Enterprise Hybrid Cloud Security Management Solution

Enterprise Hybrid Cloud
Security Management
Version 4.1.2
February 2018
H16335.2
Solution Guide
Abstract
This solution guide provides information about the features and configuration options
available for securing system operations for a hybrid cloud. The guide explains why,
when, and how to use these security features.
Copyright © 2018 Dell Inc. or its subsidiaries. All rights reserved.
Published February 2018
Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED “AS-IS.“ DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH
RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN
APPLICABLE SOFTWARE LICENSE.
Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published
in the USA.
Dell EMC
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.DellEMC.com
CONTENTS
Chapter 1
Executive Summary
9
Solution overview........................................................................................10
Key benefits of Enterprise Hybrid Cloud..................................................... 10
Document purpose......................................................................................10
Audience......................................................................................................11
Essential reading..........................................................................................11
Terminology.................................................................................................11
We value your feedback.............................................................................. 12
Chapter 2
Public Key Infrastructure
13
Public key infrastructure overview.............................................................. 14
Enterprise PKI architecture.........................................................................14
Enterprise PKI solution integration..............................................................16
Active Directory—LDAP over SSL/TLS certificates...................... 16
VMware vCenter Platform Services Controller...............................17
Dell EMC Avamar........................................................................... 18
Chapter 3
Converged Authentication
19
Security and authentication........................................................................20
Active Directory Domain Services.................................................. 21
IWA and Microsoft SQL Server service accounts........................... 21
Active Directory integration........................................................................22
VMware vRealize Automation: Tenant identity stores....................22
VMware Platform Services Controller........................................................ 23
VMware vRealize Automation........................................................ 23
TACACS+ authentication integration..........................................................24
VMware Identity Manager.......................................................................... 24
Chapter 4
Centralized Log Management
25
Log management overview......................................................................... 26
VMware vRealize Log Insight remote syslog architecture...........................27
Centralized logging integration...................................................................29
Content packs for VMware vRealize Log Insight......................................... 31
Configuring alerts....................................................................................... 32
Chapter 5
Network Security
37
Network Security overview........................................................................ 38
Solution architecture.................................................................................. 38
Physical connectivity.....................................................................39
Logical network topology............................................................... 41
Overlay networks with VXLAN.......................................................43
Supporting infrastructure services................................................ 43
Network environment for data protection..................................... 43
Automation and provisioning..........................................................44
VMware NSX for vSphere.......................................................................... 44
NSX Distributed Logical Router..................................................... 44
NSX Distributed Firewall................................................................45
NSX Flow Monitoring.................................................................... 45
NSX Logical Load Balancer............................................................45
NSX Service Composer................................................................. 45
Security groups, policies, and tags................................................ 46
VMware NSX for vSphere extensibility with Palo Alto Networks firewalls........46
VMware NSX firewall policy creation..........................................................47
Multiple firewall rule criteria...........................................................47
Dynamic rules................................................................................ 47
N-tier application considerations................................................................ 48
Traditional three-tier architecture................................................. 48
Two-tier applications..................................................................... 49
Cross-vCenter NSX....................................................................................50
Universal network objects.............................................................. 51
Universal controller cluster.............................................................51
Universal firewall rules................................................................... 51
Universal security objects.............................................................. 51
Micro-segmentation use cases................................................................... 52
Use case 1: On-demand with security tags.................................... 52
Use case 2: N-tier virtual applications............................................54
Use case 3: Converged N-tier virtual applications......................... 56
Use case 4: App Isolation for component machines....................... 57
Chapter 6
Configuration Management
59
Configuration management overview......................................................... 60
VMware vCenter Server host profiles........................................................ 60
VMware vSphere Update Manager.............................................................63
Baselines....................................................................................... 64
Baseline groups............................................................................. 66
Audit compliance........................................................................... 67
VMware vRealize Configuration Manager...................................................68
