vCloud Director and SSL Certificates

VCD Cell SSL Certificates

Communication between end users and a vCloud Director cell (both the GUI and the API) is encrypted, and by default self-signed certificates are used. The certificate replacement procedure is explained in the documentation in a few simple steps. The problem I have encountered during big vCloud deployments is that enterprise security teams have their own procedures for creating and distributing certificates, and these differ from those described in the documentation.

The default procedure is the following:

  • create self-signed certificates (key pairs) with the Java keytool command (this must be done twice: once for the vCloud Director GUI/API endpoint and once for the console proxy)
  • create certificate signing requests
  • send the certificate signing requests to your Certification Authority
  • import the Certification Authority root certificate (and any intermediate CA certificates)
  • import the signed certificates

In my case the certificates were created for me by the security team, and I received the private key in a .key file. On top of that, the Certification Authority which signed the certificates was an intermediate CA, itself signed by another intermediate CA that chains up to a public root. The chain was the following: public Root CA -> intermediate CA1 -> intermediate CA2 -> VCD certificate.

The Java keytool shipped with vCloud Director cannot import a bare private key: a key can only enter a keystore together with its certificate, packaged as a PKCS12 file. The whole trust chain must also be stored with the certificate, so that the cell presents all the intermediate certificates to client browsers and the vCloud Director certificate can be validated (clients can only be expected to know the public root, not the intermediates). This has been achieved with the following procedure:

  1. Concatenate all CA certificates, starting with the CA that signed the VCD certificate and ending with the root, to create the whole chain (the files must be PEM/Base-64 encoded; a DER-encoded .cer file must first be converted with openssl x509 -inform DER):
    cat CA2.cer CA1.cer RootCA.cer > chain.crt
  2. With openssl create a PKCS12 keystore with the private key, certificate chain and proper alias (first for the GUI; the alias names http and consoleproxy are the ones vCloud Director expects):
    openssl.exe pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:<password> -out http.pfx -chain
  3. Repeat for the console proxy:
    openssl.exe pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:<password> -out consoleproxy.pfx -chain
  4. Now we can import the two PKCS12 keystores into a Java JCEKS keystore with keytool. Use the same <password> for the PKCS12 files and for the JCEKS keystore: the configure script asks for a single keystore password and uses it to unlock the key entries as well:
    /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass <password>

    /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass <password>
  5. We can check that the import was successful. Both aliases must be listed, and with -v added each entry should report "Certificate chain length: 4" (the VCD certificate plus the three CA certificates); a shorter chain means the cell will serve an incomplete chain to clients:
    /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass <password> -keystore certificates.ks -list
  6. Now we can import the new certificates into the vCloud Director cell. To do that we first need to stop it:
    service vmware-vcd stop
    Note: this will interrupt all running VCD jobs. For a graceful shutdown follow http://kb.vmware.com/kb/1033575
  7. Rerun the configuration tool and point it to the certificates.ks keystore created in step 4. This will import the certificates:
    /opt/vmware/vcloud-director/bin/configure
  8. Repeat for the other VCD cells.
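The whole procedure as one script, with the checks that usually fail in practice added in. This is an added example, not code from the original post or from VMware: it assumes the file names used above (CA2.cer, CA1.cer, RootCA.cer, http.crt/http.key, consoleproxy.crt/consoleproxy.key), that openssl is on the PATH, that the script is saved as vcd_keystore.sh, and that the keytool location can be overridden with the KEYTOOL variable. Beyond the steps above it handles DER-encoded .cer files, refuses to build a PKCS12 when the chain does not actually validate the certificate, and counts the certificates inside each PKCS12 before importing it.

```shell
#!/bin/sh
# Added example: build a vCloud Director JCEKS keystore from an externally issued
# key pair and a three-level CA chain. File names follow the post; the KEYTOOL
# location defaults to the vCD cell's bundled JRE (both are assumptions).
set -eu

KEYTOOL=${KEYTOOL:-/opt/vmware/vcloud-director/jre/bin/keytool}

# cert_format FILE  Prints PEM or DER. Windows CAs often hand out DER-encoded
# .cer files, which cat cannot simply concatenate into a chain.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then echo PEM; else echo DER; fi
}

# build_chain OUT CA_FILE...  Concatenates the CA certificates into one PEM file,
# re-encoding each through openssl so DER input, CRLF line endings and missing
# trailing newlines cannot produce a corrupt bundle. Issuing CA first, root last.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        openssl x509 -in "$f" -inform "$(cert_format "$f")" >> "$out"
    done
}

# verify_leaf CERT CHAIN  Fails unless the certificate validates against the
# chain. Run this before building the PKCS12: "openssl pkcs12 -chain" fails
# with an unhelpful error when an intermediate is missing or wrong.
verify_leaf() {
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# make_pkcs12 ALIAS CERT KEY CHAIN PASSWORD OUT  Bundles key, certificate and the
# full chain under the alias vCD expects ("http" or "consoleproxy").
make_pkcs12() {
    openssl pkcs12 -export -in "$2" -inkey "$3" -CAfile "$4" -chain \
        -name "$1" -passout "pass:$5" -out "$6"
}

# pkcs12_chain_length PFX PASSWORD  Number of certificates inside the PKCS12.
# For the chain in the post this must be 4 (VCD cert + CA2 + CA1 + root).
pkcs12_chain_length() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# import_into_jceks PFX KEYSTORE PASSWORD  One password for the PKCS12, the
# JCEKS store and the key entries: the vCD configure script asks for a single
# keystore password and uses it for all of them.
import_into_jceks() {
    "$KEYTOOL" -importkeystore -deststorepass "$3" -destkeystore "$2" \
        -deststoretype JCEKS -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$3"
}

main() {
    password=$1
    build_chain chain.crt CA2.cer CA1.cer RootCA.cer
    for alias in http consoleproxy; do
        verify_leaf "$alias.crt" chain.crt
        make_pkcs12 "$alias" "$alias.crt" "$alias.key" chain.crt "$password" "$alias.pfx"
        n=$(pkcs12_chain_length "$alias.pfx" "$password")
        [ "$n" -eq 4 ] || { echo "$alias.pfx holds $n certificates, expected 4" >&2; exit 1; }
        import_into_jceks "$alias.pfx" certificates.ks "$password"
    done
    # Both aliases must be present, each with "Certificate chain length: 4".
    "$KEYTOOL" -list -v -storetype JCEKS -storepass "$password" -keystore certificates.ks \
        | grep -E 'Alias name|Certificate chain length'
}

# Only run when executed directly as vcd_keystore.sh (assumed file name), so the
# functions can also be sourced into another script.
if [ "${0##*/}" = vcd_keystore.sh ]; then
    main "${1:?usage: $0 <keystore-password>}"
fi
```

After the configure run and a restart of the cell, confirm from a client machine that the cell really presents the intermediates: openssl s_client -connect <cell>:443 -showcerts </dev/null should list four certificates for the http endpoint, and the same check against the console proxy address for the consoleproxy alias.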

Special Thanks to Tom Fojta for this blog post.


Installing a SSL Certificate in IIS 7

Installation:

  1. Save the certificate file provided by your SSL certificate provider (your_domain_name.cer) to the desktop of the web server you are securing.
  2. Click on Start, then Administrative Tools, then Internet Information Services (IIS) Manager.
  3. Click on the server name.
  4. From the center menu, double-click the “Server Certificates” button in the “Security” section (near the bottom of the menu).
  5. From the “Actions” menu (on the right), click on “Complete Certificate Request.” This will open the Complete Certificate Request wizard.
  6. Browse to the your_domain_name.cer file that was provided to you by your SSL certificate provider. You will then be required to enter a friendly name. The friendly name is not part of the certificate itself, but is used by the server administrator to easily distinguish the certificate.
  7. Clicking “OK” will install the certificate on the server. Note: there is a known issue in IIS 7 giving the following error: “Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created.” You may also receive a message stating “ASN1 bad tag value met”. If this is the same server on which you generated the CSR then, in most cases, the certificate is actually installed. Simply cancel the dialog and press “F5” to refresh the list of server certificates. If the new certificate is now in the list, you can continue with the next step. If it is not in the list, you will need to reissue your certificate using a new CSR. After creating a new CSR, log in to your DigiCert account and click the re-key button for your certificate.
  8. Once the SSL certificate has been successfully installed to the server, you will need to assign that certificate to the appropriate website using IIS.
  9. From the “Connections” menu in the main Internet Information Services (IIS) Manager window, select the name of the server to which the certificate was installed.
  10. Under “Sites,” select the site to be secured with SSL.
  11. From the “Actions” menu (on the right), click on “Bindings.” This will open the “Site Bindings” window.
  12. In the “Site Bindings” window, click “Add…” This will open the “Add Site Binding” window.
  13. Under “Type” choose https. The IP address should be the IP address of the site or All Unassigned, and the port over which traffic will be secured by SSL is usually 443. The “SSL Certificate” field should specify the certificate that was installed in step 7.
  14. Click “OK.”
  15. Your SSL certificate is now installed, and the website is configured to accept secure connections. Check from another machine (a browser, or openssl s_client -connect your_domain_name:443 -showcerts) that the server presents the intermediate certificates as well: IIS builds the chain from the computer's Intermediate Certification Authorities store, so a missing intermediate shows up as a trust error on clients even though the binding itself works.

McAfee is blocking email on SMTP port 25

By default McAfee VirusScan Enterprise (and some other versions) blocks outbound connections on SMTP port 25. This is an anti-mass-mailing-worm feature. To disable it, do the following:

  • Right-click the McAfee icon in your system tray
  • Select “Open VirusScan Console” or Manage Features > VirusScan Enterprise, depending on the version you have
  • Double-click Access Protection Properties; this opens the dialog for this area
  • Under Anti-virus Standard Protection there is a rule that is set to block: “Prevent mass mailing worms from sending mail”
  • Uncheck the box under Block, click OK, and try again. A reboot is not needed.

Disabling the rule outright lets any process on the host connect to port 25, which is exactly what the rule is there to stop. If only one application legitimately needs to send mail, prefer editing the rule and adding that executable to its list of excluded processes instead.

Creating a Keystore for LDAP SSL

Exporting your Active Directory Certificate
As an Administrative user on your Active Directory server:

  1. Open the Microsoft Management Console by running mmc.exe.
  2. Add the Certificates snap-in for the Computer Account (select the Local Computer).
  3. Locate your certificate in the resulting tree. If you are using a self-signed certificate then this will appear under the Personal folder.
  4. Right click on the certificate, select All Tasks > Export.
  5. Export the certificate without the private key. The Base-64 encoded X.509 (.CER) format exports only that one certificate; if the domain controller's certificate was issued by an enterprise CA, either export the CA certificate instead (from the Trusted Root Certification Authorities folder) or choose the PKCS #7 (.P7B) format with “Include all certificates in the certification path”, which keytool can also import. Trusting the issuing CA rather than the domain controller's own certificate keeps the keystore valid when that certificate is auto-renewed.

Creating a Keystore
Once the certificate has been exported you can create a keystore containing it, which a Java application then uses to validate the Active Directory server's certificate when connecting over LDAPS.

  • To do this you will use the keytool (keytool.exe on Windows) utility supplied with your Java runtime with the following command:

keytool -import -alias ldap -file <certificate file> -keystore shdomain.ks

  • Enter a secure password for your keystore. keytool displays the certificate's fingerprint and asks whether to trust it; compare the fingerprint with the one shown on the exported certificate before answering yes. This will create a keystore file called shdomain.ks
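The same result without logging on to the domain controller, as an added example that is not part of the original post: fetch the certificates the domain controller presents on LDAPS, check the one to be trusted against a SHA-256 fingerprint obtained out of band (for instance computed on the DC from the exported .cer with certutil -hashfile <file> SHA256), and only then import it into the keystore. The host name dc01.example.com, port 636, the alias ldap and the keystore name shdomain.ks are assumptions; openssl, awk and keytool are expected on the PATH.

```shell
#!/bin/sh
# Added example (not from the original post): pin and trust the certificate a
# domain controller presents on LDAPS. The host dc01.example.com, the alias
# "ldap" and the keystore name shdomain.ks are assumptions.
set -eu

# fetch_chain HOST:PORT OUT  Save the raw "s_client -showcerts" transcript: the
# DC's own certificate first, then whatever issuers the DC sends. Reading from
# /dev/null ends the session as soon as the handshake is done.
fetch_chain() {
    openssl s_client -connect "$1" -showcerts </dev/null >"$2" 2>/dev/null || true
}

# nth_cert N  Print the N-th PEM certificate block found on stdin (nothing if
# there are fewer than N blocks).
nth_cert() {
    awk -v n="$1" '/-----BEGIN CERTIFICATE-----/{c++} c==n{print} /-----END CERTIFICATE-----/{if (c==n) exit}'
}

# fingerprint CERTFILE  SHA-256 fingerprint as openssl prints it (AB:CD:...).
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Canonical form for comparing fingerprints typed in by hand: no colons or
# spaces, upper-case hex.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# check_fingerprint CERTFILE EXPECTED  Succeeds only if the certificate's
# SHA-256 fingerprint equals the value obtained out of band.
check_fingerprint() {
    [ "$(normalize_fp "$(fingerprint "$1")")" = "$(normalize_fp "$2")" ]
}

# trust_cert CERTFILE KEYSTORE PASSWORD  Import as a trusted certificate entry.
# -noprompt skips keytool's "Trust this certificate?" question, which the
# fingerprint check has already answered.
trust_cert() {
    keytool -importcert -noprompt -trustcacerts -alias ldap -file "$1" \
        -keystore "$2" -storepass "$3"
}

# verify_ldaps HOST:PORT CERTFILE  Fail unless the DC's certificate validates
# against the pinned certificate alone.
verify_ldaps() {
    openssl s_client -connect "$1" -CAfile "$2" -verify_return_error </dev/null >/dev/null 2>&1
}

main() {
    host=${1:-dc01.example.com:636}            # assumed domain controller
    expected=${2:?SHA-256 fingerprint obtained out of band}
    password=${3:?keystore password}
    fetch_chain "$host" chain.txt
    # Prefer the issuing CA (second certificate) so the keystore survives renewal
    # of the DC certificate; fall back to the DC's own certificate when it is
    # self-signed and is the only one sent.
    nth_cert 2 < chain.txt > trusted.pem
    [ -s trusted.pem ] || nth_cert 1 < chain.txt > trusted.pem
    [ -s trusted.pem ] || { echo "no certificate received from $host" >&2; exit 1; }
    check_fingerprint trusted.pem "$expected" \
        || { echo "fingerprint mismatch, not trusting $host" >&2; exit 1; }
    trust_cert trusted.pem shdomain.ks "$password"
    verify_ldaps "$host" trusted.pem && echo "LDAPS to $host validates against shdomain.ks"
}

# Only run when executed directly as pin_ldaps.sh (assumed file name).
if [ "${0##*/}" = pin_ldaps.sh ]; then
    main "$@"
fi
```

The fingerprint comparison is what turns this from trust-on-first-use into an actual check: anyone able to intercept the first connection could otherwise hand the keystore a certificate of their choosing.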