Installation guide

Figure 13–2. Shared Collector-Agent Relationship
To properly support the trust chain, mutual authentication, and multiple Collector environments, Enterprise certificates in VCM must have the following properties:

• Must be able to sign certificate requests.

• Can be self-signed. If the certificate is self-signed, it is assumed that you trust it. The trust is implemented by placing the certificate in the Trusted Root store (Windows) or in the VCM store (UNIX).

• Can be signed by another certificate in an existing PKI and placed in the trusted store.

• Must be stored in the local machine Trusted Root Certification Authorities store on the Windows Collector and Agents (Windows only).

• On UNIX platforms, the Agent has a vendor-implemented certificate store. The Enterprise certificate must be added to this store. The certificate is added during initial installation, but you must add subsequent certificates manually using the CSI_ManageCertificateStore utility included with your VCM UNIX Agent.

• Can be authorized as explained in "Authorized Certificates in the Trust Chain" on page 62.
Collector Certificate
The Collector certificate must secure an initial TLS communication channel with the Agent. The Agent must establish that the Collector certificate can be trusted. Because the Enterprise certificate is installed in the managed machine (Agent) trusted store, the Collector is trusted whenever the Collector certificate was issued by the same, trusted Enterprise certificate.

Collector certificates in VCM must adhere to the following requirements:

• Must be kept in the local machine personal certificate store on the Collector.

• Must be valid for server authentication (OID: 1.3.6.1.5.5.7.3.1).
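The following PowerShell script is an added example, not part of the VCM guide or of the VCM product, that checks a Windows Collector against both requirement lists above: the Enterprise certificate must be present in the local machine Trusted Root store and able to sign certificate requests, and the Collector certificate must be present in the local machine personal store, carry the server authentication EKU (1.3.6.1.5.5.7.3.1), and chain up to that Enterprise certificate. The two thumbprint parameters are assumptions supplied by the operator; the script uses only the built-in certificate provider and .NET X509 classes.

```powershell
# Added example (not from the VCM guide): verify the Enterprise and Collector certificate
# requirements on a Windows Collector. Both thumbprints are placeholders the operator supplies.
param(
    [Parameter(Mandatory = $true)]
    [string]$EnterpriseThumbprint,   # thumbprint of the Enterprise (trust anchor) certificate
    [Parameter(Mandatory = $true)]
    [string]$CollectorThumbprint     # thumbprint of the Collector certificate
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the EKU the guide requires

# 1. The Enterprise certificate must sit in the local machine Trusted Root store.
$enterprise = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Thumbprint -eq $EnterpriseThumbprint }
if (-not $enterprise) {
    throw "Enterprise certificate $EnterpriseThumbprint is not in Cert:\LocalMachine\Root"
}

# 2. It must be able to sign certificate requests: Basic Constraints CA=TRUE and, when a
#    Key Usage extension is present, Key Usage must include KeyCertSign.
$basic = $enterprise.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $basic -or -not $basic.CertificateAuthority) {
    throw "Enterprise certificate is not marked as a CA in its Basic Constraints extension"
}
$ku = $enterprise.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
$keyCertSign = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]::KeyCertSign
if ($ku -and -not ($ku.KeyUsages -band $keyCertSign)) {
    throw "Enterprise certificate Key Usage does not include KeyCertSign"
}

# 3. The Collector certificate must be in the local machine personal store (Cert:\LocalMachine\My)
#    and, to terminate TLS, the Collector needs its private key.
$collector = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $CollectorThumbprint }
if (-not $collector) {
    throw "Collector certificate $CollectorThumbprint is not in Cert:\LocalMachine\My"
}
if (-not $collector.HasPrivateKey) {
    Write-Warning "Collector certificate has no private key in this store; TLS cannot use it"
}

# 4. It must be valid for server authentication (EKU 1.3.6.1.5.5.7.3.1).
$eku = $collector.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
if (-not $hasServerAuth) {
    throw "Collector certificate does not carry the server authentication EKU ($ServerAuthOid)"
}

# 5. It must have been issued under the Enterprise certificate: build the chain from the
#    machine stores and confirm the chain's root is the Enterprise certificate itself.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($collector)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    throw "Collector certificate does not chain to a trusted root: $status"
}
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Thumbprint -ne $enterprise.Thumbprint) {
    throw "Collector certificate chains to '$($root.Subject)', not to the Enterprise certificate"
}

Write-Output "OK: '$($collector.Subject)' is issued under Enterprise certificate '$($enterprise.Subject)' and is valid for server authentication"
```

Run it in an elevated PowerShell session on the Collector, passing the two thumbprints as shown in the certificate MMC snap-in. Revocation checking is disabled here so that the check isolates the trust-chain and EKU requirements the guide states; re-enable it with `X509RevocationMode.Online` if your PKI publishes CRLs or OCSP that the Collector can reach. The script does not cover the UNIX Agent side, where the Enterprise certificate lives in the vendor store managed by CSI_ManageCertificateStore.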
Authentication
VMware, Inc.
61