Director and Certificate Authority Issuance

Transcription

1 VMware vcloud Director and Certificate Authority Issuance Leveraging QuoVadis Certificate Authority with VMware vcloud Director TECHNICAL WHITE PAPER OCTOBER 2012

2 Table of Contents Introduction Process Overview Java Keystore Structure Certificate Signing Request (CSR) Creation Prerequisites... 5 HTTP Service CSR Creation Proxy Service CSR Creation CSR Submission and Certificate Collection from QuoVadis CSR Submission Obtaining the SSL Certificates SSL Certificate Installation Summary Next Steps Additional Documentation VMware Contact Information QuoVadis Contact Information Providing Feedback TECHNICAL WHITE PAPER / 2

3 Introduction Cloud computing has become one of the hottest technologies today. It is being used by service providers and enterprises alike. As more and more people have been accessing cloud services via the Internet or within their corporate environments, traffic passing through the cloud has multiplied. Along with this growth and proliferation have come heightened security risks and resulting attacks to the information being shared. Security has become a paramount concern, because authenticity, confidentiality, and integrity of the information are vital and must be guaranteed. Network security leverages numerous techniques to aid in the protection of transmitted information. Traditionally, it relies on the principles of cryptology to provide the foundation of security. This involves the conversion of information into an incomprehensible form factor that is usable only to selected recipients capable of transforming the information back into a usable form. Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols commonly used today to aid in network security. Complex infrastructures such as cloud computing involve multiple connections between various hosts and external communication channels. The use of SSL certificates is an important tool to encrypt those connections to provide data privacy. SSL certificates also provide for two-way authentication. This enables a host to validate that it is connected to the intended recipient. This decreases the ability of an imposter to intercept the information transmitted. Moreover, higher value SSL certificates, such as organization validation (OV) SSL and extended validation (EV) SSL, which name the actual certificate owner, are beneficial for connections with actual end users. The end user can view the certificate details to verify that they are using the legitimate and intended Web site or device and not an imposter. With EV SSL, the name of the SSL owner is displayed next to the favicon in most desktop browsers, making this important verification easy for the user. In the past, different certificate authorities (CAs) followed different validation procedures when issuing SSL. This caused issues with interoperability and ease of use. The CA and Browser Forum, of which QuoVadis is an active member, created common standards for OV and EV SSL to create consistency across providers and regions and eliminate problems previously experienced. Browsers for all CAs in their root distribution programs have adopted these standards. Both OV and EV SSL can be issued to enterprises and service providers, with the caveat that the CA must verify that a service provider is acting as an agent for the named entity in the certificate. The speed of issuance also can be an important aspect for cloud providers in these environments. QuoVadis provides a Web application called Trust/Link, which enables domains and corporate details to be prevalidated, allowing subsequent straight-through issuance of SSL. TECHNICAL WHITE PAPER / 3

4 Process Overview Figure 1 depicts the process flow for this document. This outlines all the steps involved in requesting, configuring, obtaining and installing an SSL certificate from QuoVadis, which can be used as CA for VMware vcloud Director Obtain the necessary IP addresses Log in and download the certificates from the QuoVadis Trust/Link application Download the QuoVadis Root CA 2 and QuoVadis Global SSL ICA certificates Run the vcloud director configuration script Obtain the FQDN from the IP addresses QuoVadis approves both certificates Upload SSL, Intermediate and Root certificate to the server Upload the completed keystore file to the correct directory 3 Creat a CSR for the HTTP Service 6 Submit both the HTTP and Console Proxy Service CSRs to the QuoVadis Trust/Link applicatioin 11 Import the Root Certificate 14 Import the Console Proxy Service certificate Creat a CSR for the Console Proxy Service Download, complete and submit the QuoVadis SSL application form Import the Intermediate certificate Import the HTTP Service certificate Figure 1. The Process Flow for Using QuoVadis as Certificate Authority with VMware vcloud Director Java Keystore Structure This certificate installation requires that you create a Java keystore file using the keytool utility for certificate installation. The resulting keystore file will contain two SSL certificates along with the necessary intermediate and root certificates. By the end of this procedure, your keystore file will have a similar structure to the following diagram: Alias: Root QuoVadis Root CA 2 Alias: Intermediate QuoVadis Global SSL ICA Alias: consoleproxy public key private key Alias: http public key private key Figure 2. Representation of the Keystore Structure Upon Completion TECHNICAL WHITE PAPER / 4

