Symptom: When you click on the Log Browser link from the vSphere Web Client, you receive the following error:
faultCode:Server.Processing faultString:'javax.servlet.ServletException : java.lang.Exception: https://MYVCENTER.MYDOMAIN.local:12443/vmwb/logbrowser: Unauthorized access ' faultDetail:'null'
Resolution: You need to replace the SSL certificate for the Log Browser service with a valid one. Assuming you have applied a valid certificate on your SSO instance, Web Client, and have done the necessary steps to generate the rui.pfx, rui.key, and rui.crt files, here are the steps to apply the certificate:
- Stop the VMware Log Browser service
- Navigate to C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf via Windows Explorer
- Backup the rui.crt, rui.key, rui.pfx to your Desktop (or some other folder incase we have to roll-back)
- Replace the rui.crt, rui.key, rui.pfx files with the ones you have created.
- Next, we need to create a new java keystore with the chain trust for our certificate
- Open up an elevated command prompt
- Change directories to the VMware JRE
- cd /d C:\Program Files\VMware\Infrastructure\jre\bin
- Generate the new keystore (Do not change the testpassword or changeit password) (Change the Paths to point to your pfx certificate and the destination path to output the java Keystore)
- keytool -v -importkeystore -srckeystore C:\PATHTOYOURSSOCERTPFXFILE\rui.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore C:\OUTPUTPATHYOUKNOWMAYBEYOURDESKTOP\rui.jks -deststoretype JKS -deststorepass changeit -destkeypass changeit
- Copy the C:\OUTPUTPATHYOUKNOWMAYBEYOURDESKTOP\rui.jks to:
- C:\Program Files\VMware\Infrastructure\SSOServer\Security\
- Login to your vSphere Web Client with the [email protected] account
- Navigate to Administration > Sign-On and Discovery > Configuration
- Click on the STS Certificate tab and the click Edit
- Select the rui.jks file from C:\Program Files\VMware\Infrastructure\SSOServer\Security\
- When prompted for a keystore password enter changeit
- Click on the rui line to highlight it, then click OK
- Enter changeit again for the password
- Acknowledge the dialog box that says you need to restart the server in order for the changes to take effect.
- Note, if you receive the following error below, that means you have not fully established a certificate trust. If you have an intermediate certificate, you will need to put all of those certificates inside of your pfx file (see my notes at the end).
The last operation failed for the entity with the following error message.An error ocurred while updating server configuration
- Reboot your server
- Log back into your vSphere Web Client
- Click on the Log Browser link and verify the error has been resolved
----Notes for people with tiered PKI environments----
If you have intermediate certificates, when you generate the pfx file you HAVE to import the entire chain into the pfx, otherwise the certificate will not be imported when using the vSphere Web Client. To include the chain in your pfx file, use the following command:
openssl.exe pkcs12 -export -in C:\PATHTOMYSSOCERT\rui.crt -inkey C:\PATHTOMYSSOPRIVATEKEY\rui.key -name "rui" -chain -CAfile C:\PATHTOCACHAIN\certs.pem -passout pass:testpassword -out C:\PATHTOOUTPUTPFXFILE\rui.pfx
Notice the certs.pem file I have created. This includes the public keys from each intermediate cert, and then followed by the root certificate. I.e. Your file will look something like this:
Where the first BEGIN CERTIFICATE would be your intermediate certificate, and the second certificate your root certificate. If you have multiple intermediate certificates, always put them before the root. The root certificate should be the last in the pem file.
The official VMware KB article on how to do this can be found here (note, it does not cover the pfx file creation for tiered PKI environments): http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2037927