5.0

■ The certificate used by each member of an SRM server pair must include an extendedKeyUsage or
  enhancedKeyUsage attribute whose value is serverAuth, clientAuth. If you are using an openssl CA,
  modify the openssl configuration file to include a line like the following:
      extendedKeyUsage = serverAuth, clientAuth
■ The SRM certificate password must not exceed 31 characters.
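The following is an added example, not part of the original guide or of SRM: a standard-library Python check for the two requirements above, run before a certificate is installed. The function names are hypothetical, and the two sample inputs are constructed byte strings that contain only the extensions portion of a certificate, not a real certificate.

```python
import ssl

EKU_EXT = bytes.fromhex("551d25")  # OID 2.5.29.37 (extendedKeyUsage)
REQUIRED = {  # EKU purposes the page requires, keyed by DER-encoded OID body
    bytes.fromhex("2b06010505070301"): "serverAuth",  # 1.3.6.1.5.5.7.3.1
    bytes.fromhex("2b06010505070302"): "clientAuth",  # 1.3.6.1.5.5.7.3.2
}
MAX_PASSWORD_LEN = 31  # limit stated on the page

def walk(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags only)."""
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        i += 2
        if length & 0x80:  # long form: low 7 bits give the number of length bytes
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        yield tag, buf[i:i + length]
        i += length

def find_eku(der):
    """Return the set of EKU OID bodies found in der, or None if the extension is absent."""
    for tag, val in walk(der):
        if not tag & 0x20:  # primitive element, nothing nested
            continue
        kids = list(walk(val))
        if kids and kids[0] == (0x06, EKU_EXT):  # Extension: extnID, [critical], extnValue
            (_, seq), = walk(kids[-1][1])  # OCTET STRING wraps SEQUENCE OF OID
            return {oid for t, oid in walk(seq) if t == 0x06}
        found = find_eku(val)
        if found is not None:
            return found
    return None

def check_srm_cert(cert, password):
    """Return a list of problems; an empty list means both requirements are met."""
    if isinstance(cert, str):  # PEM text is converted to DER first
        cert = ssl.PEM_cert_to_DER_cert(cert)
    ekus = find_eku(cert)
    problems = ["no extendedKeyUsage extension"] if ekus is None else [
        f"missing {name}" for oid, name in REQUIRED.items() if oid not in ekus]
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"password is {len(password)} characters (limit {MAX_PASSWORD_LEN})")
    return problems

# Constructed samples: SEQUENCE { [3] { SEQUENCE { Extension(extendedKeyUsage) } } }
SAMPLE_OK = bytes.fromhex("3023a321301f301d0603551d250416301406082b0601050507030106082b06010505070302")
SAMPLE_SERVER_ONLY = bytes.fromhex("3019a317301530130603551d25040c300a06082b06010505070301")
```

For a real certificate, pass its PEM text or DER bytes as the first argument to check_srm_cert.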
Understanding Roles and Permissions
SRM provides disaster recovery by performing operations on behalf of users. These operations involve
managing objects, such as recovery plans or protection groups, and performing operations, such as replicating
or powering off virtual machines. SRM must be able to complete these tasks, when appropriate, and refuse to
complete operations when they are not authorized. To achieve this goal, SRM uses permissions and roles.
The following are key terms related to permissions and roles.
Privilege
    The right to perform an action. Examples of privileges include creating a
    recovery plan or modifying a protection group.
Role
    A collection of privileges. Default roles are designed to provide the privileges
    associated with some user role such as users who will manage protection
    groups or complete recoveries.
Permissions
    A role granted to a particular user or group (also known as a principal) on some
    object. A permission is the intersection of role, object, and principal.
    A permission is the intersection of a privilege and an object. For example, the
    privilege to modify a protection group as it applies to a specific protection
    group in the inventory.
SRM determines if the operation is permitted when protection is configured, rather than at the time the
operation is to be completed. After SRM verifies that the appropriate permissions are assigned on vSphere
resources, future actions are carried out on behalf of users by SRM using the vSphere administrator context.
For configuration operations, user permissions are validated when the operation is requested. Other operations
require two phases of validation.
1 During configuration, SRM verifies that the user configuring the system has the required permissions to
complete the configuration on the vCenter object. For example, a user must have permission to protect a
virtual machine and use resources on a secondary vCenter Server that the recovered virtual machine
would use.
2 The user executing the configuration must have permissions to complete the task. For example, a user
must have permissions to execute a recovery plan. The task is then completed in the administrative context.
As a result, a user who completes a particular task, such as a failover, does not need permissions to act
on vSphere resources. The action is authorized by the role, but is completed by SRM acting as an administrator.
These operations are carried out using the administrator credentials provided during site pairing.
SRM maintains a database of permissions for internal SRM objects using a model similar to the one used by
vCenter Servers. SRM verifies its own SRM privileges even on vCenter objects. For example, SRM checks for
Recovery Use permission on the target datastore rather than multiple low-level permissions, such as Allocate
space.
Site Recovery Manager Administration Guide
20 VMware, Inc.