--
This is the first post in a short series on configuring VMware View 5.1, using vSphere 5.0 Update 1, on Windows Server 2008 R2 SP1. The article assumes you already have vCenter 5.0 running in the environment, and are using Microsoft SQL Server 2008 R2, so I won't cover how to install those products.
Other articles in this series include:
VMware View 5.1 Installation Part 2 - Composer
Having worked a lot with XenDesktop 5.5 in the past, it is interesting to see work flow for a View 5.1 installation. The first component I installed is the View Connection server, which can NOT be installed on the vCenter server. It will complain about port 80 being taken, so start off with a fresh Windows Server 2008 R2 SP1 VM for this component.
After you have provisioned a fresh VM for the View connection manager, we need to get our certificate house in order to ensure properly trusted SSL connections to this server. After the certificate is created and installed, we proceed with the basic View Connection server installation process, and finally verify the SSL certificate is working. The next article will cover the View Composer, which requires a database back-end, unlike View Connection server.
Take note the SSL certificate configuration process for View 5.1 is *completely* different from View 5.0 and previous versions. DO NOT follow VMware KB article 1008705 for View 5.1. You can find all of the View 5.1 documentation here. Should you try the View 5.0 and earlier instructions you can expect errors such as the following to be logged:
Couldn't create SSL socket factory com.vmware.vdi.ice.server.u.a(SourceFile:529)
java.lang.NullPointerException: invalid null input
To properly configure View 5.1 connection server, follow these steps:
1. On what will be your new View Connection server open a blank MMC, add the Certificates snap-in, and manage certificates for your Computer Account.
2. Open your personal certificates and review any existing certificates you may have. In this case I have Autoenroll configured, so the server automatically got a "computer" certificate installed. However, View Connection server can't use this certificate if it was issued with all default settings, which prohibit exporting the private key.
If you try to use this certificate, the built-in web server will barf and you won't get the login screen. The reason for this, is the default computer certificate template does not allow the private key to be exported, which View requires. So you could either alter the computer certificate request to allow private key export, or create a web server template (or request) with the allow private key export enabled.
3. Right click in the right pane and select Request New Certificate. Click Next, and on the following screen if you have a Windows CA that is online and configured to issue computer certificates, you should see something similar to the following picture. Click Next.
4. In my environment I configured my Microsoft Root CA to issue a custom web server template (Web Server v3), so I selected that enrollment policy. I recommend using a custom "web server" template as you can extend the validity period, ensure the allow private key export option is enabled, and customize the cipher strength. If you use the default computer template, you must alter the request properties to allow exporting of the private key or the certificate will not work.
To create a custom web server certificate template, see my article How to create custom Microsoft CA SSL certificate templates to create a template. Or you can simply import a pkcs#12 certificate from a commercial CA into the computer store, such as GoDaddy or Verisign. As I've mentioned before the certificate template MUST have the "Allow private key to be exported" option enabled, otherwise the VMware View Security Gateway component will fail to start. Also, only use the Windows Server 2003 certificate template option, NOT Windows Server 2008, as those will NOT work.
5. Click on More information is required.. and the following window will pop up. For the subject name select common name and enter the FQDN of the View server. Click on Add to move the value to the right side.
6. On the General tab add a Friendly Name of vdm to the certificate. This is key! And only one certificate in your computer's store can have this friendly name. Note that the friendly name is not baked into the certificate, and you can change it after the certificate is installed. If you import a certificate from a commercial CA, then open the properties of your imported certificate and change the friendly name.
7. Click OK, then click on Enroll. If all goes well, you should now see a new certificate with a friendly name of vdm in your certificate store. Note that the intended purposes is only Server Authentication.
