3.6. Setting Up Public Key Authentication

Public Key Authentication requires some specific configuration on the Active Directory server and the Oracle VDI hosts prior to setting up the user directory in Oracle VDI Manager.

Steps

  1. Follow the configuration steps 1 to 5 described for Kerberos Authentication. See Section 3.5, “Setting Up Kerberos Authentication”.

  2. Create a client certificate for each of the Oracle VDI hosts.

    The Oracle VDI keystore for the client certificate is located at /etc/opt/SUNWvda/sslkeystore and the password is changeit.

    1. Generate a key pair (private/public key) for the client certificate.

      On the Oracle VDI host, log in as superuser (root) and use the Java keytool utility to generate the key pair in the Oracle VDI keystore.

      keytool -genkey -keyalg rsa \
      -keystore /etc/opt/SUNWvda/sslkeystore \
      -storepass changeit -keypass changeit \
      -alias your_alias
      
    2. Generate a Certificate Signing Request (CSR) for the client certificate.

      On the Oracle VDI host, use keytool to generate the certificate request.

      keytool -certreq \
      -keystore /etc/opt/SUNWvda/sslkeystore \
      -storepass changeit -keypass changeit \
      -alias your_alias \
      -file certreq_file
      The alias must be the same as the alias used when generating the key pair. Aliases are case-insensitive.

    3. Create the certificate.

      1. Copy the CSR file to the server hosting Active Directory.

      2. Using Internet Explorer, go to "http://localhost/certsrv".

      3. Log in.

      4. On the Microsoft Certificate Services page, click Request a Certificate.

      5. On the Request a Certificate page, click Advanced Certificate Request.

      6. On the Advanced Certificate Request page, click Submit a Certificate Request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

      7. On the Submit a Certificate Request or Renewal Request page, paste the contents of the CSR into the Saved Request text box or browse to the CSR file.

      8. Select an appropriate template from the Certificate Templates list.

        Administrator is recommended.

      9. Click Submit.

      10. On the Certificate Issued page, ensure Base 64 Encoded is selected and click Download Certificate Chain.

      11. Save the certificate file.

    4. Import the certificate on the Oracle VDI host.

      1. Copy the certificate file to the Oracle VDI host.

      2. Import the certificate into the Oracle VDI keystore.

        keytool -import \
        -keystore /etc/opt/SUNWvda/sslkeystore \
        -storepass changeit -keypass changeit \
        -trustcacerts -file certificate_file \
        -alias your_alias
        
  3. Restart the VDA Service.

    # /opt/SUNWvda/sbin/vda-service restart
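The host-side part of the procedure (steps 2 and 3: generate the key pair, produce the CSR, import the issued chain, restart the service) is easy to get wrong when the alias or keystore arguments drift between the three keytool invocations. The following script is an added example, not Oracle's own tooling: it wraps the same keytool commands shown above in functions that share one alias, keystore and password, lower-cases the alias so the CSR and import steps cannot target a different entry than the key pair, and checks after the import that the entry is still a private-key entry (an import under an alias that holds no key pair creates a trusted-certificate entry instead, and the private key is never associated with the issued certificate). The function names, the DRY_RUN, KEYSTORE and STOREPASS variables, and the -keysize, -dname, -noprompt and -list options are this example's own choices; only the keystore path, password and service command come from the page.

```shell
#!/bin/sh
# Added example (not part of the Oracle VDI documentation): drives the keytool
# steps of this section with one consistent alias/keystore/password and verifies
# the result. Assumes keytool is on PATH and the script runs as root on the host.

KEYSTORE="${KEYSTORE:-/etc/opt/SUNWvda/sslkeystore}"   # path from the page
STOREPASS="${STOREPASS:-changeit}"                    # default documented on the page
DRY_RUN="${DRY_RUN:-0}"                               # 1 = print commands instead of running

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Keystore aliases are case-insensitive; normalise so every step uses the same entry.
normalize_alias() {
  printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# True when two aliases refer to the same keystore entry.
aliases_match() {
  [ "$(normalize_alias "$1")" = "$(normalize_alias "$2")" ]
}

# Step 2.1: generate the key pair. $1 = alias, $2 = host name for the CN.
gen_keypair() {
  alias=$(normalize_alias "$1")
  run keytool -genkey -keyalg rsa -keysize 2048 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -alias "$alias" -dname "CN=$2"
}

# Step 2.2: generate the CSR for the same alias. $1 = alias, $2 = output file.
gen_csr() {
  alias=$(normalize_alias "$1")
  run keytool -certreq \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -alias "$alias" -file "$2"
}

# Step 2.4: import the issued certificate chain under the same alias.
# $1 = alias, $2 = certificate file downloaded from Certificate Services.
import_cert() {
  alias=$(normalize_alias "$1")
  run keytool -import -noprompt \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -trustcacerts -file "$2" -alias "$alias"
}

# Check that the alias still holds the private key after the import. Older
# keytool versions print "keyEntry", newer ones "PrivateKeyEntry".
verify_entry() {
  alias=$(normalize_alias "$1")
  keytool -list -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$alias" \
    | grep -Eq 'PrivateKeyEntry|keyEntry'
}

# Step 3: restart the VDA service so it picks up the new client certificate.
restart_vda() {
  run /opt/SUNWvda/sbin/vda-service restart
}

# Full host-side sequence up to the point where the CSR is handed to the AD server.
# Usage: prepare_csr <alias> <hostname> <csr_file>
prepare_csr() {
  gen_keypair "$1" "$2" && gen_csr "$1" "$3"
}

# Finish once the chain has been copied back.
# Usage: install_cert <alias> <certificate_file>
install_cert() {
  import_cert "$1" "$2" && verify_entry "$1" && restart_vda
}
```

Run `prepare_csr vdi-host1 vdi-host1.my.company.com /tmp/vdi-host1.csr` before submitting the request to Certificate Services, then `install_cert vdi-host1 /tmp/vdi-host1.p7b` after downloading the chain; set `DRY_RUN=1` to review the exact keytool commands first. `verify_entry` fails (and the service is not restarted) if the chain was imported under an alias that does not own the key pair.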

  4. Configure the user directory in Oracle VDI Manager.

    1. In Oracle VDI Manager, go to Settings and then Company.

    2. In the Companies table, click New.

      The New Company wizard is displayed.

    3. On the Choose User Directory step, select Active Directory.

    4. On the Specify Connection step, configure public key authentication.

      1. Select Public Key Authentication.

      2. In the Domain field, enter the Active Directory domain name.

        For example, my.company.com.

    5. On the Verify Certificate step, check that the SSL certificate details are correct.

    6. On the Define Company step, enter the company details.

      1. In the Name field, enter the name of the company.

      2. (Optional) In the E-Mail Domain Name field, enter one or more email domain names.

        Enter multiple domain names as a comma-separated list.

        If you enter an email domain, users can log in with their email address.

      3. (Optional) In the Comments field, enter any notes about the company.

    7. On the Review step, check the configuration of the company and click Finish.

      The new company is added to the Companies table.