5 The console proxy and the HTTP alias use the same hierarchy of certificates. Because this one keystore file contains both certificates, you can use this single file wherever it is needed after it has been created. NOTE: Because this file contains private keys and is protected by a single password, it is strongly recommended that you do not keep copies of this file in unsecured locations. You should maintain a copy of a keystore file only where absolutely needed. Certificate Signing Request (CSR) Creation Prerequisites Before beginning the procedures, the following prerequisites must be fulfilled: Obtain the IP addresses for the vcloud Director server and the fully qualified domain name (FQDN) for each. The configured IP addresses on the vcloud Director host can be identified through the use of the ifconfig a command. The FQDN for the IP addresses can be displayed using the nslookup <ip address> command, where <ip address> equates to a configured IP address. Note the FQDN names for each IP address, because this name will be used for the HTTP server and console proxy service SSL certificates. Noting the IP addresses will assist in the installation of the SSL certificate. Access the keytool utility. This utility is installed with vcloud Director by default. It is possible to use the keytool utility on another computer that has the Java Runtime Environment (JRE) Version 6 installed and then import the created Java keystore file onto your vcloud Director server. This document assumes you are using the keytool installed on your vcloud Director server. As such, after obtaining a shell to the vcloud Director server, you must change directories to the following: /opt/vmware/vcloud-director/jre/bin/keytool using the cd /opt/vmware/vcloud-director/jre/bin/keytool command. HTTP Service CSR Creation After you have fulfilled the prerequisites, type in the following command to create the keystore file (if it does not already exist) and generate the HTTP SSL certificate: $ keytool -keystore certificates.ks -storetype JCEKS -storepass psswrd -genkey -keyalg RSA -alias http To conform to the environment in question, substitutions might have to be made throughout this document. In the command examples, this is denoted by the italic text. If substitutions are made, it is important that the change be consistently applied in the exact same manner throughout all of the steps. For example, if the keystore name in the previously provided command example were changed from certificates.ks to mysslcertificate.ks, you would have to continue to use mysslcertificate.ks in place of certificates.ks. After executing the previous command, the keytool utility will prompt you for responses to several questions, as shown in the following. Replace the example input in italics with the information relevant to your environment. What is your first and last name? [Unknown]:mycloud.mydomain.com What is the name of your organizational unit? [Unknown]:MyCompanyDivision What is the name of your organization? [Unknown]:MyCompanyLegalName What is the name of your City or Locality? [Unknown]:CityOfMyCompany What is the name of your State or Province? [Unknown]:StateMyCompanyResides What is the two-letter country code for this unit? [Unknown]:MyCompanyCountryCode TECHNICAL WHITE PAPER / 5

6 The keytool utility then will summarize your entries in a final question and prompt you for validation that the information listed is correct. Using the preceding example, this would resemble the following: Is CN=mycloud.mydomain.com, OU=MyCompanyDivision, O=MyCompanyLegalName, L= CityOfMyCompany, ST=StateMyCompanyResides, C=MyCompanyCountryCode correct? [no]: This should match the information that you substituted to represent your company. As a real-world example, QuoVadis information has been used in the following summary to give you a better understanding: Is CN=mycloud.quovadisglobal.com, OU=Cloud Services, O=QuoVadis Limited, L=Hamilton, ST=Pembroke, C=BM correct? [no]: Respond to the prompt with Yes if the information is valid and you are ready to continue. Next, you will be prompted to enter a password. Press Return to use the same password (psswrd) that you used previously for the keystore file. Enter key password for <http> (RETURN if same as keystore password): Next, run the following command to obtain your CSR for the HTTP service: $ keytool keystore certificates.ks storetype JCEKS storepass psswrd certreq alias http file http.csr This creates a file called the http.csr that represents the CSR for the HTTP service. Proxy Service CSR Creation In the directory containing the keytool utility, type the following command: $ keytool keystore certificates.ks storetype JCEKS storepass psswrd genkey keyalg RSA alias consoleproxy As before, the keytool utility will prompt you for responses to several questions, as shown in the following. Replace the example input in italics with the information relevant to your environment. What is your first and last name? [Unknown]:mycloud.mydomain.com What is the name of your organizational unit? [Unknown]:MyCompanyDivision What is the name of your organization? [Unknown]:MyCompanyLegalName What is the name of your City or Locality? [Unknown]:CityOfMyCompany What is the name of your State or Province? [Unknown]:StateMyCompanyResides What is the two-letter country code for this unit? [Unknown]:MyCompanyCountryCode The keytool utility then will summarize your entries in a final question and prompt you for validation that the information listed is correct. Using the real-world example with QuoVadis information, this would resemble the following: Is CN=mycloud.quovadisglobal.com, OU=Cloud Services, O=QuoVadis Limited, L=Hamilton, ST=Pembroke, C=BM correct? [no]: Of course, this would represent the information specific to your environment instead. If the information is valid, type Yes to continue. Next, you will be prompted to enter a password. Press Return to use the same password (passwrd) that you used previously for the keystore file. TECHNICAL WHITE PAPER / 6

