Installation guide

Besides being difficult to copy securely, copying a private key presents the risk of sharing it with more
than one machine, a configuration that is unsupported. Always generate a distinct key for each Collector
during the installation process. Because TLS mutual authentication is used by default, the process of
installing the Agent also creates a distinct key for each Agent.

Enterprise Certificate Key and Web Server Keys

If the Enterprise certificate server is the same machine as the VCM Collector being decommissioned, the
private key must be manually transferred by exporting it using the Microsoft Management Console
(MMC) Certificates snap-in. Use Copy To File, select the PFX file format, enable strong protection, and
select to delete the private key if the export is successful.
The resulting PFX file can safely be transported to the replacement machine over a network because the
file is passphrase protected.
Perform the same process to obtain a copy of the Web server keys before decommissioning the VCM
Web server.
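
A scripted form of the export-then-delete procedure above, as an added PowerShell example that is not part of the VCM guide. It assumes the certificate sits in the LocalMachine\My store with an exportable private key; the thumbprint and output path are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the VCM guide). Assumptions: store location,
# an exportable private key, and the placeholder values below.
$ErrorActionPreference = 'Stop'

$Thumbprint = '<CERT-THUMBPRINT-PLACEHOLDER>'      # placeholder
$PfxPath    = 'C:\Temp\decommission-export.pfx'    # hypothetical path
$CertPath   = "Cert:\LocalMachine\My\$Thumbprint"  # assumed store

$cert = Get-Item -Path $CertPath
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this machine."
}

# Prompt for the passphrase so it never appears in the script or history.
$passphrase = Read-Host -Prompt 'PFX passphrase' -AsSecureString

# Export certificate plus private key into a passphrase-protected PFX.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $passphrase |
    Out-Null

# Confirm the export succeeded: reopen the PFX with the same passphrase
# and check that it holds the same certificate together with a private key.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
    $PfxPath, $passphrase)
try {
    $exportOk = ($check.Thumbprint -eq $cert.Thumbprint) -and $check.HasPrivateKey
}
finally {
    $check.Reset()   # release the temporary key material loaded for the check
}

if (-not $exportOk) {
    Remove-Item -Path $PfxPath -Force
    throw 'PFX verification failed; the original key was left in place.'
}

# Only after a verified export: delete the certificate AND its private key
# from the machine being decommissioned.
Remove-Item -Path $CertPath -DeleteKey
Write-Output "Exported to $PfxPath and removed $Thumbprint with its private key."
```

The `Remove-Item -DeleteKey` call on the certificate provider removes a certificate together with its private key, so it also applies where a key must be erased without being exported first.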

Removal of Agent Keys at Uninstallation

When you uninstall an Agent, erase its private key unless it is to be used with an updated Agent on the
same managed machine. For Windows Agents, the MMC Certificates snap-in can erase both a certificate
and its private key.

Network Authority Accounts

After Collectors or Agents are decommissioned, any special Network Authority accounts that were
created specifically for them are no longer required. The need for the accounts is described in the VCM
Administration Guide.
Disable or remove these Network Authority accounts by using the VCM Administration panel and the
account management tools for your domain.

Erasing Server Disks

Server zone system disks contain collected data and login credentials from managed machines. Do not
discard these disks or use them for other purposes unless they are fully erased. See "Erasing versus
Deleting" on page 53.
NOTE Using these disks with a replacement Collector is a safe alternative to discarding them, and it
preserves the previous collection results.

Erasing Virtual Machines

If a virtual machine participated in your VCM environment, and you do not plan to use the virtual
machine for another purpose, fully erase the files that make up the virtual machine. See "Erasing versus
Deleting" on page 53.
Virtual machines sometimes have a source machine behind them. For example, they can be cloned from a
parent virtual machine, be based on a template, be a conversion from a physical machine, and so on. If the
source machine was an original that participated in your VCM environment, you might have additional
files or disks to decommission in order to fully destroy confidential data or keys. Furthermore, there may
be other clones or copies to locate, siblings and cousins to the virtual machine that you started with.
VCM Security Guide
54
VMware, Inc.