4.6. How to Set Up Public Key Authentication

Public Key Authentication requires some specific configuration on the Active Directory server and the Oracle VDI hosts prior to setting up the user directory in Oracle VDI Manager.

Steps

  1. Follow the configuration steps 1 to 5 described for Kerberos Authentication. See Section 4.5, “How to Set Up Kerberos Authentication”.

  2. Create a client certificate for each of the Oracle VDI hosts.

    The Oracle VDI keystore for the client certificate is located at /etc/opt/SUNWvda/sslkeystore and the password is changeit.

    1. Generate a key pair (private/public key) for the client certificate.

      On the Oracle VDI host, log in as superuser (root) and use the Java keytool utility to generate the key pair in the Oracle VDI keystore.

      keytool -genkey -keyalg rsa \
      -keystore /etc/opt/SUNWvda/sslkeystore \
      -storepass changeit -keypass changeit \
      -alias your_alias
      
    2. Generate a Certificate Signing Request (CSR) for the client certificate.

      On the Oracle VDI host, use keytool to generate the certificate request.

      keytool -certreq \
      -keystore /etc/opt/SUNWvda/sslkeystore \
      -storepass changeit -keypass changeit \
      -alias your_alias \
      -file certreq_file
      

      The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.

    3. Create the certificate.

      1. Copy the CSR file to the server hosting the Active Directory.

      2. Using Internet Explorer, go to "http://localhost/certsrv".

      3. Log in.

      4. On the Microsoft Certificate Services page, click Request a Certificate.

      5. On the Request a Certificate page, click Advanced Certificate Request.

      6. On the Advanced Certificate Request page, click Submit a Certificate Request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

      7. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR into the Saved Request text box or browse to the CSR file.

      8. Select an appropriate template from the Certificate Templates list (Administrator is recommended).

      9. Click Submit.

      10. On the Certificate Issued page, ensure Base 64 Encoded is selected and click Download Certificate Chain.

      11. Save the certificate file.

    4. Import the certificate on the Oracle VDI host.

      1. Copy the certificate file to the Oracle VDI host.

      2. Import the certificate into the Oracle VDI keystore.

        keytool -import \
        -keystore /etc/opt/SUNWvda/sslkeystore \
        -storepass changeit -keypass changeit \
        -trustcacerts -file certificate_file \
        -alias your_alias
        
  3. Restart the VDA Service.

    # /opt/SUNWvda/sbin/vda-service restart

  4. Configure the user directory in Oracle VDI Manager.

    1. In the Oracle VDI Manager, go to Settings → Company.

    2. In the Companies table, click New to activate the New Company wizard.

    3. Select Active Directory Type, and click Next.

    4. Select Public Key Authentication.

    5. Enter the domain for the Active Directory.

      For example, my.company.com.

    6. The next page shows the SSL certificates of the Active Directory servers. Click Next to accept the certificates permanently.

    7. Click Next to review your choices before completing the configuration.
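A check worth running after the import in step 2 and before restarting the VDA service in step 3: confirm that the keystore entry for your alias is a private-key entry whose certificate chain was actually installed. This is an added example, not part of the Oracle VDI documentation; it uses the keystore path and password given on this page, treats "your_alias" as a placeholder, and the keytool output it parses is constructed rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not from the Oracle VDI documentation).
# Keystore path and password as documented on this page; "your_alias" is a placeholder.
KEYSTORE=/etc/opt/SUNWvda/sslkeystore
STOREPASS=changeit

# check_entry reads `keytool -list -v` output for one alias on stdin.
# Returns 0 only when the entry is a PrivateKeyEntry (older keytool prints
# "keyEntry") and its chain holds at least two certificates: the issued client
# certificate plus the CA certificate(s) from the downloaded chain.
# A trustedCertEntry means the import used an alias that does not match the
# key pair, so the reply was stored as a separate trusted certificate and the
# private key still carries only its self-signed certificate.
check_entry() {
    out=$(cat)
    case "$out" in
        *"Entry type: PrivateKeyEntry"* | *"Entry type: keyEntry"*) ;;
        *) echo "alias is not a private-key entry (alias mismatch on import?)" >&2; return 1 ;;
    esac
    len=$(printf '%s\n' "$out" | sed -n 's/^Certificate chain length: *//p' | head -n 1)
    case "$len" in
        ''|*[!0-9]*) echo "no certificate chain length found" >&2; return 1 ;;
    esac
    if [ "$len" -lt 2 ]; then
        echo "chain length is $len; expected the issued certificate plus its CA" >&2
        return 1
    fi
    return 0
}

# verify_alias runs the real check against the Oracle VDI keystore.
verify_alias() {
    keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$1" | check_entry
}

# Constructed keytool output after a successful import (not captured from a host).
SAMPLE_GOOD='Alias name: your_alias
Entry type: PrivateKeyEntry
Certificate chain length: 2'
# Constructed output for the alias-mismatch failure mode.
SAMPLE_MISMATCH='Alias name: your_alias
Entry type: trustedCertEntry'
# Constructed output for a key pair whose reply was never imported.
SAMPLE_UNSIGNED='Alias name: your_alias
Entry type: PrivateKeyEntry
Certificate chain length: 1'

check_sample_good()     { printf '%s\n' "$SAMPLE_GOOD" | check_entry; }
check_sample_mismatch() { printf '%s\n' "$SAMPLE_MISMATCH" | check_entry; }
check_sample_unsigned() { printf '%s\n' "$SAMPLE_UNSIGNED" | check_entry; }
```

On a host, `verify_alias your_alias` exits 0 when the entry is ready and non-zero with a reason on stderr otherwise.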