7 Enter key password for <consoleproxy> (RETURN if same as keystore password): Next, run the following command to obtain your CSR for the console proxy service: $ keytool keystore certificates.ks storetype JCEKS storepass psswrd certreq alias consoleproxy file consoleproxy.csr This creates a file called the consoleproxy.csr that represents the CSR for the console proxy service. CSR Submission and Certificate Collection from QuoVadis Now you should have two separate CSR files: One is for the HTTP service (named http.csr in our example); the other is for the console proxy service (named consoleproxy.csr). You must export both of these files from your server to a computer that has Internet access and a browser of your choosing. You will use this computer to submit the CSRs to QuoVadis. For security and compliance, QuoVadis performs vetting on each SSL certificate request. To initiate this process, complete an SSL Certificate Request Form found at the following URL: When the SSL Certificate Request Form has been completed, submit it to QuoVadis in accordance with the instructions. This will start the vetting process for your company by QuoVadis. When this has been completed successfully, you will receive a login to the QuoVadis Trust/Link system. CSR Submission You must perform the following steps for each CSR (http.csr and consoleproxy.csr) that you created earlier. After you complete the process for one CSR, repeat it for the other. To submit the CSRs to QuoVadis, go to to access the QuoVadis Trust/Link portal. When there, click SSL Subscribers, as shown in Figure 3. TECHNICAL WHITE PAPER / 7

8 Figure 3. QuoVadis Trust/Link Portal When prompted, complete the login process by providing your address and password. Figure 4. QuoVadis Trust/Link Portal Login In the left-hand menu, click the Request Certificate link under Subscriber Services to initiate the certificate TECHNICAL WHITE PAPER / 8

9 request process. You have 10 minutes to complete the process for each request. Figure 5. QuoVadis Certificate Request From the drop-down list provided, select your approved organization for which you want to submit an SSL certificate. Figure 6. Organization Selection from QuoVadis From the drop-down list that appears, select the Policy Template that you want to use. If you do not have any policy templates available to choose from, contact QuoVadis support, who will assist in resolving the issue. Figure 7. Policy Template Selection from QuoVadis Select the Validity Period of the certificate, using the check boxes available. TECHNICAL WHITE PAPER / 9

10 Figure 8. Selecting the Validity Period You can optionally select the Server Platform from the drop-down list available. Figure 9. Selecting the Server Platform Open the CSR file you are working with (http.csr or consoleproxy.csr, as used in this document) with a text editor such as vi or Notepad. Highlight all of the contents and copy it into your clipboard (using Ctrl+C). In the browser used to access the QuoVadis Trust/Link portal, paste the contents in the Enter Your Certificate Signing Request field. Enter all of the contents of the CSR, including the BEGIN and END lines, as demonstrated in the following figures. Figure 10. CSR Field TECHNICAL WHITE PAPER / 10

11 Figure 11. Completed CSR Field Click Submit at the bottom of the page. The CSR you submitted will be decoded and shown on the Validate CSR Content screen. Verify the CSR content and make any wanted changes. TECHNICAL WHITE PAPER / 11

12 Figure 12. CSR Content Validation If your certificate requires any subject alternative name (SAN) fields, you can enter them in the Subject Alt DNS Name fields under Certificate Content. If any SAN fields are required, make sure the Common Name is listed in the first SAN field. When finished, click Submit to complete the CSR request to QuoVadis. QuoVadis will review the details of your certificate and contact you if anything appears incorrect. Otherwise, your certificate will be approved. TECHNICAL WHITE PAPER / 12

13 Obtaining the SSL Certificates After the CSR request has been approved, you will receive an informing you that your certificate is ready to download. You can do this by complying with the following procedures for each of the certificates you generated. First, go to and click SSL Subscribers. Complete the login process by entering your address and the respective password at the prompts provided. After successfully logging in, click the My Certificates link under Subscriber Services on the left-hand menu. Verify that the status of the certificate is Valid Certificate, as shown in Figure 13. Figure 13. Certificate with a Valid Certificate Status To view the certificate detail summary, click the Common Name of the certificate you applied for. Scroll to the bottom of the page and click Download. On the Download your SSL Certificate page, click Download your SSL Certificate in PEM (Base 64) format icon. Rename this file to http.crt or consoleproxy.crt, as appropriate, for the certificate you are downloading. TECHNICAL WHITE PAPER / 13

