Replace SSL Cert Emulex OCM for VMware with a signed one.

SSL Certs are something of an enigma that have always eluded my proper understanding.  So I took it upon myself to figure this one out.
Summary:
Replace default OCM cert w/ one that is CA signed.  Click below to continue.
PreReqs:
  1. Windows Server (VM Preferred) <-- OCM uses windows
  2. Emulex OCM for VMware
    • Once installed, it’s important that you do NOT register the plugin to vCenter using the link provided.
    • Registration should occur using a link that looks something like this:
Details [Updated info in comments from Aaron]:
  1. OCM installs w/ JRE and the required keytool.exe.  Open a command prompt to this directory.
    • It’s located under the installation directory: (normally here) C:\Program Files\Emulex\OCM for VMware\JRE\
  2. First you need to delete the default cert:
    • keytool -delete -alias vcpluginselfsigned -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks”
    • Password for the keystore is “emulex” w/o quotes, all lowercase.
      • You can also check the server.xml file for the java keystore pass.
  3. Next you need to generate a key pair
    • keytool -genkey -alias whateverYouWantToNameIt -keyalg RSA -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -keysize 2048
    • When it asks you for first name and last name, that is where you provide the server’s FQDN.  ex. yourServers.FQDN.com:8443
  4. Now we need to generate the CSR (Certificate Signing Request)
    • keytool -certreq -alias TheAliasYouCreatedInStep3 -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -file C:\whereeveryouwant\something.csr
  5. Now you can send the CSR to your CA to get a signed cert.
  6. While waiting for your CA to return back a cert, you may need to import yourdomain’s cert as an authorized CA.  To do so:
    • keytool -import -trustcacerts -alias yourdomain -file C:\yourdomainsRootCert.cer -keystore -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks”
  7. Once your domain’s root CA is authorized, you should be able to import your signed cert
    • keytool -importcert -file D:\yoursignedcert.cer -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -alias whateverYouWantToNameIt
      • If you receive the error: “keytool error: java.lang.Exception: Failed to establish chain from reply” then it’s probably because your RootCA is not authorized.  Refer to step 6 to fix the problem.

Comments

Margie Salcedo said…
I always find it hard to understand what SSL would do for me and my server. Now that I get to bump into this SSL Certificates, I have to get enough information and stock knowledge on what it does.
June 4, 2012 at 5:24 PM
Anonymous said…
Hi Thanks for the info.

I am able to get the users from AD, and assigned to VCOPs group, but when logging using my AD account, I get user/password error (after one hour). Anything i missed?

thanks in advance
cheers
Thomas
December 18, 2012 at 8:03 PM
Zsoldier said…
Make sure you are logging
December 18, 2012 at 10:29 PM
Zsoldier said…
Sorry, trying to reply via iPhone. Make sure you are logging in with your full login ID. Usually something like: myusername@domain.local.com
December 18, 2012 at 10:31 PM
Anonymous said…
I think I did everything right in the blog but I can't bring up the alternative url in IE. (https://server.domain.com:8443) to register the plugin. Keep getting page not found. Any ideas?
Thanks
January 30, 2013 at 2:38 PM
Zsoldier said…
That usually occurs if you did not generate a keypair in step 3 OR in simple cases, the service is not started.
January 30, 2013 at 2:41 PM
Anonymous said…
I definitely generated the keypair and sent to the CA for the cert. It appeared to import successfully.

I get: Internet Explorer cannot display the webpage

Which service are you referencing?

Thanks
January 31, 2013 at 9:31 AM
Zsoldier said…
I believe it registers itself as "Emulex OCM for VMware vCenter"

Restart that service. Probably should add that as a step.
January 31, 2013 at 9:59 AM
Anonymous said…
Yes I restarted the OCM and iis services with no success, then tried a reboot. Still no love.
January 31, 2013 at 10:06 AM
Zsoldier said…
Is 8443 the port used by the Emulex plugin? I believe you can configure it to be different and if you have IIS running as well, you'll need to check you are not using the same port. You can find the port config that the plug in uses by going to it's installation directory and opening the server.xml file under the apache tomcat directory.
Usually something like:
C:\Program Files\Emulex\OCM for vCenter\ApacheTomcat\conf\server.xml

This is the line you are looking for:


This'll tell you what ports the plug in runs on.
January 31, 2013 at 10:13 AM
Zsoldier said…
Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"

Sorry, comment was formatted wrong.
January 31, 2013 at 10:17 AM
Aaron Reilly said…

Part One:



Thank you for spending the time to get your solution published! I would recommend some modifications to the steps above:

1) OCM installs all of the required components including keytool.exe. Open an Administrator command prompt to the following directory below:

 It’s located under the installation directory: (normally here) C:\Program Files\Emulex\OCM for VMware\JRE\



2) Lets list the certs currently inside of the KeyStore:

keytool -list -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks"



3) We will then delete all default generated certs:

keytool -delete -alias vcpluginselfsigned -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks”

 Password for the keystore is “emulex” w/o quotes, all lowercase.

 You can also check the server.xml file for the java keystore pass.



4) Next you need to generate a private key:

keytool -genkey -alias ServerShortName-key -keyalg RSA -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -keysize 2048

 When it asks you for first name and last name, that is where you provide the server’s FQDN. ex. servername.domain.tld



5) Now we need to generate the CSR (Certificate Signing Request)

keytool -certreq -alias ServerShortName-Key -keystore “C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks” -file C:\certs\ServerShortName.csr
August 12, 2015 at 2:42 AM
Aaron Reilly said…

Part Two:



6) Now you can send the CSR to your CA to get a signed cert.

