VMware Aria Suite Lifecycle 8.16

8.18 8.16 8.14 8.12
Português (Brasil) 简体中文 Deutsch Español Français Italiano 日本語 한국어 Nederlands 繁體中文 English

Replace your
Workspace ONE Access
 certificate by using
VMware Aria Suite Lifecycle

Use this procedure to replace the VMware Identity Manager certificate or the globalenvironment setting in your
VMware Aria Suite Lifecycle
 environment.
The VMware Identity Manager and
Workspace ONE Access
 terms are used interchangeably in
VMware Aria Suite Lifecycle
 product documentation.
For related information about replacing certificates for
VMware Aria Suite Lifecycle
, see Replace certificate for VMware Aria Suite Lifecycle products.
To replace a certificate on a clustered deployment, you must manually replace the certificate on the load balancer. If you encounter an error while replacing the certificate and you are running
Workspace ONE Access
 version 3.3.7, see https://ikb.vmware.com/s/article/94095.

Generate a self-signed certificate

Use the Locker service to generate a Certificate Signing Request (CSR) and create a .pem file. With information from the .pem file, you import the cerficiate into the
VMware Aria Suite Lifecycle
 locker .
  1. From the My Services dashboard, click
    Locker
    .
  2. Click
    Generate CSR
     and enter the name
    globalenvironment
    .
  3. Enter customer-specific values for all required fields on he Generate CSR form and click
    Generate
     to generate the .pem file.
    A sample form is shown below.
    Sample generate CSR page as described in the text.
    To replace your certificate in a clustered environment, enter multiple domain names and IP addresses, separated by commas.
    A .pem file contains a certificate signing request and a private key as in the example below with certificate and key details removed.
    -----BEGIN CERTIFICATE REQUEST-----
...
-----END CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
  4. Submit the .pem file to a signing authority to request that it be signed. If you do not have a configured signing authority, perform the following steps.
    In this example, the signing authority is the Microsoft Active Directory Certificate Service and it is configured for http://localhost/certsrv/.
    2. Click
      Request a Certificate
      Advance Certificate Request
      .
    3. For this example, click
      Request a certificate
      .
      Screen shows the request a certificate option as described in the text.
    4. Click
      Advanced certificate request
      .
      Screen shows the Advanced certificate request as described in the text.
    5. Click the
      Submit a certificate request using base64 encoded …
       option.
      Screen shows the Submit a certificate request ... option as described in the text.
    6. Paste the certificate .pem file content from your certificate request and click Submit.
      Screen shows the .pem content pasted into the form and the Submit key as described in the text.
  5. After the .pem is submitted. you are prompted to download a certificate. Select the
    Base64 encoded
     certificate format and select both the
    Download certificate
     and the
    Download certificate chain
     options.
    Screen shows all three options described in the text.
    This actions downloads
    certnew.cer
     for the certificate and
    certnew.p76
     for the certificate chain. In this example, they are downloaded to a user downloads folder of
    C:\USERS\ARUN|DOWNLOADS
    . An example of both are provided below:
    • certnew.cer - certificate
      Reference: certnew.cer  
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
    • certnew.p7b - certificate chain
      Reference: certnew.p7b
 
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
  6. The root certificate is needed. In this example, an existing server certificate named
    cap-AD-CA
     exists and an existing root certificate of
    vidm.cap.org
     exists and both were issued by a signing authority of cap-AD-CA.
    Screen shows the two existing certificates described in the text.
  7. Split this into the globalenvironment certificate and the root certificate by using the
    Copy To File
     function. The certificates involved are
    certnew.cert
    ,
    globalenvironmentcert.cert
    ,
    rootcert.cert
     and the
    certnew.p7b
     certificate chain.
    The 4 files to use in the Copy To File function are shown.
  8. Import the globalenvironment certificate into the
    VMware Aria Suite Lifecycle
     Locker service:
    1. Click
      Locker
       from the
      VMware Aria Suite Lifecycle
       My Services page
    2. Click
      Certificates
      Import
      .
    3. The Import Certificate page appears. In the
      Name
       field, enter
      globalenvironment
      .
  9. Using the extracted globalenvironment and root certificate as source, open Notepad ++ or any other text editor and create a certificate chain with two certificate sections: the server certificate content at the top followed by the root certificate content . The example below shows the two sections with details removed. 
    -----BEGIN CERTIFICATE-----
...
###server certificate content###
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
###root certificate content###
...
-----END CERTIFICATE-----
    • Copy and paste the private key content from the .pem file created by the generated CSR into the
      Private Key
       section of the Import Certificate form.
    • Copy and paste the content with the two certificate sections into the
      Certificate Chain
       section of the Import Certificate form.
  10. Verify the certificate chain by using a verification tool such https://tools.keycdn.com/ssl.
  11. Click
    Import
     to import the new globalenvironment certificate into
    VMware Aria Suite Lifecycle
    .
    A sample populated Import Certificate form is shown below.
    Sample populated Import Certificate form is shown as described in the text.
    When the import is successful, the
    Certificate successfully added.
    statement appears, as shown below.
    Certificate successfully added statement appears as described.
  12. You can display details about the successfully imported new certificate. A sample is shown below.
    Details page for newly imported globalenvironment certificate as described.

