This topic describes establishing mutually trusted TLS certificates for use with VMware Tanzu GemFire for Tanzu Application Service.
In order for service instances in two foundations to communicate using TLS encryption, the CredHub “/services/tls_ca” certificate must be trusted in both foundations; otherwise, WAN connections with TLS will fail.
To be trusted in both foundations, their certificates must be signed by:
If one of these conditions is satisfied, mutually trusted credentials are already in place; there is no need to implement the following procedure.
If the two foundations have different “/services/tls_ca” certificates that are not already mutually trusted, follow these steps to establish mutual trust.
Assuming you have two different Tanzu Application Service for VMs foundations, A and B, connected by a WAN:
Access the CredHub of Foundation A using the instructions in Access BOSH CredHub.
Fetch the certificate from Foundation A using CredHub:
credhub get -n /services/tls_ca -k certificate
Record the output.
Navigate to the Ops Manager Installation Dashboard of Foundation B and click the BOSH Director tile.
Click Security.
Append the contents of the new CA certificate to the old CA certificate under Trusted Certificates. Do not remove the old CA certificate.
Click Save.
Distribute the new CA certificate to your GemFire for Tanzu Application Service VMs and regenerate each server certificate using the new CA:
Return to the Installation Dashboard in Ops Manager and click Apply Changes.
Repeat Steps 2 - 9 for Foundation B to put its services CA into Foundation A.
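As an added example (not from the VMware documentation), the following Python models the "append, do not remove" step of the procedure above so the value can be checked before it is saved in Ops Manager: it keeps every certificate already under Trusted Certificates, adds the fetched CA only if it is not already present, and refuses input that contains anything other than CERTIFICATE blocks, such as a private key from a credhub get run without -k certificate. The certificate bodies are constructed placeholders, not real certificates.

```python
"""Merge a newly fetched services CA into an existing Trusted Certificates bundle."""
import hashlib
import re

# One PEM block: label, then the base64 body up to the matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def pem_blocks(text):
    """Return (label, body-without-whitespace) for every PEM block in text."""
    return [(m.group(1), re.sub(r"\s+", "", m.group(2))) for m in PEM_BLOCK.finditer(text)]


def merge_trusted_certs(existing_bundle, new_ca_output):
    """Append the output of `credhub get -n /services/tls_ca -k certificate`
    to the existing Trusted Certificates value.

    - Rejects any block that is not a CERTIFICATE (e.g. a private key that
      `credhub get` prints when -k certificate is omitted).
    - Never drops an existing certificate: the old CA must stay trusted.
    - Skips certificates already present, so re-running is idempotent.
    Returns (merged_bundle, number_of_certificates_added).
    """
    new_blocks = pem_blocks(new_ca_output)
    if not new_blocks:
        raise ValueError("no PEM block found in CredHub output")
    for label, _ in new_blocks:
        if label != "CERTIFICATE":
            raise ValueError(f"refusing to add a {label} block to the trust store")
    known = {hashlib.sha256(b.encode()).hexdigest() for _, b in pem_blocks(existing_bundle)}
    merged, added = existing_bundle.rstrip("\n"), 0
    for _, body in new_blocks:
        digest = hashlib.sha256(body.encode()).hexdigest()
        if digest in known:
            continue
        known.add(digest)
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        merged += "\n-----BEGIN CERTIFICATE-----\n" + wrapped + "\n-----END CERTIFICATE-----"
        added += 1
    return merged + "\n", added


# Constructed placeholders standing in for Foundation B's current CA and the
# CA fetched from Foundation A; real bundles contain full X.509 certificates.
OLD_CA = "-----BEGIN CERTIFICATE-----\nMIIBoldFoundationBCA\n-----END CERTIFICATE-----\n"
NEW_CA = "-----BEGIN CERTIFICATE-----\nMIIBnewFoundationACA\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle, count = merge_trusted_certs(OLD_CA, NEW_CA)
    print(f"added {count} certificate(s); paste the following under Trusted Certificates:\n{bundle}")
```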