 Once you have the certificate from the CA, download the certificate chain from the CA. Export the certificate chain and open your ServerShortName.crt, the Iussing CA's certificate, and the Root CA's certificate (if applicable) into notepad.

 Create a new text file called ServerShortName_bundle.pem and place your certificates text as such:



  -----BEGIN CERTIFICATE-----

  MIIEc....

  -----END CERTIFICATE-----

  -----BEGIN CERTIFICATE-----

  MIIEi....

  -----END CERTIFICATE-----

  -----BEGIN CERTIFICATE-----

  MIIDr.....

  -----END CERTIFICATE-----



 Ensure that there are no spaces before or after the "BEGIN CERTIFICATE" and "END CERTIFICATE"



7) Now that your bundle is created, import it into the KeyStore by issuing the following command:

keytool -importcert -file c:\certs\ServerShortName_bundle.pem -keystore "C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf\emulex.vcplugin.jks" -alias ServerShortName

  If you receive the error: “keytool error: java.lang.Exception: Failed to establish chain from reply” then it’s probably because your bundle certificate is improperly formatted.

  Check your syntax and attempt to re-create the ServerShortName_bundle.pem.



8) Navigate to the following directory:

C:\Program Files\Emulex\OCM for VMware\ApacheTomcat\conf



9) Open Server.conf in a notepad and add an arguement to the line : KeyAlias="ServerShortName"

 Note that KeyAlias is CASE-SENSITIVE. Save the file and restart the "Emulex OCM for VMware vCenter" service.

10) To validate that the certificte has applied corectly, navigate to "ServerShoftName.domain.tld:8443". You will not see a webpage appear, but if you do not get a certificate error you have succeeded in changing the certificate out.



Note:

If there were errors in the certificate import process and you still see a SelfSignedCertificate when loading the webpage, the certificate you imported into the keystore is not being referenced correctly in the connector (server.conf) or there were certificate syntax errors.

If you find that the webpage shows "Page cannot be displayed" or you get a 404, there is not a valid cert to bind the tomcat instance to, the webservice will simply fail to launch. When this occurs the service "Emulex OCM for VMware vCenter" will show as started. Troubleshoot further, verify syntax, and restart the service.
August 12, 2015 at 2:44 AM
Zsoldier said…
Appreciate the updates, I've referenced your comments in the original post. Thanks. :)
August 12, 2015 at 10:00 AM
Post a Comment

Popular posts from this blog

NSX-T: Release associated invalid node ID from certificate

Image
Summary: Basically had an expiring certificate registered in NSX-T that was associated to a node_id that is no longer valid.  Long story short, there wasn't anything obvious in API to delete or disassociate a certificate from a node_id for 3.2.2.  Not sure how things got in this state, but annotating for future reference.  This may change in future revisions, so always check API for latest. Details: Effectively had a stale node associated w/ a certificate that was expiring.  Could not delete certificate until that node was disassociated from the certificate. To get certificate details and associated node_id's, you can use the following curl call (UI works too): curl -k -X GET -H "Content-Type: application/json" -u admin https://<manager ip>/api/v1/trust-management/certificates/<cert UUID> Above will return something like this: Below must be run from one of the manager nodes via elevation to root: ONLY RUN THIS IF YOU ARE ABSOLUTELY SURE OF WHAT YOU ARE DO...
Read more

NSX-T: vCenter and NSX-T Inventory out of Sync (Hosts in vSphere not showing up in NSX-T)

Image
Summary: NSX-T loses synch w/ vCenter inventory, but statuses don't appear to show an issue.  Basically, you add a host to a vCenter cluster, NSX-T bits should start to automatically installing on new host.  Assuming you've created a Transport Node Profile and associated w/ the cluster.  The problem is that NSX-T doesn't see the new host and its link to the compute manager (vCenter) looks fine. Looks fine, Y U NO WORK!? So what's going on here?  This appears to affect NSX-T 2.5 and 2.5.1.  Cause is unknown. Workaround: Restart the cm-inventory service on each NSX-T mgmt/controller node using API or CLI. Details: If you were to query the status of the cm-inventory via API or CLI, you could query all 3 manager/controller nodes and get a status of running.  Even if the primary node associated w/ the VIP, if configured, is not necessarily in charge of inventory.  So you could restart the cm-inventory service till you are blue in the face ...
Read more

MacOS: AnyConnect VPN client was unable to successfully verify the IP forwarding table modifications.

Image
The VPN client was unable to successfully verify the IP forwarding table modification.  A VPN connection will not be established. Summary: I started running into issue utilizing Cisco AnyConnect on my Mac basically complaining about not able to overwrite IP forwarding tables.  This was on 4.6.x.  Since my VPN endpoints were not providing me w/ an updated client and w/ no access to Cisco Anyconnect downloads, my only option was to try openconnect.  It was totally worth it, here is why and how to set it up. PreReqs: Homebrew Installing OpenConnect: Launch MacOS Terminal brew install openconnect Getting VPN IP's/DNS Endpoints from AnyConnect: The information is typically located in your profile xml files located here: /opt/cisco/anyconnect/profile/somethingsomething.xml In the xml file, you are looking for "<HostAddress>typicallyaDNSName.com</HostAddress>" entry.  These are your VPN endpoints that you would need to pass to openconnec...
Read more