VMware vRealize Operations for Horizon - 6.2 Installation Manual

VMware vRealize Operations for Horizon Security
vRealize Operations for Horizon 6.2
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-001979-00
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2015 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

1 VMware vRealize Operations for Horizon Security 5

2 Managing RMI Communication in vRealize Operations for Horizon 7
  RMI Services 7
  Default Ports for RMI Services 8
  Changing the Default RMI Service Ports 8
  RMI Considerations for Remote Collector Use 9

3 Changing the Default TLS Configuration in vRealize Operations for Horizon 11
  Default TLS Protocols and Ciphers 11
  TLS Configuration Properties 12
  Change the Default TLS Configuration for Servers 12
  Change the Default TLS Configuration for Agents 12

4 Managing Authentication in vRealize Operations for Horizon 15
  Understanding Authentication for Each Component 15
  Certificate and Trust Store Files 16
  Replacing the Default Certificates 18
  Certificate Pairing 21
  Reissue Horizon Desktop Authentication Tokens 21
  SSL/TLS and Authentication-Related Log Messages 22

Index 23
1 VMware vRealize Operations for Horizon Security

VMware vRealize Operations for Horizon Security provides information about security in VMware vRealize™ Operations for Horizon®, including how to modify default ports for RMI services, change the default SSL/TLS configuration for servers and agents, and replace default self-signed certificates.

This information is intended for anyone who wants to implement vRealize Operations for Horizon.
2 Managing RMI Communication in vRealize Operations for Horizon
The vRealize Operations for Horizon components communicate by using Remote Method Invocation (RMI). The Horizon adapter exposes RMI services that can be called by an external client. The Horizon adapter acts as a server and the broker and desktop agents act as clients. You can change the default ports for these RMI services.
For detailed descriptions of the vRealize Operations for Horizon components, see the VMware vRealize Operations for Horizon Installation document.
This chapter includes the following topics:
- “RMI Services,” on page 7
- “Default Ports for RMI Services,” on page 8
- “Changing the Default RMI Service Ports,” on page 8
- “RMI Considerations for Remote Collector Use,” on page 9

RMI Services

The Horizon adapter exposes the following RMI services.
RMI registry service
Desktop message server
Broker message server
Certificate management server
The broker and desktop agents initially connect to the RMI registry service and request the address of a specific RMI server. Because the RMI registry service is used only for lookup and no sensitive data is transmitted to it, it does not use an encrypted channel.
The desktop agents connect to the desktop message server and use it to send desktop performance data to the Horizon adapter. The desktop message server uses an SSL/TLS channel to encrypt the data that is sent from the desktop agents.
The broker agent connects to the broker message server and uses it for sending Horizon inventory information to the Horizon adapter. The broker message server uses an SSL/TLS channel to encrypt the data that is sent from the broker agent.
The broker agent connects to the certificate management server during the certificate pairing process. The certificate management server does not use an encrypted channel. Certificates are encrypted by using the server key during the certificate pairing process. For information, see “Certificate Pairing,” on page 21.

Default Ports for RMI Services

The RMI services use the default ports listed in Table 2-1. On cluster nodes and remote collector nodes, ports 3091 to 3094 are open on the firewall by default; the remaining ports must be opened manually, as described in the note that follows the table.

Table 2-1. Default Ports for RMI Services

  RMI Service                    Default Port
  RMI registry                   3091
  Desktop message server         3092/3099
  Broker message server          3093/3101
  Certificate management server  3094/3100

NOTE Ports 3091 to 3094 are opened in the vRealize Operations firewall automatically. You must open ports 3099, 3100, and 3101 in the vRealize Operations firewall manually.

Changing the Default RMI Service Ports

You can change the default ports for the RMI registry service, desktop message server, broker message server, and certificate management server.

RMI Service Port Properties

The RMI service ports are defined in properties in the msgserver.properties file on the server where the Horizon adapter is running.
Table 2-2. RMI Service Port Properties

  RMI Service                    Property
  RMI registry                   registry-port
  Desktop message server         desktop-port
  Broker message server          broker-port
  Certificate management server  certificate-port
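The following script is an added example and is not part of the VMware document or product. It ties the “RMI Services” topic (which services use an SSL/TLS channel) to the port properties above: it parses a msgserver.properties file, works out the port each RMI service listens on after any override, flags ports that, according to the note under Table 2-1, are not opened in the firewall automatically, and can probe the adapter from an agent host to confirm that the desktop and broker message servers answer with TLS while the registry and certificate management servers do not. The sample property values, the host name used in the probe, and the assumption that a property's default is the first number in its Table 2-1 row are mine, not the page's.

```python
"""Effective RMI ports of a Horizon adapter and a reachability/TLS probe.

Added example, not VMware code.  Assumptions: the four property names from
Table 2-2 are the only ones that matter; the first number in each Table 2-1
row is the property's default; the file uses ordinary Java .properties syntax.
"""
import socket
import ssl

# service -> (property name, assumed default port, uses an SSL/TLS channel
# according to the "RMI Services" topic)
RMI_SERVICES = {
    "RMI registry":                  ("registry-port",    3091, False),
    "Desktop message server":        ("desktop-port",     3092, True),
    "Broker message server":         ("broker-port",      3093, True),
    "Certificate management server": ("certificate-port", 3094, False),
}

# Ports the document says vRealize Operations opens in its firewall by itself.
AUTO_OPENED_PORTS = range(3091, 3095)

# Constructed sample file: the operator moved the desktop and broker message
# servers off their defaults and left the other two services alone.
SAMPLE_PROPERTIES = """\
# msgserver.properties (constructed example, not a real file)
registry-port = 3091
desktop-port=4092
broker-port : 4093
"""


def parse_properties(text):
    """Minimal Java .properties parser: '#'/'!' comments, '=' or ':' separator,
    surrounding whitespace stripped.  Line continuations are not handled."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        # Java accepts '=' or ':' as the separator; use whichever comes first.
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0), default=-1)
        key, value = (line, "") if cut < 0 else (line[:cut], line[cut + 1:])
        props[key.strip()] = value.strip()
    return props


def effective_ports(props):
    """Return {service: (port, uses_tls)}, rejecting invalid or colliding ports."""
    result, owner = {}, {}
    for service, (prop, default, uses_tls) in RMI_SERVICES.items():
        value = props.get(prop)
        port = int(value) if value else default
        if not 1 <= port <= 65535:
            raise ValueError(f"{prop}={value!r} is not a valid TCP port")
        if port in owner:
            raise ValueError(f"port {port} is used by both {owner[port]} and {service}")
        owner[port] = service
        result[service] = (port, uses_tls)
    return result


def firewall_todo(ports):
    """Ports that are not opened automatically and therefore need a manual rule."""
    return sorted({port for port, _ in ports.values() if port not in AUTO_OPENED_PORTS})


def probe(host, port, expect_tls, timeout=3.0):
    """Run from an agent host.  Returns 'unreachable', 'ok', 'missing-tls'
    (message server answered in plaintext) or 'unexpected-tls'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # we only ask "is it TLS?"; nothing is trusted
    try:
        ctx.wrap_socket(sock, server_hostname=host).close()  # handshake happens here
        speaks_tls = True
    except OSError:
        # SSLError (wrong version number, EOF), reset or timeout: peer is not TLS
        speaks_tls = False
    finally:
        sock.close()
    if speaks_tls == expect_tls:
        return "ok"
    return "missing-tls" if expect_tls else "unexpected-tls"


def report(text=SAMPLE_PROPERTIES):
    ports = effective_ports(parse_properties(text))
    return ports, firewall_todo(ports)


if __name__ == "__main__":
    ports, todo = report()
    for service, (port, uses_tls) in ports.items():
        print(f"{service:<30} {port:>5}  {'TLS' if uses_tls else 'plaintext'}")
    print("open manually in the firewall:", todo)
    # Live check from an agent host (hypothetical host name):
    # for service, (port, uses_tls) in ports.items():
    #     print(service, probe("horizon-adapter.example.com", port, uses_tls))
```

Point `report()` at the real msgserver.properties on the adapter node to get the list of ports that need manual firewall rules after a change; `probe()` needs network access to the adapter and is intended for the broker or desktop agent host.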

Change the Default RMI Service Ports

You can change the default RMI service ports by modifying the msgserver.properties file on the server where the Horizon adapter is running.
Prerequisites
- Verify that you can connect to the node where the Horizon adapter is running.
- Become familiar with the RMI service port properties. See “RMI Service Port Properties,” on page 8.
Procedure
1 Log in to the node where the Horizon adapter is running.