Download   Report
  1. No category

How to Enable VMware® View™ for SIPR Hardware Token

How to Enable
VMware® View™ for
SIPR Hardware Token
W H I T E PA P E R
How to Enable VMware View
for SIPR Hardware Token
Table of Contents
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
SIPRNet Hardware Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
What is the SIPRNet Hardware Token? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
What the SIPRNet Hardware Token IS NOT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
Zero Client Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
The Card Reader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Identifying Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
Exporting Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Configure View Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Importing Root Certificate to the Truststore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Importing NSS DoD Intermediate Certificate to the Truststore . . . . . . . . . . . . . . . . . . 19
Importing NSS DoD Subordinate CA “#” Certificate to the Truststore. . . . . . . . . . . . 19
Prepare Needed Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Accessing VMware View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
About the Author. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
W H I T E PA P E R / 2
How to Enable VMware View
for SIPR Hardware Token
Introduction
The purpose of this document is to outline the step-by-step procedure for implementing SIPRNet hardware
token (also referred to as the SIPR CAC) access cards into a VMware® View™ environment. This is a “one-stop
shop” for all Federal PIV information with regard to VMware View.
Background
The primary purposes of the SIPRNet hardware token are to provide trusted user identification and
authentication on SIPRNet and to provide improved interoperability across the DoD enterprise through
PK-enabled applications. Target applications include smart card logon to the SIPRNet, Web site authentication,
and secure email. Currently, authentication to the SIPRNet is accomplished with a username/password. This
single-factor authentication method creates security gaps for users, and difficult password generation schemes,
complex password rules, and the requirement to frequently change the password hampers the end user’s
ability to effectively use the network. Additionally, because the SIPRNet hardware token is populated with a full
complement of PKI certificates (i.e., identity, e-mail signing, and e-mail encryption), it may be used to digitally
sign and encrypt e-mail on the SIPRNet, thereby providing PKI assurances of identification, data integrity, nonrepudiation, and confidentiality to electronic transactions.
This step-by-step guide is intended to help organizations successfully configure their VMware View
environment to leverage SIPRNet Hardware Token to access their SIPR View/Virtual desktops.
Prerequisites
A few basic assumptions are made regarding the status of the environment that the VMware View Connection
Server is installed and properly configured. The VMware Security Server (server role not required) is installed
and properly configured. The environment is configured for smart card logon and all the needed NSS DoD
certificates are loaded on the virtual workstation image. Smartcard middleware 90meter is installed on the
workstation image. Users have obtained SIPRNet Hardware Token card from S-DEERS. In this document all
references to middleware refer to 90meter.
W H I T E PA P E R / 3
How to Enable VMware View
for SIPR Hardware Token
SIPRNet Hardware Token
What is the SIPRNet Hardware Token?
The SIPRNet hardware token is a distinct new card — the SafeNet Smart Card 650 (SC650).
Figure 1: SIPR Hardware Token
It uses National Security System (NSS) PKI certificates:
• Identity certificate (used for Smart Card Login)
• Email Signing certificate
• Email Encryption certificate
SIPRNet User Identification Information is obtained from S-DEERS
• S-DEERS is the Secure-Defense Enrollment Eligibility Reporting System
• User Principal Name (UPN) on SIPR ([email protected]; example [email protected])
High-value UNCLASSIFIED Item
• Should be protected like a CAC
• SIPRNet token is classified Secret when token is unlocked and in use and Unclassifed when removed from the
SIPRNet card reader
• Allows credentials to be transported securely
• Becomes “LOCKED” after five consecutive incorrect PIN attempts
What the SIPRNet Hardware Token IS NOT
The SIPRNet hardware token:
• Does not facilitate common physical access
• Is not a CAC nor an alternate token
• Is not an ID card – It cannot be used to access military installations or secure facilities)
• Contains no barcodes
• Contains no photo or printed personal data
• Has no biometrics
• Cannot be used on NIPRnet – Only SIPRNet middleware can access SIPR token’s certificates
W H I T E PA P E R / 4
How to Enable VMware View
for SIPR Hardware Token
Zero Client Requirements
The VMware View Connection Server must be configured with the intermediate root certificate that issued the
