6.2
VMware vRealize Operations for Horizon Security
Broker Agent Authentication
When an RMI connection is established to the broker message server, the broker message server requests a
certificate from the client to perform client authentication. The certificate is validated against the View
adapter's trust store before proceeding with the connection. If the client does not provide a certificate, or the
agent's certificate cannot be validated, the connection is rejected.
When the broker agent is first installed, a self-signed certificate is generated. The broker agent uses this self-
signed certificate by default to authenticate to the View adapter. Because this certificate is generated
dynamically, you must manually pair the View adapter and broker agent before the broker agent can
communicate with the View adapter. For more information, see “Certificate Pairing,” on page 21.
Desktop Agent Authentication
Connections to the desktop message server require an authentication token to verify that the connection is
coming from a valid desktop agent.
The desktop agent generates a unique authentication token for each remote desktop. In addition, the
desktop agent generates a serverID for the Horizon server and writes the serverID into vRealize Operations
Manager. When a desktop agent attempts to send data to the vRealize Operations for Horizon adapter, the
adapter verifies whether the authentication token has been cached in memory.
If there is no server with the same name, the adapter caches the server name and authentication token in
memory. If the server has been cached, the adapter compares the cached authentication token with the one
sent. If the tokens are the same, the adapter accepts the message; otherwise, it rejects the desktop agent
message. The vRealize Operations for Horizon adapter also checks whether a VM with the same serverID
exists in vRealize Operations Manager, and adds the VM into the topology when a VM with the same name exists.
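The following Python sketch models the server-name and token check described above. It is an added example, not VMware's adapter code. The names DesktopTokenCache, Decision, check, rejected_servers and demo, the audit list, the constant-time comparison with hmac.compare_digest and the sample messages are all assumptions made for illustration.

```python
import hmac
from enum import Enum


class Decision(Enum):
    CACHED_NEW = "cached-new-server"   # no server with this name was cached yet
    ACCEPTED = "accepted"              # token matches the cached one
    REJECTED = "rejected"              # token differs from the cached one


class DesktopTokenCache:
    """Hypothetical in-memory model of the check described in the text."""

    def __init__(self):
        self._tokens = {}   # server name -> authentication token (bytes)
        self.audit = []     # (server name, decision) pairs kept for review

    def check(self, server_name: str, token: bytes) -> Decision:
        cached = self._tokens.get(server_name)
        if cached is None:
            # No server with the same name: cache the name and token.
            self._tokens[server_name] = token
            decision = Decision.CACHED_NEW
        elif hmac.compare_digest(cached, token):
            decision = Decision.ACCEPTED
        else:
            # A mismatch never overwrites the cached token.
            decision = Decision.REJECTED
        self.audit.append((server_name, decision))
        return decision

    def rejected_servers(self):
        # Server names with at least one rejected message, e.g. for alerting.
        return sorted({n for n, d in self.audit if d is Decision.REJECTED})


def demo():
    # Constructed sample messages: (server name, token).
    messages = [
        ("desktop-01", b"tok-A"),
        ("desktop-02", b"tok-B"),
        ("desktop-01", b"tok-A"),
        ("desktop-01", b"tok-X"),  # does not match the cached token
    ]
    cache = DesktopTokenCache()
    return [cache.check(n, t) for n, t in messages], cache.rejected_servers()


if __name__ == "__main__":
    print(demo())
```

In this model the first token seen for a server name is the one every later message is compared against, so rejected messages for an already cached name are the events worth reviewing.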
Certificate and Trust Store Files
The vRealize Operations for Horizon components use a certificate trust store to store trusted certificates and
root certificates for certificate authorities. Certificates and trust stores are stored in Java key store format.
View Adapter Certificate and Trust Store Files
The certificate and trust store files for the View adapter are in the adapter's work directory. These files are in
Java key store format.
The work directory is on the node where the View adapter is installed. On Linux, the path to the work
directory is /usr/lib/vmwarevcops/user/plugins/inbound/V4V_adapter3/. On Windows, the path to the work
directory is C:\vmware\vcenteroperations\user\plugins\inbound\V4V_adapter3\.
You can use the Java keytool utility to view and control the certificate store and trust store files.
Table 4‑1. Java Key Stores in the work Directory

Java Key Store        Description
v4v-adapter.jks       Contains the certificate that the adapter uses to authenticate itself to agents.
v4v-truststore.jks    Contains the trust store that the adapter uses to authenticate the broker agent certificate.

The names of the key store files and their credentials are defined in the msgserver.properties file, which is
also in the work directory.