Comments on Zsoldier's Tech Blog: Replace SSL Cert Emulex OCM for VMware with a signed one.

Zsoldier, 2015-08-12T10:00:37-04:00:

Appreciate the updates, I've referenced your comments in the original post. Thanks. :)

Aaron Reilly, 2015-08-12T02:44:01-04:00:

Part Two:

6) Now you can send the CSR to your CA to get a signed cert.
Once you have the certificate from the CA, download the certificate chain from the CA. Export the certificate chain and open your ServerShortName.crt, the Issuing CA's certificate, and the Root CA's certificate (if applicable) in Notepad.
Create a new text file called ServerShortName_bundle.pem and place your certificates' text as such:

-----BEGIN CERTIFICATE-----
MIIEc....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEi....
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDr.....
-----END CERTIFICATE-----

Ensure that there are no spaces before or after the "BEGIN CERTIFICATE" and "END CERTIFICATE".

7) Now that your bundle is created, import it into the KeyStore by issuing the following command:

    keytool -importcert -file c:\certs\ServerShortName_bundle.pem -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks" -alias ServerShortName

If you receive the error: "keytool error: java.lang.Exception: Failed to establish chain from reply" then it's probably because your bundle certificate is improperly formatted.
Check your syntax and attempt to re-create the ServerShortName_bundle.pem.

8) Navigate to the following directory:

    C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf

9) Open Server.conf in Notepad and add an argument to the line: KeyAlias="ServerShortName"
Note that KeyAlias is CASE-SENSITIVE. Save the file and restart the "Emulex OCM for VMware vCenter" service.

10) To validate that the certificate has applied correctly, navigate to "ServerShortName.domain.tld:8443".
You will not see a webpage appear, but if you do not get a certificate error you have succeeded in changing the certificate out.

Note:
If there were errors in the certificate import process and you still see a SelfSignedCertificate when loading the webpage, the certificate you imported into the keystore is not being referenced correctly in the connector (server.conf) or there were certificate syntax errors.
If you find that the webpage shows "Page cannot be displayed" or you get a 404, there is not a valid cert to bind the Tomcat instance to; the webservice will simply fail to launch. When this occurs the service "Emulex OCM for VMware vCenter" will show as started. Troubleshoot further, verify syntax, and restart the service.

Aaron Reilly, 2015-08-12T02:42:21-04:00:

Part One:

Thank you for spending the time to get your solution published! I would recommend some modifications to the steps above:

1) OCM installs all of the required components including keytool.exe. Open an Administrator command prompt to the following directory below:
It's located under the installation directory: (normally here) C:\Program Files\Emulex\OCM for VMware\JRE\

2) Let's list the certs currently inside of the KeyStore:

    keytool -list -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks"

3) We will then delete all default generated certs:

    keytool -delete -alias vcpluginselfsigned -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks"

Password for the keystore is "emulex" w/o quotes, all lowercase.
You can also check the server.xml file for the java keystore pass.

4) Next you need to generate a private key:

    keytool -genkey -alias ServerShortName-key -keyalg RSA -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks" -keysize 2048

When it asks you for first name and last name, that is where you provide the server's FQDN, e.g. servername.domain.tld

5) Now we need to generate the CSR (Certificate Signing Request):

    keytool -certreq -alias ServerShortName-Key -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks" -file C:\certs\ServerShortName.csr

Zsoldier, 2013-01-31T10:17:33-05:00:

Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"

Sorry, comment was formatted wrong.

Zsoldier, 2013-01-31T10:13:19-05:00:

Is 8443 the port used by the Emulex plugin? I believe you can configure it to be different and if you have IIS running as well, you'll need to check you are not using the same port. You can find the port config that the plug in uses by going to its installation directory and opening the server.xml file under the apache tomcat directory.
Usually something like:
C:\Program Files\Emulex\OCM for vCenter\ApacheTomcat\conf\server.xml

This is the line you are looking for:

This'll tell you what ports the plug in runs on.

Anonymous, 2013-01-31T10:06:23-05:00:

Yes I restarted the OCM and IIS services with no success, then tried a reboot. Still no love.

Zsoldier, 2013-01-31T09:59:03-05:00:

I believe it registers itself as "Emulex OCM for VMware vCenter"

Restart that service. Probably should add that as a step.

Anonymous, 2013-01-31T09:31:42-05:00:

I definitely generated the keypair and sent to the CA for the cert. It appeared to import successfully.

I get: Internet Explorer cannot display the webpage

Which service are you referencing?

Thanks

Zsoldier, 2013-01-30T14:41:21-05:00:

That usually occurs if you did not generate a keypair in step 3 OR in simple cases, the service is not started.

Anonymous, 2013-01-30T14:38:36-05:00:

I think I did everything right in the blog but I can't bring up the alternative URL in IE (https://server.domain.com:8443) to register the plugin. Keep getting page not found. Any ideas?
Thanks

Zsoldier, 2012-12-18T22:31:04-05:00:

Sorry, trying to reply via iPhone. Make sure you are logging in with your full login ID. Usually something like: myusername@domain.local.com

Zsoldier, 2012-12-18T22:29:33-05:00:

Make sure you are logging

Anonymous, 2012-12-18T20:03:15-05:00:

Hi, thanks for the info.

I am able to get the users from AD, and assigned to VCOPs group, but when logging in using my AD account, I get user/password error (after one hour). Anything I missed?

Thanks in advance
Cheers
Thomas

Margie Salcedo, 2012-06-04T17:24:32-04:00:

I always find it hard to understand what SSL would do for me and my server. Now that I get to bump into this SSL Certificates (http://www.sslcertificatereview.net), I have to get enough information and stock knowledge on what it does.
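
A pre-import check for the bundle formatting rule in step 6 of Aaron Reilly's Part Two comment, added here as an example and not part of the original thread or of any Emulex tooling. The function name `lint_pem_bundle` and the sample data are assumptions made for illustration; the sample certificate bodies are constructed stand-ins, not real certificates.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"

def lint_pem_bundle(text):
    """Return (certificate_count, problems) for the text of a PEM bundle."""
    problems, count, body, inside = [], 0, [], False
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line in (BEGIN, END) and raw != line:
            # Step 6: no spaces before or after the marker lines.
            problems.append(f"line {n}: whitespace around BEGIN/END marker")
        if line == BEGIN:
            if inside:
                problems.append(f"line {n}: BEGIN before previous END")
            inside, body = True, []
        elif line == END:
            if not inside:
                problems.append(f"line {n}: END without BEGIN")
            else:
                try:
                    der = base64.b64decode("".join(body), validate=True)
                except ValueError:
                    der = b""
                if der[:1] == b"\x30":  # DER certificates start with a SEQUENCE tag
                    count += 1
                else:
                    problems.append(f"line {n}: body is not base64-encoded DER")
            inside = False
        elif inside:
            body.append(line)
        elif line:
            problems.append(f"line {n}: text outside a certificate block")
    if inside:
        problems.append("end of file: missing END marker")
    return count, problems

def _fake_cert(i):
    # Constructed stand-in (a tiny DER SEQUENCE), not a real certificate.
    body = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, i])).decode()
    return [BEGIN, body, END]

# Constructed samples: server cert, issuing CA, root CA, in the order from step 6.
SAMPLE_GOOD = "\n".join(_fake_cert(1) + _fake_cert(2) + _fake_cert(3))
SAMPLE_BAD = SAMPLE_GOOD.replace("\n" + BEGIN, "\n " + BEGIN, 1)

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, lint_pem_bundle(text))
```

To check a real bundle, pass the file's text to `lint_pem_bundle` before running the `keytool -importcert` command from step 7; a clean result means the markers and encoding are well-formed, not that the chain order or issuer relationships are correct.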