card being used. Directions to accomplish this are located below.
All zero clients must be running firmware version 3.5.1 or higher in order to properly read the SIPRNet hardware
token card.
Zero clients can handle at most 50 certificates from the VMware Connection Server. If your Connection server
keyfile contains more than 50 certificates you must reduce the list to 50 or fewer.
The Card Reader
The card reader must be one of the following:
• OmniKey 5321
• OmniKey 3021
• OmniKey 3121
• Gemalto GemPC Twin
Certificates
This section will explain how to identify and extract the necessary certificates to enable VMware View to accept
the SIPR hardware token for logins.
An initial SIPRNet Hardware Token logon to a computer or server is required to capture the certificates.
Additionally, you must have administrator access to the VMware View Connection server and/or VMware View
Security Server.
Identifying Certificates
1. From the computer that you logon with your CAC/PIV, open the run window, type in mmc and click OK.
W H I T E PA P E R / 5
How to Enable VMware View
for SIPR Hardware Token
2.From the Console1 menu click on File.
Click Add/Remove Snap-i.
3.Click Certificates and then click Add.
W H I T E PA P E R / 6
How to Enable VMware View
for SIPR Hardware Token
4.Click OK.
5.Click + to expand Certificates.
6.Click + to expand Personal.
7.Click Certificates.
W H I T E PA P E R / 7
How to Enable VMware View
for SIPR Hardware Token
8. On the right pane, identify the CA (Certificate Authority) that issued the personal certificates.
In this example, the CA is NSS DoD Subordinate CA 1.
9.The next task is to identify the NSS Root CA “#” that issued the personal certificates CA (e.g. NSS DoD
Subordinate CA 1).
10.Click + to expand Trusted Root Certification Authorities.
W H I T E PA P E R / 8
How to Enable VMware View
for SIPR Hardware Token
11.Click Certificates.
12. On the right-hand pane, under the Issued By column, NSS DoD Subordinate CA 1 certificate was issued
and signed by NSS DoD Intermediate CA 1. That root certificate needs to be exported in addition to NSS
Root CA 1.
W H I T E PA P E R / 9
How to Enable VMware View
for SIPR Hardware Token
Exporting Certificates
Export NSS Root CA “#” Certificate
1.Create a folder to store the exported certificates (e.g., C:\Certs).
2.From the Certificates management console, right-click NSS Root CA 1 > Click All Tasks > Click Export.
3.At the Welcome to the certificate Export Wizard, click Next.
W H I T E PA P E R / 1 0
How to Enable VMware View
for SIPR Hardware Token
4.For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.
5.Type in the folder and filename to store the certificate (e.g., C:\Certs\NSS_DoD_CAs.cer) and click Next.
W H I T E PA P E R / 1 1
How to Enable VMware View
for SIPR Hardware Token
6.Click Finish.
7.Click OK.
Note: If applicable, repeat steps above for remaining NSS DoD Root CA “#” (e.g., NSS DoD Root CA 2, etc.).
Export NSS DoD Intermediate CA “#” Certificate
1.From the Certificates console, right-click NSS DoD Intermediate CA ”#” certificate (e.g., NSS DoD
Intermediate CA 1) > select All Tasks > click Export.
W H I T E PA P E R / 1 2
How to Enable VMware View
for SIPR Hardware Token
2.At the Welcome to the Certificate Export Wizard, click Next.
3.For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.
W H I T E PA P E R / 1 3
How to Enable VMware View
for SIPR Hardware Token
4.Enter the folder directory and name for the certificate (e.g., C:\Certs\NSS_DoD_Intermediate_CA_1.cer)
and click Next.
5.Click Finish.
6.Click OK.
Note: If applicable, repeat steps above for all remaining NSS DoD Intermediate CA ”#” certificates
(e.g., NSS DoD Intermediate CA 2, etc.).
W H I T E PA P E R / 1 4
How to Enable VMware View
for SIPR Hardware Token
Export NSS DoD Intermediate CA “#” Certificate
1.From the Certificates console, right-click on a NSS DoD Subordinate CA ”#” certificate
(example NSS DoD Subordinate CA 1) and select All Tasks => Click Export.
2.At the Welcome to the Certificate Export Wizard, click Next.
W H I T E PA P E R / 1 5
How to Enable VMware View
for SIPR Hardware Token
3.For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.
4.Enter the folder directory and name for the certificate (example, C:\Certs\ NSS_DoD_Subordinate_CA_1.
cer) and click Next.
W H I T E PA P E R / 1 6
How to Enable VMware View
for SIPR Hardware Token
5.Click Finish.
6.Click OK.
Note: If applicable, repeat steps above for all remaining NSS DoD Subordinate CA ”#” certificates (e.g.,
NSS DoD Subordinate CA 2, etc.).
W H I T E PA P E R / 1 7
How to Enable VMware View
for SIPR Hardware Token
Configure View Server
At this point you have successfully extracted all the necessary certificates to enable VMware View to read the
SIPR hardware token. Now we have to put it all together into a keystore file for VMware View.
Copy the “Certs” folder (containing all the exported certificates) to the “C:\” directory on the VMware View
Connection Server or Security Server.
Logon to the VMware View Connection Server or Security Server and open the command the command
prompt window (use Run as Administrator if using Windows Server 2008 and above).
