Piszki Lab | EN

My case study in the clouds…

SSL Certificates in Horizon Workspace 1.5.1


About the river, who started from version 1.0 (Beta) knows, the bad news is that nothing has changed, it is still a hassle.

Attempting to load the correct pair of certificate / key in the “configurator-va” (Failed to initialize the Java keystore handling):


Fortunately, in the old days, when we tested the beta of Horizon Workspace, got some unofficial pdf documents describing how to deal with various problems. Among other things, there was a description of how to automatically generate and distribute certificates to all machines va, included in the vApp Horizon! Now we have version 1.5.1 of Horizon Workspace and magical script is still there and still works without a problem!

To perform the entire operation, we will need the certificate and private key of our CA. If this is Microsoft Active Directory Certificate Services, we will have (if restrictions permit) to export your primary cert/key and convert it into text format. Then, log in as root to the machine configurator-va (I suggest you immediately add a normal user (group wheel), and login via putty, it will be much easier).

ughorizoncf:/usr/local/horizon/conf # ls
configurator-va_cert.pem  data-va_cert.pem     gateway-va_key.pem                     

license-horizon-workspace-10-e1-201206.txt  root_ca_key.pem
configurator-va_key.pem   data-va_key.pem      horizon-configurator.properties        

logback.xml                                 service-va_cert.pem
connector-va_cert.pem     firewall-rules       license-ham-10-e1-201201.txt           

openssl.cfg                                 service-va_key.pem
connector-va_key.pem      gateway-va_cert.pem  license-horizon-suite-10-e1-201206.txt 

root_ca.pem                                 ssl
ughorizoncf:/usr/local/horizon/conf # rm *va*

As above, we delete all pairs of va, copy key and certificate our local CA to this directory (root_ca.pem and root_ca_key.pem), then run the command:

ughorizoncf:/usr/local/horizon/lib/menu/secure # ./wizardssl.hzn
Generate root CA
pushing SSL certs to service-va ughorizonse.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
APPLICATION_MANAGER ca.pem cert.pem key.pem
Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]:  Certificate already exists in system-wide CA

keystore under alias <horizoninternal>
Do you still want to add it to your own keystore? [no]:  Certificate was added to keystore
pushing SSL certs to connector-va ughorizoncn.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
CONNECTOR ca.pem cert.pem key.pem
Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]:  pushing SSL certs to gateway-va ughorizong1.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
GATEWAY ca.pem cert.pem key.pem
Verifying certs
cert.pem: OK
Installing certs
Shutting down nginx ..done
Starting nginx ..done
pushing SSL certs to configurator-va ughorizoncf.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
CONFIGURATOR /usr/local/horizon/conf/root_ca.pem /usr/local/horizon/conf/configurator-va_cert.pem

Certificate was added to keystore
Existing entry alias tcserver exists, overwrite? [no]:  pushing SSL certs to data-va ughorizond.pulab.local
Enter pass phrase for /usr/local/horizon/conf/root_ca_key.pem:
DATA ca.pem cert.pem key.pem
Certificate was added to keystore
** Verifying cert.pem against key.pem
Certificate (cert.pem) and private key (key.pem) match.
Valid Certificate: cert.pem: OK
** Verifying cert.pem against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (cert.pem) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
Valid Certificate: cert.pem: OK
** Copying cert.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Appending ca chain ca.pem to /opt/zimbra/ssl/zimbra/commercial/commercial.crt
** Importing certificate /opt/zimbra/ssl/zimbra/commercial/commercial_ca.crt to CACERTS as zcs-user-commercial_ca…done.
** NOTE: mailboxd must be restarted in order to use the imported certificate.
** Saving server config key hzndataSSLCertificate…done.
** Saving server config key hzndataSSLPrivateKey…done.
** Installing slapd certificate and key…done.
** Creating pkcs12 file /opt/zimbra/ssl/zimbra/jetty.pkcs12…done.
** Creating keystore file /opt/zimbra/mailboxd/etc/keystore…done.
** Installing CA to /opt/zimbra/conf/ca…done.
Host ughorizond.pulab.local
Stopping vmware-ha…Done.
Stopping zmconfigd…Done.
Stopping stats…Done.
Stopping spell…Done.
Stopping mailbox…Done.
Stopping convertd…Done.
Stopping ldap…Done.
Host ughorizond.pulab.local
Starting ldap…Done.
Starting zmconfigd…Done.
Starting convertd…Done.
Starting mailbox…Done.
Starting stats…Done.
ughorizoncf:/usr/local/horizon/lib/menu/secure #
Broadcast message from root (Wed Nov 27 12:30:54 2013):

The system is going down for system halt NOW!

This script generates the appropriate pair of certificate / key and send to the appropriate machine. After all, we need to restart all the vApp Horizon-Workspace (necessary but not essential, without it we arein  “half-step”).

After the restart we have the whole environment configured for SSL certificates from our local CA. This works all very well!

This script work in Horizon Workspace 1.8 too ! :)


Was this information is helpful? Tell me, please leave a comment!


Rate this article:
[Total: 0 Average: 0]

Author: Piotr Pisz

Computer always, since I got a Commodore 64 at the end of primary school, through his beloved Amiga and Linux infinite number of consoles, until today, fully virtual day. Since 2001, Unix/Linux Systems Administrator, for seven years a faithful companion and protector of Solaris system, until his sad end. In the year 2011 came in the depths of virtualization, then smoothly ascended into the clouds and continues there today. Professionally working as Systems Architect in the Polish Security Printing Works.

Leave a Reply

Required fields are marked *.