
V-246891

CAT II (Medium)

The Horizon Connection Server must perform full path validation on server-to-server TLS connection certificates.

Rule ID

SV-246891r879612_rule

STIG

VMware Horizon 7.13 Connection Server Security Technical Implementation Guide

Version

V1R2

CCIs

CCI-000185

Discussion

The Horizon Connection Server performs certificate revocation checking on its own certificate and on those of the security servers paired to it. Each instance also checks the certificates of vCenter and View Composer servers whenever it establishes a connection to them. If a SAML 2.0 authenticator is configured for use by a Connection Server instance, the Connection Server also performs certificate revocation checking on the SAML 2.0 server certificate. By default, all certificates in the chain are checked except the root certificate. This must be changed so that the full path, including the root, is validated.

Check Content

On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Security". Locate the "CertificateRevocationCheckType" key.

If the "CertificateRevocationCheckType" key does not exist, this is a finding.

If the "CertificateRevocationCheckType" key does not have a value of "3", this is a finding.

Fix Text

On the Horizon Connection Server, launch the Registry Editor. Traverse the registry tree to "HKLM\Software\VMware, Inc.\VMware VDM\Security". 

If the "CertificateRevocationCheckType" key exists:

Right-click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). Click "OK".

Otherwise:

Right-click on the "Security" folder and select New >> DWORD (32 bit) Value. Set the name to "CertificateRevocationCheckType" (without quotes). Right-click "CertificateRevocationCheckType", select "Modify..." and set the value to "3" (without quotes). Click "OK".

Restart the "VMware Horizon View Connection Server" service for changes to take effect.
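
The Check Content and Fix Text above can be scripted for use across several Connection Servers. The following PowerShell is an added example, not part of the STIG or of VMware's tooling; the registry path, value name, required data and service display name are taken from this page, while the function name `Get-V246891Status` and the `-Remediate` switch are hypothetical. It assumes an elevated session on the Connection Server.

```powershell
# Added example: audit and optionally remediate V-246891.
# Path, value name, required data and service display name come from the
# Check Content and Fix Text; function and parameter names are hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)

$Path     = 'HKLM:\Software\VMware, Inc.\VMware VDM\Security'
$Name     = 'CertificateRevocationCheckType'
$Required = 3
$Service  = 'VMware Horizon View Connection Server'

function Get-V246891Status {
    # Returns 'NotAFinding' or a 'Finding: ...' string that mirrors the Check Content.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return "Finding: $Name does not exist" }
    $current = $item.$Name
    # Compare as strings so the check works whatever type the value was stored as.
    if ([string]$current -ne [string]$Required) {
        return "Finding: $Name is '$current', expected '$Required'"
    }
    'NotAFinding'
}

$status = Get-V246891Status
Write-Output "V-246891 before: $status"

if ($Remediate -and $status -ne 'NotAFinding') {
    if (-not (Test-Path -LiteralPath $Path)) { throw "Registry key not found: $Path" }
    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $Required")) {
        if ($status -like '*does not exist') {
            # Missing value: create it as a DWORD (32-bit), per the Fix Text.
            New-ItemProperty -LiteralPath $Path -Name $Name -PropertyType DWord -Value $Required | Out-Null
        } else {
            # Existing value: change its data, as "Modify..." does in the Registry Editor.
            Set-ItemProperty -LiteralPath $Path -Name $Name -Value $Required
        }
        # The Fix Text requires a service restart for the change to take effect.
        Restart-Service -DisplayName $Service
        Write-Output "V-246891 after: $(Get-V246891Status)"
    }
}
```

Run without arguments to audit only; add `-Remediate -WhatIf` to preview the change before applying it, since the restart interrupts the Connection Server service.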