Installation guide
Dedicating a Server to VCM
VCM relies on the server operating system to protect the confidentiality, integrity, and availability of
server zone data from other services or users that run on the VCM server zone systems.
When server zone systems are used for purposes other than VCM, the risk of granting unintended access
to VCM data exists if those services or users have server administrator rights.
Foundation Checker
The VCM Foundation Checker determines whether a machine configuration is compatible with VCM.
Candidate systems must pass the Foundation Checker evaluation before you install VCM. Do not install
VCM on systems that fail Foundation Checker.
Trusted Software
Even if server zone systems are dedicated to running VCM, you might need software packages beyond
those from VMware or Microsoft.
Install only trusted software, preferably software that is accompanied and verified by a software publisher
certificate. It is unsafe to run software of unaccountable origin on machines in the VCM server zone.
Routine Backup, Patching, and Virus Scanning
Routine maintenance functions like backups, patches, and virus scanning must be performed on VCM
servers. You can perform these functions using VCM.
Authentication Certificates
VCM establishes the validity of HTTPS SSL certificates that IIS uses, and TLS certificates used during
Collector-to-Agent communication. To verify the validity, VCM checks signatures up the trust chain, from
the certificate in question up to a certificate installed in one of the trusted certificate stores.
VCM assumes and trusts that:
- A certificate in a trusted store is in fact trusted.
- Certificate authorities that issue certificates in a trusted store are trusted.
- Certificate services that manage certificates in a trusted certificate store, and the associated renewals and revocations, are trusted.
IMPORTANT: VCM trusts any certificates in the trusted store, even when they were not issued with VCM.
To view the contents of the trusted certificate stores on Microsoft platforms, use the Certmgr.exe
Certificate Manager Tool or the Microsoft Management Console (MMC) Certificates snap-in.
For more about authentication and certificates, see "Authentication" on page 57.
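Because VCM trusts whatever is in the trusted stores, it helps to compare those stores against a list of certificates you have approved. The following PowerShell script is an added example, not part of VCM or of the original guide; the baseline file name and the choice of stores to check are assumptions.

```powershell
# Added example: review the Windows certificate stores that chain validation relies on.
# Assumption: $BaselinePath is a hypothetical text file of approved thumbprints, one per line.
param(
    [string]$BaselinePath = '.\approved-thumbprints.txt',   # hypothetical file name
    [string[]]$Stores = @('Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA')
)

# Load approved thumbprints; with no baseline file, every certificate is reported for review.
$approved = @()
if (Test-Path -LiteralPath $BaselinePath) {
    $approved = @(Get-Content -LiteralPath $BaselinePath |
        ForEach-Object { ($_ -replace '\s', '').ToUpperInvariant() } |
        Where-Object { $_ })
}

$now = Get-Date
$findings = foreach ($store in $Stores) {
    foreach ($cert in Get-ChildItem -Path $store) {
        $reasons = @()
        if ($approved -notcontains $cert.Thumbprint) { $reasons += 'not in baseline' }
        if ($cert.NotAfter  -lt $now) { $reasons += 'expired' }
        if ($cert.NotBefore -gt $now) { $reasons += 'not yet valid' }
        # The signature on a self-signed root is not what trust rests on, so only
        # check the hash algorithm on certificates issued by another CA.
        if ($cert.Subject -ne $cert.Issuer -and
            $cert.SignatureAlgorithm.FriendlyName -match 'md5|sha1') {
            $reasons += 'weak signature hash'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Store      = $store
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                Reasons    = $reasons -join '; '
            }
        }
    }
}

# Each row is a certificate that is trusted on this machine and needs a decision.
$findings | Sort-Object Store, Subject | Format-Table -AutoSize -Wrap
```

Run it on each server zone system and investigate any entry marked "not in baseline" before relying on that machine's certificate validation.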
FIPS Cryptographic Service Providers
Most government and financial organizations require the use of FIPS cryptography. FIPS is also part of the
VCM Common Criteria Security Target. All cryptographic service providers (CSPs) installed in the zone
should be FIPS 140-validated.
Server Zone Security
VMware, Inc.