VMware View Manager Certificate Installation
Last Post 30 Dec 2012 05:37 PM by SuperUser Account. 0 Replies.
30 Dec 2012 05:37 PM  

VMware View Manager (Connection and Security servers) ships with a self-signed SSL certificate that can be used by clients when creating secure sessions to View desktops. However, there are many reasons why one should not use a self-signed SSL certificate, probably none more important than the lack of security controls with this type of certificate. In this article, we will describe the steps necessary to replace the default self-signed SSL certificate with one issued by either a third party Certificate Authority (CA) or your very own internal CA.

Items for consideration:

For clients that will access View via the Internet, you should consider purchasing a certificate from an external CA such as Thawte or Entrust. A third party CA will ensure that the site your clients believe to be yours is in fact genuine and not an impostor posing as you. Furthermore, it will save us the additional configuration necessary for thin clients to work with a self-signed certificate - and we would hate to do any more work than absolutely necessary.

If your clients' only access to View is from a non-Internet-facing internal network, you might opt to use an internal CA. As long as your clients can communicate with both your internal CA and the View server, there is no need to purchase a certificate from a third party.

Among other things, the web browser uses the Common Name or CN of both the issuer and the issuee to verify the identity of the web server with which it is communicating. If everything verifies, your browser knows the certificate is valid, and you'll never see this message. But if any of the details differ between the issuer and the certificate, your browser will provide you with an alert.

As we can see in the following image, the certificate presented to our browser shows that it was issued by “VMware VDM” and was issued to “VMware VDM”:

This is of no help to us because not only does the CN of "VMware VDM" not match the hostname of our View Security server (which is view.tcpdump.com in our example) but the issuer, VMware VDM, is not listed in our browser's trusted root certificate authorities.

Until we correct these issues, we will continue to receive these notices unless they are suppressed by the configuration of our browser, or we install a valid certificate. In the following pages, we will install a new certificate, but before we can do so, we must configure our system's environment.

Configuring Environment for Keytool

View Manager includes a tool that can generate a certificate signing request (CSR) called keytool. Using keytool, we can access the SSL keyring installed within View Manager and create, edit or delete the SSL keys used by our web server.

If you used the default install path for your Security and Connection server deployments, you will find keytool.exe located in the following path: 'C:\Program Files\VMware\VMware View\Server\jre\bin'

We begin by adding the location (or the path in which you installed View) to our system's environment PATH variable within Windows:

  1. Click Start » Settings » Control Panel
  2. Double click on the System icon
  3. Under the Advanced tab, click 'Environment Variables'
  4. Highlight the Path variable and click edit. Append the following to 'Variable value':
    ';C:\Program Files\VMware\VMware View\Server\jre\bin'
  5. Click through the remaining screens selecting the 'OK' option until the changes have been saved.

Creating a certificate signing request file

A certificate signing request, or CSR, is a file created by a web server that is sent to a certificate authority (CA) to enroll for an SSL certificate. We will use a public key infrastructure (PKI) to generate a key pair that will store the private part of our key within View's keystore. We will then provide the public key to our CA so that it may provide an SSL certificate (that has been digitally signed using the private key of the CA) that can then be configured with View.

Before we can generate a CSR file, we must first create a keystore to store our certificate. We will use the keytool to create this keystore:

  1. Open the command prompt on your View server:
    Start » Run » CMD
  2. Change directory to 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf':
    C:\Documents and Settings\Administrator>cd \
    C:\>cd "C:\Program Files\VMware\VMware View\Server\sslgateway\conf"
    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>
  3. Run the following command:
    'keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360'
    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360
  4. You will be asked to enter a keystore password. It is important that this password never be lost. If you lose this password, you will lose the ability to manage your keystore, which will eventually require that you recreate a new keystore and certificate.
    Enter keystore password: MY_PASSWORD
  5. When asked for your first and last name, enter the fully qualified domain name (FQDN) of your View server.
    DO NOT enter your name or the certificate you create will be invalid:
    What is your first and last name?[Unknown]: view.tcpdump.com
  6. Answer the remaining questions to complete the creation of the keystore:
    What is the name of your organizational unit?[Unknown]: IT
    What is the name of your organization?[Unknown]: TCPDump
    What is the name of your City or Locality?[Unknown]: Phoenixville
    What is the name of your State or Province?[Unknown]: PA
    What is the two-letter country code for this unit?[Unknown]: US
    Is CN=view.tcpdump.com, OU=IT, O=TCPDump, L=Phoenixville, ST=PA, C=US correct?[no]: yes
    Enter key password for (RETURN if same as keystore password)

Creating the Certificate Signing Request

We are now ready to create the certificate signing request. We will continue with the use of the keytool:

  1. From the command prompt, enter the following:
    'keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12'
    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12
    Enter keystore password: MY_PASSWORD
  2. This will create a file called 'certificate.csr' in your working directory. You may now submit the 'certificate.csr' to a CA in accordance with their enrollment process, requesting a certificate in PKCS7 format.
    If you would like to try out a temporary certificate from an untrusted root, both Thawte and Verisign offer free trials where you can try before you buy:
    Thawte - https://www.thawte.com/cgi/server/try.exe
    VeriSign - https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=5191

Importing a Certificate to the Key Store

Once you have your new certificate in PKCS7 format, we will continue with the keytool to import the certificate into View's keystore:

  1. Copy the text file containing the CA-issued key to the directory that contains your keystore. In our example, this is:
    'C:\Program Files\VMware\VMware View\Server\sslgateway\'
  2. From the command prompt, enter the following, replacing <certificate_file> with the file name of your certificate:
    'keytool -import -keystore keys.p12 -storetype pkcs12 -keyalg "RSA" -trustcacerts -file <certificate_file>'
    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -import -keystore keys.p12 -storetype pkcs12 -keyalg "RSA" -trustcacerts -file thwat_test_key.p7
  3. You will be asked to provide the password to your keystore:
    Enter keystore password: MY_PASSWORD
  4. After providing the correct password, you will see an informational screen similar to the one below with details about your certificate and the issuing CA:
    Top-level certificate in reply:
    Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
    Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
    Serial number: 0
    Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
    Certificate fingerprints:
    MD5: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:4D:26:A4
    SHA1: 39:C6:9D:27:AFC:EB:476:33:36:6A:B2:05:F1:47:A9:B4A:EA
  5. If you used a test certificate, as we did in the example above, you will receive an additional prompt that the issuer is not trusted. Answer this question with a 'yes' or 'y':
    … is not trusted. Install reply anyway? [no]: y
  6. If everything worked, you should see a message indicating that the certificate was added to the keystore:
    Certificate reply was installed in keystore

Configure View to use the new certificate

For the final part of our configuration, we must tell View to use the new cert. We do this by editing the locked.properties file:

  1. If the locked.properties file does not exist, create it. If the file already exists, edit it:
    'C:\Program Files\VMware\View Manager\Server\sslgateway\conf\locked.properties'
    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>notepad locked.properties
  2. Add the following to the file, replacing <keystore_password> with your keystore's password:
    keyfile=keys.p12
    keypass=<keystore_password>
  3. Save the locked.properties file and exit notepad.
  4. Restart the View Connection Server service.
  5. If working from the Security Server:
    C:\>net stop "VMware View Security Server"
    The VMware View Security Server service is stopping..
    The VMware View Security Server service was stopped successfully.

    C:\>net start "VMware View Security Server"
    The VMware View Security Server service is starting.
    The VMware View Security Server service was started successfully.

    If working from the Connection Server:
    C:\>net stop "VMware View Connection Server"
    The VMware View Connection Server service is stopping….
    The VMware View Connection Server service was stopped successfully.

    C:\>net start "VMware View Connection Server"
    The VMware View Connection Server service is starting.
    The VMware View Connection Server service was started successfully.
  6. Using your web browser, navigate to your View Manager server and test out your new certificate!

Credits: http://www.tcpdump.com/kb/virtualization/virtual-desktop/installing-ssl-certificates-in-vmware-view/all-pages.html
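
The name, issuer and validity checks described under "Items for consideration", as an added Python example that is not part of the original post. It goes one step further than the text by also modelling subjectAltName matching, which current browsers use in place of the CN and which the keytool -genkey request shown above (CN only) does not populate. The sample certificates, the "Example Internal CA" name and the issuer-name trust shortcut are constructed assumptions.

```python
import ssl
import time

def name_matches(pattern, host):
    """Label-wise match; '*' may replace only the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and p[0] in ("*", h[0]) and p[1:] == h[1:]

def attr(name, key):
    """Read one attribute (e.g. commonName) from a getpeercert()-style name."""
    return next((v for rdn in name for k, v in rdn if k == key), None)

def diagnose(cert, host, trusted_issuer_cns, now=None, allow_cn_fallback=False):
    """Return the reasons a client would warn about cert; [] means no warning."""
    now = time.time() if now is None else now
    problems = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    cn = attr(cert["subject"], "commonName")
    # Current browsers match only subjectAltName; older clients fell back to CN.
    names = sans or ([cn] if allow_cn_fallback and cn else [])
    if not any(name_matches(n, host) for n in names):
        problems.append("name-mismatch")
    # Simplification: trust is modelled as "issuer CN is in the trusted set";
    # a real client verifies the signature chain up to a trusted root.
    if attr(cert["issuer"], "commonName") not in trusted_issuer_cns:
        self_signed = cert["issuer"] == cert["subject"]
        problems.append("self-signed-untrusted" if self_signed else "untrusted-issuer")
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now <= end:
        problems.append("outside-validity")
    return problems

# Constructed sample certificates in the dict shape of ssl.SSLSocket.getpeercert().
HOST = "view.tcpdump.com"
TRUSTED = {"Example Internal CA"}  # hypothetical CA name
NOW = ssl.cert_time_to_seconds("Jun 15 00:00:00 2013 GMT")
VDM = ((("commonName", "VMware VDM"),),)
DEFAULT_CERT = {"subject": VDM, "issuer": VDM,
                "notBefore": "Jan 15 00:00:00 2012 GMT",
                "notAfter": "Jan 15 00:00:00 2022 GMT"}
CN_ONLY_CERT = {"subject": ((("commonName", HOST),),),
                "issuer": ((("commonName", "Example Internal CA"),),),
                "notBefore": "Jan 15 00:00:00 2013 GMT",
                "notAfter": "Jan 10 00:00:00 2014 GMT"}  # -validity 360
SAN_CERT = dict(CN_ONLY_CERT, subjectAltName=(("DNS", HOST),))

if __name__ == "__main__":
    for label, cert in [("default", DEFAULT_CERT), ("CN only", CN_ONLY_CERT),
                        ("with SAN", SAN_CERT)]:
        print(label, diagnose(cert, HOST, TRUSTED, now=NOW))
```

The CN-only certificate passes only when CN fallback is allowed, so a request meant for current browsers needs the host name in subjectAltName as well.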