Hmmm, so your chain is only two certificates, not the typical root - intermediate - self signed

Am I missing something here?

regards,
thomas

-----Original Message-----
From: sunray-users-boun...@filibeto.org [mailto:sunray-users-boun...@filibeto.org] On Behalf Of Volker A. Brandt
Sent: Tuesday, 15 October 2013 23:23
To: sunray-users@filibeto.org
Subject: [SunRay-Users] Keystore file for SSL connections SRS 5.4.1 -> VMware Horizon View 5.2

Hello all!

I need help solving a problem involving the keystore file containing the SSL certificate the uttsc connector needs for SSL connections to a pair of VMware Horizon View servers.

Customer is running an environment with four secondary servers providing the sessions, and a primary server running the datastore and providing the firmware. The Sun Ray software is running in kiosk mode, connecting every user directly to the Horizon View login screen.

The VMware environment was rebuilt using the latest version, Horizon View 5.2. Two of the Sun Ray servers were upgraded from S10 U9 to U11, and from SRSS 5.2 to SRS 5.4.1. The other two servers are still running the old software version.

When the new View environment was built, a self-signed certificate for SSL connections was generated on each of the two View servers. Each server has the certificate of the other server imported, so that any client presenting one of the certificates should be able to get a connection from each of the View servers.

The two certificates were then exported to a file using a browser and saving the certificates locally on the machine the browser was running. This was done on both a Windows PC using IE, and a Solaris system using Firefox, yielding identical certificates.

To import the new certificate in the Sun Ray environment, a new keystore file was generated using the keytool command as described in the SRS documentation. This was done on each of the four Sun Ray servers, running both the old and the new software version. All four servers could generate the keystore file correctly.

However, the two servers running SRS 5.4.1 are unable to get sessions from the Horizon View servers. The log file always shows the message

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This is an indication that the SSL certificates are not installed correctly. The keystore is present, is owned by root, has permissions 0644, and the location and keystore password are correctly entered in the "vdm" script.

I tried:

- adding one cert to the keystore using the default alias "mykey" as described in the Sun Ray documentation
- adding both certs to the keystore using specific aliases "viewhost-1" and "viewhost-2"
- copying over the keystore file generated on the SRSS 5.2 servers (containing one cert) to the SRS 5.4.1 servers

Unfortunately, nothing worked.

My questions:

- Has anyone seen this problem before?
- How can I debug this?
- Do the aliases I specify when adding two certs to one keystore have to exactly match the host names of the View servers?
- Is there another way of exporting the certs from the View servers, other than via browser? (Unfortunately, I know nothing about VMware, a colleague tried to follow the VMware docs for keytool on the Windows command line but could not locate the keystore, and a cert file created via the GUI was refused by the Solaris keytool as not being an X.509 cert).
- Is it possible that the mixed operations (two servers on 5.2 and two on 5.4.1, with primary also on 5.2) are causing problems?

Any and all help is most welcome.

Thanks -- Volker

--
------------------------------------------------------------------------
Volker A. Brandt                Consulting and Support for Oracle Solaris
Brandt & Brandt Computer GmbH                    WWW: http://www.bb-c.de/
Am Wiesenpfad 6, 53340 Meckenheim                    Email: v...@bb-c.de
Commercial register: Amtsgericht Bonn, HRB 10513           Shoe size: 46
Managing directors: Rainer J. H. Brandt and Volker A. Brandt
_______________________________________________
SunRay-Users mailing list
SunRay-Users@filibeto.org
http://www.filibeto.org/mailman/listinfo/sunray-users

_________________
This message was received TLS-encrypted by the OeNB mail server
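
For the "How can I debug this?" question above, an added example (not from the thread or from the Sun Ray or VMware documentation) that reads the trusted-certificate entries of a JKS keystore directly and reports which alias, if any, holds a certificate byte-identical to the one a server presents. It assumes a version 2 JKS file containing only trusted-certificate entries with ASCII aliases; the function names and the sample keystore with placeholder certificate bytes are constructed for the illustration.

```python
import hashlib
import io
import struct

SALT = b"Mighty Aphrodite"  # constant mixed into the JKS integrity hash

def _digest(password, body):
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def read_trusted_certs(blob, password):
    """Return {alias: SHA-256 hex of the stored DER bytes} for a JKS truststore."""
    body, stored = blob[:-20], blob[-20:]     # file ends with a 20-byte SHA-1
    if _digest(password, body) != stored:
        raise ValueError("integrity check failed: wrong password or damaged file")
    buf = io.BytesIO(body)
    def take(n):
        data = buf.read(n)
        if len(data) != n:
            raise ValueError("truncated keystore")
        return data
    def num(fmt):
        return struct.unpack(fmt, take(struct.calcsize(fmt)))[0]
    if num(">I") != 0xFEEDFEED or num(">I") != 2:
        raise ValueError("not a version 2 JKS keystore")
    certs = {}
    for _ in range(num(">I")):
        tag = num(">I")
        alias = take(num(">H")).decode("utf-8")  # assumption: ASCII aliases
        take(8)                       # creation timestamp
        if tag != 2:                  # 1 = private key entry, 2 = trusted cert
            raise ValueError(f"{alias!r} is not a trustedCertEntry")
        take(num(">H"))               # certificate type string, "X.509"
        certs[alias] = hashlib.sha256(take(num(">I"))).hexdigest()
    return certs

def matching_aliases(server_der, certs):
    """Aliases whose stored certificate is byte-identical to the one presented."""
    fp = hashlib.sha256(server_der).hexdigest()
    return [alias for alias, stored in certs.items() if stored == fp]

def build_sample(entries, password):
    """Constructed keystore for the demo; the 'certificates' are placeholder bytes."""
    body = struct.pack(">III", 0xFEEDFEED, 2, len(entries))
    for alias, der in entries.items():
        name = alias.encode("utf-8")
        body += struct.pack(">IH", 2, len(name)) + name + bytes(8)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + _digest(password, body)
```

The presented certificate can be fetched without a browser through the standard library, as `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))` for the server being checked. An empty result from `matching_aliases` means the keystore does not contain the certificate that server is actually sending, whatever the aliases are called.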