Security-related settings are provided in Horizon LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. You can use the ADSI Edit utility to change the value of these settings on a connection broker instance. The change propagates automatically to all other connection broker instances in a group.

Table 1. Security-Related Settings in Horizon LDAP

Name-value pair: keysize

Description: The attribute is pae-MSGSecOptions.

When the message security mode is set to Enhanced, TLS is used to secure JMS connections rather than using per-message encryption. In enhanced message security mode, validation applies to only one message type.

For enhanced message mode, VMware recommends a key size of 2048 bits.
  • If your system is running in FIPS mode, it is already set to 2048 by default.
  • If your system is not running in FIPS mode, the default value is 512. If you are not using enhanced message security mode, VMware recommends not changing the default from 512 bits because increasing the key size affects performance and scalability. If you are using enhanced message security mode, VMware recommends increasing the value to 2048. If you want all keys to be 2048 bits, the DSA key size must be changed immediately after the first connection broker instance is installed and before additional servers and desktops are created.

Auto-renew self-signed certificates

You can set the number of days before certificate expiry to auto-renew self-signed certificates with the pae-managedCertificateAdvanceRollOver attribute.

Specify a value to replace the self-signed certificate with a future or pending certificate within the specified number of days prior to the current certificate expiration.

By default this value is not set. The valid range is 1-90.
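The following is an added example, not VMware code. It checks values copied out of ADSI Edit against the keysize recommendations and the 1-90 rollover range described above. The function names are hypothetical, the `name=value` string form of pae-MSGSecOptions entries is an assumption, and the message security mode and FIPS state are supplied by the operator.

```python
# Added example: audits values copied from Horizon LDAP (e.g. via ADSI Edit).
# Assumption: pae-MSGSecOptions entries are "name=value" strings.

def parse_pairs(values):
    """Return {'keysize': '2048', ...} from a list of name=value strings."""
    pairs = {}
    for raw in values:
        name, sep, value = raw.partition("=")
        if sep:  # skip entries that are not name=value
            pairs[name.strip().lower()] = value.strip()
    return pairs

def audit(msg_sec_options, rollover, enhanced_mode, fips_mode):
    """Compare settings with the recommendations above; return findings."""
    findings = []
    raw = parse_pairs(msg_sec_options).get("keysize")
    try:
        # An absent keysize means the default: 2048 in FIPS mode, else 512.
        keysize = int(raw) if raw is not None else (2048 if fips_mode else 512)
    except ValueError:
        keysize = None
        findings.append(f"keysize is not an integer: {raw!r}")
    if keysize is not None:
        if enhanced_mode and keysize < 2048:
            findings.append(f"enhanced mode, keysize {keysize}: 2048 recommended")
        elif not enhanced_mode and not fips_mode and keysize != 512:
            findings.append(f"non-enhanced mode, keysize {keysize}: default 512 "
                            "recommended for performance and scalability")
    if rollover is not None:  # unset is the default and is not flagged
        try:
            days = int(rollover)
        except ValueError:
            days = None
        if days is None or not 1 <= days <= 90:
            findings.append(f"pae-managedCertificateAdvanceRollOver {rollover!r} "
                            "is outside the valid range 1-90")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    samples = [
        (["keysize=512"], None, True, False),
        (["keysize=2048"], "30", True, False),
        (["keysize=2048"], "120", True, False),
    ]
    for sample in samples:
        print(sample, "->", audit(*sample) or "ok")
```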