Configuring the HTTPS Protocol
It is recommended that the VMware VirtualCenter and ESX servers be configured to use the HTTPS protocol. The default configuration is HTTPS. If your environment is configured to use HTTP, you can skip this section.
Configuring the VMware VirtualCenter Server
To configure the VirtualCenter server to use HTTPS:
- Open the vpxd.cfg file that is located at:
  C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\vpxd.cfg.
- Modify the /sdk namespace in the <http> and <https> sections under the <proxyDatabase> tag to switch the redirect from HTTP to HTTPS.
- Save the configuration and restart the VirtualCenter service (click Start > All Programs > Administration > Services).
Configuring the ESX Server
To configure ESX servers to use HTTPS:
- Open the config.xml file that is located at: /etc/vmware/hostd/config.xml.
- Modify the /sdk namespace in the <http> and <https> sections under the <proxyDatabase> tag to switch the redirect from HTTP to HTTPS.
- Save the configuration and restart the service using "service mgmt-vmware restart".
Obtain Security Certificates
From the TA Master machine, obtain a security certificate for each target server using the Microsoft Internet Explorer Certificate Cache.
Internet Explorer
To obtain target server security certificates:
- Navigate to the ESX Server or VirtualCenter Management Server using the HTTPS protocol:
  https://servername
- Click View Certificate to open the Certificate dialog.
- Click Install Certificate.
- Click Next on the Certificate Import Wizard Welcome panel.
- Use the default option Automatically select the certificate store based on the type of certificate on the Certificate Store tab and click Next.
- Click Finish on the Completing Certificate Import Wizard panel. A Security Warning message appears informing you that you are about to install a certificate from a certification authority.
- Click Yes to continue with the certificate installation. A message stating The import was successful appears.
- Click OK to close the message and return to the Certificate dialog.
- Click OK on the Certificate dialog.
- Click Yes to continue with the original HTTPS request for the server on the Security Alert message. The server (VMware ESX Server 3, VMware VirtualCenter 2) Welcome page appears. The certificate has now been installed in Internet Explorer’s certificate cache.
- Repeat the process for each ESX Server and VirtualCenter Management Server that you want to connect to with the VMware Adapter.
Mozilla Firefox
To obtain target server security certificates:
- Click Options on the Tools menu to display the Options dialog.
- Click Advanced, and then click the Encryptions tab.
- Click View Certificates to display the Certificate Manager dialog.
- Click the Servers tab.
- Click Add Exception to display the Add Security Exception dialog.
- Click Get Certificate.
- Click Confirm Security Exception.
Export Security Certificates
After you have obtained the security certificates for the target servers, export them from the Internet Explorer or Mozilla Firefox cache to a local directory.
Internet Explorer
To export the cached certificates to a local directory:
- Create this directory for the certificates on the local computer:
  C:\VMware-Certs
  Note: You should not change the name of the directory C:\VMware-Certs. Several of the VI SDK batch files assume this path as the location of the keystore and will fail if you do not use this path.
- Click Tools > Internet Options in Internet Explorer.
- Click the Content tab on the Internet Options dialog.
- Click Certificates in the Certificates area.
- Click the Trusted Root Certification Authorities tab on the Certificates dialog to display the list of trusted certificates. This list should contain the certificates for the target servers that were obtained in the previous procedure. See Obtain Security Certificates.
- Scroll through the list of certificates to find the certificates.
  - For an ESX server, the certificate name matches the DNS name of the server.
  - For a VirtualCenter server, the certificate name is VMware.
- Perform this procedure for each target server certificate:
  - Click the certificate and click Export to launch the Certificate Export Wizard.
  - Click Next on the Welcome panel.
  - Use the default option DER encoded binary X.509 (.CER) on the Export File Format panel and click Next.
  - Enter the complete path to the VMware-Certs directory and a unique name for the certificate on the File To Export panel:
    C:\VMware-Certs\servername.cer
  - Click Next.
  - Click Finish on the Completing the Certificate Export Wizard panel to complete the export. A message stating The export was successful appears.
  - Click OK to close the message box.
- Click Close to exit the Certificates dialog after all target server certificates have been exported.
- Click OK to close the Internet Options dialog.
Mozilla Firefox
To export the cached certificates to a local directory:
- Create the directory for the certificates on the local computer:
  C:\VMware-Certs
  Note: You should not change the name of the directory C:\VMware-Certs. Several of the VI SDK batch files assume this path as the location of the keystore and will fail if you do not use this path.
- Click Tools > Options in Mozilla Firefox.
- Click the Encryptions tab on the Options dialog.
- Click View Certificates to display the Certificate Manager dialog.
- Click the Servers tab.
- Scroll through the list of certificates to find the certificates.
  - For an ESX server, the certificate name matches the DNS name of the server.
  - For a VirtualCenter server, the certificate name is VMware.
- Click the certificate and click Export.
- Click Close to exit the Certificates dialog after all target server certificates have been exported.
- Click OK to close the Options dialog.
Import Target Server Certificates into the Java Keystore
Import the target server certificates into a local Java keystore.
Note: These instructions assume that a JRE or JDK is in your system PATH.
To import certificates into Java keystore:
- Open a Windows Command Prompt window.
- Change to the directory where the certificates are stored by entering this command:
  cd c:\VMware-Certs
- Use the Java keytool utility to import a certificate. This syntax is used:
  keytool -import -file <certificate-filename> -alias <server-name> -keystore vmware.keystore
  Example: C:\VMware-Certs>keytool -import -file rui.crt -alias sdkpubs01 -keystore vmware.keystore
- Enter a password when prompted to create a password for the keystore. The keystore utility displays the certificate information.
- Type Yes at the Trust this certificate? [no] prompt and press Enter. The certificate is imported into the vmware.keystore keystore and this message appears: Certificate was added to keystore
- Repeat this procedure for each target server.
- Navigate to the folder where the TA VMware adapter is installed and create a new directory named config:
  <install dir>\master\services\{49ED3946-6C3C-4165-A09E-B2A723051BDD}\config
- Create a text file named service.props if it doesn’t already exist.
- Open the service.props text file and add this line:
  Keystore=c:\\VMware-Certs\\vmware.keystore
  Note: Windows directory paths use escaped backslashes.
See Configuring service.props for information about general and adapter-specific properties that can be set to control things like logging and connection properties.
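The Trust this certificate? prompt in the import procedure above is where each target server certificate becomes trusted, so its fingerprint should be compared with a value read from the server itself before answering Yes. The following Python code is an added example, not part of the original guide or of any VMware or adapter tooling: it computes the SHA-256 fingerprint of an exported DER (.cer) or PEM (.crt) certificate file and emits the keytool import command only when the fingerprint matches the expected value. The alias esx02, the function names, and the sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_der(data: bytes) -> bytes:
    """Return DER bytes from a DER (.cer) or PEM (.crt) certificate file."""
    m = PEM_RE.search(data)
    if m:  # PEM: base64 text between the BEGIN/END lines
        return base64.b64decode(b"".join(m.group(1).split()), validate=True)
    if not data.startswith(b"\x30"):  # a DER certificate starts with a SEQUENCE tag
        raise ValueError("not a PEM or DER certificate")
    return data

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes, as colon-separated uppercase hex."""
    h = hashlib.sha256(cert_der(data)).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))

def _hex(fp: str) -> str:
    return re.sub(r"[^0-9A-F]", "", fp.upper())

def plan_imports(certs, expected):
    """certs: [(alias, filename, file bytes)]; expected: {alias: fingerprint
    read from the server out of band}. Returns (keytool commands, rejected)."""
    commands, rejected = [], []
    for alias, filename, data in certs:
        try:
            actual = fingerprint(data)
        except ValueError as exc:  # also covers malformed base64 in a PEM file
            rejected.append((alias, str(exc)))
            continue
        if _hex(expected.get(alias, "")) != _hex(actual):
            rejected.append((alias, "fingerprint mismatch: " + actual))
            continue
        commands.append(f"keytool -import -file {filename} -alias {alias} "
                        "-keystore vmware.keystore")
    return commands, rejected

# Constructed stand-in bytes, not a real certificate, so the example runs offline.
SAMPLE_DER = b"\x30\x82\x00\x10" + bytes(range(16))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    pinned = {"sdkpubs01": fingerprint(SAMPLE_DER)}  # stands in for the out-of-band value
    certs = [("sdkpubs01", "rui.crt", SAMPLE_PEM), ("esx02", "esx02.cer", SAMPLE_DER)]
    print(plan_imports(certs, pinned))  # esx02 has no pinned value and is rejected
```

In real use, read each file from C:\VMware-Certs in binary mode and run only the emitted commands; a rejected entry means the exported file is not the certificate the server actually presents, or no expected value was recorded for it.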