Using SSL Certificates with App Volumes Manager (2148178)
- Configuring SSL Certificates for Machine Managers
- Managing SSL Between App Volumes Manager and Agent
- Disabling SSL and SSL Certificate Validation
You can establish secure connections from App Volumes Manager to SQL Server and vCenter Server.
Establishing a Secure SQL Server Connection
If the instance of App Volumes Manager that you have installed connects to an SQL server, you can change the default Windows ODBC settings and connect securely to App Volumes Manager.
Ensure that you have downloaded the SSL certificate on the SQL server instance and imported the certificate as a Trusted Certificate onto the machine where App Volumes Manager is installed. Change the ODBC settings on this machine.
For detailed instructions, see the Microsoft Knowledge Base article 316898.
Establish a Secure vCenter Server Connection
You can securely connect to a vCenter Server from App Volumes using an SSL certificate.
Ensure that the vCenter Server you are connecting to has a domain SSL certificate. The certificate must be verified and accepted by App Volumes.
- From the App Volumes Manager console, click Machine Managers > Add Machine Manager.
- Enter the required Machine Manager information and click Save.
Enter vCenter Server
The host name of the Machine Manager. For example,
The user name with which you will access the machine. For example, YOURDOMAIN\administrator.
The password for the user name.
Select this option if your VM's datastore has local copies of volumes and you want to mount the local copies.
Mount on Host
Select this option if you want to connect directly to the VM host. This results in increased performance and decreases the burden on the vCenter Server.
- Verify the certificate details.
If the certificate is not trusted or verified, you see these messages:
- A window with details of the certificate (SHA1 fingerprint, period of validity) that is present in vCenter Server.
- A message at the top right corner:
Server error: SSL certificate is not verified and needs to be accepted to continue.
- Click Accept to accept the certificate.
You can also log in to vCenter Server as an administrator and verify the SHA1 code. The Machine Manager is successfully added after the certificate is verified.
- Click Certificate to view the certificate you added.
If the certificate is changed on vCenter Server after it has established a connection with App Volumes Manager, the Certificate not valid message is displayed when you log in to App Volumes Manager. You also see this message when you upgrade App Volumes to the latest version.
- To validate the certificate again, select the vCenter Server under Machine Managers, click Certificate, and accept the certificate.
You now have a trusted SSL certificate to connect to the vCenter Server.
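Clicking Accept pins whatever certificate was presented, so the SHA1 fingerprint in the dialog should be compared with the value read on vCenter Server itself before accepting. The following is an added example, not VMware's code: it computes the fingerprint of the certificate a host presents and compares it with a trusted value regardless of formatting. The function names and command-line arguments are assumptions.

```python
import hashlib
import re
import ssl
import sys


def sha1_fingerprint(pem_cert):
    """Colon-separated SHA-1 fingerprint of a PEM certificate's DER bytes."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Drop separators and case so 'aa:bb', 'AA BB' and 'AABB' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def fingerprints_match(shown, trusted):
    """True only for two complete (40 hex digit) and identical fingerprints."""
    a, b = normalize(shown), normalize(trusted)
    return len(a) == 40 and a == b


def served_fingerprint(host, port=443):
    """Fingerprint of the certificate the server presents on the wire.
    get_server_certificate() does not validate the chain; the check here
    is the comparison against a value obtained on vCenter Server itself."""
    return sha1_fingerprint(ssl.get_server_certificate((host, port)))


if __name__ == "__main__":
    # Arguments: vCenter host name, fingerprint read on vCenter as administrator.
    if len(sys.argv) != 3:
        sys.exit("usage: check_fp.py HOST TRUSTED_SHA1_FINGERPRINT")
    seen = served_fingerprint(sys.argv[1])
    ok = fingerprints_match(seen, sys.argv[2])
    print(f"{sys.argv[1]} presents {seen}: {'MATCH' if ok else 'MISMATCH'}")
    sys.exit(0 if ok else 1)
```

Run it from the machine where App Volumes Manager is installed so that it sees the same certificate the Manager does.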
A default self-signed certificate is installed when you install App Volumes Manager. App Volumes agents use SSL to communicate with the App Volumes Manager and validate the certificate.
Replace the Self-Signed Certificate with CA Certificate
A self-signed certificate is installed when you install App Volumes Manager. You can replace the default self-signed certificate by modifying the Nginx configuration file.
Note: The self-signed certificate is installed in the same location as the Nginx configuration file: C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf.
- Obtain an SSL certificate from a trusted Certificate Authority (CA).
- Download the CA certificate and the corresponding key to the machine where the App Volumes Manager is installed. Note down the location where the files are downloaded.
Note: Do not copy the CA certificate to the same folder as the self-signed certificates.
- If you provide a passphrase while generating the certificate, note down the passphrase.
- Verify that the Common Name on the CA certificate is the same as the host name or the IP address of App Volumes Manager that you configured while installing the agent.
- Verify that the SSL key and certificate are both in PEM Base-64 encoded format.
- Log in as administrator to the machine where the App Volumes Manager is installed.
- Navigate to C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf and make a copy of the existing Nginx configuration file nginx.conf.
- Open the Nginx configuration file.
- Edit the ssl_certificate and ssl_certificate_key variables in the Nginx configuration file to correspond to the certificate files that you downloaded.
- If the CA-signed certificate requires a passphrase, enter the passphrase for your certificate in the Nginx configuration file.
- Save the configuration file.
- Restart the App Volumes Manager service.
Example: Nginx Configuration File:
In this example, the appvol_ca1_vmware.com.crt and appvol_ca1_vmware.com.key are the default self-signed certificates.
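A pre-flight check for the edited configuration, run before restarting the service. This is an added example, not VMware's code: it reads the ssl_certificate and ssl_certificate_key settings, resolves relative names against the configuration folder as nginx does, and reports files left in the self-signed folder, files that are not PEM, and an encrypted key with no passphrase file. Assumptions: the passphrase is supplied through nginx's ssl_password_file directive (the page does not name the setting), and the C:/certs paths and file names are hypothetical.

```python
import re
from pathlib import PureWindowsPath

# Folder named on the page; it holds nginx.conf and the self-signed files.
CONF_DIR = PureWindowsPath(r"C:\Program Files (x86)\CloudVolumes\Manager\nginx\conf")
DIRECTIVE = re.compile(r"\s*(ssl_certificate(?:_key)?|ssl_password_file)\s+([^;]+);")
PEM_MARKER = {"ssl_certificate": "-----BEGIN CERTIFICATE-----",
              "ssl_certificate_key": "PRIVATE KEY-----"}


def tls_paths(conf_text):
    """Map each TLS file directive to its path; relative names resolve
    against the configuration folder, as nginx does."""
    found = {}
    for line in conf_text.splitlines():
        match = DIRECTIVE.match(line.split("#", 1)[0])  # ignore comments
        if match:
            found[match.group(1)] = CONF_DIR / match.group(2).strip().strip("\"'")
    return found


def preflight(conf_text, read_text):
    """Return a list of problems; read_text(path) returns a file's text."""
    paths, problems = tls_paths(conf_text), []
    for name, marker in PEM_MARKER.items():
        if name not in paths:
            problems.append(f"{name}: directive missing")
            continue
        if paths[name].parent == CONF_DIR:
            problems.append(f"{name}: file is in the self-signed folder")
        try:
            body = read_text(paths[name])
        except (OSError, KeyError):
            problems.append(f"{name}: cannot read file")
            continue
        if marker not in body:
            problems.append(f"{name}: not PEM Base-64 encoded")
        elif "_key" in name and "ENCRYPTED" in body and "ssl_password_file" not in paths:
            problems.append(f"{name}: encrypted key, no ssl_password_file")
    return problems


# Constructed sample: two edited directives and stand-in file contents.
SAMPLE_CONF = 'ssl_certificate "C:/certs/avm.crt";\nssl_certificate_key avm.key;  # relative\n'
SAMPLE_FILES = {PureWindowsPath("C:/certs/avm.crt"): "-----BEGIN CERTIFICATE-----",
                CONF_DIR / "avm.key": "-----BEGIN ENCRYPTED PRIVATE KEY-----"}

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE_CONF, SAMPLE_FILES.__getitem__)))
```

On the Manager machine, pass the text of nginx.conf and `lambda p: open(str(p)).read()` as read_text to check the real files.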
Import Default Self-Signed Certificate
If you do not want to replace the default self-signed certificate in the App Volumes Manager, you can import the certificate and add it to the local trust store of the machine where the App Volumes agent is installed.
If you have installed and configured multiple App Volumes Manager instances for use in all agent machines, then the self-signed certificates have to be imported from each App Volumes Manager instance to the agent machines.
- Verify that the certificate is a default self-signed certificate.
Note: If the certificate is a CA certificate, do not import it. You can download and add it to the trust store of the App Volumes agent directly.
- Obtain the IP address of the App Volumes Manager instance whose certificate you want to import.
- Verify that you have the Microsoft Management Console (MMC) on the machine where the App Volumes agent is installed.
- Log in as an administrator to the machine where the App Volumes agent is installed.
- In a Web browser, enter the host name or IP address of the App Volumes Manager in the form of https://hostname. A warning message that the SSL certificate is not validated is displayed.
- Click the warning message and follow instructions to download the SSL certificate displayed in the browser.
- Open MMC and import the downloaded SSL certificate.
You can disable SSL communication and SSL certificate validation between App Volumes agent and manager.
You can disable SSL communication and enable an HTTP connection when you are installing App Volumes Manager.
You might want to disable SSL communication, for example, when you upgrade App Volumes to the latest version, and want to install and test App Volumes immediately without configuring SSL certificates.
- When you choose network ports during App Volumes Manager installation, select the Allow Connections Over HTTP (insecure) option.
- Enter a value for the HTTP port or retain the default value of 80.
SSL is disabled and all communication with the App Volumes Manager occurs over HTTP.
Disable SSL Certificate Validation When Installing App Volumes Agent
The App Volumes agent validates the SSL certificate of the App Volumes Manager during communication with the manager.
You can disable the validation when installing the agent. You might want to disable the validation if you are running App Volumes Manager behind a load balancer.
When you install the App Volumes agent, select the Disable Certificate Validation with App Volumes Manager box on the App Volumes Agent window.
Certificate validation is disabled but communication still occurs over SSL.
Disable SSL and SSL Certificate Validation After Installing App Volumes Agent
SSL and SSL certificate validation are enabled by default when you install the App Volumes agent.
You can disable SSL certificate validation and SSL communication between App Volumes agent and App Volumes Manager after you have installed the agent.
Ensure that you have enabled HTTP in App Volumes Manager. For more information, see Enable an HTTP Connection in App Volumes Manager.
- Log in as administrator on the machine where the App Volumes agent is installed.
- Click the Start menu in Windows and enter regedit to open the Registry editor.
- In the Registry Editor, go to HKLM\System\CurrentControlSet\Services\svservices\Parameters.
- Locate and set the EnforceSSlCertificateValidation key to 0. The SSL certificate is no longer validated.
- To disable SSL communication, set the SSL key in the HKLM\System\CurrentControlSet\Services\svservices\Parameters path to 0.
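Settings disabled for a test tend to stay disabled, so agents are worth auditing for these two values. The following is an added example, not VMware's code: it parses the text printed by `reg query` for the Parameters key above and lists which of the two protections is switched off. Assumptions: the values are stored as numbers (REG_DWORD in the constructed sample), and a missing value counts as enabled, following the page's statement that both are on by default.

```python
import re

# Key path and value names are the ones given on the page.
KEY = r"HKLM\System\CurrentControlSet\Services\svservices\Parameters"
CHECKS = {
    "enforcesslcertificatevalidation": "certificate validation disabled",
    "ssl": "SSL disabled, agent uses HTTP",
}
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(\S+)\s*$")


def parse_reg_query(output):
    """Return {lower-cased value name: integer data} from `reg query` text.
    Registry value names are case-insensitive, hence the lower-casing."""
    values = {}
    for line in output.splitlines():
        match = VALUE_LINE.match(line)
        if not match:
            continue  # blank lines and the key header line
        name, _type, data = match.groups()
        try:
            values[name.lower()] = int(data, 0)  # accepts 0x0 and 0
        except ValueError:
            pass  # non-numeric data cannot be the 0 this audit looks for
    return values


def audit_agent(output):
    """List the weakened settings found in one agent's registry output."""
    values = parse_reg_query(output)
    return [msg for name, msg in CHECKS.items() if values.get(name) == 0]


# Constructed sample: `reg query` output from an agent where validation
# was switched off but SSL was left on.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\svservices\Parameters
    EnforceSSlCertificateValidation    REG_DWORD    0x0
    SSL    REG_DWORD    0x1
"""

if __name__ == "__main__":
    print(f"reg query {KEY}")
    for finding in audit_agent(SAMPLE) or ["no weakened settings"]:
        print(finding)
```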