Before following the steps below, read the information in the 'Additional Info' section.
There are two options to update the PTAgent SSL certificate:
- Update the PTAgent SSL certificate with the ESXi SSL certificate. Refer to the KB article "Dell EMC VxRail: How to update PTAgent certificates with ESXi host certificates".
- Update the PTAgent SSL certificate with a customized SSL certificate (this article).
A customized SSL certificate consists of the following files:
server.crt (the server certificate file)
server.key (the server private key file)
server-chain.crt (the certificate chain file)
Note: these names are an example; the actual filenames may be different.
Steps:
1. SSH to the ESXi node with the 'root' account.
2. Stop the DellPTAgent service with the below command:
/etc/init.d/DellPTAgent stop
3. Place all customized certificate files into the '/opt/dell/DellPTAgent/secure/' path. Update the file permissions to match those of the default PTAgent SSL certificates (mode 0400, owned by root).
Below is an example of the default PTAgent SSL certificate permissions:
[root@c4-esx01:/opt/dell/DellPTAgent/secure] ls -l
total 12
-r-------- 1 root root 424 Apr 7 01:30 pta_dhparm.pem
-r-------- 1 root root 1257 Apr 7 01:30 pta_server.crt
-r-------- 1 root root 1704 Apr 7 01:30 pta_server.key
4. Update the certificate parameter in PTAgent.config to point at the customized certificates:
There are two options:
- (Not recommended) The customized SSL certificate is self-signed. In this situation, there is no certificate chain file. The PTAgent config file should be updated with the below values:
"certificate_store_path": {
    "description": "List of SSL certificates file path",
    "value": "/opt/dell/DellPTAgent/secure/server.crt,/opt/dell/DellPTAgent/secure/server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem",
    "defaultValue": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem"
},
- The customer sends the CSR to their enterprise CA or an external CA for signing. In this situation, there are either three files (server.crt, server.key, server-chain.crt) or two files (server.crt, server.key).
- If there are three files, the server certificate and the certificate chain are in separate files. Concatenate them into a new server certificate file (new_server.crt).
Note: The server certificate should be at the end of the new server certificate file.
- The PTAgent config file should be updated with the below values:
"certificate_store_path": {
    "description": "List of SSL certificates file path",
    "value": "/opt/dell/DellPTAgent/secure/new_server.crt,/opt/dell/DellPTAgent/secure/server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem",
    "defaultValue": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem"
},
- If there are two files, the server certificate file must already include all the CA certificates that would otherwise be stored in a separate certificate chain file. The PTAgent config file should be updated with the below values:
"certificate_store_path": {
    "description": "List of SSL certificates file path",
    "value": "/opt/dell/DellPTAgent/secure/server.crt,/opt/dell/DellPTAgent/secure/server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem",
    "defaultValue": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem"
},
5. Start the DellPTAgent service with the below command:
/etc/init.d/DellPTAgent start
6. Check the PTAgent running status with the below command:
/etc/init.d/DellPTAgent status
esxcli network ip connection list | grep LISTEN | grep Dell
The expected results should be the same as below:
DellPTAgent is running
tcp 0 0 {ESXi_host_ipv4_address}/{ESXi_host_ipv6_address}:8086 0.0.0.0:0 LISTEN 3992948 newreno DellPTAgent
7. Verify that the PTAgent certificate is updated with the below command:
openssl s_client -connect {ESXi_host_ipv4_address}/{ESXi_host_ipv6_address}:8086
Note: The PTAgent certificates should now be updated with the customized SSL certificate. If the certificate is not updated, contact the Dell Technologies Support Center or your service representative for technical support and quote this solution ID.
8. Repeat steps 1 through 7 on the other nodes in the same VxRail cluster.
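The following helper script is an added example for steps 3, 4 and 7 above; it is not Dell's tooling. It assumes the article's example filenames (server.crt, server.key, server-chain.crt), the default secure and config paths, and PEM files that end with a newline.

```shell
#!/bin/sh
# Added example (not Dell's tooling) covering steps 3, 4 and 7 of the procedure.
# Assumed names: server.crt, server.key, server-chain.crt; adjust the paths below if needed.
SECURE_DIR="${SECURE_DIR:-/opt/dell/DellPTAgent/secure}"
CFG="${CFG:-/opt/dell/DellPTAgent/cfg/PTAgent.config}"

# Step 3 (three-file case): chain first, server certificate last, as the article requires.
# Usage: build_chain_file server-chain.crt server.crt new_server.crt
build_chain_file() {
    cat "$1" "$2" > "$3" || return 1
    # Confirm that the last block of the output really is the server certificate.
    tail -n "$(wc -l < "$2" | tr -d ' ')" "$3" | cmp -s - "$2"
}

# Step 3: the default files are mode 0400 (-r--------); reject anything looser.
check_perms() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-r--------" ]
}

# Step 4: rewrite only the "value" line of the certificate_store_path block,
# keeping a backup. $2 is the comma-separated crt,key,dhparam path list.
set_cert_store_path() {
    cp "$1" "$1.bak" || return 1
    awk -v v="$2" '
        /"certificate_store_path"/ { inblk = 1 }
        inblk && /"value":/ {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) "\"value\": \"" v "\","
            inblk = 0; next
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Step 7: the leaf certificate served on 8086 must match the installed server.crt.
served_fingerprint() {
    openssl s_client -connect "$1:8086" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}
verify_served_cert() {
    [ "$(served_fingerprint "$1")" = "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" ]
}

# Example run on one node, as root, after '/etc/init.d/DellPTAgent stop':
#   build_chain_file "$SECURE_DIR/server-chain.crt" "$SECURE_DIR/server.crt" "$SECURE_DIR/new_server.crt"
#   chmod 0400 "$SECURE_DIR/new_server.crt" "$SECURE_DIR/server.key" && check_perms "$SECURE_DIR/new_server.crt"
#   set_cert_store_path "$CFG" "$SECURE_DIR/new_server.crt,$SECURE_DIR/server.key,$SECURE_DIR/pta_dhparm.pem"
#   /etc/init.d/DellPTAgent start && verify_served_cert <ESXi_host_ip> "$SECURE_DIR/server.crt"
```

verify_served_cert compares SHA-256 fingerprints, so it catches the case where the service restarted but is still presenting the old certificate.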
Brief introduction to the PTAgent configuration file:
The PowerTools Agent run-time configuration is stored in the file named PTAgent.config, located in the installation folder.
Configuration parameters are read only at start-up, so the service must be restarted for changes to take effect.
The PTAgent configuration file path on ESXi host is:
/opt/dell/DellPTAgent/cfg/PTAgent.config
PTAgent configuration certificate parameter:
certificate_store_path: Full file path of the certificate files used in the SSL handshake with REST clients, comma separated.
The default PTAgent certificate example:
"certificate_store_path": {
    "description": "List of SSL certificates file path",
    "value": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem",
    "defaultValue": "/opt/dell/DellPTAgent/secure/pta_server.crt,/opt/dell/DellPTAgent/secure/pta_server.key,/opt/dell/DellPTAgent/secure/pta_dhparm.pem"
},
Example openssl s_client output from a node that is still using the default self-signed PTAgent certificate:
[root@c1-esx01:/opt/dell/DellPTAgent/cfg] openssl s_client -connect {ESXi_IPv4|ESXi_IPv6}:8086
CONNECTED(00000003)
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell EMC Inc, OU = Server Storage HCI, CN = dellemc.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Texas, L = Round Rock, O = Dell EMC Inc, OU = Server Storage HCI, CN = dellemc.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=Texas/L=Round Rock/O=Dell EMC Inc/OU=Server Storage HCI/CN=dellemc.com
i:/C=US/ST=Texas/L=Round Rock/O=Dell EMC Inc/OU=Server Storage HCI/CN=dellemc.com
---