{"id":115,"date":"2013-11-27T07:53:00","date_gmt":"2013-11-27T06:53:00","guid":{"rendered":"http:\/\/vm.piszki.pl\/certyfikaty-ssl-w-horizon-workspace"},"modified":"2014-03-25T08:06:46","modified_gmt":"2014-03-25T07:06:46","slug":"certyfikaty-ssl-w-horizon-workspace","status":"publish","type":"post","link":"https:\/\/vm.piszki.pl\/?p=115","title":{"rendered":"Certyfikaty SSL w Horizon Workspace"},"content":{"rendered":"

Temat rzeka, kto zaczyna\u0142 od wersji 1.0 (Beta) ten wie, z\u0142a wiadomo\u015b\u0107 jest taka, \u017ce nic si\u0119 nie zmieni\u0142o, ci\u0105gle jest to m\u0119czarnia.<\/p>\n

Pr\u00f3ba za\u0142adowania poprawnej pary certyfikat\/klucz w \u201cconfigurator-va\u201d (Failed to initialize Java keystore handling):<\/p>\n

\"ssl_error\"<\/a><\/p>\n

Na szcz\u0119\u015bcie, w dawnych czasach, gdy testowali\u015bmy bet\u0119 Horizona, dostali\u015bmy kilka, nieoficjalnych dokument\u00f3w pdf (jak tylko je odszukam to podlinkuj\u0119 w tym wpisie), opisuj\u0105cych jak sobie radzi\u0107 z r\u00f3\u017cnymi problemami. Mi\u0119dzy innymi, by\u0142 tam opis, jak automatycznie wygenerowa\u0107 i rozes\u0142a\u0107 certyfikaty na wszystkie maszyny va, wchodz\u0105ce w sk\u0142ad vApp Horizon! Latka min\u0119\u0142y, mamy wersj\u0119 Horizon Workspace 1.5.1 a magiczny skrypt nadal istnieje i nadal dzia\u0142a bez problemu! \"U\u015bmiech\"<\/p>\n

<\/p>\n

\n

Aby przeprowadzi\u0107 ca\u0142\u0105 operacj\u0119, b\u0119dziemy potrzebowali certyfikatu i klucza prywatnego naszego CA. Je\u015bli jest to Microsoft Active Directory Certificate Services, to b\u0119dziemy musieli (je\u015bli restrykcje na to pozwalaj\u0105) wyeksportowa\u0107<\/a> nasz klucz g\u0142\u00f3wny i przekonwertowa\u0107<\/a> go do formatu tekstowego. Nast\u0119pnie musimy si\u0119 zalogowa\u0107 jako root do maszyny configurator-va, proponuj\u0119 od razu doda\u0107 sobie zwyk\u0142ego u\u017cytkownika (w grupie wheel) i zalogowa\u0107 si\u0119 przez putty, b\u0119dzie o wiele \u0142atwiej.<\/p>\n

ughorizoncf:\/usr\/local\/horizon\/conf # ls
configurator-va_cert.pem  data-va_cert.pem     gateway-va_key.pem                      <\/span><\/p>\n

license-horizon-workspace-10-e1-201206.txt  root_ca_key.pem
configurator-va_key.pem   data-va_key.pem      horizon-configurator.properties         <\/span><\/p>\n

logback.xml                                 service-va_cert.pem
connector-va_cert.pem     firewall-rules       license-ham-10-e1-201201.txt            <\/span><\/p>\n

openssl.cfg                                 service-va_key.pem
connector-va_key.pem      gateway-va_cert.pem  license-horizon-suite-10-e1-201206.txt  <\/span><\/p>\n

root_ca.pem                                 ssl
ughorizoncf:\/usr\/local\/horizon\/conf # rm *va*<\/span><\/p>\n

Jak wy\u017cej, kasujemy wszystkie pary va, pod pliki root* podstawiamy nasz klucz i certyfikat, nast\u0119pnie uruchamiamy polecenie:<\/p>\n

ughorizoncf:\/usr\/local\/horizon\/lib\/menu\/secure # .\/wizardssl.hzn
Generate root CA
pushing SSL certs to service-va ughorizonse.pulab.local
Enter pass phrase for \/usr\/local\/horizon\/conf\/root_ca_key.pem:
APPLICATION_MANAGER ca.pem cert.pem key.pem
Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]:  Certificate already exists in system-wide CA <\/span><\/p>\n

keystore under alias <horizoninternal>
Do you still want to add it to your own keystore? [no]:  Certificate was added to keystore
pushing SSL certs to connector-va ughorizoncn.pulab.local
Enter pass phrase for \/usr\/local\/horizon\/conf\/root_ca_key.pem:
CONNECTOR ca.pem cert.pem key.pem
Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]:  pushing SSL certs to gateway-va ughorizong1.pulab.local
Enter pass phrase for \/usr\/local\/horizon\/conf\/root_ca_key.pem:
GATEWAY ca.pem cert.pem key.pem
Verifying certs
cert.pem: OK
Installing certs
Shutting down nginx ..done
Starting nginx ..done
pushing SSL certs to configurator-va ughorizoncf.pulab.local
Enter pass phrase for \/usr\/local\/horizon\/conf\/root_ca_key.pem:
CONFIGURATOR \/usr\/local\/horizon\/conf\/root_ca.pem \/usr\/local\/horizon\/conf\/configurator-va_cert.pem <\/span><\/p>\n

