How to integrate OPSWAT Central Management with VMware's UAG (Unified Access Gateway) system?

OPSWAT Central Management contains the MetaAccess feature suite, which can be leveraged by VMware Unified Access Gateway (UAG) 3.1+ and Horizon clients 7.3.1+ for Windows and macOS. For more information about this integration, please refer to MetaAccess documentation on this subject.
Because OPSWAT Central Management is deployed on-premises, the process to integrate it with UAG is slightly different from MetaAccess's. Please follow the guidelines below.

  1. OPSWAT Central Management will need to be put into HTTPS mode to integrate with UAG. Please refer to this article to enable HTTPS mode.

  2. Confirm the type of certificate used for the OPSWAT Central Management server. If the certificate is self-signed, it may need to be imported into the UAG environment for verification.
    To confirm whether UAG can verify the certificate, run the following command from a terminal in the UAG environment, which can be accessed via SSH.

    curl -v <OCM's address>/o/op/login

    For example:

    curl -v https://ocmserver:9114/o/op/login

    The command should return the status code 200 OK and the content of OPSWAT Central Management's login page if the server can be reached from the UAG environment. Skip to step 7 if this step succeeds.

  3. If step 2 fails, you will need to import your certificate into the UAG environment. Copy the certificate file to the UAG environment, via SSH for example.
    (Optional) To check the validity of the certificate, run the command below from a terminal in the UAG environment:

    curl -v --cacert <path to certificate> <OCM's address>/o/op/login

    For example:

    curl -v --cacert /root/ocm.crt https://ocmserver:9114/o/op/login

    Similar to step 2, the command should return the status code 200 OK if the certificate works.

  4. Locate the Java folder that the UAG application is running from. By default, this folder is /usr/java/jre-vmware.
    To locate this folder more precisely, you can use the command below in the terminal, which should return the running Java process and its location:

    ps aux | grep java

    Navigate to this folder via the cd command.

  5. Run the command below to import the certificate into the Java trust store, where /root/ocm.crt is assumed to be the location of the copied certificate.

    "bin/keytool" -importcert -keystore "lib/security/cacerts" -storepass changeit -alias "ocmCA" -file "/root/ocm.crt"

    Please note that the storepass parameter provided above is the default value and may be different in your UAG environment.

  6. Confirm the import and restart the UAG machine to ensure that the change is propagated correctly.

  7. Log in to OPSWAT Central Management's OAuth console at <ocm server>/o/op/login to set up the actual integration with UAG.
    Select Register New Application and fill in the required information. Then select Save and take note of the client key and client secret for use in later steps.

    • Application name: The application's name

    • Description: A description of the application

    • Website URL: Your organization's domain

    • Callback URL: Can be set as http://127.0.0.1/opswat.

  8. Log into the UAG Admin Console. Navigate to Advanced Settings and select Endpoint Compliance Check Provider Settings.
    Select Add and from the Endpoint Compliance Check Provider dropdown list, select OPSWAT.

  9. Fill in Client Key and Client Secret as obtained from step 7.
    For Hostname, fill in the address of the OPSWAT Central Management server in the format <server name>:<port>, for example, ocmserver:9114.
    Adjust the rest of the settings to your preference, then select Save to complete the process.
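
The decision made in steps 2 and 3, as an added example (not OPSWAT's or VMware's script): it separates a certificate-trust failure (curl exit code 60) from a connectivity failure, and checks that the copied certificate actually validates the server before it is imported into the Java trust store. The function names and result strings are hypothetical; the URL and certificate path are the article's sample values and can be overridden through the environment.

```sh
# Added example, not vendor code. Defaults are the article's sample values.
OCM_URL="${OCM_URL:-https://ocmserver:9114/o/op/login}"
OCM_CERT="${OCM_CERT:-/root/ocm.crt}"

# Probe from steps 2 and 3. Optional $1 = CA file handed to curl --cacert.
# Prints: ok | untrusted | unreachable | http_<code> | curl_<exit code>
ocm_probe() (
    rc=0
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
           ${1:+--cacert "$1"} "$OCM_URL" 2>/dev/null) || rc=$?
    case "$rc" in
        0)      if [ "$code" = 200 ]; then echo ok; else echo "http_$code"; fi ;;
        60)     echo untrusted ;;    # certificate not verifiable with known CAs
        6|7|28) echo unreachable ;;  # DNS failure, connection failure, timeout
        *)      echo "curl_$rc" ;;
    esac
)

# Map the probe results onto the article's steps and print the next action.
ocm_next_step() (
    first=$(ocm_probe)
    case "$first" in
        ok)          echo skip_to_step_7 ;;
        unreachable) echo fix_connectivity ;;   # importing a cert cannot fix this
        untrusted)
            if [ ! -r "$OCM_CERT" ]; then
                echo copy_certificate_first
            elif [ "$(ocm_probe "$OCM_CERT")" = ok ]; then
                echo import_certificate         # continue with steps 4 to 6
            else
                echo wrong_certificate_file     # file does not match the server
            fi ;;
        *)           echo "investigate:$first" ;;
    esac
)
```

Run `ocm_next_step` in the UAG terminal after sourcing the file; only the `import_certificate` result calls for the keytool import in step 5.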