Configure CVIM Openstack SSL Certificate for VIM Connector in Elastic Services Controller

This document describes the procedure to add a renewed Openstack RESTAPI SSL certificate for Virtualized Infrastructure Manager (VIM) Connection in Cisco Elastic Services Controller.

Cisco recommends that you have knowledge of these topics:

• Cisco Elastic Services Controller
• Cisco VIM/Openstack

The information in this document is based on these software and hardware versions:

• Cisco Elastic Services Controller 5.10.0.95
• Cisco VIM 4.2.2

Note: This procedure is also applicable for adding a certificate newly while adding a new VIM connector.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

After renewing the Openstack RESTAPI SSL certificate (haproxy certificate for Cisco VIM environment), Elastic Services Controller reports that VIM connection failed.

[admin@lab-esc-1 ~]$ tail -100f /var/log/esc/yangesc.log
2024-04-09 10:35:36.148 WARN ===== SEND NOTIFICATION STARTS =====
2024-04-09 10:35:36.148 WARN Type: VIM_CONNECTION_STATE
2024-04-09 10:35:36.148 WARN Status: FAILURE
2024-04-09 10:35:36.148 WARN Status Code: 500
2024-04-09 10:35:36.148 WARN Status Msg: VIM Connection State Down
2024-04-09 10:35:36.148 WARN Vim connector id: cvim-openstack-lab
2024-04-09 10:35:36.148 WARN ===== SEND NOTIFICATION ENDS =====

[admin@lab-esc-1 ~]$ sudo escadm vim show
{
  "id":"cvim-openstack-lab",
  "type":"OPENSTACK",
  "last_checked":"2024-04-09T10:35:36.099",
  "status":"CONNECTION_FAILED",
  "status_message":"Unable to establish VIM connection",
}

List the current certificates present in Elastic Services Controller truststore:

[admin@lab-esc-1 ~]$ escadm truststore show --verbose
esc, Mar 30, 2024, trustedCertEntry, 
cvim-openstack-lab, Apr 4, 2024, trustedCertEntry, 

Copy/Transfer CA Certificate file to Elastic Services Controller VM.

1. For Active-Standby Elastic Services Controller setup, copy the certificate to Active VM.

2. For Active-Active ESC setup, copy the certificate to Geo-Primary Leader VM.

[admin@lab-esc-1 ~]$ ls -l /home/admin
-rw-r--r--. 1 admin admin 1911 Apr 9 06:20 cvim-openstack-lab-renewed_haproxy.crt

Add certificate to Elastic Services Controller truststore by executing  escadm truststore add  command.

1. File argument refers to the CA certificate file of types X.509 v1, v2, and v3 certificates, and PKCS#7.

2. Alias argument is unique and refers to the name this specific CA certificate is given.

[admin@lab-esc-1 ~]$ sudo escadm truststore add --alias cvim-openstack-lab-renewed --file cvim-openstack-lab-renewed_haproxy.crt --verbose
CA certificate "cvim-openstack-lab-renewed" added successfully. 
On ESC setup running ETSI, restart ETSI by running "sudo escadm etsi restart". All other components will reload the certificate automatically.

Verify whether the certificate is added to Elastic Services Controller truststore successfully.

[admin@lab-esc-1 ~]$ sudo escadm truststore show --verbose
esc, Mar 30, 2024, trustedCertEntry, 
cvim-openstack-lab, Apr 4, 2024, trustedCertEntry, 
cvim-openstack-lab-renewed, Apr 9, 2024, trustedCertEntry, 

Verify whether the VIM connection is up.

[admin@lab-esc-1 esc]$ sudo escadm vim show
{
  "id":"cvim-openstack-lab",
  "type":"OPENSTACK",
  "last_checked":"2024-04-09T11:15:57.157",
  "status":"CONNECTION_SUCCESSFUL",
  "status_message":"Successfully connected to VIM"
}

[admin@lab-esc-1 ~]$ tail -100f /var/log/esc/yangesc.log
2024-04-09 11:15:57.188 INFO ===== SEND NOTIFICATION STARTS =====
2024-04-09 11:15:57.188 INFO Type: VIM_CONNECTION_STATE
2024-04-09 11:15:57.188 INFO Status: SUCCESS
2024-04-09 11:15:57.188 INFO Status Code: 200
2024-04-09 11:15:57.188 INFO Status Msg: VIM Connection State Up
2024-04-09 11:15:57.189 INFO Vim connector id: cvim-openstack-lab
2024-04-09 11:15:57.189 INFO ===== SEND NOTIFICATION ENDS =====

Optional Step

In case of certificate renewal, remove the old certificate after confirming the VIM connection is up after adding new certificate.

[admin@lab-esc-1 ~]$ sudo escadm truststore delete --alias cvim-openstack-lab --verbose
CA certificate "cvim-openstack-lab" deleted successfully

[admin@lab-esc-1 ~]$ sudo escadm truststore show --verbose
esc, Mar 30, 2024, trustedCertEntry, 
cvim-openstack-lab-renewed, Apr 9, 2024, trustedCertEntry,

Elastic Services Controller truststore is automatically reloaded after adding a new one, so VIM connection must automatically become up. Check escmanager logs to troubleshoot in case of failure.

[admin@lab-esc-1 ~]$ tail -100f /var/log/esc/escamanager.log
2024-04-09 11:15:55.369 INFO [SslManager.java:run:262] Change of type ENTRY_MODIFY is detected on truststore. Trigger reloading.
2024-04-09 11:15:55.370 INFO [SslManager.java:loadESCTruststore:215] ESC truststore file loaded successfully.
2024-04-09 11:15:55.375 INFO [SslManager.java:loadESCTruststore:226] Added Java default Root CA certificates: 136
2024-04-09 11:15:55.376 INFO [VimUtils.java:reloadVimManagerTrustStore:1057] Starting request to reload VimManager truststore.
2024-04-09 11:15:55.430 INFO [VimUtils.java:reloadVimManagerTrustStore:1065] Completed request to reload vimManager truststore.
2024-04-09 11:15:55.430 INFO [SslManager.java:run:270] Reloading of truststore is done.
2024-04-09 11:15:57.183 INFO [VimAuthenticationService.java:updateVimStatusFromNotification:709] Vim status message: VIM reachable; connection state: CONNECTED
2024-04-09 11:15:57.183 INFO [VimAuthenticationService.java:processVimStatusNotification:784] Sending VIM Status notification for vim cvim-openstack-lab, status CONNECTION_SUCCESSFUL
2024-04-09 11:16:31.428 INFO [VimUtils.java:getAuthStatusById:1077] VIM ID - cvim-openstack-lab, VimInfo is : VimInfoHolder [vimStatus=VIM_STATUS_REACHABLE, vimUserStatus=VIM_USER_STATUS_AUTHENTICATED, ts=2024-04-09T11:15:57.157]