Create a snapshot of the environment

Before replacing your existing globalenvironment certificate with the new certificate, take a snapshot in the Lifecycle Operations service.
  1. From the
    VMware Aria Suite Lifecycle
     dashboard, click
    Lifecycle Operations
    .
  2. Click
    Environments
     and then click
    View Details
     on the globalenvironment tile.
  3. Click the 3 dot ellipse (
    ) following the Change Admin Password option and select
    Snapshot
    Create Snapshot
     from the drop-down menu.
    Create a snapshot of the Lifecycle Operations service environment
  4. For this example, enter
    Snapshot Before Cert Replacement
     in the
    Snapshot Prefix
     field
    Description
     fields.
  5. Switch the
    Shutdown before taking snapshot option
     to the on position and click
    Next
    .
    Image of the Create Snapshot screen as described in the text.
  6. When prompted, click
    Run Precheck
    .
  7. When the precheck result is returned, click
    Finish
    .
    The completed Precheck result is returned and the Finish option is available as described in the text.
  8. After you click
    Finish
    , the
    Request Details
     page automatically appears and displays the progression of each stage of the pre-check process.
  9. When the snapshot request is complete, you can proceed to make the certificate replacement request.

Create the certificate replacement request

After you create the snapshot, you're ready to initiate the certificate replacement request and replace the existing standalone globalenvironment certificate with the new self-signed certificate.
  1. On the
    VMware Aria Suite Lifecycle
     My Services page, click
    Lifecycle Operations
     and then click
    Environments
    .
  2. Click
    View Details
     on the globalenvironment tile.
  3. Click the three dot icon (
    ...
    ) in the VMware Identity Manager row and click
    Replace Certificate
     from the drop-down menu.
    Displays selection of Replace Certificate as described in the text.
    The
    Current Certificate
     details page appears. If you've never replaced the certificate, then this is the default certificate that was used during installation of the product.
  4. On the resultant
    Current Certificate
     details page, click
    Next
    .
    The
    Select Certificate
     page appears.
  5. On the
    Select Certificate
     page, select
    globalenvironment
     from the drop-down menu.
    Select the globalenvironment option from the drop-down menu.
    The
    Select Certificate
     details page appears.
  6. On the resultant
    Select Certificate
     details page, click
    Next
    .
    The
    Retrust Product Certificate
     page appears.
  7. On the
    Retrust Product Certificate
     page, select all the products to be impacted by the retrust certificate action and then click
    Next
    .
    Select all the products and then click Next.
    The
    Opt-in for Snapshot
     page appears.
  8. Click the
    Opt-in for Snapshot
     check box to enable the option and then click
    Next
    .
    The
    Precheck
     page appears.
  9. On the
    Precheck
     page, click
    Run Precheck
    .
  10. If you are prompted to consent to a validation request, click
    Re-run Precheck
    .
    Review the pre-check results and take any further actions that are needed as prompted on-screen.
    Respond as needed to on-screen prompts.
  11. When all pre-check validations are complete, click
    Finish
     to submit the request.
    Click Finish.
  12. You can monitor the request details status by selecting
    Requests
     in the Lifecycle Operations left pane menu. The stages of the replace certificate action are detailed below. 
    Stage-1
 Gracefully Shut Down VMware Identity Manager
    Start
    Validate VMware Identity Manager Certificate
    Start graceful shutdown of VMware Identity Manager
    Prepare graceful shutdown of VMware Identity Manager nodes
    Check power states of VMware Identity Manager nodes
    Validate SSH credentials of VMware Identity Manager nodes
    Update VMware Identity Manager node types
    Extract vMoid of VMware Identity Manager nodes
    Verify Identity Manager Appliance Health Check
    Verify Identity Manager Postgres Health Check
    Validate VMware Identity Manager node types
    VMware Identity Manager stop horizon service
    VMware Identity Manager stop Elasticsearch / Opensearch service
    VMware Identity Manager stop pgpool service
    VMware Identity Manager stop postgres service
    Shutdown VMware Identity Manager nodes
    Final
 
Stage-2
 Create Node Snapshot
    Start
    Get vMoid using Virtual Machine
    Virtual Machine Snapshot using vMoid
    Final
 
Stage-3
 Power on VMware Identity Manager Node(s)
    Start
    Validate VMware Identity Manager Certificate
    Start Power On of VMware Identity Manager nodes
    Prepare required inputs to power on VMware Identity Manager Node(s)
    Extract vMoid
    Power On VMware Identity Manager Node
    Check Hostname/IP status of VMware Identity Manager
    Get node endpoint of VMware Identity Manager
    Final
 
