Airgap server CA certificate is not editable from TCA UI if the airgap server is associated with any clusters. This guide provides steps to update TCA manager Postgres DB directly as a workaround to unblock creating new clusters.

Prerequisites

Airgap server is updated with new self-signed certificate or private root CA signed certificate.

Note:

If airgap server is updated with public signed certificate, updating existing cluster or following the steps in this guide is not required.

Procedure

  1. Encode airgap server CA certificate with base64.

    Login to airgap server, and use base64 tool to get base64 encoding string of the CA certificate.

    For the airgap server auto-generated certificate, the CA certificate is located at /root/airgap/certs/ca.crt.

    # base64 <path to the CA certificate> -w 0

    Copy out the output base64 encoding string which is one of the input of Step 6 Update the DB record with the new json string and record ID.

  2. Login to TCA Manager appliance via SSH admin account. 
    # ssh admin@<tca manager ip>
  3. Login to Postgres DB. 
    [admin@tcam ~]$export PGPASSWORD=$(cat /common/pgsql/passwords/tca_admin)
[admin@tcam ~]$ psql -d tca -U tca_admin -h localhost
psql (14.2)
Type "help"for help.
tca=>
  4. Query the DB record of your airgap server with below command, replace the <airgap server fqdn> string to your actual airgap server FQDN. 
    tca=> select * from "Extension" where strpos(val::text,'<airgap server fqdn>')>0;
  id | val | creationDate | lastUpdated
  3 | {"name": "airgap-repo-server-2", "type": "Repository", "state": "ENABLED", "version": "", "isDeleted": false, "description": "", "extensionId": "d6618c6e-c40e-43f1-bb32-9e44b2a1fa25", "creationUser": "[email protected]", "extensionKey": "", "interfaceInfo": {"fqdn": "airgap-repo-server-2.ipv6.eng.vmware.com", "caCert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2VENDQTZXZ0F3SUJBZ0lVVmJ4bkZ4emtjZXM2c2dhUU1RamltaGR1bWtrd0RRWUpLb1pJaHZjTkFRRU4KQlFBd2JqRUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdNQjBKbGFXcHBibWN4RURBT0JnTlZCQWNNQjBKbAphV3BwYm1jeER6QU5CZ05WQkFvTUJsWk5kMkZ5WlRFTU1Bb0dBMVVFQ3d3RFZFVkRNUnd3R2dZRFZRUUREQk5wCmNIWTJMbVZ1Wnk1MmJYZGhjbVV1WTI5dE1CNFhEVEl5TURneU5qQXlOVGcxT1ZvWERUTXlNRGd5TXpBeU5UZzEKT1Zvd2JqRUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdNQjBKbGFXcHBibWN4RURBT0JnTlZCQWNNQjBKbAphV3BwYm1jeER6QU5CZ05WQkFvTUJsWk5kMkZ5WlRFTU1Bb0dBMVVFQ3d3RFZFVkRNUnd3R2dZRFZRUUREQk5wCmNIWTJMbVZ1Wnk1MmJYZGhjbVV1WTI5dE1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0MKQWdFQTZ4c2RVcVF5bVBUN3lvcCtQaFZVTnBnSVhNQVMwMENQWjFSZndNM1M0RE11cDJxWWRiN2JOMXphVkx6WApPbGpoQmNYNmo1S1llWnhDNitvUEU4eE14a2d0L21FZkNpREp4SU9XcWt0cVJjbjZ4U3EvUzgydTdKTTVRZURaCnJnaXYwcGl5NVBWS0I1LzU4RlEvWXFpaHR0YUVYT3V4Y3A2V1J0bVNyTVd5enJHc0kwcExBTktJeEdERW5vajAKSkNacFNHSE9oM21uczVPVi9GRFhHcjZhL3N1RmxvWGFqMnFvRnRkQzhnUkpseUJnWjc0OHVob3NZZ0VmZjdzcwpkMUJ3SzA0ZndCdlBxRDJxSHV4a2JSWk1JTkgxVysrbjUzTVlUcDBOeUFtbmx1R0NreWNwa3FEc0hJa3ZjREJVCndXL3VpV1hudy9lbVhlQWJuSENwZVQ5UGxiUjJzUmt4bUJOSkZLQ0FFc1diMFBGVzVHcURVMDdmUkRVTkE3VG4KZkRIdWxNMXMvMFhESFo4UEZDYjlhZ0xxczdFZ2NTanhZNUVLNDVsL3Z1OUo0SHVib0xGUUFxR0VzUm1mSnY0dwpuemowaTM3SDlLMXk4MnVMMldYVUp0c282aHdzTUkyeW5EcFpYaVNOK1p1SHYxZmZVb1UwK3dqR0FoS2NjdkE4CkxZMVh4RzRGcFRteWQzcFZhbjhTL0RDallMTmlHRHFzQ1B3ckRUbTRhVnFwbktWaHZWejdFTVF0Nk9jaVU2dTUKTGV3UzNwMS9lUkx3eWlzbDBrMWx0SnRtNUR0RkUvYVA2NVQ0azFCWHBOdUZuTzdWaE5ibFNRSVBpaGVxN2VtcgozcFdjb3NzZ0sxQUVkc29kcWhBWjNVSlgvMXRFM25kZzFmVkZ1VEdURWJOZkpJRUNBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRktTaVNEUXpEeUtTZWlUVUt6UTlLUlBOYm5WUE1COEdBMVVkSXdRWU1CYUFGS1NpU0RRekR5S1MKZWlUVUt6UTlLUlBOYm5WUE1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRU5CUUFEZ2dJQgpBSE9NcG9JdlBtUk55cWV5dmpnOVdvb2s5eWs1MDNkb3p2RXIxWnZjeUNjZlljaHlYNHVTR2NpelZEK2tLUUFVCkorWkZjMUpQL0w4UUNodzRXVkRBV3NGSjhPZHZvZFlKamRhaUVuREM4UitVdkU5bmxLdnJjd3BmaFJmUWEzcGsKKy9Lb0xObDVCakVIbGpaakhDZTF1YTFreEdaZ0J4VW5MNHZpVG9BZVFWVHVpbmRNcDdUU1BqSVlxOHFPZDB2agppam5PV21GSEFQS1RGRTViQ2pia0ZzYXdqcDd4MjZOUW5Vbit3ajRlenIyMDEwZCtjMFc3SXhEd3BSNFlDWnh1CnV4WTdMWHNxckIvN25tLzA1NEZ4aW84RzI0ZCs5SnBjMWhyeXRvMmVHN3VETXFrMEVUcGx6ZVV0SHVEMlh6WFMKU3N2NjgrYU1leEp4Um9aZmFJRTEyNnJFTDFoaDdLUGdDallIa01aRjJrUnorRUl0NXhvMDA3cUh0dGhkSmxEdgpoMVZrZHhQRU1ZNTU0SUtTQitsZkFQdVZleGJiTFJyUFBlOGFkSnk5cXgyMXhSaE5vTUhXVHJJbjU1VWdwSzBtCmRadWNPbjBWRHR5Y09mRkExT1NDZkJZUWZRbU5MRnpLNlNoU28wMVlmZU1vbktpL0l0WldkS0lWcUJDVU42SlYKN1BQbUQzTHFEM3ZMa0orZC83TmpFVnYydWtRQ1BGTXhCQ2NyKzBwZlhZUGJpYkZma2VyYjZ2NVN1TXVaZGZVeApGbmRGQXFhOG1EWk9iNDBDUFpoV1ZIaDFubS9MV0JkU3lWWFphSUNaM3V0RG05dy9vcDVFaEFPSVUrcFgxSDRZClpranJSTExpWW9zQVRLckdnZzdhQm5ZcjRUancrWE5zTDhxTHVUS0RLc05NCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0="}, "lastUpdateUser": "[email protected]", "extensionSubtype": "Airgap", "creationEnterprise": "HybridityAdmin", "additionalParameters": {}, "creationOrganization": "HybridityAdmin", "lastUpdateEnterprise": "HybridityAdmin", "lastUpdateOrganization": "HybridityAdmin"} | 2023-03-15 02:13:03.894 | 2023-03-15 06:09:50.291678
  (1 row)
  5. Copy the second field(which is a long json string) to your editor, then replace the CA base64 string with new CA base64 string generated in Step 1 Encode airgap server CA certificate with base64.
  6. Update the DB record with the new json string and record ID.

