SolarWinds NPM in HA Web Certificate steps

Hi all.

We have a new SolarWinds NPM installation in HA, and we wish to enable an SSL web certificate on the VIP IP. What are the steps to accomplish this? I can't seem to find any guides explaining this.

In a normal single-node installation we would normally make the CSR from IIS and import it once signed, and then it would work, but I'm not sure how to do it in an HA setup.

Can anyone guide me in the right direction, or maybe have a guide?

Thanks in advance.

Top Replies

  • You shouldn't need to mess with IIS at all. Simply import the certificate using Windows Certificate Manager and then select the certificate Orion should use as part of the website section of the Configuration Wizard. Repeat this same step on the HA backup. 

  • Hi aLTeReGo

    But to generate the certificate, many of the vendors ask for a CSR file. Is it any different in the above case? If yes, can you please guide me further on this?

    I understand we can install the cert using Windows Cert Manager, but if an SSL cert needs to be generated, don't we have to provide a CSR file?

  • There are a variety of different ways to generate a CSR. IIS is obviously the easiest, but honestly it can be any IIS server. It doesn't need to be the Orion server if you don't want it to be. You can even generate these on your workstation.

    Regardless of where/how you generate the CSR, the proper way of importing the Certificate into Orion once you have it, is through the Configuration Wizard. In an HA pair, that requires failing over to the secondary to run the Configuration Wizard. The alternative way without failing over is to import the certificate into the Windows certificate store directly. Note that you aren't generating two CSRs or handling two different certificates. You will be using the same certificate for both members in an HA pool. Certificates are bound to the virtual name, not individual servers.
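
One way to carry out what the reply above describes using built-in Windows tooling (`certreq` and the PKI cmdlets), as an added example that is not from the thread or from SolarWinds. The hostname `orion-vip.example.com` and the `C:\certs` folder are placeholders; selecting the imported certificate for the Orion website is still done in the Configuration Wizard.

```powershell
# Added example; orion-vip.example.com and C:\certs are placeholders.
$vipName = 'orion-vip.example.com'   # the HA virtual hostname users browse to
$workDir = 'C:\certs'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# --- Any Windows machine: build the request. The key is created locally and
# --- marked exportable so the one issued certificate can go to both pool members.
$inf = @"
[Version]
Signature = "`$Windows NT`$"
[NewRequest]
Subject = "CN=$vipName"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$vipName&"
"@
Set-Content -Path "$workDir\vip.inf" -Value $inf -Encoding ASCII
certreq.exe -new "$workDir\vip.inf" "$workDir\vip.csr"   # send vip.csr to the CA

# --- Same machine, once the CA returns vip.cer: pair it with the private key.
certreq.exe -accept -machine "$workDir\vip.cer"

# --- Export certificate + key as a password-protected PFX for the pool members.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.DnsNameList.Unicode -contains $vipName } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
$pfxPassword = Read-Host -AsSecureString 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$workDir\vip.pfx" -Password $pfxPassword | Out-Null
"Thumbprint to expect on both members: $($cert.Thumbprint)"

# --- On each HA pool member, after copying vip.pfx over a trusted channel:
$pfxPassword = Read-Host -AsSecureString 'PFX password'
$imported = Import-PfxCertificate -FilePath "$workDir\vip.pfx" `
    -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPassword
"Imported thumbprint: $($imported.Thumbprint); has key: $($imported.HasPrivateKey)"
Remove-Item "$workDir\vip.pfx"   # do not leave the exported key on disk
```

The thumbprint printed on each pool member should match the one printed at export, which confirms both servers hold the same certificate for the virtual name.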

  • Thank you aLTeReGo, we had discussed this a few years ago but couldn't find the thread; that's the reason I thought I would check with you once again. Thanks a ton.

  • I know this is an "old" thread, but could I get some clarification on whether this would be 'a correct way' to do this:

    1. Get the certificate and have it "imported" into the certificate store on the primary. The Certificate could be for the VIP IP address only, but could also have any extra DNS names for that VIP, etc.

    2. Failover to secondary in HA cluster

    3. Run the Configuration Wizard on the primary/non-active server. The config wizard will ask for the website configuration + certificate. Also: I believe the config wizard has 3 checkboxes? for what you want to configure, so I assume you would only need to select "Website" and leave "Services" and "Database" alone?

    4. Configuration Wizard completes.  Fail the HA cluster back over to the primary. Primary is now using HTTPS and using the certificate.

    5. Manually import the certificate into the secondary server certificate store, into the same folder/location it exists in the primary certificate store.

    Question: is the secondary now going to actually use HTTPS and the certificate if the system is failed over to the secondary? What I question is: wouldn't the secondary also need to have the IIS website "reconfigured" using the config wizard as well?