After you deploy vCloud Usage Meter, the appliance generates a self-signed SSL certificate. When you access the vCloud Usage Meter Web interface over HTTPS for the first time, you are prompted to manually trust the self-signed certificate.

You can secure the connection to vCloud Usage Meter by replacing the vCloud Usage Meter self-signed certificate with by using an external or internal Certification Authority (CA) - signed certificate.

When running, all vCloud Usage Meter applications use the same keystore and CA certificate store. The NGINX certificates are updated on OS startup. Unless specifically noted, you can run commands on the vCloud Usage Meter console as usagemeter.

To allow remote interaction with the vCloud Usage Meter console, you can activate SSH or invoke the commands in a vSphere web console.

The vCloud Usage Meter appliance stores the certificates in a Java key store at /opt/vmware/cloudusagemetering/platform/security/keystore.

The CA certificate key store is located at /opt/vmware/cloudusagemetering/platform/security/cacerts.

Note: The certificate CN and Subject Alternative Name (SAN) must match the hostname of the vCloud Usage Meter appliance.

Import an Internal Certificate Authority (CA) - Signed Certificate for a vCloud Usage Meter Appliance with Enabled FIPS Mode

If you want to replace the vCloud Usage Meter certificate with a certificate signed by an internal Certificate Authority (CA), you must first import the CA to the vCloud Usage Meter appliance with enabled FIPS mode.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • Verify that FIPS is enabled for the vCloud Usage Meter appliance by navigating to Settings > Security.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
    sudo systemctl stop vmware-um-journal.service
    sudo systemctl stop vmware-um-login.service
    sudo systemctl stop vmware-um-schedule.service
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Establish a trust between the vCloud Usage Meter appliance with enabled FIPS mode and the certificate that is signed by the internal certificate authority.
    Enter a name that identifies the certificate within the keystore under the alias property in the following command.
    keytool -import -trustcacerts -file filepath-to-the-certificate -alias custom-internal-certificate-authority -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-*.jar -storepass "${TRUST_STORE_PASSWORD}"
  4. Reboot the vCloud Usage Meter appliance with enabled FIPS mode.
    sudo reboot

Import an Internal Certificate Authority (CA) - Signed Certificate for a vCloud Usage Meter Appliance with Deactivated FIPS Mode

If you want to replace the certificate of a vCloud Usage Meter appliance with deactivated FIPS mode with a certificate signed by an internal Certificate Authority (CA), you must first import the CA to the appliance.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • Verify that FIPS is deactivated for the vCloud Usage Meter appliance by navigating to Settings > Security.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
    sudo systemctl stop vmware-um-journal.service
    sudo systemctl stop vmware-um-login.service
    sudo systemctl stop vmware-um-schedule.service
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Establish a trust between the vCloud Usage Meter appliance with deactivated FIPS mode and the certificate that is signed by the internal certificate authority.
    Enter a name that identifies the certificate within the keystore under the alias property in the following command.
    keytool -import -trustcacerts -file filepath-to-the-certificate -alias custom-internal-certificate-authority -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storepass "${TRUST_STORE_PASSWORD}"
  4. Reboot the vCloud Usage Meter appliance with deactivated FIPS mode.
    sudo reboot

Install a Certificate Authority (CA) - Signed Certificate for a vCloud Usage Meter Appliance with Enabled FIPS Mode

To establish a secure network connection to the vCloud Usage Meter Web interface, you can install a CA-signed SSL certificate on the vCloud Usage Meter appliance with enabled FIPS mode.

To obtain a CA-signed certificate and private key, you must generate a certificate signing request. The certificate authority uses the request to generate the official certificate.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • From the certificate authority, obtain both the private key and the signed certificate. Both files must be in PEM format.
  • Verify that FIPS is enabled for the vCloud Usage Meter appliance by navigating to Settings > Security.

