Burke-
VMware Employee
VMware Employee

CA Signed SSL Cert for LCM Appliance?

Jump to solution

Author :

URL : http:////docs.vmware.com/en/vRealize-Suite/2017/com.vmware.vrsuite.lcm.13.doc/GUID-835899B3-8E2D-45E...

Topic Name : Install Upgrades to vRealize Suite Lifecycle Manager from an ISO File

Publication Name : vRealize Suite Lifecycle Manager 1.3 Installation, Upgrade, and Management

Product/Version : vRealize Suite/2017

Question :

How is it that we are three releases into a product and there is not an obvious way, or apparent documentation, to provide a CA signed SSL certificate for the LCM appliance? this should be available as part of the OVF deploy so it is set from the beginning or it should be available in the Settings page - See LogInsight for one of the best VMW product SSL install options. At the very least, the method for doing this SHOULD be documented in the "Configuring vRealize Suite Lifecycle Manager Common Settings" section of the official online docs.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter
Tags (1)
1 Solution

Accepted Solutions
Burke-
VMware Employee
VMware Employee

Update and resolution:

This behavior is being caused by the presence of the following file (apparently new in version 1.3):

/etc/init.d/vlcm-certgen <-- each time the appliance boots, a cert is generated, overwriting any custom certs that had been placed in /opt/vmware/vlcm/cert

So quick resolution is:

  • delete or move the /etc/init.d/vlcm-certgen (I simply moved it to /root)
  • Replace the server.crt and server.key files in /opt/vmware/vlcm/cert folder with those generated by your CA
  • Restart the the services: systemctl restart vlcm-xserver (or reboot the appliance)
  • Start a new Browser session and visit your LCM 1.3+ server, you should see that your custom SSL cert is now being used

Thanks to the quick responses from the team on the solution shown above.

Anyone else reading this, please note that a bug has been filed and assigned ! Smiley Happy

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

View solution in original post

0 Kudos
4 Replies
daphnissov
Immortal
Immortal
0 Kudos
Burke-
VMware Employee
VMware Employee

The extra annoying bit here is that in a previous version, I had found this:

Replace Certificate on the vRealize Suite Lifecycle Manager Appliance -- which worked.. however, with LCM 1.3, this no longer appears to be the case. It will work initially (after restarting the service as noted in that page), but upon appliance reboot, the CA signed certificate is lost Smiley Sad, giving me the ever so ugly "Not secure" address bar in Chrome.

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter
0 Kudos
daphnissov
Immortal
Immortal

In this day and age, PKI certs should not be a v2 feature--they should be there from day one. This isn't an outlandish "feature" to have any longer.

Burke-
VMware Employee
VMware Employee

Update and resolution:

This behavior is being caused by the presence of the following file (apparently new in version 1.3):

/etc/init.d/vlcm-certgen <-- each time the appliance boots, a cert is generated, overwriting any custom certs that had been placed in /opt/vmware/vlcm/cert

So quick resolution is:

  • delete or move the /etc/init.d/vlcm-certgen (I simply moved it to /root)
  • Replace the server.crt and server.key files in /opt/vmware/vlcm/cert folder with those generated by your CA
  • Restart the the services: systemctl restart vlcm-xserver (or reboot the appliance)
  • Start a new Browser session and visit your LCM 1.3+ server, you should see that your custom SSL cert is now being used

Thanks to the quick responses from the team on the solution shown above.

Anyone else reading this, please note that a bug has been filed and assigned ! Smiley Happy

If my answer resolved or helped you, please mark it as Correct or Helpful to award points. Thank you! Visit http://www.vcoteam.info & http://blogs.vmware.com/orchestrator for vRealize Orchestrator tips and tutorials - @TechnicalValues on Twitter

View solution in original post

0 Kudos