By adding a system property, you can enable the certificate path validation algorithm for your trusted certificates.

vRealize Orchestrator now uses enhanced public-key infrastructure X.509 (PKIX) certification path validation when it works with certificates to establish an SSL or TLS connection with a host. vRealize Orchestrator must continue working uninterrupted when it connects to a host whose certificate has been renewed by a trusted certificate authority (CA) included in the vRealize Orchestrator trust store.

If the subject certificate or some of the intermediate certificates are renewed, the algorithm makes an informed trust decision about whether a certificate that is not already explicitly trusted can be trusted.

Note: Enabling the com.vmware.o11n.certPathValidator system property makes certificate validation stricter, following RFC 5280. After you enable the certificate validation algorithm, workflows associated with a host that has a trusted but outdated certificate start to fail until the issue is resolved by renewing the host certificate with a valid, up-to-date one and adding it to the vRealize Orchestrator trust store again.
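The following is an added example, not VMware code, that models the two trust decisions this page contrasts: the assumed legacy behaviour, where a host certificate is trusted only if that exact certificate was imported into the trust store, and simplified RFC 5280 path validation, where the chain is walked from the host certificate to a trust anchor and every certificate on the way must be unexpired. The certificates, names and dates are constructed sample data, and the model checks only issuer links and expiry; real PKIX validation also verifies signatures, key usage, name constraints and revocation.

```python
# Added example (not VMware code): a simplified model of explicit trust versus
# PKIX path validation. Certificates are plain records; only issuer links and
# expiry are checked, which is far less than real RFC 5280 validation.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: date  # expiry date (constructed sample data below)


def legacy_explicit_trust(leaf: Cert, trust_store: set[Cert]) -> bool:
    """Assumed pre-property behaviour: trust a host certificate only if that
    exact certificate was imported into the trust store; expiry is ignored."""
    return leaf in trust_store


def pkix_path_valid(leaf: Cert, intermediates: list[Cert],
                    trust_store: set[Cert], today: date) -> tuple[bool, str]:
    """Simplified RFC 5280 path validation: walk issuer links from the leaf
    until a certificate in the trust store (the trust anchor) is reached,
    rejecting any expired certificate on the way. Returns (ok, reason)."""
    # Certificates presented by the host take precedence over store entries
    # with the same subject, so a renewed intermediate is followed.
    by_subject = {c.subject: c for c in list(trust_store) + intermediates}
    path = [leaf]
    current = leaf
    for _ in range(8):  # bound the walk so a malformed loop cannot hang us
        if current.not_after < today:
            return False, f"{current.subject} expired on {current.not_after}"
        if current in trust_store:
            return True, " -> ".join(c.subject for c in path)
        if current.issuer == current.subject:
            return False, f"self-signed {current.subject} is not a trust anchor"
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            return False, f"no certificate found for issuer {current.issuer}"
        path.append(nxt)
        current = nxt
    return False, "path too long"


# Constructed sample PKI: a root, an old and a renewed issuing CA, and an old
# and a renewed certificate for the same host.
TODAY = date(2024, 6, 1)
ROOT = Cert("Example Root CA", "Example Root CA", date(2034, 1, 1))
OLD_INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", date(2024, 1, 1))
NEW_INTERMEDIATE = Cert("Example Issuing CA", "Example Root CA", date(2029, 1, 1))
OLD_HOST = Cert("vcenter.example.test", "Example Issuing CA", date(2024, 3, 1))
NEW_HOST = Cert("vcenter.example.test", "Example Issuing CA", date(2025, 3, 1))
# The administrator imported the root CA and the (now expired) old host cert.
TRUST_STORE = {ROOT, OLD_HOST}


if __name__ == "__main__":
    # Explicitly trusted but expired host certificate: accepted by the legacy
    # check, rejected once strict path validation is enabled.
    print(legacy_explicit_trust(OLD_HOST, TRUST_STORE))
    print(pkix_path_valid(OLD_HOST, [OLD_INTERMEDIATE], TRUST_STORE, TODAY))
    # Renewed host and intermediate certificates: never imported, yet trusted
    # because the path ends at the root CA in the trust store.
    print(legacy_explicit_trust(NEW_HOST, TRUST_STORE))
    print(pkix_path_valid(NEW_HOST, [NEW_INTERMEDIATE], TRUST_STORE, TODAY))
    # Renewed host certificate presented with the expired intermediate.
    print(pkix_path_valid(NEW_HOST, [OLD_INTERMEDIATE], TRUST_STORE, TODAY))
```

The first pair of calls is the failure mode the note describes: a host certificate that was imported into the trust store but has since expired keeps working under explicit trust and starts failing under path validation until the host is renewed. The second pair shows why the property is useful: a renewed host certificate, with a renewed intermediate, is trusted without re-importing either, provided the issuing root CA is in the trust store.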

Procedure

  1. Log in to the Control Center as root.
  2. Select System Properties, and click New.
  3. In the Key text box, enter com.vmware.o11n.certPathValidator.
  4. In the Value text box, enter true.
  5. (Optional) Add a description for the system property.
  6. Click Add.
    A pop-up window appears.
  7. To finish adding the new system property, click Save changes in the pop-up window.
  8. Wait for the server to restart automatically so that the changes are applied.

Results

The certificate validation algorithm is now enabled. For more information on managing vRealize Orchestrator certificates, see Manage vRealize Orchestrator Certificates.

What to do next

If your vRealize Orchestrator deployment uses vSphere as an authentication provider and you change the vCenter certificate, you must restart the vRealize Orchestrator pod so that the environment uses the new certificate. To restart the pod, use the following procedure:

  1. Log in to the vRealize Orchestrator Appliance as root.
  2. Run the following commands:
    kubectl -n prelude scale deployment vco-app --replicas=0
    kubectl -n prelude scale deployment vco-app --replicas=1
    Note: For clustered vRealize Orchestrator deployments, replace the second command with the following:
    kubectl -n prelude scale deployment vco-app --replicas=3