PowerVCF - Install Signed Certificates on Each Component Managed by SDDC Manager (Part 5)
This is the fifth and final blog in this series that discusses the process of Certificate Management with VMware Cloud Foundation. The series looks at the end to end process that you follow to take a freshly installed VMware Cloud Foundation platform (Management Domain) and replace the components with signed certificates using a Microsoft Certificate Authority.
In this post we will look at the process of installing the signed certificates using SDDC Manager.
Install Signed Certificates using the User Interface
The following procedure demonstrates the process through the SDDC Manager User Interface.
Procedure
- Open a web browser and go to https://lax01mgr01.lax.rainpole.local to reach the SDDC Manager login page.
- Log in using the [email protected] user account.
- Navigate to Inventory > Workload Domains.
- In the Workload Domains window, under Virtual Infrastructure (VI), select View Details.
- In the Virtual Infrastructure (VI) window, select MGMT from the Domain column.
- Select the Security tab.
- Select the checkbox in the table header to select all resource types and click Install Certificates.
NOTE: If you have not completed the Generate CSR and Generate Signed Certificates steps then refer to Parts 3 and Part 4 of this series.
Once complete, the User Interface shows the status message Certificate Installation is successful together with the message Added root certificate chain to the SDDC Manager keystore, you need to restart the SDDC Manager services manually (refer documentation). The restart is done from the SDDC Manager console:
- Connect to SDDC Manager lax01mgr01.lax.rainpole.local using an SSH client such as Putty.
- Log in using the vcf user account.
- Switch to root using the su command.
- Restart all the SDDC Manager services. Enter the following command and answer Y at the prompt.
/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
Wait for the services to restart. When you log back in to the User Interface, the warning message is gone and only Certificate Installation is successful remains.
Install Signed Certificates using PowerVCF
The following procedure demonstrates the process through PowerVCF.
Assumption: You have already installed or imported PowerVCF on your system.
Procedure
Before performing any operations on SDDC Manager using PowerVCF you must enter the credentials. The PowerVCF cmdlet Request-VCFToken (Connect-VCFManager in earlier PowerVCF releases) takes these credentials and stores them as a base64 string, which is then used by each subsequent cmdlet. Enter the following syntax:
Connect-VCFManager -fqdn lax01mgr01.lax.rainpole.local -username admin -password "VMw@re1!"
The process of installing the signed certificates via PowerVCF requires passing a JSON spec containing the required input details as follows:
{
  "operationType": "",
  "resources": [
    {
      "fqdn": "",
      "name": "",
      "resourceId": "",
      "type": ""
    }
  ]
}
The operationType element supports INSTALL. In our example we will now enter INSTALL as follows:
{
  "operationType": "INSTALL",
  "resources": [
    {
      "fqdn": "",
      "name": "",
      "resourceId": "",
      "type": ""
    }
  ]
}
Next we need to populate the resources part of the JSON spec for each component we want to install the certificate for. To achieve this we need the following four elements of information for each component (just like we did for generating the CSR files and creating the signed certificates):
- fqdn - The fully qualified domain name, as it is stored in the SDDC Manager inventory.
- name - The hostname, which can be derived from the fqdn (the first label).
- resourceId - The unique id assigned to the component and stored in the SDDC Manager inventory.
- type - The flag identifying what type of component the resource is. SDDC Manager has the following resource types: SDDC_MANAGER, PSC, VCENTER, NSX_MANAGER, NSXT_MANAGER, VRA, VRLI, VROPS, VRSLCM, VXRAIL_MANAGER.
In this example we are going to include the VCENTER and SDDC_MANAGER resource types. Using the Get-VCFvCenter and Get-VCFManager cmdlets we can obtain the fqdn and resourceId values.
First let's look at the Get-VCFvCenter cmdlet. Enter the following syntax:
Get-VCFvCenter | select id,fqdn
Using the select command we return just the id and fqdn values, which is all we need for the JSON spec. With this information we can now build the resources section like this:
{
  "operationType": "INSTALL",
  "resources": [
    {
      "fqdn": "lax01m01vc01.lax.rainpole.local",
      "name": "lax01m01vc01",
      "resourceId": "a0652869-dc9b-426a-a9f6-f2866830dceb",
      "type": "VCENTER"
    }
  ]
}
Next we want to do the same for SDDC Manager using the Get-VCFManager cmdlet. Enter the following syntax:
Get-VCFManager | select id,fqdn
Add this additional information to the JSON spec as follows, then save the file. In this example I call it updateCertificateSpec.json.
{
  "operationType": "INSTALL",
  "resources": [
    {
      "fqdn": "lax01m01vc01.lax.rainpole.local",
      "name": "lax01m01vc01",
      "resourceId": "a0652869-dc9b-426a-a9f6-f2866830dceb",
      "type": "VCENTER"
    },
    {
      "fqdn": "lax01mgr01.lax.rainpole.local",
      "name": "lax01mgr01",
      "resourceId": "41290562-a6a5-4d3b-8f3c-25b0dd5535f6",
      "type": "SDDC_MANAGER"
    }
  ]
}
Now that the JSON spec is ready, we can install the signed certificates using the Set-VCFCertificate cmdlet. This cmdlet needs two inputs: the name of the Workload Domain (MGMT in this example) and the JSON file we have just created. Enter the following syntax:
Set-VCFCertificate -domainName MGMT -json E:\MyLab\updateCertificateSpec.json
After executing this command you are presented with a response containing a Task ID and the status of the request. You can check the status of the request using the Get-VCFTask cmdlet. Enter the following syntax:
Get-VCFTask d6c66f48-e95f-4382-8945-45ca2efc12e0 | select id,name,status
Here we can see a task named Certificate Operation: REPLACE_CERTIFICATE with a status of IN_PROGRESS. This step takes some time as it cycles through the components; you can repeat the same Get-VCFTask command until the status changes to SUCCESSFUL.
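The steps above can be scripted end to end. The following is an added example, not code from the original post or from the PowerVCF project: it builds the INSTALL spec from the inventory cmdlets shown above, submits it with Set-VCFCertificate and polls Get-VCFTask until the task leaves IN_PROGRESS. It assumes the session is already authenticated, that the environment contains only the management components (as in this series), and that the object returned by Set-VCFCertificate exposes the task id and name as id and name.

```powershell
# Added example (not from the original post or PowerVCF). Assumes an authenticated
# PowerVCF session and that Set-VCFCertificate returns an object with .id and .name.
$specPath = 'E:\MyLab\updateCertificateSpec.json'   # path used in the post

# Turn one inventory object (from Get-VCFvCenter / Get-VCFManager) into a resources entry.
function New-CertResource ($obj, [string]$type) {
    [ordered]@{
        fqdn       = $obj.fqdn
        name       = ($obj.fqdn -split '\.')[0]   # hostname is the first label of the FQDN
        resourceId = $obj.id
        type       = $type
    }
}

# In a fresh Management Domain these return only the management vCenter and SDDC Manager.
$resources = @()
Get-VCFvCenter | ForEach-Object { $resources += New-CertResource $_ 'VCENTER' }
Get-VCFManager | ForEach-Object { $resources += New-CertResource $_ 'SDDC_MANAGER' }

$spec = [ordered]@{ operationType = 'INSTALL'; resources = $resources }
$spec | ConvertTo-Json -Depth 4 | Set-Content -Path $specPath -Encoding ascii

# Submit the install and poll the task until it is no longer IN_PROGRESS.
$task = Set-VCFCertificate -domainName MGMT -json $specPath
do {
    Start-Sleep -Seconds 30
    $status = (Get-VCFTask $task.id).status
    Write-Host "$(Get-Date -Format T) $($task.name): $status"
} while ($status -eq 'IN_PROGRESS')

# Anything other than SUCCESSFUL (for example FAILED) stops the run before the service restart.
if ($status -ne 'SUCCESSFUL') {
    throw "Certificate install task $($task.id) ended with status $status"
}
```

The service restart described next is still a manual step on the SDDC Manager appliance; the script only gates it on the task outcome.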
The final step in the process is to restart the SDDC Manager services.
- Connect to SDDC Manager lax01mgr01.lax.rainpole.local using an SSH client such as Putty.
- Log in using the vcf user account.
- Switch to root using the su command.
- Restart all the SDDC Manager services. Enter the following command and answer Y at the prompt.
/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh
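Once the services are back, it is worth confirming from the admin workstation that each endpoint actually presents the CA-signed certificate rather than the original self-signed one. The following is an added example, not part of the original post: it opens a TLS connection to each FQDN, reads the served certificate and checks the issuer, expiry and SAN. The issuer string is a placeholder for your Microsoft CA's issuer DN, and TCP 443 is assumed reachable.

```powershell
# Added example (not from the original post). Verifies the certificate each component
# now serves. $expectedIssuerPattern is a placeholder: use a substring of your CA's issuer DN.
$expectedIssuerPattern = 'CN=rainpole-CA'
$endpoints = 'lax01m01vc01.lax.rainpole.local', 'lax01mgr01.lax.rainpole.local'

function Get-ServedCertificate ([string]$fqdn, [int]$port = 443) {
    $client = [System.Net.Sockets.TcpClient]::new($fqdn, $port)
    try {
        # The callback accepts any chain only so the handshake completes and the
        # certificate can be read; the real checks are done explicitly below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($fqdn)
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

foreach ($fqdn in $endpoints) {
    $cert = Get-ServedCertificate $fqdn
    $ok = ($cert.Issuer -like "*$expectedIssuerPattern*") -and
          ($cert.Subject -ne $cert.Issuer) -and             # not self-signed
          ($cert.NotAfter -gt (Get-Date)) -and              # not expired
          ($cert.DnsNameList.Unicode -contains $fqdn)       # SAN covers the FQDN
    '{0,-35} issuer={1} expires={2:d} ok={3}' -f $fqdn, $cert.Issuer, $cert.NotAfter, $ok
}
```

Any endpoint reporting ok=False still serves the old certificate or a certificate whose SAN does not match, which is the case to chase before clients start trusting the new chain.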
And there you have it: we have successfully replaced the certificates on the vCenter Server and SDDC Manager systems with CA-signed certificates using both the User Interface and PowerVCF.
I hope you have found this series of posts helpful.
Useful Links
If you would like to learn more about VMware Cloud Foundation or PowerVCF, check out these links: