VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION User Manual Page 1

Browse online or download the User Manual for VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION software. vCenter Configuration Manager Transport Layer Security User Manual

Contents

Page 1 - Implementation

vCenter Configuration Manager
Transport Layer Security Implementation
VMware VCM 5.3
WHITE PAPER

Page 2 - Table of Contents

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 10
The Collector Certificate
The Collector Certificate is issued by the Enterprise Certificate, and mu

Page 3

TECHNICAL WHITE PAPER / 11
  • Must be usable for client authentication
  • Must be issued by any Collector Certificate issued by the Enterprise Certificate,

Page 4 - Introduction to TLS

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 12
Creating and Installing Certificates for Collectors
Certificates can either be generated during VCM

Page 5 - Expiration and Revocation

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 13
Changing Certificates
Certificates always have an expiration date, after which they are no longer v

Page 6 - Certificate Storage

TECHNICAL WHITE PAPER / 14
After VCM installation, if you decide that you want to use different certificates than the ones that you either generated or

Page 7 - How VCM Uses Certificates

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 15
Delivering Initial Certificates to Agents
VCM Agents use Enterprise Certificates to validate Collec

Page 8

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 16
Installing the Agent from a Disk (Windows only)
The VCM installation image/DVD does not contain cus

Page 9

TECHNICAL WHITE PAPER / 17
UNIX/Linux or Mac OS X
Each UNIX/Linux or Mac OS X installation package is targeted for one or more supported platforms. To i

Page 10 - Agent Certificates

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 18
8. Select the certificate to be exported. Right-click, and then select All Tasks | Export.
9. The C

Page 11 - TLS Machine Security Level

TECHNICAL WHITE PAPER / 19
9. The File to Import dialog box appears. Select the file to import. Either format is acceptable: *.pfx or *.cer. The *.pem f

Page 12 - TLS Implementation for VCM

TECHNICAL WHITE PAPER / 2
Table of Contents
Introduction to TLS 4
Server Authentication 4
Mutual Authentication 4
Certificates and Public Key Infrastructur

Page 13 - Changing Certificates

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 20
Appendix A: Creating Certificates for TLS Using Makecert
VCM is designed to run in TLS mode with two

Page 14

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 21
1. Use the following command to create the CM Enterprise Certificate:
makecert -pe -n "<ent

Page 15 - Upgrades

TECHNICAL WHITE PAPER / 22
Example:
makecert -pe -n "CN=CM Collector Certificate BBBBBBBB-BBBB-BBBB-BBBB-BBBBBBBBBBBB" -sky exchange -sv "

Page 16 - UNIX/Linux or Mac OS X

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 23
Import the Certificates on the Collector Machines
Perform the following procedure on the new Collec

Page 17 - Certificate Transport

TECHNICAL WHITE PAPER / 24
-h 2 Max height of certificate chains. A value of 2 for the Enterprise allows it to sign a Collector certificate capable of s

Page 18

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 25
-pe Make the private key exportable.
-r Self sign the certificate.
-sk <collector_key_name> Nam

Page 19

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 26
Appendix B: Updating the Collector Certificate Thumbprint in the VCM Collector Database
1. Within MM

Page 20 - Makecert

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 27
Appendix C: Managing the VCM UNIX Agent Certificate Store
The VCM UNIX Agent certificate store is a

Page 21

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 28
CSI_ManageCertificateStore Options
[root@localhost tmp]# CSI_ManageCertificateStore -?
Usage: /opt/C

Page 22

TECHNICAL WHITE PAPER / 29
-u Update certificate in the certificate store
Common uses:
Insert a new certificate into the certificate store:
/opt/CMAgent/C

Page 23 - MakeCert Options

TECHNICAL WHITE PAPER / 3
Certificate Expiration 17
Certificate Transport 17
Exporting Certificates (Windows Only) 17
Importing Certificates (Windows Only

Page 24

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 30
/opt/CMAgent/CFC/3.0/bin/CSI_ManageCertificateStore -e -g fingerprint
Export existing certificates

Page 25

TECHNICAL WHITE PAPER / 31
Subject : O = CSI-SE, OU = VMware vCenter Configuration Manager, title = VCMCertificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F

Page 26

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 32
Subject : O =VMware, Inc., OU = VMware vCenter Configuration Manager, title = VCMCertificate 75290

Page 27 - Certificate Store

TECHNICAL WHITE PAPER / 33
Subject : O = QAT, OU = VMware vCenter Configuration Manager, title = VCMCertificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F, C

Page 28

VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com
Copyright © 2010 VMware, Inc. All rights rese

Page 29

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 4
Introduction to TLS
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL),

Page 30

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 5
Certificates and Public Key Infrastructure
A Public Key Infrastructure, or PKI, is a management syst

Page 31

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 6
Note VCM supports certificate expiration. However, it does not support revocation lists. Certificat

Page 32

TECHNICAL WHITE PAPER / 7
How VCM Uses Certificates
There are three types of certificates that enable HTTP collector-agent communications in VCM:
  • Enterp

Page 33

TLS Implementation for VCM
TECHNICAL WHITE PAPER / 8
Figure 2: Shared Collector-Agent Relationship
As the diagram above illustrates, an Agent may communi

Page 34

TECHNICAL WHITE PAPER / 9
Figure 3: Trust Chain in a Shared Collector-Agent Relationship
In addition, for Mutual Authentication in a shared Collector-Ag
