Creating and importing signed SSL certificates for vCloud Director using keytool

To create and import signed SSL certificates:
  1. Create the certificate.
    • To create an untrusted certificate for the HTTP service host, run the command:
      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -alias http
    • To create a certificate signing request for the HTTP service, run the command:
      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias http -file http.csr
      Note: This command creates a certificate signing request in the file http.csr.
    • To create an untrusted certificate for the console proxy service host, run the command:
      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -genkey -alias consoleproxy
    • To create a certificate signing request for the console proxy service, run the command:
      keytool -keystore certificates.ks -storetype JCEKS -storepass passwd -certreq -alias consoleproxy -file consoleproxy.csr
      Note: This command creates a certificate signing request in the file consoleproxy.csr.
  2. Send the certificate signing requests to your Certification Authority. You receive the signed SSL certificates by email.
  3. When you receive the signed certificates, import them into the keystore.
    • To import the Certification Authority's root certificate into the keystore file, run the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias root -file root.cer
    • To import the Certification Authority's intermediate certificates into the keystore file, run the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias intermediate -file intermediate.cer
    • To import the host-specific certificate for the HTTP service, run the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias http -file http.cer
    • To import the host-specific certificate for the console proxy service, run the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -import -alias consoleproxy -file consoleproxy.cer
  4. To verify that all the certificates have been imported, list the contents of the keystore file with the command:
      keytool -storetype JCEKS -storepass passwd -keystore certificates.ks -list
vCloud Director and SSL Certificates

VCD Cell SSL Certificates

Communication between the end user and a vCloud Director cell (either GUI or API) is encrypted, and by default self-signed certificates are used. The certificate replacement procedure is explained in the documentation in a few simple steps. The problem I have encountered during big vCloud deployments is that enterprise security teams have specific procedures for how to create and distribute certificates, which differ from those described in the documentation.

The default procedure is as follows:

  • create untrusted certificates (private and public key) with the Java keytool command (this must be done for the vCloud Director GUI and the console proxy)
  • create certificate signing requests
  • send the certificate signing requests to your Certification Authority
  • import the Certificate Authority root certificate
  • import signed certificates

In my case the certificates were created for me by the security team and I received the private key in a .key file. On top of that, the Certification Authority which signed the certificates was an intermediate and was itself signed by two others. The chain was as follows: public Root CA -> intermediate CA1 -> intermediate CA2 -> VCD certificate.

The Java keytool command shipped with vCloud Director does not allow importing a private key. Also, the whole trust chain for the certificate must be built so that all the intermediate certificates are presented to client browsers and the vCloud Director certificate can be validated. This has been achieved with the following procedure:

  1. Concatenate all CA certificates to create the whole chain:
    cat CA2.cer CA1.cer RootCA.cer > chain.crt
  2. With openssl, create a PKCS12 keystore with the private key, certificate chain and proper alias (first for the GUI):
    openssl.exe pkcs12 -export -in http.crt -inkey http.key -CAfile chain.crt -name http -passout pass:<password> -out http.pfx -chain
  3. Repeat for the console proxy:
    openssl.exe pkcs12 -export -in consoleproxy.crt -inkey consoleproxy.key -CAfile chain.crt -name consoleproxy -passout pass:<password> -out consoleproxy.pfx -chain
  4. Now we can import the two PKCS12 keystores into a Java JCEKS keystore with keytool:
    /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore http.pfx -srcstoretype PKCS12 -srcstorepass <password>
    /opt/vmware/vcloud-director/jre/bin/keytool -importkeystore -deststorepass <password> -destkeystore certificates.ks -deststoretype JCEKS -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -srcstorepass <password>
  5. We can check whether the import was successful:
    /opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass <password> -keystore certificates.ks -list
  6. Now we can import the new certificates into the vCloud Director cell. To do that we first need to stop it:
    service vmware-vcd stop
    Note: this will interrupt all running VCD jobs. For a graceful shutdown, follow http://kb.vmware.com/kb/1033575
  7. Rerun the configuration tool and point it to the certificates.ks keystore created in steps 2 and 3. This will import the certificates:
    /opt/vmware/vcloud-director/bin/configure
  8. Repeat for the other VCD cells.

Special Thanks to Tom Fojta for this blog post.
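Both procedures above end with a keytool listing of certificates.ks, and the second one exists because a missing intermediate breaks validation in the browser. As an added example that is not from either post, the following Python parses "keytool -list -v" output and checks that the http and consoleproxy aliases are PrivateKeyEntry items whose chains are continuous (each certificate's issuer is the owner of the next). The listing is a constructed sample; the CA names in it are made up.

```python
import re

# Constructed "keytool -list -v" excerpt (not from the original posts): the consoleproxy
# entry deliberately lacks Intermediate CA2, the failure the chain check below detects.
SAMPLE_LISTING = """\
Alias name: http
Entry type: PrivateKeyEntry
Owner: CN=vcd.example.test, O=Example
Issuer: CN=Intermediate CA2, O=Example
Owner: CN=Intermediate CA2, O=Example
Issuer: CN=Intermediate CA1, O=Example
Owner: CN=Intermediate CA1, O=Example
Issuer: CN=Root CA, O=Example
*******************************************
*******************************************
Alias name: consoleproxy
Entry type: PrivateKeyEntry
Owner: CN=vcd.example.test, O=Example
Issuer: CN=Intermediate CA2, O=Example
Owner: CN=Intermediate CA1, O=Example
Issuer: CN=Root CA, O=Example
"""

def parse_keytool_listing(text):
    """Map alias -> (entry type, [(owner, issuer), ...]) from keytool -list -v output."""
    entries = {}
    for block in re.split(r"(?m)^\*+$", text):   # entries are separated by rows of asterisks
        alias = re.search(r"^Alias name: (.+)$", block, re.M)
        if alias:
            etype = re.search(r"^Entry type: (.+)$", block, re.M)
            owners = re.findall(r"^Owner: (.+)$", block, re.M)
            issuers = re.findall(r"^Issuer: (.+)$", block, re.M)
            entries[alias.group(1)] = (etype.group(1) if etype else "", list(zip(owners, issuers)))
    return entries

def check_vcd_keystore(listing, required=("http", "consoleproxy")):
    """Return a list of problems; empty means both VCD entries carry a key and a continuous chain."""
    entries, problems = parse_keytool_listing(listing), []
    for alias in required:
        if alias not in entries:
            problems.append(f"{alias}: alias missing")
            continue
        etype, chain = entries[alias]
        if etype != "PrivateKeyEntry":   # a trustedCertEntry means the private key never made it in
            problems.append(f"{alias}: entry type is {etype or 'unknown'}, not PrivateKeyEntry")
        # Each certificate must be issued by the next one; a gap means a missing or misordered CA.
        for i in range(len(chain) - 1):
            if chain[i][1] != chain[i + 1][0]:
                problems.append(f"{alias}: certificate[{i + 1}] issuer != certificate[{i + 2}] owner")
    return problems
```

Feed it the real output of the -list step with -v added (and a root alias in the chain if you include RootCA.cer as the post does); an empty result is what you want before running the configure tool.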

Changing the name of an ESX or ESXi host

To rename a VMware ESX host:
  1. If the ESX host is part of a Cluster, remove it from the cluster.
  2. If the ESX host is managed by VirtualCenter/vCenter, disconnect and remove the ESX host from the vCenter.
  3. Make the modifications in your DNS environment to reflect the correct name and IP association for the new name.
  4. Log in as root to the console of ESX host.
  5. Using a text editor, change the name and domain name, if applicable, of the host in these files:
    • /etc/hosts
    • /etc/sysconfig/network
  6. Execute this command where hostname is the new FQDN hostname for the ESX host:

    esxcfg-advcfg -s hostname /Misc/HostName

  7. Reboot the ESX host.
  8. Join the ESX host to VirtualCenter / vCenter and clusters.
To rename a VMware ESXi host:
  1. If the ESXi host is part of a cluster, remove it from the cluster by entering maintenance mode first.
  2. If the ESXi host is managed by VirtualCenter/vCenter Server, disconnect and remove the ESXi host from the cluster.
  3. Connect to the host directly with a vSphere Client.
  4. Click on the ESXi host.
  5. Click on the Configuration tab.
  6. Click on DNS and Routing.
  7. Click on Properties.
  8. Edit the Name: field in the DNS Configuration tab. Change anything else that is necessary in your environment.
  9. Click OK.
  10. Join the ESXi host to VirtualCenter/vCenter and clusters.
vSphere OVF tool

First, for those wondering what the OVF tool is, you can go here.

If you’re wondering what OVF is, here is a good introduction. The short summary is that the Open Virtualization Format (OVF) describes an open, secure, portable, efficient, and flexible format for the packaging and distribution of one or more virtual machines.

So how do you create an OVF file from a VM? It’s simple.

Select the VM you want to export in your vSphere client. Then, using the File menu, select Export.

Then it’s just a case of following your nose and saving the OVF export to somewhere with sufficient disk space.

At the end of the process you get this:

and the OVF export is complete. The exported contents look like this:

    ~/ovf$ ls
    winxp-sp3-disk1.vmdk  winxp-sp3.mf  winxp-sp3.ovf

The .mf file is a set of SHA1 hashes for the OVF and any of the VMDK files. The .ovf file is an XML file that attempts to describe the virtual machine in an independent/open format which is in theory importable into virtualisation products that fully support OVF files – I must try that :-)
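Because the manifest is the only integrity record in the package, checking it before deploying an OVF pulled from a shared repository is worthwhile. As an added example (not from the original post), the Python below rebuilds a small package with a manifest in the format ovftool writes, one "SHA1(file)= hex" line per file, then recomputes each digest and reports ok, mismatch or missing; it also accepts the SHA256 and SHA512 lines that newer ovftool versions write. The package contents are constructed placeholders, not the post's Windows XP export.

```python
import hashlib
import os
import re
import tempfile

# Constructed OVF package (not the one exported in the post): two payload files and a
# manifest with one "SHA1(<file>)= <hex>" line per file, as ovftool writes it.
def build_sample_package(directory):
    files = {"winxp-sp3.ovf": b"<Envelope/>", "winxp-sp3-disk1.vmdk": b"KDMV" + b"\0" * 64}
    lines = []
    for name, data in files.items():
        with open(os.path.join(directory, name), "wb") as f:
            f.write(data)
        lines.append(f"SHA1({name})= {hashlib.sha1(data).hexdigest()}")
    with open(os.path.join(directory, "winxp-sp3.mf"), "w") as f:
        f.write("\n".join(lines) + "\n")

MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)=\s*([0-9a-fA-F]+)\s*$")

def verify_manifest(mf_path):
    """Recompute each referenced file's digest; return {filename: 'ok' | 'mismatch' | 'missing'}."""
    results = {}
    base = os.path.dirname(mf_path)
    with open(mf_path) as mf:
        for line in mf:
            m = MANIFEST_LINE.match(line.strip())
            if not m:
                continue   # blank or unrecognised line
            algo, name, expected = m.group(1).lower(), m.group(2), m.group(3).lower()
            path = os.path.join(base, os.path.basename(name))  # never let the manifest escape the package dir
            if not os.path.isfile(path):
                results[name] = "missing"
                continue
            h = hashlib.new(algo)
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):   # stream, VMDKs are large
                    h.update(chunk)
            results[name] = "ok" if h.hexdigest() == expected else "mismatch"
    return results

def demo():
    """Verify a clean package, then append bytes to the disk image and verify again."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_package(d)
        mf = os.path.join(d, "winxp-sp3.mf")
        clean = verify_manifest(mf)
        with open(os.path.join(d, "winxp-sp3-disk1.vmdk"), "ab") as f:
            f.write(b"tampered")
        return clean, verify_manifest(mf)
```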

To display the OVF file you can run the ovftool in probe mode:

    ~/ovf$ ovftool winxp-sp3.ovf
    Opening OVF source: winxp-sp3.ovf
    OVF version:   1.0
    Name:          winxp-sp3

    Download Size:    20.35 GB

    Deployment Sizes:
      Flat disks:     37.27 GB
      Sparse disks:   Unknown
    Networks:
      Name:        VM Network
      Description: The VM Network network

    Virtual Hardware:
      Family:       vmx-07
      Disk Types:   SCSI-buslogic

    Completed successfully

To import the OVF you use a command like the following (the syntax for the vSphere locator is a bit odd – I highly suggest you read the OVF Tool Guide):

    $ ovftool --powerOn --datastore=NFS1 winxp-sp3.ovf vi://10.100.0.100/HomeLab/Host?ip=10.100.0.3
    Opening OVF source: winxp-sp3.ovf
    Please enter login information for target vi://10.100.0.100/
    Username: geoff
    Password: ********
    Opening VI target: vi://geoff@10.100.0.100/HomeLab/Host
    Deploying to VI: vi://geoff@10.100.0.100/HomeLab/Host
    Disk progress: 1%

and on the VC you’ll see

Eventually you’ll get

    Powering on VM: winxp-sp3
    Completed successfully

Sure, you can deploy from templates, but what if you have multiple environments in a variety of network locations and you’d like to have a common set of templates? Enter the OVF. With a repository full of OVFs accessible via HTTP you can centrally store and distribute standard images out into all of your virtual environments.
