
August 9th, 2021 07:00

Cannot get 5030 teradici client to handshake w/ WMS

Hello all!

 

I'm having a hard time getting my 5030 (fw 5.5.1) to handshake with WMS 3.2.1 44.

 

I have a certificate installed on both the device and the server and all I'm getting is the message "Idle - Failed to connect due to a certificate issue".  I am unable to get help from professional services because they want an insane amount of money and want to bill my company for 40 hours of work where I'll only need less than one.  Has anyone had experience with setting these devices up?  It's an internally hosted WMS environment.

 

Thanks in advance!!

 

Steve Hurd

Volta Inc.

Louisville, KY

3 Apprentice

 • 

704 Posts

August 12th, 2021 05:00

It clearly does not like the certificate and you are right with your strategy.  Load the cert locally, then after that works, move to the thumbprint via DHCP/DNS for automation (with the blessing of C.O.N.G.R.E.S.S, of course).

I still think you need to validate that the cert provided by your network team is the same one you can see at https://wmsfqdn:5172

If they don't match, you will get the error.
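One way to run the comparison suggested in the reply above: take the SHA-256 fingerprint of the certificate served on port 5172 and of the file supplied by the network team, and check that they are equal. This is an added example, not part of the original thread or of Dell or Teradici tooling; the function names are hypothetical, the two sample certificates are constructed stand-ins, and the fingerprint format the device itself displays is not assumed.

```python
import hashlib
import re
import ssl

WMS_PORT = 5172  # port named in the thread
_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def first_cert_der(pem_text):
    """DER bytes of the first certificate block in a PEM file."""
    match = _CERT.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return ssl.PEM_cert_to_DER_cert(match.group(0))


def sha256_fingerprint(pem_text):
    """Colon-separated SHA-256 digest of the certificate's DER encoding."""
    digest = hashlib.sha256(first_cert_der(pem_text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_served_pem(host, port=WMS_PORT):
    """Leaf certificate presented on host:port. No validation is done here,
    so a self-signed certificate can still be retrieved for inspection."""
    return ssl.get_server_certificate((host, port))


def same_certificate(served_pem, supplied_pem):
    return sha256_fingerprint(served_pem) == sha256_fingerprint(supplied_pem)


# Constructed stand-ins, not real certificates, so the comparison runs offline.
SERVED = ssl.DER_cert_to_PEM_cert(b"constructed: self-signed localhost cert")
SUPPLIED = "Bag Attributes\n" + ssl.DER_cert_to_PEM_cert(
    b"constructed: cert issued for the WMS FQDN")

if __name__ == "__main__":
    print("served  :", sha256_fingerprint(SERVED))
    print("supplied:", sha256_fingerprint(SUPPLIED))
    print("match   :", same_certificate(SERVED, SUPPLIED))
    # Live check: same_certificate(fetch_served_pem("wmsfqdn"), open(path).read())
```

A mismatch means the listener on 5172 is still presenting a different certificate from the one loaded on the device.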

 

3 Apprentice

 • 

704 Posts

August 9th, 2021 12:00

Which certificate did you load on the device? 

The certificate to use is not the one at https://wmsserver; it is the one at https://wmsserver:5172

If you want to have your devices register with WMS, without manually loading the cert, then have a look at the admin guide.

Page 130 covers using DHCP Option tags or DNS_SRV records to provide the expected certificate thumbprint to the device.

https://dl.dell.com/topicspdf/wyse-wms_administrator-guide11_en-us.pdf 

 

August 11th, 2021 10:00

It was one created for me by my customer's network team.  It has the fqdn of the wms server, but I don't think it has an entry in the SAN field.  I'm trying to get the devices manually registered first without making changes to DHCP options or DNS records.  Both of those will take an act of c.o.n.g.r.e.s.s. (it wouldn't let me post using that word without the periods - weird) to approve by the Network team.  I may have to go that route, but I want to try this first.

August 11th, 2021 11:00

This is the event log from the teradici zero client (I deleted the fqdn)

 

2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :EM did not meet the full certificate verification requirement
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Certificate verification overall result: FAILED
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :SHA256 fingerprint match setting: Always
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :SHA256 fingerprint match result: NOT DONE
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Self-signed setting: Only trusted self-signed certificates are allowed
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Self-signed result: FAILED
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Server certificate is self-signed
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Trusted setting: Untrusted certificates are never allowed
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Trusted result: FAILED
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Server certificate is NOT trusted
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Server certificate chain has 1 certificate:
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :1) Leaf certificate PASSED
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM : subject localhost
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM : issued by localhost
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM : valid from 2021-07-14 15:22:16 to 2029-09-30 15:22:16
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Certificate store has 1 trusted root/intermediate certificate:
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :1) =================is valid from
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM : 2021-07-23 02:05:49 to 2023-07-23 02:15:49
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Validity setting: Check certificate validity when the current time is known
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Validity result: PASSED
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Current time is '2021-08-11 18:41:09'
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Hostname setting: Only allow certificates with the correct subject
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Hostname result: FAILED
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Expected hostname: =====================
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Server certificate subject and alternative names:
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :RSA key length: At least 1024-bit
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :ECC key length: No minimum length required
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Key length result: PASSED
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Server certificate key: RSA key, 2048-bit
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Key usage field setting: Not required for any certificate in the chain
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Key usage result: PASSED
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Revocation setting: Attempt but continue if authority is unreachable
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :Revocation result: NOT DONE
2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :No OCSP responder specified in server certificate
2021-08-11T18:41:09.11Z> LVL:1 RC:-500 WEBSOCKET :internal_msg_process_thread_entry: ws_open_ssl_verify_fn() failed. Closing connection...
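A log like the one above is easier to triage when each check is reduced to its setting, result and detail lines. The parser below is an added example, not part of the original post or of any Teradici tool; the line layout is assumed from the posted log only, the function names are hypothetical, and `SAMPLE` is an excerpt rebuilt from the posted messages.

```python
import re

LINE = re.compile(r"^\S+> LVL:\d+ RC:\s*-?\d+ (\w+)\s*:(.*)$")
FIELD = re.compile(r"^(.+?) (setting|result): (.+)$")
PREFIX = "2021-08-11T18:41:09.10Z> LVL:2 RC: 0 MGMT_PEM :"
# Excerpt of the event log posted above, rebuilt from its message texts.
SAMPLE = "\n".join(PREFIX + m for m in [
    "EM did not meet the full certificate verification requirement",
    "Certificate verification overall result: FAILED",
    "",
    "SHA256 fingerprint match setting: Always",
    "SHA256 fingerprint match result: NOT DONE",
    "",
    "Self-signed setting: Only trusted self-signed certificates are allowed",
    "Self-signed result: FAILED",
    "Server certificate is self-signed",
    "",
    "Hostname setting: Only allow certificates with the correct subject",
    "Hostname result: FAILED",
])


def parse_checks(log_text):
    """Map each check name to its setting, result and detail lines."""
    found = [m.group(2).strip() for m in map(LINE.match, log_text.splitlines())
             if m and m.group(1) == "MGMT_PEM"]
    checks = {}
    # An empty message ends a block; each block describes one check.
    for block in "\n".join(found).split("\n\n"):
        name, entry = None, {"setting": None, "result": None, "details": []}
        for text in block.split("\n"):
            field = FIELD.match(text)
            if field and field.group(2) == "result":
                name, entry["result"] = field.group(1), field.group(3)
            elif field:
                entry["setting"] = field.group(3)
            elif text:
                entry["details"].append(text)
        if name:
            checks[name] = entry
    return checks


def failed_checks(log_text):
    """Names of the checks whose result line reads FAILED."""
    return sorted(name for name, check in parse_checks(log_text).items()
                  if check["result"] == "FAILED")

if __name__ == "__main__":
    print(failed_checks(SAMPLE))
```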

 

August 12th, 2021 10:00

I was able to upload the self-signed cert to the Teradici device and got a connection!  Now, I just need to bind the one I was given to port 5172 on the server.

3 Apprentice

 • 

704 Posts

August 12th, 2021 10:00

Page 129 of the admin guide covers the location of the cert, and the name. 

We do not explicitly outline the steps to replace the self-signed certificate with a private one.

https://dl.dell.com/topicspdf/wyse-wms_administrator-guide11_en-us.pdf

I am glad you got it working.

 

August 12th, 2021 10:00

It looks like that's exactly what is happening.  The cert on the 5172 port is the self-signed one.  How do I change it to the one I was assigned?

August 12th, 2021 11:00

Is it just standard tomcat-related instructions?

August 12th, 2021 11:00

For these devices, is it possible to do a vnc-like connection to them?  Back when I used this product (ini file days) I had an option to vnc to the device's desktop for troubleshooting purposes.  Can I still do that?

3 Apprentice

 • 

704 Posts

August 12th, 2021 12:00

Teradici based devices do not support VNC or any other remoting. 
