VMware Cloud Foundation 5.2 Administration Guide PDF
This document is an administration guide for VMware Cloud Foundation 5.2. It provides instructions on configuring various aspects of the platform, like certificates, licenses, and ESXi hosts, targeting a professional audience.
VMware Cloud Foundation Administration Guide
VMware Cloud Foundation 5.2

You can find the most up-to-date technical documentation on the VMware by Broadcom website at: https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2015-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

VMware by Broadcom 2

Contents

About the VMware Cloud Foundation Administration Guide 12

1 Administering VMware Cloud Foundation 13
  VMware Software Components Deployed by VMware Cloud Foundation 13
  Web Interfaces Used to Administer VMware Cloud Foundation 14

2 Getting Started with SDDC Manager 15
  Log in to the SDDC Manager User Interface 15
  Guided SDDC Manager Onboarding 16
  Tour of the SDDC Manager User Interface 16
  Log out of the SDDC Manager User Interface 19

3 Configure the Customer Experience Improvement Program Settings for VMware Cloud Foundation 20

4 Managing Certificates in VMware Cloud Foundation 22
  View Certificate Information 23
  Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates 24
  Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates 25
  Install Microsoft Certificate Authority Roles 26
  Configure the Microsoft Certificate Authority for Basic Authentication 26
  Create and Add a Microsoft Certificate Authority Template 27
  Assign Certificate Management Privileges to the SDDC Manager Service Account 29
  Configure a Microsoft Certificate Authority in SDDC Manager 30
  Install Microsoft CA-Signed Certificates using SDDC Manager 31
  Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates 33
  Configure OpenSSL-signed Certificates in SDDC Manager 33
  Install OpenSSL-signed Certificates using SDDC Manager 35
  Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files 37
  Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle 39
  Add a Trusted Certificate to the SDDC Manager Trust Store 43
  Remove Old or Unused Certificates from SDDC Manager 43

5 Managing License Keys in VMware Cloud Foundation 45
  Add a Component License Key in the SDDC Manager UI 46
  Edit a Component License Key Description in the SDDC Manager UI 46
  Delete a Component License Key in the SDDC Manager UI 47
  Update Component License Keys for Workload Domain Components 47

6 Prepare ESXi Hosts for VMware Cloud Foundation 49
  Create a Custom ISO Image for ESXi 50
  Create a Custom ESXi ISO Image Using VMware PowerCLI 50
  Create a Custom ESXi ISO Image Using vSphere Lifecycle Manager 52
  Install ESXi Interactively and Configure Hosts for VMware Cloud Foundation 52
  Install ESXi on VMware Cloud Foundation Hosts Using the ISO 54
  Configure the Network on VMware Cloud Foundation Hosts 54
  Configure the Virtual Machine Network Port Group on VMware Cloud Foundation Hosts 55
  Configure NTP on VMware Cloud Foundation Hosts 56
  Regenerate the Self-Signed Certificate on All Hosts 57
  Configure ESXi Hosts with Signed Certificates 58

7 Managing ESXi Hosts in VMware Cloud Foundation 60
  Network Pool Management 60
  Size a Network Pool 61
  View Network Pool Details 62
  Create a Network Pool 63
  Add or Remove a Network Pool IP Address Range 65
  Rename a Network Pool 65
  Delete a Network Pool 66
  View Host Inventory 66
  Commission Hosts 68
  Decommission Hosts 72
  ESXi Lockdown Mode 73

8 Managing vSphere Lifecycle Manager Images in VMware Cloud Foundation 75
  Create a vSphere Lifecycle Manager Image 77
  Export a vSphere Lifecycle Manager Image 80
  Creating a vSphere Lifecycle Manager Image in VMware Cloud Foundation 81
  Extract a vSphere Lifecycle Manager Image 81
  Import a vSphere Lifecycle Manager Image 82
  Firmware Updates 84
  View vSphere Lifecycle Manager Images 84

9 Managing Storage in VMware Cloud Foundation 85
  vSAN Storage with VMware Cloud Foundation 86
  NFS Storage with VMware Cloud Foundation 88
  Fibre Channel Storage with VMware Cloud Foundation 89
  HCI Mesh with VMware Cloud Foundation 90
  vVols Storage with VMware Cloud Foundation 91
  Add a VASA Provider 93
  View a VASA Provider 94
  Edit a VASA Provider 94
  Delete a VASA Provider 94

10 Converting or Importing Existing vSphere Environments into VMware Cloud Foundation 96
  Supported Scenarios for Converting or Importing vSphere Environments to VMware Cloud Foundation 97
  Considerations Before Converting or Importing Existing vSphere Environments into VMware Cloud Foundation 97
  Network and Compute Requirements for Converting or Importing Existing vSphere Environments 101
  Download Software for Converting or Importing Existing vSphere Environments 102
  VCF Import Tool Options and Parameters 102
  Convert a vSphere Environment to a Management Domain or Import a vSphere Environment as a VI Workload Domain in VMware Cloud Foundation 103
  Copy the VCF Import Tool to the Target vCenter Appliance 105
  Run a Precheck on the Target vCenter Before Conversion 106
  Generate an NSX Deployment Specification for Converting or Importing Existing vSphere Environments 107
  Deploy the SDDC Manager Appliance on the Target vCenter 108
  Upload the Required Software to the SDDC Manager Appliance 109
  Run a Detailed Check on the Target vCenter Before Conversion or Import 110
  Convert or Import the vSphere Environment into the SDDC Manager Inventory 111
  Add Licenses for Converted or Imported Workload Domains in SDDC Manager 112
  Validate a Converted Management Domain or Imported VI Workload Domain 112
  VCF Import Tool Troubleshooting 113
  General Troubleshooting for the VCF Import Tool 113
  Importing a VI Workload Domain Fails while Importing Trusted Root Certificates 113
  VCF Import Tool Guardrail Troubleshooting 113
  ESX Upgrade Policy Guardrail Failure 113
  Troubleshooting Guardrail Issues Requiring Manual SDDC Manager Database Updates 114

11 Managing Workload Domains in VMware Cloud Foundation 118
  About VI Workload Domains 119
  Prerequisites for a Workload Domain 121
  Deploy a VI Workload Domain Using the SDDC Manager UI 124
  Specify Names, vCenter Single Sign-On Domain, and vSphere Lifecycle Manager Method 125
  Specify vSphere Cluster Details 127
  Specify Compute Details 127
  Specify Networking Details 128
  Select the vSAN Storage Parameters 129
  Specify the VMFS on FC Datastore 131
  Specify vVols Storage Details 131
  Select Hosts 131
  Specify Switch Configuration 132
  Specify NFS Storage Details 135
  Select Licenses 136
  View Object Names 137
  Review Details and Start the Creation Workflow 137
  Deploy a Multi-Rack Compute VI Workload Domain 138
  Deactivate Auto Policy Management for vSAN ESA 138
  Create and Assign a New Default Storage Policy for vSAN ESA 139
  Create vSAN Fault Domains 139
  Deploy NSX Manager for Workload Domains 140
  Delete a VI Workload Domain 142
  View Workload Domain Details 143
  Expand a Workload Domain 145
  Add a Host to a vSphere Cluster Using the SDDC Manager UI 145
  Add a vSphere Cluster to a Workload Domain Using the SDDC Manager UI 147
  Shrink a Workload Domain 154
  Remove a Host from a vSphere Cluster in a Workload Domain 154
  Delete a vSphere Cluster from a Workload Domain 155
  Rename a Workload Domain 156
  vSphere Cluster Management 156
  View vSphere Cluster Details 156
  Rename a Cluster in the SDDC Manager UI 157
  Mount a Remote vSAN Datastore 158
  Unmount a Remote vSAN Datastore 159
  Tag Management 159
  Tag a Workload Domain 160
  Remove a Tag from your Workload Domain 160
  Tag a Cluster 161
  Remove a Tag from your Cluster 161
  Tag a Host 162
  Remove a Tag from your Host 162
  Manage Workload Domain Configuration Drift Between vCenter Server and SDDC Manager 163

12 Managing NSX Edge Clusters in VMware Cloud Foundation 165
  Prerequisites for an NSX Edge Cluster 166
  Deploy an NSX Edge Cluster 167
  Add Edge Nodes to an NSX Edge Cluster 173
  Remove Edge Nodes from an NSX Edge Cluster 178

13 Managing Avi Load Balancer in VMware Cloud Foundation 180
  Deploy Avi Load Balancer for a Workload Domain 181
  Remove Avi Load Balancer from a Workload Domain 184

14 Deploying Application Virtual Networks in VMware Cloud Foundation 185
  Deploy Overlay-Backed NSX Segments 186
  Deploy VLAN-Backed NSX Segments 188

15 VMware Cloud Foundation with VMware Tanzu 190
  Enable Workload Management 190
  View Workload Management Cluster Details 192
  Update Workload Management License 192

16 VMware Aria Suite Lifecycle in VMware Cloud Foundation mode 194
  VMware Aria Suite Lifecycle Implementation 195
  Deploy VMware Aria Suite Lifecycle 196
  Replace the Certificate of the VMware Aria Suite Lifecycle Instance 197
  Configure Data Center and vCenter Server in VMware Aria Suite Lifecycle 198
  Workspace ONE Access Implementation 199
  Import the Workspace ONE Access Certificate to VMware Aria Suite Lifecycle 200
  Add Workspace ONE Access Passwords to VMware Aria Suite Lifecycle 202
  Deploy a Standard Workspace ONE Access Instance Using VMware Aria Suite Lifecycle 203
  Deploy Clustered Workspace ONE Access Instance Using VMware Aria Suite Lifecycle 205
  Configure an Anti-Affinity Rule and a Virtual Machine Group for a Clustered Workspace ONE Access Instance 207
  Configure NTP on Workspace ONE Access 208
  Configure the Domain and Domain Search Parameters on Workspace ONE Access 209
  Configure an Identity Source for Workspace ONE Access 209
  Add the Clustered Workspace ONE Access Cluster Nodes as Identity Provider Connectors 211
  Assign Roles to Active Directory Groups for Workspace ONE Access 212
  Assign Roles to Active Directory Groups for VMware Aria Suite Lifecycle 212

17 Working with NSX Federation in VMware Cloud Foundation 214
  NSX Federation Key Concepts 214
  Configuring NSX Federation in VMware Cloud Foundation 215
  Create Global Manager Clusters for VMware Cloud Foundation 218
  Deploy Global Manager Nodes 219
  Join Global Manager Nodes to Form a Cluster 221
  Create Anti-Affinity Rule for Global Manager Cluster in VMware Cloud Foundation 221
  Assign a Virtual IP Address to Global Manager Cluster 222
  Prepare Local Manager for NSX Federation in VMware Cloud Foundation 222
  Enable NSX Federation in VMware Cloud Foundation 223
  Set Active Global Manager 223
  Add Location to Global Manager 224
  Stretch Segments between VMware Cloud Foundation Instances 226
  Create and Configure Cross-Instance Tier-1 Gateway 227
  Connect Cross-Instance Segments to Cross-Instance Tier-1 Gateway 227
  Delete Existing Tier-0 Gateways in Additional Instances 228
  Connect Additional VMware Cloud Foundation Instances to Cross-Instance Tier-0 Gateway 228
  Connect Local Tier-1 Gateway to Cross-Instance Tier-0 Gateway 230
  Add Additional Instance as Locations to the Cross-Instance Tier-1 Gateway 230
  Set Standby Global Manager 231
  Replacing Global Manager Cluster Certificates in VMware Cloud Foundation 232
  Import a CA-Signed Certificate to the Global Manager Cluster 232
  Replace the Certificate for the First Global Manager Node 232
  Replace Certificates and Virtual IP for the Remaining Global Manager Nodes 234
  Update Local Manager Certificate Thumbprint in Global Manager Cluster 236
  Password Management for NSX Global Manager Cluster in VMware Cloud Foundation 237
  Update Password for Global Manager Cluster 237
  Synch Up Passwords of Global Manager Appliances in Global Manager Cluster 238
  Backup and Restore of NSX Global Manager Cluster in VMware Cloud Foundation 239
  Configure NSX Global Manager Cluster Backups 239
  Restore an NSX Global Manager Cluster Backup 240

18 Managing Installation and Upgrade Bundles in VMware Cloud Foundation 242
  Downloading Install Bundles for VMware Cloud Foundation 243
  Connect SDDC Manager to a Software Depot for Downloading Bundles 243
  Download an Install Bundle from SDDC Manager 244
  Configure a Proxy Server for Downloading Bundles 245
  Download an Install Bundle Using the Bundle Transfer Utility 246
  View Bundle Download History 250

19 Stretching vSAN Clusters in VMware Cloud Foundation 251
  About Availability Zones and Regions 252
  Stretched Cluster Requirements 252
  Deploy and Configure vSAN Witness Host 255
  Deploy vSAN Witness Host 255
  Register vSAN Witness Host 256
  Configure NTP on the Witness Host 257
  Configure the VMkernel Adapters on the vSAN Witness Host 257
  Stretch a vSAN Cluster in VMware Cloud Foundation 258
  NSX Configuration for Availability Zone 2 270
  Configure IP Prefixes in the Tier-0 Gateway for Availability Zone 2 270
  Configure Route Maps in the Tier-0 Gateway for Availability Zone 2 271
  Configure BGP in the Tier-0 Gateway for Availability Zone 2 272
  Expand a Stretched Cluster in VMware Cloud Foundation 274
  Unstretch a Cluster 276
  Replace a Failed Host in a Stretched Cluster 277
  Change the vSAN Witness Host in a Stretched Cluster 279

20 Monitoring Capabilities in the VMware Cloud Foundation System 280
  Viewing Tasks and Task Details 280
  API Activity Logging 282

21 Updating VMware Cloud Foundation DNS and NTP Servers 284
  Update DNS Server Configuration 284
  Update NTP Server Configuration 285

22 Supportability and Serviceability (SoS) Utility 287
  SoS Utility Options 287
  Collect Logs for Your VMware Cloud Foundation System 293
  Component Log Files Collected by the SoS Utility 295

23 Replacing Host Components in VMware Cloud Foundation 298
  Avoiding Unintentional Downtime 298
  Replacing Components of a Host Running in Degraded Mode 299
  Replace Components of an Assigned Host Running in Degraded Mode 299
  Replace Components of an Unassigned Host Running in Degraded Mode 300
  Replace a Dead Host 301
  Replace Boot Disk on a Host 302

24 Managing Users and Groups in VMware Cloud Foundation 303
  Configuring the Identity Provider for VMware Cloud Foundation 304
  Add Active Directory over LDAP or OpenLDAP as an Identity Source for VMware Cloud Foundation 304
  Configure Microsoft ADFS as the Identity Provider in the SDDC Manager UI 306
  Configure Identity Federation in VMware Cloud Foundation Using Okta 309
  Create an OpenID Connect application for VMware Cloud Foundation in Okta 310
  Configure Okta as the Identity Provider in the SDDC Manager UI 311
  Update the Okta OpenID Connect application with the Redirect URI from SDDC Manager 315
  Create a SCIM 2.0 Application for Using Okta with VMware Cloud Foundation 315
  Assign Okta Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager 317
  Configure Identity Federation in VMware Cloud Foundation Using Microsoft Entra ID 322
  Create an OpenID Connect application for VMware Cloud Foundation in Microsoft Entra ID 323
  Configure Microsoft Entra ID as the Identity Provider in the SDDC Manager UI 325
  Update the Microsoft Entra ID OpenID Connect application with the Redirect URI from SDDC Manager 328
  Create a SCIM 2.0 Application for Using Microsoft Entra ID with VMware Cloud Foundation 329
  Assign Microsoft Entra ID Users and Groups as Administrators in SDDC Manager, vCenter Server, and NSX Manager 333
  Add a User or Group to VMware Cloud Foundation 336
  Remove a User or Group 337
  Create a Local Account 337
  Create an Automation Account 339

25 Managing Passwords in VMware Cloud Foundation 343
  Rotate Passwords 345
  Manually Update Passwords 348
  Remediate Passwords 349
  Look Up Account Credentials 350
  Updating SDDC Manager Passwords 351
  Update SDDC Manager Root and Super User Passwords 351
  Update SDDC Manager Local Account Password 352
  Update Expired SDDC Manager Root Password 353

26 Backup and Restore of VMware Cloud Foundation 354
  Reconfigure SFTP Backups for SDDC Manager and NSX Manager 355
  File-Based Backups for SDDC Manager and vCenter Server 357
  Back Up SDDC Manager 358
  Configure a Backup Schedule for vCenter Server 359
  Manually Back Up vCenter Server 360
  Export the Configuration of the vSphere Distributed Switches 361
  File-Based Restore for SDDC Manager, vCenter Server, and NSX 362
  Restore SDDC Manager 362
  Prepare for Restoring SDDC Manager 363
  Restore SDDC Manager from a File-Based Backup 364
  Validate the Status of SDDC Manager 366
  Restore vCenter Server 366
  Prepare for Restoring vCenter Server 367
  Restore a vCenter Server Instance from a File-Based Backup 370
  Move the Restored vCenter Server Appliance to the Correct Folder 373
  Validate the vCenter Server State 373
  Validate the SDDC Manager State After a vCenter Server Restore 374
  Restore the Configuration of a vSphere Distributed Switch 374
  Restore an NSX Manager Cluster Node 375
  Prepare for Restoring an NSX Manager Cluster Node 375
  Restore the First Node of a Failed NSX Manager Cluster 377
  Deactivate the NSX Manager Cluster 380
  Restore an NSX Manager Node to an Existing NSX Manager Cluster 380
  Update or Recreate the VM Anti-Affinity Rule for the NSX Manager Cluster Nodes 386
  Validate the SDDC Manager Inventory State 386
  Restoring NSX Edge Cluster Nodes 387
  Prepare for Restoring NSX Edge Cluster Nodes 387
  Replace the Failed NSX Edge Node with a Temporary NSX Edge Node 389
  Replace the Temporary NSX Edge Node with the Redeployed NSX Edge Node 392
  Image-Based Backup and Restore of VMware Cloud Foundation 396

27 VMware Cloud Foundation Glossary 398

About the VMware Cloud Foundation Administration Guide

The VMware Cloud Foundation Administration Guide provides information about managing a VMware Cloud Foundation™ system, including managing the system's virtual infrastructure, managing users, and configuring, upgrading, and monitoring the system.
Intended Audience

The VMware Cloud Foundation Administration Guide is intended for cloud architects, infrastructure administrators, and cloud administrators who are familiar with and want to use VMware software to quickly import, deploy, and manage a software-defined data center (SDDC). The information in this document is written for experienced data center system administrators who are familiar with:
- Concepts of virtualization, software-defined data centers, and virtual infrastructure (VI)
- VMware virtualization technologies, such as VMware ESXi™, the hypervisor
- Software-defined networking using VMware NSX®
- Software-defined storage using VMware vSAN™
- Networking concepts such as Layer-2, Layer-3, and Border Gateway Protocol (BGP)

Related Publications

The Getting Started with VMware Cloud Foundation document provides a high-level overview of the VMware Cloud Foundation product.

The Planning and Preparation Workbook provides detailed information about the software, tools, and external services that are required for VMware Cloud Foundation.

The VMware Cloud Foundation Deployment Guide provides information about installing ESXi software on VMware Cloud Foundation servers and deploying the management domain using the VMware Cloud Builder appliance.

The VMware Cloud Foundation Lifecycle Management document describes how to manage the life cycle of a VMware Cloud Foundation environment.

1 Administering VMware Cloud Foundation

As an SDDC administrator, you use the information in the VMware Cloud Foundation Administration document to understand how to administer and operate your VMware Cloud Foundation system. An administrator of a VMware Cloud Foundation system performs tasks such as:
- Manage certificates and passwords.
- Add capacity to your system.
- Configure and provision workload domains.
- Manage provisioned workload domains.
- Troubleshoot issues and prevent problems across the physical and virtual infrastructure.
- Perform lifecycle management of the VMware Cloud Foundation software components.

See the Introducing VMware Cloud Foundation document for a high-level overview of the VMware Cloud Foundation product and the VMware Cloud Foundation Deployment Guide for information on deploying the product.

Read the following topics next:
- VMware Software Components Deployed by VMware Cloud Foundation
- Web Interfaces Used to Administer VMware Cloud Foundation

VMware Software Components Deployed by VMware Cloud Foundation

VMware Cloud Foundation is designed and built to deploy specific VMware products using the SDDC Manager appliance. For the exact version numbers of the VMware products that are supported, refer to the Release Notes document for your VMware Cloud Foundation version on VMware Docs. If the system has been updated after the initial bring-up process using the lifecycle management features, see "View Upgrade History" in the VMware Cloud Foundation Lifecycle Management Guide for details on how to view the versions of the VMware software components that are running in your VMware Cloud Foundation instance.

You can find product-specific documentation for the following VMware software products and components at VMware Docs:
- vSphere (vCenter Server and ESXi)
- VMware vSAN
- VMware NSX
- VMware Aria Suite

Web Interfaces Used to Administer VMware Cloud Foundation

SDDC Manager provides a web-based user interface where you can manage your VMware Cloud Foundation instance. This user interface provides centralized access to and an integrated view of the physical and virtual infrastructure of your system. In addition to using the SDDC Manager UI, you can use the following user interfaces for administration tasks involving their associated VMware software components that are part of a VMware Cloud Foundation instance. All of these interfaces run in a web browser, and you can launch them from within the SDDC Manager UI. Launch links are typically identified in the SDDC Manager UI by the launch icon.

VMware SDDC web interfaces and the location of their launch links in the SDDC Manager UI:

vSphere Client
  1. In the navigation pane, click Inventory > Workload Domains.
  2. Click View Details for a workload domain.
  3. In the Domain column, click the domain name.
  4. Click the Services tab.
  5. Click the vCenter Server launch link.

NSX Manager UI
  1. In the navigation pane, click Inventory > Workload Domains.
  2. Click View Details for a workload domain.
  3. In the Domain column, click the domain name.
  4. Click the Services tab.
  5. Click the NSX Cluster launch link.

VMware Host Client
  1. In the navigation pane, click Inventory > Hosts.
  2. In the FQDN column, click the host FQDN.
  3. Click Actions > Open in VMware Host Client.

2 Getting Started with SDDC Manager

You use SDDC Manager to perform administration tasks on your VMware Cloud Foundation instance. The SDDC Manager UI provides an integrated view of the physical and virtual infrastructure and centralized access to manage the physical and logical resources. You work with the SDDC Manager UI by loading it in a web browser. For the list of supported browsers and versions, see the Release Notes.

Read the following topics next:
- Log in to the SDDC Manager User Interface
- Guided SDDC Manager Onboarding
- Tour of the SDDC Manager User Interface
- Log out of the SDDC Manager User Interface

Log in to the SDDC Manager User Interface

Connect to the SDDC Manager appliance by logging into the SDDC Manager UI using a supported web browser.

Prerequisites
To log in, you need the SDDC Manager IP address or FQDN and the password for the single sign-on user (for example administrator@vsphere.local). You added this information to the deployment parameter workbook before bring-up.

Procedure
1. In a web browser, type one of the following:
   - https://FQDN, where FQDN is the fully qualified domain name of the SDDC Manager appliance.
   - https://IP_address, where IP_address is the IP address of the SDDC Manager appliance.
2. Log in to the SDDC Manager UI with vCenter Server Single Sign-On user credentials.

Results
You are logged in to the SDDC Manager UI and the Dashboard page appears in the web browser.

Guided SDDC Manager Onboarding

VMware Cloud Foundation includes an onboarding dashboard to help you with configuring a healthy SDDC Manager environment. This dashboard appears when you log into SDDC Manager. It provides a walk-through for initial configuration, including the recommended order for completing each task. After completing the walk-through, a banner at the top of the screen offers a tour of the SDDC Manager UI. You can skip sections and exit out of the guided setup at any point.

This dashboard automatically shows unless you click "Don't show onboarding screen again" and close the page. Clicking this option also prevents the optional guided tour from automatically displaying in the future. Use the Help icon in the upper-right corner of the page to later access the onboarding dashboard and guided tour.

Tour of the SDDC Manager User Interface

The SDDC Manager UI provides a single point of control for managing and monitoring your VMware Cloud Foundation instance and for provisioning workload domains. You use the navigation bar to move between the main areas of the user interface.

Navigation Bar
The navigation bar is available on the left side of the interface and provides a hierarchy for navigating to the corresponding pages. Its categories and their functional areas are described below.

Dashboard
The Dashboard provides the high-level administrative view for SDDC Manager in the form of widgets.
There are widgets for Solutions; Workload Domains; Host Types and Usage; Ongoing and Scheduled Updates; Update History; CPU, Memory, Storage Usage; and Recent Tasks. You can control the widgets that are displayed and how they are arranged on the dashboard. n To rearrange widgets, click the heading of the widget and drag it to the desired position. n To hide a widget, hover the mouse anywhere over the widget to reveal the X in the upper-right corner, and click the X. n To add a widget, click the three dots in the upper right corner of the page and select Add New Widgets. This displays all hidden widgets. Select a widget and click Add. Solutions Solutions include the following section: n Kubernetes - Workload Management allows you to start a Workload Management deployment and view Workload Management cluster details. Inventory Inventory includes the following sections: n Workload Domains takes you to the Workload Domains page, which displays and provides access to all workload domains. This page includes summary information about all workload domains, including domain type, storage usage, configuration status, owner, clusters, hosts and update availability. It also displays CPU, memory, and storage utilization for each workload domain, and collectively across all domains. n Hosts takes you to the Hosts page, which displays and provides access to current hosts and controls for managing hosts. This page includes detailed information about all hosts, including FQDN, host IP, network pool, configuration status, host state, cluster, and storage type. It also displays CPU and memory utilization for each host, and collectively across all hosts. VMware by Broadcom 17 VMware Cloud Foundation Administration Guide Category Functional Areas Lifecycle Management Lifecycle Management includes the following sections: n Release Versions displays the versions in your environment and the associated component versions in that release. 
n Bundle Management displays the available install, update, and upgrade bundles for your environment, and your bundle download history. Note To access bundles, you must be logged in to your Broadcom Support Portal account through the Administration > Depot Settings page. n Image Management allows you to import a vSphere Lifecycle Manager cluster image from vCenter Server and view the available images. This is an alternative way of managing the life cycle of ESXi hosts. Administration Administration includes the following sections: n Network Settings allows you to configure, view, and manage network pool settings. You can create new network pools, and view and modify existing network pools. You can also use Network Settings to update the DNS and NTP servers that VMware Cloud Foundation uses. n Storage Settings allows you to add new VASA providers, view, edit, and delete existing VASA providers. n Licensing allows you to manage VMware product licenses. You can also add licenses for the component products in your VMware Cloud Foundation deployment. n Single Sign On allows you to manage VMware Cloud Foundation users and groups, including adding users and groups and assigning roles. You can also configure identity providers for VMware Cloud Foundation. n Proxy Settings allows you to configure a proxy server to download install and upgrade bundles from the VMware Depot. n Depot Settings allows you to log in to your Broadcom Support Portal account to download install and upgrade bundles. n VMware Aria Suite allows you to deploy VMware Aria Suite Lifecycle and configure connections between workload domains and VMware Aria Suite products. n Backup allows you to register an external SFTP server with SDDC Manager for backing up SDDC Manager and NSX Managers. You can also configure the backup schedule for SDDC Manager. n VMware CEIP to join or leave the VMware Customer Experience Improvement Program. 
VMware by Broadcom 18 VMware Cloud Foundation Administration Guide Category Functional Areas Security n Password Management allows password management actions, such as rotation, updates and remediation. n Certificate Authority allows you to integrate with your Microsoft Certificate Authority Server. Developer Center The VMware Cloud Foundation Developer Center includes the following sections: n Overview: API reference documentation. Includes information and steps for all the Public APIs supported by VMware Cloud Foundation. n API Explorer: Lists the APIs and allows you to invoke them directly on your VMware Cloud Foundation system. Log out of the SDDC Manager User Interface Log out of the SDDC Manager UI when you have completed your tasks. Procedure 1 In the SDDC Manager UI, click the logged-in account name in the upper right corner. 2 Click Log out. VMware by Broadcom 19 Configure the Customer Experience Improvement Program Settings for VMware Cloud 3 Foundation VMware Cloud Foundation participates in the VMware Customer Experience Improvement Program (CEIP). You can choose to activate or deactivate CEIP for your VMware Cloud Foundation instance. The Customer Experience Improvement Program provides VMware with information that allows VMware to improve its products and services, to fix problems, and to advise you on how best to deploy and use our products. As part of the CEIP, VMware collects technical information about your organization’s use of the VMware products and services regularly in association with your organization’s VMware license keys. This information does not personally identify any individual. For additional information regarding the CEIP, refer to the Trust & Assurance Center at http:// www.vmware.com/trustvmware/ceip.html. You can activate or deactive CEIP across all the components deployed in VMware Cloud Foundation by the following methods: n When you log into SDDC Manager for the first time, a pop-up window appears. 
  The Join the VMware Customer Experience Program option is selected by default. Deselect this option if you do not want to join CEIP. Click Apply.
• You can activate or deactivate CEIP from the Administration tab in the SDDC Manager UI.

Procedure
1 In the navigation pane, click Administration > VMware CEIP.
2 To activate CEIP, select the Join the VMware Customer Experience Improvement Program option.
3 To deactivate CEIP, deselect the Join the VMware Customer Experience Improvement Program option.

4 Managing Certificates in VMware Cloud Foundation
You can use the SDDC Manager UI to manage certificates in a VMware Cloud Foundation instance, including integrating a certificate authority, generating and submitting certificate signing requests (CSRs) to a certificate authority, and downloading and installing certificates.
This section provides instructions for the following options:
• Using OpenSSL as a certificate authority, which is a native option in SDDC Manager.
• Integrating with Microsoft Active Directory Certificate Services.
• Providing signed certificates from another external Certificate Authority.
You can manage the certificates for the following components:
• vCenter Server
• NSX Manager
• VMware Avi Load Balancer (formerly known as NSX Advanced Load Balancer)
• SDDC Manager
• VMware Aria Suite Lifecycle
Note: Use VMware Aria Suite Lifecycle to manage certificates for the other VMware Aria Suite components.
Note: VMware Cloud Foundation does not manage certificates for ESXi hosts. By default, ESXi hosts use VMCA-signed certificates, but they can also use external CA-signed certificates. If ESXi hosts are using VMCA-signed certificates, VMCA manages the certificates and certificate rotation. If ESXi hosts are using external certificates, you are responsible for managing the certificates. For more information about external certificates, see Configure ESXi Hosts with Signed Certificates.
You replace certificates for the following reasons:
• A certificate has expired or is nearing its expiration date.
• A certificate has been revoked by the issuing certificate authority.
• You do not want to use the default VMCA-signed certificates.
• Optionally, when you create a new workload domain.
It is recommended that you replace all certificates after completing the deployment of the VMware Cloud Foundation management domain. After you create a new VI workload domain, you can replace certificates for the appropriate components as needed.
• View Certificate Information
  You can view details of an applied certificate for a resource directly through the SDDC Manager UI.
• Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates
  VMware Cloud Foundation supports the ability to manage certificates by integrating with Microsoft Active Directory Certificate Services (Microsoft CA). Before you can perform certificate operations using the SDDC Manager UI, you must ensure that the Microsoft Certificate Authority is configured correctly.
• Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates
  VMware Cloud Foundation supports the ability to manage certificates using OpenSSL configured on the SDDC Manager appliance.
• Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files
  VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the new method, which is the default method for VMware Cloud Foundation 4.5.1 and later.
• Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle
  VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the legacy method of using a certificate bundle.
  To use the legacy method, you must modify your preferences and then use this procedure to generate CSRs, sign the CSRs with a third-party CA, and finally upload and install the certificates.
• Add a Trusted Certificate to the SDDC Manager Trust Store
  If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, then you must add the new certificate to the SDDC Manager trust store.
• Remove Old or Unused Certificates from SDDC Manager
  Old or unused certificates are stored in a trust store in SDDC Manager. You can delete old certificates using the VMware Cloud Foundation API.

View Certificate Information
You can view details of an applied certificate for a resource directly through the SDDC Manager UI.
The SDDC Manager UI provides a banner notification for any certificates that are expiring in the next 30 days.

Procedure
1 In the navigation pane, click Inventory > Workload Domains.
2 On the Workload Domains page, from the table, in the domain column click the domain you want to view.
3 On the domain summary page, click the Certificates tab.
  This tab lists the certificates for each resource type associated with the workload domain. It displays the following details:
  • Resource type
  • Issuer, the certificate authority name
  • Resource hostname
  • Valid From
  • Valid Until
  • Certificate status: Active, Expiring, or Expired
  • Certificate operation status
4 To view certificate details, expand the resource next to the Resource Type column.

Configure VMware Cloud Foundation to Use Microsoft CA-Signed Certificates
VMware Cloud Foundation supports the ability to manage certificates by integrating with Microsoft Active Directory Certificate Services (Microsoft CA). Before you can perform certificate operations using the SDDC Manager UI, you must ensure that the Microsoft Certificate Authority is configured correctly.
Complete the following tasks to manage Microsoft CA-signed certificates using SDDC Manager.

Procedure
1 Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates
  To ensure secure and operational connectivity between the SDDC components, you apply signed certificates provided by a Microsoft Certificate Authority for the SDDC components.
2 Configure a Microsoft Certificate Authority in SDDC Manager
  You configure a connection between SDDC Manager and a Microsoft Certificate Authority by entering your service account credentials.
3 Install Microsoft CA-Signed Certificates using SDDC Manager
  Replace the self-signed certificates with signed certificates from the Microsoft Certificate Authority by using SDDC Manager.

Prepare Your Microsoft Certificate Authority to Allow SDDC Manager to Manage Certificates
To ensure secure and operational connectivity between the SDDC components, you apply signed certificates provided by a Microsoft Certificate Authority for the SDDC components. You use SDDC Manager to generate the certificate signing requests (CSRs) and request signed certificates from the Microsoft Certificate Authority. SDDC Manager is then used to install the signed certificates on the SDDC components it manages. To achieve this, the Microsoft Certificate Authority must be configured to allow integration with SDDC Manager.

Procedure
1 Install Microsoft Certificate Authority Roles
  Install the Certificate Authority and Certificate Authority Web Enrollment roles on the Microsoft Certificate Authority server to facilitate certificate generation from SDDC Manager.
2 Configure the Microsoft Certificate Authority for Basic Authentication
  Configure the Microsoft Certificate Authority with basic authentication to allow SDDC Manager to manage signed certificates.
3 Create and Add a Microsoft Certificate Authority Template
  You must set up a certificate template in the Microsoft Certificate Authority. The template contains the certificate authority attributes for signing certificates for the VMware Cloud Foundation components. After you create the template, you add it to the certificate templates of the Microsoft Certificate Authority.
4 Assign Certificate Management Privileges to the SDDC Manager Service Account
  Before you can use the Microsoft Certificate Authority and the pre-configured template, it is recommended to configure least privilege access to the Microsoft Active Directory Certificate Services using an Active Directory user account as a restricted service account.

Install Microsoft Certificate Authority Roles
Install the Certificate Authority and Certificate Authority Web Enrollment roles on the Microsoft Certificate Authority server to facilitate certificate generation from SDDC Manager.
Note: When connecting SDDC Manager to Microsoft Active Directory Certificate Services, ensure that the Web Enrollment role is installed on the same machine where the Certificate Authority role is installed. SDDC Manager can't request and sign certificates automatically if the two roles (Certificate Authority and Web Enrollment) are installed on different machines.

Procedure
1 Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
  FQDN      Active Directory Host
  User      Active Directory administrator
  Password  ad_admin_password
2 Add roles to the Microsoft Certificate Authority server.
  a Click Start > Run, enter ServerManager, and click OK.
  b From the Dashboard, click Add roles and features to start the Add Roles and Features wizard.
  c On the Before you begin page, click Next.
  d On the Select installation type page, click Next.
  e On the Select destination server page, click Next.
  f On the Select server roles page, under Active Directory Certificate Services, select Certification Authority and Certification Authority Web Enrollment and click Next.
  g On the Select features page, click Next.
  h On the Confirm installation selections page, click Install.

Configure the Microsoft Certificate Authority for Basic Authentication
Configure the Microsoft Certificate Authority with basic authentication to allow SDDC Manager to manage signed certificates.

Prerequisites
The Microsoft Certificate Authority and IIS must be installed on the same server.

Procedure
1 Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.
  FQDN      Active Directory Host
  User      Active Directory administrator
  Password  ad_admin_password
2 Add Basic Authentication to the Web Server (IIS).
  a Click Start > Run, enter ServerManager, and click OK.
  b From the Dashboard, click Add roles and features to start the Add Roles and Features wizard.
  c On the Before you begin page, click Next.
  d On the Select installation type page, click Next.
  e On the Select destination server page, click Next.
  f On the Select server roles page, under Web Server (IIS) > Web Server > Security, select Basic Authentication and click Next.
  g On the Select features page, click Next.
  h On the Confirm installation selections page, click Install.
3 Configure the certificate service template and CertSrv web site for basic authentication.
  a Click Start > Run, enter Inetmgr.exe, and click OK to open the Internet Information Services Application Server Manager.
  b Navigate to your_server > Sites > Default Web Site > CertSrv.
  c Under IIS, double-click Authentication.
  d On the Authentication page, right-click Basic Authentication and click Enable.
  e In the navigation pane, select Default Web Site.
  f In the Actions pane, under Manage Website, click Restart for the changes to take effect.
Create and Add a Microsoft Certificate Authority Template
You must set up a certificate template in the Microsoft Certificate Authority. The template contains the certificate authority attributes for signing certificates for the VMware Cloud Foundation components. After you create the template, you add it to the certificate templates of the Microsoft Certificate Authority.

Procedure
1 Log in to the Active Directory server by using a Remote Desktop Protocol (RDP) client.
  FQDN      Active Directory Host
  User      Active Directory administrator
  Password  ad_admin_password
2 Click Start > Run, enter certtmpl.msc, and click OK.
3 In the Certificate Template Console window, under Template Display Name, right-click Web Server and select Duplicate Template.
4 In the Properties of New Template dialog box, click the Compatibility tab and configure the following values.
  Setting                  Value
  Certification Authority  Windows Server 2008 R2
  Certificate recipient    Windows 7 / Server 2008 R2
5 In the Properties of New Template dialog box, click the General tab and enter a name, for example VMware, in the Template display name text box.
6 In the Properties of New Template dialog box, click the Extensions tab and configure the following.
  a Click Application Policies and click Edit.
  b Click Server Authentication, click Remove, and click OK.
  c Click Basic Constraints and click Edit.
  d Select the Enable this extension check box and click OK.
  e Click Key Usage and click Edit.
  f Select the Signature is proof of origin (nonrepudiation) check box, leave the defaults for all other options, and click OK.
7 In the Properties of New Template dialog box, click the Subject Name tab, ensure that the Supply in the request option is selected, and click OK to save the template.
8 Add the new template to the certificate templates of the Microsoft CA.
  a Click Start > Run, enter certsrv.msc, and click OK.
  b In the Certification Authority window, expand the left pane, right-click Certificate Templates, and select New > Certificate Template to Issue.
  c In the Enable Certificate Templates dialog box, select VMware, and click OK.

Assign Certificate Management Privileges to the SDDC Manager Service Account
Before you can use the Microsoft Certificate Authority and the pre-configured template, it is recommended to configure least privilege access to the Microsoft Active Directory Certificate Services using an Active Directory user account as a restricted service account.

Prerequisites
• Create a user account in Active Directory with Domain Users membership. For example, svc-vcf-ca.

Procedure
1 Log in to the Microsoft Certificate Authority server by using a Remote Desktop Protocol (RDP) client.
  FQDN      Active Directory Host
  User      Active Directory administrator
  Password  ad_admin_password
2 Configure least privilege access for the user account on the Microsoft Certificate Authority.
  a Click Start > Run, enter certsrv.msc, and click OK.
  b Right-click the certificate authority server and click Properties.
  c Click the Security tab, and click Add.
  d Enter the name of the user account and click OK.
  e In the Permissions for... section, configure the permissions and click OK.
    Setting                        Value (Allow)
    Read                           Deselected
    Issue and Manage Certificates  Selected
    Manage CA                      Deselected
    Request Certificates           Selected
3 Configure least privilege access for the user account on the Microsoft Certificate Authority template.
  a Click Start > Run, enter certtmpl.msc, and click OK.
  b Right-click the VMware template and click Properties.
  c Click the Security tab, and click Add.
  d Enter the svc-vcf-ca service account and click OK.
  e In the Permissions for... section, configure the permissions and click OK.
    Setting       Value (Allow)
    Full Control  Deselected
    Read          Selected
    Write         Deselected
    Enroll        Selected
    Autoenroll    Deselected

Configure a Microsoft Certificate Authority in SDDC Manager
You configure a connection between SDDC Manager and a Microsoft Certificate Authority by entering your service account credentials.

Prerequisites
• Verify connectivity between SDDC Manager and the Microsoft Certificate Authority Server. See VMware Ports and Protocols.
• Verify that the Microsoft Certificate Authority Server has the correct roles installed on the same machine where the Certificate Authority role is installed. See Install Microsoft Certificate Authority Roles.
• Verify that the Microsoft Certificate Authority Server has been configured for basic authentication. See Configure the Microsoft Certificate Authority for Basic Authentication.
• Verify that a valid certificate template has been configured on the Microsoft Certificate Authority. See Create and Add a Microsoft Certificate Authority Template.
• Verify that the least privileged user account has been configured on the Microsoft Certificate Authority Server and template. See Assign Certificate Management Privileges to the SDDC Manager Service Account.
• Verify that time is synchronized between the Microsoft Certificate Authority and the SDDC Manager appliance. Each system can be configured with a different time zone, but it is recommended that they receive their time from the same NTP source.

Procedure
1 In the navigation pane, click Security > Certificate Authority.
2 Click Edit.
3 Configure the settings and click Save.
  Setting                     Value
  Certificate Authority Type  Microsoft
  CA Server URL               Specify the URL for the issuing certificate authority. This address must begin with https:// and end with certsrv. For example, https://ca.rainpole.io/certsrv.
  User Name                   Enter a least privileged service account. For example, svc-vcf-ca.
  Password                    Enter the password for the least privileged service account.
  Template Name               Enter the issuing certificate template name. You must create this template in the Microsoft Certificate Authority. For example, VMware.
4 In the CA Server Certificate Details dialog box, click Accept.

Install Microsoft CA-Signed Certificates using SDDC Manager
Replace the self-signed certificates with signed certificates from the Microsoft Certificate Authority by using SDDC Manager.

Procedure
1 In the navigation pane, click Inventory > Workload Domains.
2 On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
3 On the domain summary page, click the Certificates tab.
4 Generate CSR files for the target components.
  a From the table, select the check box for the resource type for which you want to generate a CSR.
  b Click Generate CSRs.
  c On the Details dialog, configure the settings and click Next.
    Option               Description
    Algorithm            Select the key algorithm for the certificate.
    Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
    Email                Optionally, enter a contact email address.
    Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
    Organization Name    Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
    Locality             Type the city or locality where your company is legally registered.
    State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
    Country              Type the country name where your company is legally registered. This value must use the ISO 3166 country code.
  d (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
  e On the Summary dialog, click Generate CSRs.
5 Generate signed certificates for each component.
  a From the table, select the check box for the resource type for which you want to generate a signed certificate.
  b Click Generate Signed Certificates.
  c In the Generate Certificates dialog box, from the Select Certificate Authority drop-down menu, select Microsoft.
  d Click Generate Certificates.
6 Install the generated signed certificates for each component.
  a From the table, select the check box for the resource type for which you want to install a signed certificate.
  b Click Install Certificates.

Configure VMware Cloud Foundation to Use OpenSSL CA-Signed Certificates
VMware Cloud Foundation supports the ability to manage certificates using OpenSSL configured on the SDDC Manager appliance. Complete the following tasks to be able to manage OpenSSL-signed certificates issued by SDDC Manager.

Procedure
1 Configure OpenSSL-signed Certificates in SDDC Manager
  To generate OpenSSL-signed certificates for the VMware Cloud Foundation components, you must first configure the certificate authority details.
2 Install OpenSSL-signed Certificates using SDDC Manager
  Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC Manager.

Configure OpenSSL-signed Certificates in SDDC Manager
To generate OpenSSL-signed certificates for the VMware Cloud Foundation components, you must first configure the certificate authority details.

Procedure
1 In the navigation pane, click Security > Certificate Authority.
2 Click Edit.
3 Configure the settings and click Save.
  Setting                Value
  Certificate Authority  OpenSSL
  Common Name            Specify the FQDN of the SDDC Manager appliance.
  Organizational Unit    Use this field to differentiate between the divisions within your organization with which this certificate is associated.
  Organization           Specify the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
  Locality               Specify the city or the locality where your company is legally registered.
  State                  Enter the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
  Country                Select the country where your company is registered. This value must use the ISO 3166 country code.

Install OpenSSL-signed Certificates using SDDC Manager
Replace the self-signed certificates with OpenSSL-signed certificates generated by SDDC Manager.

Procedure
1 In the navigation pane, click Inventory > Workload Domains.
2 On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
3 On the domain summary page, click the Certificates tab.
4 Generate CSR files for the target components.
  a From the table, select the check box for the resource type for which you want to generate a CSR.
  b Click Generate CSRs.
    The Generate CSRs wizard opens.
  c On the Details dialog, configure the settings and click Next.
    Option               Description
    Algorithm            Select the key algorithm for the certificate.
    Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
    Email                Optionally, enter a contact email address.
    Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
    Organization Name    Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
    Locality             Type the city or locality where your company is legally registered.
    State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
    Country              Type the country name where your company is legally registered. This value must use the ISO 3166 country code.
  d (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
    You can enter multiple values separated by comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
    Note: Wildcard subject alternative names, such as *.example.com, are not recommended.
  e On the Summary dialog, click Generate CSRs.
5 Generate signed certificates for each component.
  a From the table, select the check box for the resource type for which you want to generate a signed certificate.
  b Click Generate Signed Certificates.
  c In the Generate Certificates dialog box, from the Select Certificate Authority drop-down menu, select OpenSSL.
  d Click Generate Certificates.
6 Install the generated signed certificates for each component.
  a From the table, select the check box for the resource type for which you want to install a signed certificate.
  b Click Install Certificates.

Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files
VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the new method, which is the default method for VMware Cloud Foundation 4.5.1 and later. If you prefer to use the legacy method for installing third-party CA-signed certificates, see Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle.

Procedure
1 In the navigation pane, click Inventory > Workload Domains.
2 On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
3 On the domain summary page, click the Certificates tab.
4 Generate CSR files for the target components.
  a From the table, select the check box for the resource type for which you want to generate a CSR.
  b Click Generate CSRs.
    The Generate CSRs wizard opens.
  c On the Details dialog, configure the settings and click Next.
    Option               Description
    Algorithm            Select the key algorithm for the certificate.
    Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
    Email                Optionally, enter a contact email address.
    Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
    Organization Name    Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
    Locality             Type the city or locality where your company is legally registered.
    State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
    Country              Type the country name where your company is legally registered. This value must use the ISO 3166 country code.
  d (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next.
    You can enter multiple values separated by comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.
    Note: Wildcard subject alternative names, such as *.example.com, are not recommended.
  e On the Summary dialog, click Generate CSRs.
5 Download and save the CSR files by clicking Download CSR.
6 When the downloads complete, request signed certificates from your third-party Certificate Authority for each .csr.
7 After you receive the signed certificates, open the SDDC Manager UI and click Upload and Install.
8 In the Install Signed Certificates dialog box, select the resource for which you want to install a signed certificate.
  The drop-down menu includes all resources for which you have generated and downloaded CSRs.
9 Select a Source and enter the required information.
  Paste Text
    Copy and paste the:
    • Server Certificate
    • Certificate Authority
    Paste the server certificate and the certificate authority in PEM format (base64-encoded). For example:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    If the Certificate Authority includes intermediate certificates, it should be in the following format:
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    -----END CERTIFICATE-----
  File Upload
    Click Browse to upload the:
    • Server Certificate
    • Certificate Authority
    Files with .crt, .cer, .pem, .p7b, and .p7c extensions are supported.
  Certificate Chain
    Click Browse to upload the certificate chain. Files with .crt, .cer, .pem, .p7b, and .p7c extensions are supported.
10 Click Validate.
   If validation fails, resolve the issues and try again, or click Remove to skip the certificate installation.
11 To install a signed certificate for another resource, click Add Another and repeat steps 8-10 for each resource.
12 Once all signed certificates have been validated successfully, click Install.

Install Third-Party CA-Signed Certificates in VMware Cloud Foundation Using a Certificate Bundle
VMware Cloud Foundation supports two ways to install third-party certificates. This procedure describes the legacy method of using a certificate bundle. To use the legacy method, you must modify your preferences and then use this procedure to generate CSRs, sign the CSRs with a third-party CA, and finally upload and install the certificates.
Prerequisites
VMware Cloud Foundation 4.5.1 introduces a new method for installing third-party CA-signed certificates. By default, VMware Cloud Foundation uses the new method. See Install Third-Party CA-Signed Certificates Using Server Certificate and Certificate Authority Files for information on using the new method. If you prefer to use the legacy method, you must modify your preferences.
1 In the SDDC Manager UI, click the logged-in user and select Preferences.
2 Use the toggle to switch to legacy certificate management.
Uploading CA-signed certificates from a third-party Certificate Authority using the legacy method requires that you collect the relevant certificate files in the correct format and then create a single .tar.gz file with the contents. It's important that you create the correct directory structure within the .tar.gz file as follows:
• The name of the top-level directory must exactly match the name of the workload domain as it appears in the list on the Inventory > Workload Domains page. For example, sfo-m01.
• The PEM-encoded root CA certificate chain file (must be named rootca.crt) must reside inside this top-level directory. The rootca.crt chain file contains a root certificate authority and can have any number of intermediate certificates. For example:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  In the above example, there are two intermediate certificates, intermediate1 and intermediate2, and a root certificate. Intermediate1 must use the certificate issued by intermediate2, and intermediate2 must use the certificate issued by the Root CA.
• The root CA certificate chain file, intermediate certificates, and root certificate must contain the Basic Constraints field with value CA:TRUE.
• This directory must contain one sub-directory for each component resource for which you want to replace the certificates.
• Each sub-directory name must exactly match the resource hostname of a corresponding component as it appears in the Resource Hostname column in the Inventory > Workload Domains > Certificates tab. For example, nsxManager.vrack.vsphere.local, vcenter-1.vrack.vsphere.local, and so on.
• Each sub-directory must contain the corresponding .csr file, whose name must exactly match the resource as it appears in the Resource Hostname column in the Inventory > Workload Domains > Certificates tab.
• Each sub-directory must contain a corresponding .crt file, whose name must exactly match the resource as it appears in the Resource Hostname column in the Inventory > Workload Domains > Certificates tab. The content of the .crt files must end with a newline character. For example, the nsxManager.vrack.vsphere.local sub-directory would contain the nsxManager.vrack.vsphere.local.crt file.
• All certificates, including rootca.crt, must be in UNIX file format.
• Additional requirements for NSX certificates:
  • The server certificate (NSX_FQDN.crt) must contain the Basic Constraints field with value CA:FALSE.
  • If the NSX certificate contains an HTTP or HTTPS based CRL Distribution Point, it must be reachable from the server.
  • The extended key usage (EKU) of the generated certificate must contain the EKU of the generated CSR.
Note: All resource and hostname values can be found in the list on the Inventory > Workload Domains > Certificates tab.

Procedure
1 In the navigation pane, click Inventory > Workload Domains.
2 On the Workload Domains page, from the table, in the domain column click the workload domain you want to view.
3 On the domain summary page, click the Certificates tab.
4 Generate CSR files for the target components.
a From the table, select the check box for the resource type for which you want to generate a CSR.

b Click Generate CSRs. The Generate CSRs wizard opens.

c On the Details dialog, configure the settings and click Next.

  Option               Description
  Algorithm            Select the key algorithm for the certificate.
  Key Size             Select the key size (2048 bit, 3072 bit, or 4096 bit) from the drop-down menu.
  Email                Optionally, enter a contact email address.
  Organizational Unit  Use this field to differentiate between divisions within your organization with which this certificate is associated.
  Organization Name    Type the name under which your company is known. The listed organization must be the legal registrant of the domain name in the certificate request.
  Locality             Type the city or locality where your company is legally registered.
  State                Type the full name (do not abbreviate) of the state, province, region, or territory where your company is legally registered.
  Country              Type the country where your company is legally registered. This value must use the ISO 3166 country code.

d (Optional) On the Subject Alternative Name dialog, enter the subject alternative name(s) and click Next. You can enter multiple values separated by a comma (,), semicolon (;), or space ( ). For NSX, you can enter the subject alternative name for each node along with the Virtual IP (primary) node.

  Note Wildcard subject alternative names, such as *.example.com, are not recommended.

e On the Summary dialog, click Generate CSRs.

5 Download and save the CSR files to the directory by clicking Download CSR.

6 Complete the following tasks outside of the SDDC Manager UI:

a Verify that the different .csr files have been generated successfully and are placed in the required directory structure.

b Request signed certificates from a third-party Certificate Authority for each .csr.
c Verify that the newly acquired .crt files are correctly named and placed in the required directory structure.

d Create a new .tar.gz file of the directory structure ready for upload to SDDC Manager. For example: .tar.gz.

7 Click Upload and Install.

8 In the Upload and Install Certificates dialog box, click Browse to locate and select the newly created .tar.gz file and click Open.

9 Click Upload.

10 If the upload is successful, click Install Certificate. The Certificates tab displays a status of Certificate Installation is in progress.

Add a Trusted Certificate to the SDDC Manager Trust Store

If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, then you must add the new certificate to the SDDC Manager trust store. This functionality is available in VMware Cloud Foundation 4.5.1 and later.

Replacing the certificate for a VMware Cloud Foundation component outside of SDDC Manager results in an error in the SDDC Manager UI. You can add the trusted certificate to the SDDC Manager trust store using the VMware Cloud Foundation API or the SDDC Manager UI. This procedure describes using the SDDC Manager UI. Using the SDDC Manager UI adds the certificate to the trust store for outbound communications.

Procedure

1 Click review in the error message in the SDDC Manager UI. In the SDDC Manager UI, click Inventory > Workload Domains, click the workload domain name, and then click the Certificates tab. The error appears in the Status column.

2 Review the information to make sure it is accurate and then click Trust Certificate.

Remove Old or Unused Certificates from SDDC Manager

Old or unused certificates are stored in a trust store in SDDC Manager. You can delete old certificates using the VMware Cloud Foundation API. See Delete Trusted Certificate in the VMware Cloud Foundation API Reference Guide for more information.
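The layout rules listed in the prerequisites of the legacy upload procedure above (a top-level directory named after the workload domain, rootca.crt inside it, one sub-directory per resource hostname holding <hostname>.csr and <hostname>.crt in UNIX format, each .crt ending with a newline) can be checked before the upload in step 7. The following Python is an added example, not code from this guide or from SDDC Manager; the PEM contents are constructed placeholders and the domain and hostnames are the guide's own sample names.

```python
import re
import tarfile
import tempfile
from pathlib import Path

FAKE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBconstructed==\n-----END CERTIFICATE-----\n"  # constructed placeholder
PEM_BLOCK = re.compile(rb"-----BEGIN CERTIFICATE-----\n.+?\n-----END CERTIFICATE-----", re.S)

def check_pem_file(path, label):
    """UNIX line endings, a trailing newline and at least one PEM block, as the guide requires."""
    data, problems = Path(path).read_bytes(), []
    if b"\r\n" in data:
        problems.append(f"{label}: CRLF line endings (file must be in UNIX format)")
    if not data.endswith(b"\n"):
        problems.append(f"{label}: content must end with a newline character")
    if not PEM_BLOCK.search(data):
        problems.append(f"{label}: no PEM certificate block found")
    return problems

def check_bundle_dir(bundle_dir):
    """Return layout problems; an empty list means the directory matches the legacy upload layout."""
    bundle = Path(bundle_dir)  # directory named after the workload domain, e.g. sfo-m01
    root_ca = bundle / "rootca.crt"  # the chain file must sit directly in the top-level directory
    problems = check_pem_file(root_ca, "rootca.crt") if root_ca.is_file() \
        else ["rootca.crt missing from the top-level directory"]
    for host in sorted(p.name for p in bundle.iterdir() if p.is_dir()):
        for ext in (".csr", ".crt"):  # each resource hostname directory holds <hostname>.csr and .crt
            path = bundle / host / (host + ext)
            if not path.is_file():
                problems.append(f"{host}/{host}{ext} missing")
            elif ext == ".crt":
                problems += check_pem_file(path, f"{host}/{host}.crt")
    return problems

def pack_bundle(bundle_dir, out_path):
    """Write the .tar.gz with the workload domain name as its top-level directory; return the archive path."""
    with tarfile.open(str(out_path), "w:gz") as tar:
        tar.add(str(bundle_dir), arcname=Path(bundle_dir).name)
    return Path(out_path)

def make_sample_bundle(broken=False, domain="sfo-m01", hosts=("nsxManager.vrack.vsphere.local", "vcenter-1.vrack.vsphere.local")):
    bundle = Path(tempfile.mkdtemp()) / domain  # constructed sample using the guide's example names, not real certs
    bundle.mkdir()
    (bundle / "rootca.crt").write_bytes(FAKE_PEM * 3)  # chain order: intermediate1, intermediate2, root
    crt = FAKE_PEM.replace(b"\n", b"\r\n").rstrip(b"\r\n") if broken else FAKE_PEM  # broken: CRLF, no final newline
    for host in hosts:
        (bundle / host).mkdir()
        (bundle / host / f"{host}.csr").write_bytes(b"-----BEGIN CERTIFICATE REQUEST-----\n")
        (bundle / host / f"{host}.crt").write_bytes(crt)
    return bundle
```

The X.509 requirements (Basic Constraints CA:TRUE on the chain and CA:FALSE on the NSX server certificate, CRL Distribution Point reachability, EKU matching the CSR) are not checked here; inspect them with openssl x509 -text before packing.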
Procedure

1 Log in to the SDDC Manager UI as a user with the ADMIN role. For more information about roles, see Chapter 24 Managing Users and Groups in VMware Cloud Foundation.

2 In the navigation pane, click Developer Center > API Explorer.

3 Browse to and expand API Categories > Trusted Certificates.

4 Expand GET /v1/sddc-manager/trusted-certificates and click EXECUTE.

5 In the Response, click TrustedCertificate and copy the alias for the certificate you want to remove.

6 Expand DELETE /v1/sddc-manager/trusted-certificates/{alias}, enter the alias, and click EXECUTE.

5 Managing License Keys in VMware Cloud Foundation

You can add component license keys in the SDDC Manager UI or add a solution license key in the vSphere Client. Starting with VMware Cloud Foundation 5.1.1, you can license VMware Cloud Foundation components using a solution license key or individual component license keys.

Note VMware Cloud Foundation 5.1.1 supports a combination of solution and component license keys. For example, Workload Domain 1 can use component license keys and Workload Domain 2 can use the solution license key.

For more information about the VCF solution license key, VMware vSphere 8 Enterprise Plus for VCF, see https://knowledge.broadcom.com/external/article?articleNumber=319282.

SDDC Manager does not manage the solution license key. If you are using a solution license key, VMware Cloud Foundation components are deployed in evaluation mode and then you use the vSphere Client to add and assign the solution key. See Managing vSphere Licenses for information about using a solution license key for VMware ESXi and vCenter Server. If you are using a solution license key, you must also add a separate VMware vSAN license key for vSAN clusters. See Configure License Settings for a vSAN Cluster.
Note VMware vCenter Server, VMware NSX, VMware Aria Suite components, and VMware HCX are all licensed when you assign a solution license key to a vCenter Server.

Use the SDDC Manager UI to manage component license keys. If you entered component license keys in the deployment parameter workbook that you used to create the management domain, those component license keys appear in the Licensing screen of the SDDC Manager UI. You can add additional component license keys to support your requirements.

You must have adequate license units available before you create a VI workload domain, add a host to a vSphere cluster, or add a vSphere cluster to a workload domain. Add the necessary component license keys before you begin any of these tasks.

Read the following topics next:

- Add a Component License Key in the SDDC Manager UI
- Edit a Component License Key Description in the SDDC Manager UI
- Delete a Component License Key in the SDDC Manager UI
- Update Component License Keys for Workload Domain Components

Add a Component License Key in the SDDC Manager UI

You can use the SDDC Manager UI to add component license keys to the SDDC Manager inventory. SDDC Manager does not manage solution license keys. See Chapter 5 Managing License Keys in VMware Cloud Foundation for more information about solution license keys.

Procedure

1 In the navigation pane, click Administration > Licensing.

2 Click + License Key.

3 Select a product from the drop-down menu.

4 Enter the license key.

5 Enter a description for the license. A description can help in identifying the