If the service provider vCloud Director instances use a self-signed certificate, you must update the on-premises vSphere Replication appliances to trust the self-signed certificate. By using a self-signed certificate in the tenant configuration, you ensure security and encryption for tenant deployments.

About this task

Note:

The following procedure contains long commands that must each be run as a single command. For readability, line breaks within a command are marked with "\", and "#" marks the beginning of a new command.

Procedure

  1. Copy the self-signed certificate to the client vSphere Replication Appliance and load it into the keystore.
    1. Log in to the vSphere Replication Appliance.
    2. Export the vCloud Director certificate and import it into the Java keystore:
      # openssl s_client -connect $CLOUD_PROXY_IP:443 -tls1 </dev/null 2>/dev/null \
      | openssl x509 > /tmp/vcloud.pem
      
      # /usr/java/default/bin/keytool -noprompt \
      -import -trustcacerts -alias cloudproxy -file /tmp/vcloud.pem \
      -keystore /usr/java/default/lib/security/cacerts -storepass changeit
      
      Note:

      The keytool utility can be in a different folder depending on the vSphere Replication release.

  2. Restart the services that use the keystore file by running the following commands.
    # service hms restart
    
    # service vmware-vcd restart
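
The import in step 1 trusts whatever certificate the connection returned, so compare its SHA-256 fingerprint with a value obtained from the service provider out-of-band before it reaches the keystore. The script below is an added example, not part of the original procedure: the function names and the out-of-band fingerprint are assumptions, while the keytool path, keystore, alias and store password are the ones used in step 1.

```shell
#!/bin/sh
# Added example: import /tmp/vcloud.pem only if its SHA-256 fingerprint
# matches the one the service provider supplied out-of-band (assumption).

# Paths from the procedure; override them for other vSphere Replication releases.
KEYTOOL="${KEYTOOL:-/usr/java/default/bin/keytool}"
KEYSTORE="${KEYSTORE:-/usr/java/default/lib/security/cacerts}"

# Reduce "SHA256 Fingerprint=AB:CD:..." or a bare "ab:cd:..." to "ABCD...".
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Print the SHA-256 fingerprint line of the certificate in PEM file $1.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# import_if_pinned PEM_FILE EXPECTED_SHA256
# Returns keytool's status on a match, 1 on a bad or mismatched pin,
# 2 if the file cannot be parsed as a certificate.
import_if_pinned() {
    pem=$1
    expected=$(normalize_fp "$2")
    actual=$(cert_fp "$pem") || { echo "cannot parse $pem" >&2; return 2; }
    actual=$(normalize_fp "$actual")

    # A SHA-256 fingerprint is exactly 64 hex digits; reject anything else
    # so that an empty or truncated pin can never compare equal.
    case "$expected" in
        *[!0-9A-F]*) echo "expected fingerprint is not hex" >&2; return 1 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected fingerprint is not 64 hex digits" >&2
        return 1
    fi
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch, not importing: got $actual" >&2
        return 1
    fi

    "$KEYTOOL" -noprompt -import -trustcacerts -alias cloudproxy \
        -file "$pem" -keystore "$KEYSTORE" -storepass changeit
}
```

Run `import_if_pinned /tmp/vcloud.pem "<fingerprint from provider>"` in place of the keytool command in step 1, then restart the services as in step 2.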