VMware vCenter Configuration Manager Administration Guide
vCenter Configuration Manager 5.7

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

© 2006–2013 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
About This Book

The VCM Administration Guide describes the steps required to configure VCM to collect and manage data from your virtual and physical environment. Read this document and complete the associated procedures to prepare for a successful implementation of the components.
Technical Support and Education Resources

The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support: To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
1 Getting Started with VCM

When you use VCM, you must understand user access and how to start VCM from any physical or virtual machine. You must also familiarize yourself with the VCM Web Console features.

This chapter includes the following topics:
- Understanding User Access
- Log In to VCM
- Getting Familiar with the Portal
- Customizing VCM for your Environment

Understanding User Access

User access determines who has access to VCM and with what roles.
- Remote command execution
- Change actions against target managed machines
- Change rollback
- Compliance enforcement
- Patch deployment
- Software deployment
- OS provisioning
- Machine reboots

All VCM user accounts must have the following rights on the VCM Collector machine.
- Ability to log on locally to access IIS
- Read access to the System32 folder
- Write access to the CMFiles$\Exported_Reports folder to export reports
- If d
Procedure
1. To connect to VCM from a physical or virtual machine on your network, open Internet Explorer and type http:///VCM.
2. Type your user network credentials.
3. (Optional) Select Automatically log on using this role to have VCM log you in.
4. Click Log On.

Your VCM user account can have multiple roles.
- Log Out: Exits the Web Console. The Web Console closes and the VCM Logon screen appears.
- About: Displays information about how to contact VMware Technical Support and version information for VCM and all of its components. This information may be important when you contact VMware Technical Support.
- Help: Opens the online Help for the currently-active display.
Navigation Sliders

The navigation sliders on the left side of the Web Console include the items listed and described in the following table. The individual items that you see in VCM vary depending on the components that you have licensed.
- Active Directory and AD objects based on your role.
- Patching options are available based on your role.
- Administration is visible only to users who have Administrative rights to VCM as part of their VCM role.
Slider: Active Directory
Action:
- View, export, or print enterprise-wide, summary information for Active Directory objects.
- Review alert notifications for the selected AD location.
- Review Active Directory-related changes that occurred from one collection to the next.
- View collected information about Active Directory objects such as Users, Groups, Contacts, Computers, Printers, Shares, and Organizational Units.
Create a machine group structure that matches the organization of the machines in your environment. With these machine groups, you can manage specific machines in your environment such as all SQL Servers in a particular location. You can apply specific changes or create roles and rules for those machines independently from other machines in your environment. This approach ensures that you can restrict access to critical machines to the appropriate users with rights to VCM.
2 Installing and Getting Started with VCM Tools

VCM Installation Manager installs several VCM components and tools on the Collector machine during the installation.

This chapter includes the following topics:
- Install the VCM Tools Only
- VCM Import/Export and Content Wizard Tools
- Run the Deployment Utility
- Package Studio
- Foundation Checker

Install the VCM Tools Only

You can install the VCM tools on a non-Collector Windows machine.
   c. To install a subset of tools, clear the Tools check box and select only the individual tools to install.
4. Click Next.
5. Complete the remaining instructions and click Next.
6. On the Installation Complete page, click Finish.
7. On the Installation Manager page, click Exit.

VCM Import/Export and Content Wizard Tools

Use the Import/Export Tool and the Content Wizard Tool to move or update VCM business objects.
Run the Content Wizard to Access Additional Compliance Content

Use the Content Wizard to import additional VMware content such as VCM Compliance Content Packages. These packages are not available in VCM until you download and import them. Check the VCM Compliance Content Packages to determine if you need to import them.

Prerequisites
Install the Content Wizard. See "Installing and Getting Started with VCM Tools" on page 19.

Procedure
1.
Foundation Checker

Use the Foundation Checker tool to verify that a Windows machine designated as a VCM Collector meets all of the prerequisites necessary to install VCM. Installation Manager uses VCM Foundation Checker to check a machine’s viability for a successful VCM deployment.
3 Configuring VMware Cloud Infrastructure

VCM collects information from your instances of vCenter Server, vCloud Director, and vShield Manager so that you can then use the information to manage and maintain your virtual environment. The collected data appears in the Console under the Virtual Environments node. The information is organized in logical groupings based on the information sources, including vCenter Server, vCloud Director, and vShield Manager.
Figure 3–1. Virtual Environments Configuration Diagram

Managing Agents Virtual Environments

The Managing Agent machines must have the 5.5 Agent or later installed. They must also be configured to manage the secure communication between the vCenter Server, vCloud Director, and vShield Manager instances and the Collector.
Managing Instances of vCloud Director and vApp Virtual Machines

You collect data from vCloud Director instances about their configurations and the resources that vCloud Director manages, and to identify and manage the vApp virtual machine guest operating systems. To fully manage the guest machines, you install the VCM Agent on the virtual machines and manage their operating system.
Linux data type and ESX log data from the ESX service console operating system.
9. "Configure the vSphere Client VCM Plug-In" on page 56
   The vSphere Client VCM Plug-In provides contextual access to VCM change, compliance, and management functions. It also provides direct access to collected vCenter Server, virtual machine host, and virtual machine guest data.
Prerequisites
Verify that the Windows machine that you designated as the Managing Agent is licensed and that it has the VCM Agent 5.5 or later installed. See "Configure Windows Machines" on page 87.

Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. Select the target machines and click Collect on the VCM toolbar.
4. Select Machine Data and click OK.
5.
What to do next
- If your Collector is not configured to use HTTPS, set the HTTPS bypass. See "Configure HTTPS Bypass Setting for Virtual Environments" on page 28.
- Identify the Windows machines as Managing Agents. See "Enable Managing Agent Machines for Virtual Environments" on page 28.
What to do next
- To maintain secure communication, you need the SSL certificates from your instances of vCenter Server, vCloud Director, and vShield Manager. See "Obtain the SSL Certificate Thumbprint" on page 29.
- Configure the collections from your instances of vCenter Server, vCloud Director, and vShield Manager.
  - See "Configure vCenter Server Data Collections" on page 29.
  - See "Configure vCloud Director Collections" on page 37.
Procedure
1. "Add vCenter Server Instances" on page 30
   Add the vCenter Server instances to VCM so that you can license and collect vCenter Server data using the Managing Agent.
2. "Configure the vCenter Server Settings" on page 31
   Configure the Managing Agent, communication, and vCenter Server access options so that VCM can collect host and guest data from the vCenter Server instances.
3.
   The machine information is added to the list.
7. (Optional) Add other vCenter Server instances as needed.
8. When all your vCenter Server instances are added to the list, click Next.
9. On the Information page, review the summary and click Finish.

What to do next
- Configure the vCenter Server settings. See "Configure the vCenter Server Settings" on page 31.
- Manage the Windows operating systems on which vCenter Server instances are running.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vCenter Server instances and click Next.

   Option: Managing Agent
   Description: Select the Windows machine to manage communication between the Collector and the vCenter Server instances. This Windows machine must have the 5.5 Agent or later installed. You can use the Collector as your managing agent.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCenter Server instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vCenter Server instances from which you are collecting and click Next.
6.
Configure vCenter Server Scheduled Collections

Configure VCM to regularly collect vCenter Server data from your vCenter Server machine groups to ensure that you are using current results when you are viewing the data and when running reports or compliance. This action is not required, but scheduling your collections improves your configuration management efficiency.

Procedure
1.
Procedure
1. Click Administration.
2. Select Job Manager > Scheduled.
3. Click Add.
4. Select Collection and click Next.
5. Type a job name and description and click Next. For example, vCenter Server Collections.
6. Select Default filter set and click Next.
7. Select your vCenter Server machine group and click Next. For example, vCenter Server Instances.
8. Configure when the collection job runs and click Next. For example, every four hours starting today.
9.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines > Licensed Virtual Environments.
3. Select the vCenter Servers and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vCenter Servers from which you are collecting and click Next.
6.
What to do next
- For Windows operating system guest machines on which you installed the Agent, collect from the Windows virtual machines. See "Collect Windows Data" on page 93. If you did not install the Agent, see "Install the VCM Windows Agent on Your Windows Machines" on page 91.
- For Linux or UNIX operating system guest machines you must install the Agent. See "Configure Collections from Linux, UNIX, and Mac OS X Machines" on page 120.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Click Add Machines.
4. On the Add Machines page, select Basic: Name, Domain, Type, Automatically license machines, and click Next.
5. On the Manually Add Machines - Basic page, configure these options to identify the instances of vCloud Director.

   Option: Machine
   Description: Name of the vCloud Director instance.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCloud Director instances and click Configure Settings.
4. On the Virtual Environment page, verify that the vCloud Director instances appear in the lower pane and click Next.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vCloud Director instances and click Next.
Prerequisites
Configure the vCloud Director settings. See "Configure the vCloud Director Settings" on page 38.

Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCloud Director instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5.
Option: Reports
Description: Run a configured vCloud Director report. Click Reports and select Machine Group Reports > Virtual Environments > vCloud Director Managed VMs. The report includes the vCloud Director Instance, Organization, Organization virtual datacenter, vApp Name, the VC Machine Name, and the related networking data.
Create reports based on collected vCloud Director objects. Click Reports and select Virtual Object Reports.
vCloud Director 1.0 and 1.5 support a variety of vApp network configurations. VCM supports these scenarios.
- VCM is located in the vApp with the virtual machines that it is managing.
- The vApp has a direct connection to the org network.
- The vApp has a direct connection to the external network.
- The vApp has a one-to-one IP address NAT connection to the organization network with direct connection to the external network.
In a NAT mapped network environment, your best practice is to install the Agent on the vApp template machines. You must manually install the Agent with the HTTP mode enabled, but you must not collect data from these template machines. Collecting from the template machines generates machine-specific information that will cause the virtual machines created from the template to run incomplete collections.
Option: Machine Name Format
Description: Select the format used to display the virtual machine name. You can select the vCenter name for the virtual machine or select a combination of names for the virtual machine that includes the vApp that contains the virtual machine, the vCloud Director organization, and the vCloud Director instance. With these formats, you can easily sort, group, and display the data in VCM.
Option: Use a proxy server
Description: Select Yes if you use a proxy server for communication between the Collector and the Agents on the virtual Windows machines. Select No if you do not use a proxy server or if you are managing Linux or UNIX machines. If the machines you add are Windows machines, you can select a proxy server for communication between the Collector and the Agents on managed machines that are located on the other side of a proxy server.
Option: vDC Name Filter
Description: To run the query against a virtual datacenter in a vCloud Director instance, type the name of the virtual datacenter. SQL wildcard expressions are allowed. Discovers all virtual machines in the virtual datacenter.

Option: vApp Name Filter
Description: To run the query against a vApp, type the name of the vApp.

Option: VM Name Filter
Description: To run the query to add a specific virtual machine, type the name of the machine.
Configure vShield Manager Collections

Configure collections from your vShield Manager instances so that you can run reports on the collected data.

Prerequisites
- Configure your Managing Agent machines. See "Configure Managing Agent Machines for Virtual Environment Management" on page 26.
- To maintain secure communication, you need the SSL certificates from your instances of vShield Manager. See "Obtain the SSL Certificate Thumbprint" on page 29.

Procedure
1.
   Option: Machine
   Description: Name of the instance of vShield Manager.

   Option: Domain
   Description: Domain to which the instance of vShield Manager belongs.

   Option: Type
   Description: Domain type.

   Option: Machine Type
   Description: Select vShield.

6. Click Add. The machine information is added to the list.
7. (Optional) Add other instances of vShield Manager as needed.
8. When all your instances of vShield Manager are added to the list, click Next.
9. On the Information page, review the summary and click Finish.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vShield Manager instances and click Next.

   Option: Managing Agent
   Description: Select the Windows machine to manage communication between the Collector and the vShield Manager instances. This Windows machine must have the 5.5 Agent or later installed. You can use the Collector as your managing agent.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vShield Manager instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vShield Manager instances from which you are collecting and click Next.
6.
1. "Configure the Collector as an Agent Proxy" on page 51
   The Agent Proxy machine is a Windows machine configured to communicate with ESX and ESXi servers and to remotely collect data from those servers. The Collector automatically meets the Agent Proxy requirements. You license the Collector and then collect the Machines data type.
2. "Configure Virtual Machine Hosts" on page 52
   License virtual machine hosts to generate a file containing machine names and settings.
4. License the Collector.
   a. Select Machines Manager > Available Machines.
   b. Select the Collector in the data grid and click License.
   c. On the Machines page of the Available Machines License wizard, verify that the Collector machine name appears in the Selected list and click Next.
   d. Review the Product License Details page and click Next.
   e. Review the Important page and click Finish.
   f.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed ESX/ESXi Hosts.
3. Select the ESX host and click Configure Settings.
4. Add the machines to be configured to the lower grid and click Next. The selected machines will use the same Agent Proxy and the same SSH and Web Services settings.
5. Configure the settings on the Agent Proxy and Communication Setting page.
What to do next
Copy the SSH public key file, the csiprep.py file, and the csiprep.config file to the target ESX machines. See "Copy Files to the ESX/ESXi Servers" on page 54.

Copy Files to the ESX/ESXi Servers

To import target machine information and copy the required files from VCM, you use the UNIX/ESX/vSphere Deployment Utility on your Agent Proxy machines.
8. (Optional) Configure the default server location. The following settings are automatically configured to the default server locations. If you need to change the paths, click the ellipsis button.
   - SSH Public Key file (ESX 3.x only)
   - Log Files Location
   - csiprep.py File (ESX 3.x only)
   - csiprep.config File (ESX 3.x only)
9. (Optional) Configure the VCM user name and password.
Virtualization Collection Results

You have several options for reviewing and using ESX Logs data in VCM. The data used is only as current as the last collection, and the amount of time it takes for the data to display is based on the volume or complexity of the data requested.

Option: Console
Description: View ESX logs. Click Console and select Virtual Environments > ESX Logs.
Prerequisites
- Verify that you are using VMware vCenter 4 Server.
- Verify that the VMware vSphere Client is installed.
- Verify that VMware Tools is installed on the virtual machines.

Procedure
1. On the VCM Collector, browse to [path]\VMware\VCM\Tools\vSphere Client VCM Plugin\bin and double-click VCVPInstaller.exe.
2. In the VCVP Plug-in Registration dialog box, configure the following options.
Prerequisites
Verify that the vSphere Client VCM Plug-In is registered. See "Register the vSphere Client VCM Plug-In" on page 56.

Procedure
1. Select Administration > Settings > Integrated Products > VMware > vSphere Client VCM Plug-In.
2. Select the setting that you want to configure and click Edit Settings.
3. On the Settings Wizard page for each setting, configure the options.
4 Running Compliance for the VMware Cloud Infrastructure

Compliance templates evaluate the virtual environment object data to determine if the objects meet the criteria in the rules. If the property values on an object do not meet the criteria, and if there is no exception defined, then the object is flagged as noncompliant. When an object is noncompliant, the template results provide the details of the settings or configurations that do not match the rules.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.

Prerequisites
Collect virtual environments data. See "Configure Virtual Environments Collections" on page 25.

Procedure
1. "Create Virtual Environment Compliance Rule Groups" on page 60
   Rule groups contain compliance rules and filters.
What to do next
Add a rule to the rule group. See "Create and Test Virtual Environment Compliance Rules" on page 61.

Create and Test Virtual Environment Compliance Rules

You create rules that define the ideal values that objects should have to be considered compliant. The data types correspond to the collected virtual environments data that is displayed in the Console.
Create and Test Virtual Environment Compliance Filters

You can create filters that limit the objects on which the templates run to only the objects that meet the filter criteria. If filters are not defined, the rules are run against all objects in the selected virtual objects group.

The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.

Prerequisites
- Create a rule group. See "Create Virtual Environment Compliance Rule Groups" on page 60.
- Create a rule. See "Create and Test Virtual Environment Compliance Rules" on page 61.
- Create compliance filters. See "Create and Test Virtual Environment Compliance Filters" on page 62.
Prerequisites
Create a rule group. See "Create and Test Virtual Environment Compliance Rules" on page 61.

Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Templates.
3. Click Add.
4. Type the Name and Description in the text boxes and click Next. For example, Tools Running Not vCenter_Dev and a description.
5. Move the rule group, for this example, Guest Tools Running, to the list on the right and click Next.
6.
What to do next
- If you find results that you want to temporarily make compliant or noncompliant, create an exception. See "Create Virtual Environment Compliance Exceptions" on page 67.
- Evaluate the results and resolve any issues on the noncompliant objects.

Create Virtual Environment Compliance Exceptions

To temporarily or permanently override the specific template results, use exceptions rather than explicitly resolve noncompliant results.
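The order in which this chapter's filters, rules, and exceptions decide a result can be followed in a small model. This is an added example, not VCM code or a VCM API: it uses the guide's running case (VMware Tools running on guests, vCenter_Dev filtered out, RHEL_60_ProdDev as the approved exception), while the other machine names, the tools_running property name, and the expiry date on temporary exceptions are assumptions.

```python
"""Model of how a virtual environment compliance template reaches a result:
filter -> rule -> exception. Illustration only; not VCM code or a VCM API."""
from dataclasses import dataclass
from datetime import date
from typing import Callable, Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Guest:
    name: str            # virtual machine object name
    vcenter: str         # vCenter Server instance that manages the guest
    tools_running: bool  # hypothetical property name for "VMware Tools is running"


@dataclass(frozen=True)
class ComplianceException:
    object_name: str                # models the guide's "Object = name" exception value
    override: str                   # "compliant" or "noncompliant"
    expires: Optional[date] = None  # assumption: None is permanent, a date is temporary

    def applies(self, guest: Guest, today: date) -> bool:
        if guest.name != self.object_name:
            return False
        return self.expires is None or self.expires >= today


Result = Tuple[str, str]  # (status, decided by "rule" or "exception")


def run_template(
    guests: Iterable[Guest],
    rule: Callable[[Guest], bool],
    filters: Iterable[Callable[[Guest], bool]],
    exceptions: Iterable[ComplianceException],
    today: date,
) -> Dict[str, Result]:
    filters = list(filters)
    exceptions = list(exceptions)
    results: Dict[str, Result] = {}
    for guest in guests:
        # Filters limit which objects the rule runs against; with no filters
        # every object in the group is evaluated.
        if not all(f(guest) for f in filters):
            continue
        status = "compliant" if rule(guest) else "noncompliant"
        decided_by = "rule"
        # An exception that is still in force overrides the rule result.
        for exc in exceptions:
            if exc.applies(guest, today):
                status, decided_by = exc.override, "exception"
                break
        results[guest.name] = (status, decided_by)
    return results


def tools_running_rule(guest: Guest) -> bool:
    return guest.tools_running


def not_vcenter_dev(guest: Guest) -> bool:
    return guest.vcenter != "vCenter_Dev"


def noncompliant(results: Dict[str, Result]) -> list:
    return sorted(n for n, (status, _) in results.items() if status == "noncompliant")


# Constructed sample inventory; only vCenter_Dev and RHEL_60_ProdDev come from the guide.
GUESTS = [
    Guest("WIN_2008_Web01", "vCenter_Prod", True),
    Guest("RHEL_60_ProdDev", "vCenter_Prod", False),
    Guest("RHEL_60_DB02", "vCenter_Prod", False),
    Guest("WIN_7_Test", "vCenter_Dev", False),
]
TODAY = date(2013, 6, 1)  # fixed so the run is repeatable

if __name__ == "__main__":
    permanent = [ComplianceException("RHEL_60_ProdDev", "compliant")]
    lapsed = [ComplianceException("RHEL_60_ProdDev", "compliant", date(2013, 1, 1))]
    for label, excs in (("permanent exception", permanent), ("lapsed exception", lapsed)):
        res = run_template(GUESTS, tools_running_rule, [not_vcenter_dev], excs, TODAY)
        print(label, "->", noncompliant(res))
```

The second run shows why exceptions deserve periodic review: once a temporary exception lapses, the object it covered returns to the noncompliant results.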
8. To define the exception values, modify, delete, or add to the properties, operators, and values for the selected results. In this example, you are specifying the RHEL_60_ProdDev as the exception.
   a. Click Add.
   b. In the properties drop-down menu, select Object.
   c. Select = as the rule operator.
   d. Click the ellipsis button and select RHEL_60_ProdDev in the property values dialog box and click OK.
9. Click Finish.

What to do next
- Run the template.
Procedure
1. Click Compliance.
2. Select Virtual Environments Compliance > Templates > {template name}.
3. In the Status column, identify the rule results that are noncompliant.
4. Identify the affected physical or virtual machines or virtual objects, and determine the expected value of the property. For example, click and drag the Status column heading and the Rule column heading to the filter.
To create an exception in this example, a virtual machine, RHEL_60_ProdDev, is approved to be excluded from the noncompliant results because you never require VMware Tools to be running on this machine.

Prerequisites
Create a template. See "Create Virtual Environment Compliance Templates" on page 63.

Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Templates > template name.
3.
Prerequisites
Create at least one virtual environments compliance template. See "Create and Run Virtual Environment Compliance Templates" on page 59.

Procedure
1. "Create Virtual Environment Compliance Alert Rules" on page 69
   Alert rules are the conditions you define that determine when an alert is generated. Virtual environment alert rules are based on virtual environment compliance templates.
2.
Prerequisites
- Verify that you have virtual environment alert rules. See "Create Virtual Environment Compliance Alert Rules" on page 69.
- Review the automated response options, which you configure in this procedure, in the online Help.

Procedure
1. Click Administration.
2. Select Alerts > Virtual Environments Configurations.
3.
Procedure
1. Click Administration.
2. Select Job Manager > Scheduled.
3. Click Add.
4. Select Compliance and click Next.
5. Type a name and description in the text boxes and click Next.
6. Select the virtual environment template and click Next.
7. Select the virtual objects against which to run the template assessment and click Next.
8. Configure frequency, time of day, and duration for the job and click Finish.
9.
5 Configuring vCenter Operations Manager Integration

Integration of VCM with vCenter Operations Manager reports VCM configuration change events and standard compliance results in vCenter Operations Manager.
Procedure
1. In VCM, click Administration.
2. Select Settings > Integrated Products > VMware > vCenter Operations Manager > Change Events.
3. Configure VCM to report a UNIX data type, such as UNIX Patch Assessment, to vCenter Operations Manager.
   a. Select UNIX Patch Assessment - Report to vCenter Operations Manager, and click Edit Setting.
   b. Click Yes to report the data.
   c. Click Next and click Finish.
4.
Prerequisites
- Ensure that the VCM adapter is registered with the correct user account in vCenter Operations Manager. See "VCM Registration in vCenter Operations Manager for Integration" on page 73.
- Verify that VCM is configured to collect data from the same vCenter Server instances that vCenter Operations Manager manages. See "Configure vCenter Server Data Collections" on page 29.
Prerequisites
- Use the Content Wizard tool to download compliance templates created by VMware, for example, the vSphere Hardening Guides and other standards. The Content Wizard is available from the Start menu on the Collector machine.
- Create compliance templates that are specific to your environment to include in the mappings. The template names should not include the | character.
Option | Description
Roll Up Type | Select the method used to calculate how the score for the templates in a mapping is determined. Scores are always between 0 and 100. A score of 0 indicates that all the rules are noncompliant. A score of 100 indicates that all the rules are compliant.
Select Group Context
- Simple Percentage: Percentage of the template results that are compliant.
Procedure
1. Click Compliance.
2. Select vCenter Operations Manager Badge Mapping > Mappings.
3. Select a mapping and click Run.
4. Click OK.

All templates included in the mapping are run and the score calculated. The template results are in the individual template results data grid and the score is available in the vCenter Operations Manager Compliance Rollup dashboard.
Procedure
1. Click Administration.
2. Select Job Manager > Scheduled and click Add.
3. Select vCenter Operations Manager Compliance Badge Mapping Run and click Next.
4. Type a name and description and click Next.
5. Select one mapping and click Next.
6. Use the scheduling options to schedule when the mapping runs. Schedule the job to run at the frequency at which you want refreshed results to be available to pull into vCenter Operations Manager.
What to do next
Resolve the noncompliant results. See "Resolve Noncompliant Virtual Environments Template Results" on page 66.

Scoring Badges for vCenter Operations Manager Standards Compliance

Badge scores are values that appear in a vCenter Operations Manager Compliance badge, and which also contribute to the dashboard values for the Risk badge.
Compliance mappings should include templates that evaluate your environment in a way that helps to identify performance issues. For example, you have an object setting that should be addressed if it is found to be noncompliant from the configuration standard, but it does not require immediate attention.
- VCM Only scores are available only in VCM. The VCM Only mapping scores are not pulled into vCenter Operations Manager.
Simple Rule Percentage is the percentage of compliance rules in the templates that passed as compliant. If any of the results are non-compliant, the rule is non-compliant. This option does not weight the rules based on severity. For example, the simple rule percentage is 40. This score is calculated based on two compliant rules out of a total of five rules.

Table 5–3.
Table 5–5.
Detail Level Score | Midpoint | Magnitude | Calculation | Adjusted Score
100 | 50 | 10 | 100-50=50; 50*10%=5; 100+5=105 | 100

Table 5–7.
6 Auditing Security Changes in Your Environment

The VCM Auditing capability tracks all changes in the security aspects of VCM. Security-related events are written to the Windows Event Log, which is stored on the Collector, and is independent of the VCM application. The format of the event log prohibits any modifications to the recorded entries, which makes it a secure and tamper-proof auditing record of changes in security.
Procedure
1. To view the VCM Auditing settings, click Administration.
2. Select Settings > General Settings > Auditing.
3. To change an auditing setting, highlight a setting and click Edit Setting.

When you change an auditing setting, the VCM Auditing data grid displays the user’s name in the Last Modified By column.

What to do next
For details about the Auditing settings and the Windows Event Log, see the online help.
7 Configuring Windows Machines

To manage your virtual and physical Windows machines, you must verify domains and accounts, discover and license those machines, install the VCM Agent, and collect Windows data from those machines. You can also collect Windows Custom Information.
Procedure
1. Verify Available Domains
   Allow VCM access to each domain so that the VCM Collector can interact with the Windows machines in your environment.
2. Check the Network Authority
   Verify that at least one domain account with administrator privileges is available to act as a network authority account for VCM.
3.
What to do next
Verify that a network authority account is available and create other necessary domain accounts. See "Check the Network Authority" on page 89.

Check the Network Authority

Verify that at least one domain account with administrator privileges is available to act as a network authority account for VCM.
Discover Windows Machines

In your network, identify the Windows machines that you are managing with VCM. To discover the available Windows machines, VCM uses general discovery rules to identify many Windows machines or uses specific discovery rules to identify particular Windows machines. The time required to perform an initial discovery depends on the size and composition of your network.
The number of discovered Windows, UNIX, or Linux machines might exceed the number of your available licenses. If that happens, the number available goes negative and appears in red to indicate that you do not have enough licenses. For servers and workstations, exceeding the limit on your license key produces warnings but does not restrict VCM operation. License key counts that are over the limit are recorded and maintained for auditing purposes.
Locking the VCM Agent on VCM managed machines is typically done in environments that have multiple VCM Collectors, to help prevent these Agents from being unintentionally upgraded or removed. The VCM Agent on the VCM Collector is locked, because it is installed as part of the VCM installation and is required for VCM Collector operations. The version of the VCM Agent on the Collector must also match the version of VCM installed.
Option | Description
Install using a proxy server | For Windows Proxies and Windows Agents only. If the target machine is separated from the Collector by a proxy server, this option instructs the installation process to check for available proxy servers.
Lock the machine after installation | Ensures that VCM will not uninstall the Agent or replace it with a different version.
Reinstall Agent | Overwrites an installed Agent.

6.
A delta collection includes only the differences between the data on the target machine and the data stored in the VCM database. If you need a full collection, you can specify that VCM collect all data again. A full collection can take a significant amount of time depending on the number of VCM managed Windows machines from which you are collecting.
After the initial discovery is finished, perform a weekly discovery to update the list of available Windows machines. To schedule a VCM discovery job, click Administration, select Job Manager > Scheduled, and follow the wizard.

Option | Description
Console | Displays dashboards and reports based on collected data. Use the Console to view data that is relevant to day-to-day operations, troubleshooting, and analysis.
Figure 7–1. Windows Custom Information Collection Process

To extend the data collected by VCM from managed Windows machines using other VCM data types, collect Windows Custom Information. The example used to get you started collecting WCI data is for PowerShell. Follow the same basic procedures to configure and run Python scripts. Configure the prerequisites and create and validate your script.
Prerequisites
- Write your own PowerShell script to return data in a VCM compatible, element-normal XML format, or obtain PowerShell scripts from VMware Professional Services or another source. See "Using PowerShell Scripts for WCI Collections" on page 97.
- Understand the script signing policies if you use PowerShell 2.0. See "PowerShell Script Signing Policies" on page 101.
- Set the PowerShell execution policy on the VCM managed machine.
Guidelines in PowerShell Scripting for WCI

When you develop custom PowerShell scripts to collect the Windows Custom Information (WCI) data type from VCM managed Windows machines, follow these guidelines.
- Make XML element names unique at the same level. For example, you can specify two child nodes that are not siblings.
- Make attributes unique at the same level.
- Use unique XML element names to generate valid VCM XML.
The split method of PowerShell strings in the $schtasks script separates the columns of the $schtasks rows into separate values in arrays.
- Column names row provides the names to use for attributes.
- Corresponding data from the scheduled task rows provides the values to use for these attributes.

The top-level name of is an arbitrary name that you apply to distinguish the results of this script from other results.
Column Names Include Spaces

Running the schtasks command without any options displays a column name of Next Run Time. Because this name includes spaces, you cannot use it as an attribute name in an XML document. Running the schtasks command verbosely generates other column names that include spaces. Although you cannot use these invalid names as attribute names, you can preserve the names by using VCM encoding standards.
To preserve the user-friendly name, use the task name as the element name for the task rows. When you create a collection filter that uses your script, you must select the incremental duplicate handling option so that the collection process includes an incremental entry in the list of entries where the same task name appears multiple times. For example, in a sample test environment, many Windows machines had more than one task named GoogleUpdateTaskMachineCore.
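The scripting guidelines, the rule against spaces in names, and the repeated-task-name case can all be checked on a script's output before the script is pasted into a collection filter. The following PowerShell is an added example, not VMware's code; the function name Test-WciXml, the root element name ScheduledTasks, and both sample documents are constructed for illustration.

```powershell
# Added example, not VMware's code: pre-flight check for the XML text that a
# WCI collection script writes to the console.

function Test-WciXml {
    param([string]$XmlText)

    $findings = New-Object System.Collections.ArrayList

    # Step 1: the text must be well-formed XML. A raw column name such as
    # "Next Run Time" fails here, because an element name cannot contain spaces.
    $doc = New-Object System.Xml.XmlDocument
    try {
        $doc.LoadXml($XmlText)
    }
    catch {
        [void]$findings.Add("Not well-formed XML: " + $_.Exception.Message)
        $result = $findings.ToArray()
        return ,$result
    }

    # Step 2: walk the tree and count element names among siblings.
    # The get_*() accessors are called explicitly because PowerShell's XML
    # adapter lets a child element named "Name" shadow the .Name property.
    $root = $doc.get_DocumentElement()
    $pending = New-Object System.Collections.Stack
    $pending.Push(@{ Node = $root; Path = "/" + $root.get_Name() })

    while ($pending.Count -gt 0) {
        $item = $pending.Pop()

        # Case-sensitive table: XML treats <Task> and <task> as different names.
        $counts = New-Object System.Collections.Hashtable

        foreach ($child in $item.Node.get_ChildNodes()) {
            if ($child.get_NodeType() -ne [System.Xml.XmlNodeType]::Element) { continue }
            $name = $child.get_Name()
            $counts[$name] = 1 + [int]$counts[$name]
            $pending.Push(@{ Node = $child; Path = $item.Path + "/" + $name })
        }

        foreach ($name in $counts.Keys) {
            if ($counts[$name] -gt 1) {
                [void]$findings.Add("Element <$name> occurs $($counts[$name]) times under $($item.Path): " +
                    "make the names unique or select incremental duplicate handling in the collection filter")
            }
        }
    }

    $result = $findings.ToArray()
    return ,$result
}

# Constructed sample: two tasks share one name, as in the
# GoogleUpdateTaskMachineCore case described in the text.
$repeatedTaskName = @'
<ScheduledTasks>
  <GoogleUpdateTaskMachineCore><Status>Ready</Status></GoogleUpdateTaskMachineCore>
  <GoogleUpdateTaskMachineCore><Status>Ready</Status></GoogleUpdateTaskMachineCore>
  <Defrag><Status>Disabled</Status></Defrag>
</ScheduledTasks>
'@

# Constructed sample: a column name with spaces used directly as an element name.
$rawColumnName = @'
<ScheduledTasks><Task-1><Next Run Time>N/A</Next Run Time></Task-1></ScheduledTasks>
'@

foreach ($sample in @($repeatedTaskName, $rawColumnName)) {
    $report = Test-WciXml -XmlText $sample
    if ($report.Count -eq 0) { "No findings" } else { $report }
}
```

The first sample yields one duplicate-sibling finding under /ScheduledTasks; the second stops at the parser error, which is the same failure the collection would hit when it parses the script results.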
- In-line: The default WCI filter uses an in-line script to collect basic information about the PowerShell version, .NET version, and execution policy settings. The in-line option requires a collection script that is represented as a single line of PowerShell code. Because the filter runs an in-line script on the PowerShell command line, instead of using a file, the execution policy does not apply.
The schtasks command returns basic information about scheduled tasks. The data returned by schtasks includes multiple rows. PowerShell structures the $schtasks variable in an array. For example, $schtasks[0] represents the first row. To view the result set, use $schtasks[n], which displays the following status:
- $schtasks[0] is blank.
- $schtasks[1] contains column names.
- $schtasks[2] is the first row of task data.
function ToCMBase64String([string]$input_string)
{
    return [string]("cmbase64-" + [System.Convert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($input_string))).
{
    $hostcol = $j++
}
else
{
    if (([string]$cols[$j]).toupper() -eq "TASKNAME")
    {
        $namecol = $j++
    }
    else
    {
        $j++
    }
}
}
#save first column name, to check for repeated column rows
$firstcol = $cols[0]
#encode each column name
for ($j=0;$j -lt $cols.count;$j++)
{
    $cols[$j] = [string](ToCMBase64String($cols[$j]))
}
#loop through each row
#start at $k+1, because the first row may be blank, and the first populated row is column names
for ($i=$k+1;$i -lt $schtasks.
if ($task[0] -ne $firstcol)
{
    #if we did not find a TaskName column, just tag each row as Task-n
    if ($namecol -gt -1)
    {
        $clTasks += "<" + [string](ToCMBase64String($task[$namecol])) + ">"
    }
    else
    {
        $clTasks += ("")
    }
    for ($j=0;$j -lt $task.
} #end row loop
}
$clTasks += ("")
write-host $clTasks

5. After you generate your PowerShell script, perform the following steps:
   - Build a collection filter in VCM.
   - Paste the content of your script into the collection filter.
   - Collect data using the script-based collection filter.

To view the collected WCI data in VCM, click Console and select Windows Operating System > Custom Information > List View.
Collecting Windows Custom Information

To collect Windows Custom Information (WCI) using script-based filters, you create and verify your custom PowerShell scripts, install PowerShell on the VCM managed machines, and use VCM to collect the WCI data. VCM supports PowerShell and Python to create WCI collections. These procedures use PowerShell as the example.

Procedure
1.
WCI internally stores data in a hierarchy, so your collection script must provide the complete data structure in the standard tree view. The root element in the XML result data set becomes a top-level root element in the WCI data type node. Child elements appear in the same locations in VCM as the locations they populate in the XML document returned by the script.

Prerequisites
- Understand how to write and run PowerShell scripts.
What to do next
Install PowerShell on your VCM managed machines. See "Install PowerShell" on page 110.

Install PowerShell

Verify that PowerShell 2.0 is installed on each VCM managed Windows machine used to collect Windows Custom Information (WCI). PowerShell 2.0 is supported on all platforms that support PowerShell 1.0.
- PowerShell is installed by default on Windows 2008 R2 and Windows 7 machines.
CAUTION Do not limit collections to deltas when you select a data type in the Collect wizard. If you limit collections to deltas, VCM purges all existing WCI data from the managed machine's master file and from the VCM database, and replaces the WCI data with newly collected data. You must select the option in the Collect wizard so that VCM does not purge WCI data during collections.

Prerequisites
See "Prerequisites to Collect Windows Custom Information" on page 96.
Procedure
1. On your VCM Collector, click Collect.
2. On the Collection Type page, select Machine Data and click OK.
3. On the Machines page, select the managed machines from which to collect WCI data and click Next.
4. Click Select Data types to collect from these machines and click Next. VCM runs a default collection filter for the data type you select.
5. Select Do not limit collection to deltas and click Next.
Procedure
1. On your VCM Collector, click Administration.
2. Select Job Manager > History > Instant Collections > Past 24 Hours.
3. In the Instant Collections pane, select a collection job that includes WCI data.
4. In the Job History Machine Detail pane, select View Details. A single row appears for each WCI filter that ran in the collection job. Information about the WCI script and the script results parsing appears in the row.
5.
Procedure
1. On your Collector, click Console.
2. Select Windows > Operating System > Custom Information.
3. Select a view of the collected WCI data.

Option | Description
Tree View Standard | Tree hierarchy view based on the data structure in your PowerShell script.
Tree View Consolidated | Tree hierarchy that displays data across multiple elements simultaneously with the data consolidated from one level of the tree.
Troubleshooting Custom PowerShell Scripts

If you encounter problems when you run custom PowerShell scripts, run the script as a .ps1 file and correct any errors before you use the script with a VCM collection filter.

Prerequisites
- Verify that your script runs in PowerShell. See "Verify that Your Custom PowerShell Script is Valid" on page 109.
- Understand the PowerShell script signing policies. See "PowerShell Script Signing Policies" on page 101.

Procedure
1.
8 Configuring Linux, UNIX, and Mac OS X Machines

To manage machines running Linux, UNIX, and Mac OS X operating systems, you must license the machines, install the VCM Agent on the machines, and begin collecting data. The Agent manages the communication between the VCM Collector and the Linux, UNIX, and Mac OS X machines. You can use VCM to install the Agent on the target machines, or you can install the Agent using a manual process. For the manual Agent installation process, see the online Help.
Figure 8–1. Linux, UNIX, and Mac OS X Managed Machines Diagram

Installation Delegates for Linux, UNIX, and Mac OS X Agent Installations

The Installation Delegate machines run a supported Windows operating system and must have the 5.5 Agent or later installed. They must also be configured to manage the secure communication between the target Linux, UNIX, or Mac OS X machines and the Collector.
Linux, UNIX, or Mac OS X Installation Credentials

The installation credentials required to install the VCM Agent on Linux, UNIX, or Mac OS X machines must have sufficient privileges to copy the Agent files to the target machines and run the installation process. You have several options for providing the credentials, including during the installation process at a job or object level, or configuring the credentials as administrative parameters.
1. Installation wizard Object level credentials
2. Installation wizard Job level credentials
3. Administrative parameter Machine context credentials
4. Administrative parameter Machine Group context credentials
5. Administrative parameter Domain context credentials
6. Administrative parameter SRF Action Script Global context credentials

Credential Processing Scenarios

The following scenarios further demonstrate how the credentials are processed.
5. "Install the VCM Agent on Linux, UNIX, and Mac OS X Operating Systems" on page 125
   To enable communication between the Collector and the managed machines, install the VCM Agent on Linux, UNIX, or Mac OS X machines.
6. "Collect Linux, UNIX, and Mac OS X Data" on page 132
   To begin managing the machine on which you installed the VCM Agent, you must perform an initial collection, which adds the data to VCM.
Prerequisites
Verify that the Installation Delegate machine is licensed and that it has the VCM Agent 5.5 or later installed. See "Configure Windows Machines" on page 87.

Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. Select the target machines and click Collect on the VCM toolbar.
4. Select Machine Data and click OK.
5.
Enable Installation Delegate Machines for Linux Agent Installation

Installation Delegate machines must be enabled to perform the necessary communication between the VCM Collector and your target Linux, UNIX, and Mac OS X machines.

Prerequisites
Ensure that the Installation Delegate machines are trusted machines. See "Set the Trust Status for Linux Agent Installation Delegate Machines" on page 122.

Procedure
1. Click Administration.
2.
When you use VCM to install the Agent, the installation process uses SSH to copy the Agent files from the Installation Delegate machine to the target machines using ordinary user credentials, and then installs the Agent as root user. Sensitive administration passwords are stored using the Local Data Protection Service API.
a. Configure machine information.

Option | Action
Machine | Type the name of the machine. You can use NetBIOS or Fully-Qualified Domain Name (FQDN) notation for the name. If your Collector cannot resolve a host name with a DNS Server, use an IP address rather than a machine name.
Domain | Type or select the domain to which the machine belongs.
Type | Select the domain type.
Machine Type | Select the machine type.
Port | Type the port number.
This procedure uses VCM to install the Agent on your target machines. You might also use a manual process. See the online Help for the steps to manually install the Agent on your Linux, UNIX, and Mac OS X machines.

Prerequisites
- If you are not using the Collector as your Installation Delegate machine, configure a managed Windows machine as your Installation Delegate.
If you select User Name, Password, and Root Password at the object level, you configure each target machine individually. If you select the options at the job level, you configure the options for all the target machines for this installation action. The default Thread Pool Size is 10. This option determines how many Agent installations can run in parallel during one installation action.
Installation Options with Default Values | Description
CSI_BIND_IP | Binds the Agent to a single IP address. This value is only honored in daemon mode.
CSI_NO_LOGIN_SHELL=+S:+A:+/sbin/noshell+/bin/false+/sbin/false+/usr/bin/false+/sbin/nologin | The CSI_USER account must not have a login shell. This parameter lists all valid no-login shells and is used to verify the CSI_USER has no-login shell.
Installation Options with Default Values | Description
CSI_USER=csi_acct | Keep the default value. The user assigned to the cfgsoft group. The CSI listener process runs under this user.
CSI_CFGSOFT_GID=500 | Keep the default value. The Group ID of the cfgsoft group. This value can change if the GID is already in use. This group is for high-security access.
Installation Options with Default Values | Description
CSI_PARENT_LOG_DIRECTORY=default | Specifies where agent operational log files are kept. The log directory is CSI_PARENT_LOG_DIRECTORY/CMAgent/log. The default value indicates to use these values.
  - Linux: /var/log
  - AIX, HP-UX, and Solaris: /var/adm
  - Mac OS X: log ->private/var/log/CMAgent/log
CSI_KEEP_CSIINSTALL=N | Recommend keeping the default value.
Installation Options with Default Values | Description
CSI_LOCALE= | Keep the locale configuration option unspecified in the csi.config file when installing the Agent. If you configure the value, it supersedes the data encoding locale on the target operating system. The locale, which should be a UTF-8 locale, affects the internal data conversions on non-ASCII data performed by VCM, but the setting does not affect how the collected data is displayed in VCM.
scripts use the previous precedence rules to evaluate and generate a default value that is displayed during the installation of the Agent. If you select a non-UTF-8 locale, the Agent installation uses the locale, but the process logs and displays a warning.
What to do next
- Review the collected data from the managed machines. See "Linux, UNIX, and Mac OS X Collection Results" on page 133.
- (Optional) Schedule regular data collections from managed machines. See "Configure Scheduled Linux, UNIX, and Mac OS X Collections" on page 133.

Linux, UNIX, and Mac OS X Collection Results

Collected Linux, UNIX, and Mac OS X data appears in the VCM data grids and is available for several management actions.
This action is not required, but scheduling your collections improves your configuration management efficiency.

Prerequisites
Verify that your Linux, UNIX, and Mac OS X machines are managed machines. See "Configure Collections from Linux, UNIX, and Mac OS X Machines" on page 120.

Procedure
1.
12. To add more than one operating system to your filter, select or for the Connect the conditions below with option.
13. Click Add, configure the filter, and click Next.
    a. In the data property drop-down list, select OS Name.
    b. In the operator drop-down list, select like.
    c. In the property value text box, type or select the operating systems. You can use % as a wild card.
Procedure
1. Click Administration.
2. Select Job Manager > Scheduled.
3. Click Add.
4. Select Collection and click Next.
5. Type a job name and description and click Next. For example, Dynamic Linux Collection.
6. Select Default filter set and click Next.
7. Select your Linux machine group and click Next. For example, Dynamic Linux Group.
8. Configure when the collection job runs and click Next. For example, every four hours starting today.
9.
9 Patching Managed Machines

VCM patch assessment, deployment, and verification ensures continuous security in your environment through proactive compliance of your IT infrastructure. VCM ensures that your managed machines have the latest security patches and other software installed.
Deploying patches to Linux, UNIX, or Windows managed machines requires the use of a patch assessment template. After you patch Linux, UNIX, or Windows managed machines, VCM runs a delta collection on the patching data for the managed machines to ensure that the next assessment provides the correct patch status. VCM retains the Linux and UNIX patching change actions in the change log. These actions are available in VCM Compliance and VCM Reports.
- You must manage your own patch repository. A temporary expansion of the patches occurs in the /tmp directory. For single-user mode, patches are extracted to /var/tmp. If you do not use the machine group mapping to define an alternate location for the patches, VCM uses the default location of /tmp.
- Store the Linux and UNIX patches in a location that is available locally to the VCM managed machine, such as an NFS mount or a local hard drive.
If you encounter problems during automatic or manual patch deployment, see the VCM Troubleshooting Guide.

Requirements to Patch Solaris Machines in Single-User Mode

VCM can deploy patches to Solaris machines in single-user mode (run level 1). In this mode, only the system administrator uses the managed machine, and minimal system services are running, such as logins.
Procedure
1. Store the patches in a local location on the target managed machine. You can extract the patches in this location, if desired. On Solaris machines, do not use the location of /tmp, because reboots initiated by the patches clear the content in this directory.
2. Verify that adequate disk space exists on the managed machines for VCM to extract the patches.
   - For Linux and UNIX machines other than Solaris, verify that adequate space exists in /tmp.
Figure 9–1. Manually Patching Managed Machines with VCM

To manually patch Linux and UNIX machines, you can use a Red Hat Linux 6, 64-bit patching repository machine with the Software Content Repository (SCR) Tool installed. You configure the communication protocols on the patching repository machine, download and configure the Software Content Repository (SCR) Tool, and download the patches.
Getting Started with VCM Manual Patching

You can use VCM to manually assess the patching state of Linux, UNIX, and Windows managed machines, and manually deploy patches to those machines.
- "Getting Started with VCM Manual Patching for Linux and UNIX Managed Machines" on page 143
- "Getting Started with VCM Manual Patching for Windows Managed Machines" on page 150

To configure your environment for automated patching with VCM 5.
What to do next
Run patch status reports on Linux, UNIX, and Windows managed machines. See "Running Patching Reports" on page 180.

Configuring the Patching Repository for Manual Patching

To manually patch Linux and UNIX machines, you can use a Red Hat Linux 6, 64-bit patching repository machine with the Software Content Repository (SCR) Tool installed.
Procedure
1. Click Patching.
2. Select Linux or UNIX platform > Bulletins > By Bulletin.
3. Click Check for Update, select an update option, and click Next. VCM locates the bulletins and copies them to your local file system.

What to do next
Identify the patch bulletins collection criteria. See "Create Linux and UNIX Patch Assessment Filters" on page 145.
Linux and UNIX patch assessments require you to collect new patch status data from managed machines. These patch assessments operate differently from VCM patch assessments on Windows managed machines, which run on previously collected data. If you did not collect machine data, the patch assessment results might not appear and the managed machine might not be available for deployment, which would result in a patch-machine mismatch status.
8. To view the patch assessment results, click Linux or UNIX platform and click Assessment Results > All Bulletins.

What to do next
Review the results of the patch assessment and obtain the required patches. See "Review Patch Assessment Results" on page 147.

Review Patch Assessment Results

You can view the results of the patch assessment of Linux and UNIX managed machines.
Status | Description
Incorrect MD5 | MD5 Hash generated from the patch signature (PLS) file, which contains the content and signature, does not match the expected value on the Linux or UNIX managed machine. Be aware that MD5 is NOT validated against the vendor MD5 hash data.
Patch Patch status of the managed machine cannot be determined.
IMPORTANT If a failure occurs at any time during the patch deployment job, the System Administrator must check the status of the system, resolve any issues, then reassess the managed machines. In a job chain, a failure in any step of the job breaks the job chain, which causes all subsequent job steps to not run.

Prerequisites
- Verify that your Linux and UNIX managed machines and operating systems are supported for patch deployment. See the VCM Installation Guide.
    a. Select Stage patches manually, and set the time and date for patch staging.
    b. Select whether to have VCM deploy the patches to target managed machines immediately or later, and set the time and date for patch deployment.
10. Set the reboot schedule options and click Next.
    a. Select whether to reboot the managed machine after VCM installs the patches.
    b. If you have VCM reboot the machine, set the reboot message and delay.
11.
3. "View Windows Bulletin Details" on page 152
   You can view detailed information about Windows patch bulletins, including technical details, recommendations, and whether a reboot of the managed machine is required.
4. "Collect Data from Windows Machines by Using the VCM Patching Filter Sets" on page 153
   To obtain the current patch status of Windows managed machines, collect patch data from those machines.
Download Patches for Windows Patch Deployment
You can download patches for deployment to Windows managed machines based on the bulletins included in a patch assessment template. When you download patches, VCM first determines whether the patches exist on the VCM Collector, then checks the download Web site. If VCM finds the patches, you can download them.
What to do next
Use filter sets to collect data from Windows managed machines. See "Collect Data from Windows Machines by Using the VCM Patching Filter Sets" on page 153.

Collect Data from Windows Machines by Using the VCM Patching Filter Sets
To obtain the current patch status of Windows managed machines, collect patch data from those machines. VCM requires that you collect current information about the File System, Hotfixes, Registry, and Services Windows data types.
Procedure
1. Click Patching and select Windows > Bulletins > By Bulletin.
2. Select a bulletin.
3. Click Details, read the technical details for the affected products and vendor recommendations, and read the deployment summary to identify any issues that might interfere with the distribution of the bulletin.
4. Click On the Web to link to vendor information about the bulletin.
5. Review all of the bulletins to include in the assessment template.
6.
The Not Patched column displays machines that require a patch or a reboot for an applied patch. From the Summary view, you can navigate to the affected managed machines.

What to do next
Deploy patches. See "Deploy Patches to Windows Machines" on page 155.

Deploy Patches to Windows Machines
You can deploy patches to Windows machines that are managed by VCM. These machines appear in the Licensed Machines node in VCM Administration Machines Manager.
11. Click Next again to either schedule the deploy job or to instruct VCM to run the job immediately.
12. On the Reboot Options page, select to not reboot the machine and click Next.
13. On the confirmation page, click Finish to deploy the patch. When the deployment finishes, VCM runs a delta collection of the Patching Security Bulletins filter set to update the assessment information.
14.
Figure 9–2. Automatic Patching of Linux and UNIX Managed Machines with VCM

Prerequisites
Understand the patch assessment and deployment actions, and perform the prerequisite tasks. See "Prerequisite Tasks and Requirements" on page 138.

Procedure
1.
To ensure that Linux, UNIX, and Windows managed machines always include the latest patches, you can have VCM deploy patches to the managed machines when certain events occur in your environment. After you perform the initial configuration for the automatic deployment, no intervention is required to deploy patches to managed machines.
5.
Procedure
1. Download and install the latest version of Java and the Oracle Java Cryptography Extension (JCE), which is used for Software Content Repository (SCR) Tool password encryption.
2. Install the VCM 5.7 Linux Agent on the patching repository machine. See the VCM online help.
3. Install and configure the service that supports the desired communication method used by the managed machines.
4. Configure the communication protocol.
Prerequisites
Verify that you can access the VCM documentation page at https://www.vmware.com/support/pubs/vcm_pubs.html.

Procedure
1. On the VCM documentation page, click Current Product Download.
2. On the Download VMware vCenter Configuration Manager Web site, click Drivers & Tools.
3. Expand VMware vCenter Configuration Manager Tools.
4. For your VCM version, click Go to Downloads.
5.
Procedure
1. On the patching repository machine, download the runtime properties files tarball from the same Web site where you downloaded the SCR Tool tarball or zip file.
2. Extract the contents of the runtime properties tarball into the /SCR/conf directory. The properties files must be named as follows.
   - AIX-rt.properties
   - HPUX-rt.properties
   - logging.properties
   - MAC-rt.properties
   - SOLARIS-rt.properties
   - REDHAT-rt.properties
   - SUSE-rt.properties
3.
Follow this procedure for each Red Hat Linux alternate location patch repository machine in your environment.

Procedure
1. On the Red Hat Linux alternate location machine, configure the protocol to receive patches from the patching repository machine.
2. Configure the protocol to communicate with the target managed machines so that the managed machines can copy patches from the alternate location machines.

What to do next
Configure VCM.
Figure 9–3. Staging Linux and UNIX Patches on VCM Managed Machines

To simplify the configuration for how Linux and UNIX managed machines obtain and extract patches during patch staging and deployment, you map machine groups and network locations. To stage and deploy the patches to target managed machines, you select a patching repository or an alternate location machine. See the VCM online help.
- Verify that the machine groups to be used for Linux and UNIX patching are defined in VCM, and add any new machine groups for VCM to patch specific groups of managed machines. See the VCM online help.
- (Optional) If your VCM Collector is not configured to use HTTPS, before you add a patch staging configuration you must allow the Collector to bypass the HTTPS setting. Select Administration > Settings > General Setting > Collector.
Procedure
1. In VCM on the VCM Collector, to set the repository status for the patching repository machine, click Administration and click Certificates.
2. (Optional) If the patching repository status is set for a different patching repository machine, disable the patching repository status to stop using that machine as the patching repository.
   a. In the Certificates data grid, click the existing Red Hat Linux machine that has the Patching Repository Status enabled.
   b.
Procedure
1. In VCM, click Administration.
2. Click Settings > General Settings > Patching > UNIX > Patch Staging.
3. Click Add.
4. Type a unique name for the patching repository, type a description, and click Next.
5. Select the staging method for the Linux and UNIX managed machines to obtain the patch files for deployment, and click Next.
8. (Optional) If you selected Obtain patches from an Alternate Location, you must provide the path and connection information to copy the patches from the alternate location machine to the target managed machines.
   a. (Optional) If necessary, change the path where the patches reside. VCM populates this path from the previous screen to match it to the patching repository file structure.
   b.
Procedure
1. Click Administration and select Settings > General Settings > Patching > Machine Group Mapping.
2. Select a machine group and click Edit.
3. Select a deployment type.

Option | Description
Standard Deployment | VCM deploys the Linux and UNIX patches from a standard predefined patch directory, such as /tmp, on the target managed machines. The standard path for deployment is defined in UNIX Additional Settings.
The base path directory contains directories for the SCR Tool binary files, configuration files, and logs.

Prerequisites
Configure the machine group mapping for VCM to use to patch the target managed machines. See "Configure the Machine Group Mapping to Use the Patch Staging Configuration" on page 167.

Procedure
1. In VCM, click Administration.
2. Select Settings > General Settings > Patching > UNIX > Additional Settings.
3.
You can also use VCM's automatic event-driven and scheduled patching for managed Windows machines. For a list of supported machines for VCM patching, see the VCM Installation Guide. To configure VCM for automatic, event-driven patch deployment, see "Configure VCM for Automatic Event-Driven Patch Assessment and Deployment" on page 170.
Procedure
1. "Generate a Patch Assessment Template" on page 171
   To configure VCM for automatic, event-driven patch deployment, you must generate a patch assessment template to use with the automatic patch deployment mapping.
2. "Run a Patch Assessment on Managed Machines" on page 172
   You must run the patch assessment template to collect patch status data from the managed machines.
3.
Procedure
1. To generate a static or dynamic patch assessment template and include the relevant patch bulletins, click Patching and select All UNIX/Linux Platforms > Assessment Templates.
2. Click Add to add a patch assessment template.
   a. To add a static patch assessment template, add available patch bulletins to the template.
   b. To add a dynamic patch assessment template, define a filter with one or more filter rules.
Procedure
1. To add patching exceptions for VCM to apply during the automatic deployment of patches to a group of managed machines, click Patching.
2. Select All UNIX/Linux Platforms > Exceptions.
3. Click Add and name the patching exception.
4. Select the machine group to which the patching exception applies.
5. Set the patching exception override options and expiration date.
6. Add one or more rules for the patch exception.
Procedure
1. To modify the automatic patching settings, click Administration.
2. Click Settings > General Settings > Patching > UNIX > Additional Settings.
3. According to your patch assessment and deployment strategy, click Edit Setting for each of the automatic patch deployment settings, then modify and save the setting.
What to do next
- Generate a patch deployment mapping. See "Generate a Patch Deployment Mapping" on page 175.
- (Optional) You can schedule an automatic patch deployment. When you schedule VCM to run an automatic patch deployment later, and you collected patch data or scheduled the patch data collection after you created the automatic deployment but before the scheduled time to run the automatic deployment, VCM begins the automatic patch deployment at the scheduled time.
What to do next
- After VCM triggers a patch assessment, view the patch assessment results. See the VCM online help.
- (Optional) You can schedule an automatic patch deployment. When you schedule VCM to run an automatic patch deployment later, and collected patch data or scheduled the patch data collection after you created the automatic deployment but before the scheduled time to run the automatic deployment.
How the Linux and UNIX Patch Staging Works
As a patch administrator, you can stage patches on target Linux and UNIX managed machines for VCM to deploy. With patch staging, the patches are available in a directory on the target managed machines in preparation for deployment. Target managed machines copy the patches from either the patching repository machine or an alternate location machine.
Related Topics
- For steps to stage Linux and UNIX patches for deployment, see "Configuring VCM to Work with the Patching Repository and Alternate Locations" on page 162 and "Configure How Managed Machines Stage Patches for Deployment" on page 165.
- For a description of events that VCM uses to trigger an automatic patch deployment, see "Configure VCM for Automatic Event-Driven Patch Assessment and Deployment" on page 170.
The patch assessment and deployment process for Linux and UNIX does not use remote commands. If you deploy a patch using a user-created remote command, the patch is not assessed until you run another assessment. When VCM deploys patches to managed machines, a job is created for each machine. When a reboot of the managed machine is required, VCM creates a deployment job and a reboot job for the machine. The deployment occurs either immediately or when scheduled.
Running Patching Reports
VCM uses trends, details, template summaries, bulletins, affected software products, and patch deployment history to generate patch status reports for Linux, UNIX, and Windows managed machines. With real-time patch assessment reports, you can generate SQL reports for managed machines that are assessed against bulletins and affected software products.
10 Running and Enforcing Compliance
Compliance compares your virtual or physical machines running Linux, UNIX, Mac OS X, or Windows operating systems against configuration standards that you download, or that you create, to determine if the machines meet the standards. The results of the compliance run notify you which machines have configuration settings that meet the standards and which ones do not meet the standards.
To assist you with managing your environment, you can download compliance templates from the VMware Center for Policy and Compliance. The available templates include, for example, SOX, HIPAA, PCI DSS, and VMware vSphere hardening and other regulatory compliance templates.

Download and Import Compliance Content
You can use the Content Wizard Tool to download and install selected compliance templates directly to the VCM database.
You can create your own compliance templates or modify templates that you downloaded from the Center for Policy and Compliance.

Prerequisites
- Collect data from your virtual and physical machines for the data types against which your compliance templates and filter sets run. See "Collect Linux, UNIX, and Mac OS X Data" on page 132 and "Collect Windows Data" on page 93.
The collection filter set that is selected is used when calculating data age for the rules in the compliance templates. The filter set must collect the same data types that are included in the rules in the rule group. If the filter set does not collect the same data types, no data age is calculated. This procedure demonstrates how to check whether your Linux machines, except those running 64-bit operating systems, have at least a 5GB hard drive capacity.
Procedure
1. Click Compliance.
2. Select Machine Group Compliance > Rule Groups > rule group name > Rules.
3. Click Add.
4. Type the name and description in the text boxes and click Next. For example, Linux and UNIX Disk Cap > 5 GB.
5. Expand Linux, select Disk Info - Hard Drive, and click Next.
6. Select Basic and click Next.
7. Click Add and configure the rules with the ideal values.
   a. In the properties drop-down menu, select Total Capacity (MB).
   b.
Procedure
1. Click Compliance.
2. Select Machine Group > Rule Groups > rule group name > Filters.
3. Click Add.
4. Type the name and description in the text boxes and click Next. For example, Architecture not x86_64.
5. Expand Linux, select Machines - General, and click Next. The collected data for this data type includes machine architecture.
6. Select Basic and click Next.
7.
Procedure
1. Click Compliance.
2. Select Machine Group Compliance > Rule Groups. Capacity 5GB - Linux and UNIX is the example in this procedure.
3. Select your new rule group and click Preview.
4. Select Do not apply machine filters to preview and click OK. When you test a rule, test first without the filter to ensure that the rule returns the expected results.
5. Review the data in the Non-compliant results window to verify that your rule is behaving as expected.
6.
Procedure
1. Click Compliance.
2. Select Machine Group Compliance > Templates.
3. Click Add.
4. Type the name and description in the text boxes and click Next. For example, Disk Cap > 5 GB not 64bit.
5. Move the rule group to the list on the right and click Next. For example, Capacity 5GB - Linux and UNIX.
6. Select Return both compliant and non-compliant and click Next.
What to do next
- Evaluate the results and resolve any issues on the noncompliant objects. See "Resolve Noncompliant Compliance Template Results" on page 189.
- If you find results that you want to temporarily make compliant or noncompliant, create an exception. See "Create Machine Group Compliance Exceptions" on page 191.

Resolve Noncompliant Compliance Template Results
The results for the compliance templates indicate whether the rules were compliant or noncompliant.
Procedure
1. Click Compliance.
2. Select Machine Groups Compliance > Templates > {template name}.
3. In the Status column, select the rule results that are noncompliant and enforceable, indicated by the NoncompliantEnforceable icon, and click Enforce.
4. Select Selected items(s) only and click Next.
5. Review the Information page to ensure that you understand the number of items affected by the enforcement change and click Finish.
6.
Manually Enforce Compliance Template Results
You can resolve noncompliant results by directly accessing the virtual or physical machine, or by accessing the object in vCenter Server, to change the noncompliant configuration setting.

Procedure
- Using your allowed methods, change the noncompliant setting value on the machine or object to the required compliant value.
selected results. In this example, to specify RHEL_60_TestDev as the exception, remove all the property rows, except for the row containing the Machine property.
9. Click Finish.

What to do next
- Run the template. See "Run Machine Group Compliance Templates" on page 188.
- Create alerts and schedule regular runs of your compliance templates. See "Configure Alerts and Schedule Machine Group Compliance Runs" on page 192.
6. Select a compliance template and click Next.
7. Review the configured actions and click Finish.

What to do next
Create a virtual environments configuration that includes this rule. See "Create Machine Group Compliance Alert Configurations" on page 193.
Prerequisites
- Schedule a regular collection of the data types for the machine groups against which you are running the machine group compliance templates. For example, see "Configure Scheduled Linux, UNIX, and Mac OS X Collections" on page 133.
- Create machine group compliance templates. See "Create and Run Machine Group Compliance Templates" on page 182.
- Create machine group compliance alerts.
vulnerabilities

To calculate CVSS scores that apply to your unique environment, go to the CVSS scoring Web site, fill in the form, and click the Update Scores button.
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

This release of VCM is compatible with the SCAP 1.0 validation program and is for Windows platforms only.
Run an SCAP Assessment
Run an SCAP assessment that compares your managed machine configuration against a profile in a standard SCAP benchmark.

Prerequisites
Import the benchmark. See "Import an SCAP Benchmark" on page 195.

Procedure
1. Click Compliance.
2. Select SCAP Compliance > Benchmarks > benchmark name > profile name.
3. Click Run Assessment.
4. Highlight the machines to assess, and click the down arrow to select them.
5.
Upon successful export, VCM creates a file with a name based on the machine name, output format, and time stamp in the following folder on the Collector.
\\{machine-name}\CMFiles$\SCAP\Export
You can export the formats that are viewable from the data grid, as well as others.

Prerequisites
Run the assessment. See "Run an SCAP Assessment" on page 196.

Procedure
1. Click Compliance.
2. Select SCAP Compliance > Benchmarks > benchmark name > profile name.
3. Click Export.
4.
11 Provisioning Physical or Virtual Machine Operating Systems
Operating system (OS) provisioning is the process of installing operating systems to physical or virtual machines. As part of the provisioning process, you can add newly provisioned machines to VCM. OS provisioning enables you to quickly deploy one or more physical or virtual machines to meet expanding business needs. Some of these machines may have limited use and lifespan, and may be reprovisioned for other purposes.
Figure 11–1. Relationship of OS Provisioning Components

Patching the Operating System Provisioning Server
Exclude the OS Provisioning Server instances from your automated patching in VCM. Patching the operating system will elevate the minor version and may leave the OS Provisioning Server in an unsupported state.
provision the target machines. The OS Provisioning Server creates an installation session for the target machines based on the configured OS distribution settings.
6. Reboot the target machines. As each target machine requests an IP address from the DHCP server and requests a PXE boot, OS Provisioning Server checks the machine's MAC address to determine if the machine has an installation session waiting on the OS Provisioning Server.
when the target machines are set to network boot and attempt to PXE boot.
5. "Provision Machines with Operating System Distributions" on page 204
   The OS provisioning process installs one Windows or Linux operating system distribution on one or more physical or virtual machines using OS provisioning.

Continuous provisioned machine management is based on the latest data you collect from the OS Provisioning Server.
Procedure
1. Click Administration.
2. Select Certificates.
3. Select the OS Provisioning Server machines and click Change Trust Status.
4. Add any additional OS Provisioning Server instances to trust to the lower data grid.
5. Select Check to trust or uncheck to untrust the selected machines and click Next.
6. Review the number of machines affected and click Finish.
Procedure
1. On target machines, configure the BIOS to network boot.
2. Start the machines on your provisioning network.
3. In VCM, click Administration.
4. Select Machines Manager > OS Provisioning > Provisionable Machines.
5. On the data grid toolbar, click Refresh. This action collects data from the OS Provisioning Server and the provisionable machines appear in the data grid when the collection is finished. The machines are identified by MAC address.
- Identify or create any postinstallation scripts that you want to run on the target machine after it is provisioned with the new operating system. The postinstallation scripts are copied to the target machine along with the OS distribution and run after the operating system is installed.

Procedure
1. Click Administration.
2. Select Machines Manager > OS Provisioning > Provisionable Machines.
3.
7. On the Select OS Distribution page, select the Windows operating system that you are installing on the selected machines and click Next.
8. On the Settings page, configure the options required for your selected Windows OS distribution and click Next.

Option | Description
Product License Key | (Optional for Windows 2008. Required for Windows 2003 and Windows 7.) Type a license matching the operating system you are installing.
Option | Description
Use DHCP to determine IP address | Use your designated DHCP to assign IP address, subnet, default gateway, and DNS. If not selected, you must manually add the information on the Machine-Specific Settings page.
License these machines for VCM | License the machines for VCM management.

9. On the Machine-Specific Settings page, type the HostName and click Next. The HostName is limited to 15 characters.
Provision Linux Machines
Provisioning physical or virtual machines with a Linux operating system installs the selected operating system and the VCM Agent on one or more of your Linux machines. You can install one OS distribution on one or more target machines. To install a different OS distribution, configure a new OS provisioning action.
7. On the Select OS Distribution page, select the Linux operating system that you are installing on the selected machines and click Next.
8. On the Settings page, configure the options required for your selected Linux OS distribution and click Next.

Option | Description
Product License Key | Type the license to use when installing the operating system on the target machines. The license must match the operating system you are installing.
Option | Description
Mount Point | Type the location of the mount point for the partition. For example, /, /boot, /usr, /var/log. You use the first partition for the operating system and then specify a second mount point for user home directories. The mount points value must meet the specific criteria.
   - / and /boot are required mount points.
   - Duplicate mount points are not allowed.
Volume Name |
Option | Description
File System | Select the type of file system. For a swap partition, the mount point and the file system type should be swap. Supported File System options by operating system.

Operating System | Supported File System
/home, /tmp, swap ext4, swap, swap vfat, xfs RHEL 5.4 and 5.5 ext2, ext3, and 5.2 swap, vfat SLES 10.0 and 11.
Option | Description
Grow partition to use all remaining space | Select the option to allow the logical volume to fill available space up to the maximum size specified for the volume. You can select the option for only one partition. If you select this option, you can specify a Volume Size of 0MB.
Remove | Click to delete the selected row from the custom volume plan list.

12. On the Confirmation page, click Finish.
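The custom volume plan criteria listed in the option tables above (required / and /boot mount points, no duplicate mount points, swap used for both mount point and file system type on a swap partition, and the grow option on only one partition) can be checked before the values are typed into the wizard. The following is an added example, not VCM code; the dictionary field names are assumptions, only the criteria visible on this page are enforced, and rejecting a 0 MB size without the grow option is an inference from the text.

```python
REQUIRED_MOUNT_POINTS = ("/", "/boot")


def _normalize(mount):
    """Treat '/home/' and '/home' as the same mount point; keep '/' and 'swap'."""
    mount = mount.strip()
    if mount in ("", "swap"):
        return mount
    return mount.rstrip("/") or "/"


def validate_volume_plan(plan):
    """Return a list of (code, detail) problems; an empty list means the plan
    satisfies the criteria stated in the guide's option tables.

    Each row is a dict with the assumed keys mount_point, file_system,
    size_mb, and (optionally) grow.
    """
    problems = []
    seen = set()
    grow_rows = []
    for index, row in enumerate(plan, 1):
        mount = _normalize(str(row.get("mount_point", "")))
        fs = str(row.get("file_system", "")).strip().lower()
        size = row.get("size_mb", 0)
        grow = bool(row.get("grow", False))
        where = f"row {index} ({mount or 'no mount point'})"

        if not mount:
            problems.append(("bad_mount_point", f"{where}: mount point is empty"))
        elif mount in seen:
            problems.append(("duplicate_mount_point", f"{where}: already used"))
        seen.add(mount)

        # A swap partition uses 'swap' for both mount point and file system.
        if (mount == "swap") != (fs == "swap"):
            problems.append(("swap_mismatch",
                             f"{where}: mount point and file system must both be swap"))
        elif mount and mount != "swap" and not mount.startswith("/"):
            problems.append(("bad_mount_point", f"{where}: not an absolute path"))

        if grow:
            grow_rows.append(index)
        if isinstance(size, bool) or not isinstance(size, int) or size < 0:
            problems.append(("bad_size", f"{where}: size must be a whole number of MB"))
        elif size == 0 and not grow:
            # Assumption: 0 MB is only meaningful together with the grow option.
            problems.append(("zero_size", f"{where}: 0 MB requires the grow option"))

    for required in REQUIRED_MOUNT_POINTS:
        if required not in seen:
            problems.append(("missing_required", f"{required} is a required mount point"))
    if len(grow_rows) > 1:
        problems.append(("multiple_grow",
                         f"grow option selected on rows {grow_rows}; only one is allowed"))
    return problems


# Constructed sample plans (not taken from the guide).
GOOD_PLAN = [
    {"mount_point": "/boot", "file_system": "ext3", "size_mb": 256},
    {"mount_point": "swap", "file_system": "swap", "size_mb": 2048},
    {"mount_point": "/", "file_system": "ext3", "size_mb": 8192},
    {"mount_point": "/home", "file_system": "ext3", "size_mb": 0, "grow": True},
]
BAD_PLAN = [
    {"mount_point": "/", "file_system": "ext3", "size_mb": 8192, "grow": True},
    {"mount_point": "/home", "file_system": "ext3", "size_mb": 0, "grow": True},
    {"mount_point": "/home/", "file_system": "ext3", "size_mb": 1024},
    {"mount_point": "swap", "file_system": "ext3", "size_mb": 2048},
]

if __name__ == "__main__":
    for name, plan in (("GOOD_PLAN", GOOD_PLAN), ("BAD_PLAN", BAD_PLAN)):
        print(name)
        for code, detail in validate_volume_plan(plan) or [("ok", "no problems")]:
            print(f"  {code}: {detail}")
```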
Procedure
1. On the Linux machine, log in as root.
2. Run the ntpdate -u command to update the machine clock. For example, ntpdate -u ntp-time.for.mydomain.
3. Open the /etc/ntp.conf file and add the NTP servers used in your environment. You can add multiple NTP servers similar to these examples.
   server ntp-time.for.mydomain
   server otherntp.server.org
   server ntp.research.gov
4.
Option | Description
Administration | View administrative details about the OS Provisioning Server.
   - To view all provisioned machines, click Administration and select Machines Manager > OS Provisioning > Provisioned Machines.
   - To view the provisioned Windows machines, click Administration and select Machines Manager > Licensed Machines > Licensed Windows Machines.
9. When you are certain that the selected machines are those you want to reprovision, select the Proceed with re-provisioning of the operating system on the selected machines check box.
10. Click Finish.

The OS Provisioning Server starts jobs for each of the selected machines. Each job creates a configured session for the specified machines.
12 Provisioning Software on Managed Machines
Software provisioning is the process you use to create software packages, publish the packages to repositories, and then install packages on one or more target machines. To support the provisioning process, the VCM Software Provisioning components consist of VMware vCenter Configuration Manager Package Studio, software package repositories, and Package Manager.
If you are using the software provisioning components in conjunction with VMware vCenter Configuration Manager (VCM), you can use VCM to add and remove sources, and to install and remove packages.

Software Provisioning Component Relationships
The following diagram displays the general relationship between Package Studio, repositories, and Package Manager in a working environment.

Figure 12–1.
- Software Repository for Windows: Installed on at least one Windows machine in your environment, and installed on the same machine with Package Studio. Install the repository before installing Package Studio.
- VMware vCenter Configuration Manager Package Studio: Installed on the same machine as your software repository.
- Package Manager: Installed on all Windows machines on which you are managing software provisioning.
Procedure
1. Double-click Repository.msi.
2. On the Welcome page, click Next.
3. Review the license agreement, select the appropriate options to continue, and click Next.
4. On the Installation Folder page, use the default path or click Change to modify the path, and click Next.
5. On the Virtual Directory page, use the default name or type a new name in the text box, and click Next.
6. On the Ready to Install page, click Install.
7.
Procedure
1. Double-click PackageStudio.msi.
2. On the Welcome page, click Next.
3. Review the license agreement, select the appropriate options to continue, and click Next.
4. On the Installation Folder page, use the default path or click Change to modify the path, and click Next.
5. On the Repository Root Folder page, verify the path is to your installed repository files. If the path is not accurate, click Change. When the path is correct, click Next.
6.
The Package Studio is installed to the location specified during installation. The default location is C:\Program Files\VMware\VCM\Tools\Package Studio (on 32-bit machines) or C:\Program Files (x86)\VMware\VCM\Tools\Package Studio (on 64-bit machines). To start Package Studio, click Start and select All Programs > VMware vCenter Configuration Manager > Tools > Package Studio, or open the Package Studio folder and double-click PackageStudio.exe.
Prerequisites
Verify that the target machine meets the supported hardware, operating system, and software requirements. See the VCM Installation Guide for currently supported platforms and requirements.

Verifying the Installation of the Agent Extensions for Provisioning
If you do not know whether the machines are ready to use provisioning, you can verify the version of the Agent Extensions for Provisioning.
   a. Click Properties and type a Name, Version, Description, and select the Architecture. These fields are required. You have the option to update the other fields, depending on your requirements. Configuring the package with Depends, Conflicts, Provides, and adding and configuring the installation and removal files.
   b. Click Files and import the installation files, add pre-command files, configure the commands and arguments, and add post-command files.
   c.
Procedure
1. On a Windows 2008 machine, select Start > All Programs > VMware vCenter Configuration Manager > Tools.
2. Right-click Package Studio and select Properties.
3. Click the Compatibility tab.
4. In the Privilege Level area, select Run this program as an administrator and click Apply.
5. Click OK.
6. Select Start > All Programs > VMware vCenter Configuration Manager > Tools > Package Studio.
7. On the User Account Control dialog box, click Yes.
Prerequisites
- Package Manager is installed on the target machines. Package Manager is installed when you install the VCM 5.3 Agent or later. See "Install Package Manager on Managed Machines" on page 222.
- Verify that you created software provisioning packages using VMware vCenter Configuration Manager Package Studio and published the packages to the repositories. See "Creating Packages" on page 223.
Procedure
1. Click Collect.
2.
5. On the Data Types page, expand Windows, select Software Provisioning - Repositories, and click Next.
6. On the Confirmation page, review the information, resolve any conflicts, and click Finish.
You can monitor the process in the Jobs Manager. See "Viewing Provisioning Jobs in the Job Manager" on page 230.
What to do next
- When the collection is finished, view the collected data.
- Package Manager Source Lists: Select this option if you have already added sources to at least one Package Manager and you want to add the source to other Package Managers. When you click OK, the selected source populates the Platform and Section on the Enter or Select Source page.
- VCM Managed Repositories: Select this option if the source has not yet been added to a Package Manager.
Determine whether a package is installed or removed based on the state of the signature.
Option: Install secure signed package only
Description: The package must be signed, and the public key of the signing certificate that you used to sign the package must be available on all the machines on which you are installing or removing the package.
Option: Administration
Description: Displays current jobs running, and job history. Use the job history when troubleshooting the processing of a job. See "Viewing Provisioning Jobs in the Job Manager" on page 230. Define user access rules and roles to specify what level of access users have to the Software Provisioning data and actions in VCM.
   a. In the IF area, click Add.
   b. Select Source Repository URI = YourRepository.
   c. Select Must Exist.
   d. In the THEN area, click Add and select Platform = Any and Section = Release.
   e. Click Next.
9. On the Options page, configure the settings.
   a. Select a Severity in the drop-down menu.
   b. Select Make available for enforcement where possible.
   c. Select Software Provisioning action.
   d. Select Add Source in the drop-down menu and click Define Action.
   e.
6. On the Data Type page, expand Windows, select the data type on which you are basing the rule, and click Next.
   The data type does not need to be software based. In this example, select Services.
7. On the Rule Type for Services page, select Conditional (if/then) and click Next.
8. On the Conditional Data properties page, configure the options and click Next.
   a. In the IF section, click Add.
   b. Select Services Name = XService.
   c. Select Must Exist.
   d.
13 Configuring Active Directory Environments

VCM for Active Directory collects Active Directory objects across domains and forests, and displays them through a single console. The information is consolidated and organized under the Active Directory slider, allowing you to view your Active Directory structure, troubleshoot issues, detect change, and ensure compliance. You can filter, sort, and group Active Directory data to pinpoint the specific area of interest.
5. "License Domain Controllers" on page 236
   To manage domain controllers, you must license them in VCM.
6. "Install the VCM Windows Agent on Your Domain Controllers" on page 237
   Install the VCM Windows Agent on each domain controller so that you can collect data and manage the virtual or physical machines.
7.
Procedure
1. Click Administration.
2. Select Settings > Network Authority > Available Accounts.
3. To add a new domain account, click Add.
4. Type the domain name, user name, and password, and click Next.
5. Click Finish to add the account.
What to do next
Assign the network authority account to the domain so that VCM can access the domain controllers in the domain. See "Assign Network Authority Accounts" on page 235.
NOTE You can use the Discovered Machines Import Tool (DMIT), which imports machines discovered by the Network Mapper (Nmap), to import many physical and virtual machines at one time into the VCM database. Download DMIT from the VMware Web site.
Prerequisites
Assign a Network Authority Account that VCM can use for access. See "Assign Network Authority Accounts" on page 235.
Procedure
1. Click Administration.
2. Select Machines Manager > Discovery Rules.
3.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Select the domain controllers to license.
4. Click License.
5. Verify that the domain controllers to license appear in the Selected list. Use the arrows to move the domain controllers.
6. Click Next to view your Product License Details. The licensed domain controller count increases by the number of licensed machines.
7. Click Next.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. In the data grid, select one or more domain controllers on which to install the Agent and click Install.
4. On the Machines page, verify that the target machines appear in the Selected list and click Next.
5. On the Install Options page, select the default installation options and click Next.
6.
Procedure
1. On the VCM toolbar, click Collect.
2. On the Collection Type page, select and click OK.
3. On the Machines page, select the domain controllers from which to collect data and click Next. To move all visible domain controllers to the selection window, use the double arrow.
4. Select the Do not limit collection to deltas check box. This option ensures that a full collection occurs during the initial set up of VCM for Active Directory.
5.
Install VCM for Active Directory on the Domain Controllers
To use VCM to collect Active Directory data from your environment, install VCM for Active Directory on your domain controllers. VCM for Active Directory will operate with only a single domain controller configured with VCM for Active Directory, which will serve as both the forest data source (FDS) and replication data source (RDS).
Procedure
1. Click Administration.
2. Select Machines Manager > Additional Components > VCM for Active Directory.
3. Click Determine Forest.
4. Move the domain controllers on which to determine the forest to the lower pane. Determine the forest for all available domain controllers.
5. Click Next.
6. Click Finish.
What to do next
Run the domain controller setup action and identify your FDS and RDS. See "Run the Domain Controller Setup Action" on page 241.
- Active Directory schema collection
- Active Directory specifier collection
- Active Directory structure collection
The information obtained from the third collection identifies the organizational unit (OU) structure that supports the use of VCM for Active Directory. To view information, click Administration, and select Machines Manager > Additional Components > VCM for Active Directory.
What to do next
Collect Active Directory data.
Option: Active Directory Dashboard
Description: Provides summary and day-to-day information about your Active Directory environment in a graphical format.
- To view the dashboard, click Active Directory and select Dashboards > Managed Objects. Several Active Directory Dashboards are available.
Option: Active Directory Object Summary
Description: Provides summary information about your Active Directory environment in a textual format.
14 Configuring Remote Machines

The VCM Remote client is the communication and management mechanism that you use to manage mobile Windows machines as they connect to and disconnect from the network. For Windows machines that are not continuously connected to the network, the VCM Remote client listens for network events indicating it has access to the VCM Remote-related components on the VCM Internet Information Services (IIS) server.
Using Certificates With VCM Remote
The use of certificates with VCM Remote ensures secure communication between VCM and the VCM Remote client when they are communicating outside your internal network. The communication between the Collector and the VCM Remote client is secured using Transport Layer Security (TLS) certificates. You can use the VCM certificate or you can use an existing Enterprise certificate.
Procedure
1. "Create Custom Collection Filter Sets" on page 247
   You create custom collection filter sets for Dial-up, Broadband, or LAN connections to efficiently manage mobile machines using the VCM Remote client. To optimize results, create a different filter set for each connection type.
2. "Specify Custom Filter Sets in the VCM Remote Settings" on page 248
   VCM Remote supports three connection types: broadband, dial-up, and LAN.
What to do next
- Repeat the procedure for all the connection types for which you configure filter sets.
- Assign the filter sets to the appropriate VCM Remote settings. See "Specify Custom Filter Sets in the VCM Remote Settings" on page 248.

Specify Custom Filter Sets in the VCM Remote Settings
VCM Remote supports three connection types: broadband, dial-up, and LAN.
Procedure
1. Click Administration.
2. Select Settings > General Settings > VCM Remote.
3. On the VCM Remote Settings data grid, select each setting separately and click Edit Settings.
   Option: Should Remote automatically install an Agent to the client (if required)?
   Configuration: Click Yes. Allows VCM to install the Agent when contacted by the VCM Remote client the first time.
   Option: Should Remote automatically upgrade an Agent to the
   Configuration: Click Yes.
1. "Install the VCM Remote Client Manually" on page 250
   The manual installation of the VCM Remote client is a wizard-based process that you use when you have direct access to the target machines. This process is a useful way to install the client if you are creating an image to install on other machines.
2.
5. On the VCM Remote Client Information page, configure the options and click Next.
   Option: Collector Machine Name
   Description: Name of the Windows machine on which the VCM Collector and Microsoft IIS are installed.
   Option: Path to ASP Page
   Description: Path for the IIS default VCM Remote Web site. The path must match the virtual directory name as it appears in the Collector's IIS. The default value is VCMRemote.
6.
Procedure
1. On the target machine, create a folder and copy the files from the Collector to the target folder.
   File: CM Remote Client.msi
   Description: Located on the Collector at [install path]\VMware\VCM\AgentFiles.
   File: CM_Enterprise_Certificate_xxx.pem
   Description: (Optional) Located on the Collector at [install path]\VMware\VCM\CollectorData.
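The following pre-flight check for the folder of files copied from the Collector is an added example, not part of the VCM guide or of VMware's tooling. The function names, the -ReferencePem and -MinDaysValid parameters, and the 30-day threshold are assumptions; the sample certificate and the empty placeholder .msi are constructed so that the block runs offline.

```powershell
# Added example, not VMware code. The constructed sample at the bottom needs
# PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.
function Get-CertSha256 {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try { [BitConverter]::ToString($sha.ComputeHash($Cert.RawData)) -replace '-', '' }
    finally { $sha.Dispose() }
}

function Test-RemoteClientStaging {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string] $ReferencePem,       # assumption: a copy taken directly from the Collector
        [int]    $MinDaysValid = 30   # assumption: minimum remaining validity, in days
    )
    $x509     = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $findings = [System.Collections.Generic.List[string]]::new()
    $certs    = @()

    if (-not (Test-Path -LiteralPath (Join-Path $Folder 'CM Remote Client.msi') -PathType Leaf)) {
        $findings.Add('CM Remote Client.msi is missing from the staging folder')
    }
    $refHash = $null
    if ($ReferencePem) {
        $refPath = (Resolve-Path -LiteralPath $ReferencePem).ProviderPath
        $refHash = Get-CertSha256 ($x509::new($refPath))
    }
    $pems = @(Get-ChildItem -LiteralPath $Folder -Filter 'CM_Enterprise_Certificate_*.pem' -File)
    if ($pems.Count -eq 0) {
        # The guide marks the .pem as optional; without it the certificate must already be on the target.
        $findings.Add('No .pem staged: valid only if the certificate is already present on the target')
    }
    $now = Get-Date
    foreach ($pem in $pems) {
        try   { $cert = $x509::new($pem.FullName) }
        catch { $findings.Add("$($pem.Name): not a readable X.509 certificate"); continue }

        if ($cert.NotBefore -gt $now) { $findings.Add("$($pem.Name): not valid before $($cert.NotBefore)") }
        if ($cert.NotAfter -lt $now.AddDays($MinDaysValid)) {
            $findings.Add("$($pem.Name): expires $($cert.NotAfter)")
        }
        $hash = Get-CertSha256 $cert
        if ($refHash -and $hash -ne $refHash) {
            $findings.Add("$($pem.Name): differs from the reference certificate")
        }
        $certs += [pscustomobject]@{ File = $pem.Name; Subject = $cert.Subject; NotAfter = $cert.NotAfter; Sha256 = $hash }
    }
    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings; Certificates = $certs }
}

# --- Constructed sample: throwaway self-signed certificates and an empty placeholder .msi ---
function New-SamplePem {
    param([string] $Path, [string] $Subject)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new($Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $cert = $req.CreateSelfSigned([DateTimeOffset]::UtcNow.AddDays(-1), [DateTimeOffset]::UtcNow.AddDays(365))
    $b64  = [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -LiteralPath $Path -Encoding Ascii -Value "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
}

$staging = Join-Path ([System.IO.Path]::GetTempPath()) ("vcm-staging-" + [guid]::NewGuid())
$null = New-Item -ItemType Directory -Path $staging
$null = New-Item -ItemType File -Path (Join-Path $staging 'CM Remote Client.msi')
$reference = Join-Path ([System.IO.Path]::GetTempPath()) ("collector-copy-" + [guid]::NewGuid() + ".pem")
New-SamplePem -Path $reference -Subject 'CN=Constructed Sample Enterprise Certificate'

# Case 1: the staged .pem is a byte-for-byte copy of the reference.
Copy-Item -LiteralPath $reference -Destination (Join-Path $staging 'CM_Enterprise_Certificate_sample.pem')
Test-RemoteClientStaging -Folder $staging -ReferencePem $reference | Format-List

# Case 2: the staged .pem has been replaced with a different certificate.
New-SamplePem -Path (Join-Path $staging 'CM_Enterprise_Certificate_sample.pem') -Subject 'CN=Constructed Substitute'
(Test-RemoteClientStaging -Folder $staging -ReferencePem $reference).Findings

Remove-Item -LiteralPath $staging, $reference -Recurse -Force
```

On a real staging folder, point -ReferencePem at a copy of the .pem taken directly from the Collector's CollectorData folder rather than at a file that travelled with the installer.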
What to do next
Connect the remote machine to the network to ensure that VCM completes the installation process. See "Connect VCM Remote Client Machines to the Network" on page 256.

Install the VCM Remote Client Using Windows Remote Commands
You use the Windows remote commands to deploy the VCM Remote client to multiple machines in your environment. The VCM Agent must be installed on the target machines.
bInstallCert = 1 'If the value is 1, the Enterprise Certificate is installed. If the value is set to 0, the installation of the certificate is skipped and it is assumed that the certificate is already present. The Remote Client will NOT function until the Enterprise Certificate is installed as specified in Step 2
sCertFile = "EnterpriseCert" 'The filename of your enterprise certificate (.pem file) as identified in Step 2
sVirDir = "VCMRemote/EcmRemoteHttp.
Sub CheckVars()
    If sCollName = "" Then
        WScript.Quit
    Else
        sCollName = Trim(sCollName)
    End If
    If sVirDir = "" Then
        sVirDir = "vcmremote/ecmremotehttp.asp"
    Else
        sVirDir = Trim(sVirDir)
    End If
    If sInstallDir = "" Then
        sInstallDir = "c:\vcm remote client"
    Else
        sInstallDir = Trim(sInstallDir)
    End If
    If sAddRemove <> 0 And sAddRemove <> 1 Then sAddRemove = 1 'Set whether or not VCM Remote appears in the Add/Remove programs list.
   d. Click Next.
7. On the Files page, move the CM Remote Client.msi file and the .pem file to the list on the right, and click Next.
8. On the Important page, review the summary and click Finish.
   VCM saves and adds the command to the Windows Remote Commands list.
9. In the Windows Remote Commands data grid, select your VCM Remote installation remote command and click Run.
10.
Option: Administration
Description: View administrative details about the VCM Remote client.
- To view the installed Remote client version, click Administration and select Machines Manager > Licensed Machines > Licensed Windows Machines. The Remote Client Version appears in the data grid.
- To view the status of remote collection jobs, click Administration and select Job Manager > History > VCM Remote.
15 Tracking Unmanaged Hardware and Software Asset Data

VCM management extensions for assets integrates and manages hardware and software asset data that is not gathered through the automated managed machine collection processes of VCM.
- Hardware: VCM for assets stores supplemental information (data that is not automatically collected) about physical and virtual machines that are managed by VCM.
   Changing the order of the VCM for assets data field list changes the order of columns when you view asset data in the VCM Console.
6. "Refresh Dynamic Asset Data Fields" on page 263
   You can force VCM for assets to refresh the values in all fields that are configured to populate dynamically.

Review Available Asset Data Fields
VCM for assets is populated with a short list of data fields to get you started.
4. Click Add.
5. Type a name and description for the new asset data field and click Next. The name is the column heading that appears when users view the data in the VCM Console.
6. Specify properties about the new data.
   a. Select the way to populate the data.
      - Manually: type free-form text
      - Lookup: select from a fixed or query-based list of values
      - Dynamically: query from other data
   b. Select the data type.
5. Click Edit.
6. Change the name or description for the data field and click Next. The name is the column heading that appears when users view the data in the VCM Console.
7. Click Next. You cannot change the data properties.
8. Click Next.
9. Select the roles that are allowed to edit the data. Only users assigned to these roles can edit the data using the VCM Console.
10. Review the settings and click Finish.
What to do next
Remove unwanted fields.
Prerequisites
- Log in to VCM using an account with the Administrator role.
- Identify the asset data that you want to store about your hardware or software.
Procedure
1. Click Administration.
2. Select Settings > Asset Extensions Settings.
3. Select one of the following nodes.
Configure Asset Data Values for VCM Machines
Although the asset data for machines that are managed by VCM is collected, you can customize some data through VCM for assets.
Prerequisites
Log in to VCM with a role that has edit permission for asset configuration data.
Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > VCM Devices.
3. In the data grid, select the VCM machine.
4. Click Edit Values.
5.
Add Other Hardware Devices
Use VCM for assets to keep track of your non-VCM managed hardware by adding information about the hardware devices directly to VCM.
Prerequisites
- Have an administrator configure the asset data fields that you need. See "Configure Asset Data Fields" on page 259.
- Log in to VCM with a role that has edit permission for asset configuration data.
Procedure
1. Click Console.
2.
Prerequisites
Log in to VCM with a role that has edit permission for asset configuration data.
Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > Other Devices.
3. In the data grid, select the asset.
4. Click Edit.
5. Change the details that identify the device, such as its name and model, and click Next.
6. Change the values for the asset data associated with the device and click Next.
Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > Other Devices.
3. In the data grid, select the asset.
4. Click Delete.
5. Click OK.

Configure Asset Data for Software
A user with a role that has permission to edit asset data can use VCM for assets to gather information about the software on machines that are discovered and managed by VCM.
Procedure
1.
Procedure
1. Click Console.
2. Select Asset Extensions > Software Configuration Items.
3. Click Add Software.
4. Type a name and description and click Next.
5. Select the data type that VCM for assets will look for to detect the installed software and click Next.
   The options take you to custom wizard pages where you type or select what VCM for assets will look for in the database.
6. Change the data type that VCM for assets will look for to detect the installed software and click Next.
   The options take you to custom wizard pages where you type or select what VCM for assets will look for in the database.
   - Software Inventory (Windows): Select a product from the software inventory (SI) list.
   - Registry (Windows): Type or select a Windows Registry path, key, and value.
Edit Asset Data Values for Software
You can change the details about a specific copy of software when the long term information, such as the application name or version, is going to remain the same.
Prerequisites
Log in to VCM with a role that has edit permission for asset configuration data.
Procedure
1. Click Console.
2. Select Asset Extensions > Software Configuration Items.
3. In the data grid, select the software asset.
4. Click Edit Values.
5.
16 Managing Changes with Service Desk Integration

VCM Service Desk Integration tracks planned and unplanned changes to managed machines in your organization, and integrates change requests with your change management process. Service Desk Integration works by temporarily holding requested changes to managed machines while VCM integrates with your service desk application in order to pass the requests through your change management process or workflow.
Procedure
1. Click Console.
2. Select Service Desk.
3. Under the Service Desk node, select any subnode. For example, click By RFC to view the data according to request for change (RFC). Under the By RFC subnode, select an RFC to view the data for that item.
Your subnodes and data views might differ from the defaults or from other organizations based on your requirements and specific implementation.
What to do next
Look at the status of change jobs.