Tag Archives: vrealize

Replacing SSL certificates for vRealize Orchestrator Appliance

This posting is ~5 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

It’s a common practice to replace self-signed certificates, that are used in several VMware products, with CA signed certificates. I did this in my lab for my vCenter Server Appliance and my VMware Update Manager. While I was working with vRealize Orchestrator I noticed, that it is also using self-signed certificates (what else?). For completeness, I decided to replace the self-signed certificates with CA signed.

My lab environment

  1. VMware vSphere 5.5 environment running a vCenter Server appliance (already using CA signed certificates)
  2. vRealize Orchestrator Appliance 5.5.2 (not version 5.5.2.1,  because I had problems with this release)
  3. Microsoft Windows CA running on a Windows 2012 R2 Standard server

You don’t need a Microsoft Windows CA. You can use any other CA. There is no need to use a special vendor. I use a windows-based CA in my lab, so the screenshots reflect this fact. The way how certificates are replaced differs between vRealize Orchestrator Appliance and the windows-based standalone or vCenter Server embedded version. If you use the in the vCenter Server embedded or Standalone Orchestrator check Derek Seamans VMware vSphere 5.5 SSL Toolkit. I used the Orchestrator appliance.

I will only highlight the necessary steps to replace the certificates. I assume that you have a running Orchestrator appliance.

Create the package signing certificate

This certificate is used to sign packages. This certificate is NOT used with HTTPS.

1. Log into the Orchestrator Configuration website using the username “vmware” and click “Server Certificate” on the left navigation page. On the right side appears the server package signing certificate.

vco_package_sign_certificate_01

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

2. Create a new certificate. Otherwise, if you directly export the CSR, the CSR would include the organization, common name, OU etc. from the self-signed certificate. Choose the fourth option “Create a certificate database and self-signed server certificate”.

vco_package_sign_certificate_02

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

3. Enter at least the common name (FQDN of your Orchestrator appliance) and click “Create” (on the right at the end of the page).

vco_package_sign_certificate_03

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

4. Now the CSR can be exported. The CSR is saved into a file called “vCO_SigningRequest.csr”.

vco_package_sign_certificate_04

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

5. Take the CSR and submit a certificate request at your CA. In my case I took the content of the file and copied it into the corresponding text box of my CA. Make sure that you only use the content between “—–BEGIN NEW CERTIFICATE REQUEST—–” and “—–END NEW CERTIFICATE REQUEST—–“. I used a customized certificate template (check Derek Seamans blog for more information about VMware and SSL certificates!).

vco_package_sign_certificate_05

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

6. Download the Base 64 encoded certificate and give it a meaningful name (certnew.cer is NOT meaningful…).

vco_package_sign_certificate_06

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Import the CA certificate

1. Now we have to import the CA certificate. Otherwise we would get an error message when we try to import the CA signed certificate. If you use a Microsoft CA, you can get the CA certificate from the “Active Directory Certificate Services” website. Simply click “Download a CA certificate, certificate chain, or CRL” from the “Select a task:” list. Then save the Base 64 encoded certificate file by choosing “Download CA certificate”. Give the file a meaningful name.

import_ca_certificate_01

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

2. Start the Orchestrator Client and login with an account, that has administrator privileges. In my case this is my domain-admin account (Administrator@lab.local) which is member of the Orchestrator administrator group.

import_ca_certificate_02

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

3. Select “Tools” > “Certificate manager…” from the right top of the Orchestrator client.

import_ca_certificate_03

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

4. Click “Import certificate…”, choose the certificate file you saves some seconds ago and import it.

import_ca_certificate_04

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

That’s it. Now we can move forward and replace the package signing certificate.