Stage-4
 Remediate VMware Identity Manager
    Start
    Start remediation of VMware Identity Manager
    Prepare required inputs to remediate VMware Identity Manager
    Validate ssh credentials of VMware Identity Manager
    VMware Identity Manager start pgpool service
    Update VMware Identity Manager node types
    Check primary node status of VMware Identity Manager
    VMware Identity Manager Appliance Health Check
    Update VMware Identity Manager node details with VMware Aria Suite Lifecycle's inventory
    Final
 
Stage-5
 Product Health Check
    Start
    Product Health Check prepare
    vIDM health pre-Check
    Final
 
Stage-6
 Update Certificate on VMware Identity Manager
    Start
    Validate VMware Identity Manager Certificate
    Start update of Certificate on  VMware Identity Manager nodes
    Update  Certificate on  VMware Identity Manager nodes
    Final
 
Stage-7
 Trust vIDM Certificate in LCM
    Start
    Add vIDM certificate to VMware Aria Suite Lifecycle trust store
    Final
 
Stage-8
 Revert to Node Snapshot
    Start
    Get vMoid
    Final
 
Stage-9
 Power On VMware Identity Manager Nodes
    Start
    Validate VMware Identity Manager Certificate
    Final
 
Stage-10
 Remediate VMware Identity Manager Nodes
    Start
    Start remediation of VMware Identity Manager
    Prepare required inputs to remediate VMware Identity Manager   
    Validate ssh credentials of VMware Identity Manager
    VMware Identity Manager start pgpool service
    Update VMware Identity Manager node types
    Check primary node status of VMware Identity Manager
    VMware Identity Manager Appliance Health Check
    Update VMware Identity Manager node details with VMware Aria Suite Lifecycle's inventory
    Final
 
Stage-11
 Product Health Check
    Start
    Product Health Check prepare
    Final
 
Stage-12
 Delete Node Snapshot
    Start
    Get vMoid Delete Snapshot
    Delete Node Snapshot
    Final
 
Stage-13
 Locker Reference Update
    Start
    Locker reference update init
    Locker reference inventory  update
    Final
 
Stage-14
 Product Replace Update Notification
    Start
    Start replace update notification
    Replace certificate notification
    Final
 
Stage-15
 Validate if VMware Identity Manager re-trust is required on products
    Start
    Start Validate if VMware Identity Manager re-trust is required on products
    Validate if VMware Identity Manager re-trust is required on products
    Final
 
Stage-16
 Update VMware Identity Manager Auth provider hostname
    Start
    Start update auth provider hostname
    Trust VMware Identity Manager Certificate in VMware Aria Suite Lifecycle
    Update VMware Identity Manager Auth provider hostname
    Final
 
Stage-17
 Retrust VMware Identity Manager on VMware Aria Automation
    Start
    Start VMware Identity Manager flow
    Check if vIDM root certificate is present on VMware Aria Automation
    Check for VMware Identity Manager availability
    Check for VMware Identity Manager Login Token
    Check for VMware Identity Manager Default Configuration User availability
    Configure VMware Identity Manager  for VMware Aria Automation
    Configure Load Balancer for VMware Aria Automation
    Initialize VMware Aria Automation
    Update VMware Identity Manager allowed redirects
    Final
 
VMware Aria Operations reconfigure vidm
    Start
    Start VMware Aria Operations - VMware Identity Manager reconfigure
    Reconfigure VMware Identity Manager
    Prepare Identity Manager catalog task
    Final
 
VMware Aria Operations for Logs retrust vidm
    Start
    Start VMware Aria Operations for logs retrust vIDM
    Prepare Nodes
    Final
 
VMware Aria Operations for Networks Reconfigure vidm
    Start
    Start VMware Aria Operations for Networks generic
    Validate and fetch VMware Aria Operations for Networks vidm client details
    vIDM get O Auth client details
    Reconfigure vIDM hostname
    Final
  
Stage-18
Re-trust VMware Identity Manager on VMware Aria Automation
    Start
    Start VMware Identity Manager flow
    Check if vIDM root certificate is present on VMware Aria Automation
    Check for VMware Identity Manager availability
    Check for VMware Identity Manager Login Token
    Check for VMware Identity Manager Default Configuration User availability
    Configure VMware Identity Manager  for VMware Aria Automation
    Configure Load Balancer for VMware Aria Automation
    Initialize VMware Aria Automation
    Update VMware Identity Manager allowed redirects
    Final
 
 VMware Aria Operations reconfigure vidm
    Start
    Start VMware Aria Operations - VMware Identity Manager reconfigure
    Reconfigure VMware Identity Manager
    Prepare Identity Manager catalog task
    Final
  13. When complete, confirm that the certificate is in use by clicking
    Locker
     from the
    My Services
     page of
    VMware Aria Suite Lifecycle
     and then select
    Certificates
    globalenvironment
    .
    Confirm the globalenvironment certificate in the Locker.
    You can also view
    VMware Aria Suite Lifecycle
     and VMware Identity Manager logs. The log statement
    Applied certificate to vIDM..
     indicates that the VMware Identity Manager services are being restarted.

Content feedback and comments