Procedure

  1. If the certificate is signed by an internal certificate authority, you must first import the certificate authority in the vCloud Usage Meter appliance. For information, see Import an Internal Certificate Authority (CA) - Signed Certificate for a vCloud Usage Meter Appliance with Enabled FIPS Mode.
  2. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
    sudo systemctl stop vmware-um-journal.service
    sudo systemctl stop vmware-um-login.service
    sudo systemctl stop vmware-um-schedule.service
  3. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  4. Back up the existing vCloud Usage Meter appliance certificate.
    1. Back up the existing keystore.
      mv /opt/vmware/cloudusagemetering/platform/security/keystore /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    2. Move the existing keystore entry from the specifed alias to a new alias that is under the destalias parameter.
      keytool -changealias -alias "usage-meter-platform" -destalias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-*.jar -storepass "${TRUST_STORE_PASSWORD}"
  5. Import the CA-signed certificate and private key to the vCloud Usage Meter appliance.
    1. Create a temporary directory and set the directory path to the NGINX_FOLDER environment variable.
      export NGINX_FOLDER=$(mktemp -d)
    2. Create two temporary sub-directories within the temporary directory.
      mkdir ${NGINX_FOLDER}/private
      mkdir ${NGINX_FOLDER}/certs
    3. Upload the CA - signed certificate to the ${NGINX_FOLDER}/certs/ folder and rename the file to nginx-selfsigned.crt.
    4. Upload the CA - signed private key to the ${NGINX_FOLDER}/private/ folder and rename the file to nginx-selfsigned.key.
  6. Create a new keystore for the CA-signed certificate.
    Note: Make sure that you are in the /opt/vmware/cloudusagemetering directory.
    ./platform/bin/create-keystore.sh
  7. (Optional) Remove all temporary and backup folders, and delete the old vCloud Usage Meter certificate.
    rm -rf $NGINX_FOLDER
    rm /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -delete -alias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-*.jar -storepass "${TRUST_STORE_PASSWORD}"
  8. Configure the permissions for the keystore.
    chmod 0640 /opt/vmware/cloudusagemetering/platform/security/keystore
  9. Reboot the vCloud Usage Meter appliance.
    sudo reboot
    If the installation of the CA-signed SSL certificate on the vCloud Usage Meter appliance is successful, no security warning is displayed the next time you log in to the vCloud Usage Meter Web interface.

Install a Certificate Authority (CA) - Signed Certificate for a vCloud Usage Meter Appliance with Deactivated FIPS Mode

To establish a secure network connection to the vCloud Usage Meter Web interface, you can install a CA-signed SSL certificate on the vCloud Usage Meter appliance with deactivated FIPS mode.

To obtain a CA-signed certificate and private key, you must generate a certificate signing request. The certificate authority uses the request to generate the official certificate.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • From the certificate authority, obtain both the private key and the signed certificate. Both files must be in PEM format.
  • Verify that FIPS is deactivated for the vCloud Usage Meter appliance by navigating to Settings > Security.

Procedure

  1. If the certificate is signed by an internal certificate authority, you must first import the certificate authority in the vCloud Usage Meter appliance with deactivated FIPS. For information, see Import an Internal Certificate Authority (CA) - Signed Certificate for a vCloud Usage Meter Appliance with Deactivated FIPS Mode.
  2. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
    sudo systemctl stop vmware-um-journal.service
    sudo systemctl stop vmware-um-login.service
    sudo systemctl stop vmware-um-schedule.service
  3. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  4. Back up the existing vCloud Usage Meter appliance certificate.
    1. Back up the existing keystore.
      mv /opt/vmware/cloudusagemetering/platform/security/keystore /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    2. Move the existing keystore entry from the specifed alias to a new alias that is under the destalias parameter.
      keytool -changealias -alias "usage-meter-platform" -destalias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storepass "${TRUST_STORE_PASSWORD}"
  5. Import the CA-signed certificate with deactivated FIPS mode and private key to the vCloud Usage Meter appliance with deactivated FIPS mode.
    1. Create a temporary directory and set the directory path to the NGINX_FOLDER environment variable.
      export NGINX_FOLDER=$(mktemp -d)
    2. Create two temporary sub-directories within the temporary directory.
      mkdir ${NGINX_FOLDER}/private
      mkdir ${NGINX_FOLDER}/certs
    3. Upload the CA - signed certificate to the ${NGINX_FOLDER}/certs/ folder and rename the file to nginx-selfsigned.crt.
    4. Upload the CA - signed private key to the ${NGINX_FOLDER}/private/ folder and rename the file to nginx-selfsigned.key.
  6. Create a new keystore for the CA-signed certificate.
    Note: Make sure that you are in the /opt/vmware/cloudusagemetering directory.
    ./platform/bin/create-keystore.sh
  7. (Optional) Remove all temporary and backup folders, and delete the old vCloud Usage Meter certificate.
    rm -rf $NGINX_FOLDER
    rm /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -delete -alias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storepass "${TRUST_STORE_PASSWORD}"
  8. Configure the permissions for the keystore.
    chmod 0640 /opt/vmware/cloudusagemetering/platform/security/keystore
  9. Reboot the vCloud Usage Meter appliance with deactivated FIPS mode.
    sudo reboot
    If the installation of the CA-signed SSL certificate on the vCloud Usage Meter appliance with deactivated FIPS mode is successful, no security warning is displayed the next time you log in to the vCloud Usage Meter Web interface.

