This one is not in my wheelhouse by a long shot, but having recently assisted our sales team with one of their customers, it is clear our documentation on certificates with the VASA Provider (VP) is lacking. My intent is to present the options available to the user with the VP certs. I'm not going to delve deeply here (not that I could); rather, I want to explain the process. As I only have the embedded VP, I have to use that as my example, though the ECOM process I go over is the same for the external VP.
Default Certificate
Here’s the easy one. The VASA Provider already has a certificate. In the vVol documentation the procedure for registering the VP assumes the customer uses the default cert. You select to register a new storage provider, input the information as below, verify you know the host, and that’s it. If you are using embedded you do this twice, once for each VP.
Signed Certificate
Using your own signed certificate is also an option for customers. This is the one that causes confusion because the release documentation (Release Notes/Product Guide) includes information about signed certificates but doesn’t do a great job of connecting the dots on exactly how this is accomplished. There are two sections related to signed certs. The first is how ECOM can be used to import a signed certificate or CA cert:
The second section relates that you can’t set the parameter to retain the cert:
Knowing these things, though, does not necessarily help a customer to understand how they get the VP to use their certificate. In the absence of this connecting information, the VP registration screen seems to indicate you can use this checkbox below to provide your certificate. Makes sense to me.
But this is where we get in trouble. We don’t support this checkbox. If you do check it, then you are allowed to pick your certificate, but the registration will fail and the wheels will spin. So don’t do that. (Unfortunately VMware owns this dialog so we can’t gray-out the option.)
If you want to use your signed certificate, you must import it into ECOM as the documentation mentioned above, if vaguely. So once you have your certificate you navigate to the ECOM home page, which is the IP of Unisphere at port 5989: https://<IP>:5989/ecomconfig.
Login then choose SSL Certificate Management.
Finally, import your cert – either Option 1 or Option 3 depending on your circumstance.
Once imported you must restart ECOM – stop and start. In the vApp it is a daemon, in embedded it looks like this:
Once you’ve done this, you can register VASA-0. Then, in the case of embedded VP, you’ll need to repeat the process for VASA-1 because these are different applications.
Certificate for Multiple vCenters
This one is actually well documented in the Product Guide (and the white paper linked above) so I would simply be repeating the information. The PG is here. It is version 9.2 but it holds for 10.0 also. When using more than one vCenter with a VP, you have to set a flag so that the second vCenter does not overwrite the certificate of the first. To achieve this, if you are using the default certificate, you have to recreate it in ECOM (Option #2 above) using parameters explained in the PG. If you need to use a signed certificate in this circumstance, the doc explains how that is accomplished also. Again, the missing piece is the import process I included above.
Returning to Default Certificate
If you feel you've messed up your certificates somehow, you can always return to the default self-signed certificate. Choose Option #2 to reveal the following screen:
Enter the following details in the certificate screen:
- Common Name: <hostname of VASA Provider>, e.g., VASA-0
- Country: <Country>
- State: <state>
- Locality: <locality>
- Organization name: <Org name>
- Organization Unit name: <Org unit name>
- Serial Number: <Must not be 0>, e.g., SID of the array.
- SAN Email Address: <empty>
- SAN IP: <VASA Provider IP address>
- SAN URI: <empty>
- Key Usage: <default>
- CA: <leave this unchecked>
Click Generate a Self-Signed Certificate. Again, once this is complete you must stop and start the ECOM provider, register in vCenter, and then repeat on VASA-1 if using embedded.
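As an added example (not from this post and not Dell EMC's own code), the script below expresses the self-signed certificate fields listed above as an openssl configuration, generates a certificate from them, and then runs the check I would want after the stop/start of ECOM and before registering in vCenter: the Common Name, a non-zero serial, the SAN IP and CA unchecked (CA:FALSE) are all verified on the resulting PEM. The CN, the 192.0.2.10 address, the serial standing in for the array SID and the organization fields are constructed placeholders; only openssl is required. The same check_vp_cert function works on the certificate a live VASA-0 or VASA-1 presents on port 5989 (see the comment at the end).

```shell
#!/bin/sh
# Added example, not from the post or the product: build a cert with the fields the
# ECOM "Generate a Self-Signed Certificate" screen asks for, then verify it.
# All names, the IP, the serial and the organization values are constructed placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/vp.cnf"
KEY="$WORK/vp.key"
CERT="$WORK/vp.pem"

VP_CN="VASA-0"          # Common Name: hostname of the VASA Provider
VP_IP="192.0.2.10"       # SAN IP: placeholder address (TEST-NET-1), not a real array
VP_SERIAL="197900123"    # Serial Number: placeholder standing in for the array SID (must not be 0)

# The DN and extensions mirror the list in the post: SAN IP only (no SAN email/URI),
# default key usage, and CA left unchecked.
cat > "$CFG" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_vp

[ dn ]
C  = US
ST = Example State
L  = Example Locality
O  = Example Org
OU = Example Org Unit
CN = $VP_CN

[ v3_vp ]
subjectAltName = IP:$VP_IP
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
EOF

# Generate the self-signed certificate with the chosen serial number.
gen_vp_cert() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
    -config "$CFG" -set_serial "$VP_SERIAL" \
    -keyout "$KEY" -out "$CERT" >/dev/null 2>&1
}

# check_vp_cert PEMFILE CN IP
# Returns 0 only if the certificate carries the expected CN, a non-zero serial,
# the expected SAN IP address, and is not marked as a CA certificate.
check_vp_cert() {
  pem="$1"; cn="$2"; ip="$3"
  text=$(openssl x509 -noout -text -in "$pem")
  serial=$(openssl x509 -noout -serial -in "$pem" | cut -d= -f2)
  [ -n "$(printf '%s' "$serial" | tr -d 0)" ] || { echo "serial number is zero"; return 1; }
  openssl x509 -noout -subject -in "$pem" | grep -Eq "CN ?= ?$cn(,|/|$)" \
    || { echo "Common Name is not $cn"; return 1; }
  printf '%s\n' "$text" | grep -q "IP Address:$ip" || { echo "SAN IP $ip missing"; return 1; }
  printf '%s\n' "$text" | grep -q "CA:TRUE" && { echo "certificate is marked CA:TRUE"; return 1; }
  return 0
}

gen_vp_cert
check_vp_cert "$CERT" "$VP_CN" "$VP_IP" \
  && echo "certificate matches the expected VASA Provider parameters"

# Against a live provider, capture what it actually serves after the ECOM restart and
# run the same check (replace <IP> with the Unisphere address):
#   openssl s_client -connect <IP>:5989 -showcerts </dev/null 2>/dev/null \
#     | openssl x509 > vp.pem && check_vp_cert vp.pem VASA-0 <VP IP>
```

If the check fails on the live certificate, ECOM is still serving the old one: the usual cause is that the provider was not stopped and started after the import or the Option #2 generation, or that the second embedded provider (VASA-1) was not done separately.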
With any luck, if you run into certificate issues this guide will help you through. Though I always respond to comments, I will reiterate that I am not a certificate guru, and if you exceed my knowledge with a question I will likely ask you to open an SR with support to be sure you get the right answer the first time.