Installation guide

First Contact
When a Collector first contacts an Agent, the Agent checks whether it already has a certificate and private
key pair. If it does not, it generates a self-signed certificate and private key and stores them in its own
certificate store: the Microsoft certificate store on Windows or the VCM certificate store on UNIX.
Next, the Agent sends its certificate to the Collector as part of the TLS handshake. If the Collector has
already stored a certificate for that Agent, it compares the stored certificate with the incoming one and
rejects the TLS connection if they do not match. If the Collector has no certificate for the Agent, it stores the
incoming Agent certificate and allows the TLS connection to succeed, but does not trust that certificate for
data encryption until you tell it to, as explained in "Encryption Between Collector and Agent" on page 63.
Because the Collector pins whichever certificate it receives on first contact (trust on first use), nothing in the
handshake itself verifies which machine generated that certificate; make sure the first contact with each
Agent takes place on a network you control.
Changes to Agent Certificates
When the Collector stores an Agent certificate, it associates the Agent machine with that certificate. If the
Agent later presents a different certificate to establish TLS communication with the Collector,
authentication fails.
This can happen, for example, if you uninstall and reinstall an Agent without preserving the existing
certificate and private key pair: the Agent then generates a new certificate and private key pair the next
time the Collector contacts it. See "First Contact" on page 63.
If an Agent needs to use a new Agent certificate and re-establish mutual authentication with a Collector,
reset the stored certificate and security level at the Collector. Select Administration, and click Certificates.
Select the action to re-establish mutual authentication.
Encryption Between Collector and Agent
The Agent certificate and private key pair also serve a function unrelated to the TLS handshake with the
Collector: the Agent uses the private key to decrypt any encrypted, sensitive data that the Collector sends
to it.
Although the Agent certificate is created and pinned for TLS authentication automatically when a Collector
first contacts an Agent, the encryption feature requires that you separately tell the Collector to trust the
Agent certificate. Until you do, the Collector does not use that certificate to encrypt data for the Agent. To
mark an Agent certificate as trusted for data encryption, on the Collector, select Administration, and click
Certificates. Select one or more certificates, and select the action to Change Trust Status.
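The three sections above ("First Contact", "Changes to Agent Certificates" and "Encryption Between Collector and Agent") describe one trust-on-first-use state machine at the Collector. The following model of it is an added illustration, not VCM code: certificates are stood in for by opaque byte strings identified by their SHA-256 fingerprint, the hostname `agent01.example.local` and all method names are assumed for the example, and the Agent's "certificate store" is simply a field on the object. It replays the scenarios the text describes, including the reinstall that loses the key pair and the reset that re-establishes mutual authentication.

```python
"""Model of the Collector's trust-on-first-use handling of Agent certificates.
Added example, not VCM code: a 'certificate' is an opaque byte string and the
Collector pins it by SHA-256 fingerprint, as a pinning store would."""
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def fingerprint(cert_der: bytes) -> str:
    """Hex SHA-256 fingerprint of a certificate (the value a pin store records)."""
    return hashlib.sha256(cert_der).hexdigest()


@dataclass
class Agent:
    """An Agent machine; cert_der is None when its certificate store is empty."""
    hostname: str
    cert_der: Optional[bytes] = None

    def certificate_for_handshake(self) -> bytes:
        # 'First Contact' rule: generate a pair only if none exists yet.
        if self.cert_der is None:
            # Stand-in for generating a self-signed certificate and private key.
            self.cert_der = b"CERT:" + self.hostname.encode() + b":" + os.urandom(16)
        return self.cert_der

    def reinstall_without_preserving_store(self) -> None:
        # Uninstall/reinstall that drops the store: next contact makes a new pair.
        self.cert_der = None


@dataclass
class PinnedEntry:
    fingerprint: str
    trusted_for_encryption: bool = False  # set only by 'Change Trust Status'


@dataclass
class Collector:
    pins: Dict[str, PinnedEntry] = field(default_factory=dict)

    def handshake(self, agent: Agent) -> bool:
        """Collector side of the TLS handshake; True if the connection is allowed."""
        fp = fingerprint(agent.certificate_for_handshake())
        entry = self.pins.get(agent.hostname)
        if entry is None:
            # First contact: pin whatever arrived, but do not trust it for encryption.
            self.pins[agent.hostname] = PinnedEntry(fp)
            return True
        # Every later contact must present exactly the pinned certificate.
        return entry.fingerprint == fp

    def change_trust_status(self, hostname: str, trusted: bool) -> None:
        """Administration > Certificates > Change Trust Status."""
        self.pins[hostname].trusted_for_encryption = trusted

    def reestablish_mutual_authentication(self, hostname: str) -> None:
        """Forget the pin and trust level so the next contact is a first contact."""
        self.pins.pop(hostname, None)

    def may_send_encrypted_data(self, hostname: str) -> bool:
        entry = self.pins.get(hostname)
        return entry is not None and entry.trusted_for_encryption


def walk_through() -> List[str]:
    """Replay the scenarios from the text and return the outcome of each step."""
    collector, agent = Collector(), Agent("agent01.example.local")  # assumed name
    log: List[str] = []

    def note(label: str, ok: bool, yes: str, no: str) -> None:
        log.append(f"{label}: {yes if ok else no}")

    note("first contact", collector.handshake(agent), "accepted", "rejected")
    note("encryption before trust", collector.may_send_encrypted_data(agent.hostname),
         "allowed", "refused")
    collector.change_trust_status(agent.hostname, True)
    note("encryption after trust", collector.may_send_encrypted_data(agent.hostname),
         "allowed", "refused")
    note("reconnect, same certificate", collector.handshake(agent), "accepted", "rejected")
    agent.reinstall_without_preserving_store()
    note("reconnect after reinstall", collector.handshake(agent), "accepted", "rejected")
    collector.reestablish_mutual_authentication(agent.hostname)
    note("reconnect after reset", collector.handshake(agent), "accepted", "rejected")
    # Trust for encryption does not survive the reset; it must be granted again.
    note("encryption after reset", collector.may_send_encrypted_data(agent.hostname),
         "allowed", "refused")
    return log


if __name__ == "__main__":
    for line in walk_through():
        print(line)
```

The step that matters operationally is "reconnect after reinstall: rejected": a reinstall that does not carry the certificate and private key across looks to the Collector exactly like an impersonation attempt, and the only recovery is the Collector-side reset, after which the encryption trust has to be granted a second time.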
Installing Certificates for the VCM Collector
You can generate certificates during VCM installation or create them and store them in the local certificate
store in advance. Either way, the VCM Installation Manager registers the certificates in VCM and
configures the Agents to trust these certificates.
Installing Certificates on the First Collector
VCM Installation Manager lets you generate certificates during installation or browse to your certificate
store to select existing certificates. If you plan to use your own certificates, place them in the following
stores on the Collector before starting the installation.
NOTE The certificates do not need to be separately available on the SQL Server system in a split
configuration.
Authentication
VMware, Inc.
63