vRO Architecture Considerations When Digitally Signing Packages

Spas Kaloferov

In this blog post we will take a look at how digitally signing packages in VMware vRealize® Orchestrator™ (vRO) may affect the way you deploy vRO in your environment.

In some use cases, digitally signing workflow packages may affect your vRO architecture and deployment. Let’s consider a few examples.

Use Case 1 (Single Digital Signature Issuer)

Let’s say you have vRO ServerA and vRO ServerB in your environment. You’ve performed the steps outlined in How to Change the Package Signing Certificate of a vRO Appliance (SKKB1029) to change the PSC on vRO ServerA, export the keystore, and import it on vRO ServerB. This will allow the following:

  • vRO ServerA can digitally sign workflow packages, and vRO ServerB can read packages digitally signed by vRO ServerA.
  • vRO ServerB can digitally sign workflow packages, and vRO ServerA can read packages digitally signed by vRO ServerB.

Now what happens when you add vRO ServerC?

In addition to the above:

  • vRO ServerC can digitally sign workflow packages, and vRO ServerA and vRO ServerB can read packages digitally signed by vRO ServerC.
  • vRO ServerA and vRO ServerB can digitally sign workflow packages, and vRO ServerC can read packages digitally signed by vRO ServerA and vRO ServerB.

This is great as long as you have imported the PSC keystore and the private key/secret key on all vRO servers. Let’s see what happens in a more complex scenario.

The following diagram illustrates the example:

vRO Architecture

Use Case 2 (Multiple Digital Signature Issuers)

Let’s say you have multiple customers digitally signing packages, and you have to read the packages they send you.

Consider the following:

  • CustomerA encrypts a package with PSC CertA from vRO ServerA and sends you the package.
  • CustomerB encrypts a package with PSC CertB from vRO ServerB and sends you the package.
  • Both customers can provide you their PSC keystores (KeystoreA and KeystoreB), so that you can import them in vRO and read the digitally signed packages they send you.
  • You have a single vRO ServerC appliance.

Since you have only one vRO appliance instance in this use case, you will only be able to read packages from one customer. This is because you need to import both KeystoreA and KeystoreB to read digitally signed packages from both CustomerA and CustomerB.

You cannot perform this on a single vRO appliance. A vRO appliance can only have one PSC keystore. You will need to install a vRO appliance instance for each customer.

The following diagrams illustrate the example:

vRO Architecture
vRO Architecture

Now consider that CustomerA and CustomerB are actually VMware vRealize® Automation™ (vRA) tenants (TenantA and TenantB). If both tenants want to digitally sign packages and use their own PSC certificates, you may have to configure a different vRO appliance instance for each vRA tenant.
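As an added illustration (not code from this post or from VMware), the following Python model captures both use cases above: appliances that share one imported keystore can read each other's packages, while a single appliance holding one keystore cannot read packages signed with another. The HMAC-based signature, the secrets and the server names are constructed stand-ins for vRO's real certificate-based signing, which this model does not reproduce.

```python
# Added example, not part of the original post: a minimal model of the
# constraint described above. Each vRO appliance holds exactly one PSC
# keystore, and a package can only be read on an appliance whose keystore
# matches the one that signed it. Signing is modelled with an HMAC over
# the package bytes; this is an assumption of the model, not vRO's format.
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Keystore:
    """One PSC keystore: a name plus the secret used to sign packages."""
    name: str
    secret: bytes

    @property
    def fingerprint(self) -> str:
        # Identifies which keystore signed a package (constructed scheme).
        return hashlib.sha256(self.secret).hexdigest()[:16]


@dataclass(frozen=True)
class SignedPackage:
    content: bytes
    signer_fingerprint: str
    signature: bytes


@dataclass
class VroAppliance:
    """A vRO appliance can hold only one PSC keystore at a time."""
    name: str
    keystore: Keystore

    def sign(self, content: bytes) -> SignedPackage:
        sig = hmac.new(self.keystore.secret, content, hashlib.sha256).digest()
        return SignedPackage(content, self.keystore.fingerprint, sig)

    def can_read(self, pkg: SignedPackage) -> bool:
        if pkg.signer_fingerprint != self.keystore.fingerprint:
            return False  # signed by a keystore this appliance does not hold
        expected = hmac.new(self.keystore.secret, pkg.content, hashlib.sha256).digest()
        return hmac.compare_digest(expected, pkg.signature)


def appliances_needed(packages) -> int:
    """Minimum appliances to read every package: one per distinct signer."""
    return len({p.signer_fingerprint for p in packages})
```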

The post vRO Architecture Considerations When Digitally Signing Packages appeared first on VMware Professional Services and Education Insights.

Source: VMware Virtualization – blogs.vmware.com