Internet Engineering Task Force Standards
View Connection Server and security server comply with certain Internet Engineering Task Force (IETF) Standards.

- RFC 5746 Transport Layer Security (TLS) – Renegotiation Indication Extension, also known as secure renegotiation, is enabled by default.
- RFC 6797 HTTP Strict Transport Security (HSTS), also known as transport security, is enabled by default.
- RFC 7034 HTTP Header Field X-Frame-Options, also known as counter clickjacking, is disabled by default. You can enable it by adding the entry x-frame-options=<options> to the file locked.properties. For information on how to add properties to the file locked.properties, see “Configure Acceptance Policies on Individual View Servers,” on page 24. The parameter <options> can have one of the following values, which are case-sensitive:
  - OFF - Disable counter clickjacking (default).
  - DENY - Do not use frames.
  - SAMEORIGIN - Do not use foreign frames.
  - ALLOW-FROM <URL> - Do not use foreign frames except <URL>, where <URL> specifies an additional trusted origin.

  For more information on RFC 7034, see http://tools.ietf.org/html/rfc7034.

  NOTE Counter clickjacking will prevent the proper operation of HTML Access when using a Blast Secure Gateway (BSG), which is why it is not enabled by default.
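As an added example (not VMware's code), this Python check validates the x-frame-options entry in the text of a locked.properties file against the four case-sensitive values listed above. The function names, the simplified properties parsing, and the requirement that the ALLOW-FROM URL be an absolute http(s) URL are assumptions of this example.

```python
from urllib.parse import urlsplit

# Values listed in the section above; the page states they are case-sensitive.
FIXED_VALUES = {"OFF", "DENY", "SAMEORIGIN"}

def read_properties(text):
    """Parse simple key=value lines; continuation lines and escapes are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # blank line or properties comment
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def check_x_frame_options(text):
    """Return (status, detail) for the x-frame-options entry in locked.properties text."""
    value = read_properties(text).get("x-frame-options")
    if value is None:
        return ("default", "no entry: counter clickjacking stays disabled")
    if value in FIXED_VALUES:
        return ("ok", value)
    keyword, _, rest = value.partition(" ")
    if keyword.upper() in FIXED_VALUES | {"ALLOW-FROM"} and keyword != keyword.upper():
        return ("invalid", f"wrong case: write {keyword.upper()!r}, not {keyword!r}")
    if keyword == "ALLOW-FROM":
        origin = urlsplit(rest.strip())
        # Assumption of this example: the trusted origin is an absolute http(s) URL.
        if origin.scheme in ("http", "https") and origin.netloc:
            return ("ok", f"ALLOW-FROM {rest.strip()}")
        return ("invalid", f"ALLOW-FROM needs an absolute URL, got {rest.strip()!r}")
    return ("invalid", f"{value!r} is not one of the documented values")

if __name__ == "__main__":
    # Constructed sample file contents, not taken from a real View server.
    samples = [
        "x-frame-options=SAMEORIGIN",
        "x-frame-options=sameorigin",
        "x-frame-options=ALLOW-FROM https://portal.example.com",
        "# file with no x-frame-options entry\nother.setting=1",
    ]
    for sample in samples:
        print(repr(sample), "->", check_x_frame_options(sample))
```

Before deploying a value other than OFF, account for the NOTE above about HTML Access through a Blast Secure Gateway.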
Perfect Forward Secrecy
Perfect Forward Secrecy (PFS) assures that compromise of an SSL session does not mean compromise of
other SSL sessions that use the same server certificate. It is a property of cipher suites with DHE in their
names. Of the five cipher suites we enable by default, three have this property. The downside of PFS is
performance, so a balance needs to be struck.
View supports DHE-DSS, DHE-RSA, and ECDHE-RSA cipher suites. The first two can be enabled in
conjunction with standard DSS or RSA certificates. ECDHE-RSA has better performance but requires an
ECC certificate that is signed with an RSA key. Do not request from a CA an ECC certificate that is signed
with an EC key, because View cannot use it.
Chapter 1 View Security Reference
VMware, Inc. 25