Generating the Java credential keystore

To generate the Java credential keystore, obtain the VMware ESX(i) Server certificates, import them into a keystore, and then set the vmcredential parameter to the keystore path.

Procedure

Complete the following steps to generate the Java credential keystore:

  1. Obtain the VMware ESX(i) Server or vCenter Server certificate by using the vSphere client, the Secure Shell client application, or a web browser. To obtain VMware ESX(i) Server or vCenter Server certificates by using the vSphere client, create a root-level directory for the certificates (for example, C:\VMware-Certs) and complete the following steps:
    1. Install the vSphere client if not already installed.
    2. Start the vSphere client and connect to the VMware ESX, ESXi, or vCenter Server web server. A message about the certifying authority for the certificate is displayed.
    3. Click View Certificate to show the certificate properties page. See Table 1 for an example of the certificate properties page.
    4. Click the Details tab.
    5. Click Copy to File to start the Certificate Export wizard.
    6. Select DER encoded binary X.509 (the default) and click Next.
    7. Click Browse and find the C:\VMware-Certs subdirectory.
    8. Enter a certificate name that identifies the server to which the certificate belongs. For example, C:\VMware-Certs\<server name>.cer
  2. To obtain server certificates by using the Secure Shell client application, connect to the VMware ESX system with a Secure Sockets Layer (SSL) client.
    Table 1. Server certificate file names and locations of the VMware ESX(i) and vCenter servers

    Server                              Directory location for certificate                Certificate
    ----------------------------------  ------------------------------------------------  -----------
    VMware ESXi 5.0, 5.1, 5.5, 6.0      /etc/vmware/ssl/                                  rui.crt
    vCenter Server 5.0, 5.1, 5.5, 6.0   C:\Documents and Settings\All Users\Appications   rui.crt

    1. Copy the certificates from the server to the certificate subdirectory. Use a unique file name for the certificate (assuming that you are copying multiple default certificates from multiple VMware ESX systems).
  3. To obtain server certificates by using a web browser, enter the following URL in a web browser to access the web service of the VMware ESX(i) Server or vCenter Server: https://9.11.110.240/
    1. If you receive a message about the security certificate, select Continue to this website (not recommended).
    2. On the toolbar, click Certificate Error and, in the Certificate Invalid window, click View certificates.
    3. In the Certificate window, select the Details tab.
    4. Click Copy to File and follow the Certificate Export Wizard with the default option to save the certificate.
    5. Create a directory for the Java keystore. For example, C:\VMware
    6. Use the Java keytool utility to import a certificate. The syntax is
      keytool.exe -import -file <certificate-filename> 
      -alias <server-name> -keystore vmware.keystore
      For example:
      "C:\Program Files\IBM\Hardware Provider for VSS-VDS\jre\bin\keytool.exe" -import -file
      C:\tools\rui.crt -keystore C:\VMware\vmware.keystore
    7. When prompted for a keystore password, enter a password. The keystore utility shows the certificate information at the console. The following example shows the certificate information:
      Owner: OID.1.2.840.113549.1.9.2="1301079258,564d7761726520496e632e",
      CN=cimxa.ibm.com, EMAILADDRESS=ssl-certificates@vmware.com, OU=VMware
      ESX Server Default Certificate, O="VMware, Inc", L=Palo Alto,
      ST=California, C=US
      Issuer: O=VMware Installer
      Serial number: 7730362f66385863
      Valid from: 3/25/13 7:45 PM until 9/23/24 8:54 PM
      Certificate fingerprints:
      			MD5: 58:A3:A3:D4:D8:E0:CE:63:6B:B7:7F:4E:3E:6B:71:9D
      			SHA1: 8B:60:B9:08:32:33:06:11:47:7D:6D:B6:B4:D1:D5:F9:78:D2:15:5F
      			SHA256: 59:1B:A2:BE:D0:BC:04:1B:CE:62:B8:95:07:52:3E:54:69:76:10:A1:
      						85:A6:A8:5A:C0:DB:45:79:46:FB:72:82
      			Signature algorithm name: SHA1withRSA
      			Version 3
      At the end of the certificate information, a prompt shows a request for confirmation that the certificate is trusted.
      Trust this certificate? [no]:
    8. Type yes and press <Enter> to respond to the prompt and import the certificate into the vmware.keystore keystore. The console shows the following message:
      Certificate was added to keystore
  4. To set the vmcredential as the vmware.keystore path, issue the following command:
    ibmvcfg set vmcredential "C:\VMware\vmware.keystore"
  5. Issue the ibmvcfg showcfg command to verify that the configuration is correctly saved. The following example output is from the ibmvcfg showcfg command:
    cimomHost:                             9.115.246.54
    cimomPort:                             5989
    username <cimom>:                      superuser
    usingSSL:                              true
    vssFreeInitiator:                      500000000000000c0
    vssReservedInitiator:                  500000000000000c1
    backgroundCopy:                        50
    targetSVC:
    incrementalFC:                         false
    cimomTimeout:                          0
    rescanOnceArr:                         0
    rescanOnceRem:                         0
    rescanRemMin:                          0
    rescanRemMax:                          45
    storageProtocol:                       auto
    storagePool:                           test_pool_1
    allocateOption:                        standard
    ioGroup:                               io_grp0
    vmhost:                                https://9.115.247.103/sdk
    vmusername:                            root
    vmcredential:                          C:\vmware103.keystore
    vmtimeout:                             600000
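
Added example, not part of the original procedure or of IBM's or VMware's tooling: a PowerShell wrapper for the keytool import step that compares the SHA-256 fingerprint of the exported certificate with a value obtained over a separate trusted channel before importing it. This matters most when the certificate was saved after continuing past a browser certificate warning. The script, its parameter names and the ConvertTo-BareHex helper are assumptions; the keytool options and default paths are the ones shown in the steps above.

```powershell
# Added example: verify an exported certificate's SHA-256 fingerprint, then import it.
# Parameter names and the helper function are hypothetical; keytool options are from the procedure.
param(
    [Parameter(Mandatory = $true)] [string] $CertPath,        # e.g. C:\VMware-Certs\<server name>.cer
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256,  # colon-separated or plain hex, obtained out of band
    [Parameter(Mandatory = $true)] [string] $Alias,           # one unique alias per server
    [string] $Keystore = 'C:\VMware\vmware.keystore',
    [string] $Keytool  = 'C:\Program Files\IBM\Hardware Provider for VSS-VDS\jre\bin\keytool.exe'
)
$ErrorActionPreference = 'Stop'

# Reduce a fingerprint to bare upper-case hex so "59:1b:..." and "591B..." compare equal.
function ConvertTo-BareHex([string] $Text) {
    ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

# X509Certificate2 accepts both DER and Base64 (PEM) encoded certificate files.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath

# keytool's SHA256 fingerprint is the SHA-256 digest of the DER-encoded certificate.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
try { $digest = $sha256.ComputeHash($cert.RawData) } finally { $sha256.Dispose() }

$actual   = ConvertTo-BareHex ([System.BitConverter]::ToString($digest))
$expected = ConvertTo-BareHex $ExpectedSha256

# Reject truncated or wrong-algorithm values (an MD5 or SHA-1 fingerprint is shorter).
if ($expected.Length -ne 64) {
    throw "Expected fingerprint is not a 32-byte SHA-256 value."
}
if ($actual -ne $expected) {
    throw "Fingerprint mismatch for $CertPath (got $actual); certificate not imported."
}

Write-Host "Fingerprint matches. Subject: $($cert.Subject)  Expires: $($cert.NotAfter)"

# Import with an explicit alias so certificates from several servers do not share one keystore entry.
& $Keytool -import -file $CertPath -alias $Alias -keystore $Keystore
if ($LASTEXITCODE -ne 0) { throw "keytool exited with code $LASTEXITCODE." }
```

keytool still asks for the keystore password and shows the Trust this certificate? prompt, so the SHA256 line it prints can be compared with the same expected value before typing yes.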