SDDC Certificate Tool User Guide

Similar documents
Administering VMware Cloud Foundation. VMware Cloud Foundation 2.3

Administering VMware Cloud Foundation. Modified on 4 OCT 2017 VMware Cloud Foundation 2.2

Planning and Preparation. VMware Validated Design 4.0 VMware Validated Design for Remote Office Branch Office 4.0

vrealize Suite Lifecycle Manager 1.0 Installation and Management vrealize Suite 2017

Administering VMware Cloud Foundation. VMware Cloud Foundation 2.3.2

vrealize Production Test

VMware Validated Design Backup and Restore Guide

vrealize Suite Lifecycle Manager 1.1 Installation, Upgrade, and Management vrealize Suite 2017

Planning and Preparation. 22 AUG 2017 VMware Validated Design 4.1 VMware Validated Design for Management and Workload Consolidation 4.

Introducing VMware Validated Designs for Software-Defined Data Center

Planning and Preparation

Introducing VMware Validated Designs for Software-Defined Data Center

Introducing VMware Validated Designs for Software-Defined Data Center

VMware vrealize Operations Federation Management Pack 1.0. vrealize Operations Manager

Migrating vrealize Automation 6.2 to 7.2

Migrating vrealize Automation 6.2 to 7.1

Using the vrealize Orchestrator Chef Plug-In 1.0

DCLI User's Guide. Data Center Command-Line Interface

DCLI User's Guide. Modified on 20 SEP 2018 Data Center Command-Line Interface

Planning and Preparation. Modified on 21 DEC 2017 VMware Validated Design 4.1 VMware Validated Design for Micro-Segmentation 4.1

VMware Validated Design Site Protection and Recovery Guide

VMware Validated Design Planning and Preparation Guide

Using vrealize Operations Tenant App as a Service Provider

vrealize Suite Lifecycle Manager 1.2 Installation, Upgrade, and Management vrealize Suite 2017

DCLI User's Guide. Data Center Command-Line Interface 2.9.1

Setting Up Resources in VMware Identity Manager

Planning and Preparation. 13 FEB 2018 VMware Validated Design 4.2 VMware Validated Design for Software-Defined Data Center 4.2

Installing and Configuring VMware Identity Manager Connector (Windows) OCT 2018 VMware Identity Manager VMware Identity Manager 3.

vrealize Suite Lifecycle Manager 2.0 Installation, Upgrade, and Management VMware vrealize Suite Lifecycle Manager 2018

Planning and Preparation. 22 AUG 2017 VMware Validated Design 4.1 VMware Validated Design for Software-Defined Data Center 4.1

Advanced Service Design. vrealize Automation 6.2

VMware AirWatch Integration with SecureAuth PKI Guide

Installing and Configuring vcloud Connector

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Installing and Configuring vcloud Connector

VMware Validated Design Monitoring and Alerting Guide

DCLI User's Guide. Data Center Command-Line Interface 2.7.0

AirWatch Mobile Device Management

Introducing VMware Validated Designs for Software-Defined Data Center

SAML-Based SSO Configuration

TECHNICAL WHITE PAPER - FEBRUARY VMware Site Recovery for VMware Cloud on AWS Evaluation Guide TECHNICAL WHITE PAPER

vrealize Operations Management Pack for NSX for Multi-Hypervisor

VMware Validated Design Monitoring and Alerting Guide

Planning and Preparation. 17 JUL 2018 VMware Validated Design 4.3 VMware Validated Design for Software-Defined Data Center 4.3

Introducing VMware Validated Designs for Software-Defined Data Center

User guide NotifySCM Installer

LDAP Directory Integration

Building Automation and Orchestration for Software-Defined Storage with NetApp and VMware

Using the vrealize Orchestrator OpenStack Plug-In 2.0. Modified on 19 SEP 2017 vrealize Orchestrator 7.0

Planning and Preparation. 17 JUL 2018 VMware Validated Design 4.3 VMware Validated Design for Management and Workload Consolidation 4.

