Friday, September 30, 2022

How to renew Self-Signed certificates for NSX-T LocalManager, tomcat and mp-cluster.

Hello Everyone,

Hope you are doing well.

Today, I am covering the expiry of self-signed certificates in NSX-T environments for components like LocalManager and mp-cluster.

You will see warnings in the NSX-T GUI that the LocalManager and mp-cluster self-signed certificates have expired.

Generally, we update only the NSX Manager Cluster/VIP certificates.

The LocalManager, tomcat and mp-cluster certificates are self-signed certificates created when the NSX-T environment is deployed.

The tomcat certificate is an API certificate used for external communication with individual NSX Manager nodes through the UI/API.

The mp-cluster certificate is an API certificate used for external communication with the NSX Manager cluster using the cluster VIP, through the UI/API.




Let's start renewing the LocalManager self-signed certificate.

Log in to the NSX-T GUI with admin credentials.

Go to Systems > Under Settings click on Certificates > click on CSRs > click GENERATE CSR





Click on GENERATE. The CSR for the LocalManager certificate will be generated and displayed.



Now, select the LocalManager CSR, go to Actions and click on Self Sign Certificate for CSR.




Once you click on Self Sign Certificate for CSR, it will ask for the number of days the certificate will be valid. The default is 825 days, but we can modify the number of days according to our policy.



Click on ADD. The certificate will be generated and you can see it in the Certificates tab.




Now you can delete the existing expired local-manager certificate, and the certificate alarm will be resolved in the NSX-T GUI.


If you get an error while deleting the expired certificate, such as "Certificate cannot be deleted because it is used by 1 MP node(s)", you need to use the NSX-T API to find the node that is using the expired certificate and release the certificate from that node. You will then be able to delete the certificate successfully.
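
The lookup described above, as an added example that is not from the original post or from VMware: it takes a certificate listing of the kind the NSX-T API returns and separates expired certificates that can be deleted from those still bound to a node. The field names (`results`, `details`, `not_after` in epoch milliseconds, `used_by`, `node_id`, `service_types`) are assumptions about that listing's shape, and all sample data is constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample; IDs, node names and dates are made up for illustration.
# The field names are assumed to match the API's certificate listing.
SAMPLE = json.loads("""
{"results": [
  {"id": "cert-0001", "display_name": "local-manager",
   "details": [{"not_after": 1664496000000}],
   "used_by": [{"node_id": "node-bbbb", "service_types": ["API"]}]},
  {"id": "cert-0002", "display_name": "mp-cluster",
   "details": [{"not_after": 1661990400000}],
   "used_by": []},
  {"id": "cert-0003", "display_name": "local-manager-renewed",
   "details": [{"not_after": 1735776000000}],
   "used_by": [{"node_id": "node-aaaa", "service_types": ["API"]}]}
]}
""")
NOW = datetime(2022, 10, 1, tzinfo=timezone.utc)  # constructed "current" time


def triage_expired(listing, now):
    """Return (deletable_ids, blocked) for certificates expired at `now`.

    blocked maps a certificate id to the (node_id, service_type) pairs that
    must be released before the delete will succeed.
    """
    deletable, blocked = [], {}
    for cert in listing.get("results", []):
        details = cert.get("details") or []
        if not details:
            continue  # no validity data returned: leave for manual review
        # A chain is expired as soon as its earliest-expiring member is.
        not_after_ms = min(d["not_after"] for d in details)
        expires = datetime.fromtimestamp(not_after_ms / 1000, tz=timezone.utc)
        if expires > now:
            continue
        # A node entry without service types still counts as a binding.
        bindings = [(use["node_id"], service)
                    for use in cert.get("used_by") or []
                    for service in use.get("service_types") or [None]]
        if bindings:
            blocked[cert["id"]] = bindings
        else:
            deletable.append(cert["id"])
    return deletable, blocked


if __name__ == "__main__":
    deletable, blocked = triage_expired(SAMPLE, NOW)
    print("safe to delete:", deletable)
    for cert_id, bindings in blocked.items():
        print(cert_id, "still used by:", bindings)
```

With the sample above, the renewed certificate (825 days of validity) is ignored, and the expired local-manager certificate is reported as blocked by the node that still holds it.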

Hope this is informative. Thanks!!


Tuesday, April 26, 2022

Cross vCenter Server VM migration without same SSO domain in vSphere 7.0.

Hello All,

Today, I am covering a new feature introduced in vSphere 7.0 that lets us migrate a VM to another vCenter Server which is not joined to the same SSO domain.

This means there is no need for linked mode or vCenter Servers joined to the same SSO domain in order to migrate a VM to another vCenter Server.

All you need is network connectivity between the source and destination vCenter Servers, with the required ports allowed, and access to both vCenter Servers.

Below are the screenshots captured while moving a VM from one vCenter Server to another running vSphere 7.0.

Log in to the source vCenter Server and choose the VM which we want to migrate.

Right-click on the VM, choose the Migrate option and then select the Cross vCenter Server export option.


 

 

Click NEXT.

Enter the destination vCenter Server FQDN, username and password and click on LOGIN.

Accept the thumbprint and click on Yes.

 

 

 

Click NEXT and proceed further. Select the destination cluster to which you want to move this VM.


Click NEXT and select the storage datastore. In my case, I have a vSAN-backed datastore.

 

Click NEXT and choose the folder hierarchy in which to place the VM.

 

 

Click NEXT and choose the network port group for the VM.

 


Click NEXT and review the details. If everything is OK, click on FINISH to start the VM migration.

 

 

The VM clone operation task will initiate and will take some time, depending on the VM size and network throughput.


 

Once the task has finished, you will get the cloned VM at the destination vCenter Server.

That's it. This is a really cool feature for migrating a VM from one vCenter Server to another without worrying about linked mode or a shared SSO domain.

Thanks....

Edge node vmid not found on NSX manager

Hello There, Recently, we faced an issue in our NSX-T environment running with 3.2.x version. We saw below error message while running t...