

Connect to vCloud Director (Carrenza only)

vCloud Director is the interface we use to manage our infrastructure in Carrenza. This includes virtual machines, gateways, firewalls and VPNs between providers.

To access vCloud Director, you will need to connect to a Carrenza-provided VPN. You can use either Cisco AnyConnect or OpenConnect as a VPN client for this.

Setting up the Cisco AnyConnect VPN profile on a Mac

  1. Make sure you have the latest version of govuk-secrets.

  2. Install oathtool (this will be used to generate one-time passwords).

    $ brew install oath-toolkit

  3. Get the VPN client certificate and private key from the 2nd line password store and save the decrypted contents to a file on your machine (for example ~/carrenza-vpn-cert-and-key.pem).

    $ PASSWORD_STORE_DIR=~/govuk/govuk-secrets/pass/2ndline pass carrenza/vpn-certificate > ~/carrenza-vpn-cert-and-key.pem

  4. Get the VPN credentials, also from the 2nd line password store.

    $ PASSWORD_STORE_DIR=~/govuk/govuk-secrets/pass/2ndline pass carrenza/vpn-credentials
    Certificate passphrase: ...
    MFA key: ................
    Password: ...
    VPN gateway: ...

  5. Convert the VPN client certificate from PEM format to PFX format. You will be asked for two passwords (one for decrypting the PEM and one for encrypting the PFX). The first password is the Certificate passphrase field from carrenza/vpn-credentials. The second password can be of your own choice. You will need it for the next few steps but you won’t need to remember it after that.

    $ openssl pkcs12 -export -in ~/carrenza-vpn-cert-and-key.pem -out ~/carrenza-vpn-cert-and-key.pfx
    Enter pass phrase for /Users/.../carrenza-vpn-cert-and-key.pem: <Certificate passphrase from vpn-credentials>
    Enter Export Password: <Password from vpn-credentials>
    Verifying - Enter Export Password:

  6. Import the PFX format certificate into your macOS login keychain. You’ll be asked for a password. Enter the passphrase which you used to encrypt the PFX file (Certificate passphrase field from carrenza/vpn-credentials).

    $ security import ~/carrenza-vpn-cert-and-key.pfx

  7. Delete the PFX file as it is no longer needed.

    $ rm ~/carrenza-vpn-cert-and-key.pfx
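
A pre-flight check for the certificate file saved from the password store above, as an added example that is not part of the original page. A file created by shell redirection gets your default umask permissions, so the function (a hypothetical name) checks that only the owner can read it and that it holds a certificate plus a passphrase-protected private key.

```shell
#!/bin/sh
# Added example, not part of the original page.
# check_vpn_pem FILE prints one finding per line and returns 0 only when
# the file is private to its owner and holds a certificate plus an
# encrypted private key.
check_vpn_pem() {
    pem=$1
    rc=0
    if [ ! -f "$pem" ]; then
        echo "missing: $pem"
        return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ldL "$pem" | cut -c5-10)" != "------" ]; then
        echo "permissions: group or others can access the file (chmod 600 it)"
        rc=1
    fi
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "content: no certificate block"
        rc=1
    fi
    if ! grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "content: no private key block"
        rc=1
    # PKCS#8 marks encryption in the label, traditional PEM in a header line.
    elif ! grep -Eq -- '-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "content: private key is not passphrase-protected"
        rc=1
    fi
    return "$rc"
}

# Usage: sh check_vpn_pem.sh ~/carrenza-vpn-cert-and-key.pem
if [ "$#" -gt 0 ]; then
    check_vpn_pem "$1"
fi
```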

Connecting with OpenConnect

  1. Install OpenConnect: brew install openconnect

  2. Run OpenConnect. Make sure you provide the correct path to where you’ve saved the VPN client certificate, followed by the VPN gateway field from carrenza/vpn-credentials as the server to connect to.

    $ sudo openconnect -c ~/carrenza-vpn-cert-and-key.pem <VPN gateway from vpn-credentials>

     1. The first password is your machine password (requested by sudo).
     2. The second password (the PEM passphrase) is the certificate passphrase from the password store.
     3. The third password is the 2FA code (use oathtool -b <MFA-key-from-password-store> --totp).
     4. The fourth password is the password from the password store.

Accessing vCloud Director

  1. Fetch the vCloud Director credentials for the environment that you want to connect to.

    $ PASSWORD_STORE_DIR=~/govuk/govuk-secrets/pass/2ndline pass carrenza/vcloud-integration
    ......... <a long string which is the VCloud Director password>
    User: <username for logging into VCloud Director>
    Org: <this string goes in the URL path for accessing VCloud Director>
  2. Ensure that you are connected to the Carrenza VPN (see above).

  3. Visit{organisation}/ (replacing {organisation} with the value of the Org field from the password store entry).

  4. Log in with the username and password from the password store entry.

This page was last reviewed on 26 November 2019. It needs to be reviewed again on 26 May 2020 by the page owner #re-govuk.