VMware Horizon Community
nevgeo1
Enthusiast

Disable Protocols and Ciphers in VMware View Security and Connection Servers

Hi,

In my recent deployment I have got a request from the customer for disabling a few protocols and ciphers in both the VMware View Connection Server and Security Server. I read some articles and found that this was achieved by editing the locked.properties file. But when we edited and replaced the file the users were not able to connect to their virtual desktops, so we reverted back and the desktops worked fine.

In a few blogs I found that we don't need to edit the locked.properties file in VMware Horizon View 6. If someone has performed this operation please guide me through. Below are the details of the protocols and ciphers that need to be disabled:

Diffie-Hellman Key

Disable SSL v2/V3 and enable TLS 1.1 & 1.2

Disable RC4 cipher

Enable Forward Secrecy (If possible)


VMware View 6 is the Connection Server and Security Server.


Thank you.

Accepted Solutions
PFu72
Contributor

Hi,

I put together the following steps (extracted from the manual):

1. Update the JCE Policy Files to Support High-Strength Cipher Suites

You can add high-strength cipher suites for greater assurance, but first you must update the local_policy.jar and US_export_policy.jar policy files for JRE 7 on each View Connection Server instance and security server. You update these policy files by downloading the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 7 from the Oracle Java SE Download site.

If you include high-strength cipher suites in the list and do not replace the policy files, you cannot restart the VMware Horizon View Connection Server service.

The policy files are located in the C:\Program Files\VMware\VMware View\Server\jre\lib\security directory.

For more information about downloading the JCE Unlimited Strength Jurisdiction Policy Files 7, see the Oracle Java SE Download site: http://www.oracle.com/technetwork/java/javase/downloads/index.html.

After you update the policy files, you must create backups of the files. If you upgrade the View Connection Server instance or security server, any changes that you have made to these files might be overwritten, and you might have to restore the files from the backup.

2. Change the Global Acceptance Policies with ADSI Edit

  • Start the ADSI Edit utility on your View Connection Server computer.
  • In the console tree, select Connect to
  • In the Select or type a Distinguished Name or Naming Context text box, type the distinguished name
    DC=vdi, DC=vmware, DC=int.
  • In the Select or type a domain or server text box, select or type localhost:389 or the fully qualified domain name (FQDN) of the View Connection Server computer followed by port 389.

For example: localhost:389 or mycomputer.mydomain.com:389

  • Expand the ADSI Edit tree, expand OU=Properties, select OU=Global, and select OU=Common in the right pane.
  • On the object CN=Common, OU=Global, OU=Properties, select each attribute that you want to change and type the new list of security protocols or cipher suites.
    I used the following settings:

pae-ServerSSLCipherSuites:      \LIST:TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256

pae-ServerSSLSecureProtocols:   \LIST:TLSv1.1,TLSv1.2

It is not the highest possible, but they are working with all our client devices.

  • Restart the VMware Horizon View Connection Server service (Connection and Security server).

This will not cover "Enable Forward Secrecy (If possible)", but the other points are covered.

If someone can give a tip to enable Forward Secrecy, I would appreciate it.


6 Replies

mobinqasim786
Enthusiast

Hi Guys,

Did anyone manage to fix the following warning?

  "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-"


Or is this not needed for VMware View?

Regards,

Mobin

hermanc01
Enthusiast

Here's what I'm using that allows me to support Forward Secrecy and everything seems to be working as expected so far.

pae-ClientSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"

pae-ClientSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"

pae-ServerSSLCipherSuites = "\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"

pae-ServerSSLSecureProtocols = "\LIST:TLSv1.2,TLSv1.1,TLSv1"

I'm still getting "Secure Client-Initiated Renegotiation - Supported - DoS DANGER" though.  Anyone have any thoughts on that? 


Edit: I should note that I am receiving an "A" rating with those ciphers listed.

mobinqasim786
Enthusiast
Enthusiast
Jump to solution

Thanks for the post. I was able to get an A rating by enabling Forward Secrecy as you mentioned. I can also see the following warnings, but the rating is A.


Secure Client-Initiated Renegotiation Supported   DoS DANGER.

Downgrade attack prevention     No, TLS_FALLBACK_SCSV not supported

Cheers

mobinqasim786
Enthusiast

Guys,

After making changes I'm unable to connect to VDI using Dell FX100 zero-client

Hardware Version:Dell_FX100_Board_Rev_5.4
Firmware Version:3.3.0
Firmware Build ID:v321
Firmware Build Date:Feb 4 2011 12:15:07
PCoIP Processor Revision:1.0
Bootloader Version:2.1.0
Bootloader Build ID:v163
Bootloader Build Date:Aug 28 2008 16:56:13

In View Connection Server I only made changes to pae-ServerSSLCipherSuites and pae-ServerSSLSecureProtocols. On the Security Server I've made changes to Cipher Suites and Protocols using the registry editor. I can see an ssllabs A rating, but the Dell FX100 is unable to connect to VDI.

Can someone please help?

Edited: After applying the following changes I was able to connect through the Dell FX100 zero client

pae-ServerSSLCipherSuites:
\LIST:TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256

pae-ServerSSLSecureProtocols: 
\LIST:TLSv1,TLSv1.1,TLSv1.2 

But the following changes did not work with the Dell FX100 zero client

pae-ServerSSLCipherSuites:
\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384


pae-ServerSSLSecureProtocols:  
\LIST:TLSv1,TLSv1.1,TLSv1.2

I think I'll have to live with "The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-".

Regards

Anthony_ADS
Contributor

hermanc01

Hi there, could you possibly re-paste your clientsslciphersuites list please? The list I copied ended in TLS_, and consequently took down a large part of my estate once I changed the certificates used by VMware to CA certs. I don't think the formatting on this page is correct, as it chops off the text in long lists.

Thanks

Anthony

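A way to sanity-check a `\LIST:` value before typing it into ADSI Edit, covering the accepted answer's RSA-only settings, hermanc01's ECDHE list that earns the Forward Secrecy pass, and the chopped list ending in `TLS_` that Anthony describes. This is an added example, not code from the thread or from VMware: it assumes the `\LIST:name,name,...` format shown in the posts, JSSE-style suite names of the form `TLS_<kx>_WITH_<cipher>_<mac>`, and the JSSE protocol names (`SSLv2Hello`, `SSLv3`, `TLSv1`, `TLSv1.1`, `TLSv1.2`, `TLSv1.3`); whether a given View build accepts every one of those names is not something the thread establishes. The `chopped` value is constructed to mimic the truncated paste.

```python
"""Validate VMware View pae-*SSL* attribute values before applying them with ADSI Edit.

Added example, not code from the thread or from VMware. It checks a '\\LIST:'
value against the four requirements in the original question (no SSLv2/v3,
TLS 1.1 and 1.2 enabled, no RC4, forward secrecy where possible) and catches a
truncated trailing entry such as '...,TLS_', which is what took part of
Anthony's estate down after a copy-paste.
"""
import re
from dataclasses import dataclass, field

LIST_PREFIX = "\\LIST:"                    # value format used by the pae-* attributes (assumed from the posts)
FORWARD_SECRECY_KX = {"ECDHE", "DHE"}      # ephemeral key-exchange tokens -> forward secrecy
WEAK_TOKENS = {"RC4", "NULL", "EXPORT", "DES", "MD5", "anon"}   # algorithms that should not appear
KNOWN_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # JSSE names (assumed)


@dataclass
class Report:
    entries: list
    problems: list = field(default_factory=list)
    forward_secrecy: bool = False

    @property
    def ok(self):
        return not self.problems


def parse_list(value):
    """Split '\\LIST:a,b,c' into ['a', 'b', 'c']. Surrounding quotes (as in hermanc01's
    post) are stripped; a missing prefix is a hard error; empty entries are kept so a
    trailing comma gets reported instead of silently dropped."""
    value = value.strip().strip('"')
    if not value.startswith(LIST_PREFIX):
        raise ValueError(f"value must start with {LIST_PREFIX!r}, got {value[:8]!r}")
    return [e.strip() for e in value[len(LIST_PREFIX):].split(",")]


def suite_is_well_formed(name):
    """JSSE-style names: TLS_<kx>_WITH_<cipher>_<mac>, or a *_SCSV signalling suite.
    A bare 'TLS_' left behind by a chopped paste fails here."""
    if not re.fullmatch(r"(TLS|SSL)(_[A-Za-z0-9]+)+", name):
        return False
    return "_WITH_" in name or name.endswith("_SCSV")


def check_cipher_suites(value, require_forward_secrecy=True):
    """Report malformed entries, weak algorithms and whether any ECDHE/DHE suite is offered."""
    entries = parse_list(value)
    report = Report(entries)
    for name in entries:
        if not suite_is_well_formed(name):
            report.problems.append(f"malformed suite {name!r} (truncated paste?)")
            continue
        if name.endswith("_SCSV"):
            continue                       # signalling suite, carries no key exchange or cipher
        kx_part, cipher_part = name.split("_WITH_", 1)
        kx_tokens = kx_part.split("_")[1:]        # drop the leading TLS/SSL
        cipher_tokens = cipher_part.split("_")
        weak = WEAK_TOKENS.intersection(kx_tokens + cipher_tokens)
        if weak:
            report.problems.append(f"weak algorithm {sorted(weak)} in {name}")
        if FORWARD_SECRECY_KX.intersection(kx_tokens):
            report.forward_secrecy = True
    if require_forward_secrecy and not report.forward_secrecy:
        report.problems.append("no ECDHE/DHE suite: forward secrecy not offered")
    return report


def check_protocols(value, required=("TLSv1.1", "TLSv1.2"), forbidden=("SSLv2Hello", "SSLv3")):
    """Report unknown names, forbidden protocols that are enabled and required ones that are missing."""
    entries = parse_list(value)
    report = Report(entries)
    for name in entries:
        if name not in KNOWN_PROTOCOLS:
            report.problems.append(f"unknown protocol name {name!r}")
        elif name in forbidden:
            report.problems.append(f"{name} must not be enabled")
    for name in required:
        if name not in entries:
            report.problems.append(f"{name} is not enabled")
    return report


if __name__ == "__main__":
    # The first two values are the ones posted in the thread; 'chopped' is constructed.
    accepted = r"\LIST:TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256"
    with_fs = r"\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"
    chopped = r"\LIST:TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_"
    for label, v in (("accepted answer", accepted), ("forward secrecy", with_fs), ("chopped", chopped)):
        r = check_cipher_suites(v)
        print(f"{label}: ok={r.ok} fs={r.forward_secrecy} problems={r.problems}")
    print("protocols:", check_protocols(r"\LIST:TLSv1.1,TLSv1.2").problems)
```

Run it against the exact string you are about to paste; a `malformed suite 'TLS_'` line means the forum page chopped the list, and a `no ECDHE/DHE suite` line is the same finding SSL Labs reports as the Forward Secrecy warning. The forward-secrecy check is only a warning by design, since the Dell FX100 firmware in this thread could not negotiate any of the ECDHE suites.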