Sarah Fortune

VirtualCenter unable to decrypt passwords

Tuesday Feb 03, 2009

There is a long-standing problem in VirtualCenter 2.5 where cloning fails with this error:

 The VirtualCenter server is unable to decrypt passwords stored in the customization specification.

It happens apparently randomly, but can be caused by installing Internet Explorer 7 on the VirtualCenter host. There is an ongoing thread in VMware communities about it: http://communities.vmware.com/thread/54721. There were rumours that the problem was going to be fixed in update 3, but it shows up in update 1, 2 and 3.

One of the solutions is to export the customisation spec, edit it so that the password is stored in plain text, and import it back into VirtualCenter.

If storing the password in plaintext isn't acceptable, replacing the SSL certificate in VirtualCenter can also fix the problem, provided the new certificate uses the password that is hardcoded into VirtualCenter.


Fix the problem by using plain text passwords
  1. Export the customisation spec, and edit the saved XML file.
  2. Locate the password section:
           <password>
              <_type>vim.vm.customization.Password</_type>
              <plainText>false</plainText>          
              <value>MJwe3zWdcKeAfZIBKDwhY6D+mSPBHMadN3oDFZxf3gjaQRZ9s/0IM6gumgiDjAGxGSPMJEbq4uyIZjUI57e3CVhIK7EmpZNgQTjQrV2D6wcmQSyTY5MUbpZXRicBjKVQY0Ln2TVXFe4Rke3R4W98pYwNr+SLy2NPYua5Hbs7vSk=</value>
            </password>
  3. Change the value <plainText>false</plainText> to <plainText>true</plainText>,
    and change <value>MJwe3zWdcKeAfZIB ... etc... </value> to the actual password, e.g. <value>Password01</value>.
    The password section should then look like this:
           <password>
              <_type>vim.vm.customization.Password</_type>
              <plainText>true</plainText>          
              <value>Password01</value>
            </password> 
  4. Import the XML back into VirtualCenter as a new customisation spec.
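
The edit in steps 2 and 3 can be scripted, and the same parser can report which exported specs now carry a clear-text password. This is an added example, not code from the original post; the function names and the `<spec>` wrapper in the sample are assumptions, since the post shows only the `<password>` element.

```python
import xml.etree.ElementTree as ET

PASSWORD_TYPE = "vim.vm.customization.Password"

# Constructed sample: only the <password> element follows the post; the
# <spec> wrapper and the value are placeholders for a real export.
SAMPLE_SPEC = """<spec>
  <password>
    <_type>vim.vm.customization.Password</_type>
    <plainText>false</plainText>
    <value>Q09OU1RSVUNURUQ=</value>
  </password>
</spec>"""


def password_elements(root):
    """Yield every <password> element of the customization password type."""
    for elem in root.iter("password"):
        if (elem.findtext("_type") or "").strip() == PASSWORD_TYPE:
            yield elem


def set_plaintext_password(spec_xml, new_password):
    """Steps 2-3: set plainText to true and replace the encrypted value."""
    root = ET.fromstring(spec_xml)
    changed = 0
    for elem in password_elements(root):
        plain, value = elem.find("plainText"), elem.find("value")
        if plain is None or value is None:
            raise ValueError("password element lacks plainText or value")
        plain.text, value.text = "true", new_password
        changed += 1
    if changed == 0:
        raise ValueError("no customization password found in spec")
    return ET.tostring(root, encoding="unicode")


def count_plaintext_passwords(spec_xml):
    """Audit: number of passwords this export stores in the clear."""
    root = ET.fromstring(spec_xml)
    return sum(
        1 for elem in password_elements(root)
        if (elem.findtext("plainText") or "").strip().lower() == "true"
    )
```

Running `count_plaintext_passwords` over every saved export shows which files need to be kept off shared storage or deleted once they have been imported.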

Fix the problem by replacing the SSL certificate
  1. Follow these instructions to generate and install a new certificate. Be warned, it is a pretty long process and requires you to install software on your VirtualCenter server. http://vmetc.com/2008/07/22/guides-for-replacing-the-virtualcenter-certificate/
  2. One step in the instructions needs to be modified: you have to change the password to the one that VirtualCenter expects. This command:
         openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:vmware -out rui.pfx
    Should be replaced with:
        openssl pkcs12 -export -in rui.crt -inkey rui.key -name rui -passout pass:testpassword -out rui.pfx
  3. After you have replaced the certificate you will have to reconnect the ESX servers in VirtualCenter, and recreate the customisation specs. At this point it is safe to install Internet Explorer 7 on the server.


Sun VDI: How to use virtual machines with multiple network adapters

Thursday Jan 08, 2009

Using virtual machines with more than one network interface can be problematic.  Sun VDI expects RDP to be available on the primary interface. If RDP is actually running on a different interface, then the machine may not be prepared successfully or assigned to users.

The problem arises in determining which exactly is the primary interface. The VMware documentation would lead us to believe that it is the primary interface listed in Windows. But, this is not the case. In fact, the primary interface is determined by the order of the network adapters in VirtualCenter. The network adapter with the highest number, usually the one which was added most recently, is the primary network adapter.

How to change the network of the primary adapter

  1. Edit the virtual machine settings in VirtualCenter.
  2. Select the network adapter with the highest number, e.g. Network Adapter 3.
  3. This is the primary network interface. Change the network label to the appropriate network for RDP.
  4. You may need to adjust the other network adapters so that the virtual machine is assigned to all the correct networks.

[Image: VirtualCenter edit settings]



Setting up SSL and Sun Ray Connector for VMware VDM

Friday Nov 14, 2008


There is a problem with the certificate that comes with the VDM connector. The VDM server's certificate uses a default host name, which won't match the actual host name, so the SSL authentication will fail.
You'll need to generate one with the correct value and import it into the connection broker.

Here's the full set of instructions for using SSL:

1. Using the Windows command prompt, create a new keystore containing a public‐private key pair (filling in the appropriate password and hostname).

%JAVA_HOME%\bin\keytool -genkey -keyalg RSA -keystore keys.p12 -storetype pkcs12 -storepass <keystore_pass> -dname "cn=<hostname>"


To configure the VDM Connection Server to use the new certificate:

1. Place the new certificate file, keys.p12, in the following location on each VDM Connection Server (standard, replica, or security server):

C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf


2. Create or edit the following file on each server:

C:\Program Files\VMware\VMware VDM\Server\sslgateway\conf\locked.properties


3. Add the following properties, using the password from the previous step.

    keyfile=keys.p12
    keypass=<keystore_pass>



4. Restart the VDM service.

    Assuming your environment is configured to use SSL, a message like the following appears in the event log:

13:57:40,676 INFO <Thread-1> (NetHandler) Using SSL certificate store: keys.p12 with password of 6 characters


  This message indicates that the configuration is in use.


(There are more details in the VDM Installation and Administration Guide under 'Installing SSL Certificates')



The new certificate needs to be downloaded from VDM and installed into the keystore on the Sun Ray server.

1. Save the certificate using a web browser.

   Firefox:

    To do this in firefox you need the Cert View Plus extension:

https://addons.mozilla.org/en-US/firefox/addon/1964

    Open the VDM connection broker web interface.
    When you are asked to accept the certificate, choose Examine Certificate and then Export.
    Save the certificate to file.

   Internet Explorer:

     Open the VDM connection broker web interface
     In the security alert, choose View Certificate, open the Details tab, and then Copy to File, and follow the steps in the wizard.

2. Copy the certificate file to the Sun Ray server where the VDM connector is installed.

3. Install the certificate into the keystore for VDM with the following command:

keytool -import -file <VDM_certificate> -trustcacerts -v -keystore /etc/opt/SUNWkio/sessions/vdm/keystore

 
  

   If you previously imported a certificate you will get the message:

'Certificate not imported, alias <mykey> already exists'.

 
  

   It is safe to delete the old keystore and rerun the command.

4. Edit the file:

  /etc/opt/SUNWkio/sessions/vdm/vdm


  Change the following line, using the password from the previous step:

   javaKeyStorePass=<keystore_pass>


5. There is an error in the vdm kiosk session; it can be fixed with the following
    set of commands:

    sed 's/trustStore=$javaKeyStorePass /trustStorePassword=$javaKeyStorePass /' /etc/opt/SUNWkio/sessions/vdm/vdm > /tmp/vdm

    cp /tmp/vdm /etc/opt/SUNWkio/sessions/vdm/vdm


6. Restart any existing VDM connector kiosk sessions.

The VDM connector should now be able to correctly authenticate SSL connections to the VDM server.
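
The substitution from step 5 can also be applied without the intermediate `/tmp/vdm` copy, which on a multi-user Sun Ray server sits under a fixed name in a world-writable directory. This is an added example, not code from the original post; the function names and the sample line are assumptions, and it assumes the script is owned by the user running the fix.

```python
import os
import tempfile

OLD = "trustStore=$javaKeyStorePass "
NEW = "trustStorePassword=$javaKeyStorePass "

# Constructed sample line; only the OLD fragment comes from the post.
SAMPLE_LINE = 'opts="-Djavax.net.ssl.trustStore=$javaKeyStorePass "\n'


def fix_truststore_option(text):
    """Return (patched_text, lines_changed); the first match on each line
    is replaced, as the sed expression without a g flag does."""
    out, count = [], 0
    for line in text.splitlines(keepends=True):
        if OLD in line:
            line = line.replace(OLD, NEW, 1)
            count += 1
        out.append(line)
    return "".join(out), count


def patch_session_script(path):
    """Patch the script in place; return the number of lines changed."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    patched, count = fix_truststore_option(original)
    if count == 0:
        return 0  # already fixed or option absent: leave the file alone
    directory = os.path.dirname(os.path.abspath(path))
    # mkstemp creates an unpredictably named 0600 file next to the target,
    # so nothing is written under a fixed name in /tmp.
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".vdm.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(patched)
        os.chmod(tmp, os.stat(path).st_mode & 0o7777)  # keep the script's mode
        os.replace(tmp, path)  # atomic rename within one filesystem
    except BaseException:
        os.unlink(tmp)
        raise
    return count
```

Because the replacement text no longer contains the old option, running `patch_session_script` a second time changes nothing and returns 0.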

