VMware Cloud Community
kvv
Contributor

Replace UpdateManager PKI certificate

After replacing the default VUM certificate with our own certificate, UpdateManager no longer connects to VirtualCenter.

What I did:

- Replaced the rui.* files on the VUM server in O:\Program Files\VMware\Infrastructure\Update Manager\SSL

- Replaced the file public.key (containing the VUM public key) on the VirtualCenter server in

C:\Program Files\VMware\Infrastructure\VirtualCenter Server\extensions\com.vmware.vcIntegrity

- Restarted the VC and VUM services.

However VirtualCenter comes up with the error:

"The VMware Update Manager cannot accept requests now because VirtualCenter server cannot be reached, or the database cannot be reached, or it is in the process of stopping"

The VUM Log file shows the following:

Connecting to host on port 443 using protocol https

Authenticating extension com.vmware.vcIntegrity

FormatField: Optional unset (integrity.fault.NoVcConnection.vcServer)

If the original rui.* files on VUM and public.key on VC are restored and the services restarted everything works again.

What is the correct way to replace the certificates of UpdateManager?

14 Replies
kjb007
Immortal

Those certs are from the vc server for secure communications. If you remove them, and restart VC and VUM, I believe they should be copied down from VC, as they do on ESX.

-KjB

vExpert/VCP/VCAP vmwise.com / @vmwise -KjB
kvv
Contributor

Sorry, this is not the solution. If the certificate on VUM is removed, the VUM service does not start correctly. It shows the following log information:

O:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.key: open: Could not find the file.

Error importing key: I/O error

Failed to create secure event for event prefix VMware-rdevServer-exit-event. System error: 0

Error starting Process monitor: System error 0: The operation completed successfully.; Context: Failed to create secure windows event

This confirms what I had seen earlier: the default VUM certificate is generated at VUM install time and self-signed by VMware. At install time the VUM registers its extension at the VC and uploads its public key to the VC (I have installed VC and VUM in different VMs).

It would be good if I could repeat the registration process once the certificates are updated; however, I cannot find any documentation on how this is done.

kjb007
Immortal

The VUM service is using the certificate and the private key. Are those the two files you are replacing when you create your new certificate? Also, if you are not keeping the same name as the existing files, you will have to modify at least 3 different files. From what I noticed, the certificate appears to be used for extension authentication. Is this what you are trying to modify? Just wanted to be clear on the intent.

-KjB

kvv
Contributor

It is correct that I am replacing the certificates to authenticate the VUM extension to the VC.

I have replaced the following files on the VUM server:

C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.key

C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.crt

C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.pfx

These were newly generated (and signed), with the same names as the original files.

The rui.pfx file uses the password ("testpassword") specified in the documentation for replacing the VC and ESX certificates. I am not sure this is correct but there is no other documentation.

Then I extracted the public key from the certificate (rui.crt) and put it on the VC server in:

C:\Program Files\VMware\Infrastructure\VirtualCenter Server\extensions\com.vmware.vcIntegrity\public.key

I have also imported the CA certificate in the machine certificate store (on both servers) to make sure the certificates can be validated without errors.

Finally the VC service and the VUM service were stopped and started.

kjb007
Immortal

I verified testpassword is correct in the original vc pfx file, so that looks good. I'd open an SR with vmware.

-KjB

Message was edited by: kjb007 : Removed the client cert comment

kvv
Contributor

OK, I will open an SR.

Thanks for your help.

kjb007
Immortal

No problem. Make sure to post any resolution.

-KjB

SCampbell1
Enthusiast

Was this issue resolved?

If so, how?

Thanks!!!

A13x
Hot Shot

Argh, I am having the exact same issue. Does anyone know the fix?

joshp
Enthusiast

I too am having this exact same problem. I have an open SR but no help yet from VMware tech. Was there a resolution for this post?

VCP 3, 4 www.vstable.com
Texiwill
Leadership

Hello,

Move to Update Manager forum.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMWare ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Rossignol
Contributor

Just solved the problem, but it's more or less only a workaround. To change the Update Manager certificate up to version 3.5 you can use the repair function in the Update Manager MSI package.

Change the Update Manager certificates in the Update Manager folder (default: C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL, all the rui.* files).

The certificates have to be in the same format as the ones from Virtual Center, with testpassword and so on.

Use the Repair Function under Start > Settings > Control Panel > Add Remove Programs.

Click on VMware Update Manager component and click Change.

Follow the wizard and when prompted, choose Repair.

Done...

In vSphere you have to uninstall Update Manager, because the repair function is missing (maybe this is because I use 64-bit Win 2008). The SSL folder will still be present afterwards.

Change the rui.* files.

Install Update Manager.

Done.

I think it should be possible to update the rui.* files before installing Update Manager by copying them in place before a fresh installation, even though I did not try it.

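As an added example (not code from this thread, from VMware, or from any of the posters): a POSIX shell script using the openssl CLI that builds a constructed rui.key / rui.crt / rui.pfx set in the format kvv and Rossignol describe (same file names, pfx password testpassword), derives public.key from rui.crt for the VC extensions folder, and checks that all four files carry the same public key before the VC and VUM services are restarted. The CA, host name and directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from VMware: build and check the
# rui.key / rui.crt / rui.pfx / public.key set used for VUM extension auth.
# Assumes the openssl CLI is on PATH; CA name, host name and directory are demo values.
set -u

# Create a constructed certificate set in directory $1 (demo input only).
make_demo_cert_set() {
    dir=$1
    mkdir -p "$dir"
    # Throwaway CA standing in for the customer's internal CA
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Internal CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 >/dev/null 2>&1 || return 1
    # VUM server key + CSR, then a CA-signed rui.crt (same names as the originals)
    openssl req -newkey rsa:2048 -nodes -subj "/CN=vum.example.local" \
        -keyout "$dir/rui.key" -out "$dir/rui.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$dir/rui.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/rui.crt" -days 30 >/dev/null 2>&1 || return 1
    # rui.pfx in the format the VC/ESX docs use: key + cert, password "testpassword"
    openssl pkcs12 -export -in "$dir/rui.crt" -inkey "$dir/rui.key" -name rui \
        -passout pass:testpassword -out "$dir/rui.pfx" 2>/dev/null || return 1
    # public.key for ...\extensions\com.vmware.vcIntegrity on the VC:
    # the SubjectPublicKeyInfo extracted from rui.crt
    openssl x509 -in "$dir/rui.crt" -pubkey -noout > "$dir/public.key"
}

# Return 0 only when rui.key, rui.crt, rui.pfx and public.key in $1 all carry the
# same public key and rui.pfx opens with the documented password. Run it against
# the VUM SSL folder plus the copied public.key before restarting the services.
vum_check_cert_set() {
    dir=$1
    crt_pub=$(openssl x509 -in "$dir/rui.crt" -pubkey -noout 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$dir/rui.key" -pubout 2>/dev/null) || return 1
    pfx_pub=$(openssl pkcs12 -in "$dir/rui.pfx" -passin pass:testpassword -nokeys \
                  -clcerts 2>/dev/null | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    vc_pub=$(cat "$dir/public.key" 2>/dev/null) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ] \
        && [ "$crt_pub" = "$pfx_pub" ] && [ "$crt_pub" = "$vc_pub" ]
}
```

Usage: `make_demo_cert_set /tmp/vum-demo && vum_check_cert_set /tmp/vum-demo` builds and validates the demo set; on a real VUM server run only `vum_check_cert_set` against a folder holding the four files.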
touimet
Enthusiast

The above steps did not fully resolve the issue on a vCenter 4.1 / VUM 4.1 install. I opened an SR with VMware and received the following, which successfully resolved the issue.

Here are the steps to import your custom SSL keys into the Update Manager keystore and then re-register the extension with VC.

1. On the Windows machine where Update Manager is installed, import the certificates into vmware-vum.keystore.

Open a command prompt and navigate to the Update Manager installation directory.

To import certificates, run a command with the following syntax:

vciInstallUtils.exe -v -S "c:\Program Files\VMware\Infrastructure\Update Manager\extension.xml" -C "c:\Program Files\VMware\Infrastructure\Update Manager" -L "c:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs" --op extupdate

geirsjo
Contributor

Hi touimet, and thank you for posting this :) It saved me a call to VMware support...

/gekken
