
Using SSL Certificates with App Volumes Manager (2148178)


Purpose

App Volumes Manager uses SSL to communicate with Machine Managers and App Volumes agents. You can configure, replace, import, disable, and manage the SSL certificates used for SSL communication and validation. 

You can add and upload trusted SSL certificates from the App Volumes Manager console to establish a secure connection to vCenter Server and the remote SQL server. 

You can also replace the default App Volumes Manager certificates that are used for communication with App Volumes agents, disable SSL and SSL certificate validation, and enable an HTTP connection. 
 
This article provides information for: 
  • Configuring SSL Certificates for Machine Managers 
  •  Managing SSL Between App Volumes Manager and Agent 
  •  Disabling SSL and SSL Certificate Validation

Resolution

Configuring SSL Certificates for Machine Managers     

You can establish secure connections from App Volumes Manager to SQL Server and vCenter Server.

Establishing a Secure SQL Server Connection

If the instance of App Volumes Manager that you have installed connects to an SQL server, you can change the default Windows ODBC settings and connect securely to App Volumes Manager.

Ensure that you have downloaded the SSL certificate on the SQL server instance and imported the certificate as a Trusted Certificate onto the machine where App Volumes Manager is installed. Change the ODBC settings on this machine.

For detailed instructions, see the Microsoft Knowledge Base article 316898.

Establish a Secure vCenter Server Connection

You can securely connect to a vCenter Server from App Volumes using an SSL certificate.

Prerequisites:

Ensure that the vCenter Server you are connecting to has a domain SSL certificate. The certificate must be verified and accepted by App Volumes.

Procedure:

  1. From the App Volumes Manager console, click Machine Managers > Add Machine Manager.
  2. Enter the required Machine Manager information and click Save.

    Option: Description

    • Type: Enter vCenter Server
    • Host name: The host name of the Machine Manager. For example, server.your-domain.local
    • User name: The user name with which you will access the machine. For example, YOURDOMAIN\administrator.
    • Password: The password for the user name.
    • Mount Local: Select this option if your VM's datastore has local copies of volumes and you want to mount the local copies.
    • Mount on Host: Select this option if you want to connect directly to the VM host. This results in increased performance and decreases the burden on the vCenter Server.



  3. Verify the certificate details.

    If the certificate is not trusted or verified, you see these messages:
    • A window with details of the certificate (SHA1 fingerprint, period of validity) that is present in vCenter Server.
    • A message at the top right corner:


      Server error: SSL certificate is not verified and needs to be accepted to continue.

  4. Click Accept to accept the certificate.


    You can also log in to vCenter Server as an administrator and verify the SHA1 code. The Machine Manager is successfully added after the certificate is verified. 


  5. Click Certificate to view the certificate you added. 


    If the certificate is changed on vCenter Server after it has established a connection with App Volumes Manager, the Certificate not valid message is displayed when you log in to App Volumes Manager. You also see this message when you upgrade App Volumes to the latest version. 


  6. To validate the certificate again, select the vCenter Server under Machine Managers, click Certificate, and accept the certificate. 


You now have a trusted SSL certificate to connect to the vCenter Server.

Managing SSL Between App Volumes Manager and Agent     

A default self-signed certificate is installed when you install App Volumes Manager. App Volumes agents use SSL to communicate with the App Volumes Manager and validate the certificate.

Replace the Self-Signed Certificate with CA Certificate

A self-signed certificate is installed when you install App Volumes Manager. You can replace the default self-signed certificate by modifying the Nginx configuration file.

Note: The self-signed certificate is installed in the same location as the Nginx configuration file: C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf.

Prerequisites:

  •  Obtain an SSL certificate from a trusted Certificate Authority (CA).
  • Download the CA certificate and the corresponding key to the machine where the App Volumes Manager is installed. Note down the location where the files are downloaded.

    Note: Do not copy the CA certificate to the same folder as the self-signed certificates.

  • If you provide a passphrase while generating the certificate, note down the passphrase.
  • Verify that the Common Name on the CA certificate is the same as the host name or the IP address of App Volumes Manager that you configured while installing the agent.
  • Verify that the SSL key and certificate are both in PEM Base-64 encoded format.

Procedure

  1. Log in as administrator to the machine where the App Volumes Manager is installed. 

  2. Navigate to C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf and make a copy of the existing Nginx configuration file nginx.conf. 

  3. Open the Nginx configuration file. 

  4. Edit the ssl_certificate and ssl_certificate_key variables in the Nginx configuration file to correspond to the certificate files that you downloaded. 

  5. If the CA-signed certificate requires a passphrase, enter the passphrase for your certificate in the Nginx configuration file. 

  6. Save the configuration file. 

  7. Restart the App Volumes Manager service. 


Example: Nginx Configuration File:

In this example, the appvol_ca1_vmware.com.crt and appvol_ca1_vmware.com.key are the default self-signed certificates.

server {
    server_name 0.0.0.0;
    listen 3443;
    listen 443;
    listen [::]:443;
    ssl on;
    ssl_certificate appvol_ca1_vmware.com.crt;
    ssl_certificate_key appvol_ca1_vmware.com.key;
    ssl_session_cache builtin:1000;
    ssl_session_timeout 5m;
    root ../public;
    # ... remaining directives of the server block are unchanged ...
}
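
Before restarting the App Volumes Manager service, the prerequisites listed above can be checked against the files that nginx.conf actually references. The following PowerShell script is an added example, not part of the original article or of App Volumes; the manager host name is a placeholder, and resolving relative paths against the conf folder is an assumption based on the example configuration.

```powershell
# Added example: pre-flight check of the certificate and key that nginx.conf points at.
param(
    [string]$ConfPath    = 'C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf\nginx.conf',
    [string]$ManagerName = 'appvol-manager.your-domain.local'   # placeholder: name the agents were configured with
)
$confDir = Split-Path -Parent $ConfPath
$conf    = Get-Content -LiteralPath $ConfPath

# Return the path given to a directive such as "ssl_certificate <file>;".
# Assumption: relative paths are resolved against the conf folder, as in the article's example.
function Get-DirectivePath([string]$Name) {
    foreach ($line in $conf) {
        if ($line -match "^\s*$Name\s+(?<v>[^;]+);") {
            $v = $Matches['v'].Trim().Trim('"')
            if ([System.IO.Path]::IsPathRooted($v)) { return $v }
            return (Join-Path $confDir $v)
        }
    }
    throw "Directive '$Name' not found in $ConfPath"
}

$certFile = Get-DirectivePath 'ssl_certificate'
$keyFile  = Get-DirectivePath 'ssl_certificate_key'
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certFile
$nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
$cn       = $cert.GetNameInfo($nameType, $false)   # subject CN when one is present
$now      = Get-Date

# One row per prerequisite from the article, plus the validity period.
[pscustomobject]@{
    CertificateFile   = $certFile
    CertIsPem         = [bool](Select-String -LiteralPath $certFile -Pattern '^-----BEGIN CERTIFICATE-----' -Quiet)
    KeyIsPem          = [bool](Select-String -LiteralPath $keyFile -Pattern '^-----BEGIN .*PRIVATE KEY-----' -Quiet)
    KeyHasPassphrase  = [bool](Select-String -LiteralPath $keyFile -Pattern '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' -Quiet)
    CommonName        = $cn
    CommonNameMatches = ($cn -ieq $ManagerName)
    SelfSigned        = ($cert.Subject -eq $cert.Issuer)
    WithinValidity    = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
    OutsideConfFolder = ((Split-Path -Parent $certFile) -ine $confDir)
}
```

After a CA certificate has been configured, SelfSigned should be False and every other Boolean except KeyHasPassphrase should be True; KeyHasPassphrase being True means the passphrase step of the procedure applies.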
 

Import Default Self-Signed Certificate

If you do not want to replace the default self-signed certificate in the App Volumes Manager, you can import the certificate and add it to the local trust store of the machine where the App Volumes agent is installed.

If you have installed and configured multiple App Volumes Manager instances for use in all agent machines, then the self-signed certificates have to be imported from each App Volumes Manager instance to the agent machines.

For detailed instructions to import the SSL certificate after downloading it, see the Microsoft TechNet article Adding certificates to the Trusted Root Certification Authorities store for a local computer.
 
 Prerequisites
  • Verify that the certificate is a default self-signed certificate.


    Note: If the certificate is a CA certificate, do not import it. You can download and add it to the trust store of the App Volumes agent directly.

  • Obtain the IP address of the App Volumes Manager instance whose certificate you want to import.
  • Verify that you have the Microsoft Management Console (MMC) on the machine where the App Volumes agent is installed.

Procedure

  1. Log in as an administrator to the machine where the App Volumes agent is installed. 

  2. In a Web browser, enter the host name or IP address of the App Volumes Manager in the form of https://hostname. A warning message that the SSL certificate is not validated is displayed. 

  3. Click the warning message and follow instructions to download the SSL certificate displayed in the browser. 

  4. Open MMC and import the downloaded SSL certificate. 
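
The import in step 4 can also be scripted so that each downloaded file is confirmed to be self-signed and to match a thumbprint read on the manager itself before it becomes a trusted root. The following PowerShell script is an added example, not part of the original article; the file paths and thumbprints are placeholders, and obtaining the expected thumbprint out of band from each App Volumes Manager machine is an assumption of the example.

```powershell
# Added example: import each manager's self-signed certificate into the agent
# machine's Trusted Root store only after checking what is being trusted.
# Run from an elevated PowerShell session on the agent machine.
$expected = @{
    # downloaded file (placeholder path) = SHA1 thumbprint noted on that manager (placeholder)
    'C:\Temp\appvol-mgr1.cer' = '<SHA1 thumbprint from manager 1>'
    'C:\Temp\appvol-mgr2.cer' = '<SHA1 thumbprint from manager 2>'
}

foreach ($file in $expected.Keys) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file

    # Prerequisite from the article: only a default self-signed certificate is imported this way.
    if ($cert.Subject -ne $cert.Issuer) {
        Write-Warning "$file is not self-signed (issuer: $($cert.Issuer)); skipped."
        continue
    }

    # The browser download happens behind a certificate warning, so compare the
    # file's thumbprint with the value taken directly from the manager.
    $want = ($expected[$file] -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($cert.Thumbprint -ne $want) {
        Write-Warning "$file thumbprint $($cert.Thumbprint) does not match the expected value; skipped."
        continue
    }

    Import-Certificate -FilePath $file -CertStoreLocation Cert:\LocalMachine\Root |
        Select-Object Subject, Thumbprint, NotAfter
}
```

With the placeholder values left in place every file is skipped, because no thumbprint matches.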


Disabling SSL and SSL Certificate Validation     

You can disable SSL communication and SSL certificate validation between App Volumes agent and manager.

You can also disable only SSL certificate validation. In such a scenario, the certificate is not validated but communication still occurs over SSL.
 
Note: You must disable SSL on both the App Volumes Manager and agent.
 
Enable an HTTP Connection in App Volumes Manager       

You can disable SSL communication and enable an HTTP connection when you are installing App Volumes Manager.

You might want to disable SSL communication, for example, when you upgrade App Volumes to the latest version, and want to install and test App Volumes immediately without configuring SSL certificates.

You might also disable SSL communication if you are running App Volumes Manager behind a load balancer.
 
Note: Enable HTTP only in a non-production environment.
 
Procedure
  1. When you choose network ports during App Volumes Manager installation, select the Allow Connections Over HTTP (insecure) option. 

  2. Enter a value for the HTTP port or retain the default value of 80. 


SSL is disabled and all communication with the App Volumes Manager occurs over HTTP.

Disable SSL Certificate Validation When Installing App Volumes Agent

The App Volumes agent validates the SSL certificate of the App Volumes Manager during communication with the manager.

You can disable the validation when installing the agent. You might want to disable the validation if you are running App Volumes Manager behind a load balancer.

Procedure

When you install the App Volumes agent, select the Disable Certificate Validation with App Volumes Manager box on the App Volumes Agent window.

Certificate validation is disabled but communication still occurs over SSL.

Disable SSL and SSL Certificate Validation After Installing App Volumes Agent

SSL and SSL certificate validation are enabled by default when you install the App Volumes agent.

You can disable SSL certificate validation and SSL communication between App Volumes agent and App Volumes Manager after you have installed the agent.

Prerequisites

Ensure that you have enabled HTTP in App Volumes Manager. For more information, see Enable an HTTP Connection in App Volumes Manager.

Procedure

  1. Log in as administrator on the machine where the App Volumes agent is installed. 

  2. Click the Start menu in Windows and enter regedit to open the Registry editor. 

  3. In the Registry Editor, go to HKLM\System\CurrentControlSet\Services\svservices\Parameters. 

  4. Locate and set the EnforceSSlCertificateValidation key to 0. The SSL certificate is no longer validated. 

  5. To disable SSL communication, set the SSL key in the HKLM\System\CurrentControlSet\Services\svservices\Parameters path to 0. 

SSL certificate validation and SSL communication between App Volumes agent and App Volumes Manager are disabled.
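
Because these two values decide whether an agent talks to the manager over validated SSL, unvalidated SSL, or plain HTTP, they are worth auditing on agent machines. The following PowerShell script is an added example, not part of the original article; treating a missing value as the installer default (enabled) is an assumption, and the -ComputerName parameter is a convenience of the example that requires PowerShell remoting.

```powershell
# Added example: report the transport state of App Volumes agents from the two
# registry values described above. With no -ComputerName it checks the local machine.
param([string[]]$ComputerName)

$check = {
    $path   = 'HKLM:\System\CurrentControlSet\Services\svservices\Parameters'
    $params = Get-ItemProperty -LiteralPath $path -ErrorAction Stop

    # Assumption: a value that is absent means the installer default (enabled = 1).
    function Get-AgentFlag([string]$Name) {
        $v = $params.$Name
        if ($null -eq $v) { return 1 }
        return [int]$v
    }

    $ssl      = Get-AgentFlag 'SSL'
    $validate = Get-AgentFlag 'EnforceSSlCertificateValidation'

    # SSL = 0 overrides everything else: traffic is plain HTTP.
    $state = if ($ssl -eq 0) {
        'HTTP: no encryption, no server authentication'
    } elseif ($validate -eq 0) {
        'SSL without certificate validation: encrypted, manager identity not verified'
    } else {
        'SSL with certificate validation'
    }

    [pscustomobject]@{
        Computer                        = $env:COMPUTERNAME
        SSL                             = $ssl
        EnforceSSlCertificateValidation = $validate
        State                           = $state
    }
}

if ($ComputerName) {
    Invoke-Command -ComputerName $ComputerName -ScriptBlock $check
} else {
    & $check
}
```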
 
