VMware Cloud Community
AdwaitPatankar
Contributor

Getting VM console (HTML5 web) using pre-authenticated URL

We are trying to use the HTML5 web console from the vCenter 6.0 web client. We are doing this using vSphere APIs and launching a browser with a console URL that has a preauthenticated token (session clone ticket).

However, when we fire the preauthenticated URL (/vsphereclient/webconsole.html with necessary parameters), we are always routed to the SSO login page the first time around and after passing the authentication phase, then redirected to the VM console. This happens only for the first request. Any further ‘get vm console’ requests using the pre-authenticated URL work just fine and directly render the VM console. The moment we switch to a new browser window (or the incognito mode), it again asks for an explicit login on the SSO page.

What I would like to know is:

  1. What is the validity in terms of time for the session clone ticket? Is there a way to configure this setting?
  2. Is there a way to get around the JSESSIONID cookie? Is there any other step needed to be able to get the console without the vCenter login screen, since we have already authenticated and obtained the token?
22 Replies
jpsider
Expert

The port would be specific to the VM, so kinda?

You need to set up a FW rule for a range of ports on your ESX server. Then keep track in a DB (lightweight, like MySQL) of which VM is on which port. Then you can connect to esxhost:port, where the port will be the specific port you have configured in the VM's .vmx file.

Using a VNC Client to Connect to VMs in ESXi 5 | virtuallyGhetto

How to Create Custom Firewall Rules in ESXi 5.0 | virtuallyGhetto

vittoriop77
Contributor

Hello jpsider,

I started using the WebMKS ticket with the HTML console provided by VMware.

Complete solution here: Vittorio Pavesi: vSphere 6 HTML Console

Thanks for your help!

Vittorio

gkaratsiolis
Contributor

SOLUTION 1

If you want to bypass the JSESSIONID Tomcat authentication just for the virtual console, you don't have to. The optimal way is to use the embedded VNC server. First you have to enable it on each VM in the extra configuration:

RemoteDisplay.vnc.enabled = "true"

RemoteDisplay.vnc.port = "52000"

RemoteDisplay.vnc.password = "anypassword"

Now you (or your customers) can connect to your hypervisor IP address, port 5200, and pass "password" to access the machine.

If you don't want to expose your hypervisor machine (or IP), you have to use a proxy. For this, you have to set up a new machine with a public IP, let's say 195.170.100.100, and install the noVNC proxy (it's free and open source). noVNC runs a local web server on port 6800 and, based on a token file with the following format:

token: host port

you can add your customer machine like (assume 195.170.100.50 is your esx host):

999-token-999: 195.170.100.50 52000

Now try with

http://195.170.100.50:6800/novnc_auto.html?token=999-token-999

it will open a web VNC console with the machine. No VMware, no hypervisors, no tickets, no sessions, no SDKs.

If you want to make it even more secure, you can create tokens on the fly. When your customer needs to open a virtual console, create a token on the fly. Then run a cron job after X minutes to delete the token, so it will not work after some time.

SOLUTION 2

If you want to use open console or any other thing from the HTTP client and you come up against the JSESSIONID, open the VMware HTTP client, log in manually from your browser and check for cookies. Copy the JSESSIONID value and close the browser without logging in.

Then create a small script (any programming language, even bash) that sets the cookie JSESSIONID to the session id you have, for a URL from the VMware client. Example:

curl -v --cookie "JSESSIONID=E666666666666667777777777777777777" --insecure https://HTTPCLIENTHOST:9443/ui/data/properties/urn:vmomi:VirtualMachine

Run this every minute in a cron job. That would keep the session alive and you will have a JSESSIONID that will always be available, bypassing the Tomcat authentication error.

As the sessions are not stored on disk or in a database, in case of a server restart the id will reset and you have to manually obtain a new one.

Be aware: do not share and do not set this ID with your customers. Just use it internally to run your own scripts and automate anything you want.

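As an added example (not from the post above and not part of noVNC itself), here is a POSIX shell script for the "create tokens on the fly and expire them" step of SOLUTION 1. It writes one file per token into a directory consumed by websockify's TokenFile plugin (`--token-plugin TokenFile --token-source DIR`, entry format `token: host:port`; the post shows the two target fields space-separated, check your websockify version), and records the expiry time in the file name so that a cron run of `prune` needs no database. The directory path and TTL are assumptions.

```shell
#!/bin/sh
# Constructed example: short-lived noVNC/websockify tokens, one file per token.
# websockify reads every file in TOKEN_DIR, so the expiry suffix in the file name is ignored by it.
TOKEN_DIR="${TOKEN_DIR:-/tmp/novnc-tokens}"   # assumption: directory given to --token-source
TTL_SECONDS="${TTL_SECONDS:-300}"              # assumption: token lifetime (the post's "X minutes")

# issue_token HOST PORT -> prints a fresh 32-hex-char token mapped to HOST:PORT
issue_token() {
  host="$1"; port="$2"
  mkdir -p "$TOKEN_DIR"
  tok="$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')"   # 128 bits from the OS RNG
  expires=$(( $(date +%s) + TTL_SECONDS ))
  # TokenFile entry format: "token: host:port"
  printf '%s: %s:%s\n' "$tok" "$host" "$port" > "$TOKEN_DIR/$tok.$expires"
  echo "$tok"
}

# prune_tokens -> removes every token whose expiry stamp has passed; prints how many were removed
prune_tokens() {
  now=$(date +%s); removed=0
  for f in "$TOKEN_DIR"/*.*; do
    [ -e "$f" ] || continue          # empty directory: the glob stays literal
    exp="${f##*.}"                   # expiry epoch is the file-name suffix
    if [ "$exp" -le "$now" ] 2>/dev/null; then
      rm -f "$f"; removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# token_target TOKEN -> prints "host:port" for a token that still exists, else returns 1
token_target() {
  for f in "$TOKEN_DIR/$1".*; do
    [ -e "$f" ] || return 1
    sed 's/^[^:]*: //' "$f"
    return 0
  done
  return 1
}

# CLI use: "issue HOST PORT" when a customer asks for a console, "prune" from a one-minute cron job
case "${1:-}" in
  issue) issue_token "$2" "$3" ;;
  prune) prune_tokens ;;
esac
```

The token handed to the customer is the URL parameter from the post (`?token=...`); once `prune` has removed its file, websockify no longer resolves it and the console link stops working.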