I’ve just come across a new issue where the latest release of VMware Horizon fails to connect to an SQL Server to configure the Event Database.
The only error message you get is “An error occurred while attempting to configure the database. Double check the database parameters and ensure that the database is not down, restarting, or otherwise unavailable.”
This problem is caused by VMware Horizon dropping support for certificate signature algorithms including SHA1 and SHA512.
Finding the cause of an error in VMware Horizon
To confirm this is the problem you are experiencing, let's check the Connection Server debug log stored in the following location on your Connection Server:
C:\ProgramData\VMware\VDM\logs\debug-[year]-[month]-[timestamp].txt
For confirmation that this is the issue you are facing, you are looking for the key phrase "DATABASE_CONNECTION_FAILED#" accompanied by "Certificates do not conform to algorithm constraints."
ERROR (1EF4-23E0) <ajp-nio-127.0.0.1-8009-exec-8> [FaultUtilBase] InvalidRequest: {#DATABASE_CONNECTION_FAILED#} Unable to update database settings; database connection failed: SQL exception when connecting to database: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:xxxx
ERROR (1EF4-23E0) <ajp-nio-127.0.0.1-8009-exec-8> [RestApiServlet] Unexpected fault:(vdi.fault.InvalidRequest) {
errorMessage = {#DATABASE_CONNECTION_FAILED#} Unable to update database settings; database connection failed: SQL exception when connecting to database: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption. Error: "Certificates do not conform to algorithm constraints". ClientConnectionId:xxxx
} for uri /view-vlsi/rest/v1/EventDatabase/update
Unfortunately, this does not tell us about what certificate algorithm is being used by the SQL server.
The Database Server being used for the Event Database is using Windows Server 2016 and SQL Server 2016. The DBA had not configured an SSL certificate against the database, or the SQL Server as a whole.
So without full access to confirm, we worked on the assumption that it had a default self-signed certificate from when it was originally installed, and that this was likely SHA1.
To fix this we need to add these certificate signature algorithms to the override in the VMware Horizon ADAM database.
You can find details about connecting to the ADAM Database on VMware KB2012377
Connect to the VMware Horizon ADAM Database
- Start the ADSI Edit utility on your Horizon Connection Server.
- In the console tree, select Connect to.
- In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name DC=vdi, DC=vmware, DC=int
- In the Select or type a domain or server text box, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server computer followed by port 389.
- Click OK.
- Select and expand DC=vdi,dc=vmware,dc=int.
- Go to ou=properties, then ou=global, and open Properties on cn=common.
- Find the LDAP attribute pae-SSLServerSignatureSchemes and add the following entry: \LIST:rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha1
- Find the LDAP attribute pae-SSLClientSignatureSchemes and add the following entry: \LIST:rsa_pkcs1_sha256,rsa_pkcs1_sha384,rsa_pkcs1_sha1
- IMPORTANT: The new list must include at least rsa_pkcs1_sha256 and rsa_pkcs1_sha384 to avoid breaking other outgoing connections.
- In my example below I have needed to add SHA512withRSA as well as SHA1 for my vCenter Connection.
- Restart the Connection server service on all brokers in the cluster.
- Configure your Event Configuration as required and you should no longer receive the “An error occurred while attempting to configure the database.” error message and you will start recording events.
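As an added example (not from the original post or from VMware), the following PowerShell applies the same two attribute changes without ADSI Edit and refuses any list that drops the schemes the IMPORTANT note says must stay. It assumes it runs on the Connection Server with rights to the ADAM instance, that both attributes hold a single string in the \LIST: form shown above, and that localhost:389 is reachable; the default list is the SHA1 plus SHA512 set from the references below.

```powershell
# Added example, not the post's or VMware's own code.
# Sets pae-SSLServerSignatureSchemes and pae-SSLClientSignatureSchemes in the
# Horizon ADAM instance after checking the list still contains the schemes
# required for other outgoing connections. Assumes single-valued string attributes.
param(
    [string]$Server = 'localhost:389',
    # Scheme list to apply; default is the SHA1 + SHA512 list from the post.
    [string[]]$Schemes = @('rsa_pkcs1_sha256', 'rsa_pkcs1_sha384',
                           'rsa_pkcs1_sha1', 'rsa_pkcs1_sha512',
                           'rsa_pss_rsae_sha512', 'rsa_pss_pss_sha512'),
    [switch]$WhatIf   # show current and proposed values without writing
)

Add-Type -AssemblyName System.DirectoryServices

$Required = @('rsa_pkcs1_sha256', 'rsa_pkcs1_sha384')   # from the IMPORTANT note
$Dn       = 'CN=Common,OU=Global,OU=Properties,DC=vdi,DC=vmware,DC=int'
$Attrs    = @('pae-SSLServerSignatureSchemes', 'pae-SSLClientSignatureSchemes')

# Refuse a list that would break the vCenter and other outgoing connections.
$missing = $Required | Where-Object { $Schemes -notcontains $_ }
if ($missing) {
    throw "Scheme list is missing required scheme(s): $($missing -join ', ')"
}

$newValue = '\LIST:' + ($Schemes -join ',')
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$Dn")

foreach ($attr in $Attrs) {
    $current = $entry.Properties[$attr].Value
    Write-Host "$attr current value: $current"
    if ($current -eq $newValue) {
        Write-Host "$attr already set, skipping"
        continue
    }
    if ($WhatIf) {
        Write-Host "Would set $attr to $newValue"
        continue
    }
    $entry.Properties[$attr].Value = $newValue
    $entry.CommitChanges()
    Write-Host "$attr set to $newValue"
}
# The change only takes effect after the Connection Server service is restarted
# on every broker in the cluster, as in the steps above.
```

Run it first with -WhatIf to see the current values on each broker before writing anything.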
References
For reference, the default list of schemes is as follows:
rsa_pss_rsae_sha384
rsa_pss_rsae_sha256
rsa_pss_pss_sha384
rsa_pss_pss_sha256
rsa_pkcs1_sha384
rsa_pkcs1_sha256
If you require SHA1 you need to add
rsa_pkcs1_sha1,rsa_pss_rsae_sha1,rsa_pss_pss_sha1
If you require SHA512 you need to add
rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_pss_sha512
If you require both SHA1 for SQL and SHA512 for the vCenter connection, like I did, you need to add the following, otherwise the vCenter connection will fail again.
rsa_pkcs1_sha1,rsa_pkcs1_sha512,rsa_pss_rsae_sha512,rsa_pss_pss_sha512
VMware have also deprecated other protocols and ciphers in Horizon
The following protocols and ciphers are disabled by default:
- SSLv3
- TLSv1 and TLSv1.1
- RC4
NOTE: It is not possible to enable support for ECDSA certificates. These certificates have never been supported.
Further details of these are HERE