NICE DCV client TLS certificate authentication ("security/certificate-to-user-file" configuration parameter usage)


Hello,

I'm running several NICE DCV Servers on Windows and Linux EC2 Instances, for most of them I'm using the DCV Session Manager along with an internal authentication portal from which one can obtain a dcv://[...]?authToken=[...]#sessionId URI for authentication (all these sessions are of the "virtual" type, and the NICE DCV Servers themselves serve multiple users at once).

The downside to such a solution is that - obviously - it requires provisioning a separate server to run the Session Manager, along with additional infrastructure for the SSO portal etc. Due to this, for the Windows instances which I run, the simpler "system" i.e. username+password authentication is used (these are different in that they serve only a single user via a "console" session).

This is quite inconvenient, however, compared to using the URIs and could also, in theory, expose the server to an impersonation attack due to a stolen password. However... some time ago in the official NICE DCV Administrator Guide's "Parameter reference", I noticed two parameters in the [security] section which can be set: "ca-file" and "certificate-to-user-file" (mentioned in my question's title):

https://docs.aws.amazon.com/dcv/latest/adminguide/config-param-ref.html#security


Knowing this, as well as the fact that AppStream provides a client-certificate authentication feature:

https://aws.amazon.com/blogs/desktop-and-application-streaming/how-to-configure-certificate-based-authentication-for-amazon-appstream-2-0

(...I mention this, because I believe AppStream is also DCV-protocol based?) I presume there might just be some way to do the same (authenticate via a client's TLS certificate) on a self-managed DCV Server. Unfortunately... from what I can gather in terms of further info - this seems to be the end of the road. By which I mean the format of this "certificate-to-user-file" doesn't seem to be described anywhere and, for that matter, the rest of the procedure (if one exists) isn't described either.


So, my question would be - broadly:

  • Is there any way to set up client TLS certificate authentication on a self-managed NICE DCV Server?
  • If so, how would one do it?
  • Otherwise... what purpose does this mysterious "security/certificate-to-user-file" parameter serve? How should the file be formatted?

Any answers would be much appreciated!

Much thanks!

Michał Schwarz

Asked 4 months ago, 423 views

1 Answer

Accepted answer

Hey there, thank you for the question. The main difference is that EUC managed services (WorkSpaces & AppStream) have infrastructure to support Certificate-Based Authentication, which allows the user to seamlessly sign in to the desktop. The parameter you mentioned is for protocol authentication. It will validate the certificate to authenticate DCV to start streaming. This, however, does not authenticate the user into the OS.

If your goal is to replicate CBA, that is not possible on standalone DCV today. Since you are using virtual sessions, you could use an authentication token to authenticate the protocol and assign a virtual environment that is not attached to a known OS user. This allows the user to land on a logged-in Linux desktop. I believe this is dependent on a GNOME extension, which is only available on Ubuntu 22.04.

AWS
Answered 2 months ago
Expert
Reviewed 1 month ago
  • Could you still provide documentation for "certificate-to-user-file"? I am currently evaluating NICE DCV and would be truly interested in this feature.

  • Thank you so much for your answer!

    If I understand you correctly, it would mean that the above-mentioned parameters serve a role approximating the "auth-token-verifier"...? (I don't know if "approximate" is 100% the correct word, but I believe the gist of what I'm trying to say is clear)
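The comment above compares the certificate parameters to `auth-token-verifier`, and the accepted answer suggests authenticating the protocol with a token rather than an OS password. As an added illustration of what a token verifier actually does (example code written for this page, not code from AWS or from anyone in the thread), below is a minimal external authenticator: the DCV server is assumed to be configured with `auth-token-verifier="https://<verifier-host>/verify"` in `[security]` and to POST the form fields `sessionId`, `authenticationToken` and `clientAddress`, expecting an XML reply of `<auth result="yes"><username>…</username></auth>` or `<auth result="no"><message>…</message></auth>`; those field names and the reply shape follow the NICE DCV admin guide's external authenticator description. The in-memory `ISSUED_TOKENS` store, the 120-second TTL, single-use consumption and the `issue_token`/`verify` helpers are this example's own assumptions, standing in for whatever an SSO portal would do when it mints a `dcv://...?authToken=...` URI.

```python
"""Minimal NICE DCV external authenticator (token verifier) - added example.

Assumed dcv.conf on the server (placeholder host):
  [security]
  auth-token-verifier="https://<verifier-host>/verify"
The DCV server POSTs sessionId, authenticationToken and clientAddress here
and expects <auth result="yes"><username>...</username></auth> or
<auth result="no"><message>...</message></auth> in reply.
"""
import hmac
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs
from xml.sax.saxutils import escape

TOKEN_TTL_SECONDS = 120  # assumption: tokens are short-lived

# Constructed store for the example: token -> (session it is bound to, user, expiry).
# In a real deployment the SSO portal that hands out dcv:// URIs would populate it.
ISSUED_TOKENS: Dict[str, Tuple[str, str, float]] = {}


def issue_token(session_id: str, username: str, now: Optional[float] = None) -> str:
    """Mint a random, single-use token bound to exactly one DCV session."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    ISSUED_TOKENS[token] = (session_id, username, now + TOKEN_TTL_SECONDS)
    return token


def verify(session_id: str, token: str, now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate a token for a session. Returns (ok, username or failure reason).

    Every stored token is compared in constant time so the lookup does not leak
    which tokens exist, and a matched token is consumed even if the check fails,
    so a stolen URI cannot be replayed against another session later.
    """
    now = time.time() if now is None else now
    match = None
    for candidate in list(ISSUED_TOKENS):
        if hmac.compare_digest(candidate, token):
            match = candidate
    if match is None:
        return False, "unknown token"
    bound_session, username, expires_at = ISSUED_TOKENS.pop(match)
    if now > expires_at:
        return False, "token expired"
    if not hmac.compare_digest(bound_session, session_id):
        return False, "token not valid for this session"
    return True, username


def auth_response(ok: bool, value: str) -> str:
    """Render the XML body the DCV server expects from a verifier."""
    if ok:
        return f'<auth result="yes"><username>{escape(value)}</username></auth>'
    return f'<auth result="no"><message>{escape(value)}</message></auth>'


class VerifierHandler(BaseHTTPRequestHandler):
    """HTTP endpoint the DCV server calls; body is a URL-encoded form."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        form = parse_qs(self.rfile.read(length).decode("utf-8"))
        session_id = form.get("sessionId", [""])[0]
        token = form.get("authenticationToken", [""])[0]
        ok, value = verify(session_id, token)
        body = auth_response(ok, value).encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "application/xml")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback; terminate TLS in front of this (the DCV server verifies
    # the verifier's certificate via its ca-file), never expose it in plaintext.
    HTTPServer(("127.0.0.1", 8444), VerifierHandler).serve_forever()
```

The verifier only answers the question "is this token good for this session, and which user does it map to"; as the accepted answer notes, that authenticates the DCV protocol, not the OS login, which is exactly the gap the certificate parameters also leave open.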
