If you update or change vRealize Automation appliance or IaaS certificates, you must update vRealize Orchestrator to trust the new or updated certificates.

About this task

This procedure applies to all vRealize Automation deployments that use an embedded vRealize Orchestrator instance. If you use an external vRealize Orchestrator instance, see Update External vRealize Orchestrator to Trust vRealize Automation Certificates.

Note:

This procedure resets tenant and group authentication back to the default settings. If you have customized your authentication configuration, note your changes so that you can re-configure authentication after completing the procedure.

See the vRealize Orchestrator documentation for information about updating and replacing vRealize Orchestrator certificates.

If you replace or update vRealize Automation certificates without completing this procedure, the vRealize Orchestrator Control Center may be inaccessible, and errors may appear in the vco-server and vco-configurator log files.

Problems with updating certificates can also occur if vRealize Orchestrator is configured to authenticate against a different tenant and group than vRealize Automation. See https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2147612.

Procedure

  1. Stop the vRealize Orchestrator server and Control Center services.
    service vco-server stop
    service vco-configurator stop
  2. Reset the vRealize Orchestrator authentication provider by running the following command.
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh reset-authentication
    ls -l /etc/vco/app-server/
    mv /etc/vco/app-server/vco-registration-id /etc/vco/app-server/vco-registration-id.old
    vcac-vami vco-service-reconfigure
  3. Check the trusted certificate for the vRealize Orchestrator trust store using the command line interface utility located at /var/lib/vco/tools/configuration-cli/bin with the following command:
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh list-trust
    • Check for the certificate with the following alias: vco.cafe.component-registry.ssl.certificate. This should be the vRealize Automation certificate that the vRealize Orchestrator instance uses as an authentication provider.

    • This certificate must match the newly configured vRealize Automation certificate. If it does not match, it can be changed as follows

      1. Copy your vRealize Automation signed appliance certificate PEM file to the /tmp folder on the appliance.

      2. Run the following command adding the appropriate certificate path:

        ./vro-configure.sh trust --registry-certificate path-to-the-certificate-file-in-PEM-format

        See the following example command:

        /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --registry-certificate /tmp/certs/vra.pem

  4. You may need to run the following commands to trust the certificate:
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --uri https://vra.domain.com
    
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --registry-certificate --uri https://vra.domain.com
  5. Ensure that the vRealize Automation certificate is now injected into the vRealize Orchestrator trust store using the following command:
    /var/lib/vco/tools/configuration-cli/bin/vro-configure.sh list-trust
  6. Start the vRealize Orchestrator server and control center services.
    service vco-server start
    service vco-configurator start