To specify a local acceptance policy on an individual Connection Server instance, you must add properties to the locked.properties file. If the locked.properties file does not yet exist on the server, you must create it.

You add a secureProtocols.n entry for each security protocol that you want to configure. Use the following syntax: secureProtocols.n=security protocol.

You add an enabledCipherSuite.n entry for each cipher suite that you want to configure. Use the following syntax: enabledCipherSuite.n=cipher suite.

The variable n is an integer that you add sequentially (1, 2, 3) to each type of entry.

You add an honorClientOrder entry to control the precedence of cipher suites. Normally, the server's ordering of cipher suites is unimportant and the client's ordering is used. To use the server's ordering of cipher suites instead, use the following syntax:

honorClientOrder=false

Make sure that the entries in the locked.properties file have the correct syntax and the names of the cipher suites and security protocols are spelled correctly. Any errors in the file can cause the negotiation between the client and server to fail.

Procedure

  1. Create or edit the locked.properties file in the TLS/SSL gateway configuration folder on the Connection Server computer.
    For example: install_directory\VMware\VMware View\Server\sslgateway\conf\
  2. Add secureProtocols.n and enabledCipherSuite.n entries, including the associated security protocols and cipher suites.
  3. Save the locked.properties file.
  4. Restart the VMware Horizon Connection Server service to make your changes take effect.

Example: Default Acceptance Policies on an Individual Server

The following example shows the entries in the locked.properties file that are needed to specify the default policies:

# The following list should be ordered with the latest protocol first:
secureProtocols.1=TLSv1.2

# This setting must be the latest protocol given in the list above:
preferredSecureProtocol=TLSv1.2

# The order of the following list is unimportant unless honorClientOrder is false:
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
enabledCipherSuite.3=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
enabledCipherSuite.4=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

# Use the client's ordering of cipher suites (ignores the ordering given above):
honorClientOrder=true

Note: In FIPS mode, only GCM cipher suites are enabled.
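Because a misspelled suite name or a gap in the n numbering makes the TLS negotiation fail only after the service restart, a pre-check is useful. The following Python checker is an added example, not VMware's code: it parses a locked.properties fragment and applies the rules stated above (sequential n, preferredSecureProtocol equal to the first secureProtocols entry, honorClientOrder a boolean, GCM-only suites in FIPS mode). The KNOWN_PROTOCOLS and KNOWN_SUITES allowlists hold only the names quoted on this page and are an assumption to extend for your build.

```python
import re
# Constructed sample: the page's default policy, with the server's suite ordering honored.
SAMPLE = """\
secureProtocols.1=TLSv1.2
preferredSecureProtocol=TLSv1.2
enabledCipherSuite.1=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
enabledCipherSuite.2=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
honorClientOrder=false
"""
# Allowlist assumption: only the names this page quotes; extend them for your build.
KNOWN_PROTOCOLS = {"TLSv1.2"}
KNOWN_SUITES = {"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384"}

def parse(text):
    """Map key->value, skipping blank lines and '#' comments; reject lines without '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (no '='): {raw!r}")
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def numbered(props, prefix):
    """Return prefix.1, prefix.2, ... in order; fail if the indexes have gaps or skip 1."""
    pat = re.compile(rf"^{re.escape(prefix)}\.(\d+)$")
    found = {int(m.group(1)): v for k, v in props.items() if (m := pat.match(k))}
    if sorted(found) != list(range(1, len(found) + 1)):
        raise ValueError(f"{prefix}.n must be numbered 1, 2, 3... got {sorted(found)}")
    return [found[i] for i in range(1, len(found) + 1)]

def validate(text, fips=False):
    """Return the list of problems found; an empty list means the checks pass."""
    props, problems = parse(text), []
    protocols = numbered(props, "secureProtocols")
    suites = numbered(props, "enabledCipherSuite")
    problems += [f"unknown protocol: {p}" for p in protocols if p not in KNOWN_PROTOCOLS]
    problems += [f"unknown cipher suite: {s}" for s in suites if s not in KNOWN_SUITES]
    pref = props.get("preferredSecureProtocol")
    if pref is not None and (not protocols or pref != protocols[0]):
        problems.append("preferredSecureProtocol must equal the first secureProtocols entry")
    if props.get("honorClientOrder", "true") not in ("true", "false"):
        problems.append("honorClientOrder must be true or false")
    if fips:  # per the page, only GCM suites are enabled in FIPS mode
        problems += [f"not GCM, disabled in FIPS mode: {s}" for s in suites if "_GCM_" not in s]
    return problems
```

Run validate(SAMPLE) against the real file contents before restarting the Connection Server service; pass fips=True on a FIPS-mode server.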