Setting up SSL and Sun Ray Connector for VMware VDM
Friday Nov 14, 2008
There is a problem with the certificate that comes with the VDM connector. The VDM server's certificate uses a
default host name, which won't match the actual host name, so the SSL authentication will fail.
You'll need to generate one with the correct value and import it into the
connection broker.
Here's the full set of instructions for using SSL:
1. Using the Windows command prompt, create a new keystore containing a
public-private key pair (filling in the appropriate password and hostname).
%JAVA_HOME%\bin\keytool -genkey -keyalg RSA -keystore keys.p12 -storetype pkcs12 -storepass <keystore_pass> -dname "cn=<hostname>"
To configure the VDM Connection Server to use the new certificate:
1. Place the new certificate file, keys.p12, in the following location on each VDM Connection Server (standard, replica, or security server):
C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf
2. Create or edit the following file on each server:
C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\locked.properties
3. Add the following properties, using the password from the previous step.
keyfile=keys.p12
keypass=<keystore_pass>
4. Restart the VDM service.
Assuming your environment is configured to use SSL, a message like the following appears in the event log:
13:57:40,676 INFO <Thread-1> (NetHandler) Using SSL certificate store: keys.p12 with password of 6 characters
This message indicates that the configuration is in use.
(There are more details in the VDM Installation and Administration Guide under
'Installing SSL Certificates')
The new certificate needs to be downloaded from VDM and installed into the
keystore on the Sun Ray server.
1. Save the certificate using a web browser.
Firefox:
To do this in Firefox you need the Cert View Plus extension:
https://addons.mozilla.org/en-US/firefox/addon/1964
Open the VDM connection broker web interface.
When you are asked to accept the
certificate, choose Examine Certificate and then Export.
Save the certificate to file.
Internet Explorer:
Open the VDM connection broker web interface.
In the security alert, choose View Certificate, open the Details tab, and then Copy to File, and follow
the steps in the wizard.
2. Copy the certificate file to the Sun Ray server where the VDM connector is
installed.
3. Install the certificate into the keystore for VDM with the following command:
keytool -import -file <VDM_certificate> -trustcacerts -v -keystore /etc/opt/SUNWkio/sessions/vdm/keystore
If you previously imported a certificate you will get the message:
'Certificate not imported, alias <mykey> already exists'.
It is safe to delete the old keystore and rerun the command.
4. Edit the file:
/etc/opt/SUNWkio/sessions/vdm/vdm
Change the following line, using the password from the previous step:
javaKeyStorePass=<keystore_pass>
5. There is an error in the vdm kiosk session. It can be fixed with the following
set of commands:
sed 's/trustStore=$javaKeyStorePass /trustStorePassword=$javaKeyStorePass /' /etc/opt/SUNWkio/sessions/vdm/vdm > /tmp/vdm
cp /tmp/vdm /etc/opt/SUNWkio/sessions/vdm/vdm
6. Restart any existing VDM connector kiosk sessions.
The VDM connector should now be able to correctly authenticate SSL
connections to the VDM server.
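The step 5 fix above, as an added example that is not part of the original post: the same sed substitution wrapped so that it keeps a backup, avoids a fixed file name in /tmp, and can be re-run without harm. The function name fix_vdm_script, the .orig backup suffix and the sample script line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: step 5's trustStore -> trustStorePassword fix with a backup,
# no predictable /tmp file, and safe to re-run.
# fix_vdm_script FILE (hypothetical helper name)
#   returns 0 = fixed now, 1 = already fixed, 2 = error or pattern not found
fix_vdm_script() {
    script=$1
    [ -f "$script" ] || { echo "no such file: $script" >&2; return 2; }

    # '\$' keeps the dollar literal: we match the text "$javaKeyStorePass"
    # as it appears in the script, not the value of a shell variable.
    if ! grep 'trustStore=\$javaKeyStorePass ' "$script" >/dev/null; then
        if grep 'trustStorePassword=\$javaKeyStorePass ' "$script" >/dev/null; then
            return 1
        fi
        echo "expected pattern not found in $script" >&2
        return 2
    fi

    # Unpredictable temp file beside the script rather than a fixed name in
    # world-writable /tmp, where another local user could pre-create it.
    tmp=$(mktemp "$script.XXXXXX") || return 2
    if ! sed 's/trustStore=\$javaKeyStorePass /trustStorePassword=\$javaKeyStorePass /' \
            "$script" > "$tmp"; then
        rm -f "$tmp"; return 2
    fi
    cp -p "$script" "$script.orig" || { rm -f "$tmp"; return 2; }
    # Write back in place so the script keeps its owner and mode.
    cat "$tmp" > "$script"; rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return 2
    return 0
}

# Demo on a constructed line; the real vdm script's contents may differ and
# $javaKeyStore is an assumed variable name.
demo() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'java -Djavax.net.ssl.trustStore=$javaKeyStore -Djavax.net.ssl.trustStore=$javaKeyStorePass -jar vdm.jar' > "$dir/vdm"
    fix_vdm_script "$dir/vdm"; echo "first run returned $?"
    fix_vdm_script "$dir/vdm"; echo "second run returned $?"
    cat "$dir/vdm"
    rm -rf "$dir"
}
demo
```

On the Sun Ray server the function would be called as root with /etc/opt/SUNWkio/sessions/vdm/vdm as its argument; the untouched original stays beside it as vdm.orig.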
Tags: srvc ssl sunray vdm virtualization vmware