...
A Connection Server upgrade appears to be completed but the console fails to load.

You see the following error in the Connection Server debug log (see Location of Horizon View log files (1027744)):

    [BrokerMessageSecurity]Could not configure message security: Invalid parameter for levelString: null

Additional log lines:

    Message validation failure: Signature validation failed: Key not found for identity:
    Message validation failure: Mismatch of signature 'tunnel/ | MSMessageSecurity] Failed to sign message
    MSMessageSecurity] Failed to sign message: Cannot sign message

This issue does not persist when you revert to your previous build of Horizon.
If upgrading to Horizon 2209 when message security is set to MIXED, JMS does not operate correctly. Message security needs to be set to ON or ENHANCED.

When you first install VMware Horizon on a system, the message security mode defaults to Enhanced. If you upgrade VMware Horizon from a previous release, the message security mode remains unchanged from its existing setting.
MIXED message security is meant to be a transitional mode and we do not expect the environment to remain in this state beyond one day. Upgrades to Horizon 2209 in this state have been found to fail. See Message Security Mode for Horizon Components in VMware Horizon 8.

Executive Overview:
Ensure replication is healthy between components.
Verify any change in mode successfully propagates.
Ensure all components are on the new security mode and Horizon is operational and healthy before proceeding with the upgrade.

If you follow the guidelines below and cannot fully move from the transitional state, see Enhanced Security Status is stuck in PENDING ENHANCED after changing Message Security Mode from Enabled or Mixed to Enhanced in Global Settings in Horizon (91923) for detailed guidance on clearing a stuck transitional state.
Note: Before proceeding with a security mode change:
Verify that the dashboard icons for every Connection Server are green. Ensure no replication issues exist before the upgrade. Any red icon may indicate a replication issue, which needs to be corrected before any change in message security status. Forcing replication between ADAM databases (1021805) documents command-line options to verify replication status and next steps.
Ensure all Connection Servers and agents are available so that the change is activated.
Set message security to ON or ENHANCED before upgrading and ensure all components have moved to your chosen steady-state mode.

Because the change is made in phases, the Enhanced Security Status field shows the progress through the phases:
Waiting for Message Bus restart is the first phase. This state is displayed until you manually restart either all Connection Server instances in the pod or the VMware Horizon Message Bus Component service on all Connection Server hosts in the pod.
Pending Enhanced is the next state. After all Horizon Message Bus Component services have been restarted, the system begins changing the message security mode to Enhanced for all desktops.
Enhanced is the final state, indicating that all components are now using Enhanced message security mode.

Procedure: The Message Security Status setting can be changed via the command line or the administrative console.

Administrative Console:
1. Navigate to Settings -> Global Settings -> Security Settings
Location: https://brokerfqdn/admin/#/main/global_settings/securitySettings

After you change the setting, the new setting takes effect in stages.
You must manually restart the VMware Horizon Message Bus Component service on all connection broker hosts in the pod, or restart the connection broker instances.
After the services are restarted, the connection broker instances reconfigure the message security mode on all desktops, changing the mode to your new setting.
To monitor the progress in the console, go to Settings > Global Settings. On the Security Settings tab, the Enhanced Security Status item will show the new setting when all components have made the transition.

Command Line: Alternatively, you can use the vdmutil command-line utility to monitor progress. See Using the vdmutil Utility to Configure JMS Message Security Mode.

Sample Commands (note: case sensitive)

Check the Current Security Mode:

    PS C:\Users\user1> vdmutil --getMsgSecLevel --authAs username --authDomain domain --authPassword Password
    MsgSecLevel: ENHANCED

Check any components awaiting transition to a new mode:

    PS C:\Users\user1> vdmutil --listPendingMsgSecStatus --authAs username --authDomain domain --authPassword Password
    MsgSecMode: ENHANCED
    MsgSecLevel: ENHANCED
    The local Pod has successfully entered ENHANCED mode

After successfully changing the mode and verifying that every component has completed the transition, ensure that you can connect to your Horizon administrative dashboard and that a desktop can be launched successfully. The upgrade to 2209 should then be successful.
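The pre-upgrade check described above can be scripted. The following PowerShell is an added example, not VMware code and not part of the original article: the function name Test-MsgSecReady and the MIXED sample line are assumptions, and it recognizes vdmutil output only in the form shown above, reporting "not ready" when the confirmation line is absent.

```powershell
# Added example (not VMware code): gate an upgrade on vdmutil output.
$StableModes = @('ON', 'ENHANCED')   # steady-state modes named in the article

function Test-MsgSecReady {
    param(
        [string[]]$LevelOutput,    # lines from vdmutil --getMsgSecLevel
        [string[]]$PendingOutput   # lines from vdmutil --listPendingMsgSecStatus
    )
    $result = [ordered]@{ Ready = $false; Level = $null; Reason = '' }
    foreach ($line in $LevelOutput) {
        # Case-sensitive match on the reported mode name
        if ($line -cmatch '^\s*MsgSecLevel:\s*(\S+)\s*$') { $result.Level = $Matches[1] }
    }
    if (-not $result.Level) {
        $result.Reason = 'MsgSecLevel not found in output'
    } elseif ($StableModes -cnotcontains $result.Level) {
        $result.Reason = "$($result.Level) is not a steady-state mode"
    } else {
        # Fail closed: require the confirmation line in the form the article shows.
        # Assumption: the same wording is printed for ON as for ENHANCED.
        foreach ($line in $PendingOutput) {
            if (($line -cmatch 'successfully entered (\S+) mode') -and
                ($Matches[1] -ceq $result.Level)) { $result.Ready = $true }
        }
        if ($result.Ready) { $result.Reason = 'Pod is in a steady-state mode' }
        else { $result.Reason = 'No confirmation that the pod entered the mode' }
    }
    [pscustomobject]$result
}

# Constructed sample output, modelled on the output shown in this article.
$sampleLevel   = @('MsgSecLevel: ENHANCED')
$samplePending = @('MsgSecMode: ENHANCED', 'MsgSecLevel: ENHANCED',
                   'The local Pod has successfully entered ENHANCED mode')
$sampleMixed   = @('MsgSecLevel: MIXED')   # constructed: transitional mode

Test-MsgSecReady -LevelOutput $sampleLevel -PendingOutput $samplePending
Test-MsgSecReady -LevelOutput $sampleMixed -PendingOutput @()

# Live use on a Connection Server (username/domain are placeholders). Per the
# vdmutil documentation, '*' prompts for the password instead of leaving it in
# the command history:
#   $lvl  = vdmutil --getMsgSecLevel --authAs username --authDomain domain --authPassword '*'
#   $pend = vdmutil --listPendingMsgSecStatus --authAs username --authDomain domain --authPassword '*'
#   Test-MsgSecReady -LevelOutput $lvl -PendingOutput $pend
```

A result with Ready set to False means the upgrade should wait until the mode change has been completed and verified.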
If the described symptoms are seen after upgrading to 2209 or later, revert to your previous version and follow the resolution steps.
Stable message security modes are ON and ENHANCED.
Enhanced message security gives much better performance and is recommended.
New installations operate with enhanced message security.
For more details on message security, refer to Message Security Mode Options.