Skip navigation
VMware
Up to Discussions in Update Manager

This Question is Possibly Answered

1 "correct" answer available (10 pts) 2 "helpful" answers available (6 pts)
2,237 Views 14 Replies Last post: Oct 4, 2010 10:44 AM by geirsjo RSS
kvv Novice
kvv
9 posts since
Feb 25, 2006
Currently Being Moderated

May 8, 2008 6:23 AM

Replace UpdateManager PKI certificate

After replacing the default VUM certificate with our own certificate, UpdateManager no longer connects to VirtualCenter.

 

What I did:

- Replaced the rui.* files on the VUM server in O:\Program Files\VMware\Infrastructure\Update Manager\SSL

- Replaced the file public.key (containing the VUM public key) on the VirtualCenter server in

C:\Program Files\VMware\Infrastructure\VirtualCenter Server\extensions\com.vmware.vcIntegrity

- Restarted the VC and VUM services.

 

However VirtualCenter comes up with the error:

"The VMware Update Manager cannot accept requests now because VirtualCenter server  cannot be reached, or the database cannot be reached, or it is in the process of stopping"

 

The VUM Log file shows the following:

Replace UpdateManager PKI certificate Connecting to host  on port 443 using protocol https

 

Replace UpdateManager PKI certificate Authenticating extension com.vmware.vcIntegrity

Replace UpdateManager PKI certificate FormatField: Optional unset (integrity.fault.NoVcConnection.vcServer)

 

 

If the original rui.* files on VUM and public.key on VC are restored and the services restarted everything works again.

 

What is the correct way to replace the certificates of UpdateManager?

kjb007 Guru vExpert
kjb007
6,682 posts since
Sep 18, 2006
Currently Being Moderated
1. May 8, 2008 11:15 AM in response to: kvv
Re: Replace UpdateManager PKI certificate

 

Those certs are from the vc server for secure communications.  If you remove them, and restart VC and VUM, I believe they should be copied down from VC, as they do on ESX.

 

 

 

 

 

-KjB

 

 

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
kvv Novice
kvv
9 posts since
Feb 25, 2006
Currently Being Moderated
2. May 9, 2008 12:36 AM in response to: kjb007
Re: Replace UpdateManager PKI certificate

Sorry, this is not the solution. If the certificate on VUM is removed the VUM service does not start correctly. It shows the following log information:

 

Re: Replace UpdateManager PKI certificate  Re: Replace UpdateManager PKI certificate O:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.key: open: Could not find the file.

 

Re: Replace UpdateManager PKI certificate  Re: Replace UpdateManager PKI certificate Error importing key: I/O error

Re: Replace UpdateManager PKI certificate  Re: Replace UpdateManager PKI certificate Failed to create secure event for event prefix VMware-rdevServer-exit-event. System error: 0

Re: Replace UpdateManager PKI certificate  Re: Replace UpdateManager PKI certificate Error starting Process monitor: System error 0: The operation completed successfully.; Context: Failed to create secure windows event

 

This confirms what I had seen earlier: the default VUM certificate is generated at VUM install time and self-signed by VMware. At install time the VUM registers its extension at the VC and uploads its public key to the VC (I have installed VC and VUM in different VMs).

It would be good if I could repeat the registration process once the certificates are updated, however I cannot find any documentation how this is done.

kjb007 Guru vExpert
kjb007
6,682 posts since
Sep 18, 2006
Currently Being Moderated
3. May 9, 2008 5:51 AM in response to: kvv
Re: Replace UpdateManager PKI certificate

 

The VUM service is using the certificate and the private key.  Are those the two files you are replacing when you create your new certificate?  Also, if you are not keeping the same name as the existing files, you will have to modify at least 3 different files.  From what I noticed, the certificate appears to be used for extension authentication.  Is this what you are trying to modify?  Just wanted to be clear on the intent.

 

 

 

 

 

-KjB

 

 

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
kvv Novice
kvv
9 posts since
Feb 25, 2006
Currently Being Moderated
4. May 12, 2008 8:58 AM in response to: kjb007
Re: Replace UpdateManager PKI certificate

It is correct that I am replacing the certificates to authenticate the VUM extension to the VC.

 

I have replaced the following files on the VUM server:

C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.key

C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.crt

C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.pfx

These were newly generated (and signed), with the same names as the original files.

The rui.pfx file uses the password ("testpassword") specified in the documentation for replacing the VC and ESX certificates. I am not sure this is correct but there is no other documentation.

 

Then I have extracted the public key from the certificate (rui.crt) and put in on the VC server in:

C:\Program Files\VMware\Infrastructure\VirtualCenter Server\extensions\com.vmware.vcIntegrity\public.key

 

I have also imported the CA certificate in the machine certificate store (on both servers) to make sure the certificates can be validated without errors.

Finally the VC service and the VUM service were stopped and started.

kjb007 Guru vExpert
kjb007
6,682 posts since
Sep 18, 2006
Currently Being Moderated
5. May 12, 2008 12:57 PM in response to: kvv
Re: Replace UpdateManager PKI certificate

I verified testpassword is correct in the original vc pfx file, so that looks good. I'd open an SR with vmware.

