Update: Slightly changed the discussing regarding the required certificate template type. The key to creating a certificate that will work with View is enabling the “allow private key export” option on the certificate. A “computer” or “web server” certificate will work, IF this option is enabled when the certificate is created.
This is the first post in a short series on configuring VMware View 5.1, using vSphere 5.0 Update 1, on Windows Server 2008 R2 SP1. The article assumes you already have vCenter 5.0 running in the environment, and are using Microsoft SQL Server 2008 R2, so I won’t cover how to install those products.
Other articles in this series include:
VMware View 5.1 Installation Part 2 – Composer
Having worked a lot with XenDesktop 5.5 in the past, it is interesting to see work flow for a View 5.1 installation. The first component I installed is the View Connection server, which can NOT be installed on the vCenter server. It will complain about port 80 being taken, so start off with a fresh Windows Server 2008 R2 SP1 VM for this component.
After you have provisioned a fresh VM for the View connection manager, we need to get our certificate house in order to ensure properly trusted SSL connections to this server. After the certificate is created and installed, we proceed with the basic View Connection server installation process, and finally verify the SSL certificate is working. The next article will cover the View Composer, which requires a database back-end, unlike View Connection server.
Take note the SSL certificate configuration process for View 5.1 is *completely* different from View 5.0 and previous versions. DO NOT follow VMware KB article 1008705 for View 5.1. You can find all of the View 5.1 documentation here. Should you try the View 5.0 and earlier instructions you can expect errors such as the following to be logged:
Couldn’t create SSL socket factory com.vmware.vdi.ice.server.u.a(SourceFile:529)
java.lang.NullPointerException: invalid null input
To properly configure View 5.1 connection server, follow these steps:
1. On what will be your new View Connection server open a blank MMC, add the Certificates snap-in, and manage certificates for your Computer Account.
2. Open your personal certificates and review any existing certificates you may have. In this case I have Autoenroll configured, so the server automatically got a “computer” certificate installed. However, View Connection server can’t use this certificate if it was issued with all default settings, which prohibit exporting the private key.
If you try to use this certificate, the built-in web server will barf and you won’t get the login screen. The reason for this, is the default computer certificate template does not allow the private key to be exported, which View requires. So you could either alter the computer certificate request to allow private key export, or create a web server template (or request) with the allow private key export enabled.
3. Right click in the right pane and select Request New Certificate. Click Next, and on the following screen if you have a Windows CA that is online and configured to issue computer certificates, you should see something similar to the following picture. Click Next.
7. Click OK, then click on Enroll. If all goes well, you should now see a new certificate with a friendly name of vdm in your certificate store. Note that the intended purposes is only Server Authentication.
8. Start the VMware View Connection Server installation process, and modify the installation directory as you see fit. I always install software on the D: drive, as shown below.
10. Enter a strong recovery password and optional password reminder.
14. It is extremely unfortunate that the View console relies on Adobe Flash player, as it is riddled with nearly weekly critical security vulnerabilities. So you must install Flash player on whatever machine you want to access the View administrator console from. VMware really needs to update the interface to HTML5.