How to Setup a SSL Certificate on a View Connection Server and Security Gateway

gunnarb — Thu, 12 Jan 2012 22:21:32 GMT

Step 1:

Add this to the system path:

C:\Program Files\Vmware\Vmware View\Server\jre\bin

Step2:

Don't try and make the CSR yourself, just go to this site and have one auto created:

https://www.digicert.com/easy-csr/keytool.htm

That should return a keytool command like this:

keytool -genkey -alias server -keyalg RSA -keysize 2048 -keystore star_gunnarberger_com.jks -dname "CN=*.gunnarberger.com,OU=Information Technology, O=GunnarBerger.com, L=Athens, ST=Georgia, C=US" && keytool -certreq -alias server -file star_gunnarberger_com.csr -keystore star_gunnarberger_com.jks && echo Your certificate signing request is in star_gunnarberger_com.csr. Your keystore file is star_gunnarberger_com.jks. Thanks for using the DigiCert keytool CSR helper.

NOTE: The keytool command I used above was for a wildcard cert so it was *.gunnarberger.com, had I wanted view.gunnarberger.com the tool would have been different (I just wanted to explain why my example has a astrick in it).

After you execute this command you will have to type in a password for this file 3 or 4 times. For simplicity just keep the password the same throughout.

The command you just issued is going to give you a CSR file and a JKS (Java Keystore). I put both of these files into a directory on the root of my hard drive. C:\cert

Step 3:

You'll need to go to your CA of your choice and upload the CSR. I used http://www.rapidssl.com/ because its cheap and I'm cheap.

All CAs have different steps you have to take before they will generate a cert. The more expensive the cert, the longer it takes (becuase it means that did more to make sure you are you.) With RapidSSL, it took about 15 minutes, so they probably aren't the best CA in the world. Eventually they will email you a link to download your cert which you will need to make sure and download this in PKCS7 format or (.p7s).

Now I you should have a file called <filename>.p7s

I go right ahead and drop that file to the same C:\cert directory

Inside the C:\cert directory you should now have three files

<filename>.cer

<filename>.jks

<filename>.p7s

Step 4:

Now that you have all three of these you need to execute the following command

keytool -import -alias server -trustcacerts -file <filename>.p7s -keystore <filename>.jks

Here is a screen shot of me executing this command.

If you don't get "Certificate reply was installed in keystore" I don't know what to tell you, call someone.

Step 5:

Finally, we need to get the View Connection Server to actually use the cert we just added to TomCat. Thankfully this is pretty easy.

Copy the <filename>.jks file into the following directory:

C:\Program Files\Vmware\VMware View\Server\sslgateway\conf\

Step 6:

While you are in that directory use notepad to create a new file that is called locked.properties

Inside that file put the following (again using notepad)

keyfile=<name of keyfile>

keypass=<password>

storetype=jks

Step 7:

Restart the VMware View Connection Server Service

Troubleshoot:

It takes a few minutes for this to come back, even after the service says it is up. It always takes just enough time for me to freak out and think I broke something. So to ease my mind I learned to just look at the log file, so go ahead and open the following directory:

C:\ProgramData\VMware\VDM\logs\

Inside that directory you will find a log file called, log-<DATE>.txt look for todays date. Open that file and go to the very bottom. Also, you can just search for "SSL" that tends to bring you to the line you are lookig for.

11:41:00,292 INFO <Thread-1> [m] The Secure Gateway Server is using SSL certificate store <filename>.jks with password of 8 characters

NOTE: If you don't see your jks file but instead see vdm.p12, then it didn't work, this is the default certificate. I had this happen on a couple servers and I ended up just rebooting the server and after the reboot it worked... no idea why, its Windows what more can I say.

Additional Server:

So you have more than one server to do, well good news, all you have to do is take the locked.properties file and the <filename>.jks file and copy them to the new server. Start at Step 5 above and work your way down. You can repeat this over and over, if you use a wildcard cert at least, or if you are sharing a name like view.domain.com in your cert and just want to have that on each server. Just make sure your DNS is setup correctly and you should be good.

article How to Setup a SSL Certificate on a View Connection Server and Security Gateway in Horizon Documents