VMware View 5.1 and SSL Certificate Replacement

The procedure to replace SSL certificates has changed in the recently released VMware View 5.1 and differs from 5.0 and earlier versions. The main difference is that the native Windows certificate store is used. It is also now necessary to replace, or at least verify, the self-signed certificates; otherwise the View infrastructure will not work properly.
Which servers need their certificates replaced? View Connection Managers, Security servers and View Composer. The vCenter certificate must also be replaced or validated.
Although the certificate replacement procedure is described in the manual, the description is very brief and it took me some time to figure it out. I also found an existing blog post which takes a different angle here: http://my-virt.alfadir.net/2012/05/generate-view-5-1-certificat/.

The Setup

My lab configuration is as follows. View Composer is installed together with vCenter. I have two View Connection Managers; one for internal connections and one for external internet connections. I do not use a Security server as I use port forwarding to the external View Connection Manager. All servers are in a domain with an Enterprise CA which uses a self-signed certificate.

View Composer Certificate

My View Composer server coexists with vCenter so I did not need to generate a new certificate. I just imported the vCenter certificate from C:\ProgramData\VMware\VMware VirtualCenter\SSL into the local Windows certificate (Personal) store via the MMC Certificates Snap-in.

Select the .pfx file which contains both the private key and the certificate.

Now we have to stop the View Composer process and run the SviConfig command to replace the certificate:

C:\Program Files (x86)\VMware\VMware View Composer>SviConfig.exe -operation=replacecertificate -delete=false
and select the new certificate.

Start the View Composer process again and check the status in the View Administrator.

View Connection Servers

Here we have to generate the certificates. To do this I am again using the Certificates Snap-in. However, prior to that I needed to give both of my Connection Servers access to the Web Server certificate template.
On the CA, open the Certificate Templates Management Console Snap-in and open the properties of the Web Server certificate template.

Open the Security tab, add both View Connection computers and give them read, write and enroll permissions.

Now we can go to the Certificates Snap-in on each Connection Server, right click, select All Tasks and then Request New Certificate.

Select Active Directory Enrollment Policy and Web Server certificate template.

Now we have to add FQDN and additional info to the certificate. Click the More information is required … link.
Type in the Common name (FQDN), Country, Locality, Organization and any other info that will be visible inside the certificate. If your Connection server uses different internal (viewcs2.fojta.com) and public (public.url.com) Fully Qualified Domain Names add both and do the same for the Type: DNS field. The end result should look like this:

And do not forget to make the private key exportable in the Private Key tab / Key options.

Click Enroll and finish.
Now we should see the newly created certificate. The last thing we need to do is to change the certificate Friendly Name to vdm. This can be done in the certificate properties. We also have to rename the original certificate (vdm.old).

Once this is done we can restart the View services.
Repeat for all other View Connection servers and check the result in the View Administrator.
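
A quick way to confirm the result of the steps above on each Connection Server, as an added example that is not part of the original post or of VMware's tooling. The function name Test-ViewCertificate is made up for illustration, the default DNS names are the sample names used above, and the SAN match assumes Windows renders each entry as `DNS Name=<fqdn>`.

```powershell
# Added example: sanity-check the certificate prepared for a View Connection Server.
function Test-ViewCertificate {
    param(
        # FQDNs that clients use; defaults are the sample names from this post.
        [string[]]$ExpectedDnsNames = @('viewcs2.fojta.com', 'public.url.com')
    )
    $findings = @()
    # The procedure sets the Friendly Name to vdm and renames the old certificate,
    # so exactly one match is expected in the machine Personal store.
    $candidates = @(Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'vdm' })
    if ($candidates.Count -ne 1) {
        return "Expected exactly one certificate named 'vdm', found $($candidates.Count)"
    }
    $cert = $candidates[0]

    if (-not $cert.HasPrivateKey) {
        $findings += 'Certificate has no associated private key'
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $findings += "Outside validity period: $($cert.NotBefore) to $($cert.NotAfter)"
    }

    # Subject Alternative Name extension (OID 2.5.29.17) carries the DNS entries.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    foreach ($name in $ExpectedDnsNames) {
        if ($sanText -notmatch "=$([regex]::Escape($name))(,|\s|$)") {
            $findings += "DNS name missing from certificate: $name"
        }
    }

    # Chain must build to a root this machine trusts (revocation is not checked here).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $findings += 'Chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    if ($findings.Count -eq 0) { 'OK: vdm certificate looks usable' } else { $findings }
}

Test-ViewCertificate
```

Run it in an elevated PowerShell session on each Connection Server, passing that server's own names with -ExpectedDnsNames.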

View Clients

As I said at the beginning, my CA uses a self-signed certificate, so I have to make sure all the non-domain PCs I use to connect to my View desktops have imported the CA Root certificate into the Trusted Root Certification Authorities store.

VCA4-DT Exam Experience

This is another blog post from the series of my certification preparation and exam experiences. This time it is about VMware Certified Associate 4 – Desktop (VCA4-DT or VCA410-DT) certification.

Although my goal is to get VCAP-DCA certification before vSphere 5 comes out, after getting the VCAP-DCD I decided to take two other (I thought easier) certifications that would demonstrate my broader IT knowledge. The first was ITIL V3 Foundation which was really easy and took me just a week to prepare by reading the HP course textbook. The other one was VCA4-DT certification which I took today.

The certification has no prerequisites and is the entry-level VMware View certification leading to VCP4-DT and VCAP4-DT (not available yet). As can be read from the exam blueprint, its goal is to test skills and abilities in monitoring and managing a View 4.x environment. I am more of a design guy than an administrator so I knew I had to get more hands-on View experience.

My preparation strategy was:

  • Create a test lab environment. I created a full-scale environment in my home lab with two connection servers (local and WAN access), View Composer and transfer server. Packaged a few ThinApp applications and created a Win XP IO optimized image. I had to uninstall VMware Workstation from my PC as it is not compatible with the View Local mode client. I also dedicated a LUN for linked clones to speed up provisioning.
  • I took the VMware View: Fundamentals [V4.5] e-learning course from the VMware Partner University. It takes about 6 hours to complete.
  • Read the VMware View Architecture Planning Guide (about 70 pages)
  • Read some chapters from the VMware View Administration Guide (350 pages)
  • Followed the objectives from the exam blueprint
  • Took the mock VCA-DT and VCP-DT exams
  • All that took me about one and a half weeks

The Exam

The exam contains 70 multiple choice questions. It took me about 1 hour to go through them. What I did not like was that many of the questions asked about specific GUI items, the sequence of the GUI steps or what options are in the GUI. You either have to have a photographic memory or be using the View Admin and View Client interfaces daily. Then there were some troubleshooting questions, log collection, and a few local mode and architecture questions. ThinApp was covered quite a lot, as, obviously, was desktop provisioning. Only a few questions are situational. All the blueprint objectives were covered pretty thoroughly so do not skip any topic.

I thought I should have read all the chapters of the View Administration Guide including the command line tools and obviously spent more time with the View interfaces.

My final score was a pass with 433 out of 500.

VMware View Administrator Login Problem

VMware is slowly changing the way all its products are administered. Thick clients represented by the VMware vSphere Client are being replaced by rich web-based GUIs with Adobe Flash or Air plugins. For example, the VMware View Administrator interface requires Internet Explorer 7/8 or Firefox 3.0 or 3.5 with Adobe Flash Player 10. With this supported combination I opened the admin page at the View Connection server and was greeted by this:

However, after entering the username and password and clicking the Login button nothing happened. No error message that would help me was displayed. I tried all supported browsers, reinstalled Flash Player, searched the VMware Knowledge Base and still nothing. Then I found the fix:

Right click the login dialog. As this is a Flash object you will see the Adobe Flash Player context menu. Select Settings, click the third icon called Local Storage, uncheck the Never Ask Again checkbox and move the slider to the right.

I hope this will save time to other people having the same problem as me.