...
When you access the IP address or URL of the Usage Meter Appliance in Internet Explorer, you see the warning:

There is a problem with this website's security certificate.
  - The security certificate presented by this website was not issued by a trusted certificate authority.
  - The security certificate presented by this website has expired or is not yet valid.
  - The security certificate presented by this website was issued for a different website's address.

You see a similar warning when using Firefox or Chrome.
This article provides steps to successfully generate a Certificate Signing Request (CSR) to send to an Internal CA to issue a signed SSL Certificate for use with vCloud Usage Meter.
This issue occurs because the self-signed SSL Certificate has either expired or is not compliant with your environment: it was not issued by a trusted certificate authority, or it was issued for another website URL.
vCloud Usage Meter requires a signed Certificate issued by a Certificate Authority (CA). To resolve this issue, generate and install a compliant certificate:

Generating a Certificate Signing Request

To generate a Certificate Signing Request to send to an Internal CA to issue a signed SSL Certificate:

1. Log in to the vCloud Usage Meter appliance as root.

2. Stop Tomcat by running the command:

   # service tomcat stop

3. Add the keytool command directory to your path by running the command:

   # export PATH=$PATH:/usr/java/latest/bin

4. Verify that the keytool command is now on your $PATH by running the command:

   # which keytool
   /usr/java/latest/bin/keytool

5. Change directory to /home/usgmtr/ by running the command:

   # cd /home/usgmtr/

6. Back up the existing .keystore file by running the command:

   # cp .keystore .keystore.bak

7. Create a new key to be used to generate a new CSR (Certificate Signing Request) by running the command:

   # keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -keystore .keystore

   Notes:
   - The keystore password must be silverpen.
   - This must be the keystore in /home/usgmtr. There are multiple keystores on the appliance, and the other keystores will not have the intended effect.
   - If the command does not work or you receive the Key Pair already exists error message, delete the existing Tomcat alias from the keystore and re-run the previous genkey command:

     # keytool -delete -alias tomcat -keystore .keystore

8. Create the Certificate Signing Request (CSR) by running the command:

   # keytool -certreq -alias tomcat -keyalg RSA -file example.com.csr -keystore .keystore

   Note: Ensure the CN (Common Name) is either the FQDN or IP address of the Usage Meter server.
Obtaining the certificate

To generate a certificate on an Internal CA for use with vCloud Usage Meter:

Open the Certificate Signing Request (CSR) and copy the contents to the Internal CA, then obtain the signed public key, with the CA, in BASE64 .P7B format.

Example: Using the Microsoft Windows Certificate Authority

1. Using a web browser, go to: https://Internal_Certificate_Authority_URL/certsrv

2. Under Select a Task, click Request a Certificate.

3. Click Advanced Certificate Request.

4. Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

5. Open the Certificate Signing Request (CSR) file in a plain text editor and copy the contents into the Saved Request section, starting with -----BEGIN CERTIFICATE REQUEST----- to -----END CERTIFICATE REQUEST-----.

6. Under Certificate Template, click Web Server then click Submit. You are shown the download options for the issued certificate.

7. Click Base 64 Encoded > Download certificate chain.

The certificate to import into the Usage Meter appliance has been generated.

Importing the certificate

To import the certificate into the Usage Meter appliance:

1. Import the certificate into the keystore by running the command:

   # keytool -import -trustcacerts -alias tomcat -file certificate_from_ca.p7b -keystore .keystore

   You see this confirmation message: Certificate reply was installed in keystore.

   Note: If you are asked if you want to trust the certificate, type y or yes.

2. Assign ownership of the keystore to the usgmtr user by running the command:

   # chown usgmtr .keystore

3. Copy the new keystore by running the commands:

   # service tomcat stop
   # service vami-lighttp stop
   # cp /home/usgmtr/.keystore /opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks.new

   Note: In vCloud Usage Meter 3.6.1 and later versions, you can find the .jks file in the following location: /usr/share/tomcat/conf/webserver_certificate.jks

4. Back up the existing keystore by running the command:

   # cp /usr/share/tomcat/conf/webserver_certificate.jks /usr/share/tomcat/conf/webserver_certificate.jks.bac

   Note: In vCloud Usage Meter 3.5 and older versions, you can find the .jks file in the following location: /opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks

5. Replace the existing keystore with the newly generated one by running the commands:

   # cp /usr/share/tomcat/conf/webserver_certificate.jks.new /opt/vmware/vfabric-tc-server-standard/um/conf/tcserver.jks
   # service tomcat start
   # service vami-lighttp start

6. Optionally, add an entry to the /etc/hosts file on the Usage Meter appliance for the Usage Meter FQDN which links to the IP address.

7. Verify that Tomcat is now running with the new SSL certificate as issued by the internal CA by accessing https://Usage_Meter_appliance_IP:8443 in a web browser.

Note: If the new SSL certificate is not shown, restart the Usage Meter appliance.
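A check that can be run after the import step and before the keystore is copied into place, given here as an added example that is not part of the original article: it reads `keytool -list -v` output for the tomcat alias and confirms that the CA reply is attached to the key pair, that the chain includes the CA, and that the CN matches. The function name check_tomcat_entry, the host name um.example.com and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the "tomcat" entry from `keytool -list -v` output.
# Usage on the appliance (um.example.com is an assumed FQDN):
#   keytool -list -v -alias tomcat -keystore /home/usgmtr/.keystore | check_tomcat_entry um.example.com
check_tomcat_entry() {
    awk -v want="$1" '
        /^Entry type:/               { type = $3 }
        /^Certificate chain length:/ { chain = $4 + 0 }
        # The first Owner/Issuer pair is Certificate[1], the server certificate.
        /^Owner:/  && owner == ""  { owner  = substr($0, 8) }
        /^Issuer:/ && issuer == "" { issuer = substr($0, 9) }
        END {
            cn = ""
            if (match(owner, /CN=[^,]*/)) cn = substr(owner, RSTART + 3, RLENGTH - 3)
            if (type != "PrivateKeyEntry") fail = "entry is not a PrivateKeyEntry; the CA reply is not attached to the key pair"
            else if (chain < 2)            fail = "chain length " chain "; CA chain missing, likely still the self-signed certificate"
            else if (owner == issuer)      fail = "server certificate is self-signed"
            else if (cn != want)           fail = "CN is \"" cn "\", expected \"" want "\""
            if (fail != "") { print "FAIL: " fail; exit 1 }
            print "OK: CN=" cn ", chain length " chain
        }'
}

# Constructed sample: entry after a successful import of the CA reply.
SAMPLE_SIGNED='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=um.example.com, OU=IT, O=Example, C=US
Issuer: CN=Example Internal CA, DC=example, DC=com
Certificate[2]:
Owner: CN=Example Internal CA, DC=example, DC=com
Issuer: CN=Example Internal CA, DC=example, DC=com'

# Constructed sample: entry straight after `keytool -genkey` (still self-signed).
SAMPLE_SELF_SIGNED='Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=um.example.com, OU=IT, O=Example, C=US
Issuer: CN=um.example.com, OU=IT, O=Example, C=US'

printf '%s\n' "$SAMPLE_SIGNED"      | check_tomcat_entry um.example.com
printf '%s\n' "$SAMPLE_SELF_SIGNED" | check_tomcat_entry um.example.com || true
```

A FAIL result at this point usually means the reply was imported into one of the appliance's other keystores or under a different alias, which is the case the notes in the CSR section describe.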