VMware Cloud Community
BenJ_UAlb
Contributor

Certs for End Point Operations Management (EPO)

Working in a nested lab, with the PCS and vCenter combined appliance. vROps is monitoring my 1 ESXi 6.1 nested host, and the 3 tiny VMs I have created thus far.

I happened upon this article:

Operating System and Application Monitoring Using vRealize Operations Manager 6.2 – Getting Started

I must experiment with Application monitoring, but when I access the admin portal for vROps, and click the SSL certificate icon :smileycry:, I only see 1 certificate.

Should I use that one?

Kind Regards

Ben

Accepted Solutions
mark_j
Virtuoso

When you configure an agent, Linux's agent will prompt you to accept the thumbprint that is found on the host you target. The Windows agent will ASK you to insert the thumbprint. The SSL Thumbprint/cert to be used is the SSL cert installed on the host you're targeting. If you have multiple vR Ops nodes (any # of nodes >1), you should have installed a custom SSL certificate that is a SAN type. The SAN cert will have a CN of the load balancer/VIP of the cluster, with subject alt names for each node (FQDNs), as well as any other load balancer in place for remote collector groups.

Short answer, when you go to the /admin UI, you will always see a single cert, because the vR Ops nodes can ONLY EVER have a single cert loaded. By default, all nodes will have self-signed certs. Once you install a custom cert, ALL NODES will have their self-signed certs replaced with that custom cert you just installed. You can only have a single custom cert loaded in a vR Ops cluster/deployment at any single time, so you're using a SAN cert because you need to have 'one ring to rule them all'.

If you find this or any other answer useful please mark the answer as correct or helpful.
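
A way to check what the answer above describes, as an added example that is not part of mark_j's post or any VMware tooling: it computes the thumbprint an agent would be shown and lists the names a SAN certificate fails to cover. The host names, port 443, the SHA-1 default digest and all function names are assumptions; the certificate is a throwaway generated for the demo (needs OpenSSL 1.1.1 or later).

```shell
#!/bin/sh
# Constructed lab names (assumptions, not taken from the thread).
VIP="vrops-vip.lab.example"
NODES="vrops-node1.lab.example vrops-node2.lab.example"

# make_sample_cert OUT.pem: throwaway self-signed SAN cert (constructed sample)
# with CN = VIP and a DNS subject alt name for the VIP and for each node.
make_sample_cert() {
    san="DNS:$VIP"
    for n in $NODES; do san="$san,DNS:$n"; done
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$VIP" \
        -addext "subjectAltName=$san" -keyout "$1.key" -out "$1" 2>/dev/null
}

# fetch_cert HOST: PEM of the cert a live node presents on port 443 (assumed
# port). Needs network access, so the offline demo below does not call it.
fetch_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# normalize THUMBPRINT: strip colons and spaces, lower-case the hex digits.
normalize() { printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'; }

# thumbprint CERT.pem [DIGEST]: fingerprint of the cert; DIGEST defaults to
# sha1 (assumption: use whichever digest the agent prompt displays).
thumbprint() {
    normalize "$(openssl x509 -in "$1" -noout -fingerprint "-${2:-sha1}" | cut -d= -f2)"
}

# thumbprint_matches CERT.pem EXPECTED: true if EXPECTED, in any common
# formatting, equals the cert's thumbprint.
thumbprint_matches() { [ "$(thumbprint "$1")" = "$(normalize "$2")" ]; }

# missing_sans CERT.pem NAME...: print each NAME lacking a DNS subject alt name.
missing_sans() {
    cert=$1; shift
    sans=$(openssl x509 -in "$cert" -noout -text |
           grep -o 'DNS:[^,[:space:]]*' | cut -d: -f2)
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

demo() {
    dir=$(mktemp -d) && make_sample_cert "$dir/cluster.pem" || return 1
    echo "thumbprint: $(thumbprint "$dir/cluster.pem")"
    # vrops-rc1 is a constructed extra name that the sample cert does not cover.
    echo "uncovered: $(missing_sans "$dir/cluster.pem" $VIP $NODES vrops-rc1.lab.example)"
    rm -rf "$dir"
}
demo
```

Against a real deployment, save `fetch_cert <node>` output to a file for each node and run `thumbprint` on it; every node should return the same value, since the cluster holds a single certificate.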

BenJ_UAlb
Contributor

Great stuff.  Many thanks!!!

Kind Regards
Ben
