Recently I ran into a problem with a vRealize Log Insight cluster that I had imported into vRealize Lifecycle Manager (vRSLCM). I wanted to extend the cluster by one additional node, but that was not possible because vRSLCM requires an SSL certificate for Log Insight in Locker to proceed with the installation. I had a CA-signed certificate, but my private key was missing.
Here is how you can recover your private key from the Log Insight keystore. Log in to the vRLI appliance master node as root via SSH or the console (press ALT+F1 in the console to log in).
First, look in the /storage/core/loginsight/config/ directory and note the loginsight-config.xml# file with the highest number. Run the following command against that file (#65 in my case) and note the keystore password it shows:
cat /storage/core/loginsight/config/loginsight-config.xml#65 | grep keystore
Now change to the following directory:
cd /usr/lib/loginsight/application/3rd_party/apache-tomcat-8.5.65/conf/
Find your certificate alias:
/usr/java/default/bin/keytool -list -keystore keystore
In my case the alias is tomcat. Export the certificate:
/usr/java/default/bin/keytool -exportcert -keystore keystore -rfc -alias tomcat -file /tmp/rootcert.pem
Next you have to extract the private key, but keytool cannot do that. The solution is to convert your keystore to PKCS12 with the following command:
/usr/java/default/bin/keytool -importkeystore -srckeystore keystore -destkeystore /tmp/keystorepkcs12.p12 -deststoretype PKCS12
After successfully converting your keystore, you can read your private key with the OpenSSL tools. Run the following command:
openssl pkcs12 -in /tmp/keystorepkcs12.p12 -nocerts -nodes
You should now have your CA-signed certificate and private key to import into vRealize Lifecycle Manager.
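The export steps above collected into one script, as an added example that is not part of the original post: it keeps the unencrypted key out of world-readable locations, removes the intermediate PKCS12 file, and checks that the extracted key really belongs to the exported certificate. The function names export_key and key_matches_cert and the output directory /root/vrli-export are assumptions.

```shell
#!/bin/sh
# Added example: the post's export steps as functions. export_key and
# key_matches_cert are hypothetical names; the output layout is an assumption.
KEYTOOL=/usr/java/default/bin/keytool   # path used in the post

# Return 0 only if the private key in $2 belongs to the certificate in $1.
# Compares the public key derived from each file; returns 2 if either is unreadable.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# export_key KEYSTORE ALIAS OUTDIR
# keytool and openssl prompt for the keystore password noted earlier.
export_key() {
    keystore=$1 cert_alias=$2 outdir=$3
    # -nodes writes the key unencrypted, so keep every output owner-only.
    umask 077
    mkdir -p "$outdir" || return 1
    "$KEYTOOL" -exportcert -keystore "$keystore" -rfc -alias "$cert_alias" \
        -file "$outdir/cert.pem" || return 1
    "$KEYTOOL" -importkeystore -srckeystore "$keystore" \
        -destkeystore "$outdir/keystore.p12" -deststoretype PKCS12 || return 1
    openssl pkcs12 -in "$outdir/keystore.p12" -nocerts -nodes \
        -out "$outdir/key.pem" || return 1
    # The PKCS12 copy holds the same key; remove it once the PEM exists.
    rm -f "$outdir/keystore.p12"
    if key_matches_cert "$outdir/cert.pem" "$outdir/key.pem"; then
        echo "key matches certificate: $outdir/key.pem"
    else
        echo "key does NOT match certificate" >&2
        return 1
    fi
}

# Usage on the appliance, from the Tomcat conf directory
# (/root/vrli-export is an assumed location):
#   export_key keystore tomcat /root/vrli-export
```

Delete key.pem from the appliance once the certificate and key have been imported into Locker.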