Session & SMGR Servers VMware Certificates

iggy1952

We are running HA Session Managers and Geo-Redundant SMGR servers on version 7.1.3. For security reasons I need to apply our domain certificates to the SM & SMGR VMware AVP platforms to replace the self-signed certificates, which will require a reboot.

Do I have to shut down the Session Manager application before the AVP reboot or disable the geo-redundancy on the SMGR before either of the VMware AVP reboots? Avaya documentation is not helpful.

iggy1952
 
VMware requires you be in maintenance mode before rebooting. Going into maintenance mode requires no running VMs, so you'll be shutting down your Session Manager anyway.

I'd test that on one AVP server first - I'm not sure how SMGR brokers the trust relationship when it goes to AVP. Maybe it accepts self-signed certs from the VMware webservice by default, maybe you'll need to add your own domain cert authority to SMGR to make that happen.

I tried this once. Word of warning - learn from my fail: if you reboot and that cert isn't happy in vSphere and you can't get to the web page yourself or something about that cert is goofy it could prevent the VMware management web service from starting up and you'd need to go in by SSH. And you get in by SSH by enabling it thru vSphere or the console and you could be calling people at 2 in the morning begging them to get a console cable and enable SSH so you can run the script in the esxcli that regenerates a self-signed cert to get management access back to your box and turn on your Session Manager again. Fun times!
 
kyle555,

Thank you for your response and words of warning as I have the same concerns after reading some previous posts about the pitfalls of certificates.

Our Business Partner previously applied both root and identity company domain certificates to our Session Manager and SMGR servers, leaving only the VMware hypervisors with self-signed certificates. I know from rebooting CM server VMware hypervisors that SSH is automatically disabled so I totally agree with your cautions.

I could reboot the secondary Session Manager hypervisor first after Deny Service to keep call traffic off the server. I will post the result.




iggy1952
 
SSH disabled in VMware is a VMware thing, not an Avaya thing - it's always that way. There's no way to leave it on persistent thru reboots.

It's perfectly normal to leave the default certs on VMware. See how long they last/when they expire. Avaya knows people aren't going to keep on top of it, so mark your calendar.

2 years after the fact, SMGR won't be able to access it anymore. You'll need to use a PC that you turn back the clock on and access the VMware web interface to enable ssh to either regenerate a valid self signed certificate or import your new SMGR cert ;)
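
Following the advice above to track when the hypervisor certificates expire, here is an added example (not part of the thread, and not Avaya or VMware tooling) that classifies the certificate a management interface presents by the time it has left. The function names, the 60-day warning threshold and the host name in the usage comment are assumptions, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Classify a PEM certificate by time left: prints unreadable, expired, expiring or ok.
# Usage: classify_cert FILE [WARN_DAYS]   (WARN_DAYS defaults to 60, an assumed threshold)
classify_cert() {
    pem=$1
    warn_days=${2:-60}
    # Anything openssl cannot parse as X.509 is reported rather than silently passed,
    # which also catches an empty file left behind by a failed fetch.
    if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
        echo unreadable
    # -checkend N exits non-zero when the certificate expires within N seconds.
    elif ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Save the certificate a management interface presents. No chain validation is
# done here, so self-signed hypervisor certificates are retrieved as well.
# Usage: fetch_cert HOST [PORT] > file.pem
fetch_cert() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Constructed sample input: a throwaway self-signed certificate valid for DAYS days.
# Usage: make_sample_cert DAYS OUTFILE
make_sample_cert() {
    key=$(mktemp)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$key" -out "$2" \
        -days "$1" -subj "/CN=avp-sample.invalid" >/dev/null 2>&1
    rc=$?
    rm -f "$key"
    return $rc
}

# Report on every host named on the command line, e.g.: sh certcheck.sh avp1.example.com
for host in "$@"; do
    tmp=$(mktemp)
    fetch_cert "$host" > "$tmp"
    printf '%s\t%s\n' "$host" "$(classify_cert "$tmp" 60)"
    rm -f "$tmp"
done
```

Run from a scheduled job, the `expiring` result gives the lead time to renew or regenerate the certificate during a planned window instead of after management access is lost.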
 