So, now with the View 5 Client, it is tighter on security with certificates by default. I see that there is a way to bypass this, but I would rather leave the setting at the default. Here is my situation:
I have my 2 connection servers load balanced with a single DNS name and the SSL certificate is reflecting that name. However, I have some remote VPN users that do not have access to our DNS and they use the IP address directly to connect. Also, in some circumstances, we may have a user connect with one of the server names or its direct IP address. Therefore, we have a possible 6 different ways to connect. The only way it seems to work with the client if they are not using the Load Balanced DNS name is if we set it to 'Not Secure.' This is not ideal as we would have to instruct every user to change that setting.
So, is there a way to have multiple SSL certs for each method of connection and how would you do that? If not, is there a way to modify the client to install with 'Not Secure' as the default instead of Warn?
Thanks much!
Scott.
Yeah certificates are difficult to get your head around! I have to refer back to my detailed notes every time I revisit them. So this might be too much detail starting from the beginning but hopefully it gets you out of a bind.
1. Create the certificate keystore on the view server
- Add C:\Program Files\VMware\VMware View\Server\jre\bin to PATH
- At cmd prompt run cd "c:\program files\vmware\vmware view\server\sslgateway\conf"
- keytool -genkey -keyalg "RSA" -keystore keystorefilename.p12 -storetype pkcs12 -validity days
- Provide and confirm a keystore password when prompted (this will be stored in clear text later by the way)
- You will then get prompted for your first and last name. Use the servername.domainname. Answer the other questions if you want.
- Type yes to confirm
2. Create the CSR request
- keytool -certreq -keyalg "RSA" -file csrfilename.csr -keystore keystorefilename.p12 -storetype pkcs12
- Use password from keystore creation
3. Submit CSR request to Windows CA
- Open IE and go to your CAs certificate request page
- Request advanced cert
- Submit a certificate request
- Copy and paste content of csrfilename.csr file
- Cert template: Web
- Additional attributes san:dns=blah&dns=blah.domainname&dns=ip (must've already run editflag command on CA server for this to work as per my last post)
- Save the Base64chain p7b file to c:\program files\vmware\vmware view\server\sslgateway\conf
4. Import certificate chain into keystore
- keytool -import -keystore keystorefilename.p12 -storetype pkcs12 -keyalg "RSA" -trustcacerts -file base64chain.p7b
- At prompt type yes
You then need to edit/create "locked.properties" text file in c:\program files\vmware\vmware view\server\sslgateway\conf which contains 2 lines:
keyfile=keystorefilename.p12
keypass=keystorepass
5. Reboot (VM says that restarting VM view web services should do but I haven't had that work but it might for you)
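Once the chain is imported, the thing worth verifying is that the issued certificate really covers every name a user might type into the client: the load-balanced name, each server's own name, and the raw IP addresses. The script below is an added example, not code from any post in this thread or from VMware; the six connection targets and the sample SAN list are constructed, and the assumed convention is that IP literals go into the Windows CA attribute string as `ipaddress=` entries (the iPAddress SAN type). Michelle's post puts the IP in a `dns=` entry and reports that the View client accepts it; a strict RFC 6125 validator only honours an iPAddress entry, so the check treats a dNSName holding an IP literal as a match only when `strict=False`.

```python
"""Check that a View Connection Server certificate covers every name users
actually connect with, and build the CA 'Additional attributes' string for
them. Added example: targets and SAN entries below are constructed."""
import ipaddress

# Constructed: the six ways users reach the brokers in the thread (assumed names).
CONNECTION_TARGETS = [
    "view.example.com",       # load-balanced DNS name
    "viewcs01.example.com",   # connection server 1
    "viewcs02.example.com",   # connection server 2
    "192.0.2.10",             # load balancer VIP (documentation address range)
    "192.0.2.11",             # connection server 1 address
    "192.0.2.12",             # connection server 2 address
]

# Constructed SAN list in the (type, value) shape that
# ssl.SSLSocket.getpeercert()["subjectAltName"] returns; it deliberately
# misses one server name and one IP so the gap check has something to find.
SAMPLE_SAN = [
    ("DNS", "view.example.com"),
    ("DNS", "viewcs01.example.com"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "192.0.2.11"),
]


def san_attribute(targets):
    """Build the string pasted into the CA web page's 'Additional attributes'
    box: dns= for host names, ipaddress= for IP literals (assumed convention)."""
    parts = []
    for target in targets:
        try:
            ipaddress.ip_address(target)
            parts.append(f"ipaddress={target}")
        except ValueError:
            parts.append(f"dns={target}")
    return "san:" + "&".join(parts)


def _dns_match(pattern, host):
    """RFC 6125-style dNSName match: case-insensitive, a wildcard only as the
    whole left-most label, and never matching across a dot or the bare suffix."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                 # ".example.com"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        return "." not in host[: -len(suffix)]
    return False


def matches(san_entries, target, strict=True):
    """True if one subjectAltName entry covers `target`.  With strict=False an
    IP literal stored in a DNS entry (the dns=ip form) also counts."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif kind == "DNS":
            if ip is None and _dns_match(value, target):
                return True
            if ip is not None and not strict and value == target:
                return True
    return False


def uncovered(san_entries, targets, strict=True):
    """Return the connection targets the certificate does not cover."""
    return [t for t in targets if not matches(san_entries, t, strict)]


if __name__ == "__main__":
    print(san_attribute(CONNECTION_TARGETS))
    for name in uncovered(SAMPLE_SAN, CONNECTION_TARGETS):
        print("NOT covered by certificate:", name)
```

Against a live server the same `uncovered()` call works on the list returned by `ssl.SSLSocket.getpeercert()["subjectAltName"]` after a `ssl.create_default_context()` connection, so the check can be repeated every time the certificate is renewed rather than waiting for a user to report the warning.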
It sounds to me as though you should register your servername so that it can be publicly resolved. That way, external users do not have to use the IP address to connect.
If you really do want to script the "Not Secure" option, refer to the Admin documentation for information about what registry values can be used. The easiest way is to use a GPO, the 2nd easiest way is to have them do it directly in the UI, and the other way is to distribute a .reg script that will modify the registry values directly.
Hi Scott, I had the same problem and was able to resolve it by using Subject Alternate Names when signing the request on my Internal Windows 2003 CA. If you don't use a Windows CA then you will have to figure out how to create SAN attributes for the type of CA you are using.
Anyway, on our Win2k3 CA I initially had to enable it on the CA otherwise the certificate won't get issued with the additional SAN attributes. I followed: http://support.microsoft.com/kb/931351
Basically, run certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2 then restart certsvc
Then, when I submitted the CSR to the CA I had to add attributes in the following format:
san:dns=dns.name[&dns=dns.name]
e.g. viewserver_name&dns=viewserver_name.domain.name&dns=ip_of_viewserver
Hope this helps!
Michelle
Michelle,
Thanks for the suggestion, this looks to be promising as we do have a Win 2003 CA. However, I'm a bit illiterate when it comes to cert stuff and this is driving me crazy. Would it be possible for you to provide some more detailed steps with both creating the cert and getting it onto the connection server? Are you requesting the cert from the CA web interface? Does it matter that it doesn't seem to allow the private key to be exported? I guess I'm a little stuck.
Check out page 75 of the install guide. http://pubs.vmware.com/view-50/topic/com.vmware.ICbase/PDF/view-50-installation.pdf
mittim12,
I am looking at those instructions, however, they seem to require that the exported cert be in PFX or PKCS#12 format with a private key. When I follow the page that Michelle sent, it will not let me export the private key, so it limits me to .CER or .P7B format.
What page did you see that on?
Hi
We don't use vmware view but we had a lot of issues with SSL certs when we upgraded to vCenter Server 5.0. We installed it on a new server (virtual); however, the SSL folder under the vmware virtual center folder already had some SSL certs stored there which the installation used. It is also worth noting that if you uninstall vcenter it does not remove the SSL, Extensions and Endpoint folders - this must be done manually. Once we upgraded - straightforward - all worked ok except we had Hardware Status tab errors, Licence Service and vCenter Inventory Service critical errors. I spent 4 days modifying Container details via ldp.exe, recreating SSL certs using openssl, recreating inventory databases etc. to no avail (all these are detailed quite well in other posts/google). To resolve, I uninstalled vCenter completely, deleted any vmware related folders as I stated above, reinstalled the instance and everything worked fine. All issues were resolved.
Thank you Michelle!!
That was exactly what I was looking for. I didn't realize that I could add the extra attributes to an already created Cert request from the connection server. I'll post how my testing goes. Thanks again!
Bottom of page 76:
Use an Existing SSL Certificate and Private Key
If your organization already has a valid SSL server certificate, you can use that certificate to replace the default
SSL server certificate provided with View Connection Server.
To use an existing certificate, you also need the accompanying private key. The PKCS#12 file format, formerly called PFX file format, includes both the server certificate and the private key. The PKCS#12 file type can have a .pfx or .p12 extension.
My test worked perfectly, thanks so much for the detailed instructions. Now, I just have to do the same for my Load balanced servers. That will be a lot of entries in the attributes field.
Ok, never tried using the existing. I always create a new CSR and just go from there. Glad you got it working.
That's great news!
Cheers