Certificates for Workload Balancing

Citrix Hypervisor and Workload Balancing communicate over HTTPS. During Workload Balancing Configuration, the wizard automatically creates a self-signed test certificate. This self-signed test certificate lets Workload Balancing establish a TLS connection to Citrix Hypervisor. By default, Workload Balancing creates this TLS connection with Citrix Hypervisor automatically. You do not need to perform any certificate configurations during or after configuration for Workload Balancing to create this TLS connection.

Note:

The self-signed certificate is a placeholder to facilitate HTTPS communication and is not from a trusted certificate authority. For added security, we recommend using a certificate signed by a trusted certificate authority.

To use a certificate from another certificate authority, such as one signed by a commercial authority, you must configure Workload Balancing and Citrix Hypervisor to use it.

By default, Citrix Hypervisor does not validate the identity of the certificate before it establishes connection to Workload Balancing. To configure Citrix Hypervisor to check for a specific certificate, export the root certificate that was used to sign the certificate. Copy the certificate to Citrix Hypervisor and configure Citrix Hypervisor to check for it when a connection to Workload Balancing is made. Citrix Hypervisor acts as the client in this scenario and Workload Balancing acts as the server.

Depending on your security goals, you can either:

 Citrix Hypervisor checks that a specific certificate is present before it lets the Workload Balancing virtual appliance connect to it over TLS. In this case, the real certificate (the certificate with the private key) is on the Workload Balancing server. The certificate that was used to sign it is on the Citrix Hypervisor pool coordinator.

Note:

Certificate verification is a security measure designed to prevent unwanted connections. Workload Balancing certificates must meet strict requirements or the certificate verification doesn’t succeed. When certificate verification fails, Citrix Hypervisor doesn’t allow the connection.

For certificate verification to succeed, you must store the certificates in the specific locations in which Citrix Hypervisor expects to find the certificates.

Configure Citrix Hypervisor to verify the self-signed certificate

You can configure Citrix Hypervisor to verify that the Citrix Workload Balancing self-signed certificate is authentic before Citrix Hypervisor permits Workload Balancing to connect.

Important:

For the Workload Balancing virtual appliance to work with certificate verification in the Citrix Hypervisor 8 Cloud preview, ensure that the key length of the self-signed certificate is 2048 and that the necessary parameter has been added to the stunnel configuration:

  1. Log in to the virtual appliance by entering the VM user name (typically root) and the root password you created earlier.

  2. Generate a self-signed certificate with a key length of 2048 by running the following command:

    openssl req -x509 -days 3650 -nodes -subj "/CN=<WLB_IP>" -newkey rsa:2048 -keyout /etc/ssl/certs/server.key -out /etc/ssl/certs/server.pem

  3. Edit the file /etc/stunnel/stunnel.conf to include the line curve = secp384r1 by using the following command:

    sed -i '/^fips=no/a curve = secp384r1' /etc/stunnel/stunnel.conf

  4. Restart the Workload Balancing virtual appliance.

You might have already completed these steps as part of the procedure Configure the Workload Balancing virtual appliance.
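As an added example (not Citrix's own code), the following POSIX shell script checks the two prerequisites above on the appliance and applies the stunnel setting only once; the plain sed command appends a second curve line every time it is re-run. The default paths are the ones given above; the function arguments let you point the checks at copies of the files.

```shell
#!/bin/sh
# Added example, not part of the Citrix documentation: checks the two
# certificate-verification prerequisites for the Workload Balancing appliance
# (2048-bit self-signed key, "curve = secp384r1" in stunnel.conf) and applies
# the stunnel setting idempotently. Default paths are the ones the page uses.

# Succeed only if the exact line "curve = secp384r1" is already present.
stunnel_has_curve() {
    grep -q '^curve = secp384r1$' "$1"
}

# Add "curve = secp384r1" after the "fips=no" line unless it is already there.
# Prints "present" or "added"; returns 2 if the config has no fips=no anchor.
ensure_stunnel_curve() {
    conf="$1"
    if stunnel_has_curve "$conf"; then
        echo present
        return 0
    fi
    grep -q '^fips=no' "$conf" || return 2
    sed -i '/^fips=no/a curve = secp384r1' "$conf"   # same command as the page
    echo added
}

# Print the RSA key length of the certificate in a PEM file (expects "2048").
# Requires openssl, which the appliance already has (it generated the cert).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Run both checks; exit status is non-zero if either prerequisite is unmet.
check_wlb_prereqs() {
    conf="${1:-/etc/stunnel/stunnel.conf}"
    pem="${2:-/etc/ssl/certs/server.pem}"
    status=0
    bits=$(cert_key_bits "$pem")
    if [ "$bits" = 2048 ]; then
        echo "ok: $pem has a 2048-bit key"
    else
        echo "FAIL: $pem key length is '${bits:-unknown}', expected 2048"; status=1
    fi
    case $(ensure_stunnel_curve "$conf") in
        present|added) echo "ok: $conf has curve = secp384r1" ;;
        *) echo "FAIL: no fips=no line in $conf, curve not added"; status=1 ;;
    esac
    echo "Restart the appliance if anything was added."
    return $status
}
```

Run `check_wlb_prereqs` on the appliance as root after step 2; it reports each prerequisite separately and adds the curve line only when it is missing.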

To verify the Citrix Workload Balancing self-signed certificate, you must connect to Workload Balancing using its host name. To find the Workload Balancing host name, run the hostname command on the virtual appliance.

To configure Citrix Hypervisor to verify the self-signed certificate, complete the following steps:

  1. Copy the self-signed certificate from the Workload Balancing virtual appliance to the pool coordinator. The Citrix Workload Balancing self-signed certificate is stored at /etc/ssl/certs/server.pem. Run the following command on the pool coordinator:

    scp root@<wlb-ip>:/etc/ssl/certs/server.pem .
