vCloud Connector 2.0 and SSL Certificate Replacement

In my previous post about vCloud Connector I went through the various data flows and explained that SSL must be enabled on both the vCC Server and the vCC Nodes. You can use self-signed certificates, or you can upload publicly trusted, CA-signed certificates through the vCC Server/Node VAMI GUI (Virtual Appliance Management Interface). However, when you want to use certificates issued by your own Enterprise Certificate Authority, the process is not so straightforward and requires the command line.

The problem statement is as follows: I have my own Enterprise Certificate Authority which is not publicly trusted, and I have issued certificates for my vCC Server and all Nodes without any intermediate certificate. How do I import them?

The vCC VAMI GUI supports only the import of a certificate chain consisting of root > intermediate > certificate. As I do not have an intermediate certificate, I have to use the Java keytool command. There are two keystores: cacerts for trusted root certificates and tcserver.jks for the other certificates. My Enterprise CA root certificate must be imported into the former and the vCC Server/Node certificates into the latter.

Here is the exact procedure:

vCloud Connector Server

1. Log in to the vCC Server console as root and delete the self-signed hcserver certificate from the tcserver.jks keystore. Note that the keystore password (changeme) is hardcoded; do not try to change it.

/usr/java/latest/bin/keytool -delete -alias hcserver -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

2. Create a new hcserver certificate, where CN (first and last name) is the vCC Server FQDN. Use the same key password as the keystore password (just hit RETURN when asked).

/usr/java/latest/bin/keytool -genkey -validity 3650 -keyalg RSA -keysize 2048 -alias hcserver -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

What is your first and last name?
  [Unknown]:  vccserver.fojta.com
What is the name of your organizational unit?
  [Unknown]:  vCloud Connector Server
What is the name of your organization?
  [Unknown]:  fojta.com
What is the name of your City or Locality?
  [Unknown]:  Prague
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  CZ
Is CN=vccserver.fojta.com, OU=vCloud Connector Server, O=fojta.com, L=Prague, ST=Unknown, C=CZ correct?
  [no]:  yes
Enter key password for <hcserver>
        (RETURN if same as keystore password):

3. Now we have to create the Certificate Signing Request. We can do it either from the command line or from the VAMI GUI (Server > SSL > Generate and download CSR).

/usr/java/latest/bin/keytool -certreq -alias hcserver -file hcserver.csr -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

4. Sign the certificate signing request (hcserver.csr) with your Enterprise CA. I have used the Subordinate Certification Authority certificate template. Upload the signed certificate to the vCC Server as the file hcserver.cer.

5. Before importing the hcserver.cer certificate we need to import the CA root certificate, otherwise keytool would not be able to build a trusted chain. Obtain the CA root certificate (in my case named fojta-dc-CA.cer) and import it into the cacerts keystore with the following command. The alias must be unique. Note that the keystore password (changeit) is hardcoded; do not try to change it (no pun intended).

/usr/java/latest/bin/keytool -import -alias fojta-dc-CA -file fojta-dc-CA.cer -keystore /usr/java/default/lib/security/cacerts -storepass changeit

6. Now we can import the hcserver certificate

/usr/java/latest/bin/keytool -import -alias hcserver -file hcserver.cer -trustcacerts -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

7. Verify that the import was successful.

/usr/java/latest/bin/keytool -list -keystore /usr/local/tcserver/vfabric-tc-server-standard/server/conf/tcserver.jks -storepass changeme

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

hcserver, May 10, 2013, PrivateKeyEntry,
Certificate fingerprint (SHA1): FC:A3:29:96:0D:CD:E2:04:3D:0F:E9:B6:8B:A0:6F:B8:C8:BF:3E:61

vCloud Connector Node

The process is identical to the vCloud Connector Server certificate replacement with just minor changes: the certificate alias is hcagent instead of hcserver, and the tcserver.jks keystore is in a different location. Therefore just briefly:

1. Delete the self-signed hcagent certificate

/usr/java/latest/bin/keytool -delete -alias hcagent -keystore /usr/local/tcserver/vfabric-tc-server-standard/agent/conf/tcserver.jks -storepass changeme

2. Create a new hcagent certificate

/usr/java/latest/bin/keytool -genkey -validity 3650 -keyalg RSA -keysize 2048 -alias hcagent -keystore /usr/local/tcserver/vfabric-tc-server-standard/agent/conf/tcserver.jks -storepass changeme

What is your first and last name?
  [Unknown]:  vccnode.fojta.com
What is the name of your organizational unit?
  [Unknown]:  vCloud Connector Node
What is the name of your organization?
  [Unknown]:  fojta.com
What is the name of your City or Locality?
  [Unknown]:  Prague
What is the name of your State or Province?
  [Unknown]:
What is the two-letter country code for this unit?
  [Unknown]:  CZ
Is CN=vccnode.fojta.com, OU=vCloud Connector Node, O=fojta.com, L=Prague, ST=Unknown, C=CZ correct?
  [no]:  yes
Enter key password for <hcagent>
        (RETURN if same as keystore password):

3. Create the CSR from the command line or download it from the VAMI GUI (Node > SSL > Generate and download CSR)

/usr/java/latest/bin/keytool -certreq -alias hcagent -file hcagent.csr -keystore /usr/local/tcserver/vfabric-tc-server-standard/agent/conf/tcserver.jks -storepass changeme

4. Sign hcagent.csr with your CA => hcagent.cer

5. Import the CA root certificate (fojta-dc-CA.cer)

/usr/java/latest/bin/keytool -import -alias fojta-dc-CA -file fojta-dc-CA.cer -keystore /usr/java/default/lib/security/cacerts -storepass changeit

6. Import the hcagent certificate

/usr/java/latest/bin/keytool -import -alias hcagent -file hcagent.cer -trustcacerts -keystore /usr/local/tcserver/vfabric-tc-server-standard/agent/conf/tcserver.jks -storepass changeme

7. Verify

/usr/java/latest/bin/keytool -list -keystore /usr/local/tcserver/vfabric-tc-server-standard/agent/conf/tcserver.jks -storepass changeme

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

hcagent, May 10, 2013, PrivateKeyEntry
Certificate fingerprint (SHA1): 9E:63:B1:BC:91:FE:7D:84:FC:8C:66:24:B9:1B:B9:73:80:5D:AC:87
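The following script is an added example and is not part of the original post or of vCloud Connector itself. It covers the point that applies to both the Server (hcserver) and the Node (hcagent) procedure above: what keytool needs at step 6 is a certificate that chains to the root placed into cacerts in step 5, that belongs to the key pair generated in step 2, and that carries the FQDN in its CN. The script checks exactly that with openssl before anything is imported, and additionally flags a certificate that carries basicConstraints CA:TRUE, which a server certificate should not have. The function names, the file names and the throwaway test CA that make_test_pki builds are all constructed for this demo; with a real Enterprise CA you point check_issued_cert at the CA root .cer, the keytool-generated .csr and the .cer the CA returned.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a CA-signed
# certificate before importing it into tcserver.jks. Needs only openssl.
# File names, function names and the throwaway test PKI are constructed
# for this demo; point the functions at your real .csr/.cer files instead.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Build a throwaway root CA and a leaf certificate so the checks can run
# offline. With a real Enterprise CA you skip this and use its root .cer,
# your keytool-generated .csr and the .cer the CA returned.
make_test_pki() {
    fqdn="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/root.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-root-CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -extfile "$WORK/root.ext" -out "$WORK/root.cer" 2>/dev/null
    # Leaf key and CSR, the equivalent of keytool -genkey / -certreq
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$fqdn/O=example" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    # Sign it as a plain server certificate (CA:FALSE)
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$fqdn" > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/root.cer" -CAkey "$WORK/root.key" \
        -CAcreateserial -days 825 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.cer" 2>/dev/null
}

# Subject CN of a certificate (what keytool calls "first and last name")
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# check_issued_cert CERT CSR CA_ROOT FQDN -> prints "ok" or a FAIL reason
check_issued_cert() {
    cert="$1"; csr="$2"; ca="$3"; fqdn="$4"
    # 1. The chain must build to the root that goes into cacerts (step 5);
    #    otherwise keytool -import -trustcacerts has nothing to anchor to.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: certificate does not chain to $ca"; return 1
    fi
    # 2. The public key must match the CSR, i.e. the key pair already in
    #    tcserver.jks under the hcserver/hcagent alias.
    if [ "$(openssl x509 -in "$cert" -noout -pubkey)" != \
         "$(openssl req -in "$csr" -noout -pubkey)" ]; then
        echo "FAIL: public key does not match the CSR"; return 1
    fi
    # 3. The CN must be the FQDN the vCC Server and Nodes use to reach each other.
    if [ "$(cert_cn "$cert")" != "$fqdn" ]; then
        echo "FAIL: CN is '$(cert_cn "$cert")', expected '$fqdn'"; return 1
    fi
    # 4. A server certificate must not itself be a CA certificate.
    if openssl x509 -in "$cert" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: certificate carries basicConstraints CA:TRUE"; return 1
    fi
    echo ok
}
```

Against the real files from the procedure above the call is, for example, check_issued_cert hcserver.cer hcserver.csr fojta-dc-CA.cer vccserver.fojta.com (or the hcagent files and the Node FQDN). Once SSL is enabled on the appliance, openssl s_client -connect vccnode.fojta.com:<port> -CAfile fojta-dc-CA.cer (port as configured on your appliance) gives a quick view of the served chain from a client's point of view.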

Enabling SSL

Now we should be able to enable SSL on both the vCC Server and all vCC Nodes (in the Server/Node tab, SSL subtab, click the Enable SSL button). When returning to the SSL tab it seems vCC is not able to get the current SSL status correctly: the vCC Server displays an error and the vCC Node displays nothing. I am not really sure why this is happening; just ignore it.

(Screenshot: Enable SSL)

Now we should be able to edit the Node configuration in the Nodes tab on the vCC Server and uncheck Ignore SSL Certificate. If the certificate replacement was successful, the Node Status should be Up.

(Screenshot: Ignore SSL Certificate)

For more details refer to the online vCloud Connector documentation, as it contains more information than the PDF docs.
