For Communication Service Providers (CSPs), with their vast, complex networks, effective endpoint management across the networks is crucial. These networks often involve numerous systems—from virtual and CaaS infrastructure to various network functions and services—all relying on secure certificate-based communication. Endpoint connectivity and certificate observability are therefore vital to ensure the continuous security of sensitive communications, such as data transfers between network elements. Manually tracking expiry dates for certificates and passwords, renewing hundreds or thousands of certificates across different systems, and re-establishing trust can be a complex and error-prone process. Expired certificates and passwords can lead to service disruptions, customer dissatisfaction, and security vulnerabilities.
Broadcom addresses these challenges by providing endpoint connectivity, certificate observability and management functionalities within VMware Telco Cloud Platform. This enables CSPs to monitor connectivity with the integrated components and their certificates in real-time, ensuring their validity, proper deployment, and continued secure communication between systems. This level of visibility is essential for uninterrupted services, protection against breaches, and regulatory compliance. Furthermore, automated certificate renewals eliminate the risk of unnoticed expirations, maintaining a seamless security posture across the infrastructure.
Telco Cloud Platform uses the SSL/TLS protocol to secure communications between all its components, ensuring data privacy and integrity. Disruptions in the SSL/TLS handshake can impair the platform’s orchestration and observability capabilities. To address this, Telco Cloud Platform provides CSPs with tools to monitor the reachability, authenticated connectivity, and certificate status of its components and, in some cases, offers single-click remediation operations.
Telco Cloud Platform offers a centralized dashboard to actively monitor the status of certificates and the connection for all integrated components. It also verifies authenticated connectivity to these components, addressing situations where components are reachable but their service account passwords have expired or changed. Once Telco Cloud Automation and its control plane are integrated with the following endpoints, their connectivity and certificates are automatically monitored:
- VMware vCenter
- NSX-T Manager
- Harbor
- Airgap Server
- Kubernetes Clusters
- VMware Aria Orchestrator
- Syslog Server
- VMware Aria Operations for Logs
- Active Directory
- Git repository
When a CaaS cluster is deployed, Telco Cloud Automation automatically adds it as an endpoint and monitors its connectivity and SSL certificates. For other components, monitoring begins when they are integrated with Telco Cloud Automation. Users can generate and download reports of current endpoint statuses. Telco Cloud Platform triggers alarms for unreachable endpoints, expired or expiring passwords, externally changed passwords, and expiring, expired, or externally rotated certificates.
Single-click remediation operations are available for expiring or expired certificates on specific VMware Telco Cloud Platform components. For example, the ability to renew certificates on CaaS Workload clusters, on demand, can help with scheduled certificate management during maintenance windows. Additionally, the platform offers the capability to re-authenticate certain components when their passwords have expired or been changed. These can be performed proactively or in response to alarms generated in Telco Cloud Automation, and include:
- Renew Certificate on CaaS Workload Cluster
- Re-establish Trust for vCenter
- Re-authenticate vCenter
- Re-establish Trust for Airgap Server
- Re-establish Trust for Harbor
- Re-authenticate Harbor
To illustrate, let us walk through renewing the certificate on a CaaS workload cluster.
- In the Telco Cloud Automation UI, navigate to Fleet Management -> Connected Endpoints page.

- Click on the ellipsis next to the CaaS workload cluster (in this case, wld01-k8s-01).

- Click Renew Certificate to renew the certificate for the CaaS workload cluster. Click OK.

- The endpoint remains Connected and additionally shows that a task is in progress.

- Navigate to Infrastructure -> CaaS Infrastructure and click on the CaaS workload cluster (in this case, wld01-k8s-01). Then click on the Configuration and Control Plane tab and confirm that the cluster update task has been triggered and the status is Processing. The certificate renewal process for CaaS clusters creates new control plane nodes in that CaaS cluster that carry the new certificates.

- Once the process completes, the Status changes to Provisioned in the Configuration and Control Plane tab of the CaaS workload cluster.

- On the Connected Endpoints page, verify that the endpoint shows Connected.

To generate and download a report of all connected endpoints:
- Navigate to Fleet Management -> Connected Endpoints page and click on Download Reports.

- Click on Connected Endpoints.

- Then click Download to download a CSV file of all the connected endpoints, their statuses and details.

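As an added example (not Telco Cloud Platform code), the alarm conditions described earlier (unreachable endpoint, failed service-account authentication, expiring, expired, or externally rotated certificate) and the Connected Endpoints CSV report, expressed as a small Python check over a constructed inventory; the 30-day expiring window, the field names, and the fingerprints are assumptions.

```python
from __future__ import annotations
import csv, io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
EXPIRING_WINDOW = timedelta(days=30)  # assumed alarm threshold, not stated on the page

@dataclass
class Observation:
    name: str
    reachable: bool
    auth_ok: bool                 # service-account login succeeded
    not_after: datetime | None    # certificate expiry (UTC); None if unreachable
    fingerprint: str | None       # SHA-256 of the presented leaf certificate

def assess(obs: Observation, baseline_fp: str | None, now: datetime) -> list[str]:
    """Return the alarms raised for one endpoint; an empty list means healthy."""
    if not obs.reachable:
        return ["unreachable"]
    alarms = []
    if not obs.auth_ok:  # reachable, but the stored service-account password no longer works
        alarms.append("password expired or changed")
    # Fingerprint differs from the one recorded at integration: rotated outside the platform
    if baseline_fp is not None and obs.fingerprint != baseline_fp:
        alarms.append("certificate externally rotated")
    if obs.not_after is not None:
        if obs.not_after <= now:
            alarms.append("certificate expired")
        elif obs.not_after - now <= EXPIRING_WINDOW:
            alarms.append("certificate expiring")
    return alarms

def report_csv(observations: list[Observation], baselines: dict, now: datetime) -> str:
    """Render the Connected Endpoints report: one CSV row per endpoint."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["endpoint", "status", "alarms", "not_after"])
    for obs in observations:
        alarms = assess(obs, baselines.get(obs.name), now)
        status = "Connected" if obs.reachable and obs.auth_ok else "Disconnected"
        w.writerow([obs.name, status, ";".join(alarms), obs.not_after.isoformat() if obs.not_after else ""])
    return buf.getvalue()

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock for the sample inventory
BASELINES = {"wld01-k8s-01": "fp-aaaa", "vcenter": "fp-bbbb", "harbor": "fp-cccc"}  # recorded at integration
SAMPLE = [  # constructed probe results
    Observation("wld01-k8s-01", True, True, NOW + timedelta(days=10), "fp-aaaa"),  # expiring soon
    Observation("vcenter", True, True, NOW + timedelta(days=300), "fp-zzzz"),      # rotated externally
    Observation("harbor", True, False, NOW - timedelta(days=1), "fp-cccc"),        # expired, bad password
    Observation("airgap", False, False, None, None),                               # unreachable
]
```

Calling `report_csv(SAMPLE, BASELINES, NOW)` yields the same four rows a downloaded report would carry, with one alarm string per condition that would be raised.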
Through this exercise, we have shown how streamlined certificate management is with VMware Telco Cloud Platform. Automated certificate management is crucial for telco companies to ensure secure and uninterrupted services across their complex networks. Telco Cloud Platform offers certificate observability and single-click renewal operations, enabling proactive monitoring and remediation of expiring or expired certificates. This capability reduces manual effort, enhances security posture, and supports the scalable infrastructure needed for 5G and beyond.