{"id":298,"date":"2011-03-18T17:15:35","date_gmt":"2011-03-18T21:15:35","guid":{"rendered":"http:\/\/enterpriseadmins.org\/blog\/?p=298"},"modified":"2011-03-18T19:00:09","modified_gmt":"2011-03-18T23:00:09","slug":"vcenter-mobile-access-vcma-and-custom-ssl-certificates","status":"publish","type":"post","link":"https:\/\/enterpriseadmins.org\/blog\/virtualization\/vcenter-mobile-access-vcma-and-custom-ssl-certificates\/","title":{"rendered":"vCenter Mobile Access (vCMA) and custom SSL certificates"},"content":{"rendered":"<p>If you haven&#8217;t heard of the vCMA Fling, you should stop reading this article and check out <a href=\"http:\/\/labs.vmware.com\/flings\">http:\/\/labs.vmware.com\/flings<\/a>.  It is by far my favorite application available.<\/p>\n<p>I like to use valid certificates on all VMware products.  I&#8217;ve replaced certificates used by vCenter, Update Manager, View and individual ESX\/ESXi hosts.  Today I started using the newest version of vCMA (vCenter Mobile Access) that has built-in SSL support &#8212; but uses a generic certificate.  I decided to find out how much effort would be required to replace this cert with a valid certificate issued from a certificate authority.<\/p>\n<p>I found the following article that helped a lot.  You&#8217;ll need everything on pages 2 and 3 of the document: <a href=\"http:\/\/www.informit.com\/articles\/article.aspx?p=407886&amp;seqNum=2\">http:\/\/www.informit.com\/articles\/article.aspx?p=407886&amp;seqNum=2<\/a><\/p>\n<p>The first step was to find the keytool required.  
A simple &#8220;find \/|grep keytool&#8221; showed me right where the command was, so I changed to that directory:<\/p>\n<pre>cd \/usr\/lib\/vmware\/mobile\/java\/jre1.6.0_11\/bin<\/pre>\n<p>Once in the proper directory, I decided to create a new key file (using the steps in the above article):<\/p>\n<pre>.\/keytool -genkey -alias mobile-vmware -keyalg RSA -keysize 2048 -dname \"CN=vcma.domain.test,OU=Organization Name,O=Parent Organization,L=City,ST=State,C=US,emailAddress=vmware-admin@domain.test\" -keypass mypass -keystore \/etc\/mobile\/ssl\/mobile-vmware.jks -storepass mypass<\/pre>\n<p>Easy enough.  Now we need to create a certificate request:<\/p>\n<pre>.\/keytool -certreq -v -alias mobile-vmware -file \/etc\/mobile\/ssl\/csr-mobile-vmware.pem -keypass mypass -storepass mypass -keystore \/etc\/mobile\/ssl\/mobile-vmware.jks<\/pre>\n<p>The command returns the following information if successful:<br \/>\nCertification request stored in file<br \/>\nSubmit this to your CA<\/p>\n<p>Take the contents of the generated file and submit them to your certificate authority.  Once the signed certificate is returned, copy it to \/etc\/mobile\/ssl (I used WinSCP for this task).  Another file you&#8217;ll need to transfer at this time is the CA certificate (Verisign\/internal\/etc).<\/p>\n<p>Once you have the two files copied over to the vCMA appliance, you&#8217;ll want to prepare your keystore to accept the certificate by importing the CA&#8217;s certificate.  
You can do that with this command:<\/p>\n<pre>.\/keytool -import -v -noprompt -trustcacerts -alias rootcacert -file \/etc\/mobile\/ssl\/rootca-certnew.cer -keystore \/etc\/mobile\/ssl\/mobile-vmware.jks -storepass mypass<\/pre>\n<p>The following results should be returned from that command:<br \/>\nCertificate was added to keystore<br \/>\n[Storing \/etc\/mobile\/ssl\/mobile-vmware.jks]<\/p>\n<p>Now we are ready to import our actual certificate:<\/p>\n<pre>.\/keytool -import -v -alias mobile-vmware -file \/etc\/mobile\/ssl\/mobile-vmware-certnew.cer -keystore \/etc\/mobile\/ssl\/mobile-vmware.jks -keypass mypass -storepass mypass<\/pre>\n<p>The following results should be returned from that command:<br \/>\nCertificate reply was installed in keystore<br \/>\n[Storing \/etc\/mobile\/ssl\/mobile-vmware.jks]<\/p>\n<p>Almost at the end now&#8230;<\/p>\n<p>We need a text editor, so I went the easy way and installed one I know how to use.  You can do the same with &#8220;yum install nano&#8221;.<\/p>\n<pre>nano \/usr\/lib\/vmware\/mobile\/tomcat\/apache-tomcat-6.0.28\/conf\/server.xml<\/pre>\n<p>Look through the file for a line that starts with:<\/p>\n<pre>&lt;Connector port=\"443\" protocol=\"HTTP\/1.1\"<\/pre>\n<p>In that section you&#8217;ll want to change the keystoreFile attribute to &#8220;\/etc\/mobile\/ssl\/mobile-vmware.jks&#8221; and the keystorePass attribute to &#8220;mypass&#8221;.<\/p>\n<p>Once the file is modified, save it and exit nano.  Now type the following:<\/p>\n<pre>service mobile restart<\/pre>\n<p>This restarts the vCMA application so that it reads in the certificate changes we made.  Now when you access vCMA you should check the certificate &#8212; it should be the valid one you created.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you haven&#8217;t heard of the vCMA Fling, you should stop reading this article and check out http:\/\/labs.vmware.com\/flings. It is by far my favorite application available. 
I like to use valid certificates on all VMware products. I&#8217;ve replaced certificates used &hellip; <a href=\"https:\/\/enterpriseadmins.org\/blog\/virtualization\/vcenter-mobile-access-vcma-and-custom-ssl-certificates\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":6,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[4],"tags":[],"class_list":["post-298","post","type-post","status-publish","format-standard","hentry","category-virtualization"],"_links":{"self":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/298","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/comments?post=298"}],"version-history":[{"count":4,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/298\/revisions"}],"predecessor-version":[{"id":302,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/posts\/298\/revisions\/302"}],"wp:attachment":[{"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/media?parent=298"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/categories?post=298"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/enterpriseadmins.org\/blog\/wp-json\/wp\/v2\/tags?post=298"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}