How to Enable VMware® View™ for SIPR Hardware Token W H I T E PA P E R How to Enable VMware View for SIPR Hardware Token Table of Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Background. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 Prerequisites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 SIPRNet Hardware Token . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 What is the SIPRNet Hardware Token? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 What the SIPRNet Hardware Token IS NOT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 Zero Client Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 The Card Reader. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Identifying Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Exporting Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10 Configure View Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Importing Root Certificate to the Truststore . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Importing NSS DoD Intermediate Certificate to the Truststore . . . . . . . . . . . . . . . . . . 19 Importing NSS DoD Subordinate CA “#” Certificate to the Truststore. . . . . . . . . . . . 19 Prepare Needed Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21 Accessing VMware View. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Limitations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24 References. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 About the Author. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 W H I T E PA P E R / 2 How to Enable VMware View for SIPR Hardware Token Introduction The purpose of this document is to outline the step-by-step procedure for implementing SIPRNet hardware token (also referred to as the SIPR CAC) access cards into a VMware® View™ environment. This is a “one-stop shop” for all Federal PIV information with regard to VMware View. Background The primary purposes of the SIPRNet hardware token are to provide trusted user identification and authentication on SIPRNet and to provide improved interoperability across the DoD enterprise through PK-enabled applications. Target applications include smart card logon to the SIPRNet, Web site authentication, and secure email. Currently, authentication to the SIPRNet is accomplished with a username/password. This single-factor authentication method creates security gaps for users, and difficult password generation schemes, complex password rules, and the requirement to frequently change the password hampers the end user’s ability to effectively use the network. Additionally, because the SIPRNet hardware token is populated with a full complement of PKI certificates (i.e., identity, e-mail signing, and e-mail encryption), it may be used to digitally sign and encrypt e-mail on the SIPRNet, thereby providing PKI assurances of identification, data integrity, nonrepudiation, and confidentiality to electronic transactions. This step-by-step guide is intended to help organizations successfully configure their VMware View environment to leverage SIPRNet Hardware Token to access their SIPR View/Virtual desktops. Prerequisites A few basic assumptions are made regarding the status of the environment that the VMware View Connection Server is installed and properly configured. The VMware Security Server (server role not required) is installed and properly configured. The environment is configured for smart card logon and all the needed NSS DoD certificates are loaded on the virtual workstation image. Smartcard middleware 90meter is installed on the workstation image. Users have obtained SIPRNet Hardware Token card from S-DEERS. In this document all references to middleware refer to 90meter. W H I T E PA P E R / 3 How to Enable VMware View for SIPR Hardware Token SIPRNet Hardware Token What is the SIPRNet Hardware Token? The SIPRNet hardware token is a distinct new card — the SafeNet Smart Card 650 (SC650). Figure 1: SIPR Hardware Token It uses National Security System (NSS) PKI certificates: • Identity certificate (used for Smart Card Login) • Email Signing certificate • Email Encryption certificate SIPRNet User Identification Information is obtained from S-DEERS • S-DEERS is the Secure-Defense Enrollment Eligibility Reporting System • User Principal Name (UPN) on SIPR (EDIPI+PCC@smil.mil; example 123456789.A@smil.mil) High-value UNCLASSIFIED Item • Should be protected like a CAC • SIPRNet token is classified Secret when token is unlocked and in use and Unclassifed when removed from the SIPRNet card reader • Allows credentials to be transported securely • Becomes “LOCKED” after five consecutive incorrect PIN attempts What the SIPRNet Hardware Token IS NOT The SIPRNet hardware token: • Does not facilitate common physical access • Is not a CAC nor an alternate token • Is not an ID card – It cannot be used to access military installations or secure facilities) • Contains no barcodes • Contains no photo or printed personal data • Has no biometrics • Cannot be used on NIPRnet – Only SIPRNet middleware can access SIPR token’s certificates W H I T E PA P E R / 4 How to Enable VMware View for SIPR