Hi,
I am going to try to install an additional replica broker in my View 5.1 infrastructure (two brokers with load balancing). And after that install a security broker which will be paired with the newly installed broker. The final scenario will be two brokers for internal VDI and one replica paired with a security broker for connections from outside the LAN. All brokers have the same LDAP, pools and vCenter (View Composer).
ESXi and vCenter are 5.0.
When I launched the installer and confirmed the installation, a strange table with an SSL warning appeared (shown below). I cannot remember seeing this warning during the first installation of the first two brokers. I do not know if I translate it correctly, but the screen says that my brokers will go down until I renew or create a new SSL certificate for the brokers. I have a valid SSL certificate for the two installed brokers.
Will my installed brokers go down?
Is it necessary to create a new SSL certificate for this new broker?
Is it going to be a problem with my vCenter server?
Is it possible to install the new replica and security broker without SSL?
Do I have to create a new SSL certificate with "all names in" - all brokers?
Sorry, maybe a stupid question, but I am not so familiar with SSL and certificate creation.
Maybe I am unnecessarily scared, but I do not want the whole VDI to go down.
Thanks for replies
JZ
Hi JZ,
VMware has changed the way the servers (vcs, vss, composer, vcenter, etc.) communicate/handle certificates in View 5.0 and newer. That has become mandatory.
You can start by having a look at these documents:
Understanding SSL Certificates for View Servers
Obtaining SSL Certificates for VMware View Servers:
http://pubs.vmware.com/view-51/topic/com.vmware.ICbase/PDF/view-51-obtaining-certificates.pdf
I hope it can be helpful.
Cheers,
Elcio
I have the same question. Will the VDI infrastructure actually fail to function? We don't have valid certs yet - the upgrade was today. Everything appears to be fine for now.
What should I expect to break if I don't add real certs?
clifforg wrote:
Will the VDI infrastructure actually fail to function? We don't have valid certs yet - the upgrade was today. Everything appears to be fine for now.
No, it won't fail, but the main thing is that without a trusted CA signed SSL server certificate on your View Connection Server (and/or Security Server), your View Client users will not get the assurance that they are connecting to a genuine trusted environment and therefore the environment is more susceptible to a potential man-in-the-middle (MITM) attack.
Similarly with internal server communications, having proper trusted CA signed certificates for SSL communications will make the environment more secure.
This is generally true with SSL communications and is the reason for using trusted CA certificate signing. It is to provide this assurance.
It is therefore strongly recommended in a production View environment that the temporary (get-you-started) self-signed SSL certificates are replaced with proper trusted CA signed ones.
Mark
Hi,
Thank you for your response.
Is it correct that I need to have an SSL certificate for all broker names (three internal brokers, security gateway + load balancer name), with all names in as subject alternative names?
Please check if I have it right:
Scenario 1: internal connection with the current valid SSL certificate - everything OK
Scenario 2: external connection through the Security gateway without trusted SSL - an untrusted SSL error appears, but I can skip it and connect (if I change the SSL connection settings)
JZ
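As an added example (not from this thread and not VMware code), the following script answers the "all names in" question from Mark's and JZ's posts in a checkable way: it takes a server certificate in the dict format that Python's `ssl.SSLSocket.getpeercert()` returns and reports which of the hostnames a View Client might use (the three internal brokers, the security server and the load balancer name) are actually covered by the certificate's `subjectAltName` DNS entries. The hostnames `view-cs1.corp.example` and so on, the sample certificate and the function names are constructed placeholders for this example. A name that is not covered is exactly the case where a client shows the untrusted-certificate error JZ describes for Scenario 2, even if the certificate is CA signed.

```python
"""Check whether a server certificate covers every name View clients use.

Added example, not VMware's code. Certificates are handled in the dict
format returned by ssl.SSLSocket.getpeercert(); hostname matching follows
the usual RFC 6125 rules (case-insensitive, single left-most wildcard label).
"""
import socket
import ssl

# Constructed placeholder names for the thread's setup: three internal
# brokers, one security server and the load balancer name clients use.
REQUIRED_NAMES = [
    "view-cs1.corp.example",
    "view-cs2.corp.example",
    "view-cs3.corp.example",
    "view-sec.corp.example",
    "view.corp.example",
]

# Constructed sample: the kind of dict getpeercert() returns for a cert that
# was issued before the third broker and the security server existed.
SAMPLE_CERT = {
    "subject": ((("commonName", "view-cs1.corp.example"),),),
    "subjectAltName": (
        ("DNS", "view-cs1.corp.example"),
        ("DNS", "view-cs2.corp.example"),
        ("DNS", "view.corp.example"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}


def dns_names(cert):
    """Return the DNS names the certificate is valid for.

    subjectAltName is authoritative; the subject CN is only consulted when
    there is no SAN extension at all (legacy behaviour most clients no
    longer honour).
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for kind, value in rdn:
                if kind == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """True if a SAN entry (possibly '*.domain') matches the hostname."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), hostname.split(".")
        # Wildcard covers exactly one label, and only the left-most one.
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def coverage(cert, required=REQUIRED_NAMES):
    """Map each required hostname to whether the certificate covers it."""
    names = dns_names(cert)
    return {host: any(name_matches(p, host) for p in names) for host in required}


def missing_names(cert, required=REQUIRED_NAMES):
    """Hostnames that would trigger a name-mismatch error in a client."""
    return [host for host, ok in coverage(cert, required).items() if not ok]


def fetch_peer_cert(host, port=443):
    """Fetch the certificate a live server presents, chain-verified.

    Not called in the offline run. If the chain is not trusted by the local
    store, the handshake itself raises SSLCertVerificationError, which is
    the same condition that makes View Client show an untrusted warning.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host, ok in coverage(SAMPLE_CERT).items():
        print(f"{host:28s} {'covered' if ok else 'MISSING from SAN'}")
```

To check a real broker, replace `SAMPLE_CERT` with `fetch_peer_cert("<broker hostname>")` and list the names clients actually type (including the load-balanced name) in `REQUIRED_NAMES`; every name in the `missing_names` output needs to be added as a SAN on the next certificate request.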
