nasolsi

Citrix Xendesktop 7.1 cannot connect to VMware vSphere 5.5 due to ssl certificate error

Hello Experts,

Could you please help me with an SSL certificate connection issue between Citrix XenDesktop Studio and a VMware vSphere server?

Let me give you more info on what I've done so far to make it more understandable: I'm using VMware Workstation 7 to set up my own home virtual environment. I've set up two DCs and one member server with Windows Server 2008 R2 SP1, one Win 7 Pro client, one DDC (Desktop Delivery Controller) with a Citrix XenDesktop 7.1 30-day trial version and one VM with a VMware vSphere 5.5 30-day trial. I've successfully installed all of the XenDesktop 7.1 components (XenDesktop, licence server, SQL Server, Desktop Director, Desktop Studio) on the same server and named it DDC. I've also successfully installed VMware vSphere 5.5 on another VM. When I started setting up and deploying Desktop Studio I was prompted for a host address, username and password, so I put in https://ip address of the vSphere server (taken from the vSphere server itself), username root and root's password (these logon credentials are exactly the same as the ones I'd set up when I was installing the vSphere server), and I kept getting an SSL certificate connection error message (see the screenshot). I couldn't establish an SSL connection between XenDesktop Studio (DDC) and my VMware vSphere infrastructure because the VMware vSphere SSL certificate is unknown. I did try importing and installing the VMware SSL certificate from the DDC: I clicked on "View Certificate" and imported it successfully into the DDC's Certificate Store\Trusted People\Local Computer, but still no luck, as I kept getting this SSL connection error message.
I did try exporting the SSL certificate directly from the vSphere server but I couldn't find any options for that, as I don't have experience with vSphere and am not familiar with vSphere's management interface. I don't know how to launch any vClient web interface, either from the vSphere server or from the DDC.

Could you please help me or give me any advice on how to resolve this SSL certificate connection issue so that XenDesktop Studio can connect to the vSphere host infrastructure, and how to launch the vCenter web client to get access to the vSphere server remotely?

Thank you in advance.
SSL-Certificate.docx
Joseph Nyaema

vCenter needs to be a trusted root CA. Please follow the steps in "install vcenter certificate on broker".
nasolsi

ASKER

Hi Nyaema,

Thank you for your reply.

I've got one more question regarding the solution you gave me:

"Unfortunately this does not work in all cases. But luckily there is another option to make it work:

1. Connect to your vCenter server and browse to "C:\ProgramData\VMware\VMware VirtualCenter\SSL"" - how can I find VMware's SSL certificate? From my PC itself, where the VMware Workstation installation files are, by going to C:\ProgramFiles\VMware\VMware VirtualCenter\SSL, or do I need to do it from the VM where vSphere is installed?

The reason why I've asked you this question is that I don't know how to connect remotely to the vSphere server and what commands need to be run on the vSphere server itself, because I'm not familiar with the vSphere management interface.

Thank you in advance.
You need to alter files on the VMware vSphere vCenter Server.

So you would need to connect to the server via RDP, and then stop the vCenter Service, and replace those files.

It's covered in detail in this document

VMware KB: Implementing CA signed SSL certificates with vSphere
Follow the instructions for the browser and just enter https://ipaddress instead of the hostname,
and import the certificate. This is the self-signed certificate.
nasolsi

ASKER

I've done exactly the same thing and it didn't work.
You have followed all the instructions, and have a CA root-signed certificate?

Did you generate a certificate request using OpenSSL?

See my EE article, Step by Step Tutorial Instructions with Screenshots

Part 12: HOW TO: Configure and Replace the SSL Certificate on a VMware vSphere Hypervisor 5.1 (ESXi 5.1) Host Server

This is for the ESXi server, but VMware vCenter Server generation is the same, just use its IP address and FQDN.
nasolsi

ASKER

Thank you to all of you for your help.

I keep getting this SSL error message.

What I've done so far: I managed to install the vSphere web client and I can now log into the vSphere host. I've also enabled the SSH service and I can now log on and manage the vSphere host through PuTTY.

Could you please give me advice on how to change the vSphere host SSL certificate through the vSphere web client and/or PuTTY?

Thank you in advance
nasolsi

ASKER

Hello again,

I've also found this citrix article:

Replace the default XenServer SSL certificate
Updated: 2012-08-23

Citrix recommends using HTTPS to secure communication between XenDesktop and XenServer. To use HTTPS you must replace the default SSL certificate installed with XenServer with one from a trusted certificate authority:

1. Modify /etc/pki/tls/openssl.cnf as follows:
   a. Request extensions by uncommenting the following line:
        req_extensions = v3_req
   b. Modify the section for requested sections to read as follows:
        [v3_req]
        basicConstraints = CA:FALSE
        keyUsage = keyEncipherment
        extendedKeyUsage = serverAuth
2. Generate a certificate request:
     openssl genrsa -out [servername].private 2048
     openssl req -new -outform PEM -out [servername].request -keyform PEM -key [servername].private -days 365
   where [servername] is the name of the XenServer host. This generates a request for a 1 year (365 day) certificate in the file called [servername].request.
3. Have the certificate request contained in [server name].request signed by a certificate authority. This can be either a commercial certificate authority or an internal corporate certificate authority such as Microsoft Certificate Services.
4. After the new certificate has been signed, move the existing certificate:
     mv /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem_orig
5. Add the new signed certificate to the XenServer host and tighten the access rights:
     cat [servername].public [servername].private > [servername].pem
     install -m 0400 [servername].pem /etc/xensource/xapi-ssl.pem
6. Edit the file /etc/init.d/xapissl, using the line:
     PEMFILE="/etc/ssl/certs/[servername].pem"
7. Restart the XenServer communications service by entering the following command:
     /etc/init.d/xapissl restart

If you are using a private certificate authority you may need to install your root certificate on the controller.

Install a certificate on the controller
1. Locate the root certificate file in Windows Explorer.
2. Right-click the root certificate file and select Install Certificate. The Certificate Manager Install Wizard appears.
3. On the Welcome page, click Next.
4. On the Certificate Store page, select Place all certificates in the following store.
5. Click Browse.
6. Select Show physical stores.
7. Expand Trusted Root Certification Authorities, then select Local Computer.
8. Select Local Computer.
9. Click OK.
10. Follow the instructions in the wizard to complete the install.

Do I need to use cmd to modify xendesktop server ssl certificate and where to find /etc/pki/tls/openssl.cnf directory?
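
The certificate-request steps from the Citrix article quoted in the post above, as an added example that is not part of the original post or of the Citrix article. It assumes a private config file in place of edits to /etc/pki/tls/openssl.cnf, a throwaway CA (lab-ca) standing in for the real certificate authority, and a constructed host name (xenhost.lab.example); the last two checks show what installing the root certificate on the controller changes.

```sh
#!/bin/sh
# Added example; xenhost.lab.example and lab-ca are constructed names.

build_lab() {   # $1 = empty working directory
    d=$1
    # Step 1 as a private config file. [ca_ext] is an addition for the lab CA.
    cat > "$d/req.cnf" <<'EOF'
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = xenhost.lab.example
[v3_req]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment
extendedKeyUsage = serverAuth
[ca_ext]
basicConstraints = critical,CA:TRUE
EOF
    # Step 2: private key and certificate request.
    openssl genrsa -out "$d/server.private" 2048 2>/dev/null || return 1
    openssl req -new -config "$d/req.cnf" -key "$d/server.private" \
        -out "$d/server.request" || return 1
    # Step 3: a throwaway CA stands in for the real one and signs the request.
    openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" \
        -extensions ca_ext -subj "/CN=lab-ca" -days 30 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.request" -CA "$d/ca.pem" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/req.cnf" \
        -extensions v3_req -days 365 -out "$d/server.public" 2>/dev/null
}

csr_requests_server_auth() {   # $1 = certificate request
    openssl req -in "$1" -noout -text | grep -q 'TLS Web Server Authentication'
}

chain_ok() {   # $1 = certificate, $2 = root to trust (optional)
    if [ -n "$2" ]; then
        openssl verify -CAfile "$2" "$1" 2>&1 | grep -q ': OK$'
    else
        openssl verify "$1" 2>&1 | grep -q ': OK$'
    fi
}

LAB=$(mktemp -d) && build_lab "$LAB" || exit 1
csr_requests_server_auth "$LAB/server.request" && echo "CSR carries v3_req"
chain_ok "$LAB/server.public" || echo "rejected: issuing root not trusted"
chain_ok "$LAB/server.public" "$LAB/ca.pem" && echo "accepted: root trusted"
```

keyUsage = keyEncipherment on its own covers RSA key exchange only; a server that negotiates ECDHE suites or TLS 1.3 signs the handshake and also needs digitalSignature in that list.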
nasolsi

ASKER

Could you please have a look at the screenshot of the Desktop Studio connection logon credentials for vSphere?

If they are not correct, could you please type in the correct logon credentials.
Studio-Connection.JPG
nasolsi

ASKER

Hello experts,

I did follow the steps from the following Citrix article: http://support.citrix.com/article/CTX138640 about replacing “httpsWithRedirect” with “httpAndHttps”, but I couldn't see the content of the proxy.xml file to make the change.
Here is my PuTTY output:

login as: root
Using keyboard-interactive authentication.
Password:
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ # cd etc/vmware
/etc/vmware # find /etc|grep proxy
/etc/init.d/rhttpproxy
/etc/vmware/hostd/proxy.xml
/etc/vmware/rhttpproxy
/etc/vmware/rhttpproxy/endpoints.conf
/etc/vmware/rhttpproxy/default-config.xml
/etc/vmware/rhttpproxy/config.xml
/etc/vmsyslog.conf.d/rhttpproxy.conf
/etc/vmware # vi proxy.xml

~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
- proxy.xml 1/1 100%


What am I doing wrong?
Why am I not able to see the content of the proxy.xml file and make any change?

Could you please provide me with the correct commands to be able to see the content of the proxy.xml file and make any changes?

I'm really sorry for all these issues but I don't have any experience in Citrix and VMware and just want to get a bit more experience in these technologies.

Thank you in advance.
The instructions you are following are possibly for ESX and not ESXi (which is the server and product you have!).

They are different products.
nasolsi

ASKER

Hi Andrew,

I'm using VMware ESXi 5.5.0.

Could you please provide me with the correct instructions for VMware ESXi 5.5.0?

Thank you in advance
Forgive me if this is repeated information as I've only scan read through the other answers (it's been a long day) but there are step by step instructions here:

http://blogs.citrix.com/2013/12/18/using-the-default-vmware-vcenter-server-certificate-in-xendesktop-pocs/
nasolsi

ASKER

Hi Tony1044,

Thank you for your response.

I did install vSphere's SSL certificate a few times into Trusted People\Local Computer, Trusted Root Certification Authorities, Personal, Trusted Publisher and Intermediate Certification Authorities, and still no luck.

Regarding your instructions I've got one question:
"Unfortunately this does not work in all cases. But luckily there is another option to make it work:
1. Connect to your vCenter server and browse to "C:\ProgramData\VMware\VMware VirtualCenter\SSL"
2. Copy the cacert.pem file to your XenDesktop Broker (to the C:\Temp directory for example)" - how do I browse to the vSphere host and get access to C:\ProgramData\VMware\VMware VirtualCenter\SSL, and how do I copy the cacert.pem file to the XenDesktop Broker? The reason why I'm asking you all these questions is that I'm able to get access to the vSphere hypervisor either through the vSphere web client installed on the DDC or through SSH access via PuTTY from the DDC.
I couldn't find any option within the vSphere web client to browse to "C:\ProgramData\VMware\VMware VirtualCenter\SSL" or to export the SSL certificate from the vSphere hypervisor. There is only an option to import a certificate.

Could you please help me, because I've spent 3 days trying to solve this SSL connection issue and my XenDesktop 7.1 30-day trial copy is running out, and I haven't yet done any practice.

Thank you in advance.
Two options to get to that path - either browse to \\vcenter server name\c$\ProgramData\VMware\VMware VirtualCenter\SSL

Or RDP / log into the vcenter server and browse to that folder then copy it to a share you can access from both the vcenter server and the Citrix server. Or copy to a pen drive etc.
Actually, in VMware Workstation can't you copy files from the host to guest VMs?
nasolsi

ASKER

hello,

I couldn't establish RDP to the vSphere host.
How can I enable RDP on vSphere?

I've enabled SSH and got access to vSphere through PuTTY.
Not the vSphere host - the vCenter server.
Log into the VM, right-click Computer -> Properties -> Remote and allow remote connections to the computer.
nasolsi

ASKER

Hello Tony1044,

I found the certificate in \\vcenter server name\c$\ProgramData\VMware\VMware VirtualCenter\SSL and copied it to the folder that is shared with the other VMs.
I've installed it already and will give it a test today, and let you know.

Thanks a lot for your help.
I would ask you to please raise a call with the VMware support team; I saw lots of users are facing this issue and the only solution is that 5.5 has this bug feature.
EE also has users reporting this issue.

Please share the output.
piyushranusri - what issue are other users seeing? Could you provide links?

The OP simply wanted guidance on how to get to the vCenter certificate at this point in time - not sure what you are suggesting is the issue, hence some details would be helpful.
ASKER CERTIFIED SOLUTION
compdigit44

This solution is only available to members.
nasolsi

ASKER

Hello Tony1044,

Just to let you know that this didn't work again. I kept getting the same SSL connection error message.
I'll give up on trying to integrate XenDesktop 7.1 with VMware vSphere as the host hypervisor.
I was looking for another solution for building my own Citrix environment for training and found an article on how to deploy XenDesktop 7.1 using the XenDesktop Service Template for System Center Virtual Machine Manager 2008 R2.
I've successfully installed System Center Virtual Machine Manager 2008 R2 on my member server with Windows Server 2008 R2 but couldn't deploy XenDesktop 7.1 with System Center Virtual Machine Manager 2008 R2 because of an unknown database path. I've installed SQL Server 2005 SP3, which was included in the System Center Virtual Machine Manager 2008 R2 installation files, and when I was prompted for the database path I wasn't able to provide the correct one because I didn't know where to find it and I'm not an SQL professional. So I came up with the solution of deploying XenDesktop 7.1 with System Center Virtual Machine Manager 2008 R2 using the already configured XenDesktop Service Template for System Center Virtual Machine Manager 2008 R2.
I hope this is going to work.
I'll let you know the result and award you the points.

Thank you for your help.
Compdigit - you're quite right!

It's also prominent by absence in the System Requirement on eDocs: http://support.citrix.com/proddocs/topic/xendesktop-71/cds-system-requirements-71.html :

Host
Supported platforms:

• XenServer:
    • XenServer 6.2
    • XenServer 6.1
    • XenServer 6.0.2
• VMware vSphere. No support is provided for vSphere vCenter Linked Mode operation.
    • VMware vSphere 5.1 Update 1
    • VMware vSphere 5.0 Update 2
So in this case we shall wait for XD 7.5 instead?
Well according to their latest supported hypervisor document, as released on February 14th 2014, http://support.citrix.com/servlet/KbServlet/download/29061-102-708399/CitrixSupportedHypervisors.pdf XD 7.1 now supports 5.5 'with issues'

Those issues are here: http://support.citrix.com/article/CTX140135
What ports need to be opened from the Citrix Delivery Controller server to the VMware vCenter server?

Is it just TCP 443 bidirectional?
List of ports here: http://support.citrix.com/servlet/KbServlet/download/2389-102-654859/CitrixPorts_by_Port_1103.pdf

I don't know which need to go both ways - as you can see, the Citrix doc doesn't make that clear, so for the extra little effort I always get them opened bidirectionally.
That's why I got confused myself here as well.

Thanks man