4 Replies Last post: Oct 5, 2007 12:53 PM by itguybri

HTTPS to the VC server without spreading new certificates?

Aug 30, 2007 8:53 AM

itguybri (Enthusiast, 56 posts since Apr 28, 2006)
Does anyone have a solution for connecting to a VC server remotely without creating and installing new certificates on the VC server?

(actually using the VMware certificate that is delivered with Virtual Center)

We are trying to make things as easy as possible on our admins and don't want to have to go down the road of generating internal certificates if there is a way to run secure with the VMware certificate.

Thanks!
Re: HTTPS to the VC server without spreading new certificates? Aug 30, 2007 9:57 PM
dkaur (Expert, VMware, 229 posts since Jun 1, 2007)
For VirtualCenter Server, the certificate supplied with VC is rui.crt and is available under C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\

Copy the certificates from the server to the certificate sub directory of the development workstation, using a unique filename for the certificate (assuming you are copying multiple default certificates from multiple Server systems, for example).

Next, import the server certificate into the certificate store following the specific instructions for your programming language (Java, C#).

Navigate to the certificate sub directory. For example, on Windows:
cd c:\VMware-certs

For Java:

Use the Java keytool utility to import a certificate. The syntax is as follows:

keytool -import -file <certificate-filename> -alias <server-name> -keystore vmware.keystore

For example:
C:\VMware-Certs>keytool -import -file rui.crt -alias sdkpubs01 -keystore vmware.keystore

You will be prompted to create a password for the keystore you are creating:
Enter keystore password:

Create a password for the keystore by entering it at the prompt. The keystore utility displays the certificate
information at the console. For example:
Owner: OID.1.2.840.113549.1.9.2="1183400896,564d7761726520496e632e",
CN=sdkpubslab-01.vmware.com, EMAILADDRESS=ssl-certificates@vmware.com,
OU=VMware ESX Server Certificate, O="VMware, Inc.", L=Palo Alto,
ST=California, C=US Issuer:
OID.1.2.840.113549.1.9.2="1183400896,564d7761726520496e632e",
CN=sdkpubslab-01.vmware.com, EMAILADDRESS=ssl-certificates@vmware.com,
OU=VMware ESX Server Certificate, O="VMware, Inc.", L=Palo Alto,
ST=California, C=US Serial number: 0 Valid from: Mon Jul 02 11:28:17 PDT 2007
until: Mon Aug 31 11:28:17 PDT 2026
Certificate fingerprints:
MD5: . . .61:35:C0:C4
SHA1: 4C:...78:B2
At the end of the certificate information, a prompt displays a request for confirmation that the certificate
should be trusted:

Trust this certificate? [no]:

Type yes (and press <Enter>) to respond to the prompt and import the certificate into the vmware.keystore keystore.

The console displays:
Certificate was added to keystore

###############

The other option is to bypass the SSL,
e.g. add this one line just before or after you do the SSL keystore setup.

import org.apache.axis.AxisProperties;

// Axis 1.x: switch to the trust-all socket factory, so the server certificate is NOT verified at all
AxisProperties.setProperty("axis.socketSecureFactory",
        "org.apache.axis.components.net.SunFakeTrustSocketFactory");
Re: HTTPS to the VC server without spreading new certificates? Oct 3, 2007 3:11 PM
in response to: dkaur
itguybri (Enthusiast, 56 posts since Apr 28, 2006)

We are using Windows (so I am using the IE import instructions from the Developers Setup Guide) and the problem is that we get the attached error, therefore not allowing the https connection to be used.

The root of the problem is that the VMware generated certificate DOES NOT reflect the name of the VC Server. That is what produces the error.

I have tried adding the server to trusted sites, etc. and nothing works.

If there is a way to regenerate the certificate within Tomcat so it matches the name of the server then we would have an excellent solution (the Root CA would be VMware, the trusted would be VCServerName)


Re: HTTPS to the VC server without spreading new certificates? Oct 5, 2007 12:52 PM
in response to: itguybri
itguybri (Enthusiast, 56 posts since Apr 28, 2006)

I actually figured out a solution on my own.

The problem with the certificate is two-fold.

1. You have to install the certificate to trust the VMware root authority

2. The common name on the certificate is VMware - so you have to spoof DNS so your target VC host can be called with an HTTPS call to VMware

https://<Virtual Center server name>/sdk results in a certificate validation error because the common name does not match

If you edit your hosts file on the workstation you are using to reference the IP of your virtual center server with the name of vmware then it all works.

https://vmware/sdk
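The two pieces of the thread above, dkaur's vmware.keystore import and itguybri's common-name mismatch, come together on the client side. The following Java program is an added example, not code from the thread or from the VMware SDK: it trusts only the certificates in vmware.keystore (the JVM's default CA bundle is not consulted) and deliberately leaves hostname verification on, so the host in the URL must match the certificate's CN. The keystore password "changeit" and the host argument are assumptions; with the hosts-file entry described above, "vmware" resolves to the VC server and the name check passes, whereas the Axis SunFakeTrustSocketFactory route skips verification entirely.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class VcSdkTrustCheck {

    // SSLContext whose only trust anchors are the certificates in vmware.keystore
    // (the store built with keytool above); the default CA bundle is ignored.
    static SSLContext contextFromKeystore(String keystorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(keystorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Opens https://<host>/sdk with the default hostname verifier still active and
    // returns the subject DN of the certificate the server actually presented.
    static String connectAndDescribe(String host, SSLContext ctx) throws IOException {
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://" + host + "/sdk").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("HEAD");
        conn.connect();   // TLS handshake, chain validation and CN/host check happen here
        X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
        String subject = leaf.getSubjectX500Principal().getName();
        conn.disconnect();
        return subject;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "vmware";   // must equal the cert's CN
        SSLContext ctx = contextFromKeystore("vmware.keystore", "changeit".toCharArray()); // assumed password
        try {
            System.out.println("Server certificate subject: " + connectAndDescribe(host, ctx));
        } catch (IOException e) {
            // Raised when the presented cert is not in vmware.keystore or when its CN
            // does not match the host in the URL (the error reported in this thread).
            System.err.println("TLS validation failed for " + host + ": " + e.getMessage());
        }
    }
}
```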


Re: HTTPS to the VC server without spreading new certificates? Oct 5, 2007 12:53 PM
itguybri (Enthusiast, 56 posts since Apr 28, 2006)
I discovered my own solution.

Thanks VMware for having instructions that are well documented but incomplete.