9. Select View Standard Server.
11. Have the installer automatically configure your firewall.
12. Enter the group name you choose for View administrators.
13. Click through the remainder of the installation and wait for the installer to complete.
15. After you've lowered the security posture of your victim computer with Adobe Flash, you can browse to the FQDN and shortname URL (e.g. HTTPS://D0001View/admin) and you should get welcomed by the View Administrator logon screen and no SSL errors. In your browser open the properties of the SSL certificate and verify it is using your trusted certificate.
And now you should see the View Administrator logon!
Thanks for the write up. I just worked on this myself before finding your blog for about twelve hours!!
ReplyDeleteIt really angers me how difficult setting up view has become. The hatred I have for the setup completely overshadows any new innovations they made.
I agree. Fresh installs won't be bad, but this whole thing with having to have a valid trusted certificate for vcenter, composer, connection servers, security servers is a little ridiculous. I spent hours trying to perform an upgrade from View 5.0 to 5.1 with an environment that had zero certificates.
DeleteThe excercise of replacing just the vCenter default certificate with a trusted one is enormous because of all the associated services that are affected. Here's a great blog that goes over the process in detail:
http://www.wooditwork.com/2011/11/30/vsphere-5-certificates-1-installing-a-root-certificate-authority-3/
After you complete that AND also install trusted certificates for composer, connection and security servers you can go ahead and upgrade View to 5.1. But alas, after I upgraded everything and attempted to recompose my View Pool, it gave me a generic composer error. It seems that even though composer gets upgraded and I bind the new certificate to composer there's still something in the ADAM or composer database that screws things up.
I uninstalled and installed all of the View components and got things working.
My advice would be if you need to upgrade View to 5.1, take backups of the relevent databases, snapshot relevent vm's, make note of all View pool settings and uninstall/install View 5.1 - it's just easier.
Thanks for the manual - but all my connection Servers are still shown in red -invalid- Server's Certificate does not match the URL. The certificates are vaild in the IE with fqnd and short name - that can't be the problem here.
ReplyDeleteAny ideas ?
I have a similar issue. Using a wildcard certificate and everything works fine from the client perspective but the ‘alarm’ red -invalid- Server's certificate cannot be checked, is really annoying . It’s the same with the security server.
DeleteAny ideas ?
From my experimentation, it seems that having a certificate with a SAN (subject alternate name) confuses View and sometimes IE. So I changed the instructions to only use the FQDN (no short name) and that fixed the red certificate issues in IE and View. For the View problem, I'd open a ticket with VMware to complain that certs with SANs cause a certificate error.
DeleteThanks for your article Derek. You saved me a lot of hair pulling.
DeleteI'm working on a Teradici zero client with firmware 4.0 which seems to handle a View connection server certificate with a SAN.
I have just completed our View 5.1 Upgrade across all servers and security servers. I came across this post when trying to resolve the Red alarm on our security server. Once again certificate and everything works fine from the client perspective but the ‘alarm’ red -invalid- Server's certificate cannot be checked.
DeleteI was able to resolve this error by allowing the Connection server that was paired with our security server reporting the red alarm access via HTTP through several firewalls to get to the Verisign CRL sites, so that it could correctly validate the purchased ssl certificate bound to the security server. Hope this helps someone else cause it really annoyed me too. Also a restart of VCS & VSS was required for it to recheck the CRL again after about 15 mins and again when a user connected via Security Server.
Hi, I read your article and wanted to say thank you for clearing the confusion regarding the new ways to use certs in 5.1.
ReplyDeleteUnfortunately in my View 5.1 setup I am getting a blank page and the port 443 is not binding to the new certificate. I have tried both an internal and external, when I do a 'netstat -ab' the port is not listening. I have tried this now on two servers.
Any ideas?
Alan Wright
When I upgraded from 5.0 to update 1, I think I had the same issue and the way VMware corrected it was by getting the previous version .swf server file and replacing the new one.
DeleteAnonymous:
ReplyDeleteI noticed in one environment when I included both the FQDN and the shortname, that IE and Connection Server were not happy with the cert, even though the hostnames were 100% correct. I re-issued the certificate with only the FQDN, and then the cert errors went away. So you might try a new cert w/o the shortname and see what that does for ya.
