2.6

ManualsBrandsVMware ManualsComputer equipmentACE

Table Of Contents

ACE Management Server Administrator’s Manual

ACE Management Server Administrator’s Manual

36 VMware, Inc.

Creating Access Control

OntheAccessControltab,youcancreatealocalAdministratorroleandHelpDeskroleoruseActive

Directoryforauthenticatinguserswiththeseroles.

BeforeyoucanconfiguretheACEManagementServertouseadomainaccountforauthentication,youmust

createusersandgroupssothatACEManagement

ServercanconnecttotheLDAPserver.See“CreateUsers

andGroupsforIntegrationwithActiveDirectory”onpage 29.

Usethefollowinginformationtohelpyoucompletethefieldsforauthentication:

 Localaccount–IfyouspecifyapasswordfortheAdministratorroleandforgetorloseit,youmustdelete

theserverconfigurationfile.Deletingthisfilesetstheserverbacktoitsinitialstate.Youmustreconfigure

theserverandsettheadministratorpasswordagain.

See“DeletetheServerConfiguration

FileandSetaNewAdministratorPassword”onpage 52.

 Domainaccount(LDAP)–TouseActiveDirectoryforauthentication,specifythehostandcredentials

thattheACEManagementServerusestoconnecttoandquerythedomaincontroller:

 HostName–Enterafullyqualifieddomainname(forexample,ldap.vmware.com)insteadofanIP

addressorhostnamewithnoparentdomainname(forexample,ldap).

 QueryUsersAMAcountNameandQueryUserPassword–Usethepasswordandshortnamefor

theuseraccountyoucreatedforthispurposeinActiveDirectory.

 QueryUserDomain–ThedomainmustbethedomainforwhichtheLDAPhostisadomain

controller.

 AdminGroupDNandHelpDeskGroupDN–(Optional)Enterthedistinguishednameforthese

groups,whichyoucreatedforthispurposeinActiveDirectory(forexample,

cn=Users,dc=simplecorp,dc=com).

Ifthisoptionisnotenabled,anyonewhologsintotheHelpDeskapplicationmustbeamemberof

theACE

Administratorsgroup.

 HelpDeskRoleorGroupDN–CreatingaHelpDeskroleallowsyoutopermitcertainuserstoperform

HelpDesktasksfromtheHelpDeskapplication.Usersinthisrolecannotaccessotheradministrative

tools.YoucanstilllogintotheHelpDeskWebapplicationwithyouradministrative

LDAPcredentialsor

localAdministratorpassword.

IfyoumakechangestotheinformationontheAccessControltab,youmustclickApplyorCancelbeforeyou

cannavigatetoanothertab.

Uploading Custom SSL Certificates

TohaveACEManagementServerusecustomSSLcertificates,eitheryourownself‐signedcertificatesorthose

ofathird‐partyorinternalCA(certificateauthority),usetheCustomSSLCertificatestabtouploadthe

PEM‐encodedfiles.

BeforeyoucanuploadcustomSSLcertificates,youmustcreateandrenamethe

certificatefiles.See“Prepare

CustomSecurityCertificates”onpage 34.

Bydefault,duringACEManagementServerinstallation,thefollowingtwofilesarecreated:

 server.key–ThisRSA1024‐bitkeyistheprivatekey.

 server.crt–Thisself‐signedcertificateisvalidfor10yearsfromthedateandtimeatwhichtheserveris

installed.Itssignatureisverifiedbythepublickey,whichisembeddedinthecertificate.Thecertificate

fileisencodedinPEMformat.

WhenyourunanACEinstance,

theVMwarePlayerapplicationusesthecompletecertificationchainthatis

includedinitspackage,notonthehost,toverifyconnectionsmadetoACEManagementServer.Therefore,

theuseofself‐signedcertificatesisadequateformostsecurityneeds.Formoreinformationabouthow

VMwareACEusessecuritycertificates,see

“UsingSSLCertificatesandProtocol”onpage 18.