4.1

Requirements When Using Public Key Certificates
If you have installed SSL certificates issued by a trusted certificate authority (CA) on the vCenter server that
supports SRM, the certificates you create for use by SRM must meet certain specific criteria.
While SRM uses standard PKCS#12 certificates for authentication, it places a few specific requirements on the
contents of certain fields of those certificates. These requirements apply to the certificates used by both members
of an SRM server pair (the protected site and the recovery site).
- The certificates must have a Subject Name value constructed from:
  - A Common Name (CN) attribute, whose value must be the same for both members of the pair. A
    string such as "SRM" is appropriate here.
  - An Organization (O) attribute, whose value must be the same as the value of this attribute in the
    supporting vCenter server's certificate.
  - An Organizational Unit (OU) attribute, whose value must be the same as the value of this attribute
    in the supporting vCenter server's certificate.
- The certificate used by each member of an SRM server pair must include a Subject Alternative Name
  attribute whose value is the fully-qualified domain name of the SRM server host. (This value will be
  different for each member of the SRM server pair.) Because this name is subject to a case-sensitive
  comparison, it is a good idea to always use lower-case letters when specifying the name during SRM
  installation.
  - If you are using an openssl CA, modify the openssl configuration file to include a line like the
    following if the SRM server host's fully-qualified domain name is srm1.example.com:
      subjectAltName = DNS: srm1.example.com
  - If you are using a Microsoft CA, refer to http://support.microsoft.com/kb/931351 for information on
    how to set the Subject Alternative Name.
- The certificate used by each member of an SRM server pair must include an "extendedKeyUsage" or
  "enhancedKeyUsage" attribute whose value is "serverAuth, clientAuth". If you are using an openssl CA,
  modify the openssl configuration file to include a line like the following:
    extendedKeyUsage = serverAuth, clientAuth
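
A check of the requirements above, as an added example that is not part of the original guide: it parses the text printed by "openssl x509 -in CERT -noout -subject -nameopt RFC2253 -ext subjectAltName,extendedKeyUsage" (OpenSSL 1.1.1 or later) for the vCenter certificate and both SRM certificates. The function names and the sample output are constructed for illustration.

```python
import re

# Labels OpenSSL prints for the serverAuth and clientAuth EKU values.
REQUIRED_EKU = {"TLS Web Server Authentication", "TLS Web Client Authentication"}

def parse_cert_text(text):
    """Parse the text printed by the openssl x509 command named in the lead-in."""
    subject = re.search(r"^subject=\s*(.*)$", text, re.M).group(1)
    # RFC 2253 escapes commas inside a value as "\,", so split on unescaped ones only.
    rdns = dict(p.strip().split("=", 1) for p in re.split(r"(?<!\\),", subject))
    eku = re.search(r"Extended Key Usage:.*\n\s*(.*)", text)
    return {
        "CN": rdns.get("CN"), "O": rdns.get("O"), "OU": rdns.get("OU"),
        "san": re.findall(r"DNS:([^,\s]+)", text),
        "eku": {u.strip() for u in eku.group(1).split(",")} if eku else set(),
    }

def check_srm_cert(cert, fqdn, vcenter, peer):
    """Return the requirements the SRM certificate violates (empty list = compliant)."""
    problems = []
    if cert["CN"] != peer["CN"]:
        problems.append("CN differs between the two SRM servers of the pair")
    for attr in ("O", "OU"):
        if cert[attr] != vcenter[attr]:
            problems.append(attr + " does not match the vCenter server certificate")
    if fqdn not in cert["san"]:  # exact, case-sensitive match
        problems.append("subjectAltName does not contain the SRM host FQDN")
    if not REQUIRED_EKU <= cert["eku"]:
        problems.append("extendedKeyUsage lacks serverAuth and/or clientAuth")
    return problems

# Constructed sample output (not taken from real certificates).
VCENTER = "subject=CN=vc1.example.com,OU=IT,O=Example Corp\n"
SRM1 = """subject=CN=SRM,OU=IT,O=Example Corp
X509v3 Subject Alternative Name:
    DNS:srm1.example.com
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication
"""
SRM2 = """subject=CN=SRM,OU=Ops,O=Example Corp
X509v3 Subject Alternative Name:
    DNS:SRM2.example.com
X509v3 Extended Key Usage:
    TLS Web Server Authentication
"""

if __name__ == "__main__":
    vc, a, b = (parse_cert_text(t) for t in (VCENTER, SRM1, SRM2))
    print(check_srm_cert(a, "srm1.example.com", vc, b))  # compliant
    print(check_srm_cert(b, "srm2.example.com", vc, a))  # wrong OU, SAN case, EKU
```

Run it against each member of the pair with the FQDN exactly as it was entered during SRM installation, so a case mismatch shows up before the sites are paired.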
How SRM Uses Network Ports
SRM servers use several network ports to communicate with each other, with client plug-ins, and with
vCenter. If any of these ports are in use by other applications or are blocked on your network, you must
reconfigure SRM to use different ones.
Table 1-3 lists the default network ports that SRM uses for intrasite (between hosts at a single site) and intersite
(between hosts at the protected and recovery sites) communications. You can change these defaults when you
install SRM.
Table 1-3. How SRM Uses Network Ports

Default Port   Protocol   Endpoints
8095           SOAP       SRM server and vCenter server (intrasite only)
8096           HTTP       vCenter server (for plug-in download)
9007           SOAP       API clients
Site Recovery Manager Administration Guide