4 Replies Latest reply on Aug 12, 2015 12:36 PM by mark.j

    vRops SSL Certs

    JohnGibson Expert

      Hi

      So I've recently deployed an 8-node vROps environment and finally got around to requesting internal CA-signed SSL certs. I got them created, converted them to PEM format and uploaded the 1st cert, which looked OK. Then I did the 2nd node and checked it, and it looked OK. I then checked the 1st node, which reported an error and said it had the same SSL cert as the 2nd node.

      Now I need to check, as the documentation doesn't seem to say this and I don't see anything on the web that is clear either.

      For a vROps environment, is the SSL certificate the same SSL certificate for each and every node?

      If so, do I need to create a single SSL cert and put a subjectAltName for each node into the cert request?

      i.e. do I need to put a section like this into my openssl.cnf:

      [ v3_req ]
      subjectAltName = @alt_names

      [alt_names]
      DNS.1 = vropsnode1.internal.domain
      DNS.2 = vropsnode2.internal.domain
      DNS.3 = vropsnode3.internal.domain
      DNS.4 = vropsnode4.internal.domain
      DNS.5 = vropsnode5.internal.domain
      DNS.6 = vropsnode6.internal.domain
      DNS.7 = vropsnode7.internal.domain
      DNS.8 = vropsnode8.internal.domain
      IP.1 = 192.168.1.1
      IP.2 = 192.168.1.2
      IP.3 = 192.168.1.3
      IP.4 = 192.168.1.4
      IP.5 = 192.168.1.5
      IP.6 = 192.168.1.6
      IP.7 = 192.168.1.7
      IP.8 = 192.168.1.8

      cheers

      John

        • 1. Re: vRops SSL Certs
          JohnGibson Expert

          Documentation really is poor in this area, but I got this from VMware: "A single certificate will be used by the web server on all nodes, so for this to work the certificate must be valid for all nodes. One way to make this happen is with multiple Subject Alternative Name (SAN) entries." So it looks like I'm on the right track.

          Which is sort of weird, but it works as that says: when you look at the self-signed SSL certs they have different names (vc-ops-slice-1, vc-ops-slice-2, etc.), but when you upload an SSL cert the same cert is on all nodes.

          Update: I've had an SSL cert generated with the subjectAltNames as in the example above, with the FQDN and IP for each node in the cluster, created the appropriate PEM file from this and imported it. This works and the certificate is valid on all nodes, so that's the solution.

          Also of impact is the issue that vROps registers itself to vCenter with the IP and not the FQDN. The SSL cert needs the IP, but in my case it also causes connectivity issues from browsers due to our proxy settings, so this needs to be considered if it's needed...


          • vRealize Operations Manager extension is registered using the IP address instead of DNS name
            By default, vRealize Operations Manager registers its extension with vCenter using the vRealize Operations Manager IP address and not the DNS name. Users who click to open vRealize Operations Manager from the Monitor tab in vCenter open a URL based on the vRealize Operations Manager IP address and not the DNS name.
            Workaround: To allow registration of the vRealize Operations Manager extension with the DNS name, follow these steps:
            1. On every node in the vRealize Operations Manager cluster, follow these steps:
              1. From the console, open the following file in a text editor.
                $ALIVE_BASE/user/conf/configuration.properties
              2. Add the following line to the properties.
                extensionUseDNS=true
                Note: You can return to using the IP address by changing the property to false.
              3. Save and close configuration.properties.
            2. Log in to the vRealize Operations Manager administration interface, and restart the cluster.

          John

          • 2. Re: vRops SSL Certs
            Zsoldier Expert
            vExpert

            I don't think the alternative names are necessary since the only one producing the Web-UI is the master node.  As long as that has the correct cert, you should be set.

            • 3. Re: vRops SSL Certs
              JohnGibson Expert

              Thanks

              After testing, yes, we did need to put in the Subject Alternative Names, as we are connecting to each node via the node name... The master node does replicate a single cert to each node, but I needed to use a Subject Alternative Name in the cert... It doesn't seem to need IP addresses though, although there are some issues with vROps using the IP even though it's supposed to use the FQDN in places.

              John

              • 4. Re: vRops SSL Certs
                mark.j Master
                VMware Employees

                You need the subject alt names for each node to prevent cert errors when you access the Admin UI (/admin) portals on each node. When you load the cert on the master node, it'll replicate to all other nodes within the Analytic cluster. Do not use IPs or short names in the subject alt names for the nodes; just use the FQDNs, since that's how you'll likely be referring to each node.
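                Added example, not from any of the posts above: a small POSIX shell helper that builds the [ v3_req ] / [alt_names] section the way this thread ends up recommending (one cert for the whole cluster, FQDNs only, no IPs or short names), writes the key and CSR with openssl, and, once the cert has been uploaded on the master and replicated, checks that each node actually presents a certificate whose SAN list contains that node's own FQDN. It assumes openssl is on the PATH; the node names, the CN and the vrops.key / vrops.csr file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a SAN section that names every
# vROps node by FQDN only, creates the CSR, and verifies the served cert.
# Assumes: openssl on PATH; node names, CN and file names are placeholders.

# Print [ v3_req ] / [alt_names] for the node FQDNs given as arguments.
# Short names and dotted-quad IPs are refused (return 1) so they cannot end
# up in the CSR by accident.
gen_san_config() {
    printf '[ v3_req ]\nsubjectAltName = @alt_names\n\n[alt_names]\n'
    i=1
    for node in "$@"; do
        if printf '%s' "$node" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; then
            printf 'refusing IP address in SAN: %s\n' "$node" >&2
            return 1
        fi
        case "$node" in
            *.*) ;;   # contains a dot: accept as an FQDN
            *) printf 'refusing short name in SAN: %s\n' "$node" >&2; return 1 ;;
        esac
        printf 'DNS.%d = %s\n' "$i" "$node"
        i=$((i + 1))
    done
}

# Write a complete openssl request config (CN = first argument, SANs = the
# rest), generate key + CSR, and show the SAN block the CA will be signing.
make_csr() {
    cn=$1; shift
    cfg=$(mktemp) || return 1
    {
        printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n\n'
        printf '[ dn ]\nCN = %s\n\n' "$cn"
        gen_san_config "$@"
    } > "$cfg" || { rm -f "$cfg"; return 1; }
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout vrops.key -out vrops.csr -config "$cfg" || { rm -f "$cfg"; return 1; }
    rm -f "$cfg"
    openssl req -noout -text -in vrops.csr | grep -A1 'Subject Alternative Name'
}

# After the cert is uploaded on the master (and replicated), confirm that the
# node presents a certificate whose SAN list contains its own FQDN exactly.
check_node() {
    node=$1
    sans=$(openssl s_client -connect "$node:443" -servername "$node" </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' ')
    case ",$sans," in
        *",DNS:$node,"*) printf '%s: SAN present\n' "$node" ;;
        *) printf '%s: FQDN missing from SAN (%s)\n' "$node" "${sans:-no SAN found}" >&2
           return 1 ;;
    esac
}

# Typical run (placeholders):
#   make_csr vropsmaster.internal.domain vropsmaster.internal.domain \
#       vropsnode1.internal.domain vropsnode2.internal.domain
#   for n in vropsmaster.internal.domain vropsnode1.internal.domain; do check_node "$n"; done
```

                gen_san_config is pure shell and can be read on its own; make_csr and check_node shell out to openssl. Because the master replicates one certificate to every node, check_node is worth running against each node after the upload: a node whose FQDN is missing from the SAN list is exactly the one that will throw browser errors on its /admin portal.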