We had to update four certificates by the end of June. I wasn’t able to write this blog post earlier, but I really have to write it down: it took six and a half hours to update four certificates. Yes, there is no typo in that sentence, 6.5 hours to update 4 certificates.

The one most responsible for that is the Identity Manager certificate. Replacing this certificate took 5 hours! I’ll describe the downside of this upgrade as well as a better way to update this certificate.

Getting started

So we’ve got VMware Aria Suite Lifecycle (previously known as VMware vRealize Suite Lifecycle Manager) and you are able to “just” click “Replace Certificate” within the vIDM product in the global environment. After that you walk through a wizard: select the new certificate, re-trust the product certificates, opt in for a snapshot and run a precheck (in which you need to consent to the downtime). After that you’re good to go and can sit back awaiting the flow of 18 steps.

First error

At step 9 we received our first error: replacing the certificate on one node failed. After some troubleshooting we ran an inventory sync, which showed an error that the admin account could not log in to this node. Our bad, we had made some changes: we added a password entry in the locker and retried the inventory sync with the new credential. After that we could specify this new password entry in the certificate update request, which then continued.

Second error

At step 10 the second error occurred (power on nodes). When we went to the console (using vCenter) we saw that the Elasticsearch process couldn’t start; it waited 13 minutes before it continued starting up. This happened on each node (3 in total), but the flow eventually continued.

Third and final error

Around midnight (3.5 hours later) the third error occurred at step 15:

    Error Code: LCMVIDM70031
    vIDM Certificate Update is not successful. Blocking further executions.
    vIDM Certificate Updated is not successful. Blocking further executions for re-trusting vIDM certificate on referenced products. To apply required certificate on vIDM, re-initiate certificate update operation again

This is pretty definitive. Fortunately we had two VMware support engineers (since the first error) to help us out. Because of the time of day (midnight) we said we didn’t want to troubleshoot for too long, just gather the log bundles needed to find out why it happened and how to prevent it on the next attempt. The support engineer told us he wanted to replace the certificates manually, which shouldn’t take that long.

As you can see in the screenshot, this attempt took 3 hours and 15 minutes.

Replace certificates manually

  1. For each Identity Manager node:
    1. Create a snapshot
    2. Replace the certificate using this VMware KB
    3. Log in to the vIDM appliance (SSH) and run: service horizon-workspace restart
    4. Wait two minutes for the service to restart (and start doing these actions on the next Identity Manager node)
  2. When the certificate is replaced on all Identity Manager nodes, go to VMware Aria Suite Lifecycle Manager.
  3. For each product that is connected to Identity Manager:
    1. Go to the environment
    2. Go to the product
    3. Click on “…” and select “Re-trust with identity manager”.
      (vRealize Automation took the longest: 20 minutes)
  4. If using a load balancer (we use NSX Advanced Load Balancer), replace the certificate there as well.
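After the manual steps above, a quick way to confirm every vIDM node and the load balancer VIP actually present the same new certificate (and when it expires) is to compare the fingerprints each endpoint serves. This is an added example, not part of the original post or of VMware tooling; it uses openssl s_client, and the host names in the usage line are placeholders for your own nodes and VIP.

```shell
#!/bin/sh
# Added example (not from the original post or VMware): verify that each vIDM node
# and the load-balancer VIP serve the same certificate after a manual replacement.

# Print the SHA-256 fingerprint and notAfter of the certificate served at host:port.
cert_info() {
  host=${1%%:*}
  openssl s_client -connect "$1" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 -enddate 2>/dev/null
}

# Extract the fingerprint value ("...Fingerprint=AA:BB:...") from cert_info output.
fp_of() { printf '%s\n' "$1" | sed -n 's/^.*Fingerprint=//p'; }

# Extract the notAfter value from cert_info output.
expiry_of() { printf '%s\n' "$1" | sed -n 's/^notAfter=//p'; }

# Return 0 when every argument equals the first one, 1 on any mismatch.
all_same() {
  first=$1; shift
  for fp in "$@"; do
    [ "$fp" = "$first" ] || return 1
  done
  return 0
}

# Check every host:port given as an argument; return 1 on a missing cert or a mismatch
# (a node that was skipped, or a load balancer still holding the old certificate).
check_endpoints() {
  seen=""
  for ep in "$@"; do
    info=$(cert_info "$ep")
    if [ -z "$info" ]; then
      echo "FAIL $ep: no certificate returned"
      return 1
    fi
    fp=$(fp_of "$info")
    echo "$ep  $fp  expires $(expiry_of "$info")"
    seen="$seen $fp"
  done
  # Word splitting of $seen is intended: one fingerprint per argument.
  if all_same $seen; then
    echo "OK: all endpoints present the same certificate"
  else
    echo "WARN: endpoints present different certificates"
    return 1
  fi
}

# Usage (placeholder hosts): ./check-vidm-cert.sh vidm-node1.example.local:443 \
#   vidm-node2.example.local:443 vidm-node3.example.local:443 vidm.example.local:443
if [ $# -gt 0 ]; then check_endpoints "$@"; fi
```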

We finished replacing the certificate for vIDM around 1:30 AM. If we had known the manual solution, we would have been able to update the certificate easily within 45 minutes. Next time we would absolutely prefer the manual option, since it really saves time and is more straightforward than the 18 steps run by Aria Suite Lifecycle Manager.