Configuration compliance.............................................................. 68
Risk badge and compliance scores.................................................69
Operational compliance................................................................. 70
Use case 1: Configuring a custom compliance standard...............................71
Use case 2: Applying exceptions to compliance templates..........................73
Chapter 7
Multitenancy
75
Multitenancy overview............................................................................... 76
Secure separation.......................................................................................76
Network segmentation.................................................................. 76
Tenant and enterprise Edge routers...............................................77
Tenant authentication.................................................................... 77
Role-based access control..........................................................................78
vRealize Automation groups and roles........................................... 78
Entitlements.................................................................................. 80
Chapter 8
Data Security
81
Data security overview............................................................................... 82
CloudLink SecureVM.................................................................................. 82
Platform support........................................................................... 82
Policy-based management..........................................................................83
Defining authorized IP addresses for virtual machines................... 83
Changing the global policy for virtual machine start up..................83
Encrypting virtual machine volumes...............................................83
Decrypting virtual machine volumes.............................................. 84
Changing the volume encryption policy for a Windows virtual machine.......... 84
Integration with the service catalog........................................................... 84
Chapter 9
Certificate Update Procedures for EHC Components
85
Enterprise Hybrid Cloud certificate update overview .................................86
EHC Trusted PKI Hierarchy........................................................... 86
EHC SSL component trust dependency........................................ 88
Overview of certificate update procedures....................................88
Updating vCenter Platform Service Controller........................................... 92
Replacing PSC Machine SSL certificates...................................... 93
Replacing PSC Solution User SSL certificates...............................94
Updating VMware vCenter Server certificates........................................... 95
Replacing vCenter Server Machine SSL certificates..................... 96
Replacing vCenter Server Solution User SSL certificates.............. 97
Updating additional components after vCenter Server updates.....99
Updating Automation Pod Platform Services Controller............................ 101
Updating SRM certificates........................................................................ 101
Updating NSX certificates........................................................................ 104
Updating ViPR certificates........................................................................105
Updating the vRealize Automation Appliance............................................ 106
Updating vRealize Automation Web IaaS certificates................................108
Updating vRealize Automation Manager IaaS certificates..........................110
Updating the active vRealize Automation Application Services certificate........ 111
Updating vRealize Orchestrator certificates.............................................. 113
Updating vRealize Operations certificates................................................. 114
Updating vRealize Business certificates.....................................................114
Updating Log Insight certificates............................................................... 116
Updating Avamar certificates.................................................................... 116
Enabling encrypted server authentication..................................... 118
Updating the Avamar Proxy certificate......................................... 118
Updating RecoverPoint for Virtual Machines certificates.......................... 118
Updating CloudLink certificates................................................................ 120
Updating ESXi certificates........................................................................ 120
Updating the Data Protection Advisor (DPA) certificate...........................122
Updating VAMI appliance certificates....................................................... 124
Running EHC validation workflows............................................................126
Chapter 10
Password Management
129
Password management overview.............................................................. 130
Service accounts.......................................................................................130
Changing the RecoverPoint for Virtual Machines Shadow Copy user service account............ 137
Removing a shadow user.............................................................. 138
SQL Server service accounts.................................................................... 138
Changing the svc_iaas account and password............................. 138
Changing the svc_sqlsvr account password.................................140
Changing the svc_sqlvragent account password.......................... 141
Changing the svc_vcenter account password...............................141
Changing the svc_vum account password....................................142
Changing the svc_srm account password.................................... 143
Changing the svc_vro account password..................................... 143
Active Directory bind service accounts..................................................... 144
Changing the adbind_vra account password................................ 145
Changing the adbind_vro account password................................ 145
Changing the adbind_vrops account password............................ 146
Changing the adbind_vipr account password............................... 147
Changing the adbind_logi account password................................147
Changing the adbind_dpa account password............................... 148
Changing the adbind_sso account password................................148
Changing the adbind_rp4vm account password........................... 149
Enterprise Hybrid Cloud application accounts........................................... 149
Changing the app_vrb_vcenter account password...................... 150
Changing the app_nsx_vcenter account password...................... 150
Changing the app_logi_vcenter account password.......................151
Changing the app_vro_vcenter account password....................... 151
Changing the app_vrops_vcenter account password................... 152
