Certificate-Based Authentication
If you have or can acquire a PKCS#12 certificate signed by a trusted authority, use certificate-based
authentication. Public key certificates signed by a trusted authority streamline many SRM operations and
provide the highest level of security. Certificates used by SRM have special requirements. See “Requirements
When Using Public Key Certificates,” on page 19.
Credential-Based Authentication
If you are using credential-based authentication, SRM stores a user name and password that you specify during
installation, and then uses those credentials when connecting to vCenter. SRM also creates a special-purpose
certificate for its own use. This certificate includes additional information that you supply during installation.
That information, an Organization name and Organization Unit name, must be identical for both members of
an SRM server pair.
NOTE Even though SRM creates and uses this special-purpose certificate when you choose credential-based
authentication, credential-based authentication is not equivalent to certificate-based authentication in either
security or operational simplicity.
Certificate Warnings
If you are using credential-based authentication, attempts by the SRM server to connect to vCenter produce a
certificate warning, because the special-purpose certificates that SRM and vCenter create for themselves are not
issued by a certificate authority that the other side trusts, so SSL cannot validate the trust relationship they
assert. The warning lets you verify the thumbprint of the certificate presented by the other server and confirm
its identity; compare it against a thumbprint obtained directly from that server before you accept it, since
accepting an unverified thumbprint defeats the check. To avoid these warnings, use certificate-based
authentication and obtain your certificate from a trusted certificate authority.
Requirements When Using Public Key Certificates
If you installed SSL certificates issued by a trusted certificate authority (CA) on the vCenter Server that supports
SRM, the certificates you create for use by SRM must meet specific criteria.
While SRM uses standard PKCS#12 certificates for authentication, it places a few specific requirements on the
contents of certain fields of those certificates. These requirements apply to the certificates used by both members
of an SRM server pair (the protected site and the recovery site).
- The certificates must have a Subject Name value constructed from the following components:
  - A Common Name (CN) attribute, whose value must be the same for both members of the pair. A
    string such as "SRM" is appropriate here.
  - An Organization (O) attribute, whose value must be the same as the value of this attribute in the
    supporting vCenter Server's certificate.
  - An Organizational Unit (OU) attribute, whose value must be the same as the value of this attribute
    in the supporting vCenter Server's certificate.
- The certificate used by each member of an SRM server pair must include a Subject Alternative Name
  attribute whose value is the fully-qualified domain name of the SRM server host. (This value will be
  different for each member of the SRM server pair.) Because this name is subject to a case-sensitive
  comparison, use lowercase letters when specifying the name during SRM installation, and make sure the
  name in the certificate matches it exactly.
  - If you are using an openssl CA, modify the openssl configuration file to include a line like the
    following if the SRM server host's fully-qualified domain name is srm1.example.com:
    subjectAltName = DNS: srm1.example.com
  - If you are using a Microsoft CA, refer to http://support.microsoft.com/kb/931351 for information on
    how to set the Subject Alternative Name.
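The following script is an added example, not VMware's code or part of this guide. It walks the openssl CA path described above end to end: it issues a certificate for each member of an SRM server pair with CN=SRM, the vCenter Server's O and OU, and a lowercase-FQDN subjectAltName supplied through an extension file; it exports each as the PKCS#12 bundle the installer expects; it then checks the pair against the requirements in this section (same CN, O/OU matching vCenter, SAN equal to the host name under a case-sensitive comparison) and prints the SHA-1 thumbprint that a certificate warning would show. The throwaway CA, the O/OU values in VC_O and VC_OU, and the host names srm1.example.com and srm2.example.com are all assumptions made for the example; substitute the values from your vCenter Server certificate and your real CA.

```shell
#!/bin/sh
# Added example (not VMware's code): issue, bundle and check SRM server-pair certificates
# with an openssl CA. The CA, VC_O/VC_OU and the host names below are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
VC_O="Example Corp"      # assumption: O attribute of the vCenter Server certificate
VC_OU="IT Operations"    # assumption: OU attribute of the vCenter Server certificate

# Throwaway CA standing in for the trusted CA; in production send the CSR to that CA.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Test CA/O=$VC_O" \
    -days 365 -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null

# issue_srm_cert <fqdn> [ou]: key + CSR with CN=SRM and vCenter's O/OU, signed with a
# subjectAltName of the lowercased host FQDN, exported as PKCS#12. Prints the PEM path.
issue_srm_cert() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # SRM compares case-sensitively: keep lowercase
    ou=${2:-$VC_OU}                               # optional override, used to show a mismatch
    base="$WORK/$fqdn"
    # The same line the text adds to the openssl configuration, here in a per-host extfile
    printf 'subjectAltName = DNS:%s\n' "$fqdn" > "$base.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=SRM/O=$VC_O/OU=$ou" \
        -keyout "$base.key" -out "$base.csr" 2>/dev/null
    openssl x509 -req -in "$base.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -extfile "$base.ext" -out "$base.crt" 2>/dev/null
    # The PKCS#12 bundle (certificate, key, issuing CA) is what the SRM installer takes
    openssl pkcs12 -export -in "$base.crt" -inkey "$base.key" -certfile "$WORK/ca.crt" \
        -passout pass:changeit -out "$base.p12" 2>/dev/null
    echo "$base.crt"
}

# srm_cert_field <cert.pem> <CN|O|OU|SAN>: print one field; SAN lists the DNS names
srm_cert_field() {
    case "$2" in
        SAN) openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' \
                 | sed 's/^DNS://' | tr '\n' ' ' | sed 's/ $//' ;;
        *)   openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
                 | sed -n "s/^ *$2 *= *//p" ;;
    esac
}

# srm_cert_thumbprint <cert.pem>: SHA-1 thumbprint, the value a certificate warning shows
srm_cert_thumbprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# check_srm_pair <cert1> <fqdn1> <cert2> <fqdn2>: 0 if both certificates satisfy the
# pair requirements above, 1 (with the reason on stderr) otherwise
check_srm_pair() {
    cn1=$(srm_cert_field "$1" CN); cn2=$(srm_cert_field "$3" CN)
    [ -n "$cn1" ] && [ "$cn1" = "$cn2" ] \
        || { echo "CN missing or differs: '$cn1' vs '$cn2'" >&2; return 1; }
    for c in "$1" "$3"; do
        [ "$(srm_cert_field "$c" O)" = "$VC_O" ] \
            || { echo "$c: O does not match the vCenter certificate" >&2; return 1; }
        [ "$(srm_cert_field "$c" OU)" = "$VC_OU" ] \
            || { echo "$c: OU does not match the vCenter certificate" >&2; return 1; }
    done
    # SAN must equal the host FQDN exactly; [ = ] is case-sensitive, like SRM's comparison
    [ "$(srm_cert_field "$1" SAN)" = "$2" ] || { echo "$1: SAN is not $2" >&2; return 1; }
    [ "$(srm_cert_field "$3" SAN)" = "$4" ] || { echo "$3: SAN is not $4" >&2; return 1; }
    return 0
}

SRM1=$(issue_srm_cert srm1.example.com)   # protected site (assumed host name)
SRM2=$(issue_srm_cert srm2.example.com)   # recovery site (assumed host name)
check_srm_pair "$SRM1" srm1.example.com "$SRM2" srm2.example.com
echo "SRM pair certificates OK; protected-site thumbprint: $(srm_cert_thumbprint "$SRM1")"
```

Run check_srm_pair against the certificates you actually deploy before installing SRM: a CN that differs between the two sites, an O or OU that does not match the vCenter Server certificate, or a SAN whose case differs from the name given at installation are the mismatches the checks above catch, and each is reported on stderr.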
Chapter 1 Administering VMware vCenter Site Recovery Manager
VMware, Inc. 19