At the command prompt window, change to the c:\ directory.
Type in the following command (assuming VMware View or Security server was installed in the C:\Program
Files directory):
cd “c:\Program Files\VMware\VMware View\Server\jre\bin\”
Importing Root Certificate to the Truststore
1.To import the NSS DoD Root CA # certificate (e.g., NSS DoD Root CA 1) to the Truststore, type in the
following command:
Keytool –import –alias NSSDODRootCA1 –file “C:\Certs\NSS_DOD_Root_CA_1.cer” –
keystore dhdw.key
2.Press Enter to execute the command.
W H I T E PA P E R / 1 8
How to Enable VMware View
for SIPR Hardware Token
3.Enter a keystore password (use a password you’ll remember) and press Enter.
Importing NSS DoD Intermediate Certificate to the Truststore
1.To import the NSS DoD Intermediate CA ”#” certificates (example NSS DoD Intermediate CA 1) to the
Truststore, type in this command:
Keytool –import –alias NSSDODIntermediateCA1 –file “C:\Certs\ NSS_DoD_
Intermediate_CA_1.cer” –keystore dhdw.key
2.Press Enter to execute the command.
3.Enter a keystore password (use a password you’ll remember) and press Enter.
W H I T E PA P E R / 1 9
How to Enable VMware View
for SIPR Hardware Token
Importing NSS DoD Subordinate CA “#” Certificate to the Truststore
1.To import NSS DoD Subordinate CA ”#” certificates (example, NSS DoD Subordinate CA 1) to the
Truststore, type in this command:
Keytool –import –alias NSSDoDSubordinateCA1 –file “C:\Certs\ NSS_DoD_
Subordinate_CA_1.cer” –keystore dhdw.key
2.Press Enter to execute the command.
3.Enter a keystore password (use a password you’ll remember) and press Enter.
Note: If applicable, repeat steps above for all remaining NSS DoD certificates.
W H I T E PA P E R / 2 0
How to Enable VMware View
for SIPR Hardware Token
Prepare Needed Files
1.After successfully importing all the necessary certificates to the Truststore, browse to the C:\Program
Files\VMware\VMware View\Server\jre\bin\ directory.
2.Locate and copy the dhdw.key file to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\
(assuming VMware View or Security server was installed in C:\Program Files directory).
3.In the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory, create a new text file
and name it locked.properties. (Note: The file extension should be .properties NOT .txt).
4.Right-click the locked.properties file and select Edit.
5.Type the following entries in the locked.properties file:
• trustKeyfile=dhdw.key
• trustStoretype=JKS
• useCertAuth=true
W H I T E PA P E R / 2 1
How to Enable VMware View
for SIPR Hardware Token
6. Save and close locked.properties file.
7.Verify the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory contains the
locked.properties and dhdw.key files.
8.Reboot the VMware View Connection or Security server.
Accessing VMware View
Note: Individual View Login result may vary
1.Insert the SIPRNet hardware token card into the card reader and press Connect on the screen.
W H I T E PA P E R / 2 2
How to Enable VMware View
for SIPR Hardware Token
2.The Smart Card Holder Verification window appears.
3.Enter the PIN for the SIPRNet hardware token card and click OK.
4.The Authentication verifies the PIN on the card and access to View.
W H I T E PA P E R / 2 3
How to Enable VMware View
for SIPR Hardware Token
5.After successful authentication, a connection with the View Connection Server verifies what Pool is
assigned and prepares a list of desktops.
6.A virtual desktop is prepared for the zero client to connect to.
Limitations
Here are a few limitations to be aware of:
• The VMware View Client for Mac OS X does not support smart-card authentication.
• When using smart-card authentication, users must log off before switching to a different display protocol.
• Checking the LogIn As Current User option in the VMware View Client will cause the user to be prompted for
a smart-card PIN a second time when connecting to Windows.
• If the Smart Card Authentication policy is set to Optional, Local Mode users must use smart-card
authentication to access their desktops for the checkout operation.
• HP’s RGS protocol is not supported with smart-card authentication.
W H I T E PA P E R / 2 4
How to Enable VMware View
for SIPR Hardware Token
References
VMware View Administration Guide. Section 7 – Setting Up User Authentication
http://www.vmware.com/pdf/view45_admin_guide.pdf
Teradici PCOIP Zero Client
http://www.teradici.com/
90meter Middleware
http://90meter.com/product2.shtml
About the Author
DHDW Consulting authored this white paper. DHDW Consulting is a progressive, innovative technology enabler
with proven, compelling solutions. From initial conception to design, implementation and sustainment industry
experts and peers alike have recognized their unique perspective and approach to achieving the singular goal
of exceeding customer expectations.
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at
http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be
trademarks of their respective companies. Item No: VMW-WP-SIPR-USLET-20120429-WEB
VMware Professional Services: Business Continuity and Disaster Recovery Practice

