Creating and importing self-signed SSL certificates for vCD using keytool

To create and import self-signed SSL certificates:
  1. Create an untrusted certificate for the HTTP service host with the command:
    keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -alias http
  2. Enter the fully qualified domain name of the HTTP service host when prompted for your first name and last name.
  3. Create an untrusted certificate for the console proxy service host with the command:
    keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -alias consoleproxy
  4. Verify that both certificates are in the keystore by listing the contents of the keystore file with the command:
    keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list
Notes:
  • By default, certificates are valid only for 3 months. To increase the duration, add the switch -validity number_of_days when creating your certificate.
  • After creating the certificates, you must run the /opt/vmware/vcloud-director/bin/configure script. This script prompts you for the SSL certificates. After you enter the required passwords, the vCloud Director service starts.

Creating and importing signed SSL certificates for vCloud Director using keytool

To create and import signed SSL certificates:
  1. Create the certificates and the certificate signing requests.
    • To create an untrusted certificate for the HTTP service host, run the command:
      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -alias http
    • To create a certificate signing request for the HTTP service, run the command:
      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr
      Note: This command creates a certificate signing request in the file http.csr.
    • To create an untrusted certificate for the console proxy service host, run the command:
      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -alias consoleproxy
    • To create a certificate signing request for the console proxy service, run the command:
      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr
      Note: This command creates a certificate signing request in the file consoleproxy.csr.
  2. Send the certificate signing requests to your Certification Authority. You receive the signed SSL certificates in an email.
  3. When you receive the signed certificates, import them into the keystore in this order: root, intermediates, then the host-specific certificates.
    • To import the Certification Authority’s root certificate into the keystore file, run the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias root -file root.cer
    • To import the Certification Authority’s intermediate certificates into the keystore file, run the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias intermediate -file intermediate.cer
    • To import the host-specific certificate for the HTTP service, run the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http -file http.cer
    • To import the host-specific certificate for the console proxy service, run the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias consoleproxy -file consoleproxy.cer
  4. Verify that all the certificates have been imported by listing the contents of the keystore file with the command:
    keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list
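The keystore creation and CSR steps from the two procedures above, scripted so they run without the interactive name prompts. This is an added example, not VMware's KB code; it assumes keytool is on the PATH, and the FQDNs, keystore path and passwords are placeholders to replace.

```shell
# Added example, not from the VMware KB articles above: create the vCD
# keystore non-interactively for both service aliases, then write the CSRs
# that the signed-certificate flow sends to the CA. Assumes keytool on PATH;
# the FQDNs and passwords are placeholders.
set -eu
KS=${KS:-certificates.ks}
STOREPASS=${STOREPASS:-passwd}   # placeholder password, as in the KB
VALIDITY=${VALIDITY:-365}        # keytool's own default is 90 days

# One RSA key pair with a self-signed certificate per service alias.
# -dname replaces the interactive first/last name prompt with the FQDN, and
# the SAN extension repeats it because browsers no longer accept CN alone.
gen_alias() {
  name=$1; fqdn=$2
  keytool -keystore "$KS" -storetype JCEKS -storepass "$STOREPASS" \
    -genkeypair -keyalg RSA -keysize 2048 -validity "$VALIDITY" \
    -alias "$name" -keypass "$STOREPASS" -dname "CN=$fqdn" \
    -ext "SAN=dns:$fqdn"
}

# CSR for an alias, carrying the same SAN so the CA can copy it into the
# signed certificate. Written to <alias>.csr.
make_csr() {
  name=$1; fqdn=$2
  keytool -keystore "$KS" -storetype JCEKS -storepass "$STOREPASS" \
    -certreq -alias "$name" -ext "SAN=dns:$fqdn" -file "$name.csr"
}

# Number of PrivateKeyEntry rows in the keystore (vCD needs exactly two).
count_key_entries() {
  keytool -keystore "$KS" -storetype JCEKS -storepass "$STOREPASS" -list \
    | grep -c PrivateKeyEntry
}

# build_keystore <http-fqdn> <consoleproxy-fqdn>: fresh keystore, both
# aliases, both CSRs; prints the key-entry count.
build_keystore() {
  rm -f "$KS"
  gen_alias http "$1"
  gen_alias consoleproxy "$2"
  make_csr http "$1"
  make_csr consoleproxy "$2"
  count_key_entries
}
```

Run `build_keystore vcd.example.com vcd.example.com` (one FQDN for both services is fine when the GUI and console proxy share a host) and hand the two .csr files to the CA; the import steps are unchanged.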

vCloud Director and SSL Certificates

VCD Cell SSL Certificates

The communication between the end-user and the vCloud Director cell (either GUI or API) is encrypted, and by default self-signed certificates are used. The certificate replacement procedure is explained in the documentation in a few simple steps. The problem I have encountered during big vCloud deployments is that enterprise security teams have specific procedures for how to create and distribute certificates, which differ from those described in the documentation.

The default procedure is as follows:

  • create untrusted certificates (private and public key) with JAVA keytool command (this must be done for vCloud Director GUI and console proxy)
  • create certificate signing requests
  • send the certificate signing requests to your Certification Authority
  • import the Certificate Authority root certificate
  • import signed certificates

In my case the certificates were created for me by the security team and I received the private key in a .key file. On top of that, the Certification Authority which signed the certificates was an intermediate one and was itself signed by two others. The chain was as follows: public Root CA -> intermediate CA1 -> intermediate CA2 -> VCD certificate.

The vCloud Director JAVA keytool command does not allow private key import. Also, the whole trusted chain for the certificate must be built so that all the intermediate certificates are presented to the client browsers and the vCloud Director certificate can be validated. This has been achieved with the following procedure:

  1. Concatenate all CA certificates to create the whole chain:
    cat CA2.cer CA1.cer RootCA.cer > chain.crt
  2. With openssl, create a PKCS12 keystore with the private key, certificate chain and proper alias (first for the GUI):
    openssl.exe pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:<password> -out http.pfx -chain
  3. Repeat for the console proxy:
    openssl.exe pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:<password> -out consoleproxy.pfx -chain
  4. Now we can import the two PKCS12 keystores into a JAVA JCEKS keystore with keytool:
    /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass <password>
    /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass <password>
  5. We can check if the import was successful:
    /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass <password> -keystore certificates.ks -list
  6. Now we can import the new certificates into the vCloud Director cell. To do that we first need to stop it:
    service vmware-vcd stop
    Note: this will interrupt all running VCD jobs. For a graceful shutdown follow http://kb.vmware.com/kb/1033575
  7. Rerun the configuration tool and point it to the certificates.ks keystore created in steps 2 and 3. This will import the certificates.
    /opt/vmware/vcloud-director/bin/configure
  8. Repeat for the other VCD cells.
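Steps 1 to 5 above as a script, with the two checks a security team will ask about before the import: that chain.crt actually validates each host certificate, and that the .key file they handed over matches that certificate. This is an added example and not Tom Fojta's or VMware's code; it assumes openssl and keytool are available, uses the post's file names, and the keytool path and password are placeholders.

```shell
# Added example (not Tom Fojta's or VMware's code): the external-key path
# above as a script, with two checks to run before the import: the chain
# file must validate the host cert, and the private key must match it.
# Assumes openssl and keytool on PATH; file names follow the post.
set -eu
KEYTOOL=${KEYTOOL:-/opt/vmware/vcloud-director/jre/bin/keytool}
KS=${KS:-certificates.ks}
PASS=${PASS:-passwd}   # placeholder; the post writes <password>

# Step 1: CA nearest the leaf first, root last.
build_chain() { cat CA2.cer CA1.cer RootCA.cer > chain.crt; }

# Check 1: every CA in chain.crt is treated as trusted, so this fails only
# if a link is missing or the leaf was signed by a different CA.
verify_chain() { openssl verify -CAfile chain.crt "$1.crt" >/dev/null; }

# Check 2: public key in the cert vs. public key derived from the .key file;
# a mismatch here is the usual reason the PKCS12 export fails.
key_matches_cert() {
  c=$(openssl x509 -in "$1.crt" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$1.key" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# Steps 2-4: PKCS12 holding key + full chain, merged into the JCEKS store.
import_alias() {
  name=$1
  verify_chain "$name" || { echo "$name.crt does not chain" >&2; return 1; }
  key_matches_cert "$name" || { echo "$name.key mismatch" >&2; return 1; }
  openssl pkcs12 -export -in "$name.crt" -inkey "$name.key" -CAfile chain.crt \
    -chain -name "$name" -passout "pass:$PASS" -out "$name.pfx"
  "$KEYTOOL" -importkeystore -deststorepass "$PASS" -destkeystore "$KS" \
    -deststoretype JCEKS -srckeystore "$name.pfx" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -noprompt
}

# Step 5: chain length keytool recorded for an alias (leaf + 3 CAs = 4).
chain_length() {
  "$KEYTOOL" -storetype JCEKS -storepass "$PASS" -keystore "$KS" -list -v \
    -alias "$1" | sed -n 's/^Certificate chain length: //p'
}

# Whole procedure for both services; prints the http chain length.
import_all() {
  build_chain
  import_alias http
  import_alias consoleproxy
  chain_length http
}
```

A chain length lower than the number of certificates in chain.crt plus one means a link was not attached, which is exactly the case where browsers show the certificate as untrusted even though it imported without error.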

Special Thanks to Tom Fojta for this blog post.


Redirect SSL with .htaccess

If you use an SSL certificate to secure pages on your website, you may want to set up your server to always display non-secure pages using ‘http’ instead of ‘https’.

In terms of search engine optimisation it is advisable that your server is set up to display a single version of a page to avoid duplication.
In other words, when an SSL certificate is set up, it generally means that every page on the site is available at both http://www.yoursitedomain.com and https://www.yoursitedomain.com.
Other than duplicate content, this can also cause the splitting of link equity between two versions of the same page.
This can happen when a user navigates to a secure page on your site (‘https’) and then navigates to other areas of the site whilst still remaining on the secure version of the site (which is the default behaviour on most Apache servers with SSL installed).
The rest of this blog post explains how to handle SSL redirection using an .htaccess file installed on your server.
How to Create .htaccess Files
To create .htaccess files you will need to use a simple text editor such as Notepad on Windows or TextEdit on an Apple Mac. The .htaccess file should be saved with no file extension and it is important to include the full stop ‘.’ at the beginning of the filename. To do this, click Save As, and name the file .htaccess. If the program tries to save the file as .rtf or .txt, change this option to All Files.
Redirect Folder to HTTPS
Create the following .htaccess file and place it within the folder that you want to serve using SSL. Change the domain name and folder name to match your site's requirements. The .htaccess file will redirect http://www.yoursitedomain.com/foldername/ to https://www.yoursitedomain.com/foldername/, and it will also redirect any other pages within the folder to the ‘https’ version.
RewriteEngine On
RewriteCond %{SERVER_PORT} !=443
RewriteCond %{REQUEST_URI} foldername
RewriteRule ^(.*)$ https://www.yoursitedomain.com/foldername/$1 [R=301,L]
Redirect Non-Secure Pages to HTTP
The following .htaccess file needs to be placed in the website's root folder. Change the domain name to match your site's requirements.
RewriteEngine On
RewriteCond %{SERVER_PORT} ^443$
RewriteRule ^(.*)$ http://www.yoursitedomain.com/$1 [R=301,L]
Please Note: When making adjustments to your server settings, please test the above method thoroughly to check that it works correctly in all situations. Servers can be set up with various different configurations. If this is the case, the above .htaccess files may not work in their current format. It may be a simple case of changing the port settings in the .htaccess files, or you may need to contact your website host for more information.