After replacing the default VUM certificate with our own certificate, UpdateManager no longer connects to VirtualCenter.
What I did:
- Replaced the rui.* files on the VUM server in O:\Program Files\VMware\Infrastructure\Update Manager\SSL
- Replaced the file public.key (containing the VUM public key) on the VirtualCenter server in
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\extensions\com.vmware.vcIntegrity
- Restarted the VC and VUM services.
However VirtualCenter comes up with the error:
"The VMware Update Manager cannot accept requests now because VirtualCenter server cannot be reached, or the database cannot be reached, or it is in the process of stopping"
The VUM Log file shows the following:
If the original rui.* files on VUM and public.key on VC are restored and the services restarted everything works again.
What is the correct way to replace the certificates of UpdateManager?
Those certs are from the vc server for secure communications. If you remove them, and restart VC and VUM, I believe they should be copied down from VC, as they do on ESX.
Sorry, this is not the solution. If the certificate on VUM is removed, the VUM service does not start correctly. It shows the following log information:
This confirms what I had seen earlier: the default VUM certificate is generated at VUM install time and self-signed by VMware. At install time the VUM registers its extension at the VC and uploads its public key to the VC (I have installed VC and VUM in different VMs).
It would be good if I could repeat the registration process once the certificates are updated, however I cannot find any documentation how this is done.
The VUM service is using the certificate and the private key. Are those the two files you are replacing when you create your new certificate? Also, if you are not keeping the same name as the existing files, you will have to modify at least 3 different files. From what I noticed, the certificate appears to be used for extension authentication. Is this what you are trying to modify? Just wanted to be clear on the intent.
It is correct that I am replacing the certificates to authenticate the VUM extension to the VC.
I have replaced the following files on the VUM server:
C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.key
C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.crt
C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.pfx
These were newly generated (and signed), with the same names as the original files.
The rui.pfx file uses the password ("testpassword") specified in the documentation for replacing the VC and ESX certificates. I am not sure this is correct but there is no other documentation.
Then I have extracted the public key from the certificate (rui.crt) and put in on the VC server in:
C:\Program Files\VMware\Infrastructure\VirtualCenter Server\extensions\com.vmware.vcIntegrity\public.key
I have also imported the CA certificate in the machine certificate store (on both servers) to make sure the certificates can be validated without errors.
Finally the VC service and the VUM service were stopped and started.
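A quick consistency check of the staged files before the services are restarted, as an added example (not from the thread or from VMware): it assumes openssl is available and verifies that rui.key belongs to rui.crt, that rui.pfx opens with the export password and contains the same certificate, and that the public.key copied to the VC extensions folder equals the certificate's public key. The demo_check helper and the self-signed certificate it generates are constructed for the example and stand in for the real VUM files.

```shell
#!/bin/sh
# Consistency check for a staged VUM certificate swap (added example, assumes openssl):
#  - rui.key is the private key belonging to rui.crt
#  - rui.pfx opens with the export password (the thread uses "testpassword") and holds the same cert
#  - public.key, the file copied to the VC extensions directory, equals rui.crt's public key
set -u

# Returns 0 when all four files agree; prints which relationship is broken otherwise.
check_vum_cert_set() {
  crt=$1 key=$2 pfx=$3 pub=$4 pfxpass=$5 rc=0
  crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  # 1. key <-> cert: both must yield the same public key
  [ "$crt_pub" = "$key_pub" ] || { echo "rui.key does not match rui.crt"; rc=1; }
  # 2. pfx <-> cert: extract the leaf cert with the password and compare SHA-1 fingerprints
  pfx_fp=$(openssl pkcs12 -in "$pfx" -passin "pass:$pfxpass" -nokeys -clcerts 2>/dev/null |
           openssl x509 -noout -fingerprint -sha1 2>/dev/null) ||
    { echo "rui.pfx: wrong password or unreadable"; rc=1; }
  crt_fp=$(openssl x509 -in "$crt" -noout -fingerprint -sha1 2>/dev/null)
  [ "${pfx_fp:-}" = "$crt_fp" ] || { echo "rui.pfx certificate differs from rui.crt"; rc=1; }
  # 3. public.key <-> cert: the VC-side copy must be the cert's public key, byte for byte
  [ "$(cat "$pub")" = "$crt_pub" ] || { echo "public.key does not match rui.crt"; rc=1; }
  return $rc
}

# Demo on a constructed, throwaway cert set (not real VUM files): generates a self-signed
# rui.crt/rui.key, exports rui.pfx with "testpassword", derives public.key, then runs the
# check with the password given as $1. Returns 0 for the right password, 1 otherwise.
demo_check() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/rui.key" -out "$d/rui.crt" \
    -subj "/CN=vum.example.test" -days 1 >/dev/null 2>&1
  openssl pkcs12 -export -in "$d/rui.crt" -inkey "$d/rui.key" -out "$d/rui.pfx" \
    -passout pass:testpassword
  openssl x509 -in "$d/rui.crt" -noout -pubkey > "$d/public.key"
  if check_vum_cert_set "$d/rui.crt" "$d/rui.key" "$d/rui.pfx" "$d/public.key" "$1"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$d"
  return $rc
}
```

Point check_vum_cert_set at the real rui.crt, rui.key, rui.pfx and the copied public.key to confirm the set is consistent before restarting VC and VUM.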
I verified testpassword is correct in the original vc pfx file, so that looks good. I'd open an SR with vmware.
Move to Update Manager forum.
Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Just solved the problem, but it's more or less only a workaround. To change the Update Manager certificate up to version 3.5 you can use the repair function in the Update Manager MSI package.
Change the Update Manager certificates in the Update Manager folder (default: C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL, all the rui.* files).
The certificates have to be in the same format as the ones from Virtual Center, with testpassword and so on.
Use the Repair Function under Start > Settings > Control Panel > Add Remove Programs.
Click on VMware Update Manager component and click Change.
Follow the wizard and when prompted, choose Repair.
In vSphere you have to uninstall the Update Manager, because of the missing repair function (maybe this is because I use 64-bit Windows 2008). The SSL folder will be present afterwards...
Change the rui.* files.
Install Update Manager...
I think it should be possible to update the rui.* files before installing the Update Manager by copying them in place before a fresh installation, even if I did not try it.
The above steps did not fully resolve the issue on a vCenter 4.1 / VUM 4.1 install. I opened an SR with VMware and received the following, which successfully resolved the issue.
Here are the steps to import your custom SSL keys into the Update Manager keystore and then re-register the extension with VC:
1. On the Windows machine where Update Manager is installed, import the certificates into vmware-vum.keystore.
Open a command prompt and navigate to the Update Manager installation directory.
To import certificates, run a command with the following syntax:
vciInstallUtils.exe -v -S "c:\Program Files\VMware\Infrastructure\Update Manager\extension.xml" -C "c:\Program Files\VMware\Infrastructure\Update Manager" -L "c:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs" --op extupdate