February 5, 2013 - Sven Huisman

Secure your VMware View security server!

Recently, one of my customers had a security scan performed on their infrastructure, and one of the findings was that the VMware View security server was configured to support a couple of weak cipher suites. As it turns out, there is a VMware KB article that describes how to configure the security server's SSL protocols and cipher suites: Configure cipher suites and security protocols on a View Connection server instance or security server in View 4.5 and later.

How to solve this:

– Create a text file called locked.properties (usually located in "c:\program files\VMware\VMware View\Server\sslgateway\conf\")

– The locked.properties file should look like this:

secureProtocols.1=SSLv3
secureProtocols.2=TLSv1
enabledCipherSuite.1=SSL_RSA_WITH_RC4_128_MD5
enabledCipherSuite.2=SSL_RSA_WITH_RC4_128_SHA
enabledCipherSuite.3=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.4=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.5=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledCipherSuite.6=SSL_RSA_WITH_3DES_EDE_CBC_SHA
enabledCipherSuite.7=SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
enabledCipherSuite.8=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
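Because the file is hand-edited and the index numbers are easy to get wrong, a small checker that parses the key.N=value format and compares the result against an allow-list is a useful step before the next scan. The script below is an added example, not part of the post or of VMware's software; the sample file is constructed to mirror the one above, and the rule that indices must be contiguous is the checker's own assumption.

```python
import re
# Constructed sample that mirrors the locked.properties shown in the post
# (the two protocols and eight suites from the VMware KB article).
SAMPLE = """\
secureProtocols.1=SSLv3
secureProtocols.2=TLSv1
enabledCipherSuite.1=SSL_RSA_WITH_RC4_128_MD5
enabledCipherSuite.2=SSL_RSA_WITH_RC4_128_SHA
enabledCipherSuite.3=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.4=TLS_DHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.5=TLS_DHE_DSS_WITH_AES_128_CBC_SHA
enabledCipherSuite.6=SSL_RSA_WITH_3DES_EDE_CBC_SHA
enabledCipherSuite.7=SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
enabledCipherSuite.8=SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
"""
# Allow-list taken from the post's own file; substitute your own policy.
KB_PROTOCOLS = {"SSLv3", "TLSv1"}
KB_SUITES = set(re.findall(r"enabledCipherSuite\.\d+=(\S+)", SAMPLE))
_KEY = re.compile(r"^(secureProtocols|enabledCipherSuite)\.(\d+)$")

def parse_locked_properties(text: str) -> dict[str, list[str]]:
    # Parse key.N=value lines into index-ordered lists. Indices must run 1..N
    # with no gaps or repeats; anything else is rejected as an editing mistake
    # (this checker's rule, not documented gateway behaviour).
    found: dict[str, dict[int, str]] = {"secureProtocols": {}, "enabledCipherSuite": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        key, sep, value = line.partition("=")
        m = _KEY.match(key.strip())
        if not sep or not m:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        name, idx = m.group(1), int(m.group(2))
        if idx in found[name]:
            raise ValueError(f"line {lineno}: duplicate index {name}.{idx}")
        found[name][idx] = value.strip()
    result: dict[str, list[str]] = {}
    for name, items in found.items():
        if sorted(items) != list(range(1, len(items) + 1)):
            raise ValueError(f"{name} indices must be 1..N with no gaps: {sorted(items)}")
        result[name] = [items[i] for i in range(1, len(items) + 1)]
    return result

def audit(text: str, protocols=KB_PROTOCOLS, suites=KB_SUITES) -> list[str]:
    # Report every enabled protocol or suite outside the allow-list.
    cfg = parse_locked_properties(text)
    bad = [f"protocol not allowed: {p}" for p in cfg["secureProtocols"] if p not in protocols]
    bad += [f"cipher suite not allowed: {s}" for s in cfg["enabledCipherSuite"] if s not in suites]
    return bad
```

Run audit() over the contents of the real file on each server; an empty list means it matches the allow-list, and a ValueError points at the line whose index is wrong.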

How do you know these cipher suites are safe to use? I found the following website, which shows that the cipher suites mentioned in the KB article are safe to use:

http://www.techstacks.com/howto/j2se5_ssl_cipher_strength.html


Comments

  • Totie Bash says:

    Thanks, I spent lots of time with the locked.properties file when I smartcard-enabled my View environment. It looks like I have to revisit the file to plug these in.

  • Jimmy says:

    Great article. Unfortunately I am currently experiencing the same issues with View 5.0 Connection and Security servers. I attempted to create the locked.properties file mirroring the one you posted, but after rescanning with Retina I still receive the SSL Weak Cipher Strength Supported findings on port 4172. Additionally, when I have the locked.properties file saved in the mentioned file directory, this particular Connection server appears to not be able to communicate with the other Connection servers. When I log into the Admin console there is a ? mark next to the Connection server.

    Any additional assistance on the SSL issue would be most appreciated.