
The Horizon Connection Server must validate client and administrator certificates.


Overview

Finding ID: V-246892
Version: HRZV-7X-000011
Rule ID: SV-246892r768636_rule
IA Controls: (none listed)
Severity: Medium
Description
The Horizon Connection Server can check the revocation status of PKI certificates over both OCSP and CRL. This capability is disabled by default and must be enabled after deployment. A number of other settings are supported, including OCSP and CRL location overrides, but those are site and architecture specific. The suggested configuration is OCSP with failover to CRL, overriding the AIA locations to point at a local OCSP responder if one is present. For example:

enableRevocationChecking=true
ocspCRLFailover=true
ocspSendNonce=true
enableOCSP=true
allowCertCRLs=false
crlLocation=http://<crl.myagency.mil>
ocspURL=http://<ca.myagency.mil>/ocsp
ocspSigningCert=ca.myagency.mil.cer

Set enableRevocationChecking to true to enable smart card certificate revocation checking.
Set ocspCRLFailover to true to fall back to CRL checking if OCSP fails.
Set ocspSendNonce to true so that each OCSP response is bound to the request that produced it and a replayed or cached response is rejected.
Set enableOCSP to true to enable OCSP certificate revocation checking.
Set allowCertCRLs to false to prevent the CRL distribution point from being taken from the certificate itself.
Set crlLocation to the local file or HTTP URL to use as the CRL distribution point.
Set ocspURL to the URL of the OCSP responder.
Set ocspSigningCert to the location of the file that contains the OCSP responder's signing certificate.
STIG: VMware Horizon 7.13 Connection Server Security Technical Implementation Guide
Date: 2021-07-30

Details

Check Text (C-50324r768634_chk)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is a finding.

Open "locked.properties" in a text editor. Find the "enableRevocationChecking" setting.

If "enableRevocationChecking" does not exist, this is a finding.

If "enableRevocationChecking" is not set to "true", this is a finding.
Fix Text (F-50278r768635_fix)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Add or change the following line:

enableRevocationChecking=true

Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.
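The PowerShell script below is an added example and is not part of the STIG or of VMware's own tooling. It runs the check text above as written (file present, key present, key equal to "true"), then reports two inconsistencies that the description's suggested configuration would expose but that this rule's check does not test: OCSP enabled with no ocspURL, and certificate CDPs disabled (allowCertCRLs=false) with no crlLocation. Those two are reported as warnings, not findings. With -Fix it applies the fix text (add or change enableRevocationChecking=true) and restarts the service, located by the display name the fix text gives. The install root C:\Program Files\VMware\VMware View\Server is an assumption (the default Horizon location); pass -InstallRoot if the server was installed elsewhere.

```powershell
# Added example, not STIG or VMware code: audit and optionally remediate
# HRZV-7X-000011 (enableRevocationChecking) on a Horizon 7.13 Connection Server.
# The default install root is an assumption; override with -InstallRoot.
param(
    [string]$InstallRoot = 'C:\Program Files\VMware\VMware View\Server',
    [switch]$Fix
)

$confPath = Join-Path $InstallRoot 'sslgateway\conf\locked.properties'

# Parse a Java-style .properties file into a hashtable (key=value, '#'/'!' comments skipped).
function Read-Properties {
    param([string]$Path)
    $props = @{}
    foreach ($line in Get-Content -Path $Path) {
        $trimmed = $line.Trim()
        if ($trimmed -eq '' -or $trimmed.StartsWith('#') -or $trimmed.StartsWith('!')) { continue }
        $idx = $trimmed.IndexOf('=')
        if ($idx -lt 1) { continue }
        $props[$trimmed.Substring(0, $idx).Trim()] = $trimmed.Substring($idx + 1).Trim()
    }
    return $props
}

# The STIG check text, applied literally, followed by consistency warnings that are
# not part of this rule but follow from the description's suggested configuration.
function Test-RevocationConfig {
    param([hashtable]$Props)
    $results = @()
    if (-not $Props.ContainsKey('enableRevocationChecking')) {
        $results += 'FINDING: enableRevocationChecking is not present'
    } elseif ($Props['enableRevocationChecking'] -ne 'true') {
        $results += "FINDING: enableRevocationChecking is '$($Props['enableRevocationChecking'])', expected 'true'"
    }
    if ($Props['enableOCSP'] -eq 'true' -and -not $Props['ocspURL']) {
        $results += 'WARNING: enableOCSP=true but no ocspURL override is configured'
    }
    if ($Props['allowCertCRLs'] -eq 'false' -and -not $Props['crlLocation']) {
        $results += 'WARNING: allowCertCRLs=false but no crlLocation is configured, so no CRL source is defined'
    }
    return $results
}

# The STIG fix text: add or change the line, save, restart the service.
function Enable-RevocationChecking {
    param([string]$Path)
    $lines = @(Get-Content -Path $Path)
    $pattern = '^\s*enableRevocationChecking\s*='
    if ($lines -match $pattern) {
        $lines = $lines | ForEach-Object { if ($_ -match $pattern) { 'enableRevocationChecking=true' } else { $_ } }
    } else {
        $lines += 'enableRevocationChecking=true'
    }
    Set-Content -Path $Path -Value $lines -Encoding ASCII
    # locked.properties is only read at service start, hence the restart.
    Get-Service -DisplayName 'VMware Horizon View Connection Server' | Restart-Service
}

if (-not (Test-Path -Path $confPath)) {
    Write-Output "FINDING: $confPath does not exist"
    if ($Fix) { New-Item -Path $confPath -ItemType File -Force | Out-Null } else { exit 1 }
}

$results = @(Test-RevocationConfig -Props (Read-Properties -Path $confPath))
if ($results.Count -eq 0) {
    Write-Output 'Compliant: enableRevocationChecking=true'
} else {
    $results | ForEach-Object { Write-Output $_ }
}

if ($Fix -and ($results -match '^FINDING')) {
    Enable-RevocationChecking -Path $confPath
    Write-Output 'Applied fix and restarted the Connection Server service'
} elseif ($results -match '^FINDING') {
    exit 1
}
```

Run it without -Fix from an elevated PowerShell session to reproduce the check result; run it with -Fix only during a maintenance window, since restarting the service drops active client connections through that server. The two warnings are informational for this rule; the surrounding Horizon STIG rules and the site's PKI architecture decide whether they need action.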