Deploying and Configuring Access Point 7.0
When you use the REST API to get the configuration data for smart card authentication, you see a list of the
items you can configure. For example, you can use a GET request with the following URL:
https://access-point-appliance.example.com:9443/rest/v1/config/authmethod/certificate-auth
If you have not changed any configuration settings, the following default settings are returned.
{
    "enableOCSP": null,
    "ocspSigningCert": null,
    "caCertificates": null,
    "displayName": "CertificateAuthAdapter",
    "versionNum": null,
    "enableAlternateUPN": "",
    "className": "com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapter",
    "sendOCSPNonce": null,
    "enabled": "false",
    "enableCertCRL": "true",
    "enableOCSPCRLFailover": "true",
    "enableConsentForm": null,
    "ocspURL": null,
    "jarFile": "/opt/vmware/gateway/data/authbroker/certificate-auth-adapter-0.1.jar",
    "enableCertRevocation": "",
    "name": "certificate-auth",
    "certificatePolicies": null,
    "consentForm": null,
    "authMethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "crlLocation": null,
    "enableEmail": "",
    "crlCacheSize": "100"
}
Table 5-1. Smart Card Certificate Properties That You Can Configure

| Property Name | Description | Valid Values |
| --- | --- | --- |
| enableOCSP | Specifies whether to use Online Certificate Status Protocol (OCSP) for certificate revocation checking. When this setting is enabled, Access Point sends a request to an OCSP responder to determine the revocation status of a specific user certificate. The default is true. | true or false |
| ocspSigningCert | Specifies the path to the OCSP responder's certificate, if known. | Path to the file on the OCSP responder host (for example, /path/to/file.cer). |
| caCertificates | (Required) Specifies one or more trusted CA certificates in PEM format. | Each certificate's text has the format "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----", where the ellipsis points (...) indicate the middle content of the certificate text. Separate multiple certificates with spaces. |
| enableAlternateUPN | Specifies whether to use alternative fields in the Subject Alternative Name. Smart card logins use the user principal name (UPN) from Active Directory to validate user accounts. If the domain a smart card user resides in is different from the domain that your root certificate was issued from, you must set the user's UPN to the Subject Alternative Name (SAN) contained in the root certificate of the trusted CA. | true or false |
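The following script is an added example, not VMware code, covering both the default configuration document shown above and the property rules in Table 5-1. It fetches the certificate-auth configuration from the REST endpoint on port 9443, normalizes the string-valued booleans ("true", "false", "" and null) that the API returns, splits the space-separated PEM text of caCertificates into individual certificates, and reports the two misconfigurations a reviewer would flag first: the adapter enabled without the required caCertificates, and both OCSP and CRL revocation checking switched off. The HTTP Basic authentication used by fetch_cert_auth_config, the admin credentials, and the sample configurations and placeholder PEM blocks are assumptions constructed for the example; the audit itself runs offline on those samples.

```python
"""Audit the certificate-auth configuration returned by the Access Point
REST API (GET https://<appliance>:9443/rest/v1/config/authmethod/certificate-auth).

Added example, not VMware code.  Assumptions not taken from the page: the
endpoint accepts HTTP Basic authentication for the appliance admin account,
and boolean properties arrive as the strings "true"/"false", as "" or as
null (as in the default document the page shows), where "" and null mean
"not set, so the documented default applies".
"""
import base64
import json
import re
import urllib.request

# Constructed sample 1: the unchanged defaults exactly as the page lists them.
DEFAULT_CONFIG = {
    "enableOCSP": None, "ocspSigningCert": None, "caCertificates": None,
    "displayName": "CertificateAuthAdapter", "versionNum": None,
    "enableAlternateUPN": "",
    "className": "com.vmware.horizon.adapters.certificateAdapter.CertificateAuthAdapter",
    "sendOCSPNonce": None, "enabled": "false", "enableCertCRL": "true",
    "enableOCSPCRLFailover": "true", "enableConsentForm": None, "ocspURL": None,
    "jarFile": "/opt/vmware/gateway/data/authbroker/certificate-auth-adapter-0.1.jar",
    "enableCertRevocation": "", "name": "certificate-auth",
    "certificatePolicies": None, "consentForm": None,
    "authMethod": "urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient",
    "crlLocation": None, "enableEmail": "", "crlCacheSize": "100",
}

# Constructed placeholder PEM blocks (not real certificates), two of them
# separated by a single space as Table 5-1 prescribes for caCertificates.
FAKE_CA_1 = "-----BEGIN CERTIFICATE-----\nMIIBconstructedRootCA\n-----END CERTIFICATE-----"
FAKE_CA_2 = "-----BEGIN CERTIFICATE-----\nMIIBconstructedIssuingCA\n-----END CERTIFICATE-----"
CA_BUNDLE = FAKE_CA_1 + " " + FAKE_CA_2

# Constructed sample 2: adapter switched on, caCertificates still null, and
# both revocation mechanisms turned off.
MISCONFIGURED = dict(DEFAULT_CONFIG, enabled="true",
                     enableOCSP="false", enableCertCRL="false")

# Constructed sample 3: adapter on with a two-certificate trust bundle.
CONFIGURED = dict(DEFAULT_CONFIG, enabled="true", caCertificates=CA_BUNDLE)

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(bundle):
    """Return the individual PEM certificates in a space-separated caCertificates value."""
    return PEM_CERT_RE.findall(bundle or "")


def flag(cfg, key, default):
    """Normalize a "true"/"false"/""/null property to a bool; unset means the default."""
    value = cfg.get(key)
    if value is None or value == "":
        return default
    return str(value).lower() == "true"


def audit_cert_auth(cfg):
    """Return the findings a reviewer would raise against this configuration."""
    findings = []
    if not flag(cfg, "enabled", False):
        return findings  # adapter is off; nothing else is in effect yet
    if not split_pem_bundle(cfg.get("caCertificates")):
        findings.append("caCertificates is required but not set")
    # Table 5-1 gives enableOCSP a default of true and the sample document
    # shows enableCertCRL defaulting to "true".  With both disabled, a
    # revoked smart card certificate is still accepted.
    if not flag(cfg, "enableOCSP", True) and not flag(cfg, "enableCertCRL", True):
        findings.append("both OCSP and CRL revocation checking are disabled")
    return findings


def fetch_cert_auth_config(host, user, password, port=9443):
    """GET the live configuration (assumed HTTP Basic auth; not exercised offline)."""
    url = f"https://{host}:{port}/rest/v1/config/authmethod/certificate-auth"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    samples = (("defaults", DEFAULT_CONFIG), ("misconfigured", MISCONFIGURED),
               ("configured", CONFIGURED))
    for label, cfg in samples:
        print(label, audit_cert_auth(cfg) or ["no findings"])
```

To audit a live appliance, replace the sample dictionaries with the result of fetch_cert_auth_config("access-point-appliance.example.com", "admin", password) and pass it to audit_cert_auth; the null-and-empty-string handling in flag is what keeps the defaults shown above from being misread as "false".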
Chapter 5 Setting Up Smart Card Authentication
VMware, Inc. 59