I have installed Log Insight on a number of customer sites since VMware released it with vCenter (25 OSI pack). If you did not know this, go ahead and install Log Insight for free. It is a great addition to your troubleshooting toolbox. It also gets syslogs away from your vCenter, if that is not already the case.
You can set up LI to do AD authentication very easily, but you do not want that to happen over a self-signed SSL certificate, since anyone can catch your login credentials. The obvious solution would be to install an SSL certificate from your own approved PKI infrastructure, but wait, that is not possible with the free version!
This is the message you get on the web interface when going to the SSL tab:
Log Insight is currently operating with a license that does not allow using custom SSl certificates.
In order to enable this functionality, you will need to purchase a full-feature license for Log Insight.
Please contact you VMware Account Manager or purchase directly from VMware.
?? WHAT !! Log Insight is running on a Linux open source platform on TOMCAT, and you want us to pay for the ability to change the SSL certificate? I cannot in my wildest dreams imagine who came up with that idea.
Here is my silent protest against this. VMware, this is ludicrous! You want your products to be safe, not to have them make the customer network insecure!
I will probably get in trouble for what I am about to post, but I chose to interpret VMware's license statement in the sense that you are paying to use the web interface to change the SSL certificate. I refuse to believe that they are charging you money to use open source tools, on an open source platform, to tighten security on a product that would otherwise be insecure. I got a statement from VMware when asking about this. They responded that "requiring a cost for SSL certificates is a common practice and not specific to VMware".
So here goes. These are the steps to change the certificate the free and manual way:
This guide is based on the script found on the Log Insight Appliance: /opt/vmware/bin/li-ssl-cert.sh
WARNING: Everything you read here is used at your own risk, and I will take no responsibility if it breaks your environment, or for any other misfortune it may bring you. I am pretty sure that VMware Support will not be able to help you, and you might be in violation of license policy. In other words, I am covered in Teflon.
All commands are run using PuTTY on the Log Insight (LI) appliance, logged in as user root, and require you to know how to get around in Linux and change files.
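# Name of the newest bundled Tomcat directory
TOMCAT=$(basename "$(ls -td /usr/lib/loginsight/application/3rd_party/apache-tomcat-* | head -n 1)")
# Install the new PEM file as Tomcat's custom certificate
cp /root/newCert.pem "/usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom.pem"
# Remove the in-progress flag file; the variable must already hold its path
rm -f "$SSL_API_SCRIPT_IN_PROGRESS_FLAG"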
You are done!
In reality moving the certificate chain to the appliance, and running the last commands is what you are paying 6000$ for.
If it doesn't work, revert to the snapshot and try again. Otherwise give up, or pay for a license to use the web interface to do it.
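A pre-flight check that can be run on the appliance before the cp step above (an added example, not part of the original post and not taken from li-ssl-cert.sh). It assumes /root/newCert.pem is a single PEM bundle holding the unencrypted private key plus the certificate chain; the function name check_pem_bundle and the 30-day expiry threshold are illustrative choices.

```shell
#!/bin/sh
# Added example: sanity-check a PEM bundle before copying it to conf/custom.pem.
# Assumption: one file holds the unencrypted private key plus the certificate
# chain. check_pem_bundle and the 30-day default are illustrative choices.
# Exit codes: 0 ok, 1 unreadable, 2 no key, 3 no cert, 4 key/cert mismatch,
# 5 certificate expires too soon.

check_pem_bundle() {
    pem="$1"
    min_days="${2:-30}"

    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 1; }

    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "no private key block in $pem" >&2; return 2; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate block in $pem" >&2; return 3; }

    # openssl x509 reads the first certificate in the file (by convention the
    # server certificate); its public key has to equal the private key's.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match the first certificate" >&2
        return 4
    fi

    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend "$((min_days * 86400))" >/dev/null; then
        echo "certificate expires within $min_days days" >&2
        return 5
    fi

    # Print identity details to compare with what the browser shows afterwards.
    openssl x509 -in "$pem" -noout -subject -enddate -fingerprint -sha256
}

# Run the check when a file is given, e.g.: sh check_pem.sh /root/newCert.pem
if [ "$#" -gt 0 ]; then
    check_pem_bundle "$@"
fi
```

A non-zero exit code means the file should not be copied into the Tomcat conf directory until the reported problem is fixed.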
Log Insight for vCenter is not exactly free as they added $1000 to the cost of vCenter. Since not much else changed with vCenter assume that you are paying $1000 for Log Insight. $1000/25 = $40 per OSI.
MattG -- it is free. vCenter 5 customers also get LI and did not pay more. The price increase is a standard price increase for vSphere and has nothing to do with LI.
4.0 of Log Insight using a vCenter product key allows you to upload a custom cert via the website. No more breaking the EULA by using the CLI
/opt/vmware/bin/./li-ssl-cert.sh --upload /tmp/mycert.pem --force
li-ssl-cert.sh is still handy if you need to rollback.