Replace the package signing certificate

1. Switch back to the Orchestrator Configuration website and choose the third option: “Import a certificate signing request signed by a certificate authority”.

vco_package_sign_certificate_07

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

2. Choose the saved certificate for your Orchestrator appliance and click “Import” (on the right at the end of the page).

vco_package_sign_certificate_08

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

That’s it! The package signing certificate is now replaced by a CA signed one.

vco_package_sign_certificate_09

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

As I already wrote: This certificate is not used to secure HTTPS. To get rid of the certificate warning when using the Orchestrator Client or the Orchestrator Configuration website, we need some additional steps.

Replace the client certificate

This certificate is used to for HTTPS. After replacing this certificate, the certificate warning for the Orchestrator configuration page (port 8283), the application page (port 8281) and the appliance management page (port 5480) should disappear.

These steps can’t be done using the Orchestrator Configuration, or the appliance management website. Let’s start a SSH session to the Orchestrator appliance.

1. Use SSH, connect to the Orchestrator appliance and login with root credentials. Change to the directory /etc/vco/app-server/security and take a backup of the Java Keystore (JKS).

2. Stop the Orchestrator service

3. The utility “keytool” is used to manage the Java Keystore. The certificate we want to replace has the alias “dunes”. The password for the Java Keystore is “dunesdunes”. This password is valid for every Orchestrator installation! Before we can create a new keypair and export the CSR, the old key needs to be removed from the Java Keystore.

4. Now a new keypair must be created.

Make sure that you hit RETURN keytool asks for the password! Just accept, that the same password is used as for the Java Keystore. btw: “dunes” is a hint to the company who originally developed the Orchestrator. This compay was bought by VMware some years ago.

5. Export the CSR to a file.

You can copy the file to your CA by using SCP. Otherwise use a simple cat and copy the content between “—–BEGIN NEW CERTIFICATE REQUEST—–” and “—–END NEW CERTIFICATE REQUEST—–” directly into the corresponding text box of the CA.

6. Use the CSR to issue a new certificate.

vco_client_certificate_01

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

7. Download the Base 64 encloded certificate.

vco_client_certificate_02

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

8. Copy the certificate (using SCP) to the Orchestrator appliance, e.g. to /root or /etc/vco/app-server/security. Depending on the path, you have to change the “-file” parameter! I’ve copied the certificate to /etc/vco/app-server/security.

Please note that you also have to import the CA certificate into the Java Keystore! In my case, the CA certificate was already imported during the initial certificate import from my vCenter Server Appliance, where I also use CA signed certificates. You can import the CA certificate using the “SSL Tab” on the Orchestrator Configuration website.

9. Start the Orchestrator service.

10. Navigate to the Orchestrator website and check the success of the certificate import.

vco_client_certificate_03

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

I still got a certificate warning when starting the Orchestrator client. But I am sure that this behavior is due to Java, because Java doesn’t know the CA.

Replace the appliance management website certificate

The appliance management (port 5480) is also secured with HTTPS. By default the certificate and private key are stored in a PEM file (the file is not protected by a passphrase), which is located at /opt/vmware/etc/lighttpd/server.pem. The PEM file includes the certificate AND the private key. It’s a bit tricky to export a PEM file with the private key from the Java Keystore.

1. First of all: Backup the old PEM file. I assume that you are still logged in on the Orchestrator appliance and still located at /etc/vco/app-server/security.

2. Export the dunes key from the Java Keystore to a PKCS#12 store.

3. Export a PEM file from the PCKS12 keystore. Make sure that you add the “-nodes” parameter.

4. Copy the PEM file to /opt/vmware/etc/lighttpd/server.pem.

5. Restart the lighttpd.

You can safly ignore the warning. Check the state of the daemon using this command:

Lighttpd is running.

6. Check the status of the appliance management website.

vco_mgmt_cert_01

Patrick Terlisten/ www.vcloudnine.de/ Creative Commons CC0

Congratulations! The certificate is working.

Final words

As always, working with certificates is challenging. My first attempts have cost me an entire Sunday, especially because the documentation didn’t cover all aspects. I hope this blog post helps you to get through the certificate jungle. Feel free to provide feedback!

