Wednesday, June 10, 2015

vCloud Director Public Addresses

Most of vCloud Director implementations I’ve worked on where multi-cells implementations behind a load balancer to distribute the load and “hide” the cells from direct internet access.

In those scenarios you must configure the Public Address on vCloud configuration page, this way the cells will reply back to end users the public address instead of it’s internal address.
Starting with vCloud Director for Service Providers 5.6.3 there’s a few more flexible ways of configuring it.

Now we have options for:
- vCloud Director public URL
- vCloud Director secure public URL
- vCloud Director secure certificate chain
- vCloud Director public REST API base URL
- vCloud Director secure public REST API base URL
-vCloud Director public REST API certificate chain
As you could see we have a few new options, we could specify different address for HTTP and HTTPS access, but also when you specify the secure addresses you must include the certificate chain to be used, this means you wont use the internal cell’s certificate you specified during the cell’s installation.
This gives you the flexibility to have internal certificate provided by a internal CA and do real SSL OffLoad on your Load Balancer.

 Remember: Consoly proxy still no able to provide SSL Offload, so you still need that valid certificate internal to the cell.

 If you recall during cells implementation, there’s no API certificate bind to service during cell’s installation, so in the cases you want a different API URL than vCD URL having the option to specify it’s own certificate handy is awesome.

 The vCD's documentation was not update to reflect those new options yet, so I hope this posts helps to clarify a little bit about how to use them.



Johann said...

great post! can you provide some information on how you created your certificate chain?

Eduardo Meirelles da Rocha said...

Hi Johann, in fact the certificate chain was provided by a Certificate Authority company. You could follow the procedure bellow to generate your certificate signing request (csr) and send to them.

Unknown said...

Hi Eduardo,
After reading your post I have a question: The certificate chain from the load balancer we configure in the "secure public address space", should include the private key as well, or just the certificate?

Eduardo Meirelles da Rocha said...

Hi there, not sure what you are mentioning, if you are doing ssl offload on your load balancer, contact it's vendor on how to implemente the certificate how and where.
Now, if you are mentioning vCloud Director secure certificate chain, you dont need to specify your chain...well it will also depends if you are using a internal or external CA, with intermediates, etc..
what issue are you facing ?

Anonymous said...

Hi Eduardo, thanks for answering.
I have a reverse proxy on front, lets say, called server "A", with "A" certificate from verisign. Behind I have a vcloud cell, server "B", using "B" certificate from an internal CA.
In vCloud Public REST API I'm specifying "B" hostname, and putting a pem file containing < root CA, intermediate CA, B certificate>.
My question is, should I also include "B" private key in the PEM file I'm placing there?
The reverse proxy is doing the SSL termination currently.

I guess I don't understand the need for that vCloud option. Why does it needs to have that certificate in the secure public address field?

In terms of what is actually failing, I'm having errors uploading media and ovfs if I'm going through the reverse proxy, but internally it works fine.
And because I haven't found the root cause yet, I'm trying to not leave any stone unturned and I realised I don't really understand these settings completely.
What are your thoughts?

Thanks again

Eduardo Meirelles da Rocha said...

Let me start with the easy one, " don't understand the need for that vCloud option, this feature is to guarantee your Cloud Identify, I mean, your users will have a way to make sure your are who you say you are through the certificate. I know you are using SSL offload, but there are scenarios, where the traffic is passing direct through the LB or there's not LB at all, so we might need a way to pass the certificate to the users, that's the way.

Eduardo Meirelles da Rocha said...

Now, with your issue. The session is established between your client and your load balance and terminated there, a new session is then established between your LB and the vCD cell, for that to be successfully, your vCD cell must be trusted by LB, in some cases it means to add your internal CA on the LB.
But my best advice is to open a support case with VMware, they will help you in a more fast way.

Post a Comment

Who am I

My photo
I’m an IT specialist with over 15 years of experience, working from IT infrastructure to management products, troubleshooting and project management skills from medium to large environments. Nowadays I'm working for VMware as a Consulting Architect, helping customers to embrace the Cloud Era and make them successfully on their journey. Despite the fact I'm a VMware employee these postings reflect my own opinion and do not represents VMware's position, strategies or opinions. Reach me at @dumeirell

Most Viewed Posts

Blog Archive