VMware Horizon View Blast Secure Gateway
The service is in a suspended state, and an error is reported after clicking recovery. First time installation, please help me.
Windows Server 2016 X64
New windows, first install VMware-viewconnectionserver-x86_64-7.5.0-8583568.exe
windows event information:
1. Started C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd for service VMBlastSG in C:\Program Files\VMware\VMware View\Server\appblastgateway\.
2. Program C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd for service VMBlastSG exited with return code 0.
3. Killing process tree of process 9448 for service VMBlastSG with exit code 0
4. Killing PID 9448 in process tree of PID 9448 because service VMBlastSG is stopping.
5. Service VMBlastSG action for exit code 0 is Restart. Attempting to restart C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd.
6. Registry key AppParameters is unset for service VMBlastSG. No flags will be passed to C:\Program Files\VMware\VMware View\Server\appblastgateway\run-absg.cmd when it starts.
7. Service VMBlastSG ran for less than 1500 milliseconds. Restart will be delayed by 256000 milliseconds.
C:\ProgramData\VMware\VDM\logs\Blast Secure Gateway\absg.log information:
[2018-07-06 12:17:13.143] [INFO] 188 [absg-master] - Node.js version: v6.14.1
[2018-07-06 12:17:13.146] [INFO] 188 [absg-master] - ABSG configuration: { PlayStoredLog: [Function],
fipsMode: false,
destHttps: true,
localPort: 8443,
localAddr: '0.0.0.0',
localHttps: true,
localHttpsCipherSpec: '!aNULL:kECDH+AESGCM:ECDH+AESGCM:RSA+AESGCM:kECDH+AES:ECDH+AES:RSA+AES',
localHttpsProtocolLow: 'tls1.1',
localHttpsProtocolHigh: 'tls1.2',
hmacAlgorithms: [ 'sha1', 'sha256' ],
enableUDP: false,
localUDPPort: 8443,
localUDPAddr: '0.0.0.0',
externAddr: '127.0.0.1',
externPort: 8443,
externHttps: true,
externDomain: '',
adminAddr: '127.0.0.1',
adminPort: 8123,
autostart: false,
logReplaceConsole: true,
logLevel: 'INFO',
logFilesize: 8388608,
logBackupCount: 16,
logFilename: 'C:\\ProgramData\\VMware\\VDM\\logs\\Blast Secure Gateway\\absg.log',
logTraceUDP: 0,
certificateStore: 'windows-local-machine',
certificateFolder: 'MY',
certificateName: 'vdm',
productMode: true,
displayConfig: true,
maxUriLength: 2083,
requestTimeout: 120000,
sessionIdleTimeout: 60000,
webSocketSessionIdleTimeout: 120000,
removeUserAgentHeader: false,
addProxyAgentHeader: true,
removeJSessionId: false,
allowMany2OneAccess: false,
allowManyRoutesToDest: true,
ipProtocol: 'IPv4',
useExternalForwarder: true,
labelGenerationMaxRandomAttempts: 10000,
auxFlowLabelPrefixGenerationMaxRandomAttempts: 10000,
auxFlowsAllowed: true,
externalForwarderFlowCleanUpPeriodSec: 600,
externalForwarderFlowCleanUpEnabledMainFlow: true,
externalForwarderFlowCleanUpEnabledAuxFlow: true,
logPath: 'C:\\ProgramData\\VMware\\VDM\\logs\\Blast Secure Gateway',
https: {},
localOnlyAddr: '127.0.0.1',
anyInterfaceAddr: '0.0.0.0',
numWorkers: 8,
hideToken: false,
doLoadbalance: true,
pidWidth: 7,
externalForwarderPath: 'C:\\Program Files\\VMware\\VMware View\\Server\\appblastgateway\\udpforwarder.exe',
numUDPWorkers: 0,
udpVersion: 1,
isTraceEnabled: false,
isDebugEnabled: false }
[2018-07-06 12:17:13.175] [ERROR] 188 [absg-master] - keystoreutil.exe failed to load certificate from [ 'windows-local-machine', 'MY', 'vdm' ] 1 Failed to acquire private key handle (error 2148073492)
Did you add a certificate to the local store and rename its friendly name to vdm?
Update the Certificates on a Connection Server Instance, Security Server, or View Composer
I have solved this problem. It requires a V1 version of the certificate; the V3 version of the certificate cannot be used.
Hi. It does not matter if the certificate is "V1" or "V3". Check the following:
In my case, my keypair was there, looked correct, but was not exportable.
Just finished an upgrade from 6 > 7 - had the exact same issue. It appears that 6 doesn't require that the private key be exportable however 7 does! Re-applied the certificates ensuring the key was exportable, rebooted and all was fine.
These community threads save my butt. Thanks to everyone for their contributions. I'd like to contribute and help for a change.
I just deployed Connection server 7.10 and this problem is still alive and well.
My recommendations:
Thank you all for making my job easier!
Hi all - I found the solution.
First copy the below text and edit it to your servers' need. Save the file as request.inf.
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"
[NewRequest]
Subject = "CN=View_Server_FQDN, OU=Organizational_Unit_Name, O=Organization_Name, L=City_Name, S=State_Name, C=Country_Name" ; ***EDIT THIS***
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
FriendlyName = "vdm"
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
OID=1.3.6.1.5.5.7.3.2 ; Client Authentication
[Extensions]
2.5.29.17 = "{text}" ; Subject Alternative Name - use for Chrome.
_continue_ = "dns=name1&" ; EDIT THIS - don't forget the &
_continue_ = "dns=name2&" ; EDIT THIS
_continue_ = "dns=name3&" ; EDIT THIS - if you don't need it, delete the entire line.
;-----------------------------------------------
Next, from an Administrative Command Prompt:
certreq -new request.inf <servername>.req
Change the <servername> to horizon whatever.
Copy this servername.req to your local CA.
Import the request.
Issue the certificate.
Save the final cert to a file. Save it as servername.cer.
Copy this back to your Horizon server.
From an Administrative Command Prompt:
certreq -accept <servername>.cer
Stop the VMware Horizon View Connection Server.
Rename the old "vdm" certificate (right click - properties) and change the friendly name to "old-vdm".
You should only have 1 cert with "vdm".
Make sure that your Trusted Root Certificate Store has the CA of the new certificate.
Start the VMware Horizon View Connection Server.
Wait 1 minute.
The Blast service should be in a running state now.
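A pre-flight check for the conditions this thread keeps coming back to (exactly one certificate with friendly name vdm in the machine store, a usable and exportable private key, a trusted chain), written here as an added example and not taken from the posts above or from VMware. It assumes an elevated Windows PowerShell 5.1 session on the Connection Server; the variable names are illustrative.

```powershell
# Added example (not VMware's code). Run elevated on the Connection Server.
# Store and friendly name come from absg.log: [ 'windows-local-machine', 'MY', 'vdm' ].
$friendlyName  = 'vdm'
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication, as in request.inf

$certs = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.FriendlyName -eq $friendlyName })

if ($certs.Count -ne 1) {
    Write-Warning "Expected exactly one certificate named '$friendlyName', found $($certs.Count)."
}

foreach ($cert in $certs) {
    # The Exportable flag is readable directly only for CSP-backed RSA keys,
    # such as the "Microsoft RSA SChannel Cryptographic Provider" in request.inf.
    $exportable = 'unknown (no key, or not a CSP key)'
    try {
        $key = $cert.PrivateKey
        if ($key -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            $exportable = $key.CspKeyContainerInfo.Exportable
        }
    } catch {
        $exportable = "key not accessible: $($_.Exception.Message)"
    }

    # False here also covers a certificate that carries no EKU extension at all.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

    # Build the chain in machine context; revocation is skipped so the check works offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        Exportable    = $exportable
        ServerAuthEku = $hasServerAuth
        ChainTrusted  = $chainOk
        ChainErrors   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}
```

A row with HasPrivateKey false, or Exportable false, corresponds to the cases reported in the replies above; a ChainTrusted value of false points at the missing CA in the Trusted Root store.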
Brilliant answer.
You saved my day!
/Peter
Worked for me. Thank you very much.