Implementing CA signed SSL certificates with vSphere 5.x – Part 6 – Horizon View

16/10/2015

In a VMware Horizon for View environment (VMware’s VDI solution), View Connection servers are an important client-facing component. A View Connection Server acts as a broker for client connections, and for that reason VMware highly recommends that you replace the default SSL certificates which are generated during the installation of the Connection servers.

To help you with this job, VMware has a lot of useful documentation available, like:

For each View Connection server you should perform these basic tasks for setting up SSL Certificates:

  1. Generate a Certificate Signing Request
  2. Request a signed Certificate from a CA
  3. Import the signed Certificate
  4. Set up the imported Certificate for a View server
  5. Import Certificates on other View Servers

In the next sections I will show you the steps and some tips for getting past some of the caveats.



Implementing CA signed SSL certificates with vSphere 5.x – Part 5 – ESXi and Automation

25/05/2015

In the previous posts, we discussed the need for certificates, how to obtain certificates, implementing certificates on a vCenter Server Appliance, vCenter Update Manager server and finally a vCenter Orchestrator Appliance. Although there are more vSphere components, we conclude with the implementation of certificates for ESXi hosts.

ESXi hosts

The configuration of CA certificates is explained in KB “Configuring CA signed certificates for ESXi 5.x hosts (2015499)”. The most important remark in this KB: “Each server must be unique to the component as it ties to the fully qualified domain name of the server. As such you cannot just take a single certificate and apply it to all hosts. Wildcard certificates are currently not supported, but even if they were, it is much more secure to have a proper certificate for each host.”

To create a certificate request for multiple ESXi servers, you can follow the procedure as described in KB “Configuring OpenSSL for installation and configuration of CA signed certificates in the vSphere environment (2015387)”.



Implementing CA signed SSL certificates with vSphere 5.x – Part 4 – VUM and vCO/vRO

19/04/2015

In the previous post, we discussed the replacement of SSL certificates in the vCenter Server Appliance. Following our planning, next on the list is the vSphere Update Manager and the vCenter Orchestrator Appliance.

vSphere Update Manager

Our guide is “Configuring CA signed SSL certificates for vSphere Update Manager in vCenter Server 5.1 and 5.5 (2037581)”.

One important note from this KB: “You can replace only the SSL certificates that Update Manager uses for communication between the Update Manager server and client components. You cannot replace the SSL certificates that Update Manager uses on port 9087 when importing offline bundles or upgrade release files.”

KB 2037581 resumes at the point where we ended in Part 2, after creating the required SSL certificates.

Steps:

  • Assuming the VUM is a VM, create a snapshot before you start working.
  • If you haven’t already done this, import the root certificate Root64.cer into the “Trusted Root Certification Authorities” Windows certificate store. This ensures that the certificate server is trusted from now on.
    Figure 1
  • Back up the current certificates, located in the C:\Program Files (x86)\VMware\Infrastructure\Update Manager\SSL directory.
    Figure 2
  • Copy the new certificate files to this directory replacing the current ones. If you are following my blog posts, the certificates are located in C:\certs\UpdateManager.
  • Stop the vSphere Update Manager Service and the vSphere Update Manager UFA services from the services control manager.
  • Launch the exe application, located in C:\Program Files (x86)\VMware\Infrastructure\Update Manager.
    When using the VCSA, VUM is always installed separately, so use the IP address or hostname of the VCSA. Use the credentials Update Manager uses to connect to the VCSA.
    Figure 3
  • Click the SSL Certificate Link.
  • Select the “Followed and verified the steps” option.
  • Click Apply.
    Figure 4
  • Click OK when prompted with message “Restart the VMware vSphere Update Manager service to apply the setting”.
  • Restart the vSphere Update Manager Service and the vSphere Update Manager UFA services.



Implementing CA signed SSL certificates with vSphere 5.x – Part 3 – vCenter Server Appliance

11/03/2015

In the previous post, we highlighted the default template needed, in case of an Organizational CA, and ended with the creation of the certificates needed for the vCenter Server components.

