The system administrator can replace the Management Agent certificate when it expires or replace a self-signed certificate with one issued by a certificate authority.

About this task

Each IaaS host runs its own Management Agent. Repeat this procedure on each IaaS node whose Management Agent you want to update.

Prerequisites

  • Before you replace a Management Agent certificate, remove its entry from the Distributed Deployment Information table. Note the Management Agent identifier in the Node ID column before you remove the record. You use this identifier when you create the new Management Agent certificate and when you register it. For more information, see the procedure about removing a node from the Distributed Deployment Information table in System Administration for vRealize Automation.

  • When you request a new certificate, ensure that the Common Name (CN) attribute in the certificate subject field for the new certificate is typed in in the following format:

    VMware Management Agent 00000000-0000-0000-0000-000000000000

    Use the string VMware Management Agent, followed by a single space and the GUID for the Management Agent in the numerical format shown.

  • Record the SHA1 thumbprint of the new Management Agent certificate.

Procedure

  1. Stop the Management Agent service from your Windows Services snap-in.
    1. From your Windows machine, click Start.
    2. In the Windows Start Search box, type services.msc and press Enter.
    3. Right-click VMware vCloud Automation Center Management Agent service and click Stop to stop the service.
  2. Remove the current certificate from the machine. For information about managing certificates on Windows Server 2008 R2, see the Microsoft Knowledge Base article at http://technet.microsoft.com/en-us/library/cc772354.aspx or the Microsoft wiki article at http://social.technet.microsoft.com/wiki/contents/articles/2167.how-to-use-the-certificates-console.aspx.
  3. Register the Management Agent certificate with the vRealize Appliance management site.
    1. Open a command prompt as an administrator and navigate to the Cafe directory on the machine on which the Management Agent is installed at <vra-installation-dir>\Management Agent\Tools\Cafe, typically C:\Program Files (x86)\VMware\vCAC\Management Agent\Tools\Cafe
    2. Type the Vcac-Config.exe RegisterNode command with options to register the Management Agent identifier and certificate in one step. Include the Management Agent identifier you recorded earlier as the value for the -nd option and the thumbprint of the new certificate as the value of the -tp.
      Table 1. Required Options and Arguments for Vcac-Config.exe RegisterNode

      Option

      Argument

      Notes

      -url

      "vra-va-hostname.domain.name:5480"

      The URL of the management site host, including a port specification

      -cu

      "root"

      The user name, which must be the root user

      -cp

      "password"

      Password for the root user as a quoted string

      -hn

      "machine-hostname.domain.name"

      The machine name of the Management Agent host, including domain information

      -nd

      "00000000-0000-0000-0000-000000000000"

      Management Agent identifier

      -tp

      "0000000000000000000000000000000000000000

      Thumbprint for the new certificate

      The following example shows the command format:

      Vcac-Config.exe RegisterNode -v -url "vra-va-hostname.domain.name:5480" 
      -cu "root" -cp "password" -hn "machine-hostname.domain.name" 
      -nd "00000000-0000-0000-0000-000000000000" 
      -tp "0000000000000000000000000000000000000000" 

Command to Register a Management Agent Certificate

Vcac-Config.exe RegisterNode -v -url "vra-va.eng.mycompany:5480" -cu "root" -cp "secret" -hn "iaas.eng.mycompany" -nd "C816CFBX-4830-4FD2-8951-C17429CEA291" -tp "70928851D5B72B206E4B1CF9F6ED953EE1103DED"