Create and replace the vCloud director with self-signed certificates

-



vCloud director looks for 2 certificates within the configured keystore. One for http and the other is consoleproxy.

The below keytool create commands create a keystore with the certificate for specified alias, keystore type, keystore name, keystore password, validity, Org information and SAN field details.

Keytool location
/opt/vmware/vcloud-director/jre/bin

Step 0 : cd /opt/vmware/vcloud-director/jre/bin

 Step 1 : Command to create certificate for http : 

 ./keytool -keystore /opt/vmware/certificates.ks -alias http -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91.vCenter.local,dns:vcd91,ip:10.109.28.100"


  • Here the command creates the keystore named certificates.ks in the /opt/vmware directory 
  • The alias is http 
  • Validity of 2 years 
  • password is passwd 


Step 2 : Command to create certificate for consoleproxy : 

 ./keytool -keystore /opt/vmware/certificates.ks -alias consoleproxy -storepass passwd -keypass passwd -storetype JCEKS -genkeypair -keyalg RSA -keysize 2048 -validity 730 -dname "CN=vcd91-con.vCloud.local, OU=GSS, O=VMware, L=Bengaluru, S=Karnataka, C=IN" -ext "san=dns:vcd91-con.vCenter.local,dns:vcd91-con,ip:10.109.28.101"

  • Since the certifiates.ks already exists, it just imports the certificate but this time for consoleproxy. As you can see that the alias parameter has consoleproxy as the input 
  • the SAN field and dname would be the console IP & fqdn information 

Step 3 (Optional) : To check the certificates in the newly created keystore : 

 After the above commands, you can use the below command to check whats loaded into the keystore.

./keytool --storetype JCEKS --storepass passwd --keystore /opt/vmware/certificates.ks --list

Step 4 : Configure the cell to use the new certificates in the keystore : 
./cell-management-tool certificates -j -p -k /opt/vmware/certificates.ks -w passwd

Here,
-j :   Replace the keystore file named certificates used by the http endpoint.
-p :   Replace the keystore file named proxycertificates used by the console proxy endpoint.
-k :   Full pathname to a JCEKS keystore containing the signed certificates. Deprecated -sshort form                replaced by -k.
-w :  Password for the JCEKS keystore referenced by the --keystore option. Replaces deprecated -                  kspassword and --keystorepwd options.

 Reference article : 
https://docs.vmware.com/en/vCloud-Director/9.5/com.vmware.vcloud.admin.doc/GUID-349882AE-1864-4BCE-BECA-F9EAF785AA06.html
The certificate will look like this 



Hope this helps :) 

Comments

Post a Comment

Popular posts from this blog

vCloud director 9.7 appliance deployment step by step guide

-
Image
With the new vCloud director releasing and making it full appliance with embedded vpostgres, I though I will put up a post with the complete installation guide. There have been some challenges in the getting the deployment successful.

Prerequisite :
Reverse DNS proxy must be configured for the eth0 ipaddress. This is to get the correct hostname for the appliance. The NFS share is setup for the VCD transfer directory.It is recommended to have the eth0 and eth1 in different subnets. eth0 is for the vcd cell and eth1 is for the vPostgres .The reason for the having 2 subnets is to avoid duplicate entries in the route table. 
Installing vCloud director step by step guide






I should ideally be using different submets as per the VMware documentation but since I do not have a different portgroup setup, I am going with the same subnet. As mentioned in the prereq section, the reason for the having 2 subnets is to avoid duplicate entries in the route table


Here we come to the main section. The NTP …
Read more

How to Install and Uninstall Guest agent for vRA Windows machines

-
Image
Connect to the vRA appliance using the IP or hostname 




Choose the appropriate setup for your Windows server 


Extract the files to C:\VRMGuestAgent\ . In my case, I have already extracted it. 


Before you install the guest agent download and install the IAAS manager server certificate into the windows machine 



Save the file as Cert.cer 



Install the Cert into the Local machine and Trusted root store



Rename the cert.cer to cert.pem and move it to folder C:\VRMGuestAgent\


Now, copy the certificate file into the vRMGuestAgent Extracted folder 


Open the command prompt as admin and navigate to C:\VRMGuestAgent. In this case 192.168.2.15 is my Manager server . The default port is 443. 


You will see the Guest agent service in the services list. Manually start the service. 




Your windows guest agent is installed :) 

How to Uninstall Guest agent on windows machine 
To uninstall the service 
Stop the VCACGuestAgentService  Run the below command through Command Prompt as Admin   WinService…
Read more

Unable to change Provider VDC virtual hardware support beyond version 10

-
Image
My environment:

vCloud Director 9.1.0.3 and ESXi 6.5.0.

 This could happen regardless of what vCloud director and ESXi version you are on.




Provider VDC config: 


ESXi Version : 



So ideally I should be able to see the hardware version 13 in the vCloud director but I see only till version 10


Why does this happen : 

It’s most likely a user error depending on how vCenter is set up and what vCenter has reported to VCD as far as available HW versions

How to fix ? 

 From vCenter FLEX UI, go to Datacenter, right click and select 'Edit Default VM Compatibility' and there select 'ESX 6.5 and later' (This config depends on your environment)
Then go to the cluster and right click and select 'Edit Default VM Compatibility' and there the value selected would be 'Use datacenter setting and host version'. This setting would take it from datacenter setting done above.

From the vCloud director , perform and refresh of the vCenter and try to create the Provider VDC and check the…
Read more