Changing the app_vrops_vra account password.......................... 152
Changing the app_vipr_vcenter account password......................153
Changing the app_avamar_vcenter account password................ 153
Changing the app_avamar_soap account password..................... 154
Changing the app_nsx_sso account password............................. 154
Changing the app_vro_sso account password............................. 154
Changing the app_logi_vrops account password......................... 155
Changing the app_vro_vipr account password............................ 155
Changing the app_vra_nsx account password............................. 156
Changing the app_vra_vro account password............................. 156
Changing the app_vro_iaas account password.............................157
Changing the app_vipr_vplex account password..........................157
Changing the app_vipr_rpa account password.............................158
Changing the app_vro_dpa account password.............................158
Changing the app_vro_srm account password.............................159
Changing the app_vro_sql account password.............................. 159
Changing the app_vro_nsx account password............................. 160
Changing the app_vro_rest account password............................ 160
Changing the app_vro_rp4vm account password......................... 161
Changing the app_srm_vcenter account password...................... 161
Changing the app_vum_vcenter account password......................161
Changing the app_vrpa_vcenter account password.....................162
Enterprise Hybrid Cloud adapter accounts................................................ 162
Changing adp_vrops_vcenter account password......................... 162
Changing adp_vrops_vipr account password............................... 163
EHC interactive user accounts.................................................................. 164
Changing the ehc_sysadmin account password........................... 165
Changing the ehc_tenant_admin account password.................... 166
Enterprise Hybrid Cloud local accounts.....................................................166
Changing the dd4avamar/av0xddboost account password.......... 166
Changing the app_vipr_rp account password...............................167
Changing the app_srm_rp account password...............................167
Changing the app_vrb_vrops account password..........................168
Changing the configurationAdmin account password...................168
Changing the tenantAdmin account password............................. 169
Dell EMC ViPR physical resources............................................................ 169
Changing the Cisco MDS account password ............................... 169
Changing the Brocade account password.....................................170
Changing the Vblock compute system account password............ 170
Changing the storage provider account password........................170
Changing the VNX account password........................................... 171
Changing the EMC XtremIO account password............................ 171
Changing the EMC VPLEX account password...............................171
Changing the RecoverPoint password..........................................172
Chapter 11
References
173
Enterprise Hybrid Cloud documentation....................................................174
Enterprise Hybrid Cloud security documentation...................................... 174
Other documentation................................................................................ 177
VMware Knowledge Base ......................................................................... 178
Appendix A
Enterprise Hybrid Cloud Security Data
179
Security data............................................................................................ 180
CHAPTER 1
Executive Summary
This chapter presents the following topics:
• Solution overview............................................................................................... 10
• Key benefits of Enterprise Hybrid Cloud............................................................. 10
• Document purpose............................................................................................. 10
• Audience............................................................................................................. 11
• Essential reading................................................................................................. 11
• Terminology........................................................................................................ 11
• We value your feedback......................................................................................12
Solution overview
Many organizations are looking for ways to drive more business value, redefine their
business models, and build an enhanced customer experience in an increasingly digital
world. IT must deliver enterprise IT services and applications with greater speed and
agility, while reducing costs and minimizing risks.
A hybrid cloud helps organizations innovate rapidly while still delivering enterprise-grade performance, resiliency, and security. Enterprise Hybrid Cloud 4.1.2 delivers this
by combining the control, reliability, and confidence of a private cloud with the
simplicity, flexibility, and cost efficiency of public clouds to transform delivery of IT
services. Enterprise Hybrid Cloud delivers automated infrastructure services for
traditional enterprise applications across private and public clouds with greater speed,
scalability, and agility, while reducing costs and minimizing risks. Workflows and
application blueprints transform what was once manual into automated, on-demand
infrastructure provisioning, with management insights and cost transparency. A self-service catalog empowers business users to procure traditional enterprise applications
and IT services on demand, with service levels that align with workload and cost
objectives. Built-in security and data protection allow you to run your hybrid cloud
with confidence.
Enterprise Hybrid Cloud 4.1.2 is the foundation for infrastructure as a service (IaaS).
Enterprise Hybrid Cloud is designed to deliver IaaS to meet your specific business
needs with add-on options for data protection, virtual machine encryption,
applications, application-lifecycle automation for continuous delivery, ecosystem
extensions, and more. IT can start delivering value to the business two times faster
with Enterprise Hybrid Cloud when compared to building your own IaaS solution.
Key benefits of Enterprise Hybrid Cloud
The key benefits of Enterprise Hybrid Cloud are agility, simplicity, and security.
• Agility—Transform your IT organization through automated delivery of IaaS with
on-demand access to traditional enterprise applications and IT services.
• Simplicity—Pre-engineered, validated, and tested, Enterprise Hybrid Cloud is the
foundation for IaaS with add-on options to meet your specific business needs. It
integrates best-in-class technologies, professional services, and single-contact
support into an easy-to-consume engineered solution.
