How To: vSphere Client to vCenter Using HTTP
When developing SimDK I had to perform a lot of traffic captures to see what was actually occurring between vSphere clients and the vSphere SDK web service. Wireshark worked wonderfully for listening to messages between PowerShell or Perl and vCenter because these clients can connect to the vCenter server over HTTP without SSL encryption. The vSphere client, however, is (seemingly) hardwired to use SSL, and I was having no luck listening to the traffic between it and the vCenter server. Even when I decrypted the traffic using VMware’s provided key, Wireshark was not able to reassemble all the packets in the correct order, and anything short of all the traffic was useless to me. Hence began my quest to discover how to connect to the vCenter server with the vSphere client using HTTP. The official response from VMware was that you cannot configure the vSphere client to communicate with the vCenter server without SSL.
Here’s how to configure the vSphere client to communicate with the vCenter server without SSL.
It’s actually a deceptively simple process.
- On the vCenter server edit the file C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\proxy.xml and change all instances of httpsWithRedirect to httpAndHttps.
- Open the Service Control Manager (SCM) and restart the VMware VirtualCenter Management Webservices and VMware VirtualCenter Server services (you may only need to restart the first one, I cannot remember, so restart them both to be safe).
- On your client open the path the vSphere client Launcher folder. For example, C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher.
- Copy the files VpxClient.exe and VpxClient.exe.config. Name the copies VpxClient-http.exe and VpxClient-http.exe.config.
- Edit the file VpxClient-http.exe.config and change the line <add key = “protocolports” value = “https:443″/> to <add key = “protocolports” value = “http:80″/>.
- Launch the vSphere client with the copied executable and try connecting to the vCenter server you just reconfigured to accept non-SSL connections. You should receive a warning similar to the following:
Connecting to a vCenter server with the vSphere client using HTTP
Congratulations! You just did what VMware said couldn’t be done :)
And FYI, if you tell the vSphere client to remember your response above, you can tell it to forget that memory by removing the server you connected to from this registry key HKEY_CURRENT_USER\Software\VMware\Virtual Infrastructure Client\Preferences\UI\SavedDialogResponses.
Filed under: security, virtualization | 3 Comments
Tags: client, http, https, security, ssl, vmware, vsphere
Hi Andrew, thanks for those instructions! We have been using an intermediary SSL-”proxy” (socat, linux-based, I guess there are similar apps for Windows) to dump the traffic up until now, but this here might be a viable alternative. P.S.: The sourceforge URL for SimDK in this post has a typo (fourge instead of forge).
FYI: There is no actual need to edit anything on the client, you can just enter “http://your.address” into the “IP address / Name” field and it will use http instead of https.
The bit about the server setting was helpful though, thanks.
Very nifty!