6.5.1
Table Of Contents
- vSphere Availability
- Contents
- About vSphere Availability
- Business Continuity and Minimizing Downtime
- Creating and Using vSphere HA Clusters
- Providing Fault Tolerance for Virtual Machines
- vCenter High Availability
- Plan the vCenter HA Deployment
- Configure the Network
- Configure vCenter HA With the Basic Option
- Configure vCenter HA With the Advanced Option
- Manage the vCenter HA Configuration
- Set Up SNMP Traps
- Set Up Your Environment to Use Custom Certificates
- Manage vCenter HA SSH Keys
- Initiate a vCenter HA Failover
- Edit the vCenter HA Cluster Configuration
- Perform Backup and Restore Operations
- Remove a vCenter HA Configuration
- Reboot All vCenter HA Nodes
- Change the Appliance Environment
- Collecting Support Bundles for a vCenter HA Node
- Troubleshoot Your vCenter HA Environment
- Patching a vCenter High Availability Environment
- Using Microsoft Clustering Service for vCenter Server on Windows High Availability
- Index
vSphere HA Security
vSphere HA is enhanced by several security features.
Select firewall ports
opened
vSphere HA uses TCP and UDP port 8182 for agent-to-agent communication.
The rewall ports open and close automatically to ensure they are open only
when needed.
Configuration files
protected using file
system permissions
vSphere HA stores conguration information on the local storage or on
ramdisk if there is no local datastore. These les are protected using le
system permissions and they are accessible only to the root user. Hosts
without local storage are only supported if they are managed by Auto
Deploy.
Detailed logging
The location where vSphere HA places log les depends on the version of
host.
n
For ESXi 5.x hosts, vSphere HA writes to syslog only by default, so logs
are placed where syslog is congured to put them. The log le names for
vSphere HA are prepended with fdm, fault domain manager, which is a
service of vSphere HA.
n
For legacy ESXi 4.x hosts, vSphere HA writes to /var/log/vmware/fdm on
local disk, as well as syslog if it is congured.
n
For legacy ESX 4.x hosts, vSphere HA writes to /var/log/vmware/fdm.
Secure vSphere HA
logins
vSphere HA logs onto the vSphere HA agents using a user account, vpxuser,
created by vCenter Server. This account is the same account used by vCenter
Server to manage the host. vCenter Server creates a random password for
this account and changes the password periodically. The time period is set by
the vCenter Server VirtualCenter.VimPasswordExpirationInDays
seing. Users with administrative privileges on the root folder of the host can
log in to the agent.
Secure communication
All communication between vCenter Server and the vSphere HA agent is
done over SSL. Agent-to-agent communication also uses SSL except for
election messages, which occur over UDP. Election messages are veried
over SSL so that a rogue agent can prevent only the host on which the agent
is running from being elected as a master host. In this case, a conguration
issue for the cluster is issued so the user is aware of the problem.
Host SSL certificate
verification required
vSphere HA requires that each host have a veried SSL certicate. Each host
generates a self-signed certicate when it is booted for the rst time. This
certicate can then be regenerated or replaced with one issued by an
authority. If the certicate is replaced, vSphere HA needs to be recongured
on the host. If a host becomes disconnected from vCenter Server after its
certicate is updated and the ESXi or ESX Host agent is restarted, then
vSphere HA is automatically recongured when the host is reconnected to
vCenter Server. If the disconnection does not occur because vCenter Server
host SSL certicate verication is disabled at the time, verify the new
certicate and recongure vSphere HA on the host.
vSphere Availability
18 VMware, Inc.