Create and Configure the VMware Identity Manager Connector
Installing the VMware Identity Manager Connector:
The VMware Identity Manager Connector is an on-premises component of Workspace ONE Access that provides directory integration, user authentication, and integration with resources such as Horizon 7. The VMware Identity Manager Connector is deployed in outbound connection mode and does not require inbound port 443 to be opened. The VMware Identity Manager Connector communicates with Workspace ONE Access through a websocket-based communication channel.
In the interest of time, you initiated a task at the beginning of this lab that runs the VMware Identity Manager Connector installer for you. After the installation completes, you will configure the VMware Identity Manager Connector to integrate it with your Workspace ONE Access tenant and to configure SSL. The connector installs with a self-signed certificate that you will replace with a wildcard certificate.
The VMware Identity Manager Connector installer is a simple install that requires minimal input to complete. If you wish to view the official VMware documentation for installing the VMware Identity Manager Connector, please reference this article.
The following VMware Identity Manager Connector installer configurations were made on your behalf in the interest of time:
- The latest major JRE version has been installed.
- The connector hostname was configured as conn-01.corp.local over port 443.
NOTE: Only port 443 is supported for VMware Identity Manager Connector.
- The connector was configured to run as a domain user account (CORP\administrator).
NOTE: A Domain user account is required if you wish to connect Active Directory over Integrated Windows Authentication or use Kerberos authentication.
- The default destination folder (C:\VMware\) was used.
Continue to the next step when you are ready to begin configuring your local VMware Identity Manager Connector.
1. Add a Legacy Connector in Workspace ONE Access
This Hands-on Lab is using the Legacy Connector (19.03), so you will need to add a Legacy Connector instead of the new 20.01 connector.
- Click Identity & Access Management
- Click Setup
- Click Legacy Connectors
- Select Use legacy connectors
- Click OK
3. Generate the Connector Activation Code
- Enter Lab for the Connector ID Name
- Click Generate Activation Code
3.1. Copy the Connector Activation Code
- Double-click the Connector Activation Code textbox to select the activation code
- Right-click and click Copy
- Click OK
3.2. Confirm the Connector is Created
When the Connectors page loads, you will see that the Lab connector you created now exists but the hostname shows Connector not activated.
The Connector Activation Code you copied in the previous step will be supplied to your locally installed VMware Identity Manager Connector to activate the service and integrate it with the Lab connector you just created. Until the Connector Activation Code is supplied, this connector will be inactive.
4. Activate the Connector
To activate the locally installed VMware Identity Manager Connector, you need to connect to the connector setup page. The setup page is available at {hostname}:8443/cfg, where {hostname} is the value you provided during the VMware Identity Manager Connector installer (already configured as conn-01.corp.local for you).
In Google Chrome,
- Click the WS1 bookmark folder
- Right-click the Conn-01 Setup bookmark
- Click Open in new tab
This bookmark has been pre-set for your convenience to navigate to the VMware Identity Manager Connector setup page, which is available at https://conn-01.corp.local:8443/cfg.
4.1. Accept the SSL Certificate Error
- Click the tab you just opened
- Click Advanced
- Click Proceed to conn-01.corp.local (unsafe)
Why am I seeing an SSL Certificate issue for this page?
This is because the VMware Identity Manager Connector installs with a self-signed certificate when the installer completes. We have not yet configured an SSL certificate for you so that you can complete this step yourself to learn the process. Because the self-signed certificate does not match our host (conn-01.corp.local), you see this SSL certificate error.
NOTE: If you do not see the page load, then the VMware Identity Manager Connector Installer has not finished and launched the connector service. Wait a few moments and then refresh the page and try again.
4.2. Create the Appliance Administrator Account Credentials
First you will configure the Appliance Administrator Account (admin) for future logins. You will need to provide these appliance administrator credentials to modify the appliance.
- Enter VMware1! for the password
- Enter VMware1! to confirm the password
- Click Continue
4.3. Paste the Activation Code
- Right-Click inside the Activation Code textbox and click Paste to paste the Activation Code copied from the previous step when creating the "Lab" Connector from the Workspace ONE Access Console
- Click Continue
NOTE: While the page loads and refreshes, DO NOT close or manually refresh the page until you see the Setup is Complete screen shown in the next step! It may take several minutes for the appliance to confirm the activation code.
4.4. Supply the Outbound Proxy Information (IF NEEDED)
IMPORTANT: If prompted for the Outbound Proxy, follow the below steps. If you are not prompted for this information, skip to the next step.
The Hands-on Labs infrastructure requires an outbound proxy to reach your SaaS Workspace ONE Access tenant, so you will configure that now. If your environment does not have an outbound proxy, you would not need to confirm these settings.
- Click Enable for Proxy
- Enter router-110.corp.local:3128 for the Proxy host with port
NOTE: If you do have an outbound proxy, note that the Proxy host MUST be a hostname and cannot be configured with an IP address!
- Enter *.corp.local for the Non-Proxied hosts list
- Click Continue
NOTE: While the page loads and refreshes, DO NOT close or manually refresh the page until you see the Setup is Complete screen shown in the next step! It may take several minutes for the appliance to confirm the activation code.
4.5. Confirm the Setup Completed
When the configuration has saved successfully, you will see the Setup is complete page.
Continue to the next step when this screen is displayed.
5. Configure the Connector SSL Certificate
- Click the WS1 Bookmark folder
- Click the Conn-01 SSL Configuration bookmark
Now that the Connector is activated, you will need to configure the SSL certificate. This can be configured at the following URL, which has been bookmarked for your convenience: https://conn-01.corp.local:8443/cfg/ssl.
5.1. Login to the Appliance (IF NEEDED)
If prompted, log in to the Connector appliance using the credentials you configured during setup.
- Enter VMware1!
- Click Login
NOTE: If you are not prompted to log in, continue to the next step.
5.2. Import the Certificate File
You will now supply a trusted wildcard certificate.
- Click the Server Certificate tab
- Select Custom Certificate for SSL Certificate
- Click Choose File for the Import Certificate File
5.3. Select the PFX File
- Click Documents
- Click HOL
- Click Workspace ONE Access
- Click corp.local.wildcard.pfx
- Click Open
5.4. Provide the PFX Password
Because a PFX is provided rather than a PEM certificate with a private key file, you will need to enter the password for the PFX file.
- Enter VMware1! for the password
- Click Save
NOTE: After clicking save, the certificate will be installed and the server will be restarted. DO NOT manually refresh or navigate away from the page while this completes! This process may take a few minutes.
Once the loading wheel disappears, continue to the next step.
5.5. Login to the Appliance (IF NEEDED)
If prompted, log in to the Connector appliance using the credentials you configured during setup.
- Enter VMware1!
- Click Login
NOTE: If you are not prompted to log in, continue to the next step.
6. Update Proxy Configuration
The page will automatically refresh once the SSL configuration is saved and applied.
- Click Proxy Configuration.
- Select Enable for the Proxy setting.
- Enter router-110.corp.local:3128 for the proxy host with port.
- Enter *.corp.local for the Non-Proxied hosts.
- Click Save.
6.1. Close Connector Configuration Page
- Wait until you see the Checking if server is up ... 1/10 line output to the console. You will be closing this window to confirm that the SSL certificate applied successfully, so you will not wait for this page to refresh.
- Click Close on the current tab once the Checking if server is up ... 1/10 line is output.
7. Confirming the Connector SSL Certificate Install
You will now navigate to the connector page in an incognito browser to confirm the SSL certificate was applied.
- Click the Options (...) button in Google Chrome
- Click New incognito window
7.1. Return to the Connector Appliance page
- Click the WS1 bookmark folder
- Click the Conn-01 SSL Configuration bookmark
7.2. Confirm the SSL Certificate is Trusted
- Click the Secure link next to the address
- Confirm that you see the connection is secure and that the Certificate is trusted and marked as valid
- Click Close to close the incognito session
You have now configured the SSL certificate for your Connector!
7.3. Restart the VMware IDM Connector Service (IF NEEDED)
If the certificate successfully updated, continue to Verify the Connector Activated. If the VMware Identity Manager Configuration page is still presenting the old certificate (conn-01.corp.local), you can manually restart the VMware IDM Connector service to apply this change.
- Double-click the Conn-01.rdp link on the Main Console desktop.
- Click the Windows Services shortcut on the task bar.
- Scroll down to find the VMware IDM Connector service.
- Right-click the VMware IDM Connector service.
- Click Restart.
- Click Close (X) on the remote desktop connection bar for the conn-01.corp.local server to return to the main console.
Once the service restarts, you can navigate back to the Connector configuration page (https://conn-01.corp.local:8443/cfg/) to confirm the certificate applied successfully after the restart.
NOTE: When you navigate back to the Connector configuration page, it may take a minute or two for the page to load, because the VMware IDM Connector service provides this page and will still be coming online after the restart. If so, wait a minute or two and reload the page to see if the service is back online.
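The browser confirmation in steps 7.2 and 7.3 can also be scripted. The Python below is an added example, not part of the lab or of VMware's tooling: it performs a verified TLS handshake against the connector on port 8443 using the system trust store and lists the reasons a certificate would fail, including the single-label rule that decides whether a wildcard such as *.corp.local covers a host. Certificate dictionaries are assumed to be in the format returned by Python's ssl.getpeercert().

```python
import socket
import ssl
from datetime import datetime, timezone

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 matching: '*' may only stand for the whole left-most label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        # require at least two fixed labels after the wildcard
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def evaluate_cert(cert: dict, hostname: str, now: datetime) -> list:
    """Return findings for a certificate dict in ssl.getpeercert() format."""
    findings = []
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(san_matches(s, hostname) for s in sans):
        findings.append(f"no SAN covers {hostname}: {sans}")
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed (issuer equals subject)")
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if expires <= now:
        findings.append(f"expired on {expires:%Y-%m-%d}")
    return findings

def check_endpoint(host: str, port: int = 8443) -> list:
    """Verified handshake against the system trust store, then evaluate."""
    ctx = ssl.create_default_context()    # chain and hostname checks enabled
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return [f"handshake rejected: {exc.verify_message}"]
    return evaluate_cert(cert, host, datetime.now(timezone.utc))

if __name__ == "__main__":
    # Lab hostname from the page; it only resolves inside the lab network.
    print(check_endpoint("conn-01.corp.local") or "certificate trusted")
```

An empty result means the certificate chained to a trusted root, covers the hostname, and has not expired; a connection error instead of a result usually means the connector service is still starting.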
8. Verify the Connector Activated
Return to the Workspace ONE Access Admin Console tab,
- Click the Refresh button in the browser
- Click Identity & Access Management
- Click Setup
- Click Legacy Connectors
- Confirm that the Lab Connector now shows the Hostname as conn-01.corp.local.
This confirms that you have successfully set up and installed the VMware Identity Manager Windows Connector!