A self-signed certificate is generated when you first install the broker agent. The broker agent uses this certificate by default to authenticate to the View adapter. You can replace the self-signed certificate with a certificate that is signed by a valid certificate authority.

Prerequisites

  • Verify that you can connect to the View Connection Server host where the broker agent is installed.

  • Verify that the keytool utility is added to the system path on the View Connection Server host where the broker agent is installed.

  • Verify that you have the password for the certificate store. You can obtain this password from the msgserver.properties file. See Broker Agent Certificate and Trust Store Files.

  • Become familiar with the Java keytool utility. Documentation is available at http://docs.oracle.com.

Procedure

  1. Log in to the View Connection Server host where the broker agent is installed.
  2. Use the keytool utility with the -selfcert option to generate a new self-signed certificate.

    Because the default self-signed certificate is issued to VMware, you must generate a new self-signed certificate before you request a signed certificate. The signed certificate must be issued to your organization.

    For example:

    keytool -selfcert -alias v4v-brokeragent -dname dn-of-org -keystore v4v-brokeragent.jks

    dn-of-org is the distinguished name of the organization to which the certificate is issued, for example, "OU=Management Platform, O=VMware, Inc., C=US".

    By default, the certificate signature uses the SHA1withRSA algorithm. You can override this default by specifying the name of the algorithm in the keytool utility.

  3. Use the keytool utility with the -certreq option to generate the certificate signing request.

    A certificate signing request is required to request a certificate from a certificate signing authority.

    For example:

    keytool -certreq -alias v4v-brokeragent -file certificate-request-file -keystore v4v-brokeragent.jks

    certificate-request-file is the name of the file that will contain the certificate signing request.

  4. Upload the certificate signing request to a certificate authority and request a signed certificate.

    If the certificate authority requests a password for the certificate private key, use the password configured for the certificate store.

    The certificate authority returns a signed certificate.

  5. Copy the certificate file to the conf directory and run the keytool utility with the -import option to import the signed certificate into the certificate store for the broker agent.

    You must import the certificate file to the certificate store for the broker agent so that the broker agent can start using the signed certificate.

    For example:

    keytool -import -alias v4v-brokeragent -file certificate-filename -keystore v4v-brokeragent.jks

    certificate-filename is the name of the certificate file from the certificate authority.

  6. Run the keytool utility with the -import option to import the certificate authority root certificate into the trust store file for the broker agent.

    For example:

    keytool -import -alias aliasname -file root_certificate -keystore v4v-truststore.jks -trustcacerts

    root_certificate is the name of the certificate authority root certificate.

  7. Restart the broker agent to start using the new certificate.

    You can restart the broker agent by using the vRealize Operations Horizon Broker Agent Settings wizard, or by restarting the vRealize Operations Horizon Broker Agent Service.
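
The following check is an added example, not part of the VMware documentation. It can be run after step 6 and before the restart in step 7: it reads `keytool -list -v` output for the v4v-brokeragent alias and reports when the entry is still self-signed or carries a SHA-1 signature. The function name Test-KeytoolEntry and the sample listing are constructed for illustration, and PowerShell is assumed because the View Connection Server is a Windows host.

```powershell
# Added example, not VMware code. Test-KeytoolEntry is a hypothetical helper.
function Test-KeytoolEntry {
    param([Parameter(Mandatory)][string[]]$Lines)

    $text = $Lines -join "`n"
    $findings = @()

    # Step 5 must leave the signed certificate on the existing key entry.
    if ($text -notmatch '(?m)^Entry type:\s*PrivateKeyEntry') {
        $findings += 'alias is not a PrivateKeyEntry (CA reply imported under a different alias or store?)'
    }

    # The first Owner/Issuer pair in the listing belongs to the leaf certificate.
    $owner  = [regex]::Match($text, '(?m)^Owner:\s*(.+)$').Groups[1].Value.Trim()
    $issuer = [regex]::Match($text, '(?m)^Issuer:\s*(.+)$').Groups[1].Value.Trim()
    if (-not $owner -or -not $issuer) {
        $findings += 'no Owner/Issuer lines found; was keytool run with -list -v?'
    } elseif ($owner -eq $issuer) {
        $findings += "leaf certificate is still self-signed: $owner"
    }

    # SHA1withRSA is the default named in step 2; flag it and older digests.
    $sig = [regex]::Match($text, '(?m)^Signature algorithm name:\s*(\S+)').Groups[1].Value
    if ($sig -match '^(SHA1|MD5|MD2)with') {
        $findings += "leaf certificate signature uses $sig"
    }

    $findings
}

# Constructed, abridged sample of `keytool -list -v` output: the state right
# after step 2, before any CA reply has been imported.
$sample = @'
Alias name: v4v-brokeragent
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: OU=Management Platform, O=Example Org, C=US
Issuer: OU=Management Platform, O=Example Org, C=US
Signature algorithm name: SHA1withRSA
'@ -split "`r?`n"

Test-KeytoolEntry -Lines $sample | ForEach-Object { "FINDING: $_" }

# On the host (keytool prompts for the certificate store password):
#   $out = & keytool -list -v -alias v4v-brokeragent -keystore v4v-brokeragent.jks
#   Test-KeytoolEntry -Lines $out
```

No findings means the alias holds a private key entry whose leaf certificate was issued by a different subject and is not signed with SHA-1 or MD5. For the self-signed certificate in step 2, keytool's -sigalg option selects the signature algorithm; for the signed certificate, the algorithm is chosen by the certificate authority.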

What to do next

After you restart the broker agent, you must pair it with the View adapter. See Certificate Pairing.