Knowledge
- Import certificates
- Turn on certificate based authentication
- Identify RSA instance
- Identify authentication requirements for RSA and Smart Cards
You may have noticed you have a couple of errors on your Events Dashboard every time you log into View Administrator. This is due to using the default Self Signed Certificates.
Not a problem, you say, it doesn’t really concern me; however, when we roll out to production, your users might get slightly annoyed that they have to click ‘Continue’ every time they connect to the View Security/Connection Server.
We could just turn off SSL certificate checking by ticking ‘Do not verify server identity certificates’ in the View Client. However, this isn’t very elegant and poses a security risk, as the client will then accept any certificate presented to it.
A few prerequisites before we crack on:
- Any Connection Servers, Security Servers or Load Balancers which are client facing require an SSL certificate
- If you use a load balancer which has an SSL certificate and you enable the secure tunnel, then the Security Server or Connection Server requires an SSL certificate as well, because the View Client makes a secondary tunnel directly to the Security/Connection Server
- Local Mode: if you enable SSL for this, you also require an SSL certificate
Generally speaking you would want to use a Trusted Root Certificate Authority such as Verisign or Thawte for any Security Servers and/or Load Balancers which are public facing.
If you have a PKI infrastructure internally, with an Enterprise Certificate Authority then you can use these to replace your Self Signed Certificate on your Connection Servers.
In this particular blog post, we aren’t going to cover generating a certificate request for a Trusted Root Authority, as VMware have kindly written an excellent KB entitled ‘Using Microsoft Certreq to generate and import a signed certificate into View 5.1’.
Import Certificates
To enable the creation of a PKI infrastructure on my home lab, I have added the role ‘Active Directory Certificate Services’ to my domain controller VMF-DC01.
We will be using the Web Server certificate template for server authentication; however, by default we won’t be able to enroll any servers using it, because computer accounts aren’t granted permission to enroll against it.
After you have installed the Active Directory Certificate Services role, run the command ‘certtmpl.msc’ which loads up the default certificate templates.
We want to create a duplicate of the Web Server certificate template, by right-clicking it and selecting Duplicate Template.
Give it the name VMware View (I know very original) and go to the Request Handling Tab and select ‘Allow private key to be exported’
Next, onto the Security Tab. I have created a Security Group called ‘View Servers’ and entered the computer accounts VMF-CON01 and VMF-TR01, which are my Connection and Transfer Servers.
I have then granted the Read and Enroll rights to the Security Group ‘View Servers’. This is really important, as without it, when we go to request a certificate you won’t have access to any templates.
On our Connection Server VMF-CON01, click Start > Run and enter MMC. Add a Snap-in, choose Certificates, then Computer Account > Local Computer.
Expand Personal and select Certificates.
I have already deleted my Self Signed Certificate, I’m feeling that confident!
Right Click Certificates > All Tasks > Request New Certificate
Click Next
Select Active Directory Enrollment Policy and hit next
Select VMware View and click on ‘More information is required to enroll this certificate. Click here to configure settings’.
Select Common Name from Type and enter your NetBIOS name, in my case VMF-CON01, and Add this to the request.
I also recommend adding in the Subject Alternative Names as well. You can achieve this by selecting DNS under ‘Alternative Name’ and entering your FQDN, in my case VMF-CON01.vmfocus.local.
Note this needs to match the URL and Server Name in your Connection Server Settings.
Just a side note: if you don’t follow these settings and instead enter the FQDN in Common Name and the NetBIOS name in the Alternative Name, you will get ‘Server’s certificate does not match the URL’ in View.
Click on the General Tab and enter vdm as the Friendly Name, which is the name View looks up when selecting its certificate.
Hit OK to apply and then click Enroll.
After you click Finish you will see the installed Certificate
To ensure the View Connection Server uses this Certificate we can either restart the Connection Server or restart the ‘VMware View Connection Server’ service.
I have opted to restart the service, so let’s check the View Administrator Dashboard. Happy days our Connection Server is green with no problems reported.
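The same enrollment done unattended with certreq and then checked against the requirements above (CN = NetBIOS name, FQDN in the SAN, exportable private key, friendly name vdm, trusted chain). This is an added example, not code from the original post or from VMware’s KB; the CA config string and the template name ‘VMwareView’ (the duplicated template’s Name, which Windows derives from the display name) are assumptions you will need to change for your environment.

```powershell
# Assumed values: adjust the CA config string and template name for your own PKI
$CAConfig = 'VMF-DC01.vmfocus.local\vmfocus-VMF-DC01-CA'       # assumption: CA "host\name"
$Template = 'VMwareView'                                        # assumption: Name of the duplicated template
$NetBios  = $env:COMPUTERNAME                                   # e.g. VMF-CON01, goes in the Common Name
$Fqdn     = [System.Net.Dns]::GetHostEntry($NetBios).HostName   # e.g. VMF-CON01.vmfocus.local, goes in the SAN
$Work     = Join-Path $env:TEMP 'viewcert'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# certreq INF mirroring the MMC settings: CN = NetBIOS name, DNS SAN = FQDN,
# exportable key in the machine store, friendly name 'vdm' so View picks it up
@"
[NewRequest]
Subject = "CN=$NetBios"
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
FriendlyName = "vdm"
[RequestAttributes]
CertificateTemplate = "$Template"
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
"@ | Set-Content -Path "$Work\request.inf" -Encoding ASCII

# Generate the key pair and CSR, submit to the enterprise CA, install the issued certificate
certreq -new    "$Work\request.inf" "$Work\request.req"
certreq -submit -config $CAConfig "$Work\request.req" "$Work\cert.cer"
certreq -accept "$Work\cert.cer"

# Verify the installed certificate before touching the service, so a bad request
# fails here rather than as a red Connection Server on the dashboard
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq 'vdm' } | Select-Object -First 1
if (-not $cert) { throw "No certificate with friendly name 'vdm' in LocalMachine\My" }
$san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false)
if ($cert.Subject -ne "CN=$NetBios")        { throw "Subject is '$($cert.Subject)', expected CN=$NetBios" }
if ($san -notmatch [regex]::Escape($Fqdn))  { throw "SAN '$san' does not contain $Fqdn" }
if (-not $cert.HasPrivateKey)               { throw "Certificate has no private key" }
if (-not $cert.Verify())                    { throw "Chain does not build to a trusted root" }

# Same as restarting the service by hand in services.msc
Restart-Service -DisplayName 'VMware View Connection Server'
```

Run it in an elevated PowerShell on the Connection Server; the checks fail loudly on exactly the CN/SAN mix-up that produces ‘Server’s certificate does not match the URL’.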
Turn On Certificate Based Authentication
By default Certificate Based Authentication is enabled for Client Connections.
This can be changed by going to View Configuration > Global Settings > Edit
TOP TIP: If you change this setting, all Client Connections are dropped.
Identify RSA Instance
Err, I don’t really know what VMware mean by this; I presume it is in relation to Two Factor Authentication.
To identify if you are using Two Factor Authentication, go into View Configuration > Servers > Connection Servers > Edit > Authentication Tab
Identify Authentication Requirements for RSA and Smart Cards
The authentication requirements for RSA are:
- Disabled
- RSA SecurID
- RADIUS
The authentication requirements for Smart Cards are:
- Not allowed
- Optional
- Required
Felt this objective was a strange one, as it pulls on experience and understanding of PKI and Two Factor Authentication which may not be in every View Administrator’s arsenal.