VMware vCenter Configuration Manager Security Guide 5.6
Figure 13–2. Shared Collector-Agent Relationship
To properly support the trust chain, mutual authentication, and multiple Collector environments,
Enterprise certificates in VCM must have the following properties:
- Must be able to sign certificate requests.
- Can be self-signed. If the certificate is self-signed, it is assumed that you trust it. The trust is implemented by placing the certificate in the Trusted Root store (Windows) or in the VCM store (UNIX).
- Can be signed by another certificate in an existing PKI and placed in the trusted store.
- Must be stored in the local machine Trusted Root Certification Authorities store on the Windows Collector and Agents (Windows only).
- On UNIX platforms, the Agent has a vendor-implemented certificate store. The Enterprise certificate must be added to this store. The certificate is added during initial installation, but you must add subsequent certificates manually using the CSI_ManageCertificateStore utility included with your VCM UNIX Agent.
- Can be authorized as explained in "Authorized Certificates in the Trust Chain" on page 62.
Collector Certificate
The Collector certificate must secure an initial TLS communication channel with the Agent. The Agent
must establish that the Collector certificate can be trusted. Because the Enterprise certificate is installed in
the managed machine (Agent) trusted store, the Collector is trusted whenever the Collector certificate was
issued by the same, trusted Enterprise certificate.
Collector certificates in VCM must adhere to the following requirements:
- Must be kept in the local machine personal certificate store on the Collector.
- Must be valid for server authentication (OID: 1.3.6.1.5.5.7.3.1).
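The following audit script is an added example and is not part of the VCM guide or the product. It checks a Windows Collector against the requirements above: the Collector certificate is in the local machine personal store with the Server Authentication EKU, and it chains to an Enterprise certificate that is marked as a CA (so it can sign certificate requests) and is present in the local machine Trusted Root store. It assumes it is run elevated on the Collector and that the Collector certificate's thumbprint is passed as a parameter; the parameter name is the example's own.

```powershell
# Added example, not VCM code: audit the Collector's certificate stores
# against the Enterprise/Collector certificate requirements in this section.
param(
    [Parameter(Mandatory = $true)][string]$CollectorThumbprint   # assumed input
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU required by the guide
$findings = @()

# Requirement: the Collector certificate lives in the local machine personal store.
$collector = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $CollectorThumbprint }
if (-not $collector) {
    throw "No certificate with thumbprint $CollectorThumbprint in Cert:\LocalMachine\My"
}

# Requirement: the Collector certificate is valid for server authentication.
$eku = $collector.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
if (-not $hasServerAuth) { $findings += 'Collector certificate lacks the Server Authentication EKU' }

# Requirement: the Collector certificate chains to an Enterprise certificate that
# the machine trusts (Trusted Root store) and that can sign certificate requests (CA).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # checking trust-chain shape only here
if (-not $chain.Build($collector)) {
    $findings += 'Collector certificate does not build a trusted chain: ' +
        (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inTrustedRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $inTrustedRoot) {
    $findings += "Chain root '$($root.Subject)' is not in Cert:\LocalMachine\Root"
}
$basic = $root.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not ($basic -and $basic.CertificateAuthority)) {
    $findings += "Enterprise certificate '$($root.Subject)' is not a CA, so it cannot sign certificate requests"
}

if ($findings.Count -eq 0) { 'Collector and Enterprise certificates meet the requirements in this section' }
else { $findings | ForEach-Object { "FAIL: $_" } }
```

A self-signed Collector certificate shows up here as a chain whose root is the Collector certificate itself, which the Trusted Root and CA checks will then report.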
Authentication
VMware, Inc.
61