OpenManage Integration for VMware vCenter version 5.3 Security Configuration Guide March 2021 Rev.
Notes, cautions, and warnings
NOTE: A NOTE indicates important information that helps you make better use of your product.
CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.
WARNING: A WARNING indicates a potential for property damage, personal injury, or death.
© 2010 - 2021 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.
Contents
Figures
Tables
Chapter 1: PREFACE
Chapter 2: Terms used in this document
  Product code integrity
Chapter 5: Miscellaneous Configuration and Management
  OpenManage Integration for VMware vCenter (OMIVV) licensing
  Protect authenticity and integrity
Figures
1 Security Controls Map
2 Security error message
Tables
1 Revision History
2 Terms used in this document
3 Privilege groups
1 PREFACE
As part of an effort to improve its product lines, Dell EMC periodically releases revisions of its software and hardware. Some functions that are described in this document might not be supported by all versions of the software or hardware currently in use. The product release notes provide the most up-to-date information about product features. Contact your Dell EMC technical support professional if a product does not function properly or does not function as described in this document.
2 Terms used in this document Table 2.
3 Deployment models
You can deploy OpenManage Integration for VMware vCenter (OMIVV) as an OVF in a VMware vCenter environment.
Topics:
• Open Virtualization Format (OVF) deployment
• Security profiles
Open Virtualization Format (OVF) deployment
If you have a VMware vSphere virtual machine environment, it is recommended that you deploy OMIVV as an Open Virtualization Format (OVF).
4 Product and Subsystem Security
Topics:
• Security controls map
• Authentication
• Login security settings
• Authentication types and setup considerations
• User and credential management
• Network security
• Data security
• Cryptography
• Auditing and logging
• Serviceability
• OMIVV OS update
• Product code integrity
Security controls map
OMIVV performs deployment, inventory, and update of PowerEdge servers using iDRAC and receives SNMP traps from iDRAC.
Authentication
Access control
Access control settings provide protection of resources against unauthorized access. OMIVV plug-in pages can be accessed by VMware vCenter users with appropriate roles and privileges configured in VMware vCenter. Access to the OMIVV administration console and RESTful APIs is given to the OMIVV appliance admin account.
Local user account lockout
After 6 consecutive failed attempts to log in to the local user account, OMIVV temporarily locks out the user for a period of one minute.
Automatic session timeout
Idle browser session timeout
By default, after 15 minutes of inactivity, the OMIVV session times out and you are automatically logged out.
b. In the Password box, enter the password.
c. In the Verify Password box, enter the password again.
d. Select the Register vSphere Lifecycle Manager check box.
   Selecting the Register vSphere Lifecycle Manager check box allows you to use the vSphere Lifecycle Manager feature from vCenter 7.0 and later.
5. Click Register.
The following error message is displayed if vCenter registration fails:
Could not contact the given vCenter server due to wrong credentials. Check the username and password.
Required privileges for non-administrator users
To register OMIVV with vCenter, a non-administrator user must have the following privileges:
While registering a vCenter server with OMIVV by a non-administrator user, a message is displayed if the following privileges are not assigned:
● Alarms
  ○ Create alarm
  ○ Modify alarm
  ○ Remove alarm
● Extension
  ○ Register extension
  ○ Unregister extension
  ○ Update extension
● Global
  ○ Cancel task
  ○ Log event
  ○ Settings
● Health Update Provider
  ○ Register
  ○ Unregister
  ○ U
Assign Dell privileges to existing role
About this task
If specific pages of OMIVV are accessed when no Dell privileges are assigned to the logged-in user, the 2000000 error is displayed. You can edit an existing role to assign the Dell privileges.
Steps
1. Log in to the vSphere Client (HTML-5) with administrative rights.
2. In vSphere Client (HTML-5), expand Menu, click Administration → Roles.
3. From the Roles provider drop-down list, select a vCenter server.
4.
Figure 2. Security error message
Access control authentication, authorization, and roles
To perform vCenter operations, OpenManage Integration for VMware vCenter uses the current user session of vSphere client and the stored administration credentials for the OpenManage Integration. The OpenManage Integration for VMware vCenter uses the vCenter server's built-in roles and privileges model to authorize user actions with the OpenManage Integration and the vCenter managed objects (hosts and clusters).
○ Restore default alerts on the event settings page
○ Check DRS status on clusters while configuring alerts/events settings
○ Reboot host after performing update or any other configuration action
○ Monitor vCenter tasks status/progress
○ Create vCenter tasks, for example firmware update task, host configuration task, and inventory task
○ Update vCenter task status/progress
○ Get host profiles
○ Add host to data center
○ Add host to cluster
○ Apply profile to host
○ Get CIM credentials
○ Co
Preloaded accounts
The following table describes the preloaded OMIVV accounts:
Table 4. Preloaded accounts
User account | Description
OpenManage Integration for VMware vCenter administrator | The default user for OMIVV web application administration.
Read only user. | OMIVV provides a single default local read only user account. The administrator can log into OMIVV using the VM remote console only. This account can be used during troubleshooting to view critical appliance status and logs.
3. In the Current Password text box, enter the current admin password.
4. Enter a new password in the New Password text box.
5. Retype the new password in the Confirm New Password text box.
6. Click Change Admin Password.
Authorization
The OMIVV appliance supports a single administrative user.
Table 6.
● Digital signatures
Manage certificate
OMIVV uses certificates for secure HTTP access (HTTPS). By default, OMIVV installs and uses a self-signed certificate for the HTTPS secure transactions. For stronger security, it is recommended to use Certificate Authority (CA) signed or custom certificates. The self-signed certificate is sufficient to establish an encrypted channel between web browsers and the server. The self-signed certificate cannot be used for authentication.
Upload HTTPS certificate
Prerequisites
Ensure that the certificate uses the PEM format.
About this task
You can use the HTTPS certificates for secure communication with OMIVV appliance and host systems or vCenter. To set up this type of secure communication, send the CSR certificate to a signing authority, and then upload the resulting CSR using the admin console.
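A pre-upload check for the PEM prerequisite above, written as an added example that is not part of the Dell guide or of OMIVV. It confirms that a file is text PEM containing a structurally intact CERTIFICATE block, and flags DER files, certificate requests, and private keys; it does not validate the signature or the chain. The names check_upload, der_sequence_ok, make_pem, and FAKE_DER are hypothetical, and treating a private key block as a problem is an assumption.

```python
import base64
import re

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.DOTALL)

def der_sequence_ok(der):
    """True if der is exactly one ASN.1 SEQUENCE whose length field matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short-form length
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold the length
        n = der[1] & 0x7F
        if not 1 <= n <= 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def check_upload(data):
    """Return a list of problems; an empty list means the file passed."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return ["binary file (possibly DER), not PEM"]
    blocks = PEM_BLOCK.findall(text)
    problems = []
    for label, body in blocks:
        if label.endswith("CERTIFICATE REQUEST"):
            problems.append("certificate request (CSR) block, not a certificate")
        elif label.endswith("PRIVATE KEY"):  # assumption: upload holds certificates only
            problems.append("private key block present")
        elif label == "CERTIFICATE":
            try:
                der = base64.b64decode("".join(body.split()), validate=True)
            except ValueError:
                der = b""
            if not der_sequence_ok(der):
                problems.append("CERTIFICATE block is corrupt or truncated")
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no PEM CERTIFICATE block found")
    return problems

def make_pem(label, der):
    """Wrap bytes in a PEM block; used only to build constructed samples."""
    b64 = base64.encodebytes(der).decode("ascii")
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode("ascii")

FAKE_DER = b"\x30\x82\x01\x00" + bytes(256)  # constructed placeholder, not a real certificate
```

To check a real file, pass its bytes, for example check_upload(open(path, "rb").read()), where path is the certificate returned by the signing authority.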
2. In the Troubleshooting Bundle dialog box, click CREATE.
   Depending on the size of the logs, creating the bundle may take some time.
3. To save the file, click DOWNLOAD.
The Dell EMC OMIVV Administration Console login page is displayed.
4. Log in to Dell EMC OMIVV Administration Console.
5. Download the troubleshooting bundle. For more information, see Generate and download the troubleshooting bundle on page 23.
5 Miscellaneous Configuration and Management
Topics:
• OpenManage Integration for VMware vCenter (OMIVV) licensing
• Protect authenticity and integrity
• Manage backup and restore in OMIVV
OpenManage Integration for VMware vCenter (OMIVV) licensing
OMIVV has two types of licenses:
● Evaluation license: when the OMIVV appliance is powered on for the first time, an evaluation license is automatically installed. The trial version contains an evaluation license for five hosts (servers) managed by OMIVV.
To ensure communication integrity, it is recommended to use a CA-signed certificate.
Manage backup and restore in OMIVV
To protect OMIVV from a disaster scenario, it is recommended that you perform backups of OMIVV. If required, you can restore OMIVV from these backups. For more information about backup and restore, see the OMIVV User's Guide available at https://www.dell.com/support.