When you configure OCSP certificate revocation checking, Horizon 7 sends a verification request to an OCSP Responder to determine the revocation status of a smart card user certificate.

Prerequisites

Familiarize yourself with the locked.properties file properties for OCSP certificate revocation checking. See Smart Card Certificate Revocation Checking Properties.

Procedure

  1. Create or edit the locked.properties file in the TLS/SSL gateway configuration folder on the Connection Server or security server host.
    For example: install_directory\VMware\VMware View\Server\sslgateway\conf\locked.properties
  2. Add the enableRevocationChecking, enableOCSP, ocspURL, and ocspSigningCert properties to the locked.properties file.
    1. Set enableRevocationChecking to true to enable smart card certificate revocation checking.
    2. Set enableOCSP to true to enable OCSP certificate revocation checking.
    3. Set ocspURL to the URL of the OCSP Responder.
    4. Set ocspSigningCert to the location of the file that contains the OCSP Responder's signing certificate.
  3. Restart the Connection Server service or security server service to make your changes take effect.

Example: locked.properties File

The file shown enables smart card authentication and smart card certificate revocation checking, configures both CRL and OCSP certificate revocation checking, specifies the OCSP Responder location, and identifies the file that contains the OCSP signing certificate. 

trustKeyfile=lonqa.key
trustStoretype=jks
useCertAuth=true
enableRevocationChecking=true
enableOCSP=true
allowCertCRLs=true
ocspSigningCert=te-ca.signing.cer
ocspURL=http://te-ca.lonqa.int/ocsp