Deploy and Configure an NSX Edge Cluster PDF
VMware Cloud Foundation Administration Guide
26 MAR 2024
VMware Cloud Foundation 5.1

You can find the most up-to-date technical documentation on the VMware by Broadcom website at: https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2015-2024 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

VMware by Broadcom 2

Contents

About the VMware Cloud Foundation Administration Guide
1 Administering VMware Cloud Foundation
  VMware Software Components Deployed by VMware Cloud Foundation
  Web Interfaces Used to Administer VMware Cloud Foundation
2 Getting Started with SDDC Manager
  Log in to the SDDC Manager User Interface
  Guided SDDC Manager Onboarding
  Tour of the SDDC Manager User Interface
  Log out of the SDDC Manager User Interface
3 Configure the Customer Experience Improvement Program Settings for VMware Cloud Foundation
4 Managing Certificates in VMware Cloud Foundation
  View Certificate Information
  Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates
  Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates
  Install Microsoft Certificate Authority Roles
  Configure the Microsoft Certificate Authority for Basic Authentication
  Create and Add a Microsoft Certificate Authority Template
  Assign Certificate Management Privileges to the SDDC Manager Service Account
  Configure a Microsoft Certificate Authority in SDDC Manager
  Install Microsoft CA-Signed Certificates using SDDC Manager
  Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates
  Configure OpenSSL-signed Certificates in SDDC Manager
  Install OpenSSL-signed Certificates using SDDC Manager
  Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files
  Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle
  Add a Trusted Certificate to the SDDC Manager Trust Store
  Remove Old or Unused Certificates from SDDC Manager
5 Managing License Keys in VMware Cloud Foundation
  Add a Component License Key in the SDDC Manager UI
  Edit a Component License Key Description in the SDDC Manager UI
  Delete a Component License Key in the SDDC Manager UI
  Update Component License Keys for Workload Domain Components
6 Prepare ESXi Hosts for VMware Cloud Foundation
  Create a Custom ISO Image for ESXi
  Create a Custom ESXi ISO Image Using VMware PowerCLI
  Create a Custom ESXi ISO Image Using vSphere Lifecycle Manager
  Install ESXi Interactively and Configure Hosts for VMware Cloud Foundation
  Install ESXi on VMware Cloud Foundation Hosts Using the ISO
  Configure the Network on VMware Cloud Foundation Hosts
  Configure the Virtual Machine Network Port Group on VMware Cloud Foundation Hosts
  Configure NTP on VMware Cloud Foundation Hosts
  Regenerate the Self-Signed Certificate on All Hosts
  Configure ESXi Hosts with Signed Certificates
7 Managing ESXi Hosts in VMware Cloud Foundation
  Network Pool Management
  Size a Network Pool
  View Network Pool Details
  Create a Network Pool
  Add or Remove a Network Pool IP Address Range
  Rename a Network Pool
  Delete a Network Pool
  View Host Inventory
  Commission Hosts
  Decommission Hosts
  ESXi Lockdown Mode
8 Managing vSphere Lifecycle Manager Images in VMware Cloud Foundation
  Create a vSphere Lifecycle Manager Image
  Export a vSphere Lifecycle Manager Image
  Creating a vSphere Lifecycle Manager Image in VMware Cloud Foundation
  Extract a vSphere Lifecycle Manager Image
  Import a vSphere Lifecycle Manager Image
  Firmware Updates
  View vSphere Lifecycle Manager Images
9 Managing Storage in VMware Cloud Foundation
  vSAN Storage with VMware Cloud Foundation
  NFS Storage with VMware Cloud Foundation
  Fibre Channel Storage with VMware Cloud Foundation
  HCI Mesh with VMware Cloud Foundation
  vVols Storage with VMware Cloud Foundation
  Add a VASA Provider
  View a VASA Provider
  Edit a VASA Provider
  Delete a VASA Provider
10 Managing Workload Domains in VMware Cloud Foundation
  Add Virtual Machines to the Management Domain
  About VI Workload Domains
  Prerequisites for a Workload Domain
  Deploy a VI Workload Domain Using the SDDC Manager UI
  Specify Names, vCenter Single Sign-On Domain, and vSphere Lifecycle Manager Method
  Specify vSphere Cluster Details
  Specify Compute Details
  Specify Networking Details
  Select the vSAN Storage Parameters
  Specify the VMFS on FC Datastore
  Specify vVols Storage Details
  Select Hosts
  Specify Switch Configuration
  Specify NFS Storage Details
  Select Licenses
  View Object Names
  Review Details and Start the Creation Workflow
  Deploying a VI Workload Domain with a Remote Cluster
  Delete a VI Workload Domain
  View Workload Domain Details
  Expand a Workload Domain
  Add a Host to a vSphere Cluster Using the SDDC Manager UI
  Add a vSphere Cluster to a Workload Domain Using the SDDC Manager UI
  Shrink a Workload Domain
  Remove a Host from a vSphere Cluster in a Workload Domain
  Delete a vSphere Cluster from a Workload Domain
  Rename a Workload Domain
  vSphere Cluster Management
  View vSphere Cluster Details
  Rename a Cluster in the SDDC Manager UI
  Mount a Remote Datastore
  Unmount a Remote Datastore
  Tag Management
  Tag a Workload Domain
  Remove a Tag from your Workload Domain
  Tag a Cluster
  Remove a Tag from your Cluster
  Tag a Host
  Remove a Tag from your Host
11 Managing NSX Edge Clusters in VMware Cloud Foundation
  Prerequisites for an NSX Edge Cluster
  Deploy an NSX Edge Cluster
  Add Edge Nodes to an NSX Edge Cluster
  Remove Edge Nodes from an NSX Edge Cluster
12 Deploying Application Virtual Networks in VMware Cloud Foundation
  Deploy Overlay-Backed NSX Segments
  Deploy VLAN-Backed NSX Segments
13 VMware Cloud Foundation with VMware Tanzu
  Enable Workload Management
  View Workload Management Cluster Details
  Update Workload Management License
14 VMware Aria Suite Lifecycle in VMware Cloud Foundation mode
  VMware Aria Suite Lifecycle Implementation
  Deploy VMware Aria Suite Lifecycle
  Replace the Certificate of the VMware Aria Suite Lifecycle Instance
  Configure Data Center and vCenter Server in VMware Aria Suite Lifecycle
  Workspace ONE Access Implementation
  Import the Workspace ONE Access Certificate to VMware Aria Suite Lifecycle
  Add Workspace ONE Access Passwords to VMware Aria Suite Lifecycle
  Deploy a Standard Workspace ONE Access Instance Using VMware Aria Suite Lifecycle
  Deploy Clustered Workspace ONE Access Instance Using VMware Aria Suite Lifecycle
  Configure an Anti-Affinity Rule and a Virtual Machine Group for a Clustered Workspace ONE Access Instance
  Configure NTP on Workspace ONE Access
  Configure the Domain and Domain Search Parameters on Workspace ONE Access
  Configure an Identity Source for Workspace ONE Access
  Add the Clustered Workspace ONE Access Cluster Nodes as Identity Provider Connectors
  Assign Roles to Active Directory Groups for Workspace ONE Access
  Assign Roles to Active Directory Groups for VMware Aria Suite Lifecycle
15 Working with NSX Federation in VMware Cloud Foundation
  NSX Federation Key Concepts
  Configuring NSX Federation in VMware Cloud Foundation
  Create Global Manager Clusters for VMware Cloud Foundation
  Deploy Global Manager Nodes
  Join Global Manager Nodes to Form a Cluster
  Create Anti-Affinity Rule for Global Manager Cluster in VMware Cloud Foundation
  Assign a Virtual IP Address to Global Manager Cluster
  Prepare Local Manager for NSX Federation in VMware Cloud Foundation
  Enable NSX Federation in VMware Cloud Foundation
  Set Active Global Manager
  Add Location to Global Manager
  Stretch Segments between VMware Cloud Foundation Instances
  Create and Configure Cross-Instance Tier-1 Gateway
  Connect Cross-Instance Segments to Cross-Instance Tier-1 Gateway
  Delete Existing Tier-0 Gateways in Additional Instances
  Connect Additional VMware Cloud Foundation Instances to Cross-Instance Tier-0 Gateway
  Connect Local Tier-1 Gateway to Cross-Instance Tier-0 Gateway
  Add Additional Instance as Locations to the Cross-Instance Tier-1 Gateway
  Set Standby Global Manager
  Replacing Global Manager Cluster Certificates in VMware Cloud Foundation
  Import a CA-Signed Certificate to the Global Manager Cluster
  Replace the Certificate for the First Global Manager Node
  Replace Certificates and Virtual IP for the Remaining Global Manager Nodes
  Update Local Manager Certificate Thumbprint in Global Manager Cluster
  Password Management for NSX Global Manager Cluster in VMware Cloud Foundation
  Update Password for Global Manager Cluster
  Synch Up Passwords of Global Manager Appliances in Global Manager Cluster
  Backup and Restore of NSX Global Manager Cluster in VMware Cloud Foundation
  Configure NSX Global Manager Cluster Backups
  Restore an NSX Global Manager Cluster Backup
16 Managing Installation and Upgrade Bundles in VMware Cloud Foundation
  Downloading Install Bundles for VMware Cloud Foundation
  Download an Install Bundle from SDDC Manager
  Configure a Proxy Server for Downloading Bundles
  Download an Install Bundle Using the Bundle Transfer Utility
  View Bundle Download History
17 Stretching vSAN Clusters in VMware Cloud Foundation
  About Availability Zones and Regions
  Stretched Cluster Requirements
  Deploy and Configure vSAN Witness Host
  Deploy vSAN Witness Host
  Register vSAN Witness Host
  Configure NTP on the Witness Host
  Configure the VMkernel Adapters on the vSAN Witness Host
  Stretch a Cluster in VMware Cloud Foundation
  NSX Configuration for Availability Zone 2
  Configure IP Prefixes in the Tier-0 Gateway for Availability Zone 2
  Configure Route Maps in the Tier-0 Gateway for Availability Zone 2
  Configure BGP in the Tier-0 Gateway for Availability Zone 2
  Expand a Stretched Cluster in VMware Cloud Foundation
  Unstretch a Cluster
  Replace a Failed Host in a Stretched Cluster
  Change the vSAN Witness Host in a Stretched Cluster
18 Composable Infrastructure in VMware Cloud Foundation
  Configure Translation Layer
  Compose a Server
  View Composability Information
  Add Storage to Composable Servers
  Remove Storage from Composable Servers
  Decompose a Server
19 Monitoring Capabilities in the VMware Cloud Foundation System
  Viewing Tasks and Task Details
  API Activity Logging
20 Updating VMware Cloud Foundation DNS and NTP Servers
  Update DNS Server Configuration
  Update NTP Server Configuration
21 Supportability and Serviceability (SoS) Utility
  SoS Utility Options
  Collect Logs for Your VMware Cloud Foundation System
  Component Log Files Collected by the SoS Utility
22 Replacing Host Components in VMware Cloud Foundation
  Avoiding Unintentional Downtime
  Replacing Components of a Host Running in Degraded Mode
  Replace Components of an Assigned Host Running in Degraded Mode
  Replace Components of an Unassigned Host Running in Degraded Mode
  Replace a Dead Host
  Replace Boot Disk on a Host
23 Managing Users and Groups in VMware Cloud Foundation
  Configuring the Identity Provider for VMware Cloud Foundation
  Add Active Directory over LDAP or OpenLDAP as an Identity Source for VMware Cloud Foundation
  Configure AD FS as the Identity Provider in the SDDC Manager UI
  Configure Identity Federation in VMware Cloud Foundation Using Okta
  Create an OpenID Connect application for VMware Cloud Foundation in Okta
  Configure Okta as the Identity Provider in the SDDC Manager UI
  Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager
  Create a SCIM 2.0 Application for VMware Cloud Foundation
  Assign Okta Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager
  Add a User or Group to VMware Cloud Foundation
  Remove a User or Group
  Create a Local Account
  Create an Automation Account
24 Managing Passwords in VMware Cloud Foundation
  Rotate Passwords
  Manually Update Passwords
  Remediate Passwords
  Look Up Account Credentials
  Updating SDDC Manager Passwords
  Update SDDC Manager Root and Super User Passwords
  Update SDDC Manager Local Account Password
  Update Expired SDDC Manager Root Password
25 Backup and Restore of VMware Cloud Foundation
  Reconfigure SFTP Backups for SDDC Manager and NSX Manager
  File-Based Backups for SDDC Manager and vCenter Server
  Back Up SDDC Manager
  Configure a Backup Schedule for vCenter Server
  Manually Back Up vCenter Server
  Export the Configuration of the vSphere Distributed Switches
  File-Based Restore for SDDC Manager, vCenter Server, and NSX
  Restore SDDC Manager
  Prepare for Restoring SDDC Manager
  Restore SDDC Manager from a File-Based Backup
  Validate the Status of SDDC Manager
  Restore vCenter Server
  Prepare for Restoring vCenter Server
  Restore a vCenter Server Instance from a File-Based Backup
  Move the Restored vCenter Server Appliance to the Correct Folder
  Validate the vCenter Server State
  Validate the SDDC Manager State After a vCenter Server Restore
  Restore the Configuration of a vSphere Distributed Switch
  Restore an NSX Manager Cluster Node
  Prepare for Restoring an NSX Manager Cluster Node
  Restore the First Node of a Failed NSX Manager Cluster
  Deactivate the NSX Manager Cluster
  Restore an NSX Manager Node to an Existing NSX Manager Cluster
  Update or Recreate the VM Anti-Affinity Rule for the NSX Manager Cluster Nodes
  Validate the SDDC Manager Inventory State
  Restoring NSX Edge Cluster Nodes
  Prepare for Restoring NSX Edge Cluster Nodes
  Replace the Failed NSX Edge Node with a Temporary NSX Edge Node
  Replace the Temporary NSX Edge Node with the Redeployed NSX Edge Node
  Image-Based Backup and Restore of VMware Cloud Foundation
26 VMware Cloud Foundation Glossary

About the VMware Cloud Foundation Administration Guide

The VMware Cloud Foundation Administration Guide provides information about managing a VMware Cloud Foundation™ system, including managing the system's virtual infrastructure, managing users, configuring, upgrading, and monitoring the system.

Intended Audience

The VMware Cloud Foundation Administration Guide is intended for cloud architects, infrastructure administrators, and cloud administrators who are familiar with and want to use VMware software to quickly deploy and manage a software-defined data center (SDDC).
The information in this document is written for experienced data center system administrators who are familiar with:
- Concepts of virtualization, software-defined data centers, and virtual infrastructure (VI)
- VMware virtualization technologies, such as VMware ESXi™, the hypervisor
- Software-defined networking using VMware NSX®
- Software-defined storage using VMware vSAN™
- Networking concepts such as Layer-2, Layer-3, and Border Gateway Protocol (BGP).

Related Publications

The Getting Started with VMware Cloud Foundation document provides a high-level overview of the VMware Cloud Foundation product.

The Planning and Preparation Workbook provides detailed information about the software, tools, and external services that are required for VMware Cloud Foundation.

The VMware Cloud Foundation Deployment Guide provides information about installing ESXi software on VMware Cloud Foundation servers and deploying the management domain using the VMware Cloud Builder appliance.

The VMware Cloud Foundation Lifecycle Management document describes how to manage the life cycle of a VMware Cloud Foundation environment.

1 Administering VMware Cloud Foundation

As an SDDC administrator, you use the information in the VMware Cloud Foundation Administration document to understand how to administer and operate your VMware Cloud Foundation system.

An administrator of a VMware Cloud Foundation system performs tasks such as:
- Manage certificates and passwords.
- Add capacity to your system.
- Configure and provision workload domains.
- Manage provisioned workload domains.
- Troubleshoot issues and prevent problems across the physical and virtual infrastructure.
- Perform lifecycle management of the VMware Cloud Foundation software components.

Note: Perform all VMware Cloud Foundation operations in the SDDC Manager UI. Do not use the vSphere Client or VMware Host Client to modify or delete resources which VMware Cloud Foundation has deployed and configured, unless specifically instructed to do so in the VMware Cloud Foundation documentation.

See the Introducing VMware Cloud Foundation document for a high-level overview of the VMware Cloud Foundation product and the VMware Cloud Foundation Deployment Guide for information on deploying the product.

Read the following topics next:
- VMware Software Components Deployed by VMware Cloud Foundation
- Web Interfaces Used to Administer VMware Cloud Foundation

VMware Software Components Deployed by VMware Cloud Foundation

VMware Cloud Foundation is designed and built to deploy specific VMware products using the SDDC Manager appliance.

Note: For information about which editions of each VMware product are licensed for use with the VMware Cloud Foundation license, use the compare VMware Cloud Foundation editions matrix.

For the exact version numbers of the VMware products that are supported, refer to the Release Notes document for your VMware Cloud Foundation version on VMware Docs. If the system has been updated after the initial bring-up process using the lifecycle management features, see "View Upgrade History" in the VMware Cloud Foundation Lifecycle Management Guide for details on how to view the versions of the VMware software components that are running in your VMware Cloud Foundation instance.

You can find product-specific documentation for the following VMware software products and components at VMware Docs:
- vSphere (vCenter Server and ESXi)
- VMware vSAN
- VMware NSX
- VMware Aria Suite

Web Interfaces Used to Administer VMware Cloud Foundation

SDDC Manager provides a web-based user interface where you can manage your VMware Cloud Foundation instance.
This user interface provides centralized access to and an integrated view of the physical and virtual infrastructure of your system. In addition to using the SDDC Manager UI, you can use the following user interfaces for administration tasks involving their associated VMware software components that are part of a VMware Cloud Foundation instance. All of these interfaces run in a web browser, and you can launch them from within the SDDC Manager UI. Launch links are typically identified in the SDDC Manager UI by the launch icon.

VMware SDDC Web Interfaces and the location of their launch links in the SDDC Manager UI:

vSphere Client
  1 In the navigation pane, click Inventory > Workload Domains.
  2 Click View Details for a workload domain.
  3 In the Domain column, click the domain name.
  4 Click the Services tab.
  5 Click the vCenter Server launch link.

NSX Manager UI
  1 In the navigation pane, click Inventory > Workload Domains.
  2 Click View Details for a workload domain.
  3 In the Domain column, click the domain name.
  4 Click the Services tab.
  5 Click the NSX Cluster launch link.

VMware Host Client
  1 In the navigation pane, click Inventory > Hosts.
  2 In the FQDN column, click the host FQDN.
  3 Click Actions > Open in VMware Host Client.

2 Getting Started with SDDC Manager

You use SDDC Manager to perform administration tasks on your VMware Cloud Foundation instance. The SDDC Manager UI provides an integrated view of the physical and virtual infrastructure and centralized access to manage the physical and logical resources.

You work with the SDDC Manager UI by loading it in a web browser. For the list of supported browsers and versions, see the Release Notes.

Read the following topics next:
- Log in to the SDDC Manager User Interface
- Guided SDDC Manager Onboarding
- Tour of the SDDC Manager User Interface
- Log out of the SDDC Manager User Interface

Log in to the SDDC Manager User Interface

Connect to the SDDC Manager appliance by logging into the SDDC Manager UI using a supported web browser.

Prerequisites

To log in, you need the SDDC Manager IP address or FQDN and the password for the single sign-on user (for example [email protected]). You added this information to the deployment parameter workbook before bring-up.

Procedure
1 In a web browser, type one of the following.
  - https://FQDN where FQDN is the fully-qualified domain name of the SDDC Manager appliance.
  - https://IP_address where IP_address is the IP address of the SDDC Manager appliance.
2 Log in to the SDDC Manager UI with vCenter Server Single Sign-On user credentials.

Results

You are logged in to the SDDC Manager UI and the Dashboard page appears in the web browser.

Guided SDDC Manager Onboarding

VMware Cloud Foundation includes an onboarding dashboard to help you with configuring a healthy SDDC Manager environment. This dashboard appears when you log into SDDC Manager. It provides a walk-through for initial configuration, including the recommended order for completing each task. After completing the walk-through, a banner at the top of the screen offers a tour of the SDDC Manager UI. You can skip sections and exit out of the guided setup at any point.

This dashboard automatically shows unless you click "Don't show onboarding screen again" and close the page. Clicking this option also prevents the optional guided tour from automatically displaying in the future. Use the Help icon in the upper-right corner of the page to later access the onboarding dashboard and guided tour.
Tour of the SDDC Manager User Interface

The SDDC Manager UI provides a single point of control for managing and monitoring your VMware Cloud Foundation instance and for provisioning workload domains. You use the navigation bar to move between the main areas of the user interface.

Navigation Bar

The navigation bar is available on the left side of the interface and provides a hierarchy for navigating to the corresponding pages. The categories and their functional areas are:

Dashboard
The Dashboard provides the high-level administrative view for SDDC Manager in the form of widgets. There are widgets for Solutions; Workload Domains; Host Types and Usage; Ongoing and Scheduled Updates; Update History; CPU, Memory, Storage Usage; and Recent Tasks. You can control the widgets that are displayed and how they are arranged on the dashboard.
- To rearrange widgets, click the heading of the widget and drag it to the desired position.
- To hide a widget, hover the mouse anywhere over the widget to reveal the X in the upper-right corner, and click the X.
- To add a widget, click the three dots in the upper right corner of the page and select Add New Widgets. This displays all hidden widgets. Select a widget and click Add.

Solutions
Solutions include the following section:
- Kubernetes - Workload Management allows you to start a Workload Management deployment and view Workload Management cluster details.

Inventory
Inventory includes the following sections:
- Workload Domains takes you to the Workload Domains page, which displays and provides access to all workload domains. This page includes summary information about all workload domains, including domain type, storage usage, configuration status, owner, clusters, hosts and update availability. It also displays CPU, memory, and storage utilization for each workload domain, and collectively across all domains.
- Hosts takes you to the Hosts page, which displays and provides access to current hosts and controls for managing hosts. This page includes detailed information about all hosts, including FQDN, host IP, network pool, configuration status, host state, cluster, and storage type. It also displays CPU and memory utilization for each host, and collectively across all hosts.

Lifecycle Management
Lifecycle Management includes the following sections:
- Release Versions displays the versions in your environment and the associated component versions in that release.
- Bundle Management displays the available install, update, and upgrade bundles for your environment, and your bundle download history. Note: To access bundles, you must be logged in to your VMware Customer Connect account through the Administration > Repository Settings page.
- Image Management allows you to import a vSphere Lifecycle Manager cluster image from vCenter Server and view the available images. This is an alternative way of managing the life cycle of ESXi hosts.

Administration
Administration includes the following sections:
- Network Settings allows you to configure, view, and manage network pool settings. You can create new network pools, and view and modify existing network pools. You can also use Network Settings to update the DNS and NTP servers that VMware Cloud Foundation uses.
- Storage Settings allows you to add new VASA providers, and view, edit, and delete existing VASA providers.
- Licensing allows you to manage VMware product licenses. You can also add licenses for the component products in your VMware Cloud Foundation deployment.
- Single Sign On allows you to manage VMware Cloud Foundation users and groups, including adding users and groups and assigning roles. You can also configure identity providers for VMware Cloud Foundation.
- Proxy Settings allows you to configure a proxy server to download install and upgrade bundles from the VMware Depot.
- Online Depot allows you to log in to your VMware Customer Connect account to download install and upgrade bundles from the VMware Depot.
- Composable Infrastructure allows you to configure composable servers to meet the needs of your workloads without physically moving any hardware components.
- VMware Aria Suite allows you to deploy VMware Aria Suite Lifecycle and configure connections between workload domains and VMware Aria Suite products.
- Backup allows you to register an external SFTP server with SDDC Manager for backing up SDDC Manager and NSX Managers. You can also configure the backup schedule for SDDC Manager.
- VMware CEIP allows you to join or leave the VMware Customer Experience Improvement Program.

Security
- Password Management allows password management actions, such as rotation, updates and remediation.
- Certificate Authority allows you to integrate with your Microsoft Certificate Authority Server.

Developer Center
The VMware Cloud Foundation Developer Center includes the following sections:
- Overview: API reference documentation. Includes information and steps for all the Public APIs supported by VMware Cloud Foundation.
- API Explorer: Lists the APIs and allows you to invoke them directly on your VMware Cloud Foundation system.

Log out of the SDDC Manager User Interface

Log out of the SDDC Manager UI when you have completed your tasks.

Procedure
1 In the SDDC Manager UI, click the logged-in account name in the upper right corner.
2 Click Log out.

3 Configure the Customer Experience Improvement Program Settings for VMware Cloud Foundation

VMware Cloud Foundation participates in the VMware Customer Experience Improvement Program (CEIP).
You can choose to activate or deactivate CEIP for your VMware Cloud Foundation instance. The Customer Experience Improvement Program provides VMware with information that allows VMware to improve its products and services, to fix problems, and to advise you on how best to deploy and use our products. As part of the CEIP, VMware collects technical information about your organization’s use of the VMware products and services regularly in association with your organization’s VMware license keys. This information does not personally identify any individual. For additional information regarding the CEIP, refer to the Trust & Assurance Center at http:// www.vmware.com/trustvmware/ceip.html. You can activate or deactive CEIP across all the components deployed in VMware Cloud Foundation by the following methods: n When you log into SDDC Manager for the first time, a pop-up window appears. The Join the VMware Customer Experience Program option is selected by default. Deselect this option if you do not want to join CEIP. Click Apply. n You can activate or deactivate CEIP from the Administration tab in the SDDC Manager UI. Procedure 1 In the navigation pane, click Administration > VMware CEIP. VMware by Broadcom 21 VMware Cloud Foundation Administration Guide 2 To activate CEIP, select the Join the VMware Customer Experience Improvement Program option. 3 To deactivate CEIP, deselect the Join the VMware Customer Experience Improvement Program option. VMware by Broadcom 22 Managing Certificates in VMware Cloud Foundation 4 You can use the SDDC Manager UI to manage certificates in a VMware Cloud Foundation instance, including integrating a certificate authority, generating and submitting certificate signing requests (CSR) to a certificate authority, and downloading and installing certificates. This section provides instructions for using either: n OpenSSL as a certificate authority, which is a native option in SDDC Manager. 
n Integrating with Microsoft Active Directory Certificate Services. n Providing signed certificates from another external Certificate Authority. You can manage the certificates for the following components. n vCenter Server n NSX Manager n SDDC Manager n VMware Aria Suite Lifecycle Note Use VMware Aria Suite Lifecycle to manage certificates for the other VMware Aria Suite components. Note VMware Cloud Foundation does not manage certificates for ESXi hosts. By default, ESXi hosts use VMCA-signed certificates, but they can also use external CA-signed certificates. If ESXi hosts are using VMCA-signed certificates, VMCA manages the certificates and certificate rotation. If ESXi hosts are using external certificates, you are responsible for managing the certificates. For more information about external certificates, see Configure ESXi Hosts with Signed Certificates. You replace certificates for the following reasons: n A certificate has expired or is nearing its expiration date. n A certificate has been revoked by the issuing certificate authority. n You do not want to use the default VMCA-signed certificates. n Optionally, when you create a new workload domain. VMware by Broadcom 23 VMware Cloud Foundation Administration Guide It is recommended that you replace all certificates after completing the deployment of the VMware Cloud Foundation management domain. After you create a new VI workload domain, you can replace certificates for the appropriate components as needed. n View Certificate Information You can view details of an applied certificate for a resource directly through the SDDC Manager UI. n Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates VMware Cloud Foundation supports the ability to manage certificates by integrating with Microsoft Active Directory Certificate Services (Microsoft CA). 
  Before you can perform certificate operations using the SDDC Manager UI, you must ensure that the Microsoft Certificate Authority is configured correctly.
• Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates
  VMware Cloud Foundation supports the ability to manage certificates using OpenSSL configured on the SDDC Manager appliance.
• Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files
  VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the new method, which is the default method for VMware Cloud Foundation 4.5.1 and later.
• Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle
  VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the legacy method of using a certificate bundle. To use the legacy method, you must modify your preferences and then use this procedure to generate CSRs, sign the CSRs with a third-party CA, and finally upload and install the certificates.
• Add a Trusted Certificate to the SDDC Manager Trust Store
  If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, then you must add the new certificate to the SDDC Manager trust store.
• Remove Old or Unused Certificates from SDDC Manager
  Old or unused certificates are stored in a trust store in SDDC Manager. You can delete old certificates using the VMware Cloud Foundation API.

View Certificate Information

You can view details of an applied certificate for a resource directly through the SDDC Manager UI. The SDDC Manager UI provides a banner notification for any certificates that are expiring in the next 30 days.

Procedure

1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, from the table, in the domain column click the domain you want to view.
3. On the domain summary page, click the Certificates tab.
   This tab lists the certificates for each resource type associated with the workload domain. It displays the following details:
   • Resource type
   • Issuer, the certificate authority name
   • Resource hostname
   • Valid From
   • Valid Until
   • Certificate status: Active, Expiring, or Expired.
   • Certificate operation status
4. To view certificate details, expand the resource next to the Resource Type column.

Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates

VMware Cloud Foundation supports the ability to manage certificates by integrating with Microsoft Active Directory Certificate Services (Microsoft CA). Before you can perform certificate operations using the SDDC Manager UI, you must ensure that the Microsoft Certificate Authority is configured correctly.

Complete the following tasks to manage Microsoft CA-signed certificates using SDDC Manager.

Procedure

1. Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates
   To ensure secure and operational connectivity between the SDDC components, you apply signed certificates provided by a Microsoft Certificate Authority for the SDDC components.
2. Configure a Microsoft Certificate Authority in SDDC Manager
   You configure a connection between SDDC Manager and a Microsoft Certificate Authority by entering your service account credentials.
3. Install Microsoft CA-Signed Certificates using SDDC Manager
   Replace the self-signed certificates with signed certificates from the Microsoft Certificate Authority by using SDDC Manager.

Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates

To ensure secure and operational connectivity between the SDDC components, you apply signed certificates provided by a Microsoft Certificate Authority for the SDDC components.
You use SDDC Manager to generate the certificate signing requests (CSRs) and request signed certificates from the Microsoft Certificate Authority. SDDC Manager is then used to install the signed certificates on the SDDC components it manages. To achieve this, the Microsoft Certificate Authority must be configured to allow integration with SDDC Manager.

Procedure

1. Install Microsoft Certificate Authority Roles
   Install the Certificate Authority and Certificate Authority Web Enrollment roles on the Microsoft Certificate Authority server to facilitate certificate generation from SDDC Manager.
2. Configure the Microsoft Certificate Authority for Basic Authentication
   Configure the Microsoft Certificate Authority with basic authentication to allow SDDC Manager to manage signed certificates.
3. Create and Add a Microsoft Certificate Authority Template
   You must set up a certificate template in the Microsoft Certificate Authority. The template contains the certificate authority attributes for signing certificates for the VMware Cloud Foundation components. After you create the template, you add it to the certificate templates of the Microsoft Certificate Authority.
4. Assign Certificate Management Privileges to the SDDC Manager Service Account
   Before you can use the Microsoft Certificate Authority and the pre-configured template, it is recommended to configure least-privilege access to the Microsoft Active Directory Certificate Services using an Active Directory user account as a restricted service account.

Install Microsoft Certificate Authority Roles

Install the Certificate Authority and Certificate Authority Web Enrollment roles on the Microsoft Certificate Authority server to facilitate certificate generation from SDDC Manager.
Note: When connecting SDDC Manager to Microsoft Active Directory Certificate Services, ensure that the Web Enrollment role is installed on the same machine where the Certificate Authority role is installed. SDDC Manager can't request and sign certificates automatically if the two roles (Certificate Authority and Web Enrollment) are installed on different machines.

Procedure

1. Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
   FQDN: Active Directory Host
   User: Active Directory administrator
   Password: ad_admin_password
2. Add roles to the Microsoft Certificate Authority server.
   a. Click Start > Run, enter ServerManager, and click OK.
   b. From the Dashboard, click Add roles and features to start the Add Roles and Features wizard.
   c. On the Before you begin page, click Next.
   d. On the Select installation type page, click Next.
   e. On the Select destination server page, click Next.
   f. On the Select server roles page, under Active Directory Certificate Services, select Certification Authority and Certification Authority Web Enrollment and click Next.
   g. On the Select features page, click Next.
   h. On the Confirm installation selections page, click Install.

Configure the Microsoft Certificate Authority for Basic Authentication

Configure the Microsoft Certificate Authority with basic authentication to allow SDDC Manager to manage signed certificates.

Prerequisites

The Microsoft Certificate Authority and IIS must be installed on the same server.

Procedure

1. Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.
   FQDN: Active Directory Host
   User: Active Directory administrator
   Password: ad_admin_password
2. Add Basic Authentication to the Web Server (IIS).
   a. Click Start > Run, enter ServerManager, and click OK.
   b. From the Dashboard, click Add roles and features to start the Add Roles and Features wizard.
   c. On the Before you begin page, click Next.
   d. On the Select installation type page, click Next.
   e. On the Select destination server page, click Next.
   f. On the Select server roles page, under Web Server (IIS) > Web Server > Security, select Basic Authentication and click Next.
   g. On the Select features page, click Next.
   h. On the Confirm installation selections page, click Install.
3. Configure the certificate service template and CertSrv web site for basic authentication.
   a. Click Start > Run, enter Inetmgr.exe, and click OK to open the Internet Information Services Application Server Manager.
   b. Navigate to your_server > Sites > Default Web Site > CertSrv.
   c. Under IIS, double-click Authentication.
   d. On the Authentication page, right-click Basic Authentication and click Enable.
   e. In the navigation pane, select Default Web Site.
   f. In the Actions pane, under Manage Website, click Restart for the changes to take effect.

Create and Add a Microsoft Certificate Authority Template

You must set up a certificate template in the Microsoft Certificate Authority. The template contains the certificate authority attributes for signing certificates for the VMware Cloud Foundation components. After you create the template, you add it to the certificate templates of the Microsoft Certificate Authority.

Procedure

1. Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.
   FQDN: Active Directory Host
   User: Active Directory administrator
   Password: ad_admin_password
2. Click Start > Run, enter certtmpl.msc, and click OK.
3. In the Certificate Template Console window, under Template Display Name, right-click Web Server and select Duplicate Template.
4. In the Properties of New Template dialog box, click the Compatibility tab and configure the following values.
   Certification Authority: Windows Server 2008 R2
   Certificate recipient: Windows 7 / Server 2008 R2
5. In the Properties of New Template dialog box, click the General tab and enter a name, for example VMware, in the Template display name text box.
6. In the Properties of New Template dialog box, click the Extensions tab and configure the following.
   a. Click Application Policies and click Edit.
   b. Click Server Authentication, click Remove, and click OK.
   c. Click Basic Constraints and click Edit.
   d. Click the Enable this extension check box and click OK.
   e. Click Key Usage and click Edit.
   f. Click the Signature is proof of origin (nonrepudiation) check box, leave the defaults for all other options, and click OK.
7. In the Properties of New Template dialog box, click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
8. Add the new template to the certificate templates of the Microsoft CA.
   a. Click Start > Run, enter certsrv.msc, and click OK.
   b. In the Certification Authority window, expand the left pane, right-click Certificate Templates, and select New > Certificate Template to Issue.
   c. In the Enable Certificate Templates dialog box, select VMware, and click OK.

Assign Certificate Management Privileges to the SDDC Manager Service Account

Before you can use the Microsoft Certificate Authority and the pre-configured template, it is recommended to configure least-privilege access to the Microsoft Active Directory Certificate Services using an Active Directory user account as a restricted service account.

Prerequisites

• Create a user account in Active Directory with Domain Users membership. For example, svc-vcf-ca.

Procedure

1. Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
   FQDN: Active Directory Host
   User: Active Directory administrator
   Password: ad_admin_password
2. Configure least-privilege access for a user account on the Microsoft Certificate Authority.
   a. Click Start > Run, enter certsrv.msc, and click OK.
   b. Right-click the certificate authority server and click Properties.
   c. Click the Security tab, and click Add.
   d. Enter the name of the user account and click OK.
   e. In the Permissions for ... section, configure the Allow permissions as follows and click OK.
      Read: Deselected
      Issue and Manage Certificates: Selected
      Manage CA: Deselected
      Request Certificates: Selected
3. Configure least-privilege access for the user account on the Microsoft Certificate Authority Template.
   a. Click Start > Run, enter certtmpl.msc, and click OK.
   b. Right-click the VMware template and click Properties.
   c. Click the Security tab, and click Add.
   d. Enter the svc-vcf-ca service account and click OK.
   e. In the Permissions for ... section, configure the Allow permissions as follows and click OK.
      Full Control: Deselected
      Read: Selected
      Write: Deselected
      Enroll: Selected
      Autoenroll: Deselected

Configure a Microsoft Certificate Authority in SDDC Manager

You configure a connection between SDDC Manager and a Microsoft Certificate Authority by entering your service account credentials.

Prerequisites

• Verify connectivity between SDDC Manager and the Microsoft Certificate Authority Server. See VMware Ports and Protocols.
• Verify that the Microsoft Certificate Authority Server has the correct roles installed on the same machine where the Certificate Authority role is installed. See Install Microsoft Certificate Authority Roles.
• Verify that the Microsoft Certificate Authority Server has been configured for basic authentication. See Configure the Microsoft Certificate Authority for Basic Authentication.
• Verify that a valid certificate template has been configured on the Microsoft Certificate Authority.
  See Create and Add a Microsoft Certificate Authority Template.
• Verify that the least-privileged user account has been configured on the Microsoft Certificate Authority Server and Template. See Assign Certificate Management Privileges to the SDDC Manager Service Account.
• Verify that time is synchronized between the Microsoft Certificate Authority and the SDDC Manager appliance. Each system can be configured with a different time zone, but it is recommended that they receive their time from the same NTP source.

Procedure

1. In the navigation pane, click Security > Certificate Authority.
2. Click Edit.
3. Configure the settings and click Save.
   Certificate Authority Type: Microsoft
   CA Server URL: Specify the URL for the issuing certificate authority. This address must begin with https:// and end with certsrv. For example, https://ca.rainpole.io/certsrv.
   User Name: Enter a least-privileged service account. For example, svc-vcf-ca.
   Password: Enter the password for the least-privileged service account.
   Template Name: Enter the issuing certificate template name. You must create this template in the Microsoft Certificate Authority. For example, VMware.
4. In the CA Server Certificate Details dialog box, click Accept.

Install Microsoft CA-Signed Certificates using SDDC Manager

Replace the self-signed certificates with signed certificates from the Microsoft Certificate Authority by using SDDC Manager.

Procedure

1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
3. On the domain summary page, click the Certificates tab.
4. Generate CSR files for the target components.
   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click Generate CSRs.
   c. On the Details dialog, configure the settings and click Next.
      Algorithm: Select the key algorithm for the certificate.
      Key Size: Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email: Optionally, enter a contact email address.
      Organizational Unit: Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization Name: Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality: Type the city or locality where your company is legally registered.
      State: Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country: Type the country name where your company is legally registered. This value must use the ISO 3166 country code.
   d. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
   e. On the Summary dialog, click Generate CSRs.
5. Generate signed certificates for each component.
   a. From the table, select the check box for the resource type for which you want to generate a signed certificate.
   b. Click Generate Signed Certificates.
   c. In the Generate Certificates dialog box, from the Select Certificate Authority drop-down menu, select Microsoft.
   d. Click Generate Certificates.
6. Install the generated signed certificates for each component.
   a. From the table, select the check box for the resource type for which you want to install a signed certificate.
   b. Click Install Certificates.

Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates

VMware Cloud Foundation supports the ability to manage certificates using OpenSSL configured on the SDDC Manager appliance. Complete the following tasks to be able to manage OpenSSL-signed certificates issued by SDDC Manager.
Procedure

1. Configure OpenSSL-signed Certificates in SDDC Manager
   To generate OpenSSL-signed certificates for the VMware Cloud Foundation components, you must first configure the certificate authority details.
2. Install OpenSSL-signed Certificates using SDDC Manager
   Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC Manager.

Configure OpenSSL-signed Certificates in SDDC Manager

To generate OpenSSL-signed certificates for the VMware Cloud Foundation components, you must first configure the certificate authority details.

Procedure

1. In the navigation pane, click Security > Certificate Authority.
2. Click Edit.
3. Configure the settings and click Save.
   Certificate Authority: OpenSSL
   Common Name: Specify the FQDN of the SDDC Manager appliance.
   Organizational Unit: Use this field to differentiate between the divisions within your organization with which this certificate is associated.
   Organization: Specify the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
   Locality: Specify the city or the locality where your company is legally registered.
   State: Enter the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
   Country: Select the country where your company is registered. This value must use the ISO 3166 country code.

Install OpenSSL-signed Certificates using SDDC Manager

Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC Manager.

Procedure

1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
3. On the domain summary page, click the Certificates tab.
4. Generate CSR files for the target components.
   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click Generate CSRs.
      The Generate CSRs wizard opens.
   c. On the Details dialog, configure the settings and click Next.
      Algorithm: Select the key algorithm for the certificate.
      Key Size: Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email: Optionally, enter a contact email address.
      Organizational Unit: Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization Name: Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality: Type the city or locality where your company is legally registered.
      State: Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country: Type the country name where your company is legally registered. This value must use the ISO 3166 country code.
   d. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
      You can enter multiple values separated by comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
      Note: Wildcard subject alternative names, such as *.example.com, are not recommended.
   e. On the Summary dialog, click Generate CSRs.
5. Generate signed certificates for each component.
   a. From the table, select the check box for the resource type for which you want to generate a signed certificate.
   b. Click Generate Signed Certificates.
   c. In the Generate Certificates dialog box, from the Select Certificate Authority drop-down menu, select OpenSSL.
   d. Click Generate Certificates.
6. Install the generated signed certificates for each component.
   a. From the table, select the check box for the resource type for which you want to install a signed certificate.
   b. Click Install Certificates.

Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files

VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the new method, which is the default method for VMware Cloud Foundation 4.5.1 and later. If you prefer to use the legacy method for installing third-party CA-signed certificates, see Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle.

Procedure

1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
3. On the domain summary page, click the Certificates tab.
4. Generate CSR files for the target components.
   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click Generate CSRs.
      The Generate CSRs wizard opens.
   c. On the Details dialog, configure the settings and click Next.
      Algorithm: Select the key algorithm for the certificate.
      Key Size: Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email: Optionally, enter a contact email address.
      Organizational Unit: Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization Name: Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality: Type the city or locality where your company is legally registered.
      State: Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country: Type the country name where your company is legally registered. This value must use the ISO 3166 country code.
   d. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
      You can enter multiple values separated by comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
      Note: Wildcard subject alternative names, such as *.example.com, are not recommended.
   e. On the Summary dialog, click Generate CSRs.
5. Download and save the CSR files by clicking Download CSR.
6. When the downloads complete, request signed certificates from your third-party Certificate Authority for each .csr.
7. After you receive the signed certificates, open the SDDC Manager UI and click Upload and Install.
8. In the Install Signed Certificates dialog box, select the resource for which you want to install a signed certificate. The drop-down menu includes all resources for which you have generated and downloaded CSRs.
9. Select a Source and enter the required information.
   Paste Text: Copy and paste the:
      • Server Certificate
      • Certificate Authority
      Paste the server certificate and the certificate authority in PEM format (base64-encoded). For example:
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      If the Certificate Authority includes intermediate certificates, it should be in the following format:
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
      -----BEGIN CERTIFICATE-----
      -----END CERTIFICATE-----
   File Upload: Click Browse to upload the:
      • Server Certificate
      • Certificate Authority
      Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.
   Certificate Chain: Click Browse to upload the certificate chain.
      Files with .crt, .cer, .pem, .p7b and .p7c extensions are supported.
10. Click Validate.
    If validation fails, resolve the issues and try again, or click Remove to skip the certificate installation.
11. To install a signed certificate for another resource, click Add Another and repeat steps 8-10 for each resource.
12. Once all signed certificates have been validated successfully, click Install.

Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle

VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the legacy method of using a certificate bundle. To use the legacy method, you must modify your preferences and then use this procedure to generate CSRs, sign the CSRs with a third-party CA, and finally upload and install the certificates.

Prerequisites

VMware Cloud Foundation 4.5.1 introduces a new method for installing third-party CA-signed certificates. By default, VMware Cloud Foundation uses the new method. See Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files for information about using the new method. If you prefer to use the legacy method, you must modify your preferences.

1. In the SDDC Manager UI, click the logged-in user and select Preferences.
2. Use the toggle to switch to legacy certificate management.

Uploading CA-signed certificates from a third-party Certificate Authority using the legacy method requires that you collect the relevant certificate files in the correct format and then create a single .tar.gz file with the contents. It is important that you create the correct directory structure within the .tar.gz file, as follows:

• The name of the top-level directory must exactly match the name of the workload domain as it appears in the list on the Inventory > Workload Domains page. For example, sfo-m01.
• The PEM-encoded root CA certificate chain file (must be named rootca.crt) must reside inside this top-level directory. The rootca.crt chain file contains a root certificate authority and can have any number of intermediate certificates. For example:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  In the above example, there are two intermediate certificates, intermediate1 and intermediate2, and a root certificate. Intermediate1 must use the certificate issued by intermediate2, and intermediate2 must use the certificate issued by the Root CA.
• The root CA certificate chain file, intermediate certificates, and root certificate must contain the Basic Constraints field with value CA:TRUE.
• This directory must contain one sub-directory for each component resource for which you want to replace the certificates.
• Each sub-directory must exactly match the resource hostname of a corresponding component as it appears in the Resource Hostname column in the Inventory > Workload Domains > Certificates tab. For example, nsxManager.vrack.vsphere.local, vcenter-1.vrack.vsphere.local, and so on.
• Each sub-directory must contain the corresponding .csr file, whose name must exactly match the resource as it appears in the Resource Hostname column in the Inventory > Workload Domains > Certificates tab.
• Each sub-directory must contain a corresponding .crt file, whose name must exactly match the resource as it appears in the Resource Hostname column in the Inventory > Workload Domains > Certificates tab. The content of the .crt files must end with a newline character. For example, the nsxManager.vrack.vsphere.local sub-directory would contain the nsxManager.vrack.vsphere.local.crt file.
• All certificates including rootca.crt must be in UNIX file format.
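The Paste Text source in the previous procedure (a server certificate plus a CA chain of one or more PEM blocks) and the bundle layout in this list rely on the same PEM and file-naming conventions, and a malformed bundle is only reported after upload. The following Python script is an added example, not VMware's code, that checks a .tar.gz bundle offline against the layout rules listed so far: a top-level directory named after the workload domain, rootca.crt at the top level, one sub-directory per resource hostname holding <hostname>.csr and <hostname>.crt, a trailing newline on every .crt file, and UNIX line endings throughout. It uses only the Python standard library and stops short of the X.509 checks (Basic Constraints, EKU, CRL reachability), which need a certificate parser. The functions check_bundle, build_sample_bundle and fake_pem are this example's own; the domain sfo-m01 and the hostnames are the guide's own examples, and the certificate bodies are constructed placeholders, not real certificates.

```python
"""Offline layout check for the legacy SDDC Manager certificate bundle.

Added example, not VMware's code. It checks only what can be verified
without parsing X.509: directory and file names, PEM block presence,
trailing newline on .crt files, and UNIX line endings.
"""
import base64
import io
import re
import tarfile

# A PEM certificate block; re.S lets the body span lines.
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def pem_blocks(data):
    """Return the PEM CERTIFICATE blocks found in data, in file order."""
    return PEM_BLOCK.findall(data)


def check_bundle(tgz_bytes, domain, hostnames):
    """Return a list of problems with the .tar.gz layout; an empty list means it passes."""
    problems = []
    files = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()

    # Top-level directory must be exactly the workload domain name (for example sfo-m01).
    tops = {name.split("/", 1)[0] for name in files}
    if tops != {domain}:
        problems.append(f"top-level directory must be '{domain}', found {sorted(tops)}")
        return problems

    # rootca.crt sits in the top-level directory and holds the root plus any intermediates.
    root = files.get(f"{domain}/rootca.crt")
    if root is None:
        problems.append("rootca.crt is missing from the top-level directory")
    else:
        if b"\r\n" in root:
            problems.append("rootca.crt has Windows line endings; convert to UNIX format")
        if not pem_blocks(root):
            problems.append("rootca.crt contains no PEM CERTIFICATE block")

    # One sub-directory per resource hostname, holding <host>.csr and <host>.crt.
    for host in hostnames:
        prefix = f"{domain}/{host}/"
        if not any(name.startswith(prefix) for name in files):
            problems.append(f"missing sub-directory {prefix}")
            continue
        for ext in (".csr", ".crt"):
            path = f"{prefix}{host}{ext}"
            data = files.get(path)
            if data is None:
                problems.append(f"missing {path}")
                continue
            if b"\r\n" in data:
                problems.append(f"{path} has Windows line endings; convert to UNIX format")
            if ext == ".crt":
                if not data.endswith(b"\n"):
                    problems.append(f"{path} must end with a newline character")
                if not pem_blocks(data):
                    problems.append(f"{path} contains no PEM CERTIFICATE block")
    return problems


def fake_pem(label, newline=b"\n"):
    """Constructed placeholder PEM block (base64 of a label), not a real certificate."""
    body = base64.b64encode(f"constructed-{label}".encode())
    return b"-----BEGIN CERTIFICATE-----" + newline + body + newline + b"-----END CERTIFICATE-----" + newline


def build_sample_bundle(domain, hostnames, newline=b"\n", crt_trailing_newline=True):
    """Build an in-memory .tar.gz in the required layout from constructed placeholder data."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        def add(path, data):
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))

        # Root CA chain: two intermediates followed by the root, as the guide's example shows.
        chain = b"".join(fake_pem(n, newline) for n in ("intermediate1", "intermediate2", "root"))
        add(f"{domain}/rootca.crt", chain)
        for host in hostnames:
            csr = (b"-----BEGIN CERTIFICATE REQUEST-----" + newline + b"Y29uc3RydWN0ZWQ="
                   + newline + b"-----END CERTIFICATE REQUEST-----" + newline)  # placeholder CSR
            add(f"{domain}/{host}/{host}.csr", csr)
            crt = fake_pem(host, newline)
            if not crt_trailing_newline:
                crt = crt.rstrip(b"\r\n")  # reproduce the "no trailing newline" mistake
            add(f"{domain}/{host}/{host}.crt", crt)
    return buf.getvalue()


if __name__ == "__main__":
    hosts = ["nsxManager.vrack.vsphere.local", "vcenter-1.vrack.vsphere.local"]
    for problem in check_bundle(build_sample_bundle("sfo-m01", hosts), "sfo-m01", hosts):
        print(problem)
```

Run it as a script to check the constructed sample, or call check_bundle with the bytes of your own .tar.gz, the workload domain name, and the hostnames from the Certificates tab before uploading. An empty list means the layout is correct; SDDC Manager and the CA still validate the certificates themselves on install.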
• Additional requirements for NSX certificates:
  • The server certificate (NSX_FQDN.crt) must contain the Basic Constraints field with value CA:FALSE.
  • If the NSX certificate contains an HTTP or HTTPS based CRL Distribution Point, it must be reachable from the server.
  • The extended key usage (EKU) of the generated certificate must contain the EKU of the generated CSR.

Note: All resource and hostname values can be found in the list on the Inventory > Workload Domains > Certificates tab.

Procedure

1. In the navigation pane, click Inventory > Workload Domains.
2. On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
3. On the domain summary page, click the Certificates tab.
4. Generate CSR files for the target components.
   a. From the table, select the check box for the resource type for which you want to generate a CSR.
   b. Click Generate CSRs.
      The Generate CSRs wizard opens.
   c. On the Details dialog, configure the settings and click Next.
      Algorithm: Select the key algorithm for the certificate.
      Key Size: Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
      Email: Optionally, enter a contact email address.
      Organizational Unit: Use this field to differentiate between divisions within your organization with which this certificate is associated.
      Organization Name: Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
      Locality: Type the city or locality where your company is legally registered.
      State: Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
      Country: Type the country name where your company is legally registered. This value must use the ISO 3166 country code.
   d. (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
      You can enter multiple values separated by comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
      Note: Wildcard subject alternative names, such as *.example.com, are not recommended.
   e. On the Summary dialog, click Generate CSRs.
5. Download and save the CSR files to the directory by clicking Download CSR.
6. Complete the following tasks outside of the SDDC Manager UI:
   a. Verify that the different .csr files have been generated successfully and are placed in the required directory structure.
   b. Request signed certificates from a third-party Certificate Authority for each .csr.
   c. Verify that the newly acquired .crt files are correctly named and placed in the required directory structure.
   d. Create a new .tar.gz file of the directory structure ready for upload to SDDC Manager. For example: .tar.gz.
7. Click Upload and Install.
8. In the Upload and Install Certificates dialog box, click Browse to locate and select the newly created .tar.gz file and click Open.
9. Click Upload.
10. If the upload is successful, click Install Certificate.
    The Certificates tab displays a status of Certificate Installation is in progress.

Add a Trusted Certificate to the SDDC Manager Trust Store

If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, then you must add the new certificate to the SDDC Manager trust store. This functionality is available in VMware Cloud Foundation 4.5.1 and later.

Replacing the certificate for a VMware Cloud Foundation component outside of SDDC Manager results in an error in the SDDC Manager UI. You can add the trusted certificate to the SDDC Manager trust store using the VMware Cloud Foundation API or the SDDC Manager UI. This procedure describes using the SDDC Manager UI.
Using the SDDC Manager UI adds the certificate to the trust store for outbound communications.
Procedure
1 Click review in the error message in the SDDC Manager UI.
In the SDDC Manager UI, click Inventory > Workload Domains, click the workload domain name, and then click the Certificates tab. The error appears in the Status column.
2 Review the information to make sure it is accurate and then click Trust Certificate.

Remove Old or Unused Certificates from SDDC Manager
Old or unused certificates are stored in a trust store in SDDC Manager. You can delete old certificates using the VMware Cloud Foundation API. See Delete Trusted Certificate in the VMware Cloud Foundation API Reference Guide for more information.
Procedure
1 Log in to the SDDC Manager UI as a user with the ADMIN role.
For more information about roles, see Chapter 23 Managing Users and Groups in VMware Cloud Foundation.
2 In the navigation pane, click Developer Center > API Explorer.
3 Browse to and expand API Categories > Trusted Certificates.
4 Expand GET /v1/sddc-manager/trusted-certificates and click EXECUTE.
5 In the Response, click TrustedCertificate and copy the alias for the certificate you want to remove.
6 Expand DELETE /v1/sddc-manager/trusted-certificates/{alias}, enter the alias, and click EXECUTE.

5 Managing License Keys in VMware Cloud Foundation
You can add component license keys in the SDDC Manager UI or add a solution license key in vSphere Client.
Starting with VMware Cloud Foundation 5.1.1, you can license VMware Cloud Foundation components using a solution license key or individual component license keys.
Note VMware Cloud Foundation 5.1.1 supports a combination of solution and component license keys. For example, Workload Domain 1 can use component license keys and Workload Domain 2 can use the solution license key.
For more information about the VCF solution license key, VMware vSphere 8 Enterprise Plus for VCF, see https://knowledge.broadcom.com/external/article?articleNumber=319282.
SDDC Manager does not manage the solution license key. If you are using a solution license key, VMware Cloud Foundation components are deployed in evaluation mode and then you use the vSphere Client to add and assign the solution key. See Managing vSphere Licenses for information about using a solution license key for VMware ESXi and vCenter Server.
If you are using a solution license key, you must also add a separate VMware vSAN license key for vSAN clusters. See Configure License Settings for a vSAN Cluster.
Note VMware vCenter Server, VMware NSX, VMware Aria Suite components, and VMware HCX are all licensed when you assign a solution license key to a vCenter Server.
Use the SDDC Manager UI to manage component license keys. If you entered component license keys in the deployment parameter workbook that you used to create the management domain, those component license keys appear in the Licensing screen of the SDDC Manager UI. You can add additional component license keys to support your requirements.
You must have adequate license units available before you create a VI workload domain, add a host to a vSphere cluster, or add a vSphere cluster to a workload domain. Add the necessary component license keys before you begin any of these tasks.
Read the following topics next:
- Add a Component License Key in the SDDC Manager UI
- Edit a Component License Key Description in the SDDC Manager UI
- Delete a Component License Key in the SDDC Manager UI
- Update Component License Keys for Workload Domain Components

Add a Component License Key in the SDDC Manager UI
You can use the SDDC Manager UI to add component license keys to the SDDC Manager inventory. SDDC Manager does not manage solution license keys.
See Chapter 5 Managing License Keys in VMware Cloud Foundation for more information about solution license keys.
Procedure
1 In the navigation pane, click Administration > Licensing.
2 Click + License Key.
3 Select a product from the drop-down menu.
4 Enter the license key.
5 Enter a description for the license.
A description can help in identifying the license.
6 Click Add.
What to do next
If you want to replace an existing license with a newly added license, you must add and assign the new license in the management UI (for example, vSphere Client or NSX Manager) of the component whose license you are replacing.

Edit a Component License Key Description in the SDDC Manager UI
If you have multiple component license keys for a product, the description can help in identifying the license key. For example, you may want to use one license key for high-performance workload domains and the other license key for regular workload domains.
Procedure
1 In the navigation pane, click Administration > Licensing.
2 Click the vertical ellipsis (three dots) next to the license key and click Edit Description.
3 On the Edit License Key Description dialog, edit the description and click Save.

Delete a Component License Key in the SDDC Manager UI
Deleting a component license key removes it from the SDDC Manager inventory. If the license key has been applied to any workload domain, host, or vSphere cluster, it is not removed from them, but it cannot be applied to new workload domains, hosts, or vSphere clusters.
Procedure
1 In the navigation pane, click Administration > Licensing.
2 Click the vertical ellipsis (three dots) next to the license key you want to delete and click Remove.
3 In the Remove License Key dialog, click Remove.
Results
The component license key is removed from the SDDC Manager inventory.

Update Component License Keys for Workload Domain Components
You can use the SDDC Manager UI to update the license keys for components whose license keys have expired, are expiring, or are incompatible with upgraded components. You can update component license keys for:
- vCenter Server
- VMware NSX
- VMware vSAN
- ESXi
Updates are specific to the selected workload domain. If you want to update component license keys for multiple workload domains, you must update each workload domain separately.
Prerequisites
The new component license key(s) must already be added to the SDDC Manager invento