After you deploy vCloud Usage Meter, the appliance generates a self-signed SSL certificate. When you access the vCloud Usage Meter Web interface over HTTPS for the first time, you are prompted to manually trust the self-signed certificate.

You can secure the connection to vCloud Usage Meter by replacing the vCloud Usage Meter self-signed certificate with a certificate signed by an external or internal Certification Authority (CA).

When running, all vCloud Usage Meter applications use the same keystore and CA certificate store. The NGINX certificates are updated on OS startup. Unless specifically noted, you can run commands on the vCloud Usage Meter console as usagemeter.

To allow remote interaction with the vCloud Usage Meter console, you can activate SSH or invoke the commands in a vSphere web console.

The vCloud Usage Meter appliance stores the certificates in a Java key store at /opt/vmware/cloudusagemetering/platform/security/keystore.

The CA certificate key store is located at /opt/vmware/cloudusagemetering/platform/security/cacerts.
Note: The certificate CN must match the hostname of the vCloud Usage Meter appliance.

Import an Internal Certificate Authority (CA) - Signed Certificate

If you want to replace the vCloud Usage Meter certificate with a certificate signed by an internal Certificate Authority (CA), you must first import the CA to the vCloud Usage Meter appliance.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • Verify that you have access to the vCloud Usage Meter console as root.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Establish a trust between the vCloud Usage Meter appliance and the certificate that is signed by the internal certificate authority.
    Enter a name that identifies the certificate within the keystore under the alias property in the following command.
    keytool -import -trustcacerts -file filepath-to-the-certificate -alias custom-internal-certificate-authority -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  4. Log in as root and reboot the vCloud Usage Meter appliance.
    reboot

Install a Certificate Authority (CA) - Signed Certificate

To establish a secure network connection to the vCloud Usage Meter Web interface, you can install a CA-signed SSL certificate on the vCloud Usage Meter appliance.

To obtain a CA-signed certificate and private key, you must generate a certificate signing request. The certificate authority uses the request to generate the official certificate.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • From the certificate authority, obtain both the private key and the signed certificate. Both files must be in PEM format.

Procedure

  1. Import the certificate authority in the vCloud Usage Meter appliance. For information, see Import an Internal Certificate Authority (CA) - Signed Certificate.
  2. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
  3. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  4. Back up the existing vCloud Usage Meter appliance certificate.
    1. Back up the existing keystore.
      mv /opt/vmware/cloudusagemetering/platform/security/keystore /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    2. Move the existing keystore entry from the alias given in the alias parameter to the new alias given in the destalias parameter.
      keytool -changealias -alias "usage-meter-platform" -destalias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  5. Import the CA-signed certificate and private key to the vCloud Usage Meter appliance.
    1. Create a temporary directory and set the directory path to the NGINX_FOLDER environment variable.
      export NGINX_FOLDER=$(mktemp -d)
    2. Create two temporary sub-directories within the temporary directory.
      mkdir ${NGINX_FOLDER}/private
      mkdir ${NGINX_FOLDER}/certs
    3. Upload the CA-signed certificate to the ${NGINX_FOLDER}/certs/ folder and rename the file to nginx-selfsigned.crt.
    4. Upload the private key for the CA-signed certificate to the ${NGINX_FOLDER}/private/ folder and rename the file to nginx-selfsigned.key.
  6. Create a new keystore for the CA-signed certificate.
    ./platform/bin/create-keystore.sh
  7. (Optional) Remove all temporary and backup folders, and delete the old vCloud Usage Meter certificate.
    rm -rf $NGINX_FOLDER
    rm /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -delete -alias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  8. Configure the permissions for the keystore.
    chmod 0640 /opt/vmware/cloudusagemetering/platform/security/keystore
  9. Log in as root and reboot the vCloud Usage Meter appliance.
    reboot
    If the installation of the CA-signed SSL certificate on the vCloud Usage Meter appliance is successful, no security warning is displayed the next time you log in to the vCloud Usage Meter Web interface.
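The following pre-flight check is an added example and is not part of the VMware procedure: run it before step 6 (create-keystore.sh) to confirm that the PEM certificate and private key belong together, that the certificate names the appliance hostname (the CN requirement noted above, also accepting a DNS subjectAltName entry), and that it verifies against the CA you imported. The um_* function names and the file paths passed as arguments are assumptions, and the script assumes the openssl command-line tool is available on the appliance.

```shell
#!/usr/bin/env bash
# Added pre-flight check for the files destined for
# ${NGINX_FOLDER}/certs/nginx-selfsigned.crt and
# ${NGINX_FOLDER}/private/nginx-selfsigned.key (example, not VMware code).
set -u

# um_check_pair CERT KEY -> 0 when the public key in CERT equals the one derived from KEY
um_check_pair() {
    local cert="$1" key="$2" c k
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# um_check_hostname CERT HOST -> 0 when HOST is the subject CN or a DNS SAN entry
um_check_hostname() {
    local cert="$1" host="$2" cn sans
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 2>/dev/null \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    # SAN values appear on the line after the "Subject Alternative Name" header
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name' | tail -n 1 \
           | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p')
    [ "$cn" = "$host" ] && return 0
    printf '%s\n' "$sans" | grep -qxF "$host"
}

# um_check_chain CERT CA_PEM -> 0 when CERT verifies against the CA bundle CA_PEM
um_check_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# um_preflight CERT KEY HOST [CA_PEM]: run all checks, print a report, return 0 only if all pass
um_preflight() {
    local cert="$1" key="$2" host="$3" ca="${4:-}" rc=0
    um_check_pair "$cert" "$key" && echo "OK   private key matches certificate" \
        || { echo "FAIL private key does not match certificate"; rc=1; }
    um_check_hostname "$cert" "$host" && echo "OK   certificate names $host" \
        || { echo "FAIL neither CN nor a DNS SAN entry is $host"; rc=1; }
    if [ -n "$ca" ]; then
        um_check_chain "$cert" "$ca" && echo "OK   certificate verifies against $ca" \
            || { echo "FAIL certificate does not verify against $ca"; rc=1; }
    fi
    return $rc
}
```

Invoke it as um_preflight path/to/cert.pem path/to/key.pem "$(hostname -f)" path/to/ca.pem; a non-zero exit means the files should not be copied into the NGINX_FOLDER tree.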

Replace the Default Appliance Self-Signed SSL Certificate With a New Self-Signed Certificate

You can replace the default vCloud Usage Meter appliance self-signed certificate by generating and installing a new self-signed certificate.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • Verify that you have access to the vCloud Usage Meter console as root.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Back up the existing vCloud Usage Meter appliance certificate.
    1. Back up the existing keystore.
      mv /opt/vmware/cloudusagemetering/platform/security/keystore /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    2. Move the existing keystore entry from the alias given in the alias parameter to the new alias given in the destalias parameter.
      keytool -changealias -alias "usage-meter-platform" -destalias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  4. Create a temporary directory and set the directory path to the NGINX_FOLDER environment variable.
    export NGINX_FOLDER=$(mktemp -d)
  5. Generate a new self-signed certificate.
    ./platform/bin/create-keystore.sh
  6. (Optional) Remove all temporary and backup folders, and delete the old vCloud Usage Meter certificate.
    rm -rf $NGINX_FOLDER
    rm /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -delete -alias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  7. Configure the permissions for the keystore.
    chmod 0640 /opt/vmware/cloudusagemetering/platform/security/keystore
  8. Log in as root and reboot the vCloud Usage Meter appliance.
    reboot

Import a Certificate to the vCloud Usage Meter Appliance Keystore

If the instance you want to add for metering uses network and security configuration entities such as load balancer, proxy, or firewall, or you use proxy over HTTPS, you must import their certificates to the vCloud Usage Meter appliance keystore.

To import the certificate of a network and security configuration entity to the vCloud Usage Meter appliance keystore, you must obtain the password of the truststore. The password is located at /opt/vmware/cloudusagemetering/conf/env.properties.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter appliance as usagemeter.
  • Verify that you have access to the vCloud Usage Meter appliance as root.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
  2. To extract the truststore password into an environment variable, run the following command.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. To import the certificate to the vCloud Usage Meter appliance keystore, run the following command.
    keytool -import -trustcacerts -alias certificate-alias -file certificate-file -keystore /opt/vmware/cloudusagemetering/resources/cacerts -storetype bcfks -storepass "${TRUST_STORE_PASSWORD}" -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/jars/bc-fips-*.jar
  4. Log in as root and reboot the vCloud Usage Meter appliance.
    reboot