How to setup VMware vCenter "web" client on Pale Moon [Feb 2018]

Post your tutorials for using applications or performing related tasks here.
Note: Not for "how do I...?" Questions!
Forum rules
Tutorials and Howtos should only relate to developed software, and not to third party applications. e.g.: Don't post a generic Howto for configuring a firewall.
If you have a question how to do something, you should use one of the support boards, not this board. It is meant for people to document and post instructions.
klipkyle
Hobby Astronomer
Hobby Astronomer
Posts: 27
Joined: 2018-01-28, 23:11

How to setup VMware vCenter "web" client on Pale Moon [Feb 2018]

Unread post by klipkyle » 2018-02-08, 21:38

How to setup VMware vCenter "web" client on Pale Moon [Feb 2018]

Introduction

The VMware vCenter "web" client has a thorny history. In vCenter 5 through 6.0, the "web" client is a mixture of Adobe Flash and custom NPAPI plugins. Unfortunately for VMware, the "big two" browsers (Google Chrome and Mozilla Firefox) wish to rid the web of Flash and NPAPI.

As a result, I have spent increasing amounts of time over the past year maintaining configurations that can run the "web" client. (As part of my current job, I need to make sure the software that I develop deploys properly in various configurations of VMware.)

I am happy to report that all versions of the VMware vCenter "web" client that I have tested work under the 32-bit version of Pale Moon on Windows 10.

History/Background

When I started using the VMware "web" client in January 2017, the vCenter "web" client worked on Google Chrome until about April 2017. Then, Google Chrome began taking increasingly fascist steps to lie to websites about Adobe Flash not being installed. This made things difficult. Google Chrome then disabled NPAPI plugins. This broke the vCenter "web" client.

I configured Firefox to talk to vCenter. Firefox at the time was making large platform changes, so I installed Firefox 52 ESR, and the vCenter "web" client was appeased.

However, Firefox 52 ESR will reach end of life on 18 August 2018, and NPAPI support in Firefox will end with Firefox 52 ESR. Seeing that my platform is about to crumble under me for a third time, I proactively started looking for solutions. I have so far been impressed with Pale Moon's ability to run Firefox NPAPI plugins.

Ingredients

Required Software

Windows 10 64-bit

Unless otherwise noted, the base platform used is Windows 10 64-bit. Although I have not tested it, I suspect that the vCenter "web" client will work in Pale Moon on earlier versions of Windows.

Pale Moon (32-bit version)

Unless otherwise noted, the edition of Pale Moon installed is 27.7.2 32-bit version. The goal is to retain compatibility with 32-bit only NPAPI plugins.

Your mileage may vary with the 64-bit version of Pale Moon. In my testing, vCenter 6.0 and later work fine with 64-bit Pale Moon. However, earlier incarnations require 32-bit Pale Moon.

Adobe Flash

Almost all VMware "web" client stuff requires Adobe Flash. Download Adobe Flash from the official download page. Append "&standalone=1" to the download URL to download a full package instead of a stub installer. Test your installation by loading the About page of Adobe Flash in Pale Moon.

Client Integration Plugin

The vCenter "web" client in versions 6.0 and earlier requires the Client Integration Plugin (vmware-csd) to perform certain tasks such as OVA deployment. The Client Integration Plugin is a piece of software that runs locally and allows vCenter to ask your computer what is on the local file system.

vCenter will prompt you to download and install the Client Integration Plugin if it is not installed. Sometimes, if the Client Integration Plugin is installed but not configured correctly, vCenter will prompt you to download and install it again!

Now for the annoying part: each version of vCenter has its own Client Integration Plugin. You must install the version corresponding to the version of vCenter. Some versions are 32-bit only (<6.0), and some are 32-bit and 64-bit (6.0).

Optional software

VMware Remote Console (VMRC)

The VMware Remote Console allows from the Web UI easy invocation of a native application that interacts with the console of a VM. There is a standalone VMRC that can be installed, but a VMware account is required to download it. Alternatively, VMware Workstation (if you have it installed) assumes the role of VMRC and opens the console inside VMware Workstation.

