How to import the SSL certificate from HPE Redfish for composability use in VMware Cloud Foundation 3.5.x

Article ID: 316930


Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:
  • Configuring the HPE Redfish connector within SDDC Manager under Composable Infrastructure fails. 
  • You see an error similar to the following when trying to add credentials for the Redfish connector using the https protocol:
Failed to establish connection. I/O error on POST request for "https://10.10.100.58:5000/redfish/v1/SessionService/Sessions": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

Note: The preceding excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware Cloud Foundation 3.5.x

Resolution

This is a known issue affecting VMware Cloud Foundation 3.5.x. There is currently no resolution.

Workaround:
To work around this issue, use the following procedure to manually import the Redfish SSL certificate into the SDDC Manager trusted keystore.
  1. SSH to the SDDC Manager VM as the vcf user and then issue the su - command to switch to the root user.
  2. Issue a command similar to the following to obtain the SSL certificate from the Redfish connector:
openssl s_client -servername [Redfish IP] -connect [Redfish IP]:5000 </dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'>/tmp/redfish.crt

Notes:

  • Replace [Redfish IP] with the IP of the Redfish connector.
  • If the Redfish port has been changed from the default of 5000, the port value in the previous command needs to be updated accordingly.
  3. Issue the following command to import the certificate to the truststore:
keytool -import -alias [Redfish IP] -keystore /usr/java/jre-vmware/lib/security/cacerts -file /tmp/redfish.crt

Note: Replace [Redfish IP] with the IP of the Redfish connector.
  4. Issue the following command to restart the operationsmanager service:
systemctl restart operationsmanager


Note: If there is an existing Redfish connector certificate that needs to be deleted or replaced from the SDDC Manager truststore, run a command similar to the following to delete the certificate, and follow Steps 2 through 4 to import the new certificate.

keytool -delete -keystore /usr/java/jre-vmware/lib/security/cacerts -alias [Redfish IP]

Note: Replace [Redfish IP] with the IP of the Redfish connector.
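
Step 2 saves whichever certificate answers on the Redfish port, and Step 3 adds it to the JVM-wide cacerts truststore, so the certificate should be checked before it is imported. The following is an added example, not part of the original article: shell functions that compare the SHA-256 fingerprint of /tmp/redfish.crt with one obtained out of band and run the article's keytool import only on a match. The function names and the expected-fingerprint argument are assumptions.

```shell
# Added example (not from the article). Function names are hypothetical.
# Assumption: the expected SHA-256 fingerprint was obtained out of band,
# for example read from the Redfish host itself by its administrator.

CACERTS=/usr/java/jre-vmware/lib/security/cacerts   # truststore path used in the article

# Normalise a fingerprint: drop any "... Fingerprint=" label, colons and
# whitespace, then upper-case the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ': \n' | tr '[:lower:]' '[:upper:]'
}

# Print the normalised SHA-256 fingerprint of the PEM certificate file $1.
cert_sha256() {
    _fp_raw=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
    normalize_fp "$_fp_raw"
}

# Succeed only if the certificate in $1 has the expected fingerprint $2.
# An empty expected value never matches.
fingerprint_matches() {
    _fp_actual=$(cert_sha256 "$1") || return 2
    _fp_expected=$(normalize_fp "$2")
    [ -n "$_fp_expected" ] && [ "$_fp_actual" = "$_fp_expected" ]
}

# $1 = alias (the Redfish IP), $2 = PEM file, $3 = expected SHA-256 fingerprint.
# Runs the article's keytool import only after the fingerprint check passes.
import_if_pinned() {
    if ! fingerprint_matches "$2" "$3"; then
        echo "Fingerprint mismatch for $2; not importing." >&2
        return 1
    fi
    # Show what is about to be trusted, then import it.
    openssl x509 -in "$2" -noout -subject -issuer -dates
    keytool -import -alias "$1" -keystore "$CACERTS" -file "$2"
}
```

Call it as import_if_pinned [Redfish IP] /tmp/redfish.crt [expected fingerprint] in place of Step 3, then continue with Step 4.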

