vRO Architecture Considerations when Digitally Signing Packages (SKKB1036)

In this blog post we will take a look at how Digitally signing packages in VMware realize Orchestrator (vRO) may affect how you deploy vRO in your environment.

Update Log:

Lab Environment

The full lab logical design can be seen HERE.

Introduction

Digitally signing packages may affect how you deploy vRO in your environment.
Lets consider few examples.

 

Use Case 1 (Single Digital Signature Issuer)

Lets say you have vRO ServerA and vRO ServerB in your environment. You’ve performed the steps outlined in How to Change the Package Signing Certificate of a vRO Appliance (SKKB1029) article to change the PSC on vRO ServerA , export the keystore and import it on vRO ServerB. This will allow the following:

  • vRO ServerA can digitally sign workflow packages and vRO ServerB can read packages digitally signed by vRO ServerA
  • vRO ServerB can digitally sign workflow packages and vRO ServerA can read packages digitally signed by vRO ServerB (Vice-Versa)

Now what happens when you add vRO ServerC.
In addition to the above:

  • vRO ServerC can digitally sign workflow packages and vRO ServerA and vRO ServerB can read packages digitally signed by vRO ServerC.
  • vRO ServerA and vRO ServerB can digitally sign workflow packages and vRO ServerC read packages digitally signed by vRO ServerA and vRO ServerB.

This is great as long as you have imported the PSC keystore and the Private Key/Secret Key on all vRO Server. Let’s see what happens in a more complex scenario.
The following diagram illustrates the example:

 

Use Case 2 (Multiple Digital Signature Issuers)

Let’s say you have multiple customer’s digitally signing packages and you have to read the packages they send you.
Consider the following:

  • CustomerA encrypts a package with PSC CertA from vRO ServerA and send you the package.
  • CustomerB encrypts a package with PSC CertB from vRO ServerB and send you the package.
  • Both customers can provide you their PSC Keystores (KeystoreA and KeystoreB) so that you can import them in vRO and read the digitally signed packages they send you.
  • You have a single vRO ServerC Appliance .

Having in mind you have only one vRO appliance instance, in this use case,  you will only be able to read packages from one Customer. This is because in order to read digitaly signed packages from both CustomerA and CustomerB you need to import both KeystoreA and KeystoreB keystores.

You cannot perform this on a single vRO appliance. A vRO appliance can only have one PSC Keystore. You will need to install a vRO appliance instance for each customer.

The following diagrams illustrated the example:

 

Now consider that CustomerA and CustomerB are actually vRA Tenants (TenantA and TenantB). If both tenands want to digitally sign packages and use their own PSC Certificates you may have to configure a different vRO Appliance instance for each vRA Tenant.

 

Final Step

If all went well, go grab a beer.

Leave a Reply

Your email address will not be published. Required fields are marked *