Tag Archives: VMWare

vCenter 5.1 - vSphere Web Client - Log Browser - Unauthorized access ' faultDetail:'null' Error

Symptom: When you click on the Log Browser link from the vSphere Web Client, you receive the following error:

faultCode:Server.Processing faultString:'javax.servlet.ServletException : java.lang.Exception: https://MYVCENTER.MYDOMAIN.local:12443/vmwb/logbrowser: Unauthorized access ' faultDetail:'null'

Resolution: You need to replace the SSL certificate for the Log Browser service with a valid one. Assuming you have applied a valid certificate on your SSO instance, Web Client, and have done the necessary steps to generate the rui.pfx, rui.key, and rui.crt files, here are the steps to apply the certificate:

  1. Stop the VMware Log Browser service
  2. Navigate to C:\Program Files\VMware\Infrastructure\vSphereWebClient\logbrowser\conf via Windows Explorer
  3. Back up the rui.crt, rui.key, and rui.pfx files to your Desktop (or some other folder, in case we have to roll back)
  4. Replace the rui.crt, rui.key, rui.pfx files with the ones you have created.
  5. Next, we need to create a new java keystore with the chain trust for our certificate
    1. Open up an elevated command prompt
    2. Change directories to the VMware JRE
      1. cd /d C:\Program Files\VMware\Infrastructure\jre\bin
    3. Generate the new keystore. Do not change the testpassword or changeit passwords. Change the paths to point to your pfx certificate and to the destination where the Java keystore should be written.
      1. keytool -v -importkeystore -srckeystore C:\PATHTOYOURSSOCERTPFXFILE\rui.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore C:\OUTPUTPATHYOUKNOWMAYBEYOURDESKTOP\rui.jks -deststoretype JKS -deststorepass changeit -destkeypass changeit
    4. Copy the C:\OUTPUTPATHYOUKNOWMAYBEYOURDESKTOP\rui.jks to:
      1.  C:\Program Files\VMware\Infrastructure\SSOServer\Security\
    5. Login to your vSphere Web Client with the admin@System-domain account
    6. Navigate to Administration > Sign-On and Discovery > Configuration
    7. Click on the STS Certificate tab and then click Edit
    8. Select the rui.jks file from C:\Program Files\VMware\Infrastructure\SSOServer\Security\
    9. When prompted for a keystore password enter changeit
    10. Click on the rui line to highlight it, then click OK
    11. Enter changeit again for the password
    12. Acknowledge the dialog box that says you need to restart the server in order for the changes to take effect.
      1. Note, if you receive the following error below, that means you have not fully established a certificate trust.  If you have an intermediate certificate, you will need to put all of those certificates inside of your pfx file (see my notes at the end).
        1. The last operation failed for the entity with the following error message.An error ocurred while updating server configuration

    13. Reboot your server
  6. Log back into your vSphere Web Client
  7.  Click on the Log Browser link and verify the error has been resolved

----Notes for people with tiered PKI environments----
If you have intermediate certificates, when you generate the pfx file you HAVE to import the entire chain into the pfx, otherwise the certificate will not be imported when using the vSphere Web Client.  To include the chain in your pfx file, use the following command:

openssl.exe pkcs12 -export -in C:\PATHTOMYSSOCERT\rui.crt -inkey C:\PATHTOMYSSOPRIVATEKEY\rui.key -name "rui" -chain -CAfile C:\PATHTOCACHAIN\certs.pem -passout pass:testpassword -out C:\PATHTOOUTPUTPFXFILE\rui.pfx

Notice the certs.pem file I have created.  It contains the public certificate of each intermediate CA, followed by the root certificate.  Your file will look something like this:

-----BEGIN CERTIFICATE-----
INTERMEDIATECERTIFICATEBASE64STUFFHERE.crt
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ROOTCERTIFICATEBASE64STUFFHERE.crt
-----END CERTIFICATE-----

Where the first BEGIN CERTIFICATE would be your intermediate certificate, and the second certificate your root certificate.  If you have multiple intermediate certificates, always put them before the root.  The root certificate should be the last in the pem file.
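A pre-flight check for the chain file described above, as an added example (it is not from the original post or from VMware). It reads certs.pem and rui.crt, confirms that the root is last, and confirms that every issuer is present in the file; the function names are hypothetical, names are compared byte-for-byte, and signatures are not verified.

```python
# Added example: sanity-check certs.pem before building rui.pfx.
import base64
import re
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_subject(der):
    """Raw DER issuer and subject Names of one X.509 certificate."""
    _, pos, _ = _tlv(der, 0)               # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)             # TBSCertificate SEQUENCE
    fields = []
    while len(fields) < 5:                 # serial, sigAlg, issuer, validity, subject
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:                    # skip the optional [0] version
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def load_pem(text):
    # One (issuer, subject) pair per PEM block, in file order.
    return [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(text)]

def check_ca_file(ca_pem, leaf_pem):
    """Return a list of problems with certs.pem for the given rui.crt."""
    cas, leaf = load_pem(ca_pem), load_pem(leaf_pem)
    if not cas or not leaf:
        return ["no certificate found in one of the inputs"]
    problems = []
    subjects = {subject for _, subject in cas}
    for i, (issuer, subject) in enumerate(cas[:-1], 1):
        if issuer == subject:
            problems.append(f"certificate {i} is self-signed (a root) but is not last")
    if cas[-1][0] != cas[-1][1]:
        problems.append("last certificate is not a self-signed root")
    links = [("rui.crt", leaf[0])] + [
        (f"certificate {i}", c) for i, c in enumerate(cas, 1)]
    for label, (issuer, _) in links:
        if issuer not in subjects:         # missing link: trust cannot be established
            problems.append(f"issuer of {label} is missing from the chain file")
    return problems

if __name__ == "__main__":                 # usage: script.py certs.pem rui.crt
    with open(sys.argv[1]) as ca, open(sys.argv[2]) as leaf:
        issues = check_ca_file(ca.read(), leaf.read())
    print("\n".join(issues) or "chain file looks complete")
```

An empty result means the file matches the layout described above; any message points at the certificate that would leave the trust chain incomplete.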

The official VMware KB article on how to do this can be found here (note, it does not cover the pfx file creation for tiered PKI environments): http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2037927

VMware vCenter 5.1 - Prepend domain name

After upgrading from vCenter 5.0 to 5.1 (and installing the new Single Sign-On service), you may have noticed that you now have to use the DOMAIN\Username format when logging into your vCenter instance. Personally, I find this very aggravating; luckily, there is an easy way to have vCenter just figure out what domain you are on.

In order to get this job done, this guide assumes you have the vCenter Web Client installed (I don't believe this can be done from the vSphere Client for Windows -- if there is a way, please leave a comment below with the instructions, so I can add them here).

  1. Navigate to your vCenter Web Client
  2. Login using your admin@System-Domain account
  3. On the left side, click on Administration
  4. Underneath Sign-On and Discovery, click on Configuration
  5. Click on the Add Identity button underneath the identity sources tab (it looks like a green + sign).
  6. Enter in your domain info if it isn't already there, test the connection, and click OK.
  7. Select your domain from the Identity Sources list and click on the Add to default domains button (Looks like a globe with an arrow on it)
  8. Click the Save button in the Default Domains list below the Identity Sources list.

That should do it.  Try logging in without the domain appended and it should be good to go 🙂

How do I install vCenter 5.1

Check out Derek Seaman's multi-step blog post. It is the most up-to-date guide with tons of information to get you going. It also refers to many of the installation issues that were found in previous versions of vCenter. As I write this, the blog has already begun making notes for 5.1a instead of 5.1 GA. At this time, 5.1B is out (which I would recommend you install), but you should be able to get through the installation just fine.

http://derek858.blogspot.com/2012/09/vmware-vcenter-51-installation-part-1.html

And as a reference, I would recommend looking over the release notes for 5.1.  There is a plethora of info you may want to know as a heads up, prior to the installation.

https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-510b-release-notes.html

https://www.vmware.com/support/vsphere5/doc/vsphere-vcenter-server-510a-release-notes.html

 

Good luck!

How to export a VM from Amazon EC2 to VMware On-Premise

Here are the instructions on how to communicate with Amazon's API to export a VM from Amazon EC2 to a VMware image that gets put into S3 storage.  From that point, you can simply download the VMware image and import it into your VMware environment.

0. Open up a command prompt

1. Setup your java path (you can use JRE or JDK):
set "JAVA_HOME=C:\Program Files\Java\jre6"

2. Verify your version with this command (you should see the java version number):
"%JAVA_HOME%\bin\java" -version

3. Add the bin directory that contains the java executable to your path before other versions of java
set "PATH=%JAVA_HOME%\bin;%PATH%"

4. Verify you can see the java version by executing the following command:
java -version

5. Set the EC2_HOME path
SET EC2_HOME=c:\ec2-api-tools-1.6.5.4

6. Verify the ec2_home using
dir %EC2_HOME%

7. Update the path
set "PATH=%PATH%;%EC2_HOME%\bin"

8. Setup access key environment variables
set AWS_ACCESS_KEY=XXXXXXXXXXXXXXXXXX
set AWS_SECRET_KEY=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

9. Verify the tools setup -- if setup correctly, we should be able to view our available regions.
ec2-describe-regions

10. Execute the following command:
ec2-create-instance-export-task i-EC2INSTANCENAME -e VMware -f VMDK -c ova -b S3STORAGEBUCKET

Once you have executed the command above, you can use the following commands to track/manage the cloning process.

  • Use ec2-describe-export-tasks to monitor the export progress
  • Use ec2-cancel-export-task to cancel an export task prior to completion

 

Notes: You could easily take steps 1-8 to set up an automated script to connect to Amazon's services.  If you would like more information on these steps, here was a great article I ran across explaining everything in detail.

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/SettingUp_CommandLine.html

 

Replacing SSL Certificates on View Connection Servers 5.1

Here are the steps involved to change the SSL certificates from the default VMware Self-Signed certificate to one signed by either your internal CA or a public CA.  This tutorial works for both the View Connection Server or Security Server services.  An official KB article by VMware on this subject can be found here: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2020913

In this particular guide, we cover generating an SSL certificate with an Internal CA.  If we wanted to sign our server certificate with a public CA, we could use a tool like OpenSSL to generate a certificate request and send the request to a public CA.  Next, we would import a PFX (PKCS #12) file with the private and public key into the local computer's Personal certificates and set the Friendly Name to vdm.

Opening the Certificates Management Console

  1. In the Connection Server, click Start, type mmc, and click OK.
  2. Click File > Add/Remove Snap-in.
  3. Select Certificates and click Add.
  4. Select Computer account and click Next.
  5. Select Local computer and click Finish > OK.

Requesting a new certificate

  1. Expand Certificates and click Personal.
  2. Under Object Type, right-click and select All Tasks > Request New Certificate.
  3. Read the information on certificate enrollment and click Next.
  4. Click Active Directory Enrollment Policy > Next.
  5. Select the template for certificate enrollment and click Details > Properties.
    1. Notes:
      1. Ensure you choose the Windows Server 2003 certificate template option. Do NOT choose Windows Server 2008.
        For information on creating a certificate template, see the Microsoft Technet article Creating Certificate Templates.
      2. If you notice that the service starts but you are unable to navigate to the SSL page, this is because the Windows Server template was set to Server 2008.
  6. Click the General tab.
  7. Under Friendly name, type vdm.
  8. Click the Private Key tab.
  9. Click the arrow next to Key options and select the Make private key exportable option.
  10. Click OK > Enroll.
  11. Click Finish.
  12. Restart the Connection Server service.

Notes:

  • If you use any browser other than Internet Explorer to access the View Administration console, you must add an exception for the connection to be trusted.
  • It may take a few minutes for the certificate to be recognized as valid in the View Administration console.

All credit for this guide goes to VMware for this information. This post is merely for archival purposes and self-reflections on the subject.

Replacing SSL Certificates on View Connection Servers 5.0

This process does NOT work for VMware View 5.1, only 5.0.

Here are the steps involved to change the SSL certificates from the default VMware Self-Signed certificate to one signed by either your internal CA or a public CA.  This tutorial works for both the View Connection Server or Security Server services.

  1. Navigate to the following directory via command prompt (if running server 2008, make sure you run command prompt as an administrator):
    1. C:\Program Files\VMware\VMware View\Server\jre\bin
  2. Execute the following command to generate a new Java Keystore:
    1. keytool -genkeypair -keyalg "RSA" -keysize 2048 -keystore keys.jks -storepass secret
      1. Note: This will ask for your first and last name, type in your FQDN here (I.e. viewserver.mydomain.com); also hit RETURN to use the same password as your keystore password when you are done.
  3. Execute the following command to generate a CSR:
    1. keytool -certreq -file certificate.csr -keystore keys.jks -storepass secret
  4. Sign the certificate.csr file that was just generated with your certificate authority (GoDaddy, Verisign, Internal CA, etc.)
  5. Copy the signed .cer or .crt file that you just received from your CA to the same keytool directory
  6. Copy any root or intermediate public certificates to the same keytool directory
  7. Execute the following commands for each of your root and intermediate certificates
    1. Root CA Example
      1. keytool -importcert -keystore keys.jks -storepass secret -alias rootCA -file rootCA.cer
    2. Intermediate CA Example
      1. keytool -importcert -keystore keys.jks -storepass secret -alias intermediateCA -file intermediateCA.cer
  8. Execute the following command to import your public certificate for your certificate.csr file:
    1. keytool -importcert -keystore keys.jks -storepass secret -keyalg "RSA" -trustcacerts -file certificate.cer
  9. Next, we need to configure a View Connection Server Instance or Security Server to use the new certificate
    1. Move the keys.jks file that we just created (C:\Program Files\VMware\VMware View\Server\jre\bin\keys.jks) to the following directory:
      1. c:\Program Files\VMware\VMware View\Server\sslgateway\conf\keys.jks
    2. Next, we need to add the keyfile, keypass, and storetype properties to the locked.properties file
      1. If the locked.properties file does not already exist, go ahead and create a new file with Notepad.
      2. Once the locked.properties file is open, ensure the following lines are in it:
        1. keyfile=keys.jks
        2. keypass=secret
        3. storetype=jks
  10. Restart the View Connection Server service or Security Server service for your changes to take effect.
  11. Once you have verified the new certificate works, delete the following files from C:\Program Files\VMware\VMware View\Server\jre\bin
    1. certificate.cer
    2. rootCA.cer
    3. intermediateCA.cer
    4. certificate.csr

 

Allowing Copy/Paste/Clipboard access between View Desktop and Local Machine

Want to allow users to copy/paste rich-text from their local machine to their View VM?  Here is how to do it.
  1. Go to your View Connection server and browse to the following directory:
    1. c:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles\
  2. Copy the pcoip.adm template and paste it on your domain controller's desktop, or wherever you modify group policies for the domain.
  3. Create a new policy on the OU that you want for your virtual desktops (view clients)
  4. Edit the policy
  5. Expand Computer Configuration->Policies
  6. Right click on Administrative Templates and click Add/Remove Templates
  7. Click the Add... button and browse to the pcoip.adm file
  8. Click the Close button
  9. Expand Computer Configuration->Policies->Administrative Templates->Classic Administrative Templates (ADM)->PCoIP Session Variables->Overridable Administrator Defaults
  10. Modify the following policies to enable clipboard access
    1. Configure clipboard redirection
      1. I.e., set this option to Enabled and configure clipboard redirection as Enabled in both directions.
    2. Configure PCoIP virtual channels
      1. Set this option to enabled
  11. Restart the desktop to ensure policies take over

Notes:

  • Overridable Administrator Defaults allow administrators to change the values.
  • Non-Overridable Administrator Settings prevent Administrators from changing the settings as well.
  • It is only possible to copy/paste rich-text.  Files are not supported at this time.

Manually deleting linked clones or stale virtual desktop entries from VMware View Manager 3.x, 4.x and 5.x

Here is the issue I was having when trying to remove a host from View:

Desktop Composer Fault: "Virtual Machine with Input Specification already exists"

 

VMware has a great write-up here on how to remove a VM that cannot be removed through the View Adam panel:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1008658

How to replace SSL certificate on VMware Update Manager vCenter 5.1

Here is how to replace the SSL certificates on VMware Update Manager running under vCenter 5.1.  I found the text from the following document, just reposting for future reference/ease of access: http://www.vmware.com/files/pdf/techpaper/vsp_51_vcserver_esxi_certificates.pdf

  1. Back up the existing Update Manager certificates.
  2. Copy the newly created certificate files (rui.crt, rui.key, and rui.pfx) to the Update Manager SSL directory on the system where Update Manager is installed.
    1. Typically, the directory is C:\Program Files\VMware\Infrastructure\Update Manager\SSL.
  3. Stop the VMware vSphere Update Manager service.
  4. Change to the Update Manager installation directory.
    1. Typically, the directory is C:\Program Files\VMware\Infrastructure\Update Manager\.
  5. Run the file VMwareUpdateManagerUtility.exe.
    1. Note, this might take a couple of seconds to startup, there was a delay for me.
  6. In the Options pane, click SSL Certificate.
  7. In the Configuration pane, select Followed and verified the steps and click Apply.
    1. You should receive the following text when it is done: "Successfully applied the configuration."
  8. After the operation completes, start the VMware vSphere Update Manager service.

Method Invocation Result: vpx.fault.SecurityConfigFault when replacing vmware ssl certificates

Symptom: When replacing my VMWare certificates with signed certificates, I was receiving the following error when running the Invoke Certificates command:

Method Invocation Result: vpx.fault.SecurityConfigFault

Solution: Unfortunately, the only way I could figure out how to fix this issue was to reboot the vCenter server and try again. The error went away upon reboot.