vRealize Automation uses certificates to maintain trust relationships and provide secure communication among components in distributed deployments.

In a distributed, or clustered, deployment, vRealize Automation certificate organization largely conforms to the three tiered architectural structure of vRealize Automation. The three tiers are vRealize Automation appliance, IaaS Website components, and Manager Service components. In a distributed system, each hardware machine in a particular tier shares a certificate. That is, each vRealize Automation appliance shares a common certificate, and each Manager Service machine shares the common certificate that applies to that layer.

You can use system or user generated self-signed certificates, or CA supplied certificates with distributed vRealize Automation deployments. Starting in vRealize Automation 7.0 and newer, if no certificates are supplied by the user, the installer automatically generates self-signed certificates for all applicable nodes and places them in the appropriate trust stores.

You can use load balancers with distributed vRealize Automation components to provide high availability and failover support. VMware recommends that vRealize Automation deployments use a pass-through configuration for deployments that use load balancers. In a pass-through configuration, load balancers pass requests along to the appropriate components rather than decrypting them. The vRealize Automation appliance and IaaS web servers must then perform the necessary decryption.

For more information about using and configuring load balancers, see vRealize Automation Load Balancing.

If you supply or generate your own certificates using Openssl or another tool, you can use either wildcard or Subject Alternative Name (SAN) certificates. Note that the IaaS certificates must be multi-use certificates.

If you are supplying certificates, you must obtain a multiple-use certificate that includes the IaaS component in the cluster, and then copy that certificate to the trust store for each component. If you use load balancers, you must include the load balancer FQDN in the trusted address of the cluster multiple-use certificate.

f you are need to update system generated self-signed certificates with user or CA supplied certificates, see Managing vRealize Automation.

The Certificate Trust Requirements table summarizes the trust registration requirements for various imported certificates.

Table 1. Certificate Trust Requirements

Import

Register

vRealize Automation appliance cluster

IaaS Web components cluster

IaaS Web component cluster

  • vRealize Automation appliance cluster

  • Manager Service components cluster

  • DEM Orchestrators and DEM Worker components

Manager Service component cluster

  • DEM Orchestrators and DEM Worker components

  • Agents and Proxy Agents