vSphere Replication Server replication traffic must be secured with SSL/TLS. This is done by running stunnel on each vSphere Replication Server appliance with a certificate, and by making the Cloud Proxy trust that certificate, as described below.

Securing vSphere Replication Server Traffic with stunnel

Download and install the stunnel RPM. The package in the command below is fetched from a third-party mirror over plain HTTP, so verify its signature (rpm -K) before installing it, or install the SLES stunnel package from a trusted repository instead:

# rpm -ivh http://pkgs.clodo.ru/suse/test/213.141.145.240/SLES11SP2_UPD64/stunnel-4.36-0.10.1.x86_64.rpm

Generate the stunnel certificate with the command shown. Either a CA-signed certificate or a self-signed wildcard certificate can be used; the command below creates a self-signed wildcard certificate valid for 10 years and writes the unencrypted private key followed by the certificate into the single file stunnel.pem, which is the layout stunnel expects for the file named by cert =:

# cd /etc/stunnel
# openssl req -new -x509 -keyout stunnel.pem -out stunnel.pem -days 3650 -nodes -subj "/C=US/ST=California/L=SanFrancisco/O=Palo Alto/CN=*.se.vpc.vmw"
Note:

Because the certificate is a wildcard for the vSphere Replication Server domain, the same stunnel.pem can be used on every vSphere Replication Server, so only one certificate has to be imported into the Cloud Proxy truststore (see the last section). The trade-off is that all appliances then share one private key: compromise of any one appliance exposes the key used by all of them.

Create the runtime and log directories and set ownership and permissions so that only the stunnel user can read the private key:

# mkdir /var/run/stunnel/
# mkdir /var/log/stunnel
# chown -R stunnel:nogroup /var/run/stunnel/ /var/log/stunnel
# chown stunnel:nogroup /etc/stunnel/stunnel.pem
# chmod 600 /etc/stunnel/stunnel.pem

Replace the contents of /etc/stunnel/stunnel.conf with the following entries only. stunnel accepts TLS connections on port 9998 and forwards the decrypted stream to the vSphere Replication Server listener on local port 31031. Replace $VRS_HOSTNAME with the appliance hostname; the section name is also the service name that TCP wrappers checks in /etc/hosts.allow. No verify option is set, so stunnel does not request a client certificate: authentication is one-way, with the Cloud Proxy checking the stunnel certificate against its truststore (last section).

client = no
; foreground must be added explicitly
foreground = no
pid = /var/run/stunnel/stunnel.pid
debug = 1
output = /var/log/stunnel/stunnel.log
cert = /etc/stunnel/stunnel.pem

[$VRS_HOSTNAME]
accept = 9998
connect = 31031

Start stunnel and enable it at boot:

service stunnel start
chkconfig stunnel on

Firewall Configuration

After stunnel is running on the vSphere Replication Server appliance, the firewall must block the plaintext replication ports 31031 and 44046 from outside the network and allow the stunnel port 9998, so that external traffic can reach the replication service only through stunnel. In the SuSEfirewall2 configuration this means removing 31031 and 44046 from FW_SERVICES_EXT_TCP and adding 9998.

Edit the SuSEfirewall2 configuration:

# vi  /etc/sysconfig/SuSEfirewall2 

Change from

FW_SERVICES_EXT_TCP="22 80 5480 8043 8123 10000:10020 31031 40404 41111 44046" 

To

FW_SERVICES_EXT_TCP="22 80 5480 8043 8123 9998 10000:10020 40404 41111"

Reload the SuSE firewall so the new port list takes effect:

# /etc/init.d/SuSEfirewall2_setup reload

Allow the stunnel service in TCP wrappers by adding the following line to /etc/hosts.allow. The first field must match the service section name in stunnel.conf ([$VRS_HOSTNAME]), because stunnel performs the libwrap check with that name rather than with "stunnel". ALL admits any client address; if the Cloud Proxy addresses are known, list those instead.

# vi /etc/hosts.allow

Add the following line:

$VRS_HOSTNAME : ALL : ALLOW
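
The firewall and TCP wrappers edits above as a script, so the same change can be applied on every vSphere Replication Server appliance without hand-editing. This is an added example, not code from the page or from VMware or SUSE. It assumes the port numbers from this page and the default SUSE file locations; the hostname vrs01.se.vpc.vmw and the client addresses in the demo are constructed, and when run stand-alone it operates on a constructed copy of the two files, not the live ones.

```sh
#!/bin/sh
# Added example (not from the original page): close the plaintext vSphere
# Replication ports to the outside and expose only the stunnel port in
# SuSEfirewall2, then allow the stunnel service in /etc/hosts.allow.
# Port numbers come from this page; file paths are the SUSE defaults.
set -e

PLAINTEXT_PORTS="31031 44046"    # reachable only through stunnel afterwards
STUNNEL_PORT="9998"              # stunnel 'accept' port from stunnel.conf

# harden_fw_services "<current FW_SERVICES_EXT_TCP value>"
# Prints the new value: plaintext ports dropped, stunnel port added once,
# everything else kept, list sorted numerically (a range such as
# 10000:10020 sorts by its first port). Running it twice is a no-op.
harden_fw_services() {
    {
        for entry in $1; do
            drop=0
            for p in $PLAINTEXT_PORTS; do
                if [ "$entry" = "$p" ]; then drop=1; fi
            done
            if [ "$drop" -eq 0 ]; then echo "$entry"; fi
        done
        echo "$STUNNEL_PORT"
    } | sort -n | uniq | tr '\n' ' ' | sed 's/ $//'
}

# apply_fw_change <SuSEfirewall2 file>
# Rewrites the FW_SERVICES_EXT_TCP line in place, keeping a .bak copy.
apply_fw_change() {
    file="$1"
    current=$(sed -n 's/^FW_SERVICES_EXT_TCP="\(.*\)"$/\1/p' "$file" | head -n 1)
    new=$(harden_fw_services "$current")
    cp -p "$file" "$file.bak"
    sed 's/^FW_SERVICES_EXT_TCP=".*"$/FW_SERVICES_EXT_TCP="'"$new"'"/' "$file.bak" > "$file"
}

# allow_stunnel_wrappers <hosts.allow file> <service name> <client list>
# <service name> must equal the [section] name in stunnel.conf, because
# stunnel runs the libwrap check under that name. Appends only if missing.
allow_stunnel_wrappers() {
    file="$1"; svc="$2"; clients="$3"
    line="$svc : $clients : ALLOW"
    if ! grep -qxF "$line" "$file" 2>/dev/null; then
        echo "$line" >> "$file"
    fi
}

# Stand-alone demo on constructed copies. On the appliance the real files are
# /etc/sysconfig/SuSEfirewall2 and /etc/hosts.allow, followed by
# /etc/init.d/SuSEfirewall2_setup reload. Hostname and client IPs are made up.
demo=$(mktemp -d)
cat > "$demo/SuSEfirewall2" <<'EOF'
FW_DEV_EXT="eth0"
FW_SERVICES_EXT_TCP="22 80 5480 8043 8123 10000:10020 31031 40404 41111 44046"
EOF
apply_fw_change "$demo/SuSEfirewall2"
allow_stunnel_wrappers "$demo/hosts.allow" "vrs01.se.vpc.vmw" "10.0.0.10, 10.0.0.11"
grep '^FW_SERVICES_EXT_TCP' "$demo/SuSEfirewall2"
cat "$demo/hosts.allow"
```

Restricting the client list to the Cloud Proxy cells, as the demo does, is tighter than the ALL shown on the page; ALL is still correct where the proxy addresses are not fixed.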

Import Stunnel Certificates to Cloud Proxy TrustStore

Note:

This step is required when stunnel uses a self-signed certificate, which the Cloud Proxy does not trust by default.

Copy the stunnel certificate from one vSphere Replication Server to one of the Cloud Proxy cells. Because the wildcard certificate is shared by all vSphere Replication Servers, a single import covers all of them. stunnel.pem also contains the unencrypted private key, so copy it only over an authenticated channel (scp, as shown) and delete the copy from /tmp on the Cloud Proxy once the DER file has been produced:

# scp ${VRS_HOSTNAME}:/etc/stunnel/stunnel.pem ${CLOUDPROXY_HOSTNAME}:/tmp/

Convert the .pem file to .der. This extracts only the certificate; the private key is not written to the DER file:

# openssl x509 -outform der -in stunnel.pem -out stunnel.der

Import the certificate into the Cloud Proxy truststore, /opt/vmware/vcloud-director/jre/lib/security/cacerts. keytool prompts for the keystore password and displays the certificate fingerprint; compare it with the fingerprint of stunnel.pem on the vSphere Replication Server before confirming the import:

# keytool -import -alias stunnel_${VRS_HOSTNAME} -keystore /opt/vmware/vcloud-director/jre/lib/security/cacerts -file stunnel.der

Restart the cloud proxy service:

# service vmware-vcd restart

Copy /opt/vmware/vcloud-director/jre/lib/security/cacerts from the first Cloud Proxy cell to the remaining cells and restart the vmware-vcd service on each of them.
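
The certificate handling from both certificate sections above (generating the wildcard stunnel.pem, exporting the certificate without its private key for the Cloud Proxy, converting it to DER and comparing fingerprints before the keytool import) as a shell script. This is an added example, not code from the page or from VMware. It reuses the subject from the openssl command on this page, writes to a scratch directory when run stand-alone instead of /etc/stunnel, and keeps the keytool import and the live endpoint check as separate functions because they run on the Cloud Proxy, not on the vSphere Replication Server.

```sh
#!/bin/sh
# Added example (not from the original page): generate the stunnel wildcard
# certificate, export the certificate WITHOUT the private key, convert it to
# DER and compare SHA-256 fingerprints so the right certificate is imported.
# Subject fields are copied from the page; everything else is an assumption.
set -e

# gen_stunnel_cert <dir> <cn>
# Creates <dir>/stunnel.pem holding the unencrypted RSA key followed by a
# 10-year self-signed certificate for <cn>, readable by the owner only.
gen_stunnel_cert() {
    dir="$1"; cn="$2"
    ( umask 077
      openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
          -keyout "$dir/stunnel.key" -out "$dir/stunnel.crt" \
          -subj "/C=US/ST=California/L=SanFrancisco/O=Palo Alto/CN=$cn"
      cat "$dir/stunnel.key" "$dir/stunnel.crt" > "$dir/stunnel.pem"
      rm -f "$dir/stunnel.key" "$dir/stunnel.crt" )
}

# export_stunnel_cert <stunnel.pem> <outfile>
# Writes only the certificate; the private key never leaves the VRS.
export_stunnel_cert() {
    openssl x509 -in "$1" -out "$2"
    if grep -q 'PRIVATE KEY' "$2"; then
        echo "refusing to export: $2 contains a private key" >&2
        return 1
    fi
}

# to_der <pem cert> <der file>
to_der() {
    openssl x509 -in "$1" -outform der -out "$2"
}

# cert_fingerprint <cert file> <PEM|DER>  -> SHA-256 fingerprint
cert_fingerprint() {
    openssl x509 -inform "$2" -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# cert_cn <pem cert> -> subject CN (should be the wildcard name)
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# import_to_truststore <der file> <alias> <keystore>
# Run on the Cloud Proxy cell. keytool prompts for the keystore password and
# prints the fingerprint, which must equal cert_fingerprint on the VRS.
import_to_truststore() {
    keytool -importcert -alias "$2" -keystore "$3" -file "$1"
}

# check_endpoint <host> <port> <expected fingerprint>
# From the Cloud Proxy side: confirm stunnel on <host>:<port> presents the
# certificate that was imported (requires network access to the VRS).
check_endpoint() {
    got=$(openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2)
    [ "$got" = "$3" ]
}

# Stand-alone demo in a scratch directory. On the real hosts the paths are
# /etc/stunnel/stunnel.pem (VRS) and
# /opt/vmware/vcloud-director/jre/lib/security/cacerts (Cloud Proxy).
demo_dir=$(mktemp -d)
gen_stunnel_cert "$demo_dir" '*.se.vpc.vmw'
export_stunnel_cert "$demo_dir/stunnel.pem" "$demo_dir/stunnel.crt"
to_der "$demo_dir/stunnel.crt" "$demo_dir/stunnel.der"
echo "CN:  $(cert_cn "$demo_dir/stunnel.crt")"
echo "PEM: $(cert_fingerprint "$demo_dir/stunnel.crt" PEM)"
echo "DER: $(cert_fingerprint "$demo_dir/stunnel.der" DER)"
```

Copying stunnel.crt instead of stunnel.pem to the Cloud Proxy gives the same DER file as the page's procedure while keeping the shared wildcard key on the appliances only; the fingerprint printed by keytool during the import should match the PEM and DER values printed here.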