By default, vCenter will create a self-signed certificate with just the host [...]]]> Certain third party products such as XenDesktop respect the expiration date on the vCenter SSL certificate. The vSphere Client doesn’t mind so much, nor it appears does the ESX hosts, but when your VDIs suddenly can’t be reached, it’s a bad thing.

By default, vCenter will create a self-signed certificate with just the host name. In our case, since we’re not publishing any SSL services to the public and already have a Microsoft Certificate Authority, we can create and sign our own vCenter certificate. And just like the newer version of vCenter, we’ll set it up for 10 years too.

This can be completed in just under 15 minutes if all the prerequisites are in place. Took me an hour (including this documentation).

Environment Summary

For this process to work, the following assumptions are made:

• Active Directory installed and Certificate Authority installed (in my case, it’s on a Windows 2008 Domain Controller with Certificate Authority and Certificate Authority Web Enrollment )
• DNS used for vCenter and internal FQDN name
• vCenter server part of the domain, Domain Admin access to it
• Using the included web services that comes with vCenter (IIS users on your own for this one)

To test, we’ll use a browser from a workstation and the XenDesktop DDC to validate connection (make sure the root CA certificate is added to the Trusted Roots for the Computer Account on each test and production server)

Prep vCenter

Download OpenSSL for Windows (binaries can be found at: http://www.slproweb.com/products/Win32OpenSSL.html) . You may have to install the 2008 redistributable package first.

Open a command shell and go to c:\temp\vcenter\newssl (create if needed)

Verify the private key exists in: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.key

Copy all the files in C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL to a temporary location such as c:\temp\vcenter\oldssl (create if needed)

Generate the new RSA private key (2048 bit) and the certificate request (most important is that the common name must be the FQDN of the server). For the CSR, I normally use the common name value.csr, but since we’re working with rui.*, we’ll use that here too:

C:\temp\vcenter\newssl>c:\OpenSSL\bin\openssl.exe req -newkey rsa:2048 -keyout rui.key -nodes –days 3650 -out rui.csr
Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
.............................+++
......................................+++
writing new private key to 'rui.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:Georgia
Locality Name (eg, city) []:Cumming
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Gavin Adams
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:vcenter.peanuts.local
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

C:\temp\vcenter\newssl>dir
Volume in drive C has no label.
Volume Serial Number is 204A-99B1
Directory of C:\temp\vcenter\newssl
04/16/2010  03:50 PM    <DIR>          .
04/16/2010  03:50 PM    <DIR>          ..
04/16/2010  03:50 PM             1,024 .rnd
04/16/2010  03:49 PM             1,675 privkey.pem
04/16/2010  03:50 PM             1,679 rui.key
04/16/2010  03:50 PM             1,005 rui.csr

From the vCenter system, browse to the certsrv URL for your Active Directory Certificate Authority:

Select Request a certificate, advanced certificate request, and then Submit a certificate using base-64…. Past the entire contents of the CSR (open in Notepad) in the Saved Request box, select Web Server for Certificate template:

At this point the certificate will be signed. On the next page select Base 64 encoded then  Download certificate and save as rui.crt in c:\temp\vcenter\newssl

From the private key and certificate, create the PFX fie:

C:\temp\vcenter\newssl>c:\openssl\bin\openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx

Stop the following services:

VMware VirtualCenter Management Webservices
VMware VirtualCenter Server

Copy  all the files in the newssl directory to : C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\ replacing the existing ones. Don’t worry, we backed these up.

Now restart the services in this order (unsure if it matters):

VMware VirtualCenter Server
VMware VirtualCenter Management Webservices

Use browser and navigate to the URL of the vCenter (e.g.,  https://vcenter.peanuts.local) and verify the certificate is valid. Open the vSphere client and verify all looks okay. After restarting the services, you will need  to reconnect to the ESX / ESXi hosts and re-authenticate with root credentials on each server. This is because the SSL trust between the two has changed and a new trust relationship needs to be established. Another reason for a longer term certificate!

This posting will walk you through the steps [...]]]> Linux and Windows Active Directory (AD) integration has come a long ways since 2000. It is now quite easy to take advantage of Kerberos for managing authentication at the host level (user logins and such). Surprisingly, it’s just as easy to the same in Apache now.

This posting will walk you through the steps needed to configure and test authentication against a valid AD user.

