Certificate Pairing
Before broker agents can communicate with the View adapter, the adapter certificate must be shared with the agents, and the broker agent certificate must be shared with the adapter. The process of sharing these certificates is referred to as certificate pairing.
The following actions occur during the certificate pairing process:
1. The broker agent's certificate is encrypted with the adapter's server key.
2. A connection is opened to the certificate management server and the encrypted certificate is passed to the adapter instance. The adapter decrypts the broker agent's certificate by using the server key. If decryption fails, an error is returned to the broker agent.
3. The broker agent's certificate is placed in the adapter's trust store.
4. The adapter's certificate is encrypted with the adapter's server key.
5. The encrypted certificate is returned to the broker agent. The broker agent decrypts the adapter's certificate by using the server key. If decryption fails, an error is returned to the user.
6. The adapter's certificate is placed in the broker agent's trust store. The broker certificate is stored in v4v-brokeragent.jks and the adapter certificate is stored in v4v-truststore.jks.
7. The adapter's certificate is sent to all remote desktops and RDS hosts in the Horizon pod by using the Horizon configuration store.
8. When the agent on the remote desktop or RDS host reads the Horizon configuration, it places the adapter's certificate in the agent's trust store.
After the certificates are successfully paired, they are cached in the trust stores for each individual component. If a new remote desktop is provisioned, the adapter's certificate is sent to the desktop by using the Horizon configuration store, and you do not need to pair the certificates again. However, if either the adapter or broker agent certificate changes, you must pair the certificates again.
You use the vRealize Operations View Broker Agent Settings wizard to pair certificates. For more information, see the VMware vRealize Operations for Horizon Administration document.
Reissue Horizon Desktop Authentication Tokens
If you believe that the security of your Horizon environment might be compromised, you can issue a new
authentication token for each desktop virtual machine and RDS host in your Horizon environment by
restarting the Broker Agent service. By default, a new authentication token for each desktop virtual machine
and RDS host is issued every hour.
SSL/TLS and Authentication-Related Log Messages
The View adapter logs SSL/TLS configuration and authentication-related messages.
Table 4‑5. View Adapter Log Message Types
Log Message Type          Description
CONFIGURATION             The SSL/TLS configuration that is currently being used.
AUTHENTICATION SUCCESS    A remote desktop has been successfully authenticated.
AUTHENTICATION FAILED     A remote desktop has failed authentication.
Only CONFIGURATION and AUTHENTICATION FAILED events are written to the log by default. To troubleshoot problems, you can raise the logging level to log other types of events.
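The following triage script is an added example, not code from VMware or from this guide. It groups AUTHENTICATION FAILED events per desktop and reports changes between consecutive CONFIGURATION events, relying only on the two message types that are logged by default. The log line layout, the desktop names, the detail fields, and the one-hour window (chosen to match the default token reissue interval) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines. The real View adapter log layout is not shown in
# this guide, so the "<timestamp> <TYPE>: <detail>" shape is an assumption.
SAMPLE_LOG = """\
2017-03-01 09:00:00 CONFIGURATION: protocols=TLSv1.2
2017-03-01 09:05:10 AUTHENTICATION FAILED: desktop=vdi-017
2017-03-01 09:05:40 AUTHENTICATION FAILED: desktop=vdi-017
2017-03-01 09:06:05 AUTHENTICATION FAILED: desktop=vdi-017
2017-03-01 09:30:00 AUTHENTICATION FAILED: desktop=vdi-042
2017-03-01 10:00:00 CONFIGURATION: protocols=TLSv1,TLSv1.2
2017-03-01 11:20:00 AUTHENTICATION FAILED: desktop=vdi-017
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<type>CONFIGURATION|AUTHENTICATION SUCCESS|AUTHENTICATION FAILED): "
    r"(?P<detail>.*)$"
)

def parse(text):
    """Yield (timestamp, type, detail) for lines carrying a documented message type."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines of any other shape are skipped
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["type"], m["detail"]

def triage(text, threshold=3, window=timedelta(hours=1)):
    """Return (desktops with >= threshold failures inside window, config changes)."""
    failures, configs = defaultdict(list), []
    for ts, kind, detail in parse(text):
        if kind == "AUTHENTICATION FAILED":
            failures[detail].append(ts)   # the whole detail field is the key
        elif kind == "CONFIGURATION":
            configs.append((ts, detail))
    flagged = set()
    for desktop, stamps in failures.items():
        stamps.sort()
        # Sliding window: any `threshold` consecutive failures within `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                flagged.add(desktop)
    # A CONFIGURATION event that differs from the previous one is reported.
    changes = [(b[0], a[1], b[1]) for a, b in zip(configs, configs[1:]) if a[1] != b[1]]
    return sorted(flagged), changes
```

Because AUTHENTICATION SUCCESS is not logged by default, the script never treats a missing success event as evidence of a problem.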
Chapter 4 Managing Authentication in vRealize Operations for Horizon
VMware, Inc.