Hardware Token Zero Client Requirements The VMware View Connection Server must be configured with the intermediate root certificate that issued the card being used. Directions to accomplish this are located below. All zero clients must be running firmware version 3.5.1 or higher in order to properly read the SIPRNet hardware token card. Zero clients can handle at most 50 certificates from the VMware Connection Server. If your Connection server keyfile contains more than 50 certificates you must reduce the list to 50 or fewer. The Card Reader The card reader must be one of the following: • OmniKey 5321 • OmniKey 3021 • OmniKey 3121 • Gemalto GemPC Twin Certificates This section will explain how to identify and extract the necessary certificates to enable VMware View to accept the SIPR hardware token for logins. An initial SIPRNet Hardware Token logon to a computer or server is required to capture the certificates. Additionally, you must have administrator access to the VMware View Connection server and/or VMware View Security Server. Identifying Certificates 1. From the computer that you logon with your CAC/PIV, open the run window, type in mmc and click OK. W H I T E PA P E R / 5 How to Enable VMware View for SIPR Hardware Token 2.From the Console1 menu click on File. Click Add/Remove Snap-i. 3.Click Certificates and then click Add. W H I T E PA P E R / 6 How to Enable VMware View for SIPR Hardware Token 4.Click OK. 5.Click + to expand Certificates. 6.Click + to expand Personal. 7.Click Certificates. W H I T E PA P E R / 7 How to Enable VMware View for SIPR Hardware Token 8. On the right pane, identify the CA (Certificate Authority) that issued the personal certificates. In this example, the CA is NSS DoD Subordinate CA 1. 9.The next task is to identify the NSS Root CA “#” that issued the personal certificates CA (e.g. NSS DoD Subordinate CA 1). 10.Click + to expand Trusted Root Certification Authorities. W H I T E PA P E R / 8 How to Enable VMware View for SIPR Hardware Token 11.Click Certificates. 12. On the right-hand pane, under the Issued By column, NSS DoD Subordinate CA 1 certificate was issued and signed by NSS DoD Intermediate CA 1. That root certificate needs to be exported in addition to NSS Root CA 1. W H I T E PA P E R / 9 How to Enable VMware View for SIPR Hardware Token Exporting Certificates Export NSS Root CA “#” Certificate 1.Create a folder to store the exported certificates (e.g., C:\Certs). 2.From the Certificates management console, right-click NSS Root CA 1 > Click All Tasks > Click Export. 3.At the Welcome to the certificate Export Wizard, click Next. W H I T E PA P E R / 1 0 How to Enable VMware View for SIPR Hardware Token 4.For Export File Format, select Base-64 encoded X.509 (.CER) and click Next. 5.Type in the folder and filename to store the certificate (e.g., C:\Certs\NSS_DoD_CAs.cer) and click Next. W H I T E PA P E R / 1 1 How to Enable VMware View for SIPR Hardware Token 6.Click Finish. 7.Click OK. Note: If applicable, repeat steps above for remaining NSS DoD Root CA “#” (e.g., NSS DoD Root CA 2, etc.). Export NSS DoD Intermediate CA “#” Certificate 1.From the Certificates console, right-click NSS DoD Intermediate CA ”#” certificate (e.g., NSS DoD Intermediate CA 1) > select All Tasks > click Export. W H I T E PA P E R / 1 2 How to Enable VMware View for SIPR Hardware Token 2.At the Welcome to the Certificate Export Wizard, click Next. 3.For Export File Format, select Base-64 encoded X.509 (.CER) and click Next. W H I T E PA P E R / 1 3 How to Enable VMware View for SIPR Hardware Token 4.Enter the folder directory and name for the certificate (e.g., C:\Certs\NSS_DoD_Intermediate_CA_1.cer) and click Next. 5.Click Finish. 6.Click OK. Note: If applicable, repeat steps above for all remaining NSS DoD Intermediate CA ”#” certificates (e.g., NSS DoD Intermediate CA 2, etc.). W H I T E PA P E R / 1 4 How to Enable VMware View for SIPR Hardware Token Export NSS DoD Intermediate CA “#” Certificate 1.From the Certificates console, right-click on a NSS DoD Subordinate CA ”#” certificate (example NSS DoD Subordinate CA 1) and select All Tasks => Click Export. 2.At the Welcome to the Certificate Export Wizard, click Next. W H I T E PA P E R / 1 5 How to Enable VMware View for SIPR Hardware Token 3.For Export File Format, select Base-64 encoded X.509 (.CER) and click Next. 4.Enter the folder directory and name for the certificate (example, C:\Certs\ NSS_DoD_Subordinate_CA_1. cer) and click Next. W H I T E PA P E R / 1 6 How to Enable VMware View for SIPR Hardware Token 5.Click Finish. 