Site Recovery Manager Administration Guide
Credential-Based Authentication
If you are using credential-based authentication, SRM stores a user name and password that you specify during
installation, and then uses those credentials when connecting to vCenter or another SRM server. SRM also
creates a special-purpose certificate for its own use. This certificate includes additional information that you
supply during installation. That information, an Organization name and Organization Unit name, must be
identical for both members of an SRM server pair.
NOTE Even though SRM creates and uses this special-purpose certificate when you choose credential-based
authentication, credential-based authentication is not equivalent to certificate-based authentication in either
security or operational simplicity.
Certificate Warnings
If you are using credential-based authentication, attempts by the SRM server to connect to vCenter produce a
certificate warning because the trust relationship asserted by the special-purpose certificates created by SRM
and vCenter cannot be verified by SSL. The warning dialog allows you to specify a disposition for the current
instance of the problem, for all instances of the problem when making a connection to a specific host, or for all
instances of the problem for all hosts. To avoid these warnings, use certificate-based authentication and obtain
your certificate from a trusted certificate authority.
Requirements When Using Public Key Certificates
If you have installed SSL certificates issued by a trusted certificate authority (CA) on the vCenter server that
supports SRM, the certificates you create for use by SRM must meet certain specific criteria.
While SRM uses a standard PKCS#12 certificate for authentication, it places a few specific requirements on the
contents of certain fields of those certificates. These requirements apply to the certificates used by both members
of an SRM server pair (the protected site and the recovery site).
- The certificates must have a Subject Name value constructed from:
  - A Common Name (CN) attribute, whose value must be the same for both members of the pair. A
    string such as "SRM" is appropriate here.
  - An Organization (O) attribute, whose value must be the same as the value of this attribute in the
    supporting vCenter server's certificate.
  - An Organizational Unit (OU) attribute, whose value must be the same as the value of this attribute
    in the supporting vCenter server's certificate.
- The certificate used by each member of an SRM server pair must include a Subject Alternative Name
  attribute whose value is the fully-qualified domain name of the SRM server host. (This value will be
  different for each member of the SRM server pair.) If you are using an openssl CA, modify the openssl
  configuration file to include a line like the following if the SRM server host's fully-qualified domain name
  is srm1.example.com:
      subjectAltName = DNS: srm1.example.com
  If you are using a Microsoft CA, refer to http://support.microsoft.com/kb/931351 for information on how
  to set the Subject Alternative Name.
- The certificate used by each member of an SRM server pair must include an "Extended Key Usage" attribute
  whose value is "serverAuth, clientAuth". If you are using an openssl CA, modify the openssl configuration
  file to include a line like the following:
      extendedKeyUsage = serverAuth, clientAuth
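One way to audit a certificate against the requirements listed above before installing it, as an added example (not VMware's code): it parses the text dump produced by `openssl x509 -noout -text` and reports which rules a pair member's certificate breaks. The sample dumps are constructed, and the function names, srm2.example.com, vc1.example.com and "Example Corp" are assumptions for illustration.

```python
import re

# openssl's display names for the serverAuth and clientAuth EKU values.
REQUIRED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication"}
DEFAULT_EKU = "TLS Web Server Authentication, TLS Web Client Authentication"

def sample_text(o, ou, cn, san, eku=DEFAULT_EKU):
    """Constructed excerpt shaped like `openssl x509 -noout -text` output (not a real cert)."""
    return (f"        Subject: C = US, O = {o}, OU = {ou}, CN = {cn}\n"
            "        X509v3 extensions:\n"
            "            X509v3 Subject Alternative Name: \n"
            f"                DNS:{san}\n"
            "            X509v3 Extended Key Usage: \n"
            f"                {eku}\n")

def parse_cert_text(text):
    """Pull subject attributes, DNS SANs and EKU names out of the text dump.
    Limitation: subject values that themselves contain commas are not handled."""
    subj = re.search(r"^\s*Subject:\s*(.+)$", text, re.M)
    san = re.search(r"Subject Alternative Name:.*\n\s*(.+)", text)
    eku = re.search(r"Extended Key Usage:.*\n\s*(.+)", text)
    return {
        "subject": dict(re.findall(r"(\w+)\s*=\s*([^,]+?)\s*(?:,|$)", subj.group(1) if subj else "")),
        "dns": re.findall(r"DNS:([^,\s]+)", san.group(1)) if san else [],
        "eku": {e.strip() for e in eku.group(1).split(",")} if eku else set(),
    }

def check_srm_cert(srm, peer_srm, vcenter, fqdn):
    """Return the requirements from the list above that `srm` violates (empty = compliant)."""
    s, p, v = (parse_cert_text(t) for t in (srm, peer_srm, vcenter))
    problems = []
    if not s["subject"].get("CN") or s["subject"].get("CN") != p["subject"].get("CN"):
        problems.append("CN missing or different from the peer SRM certificate")
    for attr in ("O", "OU"):
        if not s["subject"].get(attr) or s["subject"].get(attr) != v["subject"].get(attr):
            problems.append(f"{attr} missing or different from the vCenter certificate")
    if fqdn.lower() not in (d.lower() for d in s["dns"]):
        problems.append(f"subjectAltName lacks DNS:{fqdn}")
    if not REQUIRED_EKU <= s["eku"]:  # both must be present; extra usages are not rejected here
        problems.append("extendedKeyUsage lacks serverAuth and/or clientAuth")
    return problems

if __name__ == "__main__":
    vc = sample_text("Example Corp", "IT", "vc1.example.com", "vc1.example.com")
    srm1 = sample_text("Example Corp", "IT", "SRM", "srm1.example.com")
    srm2 = sample_text("Example Corp", "Ops", "SRM", "srm1.example.com")  # wrong OU, copied SAN
    print(check_srm_cert(srm1, srm2, vc, "srm1.example.com"))
    print(check_srm_cert(srm2, srm1, vc, "srm2.example.com"))
```

Run the check once per site, swapping the `srm` and `peer_srm` arguments, because the Subject Alternative Name differs between the two members while the CN must not.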
Chapter 1 Administering VMware vCenter Site Recovery Manager
VMware, Inc.