Piszki Lab | EN

My case study in the clouds…

VMware vCenter Hyperic 5.8 Appliance: Replacing server SSL certificate.


Hyperic Appliance, apart from the obvious benefit, which is to install everything with one hand, it also has one disadvantage. Everything is pre-configured. In the Lab we use your own CA and all services that operate here on ports 443 are exposed to the signed certificate kept by this CA (including Hyperic). The change procedure is very simple, log in as root with the password specified during appliance installation. Go to the directory /opt/hyperic /server-current/conf and issue the following command:


Password is “hyperic” (which is given explicitly in the file hq-server.conf), as we can see, the key alias is “hq”. If you will delete the file and generate new hyperic.keystore, during Hyperic server boot you will meet with the message “SYSTEM IS DOWN DUE TO shutting PRIVATE KEY (S) SYNC. AUTOMATIC RESTART WOULD ONLY IF WRAPPER occur WATCHDOG IS INSTALLED ” and the file hyperic.keystore will be overritten (his copy exists in the database). To prevent this situation, after we generate hyperic.keystore file, run the server installer again in full mode. Go to the directory /opt/hyperic and issue the following command (as a user hyperic):


We have already prepared the keystore, generated key server and imported the CA certificate, the next step we generate a CSR, ship to CA, and import the certificate into our keystore:


Run again Hyperic installer (as I mentioned, this is a necessary step to avoid problems with keys). It is also the perfect time to indicate another PostgreSQL server if we’re interested. If you leave everything as it is during the installer, choose the option to erase the database (this is very important, it is a crucial step!).



And now run the server, and we can enjoy a valid SSL certificate:


It may seem strange that we carry out the installation operation inside the appliance, but this is the only method. Carry out the operation only once, just after loading the appliance, it has no impact on future versions of Hyperic raising. If someone feels so familiar with PostgreSQL, it is enough to load into the database new hyperic.keystore file and restart the server. Otherwise, apply the method described by me.

EDIT 22.10.2015:

And the magic is this:

  1. Stop Hyperic Server.
  2. Prepare new keystore and copy it to conf directory.
  3. Connect to PostreSQL HQ database as hqadmin.
  4. Execute SQL Script: DELETE FROM eam_keystore WHERE TYPE=’PrivateKeyEntry’ AND alias_name=’hq’;
  5. Start Hyperic Server (new key is copied from keystore into db).


Rate this article:
[Total: 0 Average: 0]

Author: Piotr Pisz

Computer always, since I got a Commodore 64 at the end of primary school, through his beloved Amiga and Linux infinite number of consoles, until today, fully virtual day. Since 2001, Unix/Linux Systems Administrator, for seven years a faithful companion and protector of Solaris system, until his sad end. In the year 2011 came in the depths of virtualization, then smoothly ascended into the clouds and continues there today. Professionally working as Systems Architect in the Polish Security Printing Works.

Leave a Reply

Required fields are marked *.