Configure vRealize Operations Manager (vApp) for SSL using a chain of certificates (2079782)

Details

When configuring vRealize Operations Manager (formerly known as vCenter Operations Manager) 5.x for secure communication, if you import a certificate that is correctly signed by another certificate, the import succeeds but SSL errors appear. 

vRealize Operations Manager does not serve the complete chain of certificates to the browser due to an issue with the way that certificates are configured in vRealize Operations Manager.  As a result, the browser does not trust the certificate that vRealize Operations Manager provides.

Solution

The issue involves three certificates: a root certificate, an intermediate certificate and a certificate to be used by vRealize Operations Manager (formerly known as vCenter Operations Manager) for SSL communication. In this example, the three certificates are: root.crt, intermediate.crt and vcops.pem. These certificates form a chain of trust where vcops.pem is signed by intermediate.crt, which is signed by root.crt.
 
To fix this problem, perform the following steps from a command line window on the UI virtual machine:
  1. Put the root.crt, intermediate.crt, and vcops.pem in /opt/vmware/etc/lighttpd. Modify file permissions with the commands:

    chmod ugo+r /opt/vmware/etc/lighttpd/root.crt
    chmod ugo+r /opt/vmware/etc/lighttpd/intermediate.crt

  2. Edit /usr/lib/vmware-vcops/user/conf/install/vcops-apache.conf near line 144 to appear as follows:

    ...
    <VirtualHost *:443>
      JkMountCopy On
      # Enable SSL for apache, use lighttpd cert (for now)
      SSLEngine on
      SSLCACertificateFile /opt/vmware/etc/lighttpd/root.crt
      SSLCertificateChainFile /opt/vmware/etc/lighttpd/intermediate.crt
      SSLCertificateFile /opt/vmware/etc/lighttpd/vcops.pem
    </VirtualHost>
    ...

  3. Type the following commands:

    /usr/lib/vmware-vcops/user/conf/install/ssl-cert-install.sh /opt/vmware/etc/lighttpd/vcops.pem
    source /usr/lib/vmware-vcops/user/conf/install/common.sh
    add_pem_to_truststore "/opt/vmware/etc/lighttpd/root.crt" "root"
    add_pem_to_truststore "/opt/vmware/etc/lighttpd/intermediate.crt" "intermediate"
 
The final three commands apply to vRealize Operations Manager (formerly known as vCenter Operations Manager) 5.7 or later.
After performing these steps, the browser may still show the certificate as not trusted, but the chain of certificates appears. If the root certificate (for example, root.crt) is already trusted in the browser you use, the browser will show that the certificate is trusted.
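
The chain of trust and what the server actually sends can both be checked from a command line. The following is an added example, not part of the original VMware article: it assumes the openssl command-line tool is installed, and the function names and the host name vcops.example.test are placeholders chosen for this example.

```sh
#!/bin/sh
# Added example (not VMware code). Function names are illustrative.

# verify_chain ROOT INTERMEDIATE LEAF
# Succeeds only if LEAF chains through INTERMEDIATE to ROOT,
# with ROOT supplied as the trust anchor.
# The output is matched instead of the exit status because some
# older OpenSSL releases exit 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null |
        grep -q ': OK$'
}

# count_pem_certs: count the PEM certificates read from stdin.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' || true
}

# served_chain_count HOST [PORT]
# Number of certificates the server sends in its TLS handshake.
# 1 means only the leaf is served (the symptom in this article);
# 2 or more means the intermediate is being sent as well.
served_chain_count() {
    openssl s_client -connect "$1:${2:-443}" -showcerts </dev/null 2>/dev/null |
        count_pem_certs
}

# Usage on the UI virtual machine (host name is a placeholder):
#   cd /opt/vmware/etc/lighttpd
#   verify_chain root.crt intermediate.crt vcops.pem && echo "chain OK"
#   served_chain_count vcops.example.test 443
```

Run verify_chain before editing vcops-apache.conf to confirm the three files really form a chain, and served_chain_count after restarting the web server to confirm the intermediate is now being sent.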
 
