The security of the environment depends on the validity and trustworthiness of the management components' certificates. If a certificate is approaching expiration, has expired, has been compromised, or its attributes must change, regenerate and replace it.

Table 1. Design Decisions on Certificate Management for Intelligent Network Visibility

Decision ID: INV-VAON-SEC-011
  Design Decision: Use a CA-signed certificate containing the fully qualified domain names (FQDNs) of each VMware Aria Operations for Networks platform and collector node in the SAN attributes when deploying VMware Aria Operations for Networks.
  Design Justification: Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API of VMware Aria Operations for Networks is encrypted.
  Design Implication:
    • Using CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.
    • Each time a node is added, the certificate must be replaced to include the fully qualified domain name of the additional node.

Decision ID: INV-VAON-SEC-012
  Design Decision: Use a SHA-2 or higher algorithm when signing certificates.
  Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.
  Design Implication: Not all certificate authorities support SHA-2.

Update the NSX to VMware Aria Operations for Networks Integration for Intelligent Network Visibility for VMware Cloud Foundation

Before the certificate for the NSX principal identity expires, you regenerate the certificate, update the principal identity with it, and then replace the certificate and private key and refresh the credential in VMware Aria Operations for Networks.

Replace the NSX Principal Identity Certificate for Intelligent Network Visibility for VMware Cloud Foundation

To continue using the NSX Manager principal identity, you regenerate its certificate and private key and refresh the principal identity before the current certificate expires.

If you followed the Prepare the NSX to VMware Aria Operations for Networks Integration for Cloud-Based Network Visibili… procedure when implementing this validated solution, the NSX Manager principal identity certificate expires in 365 days. You use the contents of the certificate and the key file to refresh the principal identity in NSX Manager.

Note:

Some steps in this procedure require the use of the NSX API. To make this process easier, you use PowerShell cmdlets instead.

Procedure

  1. Log in to SDDC Manager at <sddc_manager_fqdn>:22 as the vcf user by using a Secure Shell (SSH) client.
  2. Switch to the super user.
    su
  3. Generate the certificate and private key.
    openssl req -newkey rsa:2048 -sha256 -x509 -days 365 -subj "/CN=nsx_local_manager_cluster_hostname" -extensions usr_cert -nodes -keyout nsx_local_manager_cluster_hostname.key -out nsx_local_manager_cluster_hostname.cer
    Note:

    You use the nsx_local_manager_cluster_hostname.key and nsx_local_manager_cluster_hostname.cer contents to refresh the principal identity in NSX Manager and refresh the credential in VMware Aria Operations for Networks.

  4. Import the new certificate in NSX Manager.
    1. Log in to NSX Manager at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.
    2. On the main navigation bar, click System.
    3. In the left pane, navigate to Settings > Certificates.
    4. Click the Certificates tab and, from the Import drop-down menu, select Certificate.
    5. In the Import certificate dialog box, enter a certificate name identical to the service account name and turn off the Service certificate toggle switch.
    6. In the Certificate contents text box, paste the contents of the nsx_local_manager_cluster_hostname.cer certificate file.
    7. In the Private key text box, paste the contents of the nsx_local_manager_cluster_hostname.key file and click Save.
    8. Expand the newly created certificate and copy the ID.
  5. Update the principal identity with the new certificate by using PowerShell.
    1. Start PowerShell.

    2. Replace the values in the sample code and run the commands in the PowerShell console.
      $nsxManager = "sfo-m01-vc01.sfo.rainpole.io"
      $nsxUser = "admin"
      $nsxPass = "VMw@re1!VMw@re1!"
      
      $principalIdentity = "svc-inv-sfo-m01-nsx"
      $newCertificateId = "32fc1dd0-fabd-4643-b64e-35b708424538"
    3. Obtain the ID of the existing principal identity by running the command in the PowerShell console.
      $principalId = (Get-NsxtPrincipalIdentity -name $principalIdentity).id
    4. Update the principal identity's certificate by using the imported certificate's ID and the principal identity user ID.
      Set-NsxtPrincipalIdentityCertificate -principalId $principalId -certificateId $newCertificateId
  6. Remove the expired certificate from NSX Manager.
    1. Log in to NSX Local Manager for the management domain at https://<management_domain_nsx_local_manager_fqdn>/login.jsp?local=true as admin.
    2. On the main navigation bar, click System.
    3. In the left pane, navigate to Settings > Certificates.
    4. Locate the expired certificate, click the ellipsis and click Delete.
    5. In the Delete dialog box, click Delete.
  7. Repeat this procedure for each VI workload domain in the VMware Cloud Foundation instance.
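Before the files from step 3 are pasted into NSX Manager (step 4) and later into VMware Aria Operations for Networks, a short pre-flight check on the SDDC Manager shell catches a key/certificate mismatch, a signature that does not meet INV-VAON-SEC-012, or a certificate that is already inside its renewal window. This is an added example and not part of the VMware procedure; it regenerates a throwaway certificate with the same openssl command so that it runs stand-alone, and it assumes openssl is on PATH and that the placeholder file names from step 3 are used.

```shell
#!/bin/sh
# Added example, not from the VMware procedure: pre-flight checks on the
# principal identity certificate and key produced by step 3, run on the same
# host before the files are pasted into NSX Manager and Aria Operations for
# Networks. Assumes openssl is on PATH; file names follow the step 3 placeholders.
set -e

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
NAME="nsx_local_manager_cluster_hostname"   # placeholder hostname from step 3
CERT="$WORKDIR/$NAME.cer"
KEY="$WORKDIR/$NAME.key"

# Same openssl command as step 3; the second form is a fallback for hosts whose
# openssl.cnf has no usr_cert section (constructed here so the checks run alone).
gen_pi_cert() {
  openssl req -newkey rsa:2048 -sha256 -x509 -days 365 -subj "/CN=$NAME" \
    -extensions usr_cert -nodes -keyout "$KEY" -out "$CERT" 2>/dev/null ||
  openssl req -newkey rsa:2048 -sha256 -x509 -days 365 -subj "/CN=$NAME" \
    -nodes -keyout "$KEY" -out "$CERT" 2>/dev/null
}

# Check 1: the private key belongs to the certificate. The two files are pasted
# separately, so a mismatch otherwise only shows up as a failed Validate later.
key_matches_cert() {
  [ "$(openssl x509 -noout -pubkey -in "$CERT")" = "$(openssl pkey -pubout -in "$KEY")" ]
}

# Check 2: the signature algorithm is SHA-2 family (design decision INV-VAON-SEC-012).
cert_uses_sha2() {
  openssl x509 -noout -text -in "$CERT" | grep -Eq 'Signature Algorithm: sha(256|384|512)With'
}

# Check 3: renewal window. Succeeds while the certificate stays valid for at
# least $1 more days (-checkend takes seconds); schedule this against the
# 365-day principal identity certificate so the replacement is not missed.
valid_for_days() {
  openssl x509 -noout -checkend $(( $1 * 86400 )) -in "$CERT" >/dev/null
}

gen_pi_cert
key_matches_cert || { echo "private key does not match certificate"; exit 1; }
cert_uses_sha2   || { echo "certificate is not signed with a SHA-2 algorithm"; exit 1; }
valid_for_days 30 && echo "checks passed, more than 30 days of validity remain"
```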

Refresh the NSX to VMware Aria Operations for Networks Integration for Intelligent Network Visibility for VMware Cloud Foundation

After you update the NSX principal identity with the new certificate, you must refresh the credential in VMware Aria Operations for Networks and validate the data source connection.

Procedure

  1. Log in to VMware Aria Operations for Networks at https://<aria_operations_for_networks_fqdn> with a user assigned the Administrator role.
  2. In the left pane, navigate to Settings > Accounts and data sources.
  3. On the Data sources page, click the ellipsis for the VMware NSX-T Manager and click Edit.
  4. On the Configuration page, in the Certificate text box, paste the contents of the nsx_local_manager_cluster_hostname.cer certificate file.
  5. In the Private key text box, paste the contents of the nsx_local_manager_cluster_hostname.key private key file.
  6. Click Validate, verify that the new certificate is valid, and click Submit.
  7. In the Confirmation dialog box, select the confirmation check box and click Continue.
  8. Repeat the procedure for each VI workload domain NSX Manager in the VMware Cloud Foundation instance.