Sunday, January 5, 2014

vCloud Director 5.5 - Replace current self-signed certificates with signed certificates

Initially I had very little time to get vCloud Director up and and running and just created self signed certificates.
After upgrading from vCloud 5.1 to 5.5, we found a known problem with VMware where MAC desktops cannot access VM console when using self-signed certificates.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2058496

This provided the perfect opportunity to replacing initial self signed certificates with newly created signed certificates. (internal root CA server)



Prerequisites:
SSH to vCloud director:

  • verify ip addresses used for vcloud  (ifconfig -a)
  • run "nslookup <ipaddress>" to identify the FQDN for both http and consoleproxy IP address.  This will also verify that reverse lookup is working correct.


Example:
10.30.15.100 (http)                      vcloud.company.corp
10.30.15.101 (console proxy)       vcloudcp.company.corp

Some considerations before creating new certificates:

  • I already have a Java keystore file /certs/certificates.ks which is currently configured for the self signed certificates. I decided to create a new Java keystore file called "sslcertificates.ks".  This is not necessary but I wanted to keep the files easily distinguishable.
  • The new Java keystore file i moved to a new folder called /sslcerts/.  This again is not necessary can can keep in original folder or create different one.
  • You can create the new certificates and CSR while vCloud services are running.  You however need to shutdown the vCloud services before you run the configuration script.  Outage required during this short period.


Steps:


  1. SSH to vcloud director (we currently run vcloud on RHEL)
  2. Change folder /opt/vmware/vcloud-director/jre/bin/
  3. Run command to create new keystore file for HTTP:
    • # keytool -keystore sslcertificates.ks -storetype JCEKS -storepass ******* -genkey -keyalg RSA -alias http
      • Keytool utility will prompt for responses to several question. Replace the example input in italics with the information relevant to your environment:
      • What is your first and last name? [Unknown]:                         vcloud.airwatch.corp
      • What is the name of your organizational unit? [Unknown]:       vCloud
      • What is the name of your organization? [Unknown]:                Company
      • What is the name of your City or Locality? [Unknown]:            City
      • What is the name of your State or Province? [Unknown]:         State
      • What is the two-letter country code for this unit? [Unknown]:   US
      • Enter password for http or select option for same password as in command
  4. Run command to obtain CSR for HTTP service:
    • # keytool –keystore sslcertificates.ks –storetype JCEKS –storepass ******* –certreq –alias http –file http.csr
      • This creates a file called the http.csr
  5. Run command to create new keystore file for Console Proxy:
    • # keytool –keystore sslcertificates.ks –storetype JCEKS –storepass ******* –genkey –keyalg RSA –alias consoleproxy
      • Keytool utility will prompt for responses to several question. Replace the example input in italics with the information relevant to your environment:
      • What is your first and last name? [Unknown]:                         vcloudcp.airwatch.corp
      • What is the name of your organizational unit? [Unknown]:       vCloud
      • What is the name of your organization? [Unknown]:                Company
      • What is the name of your City or Locality? [Unknown]:            City
      • What is the name of your State or Province? [Unknown]:         State
      • What is the two-letter country code for this unit? [Unknown]:   US
      • Enter password for http or select option for same password as in command
  6. Run command to obtain CSR for Console Proxy service:
    • # keytool –keystore sslcertificates.ks –storetype JCEKS –storepass ******* –certreq –alias consoleproxy –file consoleproxy.csr
      • This creates a file called the consoleproxy.csr
  7. Copy the http.csr and consoleproxy.csr files that were just create to your local machine. I use an appliciation called WinSCP.
  8. Go to Windows CA certificate server website "https://<servername>/certsrv/" and perform following tasks for both the http and consoleproxy CSRs:
    • request certificate
    • advanced certificate request
    • Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
    • Open the csr file and copy/paste the text into field.
    • Select certificate template = "Web Server"
    • Submit
    • Select "Base 64 encoded"
    • Download certificate, which will provide a certnew.cer file.
    • Rename the file to be specific for example "<service>_certnew.cer"
  9. Lastly download the root CA certificate.
  10. Copy all 3 certificates to vcloud server and import them into the keystore with following commands:
    • Import the root certificate:
      • # keytool -storetype JCEKS -storepass ******* -keystore sslcertificates.ks -import -alias root -file root_certnew.cer
    • Import the http service certificate:
      • # keytool -storetype JCEKS -storepass ******* -keystore sslcertificates.ks -import -alias http -file http_certnew.cer
    • Import the console proxy service certificate:
      • # keytool -storetype JCEKS -storepass ******* -keystore sslcertificates.ks -import -alias consoleproxy -file console_certnew.cer
  11. To verify that all the certificates are imported, list the contents of the keystore file.
    • # keytool -storetype JCEKS -storepass ******* -keystore sslcertificates.ks -list
  12. Move the certifcate.ks file to new folder:  /sslcerts/sslcertificates.ks
    • "mv /opt/vmware/vcloud-director/jre/bin/sslcertificates.ks /sslcerts/"
  13. Now configure vCloud Director to use the new SSL certificates:
    1. Stop vcloud services "service vmware-vcd stop"
    2. Run following command:
      1. # opt/vmware/vcloud-director/bin/configure
        1. Provide the path to the keystore file  /sslcerts/sslcertificates.ks
        2. Enter passwords
        3. Yes to start the vCloud services.

Now your vCloud should be using newly created certificates.