Working with vCenter Orchestrator over SSL connection (2007032)

Solution

You can resolve the issue by creating a certificate whose subject matches your Orchestrator server name. You can also replace the SSL certificate with a certificate signed by a commercial certificate authority (CA). For more information about replacing the SSL certificate with one signed by a CA, see Installing and Configuring VMware vCenter Orchestrator. To stop receiving certificate warnings from the Orchestrator client, add your root CA certificate to the Orchestrator keystore on the machine on which the Orchestrator client is installed.

Create a certificate that matches your Orchestrator server name:

  1. Back up the jssecacerts file, located at: orchestrator_installation_directory\jre\lib\security\jssecacerts
  2. Stop the Orchestrator server service.

    a) Select Start > Programs > Administrative Tools > Services.
    b) In the right pane, right-click VMware vCenter Orchestrator Server and select Stop.

  3. Open a command prompt as an administrator.

    a) From the Windows Start menu navigate to Start > Command Prompt.
    b) Right-click Command Prompt, and select Run as administrator.

  4. Delete the current dunes key from the keystore by running the keytool Java utility at the command prompt (keytool prompts for the keystore password, which is dunesdunes by default):

    keytool -delete -alias dunes -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts"

    The keytool Java utility is located at:

    orchestrator_installation_directory\jre\bin\keytool.exe

  5. Generate a new certificate for the dunes key, for example a 10-year certificate:

    keytool -keystore "c:\program files\vmware\orchestrator\jre\lib\security\jssecacerts" -storepass dunesdunes -genkey -alias dunes -validity 3650

    You can adjust the validity of the certificate in days.

  6. When prompted for your first and last name, enter the fully qualified domain name (FQDN) of your Orchestrator server.

    Note: Make sure to enter the FQDN of the Orchestrator server, because it will tie the certificate to the server.

    For example, if the FQDN of the Orchestrator server is vco-411.vcoteam.lab, you should type the following information:

    What is your first and last name?

    [Unknown]: vco-411.vcoteam.lab

  7. For each of the remaining prompts such as Organizational Unit, Organization, City, State, Country Code, and so on, type the appropriate information for your organization.
  8. To confirm the change, type yes, and press Enter.
  9. When prompted for the password for dunes, press Enter to use the same password as the keystore password (dunesdunes).
  10. Log in to the Orchestrator configuration interface as vmware and start the Orchestrator server service.

    a) In the Orchestrator configuration interface, click the Startup Options tab.
    b) Click Start service.

Your Orchestrator server has a self-signed certificate that matches the FQDN of the Orchestrator server.

What to do next: Open a Web browser and navigate to the Orchestrator server with HTTPS. Add the certificate to your local store. You must complete this procedure only once.

Add the certificate to your local store:

Prerequisite: Add the Orchestrator server as a trusted site.

To add the certificate in Internet Explorer:

  1. Open your Internet Explorer and navigate to https://orchestrator_server_ip:8281/
  2. When prompted, click Continue to this website (not recommended).

    In Internet Explorer you see the Certificate Error on the right of the address bar.

  3. Click the Certificate Error and select View Certificates.
  4. Click Install Certificate.
  5. In the Welcome page of the Certificate Import Wizard, click Next.
  6. In the Certificate Store window, select Place all certificates in the following store.
  7. Browse and select Trusted Root Certification Authorities.
  8. Click Next.
  9. Click Finish.
  10. Restart Internet Explorer.
  11. Navigate to the Orchestrator server over your SSL connection.
    You are no longer prompted with warnings and you do not have a Certificate Error on the right of the address bar.

At this point, other applications and systems (such as VMware Service Manager) should be able to connect successfully to the Orchestrator SOAP API over an SSL connection.
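As an added check that is not part of this article: once the new dunes key is in place, the following Python script connects to the Orchestrator SSL port, verifies the chain against the exported server certificate or root CA file, and reports whether the certificate's names match the FQDN and how many days of validity remain. The host name vco-411.vcoteam.lab, the cacert.pem file name and the function names are assumptions for illustration.

```python
# Added example, not from the KB article. Placeholders: the Orchestrator FQDN
# and the PEM file holding the exported server certificate or your root CA.
import socket
import ssl
import time

def _dns_match(pattern, hostname):
    """Match one certificate name against the FQDN. Only a leading '*.'
    wildcard covering exactly one label is accepted."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def cert_names(cert):
    """DNS names the certificate claims: SAN entries, else the subject CN
    (a key from 'keytool -genkey' with no -ext option has only a CN)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names

def check_cert(cert, fqdn, now=None):
    """Evaluate a certificate in the dict form SSLSocket.getpeercert() returns:
    the names it claims, whether one matches the FQDN, and days of validity left."""
    now = time.time() if now is None else now
    expiry = ssl.cert_time_to_seconds(cert["notAfter"])
    names = cert_names(cert)
    return {"names": names,
            "fqdn_match": any(_dns_match(n, fqdn) for n in names),
            "days_left": int((expiry - now) // 86400)}

def fetch_cert(fqdn, cafile, port=8281):
    """Connect over TLS and return the decoded peer certificate. The chain is
    verified against cafile because Python only decodes a certificate it has
    verified; the host name check is left to check_cert so that a mismatch
    is reported in the result instead of raised as an exception."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((fqdn, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    host = "vco-411.vcoteam.lab"  # placeholder FQDN from the article's example
    print(check_cert(fetch_cert(host, "cacert.pem"), host))
```

If fqdn_match is false, regenerate the dunes key with the FQDN as the "first and last name". Browsers from Chrome 58 onward ignore the CN entirely and require a SAN, which keytool -genkey can add with -ext SAN=dns:your.fqdn.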

If your Orchestrator SSL certificate is issued by a CA that is not imported in the Orchestrator keystore, you might receive certificate warning messages when you try to connect the Orchestrator client to the Orchestrator server. To fix that, add your root CA certificate to the Orchestrator keystore on the machine on which the Orchestrator client is installed.

To add your root CA certificate to the Orchestrator keystore on the client machine:

  1. Stop the Orchestrator client.
  2. Back up the jssecacerts file, located at: orchestrator_installation_directory\jre\lib\security\jssecacerts.
  3. Open a command prompt as an administrator.

    a) From the Windows Start menu navigate to Start > Command Prompt.
    b) Right-click Command Prompt, and select Run as administrator.

  4. Run the commands to add the certificate:

    C:\> cd "orchestrator_installation_directory\jre"

    orchestrator_installation_directory\jre>bin\keytool -importcert -noprompt -keystore lib\security\jssecacerts -storepass dunesdunes -alias ourOwnCARootV1 -file cacert.pem

    Here cacert.pem is your root CA certificate in PEM format. For more information about the keytool command, see the Oracle documentation.