ENTRUST CONNECTOR Installation and Configuration Guide Version April 21, 2017

Using the Horizon vrealize Orchestrator Plug-In

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

VMware AirWatch Integration with RSA PKI Guide

Installing and Configuring vrealize Code Stream. 28 JULY 2017 vrealize Code Stream 2.3

vcloud Usage Meter 3.6 User's Guide vcloud Usage Meter 3.6

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Using SSL/TLS with Active Directory / LDAP

Cisco Prime Service Catalog Virtual Appliance Quick Start Guide 2

Installation and Configuration. vrealize Code Stream 2.1

vrealize Operations Management Pack for NSX for vsphere Release Notes

vrealize Operations Management Pack for NSX for vsphere 2.0

Workspace ONE UEM Integration with RSA PKI. VMware Workspace ONE UEM 1810

VMware Tunnel Guide Deploying the VMware Tunnel for your AirWatch environment

Administering VMware Cloud Foundation. SDDC Manager VMware Cloud Foundation 2.1.3

vrealize Operations Management Pack for NSX for vsphere 3.5.0

vrealize Operations Management Pack for NSX for vsphere 3.0

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline 1.4

Installing and Configuring vrealize Code Stream

ACE Live on RSP: Installation Instructions

LDAP Directory Integration

Storage Manager 2018 R1. Installation Guide

Installation and Configuration

VMware vfabric AppInsight Installation Guide

vrealize Operations Management Pack for NSX for vsphere 3.5 Release Notes

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.0

Using vrealize Code Stream. vrealize Code Stream 1.0

Introducing VMware Validated Design Use Cases

VMware Skyline Collector Installation and Configuration Guide. VMware Skyline Collector 2.0

Introducing VMware Validated Design Use Cases. Modified on 21 DEC 2017 VMware Validated Design 4.1

SUREedge MIGRATOR INSTALLATION GUIDE FOR NUTANIX ACROPOLIS

vcenter Server Installation and Setup Modified on 11 MAY 2018 VMware vsphere 6.7 vcenter Server 6.7

vrealize Orchestrator Load Balancing

CLI users are not listed on the Cisco Prime Collaboration User Management page.

NexentaStor VVOL

vcenter Server Installation and Setup Update 1 Modified on 30 OCT 2018 VMware vsphere 6.7 vcenter Server 6.7

vcenter Operations Management Pack for NSX-vSphere

Dell EMC Ready Solution for VMware NFV Platform

Horizon Cloud with On-Premises Infrastructure Administration Guide. VMware Horizon Cloud Service Horizon Cloud with On-Premises Infrastructure 1.

vrealize Production Test Upgrade Assessment Guide

User Inputs for Installation, Reinstallation, and Upgrade

Hitachi ID Systems Inc Identity Manager 8.2.6

Planning and Preparation. VMware Validated Design 4.0 VMware Validated Design for Software-Defined Data Center 4.0

VIRTUAL GPU LICENSE SERVER VERSION , , AND 5.1.0

Deep Security 9 vcenter Operations Manager Integration

How to Deploy vcenter on the HX Data Platform

EMC ViPR Controller. Create a VM and Provision and RDM with ViPR Controller and VMware vrealize Automation. Version 2.

Managing vrealize Automation. 15 March 2018 vrealize Automation 7.3

VMware Cloud Foundation Architecture and Deployment Guide. VMware Cloud Foundation 3.5

Transcription:

SDDC Certificate Tool User Guide

Table of Contents Summary... 3 System Requirements... 3 Instructions... 3 Installation... 3 Workflows... 4 Configuration File... 4 Sample JSON... 5 Configuration File Samples... 5 JSON Key Description... 6 Simple Workflow... 6 Advanced Workflow... 7 Creating Certificate Signing Requests... 7 Request Signed Certificates for all VMware Components... 8 Save Passwords in an Encrypted file... 8 Command Line Arguments... 8

Summary Replacing SSL certificates across VMware products is a manual and time-consuming process. The SDDC Certificate Tool automates this workflow and makes it easy to keep certificates across your SDDC up to date. It will replace all certificates in the supported products and reestablish trust between the components. Supported Products: VMware Platform Services Controller (PSC) VMware vcenter Server (VC) VMware NSX for vsphere (NSX) vrealize Log Insight (vrli) vrealize Operations Manager (vrops) vrealize Automation (vra) vrealize Business for Cloud (vrb) System Requirements Linux server running Java 1.8+ Certificate Files in x509 format (.cer) Certificate Chain in x509 format (.cer) Supported VMware products: Product Minimum Version Maximum Version VMware Platform Services Controller (PSC) 6.0 U2 6.7 VMware vcenter Server (VC) 6.0 U2 6.7 VMware NSX for vsphere (NSX) 6.2.4 6.4.1 vrealize Log Insight (vrli) 3.6 4.6 vrealize Operations Manager (vrops) 6.3 6.7 vrealize Automation (vra) 7.4 7.4 vrealize Business for Cloud (vrb) 7.1 7.4 Instructions Installation To run CertReplace you will need Linux host with Java Version 1.8 or higher. PhotonOS is the suggested distribution. 1. Download and install PhotonOS: https://github.com/vmware/photon/wiki/downloading-photon-os

