Table of contents

Connect to vCloud Director (Carrenza only)

vCloud Director is the interface we use to manage our infrastructure in Carrenza. This includes virtual machines, gateways, firewalls and VPNs between providers.

To access vCloud Director, you will need to connect to a Carrenza-provided VPN. You can use either Cisco AnyConnect or openconnect to do this.


  1. Get the VPN client certificate from the 2nd line password store.
  2. Save the certificate to a file on your machine (eg. vcloud.pem).
  3. Get the VPN credentials, also from the 2nd line password store. You’ll need to use an app (such as Google Authenticator) to turn the TOTP secret into a 2FA code.

Connecting with Cisco AnyConnect

  1. Convert the VPN client certificate from PEM format to PFX format by running openssl pkcs12 -export -in vcloud.pem -out vcloud.pfx. You’ll be asked for two passwords. For the first one, enter the VPN password, and for the second one, enter the certificate passphrase.
  2. Import the PFX format certificate into your Keychain by running security import vcloud.pfx -k ~/Library/Keychains/login.keychain-db. You’ll be asked for a password. Enter the certificate passphrase.
  3. Create a new file on your machine at /opt/cisco/anyconnect/profile/carrenza-secure.xml. and copy the following XML into that file:
<?xml version="1.0" encoding="UTF-8"?>
<AnyConnectProfile xmlns="">
      <HostName>Carrenza - Secure</HostName>
  1. Restart Cisco AnyConnect if it’s already running.
  2. Choose “Carrenza - Secure” from the drop down list and click “Connect”.
  3. The first password is the 2FA code.
  4. The second password is the VPN password.

Connecting with openconnect

  1. Run sudo openconnect -c vcloud.pem. Make sure you provide the correct path to where you’ve saved the VPN client certificate.
  2. The first password is your machine password (requested by sudo).
  3. The second password (the PEM pass phrase) is the VPN password (note, this is not the certificate passphrase).
  4. The third password is the 2FA code.
  5. The fourth password is the same password as in step 3.

Accessing vCloud Director

Once you’ve connected to the VPN, visit You can get the organsation name from the 2nd line password store entry for the relevant vCloud environment.

This page was last reviewed on 12 February 2019. It needs to be reviewed again on 12 August 2019 by the page owner #govuk-2ndline .
This page was set to be reviewed before 12 August 2019 by the page owner #govuk-2ndline. This might mean the content is out of date.