Monday, September 17

Nexus 1000v correct ports

I always forget - so this is a note:
The Nexus 1000v VSM's network adapters should be connected as:
- Ethernet 1: Control
- Ethernet 2: Management
- Ethernet 3: Packet

see Cisco.

C-M-P

Cheers.

Monday, September 3

vCenter appliance 5.0u1 - certificate replacement - OpenSSL

This is just another piece of my OpenSSL headshot. I won't format it any better; if you need it, use it.
I've been using this unsatisfactory KB and this forum post for reference.
This blog post contains some of the information you can find here, with a few differences (he forgets to mention, for example, that the password for /usr/lib/vmware-vsphere-client/server/config/keystore is changeit).

The vcVA stores its certificates in several different places:
  • /opt/vmware/etc/lighttpd/server.pem - the VAMI management interface's (port 5480) HTTPS certificate, key and cert concatenated into one PEM file
  • /etc/vmware-vpx/ssl/ - vpxd's certificate (also used by Tomcat); the keys used for the database connection are stored here as well
  • /usr/lib/vmware-vpx/inventoryservice/ssl/ - the Inventory Service's certificate
  • /usr/lib/vmware-vsphere-client/server/config/keystore - the Web Client's certificate (a JKS keystore)
  • /etc/ssl/certs/ - root CA PEMs, if needed
You can generate the required rui.key and rui.crt as described in the previous article. The key must be unencrypted (vpxd_servicecfg cannot prompt for a passphrase), so keep it root-owned and mode 0600 wherever you copy it. rui.pfx is regenerated by the appliance, so there is no need to create it yourself.

It is slightly easier if you haven't yet initialized the DB: the DB connection uses vpxd's rui.crt, and if the DB is already initialized the certificate also has to be changed in sms.keystore and sms.truststore :( .
That must be something secret, as nobody has ever published a how-to on it. I should have, but I'm just too lazy...

So, for the fresh install:
  1. # cp rui.* /usr/lib/vmware-vpx/inventoryservice/ssl/ - The Inventory Service's cert has to be replaced manually
  2. # vpxd_servicecfg eula accept - Or accept it in the GUI, if you haven't already
  3. Configure the database; for example, the embedded one can be initialised with:
    # vpxd_servicecfg db write embedded
  4. Change the certs for vpxd and the VAMI:
    # vpxd_servicecfg certificate change rui.crt rui.key - This also changes the management GUI cert (it concatenates the .key and .crt files into server.pem)
  5. Change the cert for the Web Client:
    # cd /usr/lib/vmware-vsphere-client/server/config/
    # mv keystore keystore.orig
    # /usr/lib/vmware-vpx/jre/bin/keytool -keystore keystore -importcert -file rui.crt -alias s2dmk -storetype JKS -storepass changeit - changeit is the default password for the keystore. Don't change it ;)
    # /usr/lib/vmware-vsphere-client/scripts/admin-cmd.sh unregister https://localhost:9443/vsphere-client localhost root vmware - vmware is the assumed root password; substitute yours, and bear in mind it ends up in the shell history
    # /usr/lib/vmware-vsphere-client/scripts/admin-cmd.sh register https://FQDN:9443/vsphere-client localhost root vmware
     - Press A to accept the certificate. Use the FQDN here; localhost might not work.
  6. (Re)Start the whole thing
    # /etc/init.d/vami-lighttp restart
    # /etc/init.d/vmware-vpxd start
    # /etc/init.d/vsphere-client restart
    Or just reboot.
You can check for any errors in /var/log/vmware/vpx/.
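The procedure above depends on an unencrypted rui.key that actually belongs to rui.crt, and vpxd_servicecfg builds server.pem by concatenating the two. The POSIX shell helpers below are an added example (not from the original post and not VMware's tooling) for checking exactly that before the swap, and for checking what a port serves afterwards. They assume only that openssl is in PATH; the paths, hostnames and ports passed in are the caller's, and the vcenter.example.test name in the comments is a placeholder.

```shell
#!/bin/sh
# Added example: pre-flight and post-swap checks for the rui.key / rui.crt used above.
# Not part of the original post or of VMware's tooling; assumes only that openssl is in PATH.

# vpxd_servicecfg needs the key unencrypted. Return 0 if the PEM key loads without a passphrase.
key_is_unencrypted() {
    key="$1"
    # Traditional PEM marks encryption with "Proc-Type: 4,ENCRYPTED", PKCS#8 with "BEGIN ENCRYPTED PRIVATE KEY"
    if grep -q 'ENCRYPTED' "$key"; then
        return 1
    fi
    # A dummy passphrase makes openssl fail instead of prompting if the key is encrypted after all
    openssl pkey -in "$key" -passin pass:dummy -noout >/dev/null 2>&1
}

# Return 0 if the private key and the certificate carry the same public key. A mismatch only
# shows up after the restart, as TLS handshake failures on every port that got the new files.
key_matches_cert() {
    key="$1"; crt="$2"
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Return 0 if the certificate names the FQDN clients will connect to (subject CN or a DNS SAN).
cert_has_name() {
    crt="$1"; fqdn="$2"
    openssl x509 -in "$crt" -noout -subject 2>/dev/null | grep -q "CN *= *$fqdn" && return 0
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q "DNS:$fqdn"
}

# SHA-256 fingerprint of a PEM certificate, colon-separated hex only.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Build a lighttpd-style server.pem the way the appliance does: private key first, then the cert.
# The key is unencrypted, so the file is created with a restrictive umask and forced to 0600.
make_server_pem() {
    key="$1"; crt="$2"; out="$3"
    rm -f "$out"
    ( umask 077; cat "$key" "$crt" > "$out" ) || return 1
    chmod 600 "$out"
}

# Post-swap check: return 0 if host:port serves a certificate with the same fingerprint as crt.
# Needs network access to the appliance, e.g. served_cert_matches vcenter.example.test 5480 rui.crt
served_cert_matches() {
    host="$1"; port="$2"; crt="$3"
    got=$(echo | openssl s_client -connect "$host:$port" 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//')
    [ -n "$got" ] && [ "$got" = "$(cert_fingerprint "$crt")" ]
}

# Usage: sh vcsa-cert-check.sh rui.key rui.crt vcenter.example.test
if [ "$#" -eq 3 ]; then
    key_is_unencrypted "$1"    && echo "key is unencrypted" || echo "FAIL: key is encrypted or unreadable"
    key_matches_cert "$1" "$2" && echo "key matches cert"   || echo "FAIL: key/cert mismatch"
    cert_has_name "$2" "$3"    && echo "cert names $3"      || echo "FAIL: $3 not in CN or SAN"
    echo "fingerprint: $(cert_fingerprint "$2")"
fi
```

Run the pre-flight checks with the three arguments before step 1. After step 6, compare the fingerprint against what the VAMI (5480), vpxd (443) and the Web Client (9443) actually hand out with served_cert_matches; a port that still returns the old fingerprint tells you which service did not pick up the new files without digging through /var/log/vmware/vpx/.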
That's all, hope you don't mind...