Initial Configuration

Synchronize Time with Connection Server

The clocks on the Connection Server and JMP server hosts must be synchronized for authentication between the two servers to succeed.

Important: For the purposes of this quick-start, we assume that you are performing these exercises in a test environment. Changing the time-synchronization configuration of a Connection Server or ESXi host in a test environment does not carry the same risks as changing the configuration of a production environment component. If you are performing this exercise using a production Connection Server or ESXi host, consult with the proper administrators before changing time-synchronization settings.

Prerequisites for Synchronizing Time

To complete this exercise, you will need:

  • VMware Tools – You will use VMware Tools command-line options to turn on time synchronization with the ESXi host for the Connection Server VM and the JMP server VM. Therefore, VMware Tools must be installed in the VMs.
  • Connection Server version – To use the JMP integrated workflow, the Connection Server version must be Horizon 7 version 7.5 or later.

1. Use the timesync Option to Turn On Time Synchronization for the VMs

  1. On the Connection Server system, open a command prompt, and change directories to the C:\Program Files\VMware\VMware Tools directory.
  2. Run the following command to find out whether time synchronization is disabled:

    VMwareToolboxCmd.exe timesync status
  3. If Disabled is returned, run the following command:

    VMwareToolboxCmd.exe timesync enable
  4. Repeat these steps on the JMP server system.

Both the JMP server and the Connection Server now synchronize time with the ESXi host.

2. Configure Time Synchronization on the ESXi Host or Hosts

  1. In vSphere Client, select the ESXi host for the Connection Server and the JMP server.

    If you do not know which ESXi host to use, select the VM for the Connection Server or JMP server and use the Summary tab to determine the ESXi host.

    Note: The JMP server might use a different host from the Connection Server.
  2. Select the Configure tab.
  3. Under the System settings, select Time Configuration.
  4. Click Edit.

3. Enable NTP

  1. Select Use Network Time Protocol (Enable NTP client).
  2. Enter the IP address or fully qualified domain name of one or more NTP servers to synchronize with.
  3. Click OK.
  4. If the JMP server VM and the Connection Server VM use different ESXi hosts, repeat the steps to configure NTP on the other ESXi host. Be sure to use the same NTP server or servers.

Place the Root Certificate from the AD Server in the JMP Configuration Folder

In this exercise, you will export the root CA certificate of the Active Directory domain controller into a certificate file named adCA.pem and place this file in a configuration folder on the JMP server.

Prerequisites for Obtaining the AD Server's Root Certificate

Active Directory must be configured for LDAP over SSL (LDAPS) or StartTLS (LDAP over TLS).

1. Start the Microsoft Management Console

  1. Log in to the operating system of the Active Directory server, and right-click the Windows Start icon.
  2. Select Run.
  3. Type mmc.
  4. Click OK.

2. Add Snap-in for Certificate Manager

Select File > Add/Remove Snap-in.

3. Select the Certificates Snap-in

  1. Select Certificates.
  2. Click Add.

4. Select Computer Account

Because you want to export the root certificate for the server, select Computer account, and click Next.

5. Select the Local Computer

Select Local Computer (the computer this console is running on), and click Finish.

6. Click OK in the Snap-in Dialog Box

With the Certificates snap-in added to the Selected snap-ins list, click OK.

7. Locate the Server's Certificate in the Personal Folder

  1. Expand the Certificates > Personal folder, and select the Certificates folder.
  2. Right-click a certificate name and select Open. You can select any of the certificates in this folder to determine the root certificate.
  3. On the Certification Path tab, note the top-most item. The name of the root certificate is displayed.

8. Locate and Export the Root Certificate

  1. Expand the Trusted Root Certification Authorities folder, and select the Certificates folder.
  2. Right-click the certificate name. This is the certificate that was listed on the Certification Path tab in the previous step.
  3. Select All Tasks > Export.

9. Export a Base-64 Encoded Certificate

In the Certificate Export Wizard, select Base-64 encoded X.509 (.CER), and click Next.

10. Name the File adCA.pem

Type the file name adCA.pem, and click Next.

11. Complete the Wizard

Note that the completion page displays the location of the file, and click Finish.

12. Copy the Exported Certificate to the JMP Server

Copy the adCA.pem file to the JMP Server XMS configuration folder, in the following location:

C:\Program Files (x86)\VMware\JMP\com\XMS\config\adCA.pem

Note: To verify that the file uses the .pem extension rather than the .cer extension, you can click the View tab at the top of the window and select the File name extensions check box. For example, if the file name is adCA.cert.pem.cer, rename the file to remove the .cer at the end of the file name. The file must have a .pem file extension.

Place the Certificate for Connection Server in the JMP com Folder

In this exercise, you will export the server certificate of the Connection Server into a certificate file named horizon.cert.pem and place this file in the com folder on the JMP server.

Prerequisites for Placing the Connection Server Certificate on the JMP Server

You must have credentials for a user account that has administrator privileges on the Connection Server system and on the JMP server system.

1. Start the Microsoft Management Console

  1. Log in to the operating system of the Connection Server, and right-click the Windows Start icon.
  2. Select Run.
  3. Type mmc.
  4. Click OK.

2. Add Snap-in for Certificate Manager

Select File > Add/Remove Snap-in.

3. Select the Certificates Snap-in

  1. Select Certificates.
  2. Click Add.

4. Select Computer Account

Because you want to export the server certificate for the server, select Computer account, and click Next.

5. Select the Local Computer

Select Local Computer (the computer this console is running on), and click Finish.

6. Click OK in the Snap-in Dialog Box

With the Certificates snap-in added to the Selected snap-ins list, click OK.

7. Locate the Server's Certificate in the Personal Folder

  1. Expand the Certificates > Personal folder, and select the Certificates folder.
  2. Right-click the certificate name and select Properties.
  3. Verify that the friendly name of the certificate is vdm. If not, find the certificate in that folder that has the friendly name vdm.
  4. Close the dialog box.

8. Export the Server Certificate

Right-click the certificate and select All Tasks > Export.

9. Do Not Export a Private Key

In the Certificate Export Wizard, on the Export Private Key page, select No, do not export the private key, and click Next.

10. Export a Base-64 Encoded Certificate

In the Certificate Export Wizard, select Base-64 encoded X.509 (.CER), and click Next.

11. Name the File horizon.cert.pem

Type the file name horizon.cert.pem, and click Next.

12. Complete the Wizard

Note that the completion page displays the location of the file, and click Finish.

13. Copy the Exported Certificate to the JMP Server

Copy the horizon.cert.pem file to the JMP server home folder (com), in the following location:

C:\Program Files (x86)\VMware\JMP\com\horizon.cert.pem

Note: To verify that the file uses the .pem extension rather than the .cer extension, you can click the View tab at the top of the window and select the File name extensions check box. For example, if the file name is horizon.cert.pem.cer, rename the file to remove the .cer at the end of the file name. The file must have a .pem file extension.
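The MMC export in steps 1 through 12 can also be scripted. The following PowerShell is an added example, not part of the original tutorial or of any VMware tooling. It selects the certificate with the friendly name vdm from the local computer's Personal store and writes only the public certificate as Base-64 (PEM). The function names and the default output location (the current directory) are assumptions.

```powershell
# Added example (not VMware code). Run in an elevated PowerShell 5.0+ session
# on the Connection Server. Function names are hypothetical.

function ConvertTo-PemCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # RawData holds only the DER-encoded certificate, so the private key
    # cannot end up in the output file.
    $b64   = [Convert]::ToBase64String($Certificate.RawData)
    $lines = $b64 -split '(.{64})' | Where-Object { $_ }   # wrap at 64 characters
    $body  = $lines -join "`r`n"
    "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----`r`n"
}

function Export-VdmCertificate {
    param([string]$OutFile = (Join-Path $PWD.Path 'horizon.cert.pem'))

    # Same selection rule as step 7: the certificate whose friendly name is vdm.
    $vdm = @(Get-ChildItem -Path Cert:\LocalMachine\My |
             Where-Object { $_.FriendlyName -eq 'vdm' })

    if ($vdm.Count -eq 0) {
        throw "No certificate with friendly name 'vdm' in Cert:\LocalMachine\My."
    }
    if ($vdm.Count -gt 1) {
        $list = ($vdm | ForEach-Object { $_.Thumbprint }) -join ', '
        throw "More than one certificate has friendly name 'vdm': $list"
    }

    $cert = $vdm[0]
    # ASCII encoding avoids a byte-order mark in front of the BEGIN line.
    [System.IO.File]::WriteAllText($OutFile, (ConvertTo-PemCertificate $cert),
                                   [System.Text.Encoding]::ASCII)

    [pscustomobject]@{
        File       = $OutFile
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        Thumbprint = $cert.Thumbprint   # compare after copying to the JMP server
    }
}

Export-VdmCertificate
```

Copy the resulting horizon.cert.pem to the com folder on the JMP server as described in step 13, and keep the reported thumbprint to confirm that the copied file is the same certificate.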

Place the Certificate for App Volumes Server in the JMP com Folder

In this exercise, you will export the self-signed certificate of the App Volumes Manager instance into a certificate file named av-selfsigned.cert.pem and place this file in the com folder on the JMP server.

Prerequisites for Placing the App Volumes Manager Certificate on the JMP Server

To perform this exercise, you need the following:

  • App Volumes Manager is installed and set up. For instructions for installing and configuring App Volumes Manager, see Reviewer's Guide for VMware App Volumes, and see the VMware App Volumes documentation. App Volumes 2.14 or later is required.
  • To save the certificate file to the correct location, you must have credentials for a user account that has administrator privileges on the JMP server system.

1. Log In to App Volumes Manager from the JMP Server

Log in to the JMP server system as an administrator, open a browser and type in the URL to the App Volumes Manager host; for example, https://<app_vol_mgr_server.mycompany.com>. For the example in this exercise, we used a Firefox browser.

In the production environment, this URL might point to a load balancer fronting two App Volumes Managers.

2. Open the Site Information Dialog Box

Click the Show Site Information icon to access the certificate information.

3. View the Certificate

On the Security tab, click View Certificate.

4. Export the Certificate

On the Details tab, click Export.

5. Save the Exported Certificate to the JMP Server

  1. For Save as type, select a PEM-formatted certificate type.
  2. For File name, type av-selfsigned.cert.pem.
  3. For the folder on the local drive, navigate to C:\Program Files (x86)\VMware\JMP\com.
  4. Click Save.

6. Open the Services Applet

  1. To open the Services applet, right-click the Start button, and select Run.
  2. Type services.msc.
  3. Click OK.

7. Restart the JMP Services

Perform the following steps for each of these JMP services:

  • VMware JMP API Service
  • VMware JMP File Share Service
  • VMware JMP Platform Services

  1. Right-click the service name.
  2. Select Restart.
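The three certificate files placed in the preceding exercises (adCA.pem, horizon.cert.pem, and av-selfsigned.cert.pem) can be checked on the JMP server with the following PowerShell. It is an added example, not part of the original tutorial or of VMware's tooling. It confirms that each file is at the path given on this page, has not been left with a trailing .cer extension, holds one Base-64 certificate and no private key, is within its validity period, and, for adCA.pem, is a root certificate. The function name Test-JmpPemFile is hypothetical.

```powershell
# Added example (not VMware code). Run in PowerShell 5.0+ on the JMP server.
# File locations are the ones this tutorial gives; Test-JmpPemFile is a hypothetical name.

function Test-JmpPemFile {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$ExpectRoot      # adCA.pem must be a root (self-issued) certificate
    )
    $problems = New-Object System.Collections.Generic.List[string]
    $cert = $null

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $problems.Add('file not found')
        # The export wizard appends .cer when file name extensions are hidden.
        if (Test-Path -LiteralPath "$Path.cer") { $problems.Add("found $Path.cer; rename it") }
    }
    else {
        $text = [string](Get-Content -LiteralPath $Path -Raw)
        if ($text -match '-----BEGIN [A-Z ]*PRIVATE KEY-----') {
            $problems.Add('contains a private key; re-export without it')
        }
        $pem = [regex]::Matches($text,
            '-----BEGIN CERTIFICATE-----([A-Za-z0-9+/=\s]+)-----END CERTIFICATE-----')
        if ($pem.Count -ne 1) {
            # A DER (binary) export saved under a .pem name also lands here.
            $problems.Add("expected one Base-64 CERTIFICATE block, found $($pem.Count)")
        }
        else {
            try {
                $der  = [Convert]::FromBase64String(($pem[0].Groups[1].Value -replace '\s', ''))
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$der)
            } catch { $problems.Add("not a parsable X.509 certificate: $($_.Exception.Message)") }
        }
    }

    if ($cert) {
        $now = Get-Date
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $problems.Add("outside validity period ($($cert.NotBefore) to $($cert.NotAfter))")
        }
        # Name comparison only; it does not verify the signature.
        if ($ExpectRoot -and $cert.Subject -ne $cert.Issuer) {
            $problems.Add("not a root certificate; issued by $($cert.Issuer)")
        }
    }

    [pscustomobject]@{
        File       = Split-Path -Leaf $Path
        Ok         = ($problems.Count -eq 0)
        Subject    = if ($cert) { $cert.Subject }
        NotAfter   = if ($cert) { $cert.NotAfter }
        Thumbprint = if ($cert) { $cert.Thumbprint }
        Problems   = $problems -join '; '
    }
}

$com = 'C:\Program Files (x86)\VMware\JMP\com'
@(
    Test-JmpPemFile -Path "$com\XMS\config\adCA.pem" -ExpectRoot
    Test-JmpPemFile -Path "$com\horizon.cert.pem"
    Test-JmpPemFile -Path "$com\av-selfsigned.cert.pem"
) | Format-List
```

Compare each reported thumbprint with the one shown in the certificate's Details tab on the server it was exported from.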

Use the Horizon Console to Add the JMP Server

After you have installed the JMP server and placed the certificate files from the various servers in the correct location on the JMP server, you are ready to configure settings for the JMP integrated workflow.

Prerequisites for Adding the JMP Server

Before you perform this exercise, you need:

  • Administrator account – This is a domain account for the Administrator user (<domain-name>\Administrator). You will add this user to Horizon Administrator.
  • JMP server URL – Use the fully qualified domain name of the JMP server machine.
  • Connection Server certificate – This certificate must be exported in the correct format and placed on the JMP server machine in the correct location. See Place the Certificate for Connection Server in the JMP com Folder.

Important: For the purposes of this quick-start, because you are using a test environment rather than a production environment, you do not need to install CA-signed security certificates on your servers. However, if you do not use a CA-signed TLS certificate for the JMP server, your browser most likely will not recognize the default TLS certificate, and you will not be able to successfully complete this exercise. To resolve this issue, use either of the following options:

If you do not use either of these options, when you attempt to add the JMP server, you might get the following error message.

1. Add a New User to Horizon Administrator

  1. Log in to Horizon Administrator and navigate to View Configuration > Administrators.
  2. Click Add User or Group.

2. Add the Domain Administrator User

  1. In the Add Administrator or Permission dialog box, click Add.
  2. In the Find User or Group dialog box, select the domain for the Connection Server and JMP server.
  3. In the Name/User name text box, enter Administrator.
  4. Click Find.
  5. Select the domain Administrator user in the list.
  6. Click OK.

3. Give the User the Administrators Role

  1. On the Select administrators or groups page, click Next.
  2. On the Select a role page, select Administrators.
  3. Click Next.

4. Select the Root Access Group for the User

  1. Select the check box for Root ( / ).
  2. Click Finish.

The domain Administrator account now has full Horizon Administrator permissions.

5. Click Settings in the Horizon Console

Log in to the Horizon Console as the <domain-name>\Administrator (not as BUILTIN\Administrator), and click Settings. This <domain-name>\Administrator user is the user you just added in the previous steps.

The URL for the Horizon Console uses the following format:

https://<connection_server>.<domain>.com/newadmin

6. Click Add JMP Server

On the JMP Server tab, click Add JMP Server.

7. Add the JMP Server URL

Use the following format:

https://<jmp_server>.<domain>.com/

If you receive an error message, verify that:

  • In Horizon Administrator, you have added the <Domain>\Administrator user and given that user the Administrators role at the root level of Horizon Administrator.
  • You have exported the Connection Server certificate with the friendly name vdm to a base-64-encoded .pem file and placed it in the following location on the JMP server: C:\Program Files (x86)\VMware\JMP\com\horizon.cert.pem, as described in Place the Certificate for Connection Server in the JMP com Folder.
  • You have either installed a CA-signed TLS certificate on the JMP server, or you have configured your browser to accept the default self-signed certificate. See Configure the Browser to Accept the Default JMP Server Certificate.

If all goes well, the URL is validated.

Configure the Browser to Accept the Default JMP Server Certificate

If you do not use a CA-signed TLS certificate for the JMP server, your browser most likely will not recognize the default TLS certificate, and when you attempt to use the Horizon Console to add the JMP server, you see the following error message.

Figure 1: Attempting to Add the JMP Server When Its Certificate Is Not Trusted

After you succeed in adding the JMP server, if you attempt to use Horizon Console in a different browser or a browser on another computer, you might see the following error message.

Figure 2: Attempting to Access the JMP Server Settings from a Browser That Does Not Trust the JMP Server Certificate

You can either configure your browser to accept the self-signed certificate or you can install a CA-signed certificate on the JMP server, as described in Replace the Default TLS Certificate. The procedure for configuring your browser depends on which browser you are using:

Procedure for Configuring the Firefox Browser

Browser features and options can change as new versions are released. This procedure uses Firefox 60.0.2.

1. Browse to the URL for the JMP Server

As you can see, the browser cannot connect to the JMP server.

2. Open the Firefox Browser Menu

Click the menu button icon.

3. Select Options

4. Open the Privacy & Security Settings

Click Privacy & Security in the list of settings.

5. Click View Certificates in the Security Section

Scroll down to the Security section, and click View Certificates.

6. Click Add Exception on the Servers Tab

7. Enter an Exception for the JMP Server

  1. Enter the URL for the JMP server.
  2. Click Get Certificate.
  3. Select the Permanently store this exception check box.
  4. Click Confirm Security Exception.

8. Verify That the JMP Server Has Been Added to the List of Exceptions

On the Servers tab, verify that the JMP server is listed, and click OK.

You can now go back to the JMP Settings page in the Horizon Console. When you refresh your browser, the JMP server is validated.

Procedure for Configuring the Chrome Browser

Browser features and options can change as new versions are released. This procedure uses Google Chrome 67.0.3396.99.

1. Browse to the URL for the JMP Server and View Site Information

To view information about the self-signed certificate, click View site information.

2. Click Certificate

To open the Certificate dialog box, click Certificate.

3. Copy the Certificate Information to a File

On the Details tab, click Copy to File.

4. Click Next in the Certificate Export Wizard

5. Select the Base-64 Format

Select Base-64 encoded X.509 (.CER), and click Next.

6. Click Browse

7. Save the File

Name the file, and click Save. You can save the file in any location on your computer.

8. Click Next

9. Click Finish

The certificate file is saved with a .cer extension, as shown in the following screen shot. You do not need to install the certificate.

You can now go back to the JMP Settings page in the Horizon Console. When you refresh your browser, the JMP server is validated.

Procedure for Configuring the Internet Explorer Browser

Browser features and options can change as new versions are released. This procedure uses Internet Explorer 11.2312.14393.0.

1. Disable IE ESC If You Are Using Windows Server

To avoid responding to a large number of security alerts stating that content has been blocked, you can use Windows Server Manager to disable IE Enhanced Security Configuration. See How to Disable Internet Explorer Enhanced Security Configuration.

2. Click JMP Settings in the Horizon Console

Log in to the Horizon Console, and click Settings for the JMP server.

3. Click Yes in the Security Alert

Click Yes when the Security Alert dialog box prompts you. The JMP server is validated.

Add the Other Servers to the JMP Settings

In this exercise, you will add the URLs and credentials for accessing the servers for the components of the JMP integrated workflow, which includes the Connection Server, the Active Directory server, the App Volumes Manager server, and the User Environment Manager Configuration Share file server.

Note: The steps for configuring the App Volumes Manager settings and the User Environment Manager configuration share settings are optional. When creating JMP assignments, you are not required to use these components, but later exercises in this quick-start tutorial do use these components.

Prerequisites for Adding the Other Servers to JMP Settings

Before you perform this exercise, you need:

  • Security certificates for the Active Directory and App Volumes machines – You can use CA-signed certificates or the default self-signed certificates. These certificates must be exported in the correct format and placed on the JMP server machine in the correct location. See Place the Root Certificate from the AD Server in the JMP Configuration Folder and Place the Certificate for App Volumes Server in the JMP com Folder.
  • Server information for the JMP components – Use the following table to organize the required information about the various servers involved in the JMP integrated workflow.
    Tip: The user (service) accounts for each of the components require the administrator-level role for that component. To simplify your setup in a test environment, you could create one account, with the user name Administrator, and use that account for all the server components. You could then use the same credentials for all four of the components.

| Field Name | Description | Configuration Information for Your Server |
|---|---|---|
| Connection Server URL | Example: https://connection_server.mycompany.com | |
| Horizon 7 service account credentials | User name and password for a user with the Administrators role in the root level in Horizon Administrator. For this exercise, we will use the domain Administrator user you added when you added the JMP server. | |
| Horizon Administrator Service Account Domain | NETBIOS domain name for the Horizon 7 service account, which does not include .com. Example: mycompany | |
| Active Directory NETBIOS Name | The same NETBIOS domain name as was used for the Service Account Domain. You will select this name from a drop-down list. | |
| Active Directory Protocol | The protocol used by your Active Directory. For the example in this exercise, our lab was set up to use LDAP (non-secure). For a production environment, the protocol is usually LDAP over TLS. | |
| Active Directory Bind User Name and Bind Password | Most likely, these are the credentials for the administrator user. | |
| App Volumes Manager URL | Example: https://app_vol_mgr.mycompany.com | |
| App Volumes service account credentials | User name and password for a user with the Administrators role in App Volumes Manager. | |
| App Volumes Service Account Domain | The NETBIOS domain name for the App Volumes service account, which does not include .com. Example: mycompany | |
| User Environment Manager File Share UNC Path | This is the UNC path to the User Environment Manager configuration share. For details on setting up this share, see Quick-Start Tutorial for User Environment Manager. Example: \\file\UEM_Config | |
| User Environment Manager User Name and Password | User name and password for a User Environment Manager administrator account to connect to the User Environment Manager configuration share. | |
| Active Directory domain for User Environment Manager | The NETBIOS domain name for the User Environment Manager user account. You will select this name from a drop-down list. | |

Table: Server Information for Configuring JMP Integrated Workflow Settings

1. Add the Connection Server

  1. Log in to the Horizon Console, and click Settings.
  2. Click the Horizon 7 tab.
  3. Click Add Credentials.

2. Add Credentials for Horizon Administrator

Add the information you gathered as part of Prerequisites for Adding the Other Servers to JMP Settings. The Connection Server URL is already populated.

3. Add the Active Directory Server

  1. Click the Active Directory tab.
  2. Click Add.

4. Add Credentials for the Active Directory Server

Add the information you gathered as part of Prerequisites for Adding the Other Servers to JMP Settings. After you select the domain from the NETBIOS Name list, the DNS Domain Name text box and the Context text box are automatically populated.

5. Add the App Volumes Manager Server

  1. Click the App Volumes tab.
  2. Click Add.

6. Add Credentials for App Volumes Manager

Add the information you gathered as part of Prerequisites for Adding the Other Servers to JMP Settings. If you use a load balancer in front of two App Volumes Managers, enter the URL for the load balancer in the App Volumes Server URL text box.

7. Add a User Environment Manager File Share

  1. Click the UEM tab.
  2. Click Add.

8. Add the Credentials for the User Environment Manager Configuration Share

Add the information you gathered as part of Prerequisites for Adding the Other Servers to JMP Settings.

You are now ready to create a JMP assignment. If you ever need to change any of the settings you just configured in this exercise, see Managing JMP Settings.