Horizon Adapter instances and broker agents must share certificates with each other before they can communicate. This process is called pairing.
Upon installation, Horizon Adapter instances and broker agents generate self-signed certificates that are used by default for authentication. Because these certificates are generated dynamically, you must manually pair the Horizon Adapter instance and broker agent.
The certificate pairing process is as follows:
- The broker agent encrypts its certificate with the server key configured for the adapter instance.
- The broker agent opens a connection to the certificate management server, and the encrypted certificate is sent to the adapter instance.
- The adapter decrypts the broker agent certificate by using the server key. If decryption fails, an error is returned to the broker agent and the process is discontinued.
- The adapter instance places the valid broker agent certificate in its trust store.
- The adapter instance encrypts its own certificate with the server key configured for the instance.
- The adapter instance sends the encrypted certificate to the broker agent.
- The broker agent decrypts the adapter instance certificate by using the server key. If decryption fails, an error is returned to the user and the process is discontinued.
- The broker agent places the adapter instance certificate in its trust store.
- The adapter instance certificate is sent to all desktop sources and RDS hosts in the Horizon pod.
- The desktop agents on those desktop sources place the adapter instance certificate in their trust stores.
Note: If the certificate used by the adapter instance or broker agent changes, you must pair the adapter instance and broker agent again.