Monday, July 20, 2020

Using Custom Certificates in Usage Meter 4.x


Customers and service providers are increasingly asking for secure web browser access to Usage Meter. The older versions of UM had methods to replace the certificates.

Beginning with version 3.6.1, there is no official or supported method to use custom certificates for Usage Meter, and only the default certificates are allowed.

Recently we have been receiving requests from customers to use their own internal or custom-signed certificates for Usage Meter 4.x versions. It is still on the roadmap, and I believe it will be taken care of in the upcoming versions.

I have tested this in my lab. Since the Usage Meter 4.x version uses the nginx web server, I found a possibility to replace the certificates.

Note: This is not officially supported and no supported documentation is available at this moment. You have to repeat the steps every time you upgrade or patch the Usage Meter appliance. Make sure to take a snapshot or a valid backup before performing the steps.

Take a snapshot of the Usage Meter appliance.
Have the certificate and the key file generated from your CA ready.
Access the Usage Meter appliance via SSH using the root account.
Take a backup of the crt and key files at the locations below, then copy the new crt and key files to the same locations:
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key
Edit the configuration file to match the crt and key location:
        vi /opt/vmware/cloudusagemetering/conf/nginx.conf

Once the changes have been made, make sure to give the usagemeter account full permissions to the crt, key, and configuration files as shown below:

 chown -R usagemeter /opt/vmware/cloudusagemetering/conf/nginx.conf
 chown -R usagemeter /etc/ssl/private/nginx-selfsigned.key
 chown -R usagemeter /etc/ssl/certs/nginx-selfsigned.crt


Once the permission has been provided, the usagemeter account should be able to access the files. Log in to the UM appliance via SSH using the usagemeter account and run:

  chmod 777 /etc/ssl/certs/nginx-selfsigned.crt
  chmod 777 /etc/ssl/private/nginx-selfsigned.key
  chmod 777 /opt/vmware/cloudusagemetering/conf/nginx.conf



Finally, reboot the appliance and verify the certificates in the browser interface at https://IPaddress:8443
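
The steps above leave the private key at mode 777. As an added example (not part of the original post and not a VMware procedure), the shell functions below check that the new certificate and key belong together and audit or tighten the file modes. It assumes nginx reads these files as their owner, usagemeter, so owner-only access to the key is enough; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Default paths are the ones the post uses; override via the environment.
CRT=${CRT:-/etc/ssl/certs/nginx-selfsigned.crt}
KEY=${KEY:-/etc/ssl/private/nginx-selfsigned.key}
CONF=${CONF:-/opt/vmware/cloudusagemetering/conf/nginx.conf}

# Succeeds only if the certificate and the private key carry the same public key.
pair_matches() {  # usage: pair_matches CRT KEY
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Succeeds if FILE grants no permission bit beyond the octal mode MAX.
mode_within() {  # usage: mode_within FILE MAX
    m=$(stat -c '%a' "$1") || return 2
    [ $(( 0$m & ~0$2 & 07777 )) -eq 0 ]
}

# Owner-only access on the key; cert and conf writable by the owner only.
# Assumption: the owning account (usagemeter) is the one nginx reads them as.
tighten() {  # usage: tighten CRT KEY CONF
    chmod 644 "$1" "$3" && chmod 600 "$2"
}

# Prints one line per over-permissive file; returns the number of findings.
audit() {  # usage: audit CRT KEY CONF
    bad=0
    mode_within "$2" 600 || { echo "key too open: $2"; bad=$((bad+1)); }
    mode_within "$1" 644 || { echo "cert writable by others: $1"; bad=$((bad+1)); }
    mode_within "$3" 644 || { echo "conf writable by others: $3"; bad=$((bad+1)); }
    return "$bad"
}
```

After copying the files and running the chown commands, `pair_matches "$CRT" "$KEY" && tighten "$CRT" "$KEY" "$CONF" && audit "$CRT" "$KEY" "$CONF"` should finish silently before the reboot.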
