Single Node Clusters
To resolve the issue, generate a new keystore on the problematic node.
- Log into the problematic node as root via SSH or Console.
- Stop the loginsight service:
service loginsight stop
- Look into the /storage/core/loginsight/config/ directory and note the loginsight-config.xml# file with the highest number.
- Open the loginsight-config.xml# file with the highest number, noted in step 3, in a text editor.
Example: vi loginsight-config.xml#31
- Find the syslog-ssl-keystore-password tag and delete it.
Example: Remove these lines:
<importer>
...
<syslog-ssl-keystore-password value="IC1zBFx21ecBy2oHO93PNNfY3QSm0EQK" />
...
</importer>
- Save and close the file.
- Run the following command and note the provided password:
grep syslog-ssl-keystore-password /usr/lib/loginsight/application/etc/loginsight-config-base.xml | gawk -F'"' '{print $2}'
Output Example: wXnOwLx8RTO0odq9VsR5jL7iBBEzM3xx
- Look into the /usr/lib/loginsight/application/3rd_party/ directory and note the apache-tomcat directory with the highest version.
Example: apache-tomcat-8.5.38
- Delete the old keystore file by running the following command:
rm /usr/lib/loginsight/application/3rd_party/apache_ver/conf/keystore
Note: Replace apache_ver with the apache directory noted in step 8
Example: rm /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.38/conf/keystore
- Run the following command to generate a new keystore:
/usr/java/default/bin/keytool -genkey -alias loginsight -keyalg RSA -validity 3650 -keysize 4096 -keystore /usr/lib/loginsight/application/3rd_party/apache_ver/conf/keystore -keypass keystore_password -storepass keystore_password -dname "CN=VMware vCenter Log Insight, OU=vCenter Log Insight, O=VMware\, Inc., L=Palo Alto, S=California, C=US"
Note: Replace apache_ver with the apache directory noted in step 8 and replace keystore_password with the password noted in step 7.
Example: /usr/java/default/bin/keytool -genkey -alias loginsight -keyalg RSA -validity 3650 -keysize 4096 -keystore /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.38/conf/keystore -keypass wXnOwLx8RTO0odq9VsR5jL7iBBEzM3xx -storepass wXnOwLx8RTO0odq9VsR5jL7iBBEzM3xx -dname "CN=VMware vCenter Log Insight, OU=vCenter Log Insight, O=VMware\, Inc., L=Palo Alto, S=California, C=US"
Note: All arguments can be customized as desired. The CN value should be changed to the fully qualified domain name associated with the IP address of the endpoint.
You can find more information about keytool usage here:
Java Platform, Standard Edition Tools Reference: keytool
- Start the loginsight service:
service loginsight start
Multi Node Clusters
If some nodes have healthy keystores, copy a valid keystore from a healthy node onto the problematic node.
- Log into the problematic node as root via SSH or Console.
- Stop the loginsight service:
service loginsight stop
- Run the following command to copy the keystore from a healthy node:
scp root@healthy_node_address:/storage/var/loginsight/apache-tomcat/conf/keystore /storage/var/loginsight/apache-tomcat/conf/
Note: Replace healthy_node_address with the IP address of the healthy vRealize Log Insight node.
Example:
scp [email protected]:/storage/var/loginsight/apache-tomcat/conf/keystore /storage/var/loginsight/apache-tomcat/conf/
- Start the vRealize loginsight service on the affected node:
service loginsight start
If all nodes have a damaged keystore, generate a new keystore on the Primary node, and copy it to all of the worker nodes.
- Log into the Primary node as root via SSH or Console.
- Run the following command on all nodes to stop the loginsight service:
service loginsight stop
- Look into the /usr/lib/loginsight/application/3rd_party/ directory and note the apache-tomcat directory with the highest version.
Example: apache-tomcat-8.5.38
- Run the following command on all nodes to remove the damaged keystore:
rm /usr/lib/loginsight/application/3rd_party/apache_ver/conf/keystore
Note: Replace apache_ver with the apache directory noted in step 3.
Example: rm /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.38/conf/keystore
- Look into the /storage/core/loginsight/config/ directory and note the loginsight-config.xml# file with the highest number.
- Run the following command and note the provided password:
grep syslog-ssl-keystore-password /storage/core/loginsight/config/loginsight-config.xml# | gawk -F'"' '{print $2}'
Note: Replace loginsight-config.xml# with the file noted in step 5.
Example: grep syslog-ssl-keystore-password /storage/core/loginsight/config/loginsight-config.xml#31 | gawk -F'"' '{print $2}'
Output Example: wXnOwLx8RTO0odq9VsR5jL7iBBEzM3xx
- Run the following command to generate a new keystore:
/usr/java/default/bin/keytool -genkey -alias loginsight -keyalg RSA -validity 3650 -keysize 4096 -keystore /usr/lib/loginsight/application/3rd_party/apache_ver/conf/keystore -keypass keystore_password -storepass keystore_password -dname "CN=VMware vCenter Log Insight, OU=vCenter Log Insight, O=VMware\, Inc., L=Palo Alto, S=California, C=US"
Note: Replace apache_ver with the apache directory noted in step 3 and replace keystore_password with the password noted in step 6.
Example: /usr/java/default/bin/keytool -genkey -alias loginsight -keyalg RSA -validity 3650 -keysize 4096 -keystore /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.38/conf/keystore -keypass wXnOwLx8RTO0odq9VsR5jL7iBBEzM3xx -storepass wXnOwLx8RTO0odq9VsR5jL7iBBEzM3xx -dname "CN=VMware vCenter Log Insight, OU=vCenter Log Insight, O=VMware\, Inc., L=Palo Alto, S=California, C=US"
- Copy the newly generated keystore to the other nodes in the cluster:
scp /usr/lib/loginsight/application/3rd_party/apache_ver/conf/keystore root@worker_address:/usr/lib/loginsight/application/3rd_party/apache_ver/conf/keystore
Note: Replace apache_ver with the apache directory noted in step 3 and replace worker_address with the IP address of a worker node in the cluster.
Example:
scp /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.38/conf/keystore [email protected]:/usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.38/conf/keystore
- Repeat step 8 for all other worker nodes in the cluster.
- Start the loginsight service on all nodes in the cluster:
service loginsight start
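The "highest number" and "highest version" steps in both procedures are easy to get wrong from a plain directory listing, because ls sorts lexically (loginsight-config.xml#9 is listed after #31, and apache-tomcat-8.5.9 after 8.5.38). The following shell helpers are an added example, not VMware code; the function names are hypothetical and sha256sum is assumed to be available on the node. They select both items numerically and print a keystore hash that can be compared across nodes after the scp copy.

```shell
#!/bin/sh
# Added helper functions (not VMware code) for the "highest number" steps.

# Print the loginsight-config.xml#N file with the numerically highest N in $1.
latest_config() {
    dir=$1; best=-1
    for f in "$dir"/loginsight-config.xml#*; do
        [ -f "$f" ] || continue
        n=${f##*\#}
        case $n in ''|*[!0-9]*) continue ;; esac   # skip non-numeric suffixes
        if [ "$n" -gt "$best" ]; then best=$n; fi
    done
    [ "$best" -ge 0 ] || return 1
    printf '%s\n' "$dir/loginsight-config.xml#$best"
}

# Print the apache-tomcat-X.Y.Z directory with the highest version under $1.
latest_tomcat() {
    base=$1
    ver=$(for d in "$base"/apache-tomcat-*/; do
              [ -d "$d" ] || continue
              d=${d%/}
              printf '%s\n' "${d##*apache-tomcat-}"
          done | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ -n "$ver" ] || return 1
    printf '%s\n' "$base/apache-tomcat-$ver"
}

# Print the SHA-256 of a keystore file, to compare nodes after an scp copy.
keystore_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# Run only on an appliance that has the directories named in the article.
if [ -d /storage/core/loginsight/config ]; then
    latest_config /storage/core/loginsight/config
    tomcat=$(latest_tomcat /usr/lib/loginsight/application/3rd_party) &&
        keystore_sha256 "$tomcat/conf/keystore"
fi
```

Run it on each node after the copy step; every node in the cluster should print the same keystore hash.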