NICE DCV client TLS certificate authentication ("security/certificate-to-user-file" configuration parameter usage)


Hello,

I'm running several NICE DCV Servers on Windows and Linux EC2 Instances. For most of them I'm using the DCV Session Manager along with an internal authentication portal from which one can obtain a dcv://[...]?authToken=[...]#sessionId URI for authentication (all these sessions are of the "virtual" type, and the NICE DCV Servers themselves serve multiple users at once).

The downside to such a solution is that - obviously - it requires provisioning a separate server to run the Session Manager, along with additional infrastructure for the SSO portal etc. Due to this, for the Windows instances which I run, the simpler "system" i.e. username+password authentication is used (these are different in that they serve only a single user via a "console" session).

This is quite inconvenient, however, compared to using the URIs, and could also, in theory, expose the server to an impersonation attack due to a stolen password. However... some time ago in the official NICE DCV Administrator Guide's "Parameter reference", I noticed two parameters in the [security] section which can be set: "ca-file" and "certificate-to-user-file" (mentioned in my question's title):

https://docs.aws.amazon.com/dcv/latest/adminguide/config-param-ref.html#security


Knowing this, as well as the fact that AppStream provides a client-certificate authentication feature:

https://aws.amazon.com/blogs/desktop-and-application-streaming/how-to-configure-certificate-based-authentication-for-amazon-appstream-2-0

(...I mention this because I believe AppStream is also DCV-protocol based?) I presume there might just be some way to do the same (authenticate via a client's TLS certificate) on a self-managed DCV Server. Unfortunately... from what I can gather in terms of further info, this seems to be the end of the road. By which I mean the format of this "certificate-to-user-file" doesn't seem to be described anywhere and, for that matter, the rest of the procedure (if one exists) isn't described either.


So, my question would be - broadly:

  • Is there any way to set up client TLS certificate authentication on a self-managed NICE DCV Server?
  • If so, how would one do it?
  • Otherwise... what purpose does this mysterious "security/certificate-to-user-file" parameter serve? How should the file be formatted?

Any answers would be much appreciated!

Much thanks!

Michał Schwarz

asked 4 months ago · 410 views
1 Answer
1
Accepted Answer

Hey there, thank you for the question. The main difference is that EUC managed services (WorkSpaces & AppStream) have infrastructure to support Certificate-Based Authentication, which allows the user to seamlessly sign in to the desktop. The parameter you mentioned is for protocol authentication. It will validate the certificate to authenticate DCV to start streaming. This, however, does not authenticate the user into the OS.

If your goal is to replicate CBA, that is not possible on standalone DCV today. Since you are using virtual sessions, you could use an authentication token to authenticate the protocol and assign a virtual environment that is not attached to a known OS user. This allows the user to land on a logged-in Linux desktop. I believe this is dependent on a GNOME extension, which is only available on Ubuntu 22.04.

AWS
answered 2 months ago
EXPERT reviewed 22 days ago
  • Could you still provide documentation for "certificate-to-user-file"? I am currently evaluating NICE DCV and would be truly interested in this feature.

  • Thank you so much for your answer!

    If I understand you correctly, it would mean that the above-mentioned parameters serve a role approximating the "auth-token-verifier"...? (I don't know if "approximate" is 100% the correct word, but I believe the gist of what I'm trying to say is clear)