Alan:
Is the VMware Gateway service running? I bet not, since it doesn't appear to be listening on 443. This points to a certificate problem. Does the certificate you are using have the 'mark private key as exportable' flag set? Have you looked in the VDM logs for any certificate based errors? If you see the error at the top of my post about invalid null data, that means the Java service can't read the private key so it barfs.
I have managed to get the internal certificate working with your instructions regarding using a Windows2003 Template. This has been working fine for over a week. I have since purchased a Thawte SSL certificate and I am now back to square one for the security servers.
DeleteI did check the services and they are all running ok, the log file shows the error:
[u] The Secure Gateway Server is using SSL certificate store of type KeyVault
[KeyVaultKeyStore] No qualifying certificates in keystore
[KeyVaultKeyStore] No qualifying certificates in keystore
[u] The Secure Gateway Server is listening on https://*:443
[e] Smart Card/Certificate Authentication will not be used as not configured for SSL.
But 443 isn't listening as before !
I noticed if I did put a short name in it failed on the internal certificate so was very careful not to do this on the external certificate.I did however use the friendly name on the CSR so am now thinking should I have done that.
Will keep you informed on my progress
Hi. Great instructions. I found this youtube video before your instructions:
ReplyDeletehttp://youtube.ng/watch?v=JCWkZj1EgBI
I followed it and when I requested a new certificate from my Root CA, I used the Computer policy (not web server). Everything else was pretty much the same as you explained. The end result is that the certificate generated for my connection servers were trusted and I'm able to log onto the View Administrator without any certificate issues at all. Just wondering why you believe that the Computer Policy would not work for the certificate request?
Unknown: The computer policy did not work in the two environments that I tested it with. My computer template policy does not allow exporting of the private key, which View seems to require. I configured the web server template policy to allow private key export, and it works fine (doesn't if private key export is disabled). I'll try the computer template with private key export and see what that does.
ReplyDeleteUnknown: If I modify the computer certificate request and allow the private key to be exported, View does accept the certificate as valid. The default computer certificate issued by a default auto-enrollment policy does not allow private key export. From a security perspective I would not allow private key export for all auto-enrolled computers. So I still think the best route is to use a web server template so you get a manually created certificate with the right properties, and a longer validity period than 1 yr which the default computer template uses.
ReplyDeleteHi Derek. I didn't use any auto-enroll computer certificates. When I requestd a new certificate I received the option to select the Computer template (like in your screenshot). I was able to select that and mark the key as exportable and it all worked.
ReplyDeleteVMware have issued a KB Article on the 5th June with some missing steps. Will give this a go and report back.
ReplyDeletekb.vmware.com/kb/2011848
Alan Wright, that KB article is for View 5.0, not View 5.1. There is a completely different procedure for View 5.1.
ReplyDeleteDerek, thank you for shedding light on this subject! I'm having a doosy of a time figuring out this SSL certificate issue and need a little help. I have a security server in the DMZ. I want only users from outside our network to connect to the security server and use the signed verisign certificate I have. However, I generated the CSR from the connection server. Should I have generated the CSR from the security server? Does it matter? I get a "page not found" when I use this 3rd party cert. Self-signed cert works fine. I renamed the friendly name vdm and the cert has the private key marked exportable but no dice. Ideas? Thanks in advance, been working for weeks on this.
ReplyDeleteDerek, Thanks for the detailed instructions. However, I ran into a problem when trying to add the vcenter server to View admin. I recently installed vCenter server 5.0 update 1, and created a certificate from our internal Microsoft CA. I'm receiving an error in View Administrator that says an Invaild certificate detected. The identity of the vcenter server can not be verified because the Server's certificate is not trusted. I checked the issuing and root CA certs and they are in the local certificate store. Not sure what's wrong at this point.
