vCloud Director: How to Preserve Network settings when deploying from a template

I got an inquiry a few weeks ago on how to deploy a vAPP from a vAPP template that will preserve the preconfigured network settings. I knew this could be done, so I fired up my lab and did a quick test.

As I found out, this can be easily achieved when adding a vAPP template into the catalog. When adding a vAPP to a catalog, ensure you select “Make Identical Copy”. This will preserve all the settings.

In this example, below is my preconfigured vAPP template. Take note of the network settings in the vAPP diagram.

Then I deployed a vAPP from this template:

This is what it looks like after deployment. The network settings are preserved.

A few things to consider when using “Make Identical Copy”. From the vCloud Director documentation: if you select Make Identical Copy on the vApp template Properties page, and select Add to My Cloud, the settings in the vApp Template are applied to the new vApp, regardless of whether customization is enabled.

These are the default values of guest customization settings.

The Enable guest customization check box is deselected.

In Windows guest virtual machines, the Change SID check box is deselected.

The password reset setting is deselected.

This means the vAPP will be exactly the same after deployment. You may encounter MAC address/IP address conflicts when multiple vAPPs from this template are powered on, since the vAPPs are exact clones of the template. You may choose to customize the vAPP after deployment, or you can “FENCE” the vAPP. Fencing basically adds an edge device which will do Proxy-ARP and NAT.

I’ve found a good blog on vAPP fencing: http://www.vfrank.org/2012/03/01/vcloud-fencing/

Using Wildcard Certificates in vCloud Director

A few months back, I did a vCloud implementation and one of the requirements was to use a signed wildcard certificate to replace the default self-signed certs. In my case, I received a CA-signed certificate from the customer. We will call the certificate certificate.pfx.

Here are the steps I followed to import the wildcard certificate (we will use both openssl and keytool commands):

1. Convert pfx to pem: openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

2. Obtain the private key from certificate.cer (cut and paste the private key to a new file, name it wildcard.key)

3. Use the following command to recreate the pfx and set alias (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name http -passout pass:password -out http.pfx

4. Use the same certificate and key to create the consoleproxy pfx (PKCS12 keystore): openssl pkcs12 -export -in certificate.cer -inkey wildcard.key -name consoleproxy -passout pass:password -out consoleproxy.pfx

5. Import the 2 PKCS12 keystores into a Java keystore using keytool:

./keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias http -destalias http -srcstorepass password
./keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore CERTIFICATES.ks -deststoretype JCEKS -deststorepass password -srcalias consoleproxy -destalias consoleproxy -srcstorepass password

6. Import the root certificate to the same keystore:
./keytool -importcert -alias root -file DigiCertHighAssuranceEVRootCA.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

7. Import the Intermediate certificate to the same keystore:
./keytool -importcert -alias intermediate -file DigiCertHighAssuranceCA-3.crt -storetype JCEKS -keystore CERTIFICATES.ks -storepass password

8. Verify the CERTIFICATES.ks keystore:
./keytool -list -keystore CERTIFICATES.ks -storetype JCEKS -storepass password

9. Provide the necessary permission:
chown vcloud:vcloud /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks

10. Stop the VCD service: service vmware-vcd stop

11. Run the configure command: /opt/vmware/vcloud-director/bin/configure

12. When prompted for the certificate, point to the following: /opt/vmware/vcloud-director/jre/bin/CERTIFICATES.ks

13. When prompted to start the cell, press y and Enter

That should be it! You can now use the wildcard certificate for both the http and console proxy connections. Hope someone finds it useful 🙂
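
The key-handling part of the procedure (steps 1 to 4) as an added example, not the post's own commands: it splits the PFX without cut and paste, keeps the unencrypted key owner-only, and checks that the key matches the certificate before building the two keystores. The function names, passwords and the self-signed `*.example.test` certificate are constructed placeholders, and unlike step 1, `certificate.cer` here holds only the leaf certificate.

```shell
# Added example. Passwords, file layout and function names are placeholders.

# Constructed stand-in for the customer's certificate.pfx (self-signed wildcard).
make_sample_pfx() {   # $1 = work dir, $2 = pfx password
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=*.example.test" \
    -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/sample.crt" -inkey "$1/sample.key" \
    -passout "pass:$2" -out "$1/certificate.pfx"
}

# Steps 1-2: split the PFX into key and certificate without hand editing.
# umask 077 keeps the unencrypted key readable by its owner only.
extract_pair() {      # $1 = work dir, $2 = pfx password
  ( umask 077
    openssl pkcs12 -in "$1/certificate.pfx" -passin "pass:$2" \
      -nocerts -nodes -out "$1/wildcard.key" 2>/dev/null &&
    openssl pkcs12 -in "$1/certificate.pfx" -passin "pass:$2" \
      -nokeys -clcerts -out "$1/certificate.cer" 2>/dev/null )
}

# Compare the public key derived from the private key with the one in the
# certificate; a mismatch means the keystore would be unusable.
key_matches_cert() (  # $1 = key file, $2 = certificate file
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || exit 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1
  [ -n "$k" ] && [ "$k" = "$c" ]
)

# Steps 3-4: one PKCS12 keystore per alias (http, consoleproxy).
build_alias_pfx() {   # $1 = work dir, $2 = alias, $3 = keystore password
  key_matches_cert "$1/wildcard.key" "$1/certificate.cer" || return 1
  ( umask 077
    openssl pkcs12 -export -in "$1/certificate.cer" -inkey "$1/wildcard.key" \
      -name "$2" -passout "pass:$3" -out "$1/$2.pfx" )
}

# After the keystores are built, the plaintext key is no longer needed.
cleanup_key() { rm -f "$1/wildcard.key"; }
```

`pass:` arguments are visible in the process list while the command runs; openssl accepts `env:` and `file:` sources for the same options.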