7/28/2019 SIRPNET 2 http://slidepdf.com/reader/full/sirpnet-2 1/25

SIRPNET 2

Apr 03, 2018
How to Enable VMware View for SIPR Hardware Token


Table of Contents

Introduction
Background
Prerequisites
SIPRNet Hardware Token
What is the SIPRNet Hardware Token?
What the SIPRNet Hardware Token IS NOT
Zero Client Requirements
The Card Reader
Certificates
Identifying Certificates
Exporting Certificates
Configure View Server
Importing Root Certificate to the Truststore
Importing NSS DoD Intermediate Certificate to the Truststore
Importing NSS DoD Subordinate CA “#” Certificate to the Truststore
Prepare Needed Files
Accessing VMware View
Limitations
References
About the Author


Introduction

The purpose of this document is to outline the step-by-step procedure for implementing SIPRNet hardware token (also referred to as the SIPR CAC) access cards in a VMware® View™ environment. It is intended as a “one-stop shop” for Federal PIV information as it applies to VMware View.

Background

The primary purposes of the SIPRNet hardware token are to provide trusted user identification and authentication on SIPRNet, and to provide improved interoperability across the DoD enterprise through PK-enabled applications. Target applications include smart card logon to the SIPRNet, Web site authentication and secure e-mail.

Currently, authentication to the SIPRNet is accomplished with a username and password. This single-factor authentication method creates security gaps for users and drives difficult password generation schemes: complex password rules and the requirement to change the password frequently hamper the end user’s ability to use the network effectively. Additionally, because the SIPRNet hardware token is populated with a full complement of PKI certificates (i.e., identity, e-mail signing and e-mail encryption), it may be used to digitally sign and encrypt e-mail on the SIPRNet, thereby providing the PKI assurances of identification, data integrity, non-repudiation and confidentiality to electronic transactions.

This step-by-step guide is intended to help organizations successfully configure their VMware View environment to use the SIPRNet hardware token for access to their SIPR View virtual desktops.

Prerequisites

A few basic assumptions are made regarding the state of the environment:

• The VMware View Connection Server is installed and properly configured.

• The VMware Security Server (a server role, not required) is installed and properly configured.

• The environment is configured for smart card logon, and all the needed NSS DoD certificates are loaded on the virtual workstation image.

• Smart card middleware (90Meter) is installed on the workstation image.

• Users have obtained a SIPRNet hardware token card from S-DEERS.

In this document, all references to middleware refer to 90Meter.


SIPRNet Hardware Token

What is the SIPRNet Hardware Token?

The SIPRNet hardware token is a distinct new card: the SafeNet Smart Card (SC).

Figure 1: SIPR Hardware Token

It uses National Security System (NSS) PKI certificates:

• Identity certificate (used for smart card logon)

• E-mail signing certificate

• E-mail encryption certificate

SIPRNet user identification information is obtained from S-DEERS:

• S-DEERS is the Secure Defense Enrollment Eligibility Reporting System.

• User Principal Name (UPN) on SIPR ([email protected]; [email protected])

The token is a high-value UNCLASSIFIED item:

• It should be protected like a CAC.

• The SIPRNet token is classified Secret while it is unlocked and in use, and Unclassified once removed from the SIPRNet card reader.

• It allows credentials to be transported securely.

• It becomes “LOCKED” after five consecutive incorrect PIN attempts.

What the SIPRNet Hardware Token IS NOT

The SIPRNet hardware token:

• Does not facilitate common physical access.

• Is not a CAC, nor an alternate token.

• Is not an ID card (it cannot be used to access military installations or secure facilities).

• Contains no barcodes.

• Contains no photo or printed personal data.

• Has no biometrics.

• Cannot be used on NIPRNet: only SIPRNet middleware can access the SIPR token’s certificates.


2. From the Console1 menu, click File, then click Add/Remove Snap-in.

3. Click Certificates and then click Add.


4. Click OK.

5. Click + to expand Certificates.

6. Click + to expand Personal.

7. Click Certificates.


8. In the right pane, identify the CA (Certificate Authority) that issued the personal certificates. In this example, the CA is NSS DoD Subordinate CA 1.

9. The next task is to identify the NSS DoD Root CA “#” at the top of the chain above the personal certificates’ issuing CA (e.g., NSS DoD Subordinate CA 1), together with any NSS DoD Intermediate CA “#” that sits between them; every CA in that chain must be exported in the next section.

10. Click + to expand Trusted Root Certification Authorities.


Exporting Certificates

Export NSS DoD Root CA “#” Certificate

1. Create a folder to store the exported certificates (e.g., C:\Certs).

2. From the Certificates management console, right-click NSS DoD Root CA 1 > All Tasks > Export.

3. At the Welcome to the Certificate Export Wizard page, click Next.


4. For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.

5. Type in the folder and file name to store the certificate (e.g., C:\Certs\NSS_DoD_Root_CA_1.cer; the same name is used in the keytool import later) and click Next.


6. Click Finish.

7. Click OK.

Note: If applicable, repeat the steps above for the remaining NSS DoD Root CA “#” certificates (e.g., NSS DoD Root CA 2, etc.).

Export NSS DoD Intermediate CA “#” Certificate

1. From the Certificates console, right-click the NSS DoD Intermediate CA “#” certificate (e.g., NSS DoD Intermediate CA 1) > All Tasks > Export.


2. At the Welcome to the Certificate Export Wizard page, click Next.

3. For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.


4. Enter the folder and file name for the certificate (e.g., C:\Certs\NSS_DoD_Intermediate_CA_1.cer) and click Next.

5. Click Finish.

6. Click OK.

Note: If applicable, repeat the steps above for all remaining NSS DoD Intermediate CA “#” certificates (e.g., NSS DoD Intermediate CA 2, etc.).


Export NSS DoD Subordinate CA “#” Certificate

1. From the Certificates console, right-click a NSS DoD Subordinate CA “#” certificate (e.g., NSS DoD Subordinate CA 1) > All Tasks > Export.

2. At the Welcome to the Certificate Export Wizard page, click Next.


3. For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.

4. Enter the folder and file name for the certificate (e.g., C:\Certs\NSS_DoD_Subordinate_CA_1.cer) and click Next.


5. Click Finish.

6. Click OK.

Note: If applicable, repeat the steps above for all remaining NSS DoD Subordinate CA “#” certificates (e.g., NSS DoD Subordinate CA 2, etc.).


Configure View Server

At this point you have extracted all the CA certificates VMware View needs to validate the certificate chain presented by the SIPR hardware token. Now we have to put them together into a keystore (truststore) file for VMware View.

Copy the “Certs” folder (containing all the exported certificates) to the C:\ directory on the VMware View Connection Server or Security Server.

Log on to the VMware View Connection Server or Security Server and open a command prompt window (use Run as Administrator on Windows Server 2008 and above).

At the command prompt, change to the C:\ directory, then type the following command (assuming VMware View or the Security Server was installed in the C:\Program Files directory):

cd "C:\Program Files\VMware\VMware View\Server\jre\bin\"

Importing Root Certificate to the Truststore

1. To import the NSS DoD Root CA “#” certificate (e.g., NSS DoD Root CA 1) into the truststore, type in the following command:

keytool -import -alias NSSDoDRootCA1 -file "C:\Certs\NSS_DoD_Root_CA_1.cer" -keystore dhdw.key

2. Press Enter to execute the command. Because dhdw.key does not exist yet, keytool creates it and prompts you to set a keystore password; every later import must use that same password. For a self-signed root, keytool also prints the certificate and asks “Trust this certificate? [no]:”; compare the fingerprint against the one shown in the Certificates console and answer yes only if it matches.


Importing NSS DoD Subordinate CA “#” Certificate to the Truststore

1. To import the NSS DoD Subordinate CA “#” certificate (e.g., NSS DoD Subordinate CA 1) into the truststore, type in this command:

keytool -import -alias NSSDoDSubordinateCA1 -file "C:\Certs\NSS_DoD_Subordinate_CA_1.cer" -keystore dhdw.key

2. Press Enter to execute the command.

3. Enter the keystore password (the one chosen when the keystore was created; keytool rejects any other) and press Enter.

Note: If applicable, repeat the steps above for all remaining NSS DoD certificates.


Prepare Needed Files

1. After successfully importing all the necessary certificates into the truststore, browse to the C:\Program Files\VMware\VMware View\Server\jre\bin\ directory.

2. Locate and copy the dhdw.key file to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\ (assuming VMware View or the Security Server was installed in the C:\Program Files directory).

3. In the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory, create a new text file and name it locked.properties. (Note: The file extension must be .properties, NOT .txt. Windows Explorer hides known extensions by default, so confirm that the file was not created as locked.properties.txt.)

4. Right-click the locked.properties file and select Edit.

5. Type the following entries into the locked.properties file, one per line:

trustKeyfile=dhdw.key
trustStoretype=JKS
useCertAuth=true

 

Page 22: SIRPNET 2

7/28/2019 SIRPNET 2

http://slidepdf.com/reader/full/sirpnet-2 22/25

W H I T E P A P E R / 2 2

How to Enable VMware Viewor SIPR Hardware Token

6. Save and close the locked.properties file.

7. Verify that the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory contains the locked.properties and dhdw.key files.

8. Reboot the VMware View Connection Server or Security Server.
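The Identifying Certificates, Exporting Certificates, Configure View Server and Prepare Needed Files procedures above, collected into one script. This is an added example, not code from the whitepaper, DHDW Consulting or VMware. It assumes (none of which the paper states) that the token’s certificates are visible in the Cert:\CurrentUser\My store through the middleware, that the NSS DoD CA names contain the string “NSS DoD”, that View is installed under C:\Program Files\VMware\VMware View\Server, and that it is run in an elevated PowerShell session on the Connection or Security Server with the token inserted. Instead of reading issuer names off the console, it lets Windows build the certificate chain, which yields exactly the CAs the token’s certificates need and nothing more.

```powershell
# Added example: automate the NSS DoD CA export, keytool import and locked.properties steps.
# Assumptions (hypothetical, not from the paper): token certs in Cert:\CurrentUser\My,
# issuer names containing "NSS DoD", View under C:\Program Files\VMware\VMware View\Server.
$ErrorActionPreference = 'Stop'
$CertDir  = 'C:\Certs'
$ViewRoot = 'C:\Program Files\VMware\VMware View\Server'
$Keytool  = Join-Path $ViewRoot 'jre\bin\keytool.exe'
$ConfDir  = Join-Path $ViewRoot 'sslgateway\conf'
$Keystore = Join-Path $CertDir 'dhdw.key'
# The truststore holds only public CA certificates; this password protects its
# integrity, not a secret, so a plain prompt is acceptable here.
$StorePass = Read-Host 'Password for dhdw.key'

# 1. Identify: find the token's personal certificates and walk each one's chain.
$personal = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Issuer -like '*NSS DoD*' }
if (-not $personal) { throw 'No NSS DoD-issued certificate found. Is the token inserted and the middleware loaded?' }

$caCerts = @{}   # thumbprint -> certificate, de-duplicated across the token's three certificates
foreach ($leaf in $personal) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # SIPRNet is isolated; build the chain offline
    [void]$chain.Build($leaf)
    # Element 0 is the leaf itself; every element above it is a CA View must trust.
    $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
        $caCerts[$_.Certificate.Thumbprint] = $_.Certificate
    }
}
if ($caCerts.Count -eq 0) { throw 'Chain could not be built. Are the NSS DoD CA certificates in the Windows stores?' }

# 2. Export each CA as Base-64 encoded X.509 (what the wizard produces), then
# 3. import it into the JKS truststore, skipping aliases that are already present.
New-Item -ItemType Directory -Path $CertDir -Force | Out-Null
foreach ($ca in $caCerts.Values) {
    $cn    = $ca.GetNameInfo('SimpleName', $false)      # e.g. "NSS DoD Subordinate CA 1"
    $alias = $cn -replace '[^A-Za-z0-9]', '_'            # e.g. NSS_DoD_Subordinate_CA_1
    $cer   = Join-Path $CertDir "$alias.cer"
    $b64   = [Convert]::ToBase64String($ca.RawData, [Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -Path $cer -Encoding Ascii -Value "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"

    & $Keytool -list -alias $alias -keystore $Keystore -storepass $StorePass 2>&1 | Out-Null
    if ($LASTEXITCODE -eq 0) { Write-Host "Already in truststore: $cn"; continue }
    # -noprompt answers the "Trust this certificate?" question that a self-signed root triggers;
    # the chain was built from the token's own certificate, so the root is the one it actually uses.
    & $Keytool -import -noprompt -trustcacerts -alias $alias -file $cer -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool failed to import $cn" }
}

# 4. Prepare Needed Files: keystore and locked.properties into sslgateway\conf.
Copy-Item -Path $Keystore -Destination $ConfDir -Force
$props = Join-Path $ConfDir 'locked.properties'
if (Test-Path $props) {
    Write-Warning "$props already exists; merge these lines by hand: trustKeyfile=dhdw.key, trustStoretype=JKS, useCertAuth=true"
} else {
    Set-Content -Path $props -Encoding Ascii -Value @('trustKeyfile=dhdw.key', 'trustStoretype=JKS', 'useCertAuth=true')
}

# Verify before rebooting: each NSS DoD CA should appear as a trustedCertEntry, and nothing else.
& $Keytool -list -keystore (Join-Path $ConfDir 'dhdw.key') -storepass $StorePass
```

The final keytool -list is the check worth keeping even when the rest is done by hand: if a login with the token is rejected after the reboot, the first thing to confirm is that every CA between the token’s identity certificate and the NSS DoD root is present in dhdw.key, since a missing intermediate breaks chain validation just as surely as a missing root.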

Accessing VMware View

Note: Individual View login results may vary.

1. Insert the SIPRNet hardware token card into the card reader and press Connect on the screen.

 

Page 23: SIRPNET 2

7/28/2019 SIRPNET 2

http://slidepdf.com/reader/full/sirpnet-2 23/25

W H I T E P A P E R / 2 3

How to Enable VMware Viewor SIPR Hardware Token

2. The Smart Card Holder Verification window appears.

3. Enter the PIN for the SIPRNet hardware token card and click OK.

4. The card verifies the PIN and, on success, the client authenticates to View with the token’s identity certificate.


5. After successful authentication, a connection with the View Connection Server determines which Pool is assigned and prepares a list of desktops.

6. A virtual desktop is prepared for the zero client to connect to.

Limitations

Here are a few limitations to be aware of:

• The VMware View Client for Mac OS X does not support smart-card authentication.

• When using smart-card authentication, users must log off before switching to a different display protocol.

• Checking the Log In As Current User option in the VMware View Client will cause the user to be prompted for a smart-card PIN a second time when connecting to Windows.

• If the Smart Card Authentication policy is set to Optional, Local Mode users must use smart-card authentication to access their desktops for the check-out operation.

• HP’s RGS protocol is not supported with smart-card authentication.


References

VMware View Administration Guide, Section 7: Setting Up User Authentication
http://www.vmware.com/pdf/view45_admin_guide.pdf

Teradici PCoIP Zero Client
http://www.teradici.com/

90Meter Middleware
http://90meter.com/product2.shtml

About the Author

DHDW Consulting authored this white paper. DHDW Consulting is a progressive, innovative technology enabler with proven, compelling solutions. From initial conception to design, implementation and sustainment, industry experts and peers alike have recognized their unique perspective and approach to achieving the singular goal of exceeding customer expectations.