• Security—Enterprise Hybrid Cloud 4.1.2 ensures that applications and business
data are protected with options for virtual machine encryption, secure network
isolation, segmentation, and enhanced network security to minimize risk.
Document purpose
This solution guide provides information about the features and configuration options
that are available for securing system operations in an on-premises implementation of
Enterprise Hybrid Cloud 4.1.2. It explains why, when, and how to use these security
features.
This guide does not address public key infrastructure (PKI) policies, registration
authorities (RAs), validation authorities (VAs), or other components that are typically
used in the PKI. Design considerations for these components are outside the scope of
this solution guide.
Audience
This solution guide is intended for security architects, practitioners, and administrators
responsible for the overall configuration and operation of the solution. Readers should
be familiar with the VMware vRealize Suite, storage technologies, hybrid cloud
infrastructure, and general IT functions.
Essential reading
Read these documents for more information about various aspects of Enterprise
Hybrid Cloud.
• Enterprise Hybrid Cloud 4.1.2 Reference Architecture Guide
• Enterprise Hybrid Cloud 4.1.2 Concepts and Architecture Guide
• Enterprise Hybrid Cloud 4.1.2 Administration Guide
• Enterprise Hybrid Cloud 4.1.2 Infrastructure and Operations Management Guide
Terminology
Learn about the terminology used in this guide.
CA: Certificate Authority
CRL: Certificate Revocation List—Contains a list of serial numbers for revoked certificates
DFW: VMware NSX Distributed Firewall
DLR: VMware NSX Distributed Logical Router
ESR: VMware NSX Edge Services Router
IIS MMC: Internet Information Services Microsoft Management Console
LI: An abbreviation for vRealize Log Insight used in diagrams in this solution guide
PSC: An abbreviation for Platform Services Controller
SAN: Subject Alternative Name
SSL: Secure Sockets Layer
STS: Security Token Service—A VMware vCenter Single Sign-On (SSO) authentication interface
vRCM: An abbreviation for VMware vRealize Configuration Manager used in diagrams and code samples in this solution guide
vRO: An abbreviation for VMware vRealize Orchestrator used in diagrams and code samples in this solution guide
vRA: An abbreviation for VMware vRealize Automation used in diagrams and code samples in this solution guide
vRB: An abbreviation for vRealize Business used in diagrams and code samples in this solution guide
vR Ops: An abbreviation for VMware vRealize Operations Manager used in diagrams and code samples in this solution guide
vRealize Automation blueprint: A specification for a virtual, cloud, or physical machine that is published as a catalog item in the vRealize Automation service catalog
vRealize Automation business group: A set of users, often corresponding to a line of business, department, or other organizational unit (OU), that can be associated with a set of catalog services and infrastructure resources
vRealize Automation fabric group: A collection of virtualization compute resources and cloud endpoints that is managed by one or more vRealize Automation fabric administrators
vIDM: An abbreviation for VMware Identity Manager used in diagrams in this solution guide. vIDM is a service that extends on-premises directory infrastructure to provide a seamless SSO experience to web, mobile, SaaS, and legacy applications that may be consumed as a service or downloaded and installed on-premises. vIDM integrates with AirWatch Enterprise Mobility Management to enable seamless SSO to native mobile apps. vIDM is packaged with an enterprise app store, SAML identity provider (IDP), application usage analytics, conditional access policy engine, and more.
We value your feedback
Dell EMC and the authors of this document welcome your feedback on the solution
and the solution documentation.
Contact Solution Feedback with your comments.
Authors: Jon Dupre, Sarang Chalikwar, Robert Porter, Donna Renfro
CHAPTER 2
Public Key Infrastructure
This chapter provides an overview of integrating the Enterprise Hybrid Cloud platform
stack and supporting infrastructure into an enterprise PKI hierarchy and includes the
following topics:
• Public key infrastructure overview......................................................................14
• Enterprise PKI architecture................................................................................ 14
• Enterprise PKI solution integration..................................................................... 16
Public key infrastructure overview
The solution stack required to deliver hybrid cloud services must provide simple
centralized management to securely manage services and enforce policies. You can
integrate an Enterprise Hybrid Cloud platform stack with an enterprise public key
infrastructure (PKI) to ensure authenticity, strengthen authentication, and encrypt
administrative communications.
