
UNCLASSIFIED

DoD Public Key Enablement (PKE) Reference Guide

Configuring VMware Horizon View Versions 5.2 and 5.3 for Use with DoD PKI

Contact: [email protected]
Web site: http://iase.disa.mil/pki-pke

5 November 2014
Version 1.0
DOD PKE Team

Revision History

Issue Date   Revision   Change Description
11/5/14      1.0        Initial Release

Contents

Introduction
  Purpose
  Scope
Getting Started
  Baseline
  Prerequisites
  Creating a Master Virtual Machine
Configuring VMware Horizon View 5.2/3
  Management of the View Virtual Desktop Agent
  Configure and Deploy View Virtual Desktops
Configuring Smart Cards for VMware Horizon View 5.2/3
  Configuring Secure Socket Layer (SSL) on VMware Horizon View 5.2/3 Connection Broker
  Setting Up Smart Card Use
  Configuring DoD Server Certificate Friendly Name for Upgrade Installs
  Configuring DoD Server Certificate Friendly Name for New Installs or Certificate Replacement
  Configuring Smart Card Authentication for View
  Configuring CRL and OCSP Checking
Appendix A: Supplemental Information
  Web Site
  Technical Support
Appendix B: Acronyms
Appendix C: References

Introduction

The DoD Public Key Enablement (PKE) reference guides are developed to help an organization augment its security posture through the use of the DoD Public Key Infrastructure (PKI). The PKE reference guides contain procedures for enabling products and associated technologies to leverage the security services offered by the DoD PKI.

Purpose

This guide is written for DoD system or network administrators and provides instructions for configuring the VMware Horizon View product suite to utilize DoD PKI in accordance with DoD best practices. The VMware Horizon View product suite delivers virtualized desktop services to your enterprise, leveraging your existing cloud computing environment to provide a centrally managed desktop service capability. This desktop service can deploy user-centric customization that satisfies a mix of operating and software application requirements supporting a range of end users, help desk staff, and IT administrators.

The VMware Horizon View product suite implements a secure interface, the VMware View Connection Broker, that facilitates access to the Virtual Desktop Infrastructure and Virtual Desktop environment. The View Connection Broker component provides the user interface to the Virtual Desktop Infrastructure and is responsible for authenticating and encrypting the user session.

Scope

This document is written to guide system and network administrators through the PKE of the VMware Horizon View product using DoD-issued certificates. The document assumes the user has basic knowledge of the configuration and administration of the VMware Horizon View components and basic knowledge of the DoD PKI. The configuration procedures provided by this PKE guide outline the steps that are required to provision a DoD PKI server certificate to the VMware Horizon View service. These steps also include the configuration settings necessary to enable DoD Common Access Card (CAC) authentication, and reference the prerequisite vendor guides needed to deploy a VMware Horizon View infrastructure.

Getting Started

Baseline

This guide was developed using VMware Horizon View 5.2/3 on VMware ESXi 5.0 serving Windows 7 desktop clients in a Windows 2008 R2 domain. This is an example architecture. There are other virtualization environments and design implementations that can be used to provide secure access to a Virtual Desktop Infrastructure (VDI) using the DoD PKI.

The following diagram represents the example architecture:

[Example architecture diagram]

Prerequisites

This guide assumes that VMware Horizon View 5.2/3 has been installed and configured for basic connectivity on a Windows Server 2008 R2 instance. This instance also has a valid DoD server certificate issued to it. Please refer to the Obtaining a PKI Certificate for DoD Server guide located on the DoD PKE website at http://iase.disa.mil/pki-pke under For Administrators, Integrators & Developers > Web Servers for instructions on requesting this server certificate. This server certificate needs to have its friendly name modified for use with Horizon View; instructions for this modification can be found in the Configuring DoD Server Certificate Friendly Name sections below. For instructions on installing and configuring a VMware Horizon View 5.2/3 environment, refer to the VMware Horizon View 5.2/3 Administrator's Guide at ase/PDF/horizon-view-52-administration.pdf.

The Windows domain is configured for smart card logon with DoD PKI credentials. Refer to the Microsoft Windows Server 2008: Enabling Smart Card Logon guide and the Microsoft Windows Server 2003: Enabling Smart Card Logon guide, available from the DoD PKE site at http://iase.disa.mil/pki-pke under For Administrators, Integrators, and Developers > Network Configuration, for detailed instructions.

The following is a list of the configuration and requirements used for this guide:

- The VMware Horizon View 5.2/3 server is acting as a VDI Connection Broker, and the View virtual desktops have the proper middleware installed and patched to the most recent version.
- The latest hotfixes and operating system patches are installed on all View servers.
- The VMware Horizon View 5.2/3 Connection Broker is a part of the Windows smart card enabled domain.
- The reader has the administrative privileges necessary to complete the steps in this guide.

Creating a Master Virtual Machine

This section is intended for administrators who are delivering desktops through virtual machines (VMs). In this example architecture, this section is to be performed on the VMware ESXi platform. It describes how to create a base image that can be used to build your desktop VM environment. These steps also include the provisioning steps to install smart card middleware software on the base image.

1) In VMware vCenter, create a New Virtual Machine and install a Windows Vista or Windows 7 operating system for the Master Image for VMware Horizon View 5.2/3.
2) After the installation of the operating system is complete, run Windows Update and install all applicable operating system updates on the New Master Image.
3) Install VMware Tools onto the New Master Image.
4) Install smart card middleware onto the New Master Image.
5) Install the VMware Horizon View 5.2/3 Agent onto the New Master Image.
6) Shut down the New Master Image. The Master Image will be referenced as the template to deploy View virtual desktops.

NOTE: Refer to vendor documentation for individual installation specifics for other vendors and implementation models.

Configuring VMware Horizon View 5.2/3

This section provides references to VMware's documentation that will guide the VMware administrator through the process of creating and provisioning virtual machines in their Virtual Desktop Infrastructure. The creation and deployment of desktop VMs requires specific configuration procedures that integrate your desktop VMs into the VMware Horizon View product suite. The deployment of desktop VMs requires specific Horizon View provisioning steps that create and provision desktop VMs with Horizon View compatible configurations and invoke pre-deployment settings that install and enable smart card support in the Virtual Desktop Infrastructure. Additional Horizon View configuration steps must also be implemented to allocate and assign virtual desktop resource pools to the user.

Management of the View Virtual Desktop Agent

Refer to the section entitled Creating and Preparing Virtual Machines in the VMware Horizon View 5.2/3 Administration Guide documentation.

Configure and Deploy View Virtual Desktops

Refer to the section entitled Creating Desktop Pools in the VMware Horizon View 5.2/3 Administration Guide documentation.

NOTE: This will register the virtual desktop pools with their associated entitlements.

Configuring Smart Cards for VMware Horizon View 5.2/3

This section provides configuration steps that will enable the VMware administrator to issue a DoD PKI server certificate to the Horizon View Connection Broker, and the settings necessary to require DoD CAC authentication to the Horizon View application. The steps outlined in this section point to vendor reference material that guides the administrator through configuring and installing a third-party Certification Authority (CA) issued certificate. The VMware Horizon View 5.2/3 Installation Guide [i], in the Configuring SSL Certificates for View Servers chapter, outlines the steps that the administrator must follow to create the certificate signing request (CSR) and the configuration steps taken to install the server certificate. DoD-specific references are provided to help administrators determine which DoD PKI enrollment page applies to their organization. Once the CSR has been created using the vendor documentation, the CSR must then be submitted to a DoD PKI enrollment page in order to receive and provision a DoD PKI server certificate.

Additional vendor documentation has been provided as reference material to configure backend authorization with the Horizon View application. Refer to the VMware Horizon View 5.2/3 Administration Guide [ii], in the Setting Up User Authentication chapter, to configure backend authorization. The VMware Horizon View product supports the ability to use Active Directory as the backend directory resource. Configuration steps outlined in this guide provide instructions for authorizing users using the users' certificate attributes stored on the DoD CAC. The VMware Horizon View product leverages the DoD CAC user certificate attributes, specifically the user principal, to identify and map the user to a user account stored in Active Directory.

Configuring Secure Socket Layer (SSL) on VMware Horizon View 5.2/3 Connection Broker

Refer to the VMware Horizon View 5.2/3 Installation Guide documentation referencing Configuring SSL Certificates for View Servers. Use this documentation to generate an RSA key pair and CSR, and to install a DoD PKI server certificate. Submit the CSR to your proper CA using the instructions found in the Obtaining a DoD PKI Certificate for a Web Server reference guide available from the DoD PKE site at http://iase.disa.mil/pki-pke/ under For Administrators, Integrators and Developers > Web Servers. The reference guide is unclassified; however, a DoD PKI certificate is required for access.

Setting Up Smart Card Use

Refer to the VMware Horizon View 5.2/3 Administration Guide documentation referencing Setting Up User Authentication for additional information. Use this documentation to configure Horizon View's backend authorization features.

Configuring DoD Server Certificate Friendly Name for Upgrade Installs

This section provides configuration steps that will ensure local system certificate settings are compatible with Horizon View software upgrades. If upgrading an existing system to Horizon View version 5.2/3, the friendly name of the current DoD certificate on the system needs to be changed to vdm. Also, the Horizon View application requires that only a single instance of the vdm friendly name exists; otherwise the server may randomly choose which certificate to use on a system restart or reboot.

1) The DoD server certificate needs to have its friendly name changed to vdm.
2) Open an MMC console and add the Certificates snap-in. Navigate to Certificates (Local Computer) > Personal > Certificates.
3) Open Properties on the DoD server certificate and open the General tab. Under Friendly Name, add the text vdm.

Configuring DoD Server Certificate Friendly Name for New Installs or Certificate Replacement

This section provides configuration steps that will ensure local system certificate settings are compatible with new Horizon View software installs. In the case of a new install or the replacement of the old DoD server certificate, several extra steps may be required. Also, the Horizon View application requires that only a single instance of the vdm friendly name exists; otherwise the server may randomly choose which certificate to use on a system restart or reboot.

1) Obtain the root certificate from the CA and add the certificate to the server trust store file.
2) If a DoD server certificate has not been obtained, obtain one now.
3) The DoD server certificate needs to have its friendly name changed to vdm.
4) Open an MMC console and add the Certificates snap-in. Navigate to Certificates (Local Computer) > Personal > Certificates.
5) Remove the vdm friendly name from the VMware generated self-signed certificate if it exists.
6) Remove the vdm friendly name from the old DoD server certificate if it exists.

7) Open Properties on the DoD server certificate and open the General tab. Under Friendly Name, add the text vdm.

Configuring Smart Card Authentication for View

This section provides procedures that will enable DoD CAC authentication to the Horizon View application. These steps configure the Horizon View application to use DoD PKI CA trust anchors to authenticate and validate DoD CAC user certificates. Additional steps also outline the configuration that must be implemented so that DoD CAC authentication is the only allowed authentication factor.

1) To add the root certificate to the trust store, run the following command on the VMware Horizon View 5.2/3 server:

   keytool -import -alias <alias> -file <root certificate> -keystore truststorefile.key

2) Copy the trust store file to the SSL gateway folder on the View Connection Server:

   <install directory>\VMware\VMware View\Server\sslgateway\conf\truststorefile.key

3) Next, edit the locked.properties file in the SSL gateway folder on the View Connection Server:

   <install directory>\VMware\VMware View\Server\sslgateway\conf\locked.properties

4) Add the trustKeyfile, trustStoretype, and useCertAuth properties to the locked.properties file.
   a) Set trustKeyfile to the name of your trust store file.
   b) Set trustStoretype to JKS.
   c) Set useCertAuth to true to enable certificate authentication.
5) Restart the View Connection Server service.
6) Next, log in to the View Administrator console and, in the left pane, expand View Configuration and select Servers.
7) Select the View Connection Server and click Edit.
8) On the Authentication tab, set smart card authentication to Required.
9) Configure the smart card removal policy to disconnect user sessions on smart card removal, if applicable.
10) Click OK and restart the View Connection Server service.
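The friendly-name steps and the trust store and locked.properties steps above, scripted as an added example that is not part of this guide or of VMware's documentation. The certificate thumbprint, file paths, keytool location and service name are assumptions to replace for your environment; the script enforces the single-vdm requirement before it touches the SSL gateway configuration.

```powershell
# Added example (not from the DoD PKE guide or VMware). Run as Administrator on the
# View Connection Server. Every value below is an assumption for your environment.
$ServerCertThumbprint = 'REPLACE_WITH_THUMBPRINT'                       # DoD server cert in Local Computer\Personal
$RootCertFile   = 'C:\DoD\DoDRoot.cer'                                  # assumed path to the exported DoD Root CA
$SslGatewayConf = 'C:\Program Files\VMware\VMware View\Server\sslgateway\conf'  # assumed install directory
$Keytool        = 'C:\Program Files\Java\jre\bin\keytool.exe'           # assumed JRE location
$TrustStoreName = 'truststorefile.key'
$ServiceName    = 'wsbroker'                                            # assumed View Connection Server service name

# 1) Friendly name: exactly one certificate may be named 'vdm'. Clear it from the
#    VMware self-signed cert or an old DoD cert, then set it on the current one.
foreach ($cert in (Get-ChildItem -Path Cert:\LocalMachine\My)) {
    if ($cert.FriendlyName -eq 'vdm' -and $cert.Thumbprint -ne $ServerCertThumbprint) {
        Write-Host "Removing friendly name 'vdm' from: $($cert.Subject)"
        $cert.FriendlyName = ''      # setter persists to the store for store-backed certs
    }
}
$serverCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $ServerCertThumbprint }
if (-not $serverCert) { throw 'DoD server certificate not found in Certificates (Local Computer)\Personal' }
$serverCert.FriendlyName = 'vdm'
$vdm = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' })
if ($vdm.Count -ne 1) { throw "Expected exactly one 'vdm' certificate, found $($vdm.Count)" }

# 2) Trust store: import the DoD root into the JKS file read by the SSL gateway.
#    keytool prompts for the keystore password and creates the file if it is new.
$trustStore = Join-Path $SslGatewayConf $TrustStoreName
& $Keytool -import -noprompt -alias dodroot -storetype JKS -file $RootCertFile -keystore $trustStore
if ($LASTEXITCODE -ne 0) { throw "keytool import failed with exit code $LASTEXITCODE" }

# 3) locked.properties: keep any existing lines, replace the three certificate-auth settings.
$lockedFile = Join-Path $SslGatewayConf 'locked.properties'
$keep = @()
if (Test-Path $lockedFile) {
    $keep = @(Get-Content $lockedFile |
        Where-Object { $_ -notmatch '^\s*(trustKeyfile|trustStoretype|useCertAuth)\s*=' })
}
$settings = @("trustKeyfile=$TrustStoreName", 'trustStoretype=JKS', 'useCertAuth=true')
Set-Content -Path $lockedFile -Value ($keep + $settings) -Encoding ASCII

# 4) Restart the Connection Server so the SSL gateway reloads the trust store and properties.
Restart-Service -Name $ServiceName
Write-Host "Done. Set smart card authentication to Required in View Administrator, then restart again."
```

Steps 6 through 10 of the procedure (setting smart card authentication to Required and the removal policy) are done in View Administrator and are not scripted here.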

Configuring CRL and OCSP Checking

For configuring CRL checking, OCSP checking, or OCSP checking with CRL fallback, follow the configuration instructions available in the VMware Horizon View Administration Guide in the section Using Smartcard Certificate Revocation Checking.

Appendix A: Supplemental Information

Web Site

Please visit the URL below for additional information.
http://iase.disa.mil/pki-pke

Technical Support

Contact technical support at the email address [email protected]

Appendix B: Acronyms

CAC    Common Access Card
CRL    Certificate Revocation List
CSR    Certificate Signing Request
DoD    Department of Defense
FQDN   Fully Qualified Domain Name
OCSP   Online Certificate Status Protocol
PKE    Public Key Enablement
PKI    Public Key Infrastructure
RSA    Rivest, Shamir, and Adleman
SSL    Secure Socket Layer
URL    Uniform Resource Locator
VDI    Virtual Desktop Infrastructure
VM     Virtual Machine

Appendix C: References

The resources below were used to help develop the content of this document.

[i] "VMware Horizon View 5.2/3 Installation Guide", ase/PDF/view-50-installation.pdf
[ii] "VMware Horizon View 5.2/3 Administration Guide"
"Smart Card Certificate Authentication with VMware Horizon View 5.2/3 and Above", ntication-WP-EN.pdf
