Note: This version of the topic applies to Horizon 8 Security versions 2111.2 and 2306 and later. It describes security-related settings in LDAP that cannot be modified using APIs, the administration console, or provided command-line tools. Security-related settings are provided in Horizon LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. If you have full administrative privileges, you can use an LDAP editor such as the ADSI Edit utility to change the value of these settings on a connection broker instance. The change propagates automatically to all other connection broker instances in a cluster.
Security-Related Settings in Horizon LDAP
Attribute | Description
---|---
pae-AgentLogCollectionDisabled | Prevents downloading of DCT archives from Horizon Agents, using either APIs or the administration console. Log collection is still possible from Connection Servers in VMware Horizon View environments. Set to 1 to deactivate agent log collection.
pae-DisallowEnhancedSecurityMode | Prevents the use of Enhanced message security. Use this if you want to deactivate automatic certificate management. Once this is set to 1, the Horizon View environment begins the transition to Enabled message security mode automatically. Setting this attribute back to 0 or removing it allows Enhanced message security to be chosen once more, but does not trigger an automatic transition.
pae-enableDbSSL | If you configure an Event Database, the connection is not protected by TLS by default. Set this attribute to 1 to activate TLS on the connection.
pae-managedCertificateAdvanceRollOver | For auto-managed certificates, forces certificates to be renewed before they expire. Specify the number of days in advance of the expiry date that renewal should happen. The maximum period is 90 days. If not specified, this setting defaults to 0 days, so roll-over happens at expiry.
pae-MsgSecOptions | A multi-valued attribute where each value is itself a name-value pair (for example, Warning: When adding or modifying a name-value pair, be very careful not to remove other values. Currently the only name-value pair that can be set is The key length can be changed immediately after the first connection broker instance is installed and before additional servers and desktops are created. After this, it must not be changed.
pae-noManagedCertificate | Deactivates automatic certificate management. When this is set to 1, certificates are no longer renewed automatically and self-signed certificates in the certificate stores are ignored. All certificates must be CA signed and admin-managed. This setting is not compatible with Enhanced message security. Before setting it to 1, you must switch message security to Enabled. If you selected FIPS compatibility when installing Horizon View, the "vdm" certificate must be CA signed but others need not be, unless this is set to 1. All Connection Servers in a CPA configuration should have the root certificate that was used to generate the Enrollment client certificate (vdm.ec) of the other pods.
pae-SSLCertificateSignatureAlgorithm | Specifies the certificate signature algorithm to use for auto-managed certificates. If not specified, it defaults to For more examples see Default Global Policies for Security Protocols and Cipher Suites.
pae-CertAuthMappingControl | Specifies whether there is smart card support. A value of 0 or absent means no smart card support. Other possible values are:
pae-CertAuthMapping | The default value is <not set>. It takes a string for certificate mapping; certificate-based authentication is performed using all the strings provided. The mapping should be expressed in terms of the supported certificate properties (for example Issuer, public_key, subject_alternative_name) listed in CertAuthMappingNames.
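The following is an added example, not VMware code and not part of the original topic. It shows an offline posture check over the attributes in the table above, plus a helper that builds a replacement value list for the multi-valued pae-MsgSecOptions attribute without dropping the other name-value pairs (the warning the table gives). It assumes the attribute values have already been read from cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int (for example with ADSI Edit or any LDAP client) into a dict mapping attribute names to lists of strings; the `name=value` encoding of pae-MsgSecOptions entries, and the sample values, are assumptions of this example, since the topic does not show the pair format.

```python
"""Offline posture check for the Horizon LDAP security attributes above.

Added example (not VMware's code). Assumes the entry at
cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int has been read
into a dict of attribute name -> list of string values.
"""
from typing import Dict, List

Entry = Dict[str, List[str]]


def _int_attr(entry: Entry, name: str) -> int:
    """Return an integer-valued attribute; absent, empty or non-numeric counts as 0
    (the table treats 'absent' and 0 the same for these flags)."""
    values = entry.get(name) or []
    try:
        return int(values[0])
    except (ValueError, IndexError):
        return 0


def audit_security_settings(entry: Entry) -> List[str]:
    """Apply the constraints stated in the table and return a list of findings
    (an empty list means nothing to report)."""
    findings: List[str] = []

    # Event Database connection is plaintext unless pae-enableDbSSL is 1.
    if _int_attr(entry, "pae-enableDbSSL") != 1:
        findings.append("pae-enableDbSSL is not 1: Event Database connection is not protected by TLS")

    # Advance roll-over is capped at 90 days; 0/unset means renewal only at expiry.
    roll = _int_attr(entry, "pae-managedCertificateAdvanceRollOver")
    if roll > 90:
        findings.append(f"pae-managedCertificateAdvanceRollOver={roll} exceeds the 90-day maximum")
    elif roll == 0:
        findings.append("pae-managedCertificateAdvanceRollOver is 0/unset: auto-managed certificates roll over only at expiry")

    # pae-noManagedCertificate=1 is incompatible with Enhanced message security;
    # the table says message security must be switched to Enabled first.
    # pae-DisallowEnhancedSecurityMode=1 is one way that transition is triggered,
    # so its absence is flagged as something to verify, not as a definite error.
    if (_int_attr(entry, "pae-noManagedCertificate") == 1
            and _int_attr(entry, "pae-DisallowEnhancedSecurityMode") != 1):
        findings.append("pae-noManagedCertificate=1 but pae-DisallowEnhancedSecurityMode is not 1: "
                        "verify message security mode is Enabled, not Enhanced")

    return findings


def set_msgsec_option(current: List[str], name: str, value: str, sep: str = "=") -> List[str]:
    """Return the full value list to write back for pae-MsgSecOptions with one
    name-value pair added or replaced and every other pair kept intact.
    The `name<sep>value` encoding is an assumption of this example."""
    updated: List[str] = []
    replaced = False
    for item in current:
        key = item.split(sep, 1)[0]
        if key == name:
            updated.append(f"{name}{sep}{value}")
            replaced = True
        else:
            updated.append(item)      # preserve unrelated pairs verbatim
    if not replaced:
        updated.append(f"{name}{sep}{value}")
    return updated


# Constructed sample entries (not real directory contents).
WEAK_ENTRY: Entry = {
    "pae-enableDbSSL": ["0"],
    "pae-managedCertificateAdvanceRollOver": ["120"],
    "pae-noManagedCertificate": ["1"],
    "pae-MsgSecOptions": ["optionA=1", "optionB=x"],   # constructed pair names
}
HARDENED_ENTRY: Entry = {
    "pae-enableDbSSL": ["1"],
    "pae-managedCertificateAdvanceRollOver": ["30"],
    "pae-noManagedCertificate": ["1"],
    "pae-DisallowEnhancedSecurityMode": ["1"],
}

if __name__ == "__main__":
    for label, entry in (("weak", WEAK_ENTRY), ("hardened", HARDENED_ENTRY)):
        print(f"[{label}]")
        for finding in audit_security_settings(entry) or ["no findings"]:
            print("  -", finding)
    print(set_msgsec_option(WEAK_ENTRY["pae-MsgSecOptions"], "optionB", "y"))
```

Run the audit against the values you exported before and after a change; the write-back list from `set_msgsec_option` is what you would put into the attribute in full, which is the safe way to honour the warning about not removing other values of a multi-valued attribute.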