VMware Workspace ONE Community
SLClarke
Contributor

Setup issues

So for starters a bit of background. Our domain is named COMPANY.local. Set up another DNS zone for COMPANY.com.au, which contains the entries for the five appliances, plus the DNS entry for the FQDN pointing to the gateway-va IP address (without a PTR record). From an external access point of view workspace.COMPANY.com.au is forwarded to our internal IP of the gateway-va.

Horizon vApp installs OK. During the wizard get the internal database error that others seem to be getting, so ran the below script on the configurator-va:

cd /usr/local/horizon/lib/menu/secure

./wizardssl.hzn --makesslcert gateway-va  workspace.COMPANY.com.au

./wizardssl.hzn

Continue with the install including entering our *.COMPANY.com.au SSL cert. Plus add the connector to the domain. Manually set the timezone on each appliance, since the option is not available during install. Leaving me with a system that works OK accessing it both internally and externally using AD authentication, except without a valid SSL certificate. So then go back to the configurator-va and connector-va; despite entering the SSL certificate during the install, it is not displayed in the SSL fields on each device. Re-entered the SSL certificate, try to log in with AD credentials and the system does not log in, with the error:


"Problem adding user to Horizon:Request failed: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"


So I am on about my 6th attempt at installing the vApp (thankfully it only takes about 30 minutes). What am I doing wrong? Or are there just major issues since it is version 1.0? Have read as many guides as possible to get an idea. Also at this point awaiting a response from VMware support regarding this issue.


Thanks for taking time to read this,


Steve

8 Replies
sravuri
VMware Employee

It looks like the certs are not quite right in the environment. You don't usually have to reinstall the vApp. Can you please double check the following?

1. Make sure you have put the entire SSL cert chain in the configurator web UI. The chain should have your cert + intermediate cert + root cert.

2. Make sure you have added the root and intermediate certs into all VAs (service, connector and data) using the steps described in documentation at this link (Applying SSL Certificate from Private CA) - Horizon Workspace Help

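A way to check the first item in the reply above before pasting a bundle into the configurator web UI, given as an added example that is not part of the thread or of VMware's documentation. It assumes `openssl` is installed on the machine where the bundle is assembled; the script and file names are hypothetical.

```shell
# Added example: sanity-check a PEM bundle (leaf, intermediates, root).

# Split bundle $1 into $2/cert-1.pem, cert-2.pem, ...; print how many were found.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

# Return 0 when the bundle is ordered leaf -> intermediate(s) -> self-signed
# root and the signatures verify against the bundle's own root; otherwise
# print the reason and return 1. This checks completeness and order, not
# whether a given Java trust store contains that root.
check_chain() {
  tmp=$(mktemp -d) || return 1
  n=$(split_bundle "$1" "$tmp"); i=1; rc=0
  if [ "$n" -lt 2 ]; then
    echo "found $n certificate(s): intermediate and root are missing"; rc=1
  fi
  while [ "$rc" -eq 0 ] && [ "$i" -le "$n" ]; do
    # The last certificate must be self-signed; every other one must be
    # issued by the certificate that follows it in the bundle.
    if [ "$i" -lt "$n" ]; then issuer_cert=$((i + 1)); else issuer_cert=$i; fi
    want=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
    have=$(openssl x509 -in "$tmp/cert-$issuer_cert.pem" -noout -subject_hash)
    if [ "$want" != "$have" ]; then
      echo "cert $i: issuer does not match subject of cert $issuer_cert"; rc=1
    fi
    i=$((i + 1))
  done
  if [ "$rc" -eq 0 ]; then
    # Everything after the leaf acts as the CA file for this consistency check.
    sed '1,/-----END CERTIFICATE-----/d' "$1" > "$tmp/ca.pem"
    openssl verify -CAfile "$tmp/ca.pem" "$tmp/cert-1.pem" >/dev/null 2>&1 \
      || { echo "signature verification failed"; rc=1; }
  fi
  rm -rf "$tmp"
  return "$rc"
}

# Usage: sh check_chain.sh bundle.pem
[ $# -eq 0 ] || check_chain "$1"
```

A bundle that passes can still fail with the PKIX error if the appliance's Java trust store lacks the root, which is the second item in the reply.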
SLClarke
Contributor

Thanks, I will give it a shot and let you know the result. Feels like the release of this product was a bit rushed and missing a lot of options during the setup and wizard process.

What led me down this path was "Applying an SSL Certificate from a Major Certificate Authority"

http://pubs.vmware.com/horizon-workspace-10/index.jsp#com.vmware.hs-install.doc_10/GUID-AF326FAF-FB4...

The certificate is from GoDaddy, is it a bad assumption that they are a major certificate authority?

sravuri
VMware Employee

Yes, unfortunately, GoDaddy is not trusted by the earlier version of Java (Java 1.6).

Also, yes, the SSL cert issues were discovered later in the release cycle. We are working to improve this experience and avoid manual steps in our next release.

SLClarke
Contributor

So I have followed the steps listed in "Applying an SSL Certificate from a Private Certificate Authority" and it appears to have completed OK. As advised in that doco I then follow the steps listed in "Applying an SSL Certificate from a Major Certificate Authority". Certificate loads OK on the configurator-va, except on the connector-va getting the error "Failed to initialize Java keystore handling."

What I do notice is when accessing workspace.COMPANY.com.au externally the browser is prompting for a login "https://workspace.COMPANY.com.au:443". I hit escape, then the browser will go to the Horizon login page of "https://workspace.COMPANY.com.au/hc/login". This extra prompt has only occurred since adding the connector-va to the domain. Therefore I am thinking the SSL cert still needs to be loaded to the connector.

Thanks

sravuri
VMware Employee

In your case, the connector is being invoked via the gateway (IDP URL is the FQDN). The URL in the browser has not changed (it has remained the FQDN, right?). So, the cert on the connector doesn't matter.

Ignoring the "Failed to initialize Java keystore handling." error you saw on the connector, is there any functionality problem you are seeing?

Is the browser prompting you to accept a cert? Is the login successful?

SLClarke
Contributor

Yes, that is correct the browser URL has not changed.

At the moment functionality internally is OK.

No, the browser is not prompting to accept a cert. Via Chrome I see the "green pad lock icon". Yes, login is successful (but I need to log in twice, as explained below).

So in order for the site to work externally I need to log in twice. Once via the browser popup and then again via the Horizon login screen.

If I do not log in to the browser popup and hit escape, then just log in to Horizon, then the applications tab does not display any ThinApps.

Thanks again for your response.

kpelt
Contributor

Is this on a Windows machine? Is UAC enabled?

sravuri
VMware Employee

You may have enabled Kerberos and that is why you are seeing the initial popup, as Kerberos is failing externally.
