Senior Technical Account Manager
Since vRealize Operations Manager 6.6, there is a new vRealize Log Insight view on the Home tab. However, if vRealize Log Insight is using its default self-signed certificate, you will receive an error message stating that the content is blocked. To overcome this issue, you must use a valid certificate, which can be a commercial certificate or a certificate signed by your internal certification authority.
I was helping my customer (Prodam) upgrade their vRealize Automation and vRealize Log Insight to the newest versions, and they asked me how to create and import the certificate into vRealize Log Insight. I took some time looking for a “how to” covering everything from creating the request to adding the certificate, but I had no success. Even if you look in the vRealize Log Insight documentation, the information is not so clear.
So I decided to take some time to create a “how to” for my customer, and since we tested it successfully, I decided to share it to help everyone who is not fluent in certificate language.
First, to manage certificates in vRealize Log Insight, go to Administration (upper right):
You will see the certificate requirements by clicking the small “i” next to “New certificate file (PEM format)”. Note that PEM is the only supported certificate format, but don’t be afraid, I will explain how to create it … ;). If you want to know the difference between certificate formats, please check here.
I decided to use the native OpenSSL available on my Mac OS, but you can use the native OpenSSL installed on the vRealize Log Insight appliance. There is also a version of OpenSSL for Windows. You can find it here.
To make my life easier, I created a new OpenSSL configuration file, which I named “loginsight.cnf”. The file had the following content:
[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
# Write the private key unencrypted and take the subject from this file without prompting
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
# Replace each <...> placeholder with your own value (no quotes)
subjectAltName = DNS:<Log Insight FQDN>, DNS:<Log Insight IP for FQDN>, IP:<Log Insight IP for FQDN>, DNS:<Log Insight Server Name>, DNS:<Log Insight Server IP>

[ req_distinguished_name ]
countryName = BR
stateOrProvinceName = Sao Paulo
localityName = Sao Paulo
0.organizationName = My Customer
organizationalUnitName = Management
commonName = loginsight.corp.local
Here I want to draw your attention to the following item in the OpenSSL configuration file: subjectAltName.
- If you are using an alias to access vRealize Log Insight, you must add the alias name;
- If you are planning to use the same certificate on all vRealize Log Insight nodes, you must add all hostnames and IP addresses;
- I had a problem with different browsers. If you want a certificate compatible with Internet Explorer, Mozilla and Chrome, you must add all IP addresses twice: once using the string “DNS: IP address” and once using the string “IP: IP address”.
Assuming that you have created the OpenSSL configuration file, you must first create a new RSA key, which will be used in the PEM file, before creating the request. Run the following command:
openssl genrsa -out loginsight.key 2048
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
You can generate a certificate signing request by running this command:
openssl req -new -key loginsight.key -out loginsight.csr -config loginsight.cnf
Now you have the private key (loginsight.key) and the certificate request (loginsight.csr). Submit the CSR file to your Certificate Authority (CA) to obtain the certificate. Only the CSR goes to the CA; loginsight.key stays on your machine. In my lab, my certification authority is a Windows 2012 R2 server.
Click the “Request a certificate” link:
Submit the CSR file through “Advanced certificate request”:
Then select “Submit a certificate …”:
Open your request file (loginsight.csr) in a text editor and copy its content into the “Saved Request” area. Be sure to copy all of the information, and be sure to select “Web Server” in the “Certificate Template” option:
From your Certificate Authority, use the “Base 64 encoded” format to download the newly issued certificate. I saved my certificate file as “loginsight.cer”.
Great! Bear in mind that vRealize Log Insight only accepts PEM certificates, so I had to create my loginsight.pem file, and the process is very simple. Just combine loginsight.key and loginsight.cer in the same file … ;
On Windows:
type loginsight.key loginsight.cer > loginsight.pem
On Mac OS or Linux:
cat loginsight.key loginsight.cer > loginsight.pem
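Before uploading, it is worth confirming that the PEM file holds exactly one private key, that the certificate really belongs to that key, and that the subjectAltName entries discussed above are present in the issued certificate. The shell check below is an added example, not part of the original post; check_pem and make_demo_bundle are hypothetical helper names, and the demo bundle is a constructed self-signed certificate standing in for the CA-issued one.

```shell
# Added example (not from the original post). All sample data is constructed.
# check_pem BUNDLE ENTRY...   where ENTRY is DNS:<name> or IP:<address>
check_pem() {
    pem=$1; shift
    # 1. Exactly one private key and at least one certificate in the file.
    keys=$(grep -c -e 'BEGIN.*PRIVATE KEY' "$pem" || true)
    certs=$(grep -c -e 'BEGIN CERTIFICATE' "$pem" || true)
    [ "$keys" -eq 1 ] || { echo "expected 1 private key, found $keys"; return 1; }
    [ "$certs" -ge 1 ] || { echo "no certificate in bundle"; return 1; }
    # 2. The certificate must contain the public half of the bundled key.
    kpub=$(openssl pkey -in "$pem" -pubout 2>/dev/null) || { echo "unreadable key"; return 1; }
    cpub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || { echo "unreadable certificate"; return 1; }
    [ "$kpub" = "$cpub" ] || { echo "certificate does not match private key"; return 1; }
    # 3. Every expected entry must be present in subjectAltName.
    sans=$(openssl x509 -in "$pem" -noout -text | grep -A1 'Subject Alternative Name' |
           tail -n 1 | sed 's/^ *//; s/, */,/g')
    for want in "$@"; do
        # openssl prints IP entries as "IP Address:<addr>"
        case $want in IP:*) want="IP Address:${want#IP:}" ;; esac
        case ",$sans," in
            *",$want,"*) ;;
            *) echo "missing SAN entry: $want"; return 1 ;;
        esac
    done
    echo "OK: $pem"
}

# Constructed sample input: a throwaway self-signed certificate stands in for
# the CA-issued loginsight.cer so the check can be tried offline.
make_demo_bundle() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
commonName = loginsight.corp.local
[ v3_req ]
subjectAltName = DNS:loginsight.corp.local, DNS:log-01a.corp.local, DNS:192.168.110.102, IP:192.168.110.102
EOF
    openssl genrsa -out "$dir/demo.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/demo.key" -out "$dir/demo.cer" -days 1 \
        -config "$dir/demo.cnf" -extensions v3_req
    cat "$dir/demo.key" "$dir/demo.cer" > "$dir/demo.pem"
}
```

Against the real file, call check_pem loginsight.pem followed by every DNS: and IP: entry you put in loginsight.cnf; a non-zero exit names the first check that failed.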
Return to vRealize Log Insight, go to Administration and then SSL, click the Browser button, select your PEM file (loginsight.pem), and then click SAVE.
Check that everything went well by returning to vRealize Operations Manager and trying to access vRealize Log Insight. You should see the following:
This is the certificate signed by my Certificate Authority that I’m using in vRealize Log Insight:
Note that when I requested my certificate, I added the alias (loginsight.corp.local), the server name (log-01a.corp.local), and the IP address twice: once as IP Address (192.168.110.102) and once as DNS Name (192.168.110.102). If you have more than one server, please add them to your request.
Easy, right? If you have any suggestions, don’t hesitate to comment here. Also, I would like to say thanks to my friends from Prodam (Rodrigo Gregório, Henkel Sauer and Ricardo Rangel), and to my pal Eduardo Meirelles for reviewing this post.
Jean Oliveira is a Technical Account Manager for VMware based in São Paulo, Brazil. For the last 6 years, he has assisted and helped customers in their hybrid-cloud journey, saving money and achieving a higher IT maturity. You can connect with Jean on LinkedIn.