Wednesday, August 11, 2021

Replacing vROPS Certificates


Issue:  When using default certificates in vROPS  Due to security requirements it was necessary to replace the default self-signed certificates with a trusted certificate signed by an internal CA.

Unlike vCenter, vROPS uses a common name vc-ops-slice-1 followed by slice-2 for data and other node, where vCenter has SAN names in the default certificate so when you add the root of the local machine trusted store then the vCenter url shows secured.



In order to make the secure SSL we have to generate the CSR and get it signed by any third party SSL vendors or our own Microsoft CA. 

I will be generating a CSR and getting signed by internal Microsoft CA .We can refer this below article from VMware as reference. 

https://kb.vmware.com/s/article/2046591?lang=en_us

Steps: 

1.The first step is to create a new private key from taking a SSH session to master node vROPS.

openssl genrsa -out vrops.key 2048




2. Using the configuration file below make sure to provide details of master node ,data node  of FQDN /IP address and other basic information of certificates like organization name, locality etc. 

sample vrops.cfg file 

*********************************************************************

distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vrops1.org.com, IP:192.168.0.14,vrops2.org.com,192.168.0.15

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = VAR
localityName = CAL
0.organizationName = VROPS
organizationalUnitName = VROPSORG
commonName = vrops1.org.com

********************************************************************

openssl req -new -key vrops.key -out vrops.csr -config vrops.cfg






3. Get the certificate signed from your Internal CA using the vrops.csr file for instance we save the certificate obtained as  Server_cert.cer



4. The order of CA's certs in the .PEM file: Cert, Private Key, Intermediate Cert and then Root Cert.
cat server_cert.cer vrops.key cacerts.cer >final.pem.pem


-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: your_domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
(Your Private Key: your_domain_name.key)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Your Intermediate certificate: name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----


5.Access the admin page of vRops master node and click on the SSL certificate to install the pem file



6. After the installation will complete in few minutes logout from the admin and refresh the browser and access the vROPS to show as secured SSL










 
at No comments:
Labels:

Wednesday, March 3, 2021

vCloud Usage Meter 4.3 DNS settings is not updated after the UM 4.3 ovf Deployment

Issue: I had multiple occasions where the UM 4.3 is deployed using ovf template and DNS settings are provided during the deployment and later checked DNS settings rollbacks to default IP address

Actions Performed :

1.Accesses the /op/vmware/share/vami/vami_config_net and updated the DNS settings but still it rollback to default  DNS IP address

2. Added the DNS domain server in /etc/resolv.conf file but after the reboot the DNS IP address is not persistent 

Cause: We found the resolv.conf is pointing to runtime symbolic which is making not persistent after reboot

Workaround 1: 

  • Take an SSH/ console onto the Usage Meter appliance, and run the below commands.
  • mv /etc/resolve.conf /etc/resolve.conf.bak
  • vi /etc/resolve.conf
  • chmod 644 resolve.conf
  • Key in the DNS server info in the below format. I have attached a screenshot below.
  • nameserver DNSIPAddress1
  • nameserver DNSIPAddress1
  • Quit out of the file, and perform a reboot.
Workaround 2:

  • Navigated to the file: /etc/systemd/network/10-eth0.network 
  • vi  /etc/systemd/network/10-eth0.network 
  • Added the DNS entries
  • Reboot the Appliance or restart the network by running systemctl restart systemd-networkd
  • post which the DNS settings is persistent
                                        

















at 3 comments:
Labels:

Tuesday, January 26, 2021

Usage Meter 4.3 Fails to connect to vRNI (Network Insight) fails with API ERROR

 Usage Meter v4.3 is not able to connect to vRealize Network Insight (vRNI v5.1.0). Product status in UM = collection error Message Notification = Collection error: APIError 







                                                                                                                                                                     Resolution : In `conf` directory modify `vrnicollector_process.conf` file, add the following lines and restart the vRNI collector service. Ensure the backup the file before making the changes below.

        -httpConnectionTimeout 900
-httpReadTimeout 900
-httpWriteTimeout 900






Restart the vRNI Collector service 




cd /opt/vmware/cloudusagemetering
scripts/stop.sh vrniCol
scripts/start.sh vrniCol




at No comments:
Labels:
Subscribe to: Posts (Atom)

Replacing vROPS Certificates

Issue:  When using default certificates in vROPS  Due to security requirements it was necessary to replace the default self-signed certifica...