Replace the Default Appliance Self-Signed SSL Certificate With a New Self-Signed Certificate for a vCloud Usage Meter appliance with enabled FIPS mode

You can replace the default self-signed certificate for a vCloud Usage Meter appliance with enabled FIPS mode by generating and installing a new self-signed certificate.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • Verify that FIPS is enabled for the vCloud Usage Meter appliance by navigating to Settings > Security.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
    sudo systemctl stop vmware-um-journal.service
    sudo systemctl stop vmware-um-login.service
    sudo systemctl stop vmware-um-schedule.service
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Back up the existing vCloud Usage Meter appliance certificate.
    1. Back up the existing keystore.
      mv /opt/vmware/cloudusagemetering/platform/security/keystore /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    2. Move the existing keystore entry from the specifed alias to a new alias that is under the destalias parameter.
      keytool -changealias -alias "usage-meter-platform" -destalias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-*.jar -storepass "${TRUST_STORE_PASSWORD}"
  4. Create a temporary directory and set the directory path to the NGINX_FOLDER environment variable.
    export NGINX_FOLDER=$(mktemp -d)
  5. Create a keystore for the new self-signed certificate.
    Note: Make sure that you are in the /opt/vmware/cloudusagemetering directory.
    ./platform/bin/create-keystore.sh
  6. (Optional) Remove all temporary and backup folders, and delete the old vCloud Usage Meter certificate.
    rm -rf $NGINX_FOLDER
    rm /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -delete -alias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storetype BCFKS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/platform/lib/bc-fips-*.jar -storepass "${TRUST_STORE_PASSWORD}"
  7. Configure the permissions for the keystore.
    chmod 0640 /opt/vmware/cloudusagemetering/platform/security/keystore
  8. Reboot the vCloud Usage Meter appliance with enabled FIPS mode.
    sudo reboot

Replace the Default Appliance Self-Signed SSL Certificate With a New Self-Signed Certificate for a vCloud Usage Meter appliance with deactivated FIPS mode

