how to enable ssl in horizon application manager - wildcard v2
Activating HTTPS using wildcard certificate in Horizon Application Manager 1.5

Authors:
Rasmus Jensen, Sr. Specialist Consultant EUC, NEMEA, VMware Inc.
Peter Björk, EMEA Horizon & ThinApp Specialist Systems Engineer, VMware Inc.
Contents

The Horizon Application Manager implementation
Activate HTTPS on service-va and external connector using public CA
  1. Create a certificate request
  2. Generate a certificate
  3. Build a certificate chain
  4. Activate the certificate on service-va
  5. Import the new service-va certificate on connector
  6. Activate the certificate on the external connector
Disable HTTP access on all components
  1. Disable HTTP on the service-va
  2. Disable HTTP on the connectors
  3. Verify access to SaaS based applications
The Horizon Application Manager implementation

The Horizon installation used in this guide looks like the picture below. The implementation uses one connector for internal users, offering Kerberos Single Sign-On to domain members who access the Horizon workspace from the LAN. Another connector serves the external users and is located in the DMZ. The service-va (the workspace) and the external connector are both accessible from the Internet.
Component        Hostname                       Externally accessible
Service-va       workspace.myhorizondemo.com    Yes
Connector (DMZ)  ext-con.myhorizondemo.com      Yes
Connector (LAN)  connector.pinata.local         No

Now that you have a picture of the implementation, let's get started securing the installation with certificates.
Activate HTTPS on service-va and external connector using public CA
1. Create a certificate request

The first thing we have to do is generate a certificate request. This request is later used to obtain a signed certificate from a public Certificate Authority (CA). For reference, VMware has several KB articles on how to generate certificate requests; http://kb.vmware.com/kb/2015383 links to many of them.
Download and install OpenSSL

OpenSSL is the tool we will use to create the certificate request. It is available for many platforms; in this guide we use the Windows version.
You can download Win32 OpenSSL from http://slproweb.com/products/Win32OpenSSL.html.
For this guide we downloaded the full Win32 OpenSSL v1.0.0j 16MB installer. You could probably download one of the smaller packages and still get away with it.
Install OpenSSL on a Windows client. We used the default location of C:\OpenSSL-Win32.
Edit the openssl.cfg

The openssl.cfg file is used to specify your certificate request. You can copy and paste the example file from http://kb.vmware.com/kb/2015387 into the C:\OpenSSL-Win32\bin\openssl.cfg file.
The part of the file you have to modify in order to generate a certificate request is shown below. For a wildcard certificate request subjectAltName is not relevant.

[ req_distinguished_name ]
# change these settings for your environment
countryName = SE
stateOrProvinceName = Stockholm
localityName = Stockholm
0.organizationName = Peter Bjork
organizationalUnitName = IT
commonName = *.myhorizondemo.com
emailAddress = [email protected]

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: ext-con.myhorizondemo.com, DNS: view.myhorizondemo.com, DNS: gtw.myhorizondemo.com, DNS: services.myhorizondemo.com

Since we are requesting a wildcard certificate, the additional hostnames listed in subjectAltName are not important.
Save your modified openssl.cfg.
Generate the certificate request

Open a cmd prompt and navigate to C:\OpenSSL-Win32\bin\.
Run the command:

openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg

This command creates two files:
rui.csr which is your certificate request.
rui.key which is your private key. Make sure you store your private key in a safe place. Without the private key your certificate becomes useless.
Run the command:

type rui.csr

This displays your certificate request. Copy the content of your rui.csr file; here we did it straight from the cmd prompt. Make sure you include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.
2. Generate a certificate

The next step is to use our certificate request to obtain a signed certificate. We will use a publicly trusted CA, so that all browsers trust the certificate. In this guide we use GoDaddy (godaddy.com) as our CA. There are many other CAs out there and any of them should work; VMware does not recommend a particular Certificate Authority. It is important to make sure you request a wildcard certificate.
First we have to purchase the correct certificate type. This can be tricky since there are so many variations. For this guide we purchased the one called Single Domains with Unlimited Sub Domains (Wildcard).
Click Set Up.
Go to the Credits folder and click “Click here to update your list” until you see your purchase listed. When available click Request Certificate.
Paste in the content of your certificate request (rui.csr) and click Next.
Since the domain name used in this guide was purchased on GoDaddy, our ownership of the domain is validated automatically. Before a CA can issue you a certificate it must verify that you own the domain or are authorized to request certificates on its behalf. This validation is often done by email. Click Next.
Click Next.
Click Finished.
It may take a while, but eventually your certificate request will be approved and your signed certificate will show up under Certificates. Click your wildcard certificate, in our case *.myhorizondemo.com.
Click Download.
Choose Tomcat as your server type and click Download.
The certificate is delivered as a zip file including some other certificates. Extract the zip file.
3. Build a certificate chain

The signed certificate we downloaded only includes part of the whole certificate chain. To import it successfully into Horizon we must add the rest of the chain to it and then store the result as a keystore file. Later this keystore file will be copied to our service-va.
Go to https://certs.godaddy.com/anonymous/repository.seam to access the rest of the certificate chain we need. Download:

Go Daddy Secure Server Certificate (Intermediate Certificate), file name: gd_intermediate.crt
Go Daddy Class 2 Certification Authority Root Certificate, file name: gd-class2-root.crt
To build the chain and create a keystore we will use a tool called KeyStore Explorer.
Download KeyStore Explorer from http://www.lazgosoftware.com/kse/index.html and install it. Next we’ll have to convert our private key into a format we can import into KeyStore Explorer.
1. Open a cmd prompt and navigate to the C:\OpenSSL-Win32\bin folder.
2. Run the command:

openssl.exe

3. In the OpenSSL console run the command:

rsa -in rui.key -inform PEM -out output.key -outform DER

This creates output.key, which is your private key in a format that can be imported into KeyStore Explorer. Make sure to store output.key in a safe place.
Launch KeyStore Explorer.
Create a new keystore; choose JKS as the type.
Click Tools – Import Key Pair.
Choose OpenSSL as the type.
Fill in:
Encrypted Private Key: disabled
OpenSSL Private Key File: output.key (the converted private key file)
Certificate(s) File: your signed certificate (in our case the myhorizondemo.com.crt file)
Click Import.
The Alias name must be tcserver. Click OK.
The password must be changeme. Click OK.
Verify import was successful. Click OK.
Right click tcserver and choose View Details – Certificate Chain Details.
This shows your certificate chain. As you can see, it only contains your signed certificate. We must therefore add the rest of the chain from our CA. Click OK.
Right click tcserver and choose Edit Certificate Chain – Append Certificate.
Choose the gd_intermediate.crt file downloaded earlier from https://certs.godaddy.com/anonymous/repository.seam. Click Append.
Verify the append was successful. Click OK.
Right click tcserver and choose View Details – Certificate Chain Details.
As you can see, we have now added one more part to the certificate chain. We only need to add the last part, the root, and then we have our complete certificate chain. Click OK.
Right click tcserver and choose Edit Certificate Chain – Append Certificate.
Choose the gd-class2-root.crt file downloaded earlier from https://certs.godaddy.com/anonymous/repository.seam. Click Append.
Verify the append was successful. Click OK.
Right click tcserver and choose View Details – Certificate Chain Details.
Now the complete chain is built, and we can create the keystore file we will upload to the service-va. Click OK.
Press Save and again specify changeme as the password.
Name the new keystore tcserver.keystore.
4. Activate the certificate on service-va
Activate SSH access for root

We will have to copy our tcserver.keystore to the service-va. To make that easier, we start by enabling root SSH access.
1. Open the service-va console.
2. Log in as root.
3. Run the command:

vi /etc/ssh/sshd_config

Change PermitRootLogin to yes. Save and exit using :wq.
Restart the SSH daemon (service sshd restart). Go back to the service-va console menu by typing exit and pressing Enter.
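The sshd_config change above is one you will want to reverse once the keystore is in place. The following Python routine is an added example, not part of the VMware guide or the appliance: it sets the PermitRootLogin directive in the configuration text and can set it back to no afterwards. It assumes standard sshd_config syntax (first occurrence of a keyword wins, directives after a Match block apply only inside that block); the sample configuration embedded in it is constructed for illustration.

```python
"""Turn root SSH login on for the keystore copy and back off afterwards.

Added example, not part of the VMware guide or the appliance. It edits the
sshd_config text so the same routine serves both directions. sshd honours
the first occurrence of a keyword, and any directive placed after a "Match"
block applies only inside that block, so the new line is written before the
first Match block and later global duplicates are removed.
"""
import re

DIRECTIVE = "PermitRootLogin"
# Values sshd accepts for PermitRootLogin (prohibit-password is the newer
# spelling of without-password).
ALLOWED = ("yes", "no", "without-password", "prohibit-password", "forced-commands-only")
_DIRECTIVE_LINE = re.compile(r"^\s*#?\s*PermitRootLogin\b", re.IGNORECASE)
_MATCH_LINE = re.compile(r"^\s*Match\b", re.IGNORECASE)


def set_permit_root_login(config_text: str, value: str) -> str:
    """Return config_text with exactly one active global 'PermitRootLogin <value>'."""
    if value not in ALLOWED:
        raise ValueError(f"unsupported PermitRootLogin value: {value!r}")
    out = []
    placed = False
    in_match = False
    for line in config_text.splitlines():
        if _MATCH_LINE.match(line):
            if not placed:
                out.append(f"{DIRECTIVE} {value}")  # keep it global, ahead of Match
                placed = True
            in_match = True
        if not in_match and _DIRECTIVE_LINE.match(line):
            # First global occurrence (active or the commented-out default) is
            # replaced; any later global duplicate is dropped.
            if not placed:
                out.append(f"{DIRECTIVE} {value}")
                placed = True
            continue
        out.append(line)
    if not placed:
        out.append(f"{DIRECTIVE} {value}")
    return "\n".join(out) + "\n"


def effective_permit_root_login(config_text: str) -> str:
    """Value sshd applies globally: the first occurrence before any Match
    block, or 'default' when the directive is not set at all."""
    for line in config_text.splitlines():
        if _MATCH_LINE.match(line):
            break
        m = re.match(r"^\s*PermitRootLogin\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1).lower()
    return "default"


# Constructed sample, not the appliance's real /etc/ssh/sshd_config.
SAMPLE_SSHD_CONFIG = """Port 22
#PermitRootLogin no
PasswordAuthentication yes
Match User backup
    PermitRootLogin no
"""

if __name__ == "__main__":
    enabled = set_permit_root_login(SAMPLE_SSHD_CONFIG, "yes")
    print(enabled)
    print("effective after enabling:", effective_permit_root_login(enabled))
    reverted = set_permit_root_login(enabled, "no")
    print("effective after reverting:", effective_permit_root_login(reverted))
```

Read /etc/ssh/sshd_config, pass its text through set_permit_root_login with "yes" before the copy and with "no" afterwards, write it back and restart sshd each time; effective_permit_root_login is the check that the value sshd will actually apply is the one you intended.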
Generate a certificate request on the service-va

We will now create a certificate request on the service-va. This request will not be used, since we already have made our request and have our signed certificate, but we must create it anyway. First we must verify that HTTPS is active on your service-va; if not, make sure to activate it before generating the certificate request. Open the service-va console.
Choose Configure.
Enter 4 and hit Enter.
On our service-va HTTPS is already active. Enter Q and hit Enter to go back.
Choose 3.
The domain name must match your wildcard certificate. Hit Enter.
Copy your own keystore to the service-va

Once the certificate request is generated it is time to copy our own tcserver.keystore to the service-va.
I use WinSCP and log in as root to copy the tcserver.keystore file.
1. Navigate to /opt/vmware/horizon/horizoninstance/conf.
2. Rename the existing tcserver.keystore file to tcserver.keystore.old.
3. Copy the new tcserver.keystore to /opt/vmware/horizon/horizoninstance/conf.
Go back to the service-va console and restart the Web Service using option 5 and then option 3.
Verify HTTPS access

Verify that your service-va is accessible via HTTPS and is using your signed wildcard certificate.
In our case we access https://workspace.myhorizondemo.com
If you look at the certificate you should see it is your wildcard being used.
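To check from a script what the browser shows in its certificate dialog, the following Python code is an added example, not part of the VMware guide: it fetches the certificate served by a host (workspace.myhorizondemo.com by default, the hostname used in this guide) and tests whether one of the certificate's names covers the host under the single-label wildcard rule of RFC 6125, so that *.myhorizondemo.com is seen to cover workspace.myhorizondemo.com but not a deeper name. The dNSName entries in subjectAltName are consulted first and the common name only as a fallback, because current browsers ignore the CN. The certificate dictionary at the bottom is constructed to stand in for a live result.

```python
"""Check which names a server certificate covers and whether a wildcard
name matches the host, as a browser would judge it.

Added example, not part of the VMware guide. wildcard_covers() applies the
single-label rule of RFC 6125 section 6.4.3: "*" has to be the whole
leftmost label and stands for exactly one label, so *.myhorizondemo.com
covers workspace.myhorizondemo.com but not myhorizondemo.com or
a.b.myhorizondemo.com. names_in_cert() prefers subjectAltName dNSName
entries and falls back to the CN only when there are none, since current
browsers ignore the CN. fetch_cert() does the live connection.
"""
import socket
import ssl
from typing import Any, Dict, List


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """True if a certificate name (possibly a wildcard) matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, must be the only one,
    # and needs at least two fixed labels after it (no "*.com").
    if p_labels[0] != "*" or "*" in p_labels[1:] or len(p_labels) < 3:
        return False
    # One wildcard label covers exactly one host label: same label count,
    # identical tail, non-empty leftmost host label.
    return len(h_labels) == len(p_labels) and h_labels[0] != "" and h_labels[1:] == p_labels[1:]


def names_in_cert(cert: Dict[str, Any]) -> List[str]:
    """DNS names the certificate is valid for, from the dict shape that
    ssl.SSLSocket.getpeercert() returns."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def cert_covers_host(cert: Dict[str, Any], hostname: str) -> bool:
    """True if any name in the certificate covers hostname."""
    return any(wildcard_covers(name, hostname) for name in names_in_cert(cert))


def fetch_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> Dict[str, Any]:
    """Connect with the system trust store and return the served certificate.
    A chain or name mismatch raises ssl.SSLError before anything is returned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed stand-in for a getpeercert() result from a CN-only wildcard
# certificate like the one issued in this guide.
CONSTRUCTED_WILDCARD_CERT: Dict[str, Any] = {
    "subject": ((("countryName", "SE"),), (("commonName", "*.myhorizondemo.com"),)),
    "subjectAltName": (),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "workspace.myhorizondemo.com"
    live = fetch_cert(host)
    print("names in served certificate:", names_in_cert(live))
    print("covers", host, "->", cert_covers_host(live, host))
```

Run it with the workspace hostname, then with the external connector hostname once step 6 is done; both should report the wildcard name and True. The LAN connector's name (connector.pinata.local in this guide) is outside the wildcard's domain and will report False, which is expected.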
5. Import the new service-va certificate on connector

Since the certificate used by the service-va has now been changed, you must import the new service-va certificate on your connectors. This should be performed on all your active connectors.
Open the connector console and choose Configure.
Choose menu option 3.
The connector now automatically imports and trusts the service-va certificate.
Verify that menu option 3 is now all green.
6. Activate the certificate on the external connector

So far we have enabled secure access to our service-va. We will now activate HTTPS on our external connector.
Create a private key supported by the connector

First we have to export our private key from the keystore we created for our service-va.
Launch KeyStore Explorer and open the tcserver.keystore created earlier.
Enter changeme as the password and click OK.
Right click tcserver and choose Export – Export Private Key.
Enter changeme as the password and click OK.
Choose OpenSSL as the type and click OK.
Make sure to disable Encrypt. Enter a path and file name (we used c:\public.key) and click Export.
Verify the export was successful and click OK.
If you open the exported file it should start with:

-----BEGIN RSA PRIVATE KEY-----

This is important for the import to the connector to succeed.
Import the public certificate and private key to the connector

Open a web browser and navigate to your connector's admin interface (https://url_to_connector:8443).
1. Under External Access, paste your signed wildcard certificate as the SSL Certificate and paste your newly exported private key (we used the file name public.key) as the Private Key.
2. Make sure there are no extra line breaks in your certificates. If there are, delete them, but be careful not to delete any characters.
3. Click Save.
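The line-break check in step 2, and the requirement noted earlier that the exported key begins with BEGIN RSA PRIVATE KEY, can be automated before pasting. The following Python function is an added example, not part of the VMware guide or the connector: it cleans a PEM block (dropping blank and whitespace-only lines, rewrapping the base64 body at the standard 64 columns), verifies that the body decodes to DER, and reports the block type so a key exported in PKCS#8 form (BEGIN PRIVATE KEY) or a mismatched END line is caught before the import fails. The PEM samples embedded in it are constructed; their body decodes to a placeholder DER SEQUENCE, not a real key.

```python
"""Normalize a PEM block before pasting it into the connector's admin form.

Added example, not part of the VMware guide or the connector. Stray blank
lines or a damaged header make the connector reject the paste, and the
guide expects the key in the traditional "RSA PRIVATE KEY" form, so the
cleaner strips blank lines, rewraps the body, checks that the body decodes
to a DER SEQUENCE (tag 0x30) and returns the block type for inspection.
"""
import base64
import binascii
import re
from typing import Tuple

HEADER = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
FOOTER = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def normalize_pem(text: str) -> Tuple[str, str]:
    """Return (block_type, cleaned_pem) for the first PEM block in text.

    Raises ValueError when no well-formed block is found, the END line does
    not match the BEGIN line, or the body is not base64-encoded DER.
    """
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # Skip anything ahead of the BEGIN line (e.g. "Bag Attributes" that
    # openssl prints before a block).
    start = next((i for i, ln in enumerate(lines) if HEADER.match(ln)), None)
    if start is None:
        raise ValueError("no -----BEGIN ...----- line found")
    block_type = HEADER.match(lines[start]).group(1)
    body = []
    for ln in lines[start + 1:]:
        m = FOOTER.match(ln)
        if m:
            if m.group(1) != block_type:
                raise ValueError(f"END {m.group(1)!r} does not match BEGIN {block_type!r}")
            break
        body.append(ln)
    else:
        raise ValueError(f"missing -----END {block_type}----- line")
    b64 = "".join(body)
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded body is not a DER SEQUENCE")
    wrapped = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return block_type, f"-----BEGIN {block_type}-----\n{wrapped}\n-----END {block_type}-----\n"


def key_ready_for_connector(text: str) -> bool:
    """True when text holds a well-formed key in the traditional RSA form the
    guide expects; False for PKCS#8 ("PRIVATE KEY") or a damaged block."""
    try:
        block_type, _ = normalize_pem(text)
    except ValueError:
        return False
    return block_type == "RSA PRIVATE KEY"


# Constructed sample: the body "MAMCAQA=" decodes to the DER SEQUENCE
# { INTEGER 0 }, a placeholder standing in for a real key, with the kind
# of blank lines a copy-and-paste can introduce.
SAMPLE_KEY_WITH_BLANK_LINES = """-----BEGIN RSA PRIVATE KEY-----

MAMC

AQA=
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    kind, cleaned = normalize_pem(SAMPLE_KEY_WITH_BLANK_LINES)
    print("block type:", kind)
    print(cleaned, end="")
    print("ready for connector:", key_ready_for_connector(SAMPLE_KEY_WITH_BLANK_LINES))
```

Run normalize_pem over the text of the exported key file and of the signed certificate, paste the cleaned output, and treat a ValueError or a block type other than RSA PRIVATE KEY as a sign to redo the export rather than edit the file by hand.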
Restart your connector to make the new certificate active.
Verify HTTPS access to your connector

Launch a web browser and navigate to your connector using https://.
As you can see, our connector is responding on HTTPS.
Activate SSL authentication

The next step is to make sure authentication is made over HTTPS. Open a web browser and navigate to your connector's admin interface (https://url_to_connector:8443).
Under Internal Access, enable Use SSL and press Save. Verify that your users can still log in using the external connector. You have now successfully enabled HTTPS and SSL authentication on your external connector.
Disable HTTP access on all components

To make sure no users access Horizon using HTTP, you should disable HTTP. Before you disable HTTP, make sure you have verified access to all components using HTTPS.
1. Disable HTTP on the service-va
Log in to the service-va console and choose Configure.
Choose menu option 4.
Disable HTTP by typing 1 and Enter.
Verify HTTP is disabled.
2. Disable HTTP on the connectors

Open the connector console. These steps should be performed on all your connectors.
Choose Configure.
Choose option 2.
Disable port 80 by pressing 1 and Enter.
Verify port 80 is disabled.
3. Verify access to SaaS based applications

If you have been running your Horizon implementation with HTTP access for a while and have SaaS based applications entitled, you must log in as administrator on all SaaS applications and change the reference to your Workspace from HTTP to HTTPS.