Set up SSL certificates

As part of the post-installation process, you might want to set up your Secure Sockets Layer (SSL) certificates. Setting up SSL certificates is optional when installing Tanzu Salt, but recommended.

Before you start

Setting up the SSL certificates is one post-installation step in a series of several steps that should be followed in a specific order. First, complete one of the installation scenarios and then read the following post-installation pages:

Set up and configure SSL certificates

To create the SSL certificates:

  1. The python36-pyOpenSSL package is necessary to configure SSL after installation. This step is usually completed before installation. If you were unable to install it before installation, it can be installed now. For instructions about checking for and installing this dependency, see Required Tanzu Salt dependencies.
  2. Create and set permissions for the certificate folder for the RaaS service.

    sudo mkdir -p /etc/raas/pki
    sudo chown raas:raas /etc/raas/pki
    sudo chmod 750 /etc/raas/pki
    
  3. Generate keys for the RaaS service using Salt, or provide your own.

    sudo salt-call --local tls.create_self_signed_cert tls_dir=raas
    sudo chown raas:raas /etc/pki/raas/certs/localhost.crt
    sudo chown raas:raas /etc/pki/raas/certs/localhost.key
    sudo chmod 400 /etc/pki/raas/certs/localhost.crt
    sudo chmod 400 /etc/pki/raas/certs/localhost.key
    
  4. To enable SSL connections to Tanzu Salt user interface, generate a PEM-encoded SSL certificate or ensure that you have access to an existing PEM-encoded certificate.

  5. Save the .crt and .key files you generated in the previous step to /etc/pki/raas/certs on the RaaS node.
  6. Update the RaaS service configuration by opening /etc/raas/raas in a text editor. Configure the following values, replacing <filename> with your SSL certificate filename:

    tls_crt: /etc/pki/raas/certs/<filename>.crt
    tls_key: /etc/pki/raas/certs/<filename>.key
    port: 443
    
  7. Restart the RaaS service.

    sudo systemctl restart raas
    
  8. Verify the RaaS service is running.

    sudo systemctl status raas
    
  9. Confirm that you can connect to the user interface in a web browser by navigating to your organization’s custom Tanzu Salt URL and entering your credentials. For more information about logging in, see Log in for the first time and change default credentials.

Your SSL certificates for Tanzu Salt are now set up.
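The following check is an added example, not part of this documentation or of the Tanzu Salt product: it reads the tls_crt, tls_key and port settings from the RaaS configuration, verifies that the key file carries the 400 mode and raas ownership set in the steps above, and confirms that the certificate and key belong together using only the Python standard library. The flat `key: value` parser is an assumption that is sufficient for these three settings, not a full YAML parser.

```python
import os
import pwd
import ssl

def parse_raas_config(text):
    """Read the flat `key: value` lines of /etc/raas/raas (assumed enough for these keys)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if ":" in line:
            key, _, value = line.partition(":")
            settings[key.strip()] = value.strip()
    return settings

def owner_name(uid):
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:  # uid without a passwd entry: report the number instead
        return str(uid)

def check_private_key_perms(path, owner="raas"):
    """The key must be mode 400 and owned by raas, as the chown/chmod steps above set it."""
    st = os.stat(path)
    mode = st.st_mode & 0o777
    findings = []
    if mode & 0o077:  # any group or other permission bit means the key is over-shared
        findings.append(f"{path}: mode {oct(mode)} is readable by group/other")
    if owner_name(st.st_uid) != owner:
        findings.append(f"{path}: owned by {owner_name(st.st_uid)}, expected {owner}")
    return findings

def check_cert_key_pair(cert_path, key_path):
    """load_cert_chain refuses a key that does not belong to the certificate."""
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert_path, key_path)
    except (ssl.SSLError, OSError) as exc:  # mismatch, unreadable or missing file
        return [f"{cert_path}, {key_path}: {exc}"]
    return []

def audit_raas_tls(config_text, owner="raas"):
    """Findings for the tls_crt/tls_key/port settings; an empty list means all checks passed."""
    s = parse_raas_config(config_text)
    missing = [f"missing setting: {k}" for k in ("tls_crt", "tls_key", "port") if k not in s]
    if missing:
        return missing
    findings = [] if s["port"] == "443" else [f"port is {s['port']}, the procedure uses 443"]
    findings += check_private_key_perms(s["tls_key"], owner)
    findings += check_cert_key_pair(s["tls_crt"], s["tls_key"])
    return findings
```

Run it on the RaaS node as `audit_raas_tls(open("/etc/raas/raas").read())` after step 6; any non-empty result points at the step to revisit before restarting the service.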

Updating SSL certificates

Instructions for updating SSL certificates for Tanzu Salt are available at the VMware knowledge base. For more information, see How to update SSL certificates for Tanzu Salt.

Troubleshooting Tanzu Salt environments with VMware Aria Automation that use self-signed certificates

This information is for customers who are working with VMware Aria Automation deployments that use a certificate signed by a non-standard certificate authority.

Tanzu Salt might experience the following symptoms:

  • When you first open VMware Aria Automation, your web browser displays a security warning next to the URL or in the display page that the certificate cannot be validated.
  • When you attempt to open the Tanzu Salt user interface in your web browser, you might get a 403 error or a blank screen.

These symptoms might be caused if your VMware Aria Automation deployment is using a certificate signed by a non-standard certificate authority. To verify whether this is causing Tanzu Salt to display a blank screen, SSH into the node that is hosting Tanzu Salt and review the RaaS log file (/var/log/raas/raas). If you find a traceback error message that indicates that self-signed certificates are not allowed, there are two options you can try to resolve the issue.

Note:
As a security best practice, you should never set up a production environment to use self-signed certificates or improperly signed certificates to authenticate VMware Aria Automation or Tanzu Salt. The recommended practice is to use certificates from trusted certificate authorities instead.

If you choose to use self-signed or improperly signed certificates, you may put your system at serious risk of a security breach. Proceed with caution when using this procedure.

If you experience this problem and your environment needs to continue using a certificate signed by a non-standard certificate authority, there are two options available to you.

The first option is to add the VMware Aria Automation root certificate authority (CA) to your Tanzu Salt environment. The second option is to disable VMware Aria Automation certificate validation in Tanzu Salt.

Add the vRealize Automation root certificate authority (CA) to your Tanzu Salt environment

This procedure requires:

  • Root access
  • The ability to SSH into the RaaS server

Note:
As an additional security best practice, only the most trusted and senior individuals at your organization should be granted this level of access. Take care to restrict root access to your environment.

You may find it easier to create a private certificate authority and sign your own VMware Aria Automation certificates with that certificate authority rather than using self-signed certificates. The advantage of this approach is that you only have to go through this process once, however many VMware Aria Automation certificates you need. Otherwise, you would have to repeat this process for every vRealize Automation certificate you create. For more information about creating a private certificate authority, see How do you sign a certificate request with your own certification authority (Stack Overflow).

To add a certificate signed by a non-standard certificate authority to the list of certificate authorities in Tanzu Salt:

  1. Attempt to open the vRealize Automation web interface in your browser. The browser should display a certificate warning in the page and next to the URL.
  2. Run the following script, which fetches and installs the certificate, replacing <vra_fqdn> with your VMware Aria Automation FQDN:

    # Fetch the chain presented by VMware Aria Automation, keep only the last certificate
    # in it (the highest CA the server sends), and append it to the system CA bundle
    echo -n | openssl s_client -connect <vra_fqdn>:443 -showcerts | tac |
      sed -ne '1,/-BEGIN CERTIFICATE-/p' | tac |
      sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' |
      tee -a /etc/pki/tls/certs/ca-bundle.crt &&
    # Make the RaaS service trust that bundle (the unit file is backed up as raas.service.bak)
    sed -i.bak '/ExecStart\=/iEnvironment=REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt' /usr/lib/systemd/system/raas.service &&
    systemctl daemon-reload && systemctl stop raas &&
    # Clear the old log so only fresh errors are shown, then restart and tail the log
    rm /var/log/raas/raas && systemctl start raas &&
    echo -e 'Starting RaaS Service and tailing the log to see if errors persist. \n Please Wait' &&
    sleep 10 &&
    echo -e 'Relaunch the web browser and navigate to the vRASSC login page and monitor this screen for further errors.\n CTRL+C to exit the tail' &&
    tail -f /var/log/raas/raas
    
  3. Verify that this solution has solved the problem by logging into the Tanzu Salt web interface. If the problem has been resolved, Tanzu Salt displays the Dashboard page.

Disable certificate validation

Caution:
Disabling certificate validation is not a recommended or supported production deployment option for Tanzu Salt. Certificate validation provides increased security and should be your standard practice. As a non-recommended deployment option, VMware will not assist in disabling certificate validation or issues that arise from this deployment option. If you choose to disable this feature, you do so at your own risk.

To disable certificate validation in Tanzu Salt:

  1. Open the RaaS configuration file on the RaaS node, which is stored in /etc/raas/raas.
  2. In the vra setting, set the value for validate_ssl to false.
  3. Run systemctl restart raas to restart the RaaS service.
  4. Verify that this solution has solved the problem by logging into the Tanzu Salt web interface. If the problem has been resolved, Tanzu Salt displays the Dashboard page.

What to do next

After setting up SSL certificates, you may need to complete additional post-installation steps.

If you are an Automation for Secure Hosts customer, the next step is to set up these services. For more information, see Configure Automation for Secure Hosts.

If you’ve completed all the necessary post-installation steps, the next step is to integrate Tanzu Salt with VMware Aria Automation for Secure Hosts. See Create a Tanzu Salt integration with VMware Aria Automation for more information.
