6.4

Broker Agent Authentication
When an RMI connection is established to the broker message server, the broker message server requests a
certificate from the client to perform client authentication. The certificate is validated against the View
adapter's trust store before proceeding with the connection. If the client does not provide a certificate, or the
agent's certificate cannot be validated, the connection is rejected.
When the broker agent is first installed, a self-signed certificate is generated. The broker agent uses this
self-signed certificate by default to authenticate to the View adapter. Because this certificate is generated
dynamically, you must manually pair the View adapter and broker agent before the broker agent can
communicate with the View adapter. For more information, see “Certificate Pairing,” on page 21.
Desktop Agent Authentication
Connections to the desktop message server require an authentication token to verify that the connection is
coming from a valid desktop agent.
The desktop agent generates a unique authentication token for each remote desktop. In addition, the
desktop agent generates a serverID for the Horizon server and writes the serverID into vRealize Operations
Manager. When a desktop agent attempts to send data to the vRealize Operations for Horizon adapter, the
adapter verifies whether the authentication token has been cached in memory.
If no server with the same name has been cached, the adapter caches the server name and authentication
token in memory. If the server has been cached, the adapter compares the cached authentication token with
the one sent. If the tokens are the same, the adapter accepts the message; otherwise, it rejects the desktop
agent message. The vRealize Operations for Horizon adapter also checks whether a VM with the same serverID
exists in vRealize Operations Manager, and adds the VM into the topology when a VM with the same name exists.
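The token check described above can be modeled as follows. This is an added example, not code from the product: the class, function, and server names are hypothetical, the sample messages are constructed, and the constant-time comparison and rejection counter are choices made for this example rather than documented adapter behavior.

```python
import hmac
from collections import Counter


class TokenCache:
    """Model of the adapter's in-memory token cache (hypothetical names)."""

    def __init__(self):
        self._tokens = {}            # server name -> first token seen
        self.rejections = Counter()  # server name -> rejected message count

    def check(self, server_name, token):
        cached = self._tokens.get(server_name)
        if cached is None:
            # No server with this name yet: cache the name and token.
            self._tokens[server_name] = token
            return "cached"
        # Server already cached: compare the cached token with the one sent.
        # compare_digest avoids leaking the match position through timing
        # (an assumption of this example, not stated in the documentation).
        if hmac.compare_digest(cached, token):
            return "accepted"
        # Counting mismatches per name gives operators something to alert on.
        self.rejections[server_name] += 1
        return "rejected"


# Constructed sample messages: (server name, authentication token)
SAMPLE = [
    ("desktop-01", b"A" * 32),  # first message for this name
    ("desktop-01", b"A" * 32),  # same token as cached
    ("desktop-01", b"B" * 32),  # different token for a cached name
    ("desktop-02", b"B" * 32),  # first message for a new name
    ("desktop-01", b"B" * 32),  # mismatch again
]


def run(messages):
    """Replay messages through a fresh cache; return decisions and rejections."""
    cache = TokenCache()
    decisions = [cache.check(name, tok) for name, tok in messages]
    return decisions, dict(cache.rejections)


if __name__ == "__main__":
    decisions, rejections = run(SAMPLE)
    for (name, _), decision in zip(SAMPLE, decisions):
        print(name, decision)
    print("rejections:", rejections)
```
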
Certificate and Trust Store Files
The vRealize Operations for Horizon components use a certificate trust store to store trusted certificates and
root certificates for certificate authorities. Certificates and trust stores are stored in Java key store format.
View Adapter Certificate and Trust Store Files
The certificate and trust store files for the View adapter are in the adapter's work directory. These files are in
Java key store format.
The work directory is on the node where the View adapter is installed. On Linux, the path to the work
directory is /usr/lib/vmwarevcops/user/plugins/inbound/V4V_adapter3/. On Windows, the path to the work
directory is C:\vmware\vcenteroperations\user\plugins\inbound\V4V_adapter3\.
You can use the Java keytool utility to view and control the certificate store and trust store files.
Table 41. Java Key Stores in the work Directory
Java Key Store        Description
v4v-adapter.jks       Contains the certificate that the adapter uses to authenticate itself to agents.
v4v-truststore.jks    Contains the trust store that the adapter uses to authenticate the broker agent certificate.
The names of the key store files and their credentials are defined in the msgserver.properties file, which is
also in the work directory.
VMware vRealize Operations for Horizon Security
16 VMware, Inc.