Prerequisites

It is assumed the following prerequisites are in place:

• CentOS 5.2 Server – fully updated
• Apache, Kerberos, and supporting packages installed
• Samba configured as member server (net ads join has been successfully performed)
• Windows Server 2003 R2 or 2008 SP1 with UNIX Identity Management extensions installed
• Kerberos working (kinit from a AD user properly authenticates and klist shows tickets)

If possible, test this from a freshly installed machine. In this example, the following servers and realms will be referenced:

AD Server       dc01.example.com
Linux Server    www.example.com
Computer Object www
Kerberos Realm  EXAMPLE.COM

Creating the SPN

Kerberos uses a service principal name for each service available on the host. For a server that can authenticate against AD, this would include at least the HOST principal. From the AD server, issue the setspn command to view the current SPN’s assigned to www.example.com (use the canonical name for www, not the FQDN):

C:\>setspn -L www
Registered ServicePrincipalNames for CN=www,CN=Computers,DC=example,DC=com:
        HOST/www
        HOST/www.example.com

Now as root on www issue the command to create the HTTP SPN (the net ads command is provided by the samba packages–make sure these are installed even if they are not used):

[root@www /]# net ads keytab add HTTP -U administrator
Processing principals to add...
administrator's password: *******

The -U is used to provide an administrator account with Domain Admin privileges. This step has added the SPN which we’ll see in AD, and it has also updated the local keytab file /etc/krb5.keytab with the SPN bits.

To verify the SPN has been created properly, issue the same setspn command and verify there are entries for HTTP. It should look something like this:

C:\>setspn -L www
Registered ServicePrincipalNames for CN=www,CN=Computers,DC=example,DC=com:
        HTTP/www
        HTTP/www.example.com
        HOST/www
        HOST/www.example.com

Configure Apache

Make sure the package mod_auth_kerb is installed. This should create the configuration file in /etc/httpd/conf.d/auth_kerb.conf which will load the Kerberos module and provide a commented out example (which we’ll use). First, because httpd runs as apache, we need to copy the keytab file and change permissions so that apache can read it. I’ve placed it in the default specified in the auth_kerb.conf file:

[root@www /]# cp /etc/krb5.keytab /etc/httpd/conf/keytab2
[root@www /]# ls -l /etc/httpd/conf
total 64
-rw-r--r-- 1 root   root   33760 Mar 25 14:01 httpd.conf
---------- 1 root   root    1321 Mar 25 15:06 keytab
-rw-r--r-- 1 root   root   12958 Nov 12 10:43 magic
[root@www /]# chown apache.apache /etc/httpd/conf/keytab2
[root@www /]# chmod 400 /etc/httpd/conf/keytab2
[root@www /]# ls -l /etc/httpd/conf
total 64
-rw-r--r-- 1 root   root   33760 Mar 25 14:01 httpd.conf
-r-------- 1 apache apache  1321 Mar 25 15:06 keytab
-rw-r--r-- 1 root   root   12958 Nov 12 10:43 magic

Create an Apache Location for Testing

Now modify the “private” location and uncomment the directives and set them for the realm (changes from defaults in bold):

[root@www /]# vi /etc/http/conf.d/auth_kerb.conf# The mod_auth_kerb module implements Kerberos authentication over
# HTTP, following the "Negotiate" protocol.
#
LoadModule auth_kerb_module modules/mod_auth_kerb.so
#
# Sample configuration: Kerberos authentication must only be
# used over SSL to prevent replay attacks.  The keytab file
# configured must be readable only by the "apache" user, and
# must contain service keys for "HTTP/www.example.com", where
# "www.example.com" is the FQDN of this server.
#

#<Location /private>
#  SSLRequireSSL
 AuthType Kerberos
 AuthName "Kerberos Login"
 KrbMethodNegotiate On
 KrbMethodK5Passwd On
 KrbAuthRealms EXAMPLE.COM
 Krb5KeyTab /etc/httpd/conf/keytab
 require valid-user
</Location>

Create the directory (/var/www/html/private) and a test HTML file in the directory (index.html). Restart httpd and navigate to the URL (http://www.example.com/private/index.html). You should be prompted for credentials. Using a valid AD user and password should get you in. A side benefit is that if logged into a workstation within the domain (e.g., Windows XP, Vista, etc), using Internet Explorer should use your Kerberos credentials to authenticate.

Uses

For production use, any application or web service that can use Apache’s authentication mechanisms should work. Take care to understand that even if you enter a short username, the realm will be appended onto the end. In this example, the username gadams would appear as gadams@EXAMPLE.COM in the log files, and probably be presented to the referenced application.

Credit

I’d like to Scott Lowe for all the articles he has done on Linux / AD / Kerberos integration, and this article, which was where I started my CentOS / Apache / Kerberos / AD journey. His article covers all the basics, but a lot has changed (for the better) since 2006. Thanks Scott!