You can replace the default self-signed certificate for a vCloud Usage Meter appliance with deactivated FIPS mode by generating and installing a new self-signed certificate.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter console as usagemeter.
  • Verify that FIPS is deactivated for the vCloud Usage Meter appliance by navigating to Settings > Security.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
    sudo systemctl stop vmware-um-journal.service
    sudo systemctl stop vmware-um-login.service
    sudo systemctl stop vmware-um-schedule.service
  2. Export the environment variables.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. Back up the existing vCloud Usage Meter appliance certificate.
    1. Back up the existing keystore.
      mv /opt/vmware/cloudusagemetering/platform/security/keystore /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    2. Move the existing keystore entry from the specifed alias to a new alias that is under the destalias parameter.
      keytool -changealias -alias "usage-meter-platform" -destalias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storepass "${TRUST_STORE_PASSWORD}"
  4. Create a temporary directory and set the directory path to the NGINX_FOLDER environment variable.
    export NGINX_FOLDER=$(mktemp -d)
  5. Create a keystore for the new self-signed certificate.
    Note: Make sure that you are in the /opt/vmware/cloudusagemetering directory.
    ./platform/bin/create-keystore.sh
  6. (Optional) Remove all temporary and backup folders, and delete the old vCloud Usage Meter certificate.
    rm -rf $NGINX_FOLDER
    rm /opt/vmware/cloudusagemetering/platform/security/keystore.backup
    keytool -delete -alias "usage-meter-platform-backup" -keystore /opt/vmware/cloudusagemetering/platform/security/cacerts -storepass "${TRUST_STORE_PASSWORD}"
  7. Configure the permissions for the keystore.
    chmod 0640 /opt/vmware/cloudusagemetering/platform/security/keystore
  8. Reboot the vCloud Usage Meter appliance with deactivated FIPS mode.
    sudo reboot

Import a Certificate to the vCloud Usage Meter Appliance Keystore when FIPS Mode is Enabled

If the instance you want to add for metering uses network and security configuration entities such as load balancer, proxy, or firewall, or you use proxy over HTTPS or SMTP over SSL/TLS, you must import their certificates to the vCloud Usage Meter appliance keystore.

To import the certificate of a network and security configuration entity to the vCloud Usage Meter apliance keystore, you must obtain the password of the truststore. The password is located at /opt/vmware/cloudusagemetering/conf/env.properties.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter appliance as usagemeter.
  • Verify that FIPS is enabled for the vCloud Usage Meter appliance by navigating to Settings > Security.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
    sudo systemctl stop vmware-um-journal.service
    sudo systemctl stop vmware-um-login.service
    sudo systemctl stop vmware-um-schedule.service
  2. To extract the trustore password in an enviroment variable, run the following command.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. To import the certificate to the vCloud Usage Meter appliance keystore, run the following command.
    keytool -import -trustcacerts -alias certificate-alias -file certificate-file -keystore  /opt/vmware/cloudusagemetering/resources/cacerts -storetype bcfks -storepass "${TRUST_STORE_PASSWORD}" -providername BCFIPS -providerclass org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath /opt/vmware/cloudusagemetering/jars/bc-fips-*.jar
  4. Reboot the vCloud Usage Meter appliance with enabled FIPS mode.
    sudo reboot

Import a Certificate to the vCloud Usage Meter Appliance Keystore when FIPS Mode is Deactivated

If the instance you want to add for metering uses network and security configuration entities such as load balancer, proxy, or firewall, or you use proxy over HTTPS or SMTP over SSL/TLS and FIPS is disabled for the appliance, you must import their certificates to the vCloud Usage Meter appliance keystore.

To import the certificate of a network and security configuration entity to the vCloud Usage Meter apliance keystore, you must obtain the password of the truststore. The password is located at /opt/vmware/cloudusagemetering/conf/env.properties.

Prerequisites

  • Verify that you have access to the vCloud Usage Meter appliance as usagemeter.
  • Verify that FIPS is deactivated for the vCloud Usage Meter appliance by navigating to Settings > Security.

Procedure

  1. Log in to the vCloud Usage Meter console as usagemeter and stop all appliance services.
    cd /opt/vmware/cloudusagemetering
    ./scripts/stop.sh All
    sudo systemctl stop vmware-um-journal.service
    sudo systemctl stop vmware-um-login.service
    sudo systemctl stop vmware-um-schedule.service
  2. To extract the trustore password in an enviroment variable, run the following command.
    export $(grep -v '^#' "/opt/vmware/cloudusagemetering/platform/conf/env.properties" | xargs)
  3. To import the certificate to the vCloud Usage Meter appliance keystore, run the following command.
    keytool -import -trustcacerts -alias certificate-alias -file certificate-file -keystore  /opt/vmware/cloudusagemetering/resources/cacerts -storepass "${TRUST_STORE_PASSWORD}"
  4. Reboot the vCloud Usage Meter appliance with deactivated FIPS mode.
    sudo reboot