This topic describes security-related settings in LDAP that cannot be modified using APIs, the administration console, or provided command-line tools. Security-related settings are provided in Horizon LDAP under the object path cn=common,ou=global,ou=properties,dc=vdi,dc=vmware,dc=int. If you have full administrative privileges, you can use an LDAP editor such as the ADSI Edit utility to change the value of these settings on a connection broker instance. The change propagates automatically to all other connection broker instances in a cluster.

Security-Related Settings in Horizon LDAP

Attribute Description
pae-AgentLogCollectionDisabled This setting can be used to prevent downloading of DCT archives from Horizon Agents, using either APIs or the administration console. Log collection is still possible from Connection Servers in VMware Horizon 8 environments.

Set to 1 to deactivate agent log collection.

pae-DisallowEnhancedSecurityMode

This setting can be used to prevent the use of Enhanced message security. Use this if you want to deactivate automatic certificate management.

Once this is set to 1, the Horizon 8 environment begins the transition to Enabled message security mode automatically.

Setting this attribute back to 0 or removing it allows Enhanced message security to be chosen once more, but does not trigger an automatic transition.

pae-enableDbSSL If you configure an Event Database, the connection is not protected by TLS by default. Set this attribute to 1 to activate TLS on the connection.
pae-managedCertificateAdvanceRollOver

For auto-managed certificates, this attribute can be set to force certificates to be renewed before they expire. Specify the number of days in advance of the expiry date that this should be done.

The maximum period is 90 days. If not specified, this setting defaults to 0 days, and so roll-over happens at expiry.

pae-MsgSecOptions

This is a multi-valued attribute where each value is itself a name-value pair (for example, course=fish).

Warning: When adding or modifying a name-value pair, be very careful not to remove other values.

Currently the only name-value pair that can be set is keysize. This specifies the length of the DSA message signing key. If not specified, it defaults to 512 bits.

  • If message security is Enabled or Mixed, every message is signed. Increasing the key length affects performance and scalability.
  • If message security is Enhanced, few messages are signed and VMware recommends a key length of 2048 bits.
  • If you selected FIPS compatibility when installing Horizon 8, keysize is already set to 2048.

The key length can be changed immediately after the first connection broker instance is installed and before additional servers and desktops are created. After this, it must not be changed.

pae-noManagedCertificate

This setting can be used to deactivate automatic certificate management.

When this is set to 1, certificates are no longer renewed automatically and self-signed certificates in the certificate stores are ignored.

All certificates must be CA signed and admin-managed.

This setting is not compatible with Enhanced message security. Before setting to 1, you must switch message security to Enabled.

If you selected FIPS compatibility when installing Horizon 8, the "vdm" certificate must be CA signed but others need not be, unless this is set to 1.

All Connection Servers in a CPA configuration should have the root certificate that was used to generate the Enrollment client certificate (vdm.ec) of other PODs.

pae-SSLCertificateSignatureAlgorithm

This specifies the certificate signature algorithm to use for auto-managed certificates. If not specified, it defaults to rsa_pkcs1_sha384.

For more examples see Default Global Policies for Security Protocols and Cipher Suites.