SSL Certificates in VMware View
Written by Tom Hirt   
Monday, 02 March 2009 15:19
Article Index
SSL Certificates in VMware View
SSL Security Alerts
Configuring Environment for Keytool
Creating a certificate signing request file
Importing a Certificate to the Key Store
Configure View to use the new certificate

VMware View Manager Certificate Installation


VMware View Manager (Connection and Security servers) ships with a self-signed SSL certificate that clients can use when creating secure sessions to View desktops. There are many reasons not to use a self-signed SSL certificate, but probably none greater than the lack of security controls with this type of certificate. In this article, we describe the steps necessary to replace the default self-signed SSL certificate with one issued by either a third-party Certificate Authority (CA) or your very own internal CA.

Items for consideration:

For clients that will access View via the Internet, you should consider purchasing a certificate from an external CA such as Thawte or Entrust. A third-party CA will ensure the site your clients believe to be yours is in fact genuine and not an impostor posing as you. Furthermore, it will save us the additional configuration necessary for thin clients to work with a self-signed certificate, and we would hate to do any more work than absolutely necessary.

If your clients only access View from an internal network that is not Internet-facing, you might opt to use an internal CA. As long as your clients can communicate with both your internal CA and the View server, there is no need to purchase a certificate from a third party.


SSL Security Alerts

Among other things, the web browser uses the Common Name (CN) of both the issuer and the subject to verify the identity of the web server with which it is communicating. If everything verifies, your browser knows the certificate is valid, and you'll never see this message. But if any of the details differ between the issuer and the certificate, your browser will present you with an alert.

As we can see in the following image, the certificate presented to our browser shows that it was issued by "VMware VDM" and was issued to "VMware VDM":

Default View Certificate

This is of no help to us: not only does the CN of "VMware VDM" not match the hostname of our View Security server (which is view.tcpdump.com in our example), but the issuer, VMware VDM, is not listed in our browser's trusted root certificate authorities.

Until we correct these issues, we will continue to receive these notices unless they are suppressed by the configuration of our browser or we install a valid certificate. In the following pages, we will install a new certificate, but before we can do so, we must configure our system's environment.
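To make the browser's reasoning above concrete, here is an added example (not code from the original article) that applies the same checks to the certificate fields Python's ssl module hands back from getpeercert(); the "VMware VDM" and view.tcpdump.com certificates in it are constructed samples, not captured ones.

```python
"""Browser-style checks on a View server certificate (added example, not from the article).
Runs the article's checks over the dict shape ssl.SSLSocket.getpeercert() returns:
name matches the host, issuer is a trusted root (not identical to the subject),
certificate is inside its validity period. Sample certificates are constructed."""
import ssl
import time

def claimed_names(cert):
    """Host names the certificate claims: SAN dNSName entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names.extend(value for key, value in rdn if key == "commonName")
    return names

def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*.' covers exactly one DNS label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname

def cert_problems(cert, hostname, trusted_issuers, now=None):
    """Return the reasons a browser would alert on this certificate; empty means it verifies."""
    now = time.time() if now is None else now
    problems = []
    names = claimed_names(cert)
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: {names} do not cover {hostname}")
    if cert["issuer"] == cert["subject"]:
        problems.append("self-signed: issuer and subject are identical")
    elif cert["issuer"] not in trusted_issuers:
        problems.append("untrusted issuer: not in the browser's trusted root store")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    return problems

# Constructed samples: the default "VMware VDM" certificate and a CA-issued replacement.
VDM_NAME = ((("commonName", "VMware VDM"),),)
DEFAULT_VIEW_CERT = {"subject": VDM_NAME, "issuer": VDM_NAME,
                     "notBefore": "Jan  1 00:00:00 2009 GMT", "notAfter": "Dec 31 23:59:59 2010 GMT"}
CA_NAME = ((("organizationName", "Example CA"),), (("commonName", "Example CA Root"),))
ISSUED_CERT = {"subject": ((("commonName", "view.tcpdump.com"),),), "issuer": CA_NAME,
               "subjectAltName": (("DNS", "view.tcpdump.com"),),
               "notBefore": "Mar  1 00:00:00 2009 GMT", "notAfter": "Feb 28 23:59:59 2010 GMT"}
EXAMPLE_NOW = ssl.cert_time_to_seconds("Jun  1 00:00:00 2009 GMT")  # fixed clock for reproducible results
```

Against a live server, pass the dictionary from `ssl.create_default_context()` plus `getpeercert()` in place of the samples; the default View certificate trips both the name and the self-signed checks at once.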



Configuring Environment for Keytool


View Manager includes a tool called keytool that can generate a certificate signing request (CSR). Using keytool, we can access the SSL keystore installed within View Manager and create, edit or delete the SSL keys used by our web server.

If you used the default install path for your Security and Connection server deployments, you will find keytool.exe located in the following path:
'C:\Program Files\VMware\VMware View\Server\jre\bin'

We begin by adding the location (or the path in which you installed View) to our system's environment PATH variable within Windows:

  1. Click Start >> Settings >> Control Panel

  2. Double click the System icon. Under the Advanced tab, click 'Environment Variables'

    Windows System Properties Screen

  3. Highlight the Path variable and click edit. Append the following to 'Variable value':
    ';C:\Program Files\VMware\VMware View\Server\jre\bin'

    System Path

  4. Click through the remaining screens selecting the 'OK' option until the changes have been saved.



Creating a certificate signing request file


A certificate signing request, or CSR, is a file created by a web server that is sent to a certificate authority (CA) to enroll for an SSL certificate. Following the public key infrastructure (PKI) model, we will generate a key pair and store its private key within View's keystore. We will then provide the public key to our CA (in the CSR) so that it may issue an SSL certificate, digitally signed using the CA's private key, that can then be configured with View.

Before we can generate a CSR file, we must first create a keystore to store our certificate. We will use the keytool to create this keystore:

  1. Open the command prompt on your View server:
    Start >> Run >> CMD

  2. Change directory to:
    'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'

    Microsoft Windows [Version 5.2.3790]
    (C) Copyright 1985-2003 Microsoft Corp.

    C:\Documents and Settings\Administrator>cd \

    C:\>cd "C:\Program Files\VMware\VMware View\Server\sslgateway\conf"

    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>

  3. Run the following command:
    'keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360'

    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360

  4. You will be asked to enter a keystore password. It is important that this password never be lost. If you lose this password, you will lose the ability to manage your keystore, which will eventually require that you create a new keystore and certificate.

    Enter keystore password: MY_PASSWORD

  5. When asked for your first and last name, enter the fully qualified domain name (FQDN) of your View server. DO NOT enter your name, or the certificate you create will be invalid:

    What is your first and last name?[Unknown]: view.tcpdump.com

  6. Answer the remaining questions to complete the creation of the keystore

    What is the name of your organizational unit?[Unknown]: IT
    What is the name of your organization?[Unknown]: TCPDump
    What is the name of your City or Locality?[Unknown]: Phoenixville
    What is the name of your State or Province?[Unknown]: PA
    What is the two-letter country code for this unit?[Unknown]: US

    Is CN=view.tcpdump.com, OU=IT, O=TCPDump, L=Phoenixville, ST=PA, C=US correct?[no]: yes
    Enter key password for (RETURN if same as keystore password):

Creating the Certificate Signing Request


We are now ready to create the certificate signing request. We will continue with the use of the keytool:

  1. From the command prompt, enter the following:
    'keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12'

    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -certreq -keyalg "RSA" -file certificate.csr -keystore keys.p12 -storetype pkcs12
    Enter keystore password: MY_PASSWORD

  2. This will create a file called 'certificate.csr' in your working directory. You may now submit the 'certificate.csr' to a CA in accordance with their enrollment process requesting a certificate in PKCS7 format.

If you would like to try out a temporary certificate from an untrusted root, both Thawte and VeriSign offer free trials where you can try before you buy:
Thawte - https://www.thawte.com/cgi/server/try.exe
VeriSign - https://www.verisign.com/cgi-bin/clearsales_cgi/leadgen.htm?form_id=5191


Importing a Certificate to the Key Store


Once you have your new certificate in PKCS7 format, we continue with keytool to import the certificate into View's keystore:
  1. Copy the text file containing the CA-issued certificate to the directory that contains your keystore. In our example, this is:
    'C:\Program Files\VMware\VMware View\Server\sslgateway\'

  2. From the command prompt, enter the following, replacing the file argument with the file name of your certificate:
    'keytool -import -keystore keys.p12 -storetype pkcs12 -keyalg "RSA" -trustcacerts -file '

    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>keytool -import -keystore keys.p12 -storetype pkcs12 -keyalg "RSA" -trustcacerts -file thwat_test_key.p7

  3. You will be asked to provide the password to your keystore:

    Enter keystore password: MY_PASSWORD

  4. After providing the correct password, you will see an informational screen similar to the below with details about your certificate and the issuing CA:

    Top-level certificate in reply:

    Owner: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
    Issuer: CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR TESTING PURPOSES ONLY, C=ZA
    Serial number: 0
    Valid from: Wed Jul 31 20:00:00 EDT 1996 until: Thu Dec 31 16:59:59 EST 2020
    Certificate fingerprints:
    MD5: 5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4
    SHA1: 39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA

  5. If you used a test certificate, as we did in the example above, you will receive an additional prompt that the issuer is not trusted. Answer this question with a 'yes' or 'y':

    ... is not trusted. Install reply anyway? [no]: y

  6. If everything worked, you should see a message indicating that the certificate was added to the keystore:

    Certificate reply was installed in keystore



Configure View to use the new certificate


For the final part of our configuration, we must tell View to use the new cert. We do this by editing the locked.properties file:
  1. If the locked.properties file does not exist, create it. If the file already exists, edit it:
    'C:\Program Files\VMware\View Manager\Server\sslgateway\conf\locked.properties'

    C:\Program Files\VMware\VMware View\Server\sslgateway\conf>notepad locked.properties

  2. Add the following to the file, replacing the keypass value with your keystore's password:
    keyfile=keys.p12
    keypass=

    locked.properties file

  3. Save the locked.properties file and exit notepad.

  4. Restart the View server service (Security Server or Connection Server, whichever you are configuring).

    If working from the Security Server:
    C:\>net stop "VMware View Security Server"
    The VMware View Security Server service is stopping..
    The VMware View Security Server service was stopped successfully.

    C:\>net start "VMware View Security Server"
    The VMware View Security Server service is starting.
    The VMware View Security Server service was started successfully.

    If working from the Connection Server:
    C:\>net stop "VMware View Connection Server"
    The VMware View Connection Server service is stopping....
    The VMware View Connection Server service was stopped successfully.

    C:\>net start "VMware View Connection Server"
    The VMware View Connection Server service is starting.
    The VMware View Connection Server service was started successfully.

  5. Using your web browser, navigate to your View Manager server and test out your new certificate!
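As an added check for this final step (example code, not from the article or VMware), a small script that validates locked.properties before the service restart. It also flags a PKCS#12 keyfile without a storetype=pkcs12 line, which a commenter below reports VMware support had them add; the sample file contents are constructed.

```python
"""Sanity-check a View sslgateway locked.properties file (added example, not from the article).
Parses the key=value format the article shows and reports missing or inconsistent
entries. Sample contents are constructed; the storetype check reflects the line a
commenter below reports VMware support adding for a PKCS#12 keystore."""
from pathlib import Path

def parse_properties(text):
    """Parse Java-style key=value lines; '#' and '!' start comments, blank lines are ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_locked_properties(text, conf_dir=None):
    """Return a list of findings; an empty list means the file looks usable."""
    props = parse_properties(text)
    findings = []
    for key in ("keyfile", "keypass"):
        if not props.get(key):
            findings.append(f"{key} is missing or empty")
    keyfile = props.get("keyfile", "")
    if keyfile.lower().endswith(".p12") and props.get("storetype", "").lower() != "pkcs12":
        findings.append("keyfile is a .p12 but storetype=pkcs12 is not set")
    if keyfile and conf_dir is not None and not (Path(conf_dir) / keyfile).is_file():
        findings.append(f"keyfile {keyfile} not found in {conf_dir}")
    return findings

# Constructed samples: the article's two-line file and the fuller version from the comments.
ARTICLE_FILE = "keyfile=keys.p12\nkeypass=MY_PASSWORD\n"
FULL_FILE = """clientHost=viewservername.com
clientPort=443
clientProtocol=https
keyfile=keys.p12
keypass=MY_PASS
storetype=pkcs12
"""
```

Pass the sslgateway\conf directory as conf_dir to confirm the keystore named in keyfile is actually present beside the properties file.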

Comments
anurdh65  - SSL certificate |13/08/2009 05:18:59
Very nice information. My friend bought the SSL certificate from http://www.tucktail.com/ but I don't know whether it is firmware or not.
thirt |22/08/2009 19:41:35
Hi anurdh65,

I'm not sure what you mean by firmware. Can you elaborate a bit more for me?

Thanks,
Tom
Rashid Iqbal  - OWA not working in vmware after configuring the ss |29/06/2010 08:53:01
I installed the SSL certificate for OWA. Before installing the SSL I could access OWA for email, but after installing the SSL certificate and trying to access the email through
https://test.abc.com/exchange.

getting error: the page cannot be displayed.

I am doing all this in VMWare virtual machine.

kindly help me to sort out this issue.

Regards,

Rashid
Siddharth |27/12/2011 10:57:50
Hi,

Somehow I am not able to make this work
Used a go daddy cert and downloaded it as a tomcat server certificate as Vmware support suggests
All steps work fine while importing the certificate

Once security server services are restarted I see the server only listening on http://*:80

Any clues?
MrSanchez |02/03/2012 13:10:38
Hi,

Had a problem with go daddy certs too. What you need to do is convert the PEM certificate (.crt, .cer) to PKCS#7 format as mentioned above. I used the following website www.sslshopper.com to convert. When converting there will be an option for Chain Certificate File, it says optional but had to choose my gd_intermediate.crt.
MrSanchez |02/03/2012 13:29:08
Hi All,

I also had a problem with the locked.properties file. Had to create it in notepad and VMware support had me add the following line:
storetype=pkcs12. So my file ended up looking like this:

clientHost=viewservername.com
clientPort=443
clientProtocol=https
keyfile=keys.p12
keypass=MY_PASS
storetype=pkcs12

Hope it helps someone. Thanks to the people running this website, came in very handy.

Hasta la vista!
GMTX |26/04/2012 15:10:52
Just one thing to add about generating the keystore. If you want more than 1024 bit keys (and these days you do), add the -keysize parameter to the command that generates the store, for example:

keytool -genkey -keyalg "RSA" -keysize 2048 -keystore keys.p12 -storetype pkcs12 -validity 360

Last Updated on Tuesday, 02 June 2009 11:16