Activating HTTPS using wildcard certificate in Horizon Application Manager 1.5

Authors: Rasmus Jensen, Sr. Specialist Consultant EUC, NEMEA, VMware Inc.; Peter Björk, EMEA Horizon & ThinApp Specialist Systems Engineer, VMware Inc.

Contents

The Horizon Application Manager implementation

Activate HTTPS on service-va and external connector using public CA
  1. Create a certificate request
  2. Generate a certificate
  3. Build a certificate chain
  4. Activate the certificate on service-va
  5. Import the new service-va certificate on connector
  6. Activate the certificate on the external connector

Disable HTTP access on all components
  1. Disable HTTP on the service-va
  2. Disable HTTP on the connectors
  3. Verify access to SaaS based applications

The Horizon Application Manager implementation

The Horizon installation used in this guide is summarized in the table below. The implementation uses one connector for internal users, offering Kerberos single sign-on to domain members who access the Horizon workspace from the LAN. Another connector serves the external users and is located in the DMZ. The service-va (the workspace) and the external connector are both accessible from the Internet.

Component         Hostname                       Externally accessible
Service-va        workspace.myhorizondemo.com    Yes
Connector (DMZ)   ext-con.myhorizondemo.com      Yes
Connector (LAN)   connector.pinata.local         No

Now that you have a picture of the implementation, let's get started securing the installation with certificates.

Activate HTTPS on service-va and external connector using public CA

1. Create a certificate request

The first thing we have to do is generate a certificate request (CSR). This request is later used by a public Certificate Authority (CA) to issue a signed certificate. For reference, VMware has several KB articles on how to generate certificate requests; http://kb.vmware.com/kb/2015383 references many of them.

Download and install OpenSSL

OpenSSL is the tool we will use to create the certificate request. OpenSSL is available for many different platforms; in this guide we use the Windows version.

You can download Win32 OpenSSL from http://slproweb.com/products/win32openssl.html. For this guide we downloaded the full Win32 OpenSSL v1.0.0j 16 MB installer; one of the smaller packages would probably also do. Use the current release offered on that page rather than this exact version, which is long out of support.

Install OpenSSL on a Windows client. We used the default location, C:\OpenSSL-Win32.

Edit the openssl.cfg

The openssl.cfg file specifies the contents of your certificate request. You can copy and paste the example file from http://kb.vmware.com/kb/2015387 into C:\OpenSSL-Win32\bin\openssl.cfg.

The part of the file you have to modify in order to generate a certificate request is shown below. For a wildcard certificate request the subjectAltName list is not relevant. OpenSSL's field and value names are case-sensitive (countryName, keyUsage, serverAuth), so copy them exactly.

    [ req_distinguished_name ]
    # change these settings for your environment
    countryName            = SE
    stateOrProvinceName    = Stockholm
    localityName           = Stockholm
    0.organizationName     = Peter Bjork
    organizationalUnitName = IT
    commonName             = *.myhorizondemo.com
    emailAddress           = admin@myhorizondemo.com

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage         = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName   = DNS:ext-con.myhorizondemo.com, DNS:view.myhorizondemo.com, DNS:gtw.myhorizondemo.com, DNS:services.myhorizondemo.com

Since we will request a wildcard certificate, these additional hostnames are not of importance: the CA builds the names in the issued certificate from the order you place, and the *.myhorizondemo.com name ends up in its subjectAltName, which is what browsers actually match against. Save your modified openssl.cfg.

Generate the certificate request

Open a cmd prompt and navigate to C:\OpenSSL-Win32\bin\. Run the command:

    openssl req -new -nodes -out rui.csr -keyout rui.key -config openssl.cfg

This command creates two files: rui.csr, which is your certificate request, and rui.key, which is your private key. Store the private key in a safe place and restrict who can read it: it will be the key for every host under *.myhorizondemo.com, and without it your certificate is useless. Run the command:

    type rui.csr

This displays your certificate request. Copy the content of rui.csr (here we did it straight from the cmd prompt), making sure you include the BEGIN CERTIFICATE REQUEST and END CERTIFICATE REQUEST lines.

2. Generate a certificate

The next step is to use our certificate request to obtain a signed certificate. We will use a publicly trusted CA, so that all browsers trust the certificate. In this guide we use GoDaddy (godaddy.com) as our CA; there are many other CAs, and any of them should work. VMware does not recommend a particular Certificate Authority. It is important to make sure you request a wildcard certificate.
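Before the request goes to the CA it is worth checking what is actually in it. The script below is an added example, not part of the original guide: it performs step 1 with the same openssl req command, the configuration above written out in full, and then inspects rui.csr. The [req] header with default_bits and prompt = no is assumed from the VMware KB example; the distinguished-name and extension values are the guide's. One deliberate difference: the subjectAltName carries *.myhorizondemo.com and myhorizondemo.com, because browsers match hostnames against the SAN and not the CN. It runs on any system with the openssl binary, and the working directory stands in for C:\OpenSSL-Win32\bin.

```shell
#!/bin/sh
# Added example (not from the original guide): step 1 as a script, plus the
# checks worth running on rui.csr before it is pasted into the CA's order form.
# The [req] header with default_bits is assumed from VMware KB 2015387; the DN
# and extension values are the guide's own. The subjectAltName here carries the
# wildcard itself, since browsers match names against the SAN and not the CN.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # stands in for C:\OpenSSL-Win32\bin

write_openssl_cfg() {
  cat > "$WORK/openssl.cfg" <<'EOF'
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
# change these settings for your environment
countryName            = SE
stateOrProvinceName    = Stockholm
localityName           = Stockholm
0.organizationName     = Peter Bjork
organizationalUnitName = IT
commonName             = *.myhorizondemo.com
emailAddress           = admin@myhorizondemo.com

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = nonRepudiation, digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = DNS:*.myhorizondemo.com, DNS:myhorizondemo.com
EOF
}

# The guide's command: an unencrypted (-nodes) private key and a CSR.
make_csr() {
  write_openssl_cfg
  openssl req -new -nodes -out "$WORK/rui.csr" -keyout "$WORK/rui.key" \
    -config "$WORK/openssl.cfg" 2>/dev/null
}

# Common name of the request, so the wildcard can be confirmed before ordering.
csr_cn() {
  openssl req -in "$WORK/rui.csr" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# The CSR is self-signed with rui.key; a failed check means a corrupt or
# tampered file.
csr_verify() {
  openssl req -in "$WORK/rui.csr" -noout -verify >/dev/null 2>&1
}

# Same RSA modulus in key and request: proof the CSR belongs to rui.key.
csr_matches_key() {
  [ "$(openssl req -in "$WORK/rui.csr" -noout -modulus)" = \
    "$(openssl rsa -in "$WORK/rui.key" -noout -modulus 2>/dev/null)" ]
}

# Is a given DNS name requested in the subjectAltName extension?
csr_has_san() {
  openssl req -in "$WORK/rui.csr" -noout -text | grep -qF -- "DNS:$1"
}

make_csr
echo "CSR for CN=$(csr_cn) written to $WORK/rui.csr; private key in $WORK/rui.key"
```

The modulus comparison is the check to run when a CA rejects the request or a later keystore import complains that key and certificate do not match: rui.csr and rui.key must come from the same openssl req invocation.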

First we have to purchase the correct certificate type. This can be tricky, since there are so many variations. For this guide we purchased the one called Single Domains with Unlimited Sub Domains (Wildcard). Click Set Up. Go to the Credits folder and click "Click here to update your list" until you see your purchase listed. When it is available, click Request Certificate.

Paste in the content of your certificate request (rui.csr) and click Next. Since the domain name used in this guide was purchased from GoDaddy, ownership of the domain is validated automatically. Before a CA can issue a certificate, it must verify that you own the domain or are authorized to request certificates on its behalf; this validation is often done by email. Click Next.

Click Next. Click Finished. It may take a while, but eventually your certificate request will be approved and your signed certificate will show up under Certificates. Click your wildcard certificate, in our case *.myhorizondemo.com.

Click Download. Choose Tomcat as your server type and click Download. The certificate is delivered as a zip file that also contains some other certificates. Extract the zip file.

3. Build a certificate chain

The signed certificate we downloaded includes only part of the whole certificate chain. To import it into Horizon successfully we must add the rest of the chain and store the result as a keystore file, which will later be copied to our service-va. Go to https://certs.godaddy.com/anonymous/repository.seam to get the rest of the chain. Download:

  Go Daddy Secure Server Certificate (Intermediate Certificate), file name gd_intermediate.crt
  Go Daddy Class 2 Certification Authority Root Certificate, file name gd-class2-root.crt

To build the certificate chain and create the keystore we will use a tool called KeyStore Explorer.

Download KeyStore Explorer from http://www.lazgosoftware.com/kse/index.html and install it. Next we'll have to convert our private key into a format we can import into KeyStore Explorer.

1. Open a cmd prompt and navigate to the C:\OpenSSL-Win32\bin folder.
2. Run the command: openssl.exe
3. In the OpenSSL console run the command:

    rsa -in rui.key -inform PEM -out output.key -outform DER

This creates output.key, your private key in a format KeyStore Explorer can import. Store output.key as carefully as rui.key; it is the same unencrypted key. Launch KeyStore Explorer. Create a new keystore and choose JKS as the type.

Click Tools > Import Key Pair. Choose OpenSSL as the type.

Encrypted Private Key: disabled. OpenSSL Private Key File: output.key (the converted private key). Certificate(s) File: your signed certificate (in our case myhorizondemo.com.crt). Click Import. The alias name must be tcserver. Click OK.

The password must be changeme. Click OK. Verify that the import was successful and click OK.

Right-click tcserver and choose View Details > Certificate Chain Details. This shows your certificate chain; as you can see, it contains only your signed certificate, so we must add the rest of the chain from our CA. Click OK.

Right-click tcserver and choose Edit Certificate Chain > Append Certificate. Choose the gd_intermediate.crt file downloaded earlier from https://certs.godaddy.com/anonymous/repository.seam. Click Append.

Verify that the append succeeded and click OK. Right-click tcserver and choose View Details > Certificate Chain Details.

One more link has now been added to the certificate chain. Only the last part, the root, remains before the chain is complete. Click OK. Right-click tcserver and choose Edit Certificate Chain > Append Certificate.

Choose the gd-class2-root.crt file downloaded earlier from the same repository. Click Append. Verify that the append succeeded and click OK.

Right-click tcserver and choose View Details > Certificate Chain Details. The complete chain is now built, and we can create the keystore file that we will upload to the service-va. Click OK.
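The chain appended in KeyStore Explorer can be checked from the command line before the keystore is saved. The script below is an added example and not part of the original guide. Since the GoDaddy files cannot be fetched here, it constructs a two-tier CA (root, intermediate, wildcard leaf) under the guide's file names and then runs the checks you would run against the real gd-class2-root.crt and gd_intermediate.crt: that the leaf verifies against the chain, that the leaf is the first certificate in the bundle, which hostnames the wildcard actually covers, and, from the conversion step above, that the DER export of the private key really is DER. The demo CA, its names and its 30-day validity are assumptions.

```shell
#!/bin/sh
# Added example (not from the original guide): the chain-building of step 3
# checked from the command line, plus the DER conversion of the private key
# used when importing into KeyStore Explorer. Because the GoDaddy files cannot
# be fetched offline, a two-tier CA (root -> intermediate -> wildcard leaf) is
# constructed here under the guide's file names; the checks are the same ones
# you would run against the real gd-class2-root.crt and gd_intermediate.crt.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Extension profiles for the constructed CA and leaf. The [dn] section is only
# there because `openssl req` insists on one even when -subj is used.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt             = no
[ dn ]
CN = unused
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth, clientAuth
subjectAltName         = DNS:*.myhorizondemo.com, DNS:myhorizondemo.com
EOF

# Constructed stand-in for the CA: what GoDaddy publishes (root, intermediate)
# and what it returned for the wildcard order (myhorizondemo.com.crt).
build_demo_chain() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -sha256 -days 30 -config ca.cnf \
    -extensions v3_ca -subj "/O=Demo CA/CN=Demo Class 2 Root" \
    -keyout root.key -out gd-class2-root.crt 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -config ca.cnf \
    -subj "/O=Demo CA/CN=Demo Secure Server CA" -keyout inter.key -out inter.csr 2>/dev/null
  openssl x509 -req -in inter.csr -sha256 -days 30 -CA gd-class2-root.crt -CAkey root.key \
    -CAcreateserial -extfile ca.cnf -extensions v3_intermediate -out gd_intermediate.crt 2>/dev/null
  openssl req -new -nodes -newkey rsa:2048 -config ca.cnf \
    -subj "/C=SE/O=Peter Bjork/CN=*.myhorizondemo.com" -keyout rui.key -out rui.csr 2>/dev/null
  openssl x509 -req -in rui.csr -sha256 -days 30 -CA gd_intermediate.crt -CAkey inter.key \
    -CAcreateserial -extfile ca.cnf -extensions v3_leaf -out myhorizondemo.com.crt 2>/dev/null
}

# Order matters: leaf first, then intermediate, then root, the same order
# KeyStore Explorer shows after the two appends.
build_chain_file() {
  cat myhorizondemo.com.crt gd_intermediate.crt gd-class2-root.crt > chain.pem
}

# Subject CN of the first certificate in a PEM bundle (openssl x509 reads only
# the first block), i.e. a quick check that the leaf is on top.
first_cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Validate the leaf the way a browser would: trust only the root and use the
# intermediate as an untrusted helper certificate.
verify_chain() {
  openssl verify -CAfile gd-class2-root.crt -untrusted gd_intermediate.crt \
    myhorizondemo.com.crt >/dev/null 2>&1
}

# Same validation with a hostname. A wildcard covers exactly one label
# (RFC 6125), so a.b.myhorizondemo.com is NOT covered by *.myhorizondemo.com.
covers_host() {
  openssl verify -CAfile gd-class2-root.crt -untrusted gd_intermediate.crt \
    -verify_hostname "$1" myhorizondemo.com.crt >/dev/null 2>&1
}

# Step 3's conversion of the private key to DER for KeyStore Explorer. A DER
# key starts with an ASN.1 SEQUENCE tag (0x30), whereas PEM starts with '-'.
key_to_der() {
  openssl rsa -in rui.key -inform PEM -out output.key -outform DER 2>/dev/null
  [ "$(od -An -N1 -tx1 output.key | tr -d ' \n')" = "30" ]
}

build_demo_chain
build_chain_file
verify_chain && echo "chain verifies; leaf on top: CN=$(first_cert_cn chain.pem)"
```

The hostname checks are the ones that matter for the design above: workspace.myhorizondemo.com and ext-con.myhorizondemo.com are covered, but a name one level deeper is not, and connector.pinata.local never will be, which is why the LAN connector keeps its own certificate.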

Press Save and again specify changeme as the password. Name the new keystore tcserver.keystore. Because the keystore password is fixed by the product, the file itself is what protects the private key: guard it as carefully as rui.key.

4. Activate the certificate on service-va

Activate SSH access for root

We have to copy tcserver.keystore to the service-va. To make that easier, we start by activating root SSH access.

1. Open the service-va console.
2. Log in as root.
3. Run the command: vi /etc/ssh/sshd_config
   Change PermitRootLogin to yes. Exit with :wq.

Restart the SSH daemon (service sshd restart). Go back to the service-va console menu by typing Exit and pressing Enter. Once the keystore has been copied, set PermitRootLogin back to no and restart sshd again.

Generate a certificate request on the service-va

We will now create a certificate request on the service-va. This request will not be used, since we already have our request and our signed certificate, but it must be created anyway. First verify that HTTPS is active on your service-va; if not, activate it before generating the certificate request. Open the service-va console.

Choose Configure. Enter 4 and press Enter.

On our service-va HTTPS is already active. Press Q and Enter to go back. Choose 3.

The domain name must match your wildcard certificate. Press Enter.

Copy your own keystore to the service-va

Once the certificate request has been generated, it is time to copy our own tcserver.keystore to the service-va.

We use WinSCP, logged in as root, to copy the tcserver.keystore file.

1. Navigate to /opt/vmware/horizon/horizoninstance/conf
2. Rename the existing tcserver.keystore to tcserver.keystore.old
3. Copy the new tcserver.keystore to /opt/vmware/horizon/horizoninstance/conf

Go back to the service-va console and restart the Web Service using option 5 and then option 3.

Verify HTTPS access

Verify that your service-va is accessible via HTTPS and is using your signed wildcard certificate. In our case we access https://workspace.myhorizondemo.com.
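The file-level part of this step, as a script rather than by hand, is an added example and not part of the guide. It edits sshd_config in a way that survives Match blocks, refuses a file that Tomcat could not open as a JKS keystore, keeps the shipped keystore as tcserver.keystore.old exactly as above, and puts PermitRootLogin back to no afterwards. Paths default to the guide's; set SSHD_CONFIG and CONF_DIR to copies to try it elsewhere. Restarting sshd and the Web Service is still done from the console.

```shell
#!/bin/sh
# Added example (not from the original guide): the file-level work of step 4
# as a script. It edits sshd_config safely, refuses a keystore that is not a
# JKS file, keeps the shipped keystore as tcserver.keystore.old, and lets you
# put PermitRootLogin back afterwards. Paths default to the guide's; override
# SSHD_CONFIG and CONF_DIR to try it on copies.
set -eu
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
CONF_DIR="${CONF_DIR:-/opt/vmware/horizon/horizoninstance/conf}"

# Set PermitRootLogin to yes|no. Existing (also commented-out) directives are
# removed and the new one is placed at the top: a line appended at the end
# would fall inside any trailing "Match" block and apply to the wrong users.
set_permit_root_login() {  # $1 = yes|no
  cp "$SSHD_CONFIG" "$SSHD_CONFIG.bak"
  { echo "PermitRootLogin $1"
    grep -v '^[[:space:]]*#*[[:space:]]*PermitRootLogin' "$SSHD_CONFIG.bak" || true
  } > "$SSHD_CONFIG"
}

# Effective (first uncommented) PermitRootLogin value, empty if none.
permit_root_login() {
  sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$SSHD_CONFIG" \
    | head -n 1
}

# JKS files start with the magic number 0xFEEDFEED; a PKCS#12 saved by mistake
# (starting 0x30) would leave the Web Service unable to open its keystore.
is_jks() {
  [ "$(od -An -N4 -tx1 "$1" | tr -d ' \n')" = "feedfeed" ]
}

# Swap the keystore in, keeping the old one the way the guide does.
install_keystore() {  # $1 = new tcserver.keystore
  is_jks "$1" || { echo "refusing $1: not a JKS keystore" >&2; return 1; }
  if [ -f "$CONF_DIR/tcserver.keystore" ]; then
    mv "$CONF_DIR/tcserver.keystore" "$CONF_DIR/tcserver.keystore.old"
  fi
  cp "$1" "$CONF_DIR/tcserver.keystore"
}

# Typical sequence on the appliance (sshd and the Web Service are still
# restarted from the console, as in the guide):
#   set_permit_root_login yes          # before copying with WinSCP
#   install_keystore /tmp/tcserver.keystore
#   set_permit_root_login no           # once the file is in place
```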

If you look at the certificate details, you should see that your wildcard certificate is in use.

5. Import the new service-va certificate on connector

Since the certificate used by the service-va has changed, you must import the new service-va certificate on your connectors. Do this on every active connector. Open the connector console and choose Configure.

Choose menu option 3. The connector now automatically imports and trusts the service-va certificate.

Verify that menu option 3 is now all green.

6. Activate the certificate on the external connector

So far we have enabled secure access to our service-va. We will now activate HTTPS on our external connector.

Create a private key supported by the connector

First we have to export our private key from the keystore we created for the service-va. Launch KeyStore Explorer and open the tcserver.keystore created earlier.

Enter changeme as the password and click OK. Right-click tcserver and choose Export > Export Private Key.

Enter changeme as the password and click OK. Choose OpenSSL as the type and click OK.

Make sure Encrypt is disabled. Enter a path and file name (we used c:\public.key) and click Export. Verify that the export was successful and click OK. Despite the file name we chose, this file is the unencrypted private key: keep it off shared locations and delete it once the connector has it.

If you open the exported file it should start with:

    -----BEGIN RSA PRIVATE KEY-----

This is important for the import to the connector to succeed.

Import the public certificate and private key to the connector

Open a web browser and navigate to your connector's admin interface (https://url_to_connector:8443).

1. Under External Access, paste your signed wildcard certificate as the SSL Certificate and paste your newly exported private key (we used the file name public.key) as the Private Key.
2. Make sure there are no extra line breaks in your certificates. If there are, delete them, but be careful not to delete any characters.
3. Click Save.

Restart your connector to make the new certificate active.

Verify HTTPS access to your connector

Launch a web browser and navigate to your connector using https://. Our connector now responds on HTTPS.
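If the connector rejects the pasted key, or simply stops answering after the restart, the usual causes are the key's header, stray line breaks picked up while copying, and a key that does not belong to the certificate. The script below, an added example and not from the guide, covers all three: it converts a key to the BEGIN RSA PRIVATE KEY form the connector expects (OpenSSL 3 otherwise writes PKCS#8, a trap when re-exporting with current tools), strips carriage returns and blank lines without touching the base64 text, and compares the RSA modulus of key and certificate. The key and certificate it works on are constructed throwaways; file names follow the guide.

```shell
#!/bin/sh
# Added example (not from the original guide): checks for the key and
# certificate pasted into the connector in step 6. It converts a key to the
# "BEGIN RSA PRIVATE KEY" form the connector expects, strips the stray line
# breaks the guide warns about without touching the base64 itself, and
# confirms the key actually belongs to the certificate. The key and
# certificate are constructed throwaways; file names follow the guide.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"
# `openssl req` insists on a DN section even when -subj is given.
printf '[ req ]\ndistinguished_name = dn\nprompt = no\n[ dn ]\nCN = unused\n' > min.cnf

# Constructed material: a wildcard key with self-signed cert, and an unrelated key.
make_material() {
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 -config min.cnf \
    -subj "/CN=*.myhorizondemo.com" -keyout tcserver.key -out myhorizondemo.com.crt 2>/dev/null
  openssl genrsa -out other.key 2048 2>/dev/null
}

# Export in traditional PKCS#1 form. OpenSSL 3 writes PKCS#8 ("BEGIN PRIVATE
# KEY") unless told -traditional; OpenSSL 1.x lacks that flag and already
# writes PKCS#1, hence the fallback.
to_rsa_pem() {  # $1 = key in, $2 = key out
  openssl rsa -in "$1" -out "$2" -traditional 2>/dev/null \
    || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

pem_header() { head -n 1 "$1"; }

# The connector's text field wants an unencrypted key, which is why the
# export dialog's "Encrypt" option must be off.
key_is_unencrypted() { ! grep -q 'ENCRYPTED' "$1"; }

# Remove carriage returns and blank lines (typical after a trip through a
# Windows editor or a web form). Nothing else is changed, so the base64
# payload keeps every character.
clean_pem() {  # $1 = in, $2 = out
  tr -d '\r' < "$1" | grep -v '^[[:space:]]*$' > "$2"
}

# Key and certificate belong together only if the RSA modulus is identical.
key_matches_cert() {  # $1 = key, $2 = cert
  [ "$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -modulus)" ]
}

make_material
to_rsa_pem tcserver.key public.key
echo "exported key header: $(pem_header public.key)"
key_matches_cert public.key myhorizondemo.com.crt && echo "public.key matches myhorizondemo.com.crt"
```

Run key_matches_cert against the exact files you paste: a key exported from the wrong keystore, or a certificate file that is actually the intermediate, both fail this test long before the connector gives a useful error.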

Activate SSL authentication

The next step is to make sure authentication is made over HTTPS. Open a web browser and navigate to your connector's admin interface (https://url_to_connector:8443). Under Internal Access enable Use SSL and press Save. Verify that your users can still log in through the external connector. You have now enabled HTTPS and SSL authentication on your external connector.

Disable HTTP access on all components

To make sure no users access Horizon over HTTP, you should disable HTTP. Before you do, make sure you have verified access to all components over HTTPS.

1. Disable HTTP on the service-va

Log in to the service-va console and choose Configure. Choose menu option 4.

Disable HTTP by typing 1 and Enter. Verify that HTTP is disabled.

2. Disable HTTP on the connectors

Open the connector console. Perform these steps on all your connectors.

Choose Configure. Choose option 2.

Disable port 80 by pressing 1 and Enter. Verify that port 80 is disabled.

3. Verify access to SaaS based applications

If you have been running your Horizon implementation over HTTP for a while and have SaaS-based applications entitled, you must log in as administrator on each SaaS application and change its reference to your Workspace from HTTP to HTTPS.