This post includes information to change the default SSL self-signed cert in a highly available configuration of vRO 6.x Appliances (Not tested on 7.x), using CA issued SAN certs or similar.
Many times, especially in enterprise environments, securing communications to the vRO server(s) is mandatory to comply with security standards. Self-signed certificates are then replaced with SAN certs issued by a CA. There is a trick to this, and I found numerous articles for this process but fell short every time with the configurator service not allowing connections.
It's actually really simple, but I've found disjointed pieces of references everywhere and I found they lacked cohesion. Hopefully I haven't made the mistake below, but ultimately, I use this page for my own reference :-)
- If you've configured a vRO cluster, shut down the other nodes first. You'll need to repeat this process below for each node.
- SSH into your appliance and stop the vRO (vco) service:
service vco-server stop
- Get into the correct directory:
cd /etc/vco/app-server/security
- Back up your jssecacerts file
cp jssecacerts jssecacerts-backup
- Remove the existing dunes alias
keytool -keystore jssecacerts -delete -alias dunes -storepass dunesdunes
- SCP or SFTP your PFX (.pfx) cert and your root cert (.cer) into a directory on the appliance - you can create one on the root as follows:
/vrealize-certs/
- Import your root cert to the keystore
keytool -import -alias root -keystore jssecacerts -trustcacerts -file "/vrealize-certs/<Root cert name>.cer"
- Import your CA-issued cert (the PFX) into the keystore
Note: When you run the command below, keytool prints the alias of the imported entry (a line of the form "Entry for alias <name> successfully imported"). That alias is what you will use in the rename command that follows.
keytool -importkeystore -srckeystore "/vrealize-certs/<CA cert name>.pfx" -srcstoretype pkcs12 -srcstorepass <passphrase for CA cert> -deststoretype jks -destkeystore jssecacerts -deststorepass dunesdunes
- Rename the above alias into "dunes" so that vRO understands it
keytool -changealias -alias "<alias name here>" -destalias "dunes" -keystore jssecacerts -storetype jks -storepass dunesdunes
- Now, we need to ensure that the password to the keystore is "dunesdunes" so that vRO can access it.
keytool -keypasswd -keystore /etc/vco/app-server/security/jssecacerts -alias dunes
- First prompt, enter the keystore password:
dunesdunes
- 2nd prompt, enter the current key password, which is the PFX passphrase you used in the import step above (the -srcstorepass value)
- 3rd prompt, enter the new key password:
dunesdunes
- Final prompt, confirm the new key password:
dunesdunes
- Assign ownership to vco user
chown vco:vco "/etc/vco/app-server/security/jssecacerts"
- If HA, shut down this appliance and start the same process on the next appliance. Otherwise, reboot this appliance and you're done.
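The steps above, scripted so they can be repeated identically on every node of the cluster. This is an added example and not the original post's material: the paths, the "dunes" alias and the "dunesdunes" keystore password come from the post, while the file names under /vrealize-certs, the PFX_PASS argument and the helper names are assumptions to adapt. The one fragile manual step, reading the imported alias off the screen, is replaced by parsing keytool's output, and the script finishes by checking that the keystore really contains a private-key entry named dunes that opens with the expected password.

```shell
#!/bin/sh
# Added example, not from the original post. Scripted replacement of the vRO 6.x
# appliance keystore entry as described in the post above. Run on each node in turn
# with the other nodes shut down:  sh replace-vro-cert.sh --run '<pfx passphrase>'

CERT_DIR="/vrealize-certs"                      # directory from the post
KEYSTORE_DIR="/etc/vco/app-server/security"     # directory from the post
STORE_PASS="dunesdunes"                         # keystore password vRO expects
ROOT_CER="$CERT_DIR/root.cer"                   # assumed file name of the root cert
CERT_PFX="$CERT_DIR/vro.pfx"                    # assumed file name of the issued PFX

# keytool -importkeystore prints one line per imported entry of the form
#   Entry for alias <name> successfully imported.
# Return the first such alias so the -changealias step needs no copy/paste.
extract_alias() {
    printf '%s\n' "$1" \
        | sed -n 's/^Entry for alias \(.*\) successfully imported\.$/\1/p' \
        | head -n 1
}

# Succeed only if the keystore opens with STORE_PASS and holds a private key under
# the dunes alias; this is the state vRO needs before the service is started again.
verify_dunes_entry() {
    keytool -list -keystore "$1" -storepass "$STORE_PASS" -alias dunes 2>/dev/null \
        | grep -q 'PrivateKeyEntry'
}

# Run the post's procedure end to end. Argument: passphrase of the PFX.
replace_vro_cert() {
    pfx_pass="$1"
    service vco-server stop
    cd "$KEYSTORE_DIR" || return 1
    cp jssecacerts jssecacerts-backup || return 1

    # Drop the self-signed entry so the new one can take its alias.
    keytool -keystore jssecacerts -delete -alias dunes -storepass "$STORE_PASS"

    # Trust the issuing root; -noprompt skips the interactive "Trust this cert?".
    keytool -import -noprompt -alias root -keystore jssecacerts -trustcacerts \
        -storepass "$STORE_PASS" -file "$ROOT_CER" || return 1

    # Import the PFX and capture keytool's output to learn the alias it chose.
    out=$(keytool -importkeystore -srckeystore "$CERT_PFX" -srcstoretype pkcs12 \
        -srcstorepass "$pfx_pass" -deststoretype jks -destkeystore jssecacerts \
        -deststorepass "$STORE_PASS" 2>&1) || { printf '%s\n' "$out"; return 1; }
    imported=$(extract_alias "$out")
    [ -n "$imported" ] || { echo "no imported alias found in keytool output"; return 1; }

    keytool -changealias -alias "$imported" -destalias dunes -keystore jssecacerts \
        -storetype jks -storepass "$STORE_PASS" || return 1

    # The private key is still protected by the PFX passphrase; vRO expects the
    # key password to equal the store password, so change it non-interactively.
    keytool -keypasswd -keystore jssecacerts -alias dunes -storepass "$STORE_PASS" \
        -keypass "$pfx_pass" -new "$STORE_PASS" || return 1

    chown vco:vco jssecacerts
    verify_dunes_entry jssecacerts || { echo "dunes entry check failed"; return 1; }
    echo "keystore updated; reboot this node (or shut it down and move to the next one)"
}

# Only act when explicitly asked, so sourcing the file for its functions is harmless.
if [ "${1:-}" = "--run" ]; then
    replace_vro_cert "$2"
fi
```

If the final check fails, restore jssecacerts-backup before starting vco-server again; the backup step exists precisely so that a bad import never leaves the node without a usable keystore.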
Hopefully the above helps you. It's certainly already helped me as reference material.