If you are using a custom CA certificate for your VCF operations for logs cluster then starting VCF Operations for Logs 8.12 and later needs a SSL certificate with below requirements and one of them is – SSL Client key usage extension. If this requirement is not met then you would see the errors in the cassandra service, the error would look something like this.
<<Unable to get user data. Possible Cassandra is down.>>
Also when you run the command below on the VRLI node you will see output similar to this
This primarily happens because the CA certificate that was generated did not have the SSL client key usage extension enabled in it. This can be done only by the Certificate Authority signing the certificate in a particular organization. So when you create a certificate signing request ensure that CA signs the certificate with SSL client key usage extension.
Here is another way to validate whether your CA certificate has the SSL client key usage extension enabled or not.
In the image above certificate on the left does have the Client Auth enabled however that is not the case with the certificate on the right. Certificate on the left is the one that’s the correct certificate to be used and applied to the Log insight cluster.
Here are some useful links to the documentation which can be used for understanding the custom SSL certificate requirements and steps that need to be used to apply the custom CA certificate for VCF operations for logs cluster.
SSL certificate requirements – https://techdocs.broadcom.com/us/en/vmware-cis/aria/aria-operations-for-logs/8-18/aria-operations-for-logs-8-18/configuring-vrealize-log-insight/install-a-custom-ssl-certificate.html
Installing a custom CA certificate Aria Operations for Logs – https://knowledge.broadcom.com/external/article/315949/install-a-custom-certificate-in-vmware-a.html
