vSphere Replication – Part 3 – Basic setup and custom certificate

In the previous article we deployed our appliances. Before to go live, we are going to update some settings and update the self-signed certificates with CA-signed certificates. With that done, we will connect both appliances together, which will allow replications to be configured between the appliances.

Remark: the certificate update only makes sense if you already configured CA-signed certificates for your other vSphere components (have a look here if you want to update the certificates of the vCenter Server Appliance). If you didn’t, and don’t plan to do it, just skip this step!

Basic configuration

Let’s start by connecting to https://my-appliance:5480 (if you haven’t created a DNS record, now is a good time to do it!). You can ignore the certificate warnings.01.Login RootNow click on Configuration. We will replace the IP address in the VRM Host field by the FQDN of the appliance. Beware: this field must match the subject name of our certificate later on! Click on Save and Restart Service when you’re done.02.Update VRM HostThis is going to take several minutes. When it’s done, we go to System, Time Zone, configure the correct time zone, then Save Settings.05.Time ZoneYou can also check your network settings in the Network tab. Here for exemple I’ve added a second DNS server.03.DNS UpdateAs you can see, nothing special here. Repeat these little configuration steps for the second appliance. If you don’t wish to update the certificates, you can immediately jump to the next part, where we will connect the appliances. If you’re interested in the certificate update, let’s do it now!

CA-signed certificate configuration

Unlike vCenter Server, there is no automation possibility yet for the generating and installing custom CA-signed certificates for a vSphere Replication Appliance. Therefore, we will do the steps manually, by following parts of the official kb. I assume that you have already generated and installed certificates for your vCenter Servers and that all the required bits are ready: a certificate template, OpenSSL… If you don’t have the environment ready, then you probably haven’t updated the certificates for the vCenter; do this first!

Creation of the certificate

Start from your Widows machine where the tools are ready and create a folder to store the certificates of your replication appliances, one folder per appliance. In each folder, create a configuration file for the certificate request.

10.ConfigFileThis configuration file should contain the following text (the fields that you must customize are in bold).

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: server1, IP:, DNS: server1.domain.com
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = BeautifulProvince
localityName = MyCity
0.organizationName = My Company
organizationalUnitName = vSphere Replication Appliance
commonName = server1.domain.com

Save the file as server-name.cfg, here I used server1.cfg. Let’s now generate the certificate request, which is made of a .csr file (our request) and a .key file (our private key). Open a command line in the location of the configuration file and type:

c:\OpenSSL\bin\openssl.exe req -new -nodes -out server1.csr -keyout server1-orig.key -config server1.cfg

As before, update the fields written in bold characters. Your folder’s content should now look like this:11.csr-and-keyLet’s now request our certificate (here, at an internal Microsoft CA). Update the fields in bold characters.

certreq -submit -attrib CertificateTemplate:VMware-Certificate -config "my-CA-server\my-authority" server1.csr server1.crt

The CertificateTemplate parameter must be followed by the display name of your VMware certificate, and the config parameter must match your CA. This creates a new .crt file, which is the certificate:

12.crt fileThe private key must follow the RSA standard. This is done by typing:

C:\OpenSSL\bin\OpenSSL.exe rsa -in server1-orig.key -out server1.key

We can now generate a PKCS#12 certificate, which is what our appliance requires:

c:\OpenSSL\bin\OpenSSL.exe pkcs12 -export -in server1.crt -inkey server1.key -name "server1" -passout pass:replication55 -out server1.p12

And here is our certificate!

13.P12 certificateImport the certificate on the appliance

We are now going to import the certificate on our appliance. Connect to the web interface at https://appliance-fqdn:5480 and connect with the root account. Go to the Configuration tab.

Click Choose file, then browse to the .p12 file and click Upload and install.20.Upload CertYou will be prompted for the certificate password. If you followed this guide, it should be replication55.21.CertPasswordAfter a few minutes, the appliance will request you to log out. Close the browser and re-open it to check that the new certificate is now in place:22.VictoireCongratulations! The new certificate is now applied. Repeat these steps on the second appliance. When you’re done, you are ready to connect the appliances.

Connect the appliances

Now that our two appliances are configured, we will connect them together, enabling cross-site replication. Just as reminder, in our scenario we have deployed one appliance on the production site, and one on a disaster recovery site, in a topology similar to this one:

Protected production site(s) with dedicated recovery siteOur main replication traffic is obviously from the production clusters to the recovery server. However, it can be useful to reverse this replication flow, for instance if you need to failback to the production site after a recovery. Therefore, we will configure the links to support both replication flows.

Let’s start on the production vCenter (the order doesn’t matter) and click on the new vSphere Replication icon.23.vSphere-Icon-ENThere are two options: Monitor and Manage. To connect both appliances, we are going to click Manage.24.vSphereReplication-ENFirst check if the appliance is registered properly (availability OK, name and version displayed), then go to Target Sites. If the appliance is not available, solve the issue before to continue!25.vSphereReplication2-ENLet’s add the target site: click the small icon on the top left.26.AddConnection-ENTarget the recovery vCenter and enter valid credentials for this site. We use a service account which has admin permissions on the remote vCenter, however you could define more specific permission profiles.27.AddConnection2-ENIgnore the certificate warning if you have one. After a few seconds, the new site shows up, as well as the remote replication appliance.28.AddConnection3-ENWe could now configure replications to this remote site. But before to start, let’s configure the opposite replication flow by replaying these steps on the recovery vCenter. There will be a difference on the second vCenter as the peer vCenter will be displayed in the Target Sites already. However, it needs to be reconnected (select it and click the Reconnect button). You will be prompted for credentials and the site will be connected properly.

29.AddConnection4-ENWhat’s next?

The setup is finished! We have our two apliances, installed on both sites, each connected to its own vCenter. We can start to replicate virtual machines!

In the next part, we will go through the steps of configuring a new replication, and see which tools can help us to monitor this replication.