9 Replies Latest reply on Dec 2, 2010 3:07 PM by psyber

    Will vCenter Mobile Access Support SSL connections?

    DMHigley Lurker

       

      Hi,

      In the demo, the browser connection appeared to be plain http.

      Will SSL connections be supported?

      Will a certificate be auto-created?

      Can we load our own certificate or wildcard certificate?

      This is a great feature as long as it is secure.

      -Dan

       

       

        • 1. Re: Will vCenter Mobile Access Support SSL connections?
          Enthusiast

          The initial version defaults to http, and you can always load your own certificate and turn off the http port.

          • 2. Re: Will vCenter Mobile Access Support SSL connections?
            ronaldmendozaftb Lurker

            Okay, I'm Apache-illiterate. Can someone provide a step-by-step process to request and assign a certificate from a 2003 CA?

            • 3. Re: Will vCenter Mobile Access Support SSL connections?
              Enthusiast

              If you have a valid certificate, import the certificate into the keystore.

              NOTE: The java keytool is available inside the appliance under the directory /usr/lib/vmware/mobile/java/jre1.6.0_11/bin

              cd /usr/lib/vmware/mobile/java/jre1.6.0_11/bin
              chmod +x ./keytool
              ./keytool -import -trustcacerts -alias server -file <your certificate> -keystore /root/your_site_name.jks

              Edit the file /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.16/conf/server.xml and uncomment the connector for port="8443" and update the connector information.

              <Connector port="443" SSLEnabled="true" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="/root/your_site_name.jks" keypass="your_keystore_password" />

              Restart tomcat using the command "service mobile restart"

              For self-signed certificate installation, there are a couple of ways to do that. One way is to use openssl; please follow the instructions in the forum post http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1007362

              You can also install a self-signed certificate using the java keytool.

              ./keytool -genkey -keyalg RSA -keysize 1024 -alias alias -keystore /root/your_site_name.jks

              (Follow the instructions; you can also specify a different path for the key store)

              After creating the certificate, edit the file /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.16/conf/server.xml and uncomment the connector for port="8443" and add keystoreFile and keystorePass parameters.

              <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                         maxThreads="150" scheme="https" secure="true"
                         clientAuth="false" sslProtocol="TLS"
                         keystoreFile="/root/your_site_name.jks"
                         keystorePass="tomcat" keystoreType="JKS" />

              NOTE: The keystorePass is the password that you used when you created the self-signed certificate

              To restart the server, use the command ("service mobile restart")

              Let me know if you still have problems installing the certificate.

              • 4. Re: Will vCenter Mobile Access Support SSL connections?
                handers101 Novice

                 

                Hi. After following the instructions for this I still cannot SSL the appliance.

                I used openssl to gen a cer using 2003 certsrv

                then

                ./keytool -import -trustcacerts -alias server -file vmobile.cer -keystore /root/vmobile.jks

                then

                altered server.xml

                adding in

                <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="server" keystoreFile="/root/vmobile.jks" keypass="********" />

                over the top of the 8443 connector.

                Restarted the services yet still can only get to http, not https.

                Any ideas?

                Many Thanks!!!

                 

                 

                • 5. Re: Will vCenter Mobile Access Support SSL connections?
                  Hot Shot

                  Did you comment out the Connector port="80" regular http handler? It goes without saying, but you'll need to make sure you enter https explicitly when typing the url into your device; no automatic redirection will occur from http to https even with that change. Also, be aware that some devices will reject self-signed certs, but it is worth a try.

                  • 6. Re: Will vCenter Mobile Access Support SSL connections?
                    Enthusiast

                    If the self-signed certificate is generated using java keytool, it might expect the keystore type.

                     

                    Try adding the keystore type.

                     

                     

                    • 7. Re: Will vCenter Mobile Access Support SSL connections?
                      handers101 Novice

                       

                      Hi

                      Thanks for your help. I am getting a little further now.

                      If I go to the url .....

                      http://vmobile.frontline-consultancy.co.uk:443/vim/login.jsp

                      I can see the site.

                      It seems something is missing in picking up the :443 - https link

                      If I https it does not work.

                      Below is my connector info....

                      <Connector port="443"
                                 maxHttpHeaderSize="8192"
                                 maxThreads="150"
                                 minSpareThreads="25"
                                 maxSpareThreads="75"
                                 enableLookups="false"
                                 disableUploadTimeout="true"
                                 acceptCount="100"
                                 scheme="https"
                                 secure="true"
                                 clientAuth="false"
                                 sslProtocol="TLS"
                                 keyAlias="server"
                                 keystoreFile="/root/vmobile.frontline-consultancy.co.uk.jks"
                                 keypass="*******"
                                 keystoreType="JKS" />

                      Is there something else I should be looking for?

                      Thanks!

                       

                       

                      • 8. Re: Will vCenter Mobile Access Support SSL connections?
                        Enthusiast

                        Did not see any issue with your connector attributes.  I tried in my VA with the following attributes and it works fine.

                         

                           

                         

                         

                        Check the log files and access logs to see any issues logged.   Some devices might reject self-signed certificates and look for that one too.

                        • 9. Re: Will vCenter Mobile Access Support SSL connections?
                          psyber Lurker

                          I couldn't get this to work the tomcat way so we just bypassed all this silliness with tomcat and installed apache with ssl and mod proxy ajp support and added a rewrite filter to redirect http to https. Works brilliantly.   (This is from memory and I have allowed puppet to molest this appliance so please point out anything I may have missed)

                           

                           

                          yum install httpd mod_ssl

                          Comment out the default connector on port 80 in

                          /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.16/conf/server.xml

                          in

                          /etc/httpd/conf.d/proxy_ajp.conf

                          add

                          ProxyPass / ajp://localhost:8009/

                          fixup

                          /etc/httpd/conf.d/ssl.conf

                          with the correct pathing and filenames for your cert and key or generate your own

                          this may be a useful link for that:

                          http://www.cyberciti.biz/faq/rhel-apache-httpd-mod-ssl-tutorial/

                          Also I can't be trusted to always remember to type the https so ...

                          Create

                          /etc/httpd/conf.d/mobile.conf

                          with the following contents

                          RewriteEngine On
                          RewriteCond %{HTTPS} off
                          RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [NE]

                          Then run

                          service mobile restart
                          service httpd start
                          chkconfig httpd on

                           



                          I also edited

                           

                          /usr/lib/vmware/mobile/tomcat/apache-tomcat-6.0.16/webapps/ROOT/index.html

                           

                          and replaced it with

                          <html>
                          <head>
                          <meta http-equiv="Refresh" content="0;url=/vim"/>
                          </head>
                          <body>
                          </body>
                          </html>
                          

                          so I don't even have to remember to type the vim at the end of the URL


                          TADA!
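
An added example, not part of any post in this thread: a small Python audit of server.xml for the connector states discussed above (a 443 connector that still answers plain http, the port 80 connector left enabled, and the AJP connector used by the Apache front end). It assumes Tomcat 6 behaviour, where a connector only negotiates TLS when SSLEnabled="true" is set; the sample XML is constructed, and audit_connectors and the finding codes are names introduced here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a stock HTTP connector, a 443 connector with the
# attribute set from post 4, and Tomcat's default AJP connector.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="443" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keyAlias="server"
               keystoreFile="/root/your_site_name.jks" keypass="placeholder" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>"""

MESSAGES = {  # finding codes are hypothetical names used only in this example
    "PLAIN_HTTP": "plain HTTP connector is still enabled",
    "NO_SSLENABLED": 'scheme="https" without SSLEnabled="true": served as plain HTTP',
    "NO_KEYSTORE": "TLS enabled but keystoreFile not set; default keystore location is used",
    "AJP_EXPOSED": "AJP is cleartext; connector is not bound to a loopback address",
}
LOOPBACK = ("127.0.0.1", "::1", "localhost")

def audit_connectors(server_xml):
    """Return (port, code) findings for every active <Connector>."""
    findings = []
    # XML comments are dropped by the parser, so commented-out connectors are skipped.
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            if conn.get("address") not in LOOPBACK:
                findings.append((port, "AJP_EXPOSED"))
            continue
        wants_tls = conn.get("scheme") == "https" or conn.get("secure") == "true"
        tls_on = conn.get("SSLEnabled", "false").lower() == "true"
        if not wants_tls and not tls_on:
            findings.append((port, "PLAIN_HTTP"))
        if wants_tls and not tls_on:
            findings.append((port, "NO_SSLENABLED"))
        if tls_on and not conn.get("keystoreFile"):
            findings.append((port, "NO_KEYSTORE"))
    return findings

if __name__ == "__main__":
    for port, code in audit_connectors(SAMPLE_SERVER_XML):
        print(f"port {port}: {code}: {MESSAGES[code]}")
```

To run it against the appliance, pass the contents of the server.xml path given in the thread to audit_connectors instead of the constructed sample.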