\/usr\/local\/horizon\/conf\/configurator-va_key.pem
Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]:  pushing SSL certs to data-va ughorizond.pulab.local
Enter pass phrase for \/usr\/local\/horizon\/conf\/root_ca_key.pem:
DATA ca.pem cert.pem key.pem
Certificate was added to keystore
** Verifying cert.pem against key.pem
Certificate (cert.pem) and private key (key.pem) match.
Valid Certificate: cert.pem: OK
** Verifying cert.pem against \/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key
Certificate (cert.pem) and private key (\/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.key) match.
Valid Certificate: cert.pem: OK
** Copying cert.pem to \/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt
** Appending ca chain ca.pem to \/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial.crt
** Importing certificate \/opt\/zimbra\/ssl\/zimbra\/commercial\/commercial_ca.crt to CACERTS as zcs-user-commercial_ca…done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key hzndataSSLCertificate…done.
** Saving server config key hzndataSSLPrivateKey…done.
** Installing slapd certificate and key…done.
** Creating pkcs12 file \/opt\/zimbra\/ssl\/zimbra\/jetty.pkcs12…done.
** Creating keystore file \/opt\/zimbra\/mailboxd\/etc\/keystore…done.
** Installing CA to \/opt\/zimbra\/conf\/ca…done.
Host ughorizond.pulab.local
Stopping vmware-ha…Done.
Stopping zmconfigd…Done.
Stopping stats…Done.
Stopping spell…Done.
Stopping mailbox…Done.
Stopping convertd…Done.
Stopping ldap…Done.
Host ughorizond.pulab.local
Starting ldap…Done.
Starting zmconfigd…Done.
Starting convertd…Done.
Starting mailbox…Done.
Starting stats…Done.
ughorizoncf:\/usr\/local\/horizon\/lib\/menu\/secure #
Broadcast message from root (Wed Nov 27 12:30:54 2013):<\/span><\/p>\n

The system is going down for system halt NOW!<\/span><\/p>\n

Skrypt ten wygeneruje w\u0142a\u015bciwe pary certyfikat\/klucz i roze\u015ble na odpowiednie maszyny. Po wszystkim wykonujemy polecenie restartu na ca\u0142ym vApp Horizon-Workspace (koniecznie ale to koniecznie, bez tego jeste\u015bmy \u201cw p\u00f3\u0142 kroku\u201d).<\/p>\n

Po restarcie mamy ca\u0142e \u015brodowisko skonfigurowane na certyfikatach SSL z naszego lokalnego CA. Dzia\u0142a to wszystko bardzo dobrze \"U\u015bmiech\"<\/p>\n

EDIT 2014.03.20:<\/p>\n

Potwierdzam, \u017ce ca\u0142a procedura dzia\u0142a w Horizon Workspace 1.8 !<\/p>\n

<\/div>","protected":false},"excerpt":{"rendered":"

Temat rzeka, kto zaczyna\u0142 od wersji 1.0 (Beta) ten wie, z\u0142a wiadomo\u015b\u0107 jest taka, \u017ce nic si\u0119 nie zmieni\u0142o, ci\u0105gle jest to m\u0119czarnia. Pr\u00f3ba za\u0142adowania poprawnej pary certyfikat\/klucz w \u201cconfigurator-va\u201d (Failed to initialize Java keystore handling): Na szcz\u0119\u015bcie, w dawnych … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":1461,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"yasr_overall_rating":0,"yasr_post_is_review":"","yasr_auto_insert_disabled":"","yasr_review_type":"","footnotes":""},"categories":[36],"tags":[5],"class_list":["post-115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-analiza","tag-horizon-workspace"],"yasr_visitor_votes":{"stars_attributes":{"read_only":false,"span_bottom":false},"number_of_votes":0,"sum_votes":0},"_links":{"self":[{"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=\/wp\/v2\/posts\/115"}],"collection":[{"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=115"}],"version-history":[{"count":9,"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=\/wp\/v2\/posts\/115\/revisions"}],"predecessor-version":[{"id":848,"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=\/wp\/v2\/posts\/115\/revisions\/848"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=\/wp\/v2\/media\/1461"}],"wp:attachment":[{"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/vm.piszki.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}