6.3

Table Of Contents

Managing Authentication in

vRealize Operations for Horizon 4

RMI servers provide a certicate that the agents use to authenticate the Horizon adapter. Broker agents use

SSL/TLS client authentication with a certicate that the Horizon adapter uses to authenticate the broker

agents. Desktop agents provide tokens that the Horizon adapter uses to authenticate the desktop agents.

To increase security, you can replace the default self-signed certicates that the Horizon adapter and broker

agents use. You can also reissue desktop authentication tokens.

This chapter includes the following topics:

“Understanding Authentication for Each Component,” on page 15

“Certicate and Trust Store Files,” on page 16

“Replacing the Default Certicates,” on page 18

“Certicate Pairing,” on page 21

“Reissue Horizon Desktop Authentication Tokens,” on page 21

“SSL/TLS and Authentication-Related Log Messages,” on page 21

Understanding Authentication for Each Component

Each vRealize Operations for Horizon component handles authentication dierently.

Horizon Adapter Authentication

When an RMI connection is established between the desktop message server and a desktop agent, or

between the broker message server and a broker agent, the agent requests a certicate from the server to

perform authentication. This certicate is validated against the agent's trust store before proceeding with the

connection. If the server does not provide a certicate, or the server certicate cannot be validated, the

connection is rejected.

When the Horizon adapter is rst installed, a self-signed certicate is generated. The desktop message

server and broker message server use this self-signed certicate by default to authenticate to their agents.

Because this certicate is generated dynamically, you must manually pair the Horizon adapter and broker

agent before the agents can communicate with the Horizon adapter. For more information, see “Certicate

Pairing,” on page 21.

VMware, Inc.