vRealize Air Compliance OVA Installation and Deployment Guide
14 July 2015
vRealize Air Compliance

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001718-00
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com

Copyright 2015 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents

1 VMware vRealize Air Compliance
2 Using the Initial Setup Wizard for vRealize Air Compliance
    Initial Setup Wizard
    User Scenario: Setting Up vRealize Air Compliance
3 Install and Deploy the vRealize Air Compliance Connect OVA
    Prepare to Monitor Your vCenter Server Instance
    Log in to vCenter Server and Deploy the OVA
    Verify that vCenter Server is Registered
1 VMware vRealize Air Compliance

vRealize Air Compliance is an application that monitors your VMware vSphere infrastructure, including your vCenter Server instance, data centers, clusters, hosts, virtual machines, and distributed port groups. It returns the results to your vRealize Air Compliance instance through a secure connection to your deployed service.

Virtual machine monitoring includes settings related to the virtual machines that vCenter Server manages. vRealize Air Compliance does not assess operating system settings that reside in guest machines.

You do not manage user accounts or credentials in vRealize Air Compliance, because the VMware vRealize Air portal manages user accounts and credentials to log in to the hosted application.
The vRealize Air Compliance Connect OVA is an on-premises OVA that you deploy in your environment. The OVA monitors changes made to your objects, gathers data about those objects, and assesses the compliance of those objects. The OVA is stateless, which means that it does not store the configuration of objects or compliance results, and does not require or store any credentials after deployment.

Connection Ports

The following ports are used between the vRealize Air Compliance Connect OVA and vCenter Server.
- Host service. Use HTTPS port 443.
- Local network to vCenter Server. Use ports 80, 443, 8085, 8089, 9443, 10109, 10443.

Supported Browsers

You must use one of the following browser versions.
- Current versions and the immediate previous versions of Chrome and Firefox (32-bit or 64-bit)
- Internet Explorer 10 or 11
2 Using the Initial Setup Wizard for vRealize Air Compliance

As a system administrator, when you first log in to vRealize Air Compliance, you must perform several steps in the Initial Setup wizard to download and deploy the vRealize Air Compliance Connect OVA, which is the on-premises client OVA, and generate a one-time key to use during deployment.

With the Initial Setup wizard, you can assign the available compliance standards and profiles globally to all of the objects in your environment so that you can begin to immediately assess those objects to ensure that they comply with your regulatory standards.

IMPORTANT If you are using a trial license, the standards and profiles assignment option is not available in the Initial Setup wizard.

After you set up your vRealize Air Compliance instance, users can log in to monitor and ensure compliance of your vCenter Server instance, data centers, clusters, hosts, virtual machines, and distributed port groups.

If you prefer to not use the Initial Setup wizard, or if you have already deployed one vRealize Air Compliance Connect OVA to establish the on-premises client, you can cancel the wizard and follow the manual steps. See Chapter 3, Install and Deploy the vRealize Air Compliance Connect OVA.

This chapter includes the following topics:
- Initial Setup Wizard
- User Scenario: Setting Up vRealize Air Compliance

Initial Setup Wizard

When you log in to your vRealize Air Compliance instance for the first time, the vRealize Air Compliance Connect OVA is not yet deployed, and the Initial Setup wizard appears. This wizard leads you through the steps to download and deploy the on-premises client. This wizard also appears on next login if you remove all of your on-premises clients.

Download the vRealize Air Compliance Connect OVA

As a system administrator, you first download the vRealize Air Compliance Connect OVA, which contains the vRealize Air Compliance on-premises client. Then you verify the SHA-1 hash.

If you are not aware of the prerequisite steps that you must perform before you deploy the OVA, see Chapter 3, Install and Deploy the vRealize Air Compliance Connect OVA.
Option / Description

Download the OVA
    The OVA contains the on-premises client that connects to the runtime services in the vRealize Air portal. The on-premises client integrates with your vCenter Server to run compliance assessments when changes occur on your objects.

Verify Hash
    The Initial Setup wizard displays the SHA-1 hash value of the OVA download so that you can verify the integrity of the OVA. The OVA that you download has the filename: vrac_client.ova
    You must verify the SHA-1 hash.
    - For Windows, click the link to view the knowledge base article on the Microsoft Support Web site for information on how to compute the MD5 or SHA-1 cryptographic hash values for a file.
    - For Linux and UNIX, run the command 'sha1sum {filename}'. For example: 'sha1sum myova.ova'. Although sha1sum is typically installed, be aware that specific versions of Linux might have different utilities installed.
    - For Mac, click the link to view the knowledge base article on the Apple Support Web site for information on how to verify a SHA-1 digest (checksum) for Mac OS X.

See Prepare to Monitor Your vCenter Server Instance.

Deploy the vRealize Air Compliance Connect OVA

Before you deploy the OVA, verify that you have performed the prerequisite steps. See Chapter 3, Install and Deploy the vRealize Air Compliance Connect OVA.

You can use the vSphere Web Client or the legacy vSphere Client to log in to your vCenter Server instance and deploy the OVA that you downloaded.

Option / Description

Deploy OVA
    You deploy the OVA to the vCenter Server instance that you intend to monitor.

One-Time Key
    You use the one-time key when you deploy the OVA. The key is valid for 24 hours. Highlight and right-click the one-time key to copy it.

Steps to Deploy the OVA
    When you deploy the OVA, you must enter the vRealize Air URL that you received in email for your deployed instance of vRealize Air Compliance. For example: https://home.vrealizeair.vmware.com/vrac/12345
    In the vSphere Web Client, you right-click your vCenter Server instance and select All vCenter Actions > Deploy OVF Template.
    1 Select the downloaded OVA named vrac_client.ova.
    2 Follow the prompts to deploy the OVA.

After you complete the wizard, you must verify that your vCenter Server is registered. See Verify that vCenter Server is Registered.

For more information about deploying the OVA, see the manual steps in Log in to vCenter Server and Deploy the OVA.

Set Up Your Compliance Needs

vRealize Air discovers objects in your environment based on your registered vCenter Server instances. When you have a standard or extended license, you can use the Initial Setup wizard to apply the standards and profiles to all discovered objects so that you can immediately begin to monitor and assess your objects for compliance.

With the standard license, you can apply vSphere Hardening Guide versions to all of your objects. With the extended license, you can apply additional compliance standards and profiles, such as HIPAA, PCI DSS, and more.
When you use the Initial Setup wizard to apply compliance standards and profiles to objects, those standards and profiles apply globally to all of the objects in your environment, including all of your vCenter Server instances and objects, and any new objects that are added.

For more information about licenses, see the vRealize Air Documentation Center.

User Scenario: Setting Up vRealize Air Compliance

As a virtual infrastructure administrator who is responsible for maintaining HIPAA compliance for the hosts and virtual machines in your vSphere 5.5 environment, you must monitor and assess those objects on a regular basis to ensure that they comply with all HIPAA regulatory standards. You are audited every three months to ensure that these objects maintain compliance.

In this scenario, you log in to your vRealize Air Compliance instance for the first time. The Initial Setup wizard appears, and you follow the wizard steps to download and deploy the vRealize Air Compliance Connect OVA, and verify that your vCenter Server is registered with vRealize Air Compliance.

You are required to ensure that vRealize Air Compliance continually assesses your hosts and virtual machines against a specific set of HIPAA compliance rules for your vSphere 5.5 environment. To ensure compliance of these objects, you apply the vSphere 5.5 version of HIPAA standards and profiles to your vCenter Server instance and all of your data centers, clusters, hosts, and virtual machines.

This scenario uses the vSphere Web Client to log in to your vCenter Server instance and deploy the OVA.

Prerequisites

- Verify that you performed the prerequisite steps. See Chapter 3, Install and Deploy the vRealize Air Compliance Connect OVA.
- Verify that you have an extended license for vRealize Air Compliance.
- Verify that you have the vRealize Air URL that you received in email for your deployed instance of vRealize Air Compliance.
Procedure

1 In the Initial Setup wizard, download the OVA and verify the SHA-1 hash.
    a Click Download the OVA.
    b To ensure the integrity of the OVA, follow the prompts to verify the SHA-1 hash, then click Next.
2 Deploy the OVA.
    a Highlight the one-time key, right-click, and select Copy so that you can use the key when you deploy the OVA.
    b Log in to the vSphere Web Client.
    c Right-click your vCenter Server and select All vCenter Actions > Deploy OVF Template.
    d Follow the prompts to select the OVA that you downloaded, enter the one-time key and your vRealize Air URL, and deploy the OVA.
3 To enforce compliance for your vSphere 5.5 environment so that it meets HIPAA requirements, apply the HIPAA standards to all of the objects that vRealize Air Compliance discovers for your registered vCenter Server instance.
    a Click Apply selected profiles to all discovered objects now.
    b Expand HIPAA for vSphere 5.5.
    c Select the HIPAA Compliance Configuration check box.
    d Click Finish.
You have applied the HIPAA compliance standards to all of the discovered objects in your vSphere 5.5 environment based on your registered vCenter Server instance. vRealize Air Compliance immediately starts to assess all objects against the vSphere 5.5 HIPAA compliance standards, and displays the compliance scores for your objects on the Summary tab.

What to do next

Monitor your vCenter Server instance, data centers, clusters, hosts, virtual machines, and distributed virtual port groups on a regular basis to ensure compliance with your regulatory standards.

For more information about the compliance standards and profiles, or to create your own, see the vRealize Air Compliance Documentation Center.
3 Install and Deploy the vRealize Air Compliance Connect OVA

To prepare to deploy the vRealize Air Compliance Connect OVA in your environment, you must perform the prerequisite steps and tasks.

If you use the Initial Setup wizard instead of the manual steps to deploy the OVA, use these prerequisite steps and the instructions in Chapter 2, Using the Initial Setup Wizard for vRealize Air Compliance.

Prerequisites

Verify that these prerequisites are met before you deploy the OVA.
- Verify that the user who deploys the OVA is a vCenter Server Administrator.
- Verify that the OVA can access the vCenter Server instance and the outbound HTTPS service. If you require a proxy, you can configure it and other authenticated proxies when you deploy the OVA.
- Verify that you can connect to the vCenter Server instance.
- Verify that you can connect to the proxy instance if you use one.
- For your network configuration, verify that you can connect to the vSphere SDK locally.
- Verify the network information to connect to the OVA.
- If you use an authenticated proxy, verify that you have a service account.
- If you intend to use a static IP address instead of DHCP for the OVA network configuration, identify all of your network information, including the IP address, subnet mask, default gateway, and DNS servers, and have this information available before you start to deploy the OVA.
- Verify that the OVA and the vCenter Server point to the same NTP servers for time synchronization. All times are UTC. You can use VMware Tools to synchronize the time if the host system has NTP properly configured.
- Understand the vRealize Air Compliance Connect OVA, connection ports, and supported browsers. See Chapter 1, VMware vRealize Air Compliance.

This chapter includes the following topics:
- Prepare to Monitor Your vCenter Server Instance
- Log in to vCenter Server and Deploy the OVA
- Verify that vCenter Server is Registered
Prepare to Monitor Your vCenter Server Instance

You must deploy the vRealize Air Compliance Connect OVA to the vCenter Server instance that you intend to monitor with vRealize Air Compliance.

After you connect to the vRealize Air portal and download the OVA, if no other vCenter Server instances are registered, you can use the Initial Setup wizard to deploy the OVA. Otherwise, use the steps in the following procedure to deploy the OVA.

Prerequisites

- Understand the requirements to install and deploy the vRealize Air Compliance Connect OVA. See Chapter 3, Install and Deploy the vRealize Air Compliance Connect OVA.
- Have your vRealize Air URL and login credentials available to log in to the vRealize Air portal. The credentials were provided when you registered.
- Verify that you did not use the Initial Setup wizard to download the OVA. See Initial Setup Wizard.

Procedure

1 In your browser, enter the vRealize Air URL that you received in email for your deployed instance of vRealize Air Compliance. For example: https://home.vrealizeair.vmware.com/vrac/12345.
2 Use the login credentials in the email that you received to log in to your vRealize Air Compliance instance.
3 Click Administration, and click Registrations.
4 In the Download On-Premises Client pane, click Download the OVA.
5 Verify the SHA-1 hash.
    Option / Action
    - Windows: See the knowledge base article on the Microsoft Support Web site for information about how to compute the MD5 or SHA-1 cryptographic hash values for a file.
    - Linux and UNIX: Run the command 'sha1sum {filename}'. For example: 'sha1sum myova.ova'. Although sha1sum is typically installed, be aware that specific versions of Linux might have different utilities installed.
    - Mac: See the knowledge base article on the Apple Support Web site for information about how to verify a SHA-1 digest (checksum) for Mac OS X.
6 During the OVA download, click Generate one-time key.
7 Write down the one-time key or copy it to the clipboard, so that you can use it when you deploy the OVA and register the vCenter Server instance with vRealize Air Compliance.

What to do next

Next you will log in to your vCenter Server instance and deploy the OVA.

Log in to vCenter Server and Deploy the OVA

You can use the vSphere Web Client or the legacy vSphere Client to log in to your vCenter Server instance. The process to install and deploy the OVA, which uses the Deploy OVF Template wizard, differs depending on which client you use.

The OVA includes the virtual machine that hosts the vRealize Air Compliance on-premises client.
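The SHA-1 check required in step 5 of the download procedure and in the Initial Setup wizard can be scripted before you deploy; the following is an added shell example, not part of the VMware guide. It uses whichever of sha1sum, shasum, or openssl is installed, because the guide notes that utilities differ between systems. The function names are hypothetical, and the expected value is the hash that the wizard displays for your download.

```shell
#!/bin/sh
# Added example, not VMware code. Function names are hypothetical.
# Compares the SHA-1 of a downloaded OVA with the value shown in the
# Initial Setup wizard. Exit status: 0 match, 1 mismatch, 2 unusable input.

# Print the lowercase hex SHA-1 of a file, using whichever tool exists.
# Reading from stdin avoids the escaped output sha1sum uses for odd filenames.
sha1_of() {
    [ -f "$1" ] && [ -r "$1" ] || { echo "cannot read file: $1" >&2; return 2; }
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then      # macOS, some BSDs
        shasum -a 1 < "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -sha1 -r < "$1" | awk '{print $1}'
    else
        echo "no SHA-1 utility found (sha1sum, shasum, openssl)" >&2
        return 2
    fi
}

# Normalize a pasted hash: drop spaces, colons and line endings, lowercase
# the hex letters, then require exactly 40 hex digits.
normalize_sha1() {
    h=$(printf '%s' "$1" | tr -d ' \t\r\n:' | tr 'A-F' 'a-f')
    case $h in
        *[!0-9a-f]*) return 1 ;;
    esac
    [ "${#h}" -eq 40 ] || return 1
    printf '%s\n' "$h"
}

# verify_ova FILE EXPECTED_SHA1
verify_ova() {
    expected=$(normalize_sha1 "$2") || {
        echo "expected value is not a 40-digit SHA-1 hash" >&2
        return 2
    }
    actual=$(sha1_of "$1") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 matches $expected"
        return 0
    fi
    # A mismatch means the file is not the one the wizard described:
    # do not deploy it, download it again.
    echo "MISMATCH: $1" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Command-line use: sh <this script> vrac_client.ova <hash from the wizard>
if [ "$#" -eq 2 ]; then
    verify_ova "$1" "$2"
    exit $?
fi
```

The result is only as trustworthy as the source of the expected value, so copy the hash from the wizard page in your authenticated HTTPS session rather than from a file stored beside the download.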
Prerequisites

- Prepare to monitor your vCenter Server. See Prepare to Monitor Your vCenter Server Instance.
- In vRealize Air Compliance, verify that the OVA download is finished.
- Verify that the user who deploys the OVA has the vCenter Service Extensions added to their account. Otherwise, the deployment will fail.

Procedure

1 From the vSphere Web Client, log in to your vCenter Server instance.
2 Select the vCenter Server instance where you will deploy the OVA.
3 Right-click the vCenter Server instance in the navigation tree, and click All vCenter Actions > Deploy OVF Template.
4 Enter the required information to deploy the OVA template.
    a Select the source for the downloaded OVA. The filename of the downloaded OVA is vrac_client.ova.
    b Review the details and accept the EULA.
    c Enter a name and destination for the deployed template, and a resource to run it.
    d Select the location to store the deployed template. You can use thin provisioning because the OVA has one CPU, 4 GB RAM, and 10 GB of disk space.
    e Select a network for the OVA to use.
5 On the Customize template wizard page, provide the information to customize the template.
    Option / Description
    - vrac Registration Key: Paste the one-time key.
    - vrac IP/Hostname: Enter the vRealize Air Compliance instance URL that you received when you registered.
    - If you use an HTTP proxy: Enter the proxy host and port, and the proxy user name and password. The format for the proxy and port is: http://host:port
    - If you use a static IP address for your network: Enter the network information under Networking Properties.
6 Verify that the vService bindings are set to use the vCenter Extension Service. The user right or privilege is used to register the vCenter Server due to the secure key exchange, but is not used after the OVA is deployed.
7 On the Ready to complete wizard page, select the Power on after deployment check box to power on the client machine deployed by the OVA.
8 Click Finish to finish the deployment and power on the vRealize Air Compliance client virtual machine.
Verify that vCenter Server is Registered

You must verify that your vCenter Server is registered with vRealize Air Compliance so that vRealize Air Compliance can run compliance assessments on the objects in your environment.

Prerequisites

Log in to vCenter Server and deploy the OVA to your environment. See Log in to vCenter Server and Deploy the OVA.

Procedure

1 In your vRealize Air Compliance instance, click Administration.
2 Click Registrations, and verify that your vCenter Server instance appears in the list of registered vCenter Server instances.

After the OVA is deployed and the client virtual machine is started, vRealize Air Compliance displays the assessment results for your vSphere infrastructure immediately.

By default, vRealize Air Compliance applies the profile named All Rules from the VMware vSphere Hardening Guide standard to your vCenter Server. The version of the standard applied is based on your version of vCenter Server. If vRealize Air Compliance detects a 5.0 version of vCenter Server, it applies the 5.0 standard.

What to do next

In vRealize Air Compliance, click an object in the navigation tree and verify that assessment results appear. If assessment results do not appear after five minutes, verify that the status of your vCenter Server indicates that vRealize Air Compliance is active in Administration > Registrations. If the status is not Active, contact VMware Customer Support.