Which keystore would a vSphere Replication administrator use to manually add an additional Certificate Authority certificate?
A. hms-truststore.jks
B. hms-keystore.jks
C. certificates.ks
D. cacerts.ks
Correct Answer: A
Explanation/Reference:
Explanation: vSphere Replication can verify remote server certificates either by verifying the validity of the certificate and the thumbprint or by verifying the thumbprint only. By default, vSphere Replication verifies the thumbprint only. If you select the Accept only SSL certificates signed by a trusted Certificate Authority option in the VAMI, vSphere Replication verifies the validity of the certificate as well as the thumbprint. This means that the certificate authority that issued the certificates for vSphere Replication and vCenter Server must be trusted by vSphere Replication. By default, vSphere Replication trusts all certificate authorities that the Java Virtual Machine trusts. You can import additional trusted CA certificates into /opt/vmware/hms/security/hms-truststore.jks on the vSphere Replication appliance. To import these certificates, perform these steps:
1. Locate the root certificate authority certificate that was used when generating the vCenter Server certificates (usually Root64.cer). If you use a Microsoft certificate authority, this can be re-generated by performing the steps mentioned in Creating certificate requests and certificates for vCenter Server 5.1 components (2037432).
Otherwise, you may be able to export the root certificate using the MMC on a Windows system.
2. Copy the certificate to your replication appliance.
For example, copy it to the /home directory. A utility such as WinSCP can be used for this.
3. Run this command to import the certificate into the HMS truststore:
/usr/java/default/bin/keytool -import -trustcacerts -alias root -file /home/Root64.cer -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass vmware
4. Type yes at the prompt and press Enter to complete the certificate import process: Trust this certificate? [no]: yes
5. You see this text, which confirms the import was successful: Certificate was added to keystore
6. Use this command to verify the certificate is now present in the HMS truststore:
/usr/java/default/bin/keytool -list -keystore /opt/vmware/hms/security/hms-truststore.jks -storepass vmware -v
Reference: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2080395