2. Download the SDDC Certificate Tool RPM and transfer it to the created PhotonOS VM. 3. Install Java 1.8. tdnf install openjdk8 4. Browse to the directory where you transferred the SDDC Certificate Tool and install the RPM. rpm -ivh cert-mgmt-1.0.0-8986031.noarch.rpm 5. The SDDC Certificate Tool will be installed at /opt/vmware/cert-mgmt/. Workflows There are two workflows described in these instructions. The simple workflow is if you already have signed certificates from a trusted Certificate Authority (CA) and simply want to use the tool to replace certificates. The advanced workflow is if you would like the SDDC Certificate Tool to generate Certificate Signing Requests (CSRs) for the VMware appliances, send the CSRs to a trusted CA for certificate generation, and finally replace the certificates. The steps to perform the simple workflow are: 1. Copy certificate, private keys, and the root chain to a Linux server. 2. Download and extract the SDDC Certificate Tool. 3. Edit the configuration file to include hostnames, account credentials, and location of the certificate files. 4. Run SDDC Certificate Tool to replace certificates. Additional details are in the Simple Workflow section. The advanced workflow steps are: 1. Download and extract the SDDC Certificate Tool. 2. Edit the Configuration JSON file with hostnames and passwords. 3. Use SDDC Certificate Tool to Generate Certificate Signing Requests (CSRs). 4. Use generated CSRs to receive signed certificates from Certificate Authority and copy it to the Linux server. 5. Edit the configuration JSON file to include locations of the certificates. 6. Run SDDC Certificate Tool to replace certificates. Additional details are in the Advanced Workflow section. Configuration File The first step is to create a configuration file to match your environment. Check the sample configuration files in /opt/vmware/cert-mgmt/config/ directory for further configuration templates. This file is a JSON with multiple VMware product components. This is a sample PSC configuration with a description below. Note, including passwords in the JSON configuration file is optional for security reasons. Remove the password line in the JSON. If you choose this method, use the command line argument:

java -jar lib/certreplace-*.jar -config config/config.json -createlocalcsr - This will prompt you for all passwords initially and can optionally save them in an encrypted file for reuse later. To save the passwords for reuse, see Save Passwords in an Encrypted file. Sample JSON This is an example JSON configuration file showing specifics of a vcenter Server and the descriptions of the keys. { "default":{ "csrspec":"output/csrspec/default.txt", "vcenters":[ { "host":{ "hostname":"sfo01m01vc01.rainpole.local", "osadmin":{ "username":"root", "password":"vmware1!", "admin":{ "username":"administrator@vsphere.local", "password":"vmware1!", "serviceaccounts":[ { "credential":{ "username":"svc-vrops@rainpole.local", "password":"vmware1!", "description":"example service account for vcenter to access vrops" ], "newsslcert":true, "sslcert":{ "csrspec":"output/csrspec/sfo01m01vc01.txt", "privatekey":"signedbymscacerts/sfo01m01vc01/sfo01m01vc01.key", "password":"vmware1!", "signedcert":"signedbymscacerts/sfo01m01vc01/sfo01m01vc01.1.cer", "cachain":"signedbymscacerts/rootca/root64.cer" ] Configuration File Samples The /opt/vmware/cert-mgmt/config folder includes a few sample configuration files: File config-allproducts.json config-csr.json embedded-pscvcenter.json Description All supported products supported by SDDC Certificate Tool with CSR generation code. Two-member external PSC and one vcenter that need CSR generation and replacement. Embedded PSC and vcenter instance that requires a certificate replacement.

nsx+vc.json psc+vc.json NSX and VC with Embedded PSC but only the certificate on NSX needs replacement. Two-member external PSC with one vcenter that all require replacement. JSON Key Description Keys default pscs/ vcenters/ nsxmanagers/etc. host admin serviceaccounts newsslcert sslcert Description Config file location for common entries across all of your certificate signing requests such as OU, LOC, CN, etc. This is not required if CertReplace is not going generate CSRs. Identifies which product it is. There is a section for each product, see the sample configuration file for all of the products that are supported. The hostname and appliance root username and passwords are needed here. The administrator account s username and password are needed here. If you are using service accounts to connect to other appliances in your SDDC, you will need to include those here. This specifies if you would the SSL certificate of this component replaced with a true or false. If this is true, the sslcert section is mandatory. The file location of the csrspec, private key, password, signed certificate, and the certificate authority chain file. The csrspec file has hostnames and SAN that will be included in the certificate and needs to be edited. See the included files for a sample. Simple Workflow This workflow is if you already have signed certificates that you want to replace it on the VMware components. 1. Copy signed certificates, private keys, and the certificate authority chain from your Certificate Signing Authority to a Linux server. A private folder is recommended to safeguard the private keys. 2. Download and extract the SDDC Certificate Tool to the /opt/vmware/cert-mgmt/ folder. 3. Follow a configuration template and edit it to match your environment. Follow the examples at /opt/vmware/cert-mgmt/config and the Configuration File section for a detailed look. 4. Run Certificate Replacement command. java -jar lib/certreplace-*.jar -c config/config.json -replacecert -

If there are any errors in the configuration file, they will be shown and certificate replacement will only proceed once all errors have been fixed. Advanced Workflow This workflow increases the level of security by creating certificate signing requests on the VMware product appliances. The private keys will stay on the appliances and will not need to be copied anywhere. 1. Download and extract the SDDC Certificate Tool to the /opt/vmware/cert-mgmt/ folder. 2. Follow a configuration template and edit it to match your environment. Follow the examples at /opt/vmware/cert-mgmt/config/config-csr.json and the Configuration File section for a detailed look. 3. Use SDDC Certificate Tool to Generate Certificate Signing Requests (CSRs). java -jar lib/certreplace-*.jar -config config/config.json -createcsr - See the Creating Certificate Signing Requests section for more details. 4. Use generated CSRs placed in /opt/vmware/cert-mgmt/output/csrs/ to receive signed certificates from Certificate Authority and copy it to the Linux server. If you are using a Microsoft Certificate Authority, you can use the CertGenVVD Powershell script. See Request Signed Certificates for all VMware Components for more information. 5. Edit the configuration JSON file to include locations of the certificates. Follow /opt/vmware/cert-mgmt/config/config-csr.json as a reference. 6. Run CertReplace to replace certificates. java -jar lib/certreplace-*.jar -c config/config.json -replacecert - Creating Certificate Signing Requests A Certificate Signing Request (CSR) needs to be created for each VMware component. There are a few ways to do this with our tool once the configuration file is complete. The CSRs will then need to be sent a Certificate Authority to receive a signed certificate. You can do this manually or use CertGen. You will need to edit the files in /opt/vmware/cert-mgmt/output/csrspec to match your environment. The default.txt file contains all common elements across the SDDC. Each other component has its own file with a unique CN and SANs. See the files in this folder for samples. Generate CSRs on each product appliance CSRs can be generated on each product appliance specified in the configuration file. This will increase the security since private keys will stay on the appliance not be transferred through the network.

Example Usage: java -jar lib/certreplace-*.jar -config config/config.json -createcsr - This will store all of the CSR files in the /opt/vmware/cert-mgmt/output/csrs. Generate CSRs locally on the host If you prefer to generate CSRs on the host where you are running the certreplace tool, run: java -jar lib/certreplace-*.jar -config config/config.json -createlocalcsr - Request Signed Certificates for all VMware Components The next step is to take the CSRs and send it to a Certificate Authority (CA) to get it signed. You can use any third-party CA. For a Microsoft Certificate Authority, you can use CertGenVVD to do this. Using the CSRs generated, run:.\certgenvvd-3.0.1.ps1 CSR -extra Refer to the CertGen KB article for more information. Save Passwords in an Encrypted file If you prefer to not save your passwords in the configuration file, use the command line argument. java -jar lib/certreplace-*.jar -c config/config.json -replacecert \ - If a password is not in the configuration file, you will be prompted for the password. After all passwords have been entered, you can optionally save the passwords in an encrypted file for reuse next time with a master password. java -jar lib/certreplace-*.jar -c config/config.json -replacecert \ - -passwdfile /opt/vmware/cert-mgmt/config/passwords.secure Command Line Arguments Argument -config - -passwdfile -replacecert Description Configuration file path Require all passwords to be input from the user if not specified in JSON file. More details in Save Passwords in an Encrypted file File path to save encrypted credentials. This is recommended to not have to enter in the credentials multiple times. Replace certificates across the SDDC stack

-createcsr -createlocalcsr -cleanup -help Create certificate signing requests in product appliances Create certificate signing requests on this host Cleanup temporary files in both localhost and product appliances Display command line arguments and details.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback