Use this procedure to replace the VMware Identity Manager certificate or the globalenvironment setting in your VMware Aria Suite Lifecycle environment.

Note: The VMware Identity Manager and Workspace ONE Access terms are used interchangeably in VMware Aria Suite Lifecycle product documentation.

For related information about replacing certificates for VMware Aria Suite Lifecycle, see Replace certificate for VMware Aria Suite Lifecycle products.

Note: To replace a certificate on a clustered deployment, you must manually replace the certificate on the load balancer. If you encounter an error while replacing the certificate and you are running Workspace ONE Access version 3.3.7, see https://ikb.vmware.com/s/article/94095.

Generate a self-signed certificate

Use the Locker service to generate a Certificate Signing Request (CSR) and create a .pem file. With information from the .pem file, you import the cerficiate into the VMware Aria Suite Lifecycle locker .

  1. From the My Services dashboard, click Locker.
  2. Click Generate CSR and enter the name globalenvironment.
  3. Enter customer-specific values for all required fields on he Generate CSR form and click Generate to generate the .pem file.

    A sample form is shown below.

    Sample generate CSR page as described in the text.

    Note: To replace your certificate in a clustered environment, enter multiple domain names and IP addresses, separated by commas.
    A .pem file contains a certificate signing request and a private key as in the example below with certificate and key details removed. 
    -----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
  4. Submit the .pem file to a signing authority to request that it be signed. If you do not have a configured signing authority, perform the following steps.

    In this example, the signing authority is the Microsoft Active Directory Certificate Service and it is configured for http://localhost/certsrv/.

    1. Open http://localhost/certsrv/.
    2. Click Request a Certificate > Advance Certificate Request.
    3. For this example, click Request a certificate.

      Screen shows the request a certificate option as described in the text.

    4. Click Advanced certificate request.

      Screen shows the Advanced certificate request as described in the text.

    5. Click the Submit a certificate request using base64 encoded … option.

      Screen shows the Submit a certificate request ... option as described in the text.

    6. Paste the certificate .pem file content from your certificate request and click Submit.

      Screen shows the .pem content pasted into the form and the Submit key as described in the text.

  5. After the .pem is submitted. you are prompted to download a certificate. Select the Base64 encoded certificate format and select both the Download certificate and the Download certificate chain options.

    Screen shows all three options described in the text.

    This actions downloads certnew.cer for the certificate and certnew.p76 for the certificate chain. In this example, they are downloaded to a user downloads folder of C:\USERS\ARUN|DOWNLOADS. An example of both are provided below:
    • certnew.cer - certificate
      Reference: certnew.cer  
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
    • certnew.p7b - certificate chain
      Reference: certnew.p7b
 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  6. The root certificate is needed. In this example, an existing server certificate named cap-AD-CA exists and an existing root certificate of vidm.cap.org exists and both were issued by a signing authority of cap-AD-CA.

    Screen shows the two existing certificates described in the text.

  7. Split this into the globalenvironment certificate and the root certificate by using the Copy To File function. The certificates involved are certnew.cert, globalenvironmentcert.cert, rootcert.cert and the certnew.p7b certificate chain.

    The 4 files to use in the Copy To File function are shown.

  8. Import the globalenvironment certificate into the VMware Aria Suite Lifecycle Locker service:
    1. Click Locker from the VMware Aria Suite Lifecycle My Services page
    2. Click Certificates > Import.
    3. The Import Certificate page appears. In the Name field, enter globalenvironment.
  9. Using the extracted globalenvironment and root certificate as source, open Notepad ++ or any other text editor and create a certificate chain with two certificate sections: the server certificate content at the top followed by the root certificate content . The example below shows the two sections with details removed. 
    -----BEGIN CERTIFICATE-----
...
###server certificate content###
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
###root certificate content###
...
-----END CERTIFICATE-----
    • Copy and paste the private key content from the .pem file created by the generated CSR into the Private Key section of the Import Certificate form.
    • Copy and paste the content with the two certificate sections into the Certificate Chain section of the Import Certificate form.
  10. Verify the certificate chain by using a verification tool such https://tools.keycdn.com/ssl.
  11. Click Import to import the new globalenvironment certificate into VMware Aria Suite Lifecycle.

    A sample populated Import Certificate form is shown below.

    Sample populated Import Certificate form is shown as described in the text.

    When the import is successful, the Certificate successfully added. statement appears, as shown below.

    Certificate successfully added statement appears as described.

  12. You can display details about the successfully imported new certificate. A sample is shown below.

    Details page for newly imported globalenvironment certificate as described.

Create a snapshot of the environment

Before replacing your existing globalenvironment certificate with the new certificate, take a snapshot in the Lifecycle Operations service.

  1. From the VMware Aria Suite Lifecycle dashboard, click Lifecycle Operations.
  2. Click Environments and then click View Details on the globalenvironment tile.
  3. Click the 3 dot ellipse () following the Change Admin Password option and select Snapshot > Create Snapshot from the drop-down menu.

    Create a snapshot of the Lifecycle Operations service environment

  4. For this example, enter Snapshot Before Cert Replacement in the Snapshot Prefix field Description fields.
  5. Switch the Shutdown before taking snapshot option to the on position and click Next.

    Image of the Create Snapshot screen as described in the text.

  6. When prompted, click Run Precheck.
  7. When the precheck result is returned, click Finish.

    The completed Precheck result is returned and the Finish option is available as described in the text.

  8. After you click Finish, the Request Details page automatically appears and displays the progression of each stage of the pre-check process.
  9. When the snapshot request is complete, you can proceed to make the certificate replacement request.

Create the certificate replacement request

After you create the snapshot, you're ready to initiate the certificate replacement request and replace the existing standalone globalenvironment certificate with the new self-signed certificate.

  1. On the VMware Aria Suite Lifecycle My Services page, click Lifecycle Operations and then click Environments.
  2. Click View Details on the globalenvironment tile.
  3. Click the three dot icon (...) in the VMware Identity Manager row and click Replace Certificate from the drop-down menu.

    Displays selection of Replace Certificate as described in the text.

    The Current Certificate details page appears. If you've never replaced the certificate, then this is the default certificate that was used during installation of the product.

  4. On the resultant Current Certificate details page, click Next.

    The Select Certificate page appears.

  5. On the Select Certificate page, select globalenvironment from the drop-down menu.

    Select the globalenvironment option from the drop-down menu.

    The Select Certificate details page appears.

  6. On the resultant Select Certificate details page, click Next.

    The Retrust Product Certificate page appears.

  7. On the Retrust Product Certificate page, select all the products to be impacted by the retrust certificate action and then click Next.

    Select all the products and then click Next.

    The Opt-in for Snapshot page appears.

  8. Click the Opt-in for Snapshot check box to enable the option and then click Next.

    The Precheck page appears.

  9. On the Precheck page, click Run Precheck.
  10. If you are prompted to consent to a validation request, click Re-run Precheck.

    Review the pre-check results and take any further actions that are needed as prompted on-screen.

    Respond as needed to on-screen prompts.

  11. When all pre-check validations are complete, click Finish to submit the request.

    Click Finish.

  12. You can monitor the request details status by selecting Requests in the Lifecycle Operations left pane menu. The stages of the replace certificate action are detailed below. 
    Stage-1
 Gracefully Shut Down VMware Identity Manager
    Start
    Validate VMware Identity Manager Certificate
    Start graceful shutdown of VMware Identity Manager
    Prepare graceful shutdown of VMware Identity Manager nodes
    Check power states of VMware Identity Manager nodes
    Validate SSH credentials of VMware Identity Manager nodes
    Update VMware Identity Manager node types
    Extract vMoid of VMware Identity Manager nodes
    Verify Identity Manager Appliance Health Check
    Verify Identity Manager Postgres Health Check
    Validate VMware Identity Manager node types
    VMware Identity Manager stop horizon service
    VMware Identity Manager stop Elasticsearch / Opensearch service
    VMware Identity Manager stop pgpool service
    VMware Identity Manager stop postgres service
    Shutdown VMware Identity Manager nodes
    Final
 
Stage-2
 Create Node Snapshot
    Start
    Get vMoid using Virtual Machine
    Virtual Machine Snapshot using vMoid
    Final
 
Stage-3
 Power on VMware Identity Manager Node(s)
    Start
    Validate VMware Identity Manager Certificate
    Start Power On of VMware Identity Manager nodes
    Prepare required inputs to power on VMware Identity Manager Node(s)
    Extract vMoid
    Power On VMware Identity Manager Node
    Check Hostname/IP status of VMware Identity Manager
    Get node endpoint of VMware Identity Manager
    Final
 
Stage-4
 Remediate VMware Identity Manager
    Start
    Start remediation of VMware Identity Manager
    Prepare required inputs to remediate VMware Identity Manager
    Validate ssh credentials of VMware Identity Manager
    VMware Identity Manager start pgpool service
    Update VMware Identity Manager node types
    Check primary node status of VMware Identity Manager
    VMware Identity Manager Appliance Health Check
    Update VMware Identity Manager node details with VMware Aria Suite Lifecycle's inventory
    Final
 