IaaS by VMware: VMware vCloud Hybrid Service

This posting is ~5 years years old. You should keep this in mind. IT is a short living business. This information might be outdated.

VMware vCloud Hybrid Service (vCHS) stands in one line with Amazon Web Services, Microsoft Azure, Rackspace Cloud or other cloud offerings. I don’t want to compare the different provider with vCHS. To be honest: This article is more a summary for myself, than really new content. I just want to summarize information about the IaaS offering of VMware. If you want a comparison of vCHS and AWS, I recommend to read this article written by Alex Mattson (AHEAD).

Introducing VMware vCloud Hybrid Service (vCHS)

VMware vCHS isn’t a tasty cheese (please DON’T pronounce it “vCheese”…), it’s a public cloud IaaS offering by VMware. And because public cloud concepts are no cheese, you should stick your nose into it more closely. VMware vCHS is built with the same VMware products that you’re using in your private datacenter. Because of this vCHS is compatible to your private VMware environment and you can move VMs between your private datacenter and VMware vCHS. You can use vCHS to move workloads to a public cloud environment, or you can use it to start a new deployment. Sure you can move workloads vom vCHS to your private datacenter.

Core Compute Services

VMware offers two core compute services: Dedicated Cloud and Virtual Private Cloud. Both provide a pool of compute, storage and networking resources. Dedicated Cloud is, as the name says, dedicated to a single-tenant, physically isolated with a dedicated management stack. 100% of the resources are reserved and can be allocated depending on customer needs. The customer can assign the resources to virtual dedicated clouds. Each virtual dedicated cloud provides individual access and control over the resources. Virtual Private Cloud is multi-tenant and logical isolated. The infrastructure is shared among several tenants. The virtual private cloud is ideal for testing or peak workloads. Both core services can be extended by various options. CPU, memory, storage and IP addresses can be added in increments to both compute services.

Business Continuity

VMware offers two services to protect your private and cloud-based VMs: vCHS Disaster Recovery and vCHS Data Protection. vCHS Disaster Recovery is based on vSphere Replication. With vCHS Disaster Recovery you can replicate VMs from your private datacenter into your vCHS environment, regardsless if you have a dedicated cloud or virtual private cloud. vCHS Data Protection is used to protect the VMs, that are running in your vCHS dedicated cloud or virtual private cloud environment.

Management Tools & Networking

Beside the core compute services and services like vCHS Disaster Recovery and vCHS Data Protection, VMware offers, and supports tools and applications to increase the value of vCHS. You can use the free vCloud Connector to migrate VMs from your VMware vSphere or vCloud environment to a vCHS dedicated cloud or virtual private cloud. VMware vCloud Automation Center can be used together with vCHS, e.g. users can provision multi-tier applications in vCHS by using vCAC self-service. vCHS takes care of the infrastructure deployment, vCAC controls the application deployment and enforces governance. With the vSphere Web Client Plug-in you can manage your private VMware environment and your vCHS environment through the same client. Offline Data Transfer (ODT) can be used for bulk uploads of VMs, templates, vApps etc. An encrypted device is provided by VMware to store the data for the transfer. Regarding networking VMware offers vCloud Hybrid Service Edge Gateway and Direct Connect. The edge gateways provides features like firewalling, NAT, IPSec VPN and load balancing. Director Connect provides high bandwidth (1 Gbps and 10 Gbps) connections to connect vCHS to your private datacenter. Direct Connect is a service provided by VMware and VMware Direct Connect partners.

Pricing

For pricing you should visit the vCHS Pricing & Comparison website, but to give you a clue: A virtual private cloud (20 GB, 5 Ghz, 2 TB storage, 10 Mbps bandwidth and 2 public IPs) costs ~ 1.200 € per month.

Final words

vCHS is a great product and there are dozens of use cases for it, e.g. disaster recovery with vSphere Replication. Good news for vExperts: VMware has re-launched the vExpert access to vCHS. Participants can use vCHS for 30 days. A great chance to demonstrate this to potential customers!