Back in June I published an entry on resolving VASA registration issues (https://drewtonnesen.wordpress.com/2014/06/25/vmax-vasa-and-registration-failure-in-vcenter/). In it I covered some of the more common problems you are likely to hit when registering the VASA Provider in VMware vCenter. Through many customer issues I have found that one of the simpler solutions, when the cause is not obvious, is to import a certificate through the ECOM Administration page. Not just any certificate, but the very certificate that vCenter presents to ECOM during registration (the one held in the sms.keystore on the vCenter). Assuming you have followed the steps in the previous entry and confirmed that the VMware certificate is valid, here is how to import it manually, so that when registration is attempted the certificate VMware sends is one ECOM already trusts.

Let me say up front that I consider this a workaround that should not be necessary; but after many days debugging customer environments it is relatively easy to do and, in my opinion, worth trying before opening an SR with EMC Support. The only change on the ECOM side is one additional trusted certificate, so there is little risk of damaging the environment. Have at it.
To import the VMware certificate through the ECOM page it must be in PEM format, and unfortunately it is not: vCenter keeps it in a Java keystore (JKS). Two conversions are needed to get there, JKS -> PKCS12 -> PEM, and they require two executables: keytool and openssl. keytool is on the vCenter by default (Windows or vApp) but openssl is only on the vApp; on Windows it would have to be installed separately. For this reason I am going to use the vApp in my example. If you are using Windows, really the only thing that changes is the file paths. Keep in mind that sms.keystore holds the vCenter SMS private key as well as the certificate, so the intermediate files created below contain that key and should be removed once the certificate has been pasted into ECOM. So the steps:
1. Execute the following on the vApp to convert the VMware certificate into the PKCS12 format:
keytool -importkeystore -srckeystore /etc/vmware-vpx/ssl/sms.keystore -destkeystore /etc/vmware-vpx/ssl/sms.pkcs -srcstoretype JKS -deststoretype PKCS12
This command prompts for the destination keystore password and then the source keystore password; it is “testpassword” for both. If the destination already exists and the alias is present, as in my case, answer yes to overwrite it. Here is an example:
2. Now that the certificate is in PKCS12 format, it can be converted again into PEM format. The command to do that uses openssl. For the conversion on a Windows box you might choose to sftp the PKCS12 file to a Linux box and then run openssl from there as it is usually included on a Linux install. I’ve done that also but it is up to you.
openssl pkcs12 -in /etc/vmware-vpx/ssl/sms.pkcs -out /etc/vmware-vpx/ssl/sms.pem
This command asks for the PKCS12 import password once and then for a PEM passphrase twice. It is “testpassword” for all three. The passphrase is requested because, without the -nokeys option, openssl writes the SMS private key into sms.pem alongside the certificate; only the certificate is needed for ECOM, so treat sms.pkcs and sms.pem as private-key material and delete them when you are done.
3. Once the PEM file exists, its contents can be copied and imported. Simply run “more” on the file and copy the certificate, i.e. everything from the -----BEGIN CERTIFICATE----- line through the -----END CERTIFICATE----- line inclusive, as shown below. Do not copy the private key block (the one whose markers end in PRIVATE KEY-----) from the same file; ECOM only needs the certificate and the key should never leave the vCenter.
4. Now import the certificate. Log into the ECOM administration website (https://<IP>:5989/ecomconfig) as the admin user. The default credentials are admin/#1Password; if the default password has been changed, as it should be, use the current one.
5. Once in, select “SSL Certificate Management” from the menu:
7. Finally, paste the certificate block copied in step 3 into the box and submit it.
8. Retry the VASA registration once this is complete and it should succeed. Note that each vCenter has its own SMS certificate, so if you are registering more than one vCenter and the second one fails to register after this procedure, repeat steps 1 through 3 on that vCenter as well; multiple certificates can be pasted into the box in step 7 together, then try the registration again.
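Added here as a worked example, not code from the original post or from EMC or VMware: steps 1 through 3 as a small POSIX shell script that also enforces the point made above, namely that only the certificate, never the SMS private key, ends up in the PEM that gets pasted into ECOM. It assumes keytool and openssl are on the PATH and that the keystore password is the vCenter default “testpassword”; the function names, the SMS_PASS variable and the output path are my own choices.

```shell
#!/bin/sh
# Added example, not part of the original post: scripted version of steps
# 1-3 that never writes the SMS private key into the PEM file.
# Assumptions (not stated on the page): keytool and openssl are on PATH,
# the keystore password is vCenter's default "testpassword", and the
# keystore path is the vApp default. Function and variable names are mine.
set -eu

SMS_PASS=${SMS_PASS:-testpassword}

# Step 1: JKS -> PKCS12. Passwords are given as options so the script does
# not stop at the interactive prompts; -noprompt overwrites an existing alias.
jks_to_pkcs12() {
    src=$1; dst=$2; pass=$3
    keytool -importkeystore -noprompt \
        -srckeystore "$src" -srcstoretype JKS -srcstorepass "$pass" \
        -destkeystore "$dst" -deststoretype PKCS12 -deststorepass "$pass"
}

# Step 2: PKCS12 -> PEM. -nokeys leaves the private key out (which is also
# why openssl no longer asks for a PEM passphrase); piping the result through
# `openssl x509` drops the "Bag Attributes" header, leaving exactly the
# BEGIN/END CERTIFICATE block that ECOM expects.
pkcs12_to_cert_pem() {
    p12=$1; out=$2; pass=$3
    openssl pkcs12 -in "$p12" -nokeys -passin "pass:$pass" \
        | openssl x509 -out "$out"
}

# Step 3 check, before anything is pasted into ECOM: exactly one certificate
# block, no key material at all, and the subject plus SHA-256 fingerprint to
# compare against the certificate vCenter presents.
check_cert_pem() {
    f=$1
    [ "$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f")" -eq 1 ] || return 1
    if grep -q 'PRIVATE KEY' "$f"; then return 1; fi
    openssl x509 -in "$f" -noout -subject -fingerprint -sha256
}

# Usage on the vApp:
#   sh sms-cert.sh /etc/vmware-vpx/ssl/sms.keystore [./sms-cert.pem]
if [ "$#" -ge 1 ]; then
    keystore=$1
    out=${2:-./sms-cert.pem}
    work=$(mktemp -d)            # holds the PKCS12, which contains the key
    trap 'rm -rf "$work"' EXIT   # so it is removed however the script exits
    jks_to_pkcs12 "$keystore" "$work/sms.pkcs" "$SMS_PASS"
    pkcs12_to_cert_pem "$work/sms.pkcs" "$out" "$SMS_PASS"
    check_cert_pem "$out"
    cat "$out"                   # this is the block to paste into ECOM
fi
```

The fingerprint printed by check_cert_pem should match the certificate shown in the SMS/VASA error in vCenter, which is a quick way to confirm you exported the right keystore. One caveat for newer tooling: OpenSSL 3 will not parse a PKCS12 written by an older keytool (RC2/3DES protected) unless `-legacy` is added to the `openssl pkcs12` command; the openssl on the vApp is older and does not need it.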
A pretty straightforward procedure, I hope. I have included it in the VASA whitepaper, but the update is not yet published, so for now this post is the available “documentation”.