Replace SSL Cert Emulex OCM for VMware with a signed one.

SSL Certs are something of an enigma that have always eluded my proper understanding.  So I took it upon myself to figure this one out.
Summary:
Replace default OCM cert w/ one that is CA signed.  Click below to continue.
PreReqs:
  1. Windows Server (VM Preferred) <-- OCM uses windows
  2. Emulex OCM for VMware
    • Once installed, it’s important that you do NOT register the plugin to vCenter using the link provided.
    • Registration should occur using a link that looks something like this:
Details [Updated info in comments from Aaron]:
  1. OCM installs w/ JRE and the required keytool.exe.  Open a command prompt to this directory.
    • It’s located under the installation directory: (normally here) C:\Program Files\Emulex\OCM for VMware\JRE\
  2. First you need to delete the default cert:
    • keytool -delete -alias vcpluginselfsigned -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks”
    • Password for the keystore is “emulex” w/o quotes, all lowercase.
      • You can also check the server.xml file for the java keystore pass.
  3. Next you need to generate a key pair
    • keytool -genkey -alias whateverYouWantToNameIt -keyalg RSA -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -keysize 2048
    • When it asks you for first name and last name, that is where you provide the server’s FQDN.  ex. yourServers.FQDN.com:8443
  4. Now we need to generate the CSR (Certificate Signing Request)
    • keytool -certreq -alias TheAliasYouCreatedInStep3 -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -file C:\whereeveryouwant\something.csr
  5. Now you can send the CSR to your CA to get a signed cert.
  6. While waiting for your CA to return back a cert, you may need to import yourdomain’s cert as an authorized CA.  To do so:
    • keytool -import -trustcacerts -alias yourdomain -file C:\yourdomainsRootCert.cer -keystore -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks”
  7. Once your domain’s root CA is authorized, you should be able to import your signed cert
    • keytool -importcert -file D:\yoursignedcert.cer -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -alias whateverYouWantToNameIt
      • If you receive the error: “keytool error: java.lang.Exception: Failed to establish chain from reply” then it’s probably because your RootCA is not authorized.  Refer to step 6 to fix the problem.

14 comments:

Margie Salcedo said...

I always find it hard to understand what SSL would do for me and my server. Now that I get to bump into this SSL Certificates, I have to get enough information and stock knowledge on what it does.

Anonymous said...

Hi Thanks for the info.

I am able to get the users from AD, and assigned to VCOPs group, but when logging using my AD account, I get user/password error (after one hour). Anything i missed?

thanks in advance
cheers
Thomas

Chris Nakagaki said...

Make sure you are logging

Chris Nakagaki said...

Sorry, trying to reply via iPhone. Make sure you are logging in with your full login ID. Usually something like: myusername@domain.local.com

Anonymous said...

I think I did everything right in the blog but I can't bring up the alternative url in IE. (https://server.domain.com:8443) to register the plugin. Keep getting page not found. Any ideas?
Thanks

Chris Nakagaki said...

That usually occurs if you did not generate a keypair in step 3 OR in simple cases, the service is not started.

Anonymous said...

I definitely generated the keypair and sent to the CA for the cert. It appeared to import successfully.

I get: Internet Explorer cannot display the webpage

Which service are you referencing?

Thanks

Chris Nakagaki said...

I believe it registers itself as "Emulex OCM for VMware vCenter"

Restart that service. Probably should add that as a step.

Anonymous said...

Yes I restarted the OCM and iis services with no success, then tried a reboot. Still no love.

Chris Nakagaki said...

Is 8443 the port used by the Emulex plugin? I believe you can configure it to be different and if you have IIS running as well, you'll need to check you are not using the same port. You can find the port config that the plug in uses by going to it's installation directory and opening the server.xml file under the apache tomcat directory.
Usually something like:
C:\Program Files\Emulex\OCM for vCenter\ApacheTomcat\conf\server.xml

This is the line you are looking for:


This'll tell you what ports the plug in runs on.

Chris Nakagaki said...

Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"

Sorry, comment was formatted wrong.

Aaron Reilly said...


Part One:



Thank you for spending the time to get your solution published! I would recommend some modifications to the steps above:

1) OCM installs all of the required components including keytool.exe. Open an Administrator command prompt to the following directory below:

 It’s located under the installation directory: (normally here) C:\Program Files\Emulex\OCM for VMware\JRE\



2) Lets list the certs currently inside of the KeyStore:

keytool -list -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks"



3) We will then delete all default generated certs:

keytool -delete -alias vcpluginselfsigned -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks”

 Password for the keystore is “emulex” w/o quotes, all lowercase.

 You can also check the server.xml file for the java keystore pass.



4) Next you need to generate a private key:

keytool -genkey -alias ServerShortName-key -keyalg RSA -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -keysize 2048

 When it asks you for first name and last name, that is where you provide the server’s FQDN. ex. servername.domain.tld



5) Now we need to generate the CSR (Certificate Signing Request)

keytool -certreq -alias ServerShortName-Key -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -file C:\certs\ServerShortName.csr

Aaron Reilly said...


Part Two:



6) Now you can send the CSR to your CA to get a signed cert.

 Once you have the certificate from the CA, download the certificate chain from the CA. Export the certificate chain and open your ServerShortName.crt, the Iussing CA's certificate, and the Root CA's certificate (if applicable) into notepad.

 Create a new text file called ServerShortName_bundle.pem and place your certificates text as such:



  -----BEGIN CERTIFICATE-----

  MIIEc....

  -----END CERTIFICATE-----

  -----BEGIN CERTIFICATE-----

  MIIEi....

  -----END CERTIFICATE-----

  -----BEGIN CERTIFICATE-----

  MIIDr.....

  -----END CERTIFICATE-----



 Ensure that there are no spaces before or after the "BEGIN CERTIFICATE" and "END CERTIFICATE"



7) Now that your bundle is created, import it into the KeyStore by issuing the following command:

keytool -importcert -file c:\certs\ServerShortName_bundle.pem -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks" -alias ServerShortName

  If you receive the error: “keytool error: java.lang.Exception: Failed to establish chain from reply” then it’s probably because your bundle certificate is improperly formatted.

  Check your syntax and attempt to re-create the ServerShortName_bundle.pem.



8) Navigate to the following directory:

C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf



9) Open Server.conf in a notepad and add an arguement to the line : KeyAlias="ServerShortName"

 Note that KeyAlias is CASE-SENSITIVE. Save the file and restart the "Emulex OCM for VMware vCenter" service.

10) To validate that the certificte has applied corectly, navigate to "ServerShoftName.domain.tld:8443". You will not see a webpage appear, but if you do not get a certificate error you have succeeded in changing the certificate out.



Note:

If there were errors in the certificate import process and you still see a SelfSignedCertificate when loading the webpage, the certificate you imported into the keystore is not being referenced correctly in the connector (server.conf) or there were certificate syntax errors.

If you find that the webpage shows "Page cannot be displayed" or you get a 404, there is not a valid cert to bind the tomcat instance to, the webservice will simply fail to launch. When this occurs the service "Emulex OCM for VMware vCenter" will show as started. Troubleshoot further, verify syntax, and restart the service.

Chris Nakagaki said...

Appreciate the updates, I've referenced your comments in the original post. Thanks. :)