Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Sign In Create an Account Premier Sign In Dell Financial Services Partner Program Sign In
Contact Us

Your Dell.com Carts

VxRail: How to update the PTAgent certificate for a VxRail node

Summary: How to update the PTAgent certificate for a VxRail node.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Before following the below steps, read the information in the 'Additional Info' section.

There are two options to update the PTAgent SSL certificate:

  1. Update the PTAgent SSL certificate with ESXi SSL certificate. Refer to KB article Dell EMC VxRail: How to update PTAgent certificates with ESXi host certificates .
  2. Update the PTAgent SSL certificate with a customized SSL certificate.

A customized SSL certificate includes the following files:

server.crt (this should be a server certificate file)
server.key (this should be a server key file)
server-chain.crt (this should be a certificate chain file)

Note: this is an example, and the filenames may be different.

Steps

  1. SSH to the ESXi node with root account.
  2. Stop the DellPTAgent service with the following command:
/etc/init.d/DellPTAgent stop
       3. Place all customized certificate files into the '/opt/dell/DellPTAgent/secure/' path. Update the files permission to be the same with the default PTAgent SSL certificates.

Below is an example for the PTAgent default SSL certificate permissions: 
[root@c4-esx01:/opt/dell/DellPTAgent/secure] ls -l
total 12
-r--------    1 root     root           424 Apr  7 01:30 pta_dhparm.pem
-r--------    1 root     root          1257 Apr  7 01:30 pta_server.crt
-r--------    1 root     root          1704 Apr  7 01:30 pta_server.key

      4. Update the PTAgent certificate parameter with the customized certificates in the PTAgent.config:

There are two options:

  • (Not recommended) The customized SSL certificate is self-signed. In this situation, there should be no certificate chain file. The PTAgent config file should be updated with the below values: 
"certificate_store_path": {
        "description": "List of SSL certificates file path",
        "value": "/opt/dell/DellPTAgent/secure/server.crt,/opt/dell/DellPTAgent/secure/server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem
        "defaultValue": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem
    },
  • Customer sends the CSR to their enterprise or external CA for signing. In this situation, there should be three files (server.crt, server.key, server-chain.crt) or two files (server.crt, server.key). 
    • If there are three files, the server certificate file should be separated with a certificate chain file. Combine them together to get a new server certificate file (new_server.crt).

Note: The server certificate should be at the end of the new server certificate file.

  • The PTAgent config file should be updated with the below value:
"certificate_store_path": {
        "description": "List of SSL certificates file path",
        "value": "/opt/dell/DellPTAgent/secure/new_server.crt,/opt/dell/DellPTAgent/secure/server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem
        "defaultValue": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem
    },

 

  • There are two files, the server certificate file should include all CA certificates, which store in a certificate chain file. The PTAgent config file should be updated with below value:  
"certificate_store_path": {
        "description": "List of SSL certificates file path",
        "value": "/opt/dell/DellPTAgent/secure/server.crt,/opt/dell/DellPTAgent/secure/server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem
        "defaultValue": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem
    },

 

5. Start the DellPTAgent service with the below command:  
/etc/init.d/DellPTAgent start

 

6. Check the PTAgent running status with the below command: 
/etc/init.d/DellPTAgent status
esxcli network ip connection list | grep LISTEN | grep Dell
The expected results should be same with below,
DellPTAgent is running
tcp         0       0  {ESXi_host_ipv4_address}/{ESXi_host_ipv6_address}:8086                0.0.0.0:0            LISTEN        3992948  newreno  DellPTAgent

7. Verify that the PTAgent certificate is updated with the below command: 
openssl s_client -connect {ESXi_host_ipv4_address}/{ESXi_host_ipv6_address}:8086

Note: The PTAgent certificates should now be updated with the customized SSL certificate. If the certificate is not updated, contact the Dell Technologies Support Center or your service representative for technical support and quote this solution ID.
 
8. Repeat the step 1 ~ step 7 for other nodes in the same VxRail cluster.

Additional Information

PTAgent configuration file brief introduction: 
PowerTools agent run-time configurations are stored in the file that is named PTAgent.config which is found in the installation folder.
Configurations parameters are read-only upon start-up.

The PTAgent configuration file path on the ESXi host is:

/opt/dell/DellPTAgent/cfg/PTAgent.config

PTAgent configuration certificate parameter:
 

certificate_store_path Full file-path of certificate files used in SSL hand-shake with REST clients, comma separated.



The default PTAgent certificate example:

"certificate_store_path": {
        "description": "List of SSL certificates file path",
        "value": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem
        "defaultValue": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem
    },

 

[root@c1-esx01:/opt/dell/DellPTAgent/cfg] openssl s_client -connect {ESXi_IPv4|ESXi_IPv6}:8086
CONNECTED(00000003)
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell EMC Inc, OU = Server Storage HCI, CN = dellemc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell EMC Inc, OU = Server Storage HCI, CN = dellemc.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Texas/L=Round Rock/O=Dell EMC Inc/OU=Server Storage HCI/CN=dellemc.com
   i:/C=US/ST=Texas/L=Round Rock/O=Dell EMC Inc/OU=Server Storage HCI/CN=dellemc.com
---

Products

VxRail Appliance Family, VxRail Appliance Series
Article Properties
Article Number: 000157777
Article Type: How To
Last Modified: 07 Nov 2024
Version:  7
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.