34 Replies Latest reply on Jul 23, 2009 1:30 AM by warlord_mit

    VI constantly asks for Client Certificates?

    warlord_mit Novice

       

      Hi,

       

       

      I've got vmware-server 2 running on a Fedora 9 host.

       

       

      Every time I log in to my VI Web Access I receive multiple certificate request dialogs requesting me to select a personal certificate to identify myself with. As I have no relevant personal certificate, I cancel these requests and am finally able to type in my credentials. These dialogs pop up every 30-60 seconds, which is a very big annoyance. What is worse is that the server then times out waiting for me to click the dialog away.

       

       

      I fail to understand why I constantly receive all these certificate requests. Is there some way to turn this off?

       

       

      My browser is Firefox, but apparently this happens with other browsers too.

       

       

       

       

       

        • 1. Re: VI constantly asks for Client Certificates?
          lakesideview Lurker

           

          If you don't want to get the certificate warning in Firefox and IE, you need to install the certificate. If you use IE, you can just click to view the certificate and then choose to install the certificate. The installation wizard will ask you where to install it; browse to the Trusted Root Certification Authorities and confirm. Restart IE; the certificate warning should disappear and the certificate icon will be green. Firefox should also recognize the certificate if you put it in Trusted Root.

           

           

          Alex

           

           

          • 2. Re: VI constantly asks for Client Certificates?
            warlord_mit Novice

            lakesideview:  Thanks for trying but you clearly either didn't read my post or didn't understand it.  This has nothing to do with the SERVER SSL Certificate.  That prompt appeared only once and I added it to my trusted certificate store.  No, the problem is that the server is asking firefox for a CLIENT certificate, and it keeps asking over and over and over again..  And every time it asks firefox pops up a dialog asking which certificate to supply.  Of course none of my certificates are valid, and it just keeps asking.

            • 3. Re: VI constantly asks for Client Certificates?
              lakesideview Lurker

              I guess you may have installed and uninstalled VMware Server several times, and each time you may have given a different URL, which is used to issue the certificate. The certificate has its own signature even if you use the same name but a different date. You must have the certificate match what the server is asking for. You may try to clean out the old certificate and install the new one. If you are running Vista, you have to use the MMC certificate snap-in to move the certificate to the trusted root for the computer account. Using the browser won't be able to solve the problem.

              • 4. Re: VI constantly asks for Client Certificates?
                warlord_mit Novice

                 

                lakesideview, thanks but you are still misunderstanding the problem.  First, my client is Linux.  While that is irrelevant to the question at hand, it will hopefully stop the slew of windows-specific answers.  Second, again, this has NOTHING to do with the SSL Server Certificate.  Do you understand the difference between a server certificate and a client certificate?  Based on your answers I assume the answer is "no", so I'll try to explain.  A server certificate is used to authenticate the server to the client.  SSL requires this.  It's the certificate that the server presents to you so you can verify the name of the server against the URL you're using.  That part of vmware is working just fine.

                 

                 

                The problem I'm having is with CLIENT certificates.  A Client Certificate is a certificate that you generate in your browser and it authenticates you, the user, to the SSL server.  It can be used by web services in lieu of a username/password to authenticate the user of the web service.  To do this a web service provides a special page that tells the browser to generate a certificate request which gets passed up to the server, signed, and then passed back to the browser for future use.  Then later in time the server can request the certificate from the client to verify that it's the same user.

                 

                 

                Any SSL server can be configured to ask the browser for a client certificate.  The Vmware webAccess server is configured this way.  Unfortunately there is no "special page" in webAccess to cause the certificate generation in the browser, and I have not been able to find a way to tell vmware to stop asking the client for a certificate.  THAT is the question -- How do I get vmware to stop asking my browser for a client certificate?  Every time vmware asks for a certificate (which is every 30-60 seconds) my browser pops up a dialog asking me which certificate to supply (I have several client certificates already, but none of them apply).

                 

                 

                Hopefully this better explains the problem at hand?

                 

                 

                • 5. Re: VI constantly asks for Client Certificates?
                  lakesideview Lurker

                   

                  Sounds like your session expires every 30-60 seconds. Check your browser settings if you never changed the default VMware Web Access settings under Apache and Tomcat.

                   

                   

                  I don't think you want to teach me CA or encryption. I have been programming under Unix and Windows for more than 15 years. I think I know a little bit of such knowledge.

                   

                   

                   

                   

                   

                  • 6. Re: VI constantly asks for Client Certificates?
                    warlord_mit Novice

                    lakesideview,

                     

                    > Sounds like your session expires every 30-60 seconds. Check your browser settings if you never changed the default VMware Web Access settings under Apache and Tomcat.

                    Okay, I'll bite at this one.  What (firefox) browser setting do you think I should be checking?  I've been to plenty of other SSL sites, even sites that DO require client certificates, and I've never had this kind of issue before.  Only VI seems to be doing it.  No, I did not change the default VMWare Web Access settings on apache or tomcat, but frankly I'd love to find the SSL settings there and turn off the "ask for client certificate" setting.  I know that apache's mod_ssl has such a configuration flag but I have no idea where VMware stores its apache or tomcat settings.

                     

                    > I don't think you want to teach me CA or encryption. I have been programming under Unix and Windows for more than 15 years. I think I know a little bit of such knowledge.

                    Sorry, but A does not imply B.  Years of programming does not imply any specific knowledge of Certificate Authorities, Encryption, or how certificates work.  Based on your previous two responses to me you certainly led me to believe you did NOT understand the concept of a "Client Certificate".  I'm still not convinced you do.  And no, I do not want to teach you "CA or encryption", but I've been in the security industry for almost 20 years so I could if necessary.  But honestly I just want to find the vmware apache/tomcat configuration and turn off the annoying client certificate request.

                    • 7. Re: VI constantly asks for Client Certificates?
                      jack-uk Novice

                       

                      Did you ever get this sorted?

                       

                       

                      I have the same problem on a server that I cannot get access to at the moment (yeah, I'm troubleshooting an issue where I can't test  the solution) but have done a bit of digging on the Tomcat documentation and come to the conclusion that it is not a Tomcat configuration option. It looks more like the hostd process is a reverse proxy feeding onto Tomcat.

                       

                       

                      The file /etc/vmware/hostd/proxy.xml seems to configure this, but there is no obvious way to turn off  client certificate checking.

                       

                       

                      • 8. Re: VI constantly asks for Client Certificates?
                        vmsecde Novice

                         

                        I too have this problem. I run VMWare Server 2 under Debian Lenny and I get constantly hammered with client certificate requests when using Firefox. Using IE7, I am only asked twice before logging in and then never again. While this is better than in Firefox, it's still not ideal.

                         

                         

                        So any ideas on this topic would be greatly appreciated.

                         

                         

                        • 9. Re: VI constantly asks for Client Certificates?
                          Jarra Lurker

                           

                          Well, for one thing I totally agree with you that lakesideview doesn't know the first thing about client certs. But here's the answer to your question about what to change to get the nagging client cert request to disappear:

                           

                           

                          In tomcat\conf\server.xml -> look for <Connector port="8308" ... />.  Add the clientAuth="false" attribute:

                           

                           

                           

                          <Connector port="8308" maxHttpHeaderSize="8192" maxThreads="150"
                                     minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
                                     redirectPort="8443" acceptCount="100" connectionTimeout="20000"
                                     disableUploadTimeout="true" clientAuth="false" />

                           

                           

                          • 10. Re: VI constantly asks for Client Certificates?
                            guyrleech Virtuoso

                             

                            Tried this but unfortunately doesn't work and, yes, I had restarted the web access (and host agent) on my openSUSE host.

                             

                             

                            What I notice is that if I use IE7 to go to any non-existent URL on the server, say https://<server>/doesntexist, (running on port 443 now and not 8333), then it does the client certificate prompting so it must be something early on in the Tomcat scheme of things that is set to prompt for certificates. I also deleted the lines you referred to out of the server.xml file, restarted web access and browsed to https://<server>/ui and it still prompts for client certificates (as per my previous observation) before you get to a blank page rather than a login page, since the connector has effectively been disabled, so it definitely can't be this section which is causing the prompting.

                             

                             

                            Not knowing much about Tomcat, and not really wanting to learn the hard way, I don't really know where to look to sort it.

                             

                             

                            Ideas welcomed. Any Tomcat gurus out there?

                             

                             

                             

                             

                             

                            • 11. Re: VI constantly asks for Client Certificates?
                              Jarra Lurker

                               

                              You are not supposed to delete any lines, just to add clientAuth="false" at the end of the sequence. Then restart the host agent. I've done this on several occasions, and it worked every time.

                               

                               

                              But perhaps there's something else messing up in your environment. You describe the exact same symptoms that I experience though.

                               

                               

                               

                               

                               

                              • 12. Re: VI constantly asks for Client Certificates?
                                guyrleech Virtuoso

                                Sorry, perhaps I didn't make myself clear. I made the initial clientAuth addition, restarted web access and I was still prompted for certificates in a new IE7 process on my client. I then deleted the connector completely to see what behaviour that would cause, which was still to prompt for client certificates.

                                • 13. Re: VI constantly asks for Client Certificates?
                                  wjfang Lurker

                                   

                                  Has there been a solution for this yet? I have the same problem. There must be somewhere we can disable VI checking the client certificate, or where we can tell VI what client certificate is acceptable. In config.xml, I find the certificate and private key used by the server, but I have had no luck finding the place that says how to authenticate a client certificate.

                                   

                                   

                                  Thanks!

                                   

                                   

                                  • 14. Re: VI constantly asks for Client Certificates?
                                    vmsecde Novice

                                     

                                    Unfortunately, this doesn't work.

                                     

                                     

                                    But I didn't expect it to, since the connector on port  8308 is a non-SSL connector anyway. The SSL connectors have the clientAuth="false" attributes per default in the configuration file.

                                     

                                     

                                    What is interesting - I installed VMware Server on a Windows machine and there I do not get asked for a client certificate. So maybe this is a Linux-only problem? This is just a guess, though.
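
The check described in reply 14, as an added example that is not part of the original thread or VMware's own code: it lists every `<Connector>` in a Tomcat `server.xml`, marks which ones terminate TLS, and reports where `clientAuth` actually matters. The sample XML is constructed, and the TLS-detection heuristic and the function names are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the style of a Tomcat server.xml (not VMware's shipped file).
SAMPLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8308" maxThreads="150" redirectPort="8443"
               clientAuth="false" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               sslProtocol="TLS" clientAuth="want" />
    <Connector port="8444" scheme="https" secure="true" sslProtocol="TLS" />
  </Service>
</Server>
"""

def is_tls_connector(attrs):
    """Heuristic (assumption): SSLEnabled="true", or scheme="https" with secure="true"."""
    if attrs.get("SSLEnabled", "").lower() == "true":
        return True
    return attrs.get("scheme") == "https" and attrs.get("secure", "").lower() == "true"

def audit_connectors(xml_text):
    """Return one finding per <Connector>: port, tls, effective clientAuth, note."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        a = conn.attrib
        tls = is_tls_connector(a)
        client_auth = a.get("clientAuth", "false").lower()  # Tomcat's default is "false"
        if not tls:
            note = ("clientAuth has no effect on a non-TLS connector"
                    if "clientAuth" in a else "plain connector")
        elif client_auth in ("true", "want"):
            note = "connector requests a client certificate"
        else:
            note = "connector does not request a client certificate"
        findings.append({"port": a.get("port"), "tls": tls,
                         "clientAuth": client_auth if tls else None, "note": note})
    return findings

def requesting_ports(findings):
    """Ports where Tomcat itself asks for a client certificate. An empty list while
    the browser still prompts points at a layer in front of Tomcat instead."""
    return [f["port"] for f in findings if f["tls"] and f["clientAuth"] in ("true", "want")]

if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```
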

                                     

                                     
