6.2

4 Managing Authentication in vRealize Operations for Horizon

RMI servers provide a certificate that the agents use to authenticate the Horizon adapter. Broker agents use SSL/TLS client authentication with a certificate that the Horizon adapter uses to authenticate the broker agents. Desktop agents provide tokens that the Horizon adapter uses to authenticate the desktop agents.

To increase security, you can replace the default self-signed certificates that the Horizon adapter and broker agents use. You can also reissue desktop authentication tokens.

This chapter includes the following topics:
- “Understanding Authentication for Each Component,” on page 15
- “Certificate and Trust Store Files,” on page 16
- “Replacing the Default Certificates,” on page 18
- “Certificate Pairing,” on page 21
- “Reissue Horizon Desktop Authentication Tokens,” on page 21
- “SSL/TLS and Authentication-Related Log Messages,” on page 22

Understanding Authentication for Each Component

Each vRealize Operations for Horizon component handles authentication differently.

Horizon Adapter Authentication

When an RMI connection is established between the desktop message server and a desktop agent, or between the broker message server and a broker agent, the agent requests a certificate from the server to perform authentication. The agent validates this certificate against its trust store before proceeding with the connection. If the server does not provide a certificate, or the server certificate cannot be validated, the connection is rejected.

When the Horizon adapter is first installed, a self-signed certificate is generated. The desktop message server and broker message server use this self-signed certificate by default to authenticate to their agents. Because this certificate is generated dynamically, you must manually pair the Horizon adapter and broker agent before the agents can communicate with the Horizon adapter. For more information, see “Certificate Pairing,” on page 21.
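
The trust decision described above, modelled with openssl as an added example (not VMware's code and not the product's pairing procedure): a self-signed server certificate is rejected until it is placed in the agent's trust store. The PEM bundle standing in for the trust store, the function names and the certificate names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaways; file names are hypothetical.

# Stand-in for the self-signed certificate the adapter generates at install time.
make_self_signed() {    # $1 = output path prefix, $2 = common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Agent-side decision: proceed only if the presented server certificate
# validates against the agent's trust store (a PEM bundle in this model).
agent_accepts() {       # $1 = trust store, $2 = certificate presented by server
    [ -s "$2" ] || return 1    # server provided no certificate
    [ -s "$1" ] || return 1    # empty trust store cannot validate anything
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

verdict() {
    if agent_accepts "$1" "$2"; then printf accept; else printf reject; fi
}

pairing_demo() {
    dir=$(mktemp -d) || return 1
    make_self_signed "$dir/adapter" constructed-adapter
    make_self_signed "$dir/other" constructed-other
    : > "$dir/trust.pem"                                   # freshly installed agent
    before=$(verdict "$dir/trust.pem" "$dir/adapter.crt")
    cat "$dir/adapter.crt" >> "$dir/trust.pem"             # models the pairing step
    after=$(verdict "$dir/trust.pem" "$dir/adapter.crt")
    other=$(verdict "$dir/trust.pem" "$dir/other.crt")     # unpaired server
    absent=$(verdict "$dir/trust.pem" "$dir/missing.crt")  # no certificate sent
    rm -rf "$dir"
    echo "$before $after $other $absent"
}

pairing_demo    # prints: reject accept reject reject
```

The four verdicts are, in order: the adapter before pairing, the adapter after pairing, a different self-signed server, and a server that sends no certificate.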
VMware, Inc.
15