This article describes how to enable or disable SSL encryption for secure user sessions on Linux VDA.
Instructions
Starting from version 7.16, Linux VDA supports SSL encryption for HDX connections. It adds certificate-based end-to-end SSL support to Linux VDA and thus provides a much more secure HDX solution.
SSL encryption is disabled by default. Customers can complete the following three major steps to enable this feature:
- Obtain and install certificates on both Linux VDA and client host
- Enable SSL encryption on Linux VDA
- Enable SSL encryption on the Delivery Controller
Step 1: Obtain and install certificates
Customers are encouraged to obtain the following certificates through standard procedures:
- Server certificate in PEM format, which will be installed on the Linux VDA;
- Root certificate in CRT format from a trusted Certificate Authority (CA), which will be installed on both the Linux VDA and the client host where Receiver is running.
A server certificate contains the following sections:
- Certificate
- Private key, stored decrypted (not password-protected)
- Intermediate certificates (optional)
We provide an example of a server certificate at the end of this article, for your reference.
Note: If you want to access StoreFront through a Chromebook or the Chrome browser, pay attention to the following:
- A Subject Alternative Name is required in the certificate;
- SHA-1 is too weak as the signature algorithm; use SHA-2 or stronger.
After obtaining the required certificates, customers need to install them as follows:
- Upload the server and CA certificates to the Linux VDA server; they are used in “Step 2: Enable SSL encryption on Linux VDA”. For example, put server.pem (the server certificate) and myca.crt (the CA certificate) in the folder /root/myCert/myCA/certs/.
- Download the CA certificate (myca.crt in this example) to the client host and import it into the system certificate store under the “Trusted Root Certification Authorities” folder. Refer to Importing Trusted CA Certificates into the Windows Certificate Store for instructions. Note: Make sure the client host can resolve the FQDN of the Linux VDA; otherwise the connection cannot be established.
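Before handing server.pem to enable_vdassl.sh in Step 2, it is worth confirming that it actually meets the requirements listed above (certificate plus decrypted private key in one PEM file, key matching the certificate, SHA-2 signature, Subject Alternative Name covering the VDA's FQDN, and a chain that validates against myca.crt). The following script is an added example written for this article, not a Citrix tool; the function name check_vda_cert, the hypothetical FQDN and the file paths are assumptions, and it relies on the openssl command line present on the Linux VDA.

```shell
#!/bin/sh
# check_vda_cert.sh - pre-flight check of a Linux VDA server certificate.
# Added example (not Citrix's tool). Usage: check_vda_cert <server.pem> <ca.crt> <vda-fqdn>
check_vda_cert() {
    pem=$1; ca=$2; fqdn=$3; rc=0
    work=$(mktemp -d)
    # Split the combined PEM into its certificate block(s) and its private key block.
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' "$pem" > "$work/certs.pem"
    awk '/-----BEGIN .*PRIVATE KEY-----/,/-----END .*PRIVATE KEY-----/' "$pem" > "$work/key.pem"

    # 1. The file must contain a certificate and a private key.
    if ! grep -q 'BEGIN CERTIFICATE' "$work/certs.pem"; then
        echo "FAIL: no certificate block in $pem"; rm -rf "$work"; return 1
    fi
    if ! grep -q 'PRIVATE KEY' "$work/key.pem"; then
        echo "FAIL: no private key block in $pem"; rc=1
    # 2. The private key must be stored decrypted: the VDA cannot prompt for a password.
    elif grep -q 'BEGIN ENCRYPTED PRIVATE KEY' "$work/key.pem" || grep -q 'Proc-Type: 4,ENCRYPTED' "$work/key.pem"; then
        echo "FAIL: private key in $pem is password-protected; store it decrypted"; rc=1
    # 3. The key must belong to the first (server) certificate in the file.
    elif [ "$(openssl x509 -in "$work/certs.pem" -noout -pubkey)" != "$(openssl pkey -in "$work/key.pem" -pubout)" ]; then
        echo "FAIL: private key does not match the server certificate"; rc=1
    fi

    # 4. SHA-1 signatures are rejected by Chromebook/Chrome clients; require SHA-2 or stronger.
    sigalg=$(openssl x509 -in "$work/certs.pem" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1)
    case "$sigalg" in
        *sha1*|*SHA1*|*md5*) echo "FAIL: weak signature algorithm $sigalg"; rc=1 ;;
    esac

    # 5. A Subject Alternative Name is required and must cover the VDA's FQDN, because the
    #    Delivery Controller connects by FQDN once DnsResolutionEnabled is set.
    if ! openssl x509 -in "$work/certs.pem" -noout -text | grep -q 'Subject Alternative Name'; then
        echo "FAIL: certificate has no Subject Alternative Name extension"; rc=1
    elif ! openssl x509 -in "$work/certs.pem" -noout -checkhost "$fqdn" | grep -q 'does match'; then
        echo "FAIL: certificate does not match hostname $fqdn"; rc=1
    fi

    # 6. The chain (leaf plus any intermediates in the file) must validate against the CA
    #    certificate that clients will import as a trusted root.
    openssl x509 -in "$work/certs.pem" -out "$work/leaf.pem"
    if ! openssl verify -CAfile "$ca" -untrusted "$work/certs.pem" "$work/leaf.pem" >/dev/null 2>&1; then
        echo "FAIL: $pem does not chain to $ca"; rc=1
    fi

    rm -rf "$work"
    [ "$rc" -eq 0 ] && echo "OK: $pem passes all checks for $fqdn"
    return "$rc"
}

# Example invocation with the paths used in this article (hypothetical FQDN):
#   check_vda_cert /root/myCert/myCA/certs/server.pem /root/myCert/myCA/certs/myca.crt sin-centos73.example.com
if [ "$#" -eq 3 ]; then
    check_vda_cert "$@"
fi
```

Every failing check prints a FAIL line and the function returns non-zero, so it can gate an automated deployment; the hostname check deliberately uses the FQDN, not the IP address, because that is the name the Delivery Controller and Receiver will present during the TLS handshake.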
Step 2: Enable SSL encryption on Linux VDA
Linux VDA provides a tool named enable_vdassl.sh to enable (or disable) SSL encryption for secure user sessions. It is located in the /opt/Citrix/VDA/sbin directory. You can get detailed help information through the following command:
/opt/Citrix/VDA/sbin/enable_vdassl.sh -h
- To enable SSL encryption on Linux VDA, run the following command:
enable_vdassl.sh -Enable [-Certificate <CERT-FILE>] [-RootCertificate <ROOT-CERT-FILE>]
As an example:
/opt/Citrix/VDA/sbin/enable_vdassl.sh -Enable -Certificate "/root/myCert/myCA/certs/server.pem" -RootCertificate "/root/myCert/myCA/certs/myca.crt"
After the command runs successfully, you can find the server certificate (server.pem) and the CA certificate (myca.crt) in /etc/xdl/.sslkeystore/certs and /etc/xdl/.sslkeystore/cacerts respectively. The new SSL listener is also started; you can check it with the following command:
[root@sin-centos73 ~]# netstat -lptn|grep hdx
tcp6 0 0 :::1494 :::* LISTEN 12942/ctxhdx
tcp6 0 0 :::443 :::* LISTEN 12942/ctxhdx
tcp6 0 0 :::2598 :::* LISTEN 12942/ctxhdx
- This tool (enable_vdassl.sh) can also be used to disable SSL encryption on the Linux VDA:
/opt/Citrix/VDA/sbin/enable_vdassl.sh -Disable
Step 3: Enable SSL encryption on the Delivery Controller
To enable SSL encryption on the Delivery Controller, note the following:
- You can only enable SSL encryption for an entire Delivery Group; you cannot enable it for specific applications.
- The Delivery Controller must use the Fully Qualified Domain Name (FQDN) of the Linux VDA rather than its IP address (which is used by default) to connect to the target Linux VDA.
Execute the following commands in a PowerShell window on the Delivery Controller:
- Asnp citrix.*
- Get-BrokerAccessPolicyRule -DesktopGroupName '<GROUPNAME>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
Note: <GROUPNAME> is the target Delivery Group name, for example:
Get-BrokerAccessPolicyRule -DesktopGroupName 'sin-centos73' | Set-BrokerAccessPolicyRule -HdxSslEnabled $true
- Set-BrokerSite -DnsResolutionEnabled $true
After the above configuration, you will be able to launch an SSL-encrypted ICA connection. That is, the ICA connection is established via the SSL listener instead of the TCP listener (port 1494 by default) or the Session Reliability listener (port 2598 by default). Run the following command inside the Linux VDA to see that the ICA connection was established on the SSL port (443 by default):
[root@sin-centos73 ~]# netstat -ano|grep 443
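netstat only shows that something is connected on port 443; it does not tell you whether the listener presents a certificate that a client will actually trust. The following script, an added example written for this article rather than a Citrix tool, performs one TLS handshake against the VDA's SSL listener from a client machine and checks the same two things Receiver will check: that the chain validates against the imported CA certificate (myca.crt) and that the certificate is valid for the VDA's FQDN. The function name check_vda_tls, the default port of 443 and the example FQDN are assumptions; it uses the openssl command line and does not speak ICA, so it verifies only the TLS layer.

```shell
#!/bin/sh
# check_vda_tls.sh - verify the Linux VDA SSL listener from a client machine.
# Added example (not a Citrix tool). Usage: check_vda_tls <vda-fqdn> <ca.crt> [port]
check_vda_tls() {
    fqdn=$1; ca=$2; port=${3:-443}

    # The CA file must be a PEM certificate; this is the same myca.crt that is imported
    # into the client's "Trusted Root Certification Authorities" store.
    if ! grep -q 'BEGIN CERTIFICATE' "$ca" 2>/dev/null; then
        echo "FAIL: $ca is not a PEM CA certificate"; return 1
    fi
    # Both the Delivery Controller and the client reach the VDA by FQDN, so it must resolve.
    if ! getent hosts "$fqdn" >/dev/null 2>&1; then
        echo "FAIL: $fqdn does not resolve; the SSL connection cannot be established"; return 1
    fi
    # Perform one TLS handshake with the listener, validating the chain against the CA and
    # the certificate's names against the FQDN, then close the connection (EOF on stdin).
    out=$(openssl s_client -connect "$fqdn:$port" -servername "$fqdn" \
              -verify_hostname "$fqdn" -CAfile "$ca" </dev/null 2>&1) || true
    if ! printf '%s\n' "$out" | grep -q 'Verify return code'; then
        echo "FAIL: no TLS handshake with $fqdn:$port (is the SSL listener running?)"; return 1
    fi
    code=$(printf '%s\n' "$out" | sed -n 's/.*Verify return code: *//p' | head -n 1)
    case "$code" in
        "0 (ok)") echo "OK: $fqdn:$port presents a certificate trusted via $ca and valid for $fqdn"; return 0 ;;
        *)        echo "FAIL: certificate verification failed: $code"; return 1 ;;
    esac
}

# Example invocation (hypothetical FQDN): check_vda_tls sin-centos73.example.com myca.crt
if [ "$#" -ge 2 ]; then
    check_vda_tls "$@"
fi
```

A "hostname mismatch" result means the certificate has no Subject Alternative Name matching the FQDN; "unable to get local issuer certificate" means the server is not sending the intermediate certificates or the wrong CA file was supplied. Both will also fail for Receiver, so fix them on the VDA side rather than by weakening the client's trust store.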
If you want to disable SSL encryption for ICA connections, complete the following steps:
- Disable SSL encryption on the Delivery Controller
Run the following commands in a PowerShell window on the Delivery Controller:
- Asnp citrix.*
- Get-BrokerAccessPolicyRule -DesktopGroupName '<GROUPNAME>' | Set-BrokerAccessPolicyRule -HdxSslEnabled $false
Note: <GROUPNAME> is the target Delivery Group name, for example:
Get-BrokerAccessPolicyRule -DesktopGroupName 'sin-centos73' | Set-BrokerAccessPolicyRule -HdxSslEnabled $false
- Set-BrokerSite -DnsResolutionEnabled $false
- Disable SSL encryption on Linux VDA
Run the command: /opt/Citrix/VDA/sbin/enable_vdassl.sh -Disable
Appendix
An example of a server certificate:
-----BEGIN CERTIFICATE-----
[certificate body not included in this copy of the article]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQCwk0zncXIr2yNC9BeusYDuYJDXiBilT/t+6UilfAeupVglc6+q
fbe9hWvvaAnH9sf7ntu+DVxXIOH6hkQ7KxMNd2MTOgjsgX+y+qbK7AgzZwT9avEy
R+MaDyF1HmluDFZP9z1cn4RyrOH8/MstSOFQ511R4cPtBUNgatzYcLEYZwIDAQAB
AoGBAKwBgZu/bkl8edgB8YPyU7diiBX89I0s4b/aPjM+JDmjxb8N96RsPO24p9Ea
FtUc9+iL8mEroLUbSicCXjsJFc+cxg9vVaNa6EEkkBj735oCUERqSx0Yb/lAdck/
FXzU0tqytUe/KHgcSgjtjrSeqLJqMm+yxzBAatVRTTzGdwAhAkEA3l1KRZjIN5uz
Enmi2RTI3ngBhBP/S3GEbvJfKsD5n2Ri90+OoEPxclvvp5ne8Q0zUpshbjFEPb0C
ykZ6UassFwJBAMtI5yPnV9ewPzJoaNjZIJcMtNXDchSlxXiJiyzv+Qmr8RuQz9Pv
fIenmTrfZ+Wo4DaKg+8ar2OvOnKF0HFAmDECQQDEwR1H6cE3WyCfN1u942M9XkhR
GvSpR7+b///vL6Nwwv3CwPV9n8DTpL+wuDkJZ9nCvRteil9MlaMTYjs3alNvAkEA
qy5JzZcbBnrYzMbVO32jju7ZPISnhTGO1xDjzMSLLpTGpNLN34b0k3sTclr8L42E
uQjtTqRm+wdsrVF3lFazkQJANudmsUVv3gZKhMGaV2hzIdXIfHyOIYv+3leZhQY6
h5eEmxSZS50TvyNGt2e6m2ZgaZmjTagH59TCBHvR5nof2g==
-----END RSA PRIVATE KEY-----