 

 

 

 

 

-KjB

 

Message was edited by: kjb007 : Removed the client cert comment

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
kvv Novice
kvv
9 posts since
Feb 25, 2006
Currently Being Moderated
6. May 12, 2008 12:57 PM in response to: kjb007
Re: Replace UpdateManager PKI certificate

OK,

I will open an SR

Thanks for your help

kjb007 Guru vExpert
kjb007
6,682 posts since
Sep 18, 2006
Currently Being Moderated
7. May 12, 2008 1:00 PM in response to: kvv
Re: Replace UpdateManager PKI certificate

 

No problem.  Make sure to post any resolution.

 

 

 

 

 

-KjB

 

 

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
SCampbell Enthusiast
SCampbell
124 posts since
Apr 18, 2005
Currently Being Moderated
8. Oct 14, 2008 9:01 AM in response to: kjb007
Re: Replace UpdateManager PKI certificate

 

Was this issue resolved?

 

 

If so, how?

 

 

Thanks!!!

 

 

 

 

 

A13x Enthusiast
A13x
116 posts since
Jan 2, 2007
Currently Being Moderated
9. May 6, 2009 1:32 PM in response to: SCampbell
Re: Replace UpdateManager PKI certificate

argh i am having the exact same issue, does anyone know the fix?

joshp Hot Shot
joshp
122 posts since
Sep 30, 2005
Currently Being Moderated
10. Aug 30, 2009 6:11 PM in response to: kvv
Re: Replace UpdateManager PKI certificate

I too am having this exact same problem.  I have an open SR but no help yet from VMware tech.  Was there a resolution for this post?

VCP 3, 4 www.vstable.com
Texiwill Guru User Moderators vExpert
Texiwill
11,345 posts since
Jan 13, 2004
Currently Being Moderated
11. Sep 20, 2009 1:36 PM in response to: joshp
Re: Replace UpdateManager PKI certificate

Hello,

 

Move to Update Manager forum.

 


Best regards,

Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, url=http://www.virtualizationpractice.comVirtualization Practice Analyst[/url]
Now Available: url=http://www.astroarch.com/wiki/index.php/VMware_Virtual_Infrastructure_Security'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'[/url]
Also available url=http://www.astroarch.com/wiki/index.php/VMWare_ESX_Server_in_the_Enterprise'VMWare ESX Server in the Enterprise'[/url]
[url=http://www.astroarch.com/wiki/index.php/Blog_Roll]SearchVMware Pro[/url]|url=http://www.astroarch.com/blogBlue Gears[/url]|url=http://www.astroarch.com/wiki/index.php/Top_Virtualization_Security_LinksTop Virtualization Security Links[/url]|url=http://www.astroarch.com/wiki/index.php/Virtualization_Security_Round_Table_PodcastVirtualization Security Round Table Podcast[/url]

Rossignol Lurker
Rossignol
2 posts since
Jul 17, 2009
Currently Being Moderated
12. Oct 19, 2009 8:02 AM in response to: Texiwill
Re: Replace UpdateManager PKI certificate

 

Just solved the Problem, but it's more or less only a workaround. To change the Update Manager Certificate up to Version 3.5 you can use the repair Function in the Update Manager MSI Package.

 

 

Change the Update Manager Certificates  in Update Manager Folder: Default: C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL (all the rui.* files ).

 

 

The Certificates have to be the same format like the ones from Virtual Center with testpassword and so on.

 

 

Use the Repair Function under  Start > Settings > Control Panel > Add Remove Programs.

 

 

Click on VMware Update Manager component and click Change.

 

 

Follow the wizard and when prompted, choose Repair.

 

 

Done...

 

 

In Vsphere you have to uninstall the Update Manager...because of missing repair function (Maybe that this is because i use 64 Bit Win 2008) The SSL Folder will be present afterwards...

 

 

change the rui.* files

 

 

Install Update Manager...

 

 

Done

 

 

I think it should be possible to update the rui.* files before installing the Update Manager by copying them in place before a fresh installation. Even if i did not try it.

 

 

touimet Enthusiast
touimet
61 posts since
Feb 21, 2006
Currently Being Moderated
13. Sep 15, 2010 2:21 PM in response to: Rossignol
Re: Replace UpdateManager PKI certificate

The above steps did not fully resolve the issue on a vCenter4.1 / VUM 4.1 install.  I opened a SR with VMware and received the following that successfully resolved the issue.

 

Here are the steps to import your custom SSL keys into the Update Manager keystore and then re-register the extension with VC

 

1. On the Windows machine where Update Manager is installed, import the certificates into vmware-vum.keystore.

 

Open a command prompt and navigate to the Update Manager installation directory.

To import certificates, run a command with the following syntax:

 

vciInstallUtils.exe -v  -S "c:\Program Files\VMware\Infrastructure\Update Manager\extension.xml"  -C "c:\Program Files\VMware\Infrastructure\Update Manager" -L "c:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs" --op extupdate

geirsjo Novice
geirsjo
23 posts since
Apr 6, 2010
Currently Being Moderated
14. Oct 4, 2010 10:44 AM in response to: touimet
Re: Replace UpdateManager PKI certificate

Hi touimet and thank you for posting this , saved me for a call to Vmware support...

 

 

/gekken

Bookmarked By (0)

Share This Page

Communities