How to replace SSL certificate for WEB?

I have a feature request... a frustration we have encountered is that after a certain amount of time the html5 client becomes non responsive & it seems to be a logoff for security reasons, which I can understand, but the screen still appears to be active. Would it be possible if the session activity times out, to let it return to the login screen? Thx guys!!

Thanks for the comment, Garth!
Actually this is exactly how the client is behaving. It seems that you are hitting some kind of bug.
What exactly do you see when you are logged off?

The client looks to be active but when you try to perform any action, it simply does not respond. The refresh icon simply starts turning & then I restart my browser, log in again & all is well.

Thanks, we will try to find what is causing that.

After deploying the 4.3 OVA and following the setup guide here: https://blogs.vmware.com/vsphere/2016/03/vsphere-html5-web-client-fling-getting-started.html

We are receiving the following error:
[400] An error occurred while sending an authentication request to the vCenter Single Sign-On server - An error occurred when processing the metadata during vCenter Single Sign-On setup - LookupService URL is invalid, URL cannot be null..

Searching the error, it looks to be certificate related:
https://kb.vmware.com/s/article/52541

Our Platform Service Controller is local to our Windows vCenter server, deployed with v6.0 patch U3j. We don't use PSC, only thick client and web client for vSphere administration. Has anyone run into this issue and know a possible fix?

Hi DGalmo,
Please, have a look in the drop down menu.
There are new and actual versions of the documentations.
Have a look at h5_client_deployment_instructions_and_helpful_tips_v29.pdf
Some of the paths where to copy the files have changed.
Best regards,
Kaloyan Iliev

Thanks for the reply Kaloyan. I've looked over the document and my paths are correct:

/etc/vmware/vsphere-ui/store.jks
/etc/vmware/vsphere-ui/webclient.properties
/etc/vmware/vsphere-ui/config/ds.properties

I've changed ownership of the folder to user vsphere-ui and verified our DNS and NTP servers on the appliance. Time is in sync between our H5 and vCenter appliances.

I've followed the "For windows VC with embedded PSC:*" section to a T and still have the "LookupService URL is invalid, URL cannot be null" error.

There is some confusion on the document though, as it states to edit the webclient.properties file with our local store.jks path depending on the PSC we are using. Since we are using Windows, shouldn't this be Windows path? The batch file doesn't copy store.jks out to the local path however, and I had to do some trial and error to even get the UI to show in a webpage and even give me the error I'm receiving. I'm not sure where to go from here, but we need this working before Flash is removed from Edge/Chrome browsers early next year, and we won't have an opportunity to upgrade to 6.5/6.7 until after that occurs.

Here is the tail of the log file if it helps any:
localhost:~ # tail -100 /usr/lib/vmware-vsphere-ui/server/logs/vsphere_client_virgo.log

