Subscribe RSS Feed | Follow on Twitter

SSL certificates in VMware View environments

with one comment

An SSL certificate could be described as a data container that includes the identity of a computer, the public key and the digital signature of the publisher of the certificate. Certificates are used to confirm the authenticity of a website, or the the public key contained can be used to encrypt the connection between a client and a server.

Making no further action the View Server is using a self-signed certificate. When you open the website of the View Server it gives you a security warning back that states that the certificate comes from an untrusted source.

To use your own certificates that have been signed from a trusted Certification Authority (CA), you can use the keytool that comes with the view installation on the Connection Server. With this tool, you create a trust store on the View Server, where your certificates  can be integrated. Request a certificate from an authorized CA. This may be the CA of your company, or a third party such as thawte, VeriSign and GlobalSign. It is also possible to integrate already-signed certificates for your server. In the next section, you can read the entire process for requesting a certificate from the Microsoft Certification Authority. For certificates from other parties, please refer to their documentation.

Certificates are only used by Connection Servers which are having direct connections with the clients. If you are using the Security Server for connections the certificate is needed only by this server.

Companies that use the Active Directory as their directory service, also often use  the Microsoft Certification Authority for their security certificates. The following example explains the steps needed to apply for a certificate and then to integrate this in a VMware View Server. First, you must apply for a certificate from the CA. Use the Microsoft Internet Explorer on the View Server because only with this browser the  import and export of the certificate works without problems. "Open the Internet Explorer and type the correct address of your certification server in the address bar." This should be <certificatesrevername.fqdn> /certsrv/. Replace the wildcard certificate server name with the computer name of the appropriate server and fqdn with the fully qualified DNS domain name. Apply for a certificate on the website and mark it as exportable. After the newly requested certificate has been approved you revisit the site with Microsoft Internet Explorer and install the issued certificate. The certificate will be stored in the local certificate store now and you can export it in a file from there. In Internet Explorer perform the following action. »Click on the Tools menu and select Internet Options." This will open a window where you can change the properties and options of your Internet Explorer. »Select content from the tab and then click the button labeled Certificates. In the following dialog you have to select the certificate of your server and then export it to a directory on your hard disk. It is important that you export the certificate with the private key in the PFX file format. Name the certificate i.e. as server.pfx. After that you’ve to export the certificate for the CA of your company in the file format X509.

After a successful export of both security certificates, the trust store can be created. You have to use the keytool application. To use the application you should first adjust the environment variables on your computer so that the keytool can run without using long file paths. Open a Windows command line on the View server and type the following command:

set PATH =% PATH%,% Program Files% VMware \ VMware View \ Server \ jre \ bin \

Then switch the command prompt to the  directory where you’ve saved the certificates. Using the exported CA certificate in the keytool you’ll now generate the truststore. Replace <ca-alias name> by the name of the Certification Authority and <ca-certificate name.ce> by the real name of the CA certificate.

keytool-import-alias-file <ca-alias name> <ca-certificate name.ce>-keystore truststore

The newly created trust store and the PFX certificate must be copied to the subdirectory \sslgateway\conf in the program directory of the VMware Server View. If there is no file named locked.properties in the directory you’ve to create it as normal text file with Notepad. Otherwise, you open the existing file and modify it with the following parameters.

keyfile = server.pfx

keypass = <secret>

trustKeyfile = truststore

truststore type = JKS

useCertAuth = true

Please ensure that you’ve the correct password for the certificate in the keypass parameter. Afterwards the View Connection Server service must be restarted. This can be done via the Windows Services Manager. Check the Windows Event Log and the View server log files under c: \documents and settings\all users\application data\ vdm\logs for errors. If the View Connection Server service is not strating, there might be an issue with the certificate or password.

Similar Posts:

Written by Christoph Harding

May 15th, 2011 at 1:37 pm

Posted in VMware View

Tagged with , , , ,

  • Alan Wright

    Not valid in 5.1 thay have now changed this to use the MS certification store not Java