OpenManage Integration for VMware vCenter version 5.2 Security Configuration Guide October 2020 Rev.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2010 - 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.

Contents

Figures
Tables
Chapter 1: PREFACE
Chapter 2: Deployment models
Chapter 4: Miscellaneous Configuration and Management
  OpenManage Integration for VMware vCenter (OMIVV) licensing
  Protect authenticity and integrity
  Manage backup and restore in OMIVV

Figures

1 Security Controls Map
2 Security error message

Tables

1 Revision History
2 Privilege groups
3 Preloaded accounts
1 PREFACE

As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information about product features. Contact your Dell EMC technical support professional if a product does not function properly or does not function as described in this document.
2 Deployment models

You can deploy OpenManage Integration for VMware vCenter (OMIVV) as an OVF in a VMware vCenter environment.

Topics:
• Open Virtualization Format (OVF) deployment
• Security profiles

Open Virtualization Format (OVF) deployment

If you have a VMware vSphere virtual machine environment, it is recommended that you deploy OMIVV as an Open Virtualization Format (OVF).
3 Product and Subsystem Security

Topics:
• Security controls map
• Authentication
• Login security settings
• Authentication types and setup considerations
• User and credential management
• Network security
• Data security
• Cryptography
• Auditing and logging
• Serviceability
• OMIVV OS update
• Product code integrity

Security controls map

OMIVV performs deployment, inventory, and update of PowerEdge servers using iDRAC and receives SNMP traps from iDRAC.
Authentication

Access control

Access control settings provide protection of resources against unauthorized access. OMIVV plug-in pages are accessed by VMware vCenter users with appropriate roles and privileges configured in VMware vCenter. OMIVV administration console access is given to the OMIVV appliance admin account.
Local user account lockout

After 6 consecutive failed attempts to log in to the local user account, OMIVV temporarily locks out the user for a period of one minute.

Automatic session timeout

Idle browser session timeout

By default, after 15 minutes of inactivity, the OMIVV session times out and you are automatically logged out.

Authentication types and setup considerations

vCenter user authentication

OMIVV depends on vCenter authentication for access to plug-in pages.
   b. In the Password box, enter the password.
   c. In the Verify Password box, enter the password again.
   d. Select the Register vSphere Lifecycle Manager check box.
      Selecting the Register vSphere Lifecycle Manager check box allows you to use the vSphere Lifecycle Manager feature from vCenter 7.0 and later.
5. Click Register.

The following error message is displayed if vCenter registration fails:

Could not contact the given vCenter server due to wrong credentials. Check the username and password.
Required privileges for non-administrator users

To register OMIVV with vCenter, a non-administrator user must have the following privileges. When a non-administrator user registers a vCenter server with OMIVV, a message is displayed if these privileges are not assigned:

● Alarms
  ○ Create alarm
  ○ Modify alarm
  ○ Remove alarm
● Extension
  ○ Register extension
  ○ Unregister extension
  ○ Update extension
● Global
  ○ Cancel task
  ○ Log event
  ○ Settings
● Health Update Provider
  ○ Register
  ○ Unregister
  ○ U
NOTE: If a vCenter server is registered by a non-administrator user, that user must have Dell privileges to access any OMIVV features. For more information about assigning Dell privileges, see Assign Dell privileges to existing role.

Assign Dell privileges to existing role

About this task

If specific pages of OMIVV are accessed when no Dell privileges are assigned to the logged-in user, the 2000000 error is displayed.
A secure Administration Console session has a 15-minute idle time-out, and the session is only valid in the current browser window or tab. If you try to open the session in a new window or tab, a security error is displayed that asks for a valid session. This action also prevents the user from clicking any malicious URL that can attack the Administration Console session.

Figure 2.
○ Post events/alerts to vCenter
○ Configure event settings on the event settings page
○ Restore default alerts on the event settings page
○ Check DRS status on clusters while configuring alerts/events settings
○ Reboot host after performing update or any other configuration action
○ Monitor vCenter tasks status/progress
○ Create vCenter tasks, for example firmware update task, host configuration task, and inventory task
○ Update vCenter task status/progress
○ Get host profiles
○ Add host to data
User and credential management

Preloaded accounts

The following table describes the preloaded OMIVV accounts:

Table 3. Preloaded accounts

User account | Description
OpenManage Integration for VMware vCenter administrator | The default user for OMIVV web application administration.
Read only user | OMIVV provides a single default local read only user account. The administrator can log in to OMIVV using the VM remote console only.
Steps

1. Open the OMIVV web console.
2. In the OpenManage Integration for VMware vCenter Virtual Appliance Setup utility, click Change Admin Password. Complete the instructions on the screen to set the password.
3. In the Current Password text box, enter the current admin password.
4. Enter a new password in the New Password text box.
5. Retype the new password in the Confirm New Password text box.
6. Click Change Admin Password.

Authorization

OMIVV appliance supports a single administrative user.
Table 5.
● Authentication
● Digital signatures

Manage certificate

OMIVV uses certificates for secure HTTP access (HTTPS). By default, OMIVV installs and uses a self-signed certificate for HTTPS secure transactions. For stronger security, it is recommended to use Certificate Authority (CA) signed or custom certificates. The self-signed certificate is sufficient to establish an encrypted channel between web browsers and the server. The self-signed certificate cannot be used for authentication.
Upload HTTPS certificate

Prerequisites

Ensure that the certificate uses the PEM format.

About this task

You can use the HTTPS certificates for secure communication with the OMIVV appliance and host systems or vCenter. To set up this type of secure communication, send the CSR certificate to a signing authority, and then upload the resulting CSR using the admin console.
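A pre-upload check for the file returned by the signing authority, covering the PEM prerequisite and the self-signed caveat described above. This is an added example using the openssl command line, not Dell code; the file names, subject names and the reject-self-signed policy are assumptions, and the sample CA and certificates are constructed on the fly.

```bash
#!/usr/bin/env bash
# Added example (not Dell code): checks to run on a certificate before uploading it.
# All file names and subject names below are hypothetical.

# Succeeds only if the file is a PEM-encoded X.509 certificate.
is_pem_cert() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
    openssl x509 -in "$1" -inform PEM -noout 2>/dev/null
}

# Succeeds if subject and issuer names are identical (treated here as self-signed).
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Succeeds if the certificate carries the same public key as the CSR that was sent out.
cert_matches_csr() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
    "$(openssl req -in "$2" -noout -pubkey)" ]
}

# check_upload CERT CSR: prints a verdict; returns 0 only if every check passes.
check_upload() {
  is_pem_cert "$1" || { echo "reject: not a PEM certificate"; return 1; }
  if is_self_signed "$1"; then echo "reject: self-signed"; return 2; fi
  cert_matches_csr "$1" "$2" || { echo "reject: key does not match CSR"; return 3; }
  echo "ok: PEM, CA-issued, matches CSR"
}

# Constructed sample material: throwaway CA, server key + CSR, CA-signed cert, DER copy.
make_samples() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=omivv.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/srv.pem" 2>/dev/null
  openssl x509 -in "$d/srv.pem" -outform DER -out "$d/srv.der"
  echo "$d"
}

s=$(make_samples)
check_upload "$s/srv.pem" "$s/srv.csr"            # CA-signed PEM that matches the CSR
check_upload "$s/srv.der" "$s/srv.csr" || true    # DER encoding is rejected
check_upload "$s/ca.pem"  "$s/srv.csr" || true    # self-signed certificate is rejected
rm -rf "$s"
```

The self-signed test compares subject and issuer names only; it does not validate the chain against a trust store.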
2. In the Troubleshooting Bundle dialog box, click CREATE. Depending on the size of the logs, creating the bundle may take some time.
3. To save the file, click DOWNLOAD.

Serviceability

The support website https://www.dell.com/support provides access to licensing information, product documentation, advisories, downloads, and troubleshooting information. This information helps you to resolve a product issue before you contact the support team. A special login to OMIVV is not required for service personnel.
4 Miscellaneous Configuration and Management

Topics:
• OpenManage Integration for VMware vCenter (OMIVV) licensing
• Protect authenticity and integrity
• Manage backup and restore in OMIVV

OpenManage Integration for VMware vCenter (OMIVV) licensing

OMIVV has two types of licenses:
● Evaluation license: when the OMIVV appliance is powered on for the first time, an evaluation license is automatically installed. The trial version contains an evaluation license for five hosts (servers) managed by OMIVV.
Manage backup and restore in OMIVV

To protect OMIVV from a disaster scenario, it is recommended that you perform backups of OMIVV. If required, you can restore OMIVV from these backups. For more information about backup and restore, see the OMIVV User's Guide available at https://www.dell.com/support.