[2019-11-13T09:53:15.934-05:00] [ERROR] https-jsse-nio-9443-exec-4 70000006 100001 ###### c.v.vsphere.client.security.websso.WebssoLogoutRequestHandler The handling of the WebSSO logout request failed javax.servlet.ServletException: An error occurred when processing the metadata during vCenter Single Sign-On setup - LookupService URL is invalid, URL cannot be null..
at com.vmware.vsphere.client.security.websso.MetadataGeneratorImpl.processMetadata(MetadataGeneratorImpl.java:318)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:333)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:207)
at com.sun.proxy.$Proxy265.processMetadata(Unknown Source)
at com.vmware.vsphere.client.security.websso.WebssoLogoutRequestHandler.handleRequest(WebssoLogoutRequestHandler.java:53)
at org.springframework.web.context.support.HttpRequestHandlerServlet.service(HttpRequestHandlerServlet.java:67)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyServlet.service(HttpServiceRuntimeImpl.java:1256)
at org.eclipse.equinox.http.servlet.internal.registration.EndpointRegistration.service(EndpointRegistration.java:153)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:50)
at com.vmware.o6jia.context.web.filter.WelcomeFileFilter.doFilter(WelcomeFileFilter.java:48)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at com.vmware.vise.extensionfw.DeploymentFilter.doFilter(DeploymentFilter.java:55)
at com.vmware.o6jia.context.web.filter.ContextPathAwareDelegatingFilter.doFilter(ContextPathAwareDelegatingFilter.java:50)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at com.vmware.vsphere.client.logging.MDCLogFilter.doFilterInternal(MDCLogFilter.java:41)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at com.vmware.o6jia.context.web.filter.ContextPathAwareDelegatingFilter.doFilter(ContextPathAwareDelegatingFilter.java:50)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at com.vmware.vise.util.i18n.I18nFilter.doFilterInternal(I18nFilter.java:43)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at com.vmware.o6jia.context.web.filter.ContextPathAwareDelegatingFilter.doFilter(ContextPathAwareDelegatingFilter.java:50)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at com.vmware.vise.security.SessionManagementFilter.doFilter(SessionManagementFilter.java:212)
at com.vmware.o6jia.context.web.filter.ContextPathAwareDelegatingFilter.doFilter(ContextPathAwareDelegatingFilter.java:50)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:208)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:347)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:263)
at com.vmware.o6jia.context.web.filter.ContextPathAwareDelegatingFilter.doFilter(ContextPathAwareDelegatingFilter.java:50)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at com.vmware.o6jia.context.web.filter.ContextPathAwareDelegatingFilter.doFilter(ContextPathAwareDelegatingFilter.java:46)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at com.vmware.o6jia.context.web.filter.ContextPathAwareDelegatingFilter.doFilter(ContextPathAwareDelegatingFilter.java:50)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at com.vmware.o6jia.context.web.filter.ContextPathAwareDelegatingFilter.doFilter(ContextPathAwareDelegatingFilter.java:46)
at org.eclipse.equinox.http.servlet.internal.HttpServiceRuntimeImpl$LegacyFilterFactory$LegacyFilter.doFilter(HttpServiceRuntimeImpl.java:1215)
at org.eclipse.equinox.http.servlet.internal.registration.FilterRegistration.doFilter(FilterRegistration.java:121)
at org.eclipse.equinox.http.servlet.internal.servlet.FilterChainImpl.doFilter(FilterChainImpl.java:45)
at org.eclipse.equinox.http.servlet.internal.servlet.ResponseStateHandler.processRequest(ResponseStateHandler.java:70)
at org.eclipse.equinox.http.servlet.internal.context.DispatchTargets.doDispatch(DispatchTargets.java:132)
at org.eclipse.equinox.http.servlet.internal.servlet.ProxyServlet.service(ProxyServlet.java:100)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.eclipse.equinox.servletbridge.BridgeServlet.service(BridgeServlet.java:152)
at com.vmware.vsphere.bridge.BridgeServletEx.service(BridgeServletEx.java:21)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at com.vmware.vsphere.bridge.DenyConfigurationFilesFilter.doFilter(DenyConfigurationFilesFilter.java:45)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:493)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:679)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:660)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:798)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:808)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

[2019-11-13T09:53:34.251-05:00] [INFO ] health-status-8 com.vmware.vise.vim.cm.healthstatus.AppServerHealthService Memory usage: used=348,248,592; max=954,728,448; percentage=36.47619307139364%. Status: GREEN
[2019-11-13T09:53:34.251-05:00] [INFO ] health-status-8 c.v.v.v.cm.HealthStatusRequestHandler$HealthStatusCollectorTask Determined health status 'GREEN' in 0 ms
localhost:~ #

Hi DGalmo,
1. You can not just copy the store.jks. It must be generated from the BAT file or it won't work. Does it show you any error when you start the BAT file?

