VCP5-DT Objective 2.7 – Enable RSA/Smart Card

Objective 2.7 – Enable RSA/Smart Card

For this objective I used the following resources:

  • VMware View Administration guide
  • VMware KB Article 1008705 – Guidelines for generating and importing an SSL certificate for the View Connection Server for View 5.0.1 and earlier
  • VMware KB Article 2021537 – Requesting an SSL Certificate for VMware using Microsoft Internet Information Services (IIS)

Knowledge

Import Certificates

This is probably the most challenging section of any of the objectives so far. This topic alone could fill pages of information. Currently my lab environment is not configured to give this section the proper detail needed; in the future I may revisit it for a more step-by-step process. What is described below is taken from a very well written VMware KB Article, “Guidelines for generating and importing an SSL certificate for the View Connection Server for View 5.0.1 and earlier”. Picking up from Step 4 in that KB article:

To import the signed certificate into a keystore file, open a command prompt and run the keytool command that matches your keystore type:

  • pkcs key – keytool -import -keystore <keys.p12> -storetype pkcs12 -storepass <secret> -keyalg "RSA" -trustcacerts -file <certificate.p7>
  • jks key – keytool -importcert -keystore <keys.jks> -storepass <secret> -keyalg "RSA" -trustcacerts -file <certificate.p7>

If you try this in your own lab I would also suggest taking a look at VMware KB Article 2021537, “Requesting an SSL Certificate for VMware View Using Microsoft Internet Information Services (IIS)”.
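
A quick way to confirm the import worked, shown here as an added example that is not part of the KB article or the original post: keytool only replaces the self-signed certificate when the reply is imported under the alias that holds the private key (the default alias is "mykey" when none is given), otherwise it is stored as a separate trustedCertEntry. The function name, the "signed" alias and both sample listings are constructed for illustration, and treating a chain length below 2 as "reply not attached" is an assumption that fits a CA-issued certificate.

```shell
#!/bin/sh
# Added example. Reads `keytool -list -v` output on stdin and reports whether
# any alias holds a private key together with a CA-issued certificate chain.
check_keystore_listing() {
    awk '
        /^Alias name: /               { alias = substr($0, 13) }
        /^Entry type: /               { etype[alias] = $3; order[++n] = alias }
        /^Certificate chain length: / { chain[alias] = $4 }
        END {
            ok = 0
            for (i = 1; i <= n; i++) {
                a = order[i]
                if (etype[a] != "PrivateKeyEntry") {
                    printf "%s: %s, no private key\n", a, etype[a]
                } else if (chain[a] + 0 < 2) {
                    printf "%s: chain length %d, CA reply not attached\n", a, chain[a]
                } else {
                    printf "%s: chain length %d, ready\n", a, chain[a]
                    ok = 1
                }
            }
            exit(ok ? 0 : 1)
        }'
}

# Constructed sample: reply imported under a new alias, so the key entry
# is still self-signed and the reply sits beside it as a trusted cert.
sample_wrong_alias() {
    cat <<'EOF'
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 1
Alias name: signed
Entry type: trustedCertEntry
EOF
}

# Constructed sample: reply imported under the alias that holds the key.
sample_correct() {
    cat <<'EOF'
Alias name: mykey
Entry type: PrivateKeyEntry
Certificate chain length: 2
EOF
}

sample_wrong_alias | check_keystore_listing || echo "keystore not ready"
sample_correct | check_keystore_listing
```

Against a real keystore, pipe the output of keytool -list -v -keystore <keys.p12> -storetype pkcs12 -storepass <secret> into check_keystore_listing from a POSIX shell; a non-zero exit status means no entry is ready to serve as the Connection Server identity.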

Turn on Certificate Based Authentication

By default, certificate-based authentication is enabled in View. The steps below show where to enable/disable this feature.

Step 1 – Connect and log in to the VMware View Administrator console:

Step 2 – Under “View Configuration” select “Global Settings”. In the right-hand pane click “Edit” under “Global Settings”:

Step 3 – As mentioned before, “Require SSL for client connections and View Administrator” is enabled by default:

Step 4 – If you are going to enable/disable this feature, the “More Information” dialog notes that you have to restart the View Connection Server service for the new configuration to take effect:

Identify RSA Instance

Within the View Administrator interface I was not able to locate a location that named the “RSA Instance”. The steps outlined below walk you through how to enable RSA SecurID authentication for your View environment. During the configuration process you provide an “agent configuration file” that specifies the RSA Authentication Manager server.

Step 1 – Connect and log in to the VMware View Administrator console:

Step 2 – Under “View Configuration” select “Servers”. In the right-hand pane under “View Connection Servers” click “Edit”:

Step 3 – From the settings dialog click the “Authentication” tab. Check the box to enable “RSA SecurID 2-Factor Authentication”:

Step 4 – Click “Upload Files” to upload the sdconf.rec file:

Identify Authentication Requirements for RSA and Smart Cards

RSA SecurID Authentication

  • RSA Authentication Manager
  • RSA SecurID token

Smart Card Requirements (software/hardware)

  • View Client
  • Windows compatible smart card reader
  • Smart card middleware
  • Product specific application drivers
  • Cards and readers use either PKCS#11 or Microsoft CryptoAPI provider
  • Key size of either 1024-bit or 2048-bit

-Jason