Generating the Java credential keystore
To generate the Java credential keystore, obtain the ESX(i) Server certificates and then set the credential as the keystore path.
Procedure
Complete the following steps to generate the Java credential keystore:
- Obtain the ESX(i) Server or vCenter Server certificate by using the vSphere client, the Secure Shell client application, or a web browser.
- To obtain ESX(i) Server or vCenter Server certificates by using the vSphere client, create a root-level directory for the certificates. For example, C:\VMware-Certs
- Install the vSphere client if not already installed.
- Start the vSphere client and connect to the ESX, ESXi, or vCenter Server web server. A message regarding the certifying authority for the certificate is displayed.
- Click View Certificate to show the certificate properties page. See Table 1 for an example of the certificate properties page.
- Click the Details tab.
- Click Copy to File to start the Certificate Export wizard.
- Select DER encoded binary X.509 (the default) and click Next.
- Click Browse and find the C:\VMware-Certs subdirectory.
- Enter a certificate name that identifies the server to which the certificate belongs. For example, C:\VMware-Certs\<server name>.cer
- To obtain server certificates by using the Secure Shell client application, connect to the ESX system with an SSL client.
Note: Remote connections to the ESX service console as root are effectively disabled. To obtain the certificate, you must connect as another user with privileges on the server.

Table 1. Server certificate file names and locations of the ESX(i) and vCenter servers

| Server | Directory location for certificate | Certificate |
|---|---|---|
| ESX(i) 4.x, 5.0, 5.1, 5.5 | /etc/vmware/ssl/ | rui.crt |
| vCenter Server 4.x, 5.0, 5.1, 5.5 | C:\Documents and Settings\All Users\Appications | rui.crt |

- Copy the certificates from the server to the certificate subdirectory. Use a unique file name for the certificate (assuming that you are copying multiple default certificates from multiple ESX systems).
- To obtain server certificates by using a web browser, type the following URL to access the web service of the ESX(i) Server or vCenter Server: https://9.11.110.240/
- If you receive a message about the security certificate, select Continue to this website (not recommended).
- On the toolbar, click Certificate Error and, in the Certificate Invalid window, click View certificates.
- In the Certificate window, select the Details tab.
- Click Copy to File and follow the Certificate Export Wizard with the default option to save the certificate.
- Create a directory for the Java keystore. For example, C:\VMware
- Use the Java keytool utility to import a certificate. The syntax is:
    keytool -import -file <certificate-filename> -alias <server-name> -keystore vmware.keystore
  For example:
    "C:\Program Files\IBM\Hardware Provider for VSS-vDS\jre\bin\keytool.exe" -import -file C:\tools\rui.crt -keystore C:\VMware\vmware.keystore
- When prompted for a keystore password, type a password.
- The keystore utility shows the certificate information at the console. The following is an example of the certificate information:
    Owner: OID.1.2.840.113549.1.9.2="1301079258,564d7761726520496e632e", CN=cimxa.ibm.com, EMAILADDRESS=ssl-certificates@vmware.com, OU=VMware ESX Server Default Certificate, O="VMware, Inc", L=Palo Alto, ST=California, C=US
    Issuer: O=VMware Installer
    Serial number: 7730362f66385863
    Valid from: 3/25/13 7:45 PM until 9/23/24 8:54 PM
    Certificate fingerprints:
      MD5: 58:A3:A3:D4:D8:E0:CE:63:6B:B7:7F:4E:3E:6B:71:9D
      SHA1: 8B:60:B9:08:32:33:06:11:47:7D:6D:B6:B4:D1:D5:F9:78:D2:15:5F
      SHA256: 59:1B:A2:BE:D0:BC:04:1B:CE:62:B8:95:07:52:3E:54:69:76:10:A1:
              85:A6:A8:5A:C0:DB:45:79:46:FB:72:82
    Signature algorithm name: SHA1withRSA
    Version 3
- At the end of the certificate information, a prompt shows a request for confirmation that the certificate is trusted.
    Trust this certificate? [No]
- Type yes and press <Enter> to respond to the prompt and import the certificate into the vmware.keystore keystore. The console shows the following message:
    Certificate was added to keystore
- To set the vmcredential as the vmware.keystore path, type ibmvcfg set vmcredential "C:\VMware\vmware.keystore"
- Enter ibmvcfg showcfg to verify that the configuration is correctly saved. The following example output is from issuing the ibmvcfg showcfg command:
    cimomHost: 9.115.246.54
    cimomPort: 5989
    username <cimom>: superuser
    usingSSL: true
    vssFreeInitiator: 500000000000000c0
    vssReservedInitiator: 500000000000000c1
    backgroundCopy: 50
    targetSVC:
    incrementalFC: false
    timeout: 0
    rescanOnceArr: 0
    rescanOnceRem: 0
    rescanRemMin: 0
    rescanRemMax: 45
    storageProtocol: auto
    vmhost: https://9.115.247.103/sdk
    vmusername: root
    vmcredential: C:\vmware103.keystore
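
The "Trust this certificate?" prompt in the import step is the only point at which the certificate's identity is checked, and a certificate saved after clicking through a browser warning has not been authenticated. The following added example (not part of the original procedure or of any IBM tooling) compares the SHA-256 fingerprint of the exported file, whether DER from the export wizard or PEM as in rui.crt, with a reference value obtained separately from the server, and returns the keytool arguments only on a match. The function names, the alias esx01, and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_bytes(data: bytes) -> bytes:
    """Return the DER encoding, unwrapping PEM armour if present."""
    m = PEM_RE.search(data)
    if m:
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def fingerprint(data: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex, the layout keytool prints."""
    digest = hashlib.new(algo, der_bytes(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fp: str) -> str:
    """Drop colons and whitespace so a line-wrapped value still compares."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def trusted(data: bytes, expected_fp: str) -> bool:
    """True only if the file's SHA-256 equals the reference value."""
    return hmac.compare_digest(normalize(fingerprint(data)),
                               normalize(expected_fp))


def import_command(data, expected_fp, cert_path, alias, keystore):
    """keytool arguments for the import step, refused on a mismatch."""
    if not trusted(data, expected_fp):
        raise ValueError("fingerprint mismatch: do not import " + cert_path)
    return ["keytool", "-import", "-file", cert_path,
            "-alias", alias, "-keystore", keystore]


if __name__ == "__main__":
    sample_der = bytes(range(64))  # constructed stand-in, not a real certificate
    sample_pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(sample_der)
                  + b"-----END CERTIFICATE-----\n")
    reference = fingerprint(sample_der)  # stands in for the value read on the server
    print(import_command(sample_pem, reference, r"C:\VMware-Certs\esx01.cer",
                         "esx01", r"C:\VMware\vmware.keystore"))
```

The fingerprint is computed over the DER bytes, so the PEM and DER copies of one certificate give the same value, and that value is what keytool prints on its SHA256 line.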