This is a never-ending topic, as anyone who started with version 1.0 (Beta) knows. The bad news is that nothing has changed; it is still a hassle.
Attempting to load a correct certificate/key pair in the “configurator-va” fails (Failed to initialize the Java keystore handling).
Fortunately, in the old days, when we tested the beta of Horizon Workspace, we got some unofficial PDF documents describing how to deal with various problems. Among other things, there was a description of how to automatically generate and distribute certificates to all the va machines included in the Horizon vApp! Now we have version 1.5.1 of Horizon Workspace, and the magical script is still there and still works without a problem!
To perform the whole operation, we will need the certificate and private key of our CA. If the CA is Microsoft Active Directory Certificate Services, we will have to (if restrictions permit) export its primary cert/key and convert it into text format. Then log in as root to the configurator-va machine (I suggest immediately adding a normal user in the wheel group and logging in via PuTTY; it will be much easier).
ughorizoncf:/usr/local/horizon/conf # ls
configurator-va_cert.pem data-va_cert.pem gateway-va_key.pem
license-horizon-workspace-10-e1-201206.txt root_ca_key.pem
configurator-va_key.pem data-va_key.pem horizon-configurator.properties
logback.xml service-va_cert.pem
connector-va_cert.pem firewall-rules license-ham-10-e1-201201.txt
openssl.cfg service-va_key.pem
connector-va_key.pem gateway-va_cert.pem license-horizon-suite-10-e1-201206.txt
root_ca.pem ssl
ughorizoncf:/usr/local/horizon/conf # rm *va*
As shown above, we delete all the va pairs and copy the key and certificate of our local CA to this directory (root_ca.pem and root_ca_key.pem), then run the command:
ughorizoncf:/usr/local/horizon/lib/menu/secure # ./wizardssl.hzn
Generate root CA
pushing SSL certs to service-va ughorizonse.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
APPLICATION_MANAGER ca.pem cert.pem key.pem
Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]: Certificate already exists in system-wide CA
keystore under alias <horizoninternal>
Do you still want to add it to your own keystore? [no]: Certificate was added to keystore
pushing SSL certs to connector-va ughorizoncn.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
CONNECTOR ca.pem cert.pem key.pem
Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]: pushing SSL certs to gateway-va ughorizong1.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
GATEWAY ca.pem cert.pem key.pem
Verifying certs
cert.pem: OK
Installing certs
Shutting down nginx ..done
Starting nginx ..done
pushing SSL certs to configurator-va ughorizoncf.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
CONFIGURATOR /usr/local/horizon/conf/root_ca.pem /usr/local/horizon/conf/configurator-va_cert.pem
/usr/local/horizon/conf/configurator-va_key.pem
Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]: pushing SSL certs to data-va ughorizond.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
DATA ca.pem cert.pem key.pem
Certificate was added to keystore
** Verifying cert.pem against key.pem
Certificate (cert.pem) and private key (key.pem) match.
Valid Certificate: cert.pem: OK
** Verifying cert.pem against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (cert.pem) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: cert.pem: OK
** Copying cert.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ca.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca…done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key hzndataSSLCertificate…done.
** Saving server config key hzndataSSLPrivateKey…done.
** Installing slapd certificate and key…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing CA to /opt/zimbra/conf/ca…done.
Host ughorizond.pulab.local
Stopping vmware-ha…Done.
Stopping zmconfigd…Done.
Stopping stats…Done.
Stopping spell…Done.
Stopping mailbox…Done.
Stopping convertd…Done.
Stopping ldap…Done.
Host ughorizond.pulab.local
Starting ldap…Done.
Starting zmconfigd…Done.
Starting convertd…Done.
Starting mailbox…Done.
Starting stats…Done.
ughorizoncf:/usr/local/horizon/lib/menu/secure #
Broadcast message from root (Wed Nov 27 12:30:54 2013):
The system is going down for system halt NOW!
This script generates the appropriate certificate/key pair and sends it to the appropriate machine. After all that, we need to restart the whole Horizon Workspace vApp (necessary but not essential; without it we are in a “half-step”).
After the restart, the whole environment is configured for SSL certificates from our local CA. It all works very well!
This script works in Horizon Workspace 1.8 too! :)
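The wizard output above includes its own "Verifying cert.pem against key.pem" and "cert.pem: OK" checks. The following added example (not part of the original post and not VMware's script) repeats both checks over every pair before the vApp is restarted. It assumes the regenerated pairs sit in the conf directory under the file names shown in the ls listing, that the per-appliance keys are unencrypted RSA, and that openssl is installed; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not VMware's script): sanity-check the cert/key pairs in the conf directory.
# Assumptions: file names follow the ls listing above; keys are unencrypted RSA.
VAS="configurator connector data gateway service"

# Print each appliance whose certificate or key file is missing or empty in directory $1.
missing_pairs() {
    for va in $VAS; do
        if [ ! -s "$1/${va}-va_cert.pem" ] || [ ! -s "$1/${va}-va_key.pem" ]; then
            echo "${va}-va"
        fi
    done
}

# Succeed only if certificate $1 and private key $2 carry the same RSA modulus.
# "-passin pass:" makes an encrypted key fail instead of prompting.
pair_matches() {
    cm=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 1
    km=$(openssl rsa -noout -modulus -in "$2" -passin pass: 2>/dev/null) || return 1
    [ -n "$cm" ] && [ "$cm" = "$km" ]
}

# Succeed only if certificate $2 verifies against CA certificate $1.
# The printed "<file>: OK" line is matched rather than relying on the exit code alone.
signed_by_ca() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Print one status line per appliance for directory $1; return non-zero if any check fails.
check_conf_dir() {
    rc=0
    for va in $VAS; do
        cert="$1/${va}-va_cert.pem"; key="$1/${va}-va_key.pem"
        if [ ! -s "$cert" ] || [ ! -s "$key" ]; then echo "${va}-va: MISSING"; rc=1
        elif ! pair_matches "$cert" "$key"; then echo "${va}-va: KEY MISMATCH"; rc=1
        elif ! signed_by_ca "$1/root_ca.pem" "$cert"; then echo "${va}-va: NOT SIGNED BY root_ca.pem"; rc=1
        else echo "${va}-va: OK"
        fi
    done
    return $rc
}

# Usage: sh check_va_certs.sh /usr/local/horizon/conf
if [ $# -gt 0 ]; then check_conf_dir "$1"; fi
```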