Security

Table Of Contents

Default Global Policies for Security Protocols and Cipher

Suites

Global acceptance and proposal policies enable certain security protocols and cipher suites by default.

Table 4‑1. Default Global Policies

Default Security Protocols Default Cipher Suites

TLS 1.2

TLS 1.1

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

TLS_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA

GCM cipher suites are not enabled by default for performance reasons.

Conﬁguring Global Acceptance and Proposal Policies

Global acceptance and proposal policies are defined in View LDAP attributes. These policies apply to all

View Connection Server instances and security servers in a replicated group. To change a global policy,

you can edit View LDAP on any View Connection Server instance.

Each policy is a single-valued attribute in the following View LDAP location:

cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int

Global Acceptance and Proposal Policies Deﬁned in View LDAP

You can edit the View LDAP attributes that define global acceptance and proposal policies.

Global Acceptance Policies

The following attribute lists security protocols. You must order the list by placing the latest protocol first:

pae-ServerSSLSecureProtocols = \LIST:TLSv1.2,TLSv1.1,TLSv1

The following attribute lists the cipher suites. This example shows an abbreviated list:

pae-ServerSSLCipherSuites = \LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA

The following attribute controls the precedence of cipher suites. Normally, the server's ordering of cipher

suites is unimportant and the client's ordering is used. To use the server's ordering of cipher suites

instead, set the following attribute:

pae-ServerSSLHonorClientOrder = 0

View Security

VMware, Inc. 21