name.crt)
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    (Your Private Key: your_domain_name.key)
    -----END RSA PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    (Your Intermediate certificate: DigiCertCA.crt)
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    (Your Root certificate: TrustedRoot.crt)
    -----END CERTIFICATE-----

Failure to comply with the above format may result in Cloud Proxy collections being affected.

RESOLUTION

To configure a certificate PEM file with VMware Aria Operations:

1. Generate a new Certificate PEM for VMware Aria Operations Cloud Proxy.
2. Install the Certificate PEM in the VMware Aria Operations Cloud Proxy.

Note: The certificates applied will be used only for inward traffic from endpoints. We do not allow custom updates of the certificates for specific components of VMware Aria Operations such as Java or Gemfire.

GENERATE A NEW CERTIFICATE PEM FILE

1. Log into the Cloud Proxy as root via SSH or Console.

2. Run the following command to make the /cert directory, then change to that directory:

    mkdir /cert && cd /cert

3. In the /cert directory, create a new file called vrops.cnf:

    vi vrops.cnf

4. The contents of the file should be as follows for a 3 node cluster:

    [req]
    prompt = no
    distinguished_name = dn
    req_extensions = ext
    default_bits = 2048
    default_md = sha256
    encrypt_key = no

    [dn]
    CN = Primary_Node_FQDN

    [ext]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = Primary_Node_FQDN
    DNS.2 = Node_2_FQDN
    DNS.3 = Node_3_FQDN
    DNS.4 = Primary_Node_Shortname
    DNS.5 = Node_2_Shortname
    DNS.6 = Node_3_Shortname
    IP.1 = Primary_Node_IP
    IP.2 = Node_2_IP
    IP.3 = Node_3_IP

   Notes:
   * The CN is required to be listed in the subjectAltName section for web browser compatibility.
   * If using a load balancer, the CN should be the IP/FQDN of the load balancer.
   * The certificate will be valid for any FQDN/IP that is added to the subjectAltName section. Follow your company's security policy for the SAN field, but it is advised to include the IP addresses or FQDNs for each node in the cluster.
   * For VMware Aria Operations (SaaS), only include the details for each Cloud Proxy. Example:

    [req]
    prompt = no
    distinguished_name = dn
    req_extensions = ext
    default_bits = 2048
    default_md = sha256
    encrypt_key = no

    [dn]
    CN = Cloud_Proxy_1_FQDN

    [ext]
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = Cloud_Proxy_1_FQDN
    DNS.2 = Cloud_Proxy_2_FQDN
    DNS.3 = Cloud_Proxy_3_FQDN
    DNS.4 = Cloud_Proxy_1_Shortname
    DNS.5 = Cloud_Proxy_2_Shortname
    DNS.6 = Cloud_Proxy_3_Shortname
    IP.1 = Cloud_Proxy_1_IP
    IP.2 = Cloud_Proxy_2_IP
    IP.3 = Cloud_Proxy_3_IP

5. In the examples above, replace the following with values relevant to your environment. Remove or add nodes relevant to your environment:
   * Primary_Node_FQDN
   * Node_2_FQDN
   * Node_3_FQDN
   * Cloud_Proxy_1_FQDN
   * Cloud_Proxy_2_FQDN
   * Cloud_Proxy_3_FQDN
   * Primary_Node_Shortname
   * Node_2_Shortname
   * Node_3_Shortname
   * Cloud_Proxy_1_Shortname
   * Cloud_Proxy_2_Shortname
   * Cloud_Proxy_3_Shortname
   * Primary_Node_IP
   * Node_2_IP
   * Node_3_IP
   * Cloud_Proxy_1_IP
   * Cloud_Proxy_2_IP
   * Cloud_Proxy_3_IP

6. Save and close the file:

    :wq

7. Using the vrops.cnf file, run the following command to create the CSR to send to your Certificate Authority:

    openssl req -new -subj "/" -config /cert/vrops.cnf -keyout /cert/vrops.key -out /cert/vrops.csr

8. Run the following to verify the information in the CSR is correct:

    openssl req -in /cert/vrops.csr -noout -text

   If all information is correct, send the CSR (vrops.csr) to your Certificate Authority and inform them of the details you have configured in the subjectAltName line of vrops.cnf. Once the Certificate Authority signs your CSR, they will return to you the signed cert based on this CSR and also their own root cert (along with any intermediate certs). Ensure that you download them in Base64 format if given an option.

9. To construct the PEM file to upload to VMware Aria Operations, you need to combine these files in a specific order:
   * The signed cert returned to you by the CA, based on the CSR you created.
   * The private key you generated earlier (vrops.key in the above example).
   * Intermediate certs returned by the CA (only if applicable).
   * The CA's root cert.

10. Add the files downloaded from your CA to the VMware Aria Operations Primary node's /cert directory using an SCP utility.

11. Log into the Cloud Proxy as root via SSH or Console, pressing ALT+F1 in a Console to log in.

12. To combine these files, run the cat command as follows (replacing the filenames as necessary):

    cat /cert/signed_cert.crt /cert/vrops.key /cert/cacerts.crt > /cert/multi_part.pem

    Note: If your CA also provided you with intermediate certs, the command would look similar to the following:

    cat /cert/signed_cert.crt /cert/vrops.key /cert/intermediate.crt /cert/cacerts.crt > /cert/multi_part.pem

INSTALL A NEW CERTIFICATE IN VMWARE ARIA OPERATIONS CLOUD PROXY

1. Log into the Cloud Proxy as root via SSH or Console.

2. Run the following command to import the certificate:

    cprc-cli -rc /cert/multi_part.pem

   Note: If the imported certificates already exist, a dialog will appear asking to overwrite the existing one.

The cprc-cli -rc command workflow will automatically:
* Check if the imported certificate has a valid format and contains all necessary components in the chain.
* Get the certificate and private key from the full chain and create separate .pem files which are needed by the httpd config.
* Back up the existing httpd.conf and update the httpd.conf SSL configuration with the new certificate paths.
* Restart the httpd-south service.

RELATED INFORMATION

Disclaimer: VMware Global Support does not assist in creating custom certificates for use in VMware Aria Operations. For additional support in creating a custom certificate for use in VMware Aria Operations, contact VMware Professional Services.

For steps on how to configure a certificate for use with VMware Aria Operations on-premises, see Configure a Certificate For Use With VMware Aria Operations (2046591).

TROUBLESHOOTING PEM FILE ISSUES:

* If issues are encountered applying the new certificate, the VMware Aria Operations Custom Certificate Tool can be utilized to help determine the issue: How to use the VMware Aria Operations Custom Certificate Tool (2135521)
* If an invalid certificate has been applied and functionality of VMware Aria Operations has been impacted, you can revert to the default certificate to keep the cluster functional while troubleshooting of the new certificate is ongoing by running the following command on the affected Cloud Proxies:

    cprc-cli -rc reset

* To decode each entry of the PEM file, use one of the following links:
  * https://certlogik.com/decoder/
  * https://www.sslshopper.com/certificate-decoder.html
  * https://redkestrel.co.uk/products/decoder/

Note: Paste each --BEGIN and --END portion of the PEM file into a decoder and then verify that they are in the correct order in the PEM file.

Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.

RELATED PRODUCTS:
* VMware vRealize Operations Cloud
* VMware vRealize Operations
* VMware Aria Operations

RELATED VERSIONS:
* VMware vRealize Operations 8.10.x
* VMware Aria Operations 8.12.x
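The block-order check that the troubleshooting note above describes doing by hand can be scripted locally, so the private key never has to leave the host. This is an added example, not part of the KB article and not VMware tooling; the function names and sample files are constructed for illustration, and it inspects only the BEGIN/END markers (it does not validate the certificates or confirm that the key matches the signed cert).

```sh
# Added example (not VMware code). Required order: signed cert, private key, chain.
# Print CERT, KEY or OTHER per PEM block in file order; exit 2 on unmatched markers.
pem_block_order() {
    awk '
        /^-----BEGIN / {
            if (inblk) exit 2
            inblk = 1; label = $0
            sub(/^-----BEGIN /, "", label); sub(/-----[ \t\r]*$/, "", label)
            if (label == "CERTIFICATE") print "CERT"
            else if (label ~ /PRIVATE KEY$/) print "KEY"
            else print "OTHER"
        }
        /^-----END / {
            tail = $0; sub(/^-----END /, "", tail); sub(/-----[ \t\r]*$/, "", tail)
            if (!inblk || tail != label) exit 2
            inblk = 0
        }
        END { if (inblk) exit 2 }
    ' "$1"
}

# Return 0 only for the sequence CERT, KEY, CERT [CERT ...].
check_multipart_pem() {
    [ -r "$1" ] || { echo "FAIL: cannot read $1"; return 1; }
    order=$(pem_block_order "$1") || { echo "FAIL: unmatched BEGIN/END marker"; return 1; }
    set -- $order    # one positional parameter per block label
    [ "$#" -ge 3 ] || { echo "FAIL: need cert, key and chain; found $# block(s)"; return 1; }
    [ "$1" = CERT ] || { echo "FAIL: block 1 is $1, expected the signed cert"; return 1; }
    [ "$2" = KEY ] || { echo "FAIL: block 2 is $2, expected the private key"; return 1; }
    shift 2
    for b in "$@"; do
        [ "$b" = CERT ] || { echo "FAIL: $b block found in the issuing chain"; return 1; }
    done
    echo "OK: signed cert, private key, $# chain certificate(s)"
}

# Constructed sample input: PEM blocks with placeholder bodies.
make_sample() {
    out=$1; shift
    for l in "$@"; do
        printf -- '-----BEGIN %s-----\n(placeholder)\n-----END %s-----\n' "$l" "$l"
    done > "$out"
}

tmp=$(mktemp -d)
make_sample "$tmp/good.pem" CERTIFICATE "RSA PRIVATE KEY" CERTIFICATE CERTIFICATE
make_sample "$tmp/key_first.pem" "RSA PRIVATE KEY" CERTIFICATE CERTIFICATE
check_multipart_pem "$tmp/good.pem"
check_multipart_pem "$tmp/key_first.pem" || true
```

Run `check_multipart_pem /cert/multi_part.pem` before importing; a non-zero exit means the file does not follow the cert, key, chain order shown under IMPACT / RISKS.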