A significant challenge in securing any environment is ensuring the authenticity of the
interfaces to which users and administrators submit their credentials and the
confidentiality of the related network communications. Enterprise Hybrid Cloud uses
PKI integration to deploy trusted certificates that enable administrators to secure data
in transit, verify the authenticity of the endpoints they connect to, and protect against
man-in-the-middle attacks.
Always follow best practices when designing your organization's PKI and take
additional measures to safeguard the private keys used by the CAs. In a virtualized
environment, store the CA private keys in network-based hardware security modules
(HSMs), which keep the keys in tamper-resistant hardware and never release them to
the CA host. HSMs can also offload symmetric or asymmetric cryptographic processing
where performance is a requirement. Note that an HSM prevents extraction of the key,
not its misuse: a compromised CA host can still request signatures, so the CA servers
themselves must be hardened and their issuance activity audited.
Note
Enterprise Hybrid Cloud implements Transport Layer Security (TLS)-compatible
configurations and certificates. All references to Secure Sockets Layer (SSL) in this
solution guide imply TLS compatibility.
Enterprise PKI architecture
Integrating a PKI into a multitenant hybrid cloud environment establishes trust for all
the components that use or rely on X.509 v3 certificates.
By default, components are installed or factory-shipped with self-signed X.509 v3
certificates. These are untrusted because the identity of the issuer cannot be
verified: anyone can generate a self-signed certificate for any name. In such an
environment, an attacker could impersonate a device or application to perform
man-in-the-middle attacks or to harvest administrative credentials for subsequent use
in compromising other systems on the network. The impact of such an attack is
serious because of the privileges that are usually given to systems administrators to
fulfill their duties. Certain regulated industries and governments require the use of
trusted certificates only.
Integration with a trusted PKI addresses this problem by establishing a chain of trust
from the X.509 v3 certificate received from the issuing certification authority (CA)
and installed on the device or application, through any intermediate CAs, to the root
CA whose certificate the clients already trust. In addition, the PKI provides a means
to validate this trust by publishing Authority Information Access (AIA) locations,
from which clients retrieve missing CA certificates, and Certificate Revocation Lists
(CRLs).
The PKI used in the solution is based on the deployment of Microsoft Active Directory
Certificate Services. Part of hardening the Enterprise Hybrid Cloud infrastructure is to
replace the self-signed X.509 v3 certificates with certificates signed by a trusted CA.
Some organizations may choose to use an external CA for this.
The following figure shows an example in which we configured an internal CA using a
hierarchical structure with the root CA at the top level. The root CA can be either
offline or air-gapped. An air-gapped root CA is removed from the network entirely,
and its AIA and CRL updates are transferred manually. Subordinate CAs are tiered in
the Active Directory forest and issue the end-entity certificates.
This figure shows the hierarchical architecture of the PKI environment with the root
self-signed certificate, the issuing CA certificate, and the end-entity certificates. The
architecture also shows the trust relationship between the end-entity certificates and
the end user.
Figure 1 PKI hierarchy for Enterprise Hybrid Cloud platform
The end-entity certificate and the CA certificate contain CRL distribution points. Dell
EMC strongly recommends that the CRL distribution point be accessible from the
Enterprise Hybrid Cloud environment. Otherwise, the customer needs to import the
CRL manually, and must repeat this before each published CRL reaches its next-update
time, because an expired CRL can cause validation failures on components that
enforce revocation checking.
The subordinate CA usually issues the end-entity certificates. The end-entity
certificate subject should contain the fully qualified domain name (FQDN) as the
common name (CN). The same FQDN should also appear in the Subject Alternative
Name (SAN), optionally together with an IP address: most current TLS clients match
the requested name only against the SAN and ignore the CN, and an IP address is only
ever matched against an iPAddress SAN entry.
In production environments, systems are commonly managed and accessed using the
system IP address, hostname, or FQDN. When PKI is introduced, this behavior can
result in certificate validation errors that cause the integration to fail, because the
name the client requested is not among the names the certificate was issued for. To
resolve this problem, issue a certificate whose SAN lists every name and address by
which the system is reached. In distributed or highly available environments, load
balancers must be configured with multiple FQDNs and IP addresses, which likewise
requires the subjectAltName extension.
