Enabling certificate authentication for a VMware Identity Manager on-premises deployment requires setting SSL pass-through at the load balancer, so that the client's certificate is presented to the service itself rather than being terminated at the load balancer. In a DMZ deployment scenario, where the VMware Identity Manager service is deployed in the DMZ and the VMware Identity Manager connector is deployed in the internal network, if you do not want to allow inbound access to the connector, you can enable certificate authentication on the connector that is embedded in the VMware Identity Manager service.

About this task

In this scenario, use the embedded connector for certificate authentication only. Use the external connector for all other authentication methods.

To use the embedded connector for certificate authentication, you create a new Workspace identity provider for your directory, associate it with the embedded connector, and enable the Certificate Authentication adapter on the embedded connector. You can then configure your policies to use the certificate authentication method. Policies can also be set per app.

Note:

This feature does not support local directories. Also, this feature is applicable only for on-premises DMZ deployments and does not apply to any other installation scenarios.

Deployment Requirements

  • Linux deployments:

    • Enable SSL pass-through on port 6443 on the load balancer in front of the VMware Identity Manager appliance.

    • Open port 6443 (HTTPS) on the load balancer or firewall.

  • Windows deployments:

    1. Modify the install_dir\opt\vmware\horizon\workspace\conf\server.xml file.

      1. Open the install_dir\opt\vmware\horizon\workspace\conf\server.xml file for editing.

      2. Copy the Connector element that contains the attribute port="${nio-ssl.https.port}" and paste it under the original element.

      3. In the new Connector element, change port="${nio-ssl.https.port}" to port="6443".

        For example, the new element looks like the following:

            <Connector
                URIEncoding="UTF-8"
                SSLEnabled="true"
                acceptCount="400"
                acceptorThreadCount="2"
                connectionTimeout="20000"
                executor="tomcatThreadPool"
                maxKeepAliveRequests="15"
                port="6443"
                address="${bind.address}"
                ipv6v6only="false"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                scheme="https"
                secure="true"
                maxHttpHeaderSize="32768">
                <SSLHostConfig sslProtocol="${nio-ssl.ssl.protocol}"
                               honorCipherOrder="true"
                               ...

                </SSLHostConfig>
            </Connector>

      4. Save the file.

      5. Restart the service.

    2. Enable SSL pass-through on port 6443 on the load balancer in front of the VMware Identity Manager service.

    3. Open port 6443 (HTTPS) on the load balancer or firewall.
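As an added example, not part of the VMware documentation or product, the following Python script performs steps 2 and 3 of the Windows server.xml edit and then checks the result: it copies the Connector element whose start tag carries port="${nio-ssl.https.port}", sets the copy's port to 6443, and verifies that the copy matches the original in every other attribute. It edits the text directly rather than re-serializing the XML, so comments and layout elsewhere in the file are left untouched; the server.xml fragment below is constructed for illustration.

```python
import re

# Constructed sample of the two Connector elements in server.xml (not a real file).
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector port="${nio.http.port}" protocol="HTTP/1.1" redirectPort="${nio-ssl.https.port}" />
  <Connector URIEncoding="UTF-8" SSLEnabled="true"
             port="${nio-ssl.https.port}" address="${bind.address}"
             protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true">
    <SSLHostConfig sslProtocol="${nio-ssl.ssl.protocol}" honorCipherOrder="true"/>
  </Connector>
</Service>
"""
PLACEHOLDER_PORT = "${nio-ssl.https.port}"

def _connector_pattern(port_value):
    # One <Connector ...> element whose start tag carries port="<port_value>",
    # self-closing or wrapping an <SSLHostConfig> body; Connector elements never nest.
    return re.compile(r'<Connector\b[^>]*?\bport="' + re.escape(port_value)
                      + r'"[^>]*?(?:/>|>.*?</Connector>)', re.DOTALL)

def connector_attributes(element):
    """Attribute map of a Connector start tag, values kept verbatim (placeholders included)."""
    return dict(re.findall(r'([\w:.-]+)="([^"]*)"', element[: element.index(">")]))

def add_cert_auth_connector(server_xml, port=6443):
    """Return server.xml text with the HTTPS Connector duplicated onto `port` (idempotent)."""
    if _connector_pattern(str(port)).search(server_xml):
        return server_xml                                  # already done on an earlier run
    match = _connector_pattern(PLACEHOLDER_PORT).search(server_xml)
    if match is None:
        raise ValueError(f'no Connector with port="{PLACEHOLDER_PORT}" in server.xml')
    original = match.group(0)
    clone = original.replace(f'port="{PLACEHOLDER_PORT}"', f'port="{port}"', 1)
    line_start = server_xml.rfind("\n", 0, match.start()) + 1
    indent = server_xml[line_start:match.start()]         # reuse the original's indentation
    indent = indent if not indent.strip() else ""
    return server_xml[: match.end()] + "\n" + indent + clone + server_xml[match.end():]

def verify_cert_auth_connector(server_xml, port=6443):
    """True when a Connector on `port` exists and equals the HTTPS Connector apart from port."""
    base = _connector_pattern(PLACEHOLDER_PORT).search(server_xml)
    extra = _connector_pattern(str(port)).search(server_xml)
    if base is None or extra is None:
        return False
    expected = dict(connector_attributes(base.group(0)), port=str(port))
    return connector_attributes(extra.group(0)) == expected

if __name__ == "__main__":
    print(add_cert_auth_connector(SAMPLE_SERVER_XML))
```

Run verify_cert_auth_connector on the real file after editing (and again after any product upgrade that rewrites server.xml) to confirm the 6443 listener still mirrors the HTTPS Connector's TLS settings.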

Procedure

  1. Create a new Workspace identity provider.
    1. Click the Identity & Access Management tab, then click the Identity Providers tab.
    2. Click Add Identity Provider and select Create Workspace IDP.
    3. Enter the information for the new identity provider.

      Identity Provider Name
        Enter a name for the identity provider.

      Users
        Select the directory for which you want to enable certificate authentication.
        Note: This feature does not support local directories.

      Connector(s)
        1. From the Add a Connector drop-down menu, select the embedded connector. The embedded connector has the same hostname as the service.
        2. Deselect the Bind to AD check box.
        3. Click Add Connector.
        Important: Do not select the Bind to AD option.

      Network
        Select the network ranges from which the identity provider can be accessed.

    4. Click Add.
  2. (Windows deployments only) Set port 6443 for the embedded connector.
    1. Click the Identity & Access Management tab and click Setup.
    2. In the Connectors page, click the new Workspace identity provider you created for the embedded connector.
    3. In the IdP Hostname text box, change the value from hostname to hostname:6443.
    4. Click Save.
  3. Enable the CertificateAuthAdapter on the embedded connector.
    1. Click Setup.
    2. In the Connectors page, find the embedded connector.

      The embedded connector has the same hostname as the service.

    3. In the embedded connector row, click the link in the Worker column.

      Each worker is associated with a directory. If multiple workers are listed, click the worker link for the directory for which you want to enable certificate authentication.

    4. Click the Auth Adapters tab.
    5. Click CertificateAuthAdapter.
    6. Configure and enable the adapter. See VMware Identity Manager Administration for information.
    7. Click Save.
  4. Verify that the Identity Providers page displays the Certificate Authentication method.
    1. Click Manage, then click the Identity Providers tab.
    2. Verify that Certificate Authentication appears in the Authentication Methods column for the new identity provider that you created.
  5. Configure policies to use the certificate authentication method according to your needs.
    1. Click Manage, then click the Identity Providers tab.
    2. Click the policy to edit.
    3. Configure policy rules to use the certificate authentication method as needed.

    See VMware Identity Manager Administration for more information about creating policies.