Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-246892 | HRZV-7X-000011 | SV-246892r768636_rule | Medium |
Description |
---|
The Horizon Connection Server can be configured to check the revocation status of PKI certificates over both OCSP and CRL. This capability is disabled by default and must be enabled post-deployment. There are a number of other configurations that are supported, including OCSP and CRL location override but those will be site and architecture specific. The suggested configuration is OCSP with failover to CRL and override the AIA locations via a local OCSP responder, if present. See below: enableRevocationChecking=true ocspCRLFailover=true ocspSendNonce=true enableOCSP=true allowCertCRLs=false crlLocation=http://<crl.myagency.mil> ocspURL=http://<ca.myagency.mil/ocsp ocspSigningCert=ca.myagency.mil.cer Set enableRevocationChecking to true to enable smart card certificate revocation checking. Set ocspCRLFailover to enable CRL checking is OCSP fails. Set ocspSendNonce to true to prevent OCSP repeated responses. Set enableOCSP to true to enable OCSP certificate revocation checking. Set allowCertCRLs to false to disable pulling the CRL distribution point from the certificate. Set crlLocation to the local file of http URL to use for the CRL distribution point. Set ocspURL to the URL of the OCSP Responder. Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate. |
STIG | Date |
---|---|
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide | 2021-07-30 |
Check Text ( C-50324r768634_chk ) |
---|
On the Horizon Connection Server, navigate to " If a file named "locked.properties" does not exist in this path, this is a finding. Open "locked.properties" in a text editor. Find the "enableRevocationChecking" setting. If "enableRevocationChecking" does not exist, this is a finding. If "enableRevocationChecking" is not set to "true", this is a finding. |
Fix Text (F-50278r768635_fix) |
---|
On the Horizon Connection Server, navigate to " Open "locked.properties" in a text editor. Add or change the following line: enableRevocationChecking=true Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect. |