
Configuring Security for a Managed VMware Environment in VMM

Preparing to Manage a VMware Environment
    Decide Whether to Manage Your VMware Environment in Secure Mode
    Create a Dedicated Account for Communications with VirtualCenter
    Decide What Credentials to Use for File Transfer Operations
    Follow Security Best Practices for Accounts and Authentication
Integrating Your VMware Environment with VMM
    Add the VirtualCenter Server to VMM
    Enable Full Management of ESX Server Hosts
    Enable Access to VMware Virtual Machines Through the VMM Self-Service Portal
Optional Configuration Tasks
    How to Automate Certificate Registration for ESX Server Hosts
        To register self-signed certificates on the VMM server for ESX Server hosts
    How to Automate Public Key Entry for Non-Embedded ESX Server Hosts
        To add public keys to VMM for non-embedded ESX Server hosts
    How to Change Virtual Machine Delegate Credentials for a Managed Host
        To change virtual machine delegate credentials for ESX Server hosts

This topic explains the security decisions you need to make before taking a VMware Infrastructure 3 (VI3) environment under management by System Center Virtual Machine Manager (VMM), and it also explains how to configure security in VMM for the VirtualCenter server and the ESX Server hosts. VMM manages a VMware environment by using a combination of the VirtualCenter WebServices API for management, and SFTP and HTTPS for file transfer operations.

Preparing to Manage a VMware Environment

Before you integrate your VMware environment with VMM, you need to decide how to handle the following security issues:

- Do you want to manage your VMware environment in secure mode, requiring authentication of each ESX Server host on all protocols used for communication?
- What account will VMM use for communications with VirtualCenter?
- For file transfers between hosts running non-embedded ESX Server (VMware ESX Server 3.5, VMware ESX Server 3.0.2) and Windows Server based computers, will VMM use the default root credentials or a lower-privilege virtual machine delegate in ESX Server?

Decide Whether to Manage Your VMware Environment in Secure Mode

Before adding the VirtualCenter server to VMM, decide whether you want to manage the VMware environment in secure mode in VMM. When you add a VirtualCenter server to VMM, VMM turns on secure mode by default. If your environment does not require that level of authentication, you can turn off secure mode.

Secure mode on

When you manage a VMware environment in secure mode, VMM authenticates each ESX Server host on all protocols used for communication. In secure mode, Secure Sockets Layer (SSL) over HTTPS (for embedded ESX Server) requires certificate authentication, and SFTP over Secure Shell (SSH) (for non-embedded ESX Server) requires host public key authentication. VMM retrieves and verifies both.

If you configure all ESX Server hosts to use certification authority (CA)-signed certificates, the trust relationship of SSL channels can be established seamlessly. However, for non-embedded versions of ESX Server, if you use the self-signed certificates that VMware creates on ESX Server hosts during installation, you must verify the certificate when you configure security for the ESX Server in VMM.

If you are managing a large number of embedded ESX Server hosts, you might find it more convenient to copy the certificates manually from each host and use a script to add them to the Trusted People certificate store on the VMM host. For instructions, see How to Automate Certificate Registration for ESX Server Hosts, later in this topic.

For non-embedded versions of ESX Server, you also will need to add the SSH public keys to the VMM database. For this task also, you can either validate the public key when you configure security for individual hosts in VMM or use a script to update the VMM database with public keys for all of your non-embedded ESX Server hosts. For instructions, see How to Automate Public Key Entry for Non-Embedded ESX Server Hosts, later in this topic.

Secure mode off

For environments that do not require the use of certificate authentication or RSA public key validation between VMM and ESX Server hosts during VirtualCenter operations, you can turn secure mode off.

Create a Dedicated Account for Communications with VirtualCenter

For communications with the VirtualCenter server, VMM requires an account that has Administrator rights at the Host and Cluster level in VirtualCenter. You can use a local account on the computer that has VirtualCenter installed or an Active Directory account. As a security best practice, create a dedicated service account that is not used by any other user or process.

Decide What Credentials to Use for File Transfer Operations

Next you need to decide which account to use for file transfer operations between hosts running non-embedded versions of ESX Server and Windows Server based computers. This type of file transfer is required for operations such as creating a virtual machine with a virtual hard disk stored on a VMM library server or storing a VMware virtual machine in the VMM library. To perform this type of file transfer, VMM accesses ESX Server hosts directly.

For non-embedded versions of ESX Server, VMM must have the credentials of the virtual machine delegate in ESX Server to gain the needed access to virtual machine files on the host. By default, ESX Server uses root credentials on the host for the delegate. If you don't want to use root credentials, you can configure a lower-privilege account as the virtual machine delegate.

Important: In VI3 environments, using a virtual machine delegate is considered experimental by VMware. In VMware vSphere 4, ESX and ESXi do not support delegate user functionality. Your only option is to use root credentials.

Regardless of your choice, you must perform additional configuration to give VMM the needed access:

- If ESX Server is using the default root credentials as the virtual machine delegate, you must enable SSH root login on each ESX Server host. For instructions, refer to guidelines for SSH security.
- To avoid enabling SSH remote logon to the highly privileged root, configure a virtual machine delegate account for each ESX Server host.

To perform file-level actions on the ESX Server host, the account must meet the following requirements:

- The account must be a member of the Administrator role in ESX Server.
- You must use the same delegate user (by default, vimuser) on all ESX Server 3i hosts that use the NFS datastore.

For more information about configuring virtual machine delegates, refer to VMware Documentation (http://go.microsoft.com/fwlink/?linkid=163914).

Caution: After you configure virtual machine delegate credentials in VirtualCenter, you must restart the ESX Server host. That can cause loss of state for any running virtual machines. To avoid this, you should shut down or migrate any running virtual machines before you change the credentials. For a procedure, see How to Change Virtual Machine Delegate Credentials for a Managed Host, later in this topic.

VMM uses a different file transfer protocol for embedded versions of ESX Server (VMware ESX Server 3i and later) than for non-embedded versions (VMware ESX Server 3.5, VMware ESX Server 3.0.2). Similar to Windows Server Core, for greater security on the host computer, embedded versions of ESX Server install minimal code and no local console. File transfers to ESX Server hosts use the following protocols:

- Embedded ESX Server: VMM uses HTTPS over default port 443 for file transfers. In secure mode, encryption using Secure Sockets Layer (SSL) requires certificate authentication.
- Non-embedded ESX Server: VMM uses SFTP over default port 22. In secure mode, encryption using Secure Shell (SSH) requires RSA public key authentication.

Follow Security Best Practices for Accounts and Authentication

When you add your VirtualCenter server to VMM and configure security for the ESX Server hosts, follow security best practices for accounts and authentication:

- Use Active Directory Domain Services (AD DS) to maintain all administrative accounts in a multi-platform environment. By using AD DS uniformly, you can enable a single administrator to manage all accounts and apply the same account policies (password strengths, expiration, classification, and so forth) throughout all of the environments. In addition, Active Directory's implementation of the Kerberos protocol can provide authentication services for all accounts in each domain, allowing users to prove their identity to one another in a secure manner when communicating.
- Verify self-signed certificates and RSA public keys before accepting them in VMM. When you configure security settings for a managed ESX Server host in secure mode, VMM retrieves the self-signed certificate that VMware created when ESX Server was installed. For non-embedded versions of ESX Server, VMM also retrieves an RSA public key from the host computer. When you configure security for the host in VMM, always verify the certificate and public key on the host computer before you update the security settings in VMM.
- Optionally, use CA-signed certificates instead of self-signed certificates. For greater security and ease of management, use certificates from a trusted CA instead of self-signed certificates for authentication of the VirtualCenter server and your ESX Server hosts. CA-signed certificates do not require verification in VMM.

Important: If you are managing a VMware vSphere (formerly known as VMware VirtualCenter 4, or VI4) infrastructure in VMM, vSphere validates host certificates by default. In VirtualCenter 2.5, host certificate checking is turned off by default. To enable file transfers in a managed vSphere infrastructure, you can use any of the following methods:

- Use CA-signed certificates on all ESX Server hosts, and add the certificate for the Certificate Authority server to the certificate store for the Trusted Root Certificate Authority on the VirtualCenter server.
- If you use self-signed certificates, add each host certificate to the certificate store for the Trusted Root Certificate Authority on the VirtualCenter server.
- Turn off host certificate checks in the VirtualCenter management server configuration.

For more information, see your VMware documentation.

Integrating Your VMware Environment with VMM

After making the security decisions described in the previous sections, you are ready to add your VirtualCenter server to VMM and then configure security for the ESX Server hosts. If you plan to allow virtual machine self-service, you also will need to enable users to download the VMware ActiveX control that they must install so that they can open the VMM Self-Service Portal.

Add the VirtualCenter Server to VMM

VMM performs supported management tasks in a VMware environment by communicating with VirtualCenter. For these communications, VMM uses the WebServices API on default port 443. Encryption is performed through HTTPS using SSL. While adding the VirtualCenter server, you configure all of these options, specifying the following:

- The TCP/IP port to use for connections to the VirtualCenter server (default port 443).
- The account credentials to use for connections to the VirtualCenter server. You can use a local account or an Active Directory domain account as long as the account has administrative rights in VirtualCenter at the Host and Cluster level. The account does not need to be a local administrator on the operating system. You should use a dedicated account that is not used by any other user or process.

If you are using a self-signed certificate for the VirtualCenter server, you must import the certificate to the Trusted People certificate store on the VMM server to verify the computer's identity. That is not required if you use a CA-signed certificate. This operation requires an account that is a member of the local Administrators group on the VMM computer. If the VMM service is running under a domain account rather than Local System, the operation must be run under that domain account.

For more information, see How to Add a VMware VirtualCenter Server (http://go.microsoft.com/fwlink/?linkid=128560).

Enable Full Management of ESX Server Hosts

When you add a VMware VirtualCenter server to VMM, VMM discovers the ESX Server hosts and adds them to VMM with OK (Limited) status. OK (Limited) status indicates that VMM does not have the information required to perform file transfers on the hosts. While a host has OK (Limited) status, the VMM administrator can perform a limited set of management tasks that do not require file transfers.

To change a host's status to OK and enable full management in VMM, you must provide VMM with the credentials for the virtual machine delegate on the host (either root or the lower-privileged account that you configured earlier). Additionally, if secure mode is enabled, VMM must be able to identify the host by its SSL certificate and, for non-embedded versions of ESX Server, by the host's SSH public key. To provide the needed information, update the host's properties in VMM. For more information, see How to Set Credentials for Communicating with a Host (http://go.microsoft.com/fwlink/?linkid=162973).

If you are managing multiple ESX Server hosts, you can save time by scripting certificate registration on the VMM server and the addition of public keys to the VMM database. For procedures, see How to Automate Certificate Registration for ESX Server Hosts (for certificate registration) and How to Automate Public Key Entry for Non-Embedded ESX Server Hosts (for adding public keys to the VMM database), later in this topic.

The exception to this requirement is a host that has an embedded version of ESX Server and for which a CA-signed certificate is in use. Even in secure mode, those hosts are added to VMM with OK status and full management capabilities.

Enable Access to VMware Virtual Machines Through the VMM Self-Service Portal

If you plan to allow users to manage VMware virtual machines through the VMM Self-Service Portal, you must enable the users to download and install a VMware ActiveX control. This control must be downloaded through a secure SSL channel. VMM connects to the VMware host by using SSL. However, to ensure that users can download and install the ActiveX control, you must enable SSL on the VMware host computers. Alternatively, you can install the Virtual Infrastructure client on the client machine, which will also install the ActiveX control, thereby eliminating the need to download the ActiveX control from the host.

Optional Configuration Tasks

The following sections provide procedures for automating certificate and public key registration and for changing virtual machine delegate credentials on your ESX Server hosts.

How to Automate Certificate Registration for ESX Server Hosts

The following procedure provides a sample script to automate certificate registration on the VMM server for multiple ESX Server hosts. To register the certificates, you must add them to the Trusted People local certificate store.

To register self-signed certificates on the VMM server for ESX Server hosts

1. Manually copy the self-signed certificate from each ESX Server host. To retrieve a certificate:

   a. Log on to the service console as the root user.
   b. Change directories to /etc/vmware/hostd/
   c. To identify the certificate file, use a text editor to open the config.xml file and find the following XML segment:

          <ssl>
            <!-- The server private key file -->
            <privatekey>/etc/vmware/ssl/rui.key</privatekey>
            <!-- The server side certificate file -->
            <certificate>/etc/vmware/ssl/rui.crt</certificate>
          </ssl>

      The sample code shows the default certificate file, /etc/vmware/ssl/rui.crt.
   d. Copy the certificate file.

2. On the VMM server, load the certificates to the Trusted People store. The following command adds the certificate for host1 to the Trusted People store:

       certutil -addstore -enterprise TRUSTEDPEOPLE c:\temp\<host1>\cert.cer

   This operation requires an account that is a member of the local Administrators group on the VMM computer. If the VMM service is running under a domain account rather than Local System, the operation must be run under that domain account.

Alternatively, you can retrieve the certificate for a host by updating the host's properties in the VMM Administrator Console. For instructions, see How to Set Credentials for Communicating with a Host (http://go.microsoft.com/fwlink/?linkid=162973).

How to Automate Public Key Entry for Non-Embedded ESX Server Hosts

The following procedure provides a sample script to automate public key entry in VMM for hosts running non-embedded versions of ESX Server (ESX Server 3.5 and ESX Server 3.0.2).

To add public keys to VMM for non-embedded ESX Server hosts

1. Manually collect the public key from each host that is running ESX Server 3.5 or ESX Server 3.0.2.

2. Load the SSH public keys to the VMM database. The following Windows PowerShell VMM script adds the public key file for host1 to the VMM database:

       # Connect to the VMM server, then look up the managed host
       $c = get-vmmserver localhost
       $vmhost = get-vmhost <host1>
       # Store the host's SSH public key in the VMM database
       $vmhost | associate-vmhost -SshPublicKeyFile C:\<host1>\ssh_host_rsa_key.pub
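The two procedures above combined into one script, as an added example that is not part of the original document or its sample code: each host's certificate and SSH public key is registered only after it matches a fingerprint recorded on the host itself, which is the verification the best-practices section asks for. The manifest, its column names, the helper function names and the C:\temp\<host> file layout are assumptions; certutil and associate-vmhost are called as in the samples above.

```powershell
# Added example, not from the original document. Run it in the VMM Windows
# PowerShell command shell on the VMM server as a local Administrator.
# Assumed layout: C:\temp\<host>\cert.cer and C:\temp\<host>\ssh_host_rsa_key.pub.

# Constructed manifest (assumption): fingerprints read on each host's console.
# CertSha1 = SHA-1 thumbprint of the certificate; SshMd5 = MD5 fingerprint of
# the RSA host key. Leave SshMd5 empty for embedded hosts (HTTPS only).
$manifest = @"
EsxHost,CertSha1,SshMd5
host1,<SHA-1 thumbprint recorded on host1>,<MD5 fingerprint recorded on host1>
host2,<SHA-1 thumbprint recorded on host2>,
"@ | ConvertFrom-Csv

function Get-HexDigits([string]$Value) {
    # Drop colons, dashes and spaces so "AA:BB", "aa-bb" and "AABB" compare equal.
    return ($Value -replace '[^0-9A-Fa-f]', '').ToUpper()
}

function Test-Fingerprint([string]$Expected, [string]$Actual, [int]$HexLength) {
    # Fail closed: a missing, placeholder or truncated expected value never matches.
    $e = Get-HexDigits $Expected
    return ($e.Length -eq $HexLength) -and ($e -eq (Get-HexDigits $Actual))
}

function Get-CertSha1([string]$Path) {
    # X509Certificate2 reads both DER and PEM encoded certificate files.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.Thumbprint
}

function Get-SshKeyMd5([string]$Path) {
    # A .pub file is "<type> <base64 blob> [comment]"; the fingerprint is the
    # MD5 hash of the decoded blob.
    $line = [string](Get-Content $Path | Select-Object -First 1)
    $fields = $line.Trim() -split '\s+'
    if ($fields.Count -lt 2 -or $fields[0] -ne 'ssh-rsa') {
        throw "Not an RSA public key file: $Path"
    }
    $blob = [Convert]::FromBase64String($fields[1])
    $md5 = [System.Security.Cryptography.MD5]::Create()
    return [BitConverter]::ToString($md5.ComputeHash($blob))
}

$null = Get-VMMServer localhost   # connect, as in the sample above

foreach ($entry in $manifest) {
    $name = $entry.EsxHost
    $dir = Join-Path 'C:\temp' $name
    try {
        $certPath = Join-Path $dir 'cert.cer'
        if (-not (Test-Fingerprint $entry.CertSha1 (Get-CertSha1 $certPath) 40)) {
            Write-Warning "${name}: certificate does not match the recorded thumbprint; host skipped"
            continue
        }
        certutil -addstore -enterprise TRUSTEDPEOPLE $certPath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "certutil exited with code $LASTEXITCODE" }

        if ([string]::IsNullOrEmpty($entry.SshMd5)) { continue }   # embedded host
        $keyPath = Join-Path $dir 'ssh_host_rsa_key.pub'
        if (-not (Test-Fingerprint $entry.SshMd5 (Get-SshKeyMd5 $keyPath) 32)) {
            Write-Warning "${name}: SSH public key does not match the recorded fingerprint; key not added"
            continue
        }
        Get-VMHost $name | Associate-VMHost -SshPublicKeyFile $keyPath
    }
    catch {
        Write-Warning "${name}: $_"
    }
}
```

With the placeholder manifest left unedited, every host is skipped with a warning and nothing is added to the certificate store or the VMM database.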

Alternatively, you can retrieve the certificate and public key for a host when you configure the host's credentials by updating the host's properties in the VMM Administrator Console. For instructions, see How to Set Credentials for Communicating with a Host (http://go.microsoft.com/fwlink/?linkid=162973).

How to Change Virtual Machine Delegate Credentials for a Managed Host

If you decide to change the virtual machine delegate for your ESX Server hosts from the default root credentials to a lower-privilege account after adding the VirtualCenter server to VMM, use the following procedure to safeguard virtual machine state while you make the change. For more information about your options, see Decide What Credentials to Use for File Transfer Operations, earlier in this topic.

Caution: After you change virtual machine delegate credentials, you must restart the ESX Server host. That can cause loss of state for any running virtual machines. To avoid this, shut down or migrate the virtual machines before you change the credentials.

To change virtual machine delegate credentials for ESX Server hosts

1. Shut down or migrate any running virtual machines on the ESX Server hosts.

2. In VirtualCenter, reset virtual machine delegate credentials for each ESX Server host. The account must be a member of the Administrator role in ESX Server. For ease of management, you might want to use the same virtual machine delegate on all ESX Server hosts. For information about configuring virtual machine delegates, see your ESX Server documentation.

3. Restart the ESX Server hosts.

4. In VMM, update the credentials for each ESX Server host with the account name and password for the new Virtual Machine Delegate account. To update a host's credentials, in Hosts view of the VMM Administrator Console, right-click the host and then click Configure Security.