Thursday, March 1, 2012

View 5 Security Gateway - SSL

OK, after a few months of working with VMware View 5 internally, it was time to get our View Security Gateway up and running. After doing some research, the build of the View Security Gateway is pretty straightforward and VMware has some really good documentation, so I'm not going to go through all the steps to getting the server up and running. What I do want to go over is how to set up the certificate for SSL on the security gateway. There really isn't a lot of consistent documentation on this, so here's how I got it working...

1.) The first thing we need to do on the View Security Gateway server is modify the Path environment variable to include the path to keytool. Keytool is what VMware uses to create, import, and modify VMware certificates.
  • Right click My Computer and select properties
  • Choose Advanced System Settings
  • Click on Environment Variables
  • Under System Variables, select Path and choose Edit
  • Put a ; after the last entry, then add install_directory\VMware\VMware View\Server\jre\bin
  • Click Ok 3 times
2.) Open a command prompt with elevated privileges
3.) Run the following command to create a key
  •  keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360 -keysize 2048
  • When prompted, create a password for the new key file
  • When prompted for your first and last name, enter the external DNS name that will be used to access the View Security Gateway
  • Continue to enter your OU, City, State, Country
4.) Generate the Cert Request
  • keytool -certreq -file filename.csr -keystore keys.p12 -storetype pkcs12 -storepass password (from step 3)
5.) At this point you will need to send your csr file to your CA
6.) Once you have the new cert from the CA, you will need to convert the cert to a p7b file. This is where I ran into some issues.  I had to do this on an XP machine, then copy the p7b file to my 2008 server...my server wouldn't recognize the cert path when I tried to do this...even after importing the root and intermediate certs...weird
  • Open the cer file and click on the Details Tab
  • Click Copy to file
  • Click Next
  • Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (p7b)
  • Also select Include all certificates in the certification path
  • Give the file a name and save it
  • Copy the file to your server
7.) Now that you have a p7b file, you can import it via keytool
  • keytool -import -keystore keys.p12 -storetype pkcs12 -storepass password -keyalg "RSA" -trustcacerts -file filename.p7b
  • You should receive a message stating "Certificate reply was installed in keystore"
8.) Copy keys.p12 to C:\Program Files\VMware\Vmware View\Server\sslgateway\conf
9.) Create a file called locked.properties
10.) Open locked.properties with a text editor and add the following lines
  • keyfile=keys.p12
  • keypass=password
11.) You can either restart the services or restart the box
12.) You should be all set now.
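
A check worth running between steps 7 and 8, as an added example (not from the original post or from VMware): it parses saved output of `keytool -list -v -keystore keys.p12 -storetype pkcs12` and flags a keystore where the CA reply did not attach to the private key, the chain is missing, the CN differs from the external DNS name, or expiry is near. The sample listing, the host name `view.example.com`, and the 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime

# Constructed sample of `keytool -list -v` output for keys.p12 after step 7.
# Host name, CA name, serial and dates are invented for this example.
SAMPLE = """\
Alias name: mykey
Creation date: Mar 1, 2012
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=view.example.com, OU=IT, O=Example Corp, L=Springfield, ST=IL, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
Serial number: 4f4e1c2a
Valid from: Thu Mar 01 00:00:00 UTC 2012 until: Fri Mar 01 00:00:00 UTC 2013
"""

def check_keystore_listing(text, expected_host, now, warn_days=30):
    """Return a list of problems found in `keytool -list -v` output."""
    problems = []
    entry = re.search(r"^Entry type: (\S+)", text, re.M)
    if not entry or entry.group(1) != "PrivateKeyEntry":
        problems.append("no PrivateKeyEntry: CA reply is not attached to the private key")
    chain = re.search(r"^Certificate chain length: (\d+)", text, re.M)
    if not chain or int(chain.group(1)) < 2:
        problems.append("chain length below 2: still self-signed or chain missing")
    # The first Owner/Valid lines belong to Certificate[1], the server certificate.
    owner = re.search(r"^Owner: (.*)$", text, re.M)
    cn = re.search(r"CN=([^,]+)", owner.group(1)) if owner else None
    if not cn or cn.group(1).strip().lower() != expected_host.lower():
        problems.append("certificate CN does not match " + expected_host)
    until = re.search(r"^Valid from: .* until: (.*)$", text, re.M)
    if not until:
        problems.append("no validity period found")
    else:
        # Java prints e.g. "Fri Mar 01 00:00:00 UTC 2013"; the weekday and zone
        # tokens are dropped, so the result is accurate to within a day.
        tok = until.group(1).split()
        expires = datetime.strptime(" ".join(tok[1:4] + tok[5:6]), "%b %d %H:%M:%S %Y")
        days_left = (expires - now).days
        if days_left < warn_days:
            problems.append("certificate expires in %d days" % days_left)
    return problems

if __name__ == "__main__":
    for p in check_keystore_listing(SAMPLE, "view.example.com", datetime(2013, 2, 15)):
        print("PROBLEM:", p)
```

An empty result means the keystore holds the private key together with the CA-issued chain for the expected name; a chain length of 1 is what the listing shows right after step 3, before the CA reply is imported.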

1 comment:

  1. Yeahhh this is working!!! but how could you get another page with the user logged into the website... for example the account page of the user. cheap wildcard ssl