According to our compass KB “Implementing CA signed SSL certificates with vSphere 5.x (2034833)”, the next step is to replace the vCenter Single Sign-On certificate and it points us to KB “Configuring CA signed SSL certificates for vCenter Single Sign-On in vSphere 5.5 (2058519)”.

Unfortunately, we are in trouble now, as KB 2034833 refers to the Windows vCenter Server components, with no reference to the vCenter Server Appliance. We will return to this KB later, for the vSphere Update Manager.

Luckily, KB “Configuring Certificate Authority (CA) signed certificates for vCenter Server Appliance 5.5 (2057223)” is available for the vCenter Server Appliance. In fact this KB contains all steps for setting up OpenSSL, generating certificate requests, getting and implementing certificates.

The Script

In fact, we have reached the section “Installation and configuration of the certificates for all the components”. This 40-step section contains a lot of commands. To overcome the differences and make the installation process easier, I have created a script which can be found in this post. Copy and paste the content into Notepad and save it as vcsa_certs.sh.



Implementing CA signed SSL certificates with vSphere 5.x – Part 2 – Obtaining Certificates

11/03/2015

This is the second post in a series about implementing CA signed SSL certificates. The previous post provided some background and a few important questions to consider before taking off.

Until now, KB “Implementing CA signed SSL certificates with vSphere 5.x (2034833)” is our compass.

Creating a new default template

If you are using certificates from an organizational CA, like I am, the first step is to create a correct SSL certificate template for the Certificate Authority. Follow the directions in KB “Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 5.x (2062108)”.

The steps in this KB are straightforward. After creating a new default template, the new template needs to be added to the Root CA or Subordinate CA server. This new template should be used in place of the Web Server template.

There are a few important steps:

  • Create a duplicate of the Web Server template.
  • On the Extensions tab, Key Usage, make sure you select the “Signature is proof of origin (nonrepudiation)” and “Allow encryption of user data” options.
    figure 1
  • On the Extensions tab, Application Policies, make sure you Add Client Authentication.
    figure 2



Implementing CA signed SSL certificates with vSphere 5.x – Part 1 – Introduction

09/03/2015

Why certificates?

Almost all vSphere components, like ESXi, vCenter Server and vSphere Update Manager, make use of SSL certificates. However, the certificates installed during the installation process are signed by VMware, are not verifiable, and are not signed by a trusted certificate authority (CA).

Figure 1

Also, the vSphere Hardening Guide (for all components) recommends not using the default self-signed certificates for ESXi communication for all three profiles, because:
“Using the default self-signed certificates leaves the SSL connection open to Man-in-The-Middle (MiTM) attacks. Replace default self-signed certificates with those from a trusted CA, either commercial or organizational.”

The vSphere Hardening Guide recommends the following assessment procedure and, if you need to replace SSL certificates, points to a useful KB:

“Connect to each ESX/ESXi host with an internet browser, https://<hostname>/. View the details of the SSL certificate; determine if it is issued by a trusted CA, either commercial or organizational. To change SSL certificates refer to KB “Implementing CA signed SSL certificates with vSphere 5.x (2034833)”.”

See figure 1 for a result.

The vSphere Hardening Guide points to the very useful KB 2034833, but it also becomes clear that it’s one of many KBs on implementing SSL certificates, and there are even more KBs not mentioned.
So, I was very curious how this would work out in a common vSphere Cluster.



vCenter Configuration Manager – First Run

21/01/2014

Aka vSphere Hardening – Part 6

In Part 4 of this series, we ended with the collection of Data from our vCenter Server.

Before we continue, I will point to a few issues I have encountered while working with vCM.

First, while opening one of the Dashboards (Console -> Dashboards -> Select dashboard), the following error message was received: “An error has occurred performing an SRS security request. You must use Internet Explorer with the Run as administrator option to view dashboard reports when working locally on the Collector.”
VMware has multiple Knowledge Base articles discussing this error. The one that solved the problem in my case was KB “SSRS authentication must be configured in two-tier and three-tier installation environments that use Basic authentication (2000082)”. Also note, I run a one-tier installation!

But that was not all…
