Scenarios for Setting Up SSL Certificates for View

VMware Horizon 6
Version 6.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information. VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

Scenarios for Setting Up SSL Connections to View
1 Obtaining SSL Certificates from a Certificate Authority
    Determining If This Scenario Applies to You
    Selecting the Correct Certificate Type
    Generating a Certificate Signing Request and Obtaining a Certificate with Microsoft Certreq
2 Off-loading SSL Connections to Intermediate Servers
    Import SSL Off-loading Servers' Certificates to View Servers
    Set View Server External URLs to Point Clients to SSL Off-loading Servers
    Allow HTT
Scenarios for Setting Up SSL Connections to View

Scenarios for Setting Up SSL Connections to View provides examples of setting up SSL certificates for use by View servers. The first scenario shows you how to obtain signed SSL certificates from a Certificate Authority and ensure that the certificates are in a format that can be used by View servers. The second scenario shows you how to configure View servers to off-load SSL connections to an intermediate server.
1 Obtaining SSL Certificates from a Certificate Authority

VMware strongly recommends that you configure SSL certificates that are signed by a valid Certificate Authority (CA) for use by View Connection Server instances, security servers, and View Composer instances. Default SSL certificates are generated when you install View Connection Server, security server, or View Composer instances. Although you can use the default, self-signed certificates for testing purposes, replace them as soon as possible.
If your organization provides you with SSL certificates that are signed by a CA, you can use these certificates. Your organization can use a valid internal CA or a third-party, commercial CA. If your certificates are not in PKCS#12 format, you must convert them. See “Convert a Certificate File to PKCS#12 Format.”
Generating a Certificate Signing Request and Obtaining a Certificate with Microsoft Certreq

To make a certificate available to a View server, you must create a configuration file, generate a certificate signing request (CSR) from the configuration file, and send the signing request to a CA.
[NewRequest]
Subject = "CN=View_Server_FQDN, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
; Replace View_Server_FQDN with the FQDN of the View server.
; Replace the remaining Subject attributes.
KeySpec = 1
KeyLength = 2048
; KeyLength is usually chosen from 2048, 3072, or 4096. A KeyLength
; of 1024 is also supported, but it is not recommended.
What to do next

Generate a CSR from the configuration file.

Generate a CSR and Request a Signed Certificate from a CA

Using the completed configuration file, you can generate a CSR by running the certreq utility. You send the request to a third-party CA, which returns a signed certificate.

Prerequisites

- Verify that you completed a CSR configuration file. See “Create a CSR Configuration File.”
6 Rename the root CA and intermediate CA certificate files to root.cer and intermediate.cer. Make sure that the files are located on the View server on which the certificate request was generated.

NOTE These certificates do not have to be in PKCS#12 (PFX) format when you use the certreq utility to import the certificates into the Windows local computer certificate store.
Import a Signed Certificate by Using Certreq

When you have a signed certificate from a CA, you can import the certificate into the Windows local computer certificate store on the View server host. If you used the certreq utility to generate a CSR, the certificate private key is local to the server on which you generated the CSR. To work correctly, the certificate must be combined with the private key.
5 If you use HTML Access in VMware Horizon View 5.2 or later, restart the VMware View Blast Secure Gateway service.
6 If you are setting up a certificate on a View Composer server, you might have to take another step.
  - If you set up the new certificate after you install View Composer, you must run the SviConfig ReplaceCertificate utility to replace the certificate that is bound to the port used by View Composer.
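The certreq round trip described in this chapter, with the two checks that matter before and after the CA signs the request, as an added example that is not taken from the VMware guide. The file names request.inf, certreq.txt and cert.cer, the FQDN, and the assumption that request.inf creates a machine-context request are placeholders chosen for illustration.

```powershell
# Added example (not from the VMware guide). Run elevated on the View server.
# Assumed names: request.inf, certreq.txt, cert.cer and $Fqdn are placeholders.
# Assumption: request.inf creates the request in the local computer context.
$Fqdn = 'view.example.com'   # placeholder: the CN used in request.inf

function Get-RsaBits($Cert) {
    $rsa = [Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($rsa) { $rsa.KeySize } else { 0 }   # 0 means the key is not RSA
}

function New-ViewCsr($Inf = 'request.inf', $Csr = 'certreq.txt') {
    certreq -new $Inf $Csr
    if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }
    # The pending request and its private key stay in Certificate Enrollment Requests on this host.
    $req = Get-ChildItem Cert:\LocalMachine\REQUEST |
        Where-Object { $_.Subject -like "*CN=$Fqdn*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $req) { throw "No pending request for CN=$Fqdn on this host" }
    $bits = Get-RsaBits $req
    if ($bits -lt 2048) { throw "Key is $bits bits; regenerate with a KeyLength of 2048 or more" }
    "CSR written to $Csr ($bits-bit key). Only this file goes to the CA; the key never leaves the server."
}

function Import-ViewCert($CertFile = 'cert.cer') {
    certreq -accept $CertFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*CN=$Fqdn*" } |
        Sort-Object NotBefore -Descending | Select-Object -First 1
    if (-not $cert) { throw "Certificate for CN=$Fqdn not found in the Personal store" }
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $($cert.Thumbprint) has no private key; accept it on the host that generated the CSR"
    }
    $cert | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# New-ViewCsr        # before submitting the request to the CA
# Import-ViewCert    # after the CA returns the signed certificate
```

A certificate that lands in the Personal store with HasPrivateKey set to False was accepted on a different host from the one that generated the CSR, which is the failure the import topic warns about.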
2 Off-loading SSL Connections to Intermediate Servers

You can set up intermediate servers between your View servers and Horizon Client devices to perform tasks such as load balancing and off-loading SSL connections. Horizon Client devices connect over HTTPS to the intermediate servers, which pass on the connections to the external-facing View Connection Server instances or security servers.
Do not confuse load balancing with SSL off-loading. The preceding requirement applies to any device that is configured to provide SSL off-loading, including some types of load balancers. However, pure load balancing does not require copying of certificates between devices.

IMPORTANT The scenario described in the following topics shows one approach to the sharing of SSL certificates between third-party components and VMware components.
Before you start, verify that the F5 BIG-IP LTM system is deployed with View. Check that you completed the tasks in the F5 deployment guide, Deploying the BIG-IP LTM System with VMware View, located at http://www.f5.com/pdf/deployment-guides/f5-vmware-view-dg.pdf.

1 Connect to the F5 BIG-IP LTM configuration utility.
2 On the Main tab of the navigation pane, expand Local Traffic and click SSL certificates.
Convert a Certificate File to PKCS#12 Format

If you obtained a certificate and its private key in PEM or another format, you must convert it to PKCS#12 (PFX) format before you can import the certificate into a Windows certificate store on a View server. PKCS#12 (PFX) format is required if you use the Certificate Import wizard in the Windows certificate store.
For other types of certificate files, only the server certificate is imported into the Windows local computer certificate store. In this case, you must take separate steps to import the root certificate and any intermediate certificates in the certificate chain. For more information about certificates, consult the Microsoft online help available with the Certificate snap-in to MMC.
4 Click Apply and click OK.
5 Verify that no other server certificates in the Personal > Certificates folder have a Friendly name of vdm.
  a Locate any other server certificate, right-click the certificate, and click Properties.
  b If the certificate has a Friendly name of vdm, delete the name, click Apply, and click OK.

What to do next

Import the root certificate and intermediate certificates into the Windows local computer certificate store.
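The friendly-name check in step 5 and the follow-on chain import can be verified from PowerShell instead of clicking through each certificate. This is an added example, not part of the VMware guide; it only reads the local computer Personal store and changes nothing.

```powershell
# Added example (not from the VMware guide). Read-only; run on the View server.
# Lists every certificate in Personal > Certificates whose Friendly name is vdm
# and reports whether its chain builds to a trusted root on this host.
$vdm = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })

if ($vdm.Count -ne 1) {
    Write-Warning "Expected exactly one certificate with Friendly name 'vdm', found $($vdm.Count)."
}

foreach ($cert in $vdm) {
    # Revocation checking is skipped; this only tests whether the root and
    # intermediate certificates needed to build the chain are present and trusted.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        SelfSigned    = ($cert.Subject -eq $cert.Issuer)   # heuristic: Subject equals Issuer
        DaysLeft      = [int]($cert.NotAfter - (Get-Date)).TotalDays
        ChainTrusted  = $trusted
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A ChainTrusted value of False with UntrustedRoot or PartialChain in ChainErrors indicates that the root or intermediate certificates have not yet been imported.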
Set View Server External URLs to Point Clients to SSL Off-loading Servers

If SSL is off-loaded to an intermediate server and Horizon Client devices use the secure tunnel to connect to View, you must set the secure tunnel external URL to an address that clients can use to access the intermediate server. You configure the external URL settings on the View Connection Server instance or security server that connects to the intermediate server.
Modify the External URLs for a Security Server

You use View Administrator to modify the external URLs for a security server.

Prerequisites

- Verify that the secure tunnel connections are enabled on the View Connection Server instance that is paired with this security server.

Procedure

1 In View Administrator, select View Configuration > Servers.
2 Select the Security Servers tab, select the security server, and click Edit.
3 (Optional) Add properties to configure a non-default HTTP listening port and a network interface on the View server.
  - To change the HTTP listening port from 80, set serverPortNonSSL to another port number to which the intermediate device is configured to connect.