Thursday, July 2, 2009

Remote administration of VMware Server 2

VMware Server 2.0 implements the new (well, for free Server users at least — ESX and ESXi have had it for ages) web interface for administration. When you install the server the listener for this is configured for ports 8222 and 8333. The former is only reachable if you’re coming in locally. Remote users have to use the latter, which is supposed to provide a “secure” SSL session, by dialing up https://[fully qualified hostname]:8333. Of course there’s a trick (or two) to making that work.

1. Turn off your popup blocker;

2. Accept the bogus SSL certificate that the server ships with.

On second thought, don’t turn off your popup blocker, wise guy, so you’ll get to stare at the blank gray screen that results when the login box popup is blocked (without the usual request to allow the popup).

As someone recently noted, there are really two purposes to an SSL session. One is to provide an encrypted channel for communications. The other is to give the user some assurance that the site they’re connected to is actually who it says it is. That’s why we’ve implemented chains of trust using SSL certificates. The bogus SSL cert that ships with VMware Server gives you the former, but not the latter.

Have no fear though, muchachos, you can actually install a legit certificate and key to replace VMware’s bogus pair and resolve this crisis. I got this from a piece by Arun Stephens, “VMware Server 2.0 – using your own SSL certificate”.

The locations of the cert and key are set in /etc/vmware/hostd/config.xml. As shipped, they live in /etc/vmware/ssl.

To make any change effective you need to make sure every VMware process on your machine is down, and then restart. On an RHEL type system I’d do a /etc/init.d/vmware stop and then make sure everything’s dead by doing a ps -ef | grep -i vmware and ps -ef | grep http. Just make sure not to kill any of your non-VMware httpd processes!
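Before pointing config.xml at a replacement pair, it helps to confirm that the key belongs to the certificate, that the certificate is not just another self-issued one, that it names the fully qualified hostname used in the :8333 URL, and that it has not expired. The script below is an added example, not taken from the original post or from VMware; the function names and the three arguments are assumptions, and it relies only on the openssl command-line tool. It does not validate the full chain against a CA bundle.

```shell
#!/bin/sh
# Added example: sanity checks for a replacement certificate/key pair.
# Function names and arguments are hypothetical; only the openssl CLI is used.

# True when the certificate's public key is the one derived from the private key.
pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when subject and issuer are the same name, i.e. no CA vouches for the cert.
is_self_issued() {
    hashes=$(openssl x509 -in "$1" -noout -subject_hash -issuer_hash 2>/dev/null) || return 2
    [ "$(printf '%s\n' "$hashes" | sed -n 1p)" = "$(printf '%s\n' "$hashes" | sed -n 2p)" ]
}

# True when the certificate names the host (SAN, or CN if there is no SAN).
host_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# True when the certificate's notAfter date is still in the future.
not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_pair CERT KEY FQDN: prints each problem, returns 0 only if none found.
check_pair() {
    bad=0
    pair_matches "$1" "$2" || { echo "FAIL: key does not match certificate (or unreadable)"; bad=1; }
    if is_self_issued "$1"; then echo "FAIL: self-issued, gives encryption but no identity"; bad=1; fi
    host_matches "$1" "$3" || { echo "FAIL: certificate does not name $3"; bad=1; }
    not_expired "$1"       || { echo "FAIL: certificate expired or unreadable"; bad=1; }
    return "$bad"
}

# Run directly as: sh check_pair.sh CERT KEY FQDN
if [ "$#" -eq 3 ]; then check_pair "$@"; fi
```

Run against the pair that ships with the server, the self-issued check is the one expected to fail, which is the "encryption but no identity" situation described above.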