vRealize Suite Lifecycle Manager SAN Certificate Configuration

Categories Building Clouds (Technology)
vRSLCMSANCertiConfig

If you have not heard by now, vRealize Suite Lifecycle Manager (vRSLCM) v2.0 was just released (Release Notes) and it includes a whole lot of great new features.  While playing with it in my lab and performing a fresh install of the vRealize products I decided to leverage a SAN certificate across all my vRealize deployments.  While it probably makes sense to create certificates for each product in the vRealize Suite (vROps, vRLI, vRA, etc…) in a production environment, I wanted to keep it simple in my lab.  Below is an overview of the process to configure a fresh deployment of vRSLCM and obtain a SAN certificate from an internal Microsoft Enterprise CA.

****UPDATE****

I received some good feedback from Ryan Johnson regarding a limitation with v2.0 of vRSLCM (see below):

“It’s worth noting that the keysize is limited to 2048 at this time when importing certificates. If you require certificates >2048 you have to use the generate certificate and manually replace in a product post-deployment.”

***************

Prerequisites:

  1. IP Addresses and FQDNs for the vRSLCM appliance and any components of the vRealize stack you plan to deploy.  Tip: Make sure you have a solid design/plan for each vRealize product you plan to deploy before you generate your CSR.
  2. DNS A Records for each IP Address identified in step 1 above.
  3. Credentials to the my.vmware.com portal with permissions to download all required products.
  4. IP Address(es) of designated NTP Server(s).

Deploy the vRSLCM Appliance

  1. Download the vRSLCM appliance from the my.vmware.com portal.
  2. Login to the vSphere Client, right-click your host/cluster/datacenter and select “Deploy OVF Template…”.
    Deploy_Template
  3. Select “Local File” and browse to the vRSLCM OVA.
    Choose_OVA
  4. Provide the VM name and choose a folder for it.
    Select_Name_Folder
  5. Select the host or cluster for the VM.
    Select_Host_Cluster
  6. Review the OVA details.
    Review_OVA_Details
  7. Accept the EULA.  Be sure to read the entire thing!
    EULA
  8. Choose whether or not to turn on “Content Management” within vRSLCM.  I highly suggest you enable it as it is a powerful feature of the product.
    Content_Management
  9. Select the storage for the VM.
    Select_Storage
  10. Select the network for the VM.
    Select_Network
  11. Customize the template by providing the hostname (FQDN), CEIP, Certificate Configuration & Networking Properties.
    Hostname
    Certificate_Configuration
    Networking_Properties
  12. Review the OVA deployment and click Finish.
    Finish_OVF

Initial vRSLCM Configuration

  1. Power on vRSLCM and allow a few minutes for the customization settings to be implemented.
  2. Browse to https://<vRSLCM_FQDN>/vrlcm and login as ‘admin@localhost’ with the default password of ‘vmware’.  You will be prompted to change the default password.
    ChangePassword
  3. Click on ‘Settings’ in the bottom left corner of the user interface.
  4. On the ‘Systems Settings’ tab, modify the Root and Admin passwords and save settings.
    RootAdminPasswords
  5. Navigate to the ‘NTP Servers’ tab and add your NTP servers.
    NTPSettings

vRealize Product Downloads

There are several options to download the vRealize product binaries into vRSLCM including downloading directly from VMware, importing from an NFS share or a Windows ISO, and importing from a local directory on the vRSLCM appliance.  I will outline downloading directly from VMware and Importing from a local directory below.  Click HERE to read about all the options.

Option 1: Download directly from VMware.

  1. Navigate to the ‘My VMware’ tab and provide your credentials.  Configure the proxy settings if necessary.
    MyVMwareCreds
  2. Click the download button next to each product you wish to download or click the ‘Download All Products’ button.
    DownloadProducts

Option 2: Import from a local directory on the vRSLCM appliance.

  1. Create a directory on the appliance for the product OVAs.  Open an SSH session to vRSLCM as root and create a folder named “OVAs” in the /data directory.
    > mkdir /data/OVAs
    mkdirOVAs
  2. Copy the product OVAs to the vRSLCM appliance using SCP.
    > scp /path/to/product/OVAs/* root@vrslcm.tilkens.local:/data/OVAs/
    SCPProducts
  3. Navigate to the ‘Product Binaries’ tab and click the ‘Add Binaries’ button.  Keep the ‘Location Type’ as ‘Local’ and enter /data/OVAs in the ‘Base Location’ field, then click ‘Discover’.  Click the checkbox next to each product and click ‘Add’.
    AddProductBinaries
  4. Once the Product Binaries are mapped based on their checksum, they will appear in the list.  This can take several minutes to complete.
    ProductBinariesList

Creating the Subject Alternative Name (SAN) Certificate

  1. Navigate to the ‘Certificate’ tab and then click ‘Generate CSR’.
    CertificateTab
  2. Enter the details for your certificate.
    • In the ‘Domain Name’ section, add all the component FQDNs that are a part of your vRealize design, i.e. – vrops.tilkens.local, vrli01.tilkens.local, vrli.tilkens.local (VIP), vra.tilkens.local, iaas.tilkens.local, vrb.tilkens.local.
    • In the ‘IP Address’ section, add all the component IP Addresses that are a part of your vRealize design.  Do not forget to include VIPs associated with load balancers if you have any.  Do NOT include spaces between the IP Addresses.
      GenerateCSR
  3. A CSR .pem file is automatically downloaded.  This .pem file contains the certificate request as well as the private key.
    CSRContents
  4. Browse to your Microsoft Certificate Services Web Enrollment URL (https://<CA_Server_FQDN>/certsrv/).  This requires that the ‘Certification Authority Web Enrollment’ role is installed on your Microsoft CA server.
    CAServerWebEnrollment
  5. Click ‘Request a Certificate’ and then click ‘advanced certificate request’.
    AdvCertRequest
  6. Click the ‘Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.’ option.
    SubmitCertBase64
  7. Paste the contents of the CSR .pem file into the ‘Saved Request’ text box and choose the ‘Web Server’ certificate template.  Then click ‘Submit’.  Click ‘Yes’ if prompted to accept the Web Access Confirmation.
    CertSubmission
    WebAccessConfirmation
  8. Choose the ‘Base 64 encoded’ option and download the new Certificate and the Certificate Chain.
    DownloadCert
  9. Navigate back to the ‘Certificate’ tab in the settings of the vRSLCM appliance and click ‘Add Certificate’.
  10. Select the ‘Import Certificate’ option and provide the details.
    • Click ‘Choose File’ and browse to the new Certificate .cer file.
    • Copy/Paste the Private Key from the CSR .pem file into the ‘Enter Private Key’ text box.
    • Copy/Paste the contents of the Certificate Chain .p7b file into the ‘Enter Certificate Chain’ text box.
    • Click ‘Import’
      ImportCert
  11. The new SAN certificate has now been imported and is available to use as you deploy vRealize products within your environments.
    ImportedCert

Follow the vRealize Suite Lifecycle Manager documentation (here) for detailed steps on how to create Datacenters/Environments and deploy products.  Add a comment below if you would like to see a follow-up blog on how to do this.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.