OpenManage Integration for VMware vCenter version 5.2 Security Configuration Guide October 2020 Rev.
Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2010 - 2020 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Figures
Tables
Chapter 1: PREFACE
Chapter 2: Deployment models
Chapter 4: Miscellaneous Configuration and Management
  OpenManage Integration for VMware vCenter (OMIVV) licensing
  Protect authenticity and integrity
  Manage backup and restore in OMIVV

Figures
1 Security Controls Map
2 Security error message

Tables
1 Revision History
2 Privilege groups
3 Preloaded accounts
1 PREFACE

As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information about product features. Contact your Dell EMC technical support professional if a product does not function properly or does not function as described in this document.
2 Deployment models

You can deploy OpenManage Integration for VMware vCenter (OMIVV) as an OVF in a VMware vCenter environment.

Topics:
• Open Virtualization Format (OVF) deployment
• Security profiles

Open Virtualization Format (OVF) deployment

If you have a VMware vSphere virtual machine environment, it is recommended that you deploy OMIVV as an Open Virtualization Format (OVF).
3 Product and Subsystem Security

Topics:
• Security controls map
• Authentication
• Login security settings
• Authentication types and setup considerations
• User and credential management
• Network security
• Data security
• Cryptography
• Auditing and logging
• Serviceability
• OMIVV OS update
• Product code integrity

Security controls map

OMIVV performs deployment, inventory, and update of PowerEdge servers using iDRAC and receives SNMP traps from iDRAC.
Authentication

Access control

Access control settings provide protection of resources against unauthorized access. OMIVV plug-in pages are accessed by VMware vCenter users with appropriate roles and privileges configured in VMware vCenter. OMIVV administration console access is given to the OMIVV appliance admin account.
Local user account lockout

After 6 consecutive failed attempts to log in to the local user account, OMIVV temporarily locks out the user for a period of one minute.

Automatic session timeout

Idle browser session timeout

By default, after 15 minutes of inactivity, the OMIVV session times out and you are automatically logged out.

Authentication types and setup considerations

vCenter user authentication

OMIVV depends on vCenter authentication for access to plug-in pages.
c. In the Verify Password box, enter the password again.
d. Select the Register vSphere Lifecycle Manager check box. Selecting the Register vSphere Lifecycle Manager check box allows you to use the vSphere Lifecycle Manager feature from vCenter 7.0 and later.
5. Click Register.

The following error message is displayed if vCenter registration fails: Could not contact the given vCenter server due to wrong credentials. Check the username and password.
● Alarms
  ○ Create alarm
  ○ Modify alarm
  ○ Remove alarm
● Extension
  ○ Register extension
  ○ Unregister extension
  ○ Update extension
● Global
  ○ Cancel task
  ○ Log event
  ○ Settings
● Health Update Provider
  ○ Register
  ○ Unregister
  ○ Update
● Host
  ○ CIM
    ■ CIM Interaction
● Host.
You can edit an existing role to assign the Dell privileges.

Steps
1. Log in to the vSphere Client (HTML-5) with administrative rights.
2. In vSphere Client (HTML-5), expand Menu, click Administration → Roles.
3. From the Roles provider drop-down list, select a vCenter server.
4. From the Roles list, select Dell-Operational, and then click PRIVILEGES.
5. To assign the Dell privileges, click the edit icon. The Edit Role page is displayed.
6.
Figure 2. Security error message

Access control authentication, authorization, and roles

To perform vCenter operations, OpenManage Integration for VMware vCenter uses the current user session of vSphere client and the stored administration credentials for the OpenManage Integration. The OpenManage Integration for VMware vCenter uses the vCenter server's built-in roles and privileges model to authorize user actions with the OpenManage Integration and the vCenter managed objects (hosts and clusters).
○ Check DRS status on clusters while configuring alerts/events settings
○ Reboot host after performing update or any other configuration action
○ Monitor vCenter tasks status/progress
○ Create vCenter tasks, for example firmware update task, host configuration task, and inventory task
○ Update vCenter task status/progress
○ Get host profiles
○ Add host to data center
○ Add host to cluster
○ Apply profile to host
○ Get CIM credentials
○ Configure hosts for compliance
○ Get the compliance ta
Table 3. Preloaded accounts

| User account | Description |
|---|---|
| OpenManage Integration for VMware vCenter administrator | The default user for OMIVV web application administration. |
| Read-only user | OMIVV provides a single default local read-only user account. The administrator can log in to OMIVV using the VM remote console only. This account can be used during troubleshooting to view critical appliance status and logs. |
| Linux operating system root | The root operating system account is not accessible. |
Authorization

The OMIVV appliance supports a single administrative user.
Table 5. Outbound ports

| Port number | Layer 4 Protocol | Service |
|---|---|---|
| 587 | TCP | SMTP |
| 636 | TCP, UDP | LDAPS |
| 902 | TCP | VMware ESXi |
| 2049 | TCP, UDP | NFS |
| 2052 | TCP, UDP | mountd, clearvisn |
| 3009 | TCP | Data Domain REST API |
| 5672 | TCP | RabbitMQ over amqp |
| 8443 | TCP | MCSDK (8443 is an alternative for 443) |
| 9002 | TCP | Data Protection Advisor REST API |
| 9443 | TCP | Avamar Management Console web service |

Inbound ports

The inbound ports that are available to be used by a remote system when connecting to OMIVV.
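The outbound rows of Table 5 above can be turned into an egress allowlist and used to flag traffic from the appliance that the table does not document. This is an added example, not code from the Dell guide; the flow-record format, the appliance address 10.0.0.50 and the sample flows are constructed assumptions, and only the table rows visible on this page are included.

```python
# Egress allowlist built from the outbound rows of Table 5 visible on this page.
# Record format, appliance address and sample flows are constructed assumptions.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")
APPLIANCE_IP = "10.0.0.50"  # assumed appliance address

# (port, protocol) -> service, copied from the visible rows of Table 5.
TABLE5_OUTBOUND = {
    (587, "tcp"): "SMTP",
    (636, "tcp"): "LDAPS", (636, "udp"): "LDAPS",
    (902, "tcp"): "VMware ESXi",
    (2049, "tcp"): "NFS", (2049, "udp"): "NFS",
    (2052, "tcp"): "mountd, clearvisn", (2052, "udp"): "mountd, clearvisn",
    (3009, "tcp"): "Data Domain REST API",
    (5672, "tcp"): "RabbitMQ over amqp",
    (8443, "tcp"): "MCSDK",
    (9002, "tcp"): "Data Protection Advisor REST API",
    (9443, "tcp"): "Avamar Management Console web service",
}

def parse_flow(line):
    """Parse one 'src dst dport proto' record (constructed format)."""
    src, dst, dport, proto = line.split()
    return Flow(src, dst, int(dport), proto.lower())

def audit_egress(lines, appliance=APPLIANCE_IP):
    """Split flows sent by the appliance into (documented, undocumented)."""
    documented, undocumented = [], []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        flow = parse_flow(line)
        if flow.src != appliance:
            continue  # inbound or unrelated traffic is out of scope here
        service = TABLE5_OUTBOUND.get((flow.dport, flow.proto))
        (documented if service else undocumented).append((flow, service))
    return documented, undocumented

SAMPLE_FLOWS = """\
# src dst dport proto (constructed sample)
10.0.0.50 10.0.0.10 587 TCP
10.0.0.50 10.0.0.11 636 tcp
10.0.0.50 10.0.0.12 902 udp
10.0.0.50 198.51.100.7 4444 tcp
10.0.0.20 10.0.0.50 9443 tcp
""".splitlines()

for flow, _ in audit_egress(SAMPLE_FLOWS)[1]:
    print(f"undocumented egress: {flow.dst}:{flow.dport}/{flow.proto}")
```

The 902/udp flow is flagged alongside the 4444/tcp one because Table 5 lists port 902 for TCP only, so the check has to match on protocol as well as port.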
The self-signed certificate is sufficient to establish an encrypted channel between web browsers and the server. The self-signed certificate cannot be used for authentication. You can use the following types of certificates for OMIVV authentication:
● A self-signed certificate
  OMIVV generates self-signed certificates when the hostname of the appliance changes.
● A certificate that is signed by a trusted certificate authority (CA) vendor.

NOTE: Consider company policies when creating certificates.
admin console. There is also a default certificate that is self-signed and can be used for secure communication; this certificate is unique to every installation.

Steps
1. On the APPLIANCE MANAGEMENT page, click Upload Certificate in the HTTPS CERTIFICATES area.
2. Click OK in the UPLOAD CERTIFICATE dialog box.
3. To upload the certificate, click Browse, and then click Upload.

To check the status, go to Event Console of vSphere Client of registered vCenters.
Serviceability

The support website https://www.dell.com/support provides access to licensing information, product documentation, advisories, downloads, and troubleshooting information. This information helps you to resolve a product issue before you contact the support team. Service personnel do not require a special login to OMIVV. If the troubleshooting bundle is not sufficient, the personnel can enable the root user to collect more information.
4 Miscellaneous Configuration and Management

Topics:
• OpenManage Integration for VMware vCenter (OMIVV) licensing
• Protect authenticity and integrity
• Manage backup and restore in OMIVV

OpenManage Integration for VMware vCenter (OMIVV) licensing

OMIVV has two types of licenses:
● Evaluation license: When the OMIVV appliance is powered on for the first time, an evaluation license is automatically installed. The trial version contains an evaluation license for five hosts (servers) managed by OMIVV.
Manage backup and restore in OMIVV

To protect OMIVV from a disaster scenario, it is recommended that you perform backups of OMIVV. If required, you can restore OMIVV from these backups. For more information about backup and restore, see the OMIVV User's Guide available at https://www.dell.com/support.