Replace UpdateManager PKI certificate

  • 1.  Replace UpdateManager PKI certificate

    Posted May 08, 2008 01:24 PM

    After replacing the default VUM certificate with our own certificate, UpdateManager no longer connects to VirtualCenter.

    What I did:

    - Replaced the rui.* files on the VUM server in O:\Program Files\VMware\Infrastructure\Update Manager\SSL

    - Replaced the file public.key (containing the VUM public key) on the VirtualCenter server in

    C:\Program Files\VMware\Infrastructure\VirtualCenter Server\extensions\com.vmware.vcIntegrity

    - Restarted the VC and VUM services.

    However VirtualCenter comes up with the error:

    "The VMware Update Manager cannot accept requests now because VirtualCenter server cannot be reached, or the database cannot be reached, or it is in the process of stopping"

    The VUM Log file shows the following:

    Connecting to host on port 443 using protocol https

    Authenticating extension com.vmware.vcIntegrity

    FormatField: Optional unset (integrity.fault.NoVcConnection.vcServer)

    If the original rui.* files on VUM and public.key on VC are restored and the services restarted everything works again.

    What is the correct way to replace the certificates of UpdateManager?



  • 2.  RE: Replace UpdateManager PKI certificate

    Posted May 08, 2008 06:16 PM

    Those certs are from the vc server for secure communications. If you remove them, and restart VC and VUM, I believe they should be copied down from VC, as they do on ESX.

    -KjB



  • 3.  RE: Replace UpdateManager PKI certificate

    Posted May 09, 2008 07:37 AM

    Sorry, this is not the solution. If the certificate on VUM is removed the VUM service does not start correctly. It shows the following log information:

    O:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.key: open: Could not find the file.

    Error importing key: I/O error

    Failed to create secure event for event prefix VMware-rdevServer-exit-event. System error: 0

    Error starting Process monitor: System error 0: The operation completed successfully.; Context: Failed to create secure windows event

    This confirms what I had seen earlier: the default VUM certificate is generated at VUM install time and self-signed by VMware. At install time the VUM registers its extension at the VC and uploads its public key to the VC (I have installed VC and VUM in different VMs).

    It would be good if I could repeat the registration process once the certificates are updated; however, I cannot find any documentation on how this is done.



  • 4.  RE: Replace UpdateManager PKI certificate

    Posted May 09, 2008 12:51 PM

    The VUM service is using the certificate and the private key. Are those the two files you are replacing when you create your new certificate? Also, if you are not keeping the same name as the existing files, you will have to modify at least 3 different files. From what I noticed, the certificate appears to be used for extension authentication. Is this what you are trying to modify? Just wanted to be clear on the intent.

    -KjB



  • 5.  RE: Replace UpdateManager PKI certificate

    Posted May 12, 2008 03:59 PM

    It is correct that I am replacing the certificates to authenticate the VUM extension to the VC.

    I have replaced the following files on the VUM server:

    C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.key

    C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.crt

    C:\Program Files\VMware\Infrastructure\Update Manager\ssl\rui.pfx

    These were newly generated (and signed), with the same names as the original files.

    The rui.pfx file uses the password ("testpassword") specified in the documentation for replacing the VC and ESX certificates. I am not sure this is correct but there is no other documentation.

    Then I extracted the public key from the certificate (rui.crt) and put it on the VC server in:

    C:\Program Files\VMware\Infrastructure\VirtualCenter Server\extensions\com.vmware.vcIntegrity\public.key

    I have also imported the CA certificate in the machine certificate store (on both servers) to make sure the certificates can be validated without errors.

    Finally the VC service and the VUM service were stopped and started.
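
A consistency check for the file set listed in post 5, as an added example that is not part of the original thread: it confirms that rui.crt, rui.key, rui.pfx and the public.key copied to the VC server all carry the same public key. It assumes OpenSSL is available, that rui.crt, rui.key and public.key are PEM files, and that public.key holds a plain "BEGIN PUBLIC KEY" block; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that rui.crt, rui.key, rui.pfx and
# the public.key copied to the VC server all carry the same public key.
# Assumptions: OpenSSL on PATH; rui.crt, rui.key and public.key are PEM and
# rui.key is unencrypted; public.key holds a "BEGIN PUBLIC KEY" block.

# Print the normalised PEM public key of a file of kind crt|key|pfx|pub.
# Prints nothing if the file is missing, malformed or the password is wrong.
pubkey_of() {
    kind=$1; file=$2; pass=$3
    case $kind in
        crt) openssl x509 -in "$file" -noout -pubkey ;;
        key) openssl pkey -in "$file" -pubout ;;
        # An old RC2/3DES-protected .pfx may additionally need -legacy on OpenSSL 3.
        pfx) openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -clcerts |
                 openssl x509 -noout -pubkey ;;
        pub) openssl pkey -pubin -in "$file" -pubout ;;
    esac 2>/dev/null
}

# check_rui_set SSL_DIR VC_PUBLIC_KEY [PFX_PASSWORD]
# Returns 0 if everything matches rui.crt, 1 on any mismatch or unreadable
# file, 2 if rui.crt itself is unreadable.
check_rui_set() {
    dir=$1; vc_pub=$2; pass=${3:-testpassword}
    ref=$(pubkey_of crt "$dir/rui.crt")
    [ -n "$ref" ] || { echo "$dir/rui.crt: unreadable"; return 2; }
    rc=0
    for item in "key:$dir/rui.key" "pfx:$dir/rui.pfx" "pub:$vc_pub"; do
        kind=${item%%:*}; file=${item#*:}
        got=$(pubkey_of "$kind" "$file" "$pass")
        if [ -z "$got" ]; then
            echo "$file: unreadable (format or password problem)"; rc=1
        elif [ "$got" != "$ref" ]; then
            echo "$file: public key differs from rui.crt"; rc=1
        else
            echo "$file: matches rui.crt"
        fi
    done
    return $rc
}

# Stand-alone use: script.sh SSL_DIR VC_PUBLIC_KEY [PFX_PASSWORD]
if [ "$#" -ge 2 ]; then check_rui_set "$@"; fi
```

A clean result only shows that the four files belong to one key pair; it says nothing about whether the extension has been re-registered with VirtualCenter.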



  • 6.  RE: Replace UpdateManager PKI certificate

    Posted May 12, 2008 07:54 PM

    I verified testpassword is correct in the original vc pfx file, so that looks good. I'd open an SR with vmware.

    -KjB

    Message was edited by: kjb007 : Removed the client cert comment



  • 7.  RE: Replace UpdateManager PKI certificate

    Posted May 12, 2008 07:58 PM

    OK,

    I will open an SR

    Thanks for your help



  • 8.  RE: Replace UpdateManager PKI certificate

    Posted May 12, 2008 08:00 PM

    No problem. Make sure to post any resolution.

    -KjB



  • 9.  RE: Replace UpdateManager PKI certificate

    Posted Oct 14, 2008 04:01 PM

    Was this issue resolved?

    If so, how?

    Thanks!!!



  • 10.  RE: Replace UpdateManager PKI certificate

    Posted May 06, 2009 08:33 PM

    Argh, I am having the exact same issue. Does anyone know the fix?



  • 11.  RE: Replace UpdateManager PKI certificate

    Posted Aug 31, 2009 01:12 AM

    I too am having this exact same problem. I have an open SR but no help yet from VMware tech. Was there a resolution for this post?



  • 12.  RE: Replace UpdateManager PKI certificate

    Posted Sep 20, 2009 08:36 PM

    Hello,

    Move to Update Manager forum.


    Best regards,

    Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
    Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
    Also available: 'VMWare ESX Server in the Enterprise'
    SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast



  • 13.  RE: Replace UpdateManager PKI certificate

    Posted Oct 19, 2009 03:02 PM

    Just solved the problem, but it's more or less only a workaround. To change the Update Manager certificate up to version 3.5 you can use the Repair function in the Update Manager MSI package.

    Change the Update Manager certificates in the Update Manager folder (default: C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL; all the rui.* files).

    The certificates have to be in the same format as the ones from VirtualCenter, with testpassword and so on.

    Use the Repair Function under Start > Settings > Control Panel > Add Remove Programs.

    Click on VMware Update Manager component and click Change.

    Follow the wizard and when prompted, choose Repair.

    Done...

    In vSphere you have to uninstall the Update Manager because of the missing repair function (maybe this is because I use 64-bit Win 2008). The SSL folder will be present afterwards...

    Change the rui.* files

    Install Update Manager...

    Done

    I think it should be possible to update the rui.* files before installing the Update Manager by copying them in place before a fresh installation, though I did not try it.



  • 14.  RE: Replace UpdateManager PKI certificate

    Posted Sep 15, 2010 07:36 PM

    The above steps did not fully resolve the issue on a vCenter 4.1 / VUM 4.1 install. I opened an SR with VMware and received the following, which successfully resolved the issue.

    Here are the steps to import your custom SSL keys into the Update Manager keystore and then re-register the extension with VC:

    1. On the Windows machine where Update Manager is installed, import the certificates into vmware-vum.keystore.

    Open a command prompt and navigate to the Update Manager installation directory.

    To import certificates, run a command with the following syntax:

    vciInstallUtils.exe -v -S "c:\Program Files\VMware\Infrastructure\Update Manager\extension.xml" -C "c:\Program Files\VMware\Infrastructure\Update Manager" -L "c:\Documents and Settings\All Users\Application Data\VMware\VMware Update Manager\Logs" --op extupdate



  • 15.  RE: Replace UpdateManager PKI certificate

    Posted Oct 04, 2010 05:43 PM

    Hi touimet, and thank you for posting this, saved me a call to VMware support...

    /gekken