6.Click OK. Note: If applicable, repeat steps above for all remaining NSS DoD Subordinate CA ”#” certificates (e.g., NSS DoD Subordinate CA 2, etc.). W H I T E PA P E R / 1 7 How to Enable VMware View for SIPR Hardware Token Configure View Server At this point you have successfully extracted all the necessary certificates to enable VMware View to read the SIPR hardware token. Now we have to put it all together into a keystore file for VMware View. Copy the “Certs” folder (containing all the exported certificates) to the “C:\” directory on the VMware View Connection Server or Security Server. Logon to the VMware View Connection Server or Security Server and open the command the command prompt window (use Run as Administrator if using Windows Server 2008 and above). At the command prompt window, change to the c:\ directory. Type in the following command (assuming VMware View or Security server was installed in the C:\Program Files directory): cd “c:\Program Files\VMware\VMware View\Server\jre\bin\” Importing Root Certificate to the Truststore 1.To import the NSS DoD Root CA # certificate (e.g., NSS DoD Root CA 1) to the Truststore, type in the following command: Keytool –import –alias NSSDODRootCA1 –file “C:\Certs\NSS_DOD_Root_CA_1.cer” – keystore dhdw.key 2.Press Enter to execute the command. W H I T E PA P E R / 1 8 How to Enable VMware View for SIPR Hardware Token 3.Enter a keystore password (use a password you’ll remember) and press Enter. Importing NSS DoD Intermediate Certificate to the Truststore 1.To import the NSS DoD Intermediate CA ”#” certificates (example NSS DoD Intermediate CA 1) to the Truststore, type in this command: Keytool –import –alias NSSDODIntermediateCA1 –file “C:\Certs\ NSS_DoD_ Intermediate_CA_1.cer” –keystore dhdw.key 2.Press Enter to execute the command. 3.Enter a keystore password (use a password you’ll remember) and press Enter. W H I T E PA P E R / 1 9 How to Enable VMware View for SIPR Hardware Token Importing NSS DoD Subordinate CA “#” Certificate to the Truststore 1.To import NSS DoD Subordinate CA ”#” certificates (example, NSS DoD Subordinate CA 1) to the Truststore, type in this command: Keytool –import –alias NSSDoDSubordinateCA1 –file “C:\Certs\ NSS_DoD_ Subordinate_CA_1.cer” –keystore dhdw.key 2.Press Enter to execute the command. 3.Enter a keystore password (use a password you’ll remember) and press Enter. Note: If applicable, repeat steps above for all remaining NSS DoD certificates. W H I T E PA P E R / 2 0 How to Enable VMware View for SIPR Hardware Token Prepare Needed Files 1.After successfully importing all the necessary certificates to the Truststore, browse to the C:\Program Files\VMware\VMware View\Server\jre\bin\ directory. 2.Locate and copy the dhdw.key file to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\ (assuming VMware View or Security server was installed in C:\Program Files directory). 3.In the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory, create a new text file and name it locked.properties. (Note: The file extension should be .properties NOT .txt). 4.Right-click the locked.properties file and select Edit. 5.Type the following entries in the locked.properties file: • trustKeyfile=dhdw.key • trustStoretype=JKS • useCertAuth=true W H I T E PA P E R / 2 1 How to Enable VMware View for SIPR Hardware Token 6. Save and close locked.properties file. 7.Verify the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory contains the locked.properties and dhdw.key files. 8.Reboot the VMware View Connection or Security server. Accessing VMware View Note: Individual View Login result may vary 1.Insert the SIPRNet hardware token card into the card reader and press Connect on the screen. W H I T E PA P E R / 2 2 How to Enable VMware View for SIPR Hardware Token 2.The Smart Card Holder Verification window appears. 3.Enter the PIN for the SIPRNet hardware token card and click OK. 4.The Authentication verifies the PIN on the card and access to View. W H I T E PA P E R / 2 3 How to Enable VMware View for SIPR Hardware Token 5.After successful authentication, a connection with the View Connection Server verifies what Pool is assigned and prepares a list of desktops. 6.A virtual desktop is prepared for the zero client to connect to. Limitations Here are a few limitations to be aware of: • The VMware View Client for Mac OS X does not support smart-card authentication. • When using smart-card authentication, users must log off before switching to a different display protocol. • Checking the LogIn As Current User option in the VMware View Client will cause the user to be prompted for a smart-card PIN a second time when connecting to Windows. • If the Smart Card Authentication policy is set to Optional, Local Mode users must use smart-card authentication to access their desktops for the checkout operation. • HP’s RGS protocol is not supported with smart-card authentication. W H I T E PA P E R / 2 4 How to Enable VMware View for SIPR Hardware Token References VMware View Administration Guide. Section 7 – Setting Up User Authentication http://www.vmware.com/pdf/view45_admin_guide.pdf Teradici PCOIP Zero Client http://www.teradici.com/ 90meter Middleware http://90meter.com/product2.shtml About the Author DHDW Consulting authored this white paper. DHDW Consulting is a progressive, innovative technology enabler with proven, compelling solutions. From initial conception to design, implementation and sustainment industry experts and peers alike have recognized their unique perspective and approach to achieving the singular goal of exceeding customer expectations. VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-WP-SIPR-USLET-20120429-WEB
© Copyright 2024