Scenarios for Setting Up SSL Certificates for View

VMware Horizon 6.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2014 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

Scenarios for Setting Up SSL Connections to View
1 Obtaining SSL Certificates from a Certificate Authority
  Determining If This Scenario Applies to You
  Selecting the Correct Certificate Type
  Generating a Certificate Signing Request and Obtaining a Certificate with Microsoft Certreq
2 Off-loading SSL Connections to Intermediate Servers
  Import SSL Off-loading Servers' Certificates to View Servers
  Set View Server External URLs to Point Clients to SSL Off-loading Servers
  Allow HTT
Scenarios for Setting Up SSL Connections to View

Scenarios for Setting Up SSL Connections to View provides examples of setting up SSL certificates for use by View servers. The first scenario shows you how to obtain signed SSL certificates from a Certificate Authority and ensure that the certificates are in a format that can be used by View servers. The second scenario shows you how to configure View servers to off-load SSL connections to an intermediate server.
1 Obtaining SSL Certificates from a Certificate Authority

VMware strongly recommends that you configure SSL certificates that are signed by a valid Certificate Authority (CA) for use by View Connection Server instances, security servers, and View Composer instances. Default SSL certificates are generated when you install View Connection Server, security server, or View Composer instances. Although you can use the default, self-signed certificates for testing purposes, replace them as soon as possible.
If your organization provides you with SSL certificates that are signed by a CA, you can use these certificates. Your organization can use a valid internal CA or a third-party, commercial CA. If your certificates are not in PKCS#12 format, you must convert them. See “Convert a Certificate File to PKCS#12 Format,” on page 18.
The Microsoft certreq utility is available on Windows Server 2008 R2 and can be used to generate a CSR and import a signed certificate. If you intend to send a request to a third-party CA, using certreq is the quickest and simplest way to obtain a certificate for View.

1 Create a CSR Configuration File on page 9
  The Microsoft certreq utility uses a configuration file to generate a CSR.
  Exportable = TRUE
  MachineKeySet = TRUE
  SMIME = False
  PrivateKeyArchive = FALSE
  UserProtected = FALSE
  UseExistingKeySet = FALSE
  ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
  ProviderType = 12
  RequestType = PKCS10
  KeyUsage = 0xa0
  [EnhancedKeyUsageExtension]
  OID=1.3.6.1.5.5.7.3.
Procedure

1 Open a command prompt by right-clicking on Command Prompt in the Start menu and selecting Run as administrator.
2 Navigate to the directory where you saved the request.inf file. For example:
  cd c:\certificates
3 Generate the CSR file. For example:
  certreq -new request.inf certreq.txt
4 Use the contents of the CSR file to submit a certificate request to the CA in accordance with the CA's enrollment process.
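Before running certreq -new, the request.inf settings can be compared with the ones listed in the configuration fragment above and the KeyUsage value decoded into named flags. This is an added example, not part of the VMware document; the sample text is constructed from settings visible in that fragment, and Test-RequestInf is a hypothetical helper name.

```powershell
# Added example (not from the VMware document): compare a certreq request.inf
# against the settings listed in this document and decode its KeyUsage value.
# $sampleInf is constructed from the fragment shown above.
$sampleInf = @'
Exportable = TRUE
MachineKeySet = TRUE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
'@

function Test-RequestInf {   # hypothetical helper name
    param([string]$InfText)

    # Collect "Name = Value" pairs; section headers and blank lines are skipped.
    $settings = @{}
    foreach ($line in ($InfText -split "`r?`n")) {
        if ($line -match '^\s*(\w+)\s*=\s*"?([^"]*?)"?\s*$') {
            $settings[$Matches[1]] = $Matches[2]
        }
    }

    # Values this document's sample uses; a difference is reported, not rejected.
    $expected = @{ MachineKeySet = 'TRUE'; Exportable = 'TRUE'
                   RequestType = 'PKCS10'; ProviderType = '12' }
    $deviations = @()
    foreach ($name in $expected.Keys) {
        if ($settings[$name] -ne $expected[$name]) {
            $deviations += "$name = '$($settings[$name])' (document shows $($expected[$name]))"
        }
    }

    # X.509 key usage flags in the single-byte form used by the KeyUsage setting.
    $flags = @( @(0x80,'digitalSignature'), @(0x40,'nonRepudiation'),
                @(0x20,'keyEncipherment'),  @(0x10,'dataEncipherment'),
                @(0x08,'keyAgreement'),     @(0x04,'keyCertSign'),
                @(0x02,'cRLSign'),          @(0x01,'encipherOnly') )
    $usage = 0
    if ($settings['KeyUsage']) { $usage = [Convert]::ToInt32($settings['KeyUsage'], 16) }
    $names = @($flags | Where-Object { $usage -band $_[0] } | ForEach-Object { $_[1] })

    New-Object PSObject -Property @{ KeyUsage = $names; Deviations = $deviations }
}

Test-RequestInf -InfText $sampleInf | Format-List
```

For the sample, KeyUsage 0xa0 decodes to digitalSignature and keyEncipherment, and the Deviations list is empty.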
Verify That the CSR and Its Private Key Are Stored in the Windows Certificate Store

If you use the certreq utility to generate a CSR, the utility also generates an associated private key. The utility stores the CSR and private key in the Windows local computer certificate store on the computer on which you generated the CSR. You can confirm that the CSR and private key are properly stored by using the Microsoft Management Console (MMC) Certificate snap-in.
Prerequisites

- Verify that you received a signed certificate from a CA. See “Generate a CSR and Request a Signed Certificate from a CA,” on page 10.
- Perform the certreq operation described in this procedure on the computer on which you generated a CSR and stored the signed certificate.

Procedure

1 Open a command prompt by right-clicking on Command Prompt in the Start menu and selecting Run as administrator.
To perform the tasks in this procedure, see the following topics:

- “Modify the Certificate Friendly Name,” on page 19
- “Import the Root and Intermediate Certificates into the Windows Certificate Store,” on page 20

For more information, see "Configure View Connection Server, Security Server, or View Composer to Use a New SSL Certificate" in the View Installation document.
2 Off-loading SSL Connections to Intermediate Servers

You can set up intermediate servers between your View servers and Horizon Client devices to perform tasks such as load balancing and off-loading SSL connections. Horizon Client devices connect over HTTPS to the intermediate servers, which pass on the connections to the external-facing View Connection Server instances or security servers.
Do not confuse load balancing with SSL off-loading. The preceding requirement applies to any device that is configured to provide SSL off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices.

IMPORTANT The scenario described in the following topics shows one approach to the sharing of SSL certificates between third-party components and VMware components.
Before you start, verify that the F5 BIG-IP LTM system is deployed with View. Check that you completed the tasks in the F5 deployment guide, Deploying the BIG-IP LTM System with VMware View, located at http://www.f5.com/pdf/deployment-guides/f5-vmware-view-dg.pdf.

1 Connect to the F5 BIG-IP LTM configuration utility.
2 On the Main tab of the navigation pane, expand Local Traffic and click SSL certificates.
Convert a Certificate File to PKCS#12 Format

If you obtained a certificate and its private key in PEM or another format, you must convert it to PKCS#12 (PFX) format before you can import the certificate into a Windows certificate store on a View server. PKCS#12 (PFX) format is required if you use the Certificate Import wizard in the Windows certificate store.
For other types of certificate files, only the server certificate is imported into the Windows local computer certificate store. In this case, you must take separate steps to import the root certificate and any intermediate certificates in the certificate chain. For more information about certificates, consult the Microsoft online help available with the Certificate snap-in to MMC.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm.
  a Locate any other server certificate, right-click the certificate, and click Properties.
  b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.

What to do next

Import the root certificate and intermediate certificates into the Windows local computer certificate store.
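The Friendly name check in step 5 can also be scripted, together with a test of whether the certificate's chain builds once the root and intermediate certificates are imported. This is an added example, not part of the VMware document; Test-VdmCertificate is a hypothetical helper name, and switching off revocation checking is an assumption of the example.

```powershell
# Added example (not from the VMware document): check the Friendly name rule
# from step 5 against the local computer Personal store. Run on the View server.
function Test-VdmCertificate {   # hypothetical helper name
    $named = @(Get-ChildItem -Path Cert:\LocalMachine\My |
               Where-Object { $_.FriendlyName -eq 'vdm' })

    # Zero or several matches both break the rule; list what was found.
    if ($named.Count -ne 1) {
        Write-Warning "Expected exactly one certificate named vdm, found $($named.Count)."
        return $named | Select-Object Thumbprint, Subject, NotAfter
    }
    $cert = $named[0]

    # Revocation checking is switched off (an assumption of this example).
    # A failed build usually means the root or an intermediate certificate
    # is missing from the local computer store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        NotExpired    = ((Get-Date) -lt $cert.NotAfter)
        ChainTrusted  = $chainOk
        ChainStatus   = @($chain.ChainStatus | ForEach-Object { $_.Status })
    }
}

Test-VdmCertificate | Format-List
```

HasPrivateKey should be True for the certificate the server uses; ChainStatus names the failing element when ChainTrusted is False.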
Set View Server External URLs to Point Clients to SSL Off-loading Servers

If SSL is off-loaded to an intermediate server and Horizon Client devices use the secure tunnel to connect to View, you must set the secure tunnel external URL to an address that clients can use to access the intermediate server. You configure the external URL settings on the View Connection Server instance or security server that connects to the intermediate server.
Procedure

1 In View Administrator, select View Configuration > Servers.
2 Select the Security Servers tab, select the security server, and click Edit.
3 Type the Secure Tunnel external URL in the External URL text box. The URL must contain the protocol, client-resolvable security server host name and port number. For example: https://myserver.example.
Example: locked.properties file

This file allows non-SSL HTTP connections to a View server. The IP address of the View server's client-facing network interface is 10.20.30.40. The server uses the default port 80 to listen for HTTP connections. The value http must be lower case.

  serverProtocol=http
  serverHostNonSSL=10.20.30.40