6.5
VMware vRealize Operations for Horizon Security
Broker Agent Authentication
When an RMI connection is established to the broker message server, the broker message server requests a
certificate from the client to perform client authentication. The certificate is validated against the View
adapter's trust store before proceeding with the connection. If the client does not provide a certificate, or the
agent's certificate cannot be validated, the connection is rejected.
When the broker agent is first installed, a self-signed certificate is generated. The broker agent uses this
self-signed certificate by default to authenticate to the View adapter. Because this certificate is generated
dynamically, you must manually pair the View adapter and broker agent before the broker agent can
communicate with the View adapter. For more information, see “Certificate Pairing,” on page 21.
Desktop Agent Authentication
Connections to the desktop message server require an authentication token to verify that the connection is
coming from a valid desktop agent.
The desktop agent generates a unique authentication token for each remote desktop. In addition, the
desktop agent generates a serverID for the Horizon server and writes the serverID into vRealize Operations
Manager. When a desktop agent attempts to send data to the vRealize Operations for Horizon adapter, the
adapter verifies whether the authentication token has been cached in memory.
If there is no cached server with the same name, the adapter caches the server name and authentication token in
memory. If the server has been cached, the adapter compares the cached authentication token with the one sent. If the
tokens are the same, the adapter accepts the message; otherwise, it rejects the desktop agent message. The vRealize
Operations for Horizon adapter also checks whether a VM with the same serverID exists in vRealize Operations Manager, and
adds the VM into the topology when a VM with the same name exists.
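The token check described above can be modelled as a small in-memory cache. This is an added example, not VMware's adapter code: the class name, method names, decision strings, and sample server names and tokens are all assumptions made for illustration, and the constant-time comparison is a hardening choice of the example rather than something this document states.

```python
import hmac
from dataclasses import dataclass, field


@dataclass
class DesktopTokenCache:
    """In-memory map of server name -> first authentication token seen."""
    _tokens: dict = field(default_factory=dict)
    rejected: list = field(default_factory=list)  # mismatches worth alerting on

    def check(self, server_name: str, token: bytes) -> str:
        cached = self._tokens.get(server_name)
        if cached is None:
            # No server with this name yet: cache the name and token.
            self._tokens[server_name] = token
            return "cached"
        # Server already cached: compare the cached token with the one sent.
        # compare_digest keeps the comparison constant-time (assumption of
        # this example; the document does not say how tokens are compared).
        if hmac.compare_digest(cached, token):
            return "accepted"
        self.rejected.append(server_name)
        return "rejected"


def replay(messages):
    """Run constructed (server_name, token) messages through a fresh cache."""
    cache = DesktopTokenCache()
    return [cache.check(name, tok) for name, tok in messages], cache.rejected


# Constructed sample traffic: names and tokens are made up for illustration.
SAMPLE = [
    ("desktop-01", b"token-A"),   # first contact: name and token are cached
    ("desktop-01", b"token-A"),   # same token: message accepted
    ("desktop-01", b"token-B"),   # different token for a cached name: rejected
    ("desktop-02", b"token-C"),   # new name: cached
]

if __name__ == "__main__":
    decisions, rejected = replay(SAMPLE)
    for (name, _), decision in zip(SAMPLE, decisions):
        print(f"{name}: {decision}")
    print("alert on:", rejected)
```

Because the cache lives only in memory, the binding between a server name and its token is rebuilt from the first message seen after the cache is emptied, so rejected messages for an already-cached name are the events to log and review.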
Certificate and Trust Store Files
The vRealize Operations for Horizon components use a certificate trust store to store trusted certificates and
root certificates for certificate authorities. Certificates and trust stores are stored in Java key store format.
View Adapter Certificate and Trust Store Files
The certificate and trust store files for the View adapter are in the adapter's work directory. These files are in
Java key store format.
The work directory is on the node where the View adapter is installed. On Linux, the path to the work
directory is /usr/lib/vmwarevcops/user/plugins/inbound/V4V_adapter3/. On Windows, the path to the work
directory is C:\vmware\vcenteroperations\user\plugins\inbound\V4V_adapter3\.
You can use the Java keytool utility to view and control the certificate store and trust store files.
Table 4‑1. Java Key Stores in the work Directory

| Java Key Store | Description |
| --- | --- |
| v4v-adapter.jks | Contains the certificate that the adapter uses to authenticate itself to agents. |
| v4v-truststore.jks | Contains the trust store that the adapter uses to authenticate the broker agent certificate. |
The names of the key store files and their credentials are defined in the msgserver.properties file, which is
also in the work directory.