2. The paths in webclient.properties are correctly described in the documentation. The generated webclient.properties will be copied and used on the Fling Linux VM. The path in it to the keystore should be the path to the keystore in the Fling VM.
keystore.jks.path=/etc/vmware/vsphere-ui/store.jks

Please try to generate all the files using the BAT script.
NOTE: If you have installed vCenter into any folder other than default (%PROGRAMFILES%), the script may not find the appropriate files. You will need to edit the file and replace the two references to %PROGRAMFILES% with the appropriate path so that the “KEYTOOL” and “VECS_CLI” paths line up. These two variables are at the top of the file.
You may also need to change this at the end of the file to the correct path (this is for the ds.properties file):
SET CLIENT_DIR=%PROGRAMDATA%\VMware\vCenterServer\cfg\vsphere-ui

If you have any problems I will try to respond as soon as possible.

Best regards,
Kaloyan Iliev

Please also check in the webclient.proerties file the values for:
cm.url
ls.url
They must not be empty or mis-formatted.

Hi Kaloyan,

Still looking for a response as we will be unable to upgrade to 6.5/6.7 by the time flash is removed from browser support next year, we will need to get this Fling working for us before then!

Hi DGalmo,
I will check and someone will contact you soon.

Best regards,
Kaloyan Iliev

Just to clarify:
1. You generated all the files on the Windows VC with embedded PSC using the BAT file.
2. The paths in the webclient.properties point to /etc/vmware/vsphere-ui/
3. All the files are copied to their corresponding sub-folders on /etc/vmware/vsphere-ui/
4. User vsphere-ui owns and has permission to /etc/vmware/vsphere-ui/
5. You restarted the vsphere-ui service after the above actions and still see the error when you login to https://<Fing IP>/ui/ that it can not connect to the SSO

Hi Kaloyan,

Yes what you have outlined is correct. If someone on your team needs to webex to troubleshoot this issue on my end, you can send me an invite via email. I opened a ticket with the regular support channel but they directed me here which was very off-putting as we'd like to get this working.

If you could please edit out our vcenter name I would appreciate it, I missed it before posting and cannot edit it out.

Thanks Kaloyan,

I have gernerated the files with the provided Batch but that is where we are still recieving this error. Here are the contents of our webclient.propertiesfile:

ls.url=domain.com
#
# Generated webclient.properties file.
# Copy this file to the right location along with the generated store.jks (see path below).
#
# The keystore and cm.url settings allow to connect your local Web Client server to your VCSA
# or vCenter for Windows. For additional properties see the content of webclient.properties
# in /etc/vmware/vsphere-client or C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\
#
# Do not change.
afd.disabled=true
#
keystore.jks.password=vmw@re
#
# Set the correct value of keystore.jks.path based on your PSC OS.
# Linux: /etc/vmware/vsphere-client/store.jks
# Windows: C:\ProgramData/VMware/vCenterServer/cfg/store.jks
keystore.jks.path=/etc/vmware/vsphere-ui/store.jks
#
# ComponentManager url with the DNS name of your vCenter Server for Windows host.
cm.url=https://ourvcenterserver.domain.com/cm/sdk/
ls.url=https://ourvcenterserver.domain.com/lookupservice/sdk
vapi.hostid=8cdb39e0-fed7-11e6-b242-000c291f3236
psc.dc=domain.com
psc.domain.name=vsphere.local
psc.rhttp.proxy.port=443
# Unique install id
installation.id=92B82058-F9E1-4501-B9B8-32480AEBFA75
#
# Other useful webclient.properties flags
show.allusers.tasks=true
large.inventory.mode=true
aggregationThreshold.VirtualMachine=100

Hi DGalmo,
Did you manage to fix your env?
Best regards,
Kaloyan Iliev

Hi DGalmo,
I see in your webclient.propertiesfile that you have twice ls.url.
The first time is only with your domain and the second time is ls.url=https://ourvcenterserver.domain.com/lookupservice/sdk
Please delete the first instance where it has only your domain and leave the second instance:
ls.url=https://ourvcenterserver.domain.com/lookupservice/sdk
Then restart the service and try again:
service-control --restart vsphere-ui

Thanks Kaloyan, I was out of the office the past couple days. I've removed the ls.url=domain.com reference and restarted the service, but I am still receiving the following error on the UI screen:

[400] An error occurred while sending a logout request to the vCenter Single Sign-On server - An error occurred when processing the metadata during vCenter Single Sign-On setup - LookupService URL is invalid, URL cannot be null..

