VMware

Prerequisites for vCenter

  1. Make sure the vCenter device is reachable from the cloud connector.
  2. Support is only for vCenter 7.0.3 or later (REST API-based).
  3. The minimum permissions required for the vCenter user that AppViewX uses to run CLM operations are:
    • Role > Certificate Management > Create/Delete (Admins priv)
    Use a dedicated service account that holds only this privilege rather than a full administrator account, and prefer storing its credentials in the AppViewX credential list over manual entry per device.

Onboarding VMware

  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
  3. Click the (Add) icon.
  4. Select VMware logo from the Vendors list.
  5. In the Server Details section, enter details as mentioned below.
    Table 1. Server Details - Field Description Table
    Fields Description
    *Server Type Select the server type, VMware NSX or VMware vCenter, from the dropdown list.
    *Server name Enter the name of the designated VMware server.
    *IP address/ FQDN Enter the valid IP address or fully qualified domain name (FQDN) used for device communication and integration with the VMware server.
    Data center Select the datacenter for routing communications to this vendor.
    Onboarding Group Select the onboarding group to assign the device.
    Note: Devices without an assigned group are automatically mapped to the Default group during migration, onboarding, and when edited without existing group mappings.
    HTTPS Port Enter the port number used for HTTPS communication with the server. By default, it is 443.
    Proxy required Select the checkbox to enable the secure proxy service.
    Cert sync Choose from any of the following:
    • Managed - AppViewX performs the config fetch operations and the certificates are discovered and managed in the inventory. CLM actions (push & bind, rollback etc.) can be performed on them.
    • Monitored - AppViewX performs the config fetch operations and the certificates are downloaded in the inventory in the read-only state. CLM actions cannot be performed on them.
    • Ignored - AppViewX only performs the config fetch operations for the devices. There is no certificate discovery performed.
    *: Mandatory fields
  6. In the Credentials section, enter the details as follows.
    Table 2. Credentials - Field Description Table
    Fields Description
    *Credential Type Select the credential type from the dropdown.
    • Manual entry (default)
    • Credential List - AppViewX
    Note: If Credential list - AppViewX is selected, the *Credentials list dropdown field is displayed. Select any of the preconfigured credential values.
    *Username Enter the designated username for authentication. (This field is displayed only for manual entry.)
    *Password Enter the secure password. (This field is displayed only for manual entry.)
    *: Mandatory fields
  7. In the Vendor Specific Details section, enter details as mentioned below.
    Note: This section is displayed only for the VMware NSX device.
    Table 3. Vendor Specific Details - Field Description Table
    Fields Description
    *Base URL Enter the base URL path to which the NSX API endpoints are appended.

    Example: /policy/api/v1

    *: Mandatory fields
  8. Click Save.
    The VMware device is added successfully.
  9. When a VMware vCenter device is onboarded, AppViewX runs two REST API calls against it: GET Session (to obtain the session ID used to authorize subsequent calls and to confirm communication with the vCenter device) and GET Version (to fetch the vCenter version).
    Note: The REST API is used for vCenter version 7.0.3 and later.

The VMware vCenter device can also be onboarded through the import functionality, using the standard .xlsx and .csv templates provided.

To onboard the VMware vCenter device to the AppViewX inventory using the import functionality:
  1. Go to (Menu) > CERT+ > ADMINISTRATION > Device Management.
  2. Click the Server tab.
  3. Click the (Import) icon on top of the page. The Import details page is displayed.
  4. Click the CSV or XLSX icons in the Uploader Info section.

    The sample templates are downloaded and saved at the default file location.

  5. Open the CSV or XLSX template, enter the relevant information for onboarding the VMware vCenter device, and save the file.
    Note: Ensure all the mandatory and relevant fields are entered in the .csv or .xlsx template.
  6. Click the Upload icon in the Import section, and select the .csv or .xlsx file from the file dialog box.

    The status of the uploaded file is displayed in the File Histories section.

Discovering Certificates

Note: This section is applicable only to VMware vCenter.
  • Discovery (on-demand and scheduled) of certificates via REST API includes:
    • Machine SSL
    • STS Signing (active_cert_chain)
    • Trusted Root certificates
  • The system creates the following certificate profiles with the correct naming convention:
    Certificate Profile Naming Convention
    Machine SSL {deviceName}:machineSSL
    STS Signing (active_cert_chain) {deviceName}:stsSigning
    Trusted Root certificates {deviceName}:trustedRoot
    Note:
    • To enable push operations from the root and intermediate inventory, a trustedRoot profile is created. To add a connector for VMware NSX, select VMware from Vendor.
    • Limitation: As the private key is never exposed via API, discovered certificates do not include the private key.
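The REST exchange behind onboarding step 9 (create a session, then read the version) and the discovery described in this section, as an added example written for this page; it is not AppViewX or VMware code. It assumes the vCenter 7.0.3+ REST paths /api/session (session creation is an HTTP POST with Basic credentials), /api/appliance/system/version and the certificate-management endpoints under /api/vcenter/certificate-management/vcenter, the hypothetical host vc01.example.test and user svc-appviewx@vsphere.local, and a constructed FakeTransport with canned responses in place of a live appliance.

```python
"""Added example for this page (not AppViewX or VMware code): open a vCenter
REST session, check the 7.0.3 version prerequisite, and discover the Machine
SSL, STS signing and trusted-root certificates. FakeTransport is a constructed
stand-in for a live appliance so the script runs offline."""
import base64
import json
import urllib.request

SESSION_PATH = "/api/session"
VERSION_PATH = "/api/appliance/system/version"
TLS_PATH = "/api/vcenter/certificate-management/vcenter/tls"
STS_PATH = "/api/vcenter/certificate-management/vcenter/signing-certificate"
ROOTS_PATH = "/api/vcenter/certificate-management/vcenter/trusted-root-chains"
MIN_VERSION = (7, 0, 3)  # REST-based integration needs vCenter 7.0.3 or later


def parse_version(text):
    """'7.0.3.00800' -> (7, 0, 3, 800); stops at the first non-numeric piece."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


class UrllibTransport:
    """HTTPS transport for a real appliance; TLS verification stays on."""

    def __init__(self, host, port=443):
        self.base = f"https://{host}:{port}"

    def request(self, method, path, headers, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=headers)
        with urllib.request.urlopen(req, timeout=30) as resp:  # HTTPError on 4xx/5xx
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)


class FakeTransport:
    """Constructed offline stand-in: a vCenter 7.0.3 with two trusted root chains."""
    SESSION_ID = "fake-session-id"
    PEM = "-----BEGIN CERTIFICATE-----\n{}\n-----END CERTIFICATE-----"
    RESPONSES = {
        ("GET", VERSION_PATH): {"product": "VMware vCenter Server", "version": "7.0.3.00800"},
        ("GET", TLS_PATH): {"cert": PEM.format("MACHINE-SSL"), "subject_dn": "CN=vc01.example.test"},
        ("GET", STS_PATH): {"active_cert_chain": {"cert_chain": [PEM.format("STS"), PEM.format("VMCA-ROOT")]}},
        ("GET", ROOTS_PATH): [{"chain": "alias-1"}, {"chain": "alias-2"}],
        ("GET", ROOTS_PATH + "/alias-1"): {"cert_chain": {"cert_chain": [PEM.format("VMCA-ROOT")]}},
        ("GET", ROOTS_PATH + "/alias-2"): {"cert_chain": {"cert_chain": [PEM.format("CORP-ROOT")]}},
    }

    def request(self, method, path, headers, body=None):
        if (method, path) == ("POST", SESSION_PATH):
            if not headers.get("Authorization", "").startswith("Basic "):
                raise PermissionError("401: Basic credentials required to create a session")
            return 201, self.SESSION_ID
        if headers.get("vmware-api-session-id") != self.SESSION_ID:
            raise PermissionError("401: missing or invalid vmware-api-session-id")
        return (204, None) if method == "DELETE" else (200, self.RESPONSES[(method, path)])


def _auth(session_id):
    return {"vmware-api-session-id": session_id, "Accept": "application/json"}


def open_session(transport, username, password):
    """POST /api/session with HTTP Basic; vCenter returns the session id as a JSON string."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    _, sid = transport.request("POST", SESSION_PATH, {"Authorization": f"Basic {token}", "Accept": "application/json"})
    return sid


def check_version(transport, session_id):
    """Fetch the appliance version and enforce the 7.0.3 prerequisite before doing anything else."""
    _, info = transport.request("GET", VERSION_PATH, _auth(session_id))
    if parse_version(info["version"]) < MIN_VERSION:
        raise RuntimeError(f"vCenter {info['version']} is below 7.0.3; REST onboarding is unsupported")
    return info["version"]


def discover_certificates(transport, session_id, device_name):
    """{profile name: [PEM, ...]} in the page's naming convention; no endpoint here exposes a key."""
    hdr = _auth(session_id)
    _, tls = transport.request("GET", TLS_PATH, hdr)
    _, sts = transport.request("GET", STS_PATH, hdr)
    _, chains = transport.request("GET", ROOTS_PATH, hdr)
    roots = []
    for entry in chains:
        _, detail = transport.request("GET", f"{ROOTS_PATH}/{entry['chain']}", hdr)
        roots.extend(detail["cert_chain"]["cert_chain"])
    return {f"{device_name}:machineSSL": [tls["cert"]],
            f"{device_name}:stsSigning": list(sts["active_cert_chain"]["cert_chain"]),
            f"{device_name}:trustedRoot": roots}


def onboard_and_discover(transport, username, password, device_name):
    """Onboarding step 9 (session, then version) followed by discovery; the session is
    deleted afterwards so a leaked id cannot be replayed later."""
    sid = open_session(transport, username, password)
    try:
        return check_version(transport, sid), discover_certificates(transport, sid, device_name)
    finally:
        transport.request("DELETE", SESSION_PATH, _auth(sid))
```

Run `onboard_and_discover(FakeTransport(), "svc-appviewx@vsphere.local", "secret", "vc01")` for the offline demo, or pass `UrllibTransport("vc01.example.test")` to talk to a real appliance; leave certificate verification on even while the appliance still runs a VMCA-issued Machine SSL certificate, and trust the VMCA root on the connector host instead. Every discovered profile holds certificates only, which is the limitation noted above: none of these endpoints return a private key.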

Pushing Certificates to the Device

  • Admin can select Machine SSL or STS Signing as the target certificate type.
  • The system validates the certificate chain in the following order: Server Certificate → Intermediate CA → Root CA
  • Users can select both Machine SSL and STS Signing profiles for a single push operation.
  • Machine SSL supported scenarios:
    • CSR was previously generated and the private key is securely stored.
    • The root CA of the signed certificate is:
      • Already trusted by vCenter → No additional trust configuration required.
      • Not trusted by vCenter → The root CA certificate must be added during the operation.
  • STS Signing supported scenarios:
    • The certificate must include the private key and the trust (root/intermediate) certificate(s).
    • If either the private key or trust certificates are missing, the operation will fail in the backend.
  • Trust Store Handling
    • If the root CA is already trusted, the system installs only the certificate and the private key (if required).
    • If the root CA is not trusted, the system installs the certificate, the private key, and the root CA certificate, and updates the trust store.
    • The operation will succeed only if the trust chain is complete and valid.
  • Logging & Audit

    All certificate push attempts are logged with user, timestamp, certificate type, and result.

  • Error Handling

    The system displays user-friendly error messages for invalid input, trust chain failures, or installation errors.

Note:
  1. If VMware Appliance Management Interface does not display the new certificate after replacing the MACHINE_SSL_CERT on vCenter Server Appliance, refer to https://knowledge.broadcom.com/external/article?legacyId=2136693
  2. For stopping, starting, or restarting VMware vCenter Server Appliance services, refer to https://knowledge.broadcom.com/external/article/344633/stopping-starting-or-restarting-vmware-v.html
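The chain validation and trust-store decision described above (Server Certificate → Intermediate CA → Root CA, root added only when vCenter does not already trust it, STS push refused without key and trust certificates), as an added example written for this page; it is not AppViewX or VMware code. Certificates are represented as small dicts of subject, issuer, thumbprint and PEM so the script runs offline; in real use these fields come from parsing the PEM (for example with the cryptography package). The request paths are the vCenter certificate-management REST endpoints; how the chain is split between the tls body's cert and root_cert fields, and the signing-certificate body's field names, are assumptions to verify against your vCenter release. The sample chain (vc01.example.test, Corp Issuing CA, Corp Root CA) and key are constructed.

```python
"""Added example for this page (not AppViewX or VMware code): order a bundle
Server -> Intermediate -> Root, decide whether the root must be added to the
vCenter trust store, and build the Machine SSL and STS push request bodies.
Certificates are small dicts (subject, issuer, thumbprint, pem); in real use
fill them from the PEM, e.g. with the cryptography package."""

TLS_PATH = "/api/vcenter/certificate-management/vcenter/tls"
STS_PATH = "/api/vcenter/certificate-management/vcenter/signing-certificate"


class ChainError(ValueError):
    """The bundle does not form one complete, valid chain."""


def order_chain(certs):
    """Return [leaf, intermediate..., root] by following issuer links; the root
    is the self-signed certificate and a missing link raises ChainError."""
    by_subject = {c["subject"]: c for c in certs}
    issuers = {c["issuer"] for c in certs if c["issuer"] != c["subject"]}
    leaves = [c for c in certs if c["subject"] not in issuers]
    if len(leaves) != 1:
        raise ChainError(f"expected exactly one end-entity certificate, found {len(leaves)}")
    chain, current = [], leaves[0]
    while True:
        chain.append(current)
        if current["issuer"] == current["subject"]:
            return chain
        current = by_subject.get(current["issuer"])
        if current is None:
            raise ChainError(f"issuer {chain[-1]['issuer']!r} is missing from the bundle")
        if current in chain:
            raise ChainError("issuer loop in bundle")


def plan_machine_ssl_push(certs, trusted_thumbprints, private_key=None, csr_from_vcenter=False):
    """Body for PUT /api/vcenter/certificate-management/vcenter/tls. The key may be
    omitted only when vCenter generated the CSR (it already holds the key);
    root_cert is sent only when the root is not yet in the trust store."""
    chain = order_chain(certs)
    if private_key is None and not csr_from_vcenter:
        raise ChainError("private key required unless the CSR was generated on vCenter")
    leaf_and_intermediates = chain[:-1] if len(chain) > 1 else chain
    # Assumption: cert carries the leaf followed by its intermediates.
    body = {"cert": "\n".join(c["pem"] for c in leaf_and_intermediates)}
    if private_key is not None:
        body["key"] = private_key
    root_trusted = chain[-1]["thumbprint"].lower() in {t.lower() for t in trusted_thumbprints}
    if not root_trusted:
        body["root_cert"] = chain[-1]["pem"]
    return {"method": "PUT", "path": TLS_PATH, "body": body, "updates_trust_store": not root_trusted}


def plan_sts_push(certs, private_key):
    """STS signing replacement needs the private key and the trust chain;
    fail here rather than in the backend when either is missing."""
    if not private_key:
        raise ChainError("STS signing push requires the private key")
    chain = order_chain(certs)
    if len(chain) < 2:
        raise ChainError("STS signing push requires the trust (root/intermediate) certificates")
    # Assumption: field names signing_cert_chain.cert_chain and private_key.
    return {"method": "PUT", "path": STS_PATH,
            "body": {"signing_cert_chain": {"cert_chain": [c["pem"] for c in chain]},
                     "private_key": private_key}}


def _cert(subject, issuer, thumbprint):
    """Constructed sample certificate record (not a real X.509 object)."""
    return {"subject": subject, "issuer": issuer, "thumbprint": thumbprint,
            "pem": f"-----BEGIN CERTIFICATE-----\n{subject}\n-----END CERTIFICATE-----"}


SAMPLE_LEAF = _cert("CN=vc01.example.test", "CN=Corp Issuing CA", "aa11")
SAMPLE_INTER = _cert("CN=Corp Issuing CA", "CN=Corp Root CA", "bb22")
SAMPLE_ROOT = _cert("CN=Corp Root CA", "CN=Corp Root CA", "cc33")
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\n(constructed)\n-----END PRIVATE KEY-----"

if __name__ == "__main__":
    bundle = [SAMPLE_ROOT, SAMPLE_LEAF, SAMPLE_INTER]  # deliberately out of order
    print([c["subject"] for c in order_chain(bundle)])
    print(plan_machine_ssl_push(bundle, {"CC33"}, SAMPLE_KEY)["updates_trust_store"])
    print(plan_machine_ssl_push(bundle, set(), SAMPLE_KEY)["updates_trust_store"])
```

The returned plan is what an authenticated REST session (header vmware-api-session-id) would send; the trusted_thumbprints set is built from the thumbprints of the chains already present under trusted-root-chains on the target. Chain and key checks happen before any request is sent, so an incomplete bundle or a missing key never reaches the appliance.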

Backing Up and Rolling Back Certificates

  • Backup: The existing vCenter certificate is backed up before replacement.
  • Private Key Limitation:

    The private key cannot be backed up. Rollback is possible only if the private key is already stored in AppViewX for the corresponding backup certificate UUID.

  • Rollback Support:
    • Rollback option is available only if the push is successful and the backup certificate’s private key is present in AppViewX.
    • Not applicable for certificates enrolled directly at the endpoint.

    Once a certificate is pushed for an enrolled private key, further pushes are not allowed for that key.

Validating the Device

After the device is onboarded successfully, follow these steps to validate device communication with AppViewX:
  1. Go to ADMINISTRATION > Device Management.
    By default, the ADC tab opens.
  2. Click the Server tab.
    The Server Inventory page is displayed.
  3. Check that the device name appears in the inventory (Name column) with its status in the Status column.
    The Status column shows Managed/Monitored/Ignored if the connection is successful, or Failed/Unresolved in case of failure.
  4. From the Status column, click the Managed/Monitored/Ignored/Failed/Unresolved.
    Device Status Log pop-up is displayed.
  5. Expand each value in the pop-up to know the Device communication, Device Version, Instance Information, and Certificate Discovery From Device.

What's Next

Once you have onboarded and validated the device connection, you are ready to proceed with any of the following certificate actions: