VMware Horizon Community
GROOVYJOSH1975
Contributor

replace horizon security server ssl

I have rebuilt the RDS hosts and replaced all SSL certs for the Connection servers with a newly updated GoDaddy public cert; all that is left is the virtual security server running on the same instance as the public connection host used for the SSL acceptance traffic. I am struggling with the Security server portion: I have the SSL bound to the correct certificate store, named VDM, etc., and this all works perfectly; I only need a guide to replace the actual security cert. We are running Horizon View 6.1.1 with MS RDS hosts using PCoIP and View to access the farms.

Accepted Solutions
GROOVYJOSH1975
Contributor

Hey TechGuy129, the cert expired yesterday, so I prepared a workaround by bypassing SSL alerts while I dug in deep. I fixed it this morning; it turns out I had everything correctly set (as I noted, I did follow all VMware documentation, which is why I was so baffled). The long and short is that the SSL cert was not being validated, as this security server sits in the DMZ and is locked down both inbound and outbound, so there was no internet. The SSL could not validate the CRL, which was causing private key issues with the cert itself. I ended up exporting the exact same cert from the working View servers, then imported the entire .PFX (with all extended properties) that was already validated and working onto the security server. As soon as I did this and restarted the services, boom, everything worked, so the issue is resolved and I will close this "question"; hopefully this helps someone else down the road in the same situation.

Thanks for the help though!

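Added example, not from the thread or from VMware: a PowerShell check for the certificate Horizon picks up by the friendly name vdm in LocalMachine\My. It builds the chain once with online revocation checking and once without, so a CRL lookup that cannot leave the DMZ can be told apart from a chain that is genuinely bad, and it shows the export/import of the working .PFX with its properties as commands. The thumbprint, file path and PFX password are placeholders.

```powershell
# Added example, not from the thread. Assumes Horizon reads the certificate with
# friendly name "vdm" from Cert:\LocalMachine\My (the store named in the thread).
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq 'vdm' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) {
    Write-Warning 'No certificate with friendly name "vdm" in LocalMachine\My'
    return
}

"Subject       : $($cert.Subject)"
"Thumbprint    : $($cert.Thumbprint)"
"Expires       : $($cert.NotAfter)"
"HasPrivateKey : $($cert.HasPrivateKey)"   # False means the import did not bring the key

# Build the chain twice: Online revocation checking is what a locked-down DMZ
# host cannot complete; NoCheck shows whether the chain is otherwise sound.
foreach ($mode in 'Online', 'NoCheck') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = $mode
    $chain.ChainPolicy.RevocationFlag      = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $ok = $chain.Build($cert)
    "Revocation=$mode : " + $(if ($ok) { 'chain OK' } else { 'chain FAILED' })
    foreach ($s in $chain.ChainStatus) {
        # RevocationStatusUnknown / OfflineRevocation => CRL or OCSP unreachable
        "    $($s.Status): $($s.StatusInformation.Trim())"
    }
    $chain.Dispose()
}

# The fix from the thread as commands (placeholders: <THUMBPRINT>, C:\temp\vdm.pfx,
# the password). Run the export on a Connection Server where the cert works,
# the import on the security server, then restart the Horizon services.
#   $pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
#   Export-PfxCertificate -Cert Cert:\LocalMachine\My\<THUMBPRINT> `
#       -FilePath C:\temp\vdm.pfx -Password $pfxPwd
#   $imported = Import-PfxCertificate -FilePath C:\temp\vdm.pfx `
#       -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd -Exportable
#   $imported.FriendlyName = 'vdm'   # the name Horizon looks for
```

If the Online pass fails with a revocation status while the NoCheck pass succeeds, the host cannot reach the CRL or OCSP endpoint; that is the condition described in the accepted answer, not a problem with the certificate itself.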

10 Replies
techguy129
Expert

After you import the certificate into the certificate store and change the friendly name to vdm, you have to restart the appropriate services for it to take effect. That is all I needed to do. You can take a look into the server logs for additional info.

Taken from Doc:

Restart the VMware Horizon View Connection Server service, VMware Horizon View Security Server service, or VMware Horizon View Composer service to make your changes take effect.

Documentation Center for VMware Horizon 6.0 with View

GROOVYJOSH1975
Contributor

First, thank you for the response; second, I apologize, I should have stated that I have restarted all services and rebooted the server more than once since swapping the cert. All other SSL services display the new cert; it is only the embedded security service that does not. The embedded security service is the main public access point displayed through Horizon that all outside (internet) users connect through; this is the piece I need to fix.

techguy129
Expert

Is your security server actually a VMware Access Point (UAG) rather than an actual Horizon security server? If it's an Access Point, then you need to use the REST API to upload a new certificate and/or update the thumbprint in the View configuration settings. Newer versions of UAG have a GUI.

VMware Access Point 2.7 Documentation Center

GROOVYJOSH1975
Contributor

Apologies again, poor wording on my part. Access point meaning this is the point of entry from public (internet) access. The security server runs directly on the view server and there is no appliance or firewall running the security access.

GROOVYJOSH1975
Contributor

This is the server in question, I even used "keytool" to verify any certs in the store and there are none returned:

[screenshot: 8-2-2017 1-06-06 PM.jpg]

I removed all of the personal info like server names, expiration date, etc. But this is all I need to renew; this is the back-end VMware Security services handled through Java (I assume).

techguy129
Expert

I'm a little confused. Are you saying the security server is installed on the View Connection Server? So you are pointing both internal and external clients to the same server?

GROOVYJOSH1975
Contributor

To answer your question: yes, the View Connection server and the Security service are on the same server.

techguy129
Expert

That is not a supported configuration. There is no need for the security server service to be installed on the same connection server. You can just send clients to the view connection server.

In View Admin, go under View Configuration -> Servers -> Connection Servers tab. If you edit your connection server, are the Tunnel and gateway enabled and the URL specified? Also, do the Security Servers tab and the Connection Servers tab have the same server listed?

GROOVYJOSH1975
Contributor

Yes, Secure Tunnel, PCoIP Secure Gateway and Blast Secure Gateway all have entries that resolve to the same server (either using the public FQDN or the IP for PCoIP). They are all enabled: the Secure Tunnel uses the public FQDN:443, PCoIP uses IP:4172, and the Blast Secure Gateway uses HTTPS://FQDN:8443. Again, these all resolve to the same public IP that is NAT'd to the same internal IP.
