Friday 3 October 2014

Replacing SSL Certificates for VMware Horizon View 5.2

While replacing the default SSL Certificates in the vSphere suite can seem challenging, the process in the View suite is much easier.

This article will cover the replacement of the default SSL certificates for both VMware View Connection Server and VMware View Composer.

OpenSSL and a Windows 2008 R2 CA are used to generate our CA Signed SSL certificates.

As a reminder, View Composer can be installed on the vCenter server or on another server (in case of heavy load).

My domain katalykt.lan is laid out as follows:
- dc0001.katalykt.lan: This is the domain controller and our Certification Authority.
- vc0001.katalykt.lan: This is the vCenter and our View Composer server.
- cs0001.katalykt.lan: This is our View Connection Server.

Let's start by creating our working directory, under

C:\OpenSSL-Win32\Certificates


Let's create the following folders:

  • Composer
  • ConnectionServer


Creating the OpenSSL Template files

In this part, we'll create a configuration file in each of those folders:

Composer.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:vc0001, DNS:vc0001.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ViewComposer
commonName = vc0001.katalykt.lan

ConnectionServer.cfg
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
 
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:cs0001, DNS:cs0001.katalykt.lan
 
[ req_distinguished_name ]
countryName = FR
stateOrProvinceName = Normandie
localityName = Caen
0.organizationName = Katalykt
organizationalUnitName = ConnectionServer
commonName = cs0001.katalykt.lan


Creating the SSL Certificates CA Template

A specific CA SSL Certificate Template is required for VMware View. See my article about Preparing a Microsoft CA SSL Certificate Template for VMware View 5.2 here to create one.

I've granted my service account srv-vcenter the right to Enroll my VMwareViewSSL Template here (this is done by modifying the template).



Generating the SSL Certificates

So now that we've got everything that we need we can just go ahead and create a script which will do the manual labor for us!

This script does the following for each component:
  • Create a private key rui.key in RSA 2048
  • Create a Certificate Signing Request from the component's OpenSSL Template
  • Submit that request to the CA and (hopefully) obtain the Certificate rui.crt
  • Create the Personal Information Exchange (PFX) file which bundles our Certificate along with its private key
Create_View_SSL.bat
REM Change this according to your needs
Set OPENSSL=c:\OpenSSL-Win32\bin\openssl.exe
Set SSLPATH=c:\OpenSSL-Win32\Certificates
REM CA in HostName\CAName form, as expected by certreq -config
Set MSCA=DC0001\katalykt-DC0001-CA
Set MSCATEMPLATE=VMwareViewSSL

REM Core processing
echo PROCESSING: View Composer SSL Certificate
cd /d %SSLPATH%\Composer
REM 1. RSA 2048 private key
%OPENSSL% genrsa 2048 > rui.key
REM 2. CSR built from the template (subject and SAN come from Composer.cfg)
%OPENSSL% req -out rui.csr -key rui.key -new -config Composer.cfg
REM 3. Submit to the Microsoft CA using the VMwareViewSSL template
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
REM 4. Bundle certificate and key into a PFX (friendly name vdm, password testpassword)
%OPENSSL% pkcs12 -export -in rui.crt -inkey rui.key -name vdm -passout pass:testpassword -out rui.pfx

echo PROCESSING: View Connection Server SSL Certificate
cd /d %SSLPATH%\ConnectionServer
REM Same four steps, using ConnectionServer.cfg
%OPENSSL% genrsa 2048 > rui.key
%OPENSSL% req -out rui.csr -key rui.key -new -config ConnectionServer.cfg
certreq -submit -config %MSCA% -attrib "CertificateTemplate:%MSCATEMPLATE%" rui.csr rui.crt
%OPENSSL% pkcs12 -export -in rui.crt -inkey rui.key -name vdm -passout pass:testpassword -out rui.pfx


Replacing the View Composer Certificate

If you already have a View Connection Server up and linked to an existing View Composer, then make sure to stop its services before replacing the View Composer SSL certificate.

As you may already know, View Composer is installed either on the vCenter or on a side server. In this case it's hosted on my vCenter.

The first step is to stop the VMware View Composer service before proceeding any further.


The goal of this operation is to import our previously generated Personal Information Exchange file rui.pfx into the View Composer server's Personal store so that it can use both the SSL Certificate and its private key.

So we open mmc.exe on the server where View Composer is installed and load the Certificates Snap-in.


We pick the Computer account here.


I'm picking Local computer here since the mmc snap-in is running on the View Composer server.


Once that's done, we browse to Personal >> Certificates. If View Composer is already installed, you should see the default self-signed SSL Certificate in there.


The next step is to import our rui.pfx into the Certificates folder.

Using the contextual menu on the Certificates folder we do All Tasks > Import... to import it in there.

The first thing is to select the View Composer's rui.pfx file.


We use the password testpassword here (if you haven't changed it in the script, that is) and we absolutely need to mark the key as exportable by ticking the option Mark this key as exportable...


Finally we place it in the Personal store.


Once done, we should be able to see our SSL certificate in the Personal store!


If you open up your SSL certificate you should see that a private key is associated with it thanks to the message "You have a private key that corresponds to this certificate".

If the SSL certificate doesn't have an associated private key then the replacement will not work (remember that the SSL Certificate template needs to allow the private key to be exported!)


Now that we have our SSL Certificate in the Personal store, we can go ahead and replace the existing one.

This step is done by using the SviConfig.exe tool present on the View Composer server.

"c:\Program Files (x86)\VMware\VMware View Composer\SviConfig.exe" -operation=replacecertificate -delete=false

Note that we set the delete switch to false to keep the existing SSL Certificate in the store (we can always delete it later on).

Once the utility launches, simply select the new SSL certificate and everything else is done automatically!


You may delete (or export as a backup) the old Certificate now.

And that's it! Our View Composer certificate has been changed! Make sure to restart the service!


Replacing the View Connection Server Certificate

View Connection Server SSL Certificate replacement is quite similar to the View Composer's one.

Our last rui.pfx has to be loaded into the Connection Server's Personal certificate store. The only difference is that its "friendly name" needs to be vdm (the Connection Server only looks for SSL Certificates with that friendly name).

Replacing the SSL Certificate of the View Connection Server is good practice for many reasons. For instance, your clients will see the Connection Server as a valid CA-signed entity when they connect through the View Horizon Client (no more red warning about a self-signed certificate, yay!)

Let's start our operation by stopping all View component services.


Via mmc.exe on the View Connection Server we add the Certificates Snap-in and load the Computer account (this is the same process as for the Composer above) on the Local computer.

Once more, we have the default SSL Certificate in there!


The next step is to import our rui.pfx into the Certificates folder.

Using the contextual menu on the Certificates folder we do All Tasks > Import... to import it in there.

The first thing is to select the View Connection Server rui.pfx file.


We use the password testpassword here (if you haven't changed it in the script, that is) and we absolutely need to mark the key as exportable by ticking the option Mark this key as exportable...


Finally we place it in the Personal store.


Right now we have both the old and the new SSL Certificate. Make sure that the new SSL Certificate has the "vdm" Friendly Name set otherwise it will not be loaded.
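The MMC import done above for View Composer and again here for the Connection Server can also be scripted. The following is an added example, not code from the original post: it loads rui.pfx into Local Computer > Personal with the key marked exportable, sets the friendly name, and checks that a private key, the Server Authentication EKU and the expected DNS SAN entries are present before the certificate is handed to SviConfig or the Connection Server. The parameter names are my own, and the defaults (testpassword, cs0001, vdm) are assumptions taken from this lab.

```powershell
# Added example: scripted equivalent of the "All Tasks > Import..." steps.
# Run in an elevated PowerShell on the server whose Personal store receives the PFX.
param(
    [Parameter(Mandatory=$true)][string]$PfxPath,
    [string]$PfxPassword = "testpassword",                           # password used by Create_View_SSL.bat (assumed)
    [string[]]$ExpectedDnsNames = @("cs0001", "cs0001.katalykt.lan"), # SAN entries from ConnectionServer.cfg (assumed)
    [string]$FriendlyName = "vdm"                                    # the only friendly name the Connection Server loads
)

$X509 = "System.Security.Cryptography.X509Certificates"
# Exportable = the "Mark this key as exportable" checkbox; MachineKeySet + PersistKeySet
# store the key under the Local Computer account rather than the current user.
$flags = [type]"$X509.X509KeyStorageFlags"
$storageFlags = $flags::Exportable -bor $flags::MachineKeySet -bor $flags::PersistKeySet

$cert = New-Object "$X509.X509Certificate2"($PfxPath, $PfxPassword, $storageFlags)
if (-not $cert.HasPrivateKey) {
    throw "No private key is bundled in $PfxPath; the replacement would fail."
}

# Extended Key Usage (2.5.29.37) must contain Server Authentication (1.3.6.1.5.5.7.3.1),
# which is what the VMwareViewSSL template and the extendedKeyUsage = serverAuth line produce.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }
$serverAuth = $null
if ($eku) { $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" } }
if (-not $serverAuth) { throw "Certificate lacks the Server Authentication EKU." }

# Subject Alternative Name (2.5.29.17): every name the clients will use must be listed.
# Format($false) renders it as "DNS Name=cs0001, DNS Name=cs0001.katalykt.lan" on an English Windows.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
$sanText = if ($san) { $san.Format($false) } else { "" }
foreach ($name in $ExpectedDnsNames) {
    if ($sanText -notmatch ("=" + [regex]::Escape($name) + "(,|$)")) {
        throw "SAN does not list $name (got: '$sanText')"
    }
}

# Place it in Local Computer > Personal ("My") with the friendly name the Connection Server expects.
$cert.FriendlyName = $FriendlyName
$store = New-Object "$X509.X509Store"("My", "LocalMachine")
$store.Open("ReadWrite")
$store.Add($cert)
$store.Close()

Write-Host "Imported $($cert.Subject) (thumbprint $($cert.Thumbprint)) as '$FriendlyName' with an exportable private key."
```

For View Composer the friendly name is not required, so any value can be passed; the private key and SAN checks are the ones that matter there.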


I've removed the old SSL Certificate (you can export it too).


Finally we can restart the View Connection Server services.


After a few minutes, we head to the Web Admin site to ensure that the new SSL Certificate is loaded:

https://cs0001.katalykt.lan/admin

If everything's fine our dashboard should show that our Connection Server is healthy!



Integrating View Composer in View Connection Server

In this part, I'll be linking my View Composer to my View Connection Server. If you already did it then you may skip this part.

Let's head to View Configuration >> Servers and add a vCenter server.


In my case the Composer is linked to the vCenter.



My vCenter is added as shown below.


The dashboard shows our View Composer's SSL Certificate as valid! (It may appear red at first, but give it a few minutes.)


Both our View Connection server and View Composer are now using valid CA SSL Certificates!

Thursday 2 October 2014

Preparing a Microsoft CA SSL Certificate Template for VMware View 5.2

Preparing an SSL Certificate Template for VMware View 5.2 is quite easy compared to the other vCenter components. What we have to keep in mind in this case is that the Private Key needs to be exportable, since both View Composer and View Connection Server require that option.

First of all, let's go into our Certification Authority console, find Certificate Templates and select Manage from the contextual menu (or use the shortcut certtmpl.msc to go straight to the template console).


Now let's duplicate the Web Server template by using the contextual menu action Duplicate Template.


We pick Windows Server 2003 Enterprise as the minimum supported CA.


We can now start to customize our View SSL Template.

Let's start by giving it a descriptive label like VMware View SSL (note the difference between the display name and the template name: the display name has some escape characters while the template name doesn't).

Our template will be referred to as VMwareViewSSL later on.


Our template should only be used for Server Authentication as we don't need Client Authentication here.


Next we're going to Edit the Key Usage.


We tick Allow encryption of user data.


In the Request Handling tab, the most important part is to tick the option Allow private key to be exported.


We do a quick check in the Subject Name tab to ensure that the Supply in the request option is ticked. This is important for the Subject Alternative Name (SAN) property.


We validate the creation of our template and we should be able to see it among our templates.


We quit the Template console and we're back in our CA's Menu.

Let's enable the template with New >> Certificate Template to Issue from the contextual menu of the Certificate Templates folder.


Once we're in the Enable Certificate Templates menu, we choose our VMware View SSL template and validate.


Our Template is now issued and ready to be used!