Plan B software

Always have a backup plan. If the "web" client breaks again for any reason, you can fall back to one of these lesser or "legacy" clients.

C# (Thick) client

The old Windows-native vSphere Console still works through vCenter 6.0. It does everything that it used to do, but it does not take advantage of new features added to the "web" client.

The C# client cannot connect to vCenter 6.5. It can, however, connect to a bare-metal VMware ESXi 6.5 hypervisor.

VMware Workstation

VMware Workstation can connect to vCenter, even vCenter 6.5. This makes VMware Workstation a handy emergency console if things break (if you have access to VMware Workstation).

True HTML5 Web UIs

ESXi 6.5 and vCenter 6.5 have true HTML5 web UIs, but they have limitations. However, they do make good emergency consoles.

ovftool

When all else fails, bring out the command line. Ovftool can do everything that the GUI can do, but it has a steep learning curve and is rather painful to use.

VMware products

I have successfully wrangled Pale Moon so that it can talk to the following VMware products.

vCenter 6.5 "web" client

Use either the 32 or 64-bit version of Pale Moon.

Install Adobe Flash.

You are done! The vCenter 6.5 Web UI only requires Adobe Flash. I have successfully run the 6.5 Web UI fully-fledged on both Windows (32 and 64-bit Pale Moon) and Linux (64-bit Pale Moon).

Optionally install VMware Remote Console (or use VMware Workstation) for a native console application.

vCenter 6.0 "web" client

Use either the 32 or 64-bit version of Pale Moon.

Install Adobe Flash.

vCenter 6.0 requires the Client Integration Plugin 6.0 for some tasks, such as deploying an OVA. Install the Client Integration Plugin when prompted.

Exit Pale Moon. Import the SSL certificate that belongs to the Client Integration Plugin. (See the detailed explanation under Troubleshooting for more information about this certificate.) Launch a cmd.exe window and run the following command while Pale Moon is closed. (Replace "pfunk" with your real user name and "deadbeef" with the random alphanumeric prefix of your Pale Moon profile.)

Code: Select all

"C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\certutil.exe" -A -n vmware-localhost -t TC,, -i C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -d "C:\Users\pfunk\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\deadbeef.default"
Verify that vmware-localhost appears in the output of the following command, as well as the Pale Moon Certificate Manager under Tools > Preferences > Advanced > Certificates > View Certificates > Authorities.

Code: Select all

"C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\certutil.exe" -L -d "C:\Users\pfunk\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\deadbeef.default"
That's it! If you are lucky, the Client Integration Plugin works in Pale Moon, and it is possible to deploy an OVA through the web interface.

The vCenter 6.0 Web UI with the Client Integration Plugin is by far the flakiest of all the configurations I have tested in this tutorial. In my testing, it often broke for no apparent reason under both Pale Moon and Firefox 52. (Tip: If you configure plugins as "Ask to Activate", try activating Flash before launching vmware-csd.)

vCloud 5.5

vCloud attempts to go beyond vCenter and provide a system for leasing computing resources to multiple organizations (the buzzy term is "private cloud"). The UI has a few more dependencies.

Use the 32-bit version of Pale Moon.

You need:
  • Adobe Flash
  • VMware Remote Console Plugin 5.5 (32-bit only) for viewing VM consoles
  • VMware Client Integration Plugin 5.5 (32-bit only) for deploying VMs.
I think my Remote Console Plugin was installed alongside VMware Workstation, but there are standalone versions. The UI should prompt you to install it. If not, search VMware's website and download it.

Install the VMware Client Integration Plugin 5.5. The UI will prompt you to install it. You may need to install the SSL certificate as indicated in the above section on vCenter 6.0.

White-list the three plugins listed above to run automatically on your vCloud's host.

Also, white-list pop-ups from your vCloud host. Otherwise, the console session will expire before you can manually allow the popup window.

I have personally verified that the Remote Console Plugin works on Pale Moon. As far as I can tell, the Client Integration Plugin works too, but there is currently something horribly wrong with the server side of my vCloud setup preventing me from uploading OVA images.

