Installation guide

Certificates are defined by the X.509 RFC standard, which includes fields that form a contract between the
creator and consumer. The Enhanced Key Usage extension specifies the use for which the certificate is
valid, including Server Authentication.

Enterprise and Collector Certificates
An Enterprise Certificate and one or more Collector Certificates enable secure HTTP Collector and Agent
communication in VCM. The Enterprise Certificate enables VCM to operate in a multi-Collector
environment. Agents have the Enterprise Certificate in their trusted certificate stores, and they use the
Enterprise Certificate to validate any certificate issued by the Enterprise Certificate. All Collector
Certificates are expected to be issued by the Enterprise Certificate, which is critical in environments where
a single Agent is shared between multiple Collectors.
Server authentication is required to establish a TLS connection with an Agent. All VCM Collectors should
have a common Enterprise Certificate. Each Collector Certificate is issued by the Enterprise Certificate,
and is capable of Server Authentication. Collector Certificates in VCM must adhere to the requirements
for secure communications certificates. See "Secure Communications Certificates" on the previous page.
• The Collector Certificate initiates and secures a TLS communication channel with an HTTP Agent. The
Agent must be able to establish that the Collector Certificate can be trusted, which means that the
Collector Certificate is valid and the certification path starting with the Collector Certificate ends with a
trusted certificate. By design, the Enterprise Certificate is installed in the Agent’s trusted store. The trust
chain ends with the Enterprise Certificate.
• Self-signed Agent Certificates are generated during Agent installation, upon first contact from the
Collector. Agent Certificates are used for Mutual Authentication only. VCM support for Mutual
Authentication requires the administrator to manually verify the fingerprint of each Agent's certificate
before marking those Agents as trusted in Administration > Certificates.
• The Collector Certificate and associated private key must be available to the Collector. This certificate is
stored in the local machine personal system store.
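The following is an added example, not VCM code or a VMware tool. It models the checks described above that an Agent applies to a Collector Certificate (certification path ending at the trusted Enterprise Certificate, validity period, and a Server Authentication Enhanced Key Usage) and the fingerprint an administrator compares before marking an Agent as trusted. It uses the Python `cryptography` package; all certificates are generated in memory for the demonstration rather than read from the Collector's store, the hostnames are constructed, and the SHA-256 fingerprint digest is an assumption (the VCM console may display a different digest).

```python
# Added example (not VCM code). Models the Agent-side trust checks on a
# Collector Certificate and the fingerprint an administrator compares.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

VALIDITY = datetime.timedelta(days=365)


def _name(common_name):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])


def _now():
    # Naive UTC, matching the naive datetimes the certificate objects expose.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_enterprise_cert(common_name="VCM Enterprise (example)"):
    """Self-signed CA standing in for the Enterprise Certificate (constructed)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(common_name))
        .issuer_name(_name(common_name))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + 10 * VALIDITY)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def make_collector_cert(issuer_key, issuer_cert, hostname, server_auth=True):
    """Leaf certificate issued by issuer_cert; EKU is Server Auth unless told otherwise."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    eku = [ExtendedKeyUsageOID.SERVER_AUTH if server_auth else ExtendedKeyUsageOID.CLIENT_AUTH]
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(hostname))
        .issuer_name(issuer_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + VALIDITY)
        .add_extension(x509.ExtendedKeyUsage(eku), critical=False)
        .sign(issuer_key, hashes.SHA256())
    )
    return key, cert


def agent_trusts_collector(collector_cert, enterprise_cert):
    """Return (trusted, reason); the Agent's trusted store holds only enterprise_cert."""
    # 1. Certification path: issuer name must match, and the signature must verify
    #    under the Enterprise key the Agent actually holds (a matching name alone
    #    proves nothing).
    if collector_cert.issuer != enterprise_cert.subject:
        return False, "issuer name is not the Enterprise Certificate"
    try:
        enterprise_cert.public_key().verify(
            collector_cert.signature,
            collector_cert.tbs_certificate_bytes,
            padding.PKCS1v15(),
            collector_cert.signature_hash_algorithm,
        )
    except InvalidSignature:
        return False, "signature does not verify under the trusted Enterprise key"
    # 2. Validity period.
    if not (collector_cert.not_valid_before <= _now() <= collector_cert.not_valid_after):
        return False, "certificate is outside its validity period"
    # 3. Enhanced Key Usage must include Server Authentication.
    try:
        eku = collector_cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return False, "no Enhanced Key Usage extension"
    if ExtendedKeyUsageOID.SERVER_AUTH not in eku:
        return False, "Enhanced Key Usage does not include Server Authentication"
    return True, "ok"


def fingerprint(cert, algorithm=hashes.SHA256()):
    """Colon-separated hex digest of the DER encoding, the value an administrator
    compares out-of-band before marking an Agent trusted (SHA-256 is an assumption)."""
    return ":".join(f"{b:02X}" for b in cert.fingerprint(algorithm))


def demo():
    ent_key, ent_cert = make_enterprise_cert()
    _, good = make_collector_cert(ent_key, ent_cert, "collector01.example")
    _, wrong_eku = make_collector_cert(ent_key, ent_cert, "collector02.example", server_auth=False)
    # Look-alike "Enterprise" CA: same name, different key, not in the Agent's store.
    rogue_key, rogue_ca = make_enterprise_cert()
    _, rogue = make_collector_cert(rogue_key, rogue_ca, "collector03.example")
    return {
        "good": agent_trusts_collector(good, ent_cert),
        "wrong_eku": agent_trusts_collector(wrong_eku, ent_cert),
        "untrusted_issuer": agent_trusts_collector(rogue, ent_cert),
        "agent_fingerprint": fingerprint(good),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(check, result)
```

The look-alike CA case is the one that matters in a multi-Collector environment: a certificate whose issuer name reads "Enterprise" but was not signed by the Enterprise key in the Agent's trusted store is rejected, which is why every Collector Certificate must be issued by the one common Enterprise Certificate.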

Delivering Initial Certificates to Agents
VCM Agents use the Enterprise Certificate to validate Collector Certificates. The Agent must have access
to the Enterprise Certificate as a trusted certificate. In most cases, VCM delivers and installs the Enterprise
Certificate as needed during the HTTP Agent installation.
When you manually install Windows HTTP or VCM Remote client components, you must specify a path
to the PEM file that provides the Enterprise Certificate and the Collector's public key.

Installing the Agent from a Disk (Windows only)
The VCM Installation DVD does not contain customer-specific certificates. If HTTP is specified, the manual
VCM installer requests the location of the Enterprise Certificate file during the installation. You must have
the Enterprise Certificate file available at installation time. You can copy the certificate file, which has a
.pem extension, from the CollectorData folder on the Collector. You must copy the certificate file
when you run the manual installer directly using CMAgentInstall.exe or when you use the Agent
Only option in the DVD auto-run program.
vCenter Configuration Manager Advanced Installation Guide
34
VMware, Inc.