VMware vRealize Operations for Horizon Security

VMware vRealize Operations for Horizon 6.
You can find the most up-to-date technical documentation on the VMware Web site at: https://docs.vmware.com/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2016 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Contents

1 VMware vRealize Operations for Horizon Security 5

2 Managing RMI Communication in vRealize Operations for Horizon 7
  RMI Services 7
  Default Ports for RMI Services 8
  Changing the Default RMI Service Ports 9
    RMI Service Port Properties 9
    Change the Default RMI Service Ports 9
    Update the vRealize Operations Manager Firewall 10
  RMI Considerations for Remote Collector Use 10

3 Changing the Default TLS Configuration in vRealize Operations for Horizon 11
  Default TLS Protocols and Ciphers 11
  TLS Config
1 VMware vRealize Operations for Horizon Security

VMware vRealize Operations for Horizon Security provides information about security in VMware vRealize™ Operations for Horizon®, including how to modify default ports for RMI services, change the default SSL/TLS configuration for servers and agents, and replace default self-signed certificates. This information is intended for anyone who wants to implement vRealize Operations for Horizon.
2 Managing RMI Communication in vRealize Operations for Horizon

The vRealize Operations for Horizon components communicate by using Remote Method Invocation (RMI). The Horizon adapter exposes RMI services that can be called by an external client. The Horizon adapter acts as a server, and the broker and desktop agents act as clients. You can change the default ports for these RMI services.
Default Ports for RMI Services

The RMI services use certain default ports. These ports are left open on the firewall on cluster nodes and remote collector nodes.

Table 2-1. Default Ports for RMI Services

RMI Service                    Default Port
RMI registry                   3091
Desktop message server         3092/3099
Broker message server          3093/3101
Certificate management server  3094/3100

Note Ports 3091 to 3094 are opened in the firewall by vRealize Operations for Horizon.
Figure 2-2. Communication Ports Used with Broker Agent 6.2/6.2.1 (figure not reproduced)

The figure shows the broker agent (version 6.2 or later, on the View Connection Server) and the desktop agent communicating with the adapter (version 6.2 or later, on the vROps node). The labels recoverable from the figure are: Lookup Adapter (port 3091), Pair, Send Topology Data, Send Desktop Data, and Adapter Response (require topology refresh, require session refresh, require action, and so on), with ports 3099, 3100, and 3101 carrying the data flows.
2 In a text editor, open the msgserver.properties file.

   Platform   File Location
   Linux      /usr/lib/vmware-vcops/user/plugins/inbound/V4V_adapter3/work/msgserver.properties
   Windows    C:\vmware\vcenter-operations\user\plugins\inbound\V4V_adapter3\work\msgserver.properties

3 Modify the properties for the RMI service ports that you want to change.

4 Save your changes and close the msgserver.properties file.
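The procedure above edits msgserver.properties by hand. The following script is an added example, not VMware's code, that makes the same change in an idempotent way and runs the checks a practitioner would want first: the new port is a valid unprivileged port, nothing on the node already listens on it, and no two RMI services end up sharing a port. The property names used in the script and its comments (registryPort, desktopPort, brokerPort, certPort) are assumptions; the real names are in the "RMI Service Port Properties" table, which is not reproduced on this page.

```shell
#!/bin/sh
# Added example (not VMware's code): change an RMI service port in
# msgserver.properties safely. Property names below are ASSUMED placeholders;
# take the real ones from the "RMI Service Port Properties" table.

# Rewrite "key=value" (or "key: value") in a Java .properties file, or append
# it if the key is absent. Comments and other keys are left untouched and a
# backup is kept as FILE.bak.
set_property() {
  file=$1 key=$2 value=$3
  cp "$file" "$file.bak"
  awk -v k="$key" -v v="$value" '
    $0 ~ ("^[ \t]*" k "[ \t]*[=:]") { print k "=" v; done = 1; next }
    { print }
    END { if (!done) print k "=" v }
  ' "$file.bak" > "$file"
}

# Print the value of a key in a Java .properties file.
get_property() {
  awk -v k="$2" '$0 ~ ("^[ \t]*" k "[ \t]*[=:]") {
      sub("^[ \t]*" k "[ \t]*[=:][ \t]*", ""); print; exit }' "$1"
}

# TCP port in the unprivileged range (the services do not run as root).
valid_port() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# No two RMI services may share a port.
ports_distinct() {
  [ "$(printf '%s\n' "$@" | sort | uniq -d | wc -l)" -eq 0 ]
}

# Read the named port properties from FILE and check they are all distinct.
# Usage: all_ports_distinct msgserver.properties registryPort desktopPort ...
all_ports_distinct() {
  file=$1; shift
  vals=""
  for k in "$@"; do vals="$vals $(get_property "$file" "$k")"; done
  # shellcheck disable=SC2086  # word splitting of $vals is intended
  ports_distinct $vals
}

# Nothing is already listening on the port (Linux; uses ss from iproute2).
# If ss is unavailable the check passes silently, so verify by hand there.
port_unused() {
  ! ss -ltn 2>/dev/null | awk 'NR > 1 { print $4 }' | grep -q ":$1\$"
}

# Usage: change_rmi_port msgserver.properties registryPort 4091
# The message servers only pick the change up after they are restarted.
change_rmi_port() {
  file=$1 key=$2 port=$3
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  port_unused "$port" || { echo "port $port is already in use on this node" >&2; return 1; }
  set_property "$file" "$key" "$port"
  # Re-read the file to confirm the write took.
  [ "$(get_property "$file" "$key")" = "$port" ]
}
```

After changing a port, remember the note in Table 2-1: only the default ports are opened in the firewall by the product, so a new port also needs the firewall update described in "Update the vRealize Operations Manager Firewall".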
3 Changing the Default TLS Configuration in vRealize Operations for Horizon

The vRealize Operations for Horizon broker message server uses a TLS channel to communicate with the broker agents. The vRealize Operations for Horizon desktop message server uses a TLS channel to communicate with the desktop agents. You can change the default TLS configuration for servers and agents by modifying TLS configuration properties.
TLS Configuration Properties

The TLS protocols and ciphers for the desktop and broker message servers are specified in properties in the msgserver.properties file. The TLS protocols and ciphers for the desktop and broker agents are specified in properties in the msgclient.properties file.

Table 3-1. SSL/TLS Configuration Properties

Property       Description                                            Default Value
sslProtocols   List of accepted TLS protocols, separated by commas.   TLSv1.
Prerequisites

- For the desktop agents, verify that you can connect to the remote desktop virtual machine or RDS host where Horizon Agent is installed.
- For a broker agent, verify that you can connect to the Horizon Connection Server host where the broker agent is installed.
- Become familiar with the TLS configuration properties. See "TLS Configuration Properties," on page 12.
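The server and agent lists are edited in two different files, so the failure mode to check for after tightening them is a server and an agent that no longer share a protocol or cipher: the agent simply cannot connect. The script below is an added example, not VMware's code, that reads a msgserver.properties and msgclient.properties pair, reports whether the two sides can still negotiate, and flags values that should not be enabled. It shows a weak, mismatched pair beside a hardened one. The sslProtocols name is from Table 3-1; sslCiphers is an assumed name for the cipher list, because the page's table is cut off before that row, and the sample files are constructed for the example.

```shell
#!/bin/sh
# Added example (not VMware's code): check that a msgserver.properties /
# msgclient.properties pair can still negotiate TLS, and flag weak values.
# sslProtocols is from the page; sslCiphers is an ASSUMED property name.

# Print the value of a key in a Java .properties file ("key=value" or "key: value").
get_property() {
  awk -v k="$2" '$0 ~ ("^[ \t]*" k "[ \t]*[=:]") {
      sub("^[ \t]*" k "[ \t]*[=:][ \t]*", ""); print; exit }' "$1"
}

# Comma-separated property value as one trimmed item per line.
list_values() {
  get_property "$1" "$2" | tr ',' '\n' | sed 's/^[ \t]*//; s/[ \t]*$//' | grep -v '^$'
}

# Items present in both files for the same key: the set the two sides can negotiate.
common_values() {
  { list_values "$1" "$3" | sort -u; list_values "$2" "$3" | sort -u; } | sort | uniq -d
}

# Protocol and cipher suite names a practitioner would not leave enabled
# (Java/JSSE naming, which is what the message servers and agents use).
WEAK_PATTERN='^(SSLv2Hello|SSLv3|TLSv1|TLSv1\.1)$|RC4|_DES_|3DES|NULL|anon|EXPORT|_MD5'

# Usage: check_tls_pair msgserver.properties msgclient.properties
# Prints findings; returns 0 only if both lists overlap and nothing weak is enabled.
check_tls_pair() {
  srv=$1 cli=$2 rc=0
  for key in sslProtocols sslCiphers; do
    if [ -z "$(common_values "$srv" "$cli" "$key")" ]; then
      echo "FAIL: $key: no value shared by $srv and $cli; agents cannot connect"
      rc=1
    fi
    for f in "$srv" "$cli"; do
      weak=$(list_values "$f" "$key" | grep -E "$WEAK_PATTERN" | tr '\n' ' ' || true)
      if [ -n "$weak" ]; then
        echo "WARN: $key in $f enables weak value(s): $weak"
        rc=1
      fi
    done
  done
  return $rc
}

# Constructed sample pairs (not real deployment files). "weak" is a server that
# was tightened to TLSv1.2 while the agent was left on TLSv1 with an RC4 suite;
# "hardened" has both sides on TLSv1.2 with overlapping AES-GCM suites.
write_samples() {
  dir=$1
  mkdir -p "$dir/weak" "$dir/hardened"
  printf 'sslProtocols=TLSv1.2\nsslCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n' \
    > "$dir/weak/msgserver.properties"
  printf 'sslProtocols=TLSv1\nsslCiphers=TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n' \
    > "$dir/weak/msgclient.properties"
  printf 'sslProtocols=TLSv1.2\nsslCiphers=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n' \
    > "$dir/hardened/msgserver.properties"
  printf 'sslProtocols = TLSv1.2\nsslCiphers: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256\n' \
    > "$dir/hardened/msgclient.properties"
}
```

Run check_tls_pair against the adapter's msgserver.properties and each agent's msgclient.properties before restarting the services; a FAIL line means the change will take the agent offline, and a WARN line means the tightened list still admits a protocol or suite that does not belong in a 2016-era or later configuration.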
4 Managing Authentication in vRealize Operations for Horizon

RMI servers provide a certificate that the agents use to authenticate the Horizon adapter. Broker agents use SSL/TLS client authentication with a certificate that the Horizon adapter uses to authenticate the broker agents. Desktop agents provide tokens that the Horizon adapter uses to authenticate the desktop agents. To increase security, you can replace the default self-signed certificates that the Horizon adapter and broker agents use.
Broker Agent Authentication

When an RMI connection is established to the broker message server, the broker message server requests a certificate from the client to perform client authentication. The certificate is validated against the View adapter's trust store before proceeding with the connection. If the client does not provide a certificate, or the agent's certificate cannot be validated, the connection is rejected.
Table 4-2. Adapter Key Store Configuration Properties in the msgserver.properties File

Property    Default Value            Description
keyfile     v4v-adapter.jks          Name of the key store file that contains the adapter certificate.
keypass     (dynamically generated)  Password to the key store file that contains the adapter certificate. The password is dynamically generated.
trustfile   v4v-truststore.
Replacing the Default Certificates

By default, the View adapter and the broker agent use self-signed certificates for authentication and data encryption. For increased security, you can replace the default self-signed certificates with certificates that are signed by a certificate authority.

Replace the Default Certificate for the View Adapter

A self-signed certificate is generated when you first install the View adapter.
5 Upload the certificate signing request to a certificate authority and request a signed certificate. If the certificate authority requests a password for the certificate private key, use the password configured for the certificate store. The certificate authority returns a signed certificate.

6 To import the certificate, copy the certificate file to the View adapter work directory and run the keytool utility with the -import option (-importcert in current JDK releases; -import is still accepted as an alias). The import succeeds only if the signing CA's certificate is already trusted by keytool, so import the CA certificate first if the CA is not in the JDK's cacerts store.
2 Use the keytool utility with the -selfcert option to generate a new self-signed certificate. Because the default self-signed certificate is issued to VMware, you must generate a new self-signed certificate before you request a signed certificate. The signed certificate must be issued to your organization. For example:

keytool -selfcert -alias v4v-brokeragent -dname dn-of-org -keystore v4v-brokeragent.
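The two replacement procedures on this page (adapter and broker agent) follow the same keytool sequence: re-issue the existing key pair to your organization's DN with -selfcert, export a CSR with -certreq, have the CA sign it, import the CA certificate as a trusted entry, then import the signed reply onto the key alias. The script below is an added example, not VMware's code, that runs that sequence end to end for the broker agent key store and verifies the result. Because it has to run offline, it stands up a throwaway CA with keytool -gencert in place of your real certificate authority, and it creates a fresh key pair issued to O=VMware as a stand-in for the default key store; the alias v4v-brokeragent and file name v4v-brokeragent.jks are taken from the page, while the DNs, the password, and the demo CA are assumptions.

```shell
#!/bin/sh
# Added example (not VMware's code): replace a default self-signed broker agent
# certificate with a CA-signed one, using keytool only. The "demo-ca" key store
# is an ASSUMED stand-in for your organization's CA; the VMware-issued key pair
# created first is a stand-in for the default key store shipped with the agent.

# Usage: replace_broker_agent_cert WORKDIR STOREPASS
# Runs in a subshell so the cd and set -e do not leak into the caller.
replace_broker_agent_cert() (
  set -e
  work=$1 pass=$2
  cd "$work"

  # Stand-in for the default key store: a key pair issued to VMware (assumption).
  keytool -genkeypair -alias v4v-brokeragent -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=v4v-brokeragent,O=VMware" -keystore v4v-brokeragent.jks -storetype JKS \
    -storepass "$pass" -keypass "$pass"

  # Throwaway issuing CA standing in for your real CA (assumption).
  keytool -genkeypair -alias demo-ca -keyalg RSA -keysize 2048 -validity 3650 -ext bc:c \
    -dname "CN=Demo Issuing CA,O=Example Corp" -keystore demo-ca.jks -storetype JKS \
    -storepass "$pass" -keypass "$pass"
  keytool -exportcert -alias demo-ca -rfc -file demo-ca.pem \
    -keystore demo-ca.jks -storepass "$pass"

  # Step 2 on the page: re-issue the existing key pair to your organization's DN
  # so the CSR, and therefore the signed certificate, is issued to you, not VMware.
  keytool -selfcert -alias v4v-brokeragent -dname "CN=broker.example.com,O=Example Corp" \
    -keystore v4v-brokeragent.jks -storepass "$pass" -keypass "$pass"

  # Certificate signing request for the CA.
  keytool -certreq -alias v4v-brokeragent -file v4v-brokeragent.csr \
    -keystore v4v-brokeragent.jks -storepass "$pass" -keypass "$pass"

  # The CA signs the request (here: the demo CA; in practice, your CA's portal).
  keytool -gencert -alias demo-ca -infile v4v-brokeragent.csr -outfile v4v-brokeragent.cer \
    -rfc -validity 730 -keystore demo-ca.jks -storepass "$pass" -keypass "$pass"

  # Import the CA certificate as a trusted entry first; keytool refuses a reply
  # it cannot chain to a trusted certificate. Then import the reply onto the
  # key alias, which replaces the self-signed certificate with the CA-signed chain.
  keytool -importcert -alias demo-ca -file demo-ca.pem -noprompt \
    -keystore v4v-brokeragent.jks -storepass "$pass"
  keytool -importcert -alias v4v-brokeragent -file v4v-brokeragent.cer -noprompt \
    -keystore v4v-brokeragent.jks -storepass "$pass" -keypass "$pass"
)

# Length of the certificate chain stored under ALIAS: 1 means the entry is still
# self-signed, 2 or more means the CA reply was installed.
# Usage: chain_length KEYSTORE ALIAS STOREPASS
chain_length() {
  LC_ALL=C keytool -list -v -alias "$2" -keystore "$1" -storepass "$3" \
    | sed -n 's/^Certificate chain length: //p'
}
```

Before pairing, check chain_length on the real v4v-brokeragent.jks: a value of 1 means the reply import did not take and the agent is still presenting its self-signed certificate. On the adapter side the same sequence applies to v4v-adapter.jks, using the keypass and keyfile values from Table 4-2.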
Certificate Pairing

Before broker agents can communicate with the View adapter, the adapter certificate must be shared with the agents, and the broker agent certificate must be shared with the adapter. The process of sharing these certificates is referred to as certificate pairing. The following actions occur during the certificate pairing process:

1 The broker agent's certificate is encrypted with the adapter's server key.
You can view log messages and modify logging levels in the vRealize Operations Manager user interface. For more information, see the VMware vRealize Operations for Horizon Administration document.
Index

A  about 5
   authentication: broker agent 16; desktop agent 16; Horizon adapter authentication 15
C  certificate management: adapter 16; broker agent 17
   certificate pairing 21
D  default certificates 18
L  log messages 21
M  msgclient.properties file 12
   msgserver.