Troubleshooting

Client Integration Plugin SSL certificate is installed in Firefox

Symptom: When running the Client Integration Plugin under Pale Moon, the plugin attempts to add a CA to Firefox's profile directory and then quits with a useless message:
The VMware Client Integration Plugin has updated its SSL certificate in Firefox.

Please restart Firefox.
Explanation: Verifying the logs under AppData\Local\VMware\CIP\ui\sessions\*, it's clear that the CA is added to Firefox's default profile directory.

The plugin's CA must be added to Pale Moon. From what I can determine, vmware-csd appears to run an HTTPS web server on localhost, and Pale Moon (through the Client Integration NPAPI plugin) talks to this HTTPS web server.

What's more is that the certificate isn't really a CA. It is missing the "CA:TRUE" flag from the X509 Basic Constraints Extension. (This is verifiable by running "openssl x509 -in cert.pem -text" on the certificate. There is no Basic Constraints section at all!)

Therefore, attempting to import the CA into the GUI of either Pale Moon or Firefox 52 will yield the following alert message.
This is not a certificate authority certificate, so it can't be imported into the certificate authority list.
Resolution: Manually add the CA with certutil. VMware provides a binary of certutil under the installation directory for Client Integration Plugin 6.0. Open cmd.exe and run the following command. Exit Pale Moon first. (Replace "pfunk" with your real user name and "deadbeef" with the random alphanumeric prefix of your Pale Moon profile.)

Code: Select all

"C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\certutil.exe" -A -n vmware-localhost -t TC,, -i C:\ProgramData\VMware\CIP\csd\ssl\cert.pem -d "C:\Users\pfunk\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\deadbeef.default"
Verify that "vmware-localhost" appears in the following list:

Code: Select all

"C:\Program Files (x86)\VMware\Client Integration Plug-in 6.0\certutil.exe" -L -d "C:\Users\pfunk\AppData\Roaming\Moonchild Productions\Pale Moon\Profiles\deadbeef.default"
Client Integration Plugin 6.0 *still* doesn't work

Symptom: when deploying an OVA from the vCenter 6.0 "web" client, the "web" client complains that the Client Integration Plugin is not installed and prompts to install it. The plugin is already installed and running.

Root problem: unknown. In my testing, I have seen this problem in both Firefox 52 and Pale Moon, so it is not a Pale Moon problem.

Workaround: Try resetting as much state as possible:
  1. Exit Pale Moon.
  2. Kill any remaining vmware-csd.exe processes.
  3. (Optionally) Reboot. ("Have you tried turning it off and on again?")
  4. If you configure plugins as "Ask to Activate", try activating Flash before launching vmware-csd.
Plugins are missing from Pale Moon

Symptom: Firefox 52 ESR (32-bit) is showing a multitude of plugins installed under about:addons. Pale Moon (64-bit) is only showing a few plugins.

Explanation: Some plugins are built for both 64-bit and 32-bit browsers. However, some plugins (particularly VMware plugins for vCenter <6.0) are built for only 32-bit browsers.

Resolution: Uninstall 64-bit Pale Moon and install 32-bit Pale Moon. (This will keep your profile data by default.)

Conclusion

Enterprise computing is all about predictability. Major breaking changes are painful in enterprise computing. If something breaks, money is lost (which angers management). If a UI changes, people need to be retrained (which costs time and/or sanity).

Mozilla Firefox and Google Chrome do not have the interests of enterprise computing in mind. They make major changes and break things with little warning and a complete disregard to software running in the wild. The VMware "web" client is one such application they broke.

Fortunately, the VMware "web" client runs under Pale Moon just as well as it ran under older versions of Firefox. I highly suspect that other such snowflake configurations will run under Pale Moon too. The reason is because Pale Moon is the true spiritual successor to the original Firefox.

Pale Moon has graduated. Now is the time to consider Pale Moon seriously in an enterprise environment. The Pale Moon team only makes a major change if there is a very strong reason to make it. A Pale Moon release two years from now will look and act a lot like the Pale Moon release of today (except it will probably be faster and more optimized).

I hope the information in this guide is useful and saves you the days of cumulative time I have spent configuring the VMware "web" client to work under Google Chrome, Firefox ESR, and finally Pale Moon.

Locked