2.7
Table Of Contents
- ACE Management Server Administrator’s Manual
- Contents
- About This Book
- Introduction
- Planning an ACE Management Server Deployment
- Installing and Configuring ACE Management Server
- Configuration Options for ACE Management Server
- Prerequisites for Configuring the Server
- Starting ACE Management Server Configuration
- Viewing and Changing Licensing Information
- Using an External Database
- Creating Access Control
- Uploading Custom SSL Certificates
- Logging Events
- Applying Configuration Settings
- Load-Balancing Multiple ACE Management Server Instances
- Typical Setup Using Load-Balanced ACE Management Server Instances
- Install the Required Services for Load Balancing
- Use the Same SSL Certificate on All Servers
- Create New SSL Certificates and Keys for Each Server
- Installing and Configuring the Load Balancer
- Verify That ACE Instances Are Using the Load Balancer
- Managing ACE Instances
- Viewing ACE Instances That the Server Manages
- Search for an Instance
- Sort by Column Heading and Change Column Width
- Show, Hide, and Move Columns in the Instance View
- Create or Delete Custom Columns in the Instance View
- View Instance Details
- Reactivate, Deactivate, or Delete an ACE Instance
- Change a Copy Protection ID
- Reset the Authentication Password
- Add Information for Custom Columns
- Troubleshooting and Maintenance
- Appendix: Database Schema and Audit Event Log Data
- Glossary
- Index
ACE Management Server Administrator’s Manual
32 VMware, Inc.
Prepare Custom Security Certificates
TousecustomSSLcertificates,eitheryourownself‐signedcertificatesorthoseofathird‐partyorinternalCA
(certificateauthority),youmustprovidethecertificate,key,and(inthecaseofCAs)certificatechainfiles.
ThesefilesmustbePEMencoded.
Afteryoucreateorobtainthesefiles,upload
themtoACEManagementServerbyusingtheCustomSSL
CertificatestabintheACEManagementServerSetupapplication.
FormoreinformationabouthowVMwareACEusesSSLcertificates,see“UsingSSLCertificatesandProtocol”
onpage 16.
To prepare custom security certificates
1 Createorprovidetheneededfiles:
Foryourownself‐signedcertificate,usetheopensslutilitytocreateanewself‐signedcertificate.
Forathird‐partyCAorinternalCA,obtainanSSLcertificatesignedbythatCA,anda
certificate‐verificationchainfile.
ThechainfileisaconcatenationofeverycertificaterequiredtoverifythenewSSLcertificateyou
createdorobtained.DependingontheCAandcertificateissued,anexample
chainfilecouldbea
concatenationoftherootcertificate,oneormoreintermediarycertificates,andtheservercertificate.
EachoftheindividualpiecesmustbeSHA‐1encodedandinPEMformatbeforeconcatenation.Steps
forobtainingthecertificatechainvary,dependingonwhichhostoperatingsystemyouareusing
and
onthesourcefromwhichtheCAcertificateisobtained.ACAauthoritymayprovidethecomplete
chainoryoumayneedtoassemblethechainyourself.
Aprivate‐keyfile.SSLencryptsdatathroughtheuseofapublic‐keyandprivate‐keypair.Thepublic
keyisknowntoeveryoneandtheprivatekeyisknownonlytothemessagerecipient.
ThecertificatesignaturesmustusetheSHA1algorithmdigest.ThefilesmustbePEM‐encoded.
2 Rename
thefiles,asfollows:
Renametheprivatekeyfiletoserver.key.
Renamethecertificatefiletoserver.crt.
Renamethecertificatechainfiletochain.crt.
YoucannowusetheACEManagementServerSetupapplicationtouploadthecertificatefiles.
View the Properties of the Self-Signed Certificate File
ThisfileisstoredintheSSLdirectoryintheVMwareACEManagementServerprogramdirectory.
To view the properties of the self-signed certificate file
Dooneofthefollowing:
OnaWindowshost,navigatetothelocationoftheserver.crtfileanddouble‐clickthefilename.
OnaLinuxhost,usethefollowingcommand:
openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text
Toreplaceanexpiredcertificate,see“PrepareCustomSecurityCertificates”onpage 32.Donotmodify
certificatestomakethempermanent.