UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Horizon Connection Server must validate client and administrator certificates.


Overview

Finding ID Version Rule ID IA Controls Severity
V-246892 HRZV-7X-000011 SV-246892r768636_rule Medium
Description
The Horizon Connection Server can be configured to check the revocation status of PKI certificates over both OCSP and CRL. This capability is disabled by default and must be enabled post-deployment. There are a number of other configurations that are supported, including OCSP and CRL location override but those will be site and architecture specific. The suggested configuration is OCSP with failover to CRL and override the AIA locations via a local OCSP responder, if present. See below: enableRevocationChecking=true ocspCRLFailover=true ocspSendNonce=true enableOCSP=true allowCertCRLs=false crlLocation=http://<crl.myagency.mil> ocspURL=http://<ca.myagency.mil/ocsp ocspSigningCert=ca.myagency.mil.cer Set enableRevocationChecking to true to enable smart card certificate revocation checking. Set ocspCRLFailover to enable CRL checking is OCSP fails. Set ocspSendNonce to true to prevent OCSP repeated responses. Set enableOCSP to true to enable OCSP certificate revocation checking. Set allowCertCRLs to false to disable pulling the CRL distribution point from the certificate. Set crlLocation to the local file of http URL to use for the CRL distribution point. Set ocspURL to the URL of the OCSP Responder. Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate.
STIG Date
VMware Horizon 7.13 Connection Server Security Technical Implementation Guide 2021-07-30

Details

Check Text ( C-50324r768634_chk )
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

If a file named "locked.properties" does not exist in this path, this is a finding.

Open "locked.properties" in a text editor. Find the "enableRevocationChecking" setting.

If "enableRevocationChecking" does not exist, this is a finding.

If "enableRevocationChecking" is not set to "true", this is a finding.
Fix Text (F-50278r768635_fix)
On the Horizon Connection Server, navigate to "\VMware\VMware View\Server\sslgateway\conf".

Open "locked.properties" in a text editor. Add or change the following line:

enableRevocationChecking=true

Save and close the file. Restart the "VMware Horizon View Connection Server" service for changes to take effect.