ACE Management Server Administrator’s Manual
VMware ACE 2.7
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com Copyright © 2007–2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents
About This Book 5
1 Introduction 7
  Features of ACE Management Server 7
  System Requirements 8
    Required Hardware 8
    Supported Operating Systems 8
    Supported External Databases 9
    Supported Proxies 9
    Required Web Browsers 9
  Licensing 9
2 Planning an ACE Management Server Deployment 11
  Deployment Components 11
  Host System Options 12
    Windows Hosts 12
    Linux Hosts 12
    Server Appliance Option 12
  Database Options 13
  Active Directory Authentication Options 13
  Performing Capacity Planning 13
    Database Throughp
    Increase the Number of Database Connections Allowed 30
    Enable Database Connection Pooling on Linux 31
    Set Up a Connection Between the Server Appliance and an External Database
  Prepare Custom Security Certificates 32
    View the Properties of the Self-Signed Certificate File 32
  Starting ACE Management Server Configuration 33
  Viewing and Changing Licensing Information 33
  Using an External Database 33
  Creating Access Control 34
  Uploading Custom SSL Certificates 34
  Log
About This Book
This manual, the VMware ACE Management Server Administrator’s Manual, provides information about installing and using the VMware® ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:
  Manage activation of ACE packages.
  Manage authentication of those activated packages.
  Dynamically deliver policy updates to managed ACE instances.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment.
1 Introduction
The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.
ACE Management Server is easy to install and configure. Client traffic can be proxied by easily available products.
The server uses easily available software components:
  Apache Web server 2.0
  The default SQLite database store
The server setup uses industry-standard protocols:
  HTTPS and LDAP
  XML-RPC for message encapsulation
ACE Management Server offers extensibility and availability: You can create and use more than one ACE Management Server.
Supported External Databases
An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:
  For a Windows-based ACE Management Server – Microsoft SQL Server 2000 or higher; Oracle Database 10g
If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server.
2 Planning an ACE Management Server Deployment
This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices.
Figure 2-1.
Database Options
ACE Management Server offers the following database options:
  Embedded SQLite database – The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.
  ACE policy configuration
  Load balancers for very large deployments (more than 5,000 clients)
Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.
Table 2-1.
Network Bandwidth and Policy Update Frequency
The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.
Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes
Number of Clients    Bandwidth Required
100                  0.125 Mb/sec.
1,000                1.
Security Features and Considerations
By default, ACE Management Server uses the Secure Sockets Layer (SSL) protocol to provide encrypted and secure communications.
VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.
Deployment Planning Worksheet
Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.
Table 2-5. Worksheet for ACE Management Server in a Production Environment
Component                     Considerations                                                                          Decision
Active Directory integration  Performance is better when the ACE Management Server is installed on a Windows host.
3 Installing and Configuring ACE Management Server
This chapter includes the following topics:
  “Preparing for Installation” on page 19
  “Installing and Upgrading ACE Management Server” on page 20
  “Verify That the Apache Service Is Started or Restarted” on page 23
  “Start and Configure ACE Management Server” on page 24
  “Log In to ACE Management Server” on page 25
Preparing for Installation
Before you install ACE Management Server, you must plan your deployment.
Configure TLS in Your Browser
Transport Layer Security (TLS) must be configured on your Web browser to operate ACE Management Server.
To configure TLS in your browser
Depending on the type of browser, do one of the following:
  For an Internet Explorer browser:
    a Choose Tools > Internet Options > Advanced and scroll down to Security.
    b Select the Use TLS 1.0 check box and click OK.
  For a Mozilla browser:
    a Choose Tools > Options > Advanced.
3 Follow the prompts in the installation wizard.
4 If you are using a computer that has a firewall enabled and you see a message at the end of the installation asking whether you want to unblock the Apache service, choose Unblock. ACE Management Server does not work properly if you do not unblock the Apache service.
After ACE Management Server is installed, you can configure it. See “Start and Configure ACE Management Server” on page 24.
3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:
  a Open the following file with a text editor: /etc/sysconfig/apache2
  b Add the ldap config option to the APACHE_MODULES variable.
  c Save and close the file.
After ACE Management Server is installed, you can configure it. See “Start and Configure ACE Management Server” on page 24.
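The edit in step 3 is easy to get wrong on a repeat run (the module listed twice, or the rest of the line clobbered). The following Python helper, which is an added example and not part of the manual or the product, performs the same edit idempotently: it appends ldap to the existing APACHE_MODULES assignment, leaves every other line untouched, and keeps a .bak copy when it changes a file. The sample file content is constructed for illustration; the module list in it is not copied from a real installation.

```python
import re
import shutil
from pathlib import Path

# Constructed sample in the style of /etc/sysconfig/apache2 on SUSE Linux
# Enterprise Server 9; the module list is illustrative only.
SAMPLE_SYSCONFIG = '''## Path:        Network/WWW/Apache
## Description: Modules loaded by the Apache 2 server
APACHE_MODULES="access actions alias auth autoindex dir log_config mime setenvif ssl"
APACHE_SERVER_FLAGS=""
'''

# Matches the whole APACHE_MODULES="..." assignment at the start of a line.
ASSIGNMENT = re.compile(r'^(APACHE_MODULES=)"([^"]*)"', re.MULTILINE)


def configured_modules(sysconfig_text: str) -> list:
    """Return the module names listed in APACHE_MODULES, in file order."""
    match = ASSIGNMENT.search(sysconfig_text)
    if match is None:
        raise ValueError("no APACHE_MODULES assignment found")
    return match.group(2).split()


def enable_apache_module(sysconfig_text: str, module: str = "ldap") -> str:
    """Return the sysconfig text with `module` appended to APACHE_MODULES.

    Idempotent: if the module is already listed the text comes back unchanged,
    so the function is safe to call from a provisioning script. Everything
    outside the APACHE_MODULES assignment is preserved byte for byte.
    """
    match = ASSIGNMENT.search(sysconfig_text)
    if match is None:
        raise ValueError("no APACHE_MODULES assignment found")
    modules = match.group(2).split()
    if module in modules:
        return sysconfig_text
    modules.append(module)
    new_assignment = '%s"%s"' % (match.group(1), " ".join(modules))
    return sysconfig_text[:match.start()] + new_assignment + sysconfig_text[match.end():]


def enable_apache_module_in_file(path, module: str = "ldap") -> bool:
    """Apply enable_apache_module() to a file, keeping a .bak copy first.

    Returns True if the file was changed. Meant for /etc/sysconfig/apache2,
    but takes any path so it can be exercised on a scratch copy first.
    """
    path = Path(path)
    original = path.read_text()
    updated = enable_apache_module(original, module)
    if updated == original:
        return False
    shutil.copy2(path, path.with_suffix(path.suffix + ".bak"))
    path.write_text(updated)
    return True


if __name__ == "__main__":
    print(enable_apache_module(SAMPLE_SYSCONFIG))
```

Apache still has to be restarted for the new module list to take effect (step c of “Verify That the Apache Service Is Started or Restarted”).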
8
9 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  c Enter the appropriate command:
    To start the service if it is stopped, enter the following command:
      /etc/init.d/apache2 start
    To restart the service, enter the following commands:
      /etc/init.d/apache2 stop
      /etc/init.d/apache2 start
On Red Hat Enterprise Linux 4:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command: /etc/init.
3 Complete the information on each tab and click Next. The only fields that require changes and do not have default settings are the Serial Number field on the Licensing tab and the Administrator password on the Access Control tab. For information about specific fields and tabs, click Help on the tab.
Log In to ACE Management Server
The first time you log in to ACE Management Server, you must set a password.
3 Enter login credentials. If you use Active Directory for authentication, see Table 3-2. In multidomain environments, you might be required to enter a domain (for example, eng.com).
4 Configuration Options for ACE Management Server
After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.
To create users and groups for integration with Active Directory
1 Create a user that ACE Management Server can use to connect to the LDAP server and run queries. Make a note of the sAMAccountName value for that user (for example, aceuser).
2 Create an ACE Administrators group in the domain.
3 Add ACE administrator users to the ACE Administrators group.
4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.
3
4 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:
  TCP connectivity is enabled in the database configuration options.
  The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.
Create a System DSN Entry for a Linux Database
On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in. Before you begin, determine the correct ODBC driver:
  On Red Hat Enterprise Server, the driver is located at /usr/lib/libodbcpsql.so.
To increase the number of database connections allowed
1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of parallel threads or processes that might start at the same time.
2 Configure the database to allow as many connections as the Apache server. See your database documentation.
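Step 1 amounts to reading the MaxClients directive of the MPM section that applies to the Apache 2.0 build in use. The following Python script, an added example that is not part of the manual or the product, parses the IfModule sections of an httpd.conf, reports the MaxClients figure per MPM, and derives the connection limit to configure on the database. The httpd.conf excerpt is constructed; which MPM is compiled into the server (prefork or worker on Linux) is passed in by the caller, and the five-session headroom for administrative tools is an assumption, not a figure from the manual.

```python
import re

# Constructed excerpt in the style of the MPM sections of an Apache 2.0
# httpd.conf; the numbers are illustrative, not a real server's settings.
SAMPLE_HTTPD_CONF = """\
<IfModule prefork.c>
StartServers         5
MinSpareServers      5
MaxSpareServers     10
MaxClients         150
MaxRequestsPerChild  0
</IfModule>

<IfModule worker.c>
StartServers         2
MaxClients         200
MinSpareThreads     25
MaxSpareThreads     75
ThreadsPerChild     25
MaxRequestsPerChild  0
</IfModule>
"""

IFMODULE = re.compile(r"<IfModule\s+(\w+)\.c>(.*?)</IfModule>", re.DOTALL)
DIRECTIVE = re.compile(r"^\s*(\w+)\s+(\d+)\s*$", re.MULTILINE)


def mpm_limits(conf_text: str) -> dict:
    """Map each MPM section name (prefork, worker, ...) to its numeric directives."""
    limits = {}
    for section in IFMODULE.finditer(conf_text):
        name, body = section.group(1), section.group(2)
        limits[name] = {key: int(value) for key, value in DIRECTIVE.findall(body)}
    return limits


def max_parallel_requests(conf_text: str, active_mpm: str) -> int:
    """Upper bound on requests Apache 2.0 serves at once for the compiled-in MPM.

    For prefork (one process per request) and worker (one thread per request)
    that bound is MaxClients; worker additionally caps it at
    ServerLimit * ThreadsPerChild when both directives are present.
    """
    section = mpm_limits(conf_text)[active_mpm]
    bound = section["MaxClients"]
    if "ServerLimit" in section and "ThreadsPerChild" in section:
        bound = min(bound, section["ServerLimit"] * section["ThreadsPerChild"])
    return bound


def required_db_connections(conf_text: str, active_mpm: str, admin_sessions: int = 5) -> int:
    """Connections the database must accept: one per parallel Apache request
    plus headroom for administrative sessions (the headroom is an assumption)."""
    return max_parallel_requests(conf_text, active_mpm) + admin_sessions


if __name__ == "__main__":
    for mpm in mpm_limits(SAMPLE_HTTPD_CONF):
        print(mpm, "MaxClients =", max_parallel_requests(SAMPLE_HTTPD_CONF, mpm),
              "-> database connections:", required_db_connections(SAMPLE_HTTPD_CONF, mpm))
```

A database limit below this figure shows up under load as intermittent connection failures in the Apache error log rather than as a clear configuration error, which is why it is worth computing from the configuration rather than guessing.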
Prepare Custom Security Certificates
To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files. These files must be PEM encoded. After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL Certificates tab in the ACE Management Server Setup application.
Starting ACE Management Server Configuration
If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before configuring the ACE Management Server. See “Prerequisites for Configuring the Server” on page 27.
If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even if you do not rerun the setup application. If you make changes to the information on the Database tab, you must click Apply or Cancel before you can navigate to another tab.
By default, during ACE Management Server installation, the following two files are created:
  server.key – This RSA 1024-bit key is the private key.
  server.crt – This self-signed certificate is valid for 10 years from the date and time at which the server is installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate file is encoded in PEM format.
Use the Event Log Purging control to configure the amount of logging information retained. The purge maintenance process runs approximately every six hours. If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can navigate to another tab.
Applying Configuration Settings
The Restart page appears when you click Apply on one of the tabs. You must restart the server for the configuration settings to take effect.
5 Load-Balancing Multiple ACE Management Server Instances
If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.
Typical Setup Using Load-Balanced ACE Management Server Instances
A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load-balancing group, the number of clients that you can serve scales linearly.
3 To verify that both ACE Management Server instances are working properly, start Workstation and connect to each ACE Management Server directly:
  a In Workstation, choose File > Connect to ACE Management Server.
  b Enter the IP or host name of the machine where ACE Management Server is installed, change the number in the Port field if necessary, and click OK.
Create New SSL Certificates and Keys for Each Server
If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server. If you plan to obtain SSL certificates from a certificate authority, you must create certificate chains. Figure 5-2 provides an overview of determining which certificates are included in a chain.
Figure 5-2.
3 Join all of the certificate chain files into one file. If you can, eliminate the duplicate entries.
4 Convert the server’s SSL certificates to PEM format.
5 Add the server’s SSL certificates in PEM format to the certificate chain file.
6 On the Custom SSL Certificates tab, upload the SSL certificate file, the SSL key file, and the certificate chain file:
  a Specify the key file in the Server Private Key field.
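Steps 3 to 5 are plain file handling, but duplicates hide easily when two chain files wrap the same certificate with different line lengths. The following Python script, an added example that is not part of the manual or the product, splits PEM bundles into individual CERTIFICATE blocks, converts DER-encoded server certificates to PEM with the standard library's ssl helpers, and deduplicates by the SHA-256 fingerprint of the DER bytes so the joined chain file contains each certificate once. The DER inputs below are constructed placeholder bytes, not real certificates; the helpers only re-encode base64, so the same functions run unchanged on the bytes of a real .cer or .der file.

```python
import hashlib
import re
import ssl

# One "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block.
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text: str) -> list:
    """Return every CERTIFICATE block in a PEM bundle, in file order."""
    return PEM_CERT.findall(text)


def der_to_pem(der_bytes: bytes) -> str:
    """Step 4: wrap DER bytes as a PEM block (64-column base64 with header and footer)."""
    return ssl.DER_cert_to_PEM_cert(der_bytes)


def fingerprint(pem_block: str) -> str:
    """SHA-256 over the DER bytes, so the same certificate is recognised even
    when two files wrap the base64 differently or use different line endings."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_block)).hexdigest()


def merge_chain(chain_bundles, server_certs_der=()) -> str:
    """Steps 3 to 5: join the chain files, drop duplicate certificates, then
    append each server certificate (given as DER bytes) converted to PEM.

    Order is preserved: first occurrence wins, and the server certificates
    follow the chain entries, as the procedure describes.
    """
    blocks = [block for bundle in chain_bundles for block in split_pem_bundle(bundle)]
    blocks += [der_to_pem(der) for der in server_certs_der]
    seen, merged = set(), []
    for block in blocks:
        digest = fingerprint(block)
        if digest in seen:
            continue
        seen.add(digest)
        merged.append(block.strip() + "\n")
    return "".join(merged)


# Constructed placeholder bytes standing in for DER certificates.
ROOT_CA_DER = b"placeholder-root-ca"
INTERMEDIATE_DER = b"placeholder-intermediate-ca"
SERVER1_DER = b"placeholder-server-1"


if __name__ == "__main__":
    # Two chain files that contain the same two CA certificates in different order.
    bundle_a = der_to_pem(ROOT_CA_DER) + der_to_pem(INTERMEDIATE_DER)
    bundle_b = der_to_pem(INTERMEDIATE_DER) + der_to_pem(ROOT_CA_DER)
    print(merge_chain([bundle_a, bundle_b], [SERVER1_DER]))
```

The resulting text is what goes into the certificate chain file uploaded in step 6; the server private key is a separate file and must never be appended to the chain.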
6 Managing ACE Instances
After ACE Management Server is installed and configured, you can do the following:
  View ACE instances that are managed by a particular ACE Management Server.
  Revoke and re-enable an instance.
  Fix various problems with the ACE instances as reported by instance users.
Use the VMware ACE Help Desk Application
ACE administrators and help desk assistants can access ACE instances through the VMware ACE Help Desk Web application. You can use the Help Desk to reactivate an instance, change the instance’s expiration date, and reset a user password if it is lost or forgotten.
To use the VMware ACE Help Desk application
1 Open a Web browser and go to https://:8000.
To use the instance view in Workstation
1 From the Workstation menu bar, choose File > Connect to ACE Management Server.
2 Specify the fully qualified host name or the IP address and click OK. In most cases, the default port number does not need to be changed.
3 Complete the login window. Use the following information to help you complete the fields that appear in this window:
  User Name and Password – Enter credentials for administering the ACE Management Server.
Sort by Column Heading and Change Column Width
You can reorder the instances in the table alphabetically or numerically, depending on the selected column’s contents, in ascending or descending order.
To sort by column heading and change column width
1 Click the column heading of the column to sort. Click again to re-sort in the opposite (ascending or descending) order.
2 To change column widths, click a column divider and drag it to a new width.
View Instance Details
The Instance Details page displays all of the same information shown on the summary page, and it includes information about the ACE instance’s policy settings. You can reactivate, deactivate, or change the expiration date from the Instance Details page, as you can from the summary page.
To change a copy protection ID
1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 Do one of the following:
  In the VMware ACE Help Desk, replace the alphanumeric string in the Copy Protection ID field with a new ID and click the Save icon at the top of the page.
  In Workstation, click the Policies tab, replace the copy protection ID with a new ID, and click OK.
7 Troubleshooting and Maintenance
This chapter includes the following topics:
  “Troubleshooting Configuration Problems” on page 49
  “Configuring Multiple ACE Management Server Instances to Use SSL” on page 51
  “Database Backup” on page 52
Troubleshooting Configuration Problems
Common configuration problems include resolving connection problems and port conflicts and resetting ACE administrator passwords.
3 Locate the section header for the Virtual Server configuration for port 443. This line looks similar to the following:
4 Change the port number in the section header to the desired port number. For example, to change to port 8443, change 443 to 8443.
5 Save the file.
6 Stop and start the Apache service. For instructions, see “Verify That the Apache Service Is Started or Restarted” on page 23.
To restore a backup copy of an SSL certificate
1 Navigate to the ACE Management Server directory where the backup is stored. The filenames use the following format: .-
Database Backup
If you are using an external database, use a backup and recovery strategy that is appropriate for your database system. Back up your ACE Management Server database on a regular basis to ensure that the database can be recovered promptly if needed. If you are using the embedded database, you can use standard file-backup tools, such as ntbackup or dd. The data is stored in one of the following locations:
  Windows – C:\Program Files\VMware\VMware
Appendix: Database Schema and Audit Event Log Data
This appendix explains the format of the data stored in the database and the best ways to access this data. This appendix includes the following topics:
  “Using Database Reporting Tools” on page 53
  “Database Schema” on page 53
  “Querying the Audit Event Log Data” on page 57
Using Database Reporting Tools
You can use a third-party database management or reporting tool with the VMware ACE Management Server database.
Other dates and times are stored as decimal strings showing the number of seconds from 12:00 a.m. 01/01/1970. ACE, Package, Instance, Access, and UserData records are never deleted from the database. They are marked as deleted with the deleted field set to TRUE, so that the previous information can be inspected for audit purposes.
    identityType INTEGER NOT NULL,                            /* AD User, Group, or Token Value */
    identityName VARCHAR(128),                                /* UI visible user/group name in AD case */
    accUseInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL,  /* Limit number of instances for this ID? */
    accInstanceLimit INTEGER NOT NULL,                        /* Max no.
    mplTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,              /* Creation timestamp */
    mplTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,         /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE',                       /* Is this entry deleted (tombstone) */
    PRIMARY KEY(macPoolUID),
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* Instance customization data */
CREATE TABLE PolicyDb_UserData (
    userDataPK VARCHAR(516),                                  /* Primary key */
    aceUID VARCHAR(128),                                      /* ACE for which this UserData
/* Audit Event Log data */
CREATE TABLE PolicyDb_Event (
    eventUID INTEGER,                                         /* Primary key of the table (sequential) */
    eventTs VARCHAR(21),                                      /* Timestamp of the event creation in uSec */
    loginName VARCHAR(128),                                   /* Login user name of the actor */
    aceUID VARCHAR(128),                                      /* UID of the ACE affected by event */
    packageUID VARCHAR(128),                                  /* UID of the package affected by event */
    instanceUID VARCHAR(128),                                 /* UID of the instance affected by event */
    policyVersion INT
Table A-1. Log Entry Data
Data                     Description
Audit log event ID (PK)  An incrementing integer
Log timestamp            In microseconds from 12:00 a.m.
ACE Management Server event logging contains an experimental tamper evidence feature. Every record in the event log (except the first one) must have a unique reference to the previous event, further enforced by the database foreign key and unique constraint. Each successive record has a unique ID incremented by 1, so missing records are immediately evident.
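The tamper evidence described here rests on two database constraints plus the sequential ID, and the point of an audit query against PolicyDb_Event is to check all three. The following Python script, an added example that is not part of the manual or the product, builds an in-memory SQLite copy of a subset of the PolicyDb_Event columns (SQLite is the embedded engine; an external database would be queried the same way through ODBC), shows that the foreign key blocks deletion of a record that a later record still references, and runs a detection query that reports gaps in the ID sequence and records whose previous-event link points at a row that no longer exists. The column name prevEventUID is an assumption, since the appendix describes the back-reference but this page does not show its name; the event rows are constructed, not server output. The eventTs helper also covers the microsecond timestamps of Table A-1.

```python
import sqlite3
from datetime import datetime, timezone

# Column subset of the PolicyDb_Event table from the appendix. prevEventUID is
# an assumed name for the unique, foreign-key-enforced link to the previous
# event that the appendix describes without naming the column.
SCHEMA = """
CREATE TABLE PolicyDb_Event (
    eventUID     INTEGER PRIMARY KEY,   /* sequential primary key */
    eventTs      VARCHAR(21),           /* creation time, microseconds since 1970-01-01 */
    loginName    VARCHAR(128),          /* login name of the actor */
    instanceUID  VARCHAR(128),          /* instance affected by the event */
    prevEventUID INTEGER UNIQUE,        /* assumed name: link to the previous event */
    FOREIGN KEY (prevEventUID) REFERENCES PolicyDb_Event(eventUID)
);
"""

# Constructed sample events, not output from a real server.
SAMPLE_EVENTS = [
    (1, "1262304000000000", "admin",    "inst-a", None),
    (2, "1262304060000000", "admin",    "inst-a", 1),
    (3, "1262304120000000", "helpdesk", "inst-b", 2),
    (4, "1262304180000000", "admin",    "inst-b", 3),
    (5, "1262304240000000", "admin",    "inst-a", 4),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory SQLite database with foreign keys enforced and the sample events loaded."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO PolicyDb_Event VALUES (?, ?, ?, ?, ?)", SAMPLE_EVENTS)
    conn.commit()
    return conn


def event_time(event_ts: str) -> datetime:
    """Turn the microsecond string stored in eventTs into an aware UTC datetime."""
    return datetime.fromtimestamp(int(event_ts) / 1_000_000, tz=timezone.utc)


def delete_is_blocked(conn: sqlite3.Connection, event_uid: int) -> bool:
    """Try to delete one event. With foreign keys on, a record that a later record
    still points at cannot be removed; True means the database refused the delete."""
    try:
        conn.execute("DELETE FROM PolicyDb_Event WHERE eventUID = ?", (event_uid,))
        conn.commit()
        return False
    except sqlite3.IntegrityError:
        conn.rollback()
        return True


def audit_chain(conn: sqlite3.Connection) -> dict:
    """Detection query: IDs missing from the sequence, and records whose
    previous-event link points at a row that is no longer present."""
    rows = conn.execute(
        "SELECT eventUID, prevEventUID FROM PolicyDb_Event ORDER BY eventUID").fetchall()
    if not rows:
        return {"missing_ids": [], "dangling_refs": []}
    present = {uid for uid, _ in rows}
    missing = [uid for uid in range(min(present), max(present) + 1) if uid not in present]
    dangling = [uid for uid, prev in rows if prev is not None and prev not in present]
    return {"missing_ids": missing, "dangling_refs": dangling}


def remove_without_checks(conn: sqlite3.Connection, event_uid: int) -> None:
    """Remove a record with constraint checking switched off, the way a direct
    edit of the database file would, so audit_chain() can be exercised on a damaged log."""
    conn.execute("PRAGMA foreign_keys = OFF")
    conn.execute("DELETE FROM PolicyDb_Event WHERE eventUID = ?", (event_uid,))
    conn.commit()
    conn.execute("PRAGMA foreign_keys = ON")


if __name__ == "__main__":
    db = build_sample_db()
    print("clean log:", audit_chain(db))
    print("delete of referenced event 3 blocked:", delete_is_blocked(db, 3))
    remove_without_checks(db, 3)
    print("after unchecked removal:", audit_chain(db))
    print("first event at", event_time(SAMPLE_EVENTS[0][1]).isoformat())
```

Two observations follow from running it. The foreign key only protects a record that a later record already references, so the newest record has no such protection until the next event is written, and the sequence check cannot see a trailing deletion either. And the constraints are only enforced when the database engine is in the path; a tool that edits the database file directly bypasses them, which is exactly the case the gap and dangling-reference query is there to catch, so that query belongs in whatever reporting job reads the event log.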
Glossary
ACE instance
  A virtual machine that ACE administrators create, associate with virtual rights management (VRM) policies, and then package for deployment to users.
ACE Management Server
  A server that the ACE administrator can install and use for activating and tracking ACE instances and for hosting dynamic policies for ACE instances.
ACE-enabled virtual machine
  A virtual machine template that the ACE administrator creates.
instance customization
  The act of customizing an ACE instance, thus making it unique from all other instances. The instance customization process automates the actions of the Microsoft Sysprep utility. It also provides the ACE administrator with features needed to set up an automated remote domain join process of the ACE instance to a company VPN network.
managed ACE instance
  An ACE instance that an ACE Management Server manages. See also ACE Management Server.
Index
A
ACE instance
  log events for 35
  on Linux host, fixing server connection problem 49
  security certificates in 16
ACE Management Server
  Active Directory integration 13
  changing port assignment 49
  configuring 27
  creating Active Directory user and group for 27
  database backup 52
  database schema 53
  default port assignments 20
  embedded database 13
  external database option 13
  features 7
  fixing connection problem with ACE instance on Linux host 49
  hardware requirements 8
  installing 20
  installing on Linux sys
R
reactivate an ACE instance 47
reset the password for an instance 48
Restart page 36
restarting the ACE Management Server 36
S
searching for instances in Help Desk 45
security, SSL 16
sort instances 46
SQLite database for ACE Management server 13
SSL certification, using 16
SSL protocol, using 16
stopping and starting the Apache service manually 23
T
troubleshooting with the Help Desk application 44
U
using the ACE Management Server 43
V
view details for an