
How to Enable VMware® View™ for SIPR Hardware Token

WHITE PAPER

Table of Contents

Introduction
Background
Prerequisites
SIPRNet Hardware Token
  What is the SIPRNet Hardware Token?
  What the SIPRNet Hardware Token IS NOT
Zero Client Requirements
  The Card Reader
Certificates
  Identifying Certificates
  Exporting Certificates
Configure View Server
  Importing Root Certificate to the Truststore
  Importing NSS DoD Intermediate Certificate to the Truststore
  Importing NSS DoD Subordinate CA "#" Certificate to the Truststore
  Prepare Needed Files
Accessing VMware View
Limitations
References
About the Author


Introduction

The purpose of this document is to outline the step-by-step procedure for implementing SIPRNet hardware token (also referred to as the SIPR CAC) access cards into a VMware® View™ environment. It is intended as a "one-stop shop" for all Federal PIV information with regard to VMware View.

Background

The primary purposes of the SIPRNet hardware token are to provide trusted user identification and authentication on SIPRNet and to provide improved interoperability across the DoD enterprise through PK-enabled applications. Target applications include smart card logon to the SIPRNet, Web site authentication, and secure email. Currently, authentication to the SIPRNet is accomplished with a username/password. This single-factor authentication method creates security gaps for users, and difficult password generation schemes, complex password rules, and the requirement to frequently change the password hamper the end user's ability to effectively use the network. Additionally, because the SIPRNet hardware token is populated with a full complement of PKI certificates (i.e., identity, e-mail signing, and e-mail encryption), it may be used to digitally sign and encrypt e-mail on the SIPRNet, thereby providing PKI assurances of identification, data integrity, non-repudiation, and confidentiality to electronic transactions.

This step-by-step guide is intended to help organizations successfully configure their VMware View environment to leverage SIPRNet Hardware Token to access their SIPR View/Virtual desktops.

Prerequisites

A few basic assumptions are made regarding the status of the environment:

• The VMware View Connection Server is installed and properly configured.

• The VMware Security Server (server role not required) is installed and properly configured.

• The environment is configured for smart card logon, and all the needed NSS DoD certificates are loaded on the virtual workstation image.

• The 90meter smartcard middleware is installed on the workstation image.

• Users have obtained their SIPRNet Hardware Token card from S-DEERS.

In this document all references to middleware refer to 90meter.


SIPRNet Hardware Token

What is the SIPRNet Hardware Token?

The SIPRNet hardware token is a distinct new card — the SafeNet Smart Card 650 (SC650).

Figure 1: SIPR Hardware Token

It uses National Security System (NSS) PKI certificates:

• Identity certificate (used for Smart Card Login)

• Email Signing certificate

• Email Encryption certificate

SIPRNet User Identification Information is obtained from S-DEERS:

• S-DEERS is the Secure-Defense Enrollment Eligibility Reporting System

• User Principal Name (UPN) on SIPR ([email protected]; [email protected])

High-value UNCLASSIFIED Item:

• Should be protected like a CAC

• The SIPRNet token is classified Secret when the token is unlocked and in use, and Unclassified when removed from the SIPRNet card reader

• Allows credentials to be transported securely

• Becomes "LOCKED" after five consecutive incorrect PIN attempts

What the SIPRNet Hardware Token IS NOT

The SIPRNet hardware token:

• Does not facilitate common physical access

• Is not a CAC nor an alternate token

• Is not an ID card (it cannot be used to access military installations or secure facilities)

• Contains no barcodes

• Contains no photo or printed personal data

• Has no biometrics

• Cannot be used on NIPRNet: only SIPRNet middleware can access the SIPR token's certificates


Zero Client Requirements

The VMware View Connection Server must be configured with the intermediate root certificate that issued the card being used. Directions to accomplish this are located below.

All zero clients must be running firmware version 3.5.1 or higher in order to properly read the SIPRNet hardware token card.

Zero clients can handle at most 50 certificates from the VMware Connection Server. If your Connection server keyfile contains more than 50 certificates you must reduce the list to 50 or fewer.

The Card Reader

The card reader must be one of the following:

• OmniKey 5321

• OmniKey 3021

• OmniKey 3121

• Gemalto GemPC Twin

Certificates

This section explains how to identify and extract the certificates needed to enable VMware View to accept the SIPR hardware token for logins.

An initial SIPRNet Hardware Token logon to a computer or server is required to capture the certificates.

Additionally, you must have administrator access to the VMware View Connection server and/or VMware View Security Server.

Identifying Certificates

1. From the computer that you log on to with your CAC/PIV, open the Run window, type mmc and click OK.


2. From the Console1 menu, click File, then click Add/Remove Snap-in.

3. Click Certificates and then click Add.


4. Click OK.

5. Click + to expand Certificates.

6. Click + to expand Personal.

7. Click Certificates.


8. On the right pane, identify the CA (Certificate Authority) that issued the personal certificates. In this example, the CA is NSS DoD Subordinate CA 1.

9. The next task is to identify the NSS Root CA "#" that issued the personal certificates' CA (e.g., NSS DoD Subordinate CA 1).

10. Click + to expand Trusted Root Certification Authorities.


11. Click Certificates.

12. On the right-hand pane, under the Issued By column, the NSS DoD Subordinate CA 1 certificate was issued and signed by NSS DoD Intermediate CA 1. That certificate also needs to be exported, in addition to NSS Root CA 1.


Exporting Certificates

Export NSS Root CA “#” Certificate

1. Create a folder to store the exported certificates (e.g., C:\Certs).

2. From the Certificates management console, right-click NSS Root CA 1 > Click All Tasks > Click Export.

3. At the Welcome to the Certificate Export Wizard, click Next.


4. For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.

5. Type in the folder and filename to store the certificate (e.g., C:\Certs\NSS_DoD_CAs.cer) and click Next.


6. Click Finish.

7. Click OK.

Note: If applicable, repeat steps above for remaining NSS DoD Root CA “#” (e.g., NSS DoD Root CA 2, etc.).

Export NSS DoD Intermediate CA “#” Certificate

1. From the Certificates console, right-click the NSS DoD Intermediate CA "#" certificate (e.g., NSS DoD Intermediate CA 1) > select All Tasks > click Export.


2. At the Welcome to the Certificate Export Wizard, click Next.

3. For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.


4. Enter the folder directory and name for the certificate (e.g., C:\Certs\NSS_DoD_Intermediate_CA_1.cer) and click Next.

5. Click Finish.

6. Click OK.

Note: If applicable, repeat steps above for all remaining NSS DoD Intermediate CA ”#” certificates (e.g., NSS DoD Intermediate CA 2, etc.).


Export NSS DoD Subordinate CA "#" Certificate

1. From the Certificates console, right-click the NSS DoD Subordinate CA "#" certificate (e.g., NSS DoD Subordinate CA 1) > select All Tasks > click Export.

2. At the Welcome to the Certificate Export Wizard, click Next.


3. For Export File Format, select Base-64 encoded X.509 (.CER) and click Next.

4. Enter the folder directory and name for the certificate (e.g., C:\Certs\NSS_DoD_Subordinate_CA_1.cer) and click Next.


5. Click Finish.

6. Click OK.

Note: If applicable, repeat steps above for all remaining NSS DoD Subordinate CA ”#” certificates (e.g., NSS DoD Subordinate CA 2, etc.).
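The identification and export steps above (walk from the personal certificate to its Subordinate, Intermediate and Root CA, then save each as Base-64 X.509) can be done in one pass from PowerShell. The script below is an added example written for this page; it is not part of the white paper and not VMware or 90meter tooling. It assumes an earlier token logon has propagated the token's certificates into the current user's Personal store, that the issuing CAs are present in the Intermediate Certification Authorities (CA) or Trusted Root stores, and it uses the C:\Certs folder from the paper's example. The "NSS DoD" issuer filter is an assumption about the names on your token, and the output file names (e.g. NSS_DoD_Subordinate_CA_1.cer) follow the paper's naming convention.

```powershell
# Added example (not from the white paper): export the NSS CA chain behind the
# SIPR token's personal certificates as Base-64 X.509 (.cer) files, mirroring
# the manual MMC steps. Run as the user who has logged on with the token.

$OutDir = 'C:\Certs'   # output folder from the paper's example
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# The Personal store holds the certificates propagated from the token.
# The issuer filter ('NSS DoD') is an assumption; adjust to your CA names.
$personal = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -like '*NSS DoD*' }
if (-not $personal) {
    throw 'No NSS DoD-issued certificate in the Personal store; log on with the token first.'
}

# Issuing CAs live in the Intermediate (CA) and Trusted Root (Root) stores.
$caStores = @(
    Get-ChildItem Cert:\CurrentUser\CA
    Get-ChildItem Cert:\CurrentUser\Root
    Get-ChildItem Cert:\LocalMachine\CA
    Get-ChildItem Cert:\LocalMachine\Root
)

function Export-Base64Cert {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Path
    )
    # Same format as the wizard's "Base-64 encoded X.509 (.CER)" option.
    $body = [Convert]::ToBase64String($Cert.RawData, 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----" |
        Set-Content -Path $Path -Encoding Ascii
}

# Walk up from each personal certificate's issuer until a self-signed root,
# exporting every CA once (keyed by thumbprint).
$exported = @{}
foreach ($leaf in $personal) {
    $issuerName = $leaf.Issuer
    while ($issuerName) {
        $ca = $caStores | Where-Object { $_.Subject -eq $issuerName } | Select-Object -First 1
        if (-not $ca) {
            Write-Warning "Issuer not found in local stores: $issuerName"
            break
        }
        if (-not $exported.ContainsKey($ca.Thumbprint)) {
            # "CN=NSS DoD Subordinate CA 1, OU=..." -> NSS_DoD_Subordinate_CA_1.cer
            $cn   = ($ca.Subject -split ',')[0] -replace '^CN=', ''
            $file = Join-Path $OutDir (($cn -replace '[^A-Za-z0-9]+', '_') + '.cer')
            Export-Base64Cert -Cert $ca -Path $file
            Write-Host "Exported $cn -> $file"
            $exported[$ca.Thumbprint] = $file
        }
        # Subject equal to issuer means a self-signed root: chain complete.
        if ($ca.Subject -eq $ca.Issuer) { break }
        $issuerName = $ca.Issuer
    }
}
```

The chain is matched by comparing each certificate's Issuer string to candidate Subject strings, which is sufficient for the NSS CA names shown in the paper; if your stores hold several CAs with identical subjects (for example a re-keyed CA), compare Authority Key Identifier to Subject Key Identifier instead of relying on names alone.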


Configure View Server

At this point you have successfully extracted all the certificates needed to enable VMware View to read the SIPR hardware token. Now we have to put it all together into a keystore file for VMware View.

Copy the “Certs” folder (containing all the exported certificates) to the “C:\” directory on the VMware View Connection Server or Security Server.

Log on to the VMware View Connection Server or Security Server and open a command prompt window (use Run as Administrator if using Windows Server 2008 and above).

At the command prompt window, change to the c:\ directory.

Type in the following command (assuming VMware View or Security server was installed in the C:\Program Files directory):

cd "c:\Program Files\VMware\VMware View\Server\jre\bin\"

Importing Root Certificate to the Truststore

1. To import the NSS DoD Root CA # certificate (e.g., NSS DoD Root CA 1) to the Truststore, type in the following command:

keytool -import -alias NSSDODRootCA1 -file "C:\Certs\NSS_DOD_Root_CA_1.cer" -keystore dhdw.key

2. Press Enter to execute the command.


3. Enter a keystore password (use a password you’ll remember) and press Enter.

Importing NSS DoD Intermediate Certificate to the Truststore

1. To import the NSS DoD Intermediate CA ”#” certificates (example NSS DoD Intermediate CA 1) to the Truststore, type in this command:

keytool -import -alias NSSDODIntermediateCA1 -file "C:\Certs\NSS_DoD_Intermediate_CA_1.cer" -keystore dhdw.key

2. Press Enter to execute the command.

3. Enter a keystore password (use a password you’ll remember) and press Enter.


Importing NSS DoD Subordinate CA “#” Certificate to the Truststore

1. To import NSS DoD Subordinate CA ”#” certificates (example, NSS DoD Subordinate CA 1) to the Truststore, type in this command:

keytool -import -alias NSSDoDSubordinateCA1 -file "C:\Certs\NSS_DoD_Subordinate_CA_1.cer" -keystore dhdw.key

2. Press Enter to execute the command.

3. Enter a keystore password (use a password you’ll remember) and press Enter.

Note: If applicable, repeat steps above for all remaining NSS DoD certificates.


Prepare Needed Files

1. After successfully importing all the necessary certificates to the Truststore, browse to the C:\Program Files\VMware\VMware View\Server\jre\bin\ directory.

2. Locate and copy the dhdw.key file to C:\Program Files\VMware\VMware View\Server\sslgateway\conf\ (assuming VMware View or Security server was installed in C:\Program Files directory).

3. In the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory, create a new text file and name it locked.properties. (Note: The file extension should be .properties NOT .txt).

4. Right-click the locked.properties file and select Edit.

5. Type the following entries in the locked.properties file:

• trustKeyfile=dhdw.key

• trustStoretype=JKS

• useCertAuth=true


6. Save and close locked.properties file.

7. Verify the C:\Program Files\VMware\VMware View\Server\sslgateway\conf directory contains the locked.properties and dhdw.key files.

8. Reboot the VMware View Connection or Security server.
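The truststore import (Importing ... to the Truststore), the zero-client limit of 50 certificates noted under Zero Client Requirements, and the Prepare Needed Files steps can be scripted together. The PowerShell below is an added example written for this page, not the white paper's own procedure or VMware tooling. It assumes the default install path used in the paper, that the exported .cer files sit in C:\Certs, and it passes the keystore password with keytool's -storepass and -noprompt options (standard keytool options the paper does not show; the paper has you type the password interactively). The password value is a placeholder.

```powershell
# Added example (not from the white paper): import every exported NSS CA
# certificate into dhdw.key, enforce the zero-client 50-certificate limit,
# then stage dhdw.key and locked.properties for the View server.
# Run in an elevated PowerShell on the Connection or Security Server.

$ViewHome  = 'C:\Program Files\VMware\VMware View\Server'   # paper's default path
$Keytool   = Join-Path $ViewHome 'jre\bin\keytool.exe'
$CertDir   = 'C:\Certs'
$Keystore  = Join-Path $CertDir 'dhdw.key'                  # built here, then copied
$ConfDir   = Join-Path $ViewHome 'sslgateway\conf'
$StorePass = 'CHANGE-ME-keystore-password'                  # placeholder, choose your own

if (-not (Test-Path $Keytool)) { throw "keytool not found at $Keytool" }

# One import per .cer, alias derived from the file name
# (NSS_DoD_Root_CA_1.cer -> NSSDoDRootCA1, matching the paper's aliases).
foreach ($cer in Get-ChildItem -Path $CertDir -Filter '*.cer') {
    $alias = $cer.BaseName -replace '_', ''
    & $Keytool -import -noprompt -alias $alias -file $cer.FullName `
        -keystore $Keystore -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool failed importing $($cer.Name)" }
}

# Zero clients accept at most 50 certificates from the Connection Server;
# 'keytool -list' prints one 'trustedCertEntry' line per imported CA.
$entries = @(& $Keytool -list -keystore $Keystore -storepass $StorePass |
    Select-String -Pattern 'trustedCertEntry').Count
if ($entries -gt 50) {
    throw "Truststore holds $entries certificates; zero clients handle at most 50."
}
Write-Host "Truststore contains $entries trusted certificate(s)."

# Prepare Needed Files: copy the keystore and write locked.properties
# (extension must be .properties, not .txt) with the paper's three entries.
Copy-Item -Path $Keystore -Destination $ConfDir -Force
$props = @(
    'trustKeyfile=dhdw.key'
    'trustStoretype=JKS'
    'useCertAuth=true'
)
Set-Content -Path (Join-Path $ConfDir 'locked.properties') -Value $props -Encoding Ascii

# Verify both files are present before rebooting the server.
foreach ($f in 'locked.properties', 'dhdw.key') {
    if (-not (Test-Path (Join-Path $ConfDir $f))) { throw "$f missing from $ConfDir" }
}
Write-Host 'Files in place; reboot the Connection/Security Server to apply.'
```

Passing the keystore password on the command line is convenient for a one-off build but leaves it visible in process listings and shell history; for a production build, keep the paper's interactive prompt or read the password with Read-Host -AsSecureString and convert it only for the keytool call.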

Accessing VMware View

Note: Individual View login results may vary.

1. Insert the SIPRNet hardware token card into the card reader and press Connect on the screen.


2. The Smart Card Holder Verification window appears.

3. Enter the PIN for the SIPRNet hardware token card and click OK.

4. Authentication verifies the PIN against the card and grants access to View.


5. After successful authentication, a connection with the View Connection Server verifies what Pool is assigned and prepares a list of desktops.

6. A virtual desktop is prepared for the zero client to connect to.

Limitations

Here are a few limitations to be aware of:

• The VMware View Client for Mac OS X does not support smart-card authentication.

• When using smart-card authentication, users must log off before switching to a different display protocol.

• Checking the Log In As Current User option in the VMware View Client will cause the user to be prompted for a smart-card PIN a second time when connecting to Windows.

• If the Smart Card Authentication policy is set to Optional, Local Mode users must use smart-card authentication to access their desktops for the checkout operation.

• HP's RGS protocol is not supported with smart-card authentication.


VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies. Item No: VMW-WP-SIPR-USLET-20120429-WEB


References

VMware View Administration Guide, Section 7, Setting Up User Authentication: http://www.vmware.com/pdf/view45_admin_guide.pdf

Teradici PCoIP Zero Client: http://www.teradici.com/

90meter Middleware: http://90meter.com/product2.shtml

About the Author

DHDW Consulting authored this white paper. DHDW Consulting is a progressive, innovative technology enabler with proven, compelling solutions. From initial conception to design, implementation and sustainment, industry experts and peers alike have recognized their unique perspective and approach to achieving the singular goal of exceeding customer expectations.