Symantec Workspace Streaming 6.1 - Enabling SSL on Launch Servers

Introduction

Symantec Workspace Streaming includes an option to enable secure communication between the end user and the launch server. I noticed there was no walkthrough on Connect for confiuring the option to use SSL on launch servers so I wanted to share with you the steps I followed in order to enable this setting.

For this exercise, I setup a lab environment with three seperate servers and a client:

• Domain Controller
• Back End Server (Streamlet Engine)
• Front End Server (Launch Server/Streaming Server)
• Client

All servers used in my lab environment are running Microsoft Windows 2008 R2 Standard SP1. My domain controller has the Active Directory Certificate Authority and Certificate Authority Web Enrollment Role Services enabled. The SWS servers are on the most recent release (currently 6.1 SP8 MP1). The client system is running Microsoft Windows 7 Enterprise SP1.

Creating the Certificate Service Request

On the back end server:

1. Login to the console.
2. From the navigation column, under Configuration, select Launch Server.
3. Select the launch server.
4. Click Generate Certificate Request.
5. Fill in the web form to create a Certificate Service Request (CSR).
6. Save the cert_req.txt file using its alias for the file name as a reminder.
7. Copy the CSR file to a convenient location.

Creating the Certificate

On the Certificate Authority:

1. Open the Certificate Services web interface (e.g., http://localhost/certsrv/).
2. Click on Request a certificate.
3. Click on advanced certificate request.
4. Click on Submit a certificate request by using a base-64-encoded CMC or PKCS#10...
5. Saved Request: Paste the contents of cert_req.txt here.
6. Certificate Template: Web Server.
7. Additional Attributes: leave this blank.
8. Click the Submit button.
9. Click on Download certificate chain.
10. Save the certificate file using its alias for the file name as a reminder.
11. Copy the certificate to a convenient location.

Uploading the Certificate

On the back end server:

1. Login to the console.
2. From the navigation column, under Configuration, select Launch Server.
3. Select a launch server.
4. Click Upload Certificate.
5. Certificate File: browse to where you saved the certificate and select the corresponding file.
6. Alias: type in the alias used in the steps above.
7. Click the Upload button.
8. Typing in the wrong alias gets this message: “java.lang.exception: input not an x.509 certificate”; go back and type in the matching alias name.

Enabling Secure Communication

On the back end server:

1. Login to the console.
2. From the navigation column, under Configuration, select Launch Server.
3. Select the launch server.
4. Click the Basic button.
5. Select the option for Enable Secure Socket Connection to Launch Server.
6. Click the Save button.
7. From the navigation column, under Status and Control, select Component Status.
8. Select the FE component and click Restart.

Testing Secure Communication

On a client machine:

1. Open a browser and navigate to the portal page.
2. The web server will automatically redirect the browser to use the secure port.
3. View the certificate details to confirm the names of the servers “Issued to:” and “Issued from:”

This concludes setting up secure communication between the end user and the launch server.

But wait, there's more!

I thought I should include a short walkthrough on reverting back to non-secure mode and also how to clean up the certificates from the front end server.

Reverting Back to Non-secure Communication

On the back end server:

1. Login to the console.
2. From the navigation column, under Configuration, select Launch Server.
3. Select the launch server.
4. Click the Basic button.
5. Deselect the option for Enable Secure Socket Connection to Launch Server.
6. Click the Save button.
7. From the navigation column, under Status and Control, select Component Status.
8. Select the FE component and click Restart.

Removing the Certificate

On the front end server:

1. Open an elevated command prompt.
2. Change directory to:
   

   C:\Symantec\Workspace Streaming\Server\common\jre\bin\

3. List the contents of the stscerts file:
   

   keytool -list -v -keystore "C:\Symantec\Workspace Streaming\Server\common\jre\lib\security\stscerts"

4. Find the alias of the certificate.
5. Delete the certificate using its alias name:
   

   keytool -delete -alias certificate_alias_name -keystore "C:\Symantec\Workspace Streaming\Server\common\jre\lib\security\stscerts"

Now your launch server is back to the state we started in before we began this adventure with SSL.

Feedback

I'd like to hear back from the community! Share your success stories or problems you previously encountered setting up SSL on the launch server using the comments section below.