    Make sure the new json string is a one-line string without Enter.

    tca=> update "Extension" set val='{"name": "airgap-repo-server-2", "type": "Repository", "state": "ENABLED", "version": "", "isDeleted": false, "description": "", "extensionId": "d6618c6e-c40e-43f1-bb32-9e44b2a1fa25", "creationUser": "[email protected]", "extensionKey": "", "interfaceInfo": {"fqdn": "airgap-repo-server-2.ipv6.eng.vmware.com", "caCert": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZ2VENDQTZXZ0F3SUJBZ0lVQ2lxMWd0dC9HQzNMSm83SjZaL0xoVjlUL0Q0d0RRWUpLb1pJaHZjTkFRRU4KQlFBd2JqRUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdNQjBKbGFXcHBibWN4RURBT0JnTlZCQWNNQjBKbAphV3BwYm1jeER6QU5CZ05WQkFvTUJsWk5kMkZ5WlRFTU1Bb0dBMVVFQ3d3RFZFVkRNUnd3R2dZRFZRUUREQk5wCmNIWTJMbVZ1Wnk1MmJYZGhjbVV1WTI5dE1CNFhEVEl5TURneU5qQTNNVEkxTTFvWERUTXlNRGd5TXpBM01USTEKTTFvd2JqRUxNQWtHQTFVRUJoTUNRMDR4RURBT0JnTlZCQWdNQjBKbGFXcHBibWN4RURBT0JnTlZCQWNNQjBKbAphV3BwYm1jeER6QU5CZ05WQkFvTUJsWk5kMkZ5WlRFTU1Bb0dBMVVFQ3d3RFZFVkRNUnd3R2dZRFZRUUREQk5wCmNIWTJMbVZ1Wnk1MmJYZGhjbVV1WTI5dE1JSUNJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBZzhBTUlJQ0NnS0MKQWdFQW0xdHIrNUNBRUVhc3pmWCtTTllrb2pVTHZ0anAxZmR5bHVkQUdnbmxqaHBlWUZIRisrUXJQZE8rdnROZQpCeVB4VzhpdlZEK2I3U3dRQ29iVjJpVEkrbERSRnFESGhVQjRsZUFRZXM5UkwzdEN2MlBKczVHTG9KUTFaTTBqCkFNbzJKaGZldEhOMWpRUzJ0RVBCOFdUdFc2Q08rZXFjMFRNQmtHZDcxVUlXM1lwR1cyRExEWTFHTGQ4UE8xOUIKTEgzR2NxMytsbVE5ODhhM3Q1dklVcWpzTVZwQW41anJJQWhSc2d5K0JEc2YyNmpoT2g1QVAvSUhEdkdzdURWQQpDaEkyZzFNTW5IT2hoMVUwOUhOZmIyMWFMQWZ2LzVlOHJpWDcrMUtlaHd0UjVBaFNuTkZzL3VKTWNOTUlJZG9iCkg4RmJKdDl2dnlkMzV0YnNvZWxSSUpBMHRWcXVUd3FkT0ZrZW9FYUZKTVNLeDFHY21RdStwNm9QdXROWGg2Z0MKZjdxRi8rTXBxcDNocW1vc285K1ZLSVEyRW51QlBSK2pUQjVTV083YS90TEJaVUdvUWR2aTlKWUV6UUdRa1A1ZAo5aU9ZRHNNN1JDMktyMnBRRG5QckFhUkVWU3hyVFVmbVYyN2xERkgwU0dYNks2SnlJY21XZExYaGlKeWhTOXdoCnR5NDByY2ZOQTdtbHhKSFBQVGZPOTFMUVk3c0RuclgwOG9pSTJyaUVjckRTczlGMEZPZXJNbmQyUFljT2NCNVYKemcvaVA0NFJJb0Ewa1drYWI1MVYzZjhXcmVWZE9xdmh5TEMwM1UzR2plRGc3R0VsNkhJVEMza0s3bjBkb2NjZwp4cDhVV0pPa3VRUzlzNzV5ZjFsQ2pra1FGL3AxM0U2R0IwMHpwaTg5WDNLZXdxa0NBd0VBQWFOVE1GRXdIUVlEClZSME9CQllFRkROc25XQnRCd1I4dkx3QzY3OE9iemI5T1RXdU1COEdBMVVkSXdRWU1CYUFGRE5zbldCdEJ3UjgKdkx3QzY3OE9iemI5T1RXdU1BOEdBMVVkRXdFQi93UUZNQU1CQWY4d0RRWUpLb1pJaHZjTkFRRU5CUUFEZ2dJQgpBQ1ptTEd2NWtnY1FLZTRSbEJIbDNFSUR1WnNLN2FhNlFzQy9JajMvS3ZmaWc2U25NYm5QN0xQNy82a0g1V2xjCjFyZzk5UThxTk1QSFdmYWhoaTZ3MU03QVNXMVM3c2FBRldvQmZ0UXQ3YWxEeUd2ODI0VitYVHdLc2tXR0NTWTcKd004dmlDLzV6bE9mTUt4dTZGNGxjOXgzQUgvMjU5OG1laEtFenhEYWhJQ3huQVJIWW1iT01jL1BsYXZTTVR2UApTRmdGZ1c4Y1Q4am45Zzc0aWxSNkhiVXdTQmMzdXdub3h4RlZabC9BWjRtWG8yWlZuTUlscEVoc2RUSWdJVVk5CmJnSU1Kem9acitKbGxGa1ZqRHQ2QUozczNUdEZkQlZISmtDN2F6K0lkZFZCQjUyWE56ajBNcXZmQ1RUYVFHV1QKa3ZTYnhXcHZReDNvNVJWWCtPZlh2ZXFxanZZWVM1eXo5amZKVmljNDR3T0IzTkhGL0x2bVpld2h4SGV2Z09UVwpodFpzendFVlhnN0gwZW1FVWVDUlF2ZHRUQ2hqZXBEaFVLYmhFdDdUOFhEOFFqRUpHV05qRXBWMUdkTldkTjlBCjQrTzRpZGlrNCttM29NWXpvYXR3UlN0YkRVa3NKaFkyY2xQN3FEY0hZazZMRkpyK2lRTm13K2xFYXQwYnBCdWcKZ3Zob3lsME1LVDd0U0lSQ0hBUURXSEQ5VHFVZDFwY21TVnNUVVNtRzVZKzNIOGZGcHV5bzJXNnhNQU9pbzl4VwpOWHlIWjI3VjBhM2hlWFVFd3VnNDlwTnQxL0pJb0tDSWhXcHR0M3luTy9qMm9PRHprYXhNUVc5WGZva1Ewa1BLCmozTzU4aGwvMHB6a2l2bmhlVFFRQ0JCMUNIcXhzdHhFcFFPWmFCbzNmWlR0Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K"}, "lastUpdateUser": "[email protected]", "extensionSubtype": "Airgap", "creationEnterprise": "HybridityAdmin", "additionalParameters": {}, "creationOrganization": "HybridityAdmin", "lastUpdateEnterprise": "HybridityAdmin", "lastUpdateOrganization": "HybridityAdmin"}' where id = 3;

Results

After reloading TCA UI, new CA certificate will be populated in the corresponding airgap server setting of Partner System. User can create new clusters associating to the CA updated airgap server.