VMware Horizon Community
znncool
Contributor

VMware Horizon View Blast Secure Gateway (Unable to start)

VMware Horizon View Blast Secure Gateway

The service is in a suspended state, and an error is reported after clicking recovery. First time installation, please help me.

Windows Server 2016 X64

New windows, first install VMware-viewconnectionserver-x86_64-7.5.0-8583568.exe

windows event information:

1. Started C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd  for service VMBlastSG in C:\Program Files\VMware\VMware View\Server\appblastgateway\.

2. Program C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd for service VMBlastSG exited with return code 0.

3. Killing process tree of process 9448 for service VMBlastSG with exit code 0

4. Killing PID 9448 in process tree of PID 9448 because service VMBlastSG is stopping.

5. Service VMBlastSG action for exit code 0 is Restart. Attempting to restart C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd.

6. Registry key AppParameters is unset for service VMBlastSG. No flags will be passed to C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd when it starts.

7. Service VMBlastSG ran for less than 1500 milliseconds. Restart will be delayed by 256000 milliseconds.

C:\ProgramData\VMware\VDM\logs\Blast Secure Gateway\absg.log  information:

[2018-07-06 12:17:13.143] [INFO]     188 [absg-master] - Node.js version: v6.14.1
[2018-07-06 12:17:13.146] [INFO]     188 [absg-master] - ABSG configuration: { PlayStoredLog: [Function],
  fipsMode: false,
  destHttps: true,
  localPort: 8443,
  localAddr: '0.0.0.0',
  localHttps: true,
  localHttpsCipherSpec: '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES',
  localHttpsProtocolLow: 'tls1.1',
  localHttpsProtocolHigh: 'tls1.2',
  hmacAlgorithms: [ 'sha1', 'sha256' ],
  enableUDP: false,
  localUDPPort: 8443,
  localUDPAddr: '0.0.0.0',
  externAddr: '127.0.0.1',
  externPort: 8443,
  externHttps: true,
  externDomain: '',
  adminAddr: '127.0.0.1',
  adminPort: 8123,
  autostart: false,
  logReplaceConsole: true,
  logLevel: 'INFO',
  logFilesize: 8388608,
  logBackupCount: 16,
  logFilename: 'C:\\ProgramData\\VMware\\VDM\\logs\\Blast Secure Gateway\\absg.log',
  logTraceUDP: 0,
  certificateStore: 'windows-local-machine',
  certificateFolder: 'MY',
  certificateName: 'vdm',
  productMode: true,
  displayConfig: true,
  maxUriLength: 2083,
  requestTimeout: 120000,
  sessionIdleTimeout: 60000,
  webSocketSessionIdleTimeout: 120000,
  removeUserAgentHeader: false,
  addProxyAgentHeader: true,
  removeJSessionId: false,
  allowMany2OneAccess: false,
  allowManyRoutesToDest: true,
  ipProtocol: 'IPv4',
  useExternalForwarder: true,
  labelGenerationMaxRandomAttempts: 10000,
  auxFlowLabelPrefixGenerationMaxRandomAttempts: 10000,
  auxFlowsAllowed: true,
  externalForwarderFlowCleanUpPeriodSec: 600,
  externalForwarderFlowCleanUpEnabledMainFlow: true,
  externalForwarderFlowCleanUpEnabledAuxFlow: true,
  logPath: 'C:\\ProgramData\\VMware\\VDM\\logs\\Blast Secure Gateway',
  https: {},
  localOnlyAddr: '127.0.0.1',
  anyInterfaceAddr: '0.0.0.0',
  numWorkers: 8,
  hideToken: false,
  doLoadbalance: true,
  pidWidth: 7,
  externalForwarderPath: 'C:\\Program Files\\VMware\\VMware View\\Server\\appblastgateway\\udpforwarder.exe',
  numUDPWorkers: 0,
  udpVersion: 1,
  isTraceEnabled: false,
  isDebugEnabled: false }
[2018-07-06 12:17:13.175] [ERROR]     188 [absg-master] - keystoreutil.exe failed to load certificate from [ 'windows-local-machine', 'MY', 'vdm' ] 1 Failed to acquire private key handle (error 2148073492)

8 Replies
techguy129
Expert

Did you add a certificate to the local store and rename its friendly name to vdm?

Update the Certificates on a Connection Server Instance, Security Server, or View Composer

znncool
Contributor

I have solved this problem. It requires a V1 version of the certificate; the V3 version of the certificate cannot be used.

rcarsey1
Contributor

Hi. It does not matter if the certificate is "V1" or "V3". Check the following:

  1. Make sure you have ONE keypair (public certificate & private key) whose friendly name is: vdm
  2. Make sure the keypair is stored in the right place. mmc.exe > Certificates > Computer Account > Personal > Certificates.
  3. Make sure the certificate actually has a private key associated with it (make sure you see a key in the upper-left corner of the certificate icon for that cert).
  4. Make sure that the private key is EXPORTABLE!!!!
    1. To see if it's exportable, right click the cert > All Tasks > Export > Next.
    2. When it asks you if you want to export the private key, the option for YES should be selectable.
    3. If it is not selectable, then you have previously imported this cert/key and did not click "Mark this key as exportable".
    4. There is an unsupported, command-line way to change the marking of an existing keypair, but it's usually easier to just delete and re-import the keypair correctly.

In my case, my keypair was there, looked correct, but was not exportable.

Eamundo
Contributor

Just finished an upgrade from 6 > 7 - had the exact same issue. It appears that 6 doesn't require that the private key be exportable however 7 does! Re-applied the certificates ensuring the key was exportable, rebooted and all was fine.

jkopp
Enthusiast

These community threads save my butt. Thanks to everyone for their contributions. I'd like to contribute and help for a change.

I just deployed Connection server 7.10 and this problem is still alive and well.

My recommendations:

Thank you all for making my job easier!

Joeatffcu
Contributor

Hi all - I found the solution.

First, copy the text below and edit it to your server's needs. Save the file as request.inf.

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=View_Server_FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name" ; ***EDIT THIS***
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = "vdm"
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication

[Extensions]
2.5.29.17 = "{text}" ; Subject Alternative Name - use for Chrome.
_continue_ = "dns=name1&" ; EDIT THIS - dont forget the &
_continue_ = "dns=name2&" ; EDIT THIS
_continue_ = "dns=name3&" ; EDIT THIS if you dont need, then delete the entire line.
;-----------------------------------------------

Next from Administrative Command Prompt

certreq -new request.inf <servername>.req

Change the <servername> to horizon whatever.

Copy this servername.req to your local CA.

Import the request

Issue the certificate

Save to File the final cert. Save it as servername.cer

Copy this back to your horizon server

From Administrative Command Prompt

certreq -accept <servername>.cer

Stop the VMware Horizon View Connection Server

Rename the old "vdm" certificate (right click - properties) and change the friendly name to "old-vdm"

You should only have 1 cert with "vdm"

Make sure that your Trusted Root Certificate Store has the CA of the new certificate.

Start the VMware Horizon View Connection Server

Wait 1 minute.

The Blast service should be in the running state now.
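
Added example, not part of any post in this thread: a PowerShell audit of the checks listed above (exactly one certificate with friendly name vdm in the local machine Personal store, a private key present, and the key marked exportable). The error 2148073492 in absg.log is 0x80090014 (NTE_BAD_PROV_TYPE, "invalid provider type specified"), so the script also reports which provider holds the key and compares it with the ProviderName in the request.inf above. The function name Get-VdmKeyInfo is hypothetical, and the script assumes an elevated Windows PowerShell 5.1 session on .NET Framework 4.6 or later.

```powershell
# Added example (not from the thread). Run elevated in Windows PowerShell 5.1.
# The expected provider name is taken from the request.inf posted above.
$expectedProvider = 'Microsoft RSA SChannel Cryptographic Provider'
$rsaExt = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

function Get-VdmKeyInfo {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $api = 'none'; $provider = $null; $exportable = $null
    if ($Cert.HasPrivateKey) {
        $api = 'unreadable or non-RSA'
        # On .NET Framework the legacy accessor only returns a key for CAPI (CSP) keys.
        $legacy = $null
        try { $legacy = $Cert.PrivateKey } catch { }
        try {
            if ($legacy -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
                $api        = 'CAPI'
                $provider   = $legacy.CspKeyContainerInfo.ProviderName
                $exportable = $legacy.CspKeyContainerInfo.Exportable
            } else {
                # CNG-aware accessor for keys held by a key storage provider.
                $rsa = $rsaExt::GetRSAPrivateKey($Cert)
                if ($rsa -is [System.Security.Cryptography.RSACng]) {
                    $api        = 'CNG'
                    $provider   = $rsa.Key.Provider.Provider
                    $allow      = [System.Security.Cryptography.CngExportPolicies]::AllowExport
                    $exportable = [bool]($rsa.Key.ExportPolicy -band $allow)
                }
            }
        } catch { }
    }
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint; Subject  = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey; KeyApi = $api
        Provider      = $provider; Exportable = $exportable
    }
}

$vdm = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) { Write-Warning "Expected exactly 1 certificate named 'vdm', found $($vdm.Count)." }
foreach ($cert in $vdm) {
    $info = Get-VdmKeyInfo $cert
    $info | Format-List
    if (-not $info.HasPrivateKey) { Write-Warning 'No private key is associated with this certificate.' }
    if ($info.Exportable -eq $false) { Write-Warning 'Private key is not marked exportable.' }
    if ($info.HasPrivateKey -and $info.Provider -ne $expectedProvider) {
        Write-Warning "Key provider differs from request.inf: '$($info.Provider)'"
    }
}
```

The script only reads the store; it does not change friendly names, key markings or service state.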

UCL
Enthusiast

Brilliant answer.

You saved my day!

/Peter

RobertNikogosia
Contributor

Worked for me. Thank you very much.
