ACE Management Server Administrator’s Manual
VMware ACE 2.6

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright © 2007–2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents

About This Book 7

1 Introduction 9
  Features of ACE Management Server 9
  System Requirements 10
    Required Hardware 10
    Supported Operating Systems 10
    Supported External Databases 10
    Supported Proxies 11
    Required Web Browsers 11
  Licensing 11

2 Planning an ACE Management Server Deployment 13
  Deployment Components 13
  Host System Options 14
    Windows Hosts 14
    Linux Hosts 14
    Server Appliance Option 14
  Database Options 15
  Active Directory Authentication Options 15
  Performing Capacity Planning 15
  Database T

4 Configuration Options for ACE Management Server 29
  Prerequisites for Configuring the Server 29
    Create Users and Groups for Integration with Active Directory 29
    Set Up an External Database 30
    Creating a System DSN Entry for an External Database 31
    Increase the Number of Database Connections Allowed 32
    Enable Database Connection Pooling on Linux 33
    Set Up a Connection Between the Server Appliance and an External Database
    Prepare Custom Security Certificates 33
  V

Appendix: Database Schema and Audit Event Log Data 55
  Using Database Reporting Tools 55
  Database Schema 55
  Querying the Audit Event Log Data 59

Glossary 63

Index 65
About This Book

This manual, the VMware ACE Management Server Administrator’s Manual, provides information about installing and using the VMware® ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:
- Manage activation of ACE packages.
- Manage authentication of those activated packages.
- Dynamically deliver policy updates to managed ACE instances.
VMware Professional Services

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment.
1 Introduction

The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.
ACE Management Server is easy to install and configure. Client traffic can be proxied by easily available products.

The server uses easily available software components:
- Apache Web server 2.0
- The default SQLite database store

The server setup uses industry-standard protocols:
- HTTPS and LDAP
- XML-RPC for message encapsulation

ACE Management Server offers extensibility and availability:
- You can create and use more than one ACE Management Server.
Supported External Databases

An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:
- For a Windows-based ACE Management Server – Microsoft SQL Server 2000 or higher; Oracle Database 10g

If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server.
2 Planning an ACE Management Server Deployment

This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices.
Figure 2-1.
Database Options

ACE Management Server offers the following database options:
- Embedded SQLite database – The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.
- ACE policy configuration
- Load balancers for very large deployments (more than 5,000 clients)

Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.

Table 2-1.
Network Bandwidth and Policy Update Frequency

The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.

Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes
Number of Clients    Bandwidth Required
100                  0.125 Mb/sec.
1,000                1.
Security Features and Considerations

By default, ACE Management Server uses the Secure Sockets Layer (SSL) protocol to provide encrypted and secure communications.
VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.
Deployment Planning Worksheet

Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.

Table 2-5. Worksheet for ACE Management Server in a Production Environment
Component                      Considerations                                                                          Decision
Active Directory integration   Performance is better when the ACE Management Server is installed on a Windows host.
3 Installing and Configuring ACE Management Server

This chapter includes the following topics:
- “Preparing for Installation” on page 21
- “Installing and Upgrading ACE Management Server” on page 22
- “Verify That the Apache Service Is Started or Restarted” on page 25
- “Start and Configure ACE Management Server” on page 26
- “Log In to ACE Management Server” on page 26

Preparing for Installation

Before you install ACE Management Server, you must plan your deployment.
Configure TLS in Your Browser

Transport Layer Security (TLS) must be configured on your Web browser to operate ACE Management Server.

To configure TLS in your browser

Depending on the type of browser, do one of the following:
- For an Internet Explorer browser:
  a Choose Tools > Internet Options > Advanced and scroll down to Security.
  b Select the Use TLS 1.0 check box and click OK.
- For a Mozilla browser:
  a Choose Tools > Options > Advanced.
3 Follow the prompts in the installation wizard.
4 If you are using a computer that has a firewall enabled and you see a message at the end of the installation asking whether you want to unblock the Apache service, choose Unblock. ACE Management Server does not work properly if you do not unblock the Apache service.

After ACE Management Server is installed, you can configure it. See “Start and Configure ACE Management Server” on page 26.
3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:
  a Open the following file with a text editor: /etc/sysconfig/apache2
  b Add the ldap config option to the APACHE_MODULES variable.
  c Save and close the file.

After ACE Management Server is installed, you can configure it. See “Start and Configure ACE Management Server” on page 26.
8
9 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  c Enter the appropriate command:
    To start the service if it is stopped, enter the following command:
    /etc/init.d/apache2 start
    To restart the service, enter the following commands:
    /etc/init.d/apache2 stop
    /etc/init.d/apache2 start

On Red Hat Enterprise Linux 4:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command: /etc/init.
3 Complete the information on each tab and click Next. The only fields that require changes and do not have default settings are the Serial Number field on the Licensing tab and the Administrator password on the Access Control tab. For information about specific fields and tabs, click Help on the tab.

Log In to ACE Management Server

The first time you log in to ACE Management Server, you must set a password.
3 Enter login credentials. If you use Active Directory for authentication, see Table 3-2. In multidomain environments, you might be required to enter a domain (for example, eng.com).
4 Configuration Options for ACE Management Server

After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.
To create users and groups for integration with Active Directory

1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying. Make a note of the sAMAccountName value for that user (for example, aceuser).
2 Create an ACE Administrators group in the domain.
3 Add ACE administrator users to the ACE Administrators group.
4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.
3
4 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:
  - TCP connectivity is enabled in the database configuration options.
  - The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.
Create a System DSN Entry for a Linux Database

On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in.

Before you begin, determine the correct ODBC driver:
- On Red Hat Enterprise Server, the driver is located at /usr/lib/libodbcpsql.so.
To increase the number of database connections allowed

1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of parallel threads or processes that might start at the same time.
2 Configure the database to allow as many connections as the Apache server. See your database documentation.
Prepare Custom Security Certificates

To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files. These files must be PEM encoded. After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL Certificates tab in the ACE Management Server Setup application.
The text that appears on the Start tab changes, depending on whether you have done an initial configuration:
- If this page says This server has not been configured yet, you must click Start to complete the configuration setup wizard.
- If this page says This server is configured, the Next and Previous wizard buttons do not appear. You can navigate to other tabs by clicking a tab.
Creating Access Control

On the Access Control tab, you can create a local Administrator role and Help Desk role or use Active Directory for authenticating users with these roles. Before you can configure the ACE Management Server to use a domain account for authentication, you must create users and groups so that ACE Management Server can connect to the LDAP server. See “Create Users and Groups for Integration with Active Directory” on page 29.
When you click Upload certificates, a summary page displays the files and locations you specify on this tab. Note the location of any backup files. You might need to use the backup if you find that the new file is invalid when you click Apply. See “Restore a Backup Copy of an SSL Certificate” on page 52.

After you upload custom SSL certificates, you must update any existing ACE-enabled virtual machines to use a new certificate and key file.
5 Load-Balancing Multiple ACE Management Server Instances

If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.
Typical Setup Using Load-Balanced ACE Management Server Instances

A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load-balancing group, the number of clients that you can serve scales linearly.
3 To verify that both ACE Management Server instances are working properly, start Workstation and connect to each ACE Management Server directly:
  a In Workstation, choose File > Connect to ACE Management Server.
  b Enter the IP or host name of the machine where ACE Management Server is installed, change the number in the Port field if necessary, and click OK.
Create New SSL Certificates and Keys for Each Server

If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server. If you plan to obtain SSL certificates from a certificate authority, you must create certificate chains. Figure 5-2 provides an overview of determining which certificates are included in a chain.

Figure 5-2.
3 Join all of the certificate chain files into one file. If you can, eliminate the duplicate entries.
4 Convert the server’s SSL certificates to PEM format.
5 Add the server’s SSL certificates in PEM format to the certificate chain file.
6 On the Custom SSL Certificates tab, upload the SSL certificate file, the SSL key file, and the certificate chain file:
  a Specify the key file in the Server Private Key field.
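Steps 3 to 5 above, together with the PEM requirement stated under “Prepare Custom Security Certificates”, carried out in Python as an added example that is not VMware's code: it pulls the CERTIFICATE blocks out of several chain files, drops duplicates, checks that each block body is valid base64 (so a DER file passed by mistake is rejected before upload), appends the server certificate and returns one canonical PEM chain. The sample file contents are constructed placeholders, not real certificates.

```python
import base64
import binascii
import re

# One PEM block: group 1 is the label (CERTIFICATE, RSA PRIVATE KEY, ...),
# group 2 the base64 body between the BEGIN and END lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_certificates(text):
    """Return the compacted base64 bodies of all CERTIFICATE blocks in text.

    Raises ValueError when no PEM block is present at all (typically a DER
    file uploaded by mistake) or when a certificate body is not valid base64.
    """
    blocks = PEM_BLOCK.findall(text)
    if not blocks:
        raise ValueError("no PEM block found; the file may be DER encoded")
    bodies = []
    for label, body in blocks:
        if label != "CERTIFICATE":  # keys and CRLs never belong in a chain file
            continue
        compact = "".join(body.split())
        try:
            base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError("certificate body is not valid base64") from exc
        bodies.append(compact)
    return bodies


def format_pem(body):
    """Wrap a compact base64 body into canonical 64-column PEM lines."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


def build_chain(chain_texts, server_cert_text):
    """Join several chain files, drop duplicate certificates, add the server cert.

    Returns (pem_text, certificate_count). Certificates keep the order in which
    they first appear; the server certificate is appended last (step 5).
    """
    seen, ordered = set(), []
    for text in chain_texts:
        for body in pem_certificates(text):
            if body not in seen:
                seen.add(body)
                ordered.append(body)
    server = pem_certificates(server_cert_text)
    if len(server) != 1:
        raise ValueError("server certificate file must hold exactly one certificate")
    if server[0] not in seen:
        ordered.append(server[0])
    return "".join(format_pem(b) for b in ordered), len(ordered)


def constructed_pem(payload):
    """Wrap constructed bytes as a PEM block; the body is NOT a real X.509 cert."""
    return format_pem(base64.b64encode(payload).decode("ascii"))


# Constructed sample input: two chain files from different CAs that both
# include the same root certificate, plus the server's own certificate.
ROOT_CA = constructed_pem(b"constructed root CA certificate")
INTERMEDIATE_A = constructed_pem(b"constructed intermediate CA A")
INTERMEDIATE_B = constructed_pem(b"constructed intermediate CA B")
SERVER_CERT = constructed_pem(b"constructed ACE Management Server certificate")
CHAIN_FILES = [INTERMEDIATE_A + ROOT_CA, INTERMEDIATE_B + ROOT_CA]
```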
6 Managing ACE Instances

After ACE Management Server is installed and configured, you can do the following:
- View ACE instances that are managed by a particular ACE Management Server.
- Revoke and re-enable an instance.
- Fix various problems with the ACE instances as reported by instance users.
Use the VMware ACE Help Desk Application

ACE administrators and help desk assistants can access ACE instances through the VMware ACE Help Desk Web application. You can use the Help Desk to reactivate an instance, change the instance’s expiration date, and reset a user password if it is lost or forgotten.

To use the VMware ACE Help Desk application

1 Open a Web browser and go to https://:8000.
To use the instance view in Workstation

1 From the Workstation menu bar, choose File > Connect to ACE Management Server.
2 Specify the fully qualified host name or the IP address and click OK. In most cases, the default port number does not need to be changed.
3 Complete the login window. Use the following information to help you complete the fields that appear in this window:
  - User Name and Password – Enter credentials for administering the ACE Management Server.
Sort by Column Heading and Change Column Width

You can reorder the instances in the table alphabetically or numerically, depending on the selected column’s contents, in ascending or descending order.

To sort by column heading and change column width

1 Click the column heading of the column to sort. Click again to re-sort in the opposite (ascending or descending) order.
2 To change column widths, click a column divider and drag it to a new width.
View Instance Details

The Instance Details page displays all of the same information shown on the summary page, and it includes information about the ACE instance’s policy settings. You can reactivate, deactivate, or change the expiration date from the Instance Details page, as you can from the summary page.
To change a copy protection ID

1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 Do one of the following:
  - In the VMware ACE Help Desk, replace the alphanumeric string in the Copy Protection ID field with a new ID and click the Save icon at the top of the page.
  - In Workstation, click the Policies tab, replace the copy protection ID with a new ID, and click OK.
7 Troubleshooting and Maintenance

This chapter includes the following topics:
- “Troubleshooting Configuration Problems” on page 51
- “Configuring Multiple ACE Management Server Instances to Use SSL” on page 53
- “Database Backup” on page 53

Troubleshooting Configuration Problems

Common configuration problems include resolving connection problems and port conflicts and resetting ACE administrator passwords.
3 Locate the section header for the Virtual Server configuration for port 443. This line looks similar to the following:
4 Change the port number in the section header to the desired port number. For example, to change to port 8443, change 443 to 8443.
5 Save the file.
6 Stop and start the Apache service. For instructions, see “Verify That the Apache Service Is Started or Restarted” on page 25.
To restore a backup copy of an SSL certificate

1 Navigate to the ACE Management Server directory where the backup is stored. The filenames use the following format: .-
Database Backup

If you are using an external database, use a backup and recovery strategy that is appropriate for your database system. Back up your ACE Management Server database on a regular basis to ensure that the database can be recovered promptly if needed.

If you are using the embedded database, you can use standard file-backup tools, such as ntbackup or dd. The data is stored in one of the following locations:
- Windows – C:\Program Files\VMware\VMware
Appendix: Database Schema and Audit Event Log Data

This appendix explains the format of the data stored in the database and the best ways to access this data. This appendix includes the following topics:
- “Using Database Reporting Tools” on page 55
- “Database Schema” on page 55
- “Querying the Audit Event Log Data” on page 59

Using Database Reporting Tools

You can use a third-party database management or reporting tool with the VMware ACE Management Server database.
ACE, Package, Instance, Access, and UserData records are never deleted from the database. They are marked as deleted with the deleted field set to TRUE, so that the previous information can be inspected for audit purposes.

The guest and host operating system portions of the ACE policy set are stored in the PolicyDb_RuntimePolicy table in respective fields as strings, if their size is less than 2000 bytes.
        DEFAULT 'FALSE' NOT NULL,          /* Limit number of instances for this ID? */
    accInstanceLimit INTEGER NOT NULL,     /* Max no.
    PRIMARY KEY(macPoolUID),
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* Instance customization data */
CREATE TABLE PolicyDb_UserData (
    userDataPK VARCHAR(516),        /* Primary key */
    aceUID VARCHAR(128),            /* ACE for which this UserData is defined */
    packageUID VARCHAR(128),        /* Package for which this UserData is used */
    activator VARCHAR(128),         /* The user */
    udataName VARCHAR(128),         /* User data entry name */
    udataType INTEGER NOT NULL,     /* Attribute of the da
    eventUID INTEGER,               /* Primary key of the table (sequential) */
    eventTs VARCHAR(21),            /* Timestamp of the event creation in uSec */
    loginName VARCHAR(128),         /* Login user name of the actor */
    aceUID VARCHAR(128),            /* UID of the ACE affected by event */
    packageUID VARCHAR(128),        /* UID of the package affected by event */
    instanceUID VARCHAR(128),       /* UID of the instance affected by event */
    policyVersion INTEGER,          /* Version of ACE policy affected by event */
    event
Table A-1.
ACE Management Server event logging contains an experimental tamper evidence feature. Every record in the event log (except the first one) must have a unique reference to the previous event, further enforced by the database foreign key and unique constraint. Each successive record has a unique ID incremented by 1, so missing records are immediately evident.
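An added Python example (not VMware's code) of the check this tamper-evidence feature makes possible, run over a constructed in-memory SQLite copy of the event log: it reports every ID missing from the sequence and every record whose reference does not point at its immediate predecessor, which the foreign key and unique constraint alone do not catch. The column names follow the schema excerpt above; the table name PolicyDb_EventLog and the prevEventUID column are assumptions, because the excerpt is cut off before the column that references the previous event.

```python
import sqlite3

# Table name and the prevEventUID column are assumptions; the schema excerpt
# on this page ends before the column that references the previous event.
SCHEMA = """
CREATE TABLE PolicyDb_EventLog (
    eventUID     INTEGER PRIMARY KEY,  /* sequential record id */
    prevEventUID INTEGER UNIQUE,       /* reference to the previous event */
    eventTs      VARCHAR(21),          /* timestamp of creation in uSec */
    loginName    VARCHAR(128),         /* login user name of the actor */
    instanceUID  VARCHAR(128),         /* instance affected by the event */
    FOREIGN KEY(prevEventUID) REFERENCES PolicyDb_EventLog(eventUID)
);
"""

# Constructed rows: record 4 has been removed, so 5 now points at 3, and
# record 8 was added without any link to its predecessor. Both pass the
# foreign-key and unique constraints, so only the sequence checks find them.
SAMPLE_ROWS = [
    (1, None, "1240000000000000", "admin", "inst-01"),
    (2, 1, "1240000001000000", "admin", "inst-02"),
    (3, 2, "1240000002000000", "helpdesk", "inst-01"),
    (5, 3, "1240000004000000", "admin", "inst-03"),
    (6, 5, "1240000005000000", "admin", "inst-03"),
    (7, 6, "1240000006000000", "helpdesk", "inst-02"),
    (8, None, "1240000007000000", "admin", "inst-01"),
]


def open_sample_log(rows=SAMPLE_ROWS):
    """Create an in-memory event log holding the given constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PolicyDb_EventLog VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def missing_event_ids(conn):
    """Return every id between the first and last record that has no row."""
    ids = [r[0] for r in conn.execute(
        "SELECT eventUID FROM PolicyDb_EventLog ORDER BY eventUID")]
    if not ids:
        return []
    present = set(ids)
    return [i for i in range(ids[0], ids[-1] + 1) if i not in present]


def broken_links(conn):
    """Return (eventUID, prevEventUID) for records not linked to eventUID - 1.

    Only the first record is allowed to have no predecessor.
    """
    sql = """
    SELECT e.eventUID, e.prevEventUID
    FROM PolicyDb_EventLog e
    LEFT JOIN PolicyDb_EventLog p ON p.eventUID = e.eventUID - 1
    WHERE e.eventUID <> (SELECT MIN(eventUID) FROM PolicyDb_EventLog)
      AND (p.eventUID IS NULL OR e.prevEventUID IS NOT p.eventUID)
    ORDER BY e.eventUID
    """
    return [tuple(r) for r in conn.execute(sql)]


def verify_event_log(conn):
    """Run both checks; 'intact' is True only when neither finds anything."""
    missing = missing_event_ids(conn)
    broken = broken_links(conn)
    return {"missing": missing, "broken": broken, "intact": not missing and not broken}
```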
Glossary

ACE instance
    A virtual machine that ACE administrators create, associate with virtual rights management (VRM) policies, and then package for deployment to users.

ACE Management Server
    A server that the ACE administrator can install and use for activating and tracking ACE instances and for hosting dynamic policies for ACE instances.

ACE-enabled virtual machine
    A virtual machine template that the ACE administrator creates.
instance customization
    The act of customizing an ACE instance, thus making it unique from all other instances. The instance customization process automates the actions of the Microsoft Sysprep utility. It also provides the ACE administrator with features needed to set up an automated remote domain join process of the ACE instance to a company VPN network.

managed ACE instance
    An ACE instance that an ACE Management Server manages. See also ACE Management Server.
Index

A
ACE instance
    log events for 37
    on Linux host, fixing server connection problem 51
    security certificates in 18
ACE Management Server
    Active Directory integration 15
    changing port assignment 51
    configuring 29
    creating Active Directory user and group for 29
    database backup 53
    database schema 55
    default port assignments 22
    embedded database 15
    external database option 15
    features 9
    fixing connection problem with ACE instance on Linux host 51
    hardware requirements 10
    installing 22
    installing on Linux sy

port assignments, default 22
port for ACE Management Server 51

R
reactivate an ACE instance 49
reset the password for an instance 50
Restart page 37
restarting the ACE Management Server 37

S
searching for instances in Help Desk 47
security, SSL 17, 18
sort instances 47
SQLite database for ACE Management server 15
SSL certification, using 17, 18
SSL protocol, using 17, 18
stopping and starting the Apache service manually 25

T
troubleshooting with the Help Desk