5.5
vSphere Replication can trust remote server certificates either by verifying the validity of the certificate and
its thumbprint or by verifying the thumbprint only. The default is to verify by thumbprint only. You can
activate the verification of the certificate validity in the virtual appliance management interface (VAMI) of
the vSphere Replication appliance by selecting the option Accept only SSL certificates signed by a trusted
Certificate Authority when you upload a certificate.
Thumbprint Verification
vSphere Replication checks for a thumbprint match. vSphere Replication
trusts remote server certificates if it can verify the thumbprints through
secure vSphere platform channels or, in some rare cases, after the user
confirms them. vSphere Replication only takes certificate thumbprints into
account when verifying the certificates and does not check certificate
validity.
Verification of Thumbprint and Certificate Validity
vSphere Replication checks the thumbprint and checks that all server
certificates are valid. If you select the Accept only SSL certificates signed by
a trusted Certificate Authority option, vSphere Replication refuses to
communicate with a server with an invalid certificate. When verifying
certificate validity, vSphere Replication checks expiration dates, subject
names and the certificate issuing authorities.
In both modes, vSphere Replication retrieves thumbprints from vCenter Server. vSphere Replication refuses
to communicate with a server if the automatically determined thumbprint differs from the actual
thumbprint that it detects while communicating with the respective server.
You can mix trust modes between vSphere Replication appliances at different sites. A pair of
vSphere Replication appliances can work successfully even if you configure them to use different trust
modes.
Requirements When Using a Public Key Certificate with vSphere Replication
If you enforce verification of certificate validity by selecting Accept only SSL certificates signed by a
trusted Certificate Authority in the virtual appliance management interface (VAMI) of the
vSphere Replication appliance, some fields of the certificate request must meet certain requirements.
vSphere Replication can only import and use certificates and private keys from a file in the PKCS#12 format.
Sometimes these files have a .pfx extension.
- The certificate must be issued for the same server name as the value in the VRM Host setting in the
  VAMI. Setting the certificate subject name accordingly is sufficient, if you put a host name in the VRM
  Host setting. If any of the certificate Subject Alternative Name fields of the certificate matches the VRM
  Host setting, this will work as well.
- vSphere Replication checks the issue and expiration dates of the certificate against the current date, to
  ensure that the certificate has not expired.
- If you use your own certificate authority, for example one that you create and manage with the
  OpenSSL tools, you must add the fully qualified domain name or IP address to the OpenSSL
  configuration file.
  - If the fully qualified domain name of the appliance is VR1.example.com, add
    subjectAltName = DNS: VR1.example.com to the OpenSSL configuration file.
  - If you use the IP address of the appliance, add subjectAltName = IP: vr-appliance-ip-address to
    the OpenSSL configuration file.
- vSphere Replication requires a trust chain to a well-known root certificate authority.
  vSphere Replication trusts all the certificate authorities that the Java Virtual Machine trusts. Also, you
  can manually import additional trusted CA certificates in
  /opt/vmware/hms/security/hms-truststore.jks on the vSphere Replication appliance.
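The requirements above, carried through with the OpenSSL tools as an added example (not part of the VMware documentation): it writes an OpenSSL configuration file with the subjectAltName entry, issues a certificate from a self-managed CA, bundles it as PKCS#12, and then checks the host name, expiry and chain. The CA name, password, 30-day lifetime and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not VMware code. Constructed values: CA name, password, 30-day lifetime.
VR_HOST="${VR_HOST:-VR1.example.com}"      # must equal the VRM Host setting in the VAMI
P12_PASS="${P12_PASS:-example-only-pass}"  # constructed placeholder password

make_vr_p12() {  # $1 = working directory; writes ca.crt and vr.pfx there
  d="$1"; mkdir -p "$d" || return 1
  # OpenSSL configuration file with the subjectAltName entry the page requires.
  # For an appliance addressed by IP, the entry is IP:<address> instead of DNS:<name>.
  cat > "$d/vr.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = $VR_HOST
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_vr ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$VR_HOST
extendedKeyUsage = serverAuth
EOF
  # 1. Self-managed root CA (constructed name).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/vr.cnf" \
    -extensions v3_ca -subj "/CN=Example Lab CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # 2. Appliance key and CSR; the subject CN comes from the [ dn ] section.
  openssl req -new -newkey rsa:2048 -nodes -config "$d/vr.cnf" \
    -keyout "$d/vr.key" -out "$d/vr.csr" 2>/dev/null || return 1
  # 3. Sign the CSR, applying the v3_vr extensions (including subjectAltName).
  openssl x509 -req -in "$d/vr.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$d/vr.cnf" -extensions v3_vr \
    -out "$d/vr.crt" 2>/dev/null || return 1
  # 4. Bundle key, certificate and CA chain as PKCS#12 (.pfx).
  openssl pkcs12 -export -inkey "$d/vr.key" -in "$d/vr.crt" -certfile "$d/ca.crt" \
    -name vr -passout "pass:$P12_PASS" -out "$d/vr.pfx"
}

check_vr_p12() {  # $1 = .pfx file, $2 = VRM Host value, $3 = CA certificate (PEM)
  leaf=$(openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -clcerts -nokeys 2>/dev/null) \
    || return 1                                   # not a readable PKCS#12 file
  printf '%s\n' "$leaf" | openssl x509 -noout -checkhost "$2" \
    | grep -q "does match" || return 2            # name does not match VRM Host
  printf '%s\n' "$leaf" | openssl x509 -noout -checkend 0 >/dev/null \
    || return 3                                   # certificate has expired
  printf '%s\n' "$leaf" | openssl verify -CAfile "$3" >/dev/null 2>&1 \
    || return 4                                   # no valid chain to the given CA
}
```

Because the CA in this example is private, its certificate (ca.crt) would also have to be imported into the appliance truststore named above before the appliance can build a trust chain to it.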
Chapter 8 Installing vSphere Replication
VMware, Inc.