To specify a local acceptance policy on an individual Connection Server instance or security server, you must add properties to the locked.properties file. If the locked.properties file does not yet exist on the server, you must create it.

About this task

You add a secureProtocols.n entry for each security protocol that you want to configure. Use the following syntax: secureProtocols.n=security protocol.

You add an enabledCipherSuite.n entry for each cipher suite that you want to configure. Use the following syntax: enabledCipherSuite.n=cipher suite.

The variable n is an integer that you add sequentially (1, 2, 3) to each type of entry.

You add an honorClientOrder entry to control the precedence of cipher suites. Normally, the server's ordering of cipher suites is unimportant and the client's ordering is used. To use the server's ordering of cipher suites instead, use the following syntax:

honorClientOrder=false

Make sure that the entries in the locked.properties file have the correct syntax and the names of the cipher suites and security protocols are spelled correctly. Any errors in the file can cause the negotiation between the client and server to fail.

Procedure

  1. Create or edit the locked.properties file in the SSL gateway configuration folder on the Connection Server or security server computer.

    For example: install_directory\VMware\VMware View\Server\sslgateway\conf\

  2. Add secureProtocols.n and enabledCipherSuite.n entries, including the associated security protocols and cipher suites.
  3. Save the locked.properties file.
  4. Restart the VMware Horizon View Connection Server service or VMware Horizon View Security Server service to make your changes take effect.

Default Acceptance Policies on an Individual Server

The following example shows the entries in the locked.properties file that are needed to specify the default policies:

# The following list should be ordered with the latest protocol first:

secureProtocols.1=TLSv1.2
secureProtocols.2=TLSv1.1

# This setting must be the latest protocol given in the list above:

preferredSecureProtocol=TLSv1.2

# The order of the following list is unimportant unless honorClientOrder is false:

enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.3=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
enabledCipherSuite.4=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
enabledCipherSuite.5=TLS_RSA_WITH_AES_128_CBC_SHA
enabledCipherSuite.6=TLS_RSA_WITH_AES_256_CBC_SHA

# Use the client's ordering of cipher suites (ignores the ordering given above):

honorClientOrder=true