
Archive for the ‘Citrix NetScaler’ Category

Configure Netscaler Management for SSL with Trusted Certificate Part2

September 14, 2012

Step 2 Convert the Certificate PFX file to a PEM file and upload to a Citrix Netscaler

From my previous blog post we now have a PFX file, but the Netscaler will not use it as is; we need to convert the file into a PEM file. To do this, log on to the Netscaler device and select the SSL folder, then on the right-hand side select the Import PKCS12 option. A dialog box will appear.

1. Click Browse on the PKCS12 field and select the certificate file you previously exported.

2. In the Output File Name field enter a name for the converted file, ensuring the name ends with the pem extension as shown below.

3. Type the password you set when you previously exported the certificate into the password box and select OK.

The certificate has now been converted, and both the PEM file and the PFX file are stored on the device's file system. We now need to add the certificate to the config so it is available to assign to services. To do this, select the Certificates option under the SSL folder and then select Install. A dialog box will appear. In the Certificate Name field at the top enter a friendly name so you can identify it, and in both the Certificate File Name and the Private Key File Name fields select the PEM file you just created. You select the same file for both fields because the PEM file contains both the certificate and the private key, as shown below. Lastly, enter the password in the password field and select Install.
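Because the same PEM file is selected for both fields, it is worth confirming that the converted file really holds a certificate and exactly one private key, and whether that key is still passphrase-protected on disk. The following is an added example, not part of the original post; the function names and the sample bundle are constructed for illustration, and it assumes the PEM file is available as text.

```python
import base64
import re

# One PEM block; the label is e.g. "CERTIFICATE" or "ENCRYPTED PRIVATE KEY".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)


def inspect_pem_bundle(text):
    """Count certificate and private-key blocks in a converted PEM file."""
    out = {"certificates": 0, "private_keys": 0, "encrypted_keys": 0,
           "problems": []}
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy OpenSSL keys put "Name: value" headers before the base64.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            base64.b64decode(payload, validate=True)
        except ValueError:
            out["problems"].append(f"{label}: body is not valid base64")
            continue
        if label == "CERTIFICATE":
            out["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            out["private_keys"] += 1
            if label.startswith("ENCRYPTED") or "Proc-Type: 4,ENCRYPTED" in headers:
                out["encrypted_keys"] += 1
    if out["certificates"] == 0:
        out["problems"].append("no certificate block")
    if out["private_keys"] != 1:
        out["problems"].append(
            f"expected one private key, found {out['private_keys']}")
    return out


def make_block(label, headers=()):
    # Constructed placeholder bytes, not real certificate or key material.
    body = base64.b64encode(b"constructed sample bytes").decode()
    head = "".join(h + "\n" for h in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{head}{body}\n-----END {label}-----\n"


# Constructed sample: server cert, issuing CA cert, passphrase-protected key.
SAMPLE_BUNDLE = (make_block("CERTIFICATE") + make_block("CERTIFICATE") + make_block(
    "RSA PRIVATE KEY", ["Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,00"]))

if __name__ == "__main__":
    print(inspect_pem_bundle(SAMPLE_BUNDLE))
```

A result with `encrypted_keys` of 0 means the private key sits unprotected in the file, so any copy of that file taken off the appliance should be handled and deleted accordingly.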


To assign this new certificate to the management services:

1. Log into your NetScaler using an account with “superuser” powers (nsroot)

2. Expand the “Load Balancing” Tab and click on “Services”

3. On the right side under services click the “Internal Services” tab

4. Highlight the “nshttps-127.0.0.1-443” service and click the “Open” button


5. In the “Configure Service” window, click the “SSL Settings” tab

6. Under the “Configured” certificates you will see the default “ns-server-certificate”, highlight it and click the “Remove” button

7. Under the “Available” certificates, highlight the certificate you want to use and click the “Add” button (in my case, the “Netscaler Cert”)

 


8. Select Ok

You may get an error popup saying something like “No usable ciphers configured on the SSL vserver/service”. Just select OK. This happens because you are removing and adding a certificate in one step while the GUI actually does it in two, so it removes the old certificate before it adds the new one.


9. Select “Ok” and close that window

10. Repeat the same steps for “nsrpcs-127.0.0.1-3008” and “nsrpcs-127.0.0.1-3009”, as these are the “services” used when you configure the NetScaler using the “Web Start Client” Java App

11. Repeat the same steps for any of the management IP addresses you are going to be using.

12. Select “Save” and then “Refresh All” to save your new configuration to the NetScaler

That’s it, the Netscalers are all set for management using SSL. My next step is to configure my System Centre 2012 VMM environment to use SSL.


Configure Netscaler Management for SSL with Trusted Certificate Part1

September 14, 2012

So here is a scenario: you have two Citrix Netscaler VPX devices configured as an HA pair and you need to manage that pair over SSL for whatever reason. The devices are installed out of the box with a self-signed certificate, which may be fine in a dev environment but is not really best practice in production. Also, with Microsoft’s Internet Explorer 10 you will find you cannot even manage the box, as it no longer gives you the option to accept the untrusted certificate and continue. You will also find that this could break applications such as System Centre 2012 Virtual Machine Manager.

So what to do? Well, you need to get a trusted certificate, but pause for a moment, you may want a little more. In this scenario we have two devices, so what if you wanted the ability to log on not only to the active device but also to the standby? For that you are going to need a certificate with Subject Alternative Names (SAN). This will enable you to connect to the device by the individual device name and by the Virtual IP address shared by the devices.

Note: I am going to be using FQDN’s to access the device and not just an IP address

You need to have each node's management name (whatever you put in the browser to get to the device) and IP address in DNS, not forgetting the shared Virtual IP.

You need to have a valid certificate, with all the FQDNs listed as SANs, that is trusted by all devices that will connect using SSL.

You then need to import the certificate into the Netscaler and map it to the management services.

Sounds easy, but it took me a while to put all this together.

Step 1 Get a Certificate

I am using Microsoft 2008 R2 Certificate Services and using the guide here I generate a certificate for use on the Netscalers.

1. Log on to the server as a member of the local Administrators group.

2. Click Start.

3. In the Search programs and files box, type mmc.exe, and press ENTER.

4. On the File menu, click Add/Remove Snap-in.

5. In the list of available snap-ins, click Certificates, and then click Add.

6. Click Computer account, and click Next.

7. Click Local computer, and click Finish.

8. Click OK.

9. In the console tree, double-click Certificates (Local Computer), and then double-click Personal.

10. Right-click Personal, point to All Tasks, and then click Request New Certificate to start the Certificate Enrolment wizard (in my case, “Active Directory Enrollment Policy”).

11. Click Next.

12. Select the Web Server template. Click the warning icon below the text “More information is required to enroll for this certificate. Click here to configure these settings.”

13. In the Subject name area under Type, click Common Name.

14. In the Subject name area under Value, enter the fully qualified domain name of the server, and then click Add.

15. In the Alternative name area under Type, click DNS.

16. In the Alternative name area under Value, enter the fully qualified domain name of the server, and then click Add.

17. Repeat steps 15 and 16 above for each additional SAN that you require.

18. On the Private Key tab ensure you enable the “Make private key exportable” option.

19. Click OK when finished.

20. Click Enroll.

It should have looked something like the below


Checking the certificate we can see all the names listed (awesome)
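The same check can be made mechanical: given the SAN list of the issued certificate and every name administrators will type into a browser, report which names would still produce a certificate warning. This is an added example, not part of the original post; the host names and address are constructed, and the SAN string is assumed to be in the comma-separated form OpenSSL prints for the Subject Alternative Name extension.

```python
import ipaddress


def parse_san(san_text):
    """Split 'DNS:a, DNS:b, IP Address:192.0.2.1' into DNS names and IPs."""
    dns, ips = [], []
    for item in san_text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips


def dns_match(pattern, host):
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    # A wildcard is honoured only as the whole left-most label.
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered_names(san_text, management_names):
    """Return the management names that no SAN entry covers."""
    dns, ips = parse_san(san_text)
    missing = []
    for name in management_names:
        try:
            addr = ipaddress.ip_address(name)
        except ValueError:
            host = name.lower().rstrip(".")
            if not any(dns_match(p, host) for p in dns):
                missing.append(name)
        else:
            # An IP literal is matched only against IP-type SAN entries.
            if addr not in ips:
                missing.append(name)
    return missing


# Constructed sample: two HA nodes plus the shared management name.
SAMPLE_SAN = "DNS:ns1.lab.example, DNS:ns2.lab.example, DNS:ns-mgmt.lab.example"
SAMPLE_NAMES = ["ns1.lab.example", "ns2.lab.example", "ns-mgmt.lab.example",
                "ns1", "192.0.2.10"]

if __name__ == "__main__":
    print(uncovered_names(SAMPLE_SAN, SAMPLE_NAMES))  # ['ns1', '192.0.2.10']
```

The short name and the bare IP address are reported because DNS-type SAN entries only match the exact FQDN, which is why the post relies on FQDNs for management access.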


We next need to export this certificate and prepare it for upload into the Netscaler devices.

Click export to file and follow the wizard, ensuring you select Yes to exporting the file and Include all certificates in the certification path if possible. As the end result you will have a pfx file.

This file is no good for the Netscaler, as it wants a PEM file, so we need to convert it.

Part 2

Citrix NetScaler HTTPS Management not working

May 7, 2012

So I had an interesting issue today: I was deploying a new Citrix Netscaler VPX virtual appliance and I found that I could log in on HTTP but not HTTPS. It took a while to figure out the issue, but for all those people that run into this, I had to amend the Cipher list.

Log in to the Web management interface and under Load Balancing \ Services \ Internal Services open the nshttps-127.0.0.1-443 and nsrpcs-::1l-443 services, and on the SSL Settings tab select Ciphers. From the list of Available Ciphers Groups select HIGH and click Add, then click OK to close the dialog box and OK again to commit the changes.

 
