Security
Table Of Contents
- View Security
- Contents
- View Security
- View Security Reference
- View Accounts
- View Security Settings
- View Resources
- View Log Files
- View TCP and UDP Ports
- Services on a View Connection Server Host
- Services on a Security Server
- Configuring Security Protocols and Cipher Suites on a View Connection Server Instance or on a Security Server
- Default Global Policies for Security Protocols and Cipher Suites
- Updating JCE Policy Files to Support High-Strength Cipher Suites
- Configuring Global Acceptance and Proposal Policies
- Configure Acceptance Policies on Individual View Servers
- Internet Engineering Task Force Standards
- Perfect Forward Secrecy
- SSLv3 Is Disabled in View
- Deploying USB Devices in a Secure View Environment
- Index
Updating JCE Policy Files to Support High-Strength Cipher Suites
You can add high-strength cipher suites for greater assurance, but first you must update the
local_policy.jar and US_export_policy.jar policy files for JRE 7 on each View Connection Server instance
and security server. You update these policy files by downloading the Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 7 from the Oracle Java SE Download site.
If you include high-strength cipher suites in the list and do not replace the policy files, you cannot restart the
VMware Horizon View Connection Server service.
The policy files are located in the C:\Program Files\VMware\VMware View\Server\jre\lib\security
directory.
For more information about downloading the JCE Unlimited Strength Jurisdiction Policy Files 7, see the
Oracle Java SE Download site: http://www.oracle.com/technetwork/java/javase/downloads/index.html.
After you update the policy files, you must create backups of the files. If you upgrade the View Connection
Server instance or security server, any changes that you have made to these files might be overwritten, and
you might have to restore the files from the backup.
Configuring Global Acceptance and Proposal Policies
The default global acceptance and proposal policies are defined in View LDAP attributes. These policies
apply to all View Connection Server instances in a replicated group. To change a global policy, you can edit
View LDAP on any View Connection Server instance.
Each policy is a single-valued attribute in the following View LDAP location:
cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int
Global Acceptance and Proposal Policies Defined in View LDAP
You can edit the View LDAP attributes that define global acceptance and proposal policies.
Global Acceptance Polices
The following attribute lists security protocols. You must order the list by placing the latest protocol first:
pae-ServerSSLSecureProtocols = "\LIST:TLSv1.1,TLSv1"
The following attribute lists the cipher suites. The order of the cipher suites is unimportant. This example
shows an abbreviated list:
pae-ServerSSLCipherSuites = "\LIST:TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_
WITH_AES_128_CBC_SHA"
Global Proposal Policies
The following attribute lists security protocols. You must order the list by placing the latest protocol first:
pae-ClientSSLSecureProtocols = "\LIST:TLSv1.1,TLSv1"
The following attribute lists the cipher suites. This list should be in order of preference. Place the most
preferred cipher suite first, the second-most preferred suite next, and so on. This example shows an
abbreviated list:
pae-ClientSSLCipherSuites = "\LIST:TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_
WITH_AES_128_CBC_SHA"
Chapter 1 View Security Reference
VMware, Inc. 23