Skip to main content
All CollectionsEnterprise WorkloadsProtect VMware Virtual MachinesVMware Reference Reads
Enhance security with a signed SSL certificate for CloudCache R3 for VMware
Enhance security with a signed SSL certificate for CloudCache R3 for VMware
Updated over a week ago

Overview

CloudCache R3 ships with a self-signed SSL certificate. The communication between Backup Proxy and CloudCache takes place using a secured TLS. However, Backup Proxy cannot verify the self-signed certificate.

For enhanced security, you can use your own signed SSL certificates. The benefit of using a signed certificate is that the Backup proxy can verify the SSL certificate, which cannot be done for the self-signed certificate.

Prerequisites

  • You must have the SSL certificate and the key file for your domain name.

  • The SSL certificate file typically has a file extension of .crt, and the key file typically has a file extension of .key.

  • Contact your network administrator for these files.

  • Additionally, the root-CA certificate of the certificate authority (CA) must be added to the trust pool of the Backup Proxy server.

Procedure

It is a two-step process:

Backup Proxy configuration

Log in to the Backup Proxy server, open a terminal, and follow these steps:

  1. Open the following file in any editor:

    /etc/Druva/EnterpriseWorkloads/vmware/VMwareConfig.yaml
  2. Locate the following flag and set its value to true:
    CC_SSL_INSECURE

    The impact of the following possible values for this flag is mentioned below:

    1. CC_SSL_INSECURE: true (Default value)

      Impact: Even though the communication between Backup proxy and CloudCache is over SSL, the CloudCache certificate is not verified.

      This is the default option because you will need to provide your certificate and key to enable the certificate validation.

    2. CC_SSL_INSECURE: false

      Impact: The most secure setting where the communication between Backup proxy and CloudCache uses SSL and the CloudCache certificate is verified.

  3. Restart the Backup Proxy service with the following command:

    service Druva-EnterpriseWorkloads restart

CloudCache configuration

Before you begin, take note of the path where you saved the certificate and the key file. See Prerequisites.

Log into the CloudCache server, launch a terminal and follow these steps:

  1. sudo apt-get install -y ca-certificates
  2. Create or download the cc.cert file, which is configured on the CloudCache machine.

  3. Copy the cc.crt file to /usr/local/share/ca-certificates using the following command:

     cp cc.crt  /usr/local/share/ca-certificates
  4. Execute the following command:

     cp /opt/Druva/Enterpriseworkloads/ca-certificates.crt  /usr/local/share/ca-certificates/
  5. Execute this command:

     update-ca-certificates
  6. Replace the config.yaml and VmwareConfig.yaml with the new certificate path, i.e cacertificate_bundle: /etc/ssl/certs/ca-certificates.crt or copy the ca-certificate from /etc/ssl/certs/ to /opt/Druva/EnterpriseWorkloads

  7. In the plugin config, assign these values to the respective flags: ssl_insecure: false and cc_ssl_insecure: false.

  8. Finally, save the configuration file and restart the CloudCache service as follows:
    service Druva-EnterpriseWorkloads restart

Did this answer your question?