VMware vCenter Configuration Manager Security Guide 5.6
3 VCM Installation Kits
Like the systems on which VCM runs, the software installation kits for VCM must be secured and
protected from tampering.
Sources for Installation Kits
Secure operation of VCM requires that the product software kit is intact as delivered by VMware and has
not been tampered with. The best practice is to obtain each kit directly from VMware or from another
secure and trusted source, or to verify it.
VMware ships VCM and add-on products on CD/DVD and in packages signed by the VMware Software
Publisher Certificate. The kit can reach customer machines in the following ways:
- Physical CD/DVD
- Download from http://downloads.vmware.com
- ClickOnce download from the server zone
- Agent push install by the Collector service
- Patching Agent push by VCM Patching
- Thin client user interface by HTTP
- VCM Remote updates
- Patching deployed patches and updates
- VMware VCM software provisioning
- SMS
- Group Policy
- VCM Remote Command file attachments
You can verify EXE and MSI installers with the chktrust.exe certificate verification tool from the Microsoft
Developer Network. Alternatively, you can verify using signtool.exe, also available from Microsoft.
Protecting Installation Kits
VCM installation kits that are stored on writable media must be protected from tampering before
installation. Authenticode signatures on installation kits are verified before installation. For example:
C:\> signtool verify /a /v "CMAgent<version>.msi"
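The same check applied to a whole folder of staged kits, as an added example that is not part of the VMware guide: it uses the built-in Get-AuthenticodeSignature cmdlet rather than signtool.exe. The staging path and the publisher substring are assumptions; confirm the signer subject against a kit obtained directly from VMware.

```powershell
# Added example: verify Authenticode signatures on staged installation kits.
# Assumptions (not from the guide): the staging path, and that the signer
# certificate subject contains the string in $ExpectedPublisher.
param(
    [string]$KitDirectory      = 'D:\Staging\VCM',  # hypothetical staging folder
    [string]$ExpectedPublisher = 'VMware'           # assumed subject substring
)

function Test-KitSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Publisher
    )
    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # 'Valid' means the file hash matches the signature and the chain is trusted.
    # NotSigned, HashMismatch, NotTrusted and the other statuses all fail here.
    $reason = if ($sig.Status -ne 'Valid') {
        "signature status: $($sig.Status)"
    } elseif ($subject -notlike "*$Publisher*") {
        "unexpected signer: $subject"
    } else { $null }

    [pscustomobject]@{
        File    = Split-Path -Leaf $Path
        Trusted = ($null -eq $reason)
        Reason  = $reason
        Signer  = $subject
        SHA256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Only installer formats are checked; other files in the folder are ignored.
$kits = Get-ChildItem -LiteralPath $KitDirectory -File -Recurse |
        Where-Object { $_.Extension -in '.msi', '.exe' }

$results = foreach ($kit in $kits) {
    Test-KitSignature -Path $kit.FullName -Publisher $ExpectedPublisher
}
$results | Format-Table File, Trusted, Reason, SHA256 -AutoSize

$failed = @($results | Where-Object { -not $_.Trusted })
if ($failed.Count -gt 0) {
    Write-Error "$($failed.Count) kit(s) failed verification; do not install them."
    exit 1
}
```

For kits kept on writable media, save the SHA256 column at verification time and compare it again immediately before installation to detect changes made in between.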
VMware, Inc.