Saturday, September 29, 2012

VMware vCenter 5.1 Installation: Part 12 (VUM SSL Configuration)

UPDATE 1/28/2013: Minor changes for clarification purposes.

In Part 11 we installed VMware vCenter Update Manager 5.1 (VUM), and you could optionally have pre-staged the SSL certificates. If you pre-staged them, you can skip this part and go to Part 13. If, however, you want to use a different certificate for VUM, continue on and follow the steps below. Thankfully they are easy to perform and resistant to being hosed up. You can find the official VMware article for this procedure here. If only VMware made it so easy for all services!

1. Back up all the files in the directory below. Then copy the rui.key, rui.crt and rui.pfx files from your D:\Certs\VUM directory into this directory, replacing the existing files:

C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL

2. Stop the VMware vSphere Update Manager Service.


3. In the C:\Program Files (x86)\VMware\Infrastructure\Update Manager directory launch the VMwareUpdateManagerUtility.exe application.

4. Login to the vCenter server using proper credentials.


5. Click on the SSL Certificate option on the left side then check the box on the right side and click Apply.


6. If all goes well you should see the window below. Restart the service as directed.
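
Once the service is back up, it is worth confirming which certificate a given VUM port actually serves. The script below is an added example, not part of the original procedure or VMware's tooling: it connects to a port and compares the served certificate with the rui.crt copied in step 1. The script name, host name and port are assumptions you supply.

```powershell
# Added example (not from the original post). Usage, with placeholder values:
#   .\Compare-VumCert.ps1 -VumHost <vum-fqdn> -Port <port>
# The script name, $VumHost and $Port are assumptions; $CertPath is the step 1 directory.
param(
    [Parameter(Mandatory = $true)] [string] $VumHost,
    [Parameter(Mandatory = $true)] [int]    $Port,
    [string] $CertPath = 'C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL\rui.crt'
)

function Get-ServedCertificate {
    param([string] $HostName, [int] $Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept whatever is presented: the goal is to inspect the certificate, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($client.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($HostName)
            # Copy the served certificate so it stays usable after the stream is disposed.
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        } finally { $ssl.Dispose() }
    } finally { $client.Close() }
}

# Certificate that was placed in the SSL directory in step 1.
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
# Certificate the running service presents on the chosen port.
$served = Get-ServedCertificate -HostName $VumHost -Port $Port

# Thumbprints are used only as identifiers for an equality check.
[pscustomobject]@{
    Endpoint           = "${VumHost}:$Port"
    ServedSubject      = $served.Subject
    ServedIssuer       = $served.Issuer
    ServedNotAfter     = $served.NotAfter
    ServedThumbprint   = $served.Thumbprint
    ExpectedThumbprint = $expected.Thumbprint
    MatchesRuiCrt      = ($served.Thumbprint -eq $expected.Thumbprint)
}
```

A `MatchesRuiCrt` value of `False` means that port is still presenting a different certificate than the one you installed; the issuer and expiry columns show which one it is.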

 
 
In Part 13 we perform basic VUM configuration to add the HP patch depot and attach built-in baselines for VMs and ESXi hosts.


7 comments:

  1. If only all the VMware Certificates were that easy!

  2. Hello Derek, thanks a lot for this very useful blog post.

    I was able to successfully deploy pre-staged certificates for all vSphere 5.1.0A components. No problem at all.

    But as I tried to import an ESXi image to VUM I got a typical vCenter certificate warning.

    I tested it by navigating to https://vum-hostname.domain:9087 (VUM SSL port)
    and got: "There is a problem with this website's security certificate."
    The certificate used is a VMware self-signed one and is stored in
    C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL\vmware-vum.keystore
    --------------------------------------------------------------------------------
    ..\> keytool -list -keystore vmware-vum.keystore
    Enter keystore password: (IS EMPTY)

    ***************** WARNING WARNING WARNING *****************
    * The integrity of the information stored in your keystore *
    * has NOT been verified! In order to verify its integrity, *
    * you must provide your keystore password. *
    ***************** WARNING WARNING WARNING *****************

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    vum-server, Nov 15, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
    vum-jetty, Nov 15, 2012, PrivateKeyEntry,
    Certificate fingerprint (MD5): D1:4F:80:74:A6:27:1E:9B:77:4A:B2:03:70:78:1F:78
    --------------------------------------------------------------------------------

    vum-server is my trusted pre-staged certificate from our internal CA
    vum-jetty is a VMware self-signed certificate
    Is it possible to replace it with a trusted one also?
    or probably use the certificate for both vum-server and vum-jetty?
    How do we have to proceed?

    May I contact you per e-mail?
    Best regards, Denis

  3. In step 1 you mention C:\Program Files\VMware\Infrastructure\Update Manager\SSL, for me the SSL folder is in (x86). Did anything go wrong with installing?

    Regards

    Replies
    1. Anonymous: Fixed the typo...should have had the (x86) in there. Thanks!

  4. Hi

    The installation of VUM does not pick-up my pre-staged trusted VUM certificate.

    I have exactly the same problem as described by Denis - if I follow the procedure and then review by navigating to https://vum-hostname.domain:9087, I still end up with an untrusted, 2-year certificate, Issued To and Issued By "VMware".

    Any thoughts?

    Paul B

  5. According to the Reconfiguring VMWare vSphere Update Manager, page 7, it appears that we can't replace the SSL certs that Update Manager uses when we are importing offline bundles or upgrade release files.

  6. I raised a support call with VMware about this and they have just advised me:

    "This certificate [for the service on port 9087] cannot be replaced. You can replace only the SSL certificates that Update Manager uses for communication between the Update Manager server and client components. You cannot replace the SSL certificates that Update Manager uses when importing offline bundles or upgrade release files."

    I hope this helps.

    Paul B
