Solved

Citrix Xendesktop 7.1 cannot connect to VMware vSphere 5.5 due to ssl certificate error

Posted on 2013-12-27
Last Modified: 2014-02-26
Hello Experts,

Could you please help me with an SSL certificate connection issue between Citrix XenDesktop Studio and the VMware vSphere server.

Let me give you more info on what I've done so far to make it more understandable: I'm using VMware Workstation 7 to set up my own home virtual environment. I've set up two DCs and one member server with Windows Server 2008 R2 SP1, one Win 7 Pro client, one DDC (desktop delivery controller) with Citrix XenDesktop 7.1 30-day trial version and one VM with VMware vSphere 5.5 30-day trial. I've successfully installed all of the XenDesktop 7.1 components (XenDesktop, licence server, SQL server, desktop director, desktop studio) on the same server and named it DDC. I've also successfully installed VMware vSphere 5.5 on another VM. When I started setting up and deploying desktop studio I was prompted for host address, username and password, so I put in https://ip address of the vSphere server (taken from the vSphere server itself) and username: root and root's password (these logon credentials are completely the same and match those that I'd set up when I was installing the vSphere server) and I kept getting an SSL certificate connection error message (see the screen shot) and I couldn't establish an SSL connection between XenDesktop Studio (DDC) and my VMware vSphere infrastructure due to the unknown VMware vSphere SSL certificate. I did try importing and installing the VMware SSL certificate from the DDC: I clicked on "View Certificate" and imported it successfully into the DDC's Certificate Store\Trusted People\Local Computer, but still no luck, as I kept getting this SSL connection error message.
I did try exporting the SSL certificate directly from the vSphere server but I couldn't find any options for that, as I don't have experience in vSphere and am also not familiar with vSphere's management interface. I don't know how to launch any vClient web interface either from the vSphere server or from the DDC.

Could you please help me or give me any advice on how to resolve this SSL certificate connection issue to get XenDesktop Studio connected to the vSphere host infrastructure, and how to launch the vCenter web client to get access to the vSphere server remotely.

Thank you in advance.
SSL-Certificate.docx
Question by:nasolsi
31 Comments
 
LVL 16

Expert Comment

by:Nyaema
vCenter needs to be a trusted root CA. Please follow the steps in install vcenter certificate on broker
0
 

Author Comment

by:nasolsi
Hi Nyaema,

Thank you for your reply.

I've got one more question regarding the solution you gave me:

''Unfortunately this does not work in all cases. But luckily there is another option to make it work:

1. Connect to your vCenter server and browse to „C:\ProgramData\VMware\VMware VirtualCenter\SSL“ - how can I find VMware's SSL certificate? - from my PC itself, where the VMware Workstation installation files are, going to C:\ProgramFiles\VMware\VMware VirtualCenter\SSL, or do I need to do it from the VM where vSphere is installed?

The reason why I've asked you this question is that I don't know how to connect remotely to the vSphere server and what commands need to be run on the vSphere server itself, because I'm not familiar with the vSphere management interface.

Thank you in advance.
0
 
LVL 117

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
You need to alter files on the VMware vSphere vCenter Server.

So you would need to connect to the server via RDP, and then stop the vCenter Service, and replace those files.

It's covered in detail in this document

VMware KB: Implementing CA signed SSL certificates with vSphere
0
 
LVL 16

Expert Comment

by:Nyaema
Follow the instructions for browser and just enter https://ipaddress instead of hostname
and import the certificate. This is the self-signed certificate.
0
 

Author Comment

by:nasolsi
I've done exactly the same thing and it didn't work.
0
 
LVL 117

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
You have followed all the instructions, and have a CA Root Signed Certificate?

Did you generate a Certificate Request, using OpenSSL?

See my EE Article, Step by Step Tutorial Instructions with Screenshots

Part 12: HOW TO: Configure and Replace the SSL Certificate on a VMware vSphere Hypervisor 5.1 (ESXi 5.1) Host Server

This is for the ESXi server, but VMware vCenter Server generation is the same, just use its IP Address and FQDN.
0
 

Author Comment

by:nasolsi
Thank you to all of you for your help.

I keep getting this SSL error message.

What I've done so far: managed to install the vSphere web client and I can now log into the vSphere host. I've also enabled the SSH service and I can now log on and manage the vSphere host through PuTTY.

Could you please give me advice on how to change the vSphere host SSL certificate through the vSphere web client and/or PuTTY.

Thank you in advance
0
 

Author Comment

by:nasolsi
Hello again,

I've also found this citrix article:

Replace the default XenServer SSL certificate
Updated: 2012-08-23

Citrix recommends using HTTPS to secure communication between XenDesktop and XenServer. To use HTTPS you must replace the default SSL certificate installed with XenServer with one from a trusted certificate authority:

1.Modify /etc/pki/tls/openssl.cnf as follows:
a.Request extensions by uncommenting the following line:
req_extensions = v3_req
b.Modify the section for requested sections to read as follows:
[v3_req]
basicConstraints = CA:FALSE
keyUsage = keyEncipherment
extendedKeyUsage = serverAuth
2.Generate a certificate request:
openssl genrsa -out [servername].private 2048
openssl req -new -outform PEM -out [servername].request -keyform PEM -key [servername].private -days 365
where [servername] is the name of the XenServer host. This generates a request for a 1 year (365 day) certificate in the file called [servername].request.
3.Have the certificate request contained in [server name].request signed by a certificate authority. This can be either a commercial certificate authority or an internal corporate certificate authority such as Microsoft Certificate Services.
4.After the new certificate has been signed, move the existing certificate:
mv /etc/xensource/xapi-ssl.pem /etc/xensource/xapi-ssl.pem_orig
5.Add the new signed certificate to the XenServer host and tighten the access rights:
cat [servername].public [servername].private > [servername].pem
install -m 0400 [servername].pem /etc/xensource/xapi-ssl.pem
6.Edit the file /etc/init.d/xapissl, using the line:
PEMFILE="/etc/ssl/certs/[servername].pem"
7.Restart the XenServer communications service by entering the following command:
/etc/init.d/xapissl restart
If you are using a private certificate authority you may need to install your root certificate on the controller.
Install a certificate on the controller
1.Locate the root certificate file in Windows Explorer.
2.Right-click the root certificate file and select Install Certificate. The Certificate Manager Install Wizard appears.
3.On the Welcome page, click Next.
4.On the Certificate Store page, select Place all certificates in the following store.
5.Click Browse.
6.Select Show physical stores.
7.Expand Trusted Root Certification Authorities, then select Local Computer.
8.Select Local Computer.
9.Click OK.
10.Follow the instructions in the wizard to complete the install.

Do I need to use cmd to modify xendesktop server ssl certificate and where to find /etc/pki/tls/openssl.cnf directory?
0
 

Author Comment

by:nasolsi
Could you please have a look at the screen shot about Desktop Studio connection logon credentials to vSphere.

If they are not correct, could you please type in the correct logon credentials.
Studio-Connection.JPG
0
 

Author Comment

by:nasolsi
Hello experts,

I did follow the steps from the following citrix article: http://support.citrix.com/article/CTX138640 about replacing “httpsWithRedirect” with “httpAndHttps” but I couldn't see  the content of the proxy.xml file to make the change.
Here is my putty's outcome:

login as: root
Using keyboard-interactive authentication.
Password:
The time and date of this login have been sent to the system logs.

VMware offers supported, powerful system administration tools.  Please
see www.vmware.com/go/sysadmintools for details.

The ESXi Shell can be disabled by an administrative user. See the
vSphere Security documentation for more information.
~ # cd etc/vmware
/etc/vmware # find /etc|grep proxy
/etc/init.d/rhttpproxy
/etc/vmware/hostd/proxy.xml
/etc/vmware/rhttpproxy
/etc/vmware/rhttpproxy/endpoints.conf
/etc/vmware/rhttpproxy/default-config.xml
/etc/vmware/rhttpproxy/config.xml
/etc/vmsyslog.conf.d/rhttpproxy.conf
/etc/vmware # vi proxy.xml

~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
~
- proxy.xml 1/1 100%



What am I doing wrong?
Why am I not able to see the content of the proxy.xml file and make any change?

Could you please provide me with correct commands to be able to see the content of the proxy.xml file and make any changes.

I'm really sorry for all these issues but I don't have any experience in Citrix and VMware and just want to get a bit more experience in these technologies.

Thank you in advance.
0
 
LVL 117

Expert Comment

by:Andrew Hancock (VMware vExpert / EE MVE)
The instructions you are following are possibly for ESX and not ESXi (which is the server and product you have!).

They are different products.
0
 

Author Comment

by:nasolsi
Hi Andrew,

I'm using VMware ESXi 5.5.0.

Could you please provide me the correct instructions for VMware ESXi 5.5.0.

Thank you in advance
0
 
LVL 25

Expert Comment

by:Tony1044
Forgive me if this is repeated information as I've only scan read through the other answers (it's been a long day) but there are step by step instructions here:

http://blogs.citrix.com/2013/12/18/using-the-default-vmware-vcenter-server-certificate-in-xendesktop-pocs/
0
 

Author Comment

by:nasolsi
Hi Tony1044,

Thank you for your response.

I did install vSphere's SSL certificate a few times into Trusted People\Local Computer, Trusted Root Certification Authorities, Personal, Trusted Publisher, Intermediate Certification Authorities and still no luck.

Regarding your instructions I've got one question:
''Unfortunately this does not work in all cases. But luckily there is another option to make it work:
1. Connect to your vCenter server and browse to „C:\ProgramData\VMware\VMware VirtualCenter\SSL“
2. Copy the cacert.pem file to your XenDesktop Broker (to the C:\Temp directory for example)'' - how do I browse to the vSphere host and get access to C:\ProgramData\VMware\VMware VirtualCenter\SSL? And how do I copy the cacert.pem file to the XenDesktop Broker? The reason why I'm asking you all these questions is that I'm able to get access to the vSphere hypervisor either through the vSphere web client installed on the DDC or SSH access through PuTTY from the DDC.
I couldn't find any option within the vSphere web client to browse to „C:\ProgramData\VMware\VMware VirtualCenter\SSL“ or to export the SSL certificate from the vSphere hypervisor. There is an option only to import a certificate.

Could you please help me, because I spent 3 days trying to solve this SSL connection issue and my XenDesktop 7.1 30-day trial copy is running out, and I haven't yet done any practice.

Thank you in advance.
0
 
LVL 25

Expert Comment

by:Tony1044
Two options to get to that path - either browse to \\vcenter server name\c$\ProgramData\VMware\VMware VirtualCenter\SSL

Or RDP / log into the vcenter server and browse to that folder then copy it to a share you can access from both the vcenter server and the Citrix server. Or copy to a pen drive etc.
0
 
LVL 19

Expert Comment

by:compdigit44
Actually in VMware Workstation can't you copy files from the host to guest VM's???
0
 

Author Comment

by:nasolsi
Hello,

I couldn't establish RDP to the vSphere host.
How can I enable RDP on vSphere?

I've enabled SSH and got access to vSphere through PuTTY.
0
 
LVL 25

Expert Comment

by:Tony1044
Not the vSphere host - the vCenter server.
0
 
LVL 19

Expert Comment

by:compdigit44
Log into the VM, right-click Computer -> Properties -> Remote and allow remote connections to the computer
0
 
LVL 19

Expert Comment

by:compdigit44
Also check out the following link on how to share files between the host and guest vm's..

http://pubs.vmware.com/workstation-10/index.jsp?topic=%2Fcom.vmware.ws.using.doc%2FGUID-D6D9A5FD-7F5F-4C95-AFAB-EDE9335F5562.html
0
 

Author Comment

by:nasolsi
Hello Tony1044,

I found the certificate in \\vcenter server name\c$\ProgramData\VMware\VMware VirtualCenter\SSL and copied it to the folder that is shared with the other VMs.
I've installed it already and will give it a test today, and let you know.

Thanks a lot for your help.
0
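Added example (not part of the thread, and not Citrix or VMware code): a read-only PowerShell check, run on the Delivery Controller, for the step discussed above. It reports whether the copied cacert.pem is in the machine's Trusted Root store and which validation errors Windows raises for the certificate the server presents. `$Target` is a hypothetical name and `C:\Temp\cacert.pem` is the example location quoted in the thread; both are assumptions to replace with your own values.

```powershell
# Assumed values (placeholders, not taken from a real environment).
$Target = 'vcenter.lab.local'    # hypothetical; use exactly what is typed into Studio (name or IP)
$CaFile = 'C:\Temp\cacert.pem'   # copy of cacert.pem taken from the vCenter SSL folder

# 1. Is the copied CA certificate in the machine-wide Trusted Root store?
#    (A per-user store or "Trusted People" is a different location.)
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaFile)
$inRoot = @(Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Thumbprint -eq $ca.Thumbprint }).Count -gt 0
"CA subject           : $($ca.Subject)"
"CA thumbprint        : $($ca.Thumbprint)"
"In LocalMachine\Root : $inRoot"

# 2. Connect to port 443 and record the validation errors Windows reports.
#    The callback returns $true only so the handshake completes and the
#    certificate can be inspected; nothing is trusted or stored by this script.
$script:tlsErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($s, $cert, $chain, $policyErrors)
    $script:tlsErrors = $policyErrors
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($Target, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Target)
    $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Server subject       : $($server.Subject)"
    "Server issuer        : $($server.Issuer)"
    "Server thumbprint    : $($server.Thumbprint)"
    "Policy errors        : $script:tlsErrors"
}
finally {
    $tcp.Close()
}
```

`RemoteCertificateNameMismatch` in the last line means the name or IP address used does not match the certificate's subject; `RemoteCertificateChainErrors` means the issuer is not trusted by this machine; `None` means Windows accepts the certificate for that address.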
 
LVL 8

Expert Comment

by:piyushranusri
I will ask you to please raise a call with the VMware support team; I saw lots of users are facing this issue and the only solution is that 5.5 has this bug feature.
On EE also, users are reporting this issue.

Please share the output.
0
 
LVL 25

Expert Comment

by:Tony1044
piyushranusri - what issue are other users seeing? Could you provide links?

The OP simply wanted guidance on how to get to the vCenter certificate at this point in time - not sure what you are suggesting is the issue, hence some details would be helpful.
0
 
LVL 19

Accepted Solution

by:
compdigit44 earned 400 total points
Actually according to the following link Citrix doesn't look like they are supporting XenDesktop 7.1 on vSphere 5.5 yet..

http://support.citrix.com/servlet/KbServlet/download/29061-102-707409/CTX131239_XD_Supported%20Hypervisors_2013.pdf

As a test try to install vSphere 5.1 and see if you are able to connect your XenDesktop 7.1 DDC to the ESXi 5.1 server
0
 

Author Comment

by:nasolsi
Hello Tony1044,

Just to let you know that this didn't work again. I kept getting the same SSL connection error message.
I'll give up on trying to integrate XenDesktop 7.1 with VMware vSphere as host hypervisor.
I was looking for any other solution on how to build up my own Citrix environment for training and found an article on how to deploy XenDesktop 7.1 using the XenDesktop Service Template for System Center Virtual Machine Manager 2008 R2.
I've successfully installed System Center Virtual Machine Manager 2008 R2 on my member server with Windows Server 2008 R2 but couldn't deploy XenDesktop 7.1 with System Center Virtual Machine Manager 2008 R2 because of an unknown database path. I've installed SQL Server 2005 SP3 that was included in the System Center Virtual Machine Manager 2008 R2 installation files, and when I was prompted for the database path I wasn't able to provide the correct database path because I didn't know where to find it and I'm not an SQL professional. So I came up with a solution to deploy XenDesktop 7.1 with System Center Virtual Machine Manager 2008 R2 using the already configured XenDesktop Service Template for System Center Virtual Machine Manager 2008 R2.
I hope this is going to work.
I'll let you know the result and reward you points.

Thank you for your help.
0
 
LVL 25

Expert Comment

by:Tony1044
Compdigit - you're quite right!

It's also prominent by absence in the System Requirement on eDocs: http://support.citrix.com/proddocs/topic/xendesktop-71/cds-system-requirements-71.html :

Host
Supported platforms:

•XenServer:
          •XenServer 6.2
          •XenServer 6.1
          •XenServer 6.0.2
•VMware vSphere. No support is provided for vSphere vCenter Linked Mode operation.
          •VMware vSphere 5.1 Update 1
          •VMware vSphere 5.0 Update 2
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
So in this case we shall wait for the XD 7.5 instead ?
0
 
LVL 25

Expert Comment

by:Tony1044
Well according to their latest supported hypervisor document, as released on February 14th 2014, http://support.citrix.com/servlet/KbServlet/download/29061-102-708399/CitrixSupportedHypervisors.pdf XD 7.1 now supports 5.5 'with issues'

Those issues are here: http://support.citrix.com/article/CTX140135
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
What ports need to be opened from the Citrix Delivery Controller server to the VMware vCenter server?

Is it just TCP 443 bidirectional?
0
 
LVL 25

Expert Comment

by:Tony1044
List of ports here: http://support.citrix.com/servlet/KbServlet/download/2389-102-654859/CitrixPorts_by_Port_1103.pdf

I don't know which need to go both ways - as you can see the Citrix doc doesn't make that clear, so for the extra little effort I always get them opened bidirectionally
0
 
LVL 7

Expert Comment

by:Senior IT System Engineer
That's why I got confused myself here as well.

Thanks man
0