Stage-5
 Product Health Check
    Start
    Product Health Check prepare
    vIDM health pre-Check
    Final
 
Stage-6
 Update Certificate on VMware Identity Manager
    Start
    Validate VMware Identity Manager Certificate
    Start update of Certificate on  VMware Identity Manager nodes
    Update  Certificate on  VMware Identity Manager nodes
    Final
 
Stage-7
 Trust vIDM Certificate in LCM
    Start
    Add vIDM certificate to VMware Aria Suite Lifecycle trust store
    Final
 
Stage-8
 Revert to Node Snapshot
    Start
    Get vMoid
    Final
 
Stage-9
 Power On VMware Identity Manager Nodes
    Start
    Validate VMware Identity Manager Certificate
    Final
 
Stage-10
 Remediate VMware Identity Manager Nodes
    Start
    Start remediation of VMware Identity Manager
    Prepare required inputs to remediate VMware Identity Manager   
    Validate ssh credentials of VMware Identity Manager
    VMware Identity Manager start pgpool service
    Update VMware Identity Manager node types
    Check primary node status of VMware Identity Manager
    VMware Identity Manager Appliance Health Check
    Update VMware Identity Manager node details with VMware Aria Suite Lifecycle's inventory
    Final
 
Stage-11
 Product Health Check
    Start
    Product Health Check prepare
    Final
 
Stage-12
 Delete Node Snapshot
    Start
    Get vMoid Delete Snapshot
    Delete Node Snapshot
    Final
 
Stage-13
 Locker Reference Update
    Start
    Locker reference update init
    Locker reference inventory  update
    Final
 
Stage-14
 Product Replace Update Notification
    Start
    Start replace update notification
    Replace certificate notification
    Final
 
Stage-15
 Validate if VMware Identity Manager re-trust is required on products
    Start
    Start Validate if VMware Identity Manager re-trust is required on products
    Validate if VMware Identity Manager re-trust is required on products
    Final
 
Stage-16
 Update VMware Identity Manager Auth provider hostname
    Start
    Start update auth provider hostname
    Trust VMware Identity Manager Certificate in VMware Aria Suite Lifecycle
    Update VMware Identity Manager Auth provider hostname
    Final
 
Stage-17
 Retrust VMware Identity Manager on VMware Aria Automation
    Start
    Start VMware Identity Manager flow
    Check if vIDM root certificate is present on VMware Aria Automation
    Check for VMware Identity Manager availability
    Check for VMware Identity Manager Login Token
    Check for VMware Identity Manager Default Configuration User availability
    Configure VMware Identity Manager  for VMware Aria Automation
    Configure Load Balancer for VMware Aria Automation
    Initialize VMware Aria Automation
    Update VMware Identity Manager allowed redirects
    Final
 
VMware Aria Operations reconfigure vidm
    Start
    Start VMware Aria Operations - VMware Identity Manager reconfigure
    Reconfigure VMware Identity Manager
    Prepare Identity Manager catalog task
    Final
 
VMware Aria Operations for Logs retrust vidm
    Start
    Start VMware Aria Operations for logs retrust vIDM
    Prepare Nodes
    Final
 
VMware Aria Operations for Networks Reconfigure vidm
    Start
    Start VMware Aria Operations for Networks generic
    Validate and fetch VMware Aria Operations for Networks vidm client details
    vIDM get O Auth client details
    Reconfigure vIDM hostname
    Final
  
Stage-18
Re-trust VMware Identity Manager on VMware Aria Automation
    Start
    Start VMware Identity Manager flow
    Check if vIDM root certificate is present on VMware Aria Automation
    Check for VMware Identity Manager availability
    Check for VMware Identity Manager Login Token
    Check for VMware Identity Manager Default Configuration User availability
    Configure VMware Identity Manager  for VMware Aria Automation
    Configure Load Balancer for VMware Aria Automation
    Initialize VMware Aria Automation
    Update VMware Identity Manager allowed redirects
    Final
 
 VMware Aria Operations reconfigure vidm
    Start
    Start VMware Aria Operations - VMware Identity Manager reconfigure
    Reconfigure VMware Identity Manager
    Prepare Identity Manager catalog task
    Final
  13. When complete, confirm that the certificate is in use by clicking Locker from the My Services page of VMware Aria Suite Lifecycle and then select Certificates > globalenvironment.

    Confirm the globalenvironment certificate in the Locker.

    You can also view VMware Aria Suite Lifecycle and VMware Identity Manager logs. The log statement Applied certificate to vIDM.. indicates that the VMware Identity Manager services are being restarted.