Create and replace the vCloud director with self-signed certificates

-



vCloud director looks for 2 certificates within the configured keystore. One for http and the other is consoleproxy.

The below keytool create commands create a keystore with the certificate for specified alias, keystore type, keystore name, keystore password, validity, Org information and SAN field details.

Keytool location
/opt/vmware/vcloud-director/jre/bin

Step 0 : cd /opt/vmware/vcloud-director/jre/bin

 Step 1 : Command to create certificate for http : 

 ./keytool -keystore /opt/vmware/certificates.ks -alias http -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91.vCenter.local,dns:vcd91,ip:10.109.28.100"


  • Here the command creates the keystore named certificates.ks in the /opt/vmware directory 
  • The alias is http 
  • Validity of 2 years 
  • password is passwd 


Step 2 : Command to create certificate for consoleproxy : 

 ./keytool -keystore /opt/vmware/certificates.ks -alias consoleproxy -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91-con.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91-con.vCenter.local,dns:vcd91-con,ip:10.109.28.101"

  • Since the certifiates.ks already exists, it just imports the certificate but this time for consoleproxy. As you can see that the alias parameter has consoleproxy as the input 
  • the SAN field and dname would be the console IP & fqdn information 

Step 3 (Optional) : To check the certificates in the newly created keystore : 

 After the above commands, you can use the below command to check whats loaded into the keystore.

./keytool --storetype JCEKS --storepass passwd --keystore /opt/vmware/certificates.ks --list

Step 4 : Configure the cell to use the new certificates in the keystore : 
./cell-management-tool certificates -j -p -k /opt/vmware/certificates.ks -w passwd

Here,
-j :   Replace the keystore file named certificates used by the http endpoint.
-p :   Replace the keystore file named proxycertificates used by the console proxy endpoint.
-k :   Full pathname to a JCEKS keystore containing the signed certificates. Deprecated -sshort form                replaced by -k.
-w :  Password for the JCEKS keystore referenced by the --keystore option. Replaces deprecated -                  kspassword and --keystorepwd options.

 Reference article : 
https://docs.vmware.com/en/vCloud-Director/9.5/com.vmware.vcloud.admin.doc/GUID-349882AE-1864-4BCE-BECA-F9EAF785AA06.html
The certificate will look like this 



Hope this helps :) 

Comments

Post a Comment

Popular posts from this blog

vCloud director 9.7 appliance deployment step by step guide

-
Image
With the new vCloud director releasing and making it full appliance with embedded vpostgres, I though I will put up a post with the complete installation guide. There have been some challenges in the getting the deployment successful. Prerequisite : Reverse DNS proxy must be configured for the eth0 ipaddress. This is to get the correct hostname for the appliance.  The NFS share is setup for the VCD transfer directory. It is recommended to have the eth0 and eth1 in different subnets. eth0 is for the vcd cell and eth1 is for the vPostgres .The reason for the having 2 subnets is to avoid duplicate entries in the route table.  Installing vCloud director step by step guide :  I should ideally be using different submets as per the VMware documentation but since I do not have a different portgroup setup, I am going with the same subnet.  As mentioned in the prereq section, the reason for the having 2 subnets is to avoid duplicate entries in the route tab
Read more

How to Install and Uninstall Guest agent for vRA Windows machines

-
Image
Connect to the vRA appliance using the IP or hostname  Choose the appropriate setup for your Windows server  Extract the files to C:\VRMGuestAgent\ . In my case, I have already extracted it.  Before you install the guest agent download and install the IAAS manager server certificate into the windows machine  Save the file as Cert.cer  Install the Cert into the Local machine and Trusted root store Rename the cert.cer to cert.pem and move it to folder C:\VRMGuestAgent\ Now, copy the certificate file into the vRMGuestAgent Extracted folder  Open the command prompt as admin and navigate to C:\VRMGuestAgent. In this case 192.168.2.15 is my Manager server . The default port is 443.  You will see the Guest agent service in the services list. Manually start the service.  Your windows guest agent is installed :)  How to Uninstall Guest agent on windows machine  To uninsta
Read more

VM console fails to connect - vCloud director 9.7

-
Image
I deployed a new vCloud director 9.7 and the VM console fails to connect even though the certificates and URLs are updated correctly in Public Addresses. The chrome browser console (ctrl+shift+j) fails like below :  failed: Error during WebSocket handshake: Unexpected response code: 404 After reading the VMware documentation which says " For an installation with a single IP address, you can customize the console proxy address from the  vCloud Director  Web Console. For example, for the  vCloud Director  appliance, you must customize the console proxy address to  vcloud.example.com :8443 " From vCloud director 9.7, the second network (eth1) is dedicated to vpostgres database and console proxy uses (eth0) with a custom port 8443 Fix :  Update the console proxy address with custom port 8443 under vCD portal --> Administrator --> Public addresses Tadaa!  Thanks for reading. Hope it helps :) 
Read more