5.7

- Enable Automatic login with current username and password
- Disable Navigate subframes across different domains
- Disable Web sites in less privileged web content zone can navigate into this zone
- Disable Display mixed content
When you allow automatic logins, Internet Explorer can transfer credentials to machines in the trusted
zone, specifically the VCM Web server, without user interaction. When this ability is combined with the IIS
setting to use Integrated Windows authentication, the login process becomes resistant to spoofing
and cross-site scripting attacks. With this configuration, login prompting does not take place within the
context of the browser, but rather within the Windows login system, which is more resistant to cross-site
scripting attacks.
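One way to audit the four settings listed above on a user interface machine, as an added example that is not part of the VCM guide. It assumes the VCM Web server is in the Trusted sites zone (zone 2); the registry locations and the URL-action IDs 1A00, 1607, 2101 and 1609 are the standard Internet Explorer values, not values given on this page.

```powershell
# Added example: report where each zone setting is stored and whether it
# matches the list above. Assumption: zone 2 (Trusted sites) holds the VCM Web server.
$zone = 2

# URL-action IDs and the DWORD value each setting should have.
# 1A00: 0 = automatic logon with current user name and password
# 1607, 2101, 1609: 3 = Disable
$expected = @(
    @{ Id = '1A00'; Want = 0; Name = 'Automatic login with current username and password (Enable)' },
    @{ Id = '1607'; Want = 3; Name = 'Navigate subframes across different domains (Disable)' },
    @{ Id = '2101'; Want = 3; Name = 'Less privileged zone can navigate into this zone (Disable)' },
    @{ Id = '1609'; Want = 3; Name = 'Display mixed content (Disable)' }
)

# A value can be set by machine policy, user policy, or the user's own settings.
# Every location that holds a value is reported, so a conflicting one stands out.
$suffix = "Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$zone"
$locations = @(
    "HKLM:\SOFTWARE\Policies\$suffix",
    "HKCU:\Software\Policies\$suffix",
    "HKCU:\Software\$suffix"
)

$report = foreach ($setting in $expected) {
    foreach ($path in $locations) {
        $key = Get-ItemProperty -Path $path -Name $setting.Id -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }   # value not set at this location
        $actual = $key.($setting.Id)
        [pscustomobject]@{
            Setting  = $setting.Name
            Location = $path
            Actual   = ('0x{0:X}' -f $actual)
            Expected = ('0x{0:X}' -f $setting.Want)
            Ok       = ($actual -eq $setting.Want)
        }
    }
}

$report | Format-Table -AutoSize -Wrap
if (-not $report) {
    Write-Warning "No values found for zone $zone; Internet Explorer defaults apply."
} elseif ($report.Ok -contains $false) {
    Write-Warning 'At least one setting differs from the list above.'
}
```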
Trusted Software
Even if a user interface system is dedicated to running VCM, third-party software packages are often
needed.
When that happens, install only trusted software, preferably software that is accompanied and verified by
a trustworthy software publisher certificate. It is unsafe to run software of unaccountable origin on
machines in the VCM user interface zone.
Verifying Certificates
When you connect to VCM from the user interface system, Internet Explorer prompts you to verify that
the certificates that VCM uses for authentication are correct.
Click to view certificate signing details before deciding to trust the software. If the signature is known to
you and valid, you can add the certificate to your trusted store so that you do not need to repeat the
verification every time that you connect.
HTTPS Certificate
The SSL certificate used for HTTPS with the VCM Web server might be issued by a trusted root certificate
authority or be self-issued.
When a certificate comes from a trusted authority, you do not receive any warning messages. When
Internet Explorer detects an untrusted certificate, review the signature details.
- If you recognize the signature, you can add the certificate to the trusted store.
- If the signature is suspicious, cancel and avoid opening the Web page.
Ideally, both VCM and SSRS are configured to use HTTPS. If VCM is configured for HTTPS, but SSRS is
not, Internet Explorer notifies you that you are viewing mixed content when you run SSRS reports or
dashboards in VCM. If you are notified that you are viewing mixed content, you must select No. If you
select Yes, you will view only the HTTPS-delivered content and the SSRS data will be blocked.
NOTE Initially, Internet Explorer asks you to review the details of self-signed certificates. It treats self-
signed certificates as suspicious until you add them to the trusted store.
Trusted SSL certificates are those that are issued by members of the Microsoft Root Certificate Program,
listed on the Microsoft Web site.
VCM Security Guide
VMware, Inc.