Product Documentation

Securing endpoints using SSL

Mar 23, 2015

This document explains how to use SSL to secure the Monitor Service OData API endpoints. If you choose to use SSL, you must configure SSL on all Delivery Controllers in the site; you cannot use a mixture of SSL and non-SSL.

To secure Monitor Service endpoints using SSL, you must perform the following configuration. Some steps need to be done only once per site, others must be run from every machine hosting the Monitor Service in the site. The steps are described below.

Part 1: Certificate registration with the system

  1. Create a certificate using a trusted certificate manager. The certificate must be associated with the port on the machine that you wish to use for OData SSL.
  2. Configure the Monitor Service to use this port for SSL communication. The steps depend on your environment and how this works with certificates. The following example shows how to configure port 449:
  • Associate the certificate with a port:
    netsh http add sslcert ipport=0.0.0.0:449 certhash=97bb629e50d556c80528f4991721ad4f28fb74e9  
    appid='{00000000-0000-0000-0000-000000000000}'
    Tip: In a PowerShell command window, ensure you put single quotes around the GUID in the appID, as shown above, or the command will not work. Note that a line break has been added to this example for readability only.

Part 2: Modify the Monitor Service configuration settings

  1. From any Delivery Controller in the site, run the following PowerShell commands once. This removes the Monitor Service registration with the Configuration Service.
    asnp citrix.*  
     
    $serviceGroup = get-configregisteredserviceinstance -servicetype Monitor | Select -First 1 ServiceGroupUid 
      
    remove-configserviceGroup -ServiceGroupUid $serviceGroup.ServiceGroupUid 
    
  2. Do the following on all Controllers in the site:
    • Using a cmd prompt, locate the installed Citrix Monitor directory (typically in C:\Program Files\Citrix\Monitor\Service). Within that directory run:
      Citrix.Monitor.Exe -CONFIGUREFIREWALL -ODataPort 449 -RequireODataSsl
    • Run the following PowerShell commands:
    asnp citrix.*  (if not already run within this window) 
     
    get-MonitorServiceInstance | register-ConfigServiceInstance  
     
    Get-ConfigRegisteredServiceInstance -ServiceType Config | Reset-MonitorServiceGroupMembership