How to set up SRVDM and VMware View SSL
By user12609114 on Jan 07, 2009
This entry assumes that you have a working non-SSL SRVDM View environment. If you don't, check out this entry on how to get one.
The SSL certificate that comes with the default install of View is not a valid one. You will get hostname mismatch errors if you use the VMware clients, and you will not be able to connect through the Sun Ray client. To get the Sun Ray connector for VMware View to connect, we need to either move a valid certificate into place or create a self-signed one. The steps below can be found in the View documentation.
First, let's create a self-signed certificate. If you already have a signed certificate, skip this step. On your VMware View server, start a command prompt and switch to the following directory:
C:\Program Files\VMware\VMware View\Server\jre\bin>
Once there, execute the following command:
keytool -genkey -keyalg "RSA" -keystore keys.p12 -storetype pkcs12 -validity 360
You will be asked a series of questions which will be used to create your certificate. Make sure you remember the password you set! Also, the first question, which asks for your name, is somewhat misleading. It needs to be the name of the server.
We need to move the certificate we created, keys.p12, from C:\Program Files\VMware\VMware View\Server\jre\bin to C:\Program Files\VMware\View Manager\Server\sslgateway\conf.
Next we need to create the file C:\Program Files\VMware\View Manager\Server\sslgateway\conf\locked.properties and insert the following 2 lines into it:
Where secret is the password you used to create the certificate above.
Restart the VMware View Connection Server.
In the View admin site, in the event log, you should see a line about using the keys.p12 file.
Now when you go back to your View site through the web interface, you should be able to connect without getting name errors. Note that you will still get an error about a self-signed cert, but that is the only one you should get now.
Install the certificate on Sun Ray Servers:
The readme that comes with the SRVDM provides us a command on how to import the certificate into SRVDM. That is all well and good, if we have the certificate! When you go to the View admin site, you needed to add a security exception because it is a self-signed certificate. If you have a non-self-signed certificate, Firefox will automatically store the certificate for you. In either case, the following steps using Firefox can be used to get the certificate.
We can use Firefox to export the certificate. The challenge is that since we are using a self-signed certificate, you can only do it while you are adding the security exception. In Firefox, go to Preferences. Click on the Advanced tab, then Encryption, then View Certificates.
You should see your certificate, but notice the Export button is grayed out.
We need to click on Delete and start the process over to get our cert. Once the certificate is deleted, return to the View admin site. You will get the cert error again; click on Add Exception. Click on Get Certificate, and before clicking on Confirm Exception, click on the View button.
Next we need to click on the Details tab and then Export.
Name the cert and save it someplace appropriate. Close out the windows and confirm the security exception to get back into the View website.
Now that we have the cert in hand, we can import it into our Sun Ray servers. First you need to copy (scp) the cert we just saved to the Sun Ray server. Once there, we need to run the following command, changing VDM certificate to the file name you gave the cert during the export above. Also make sure to note the password you use.
#keytool -import -file <VDM certificate> -trustcacerts -v -keystore /etc/opt/SUNWkio/sessions/vdm/keystore
Next we need to edit /etc/opt/SUNWkio/sessions/vdm/vdm and insert the password.
Line 17 has the word javaKeyStorePass; we need to add the password we set in the step above into the file.
NOTE! There is a typo that will prevent things from working. You must correct the typo with the following 2 commands:
#sed 's/trustStore=$javaKeyStorePass /trustStorePassword=$javaKeyStorePass /' /etc/opt/SUNWkio/sessions/vdm/vdm > /tmp/vdm
#cp /tmp/vdm /etc/opt/SUNWkio/sessions/vdm/vdm
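The same correction as a function that keeps a rollback copy and verifies the result before replacing the script, instead of passing through a fixed file name in /tmp (an added example, not part of the original entry or the SRVDM distribution). The sample line and the javaKeyStore variable name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the SRVDM distribution): apply the
# trustStore -> trustStorePassword correction with a rollback copy and a
# verification step, without going through a fixed file name in /tmp.
TYPO='trustStore=$javaKeyStorePass '
FIXED='trustStorePassword=$javaKeyStorePass '

# Return status: 0 patched, 2 already correct, 1 error.
fix_truststore_typo() {
    file=$1
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    if ! grep -F -q -e "$TYPO" "$file"; then
        grep -F -q -e "$FIXED" "$file" && { echo "already correct: $file"; return 2; }
        echo "option not found in $file" >&2
        return 1
    fi
    # Unpredictable temp file beside the target instead of /tmp/vdm.
    tmp=$(mktemp "$file.XXXXXX") || return 1
    sed 's/trustStore=[$]javaKeyStorePass /trustStorePassword=$javaKeyStorePass /' \
        "$file" > "$tmp"
    # Check the result before touching the original.
    if grep -F -q -e "$TYPO" "$tmp" || ! grep -F -q -e "$FIXED" "$tmp"; then
        rm -f "$tmp"
        echo "verification failed, $file left unchanged" >&2
        return 1
    fi
    # Keep a rollback copy, then overwrite in place so owner and mode are kept.
    cp -p "$file" "$file.orig" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && echo "patched: $file (backup: $file.orig)"
    return "$rc"
}

# Constructed sample of the affected line; the other option on it and the
# javaKeyStore variable name are assumptions, not copied from the real script.
make_sample() {
    printf '%s\n' 'javaKeyStorePass=secret' \
        'opts="-Djavax.net.ssl.trustStore=$javaKeyStore -Djavax.net.ssl.trustStore=$javaKeyStorePass "' > "$1"
}

# With a path argument, patch that file; with none, run on the sample.
if [ "$#" -gt 0 ]; then
    fix_truststore_typo "$1"
else
    d=$(mktemp -d) && make_sample "$d/vdm" && fix_truststore_typo "$d/vdm"
    cat "$d/vdm"; rm -rf "$d"
fi
```

On the Sun Ray server this would be run as root with /etc/opt/SUNWkio/sessions/vdm/vdm as the argument. The .orig copy contains the keystore password too, which is why it is made with cp -p.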
We need to restart the kiosk sessions on the Sun Ray server. Since this is a POC server and we have made lots of changes, I suggest doing a cold restart.
# /opt/SUNWut/sbin/utrestart -c
When the Sun Rays come back up, you should receive the View login and be good to go.
If things are not working for you, one of my colleagues wrote a great blog entry about how to debug things, which can be found here.
My same colleague also wrote an entry about how to get the certificate working in VDM versions prior to View, which can be found here. Note that the typo directions above are from this entry.