VMware vCenter Configuration Manager Security Guide
thumbprint.
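-- Select the VCM database (substitute its name for the placeholder).
use <insert your VCM DB name here>
-- Replace the xx pairs with the Collector certificate thumbprint.
-- replace() strips the spaces and upper() uppercases the hex digits
-- before the value is stored.
update ecm_sysdat_configuration_values
set configuration_value = upper(replace(
'xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx'
,' ',''))
where configuration_name='config_security_certificate_fingerprint'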
Managing the VCM UNIX Agent Certificate Store
The VCM UNIX Agent certificate store is a protected data storage area that holds Enterprise and Collector
certificates for server authentication, and the Agent certificate and private key for mutual authentication.
Although this store is not encrypted, it is protected from casual viewing.
Much of the interaction with the VCM UNIX Agent certificate store is taken care of for the user. VCM
UNIX installation packages are updated with the Enterprise certificate if one is specified when the Collector
is installed. This certificate is inserted into the certificate store during the VCM UNIX Agent installation
process. The user can select an alternative certificate directory during the VCM UNIX Agent installation.
IMPORTANT The self-signed root of the trust chain for the Collector certificate is not always the Enterprise
certificate. On Linux and UNIX, when the self-signed root is different from the Enterprise certificate, you
must also manually add that self-signed root to the Agent certificate store.
Additionally, when VCM Collector certificates are updated with extended expiration dates, in many cases
the new certificate is added to the store.
Using CSI_ManageCertificateStore
With the CSI_ManageCertificateStore command-line tool, you can view and modify the contents of the
VCM UNIX Agent certificate store.
In these examples, the VCM UNIX Agent is installed in the default location, /opt/CMAgent. If your
installation is different, adjust the paths to match.
Environment Variables
Typically, CSI_ManageCertificateStore is run as root, but any login that is a member of the cfgsoft group
can run it as well.
To use CSI_ManageCertificateStore, first set the following environment variables:
LD_LIBRARY_PATH=/opt/CMAgent/CFC/3.0/lib:/opt/CMAgent/ThirdParty/1.0/lib:$LD_LIBRARY_PATH
export LD_LIBRARY_PATH
CSI_REGISTRY_PATH=/opt/CMAgent
export CSI_REGISTRY_PATH
PATH=/opt/CMAgent/CFC/3.0/bin:$PATH
export PATH
For HP-UX platforms, use SHLIB_PATH in place of LD_LIBRARY_PATH.
For AIX platforms, use LIBPATH in place of LD_LIBRARY_PATH.
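The settings above, wrapped as a POSIX shell helper. This is an added example, not part of the VMware guide; the function names and the CM_HOME variable are hypothetical. It selects the library-path variable by platform and avoids the trailing colon that the assignment leaves when the variable was previously unset, because an empty entry in PATH or in glibc's LD_LIBRARY_PATH is searched as the current directory.

```shell
#!/bin/sh
# Added example: environment setup for CSI_ManageCertificateStore.
# Function names and CM_HOME are hypothetical, not part of VCM.
CM_HOME=${CM_HOME:-/opt/CMAgent}   # default install location from the guide

# Map `uname -s` output to the loader search-path variable for that platform.
vcm_libvar() {
    case "$1" in
        HP-UX) echo SHLIB_PATH ;;
        AIX)   echo LIBPATH ;;
        *)     echo LD_LIBRARY_PATH ;;
    esac
}

# Prepend $1 to the colon-separated list $2. When $2 is empty, emit no
# trailing colon: an empty entry in PATH or glibc's LD_LIBRARY_PATH means
# the current directory, which is unsafe for a tool usually run as root.
vcm_prepend() {
    if [ -n "$2" ]; then echo "$1:$2"; else echo "$1"; fi
}

# Root (uid 0) or a member of the cfgsoft group may run the tool.
# $1 = numeric uid, $2 = space-separated group names (as from `id -Gn`).
vcm_may_run() {
    [ "$1" = 0 ] && return 0
    case " $2 " in *" cfgsoft "*) return 0 ;; esac
    return 1
}

# Export the variables the guide lists; $1 overrides the detected platform.
vcm_env() {
    _vcm_var=$(vcm_libvar "${1:-$(uname -s)}")
    # eval is safe here: _vcm_var is one of three fixed names from vcm_libvar.
    eval "_vcm_cur=\${$_vcm_var:-}"
    _vcm_new=$(vcm_prepend "$CM_HOME/CFC/3.0/lib:$CM_HOME/ThirdParty/1.0/lib" "$_vcm_cur")
    eval "$_vcm_var=\$_vcm_new; export $_vcm_var"
    CSI_REGISTRY_PATH=$CM_HOME; export CSI_REGISTRY_PATH
    PATH=$(vcm_prepend "$CM_HOME/CFC/3.0/bin" "${PATH:-}"); export PATH
}

# Usage after sourcing this file:
#   vcm_may_run "$(id -u)" "$(id -Gn)" && vcm_env
```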
VMware, Inc.