VMware Cloud Community
Rok_P
Contributor

LDAP SSL for vRealize Operations

Hi,

I would like to configure a secure LDAP connection, but when SSL is checked I get:
Test unsuccessful for ldap: dc01.<domain> Reason: Certificate is missing or invalid. Importing CA certificate may resolve the issue.
Test unsuccessful for ldap: dc02.<domain> Reason: Certificate is missing or invalid. Importing CA certificate may resolve the issue.
Test unsuccessful for ldap: dc03.<domain> Host Unreachable. Reason: SocketTimeoutException: connect timed out

LDAP without SSL is working.

The manual says: You do not need to install the SSL/TLS certificate. Instead, vRealize Operations prompts you to view and verify the thumbprint, and accept the LDAP server certificate - but this never happens.
https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.config.doc/GUID-B978F4AB-91D8-499...

I have configured HTTPS and hoped that once the root certificate from the signing CA is in the keystore it would help, but the issue is still present. I have not found any way to import a CA certificate using the GUI or in an SSH session. Can you please advise how to proceed?

Regards

Lalegre
Virtuoso

@Rok_P,

I believe this issue is related to the Domain Controllers not having the proper LDAPS configuration set, and dc03 is actually failing to connect. You need to check that your certificate includes the domain controllers in it.

ramajay12345
Enthusiast

Hello,

Please follow the articles below; I hope this will help. Thanks.

https://thesleepyadmins.com/2021/02/14/install-and-configure-vrealize-operations-manager-8-2-part-3-...

https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-5B5BC860-128C-4A87-....

Regards,
Jayendra 

Note: I have recently started my blog; please review and give your feedback so that I can improve.
Link: https://www.vrealizeworld.net/
Rok_P
Contributor

Hi,

The issue is when "auto" is used for the host; if I choose a server from the dropdown, it offers to let me accept the cert. But with manual selection you are connected to only one DC, so what happens if this DC does not work? How can it connect to a second DC, do I need to add an additional source? Why does it need the server cert and not the root cert, which has a longer lifetime? What happens when the server cert expires?

Regards, Rok

Lalegre
Virtuoso

@Rok_P,

Does this manual selection work with all the DCs?

Rok_P
Contributor

Hi,

It does not work for dc3 - I will need to review, but the whole concept is strange, based on my last post.

Regards

Lalegre
Virtuoso

@Rok_P,

As mentioned before by @ramajay12345, follow the steps here: https://docs.vmware.com/en/vRealize-Operations/8.6/com.vmware.vcom.core.doc/GUID-5B5BC860-128C-4A87-...

If you check Step 10, it mentions importing the SSL certificate, and that the PEM certificate can be modified to contain not only the ROOT but each of the DCs. Essentially, if you are load-balancing LDAPS authentication it should work automatically.

FredGSanford
Enthusiast

Do you have the .pem CA chain certs that vROps and the DC use imported into Certificates? That way it will auto-accept certs when the DC changes, or for any other adapters that use the same chain.

E.g. vROps has a cluster cert for https://vrops.local.net

local.net CA chain:
- root CA
- intermediate CA
- issuing CA

Import the root, intermediate and issuing CA .pem certs.

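Two checks from this thread in one script, as an added example (not vROps code and not any poster's code): whether the DC certificate actually names every DC vROps will contact, as Lalegre asked, and assembling the root + intermediate + issuing CA PEMs into the single bundle FredGSanford describes importing. Hostnames, SAN entries and the PEM blocks are constructed placeholders; `fetch_san_dns` is the only part that touches a live DC.

```python
"""Check that a DC's LDAPS certificate names every DC vROps will contact, and
build the CA chain PEM (root + intermediate + issuing) to import under
Administration > Certificates. Added example; constructed data, not vROps code."""
import re
import socket
import ssl

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def split_pem_bundle(text: str) -> list[str]:
    """Return every PEM certificate block in a file's text, in file order."""
    return PEM_BLOCK.findall(text)

def build_ca_chain(*pem_texts: str) -> str:
    """Concatenate the CA PEMs (root, intermediate, issuing) into one bundle."""
    return "\n".join(b for t in pem_texts for b in split_pem_bundle(t)) + "\n"

def hostname_matches(hostname: str, san_dns: list[str]) -> bool:
    """TLS-style name match: exact, or a single-label wildcard like *.corp.example."""
    host = hostname.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in san_dns):
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False

def dcs_missing_from_cert(dcs: list[str], san_dns: list[str]) -> list[str]:
    """DCs whose name is absent from the cert; vROps would reject these."""
    return [dc for dc in dcs if not hostname_matches(dc, san_dns)]

def fetch_san_dns(host: str, port: int = 636, cafile=None) -> list[str]:
    """Connect over LDAPS, verify the chain against cafile, return the DNS SANs.
    Raises ssl.SSLCertVerificationError when the chain or hostname does not verify."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed sample: SANs as they might appear on dc01's certificate, and the
# DCs vROps is configured with. dc03.branch... is outside the wildcard's label.
SAMPLE_SAN = ["dc01.corp.example", "dc02.corp.example", "*.corp.example"]
SAMPLE_DCS = ["dc01.corp.example", "dc03.corp.example", "dc03.branch.corp.example"]
# Constructed placeholder PEM blocks, not real certificates, one per CA tier.
FAKE_PEM = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----\n"
SAMPLE_CHAIN = build_ca_chain(FAKE_PEM.format("ROOT-PLACEHOLDER"),
                              FAKE_PEM.format("INTERMEDIATE-PLACEHOLDER"),
                              FAKE_PEM.format("ISSUING-PLACEHOLDER"))
```

Run `fetch_san_dns("dc01.<domain>", cafile="chain.pem")` against each DC with the bundle written from `SAMPLE_CHAIN`'s real equivalent; a `SSLCertVerificationError` or a non-empty `dcs_missing_from_cert` result explains the "Certificate is missing or invalid" message before anything is imported into vROps.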
ramajay12345
Enthusiast

Hi.

- Apologies for the delay in response.

- Based on my experience, we can add a DC, and if the DC is not working then we need to manually update the new DC details, accept the thumbprint and save.

- Suggestion: I would suggest enabling VIDM authentication.

Jayendra
ramajay12345
Enthusiast

Hi,

Blog: https://thesleepyadmins.com/2021/02/14/install-and-configure-vrealize-operations-manager-8-2-part-3-...

Once you accept the thumbprint, the certificate automatically appears in the Administration / Certificates section.

We don't need to import the certificate manually.

Jayendra