WilliamLam.com

TLS Chain of Trust when using SSL Inspection with VCF Download Tool (VCFDT)

by // Leave a Comment

SSL traffic inspection is commonly deployed by Enterprises to ensure that they have visibility into encrypted connections, enabling their organization to reduce security risks and enforce acceptable use policies.

When using the VCF Download Tool (VCFDT), the connection must first terminate at your SSL inspection system and you may come across the following error: Unable to connect to the Depot Server


Taking a closer look at the VCFDT log file, we can quickly identify the problem which is due to validating the certificate chain from the SSL inspection system as you can see from this snippet:

Error checking certificate chain CN=depot.vcf.lab, OU=R&D, O=WilliamLam, L=Palo Alto, ST=CA, C=US, SerialNumber=91513477326140466830150858710326987151105506009,CN=WilliamLam-RootCA, OU=R&D, O=WilliamLam, L=Palo Alto, ST=CA, C=US, SerialNumber=659677038159141611554120742063414354480349425756 for validity.
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

To resolve this problem, we need to add the Root CA signing certificate into Java keystore that VCFDT can use to establish the chain of trust.

[Read more...]

Quick Tip - Reset vCenter Server from previously managed VCF Operations for VCF Single Sign-On (SSO)

by // Leave a Comment

Over the holidays, I was testing some new VMware Cloud Foundation (VCF) upgrade flows in my lab environment, where I ended up bricking SDDC Manager, which was completely my fault! While I had backups for the majority of the VCF components, I realized I did NOT have any backups for SDDC Manager itself 😢

With VCF 9.0, I realized I could simply leverage the built-in VCF Converge/Convert workflow that can take my existing vSphere-based deployment and turn it into a new VCF Fleet!


After a couple of hours, a new VCF Operations instance was deployed along with a new SDDC Manager that is now managing my existing vCenter Server. Since this was a new VCF Operations instance, I needed to reconfigure VCF SSO, so that I could have common authentication across all VCF Components.

Note: Make sure you have uninstalled both the old SDDC Manager and VCF Operations vSphere UI plugin as well as unregistering the SDDC Manager extension using the vSphere MOB.

However, when I attempted to setup VCF SSO, I ran into the following message: The identity source configuration is managed by another VCF Operations console.


The new VCF Operations instance would not allow me to configure VCF SSO as it knew the vCenter Server was managed by a different VCF Operations ... which I thought would be resolved with the re-deployment.

[Read more...]

Running VCF Download Tool (VCFDT) on Apple macOS

by // Leave a Comment

The VMware Cloud Foundation (VCF) Download Tool (VCDT) is how users download both VMware vSphere Foundation (VVF) and VCF) install and upgrade binaries, which can then then be hosted locally as a VCF Offline Depot.

VCFDT is only supported on a Windows or Linux-based operating system, which is a shame since I am exclusively an Apple macOS user 😞

If you attempt to run VCFDT on macOS (x86 or Apple Silicon), you will come across the following error message: cannot execute binary file: Exec format error


As you can see from the screenshot above, it attempts to use the Java runtime that has been compiled for Linux, which is denoted by the lin64 directory.

After poking around the VCFDT startup script, I saw that you could set your own custom JAVA path, which gave me an idea ...

Disclaimer: This is not officially supported by Broadcom, please use at your own risk.

[Read more...]