Step 1: Install the Pulse Client and Dependencies
- From the Linux client, run the following command to install the Pulse client:
sudo dpkg --install /mnt/hgfs/shared_dir/pulse-5.3R1.i386.deb
- Install the dependency packages by running the following script:
/usr/local/pulse/PulseClient.sh install_dependency_packages
Step 2: Verify Pulse installation
Go to Applications and confirm that the Pulse client is installed with the following application icon:
Step 3: Install the client-side certificate to the Pulse certificate store
- Run the following command to see the options for installing the certificate to the Pulse certificate store:
/usr/local/pulse/PulseClient.sh install_certificates
Important! Pay close attention to the username stated during certificate installation. The certificate will only be available to that user. It is not recommended to proceed as 'root'.
- Enter 'y' to confirm the client certificate is being installed for the local signed-in user.
- The client certificate installation options will be displayed on screen along with options to view and delete certificates from the Pulse Linux certificate store.
Step 4a: Install a certificate in .pem or .der format
- To install the certificate in .pem or .der format, use the following command:
/usr/local/pulse/PulseClient.sh install_certificates -inpriv </PathtoCertPasswordFile/passwordFile.key> -inpub </locationOfCertificate/cert.pem>
- Specify the location and file name of the private key password file with the -inpriv option.
- Specify the location and file name of the certificate file with the -inpub option.
Example:
/usr/local/pulse/PulseClient.sh install_certificates -inpriv /mnt/hgfs/shared_dir/certs/fruitCert.key -inpub /mnt/hgfs/shared_dir/certs/fruitCert.pem
(In the example above the private key password file and the certificate file are located in the same network share directory. The files can be in different directories. Just be sure to specify the proper location for each.)
- Enter 'y' to verify the certificate is being installed for the local user.
- Verify that the certificate was successfully installed with the output: Successfully added certificate to Pulse Certificate store.
Note: If the import fails, ensure "Login" exists in the "Password and Keys" menu. If it does not exist, logging out and logging in again should create the Login keyring.
Step 4b: Install a certificate in .pfx or .p12 format
- To install the certificate in .pfx format, use the following command:
/usr/local/pulse/PulseClient.sh install_certificates -inpfx /mnt/hgfs/shared_dir/10.30.113.196.pfx
- Enter 'y' to confirm the client certificate is being installed for the local signed-in user.
- Enter the import password.
- Verify that the certificate was successfully installed with the output: Successfully added certificate to Pulse Certificate store.
Note: If the import fails, ensure "Login" exists in the "Password and Keys" menu. If it does not exist, logging out and logging in again should create the Login keyring.
Step 5: Add new connection to Pulse and connect
- Launch Pulse and click the '+' button to add a connection.
- Add a name for the connection.
- Enter the connection URL. (Obtain from PCS admin.)
- Click Save. The connection will be added to the Pulse connection list.
- Click Connect to launch the new connection.
- If multiple certificates are found in the Pulse certificate store they will be displayed under the connection.
- Click View to display the certificate details for each certificate.
- Select the certificate and click Continue.
- The "Connect" button will change to "Disconnect" once the connection is complete.
- Click the expand button for the active connection to view the status.
- Click File > Connections > Advanced to confirm VPN connectivity.
Troubleshooting Steps:
Run the following command to check whether the certificate is installed:
/usr/local/pulse/./PulseClient_x86_64.sh list_installed_certificates
This should list all installed certificates. If "No Certificates Found" appears, then check the following directory for a .PEM certificate.
ls -l ~/.pulsesecure/pulse/certificates/
-rw-r--r--@ 1 JTAC JTAC 1570 Sep 5 11:24 jTf65alvZgxc-pub.pem
If a .PEM certificate does not exist, then change the file extension to .PEM using the mv command, then run the list_installed_certificates switch again.
If the certificate is not listed:
If the certificate is not listed, then check the permissions on the files in the ~/.pulsesecure/pulse/certificates/ directory. In the above example, JTAC has permission to the public key file. If the current login user is different, then execute the chown command to ensure the current login user has permission to the files.
For example, if the current login user is support, then the following command would be executed:
sudo chown support ~/.pulsesecure/pulse/certificates/public.*
If the certificate is listed:
Check the pulsesvc.log for the following entries:
cert_store.error Failed to find the keys from gnome keyring for certificate public_tmp (cert_store.cpp:186)
pulseui.info No certificate found in cert store (pulseCertAuth.cpp:244)
- Ensure the private key entry exists under "Password and Keys"
- An entry for Pulse Service should exist
- In Details tab
- The owner is pulsesvc
- The key-name matches the public key filename in the certificate directory.
- Ensure the complete certificate chain is installed under Trusted Client CAs on the Pulse Connect Secure device (including all root certificate, intermediate certificate(s) and the signer certificate).
- Under Trusted Client CAs, confirm the checkbox is enabled for Participate in Client Certificate Negotiation for the CA that signs the end user certificates.
Refer to the Configuring Options for Trusted Client CA Certificates section in the PCS Admin Guide for more details.
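The client-side troubleshooting checks above (certificate file extension and ownership, then the two pulsesvc.log entries) collected into a small shell helper. This is an added example, not Pulse Secure tooling: the function names, finding labels and sample files are constructed here, and the log path is an argument because this page does not state where pulsesvc.log is written.

```shell
#!/bin/sh
# Added example, not Pulse Secure code. Message text is as quoted on this page;
# function names, finding labels and the sample data are constructed here.

# One finding per problem in a Pulse certificate directory.
# $1 = certificate directory, $2 = user who must own the files
check_cert_dir() {
    dir=$1 want=$2 found=0
    [ -d "$dir" ] || { echo "MISSING_DIR $dir"; return 0; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        found=1
        case $f in
            *.pem|*.PEM) ;;
            *) echo "NOT_PEM ${f##*/}" ;;
        esac
        owner=$(ls -ld "$f" | awk '{print $3}')
        [ "$owner" = "$want" ] || echo "WRONG_OWNER ${f##*/} owner=$owner"
    done
    [ "$found" -eq 1 ] || echo "NO_FILES $dir"
}

# Classify the two pulsesvc.log entries quoted above.
# $1 = path to pulsesvc.log (assumption: supplied by the caller)
scan_pulse_log() {
    log=$1
    [ -r "$log" ] || { echo "NO_LOG $log"; return 0; }
    keyring=$(grep -c 'Failed to find the keys from gnome keyring' "$log" || true)
    nocert=$(grep -c 'No certificate found in cert store' "$log" || true)
    if [ "$keyring" -gt 0 ]; then
        echo "KEYRING_KEY_MISSING"  # check the Pulse Service entry in "Password and Keys"
    elif [ "$nocert" -gt 0 ]; then
        echo "NO_CERT_IN_STORE"
    else
        echo "CLEAN"
    fi
}

# Demo on constructed sample data.
demo() {
    d=$(mktemp -d) && mkdir "$d/certs"
    : > "$d/certs/sample-pub.pem"; : > "$d/certs/sample-pub.der"
    printf '%s\n' \
        'cert_store.error Failed to find the keys from gnome keyring for certificate public_tmp (cert_store.cpp:186)' \
        'pulseui.info No certificate found in cert store (pulseCertAuth.cpp:244)' > "$d/pulsesvc.log"
    check_cert_dir "$d/certs" "$(id -un)"
    scan_pulse_log "$d/pulsesvc.log"
    rm -rf "$d"
}
demo
```

Against a real installation, call check_cert_dir "$HOME/.pulsesecure/pulse/certificates" "$(id -un)" as the user who will run Pulse, not through sudo.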