VMware Professional Services: Business Continuity and Disaster Recovery Practice

How to Install and Use SSS\Progman with Carsoft or INPA... First of all you must be able to use Carsoft,...

How to Install and Use SSS\Progman with Carsoft or INPA... First of all you must be able to use Carsoft,...

City of Alexandria, Louisiana Time, Simplify Management

City of Alexandria, Louisiana Time, Simplify Management

How to Setup Location Based Printing on a Zero Client. Note:

How to Setup Location Based Printing on a Zero Client. Note:

Stoll Knitting Machine Factory Gathers IT Threads With VMware

Stoll Knitting Machine Factory Gathers IT Threads With VMware

How to Install and Use SSS\Progman with Carsoft or INPA... First of all you must be able to use Carsoft,...

How to Install and Use SSS\Progman with Carsoft or INPA... First of all you must be able to use Carsoft,...

HP integrated VMware ESXi 3.5 Update 5 Getting Started Guide

HP integrated VMware ESXi 3.5 Update 5 Getting Started Guide

How to run BMW GT1 DIS or SSS system

How to run BMW GT1 DIS or SSS system

How To Convert an Acronis Backup File To a VMWare...

How To Convert an Acronis Backup File To a VMWare...

VMware vSphere What is VMware vSphere? Standard Edition

VMware vSphere What is VMware vSphere? Standard Edition

How to define a good eTwinning project

How to define a good eTwinning project

abcdocz.com

© Copyright 2024