VCAP-DTA Section 8 Notes

By | February 11, 2014

Section 8 – Secure a View Implementation

 Objective 8.1 – Configure and Deploy Certificates

Configure two-factor/smart card authentication, including the truststore

  • Obtain the root CA certificate or export the certificate from the Microsoft CA (PKI).
  • Verify that the keytool utility is in the system path on your View Connection Server or security server host (see the Administration guide). Location below:-
    • VMware\VMware View\Server\jre\bin
  • On your View Connection\Security Server, use the keytool utility to import the root certificate into the server truststore file:
    • keytool -import -alias alias -file root_certificate.cer -keystore truststorefile.key
  • Copy the truststore file to the SSL gateway configuration folder on the View Connection\Security Server:
    • VMware\VMware View\Server\sslgateway\conf\truststorefile.key
  • Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection\Security Server host:
    • VMware\VMware View\Server\sslgateway\conf\locked.properties
  • The example locked.properties below specifies that the root certificate for all trusted users is located in the file lonqa.key, sets the truststore type to JKS, and enables certificate authentication:
    • trustKeyfile=lonqa.key
    • trustStoretype=JKS
    • useCertAuth=true
  • Restart the View Connection\Security Server service.
  • Configure smart card authentication via View > Config > Servers > Connection Servers:
    • Optional or Required
  • Configure any smart card removal policies in the same window.
  • Restart the View Connection Server service.
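The keytool steps above, as an added PowerShell example that is not part of the original notes: it inspects the exported root certificate before trusting it (CA basic constraint, validity), imports it into a JKS truststore, verifies that the stored fingerprint matches the file, and stages the truststore in sslgateway\conf. The certificate path, install path, alias and store password are assumptions for illustration.

```powershell
# Added example (not from the original notes): build the View truststore from a root CA .cer
# with keytool, verify the import, and stage it in sslgateway\conf. Paths, alias and the
# store password are assumptions for illustration; adjust to your environment.
param(
    [string]$RootCert   = 'C:\certs\root_ca.cer',                          # assumed export from the Microsoft CA
    [string]$ViewHome   = 'C:\Program Files\VMware\VMware View\Server',   # assumed install path
    [string]$Truststore = 'truststorefile.key',
    [string]$Alias      = 'corp-root-ca',
    [string]$StorePass  = 'changeit'
)
$ErrorActionPreference = 'Stop'
$keytool = Join-Path $ViewHome 'jre\bin\keytool.exe'
$confDir = Join-Path $ViewHome 'sslgateway\conf'

# 1. Inspect the certificate before trusting it: it must be a CA certificate and still valid.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCert
$isCa = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
    ForEach-Object { $_.CertificateAuthority }
if (-not $isCa) { throw "$RootCert does not carry a CA basic constraint; refusing to add it to the truststore." }
if ($cert.NotAfter -lt (Get-Date)) { throw "$RootCert expired on $($cert.NotAfter)." }
# Compare this thumbprint against the value your PKI team published before continuing.
Write-Host "Importing '$($cert.Subject)' thumbprint $($cert.Thumbprint)"

# 2. Import into a JKS truststore (-noprompt answers keytool's 'Trust this certificate?' question).
& $keytool -importcert -noprompt -trustcacerts -alias $Alias -file $RootCert `
    -keystore $Truststore -storetype JKS -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 3. Verify the alias is present and the stored fingerprint matches the file we imported.
$listing = & $keytool -list -v -keystore $Truststore -storetype JKS -storepass $StorePass -alias $Alias
if ($LASTEXITCODE -ne 0) { throw "alias $Alias not found in $Truststore" }
$sha1 = ($listing | Select-String 'SHA1:').Line -replace '.*SHA1:\s*', '' -replace ':', ''
if ($sha1 -ne $cert.Thumbprint) { throw "fingerprint in truststore ($sha1) does not match $RootCert" }

# 4. Stage the truststore where the SSL gateway reads it.
Copy-Item $Truststore (Join-Path $confDir $Truststore) -Force
Write-Host "Truststore staged in $confDir; reference it as trustKeyfile=$Truststore in locked.properties and restart the Connection Server service."
```

Run it from an elevated prompt on the Connection Server or Security Server; the fingerprint comparison in step 3 is what catches a truststore that was built from the wrong file.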

Configuring smartcard authentication

VMware Pubs 

  • Configure and deploy View certificates
    • Install Microsoft CA role as ‘root CA’ on server
    • Use the provided template for request.inf (VMware KB).
    • Amend as required (Country can only be 2 letters). Include SAN entries, if required.
    • Use the certreq tool to generate a request: certreq -new request.inf request.txt
    • Browse to the CA server at http://server/certsrv and choose Request Certificate > Advanced Certificate.
    • Submit a certificate request using Base-64-encoded…
    • Paste the request.txt contents into the ‘Saved Request’ field and submit.
    • Change the Certificate Template to ‘Web Server’.
    • Download the certificate and import it into the Local Computer certificate store on the specific server (Connection\Security\Composer), under Personal > Certificates.
    • Open the properties of the old certificate and rename its ‘Friendly name’ to ‘old-vdm’.
    • Open the properties of the new certificate and ensure its ‘Friendly name’ is set to ‘vdm’.
    • Restart View Connection Server service
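The request and friendly-name steps above, as an added PowerShell example that is not from the original notes or the VMware KB template: it writes a request.inf with SAN entries, generates the CSR with certreq, accepts the issued certificate into the Local Computer store, and sets the friendly names so exactly one certificate is called ‘vdm’. Host names, organisation fields and file paths are assumptions for illustration.

```powershell
# Added example (not from the original notes or the VMware KB template): generate a View certificate
# request with certreq, install the issued certificate, and set the friendly names View relies on.
# Host names, organisation fields and file paths are assumptions for illustration.
param(
    [string]$Fqdn       = 'view.example.com',            # assumed Connection Server FQDN
    [string[]]$SanNames = @('view.example.com', 'view'),
    [string]$WorkDir    = 'C:\certs',
    [string]$IssuedCer  = 'C:\certs\view-issued.cer'     # Base-64 certificate downloaded from http://<ca>/certsrv
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'request.inf'
$req = Join-Path $WorkDir 'request.txt'

# SAN lines: certreq continues a {text} extension with _continue_ entries, each ending in '&'.
$sanLines = ($SanNames | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"

# request.inf: 2048-bit RSA, machine key set, exportable so the cert can be moved to another View server,
# Server Authentication EKU, SAN extension (2.5.29.17), Web Server template. Country must be 2 letters.
@"
[Version]
Signature="`$Windows NT`$"
[NewRequest]
Subject = "CN=$Fqdn, OU=IT, O=Example Ltd, L=London, S=London, C=GB"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
$sanLines
[RequestAttributes]
CertificateTemplate = WebServer
"@ | Set-Content -Path $inf -Encoding ASCII

# Step 1: create the CSR (paste request.txt into the CA web enrollment 'Saved Request' field).
& certreq.exe -new $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed ($LASTEXITCODE)" }
if (-not (Test-Path $IssuedCer)) {
    Write-Host "CSR written to $req; rerun after downloading the issued certificate to $IssuedCer"
    return
}

# Step 2: accept the issued cert, pairing it with the pending private key in the Local Computer store.
& certreq.exe -accept $IssuedCer
if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed ($LASTEXITCODE)" }

# Step 3: View selects the certificate whose friendly name is exactly 'vdm'. Demote any existing
# 'vdm' certificate to 'old-vdm' first so only one 'vdm' remains, then label the new one.
$new = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $IssuedCer
$store = Get-ChildItem Cert:\LocalMachine\My
$store | Where-Object { $_.FriendlyName -eq 'vdm' -and $_.Thumbprint -ne $new.Thumbprint } |
    ForEach-Object { $_.FriendlyName = 'old-vdm' }
$installed = $store | Where-Object { $_.Thumbprint -eq $new.Thumbprint }
if (-not $installed -or -not $installed.HasPrivateKey) {
    throw 'issued certificate is not in LocalMachine\My with its private key'
}
$installed.FriendlyName = 'vdm'

# Sanity check before restarting the Connection Server service: exactly one 'vdm', SAN present.
$vdm = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) { throw "expected one certificate named 'vdm', found $($vdm.Count)" }
$vdm[0] | Format-List Subject, DnsNameList, NotAfter, Thumbprint
```

The script is written to be run twice: once to produce request.txt, and again after the issued certificate has been saved, so the web enrollment step in the middle stays manual as in the notes.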
  • Configure certificate revocation checking using the locked.properties file

Create or edit the locked.properties file in the SSL gateway configuration folder on the View Connection\Security Server (VMware\VMware View\Server\sslgateway\conf\locked.properties) and add:

enableRevocationChecking=true

Example file:-

trustKeyfile=lonqa.key
trustStoretype=JKS
useCertAuth=true
enableRevocationChecking=true
crlLocation=http://root.ocsp.net/certEnroll/ocsp-ROOT_CA.crl
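The locked.properties file from the smart card section and the revocation settings above, as one added PowerShell example that is not part of the original notes: it refuses the weak combination (useCertAuth=true without enableRevocationChecking=true), checks that the truststore named in trustKeyfile is actually in the configuration folder, downloads and parses the CRL so an unreachable distribution point is caught before it blocks every logon, writes the file, and restarts the service. The install path, CRL URL and the service name wsbroker are assumptions for illustration.

```powershell
# Added example (not from the original notes): write locked.properties for smart card authentication
# with revocation checking, refusing the weak configuration (cert auth on, revocation off), then
# confirm the CRL URL is reachable and parseable. Paths, URL and service name are assumptions.
param(
    [string]$ConfDir     = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf',  # assumed install path
    [string]$TrustKey    = 'lonqa.key',
    [string]$CrlLocation = 'http://root.ocsp.net/certEnroll/ocsp-ROOT_CA.crl',
    [string]$ServiceName = 'wsbroker'   # assumed service name of the View Connection Server service
)
$ErrorActionPreference = 'Stop'

# Desired settings, in the key=value form the SSL gateway reads.
$settings = [ordered]@{
    trustKeyfile             = $TrustKey
    trustStoretype           = 'JKS'
    useCertAuth              = 'true'
    enableRevocationChecking = 'true'
    crlLocation              = $CrlLocation
}

# Guard: certificate authentication without revocation checking keeps accepting revoked cards.
if ($settings.useCertAuth -eq 'true' -and $settings.enableRevocationChecking -ne 'true') {
    throw 'useCertAuth=true without enableRevocationChecking=true: revoked smart cards would still log in.'
}
if (-not (Test-Path (Join-Path $ConfDir $settings.trustKeyfile))) {
    throw "truststore $($settings.trustKeyfile) is not in $ConfDir; import it with keytool first."
}

# Check the CRL distribution point before committing to it: an unreachable CRL blocks every logon.
$crlFile = Join-Path $env:TEMP 'check.crl'
Invoke-WebRequest -Uri $CrlLocation -OutFile $crlFile -UseBasicParsing
$dump = & certutil.exe -dump $crlFile
if ($LASTEXITCODE -ne 0) { throw "certutil could not parse the CRL downloaded from $CrlLocation" }
$next = ($dump | Select-String 'NextUpdate:').Line
Write-Host "CRL retrieved; $next"

# Write the file, keeping a timestamped copy of any existing one.
$path = Join-Path $ConfDir 'locked.properties'
if (Test-Path $path) { Copy-Item $path "$path.$(Get-Date -Format yyyyMMddHHmmss).bak" }
$settings.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" } | Set-Content -Path $path -Encoding ASCII

# The gateway reads locked.properties at start-up, so restart the service and show the result.
Restart-Service -Name $ServiceName
Get-Content $path
```

The NextUpdate line from certutil is worth reading: a CRL whose NextUpdate has already passed will be treated as stale, which has the same effect on logons as an unreachable one.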

Smartcard revocation checking

  • Perform a certificate replacement using sviconfig

View Composer requires an SSL certificate that is signed by a CA (certificate authority). If you intend to replace an existing certificate, or the default self-signed certificate, with a new certificate after you install View Composer, you must import the new certificate and run the SviConfig ReplaceCertificate utility to bind your new certificate to the port used by View Composer.

  • Stop the View Composer service.
  • Change to the View Composer installation folder: Program Files (x86) > VMware > Composer
  • sviconfig -operation=replacecertificate -delete=false
  • Start the View Composer service.
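The sviconfig steps above, as an added PowerShell example that is not part of the original notes: it checks that a CA-signed certificate with a private key is present before stopping the service, runs ReplaceCertificate with -delete=false so the old certificate stays available for rollback, and then reads the HTTPS binding back with netsh to confirm which certificate Composer is now using. The service name svid, the sviconfig path and the port 18443 are assumptions for illustration.

```powershell
# Added example (not from the original notes): rebind View Composer to a newly imported CA-signed
# certificate with sviconfig and confirm the HTTPS binding afterwards. The service name, install
# path and port are assumptions for illustration.
param(
    [string]$ServiceName = 'svid',                                                              # assumed Composer service name
    [string]$SviConfig   = 'C:\Program Files (x86)\VMware\VMware View Composer\sviconfig.exe',  # assumed path
    [int]$Port           = 18443                                                                # assumed Composer port
)
$ErrorActionPreference = 'Stop'

# Composer needs a CA-signed cert with a private key in LocalMachine\My; refuse to proceed on self-signed only.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -ne $_.Issuer -and $_.NotAfter -gt (Get-Date) })
if ($candidates.Count -eq 0) { throw 'no CA-signed certificate with a private key found; import the new certificate first.' }
Write-Host "Eligible certificates:"; $candidates | Format-Table FriendlyName, Subject, NotAfter, Thumbprint

Stop-Service -Name $ServiceName
# -delete=false keeps the previous certificate in the store so a rollback is possible.
# sviconfig lists the eligible certificates and asks which one to bind, so run this interactively.
& $SviConfig -operation=ReplaceCertificate -delete=false
if ($LASTEXITCODE -ne 0) { throw "sviconfig ReplaceCertificate failed with exit code $LASTEXITCODE" }
Start-Service -Name $ServiceName

# Verify which certificate hash is now bound to the Composer port.
$binding = & netsh.exe http show sslcert ipport=0.0.0.0:$Port
$hashLine = ($binding | Select-String 'Certificate Hash').Line
if (-not $hashLine) { throw "no SSL binding found on port $Port" }
$hash = ($hashLine -split ':\s*')[-1].Trim()
if ($candidates.Thumbprint -notcontains $hash) {
    throw "port $Port is bound to $hash, which is not one of the eligible CA-signed certificates"
}
Write-Host "View Composer on port $Port now uses certificate $hash"
```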

Objective 8.2 – Harden View Components and View Desktops

**See View Administration and View Security guides**
