VMware Cloud Community
JohnGibson
Hot Shot

vRops SSL Certs

Hi

So I've recently deployed an 8-node vROps environment, and finally got around to requesting internal CA-signed SSL certs. I got them created, converted them to PEM format and uploaded the first cert, which looked OK, then did the second node, checked it and it looked OK. I then checked the first node; that reported an error and said it had the same SSL cert as the second node.

Now I need to check, as the documentation doesn't seem to say this and I don't see anything on the web that is clear either.

For a vROps environment, is the SSL certificate the same SSL certificate for each and every node?

If so, do I need to create a single SSL cert and put a subjectAltName for each node into the cert request?

i.e. do I need to put a section like this into my openssl.cnf:

# Referenced from the [ req ] section via "req_extensions = v3_req",
# otherwise openssl req ignores it and the CSR carries no SAN.
[ v3_req ]
subjectAltName = @alt_names

# One DNS.n entry per node FQDN, one IP.n entry per node address.
[ alt_names ]
DNS.1 = vropsnode1.internal.domain
DNS.2 = vropsnode2.internal.domain
DNS.3 = vropsnode3.internal.domain
DNS.4 = vropsnode4.internal.domain
DNS.5 = vropsnode5.internal.domain
DNS.6 = vropsnode6.internal.domain
DNS.7 = vropsnode7.internal.domain
DNS.8 = vropsnode8.internal.domain
IP.1 = 192.168.1.1
IP.2 = 192.168.1.2
IP.3 = 192.168.1.3
IP.4 = 192.168.1.4
IP.5 = 192.168.1.5
IP.6 = 192.168.1.6
IP.7 = 192.168.1.7
IP.8 = 192.168.1.8

Cheers

John
1 Solution

Accepted Solutions
JohnGibson
Hot Shot

Documentation really is poor in this area, but I got this from VMware: "A single certificate will be used by the web server on all nodes, so for this to work the certificate must be valid for all nodes. One way to make this happen is with multiple Subject Alternative Name (SAN) entries." So it looks like I'm on the right track.

Which is sort of weird, but it works as that says: when you look at the self-signed SSL certs they have different names, vc-ops-slice-1, vc-ops-slice-2 etc., but when you upload an SSL cert the same cert is on all nodes.

Update: I've had an SSL cert generated with the subjectAltNames as in the example above, with FQDN and IPs for each node in the cluster, created the appropriate PEM file from this, and imported it. This works and the certificate is valid on all nodes, so that's the solution.

Also of impact is the issue that vROps registers itself to vCenter with the IP and not the FQDN. The SSL cert needs the IP, but in my case it also causes connectivity issues from browsers due to our proxy settings, so this needs to be considered if it's needed...

  • vRealize Operations Manager extension is registered using the IP address instead of DNS name
    By default, vRealize Operations Manager registers its extension with vCenter using the vRealize Operations Manager IP address and not the DNS name. Users who click to open vRealize Operations Manager from the Monitor tab in vCenter open a URL based on the vRealize Operations Manager IP address and not the DNS name.
    Workaround: To allow registration of the vRealize Operations Manager extension with the DNS name, follow these steps:
    1. On every node in the vRealize Operations Manager cluster, follow these steps:
      1. From the console, open the following file in a text editor.
        $ALIVE_BASE/user/conf/configuration.properties
      2. Add the following line to the properties.
        extensionUseDNS=true
        Note: You can return to using the IP address by changing the property to false.
      3. Save and close configuration.properties.
    2. Log in to the vRealize Operations Manager administration interface, and restart the cluster.

John

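Added example, not from this thread or from VMware: a small Python helper that writes the openssl.cnf SAN section for every node in the cluster and then checks the SAN list of an issued certificate (the text printed by `openssl x509 -noout -text`) against the node list, so a forgotten node shows up before the PEM is uploaded rather than as a name error on that node's admin UI. The node names, addresses and the sample openssl output are constructed placeholders; the IP entries are optional (the later replies in the thread report they were not needed).

```python
"""Build a subjectAltName section for a multi-node vROps certificate and
check that a certificate's SAN list covers every node.

Added example: not code from the original thread or from VMware.
Node names, addresses and the sample openssl output are constructed."""
from __future__ import annotations

import ipaddress
import re
from typing import Iterable

# Constructed example cluster (mirrors the openssl.cnf fragment in the
# question; these are not real hosts).
NODES = [f"vropsnode{i}.internal.domain" for i in range(1, 9)]
NODE_IPS = [f"192.168.1.{i}" for i in range(1, 9)]


def san_config(nodes: Iterable[str], ips: Iterable[str] = ()) -> str:
    """Return the [ v3_req ] / [ alt_names ] fragment for openssl.cnf.

    Names are lower-cased and de-duplicated so a node listed twice does
    not break the DNS.n numbering; IPs go through ipaddress so a typo
    fails here instead of producing a CSR with a bad IP SAN."""
    seen: set[str] = set()
    dns: list[str] = []
    for name in nodes:
        n = name.strip().lower().rstrip(".")
        if n and n not in seen:
            seen.add(n)
            dns.append(n)
    addrs = [str(ipaddress.ip_address(ip.strip())) for ip in ips]
    lines = ["[ v3_req ]", "subjectAltName = @alt_names", "", "[ alt_names ]"]
    lines += [f"DNS.{i} = {n}" for i, n in enumerate(dns, 1)]
    lines += [f"IP.{i} = {a}" for i, a in enumerate(addrs, 1)]
    return "\n".join(lines) + "\n"


# One SAN item as openssl prints it: "DNS:host" or "IP Address:1.2.3.4".
_SAN_ITEM = re.compile(r"(DNS|IP Address):([^,\s]+)")


def parse_san(openssl_text: str) -> tuple[set[str], set[str]]:
    """Extract DNS names and IPs from the Subject Alternative Name block
    of `openssl x509 -noout -text` output (the values sit on the line
    following the heading)."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", openssl_text)
    if not m:
        return set(), set()
    dns: set[str] = set()
    ips: set[str] = set()
    for kind, value in _SAN_ITEM.findall(m.group(1)):
        (dns if kind == "DNS" else ips).add(value.lower())
    return dns, ips


def name_matches(pattern: str, host: str) -> bool:
    """Browser-style SAN match: exact name, or a single '*' as the
    leftmost label matching exactly one host label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    labels = host.split(".")
    return len(labels) >= 2 and ".".join(labels[1:]) == pattern[2:]


def uncovered_nodes(san_dns: set[str], nodes: Iterable[str]) -> list[str]:
    """Nodes whose admin UI would still raise a certificate name error
    because no SAN entry matches their FQDN."""
    return [n for n in nodes if not any(name_matches(p, n) for p in san_dns)]


# Constructed sample of the relevant part of `openssl x509 -noout -text`
# for a certificate that was issued without node 8.
SAMPLE_X509_TEXT = """\
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:vropsnode1.internal.domain, DNS:vropsnode2.internal.domain, DNS:vropsnode3.internal.domain, DNS:vropsnode4.internal.domain, DNS:vropsnode5.internal.domain, DNS:vropsnode6.internal.domain, DNS:vropsnode7.internal.domain, IP Address:192.168.1.1
            X509v3 Basic Constraints: 
                CA:FALSE
"""

if __name__ == "__main__":
    print(san_config(NODES, NODE_IPS))
    dns_names, _ = parse_san(SAMPLE_X509_TEXT)
    missing = uncovered_nodes(dns_names, NODES)
    print("nodes not covered by the SAN list:", missing or "none")
```

Run `openssl x509 -in vrops.pem -noout -text` against the PEM you are about to upload, feed that text to `parse_san`, and an empty result from `uncovered_nodes` means every node's FQDN is covered; a non-empty list is the cert that produced the "same cert as the second node" error in the question.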
4 Replies
Zsoldier
Expert

I don't think the alternative names are necessary, since the only one producing the web UI is the master node. As long as that has the correct cert, you should be set.

Chris Nakagaki (中垣浩一)
Blog: https://tech.zsoldier.com
Twitter: @zsoldier
JohnGibson
Hot Shot

Thanks

After testing, yes, we did need to put in the Subject Alternative Names, as we are connecting to each node via the node name... The master node does replicate a single cert to each node, but I needed to use a Subject Alternative Name in the cert; it doesn't seem to need IP addresses though, although there are some issues with vROps using the IP even though it's supposed to use the FQDN in places.

John

mark_j
Virtuoso

You need the subject alt names for each node to prevent cert errors when you access the Admin UI (/admin) portals in each node. When you load the cert on the master node, it'll replicate to all other nodes within the Analytic cluster. Do not use IPs or shortname in the subject alt names for the nodes, just use the FQDNs since that's how you'll be likely referring to each node.
