VMware vSphere Replication Security Guide


VMware vSphere Replication Security Guide
vSphere Replication 6.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001758-00

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2012-2015 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Contents

1 About VMware vSphere Replication Security Guide 5
2 Security Reference 7
  Services, Ports, and External Interfaces that the Virtual Appliance Uses 7
  Configuration Files 10
  Private Key, Certificate, and Keystore 11
  License and EULA File 11
  Log Files 11
  User Accounts 13
  Security Updates and Patches for vSphere Replication 13


1  About VMware vSphere Replication Security Guide

The VMware vSphere Replication Security Guide provides a concise reference to the security features of vSphere Replication. To help you protect your vSphere Replication installation, this guide describes the security features built into vSphere Replication and the measures that you can take to safeguard it from attack:

- External interfaces, ports, and services that are necessary for the proper operation of vSphere Replication
- Configuration options and settings that have security implications
- Location of log files and their purpose
- Required system accounts
- Information about obtaining the latest security patches

Intended Audience

This information is intended for IT decision makers, architects, administrators, and others who must familiarize themselves with the security components of vSphere Replication.


2  Security Reference

You can use the Security Reference to learn about the security features of vSphere Replication and the measures that you can take to safeguard your environment from attack.

This chapter includes the following topics:

- Services, Ports, and External Interfaces that the Virtual Appliance Uses, on page 7
- Configuration Files, on page 10
- Private Key, Certificate, and Keystore, on page 11
- License and EULA File, on page 11
- Log Files, on page 11
- User Accounts, on page 13
- Security Updates and Patches for vSphere Replication, on page 13

Services, Ports, and External Interfaces that the Virtual Appliance Uses

The operation of vSphere Replication depends on certain services, ports, and external interfaces.

Services

The operation of vSphere Replication depends on several services that run on the virtual appliance.

Table 2-1. Services

hms
  Startup type: Automatic for the vSphere Replication appliance. Disabled for the vSphere Replication add-on appliance.
  Description: vSphere Replication Management Service

hbrsrv
  Startup type: Automatic
  Description: vSphere Replication Service

sshd
  Startup type: Automatic
  Description: Disabled by default.

ntp
  Startup type: Automatic
  Description: Time service for syncing up with an Internet time server through the Network Time Protocol.
  NOTE: After you install or upgrade a vSphere Replication virtual appliance, you must synchronize the appliance with a time server.

vaos
  Startup type: Automatic
  Description: Guest OS initialization that drives network settings, host name settings, SSH key creation, EULA acceptance, boot script execution, and VAMI initialization.

Communication Ports

vSphere Replication uses several communication ports and protocols. The vSphere Replication appliance requires certain ports to be open.

NOTE: vSphere Replication servers must have NFC traffic access to target ESXi hosts.

Table 2-2. Ports Used by the vSphere Replication Appliance

Port 80, TCP
  Source: vSphere Replication appliance
  Target: Remote vCenter Server
  Description: All management traffic to the vSphere Replication appliance goes to port 80 on the vCenter Server proxy system.

Port 80, HTTP
  Source: vSphere Replication server in the vSphere Replication appliance
  Target: Remote ESXi host
  Description: Used to establish the connection before initial replication starts.

Port 902, TCP and UDP
  Source: vSphere Replication server in the vSphere Replication appliance
  Target: Remote ESXi host
  Description: Used by vSphere Replication servers to send replication traffic to the destination ESXi hosts.

Port 5480, HTTPS
  Source: Browser
  Target: vSphere Replication appliance
  Description: vSphere Replication virtual appliance management interface (VAMI) Web UI.

Port 8043, SOAP
  Source: vCenter Server proxy
  Target: vSphere Replication appliance
  Description: Intra-site communication from the vCenter Server proxy to the vSphere Replication appliance.

Port 8123, SOAP
  Source: vSphere Replication appliance
  Target: vSphere Replication server
  Description: Intra-site management traffic from the vSphere Replication Management server to additional vSphere Replication servers in the environment.

Port 10443, HTTPS
  Source: vSphere Web Client on the source site
  Target: vCenter Server Inventory Service on the target site
  Description: The vSphere Replication UI uses the Inventory Service of the remote vCenter Server to list target datastores.

Port 31031
  Source: ESXi host on the source site
  Target: vSphere Replication server at the target site
  Description: Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site.

If you deploy additional vSphere Replication servers, you must open the ports that vSphere Replication requires on those servers.

Table 2-3. Ports Used by the vSphere Replication Server

Port 902, TCP and UDP
  Source: vSphere Replication server in the vSphere Replication appliance
  Target: Remote ESXi host
  Description: Traffic between the vSphere Replication server and the ESXi hosts on the same site, specifically the traffic of the NFC service to the destination ESXi servers.

Port 5480, HTTPS
  Source: Browser
  Target: vSphere Replication server
  Description: Administrator's Web browser.

Port 8123, SOAP
  Source: vSphere Replication Management server
  Target: vSphere Replication server
  Description: Intra-site management traffic from the vSphere Replication appliance or vSphere Replication Management server to the vSphere Replication servers.

Port 31031
  Source: ESXi host at the source site
  Target: vSphere Replication server
  Description: Initial and outgoing replication traffic from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site.
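The port tables are only useful if the firewalls between the sites actually permit every listed flow. The following script is an added example, not part of the VMware guide: it encodes the flows from Table 2-2 and Table 2-3 as data and reports which of them a given allow-list does not cover. Two assumptions are this example's own, not statements from the guide: flows whose protocol column names an application protocol (HTTP, HTTPS, SOAP) are treated as TCP, and port 31031, for which the guide lists no protocol, is also treated as TCP. The `SAMPLE_ALLOWED` policy is constructed for the demonstration.

```python
"""Added example (not part of the VMware guide): compare the documented vSphere
Replication port tables against a firewall allow-list and report uncovered flows."""

# Flows from Table 2-2 and Table 2-3. Protocol strings are kept as the guide writes them.
REQUIRED_FLOWS = [
    # (source, target, port spec, protocol column)
    ("vSphere Replication appliance", "Remote vCenter Server", "80", "TCP"),
    ("vSphere Replication server", "Remote ESXi host", "80", "HTTP"),
    ("vSphere Replication server", "Remote ESXi host", "902", "TCP and UDP"),
    ("Browser", "vSphere Replication appliance", "5480", "HTTPS"),
    ("vCenter Server proxy", "vSphere Replication appliance", "8043", "SOAP"),
    ("vSphere Replication appliance", "vSphere Replication server", "8123", "SOAP"),
    ("vSphere Web Client (source site)", "vCenter Server Inventory Service (target site)", "10443", "HTTPS"),
    ("ESXi host (source site)", "vSphere Replication server (target site)", "31031", ""),
]

# Assumption of this example: these application protocols ride on TCP, and an empty
# protocol column (port 31031) is also taken to mean TCP.
TCP_BASED = {"TCP", "HTTP", "HTTPS", "SOAP", "REST over HTTPS", ""}


def expand_ports(spec):
    """'80' -> [80]; a range such as '10000-10010' (Table 2-4 style) -> every port in it."""
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return list(range(lo, hi + 1))
    return [int(spec)]


def transports(protocol):
    """Map the guide's protocol column to the L4 transports a firewall rule must name."""
    if protocol == "TCP and UDP":
        return {"tcp", "udp"}
    if protocol in TCP_BASED:
        return {"tcp"}
    raise ValueError(f"unrecognised protocol column value: {protocol!r}")


def required_rules(flows=REQUIRED_FLOWS):
    """Flatten the table into the set of (port, transport) pairs that must be allowed."""
    rules = set()
    for _src, _dst, spec, proto in flows:
        for port in expand_ports(spec):
            for transport in transports(proto):
                rules.add((port, transport))
    return rules


def missing_rules(allowed, flows=REQUIRED_FLOWS):
    """Return documented flows not covered by `allowed`, a set of (port, transport) pairs,
    as (source, target, port, transport) tuples sorted by port for stable output."""
    missing = []
    for src, dst, spec, proto in flows:
        for port in expand_ports(spec):
            for transport in transports(proto):
                if (port, transport) not in allowed:
                    missing.append((src, dst, port, transport))
    return sorted(missing, key=lambda m: (m[2], m[3]))


# Constructed sample allow-list: it forgot UDP 902 and the 31031 replication port.
SAMPLE_ALLOWED = {(80, "tcp"), (902, "tcp"), (5480, "tcp"), (8043, "tcp"),
                  (8123, "tcp"), (10443, "tcp")}

if __name__ == "__main__":
    for src, dst, port, transport in missing_rules(SAMPLE_ALLOWED):
        print(f"missing: {transport}/{port}  {src} -> {dst}")
```

Feed `missing_rules` the (port, transport) pairs exported from your real policy; a non-empty result is the list of flows that will fail at deployment time, with the source and target from the guide attached so the rule can be written correctly.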

When you create a connection to the cloud, the vCloud Tunneling Agent in the vSphere Replication appliance creates a tunnel to secure the transfer of replication data to your cloud organization.

Table 2-4. Ports Required for Cloud Replications

Port 80, TCP
  Source: The ESXi host at the source site
  Destination: The vCenter Server at the source site
  Description: The vCenter Server reverse proxy forwards the VIB (vCloud Air Disaster Recovery firewall rules) download request to the vSphere Replication appliance.

Port 443, REST over HTTPS
  Source: The vSphere Replication appliance at the source site
  Destination: vCloud API
  Description: The vSphere Replication appliance connects to this port to send replication data to a cloud organization.

Ports 10000-10010, TCP
  Source: The ESXi host at the source site
  Destination: The vSphere Replication appliance at the source site
  Description: The vCloud Tunneling Agent opens one of these ports on the vSphere Replication appliance. ESXi hosts connect to that port to send replication data to a cloud organization.

Open Source and Third-Party Components

For the complete text of the open source licenses, a list of all open source and third-party components, and the open source code used in vSphere Replication, go to http://www.vmware.com/download/open_source.html and see the VMware Open Source and Licenses section under the VMware vSphere Open Source link. If a certain open source license requires it, the Open Source Disclosure Package (ODP) contains text files with instructions on how to build and replace the software libraries.

Configuration Files

Some configuration files contain settings that affect the security of vSphere Replication.

NOTE: All security-related resources are protected with the correct permissions and ownership. Do not change the ownership or permissions of these files.

/opt/vmware/hms/conf/hms-configuration.xml
  The default system configuration of the vSphere Replication Management server.

/opt/vmware/hms/conf/embedded_db.cfg
  The configuration file for the embedded database.
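The note above says the security-related files ship with the correct ownership and permissions, so a periodic check that they still have them is a cheap way to catch drift. The script below is an added example, not part of the VMware guide; it audits the configuration files listed here together with the key, certificate and keystore files from the next section. Because the guide does not publish the expected modes, the rule it applies is this example's assumption: secret material (private key, keystores, configuration files) must not be readable or writable by group or others, the public certificate must not be writable by group or others, and everything must be owned by root. `build_sample_tree` creates a constructed test tree so the check can be run offline; `root=` lets the same check run against a mounted appliance image.

```python
"""Added example (not part of the VMware guide): ownership and permission audit for the
security-related files the vSphere Replication Security Guide lists."""
import os
import stat
import tempfile

# Paths from the Configuration Files and Private Key, Certificate, and Keystore sections.
SECRET_FILES = [
    "/opt/vmware/hms/conf/hms-configuration.xml",
    "/opt/vmware/hms/conf/embedded_db.cfg",
    "/etc/vmware/ssl/hbrsrv.key",
    "/opt/vmware/hms/security/hms-keystore.jks",
    "/opt/vmware/hms/security/hms-truststore.jks",
]
PUBLIC_FILES = ["/etc/vmware/ssl/hbrsrv.crt"]  # a certificate is public but must not be writable


def audit_file(path, secret, expected_uid=0):
    """Return a list of findings for one file; an empty list means nothing was flagged."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["missing"]
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink")  # a swapped-in link could redirect the service elsewhere
    if st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != {expected_uid}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"writable by group or others (mode {mode:04o})")
    if secret and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"secret file accessible by group or others (mode {mode:04o})")
    return findings


def audit_tree(root="/", expected_uid=0):
    """Audit every listed file under `root`; return {path: [findings]} for flagged files only."""
    report = {}
    for rel, secret in [(p, True) for p in SECRET_FILES] + [(p, False) for p in PUBLIC_FILES]:
        findings = audit_file(os.path.join(root, rel.lstrip("/")), secret, expected_uid)
        if findings:
            report[rel] = findings
    return report


def build_sample_tree():
    """Constructed sample (assumption of this example, not an appliance image): a temp tree
    with two clean files, two mis-permissioned files and one missing file.
    Returns (root, owner uid) so the caller can audit against the creating user."""
    root = tempfile.mkdtemp(prefix="hms-audit-")
    sample_modes = {
        "/etc/vmware/ssl/hbrsrv.key": 0o600,                  # clean
        "/etc/vmware/ssl/hbrsrv.crt": 0o644,                  # clean: public, not writable
        "/opt/vmware/hms/conf/hms-configuration.xml": 0o600,  # clean
        "/opt/vmware/hms/conf/embedded_db.cfg": 0o644,        # world-readable secret
        "/opt/vmware/hms/security/hms-keystore.jks": 0o640,   # group-readable secret
        # hms-truststore.jks deliberately absent -> "missing"
    }
    for rel, mode in sample_modes.items():
        full = os.path.join(root, rel.lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
        os.chmod(full, mode)
    return root, os.getuid()


if __name__ == "__main__":
    sample_root, owner = build_sample_tree()
    for path, findings in sorted(audit_tree(root=sample_root, expected_uid=owner).items()):
        print(f"{path}: {'; '.join(findings)}")
```

On a live appliance run `audit_tree()` with the defaults (root filesystem, uid 0); any finding is a reason to investigate before trusting the file, never a reason to chmod it back on the spot without understanding how it changed.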

Private Key, Certificate, and Keystore

The private key, the certificate, and the keystore of vSphere Replication are located on the virtual appliance.

NOTE: All security-related resources are protected with the correct permissions and ownership. Do not change the ownership or permissions of these files.

/etc/vmware/ssl/hbrsrv.crt
/etc/vmware/ssl/hbrsrv.key
/opt/vmware/hms/security/hms-keystore.jks
/opt/vmware/hms/security/hms-truststore.jks

License and EULA File

The end-user license agreement (EULA) and open source license files are located in the virtual appliance.

Open Source License
  /usr/share/doc/vmware-vspherereplication/open_source_license

VMware Postgres License
  /usr/share/doc/vmware-vspherereplication/vmware_postgres_9.3.6.0_open_source_licenses.txt

Pivotal TC Server
  /usr/share/doc/vmware-vspherereplication/pivotal-tc-server-standard-opensource-licenses-3.1.0.release.txt

End-user license agreement
  /opt/vmware/etc/isv/eula/language_code/0

Log Files

The files that contain system messages are located in the virtual appliance.

/opt/vmware/hms/logs/hms-configtool.log
  Used to log errors that occurred during the Virtual Appliance Management Interface (VAMI) configuration.

/opt/vmware/hms/logs/hms.log, hms.n.log
  Used to track the runtime information of the vSphere Replication Management server. The most recent log file is labeled hms.log, and hms.n.log files contain older log messages. The file with the highest n value contains the oldest messages.

/opt/vmware/var/log/lighttpd/error.log
  The VAMI error log file. Used to track errors in the VAMI operations.

/var/log/vmware/
  The folder contains the vSphere Replication server log files. Used to track replication problems.

/var/log/boot.msg
  Used to track the startup process of the appliance.

Log Messages Related to Security

The /opt/vmware/hms/logs/hms.log file contains login and logout event messages, authorization error messages, and certificate verification error messages in the following format.

Login message

2015-03-23 15:54:05.558 DEBUG jvsl.security.authentication.sessionmap [tcweb-5] (..security.authentication.sessionmap) operationid=087657ec-ef0f-494c-9739-a4af62a5c049- HMS-1033 Adding new session to the session map:com.vmware.hms.security.authentication.hmsusersession@234f4bed:[ com.vmware.vim.binding.hms.usersession: key = site_...1b034, username = root, fullname = root, logintime =..., lastactivetime =..., hmsservers = null, locale = en, messagelocale = en ]

Logout message

15-03-23 15:54:05.585 INFO jvsl.security.authorization [tcweb-8] (..security.authorization.sessionauthorizer) HmsSessionManager.HmsSessionManagerLogout called on session-manager by root@/10.26.233.124:50776 with opid 43263a64-1681-4459- a921-1d9406308dc8-hms-1036

Authorization message

2015-06-25 16:10:35.994 INFO jvsl.security.authorization [tcweb-5] (..security.authorization.sessionauthorizer) Authorization for method "HmsRemoteSiteManager.HmsRemoteSiteManagerFindHmsServer" failed. (vim.fault.nopermission) { faultcause = null, faultmessage = null, object = MoRef: type = HmsRemoteSiteManager, value = site-manager, serverguid = 18327b1adac2-44d9-972e-fa9dd99fce47, privilegeid = HmsRemote.com.vmware.vcHms.Hms.View }

Certificate verification error message

2015-06-25 16:19:13.794 WARN jvsl.sessions [hms-main-thread-1] (..hms.net.serverregistryhms) Can not start HMS connection to remote site 'some-address.com' java.util.concurrent.executionexception: com.vmware.vim.vmomi.client.exception.sslexception: javax.net.ssl.sslhandshakeexception: com.vmware.vim.vmomi.client.exception.vlsicertificateexception: Server certificate chain is not trusted and thumbprint doesn't match
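Those four message formats are what a monitoring pipeline should pull out of hms.log: who logged in and out, which method a caller was denied and for which privilege, and which remote site failed certificate verification. The script below is an added example, not part of the VMware guide, that parses lines in the layout shown above and classifies them. The sample input is the four messages quoted above plus one constructed non-security line; the regular expressions are this example's reading of the quoted format and have been checked only against those samples.

```python
"""Added example (not part of the VMware guide): extract the security-related events
the guide says appear in /opt/vmware/hms/logs/hms.log."""
import re
from collections import Counter

# The four sample messages quoted in the guide (kept verbatim, "..." placeholders and
# all) plus one constructed line that is not a security event.
SAMPLE_HMS_LOG = [
    '2015-03-23 15:54:05.558 DEBUG jvsl.security.authentication.sessionmap [tcweb-5] (..security.authentication.sessionmap) operationid=087657ec-ef0f-494c-9739-a4af62a5c049- HMS-1033 Adding new session to the session map:com.vmware.hms.security.authentication.hmsusersession@234f4bed:[ com.vmware.vim.binding.hms.usersession: key = site_...1b034, username = root, fullname = root, logintime =..., lastactivetime =..., hmsservers = null, locale = en, messagelocale = en ]',
    '15-03-23 15:54:05.585 INFO jvsl.security.authorization [tcweb-8] (..security.authorization.sessionauthorizer) HmsSessionManager.HmsSessionManagerLogout called on session-manager by root@/10.26.233.124:50776 with opid 43263a64-1681-4459- a921-1d9406308dc8-hms-1036',
    '2015-06-25 16:10:35.994 INFO jvsl.security.authorization [tcweb-5] (..security.authorization.sessionauthorizer) Authorization for method "HmsRemoteSiteManager.HmsRemoteSiteManagerFindHmsServer" failed. (vim.fault.nopermission) { faultcause = null, faultmessage = null, object = MoRef: type = HmsRemoteSiteManager, value = site-manager, serverguid = 18327b1adac2-44d9-972e-fa9dd99fce47, privilegeid = HmsRemote.com.vmware.vcHms.Hms.View }',
    "2015-06-25 16:19:13.794 WARN jvsl.sessions [hms-main-thread-1] (..hms.net.serverregistryhms) Can not start HMS connection to remote site 'some-address.com' java.util.concurrent.executionexception: com.vmware.vim.vmomi.client.exception.sslexception: javax.net.ssl.sslhandshakeexception: com.vmware.vim.vmomi.client.exception.vlsicertificateexception: Server certificate chain is not trusted and thumbprint doesn't match",
    "2015-06-25 16:20:01.000 INFO jvsl.replication [hms-main-thread-2] (..hms.replication) Replication group sync completed",  # constructed
]

# Common prefix of every line: timestamp (the guide's logout sample has a two-digit
# year, so 2 to 4 digits are accepted), level, logger, [thread], (component), message.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{2,4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) (?P<logger>\S+) \[(?P<thread>[^\]]+)\] "
    r"\((?P<component>[^)]*)\) (?P<message>.*)$"
)


def parse_hms_line(line):
    """Split one hms.log line into its header fields; None if the line does not fit the layout."""
    m = HEADER_RE.match(line)
    return m.groupdict() if m else None


def classify(record):
    """Return a security event dict for a parsed record, or None when the line is not one
    of the four message types the guide describes."""
    if record is None:
        return None
    msg = record["message"]
    base = {"timestamp": record["ts"], "level": record["level"]}
    if "Adding new session to the session map" in msg:
        m = re.search(r"username = ([^,\s]+)", msg)
        return {**base, "kind": "login", "username": m.group(1) if m else None}
    if "HmsSessionManagerLogout" in msg:
        m = re.search(r"by ([^@\s]+)@/([\d.]+):(\d+)", msg)  # user@/client-ip:client-port
        return {**base, "kind": "logout",
                "username": m.group(1) if m else None,
                "client_ip": m.group(2) if m else None}
    m = re.search(r'Authorization for method "([^"]+)" failed', msg)
    if m:
        p = re.search(r"privilegeid = ([^\s}]+)", msg)
        return {**base, "kind": "authorization_failure",
                "method": m.group(1), "privilege": p.group(1) if p else None}
    if "certificate chain is not trusted" in msg or "vlsicertificateexception" in msg:
        s = re.search(r"remote site '([^']+)'", msg)
        return {**base, "kind": "certificate_error", "remote_site": s.group(1) if s else None}
    return None


def security_events(lines):
    """All security events found in an iterable of hms.log lines, in file order."""
    return [e for e in (classify(parse_hms_line(line)) for line in lines) if e]


def summarize(lines):
    """Count events per kind; a spike in authorization_failure or certificate_error is
    the signal to look at first."""
    return Counter(e["kind"] for e in security_events(lines))


if __name__ == "__main__":
    for event in security_events(SAMPLE_HMS_LOG):
        print(event)
    print(dict(summarize(SAMPLE_HMS_LOG)))
```

Because the guide says older messages rotate into hms.n.log with the highest n being the oldest, feed the files in descending n order and then hms.log to keep the event list chronological.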

User Accounts

You must set up a root account for vSphere Replication. The root account is used to access both the virtual appliance console and the Virtual Appliance Management Interface (VAMI). vSphere Replication currently uses the root account as the administrator of the VAMI. No other user is created.

When you deploy the virtual appliance, you set the password for the root account in the OVF Deployment wizard. The root password must be at least 8 characters long.

Privileges Assigned to Default User Roles

vSphere Replication includes a set of roles. Each role includes a set of privileges, which allow users with those roles to complete different actions. See the topic Roles and Permissions in the vSphere Replication Administration Guide.

Security Updates and Patches for vSphere Replication

The vSphere Replication virtual appliance uses SUSE Linux Enterprise Server 11 (x86_64), version 11, Service Pack 3 as the guest operating system. You can apply the latest security update or patch by using the corresponding ISO file. Before you apply an update or patch to the guest operating system, take into account the dependencies. See Services, Ports, and External Interfaces that the Virtual Appliance Uses, on page 7.

To receive the latest security announcements, you can subscribe to the VMware Security Announcements mailing list at http://lists.vmware.com/.