Here is the updated webclient.properties file contents:

#
# Generated webclient.properties file.
# Copy this file to the right location along with the generated store.jks (see path below).
#
# The keystore and cm.url settings allow to connect your local Web Client server to your VCSA
# or vCenter for Windows. For additional properties see the content of webclient.properties
# in /etc/vmware/vsphere-client or C:\ProgramData\VMware\vCenterServer\cfg\vsphere-client\
#
# Do not change.
afd.disabled=true
#
keystore.jks.password=vmw@re
#
# Set the correct value of keystore.jks.path based on your PSC OS.
# Linux: /etc/vmware/vsphere-client/store.jks
# Windows: C:\ProgramData/VMware/vCenterServer/cfg/store.jks
keystore.jks.path=/etc/vmware/vsphere-ui/store.jks
#
# ComponentManager url with the DNS name of your vCenter Server for Windows host.
cm.url=https://servername.ourdomain.com/cm/sdk/
ls.url=https://servername.ourdomain.com/lookupservice/sdk
vapi.hostid=8cdb39e0-fed7-11e6-b242-000c291f3236
psc.dc=servername.ourdomain.com
psc.domain.name=vsphere.local
psc.rhttp.proxy.port=443
# Unique install id
installation.id=92B82058-F9E1-4501-B9B8-32480AEBFA75
#
# Other useful webclient.properties flags
show.allusers.tasks=true
large.inventory.mode=true
aggregationThreshold.VirtualMachine=100

Hi DGalmo,
I suspect you haven't restarted the service. It may have hung.
Please execute the following commands
service vsphere-ui stop
service vsphere-ui status
If there are still running java processes kill them.
Then start the service:
service vsphere-ui start
When you login go to:
https://<FLING IP>/ui/
Best regards,
Kaloyan Iliev

Hi Kaloyan,

I've done as you suggested and still the same issue. Here's the command output and status before starting the service back up. I also tried a full restart of the appliance which also did not work.

localhost:~ # service vsphere-ui status
● vsphere-ui.service - H5 vSphere Web Client
Loaded: loaded (/usr/lib/systemd/system/vsphere-ui.service; enabled; vendor preset: disabled)
Active: inactive (dead) since Thu 2019-12-05 01:44:37 UTC; 14s ago
Docs: https://labs.vmware.com/flings/vsphere-html5-web-client
Process: 29657 ExecStop=/usr/local/bin/vsphere-ui stop (code=exited, status=0/SUCCESS)
Process: 8126 ExecStart=/usr/local/bin/vsphere-ui start (code=exited, status=0/SUCCESS)
Main PID: 8146 (code=exited, status=0/SUCCESS)

Dec 04 12:34:07 localhost systemd[1]: Starting H5 vSphere Web Client...
Dec 04 12:34:07 localhost vsphere-ui[8126]: Starting vSphere Client Web Server
Dec 04 12:34:30 localhost systemd[1]: Started H5 vSphere Web Client.
Dec 05 01:44:34 localhost systemd[1]: Stopping H5 vSphere Web Client...
Dec 05 01:44:34 localhost vsphere-ui[29657]: Stopping vSphere Client Web Server
Dec 05 01:44:36 localhost vsphere-ui[29657]: Tomcat stopped.
Dec 05 01:44:37 localhost vsphere-ui[29657]: .
Dec 05 01:44:37 localhost systemd[1]: Stopped H5 vSphere Web Client.

Hi DGalmo,

Can you upload somewhere the full log file: /usr/lib/vmware-vsphere-ui/server/logs/vsphere_client_virgo.log and also webclient.properties from the Linux Fling VM.
The log messages suggest that the ls.url property is null in webclient.properties file.

Thanks and regards,
Todor

A short question from a rookie, could I consider VWware web gots the same capabilities of VWware vSphere?

Yes. This is very close to what we've released with vSphere 6.7+.