After you deploy vCloud Usage Meter, the appliance generates a self-signed SSL certificate. When you access the vCloud Usage Meter Web interface over HTTPS for the first time, you are prompted to manually trust the self-signed certificate.

You can secure the connection to vCloud Usage Meter by replacing the vCloud Usage Meter self-signed certificate with a certificate signed by an external or internal Certification Authority (CA).

When running, all vCloud Usage Meter applications use the same keystore and CA certificate store. The NGINX certificates are updated on OS startup. Unless specifically noted, you can run commands on the vCloud Usage Meter console as usagemeter.

To allow remote interaction with the vCloud Usage Meter console, you can activate SSH or invoke the commands in a vSphere web console.

The vCloud Usage Meter appliance stores the certificates in a Java key store at /opt/vmware/cloudusagemetering/platform/security/keystore.

The CA certificate key store is located at /opt/vmware/cloudusagemetering/platform/security/cacerts.

Import an internal Certification Authority (CA) - Signed Certificate

If you want to replace the vCloud Usage Meter certificate with a certificate signed by a Certificate Authority that is internal to your organization, you must first import the Certificate Authority into the vCloud Usage Meter appliance.

Prerequisites

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Establish a trust between the vCloud Usage Meter appliance and the certificate that is signed by the internal certificate authority.
    keytool -import -trustcacerts -file ca_certificate.pem -alias "my_trusted_authority" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  4. Reboot the vCloud Usage Meter appliance.

Install a Certificate Authority (CA) - Signed Certificate

To establish a secure network connection to the vCloud Usage Meter Web interface, you can install a CA-signed SSL certificate on the vCloud Usage Meter appliance.

To obtain a CA-signed certificate and private key, you must generate a certificate signing request. The certificate authority uses the request to generate the official certificate.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • From the certificate authority, obtain the private key and the signed certificate. Both files must be in PEM format.
  • If the certificate is signed by an internal certificate authority, first you must import the certificate authority in the vCloud Usage Meter appliance. For information, see Import an internal Certification Authority (CA) - Signed Certificate.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Back up the existing vCloud Usage Meter appliance certificate.
    mv /opt/vmware/cloudusagemetering/platform/security/keystore /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -changealias -alias "usage-meter-platform" -destalias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  4. Import the CA-signed certificate and private key to the vCloud Usage Meter appliance.
    1. Create the necessary temporary file structure.
      export NGINX_FOLDER=$(mktemp -d)
      mkdir ${NGINX_FOLDER}/private
      mkdir ${NGINX_FOLDER}/certs
    2. Upload the CA-signed certificate to the ${NGINX_FOLDER}/certs/ folder and rename the file to nginx-selfsigned.crt.
    3. Upload the CA-signed private key to the ${NGINX_FOLDER}/private/ folder and rename the file to nginx-selfsigned.key.
  5. Create a new keystore for the CA-signed certificate.
    ./platform/bin/create-keystore.sh
  6. (Optional) Remove all temporary and backup folders, and delete the old vCloud Usage Meter certificate.
    rm -rf $NGINX_FOLDER
    rm /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -delete -alias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  7. Configure the permissions for the keystore.
    chmod 0640 /opt/vmware/cloudusagemetering/platform/security/keystore
  8. Reboot the vCloud Usage Meter appliance.
    If the installation of the CA-signed SSL certificate on the vCloud Usage Meter appliance is successful, no security warning is displayed the next time you log in to the vCloud Usage Meter Web interface.
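A pre-flight check for the PEM files named in the prerequisites, to run before step 1 stops the appliance services. This is an added example, not part of the VMware procedure: `preflight_cert` is a hypothetical helper, and it assumes `openssl` is available where you run it, the private key is unencrypted, and 30 days is an acceptable default for remaining validity.

```shell
#!/bin/sh
# Added example: preflight_cert is a hypothetical helper, not a vCloud Usage Meter script.
# Usage: preflight_cert CERT.pem KEY.pem [MIN_DAYS] [CA.pem]
# Return codes: 0 ok, 2 bad certificate, 3 bad key, 4 key/certificate mismatch,
#               5 certificate expires too soon, 6 not signed by the given CA.
preflight_cert() {
    pf_cert=$1
    pf_key=$2
    pf_days=${3:-30}   # assumed minimum remaining validity, in days
    pf_ca=${4:-}       # optional, for example the ca_certificate.pem imported earlier

    # The certificate must parse as PEM X.509; extract its public key.
    pf_cert_pub=$(openssl x509 -in "$pf_cert" -noout -pubkey 2>/dev/null) || {
        echo "not a PEM certificate: $pf_cert" >&2; return 2; }

    # The key must parse as an unencrypted PEM private key
    # (the empty -passin makes an encrypted key fail instead of prompting).
    pf_key_pub=$(openssl pkey -in "$pf_key" -passin pass: -pubout 2>/dev/null) || {
        echo "not a readable PEM private key: $pf_key" >&2; return 3; }

    # A key that does not belong to the certificate breaks the TLS handshake.
    [ "$pf_cert_pub" = "$pf_key_pub" ] || {
        echo "private key does not match certificate" >&2; return 4; }

    # -checkend exits non-zero if the certificate expires within N seconds.
    openssl x509 -in "$pf_cert" -noout -checkend $((pf_days * 86400)) >/dev/null || {
        echo "certificate expires within $pf_days days" >&2; return 5; }

    # Optional: confirm the certificate verifies against the CA you imported.
    if [ -n "$pf_ca" ]; then
        openssl verify -CAfile "$pf_ca" "$pf_cert" >/dev/null 2>&1 || {
            echo "certificate does not verify against $pf_ca" >&2; return 6; }
    fi
    return 0
}
```

A non-zero return means the files should be corrected before the existing keystore is moved aside in step 3.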

Replace the Default Appliance Self-Signed SSL Certificate With a New Self-Signed Certificate

You can replace the default vCloud Usage Meter appliance self-signed certificate by generating and installing a new self-signed certificate.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Back up the existing vCloud Usage Meter appliance certificate.
    mv /opt/vmware/cloudusagemetering/platform/security/keystore /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -changealias -alias "usage-meter-platform" -destalias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  4. Generate a new self-signed certificate.
    export NGINX_FOLDER=$(mktemp -d)
    ./platform/bin/create-keystore.sh
  5. (Optional) Remove all temporary and backup folders, and delete the old vCloud Usage Meter certificate.
    rm -rf $NGINX_FOLDER
    rm /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -delete -alias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-1.0.2.1.jar -storepass "${TRUST_STORE_PASSWORD}"
  6. Configure the permissions for the keystore.
    chmod 0640 /opt/vmware/cloudusagemetering/platform/security/keystore
  7. Reboot the vCloud Usage Meter appliance.

Import a Certificate to the vCloud Usage Meter Appliance Keystore

If the instance you want to add for metering uses network and security configuration entities such as load balancer, proxy, or firewall, or you use proxy over HTTPS, you must import their certificates to the vCloud Usage Meter appliance keystore.

To import the certificate of a network and security configuration entity to the vCloud Usage Meter appliance keystore, you must obtain the password of the truststore. The password is located at /opt/vmware/cloudusagemetering/conf/local.conf.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter appliance as usagemeter.

  • Verify that you have access to the vCloud Usage Meter appliance as root.

Procedure

  1. Log in to the vCloud Usage Meter appliance as usagemeter.
  2. To extract the truststore password into an environment variable, run the following command.
    export TRUSTOREPASS=$(grep "trustStorePassword" /opt/vmware/cloudusagemetering/conf/local.conf | cut -d' ' -f2-)
    
  3. Import the certificate.
    keytool -import -trustcacerts -alias alias-for-the-certificate-of-the-entity -file the-directory-of-the-certificate-of-the-entity -keystore /opt/vmware/cloudusagemetering/resources/cacerts.bcfks -storetype bcfks -storepass "${TRUSTOREPASS}" -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/jars/bc-fips-*.jar
  4. Log in as root and reboot the vCloud Usage Meter appliance.
    reboot