3 Replies Latest reply on Nov 21, 2016 10:06 AM by VMscribble

    Log Insight SSL Certificate Change on Standard/Free license

    Brian Knutsson Enthusiast
    vExpert

      Hi,

      I have installed Log Insight on a number of customer sites, since VMware released it with vCenter (25 OSI Pack). If you did not know this, go ahead and install Log Insight for free. It is a great addition to your troubleshooting toolbox. Also it gets syslogs away from your vCenter, if that is not already the case.

      You can set up LI to do AD authentication very easily, but you do not want that to happen on a self-signed SSL certificate, since anyone can catch your login credentials. The obvious solution would be to install an SSL certificate from your own approved PKI infrastructure, but wait, that is not possible with the Free version!


      This is the message you get on the web interface when going to the SSL tab:

      Log Insight is currently operating with a license that does not allow using custom SSl certificates.

      In order to enable this functionality, you will need to purchase a full-feature license for Log Insight.

      Please contact you VMware Account Manager or purchase directly from VMware.

      ?? WHAT !! Log Insight is running on a Linux open source platform on TOMCAT, and you want us to pay for the ability to change the SSL certificate? I cannot in my wildest dreams imagine who came up with that idea.

      Here is my silent protest against this. VMware, this is ludicrous! You want your products to be safe, not to have them make the customer network insecure!

      I will probably get in trouble for what I am about to post, but I chose to interpret VMware's license statement in the sense that you are paying to use the web interface to change the SSL certificate. I refuse to believe that they are charging you money to use open source tools, on an open source platform, to tighten security on a product that would otherwise be insecure. I got a statement from VMware when asking about this. They responded that "requiring a cost for SSL certificates is a common practice and not specific to VMware".


      So here goes. These are the steps to change the certificate the free and manual way:

      This guide is based on the script found on the Log Insight appliance: /opt/vmware/bin/li-ssl-cert.sh

      WARNING: Everything you read here is used at your own risk, and I will take no responsibility if it breaks your environment, or any other misfortune it brings you. I am pretty sure that VMware Support will not be able to help you, and you might be in violation of license policy. In other words, I am covered in Teflon.

      All commands are run using PuTTY on the Log Insight (LI) appliance logged in as user root, and require you to know how to get around in Linux and change files.


      1. Shut down your Log Insight appliance(s) and take a snapshot for backup.
        1. Change the "default_bits" setting in /etc/ssl/openssl.cnf from 1024 to 2048 bits.
      2. Generate a certificate in PEM format.
        1. Generate the request
          Command: openssl req -new -nodes -out /root/rui.csr -keyout /root/rui-orig.key -config /etc/ssl/openssl.cnf
      3. Issue a Web Server certificate for the request /root/rui.csr using your PKI infrastructure. (You will have to figure this out for yourself. This is beyond this guide.)
      4. Save your new certificate as a Base64 encoded file, and move it to the LI appliance using scp. It should be located in /root and called response.cer. Do not edit any of the certificate files in Windows!
      5. Gather the certificates into a PFX file
        Command: openssl pkcs12 -export -in /root/response.cer -inkey /root/rui-orig.key -name rui -passout pass:vmware -out /root/newCert.pfx
      6. Change the certificate into PEM format
        Command: openssl pkcs12 -in /root/newCert.pfx -inkey /root/rui-orig.key -out /root/newCert.pem -nodes
      7. Generate the certificate chain
        Download the Root CA certificate from your PKI infrastructure in Base64 format, and copy it to the appliance if you want. Or you can open it in WordPad and paste the content into the key chain file (PEM).
        Download the Intermediate CA certificate from your PKI infrastructure in Base64 format, and copy it to the appliance if you want. Or you can open it in WordPad and paste the content into the key chain file (PEM).
      8. Create a new file and put in the certificates in the following order. - Ref: VMware vRealize Log Insight
        Log Insight public key (newCert.pem; remember to remove the x509 information in the file)
        Log Insight private key (newCert.pem; remember to remove the x509 information in the file)
        Intermediate CA certificate, if any is used
        Root CA certificate
      9. Replace the certificates using the following commands:

      # Variables and flag files taken from /opt/vmware/bin/li-ssl-cert.sh
      # (DATE and DEFAULT_KEYSTORE_STOREPASS are not used by the commands below, but are kept as the script defines them)
      DATE=$(date +%s)
      SSL_API_SCRIPT_IN_PROGRESS_FLAG=/tmp/ssl_api_script_in_progress
      SSL_KEYSTORE_REPLACED_API_FLAG=/tmp/ssl_keystore_replaced_api
      SSL_CUSTOM_KEYSTORE_UPLOADED_API_FLAG=/tmp/ssl_custum_keystore_uploaded_api
      DEFAULT_KEYSTORE_STOREPASS=vmware
      # Pick the newest Tomcat directory shipped with the appliance
      TOMCAT=$(basename "$(ls -td /usr/lib/loginsight/application/3rd_party/apache-tomcat-* | head -n 1)")
      # Mark the replacement as in progress and drop the chain file where the appliance expects it
      touch "$SSL_API_SCRIPT_IN_PROGRESS_FLAG"
      cp /root/newCert.pem "/usr/lib/loginsight/application/3rd_party/$TOMCAT/conf/custom.pem"
      # Let the appliance's own helper turn custom.pem into the Tomcat keystore
      /usr/lib/loginsight/application/sbin/custom-ssl-cerf 2>&1
      # Record that the keystore was replaced and clear the in-progress flag
      touch "$SSL_KEYSTORE_REPLACED_API_FLAG"
      touch "$SSL_CUSTOM_KEYSTORE_UPLOADED_API_FLAG"
      rm -f "$SSL_API_SCRIPT_IN_PROGRESS_FLAG"


      You are done!

      In reality, moving the certificate chain to the appliance and running the last commands is what you are paying $6000 for.


      If it doesn't work, revert to the snapshot and try again. Give up, or pay for a license to use the web interface to do it.


      Best Regards

      Brian Knutsson
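
Step 8 of the post (strip the "x509 information" from newCert.pem and assemble leaf certificate, private key, intermediate CA and root CA in that order, without touching the files in Windows) is the step most likely to go wrong by hand. The script below is an added example, not part of the original post and not VMware's li-ssl-cert.sh: it takes the PEM that `openssl pkcs12 -nodes` writes (bag attributes and all), keeps only the PEM blocks, normalises CRLF line endings, refuses an encrypted key, and emits the chain in the order the post lists. The function names `build_chain` and `chain_layout` are my own; the sample PEM text is constructed placeholder base64, not a real certificate or key.

```python
"""Assemble a Log Insight custom.pem chain file: leaf cert, private key,
intermediate CA(s), root CA. Added example; file names follow the post."""
import re
import sys

# One PEM block; the label is captured so BEGIN and END must agree.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n.*?\n-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def normalise(text):
    # A Windows editor leaves CRLF; the appliance and openssl expect LF.
    return text.replace("\r\n", "\n").replace("\r", "\n")


def pem_blocks(text):
    """Return [(label, block)] for every PEM block, dropping everything
    outside the markers (Bag Attributes, subject=, issuer=, Key Attributes)."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(normalise(text))]


def certificates(text):
    return [block for label, block in pem_blocks(text) if label == "CERTIFICATE"]


def build_chain(pkcs12_pem, intermediate_pems=(), root_pem=""):
    """pkcs12_pem is the content of newCert.pem from `openssl pkcs12 -nodes`;
    the result is the content of the key chain file in the post's order."""
    blocks = pem_blocks(pkcs12_pem)
    if any(label.startswith("ENCRYPTED") for label, _ in blocks):
        raise ValueError("private key is encrypted; re-run openssl pkcs12 with -nodes")
    leaf = [block for label, block in blocks if label == "CERTIFICATE"]
    keys = [block for label, block in blocks if label in KEY_LABELS]
    if len(leaf) != 1 or len(keys) != 1:
        raise ValueError(
            "expected exactly one certificate and one private key in newCert.pem, "
            f"found {len(leaf)} certificate(s) and {len(keys)} key(s)"
        )
    parts = [leaf[0], keys[0]]
    for inter in intermediate_pems:
        parts.extend(certificates(inter))
    roots = certificates(root_pem)
    if len(roots) != 1:
        raise ValueError(f"expected exactly one root CA certificate, found {len(roots)}")
    parts.extend(roots)
    return "\n".join(parts) + "\n"


def chain_layout(chain_text):
    """Block labels in file order, to check the result before copying it to custom.pem."""
    return [label for label, _ in pem_blocks(chain_text)]


# Constructed sample input (placeholder base64, not real certificates or keys):
# the shape `openssl pkcs12 -nodes` prints, with bag attributes and CRLF endings.
SAMPLE_PKCS12_PEM = (
    "Bag Attributes\r\n"
    "    localKeyID: 01 02 03\r\n"
    "    friendlyName: rui\r\n"
    "subject=/CN=loginsight.example.test\r\n"
    "issuer=/CN=Example Issuing CA\r\n"
    "-----BEGIN CERTIFICATE-----\r\n"
    "TEVBRkNFUlRQTEFDRUhPTERFUg==\r\n"
    "-----END CERTIFICATE-----\r\n"
    "Bag Attributes\r\n"
    "    localKeyID: 01 02 03\r\n"
    "Key Attributes: <No Attributes>\r\n"
    "-----BEGIN PRIVATE KEY-----\r\n"
    "S0VZUExBQ0VIT0xERVI=\r\n"
    "-----END PRIVATE KEY-----\r\n"
)
SAMPLE_INTERMEDIATE_PEM = (
    "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRFUExBQ0VIT0xERVI=\n-----END CERTIFICATE-----\n"
)
SAMPLE_ROOT_PEM = "-----BEGIN CERTIFICATE-----\nUk9PVFBMQUNFSE9MREVS\n-----END CERTIFICATE-----\n"


def main(argv):
    # usage: python chain.py newCert.pem intermediate.pem root.pem > newCert.chain.pem
    if len(argv) == 4:
        with open(argv[1]) as f1, open(argv[2]) as f2, open(argv[3]) as f3:
            chain = build_chain(f1.read(), [f2.read()], f3.read())
    else:
        chain = build_chain(SAMPLE_PKCS12_PEM, [SAMPLE_INTERMEDIATE_PEM], SAMPLE_ROOT_PEM)
    sys.stdout.write(chain)
    sys.stderr.write("layout: %s\n" % chain_layout(chain))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Before copying the result to custom.pem, confirm the key really belongs to the certificate: `openssl x509 -noout -modulus -in newCert.chain.pem | openssl md5` and `openssl rsa -noout -modulus -in newCert.chain.pem | openssl md5` each read the first matching block in the file and must print the same digest.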