Setting up secure communication with a VMware vCenter server

Ops Center Automator Installation and Configuration Guide

Version: 11.0.x
Audience: anonymous
Part Number: MK-99AUT000-24

As with all web service connections that use secure communication, you must import the VMware vCenter Server root certificates to the Ops Center Automator Common Component truststore that Ops Center Automator references. However, if you plan to use the ESX cluster service templates, you must also install the VMware vCenter Server root certificates into the OS truststore in order to configure secure communication for the prerequisite software in the service templates. You can also change the cipher suites to be used.

Note: If you do not plan to use the ESX cluster service templates, you do not need to complete this procedure.
  1. Download the VMware vCenter Server root certificates as follows:
    1. Using a web browser, access the vCenter user interface.
    2. In the right-side window, select Download trusted root CA certificates.
    3. Select a download location on the server where the Ops Center Automator Common Component truststore resides and confirm the download.
  2. On the server with the Common Component truststore, go to the location in which you downloaded the zip file and unzip the file.
    Note: If the downloaded file does not have a .zip extension, change the extension to .zip.
    • In Windows, the result is a .certs folder that contains both certificate files.
    • In Linux, the result includes a directory named lin that contains a file with a .0 extension (xxx.0).
  3. Import the VMware vCenter Server root certificates into the Common Component truststore by running the following command:

    For Windows:

    Common-Component-installation-folder\bin\hcmds64keytool -import -alias alias-name -keystore Common-Component-installation-folder\uCPSB11\hjdk\jdk\lib\security\jssecacerts -file certificate-file -storetype JKS

    For Linux:

    Common-Component-installation-directory/uCPSB11/jdk/bin/keytool -import -alias alias-name -keystore Common-Component-installation-directory/uCPSB11/hjdk/jdk/lib/security/jssecacerts -file certificate-file -storetype JKS

    When importing the certificates with the Java keytool, ensure that the truststore password is six or more characters long, and that the new alias name does not conflict with an alias that already exists in the truststore. Because the certificates in use vary with the environment and configuration, import the RSA certificate, the ECDSA certificate, or both into the Common Component truststore, depending on which certificates VMware vCenter Server provides.

  4. Install the certificates into the OS truststore.
    In Windows:
    1. Right-click the file with the .crt extension and select Install Certificate.
      The Import Certificate Wizard opens.
    2. Select Local Machine, then click Next.
    3. Select Place all certificates in the following store.
    4. Click Browse, select Trusted Root Certification Authorities, then click Finish.
    5. Repeat steps 1 through 4 on the file with the .crl extension.
    In Linux:
    1. Copy the "xxx.0" file to the following directory:
      /etc/pki/tls/certs
  5. (Optional) If you want to change the cipher suites to be used for communication with the VMware vCenter server, do the following:
    Note: When you use the following service templates to communicate with VMware vCenter Server, the property in this step has no effect and you do not need to perform this step.
    • Allocate Volumes, Fabric, and Datastore for ESXi Host
    • Allocate Fabric Aware Volumes and Create Datastore for ESX Cluster
    • Add Host to Cluster in vCenter
    • Remove Host from Cluster in vCenter
    1. Open the config_user.properties file from the following location:
      In Windows (non-cluster): Automation-software-installation-folder\conf

      In Windows (cluster): shared-folder_name\Automation\conf

      In Linux: Automation-software-installation-directory/conf

    2. Edit the tls.client.cipherSuites line. If the tls.client.cipherSuites line does not exist, add it.

      The client uses one of the cipher suites listed in the tls.client.cipherSuites line for the communication. Specify the cipher suites you want to allow in that line; if you want to allow more than one, separate them with commas.

      For available cipher suites, see Cipher suites supported as a client.

      For details about the tls.client.cipherSuites property, see Changing the system configuration.

  6. Restart the services by running the hcmds64srv command.
    Note: If you plan to use the ESX cluster service templates, you must also install Python as described in the Hitachi Ops Center Automator User Guide.
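The following is an added example, not part of this guide or of the Ops Center Automator product, that automates the edit in step 5: it sets the tls.client.cipherSuites line in a config_user.properties file, replacing the line if it exists and appending it otherwise, and collapses duplicate definitions so only one value is in effect. The sample properties content and the cipher suite names are constructed; whether a given suite is accepted is decided by the Cipher suites supported as a client section, which this code does not check.

```python
import re
from typing import Iterable

# Property the guide tells us to edit in config_user.properties.
CIPHER_KEY = "tls.client.cipherSuites"

# Cipher suite names follow the IANA TLS_ naming convention. This only checks
# the shape of a name, not whether Ops Center Automator supports it.
_SUITE_NAME = re.compile(r"^TLS_[A-Z0-9_]+$")
_KEY_LINE = re.compile(rf"^\s*{re.escape(CIPHER_KEY)}\s*[=:]\s*(.*)$")


def set_cipher_suites(properties_text: str, suites: Iterable[str]) -> str:
    """Return properties_text with tls.client.cipherSuites set to the given
    suites, comma separated. Replaces an existing line, otherwise appends."""
    suites = [s.strip() for s in suites]
    if not suites:
        raise ValueError("at least one cipher suite is required")
    for s in suites:
        if not _SUITE_NAME.match(s):
            raise ValueError(f"not a TLS cipher suite name: {s!r}")
    new_line = f"{CIPHER_KEY}={','.join(suites)}"
    out, replaced = [], False
    for line in properties_text.splitlines():
        # Commented-out lines (starting with #) do not match and are kept.
        if _KEY_LINE.match(line):
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop duplicate definitions of the same key
        out.append(line)
    if not replaced:
        out.append(new_line)
    return "\n".join(out) + "\n"


def get_cipher_suites(properties_text: str) -> list[str]:
    """Read back the configured suites (empty list if the key is absent)."""
    for line in properties_text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            return [s.strip() for s in m.group(1).split(",") if s.strip()]
    return []


# Constructed samples of config_user.properties content.
SAMPLE_WITHOUT_KEY = "# constructed sample\nsome.other.property=1\n"
SAMPLE_WITH_KEY = ("some.other.property=1\n"
                   "tls.client.cipherSuites=TLS_RSA_WITH_AES_128_CBC_SHA\n")

if __name__ == "__main__":
    print(set_cipher_suites(SAMPLE_WITH_KEY,
                            ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]))
```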