Understanding Serverless Discovery: Why SSL Certificates Are Required for MID Server

🎯 What is Serverless Discovery?

During my implementation of Kubernetes and Nutanix discovery, I encountered the term "Serverless Discovery" in the discovery schedule type dropdown. This was different from the traditional "Configuration Items" discovery I was familiar with.

My Initial Confusion

When I first saw "Serverless" as a discovery type, I was confused:

• 🤔 Does this mean no servers are involved?
• 🤔 Why is it called "serverless" when we're discovering servers?
• 🤔 How is this different from normal discovery?

What I Learned

The term "serverless" refers to the discovery method, not the infrastructure being discovered. It means:

• ✅ No traditional SSH/WMI/SNMP probe infrastructure needed
• ✅ No direct server-level access required and uses a Discovery Pattern
• ✅ API-driven communication over HTTPS
• ✅ Ideal for cloud-native platforms and containerized environments

🔄 Traditional vs Serverless Discovery: What I Observed

Here's the key difference I noticed during my implementations:

Traditional Discovery (What I Was Used To)

Example: Windows Server Discovery

Characteristics:

• Multiple ports and protocols required
• Direct OS-level access (SSH for Linux, WMI for Windows)
• Uses credentials like SSH keys or Windows domain accounts
• Discovery schedule type: "Configuration Items"

Serverless Discovery (What I Implemented for Kubernetes & Nutanix)

Example: Kubernetes Discovery

Example: Nutanix Discovery

Characteristics:

• Single HTTPS endpoint (one port: 443, 6443, or 9440)
• No direct OS access needed
• API-based authentication (tokens or basic auth)
• Discovery schedule type: "Serverless" or "Cloud Application"

Comparison Table

🔐 Why SSL/TLS Certificates Are Required for MID Server

This was the most confusing part of my implementation. Here's what I learned:

The Problem I Encountered

When I first ran my Kubernetes discovery schedule, it failed with this error:

Translation: The MID Server doesn't trust the SSL certificate from the Kubernetes API server.

Understanding the HTTPS Connection

Serverless discovery patterns connect to API endpoints using HTTPS (secure HTTP). When the MID Server attempts to connect, an SSL/TLS handshake must occur:

At Step 3, the MID Server checks: "Do I trust this certificate?"

If the certificate isn't in the MID Server's trust store, the connection fails.

Why This Security Check Exists

The SSL/TLS handshake ensures:

1. Server Identity Verification - Confirms we're connecting to the real Kubernetes/Nutanix API, not an imposter
2. Encrypted Communication - Protects credentials and data in transit
3. Certificate Chain Validation - Verifies the certificate is issued by a trusted authority

🔧 Why Java Keystore? (The Part That Confused Me Most)

My Initial Mistake

When I first encountered the certificate error, I thought:

• "I'll just install the certificate in Windows Certificate Store"
• "Maybe I need to add it to the Linux system trust store"

What I Learned

This means:

• ❌ Installing in Windows Certificate Store → MID Server can't see it
• ❌ Installing in Linux /etc/ssl/certs/ → MID Server can't see it
• ✅ Installing in Java keystore (cacerts) → MID Server can see it! ✅

Java Truststore Location

This cacerts file is Java's trusted certificate store - like a phonebook of "certificates I trust."

📝 The Certificate Import Process (High-Level)

Here's the general workflow I followed for both Kubernetes and Nutanix:

1Export the SSL Certificate

From the target platform (Kubernetes API server, Nutanix Prism):

• Using a web browser (view certificate → export)
• Using OpenSSL command
• Using platform-specific tools

Result: A .cer or .crt file containing the public certificate

2Transfer to MID Server

Copy the certificate file to your MID Server host (Windows or Linux)

3Import into Java Keystore

Use the keytool command (comes with Java):

Windows:

Linux:

Key Parameters:

• -alias → A friendly name for the certificate
• -keystore → Path to Java's cacerts file
• -file → Path to the certificate file
• -storepass → Password for keystore (default is changeit)

4Verify Import

5Restart MID Server

🚀 Real-World Examples: What I Implemented

I successfully implemented serverless discovery for two platforms:

⚠️ Common Certificate Errors I Encountered

1. SSLHandshakeException: PKIX Path Building Failed

2. Certificate Name Mismatch

3. MID Server Not Restarted

4. Wrong Java Truststore Modified

🛠️ Best Practices I Learned

1. Certificate Management

Track Expiration Dates:

• Most SSL certificates expire after 1-2 years
• When certificates renew on the target platform, re-import to MID Server
• Set calendar reminders 30 days before expiration

Check Certificate Expiration:

2. Multiple MID Server Environments

If you have DEV, TEST, PROD MID Servers:

• ✅ Import certificates to each MID Server separately
• ✅ Document which certificates are on which servers
• ✅ Keep certificate files in a secure, accessible location

3. Use Descriptive Certificate Aliases

4. Always Test Before Production

My workflow:

1. ✅ Export certificate from target platform
2. ✅ Import to DEV MID Server first
3. ✅ Test discovery in DEV environment
4. ✅ Document the process
5. ✅ Repeat for TEST and PROD MID Servers

5. Security Reminder

📊 When to Use Serverless Discovery

Based on my experience, serverless discovery is ideal for:

🎓 Key Takeaways: What I Want You to Remember

📚 Additional Resources

💡 Final Thoughts

When I started implementing Kubernetes and Nutanix discovery, I was confused by the term "serverless" and frustrated by SSL certificate errors. Through trial and error (mostly error! 😅), I learned:

• Serverless discovery is just a different approach - using APIs instead of traditional protocols
• SSL certificates aren't optional - they're fundamental to HTTPS security
• Java truststore management is key - you must understand where certificates go
• Documentation helps everyone - that's why I'm sharing this!