The system administrator can replace the Management Agent certificate when it expires or replace a self-signed certificate with one issued by a certificate authority.
Each IaaS host runs its own Management Agent. Repeat this procedure on each IaaS node whose Management Agent you want to update.
Copy the Management Agent identifier in the Node ID column before you remove the record. You use this identifier when you create the new Management Agent certificate and when you register it.
When you request a new certificate, ensure that the Common Name (CN) attribute in the certificate subject field for the new certificate is typed in the following format:
VMware Management Agent 00000000-0000-0000-0000-000000000000
Use the string VMware Management Agent, followed by a single space and the GUID for the Management Agent in the numerical format shown.
- Stop the Management Agent service from your Windows Services snap-in.
- From your Windows machine, click Start.
- In the Windows Start Search box, enter services.msc and press Enter.
- Right-click VMware vCloud Automation Center Management Agent service and click Stop to stop the service.
- Remove the current certificate from the machine. For information about managing certificates on Windows Server 2008 R2, see the Microsoft Knowledge Base article at http://technet.microsoft.com/en-us/library/cc772354.aspx or the Microsoft wiki article at http://social.technet.microsoft.com/wiki/contents/articles/2167.how-to-use-the-certificates-console.aspx.
- Open the Microsoft Management Console by entering the command mmc.exe.
- Press Ctrl + M to add a new snap-in to the console or select the option from the File drop-down menu.
- Select Certificates and click Add.
- Select Computer account and click Next.
- Select Local computer: (the computer this console is running on).
- Click OK.
- Expand Certificates (Local Computer) on the left side of the console.
- Expand Personal and select the Certificates folder.
- Select the current Management Agent certificate and click Delete.
- Click Yes to confirm the delete action.
- Import the newly generated certificate into the local computer.personal store, or do not import anything if you want the system to auto-generate a new self-signed certificate.
- Register the Management Agent certificate with the vRealize Automation appliance management site.
- Open a command prompt as an administrator and navigate to the Cafe directory on the machine on which the Management Agent is installed at <vra-installation-dir>\Management Agent\Tools\Cafe, typically C:\Program Files (x86)\VMware\vCAC\Management Agent\Tools\Cafe.
- Enter the Vcac-Config.exe RegisterNode command with options to register the Management Agent identifier and certificate in one step. Include the Management Agent identifier you recorded earlier as the value for the -nd option.
Table 1. Required Options and Arguments for Vcac-Config.exe RegisterNode
The URL of the management site host, including a port specification.
The user name, which must be the root user.
Password for the root user as a quoted string.
The machine name of the Management Agent host, including domain information.
This value must match the hostname that the current node is registered with in the vRealize Automation appliance. Can be seen with option 1 specified above for the node ID or in the VAMI - Distributed Deployment Information table. If it is not the same value, the following error is returned when the command is executed: Failure: Cannot add duplicate node id 00000000-0000-0000-0000-000000000000.
Management Agent identifier.
Thumb print of the SSL certificate of the management site host, as defined in the -vamih parameter.
The following example shows the command format:
Vcac-Config.exe RegisterNode -v -vamih "vra-va-hostname.domain.name:5480" -cu "root" -cp "password" -hn "machine-hostname.domain.name" -nd "00000000-0000-0000-0000-000000000000" -tp "0000000000000000000000000000000000000000"
- Restart the Management Agent.
Command to Register a Management Agent Certificate
Vcac-Config.exe RegisterNode -v -vamih "vra-va.eng.mycompany:5480" -cu "root" -cp "secret" -hn "iaas.eng.mycompany" -nd "C816CFBX-4830-4FD2-8951-C17429CEA291" -tp "70928851D5B72B206E4B1CF9F6ED953EE1103DED"