By adding a system property, you can activate the certificate path validation algorithm for your trusted certificates.

Automation Orchestrator uses an enhanced public-key infrastructure X.509 (PKIX) certification path when working with certificates to establish an SSL or TLS connection with a host. Automation Orchestrator must continue to work uninterrupted when it connects to a host whose certificate has been renewed and was issued by a trusted certificate authority (CA) included in the Automation Orchestrator trust store.

If the subject certificate or some of the intermediate certificates are renewed, the algorithm makes an informed trust decision on whether it can trust any certificate that is not already explicitly trusted.

Note: Activating the com.vmware.o11n.certPathValidator system property makes certificate validation stricter, following RFC 5280. After you activate the certificate validation algorithm, some workflows associated with a host that has a trusted but outdated certificate start to fail. To resolve this, renew the certificate of that host so it uses a valid, up-to-date certificate, and add it to the Automation Orchestrator trust store again.
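The trust decision described above, as an added example that is not part of this documentation or of Automation Orchestrator itself: a shell script that uses the openssl CLI to build a throwaway CA and two certificates for the same host, then compares explicit trust of one pinned certificate with PKIX path validation against the CA. It assumes the openssl command is available; the CA name and hostname are constructed.

```shell
#!/bin/sh
# Added illustration (not VMware's code): contrasts explicit trust of one
# pinned leaf certificate with PKIX path validation against a CA in the trust
# store, which is what com.vmware.o11n.certPathValidator switches on.
# Everything below is constructed with the openssl CLI in a temporary directory.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed trust anchor standing in for a CA in the Orchestrator trust store.
openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Lab CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# issue_leaf NAME DAYS: issue a certificate for the same host from that CA.
# Calling it twice simulates the host renewing its certificate.
issue_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=host.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days "$2" -out "$WORK/$1.pem" 2>/dev/null
}
issue_leaf old 365
issue_leaf renewed 365

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Explicit trust: the store holds the old leaf itself, so only a certificate
# with exactly that fingerprint is accepted; a renewed one is not.
pinned_trust() { [ "$(fingerprint "$1")" = "$(fingerprint "$WORK/old.pem")" ]; }

# Path validation: any certificate that chains to the trusted CA and is valid
# at the evaluation time (default: now) is accepted. openssl verify applies
# the RFC 5280 checks, including the validity period.
path_trust() {
  openssl verify -CAfile "$WORK/ca.pem" -attime "${2:-$(date +%s)}" "$1" >/dev/null 2>&1
}

# decide MODE CERT [EPOCH]: print accept or reject for the given trust mode.
decide() { mode=$1; shift; if "$mode" "$@"; then echo accept; else echo reject; fi; }

# 400 days from now the 365-day renewed certificate is outdated.
FUTURE=$(( $(date +%s) + 400 * 86400 ))

echo "pinned trust, renewed certificate:         $(decide pinned_trust "$WORK/renewed.pem")"
echo "path validation, renewed certificate:      $(decide path_trust "$WORK/renewed.pem")"
echo "path validation, same certificate in 400d: $(decide path_trust "$WORK/renewed.pem" "$FUTURE")"
```

The last line is the situation the note above warns about: path validation accepts a renewed certificate from a trusted CA, but rejects one that is past its validity period even though it chains to that CA.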

Procedure

  1. Log in to the Control Center as root.
  2. Select System Properties, and click New.
  3. In the Key text box, enter com.vmware.o11n.certPathValidator.
  4. In the Value text box, enter true.
  5. (Optional) Add a description for the system property.
  6. Click Add.
    A pop-up window appears.
  7. To finish adding the new system property, click Save changes from the pop-up window.
  8. Wait for the server to automatically restart so the changes are applied.

Results

The certificate validation algorithm is now active. For more information on managing Automation Orchestrator certificates, see Manage Automation Orchestrator certificates.

What to do next

If your Automation Orchestrator deployment uses vSphere as an authentication provider and you change the vCenter certificate, you must restart the Automation Orchestrator pod so the environment can use the new certificate. To restart your pod, use the following procedure:

  1. Log in to the Automation Orchestrator Appliance as root.
  2. Run the following commands:
    kubectl -n prelude scale deployment vco-app --replicas=0
    kubectl -n prelude scale deployment vco-app --replicas=1
    Note: For clustered Automation Orchestrator deployments, replace the second command with the following:
    kubectl -n prelude scale deployment vco-app --replicas=3