Most of
vCloud Director implementations I’ve worked on where multi-cells
implementations behind a load balancer to distribute the load and “hide” the
cells from direct internet access.
In those
scenarios you must configure the Public Address on vCloud configuration page,
this way the cells will reply back to end users the public address instead of
it’s internal address.
Starting
with vCloud Director for Service Providers 5.6.3 there’s a few more flexible
ways of configuring it.
Now we have options for:
- vCloud
Director public URL
- vCloud
Director secure public URL
- vCloud
Director secure certificate chain
- vCloud
Director public REST API base URL
- vCloud
Director secure public REST API base URL
-vCloud
Director public REST API certificate chain
As you
could see we have a few new options, we could specify different address for
HTTP and HTTPS access, but also when you specify the secure addresses you must
include the certificate chain to be used, this means you wont use the internal
cell’s certificate you specified during the cell’s installation.
This gives
you the flexibility to have internal certificate provided by a internal CA and
do real SSL OffLoad on your Load Balancer.
Remember:
Consoly proxy still no able to provide SSL Offload, so you still need that
valid certificate internal to the cell.
If you recall during cells implementation, there’s
no API certificate bind to service during cell’s installation, so in the cases
you want a different API URL than vCD URL having the option to specify it’s own
certificate handy is awesome.
7 comments:
great post! can you provide some information on how you created your certificate chain?
Hi Johann, in fact the certificate chain was provided by a Certificate Authority company. You could follow the procedure bellow to generate your certificate signing request (csr) and send to them.
http://pubs.vmware.com/vcd-80/index.jsp#com.vmware.vcloud.install.doc_80/GUID-89437328-EE0A-40D3-A939-EB8DD70DC1E3.html
Hi Eduardo,
After reading your post I have a question: The certificate chain from the load balancer we configure in the "secure public address space", should include the private key as well, or just the certificate?
Hi there, not sure what you are mentioning, if you are doing ssl offload on your load balancer, contact it's vendor on how to implemente the certificate how and where.
Now, if you are mentioning vCloud Director secure certificate chain, you dont need to specify your chain...well it will also depends if you are using a internal or external CA, with intermediates, etc..
what issue are you facing ?
Hi Eduardo, thanks for answering.
I have a reverse proxy on front, lets say, called server "A", with "A" certificate from verisign. Behind I have a vcloud cell, server "B", using "B" certificate from an internal CA.
In vCloud Public REST API I'm specifying "B" hostname, and putting a pem file containing < root CA, intermediate CA, B certificate>.
My question is, should I also include "B" private key in the PEM file I'm placing there?
The reverse proxy is doing the SSL termination currently.
I guess I don't understand the need for that vCloud option. Why does it needs to have that certificate in the secure public address field?
In terms of what is actually failing, I'm having errors uploading media and ovfs if I'm going through the reverse proxy, but internally it works fine.
And because I haven't found the root cause yet, I'm trying to not leave any stone unturned and I realised I don't really understand these settings completely.
What are your thoughts?
Thanks again
Let me start with the easy one, " don't understand the need for that vCloud option, this feature is to guarantee your Cloud Identify, I mean, your users will have a way to make sure your are who you say you are through the certificate. I know you are using SSL offload, but there are scenarios, where the traffic is passing direct through the LB or there's not LB at all, so we might need a way to pass the certificate to the users, that's the way.
Now, with your issue. The session is established between your client and your load balance and terminated there, a new session is then established between your LB and the vCD cell, for that to be successfully, your vCD cell must be trusted by LB, in some cases it means to add your internal CA on the LB.
But my best advice is to open a support case with VMware, they will help you in a more fast way.
Post a Comment