2.6

ManualsBrandsVMware ManualsComputer equipmentACE

Table Of Contents

ACE Management Server Administrator’s Manual

ACE Management Server Administrator’s Manual

18 VMware, Inc.

Security Features and Considerations

Bydefault,ACEManagementServerusestheSecureSocketsLayer(SSL)protocoltoprovideencryptedand

securecommunications.

FollowingisanoverviewofsecurityfeaturesandrecommendationsonhowtoconfiguretheACE

ManagementServertoavoidsecurityproblems:

 TraffictoandfromclientsisprotectedbyHTTPS–Bydefault,ACEManagementServercreatesa

self‐signedcertificatewhenyouinstallittouseforHTTPStraffic.Thesecertificatesaresecure,butyou

canalsoconfigureACEManagementServertouseyourowncertificateandkeypairs.

 TrafficfromACEManagementServertoActiveDirectoryisencrypted–Iftheserverisintegratedwith

anActiveDirectoryservice,itcommunicateswiththeservicethroughanSSL‐protectedlink.LDAPtraffic 

isencryptedattheapplicationlayer.CredentialsareprotectedbyusingtheKerberosprotocolto

authenticatecredentials.

 Sensitiveconfigurationoptionsareencrypted–Passwordsstoredintheconfigurationfileareencrypted.

 Databasesecurity–Thedatabasestorecontainssensitivedatasuchascryptographickeys.Configure

yourdatabasesecuritysothatitisprotectedfromintrusionandprotectedincaseofdataloss.Formore

informationaboutfeaturesthatareavailabletoprotectyourdata,seeyourdatabasedocumentation.

SSLencryptsdatathrough

theuseofapublic‐keyandprivate‐keypair.Thepublickeyisknowntoeveryone

andtheprivatekeyisknownonlytothemessagerecipient.URLs thatrequireanSSLconnectionstartwith

https.

DuringACEManagementServerinstallation,thefollowingtwofilesarecreated:

 server.key–AnRSA1024‐bitkey,thisistheprivatekey.

 server.crt–Aself‐signedcertificate.Itssignatureisverifiedbythepublickey,whichisembeddedin

thecertificate.Thispubliccertificateisvalidfor10yearsfromthedateandtimeatwhichtheserveris

installed.ThecertificatefileisencodedinPEMformat.

Bydefault,thesefiles

arestoredintheSSLdirectoryintheVMwareACEManagementServerprogram

directory.

VMwarePlayer,whichrunstheACEinstances,doesnottrustanycertificatesstoredonthehostmachineon

whichitisrunning.Instead,itreliesonacompletecertificationchainthatisincludedintheACE

package.

Usingself‐signedcertificatesisadequateformostsecurityneeds.

Youcan,however,useacertificateissuedbyacertificateauthority.IfyouhavemultipleACEManagement

Serverinstances,youcanuseonecertificateforalloryoucanuseadifferentcertificateoneachone.

Using SSL Certificates and Protocol

WhenanACE‐enabledvirtualmachineconnectstoanACEManagementServer,itdownloadsthepublic

certificateforthatserverandanychainofcertificatesrequiredtoverifytheserver’spubliccertificate.Aserver

certificatemighthaveachainofseveralcertificatesthatmustbeverifiedstepbystepuntilthe

verification

processreachestheroot,ortrusted,certificateinthecertificatestore.Thefirsttimeaconnectionismadetoa

serverbyanyACE‐enabledvirtualmachineonaWorkstationadministratormachine,thecertificateandits

verificationaredownloadedtotheWorkstationhostsystem.

Thestoreorcollectionofcertificates

thatisdownloadedwhenanACE‐enabledvirtualmachineconnectstoa

serverisincludedineachACEpackagethatyoucreatewiththatvirtualmachine.ItissavedintheACE

Resourcesdirectory.WhenyoudeployandrunanACEinstanceofthisACE‐enabledvirtualmachine,the

VMwarePlayer

applicationusesthecertificatesincludedinthepackagetoverifyconnectionsmadetotheACE

ManagementServer.ItverifiesthatthecertificatesthatareintheACEpackagematchthosethattheserver

provides.Iftheydonotmatchexactly,VMware Playerdisplaysanerrormessageanddoesnotrunthe

instance.