14 Figure 14. SSL Certificate Download SSL Certificate Installation Now you have two SSL certificates for mycloud.mycompany.com: One is for the HTTP service (called http.crt); the other is for the console proxy service (called consoleproxy.crt). You must transfer these files to the keytool directory on the vcloud Director server (/opt/vmware/vcloud-director/jre/bin/) that you used earlier. You must also download the QuoVadis Root CA 2 and the QuoVadis Global SSL ICA files and put them in the same location. You can find these files via the following URLs: TECHNICAL WHITE PAPER / 14

15 Verify that you have the following five files in the keytool directory (/opt/vmware/vcloud-director/jre/bin/): certificates.ks http.crt consoleproxy.crt quovadis_rca2_der.crt quovadis_globalssl_der.crt Execute the following command to install the QuoVadis Root CA 2 certificate into the keystore file: $ keytool storetype JCEKS storepass psswrd keystore certificates.ks import alias Root trustcacerts file quovadis_rca2_der.crt Next, execute the following command to install the QuoVadis Global SSL ICA certificate into the keystore file: $ keytool storetype JCEKS storepass psswrd keystore certificates.ks import -alias intermediate trustcacerts file quovadis_globalssl_der.cer Finally, execute the next two commands to install both the HTTP service and console proxy service certificates into the keystore file: $ keytool storetype JCEKS storepass psswrd keystore certificates.ks import alias http file http.crt $ keytool storetype JCEKS storepass psswrd keystore certificates.ks import alias consoleproxy file consoleproxy.crt When completed, run the following command to verify that all the certificates have been imported correctly into the keystore: $ keytool storetype JCEKS storetype psswrd keystore certificates.ks -list Using the mv command, move the certificates.ks file to a directory of your choosing. The example directory in this document is the /opt/keystore/ directory, for which the following command is used: mv certificates.ks /opt/keystore/certificates.ks You also have the option to delete the following certificate files from the keytool directory, using the rm command: http.crt consoleproxy.crt quovadis_rca2_der.crt quovadis_globalssl_der.crt Now you are ready to configure vcloud Director to use your new SSL certificates. To do this, execute the vcloud Director configure script located in the /opt/vmware/vcloud-director/bin/ directory. $ /opt/vmware/vcloud-director/bin/configure The configure script will prompt you to specify the IP addresses for both the HTTP service and the console proxy service. Select the appropriate IP address as requested. Next, you will be requested to provide the path to the keystore file. Here you must input the full path of your certificates.ks. The prompt will resemble the following example, with the input shown in italics: TECHNICAL WHITE PAPER / 15

16 Please enter the path to the Java keystore containing your SSL certificates and private keys:/opt/keystore/certificate.ks The configure script will validate that the keystore file exists and then prompt you for the password to access the contents. In our examples, we set the password to psswrd. Please enter the password for the keystore:psswrd Please enter the private key password for the http SSL certificate: Please enter the private key password for the consoleproxy SSL certificate: Complete the rest of the configure script as needed by your particular environment. When the configure script has completed and the vcloud Director services have started, your new SSL certificates will be used with vcloud Director. Summary Providing security for your cloud environment is of paramount concern to ensure the privacy and integrity of the data contained within it. This document demonstrates how easy it is to utilize a certificate authority such as QuoVadis to increase the security of your cloud environment. By following the simple steps described in this guide, you can deploy SSL digital certificates to securely identify your endpoints as legitimate, as well as to encrypt data in transit for privacy and integrity. Next Steps Additional Documentation For more information about VMware vcloud Director, visit the product pages at VMware Contact Information For additional information or to purchase VMware vcloud Director, the VMware global network of solutions providers is ready to assist. If you would like to contact VMware directly, you can reach a sales representative at VMWARE ( outside North America) or sales@vmware.com. When ing, include the state, country and company name from which you are inquiring. QuoVadis Contact Information For more information about SSL and the QuoVadis Trust/Link Enterprise certificate issuance system, you can reach QuoVadis at or info@quovadisglobal.com. Providing Feedback VMware appreciates your feedback on the material included in this guide and in particular would be grateful for any comments on the following topics: 1. How useful was the information in this guide? 2. What other specific topics would you like to see covered? Please send your feedback to tmfeedback@vmware.com, with VMware vcloud Director CA Issuance in the subject line. Thank you for your help in making this a valuable resource. TECHNICAL WHITE PAPER / 16

17 VMware, Inc Hillview Avenue Palo Alto CA USA Tel Fax Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-WP-vCLD-CERT-ISSUANCE-USLET-101 Docsource: OIC - 12VM008.05