Disaster Recovery

Hi,

Does anyone know how/where to change the SRM & vSphere Replication 8.2 Appliance VAMI https certificates?

I have updated the main appliance certificates, with ones signed by my Enterprise CA, but I cannot find there they are updated for the VAMI interface?

I would appreciate any pointers.

Thanks

M

Hi,

SRM appliance VAMI uses the main appliance certificate. You may need to reload your browser after changing the certificate.

Hope this helps,

Daniel G.

Thank you Daniel,

I am not sure what happened initially, as I did refresh my browser(s). It seems to be working now that I have restarted both the SRM & vSphere Replication appliances.

Follow up question... How do I import my Microsoft Windows Server Enterprise root & intermediate CA certificates into the SRM/vSphere Replication appliances Trusted Root Certificate Authority stores?

Many Thanks,

Martin

Hi Martin,

you can follow the steps in the documentation page "How to Set Up a Trusted Environment for the Site Recovery Manager Virtual Appliance".

Hope this helps,

Daniel G.

Thank you again Daniel,

I am still have a niggly issue with SRM when pairing sites, where the one site cannot validate the vCenter server certificate on the other site.

Steps I have taken:

1) I have reconfigured both of my vCenter server's VMCA's to be subordinate to my Enterprise CA, Both completed successfully and I can browse to either vCenter server without getting browser security errors.

2) I have added my Root CA and both vCenter VMCA CA certificates to the both SRM appliances & re-run c_rehash (without error). They now have trusted connection thumbprints - the same thumbprints as the SRM site pairing does NOT trust!

3) I have created CSR's, signed them (with my root CA) and installed PKCS #12 certificates for both SRM appliances. I restarted both appliances and I can browse to them without getting a browser security error.

Do my vCenter Servers need each others VMCA CA certificate importing? Just tried this and it still errors.

I do not have any SSO/ELM between vCenter servers?

I need a sanity check, can you see/think what have I missed?

vCenter Server Appliance Version - 6.7.0 Build 13007421

VMware SRM Appliance Version - 8.2.0 Build 14383138

vSphere Replication Appliance Version - 8.2.0.8989 Build 14338525

Cheers

Martin

Hi,

you can check the last step (Step 8) in the doc - How to Set Up a Trusted Environment for the Site Recovery Manager Virtual Appliance

Probably this will resolve your issue.

Hope this help,

Daniel G.

Thank you again Daniel,

That has worked. I can now deploy both SRM and vSphere Replication appliances with certificates that are signed by my Enterprise CA.

I can also import the Root CA and both VMCA subordinate CA certificates into each appliance, so there are no more trust warning messages when pairing sites/etc.

I really appreciate your help.

M

Hi M,

Where did you generate the CSR request for the replication appliance?

I have followed the procedure from Daniel and have successfully created and installed the certs on both SRM appliances, however I don't see any option to generate a CSR on the replication appliance.

The VMdoc "Change the SSL Certificate of the vSphere Replication Appliance" at https://docs.vmware.com/en/vSphere-Replication/8.2/com.vmware.vsphere.replication-admin.doc/GUID-C960E9B0-BFF5-4A56-9CBD-7142DA6FB5C6.html

just says to upload the certificate. Wher do I get the certificate from, I assume I have to generate it somewhere?

Thanks in advance

D

I created it manually with OpenSSL... I am working onsite today, but I will dig out the instructions later tonight and post here... M

Hi DJMCVMW​.

Sorry for delay, I was unexpectedly asked to leave my hotel last night as they closed due to the UK Covid19 response and had a 5 hour drive home. :-(

I have uploaded a short document to https://communities.vmware.com/docs/DOC-41405 with the steps I use in OpenSSL to create the CSR, sign the CSR and then to create a pkcs12 (.p12) file for import into either a SRM or VRM appliance.

Let me know if you have any questions. I hope it helps.

Martin

Hi M,

Hope all is going Ok for there.

Thanks for getting back to me, I appreciate you taking the time however I'm unable to view your doc, it tell's me the content is restricted.

D

Hi DJMCVMW

Apologies, it should be working now.

All good here - it's nearly the weekend! :-)

Martin