Each vSmart controller and vBond orchestrator in the overlay network must have a signed certificate installed before it can operate in the overlay network. The signed certificate can be provided by Symantec or by an enterprise root CA. A certificate signing request (CSR) must be generated, and then the signed certificate must be received, installed on the device, and sent to the vBond orchestrator to allow the device to join the overlay network.
If the certificate is provided by Symantec, when you install a device from the vManage NMS, the NMS can automatically generate the CSR, retrieve the generated certificate, install it on the device, and send it to the vBond orchestrator. You can instead choose to generate the certificate manually, but this is not recommended, only because the automatic process requires just a single step.
If the certificate is provided by an enterprise root CA, you must manually generate and install the certificate from the vManage NMS. See Manually Generate a Certificate below.
Select the Certificate-Generation Method
- In vManage NMS, select the Administration ► Settings screen.
- Click the Edit button to the right of the Certificate Authorization bar.
- In Certificate Signing by Symantec, select Automated to have the Symantec signing server automatically generate, sign, and install certificates on each controller device. If not, select Manual.
- Enter the first and last name of the requestor of the certificate.
- Enter the email address of the requestor of the certificate. If you selected Manual in Step 1, the signed certificate and a confirmation email are sent to the requestor via email and are also made available through the customer portal.
- Specify the validity period for the certificate.
- Click the Edit Challenge Phrase checkbox to enter a challenge phrase. The challenge phrase is your certificate password and is required when you renew or revoke a certificate.
- Confirm your challenge phrase.
- In the Certificate Retrieve Interval field, specify how often the vManage server checks if the Symantec signing server has sent the certificate.
- Click Save.
You need to select the certificate-generation method only once. The method you select is automatically used each time you add a device to the overlay network.
Automatically Generate a Certificate
- In vManage NMS, select the Configuration ► Devices screen.
- Click Add Controller, and add a vBond orchestrator or vSmart controller to the overlay network.
- Complete the fields in the Add vSmart or Add vBond window. Ensure that the Generate CSR checkbox is selected.
- Click Add.
The vManage NMS sends the CSR to Symantec. It periodically checks with Symantec, and when the signed certificate is ready, the NMS retrieves it. Then, the vManage NMS installs the signed certificate on the device and sends it to the vBond orchestrator.
By default, the vManage NMS checks with Symantec once per hour. This interval allows time for Symantec to verify your device and network information with the Viptela Customer Support team. You can shorten this time period in the Certificate Authorization section of the Administration ► Settings screen.
To view the progress of the certificate-generation process, select the Configuration ► Devices screen, and then select the device. The workflow bar at the bottom of the screen shows the progress of the four steps in the process. A check mark in a green circle indicates that a step is complete, and a check mark in a gray circle indicates that a step has not yet been completed.
Manually Generate a Certificate
- In vManage NMS, select the Configuration ► Devices screen. Click the Controllers tab.
- Click Add Controller to add a vBond orchestrator or vSmart controller to the overlay network.
- Complete the fields in the Add vSmart or Add vBond window. Ensure that the Generate CSR checkbox is not selected.
- Click Add.
- Select the Configuration ► Certificates screen, and select the device. In the workflow bar at the bottom of the screen, the check mark next to Add Device is green, indicating that the device has been added, but the remaining three check marks are gray, indicating that these three operations still need to be performed before the device becomes operational in the overlay network.
- From the More Actions icon at the right side of the row, select Generate CSR. Either cut and paste the CSR or download it to the local browser window. The downloaded CSR is in a file with a name in the format hostname.csr or ip-address.csr. In the workflow bar at the bottom of the screen, the check mark next to Generate CSR changes from gray to green.
- If you are using an enterprise root CA, have the certificate signed and continue to the next step.
If you want Symantec to sign the certificate, go to the Symantec website, enroll, and paste the CSR or upload the CSR file. (For specific details about how to do this, log in to support.viptela.com. Click Certificate, and read the Symantec certificate instructions.) Symantec sends an email to the email address you specified in the Certificate Authorization fields acknowledging the receipt of your CSR, and it sends an email to the Viptela Customer Support team asking them to approve the signing request. When Symantec receives approval from Viptela, it signs the certificate and sends an email to you indicating that the signed certificate is ready to be retrieved. Retrieve the signed certificate from the Symantec website.
- In the Configuration ► Certificates screen, select the device, and select Install Certificate. Either cut and paste the certificate text or select the certificate file. Click Install. In the workflow bar at the bottom of the screen, the check mark next to Upload Certificate changes from gray to green.
- Click the Send to vBond button in the top left corner of the screen. In the workflow bar at the bottom of the screen, the check mark next to Update vBond changes from gray to green. The device is now operational.
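In the manual procedure, a certificate returned by an enterprise root CA can be checked against the downloaded CSR before it is pasted into Install Certificate. The script below is an added example, not part of the original documentation; it assumes PEM-encoded files and a local openssl command, and every file name and subject in it is constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example: pre-install checks on a certificate returned by an enterprise CA.
# Assumes PEM-encoded files; every file name and subject below is constructed.

# check_signed_cert CSR CERT ROOT_CA
# Prints "ok" and returns 0 only if CERT carries the CSR's public key, chains to
# ROOT_CA, and does not expire within the next 24 hours.
check_signed_cert() {
    csr_pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || { echo "unreadable CSR"; return 2; }
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || { echo "unreadable certificate"; return 2; }
    if [ -z "$csr_pub" ] || [ "$csr_pub" != "$crt_pub" ]; then
        echo "public key does not match CSR"; return 1
    fi
    openssl verify -CAfile "$3" "$2" >/dev/null 2>&1 || { echo "does not chain to root CA"; return 1; }
    openssl x509 -in "$2" -noout -checkend 86400 >/dev/null 2>&1 || { echo "expires within 24 hours"; return 1; }
    echo "ok"
}

# make_demo_files DIR: build a throwaway root CA, a CSR named in the
# hostname.csr style, its signed certificate, and a certificate for another key.
make_demo_files() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Enterprise Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vsmart1.example.test" \
        -keyout "$d/vsmart1.key" -out "$d/vsmart1.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vsmart1.example.test" \
        -keyout "$d/other.key" -out "$d/other.csr" 2>/dev/null
    for n in vsmart1 other; do
        openssl x509 -req -in "$d/$n.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
            -CAcreateserial -days 30 -out "$d/$n.crt" 2>/dev/null
    done
}

# Demo run: the matching certificate passes, the one issued for another key fails.
demo_dir=$(mktemp -d)
make_demo_files "$demo_dir"
check_signed_cert "$demo_dir/vsmart1.csr" "$demo_dir/vsmart1.crt" "$demo_dir/root.pem" || true
check_signed_cert "$demo_dir/vsmart1.csr" "$demo_dir/other.crt" "$demo_dir/root.pem" || true
rm -rf "$demo_dir"
```

A non-zero return means the file should not be installed: the certificate was issued for a different key pair, by a different CA, or is about to expire.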
Introduced in vManage NMS in Release 15.2.