DeleteDerek, Alan Wright is correct - that KB article has been updated to reflect the fact that IT DOES APPLY TO VIEW 5.1
ReplyDeletehttp://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2011848
"Update History
06/05/2012 - Added View Manager 5.1 to product versions "
Anonymous: Alan Wright is not correct, as the update for View 5.1 in this document only includes a footnote which says, that the KB is not for View 5.1 and you should refer to documentation of View 5.1 for that matter. :-)
DeleteDerek -
ReplyDeleteNot sure if you still edit this thing, but you may want to throw this in here:
If the connection server administration console wont connect via https, and you do a netstat -ano and don't see it listening on 443, try this:
Open Windows Firewall with Adv. Security and look at the 1st rule. I used all the defaults listed here, and followed the admin guide to the "T"... maybe not so bright, but anyway. The first rule I had listed was a deny all, put there by View. Thanks. Yeah...
Anyway I hope this helps someone else, I spent a couple hours following rabbit holes before I decided to bust out the old A+ material... first 2 questions: Is it plugged in? Is it turned on? I wish I could meet the crackheads that design this vmware bullsh*t so I could give them the bird.
I have the similar issue to Alan Wright. I am using VMware View Connection Server (64-bit) 2012-05-16 | 5.1.0
ReplyDeleteI have tried to issue self-signed certificate. Then I had some certificate related issues with PCoIP, but View Administrator web page worked fine (only with info that View Conn. server certificate is untrusted).
I managed to make Microsoft CA and issue certificate with auto-enrolment. Everything is set properly, but I get this error message "[KeyVaultKeyStore] No qualifying certificates in keystore" in View Connection log file. That's why my View Administrator (" [Processor] Connection Processor is exiting") does not start at all.
So I tried the tip with creating and configuring locked.properties with exported .pfx file. When I set the locked.properties then the debug log file includes "[SslUtils] Could not decode certificate failure reason (Unknown in Unknown)".
If anyone has some idea what to do next, I have spent a loot of hours with this issue.
Maranel: If this issue is still actual: I had exactly same problems, "No qualifying certificates in keystore" when I created the Computer certificate template with version Windows 2008 Enterprise.
DeleteIt started to work, when:
- I created new Certificate template from Computer, using version Windows 2003 Enterprise
- allowed private key export to it
- then created machine certificate using it and added the friendly name vdm to it
By the way, I figured out how the certificate has to be generated manually using Windows tools and documented it here, specifically for Windows 2008 standalone servers, such as the View Security Server:
ReplyDeletehttp://www.zerouptime.ch/2012/10/manually-generating-view-5-1-ssl-certificates/
Derek,
ReplyDeletehope you have document about view security server how to config and the best practic soon. Thanks for all you hard work.
Derek,
ReplyDeletei use your info but when i connect to connect server it come up and login ok but the cert is error (Mismatched address
the security certificate presented by this website was issued for diffrent website's address.) any advice please thanks
Sounds like the hostname in the certificate does not match the address (hostname) you are using to access the server. Double check the SSL cert properties.
DeleteHi Derek, I'm running in a problem with my Connection server 5.1.1
ReplyDelete- Everything was working fine until I was called that clients cannot connect using the connection server.
- I tried to access my view administrator and is not opening, internet explorer cannot display the page.
- I logged remotely to the connection server and locally I tried to access the view administrator and still page cannot be displayed.
- I prepared a replication server and through it I was able to access the view administrator of the replication server.
- Using the IP address of the replica server I can connect to the virtual desktops, so temporary I have a solution but still I have to fix my primary connection server.
- I thought about reinstalling the connection server but there was a message saying "The installer will help you to remove VMware View Connection Server. to continue click remove. After removal, this program will no longer be available for use."
- What do you think will happen if I continue, knowing I have my replica which is working fine do you think that will harm all my setting.
Thank you,