When designing a PKI, it is important to consider the security implications of enabling
the subjectAltName extension. Your security policy may require certain controls and
processes to be put in place that are beyond the scope of this solution guide. The
Microsoft TechNet Library topic How to Request a Certificate with a Custom Subject
Alternative Name describes security best practices for enabling subject alternative
names in certificates.
Note
For security reasons, avoid using wildcard certificates and sharing private keys on
different VMs.
Enterprise PKI solution integration
This section lists Enterprise Hybrid Cloud components that you should integrate into
your enterprise PKI hierarchy and describes some advanced security features that use
PKI for authentication.
The following solution components can be integrated into a PKI:
• VMware vRealize Log Insight
• VMware vRealize Orchestrator
• VMware vRealize Operations Manager
• VMware vRealize Automation (certificates)
• VMware vRealize Business for Cloud (certificates)
• VMware vSphere ESXi
• VMware vCenter Server
• VMware Platform Services Controller
• VMware Site Recovery Manager
• VMware NSX for vSphere
• Dell EMC Avamar™
• Dell EMC Data Protection Advisor™
• Dell EMC Data Domain™
• Dell EMC RecoverPoint™ for VMs
• Dell EMC Unisphere™
• Dell EMC ViPR™
• CloudLink SecureVM modular add-on for virtual machine encryption
Active Directory—LDAP over SSL/TLS certificates
You can significantly strengthen the security of authentication and authorization
communications by encrypting the entire Lightweight Directory Access Protocol
(LDAP) session with SSL/TLS, known as LDAP over SSL or LDAPS.
LDAP is the protocol by which many applications submit authentication or
authorization requests. LDAP introduces a significant security risk because usernames
and authorization requests are passed over the network unencrypted. This can quickly
lead to credentials becoming compromised.
By default, Active Directory is not configured to support LDAPS, so certain steps must
be taken to enable integration of Active Directory Domain Services (ADDS) with a
trusted PKI to enable LDAPS. For more information, see the Microsoft TechNet article
LDAP over SSL (LDAPS) Certificate.
The LDAPS certificate is issued by the subordinate CA and requested on each
participating domain controller using the Certificates snap-in in the Microsoft
Management Console (MMC). The certificate is installed in the domain controller
certificate store and is applied by ADDS to LDAP communications to secure
authentication and authorization requests through TLS encryption.
VMware vCenter Platform Services Controller
Learn about the services available from VMware vCenter Platform Services Controller
(PSC).
In addition to providing SSO, VMware Platform Services Controller (PSC) for vSphere
6.x includes the following platform services:
• Licensing Service
• Certificate Authority (VMCA)
• Certificate Store (VECS)
• Lookup Service for Component Registrations
Note
While designed to streamline certificate management in vSphere, VMCA does not yet
possess the feature-rich capabilities of an enterprise-grade PKI. Therefore, we
recommend that you integrate vCenter services directly with your enterprise PKI
using the "custom" mode, as defined in VMware Certificate Authority overview, and
using VMCA Root Certificates in a browser.
The PSC includes a Security Token Service (STS) that enables administrators or
applications to authenticate within a defined security domain or identity source such
as Active Directory or OpenLDAP. After successful authentication, the PSC SSO STS
exchanges the authentication credentials for a Security Assertion Markup Language
(SAML) 2.0 token. The client uses this token to interact with the various vSphere
platform applications.
During interaction between components, the client verifies the authenticity of the
certificate that is presented during the TLS handshake phase. The verification
protects against man-in-the-middle attacks.
Each PSC SSO-enabled component registers with SSO using the client end-entity
certificate and requires a unique certificate. vRealize Automation Application Services
and VMware vRealize Business for Cloud integrate with SSO through vRealize
Automation.
The subject Distinguished Name (DN) value is stored in the SSO database as the
primary key for each certificate, rather than the hash, thumbprint, or any other
attribute. This is important where multiple vCenter Server services are deployed in a
single virtual machine, as recommended by VMware. In this case, the Common Name
(CN) and other attributes might be identical, which can lead to the same subject DN
being used across services. To ensure that the new TLS certificate for each vCenter
service has a unique subject DN encoded within the certificate, specify an additional
attribute, such as a unique Organizational Unit (OU), for each certificate request.
Note
A unique OU ensures a unique subject DN; however, you can use other attributes too.
A unique OU is not mandatory because it is only one part of the subject DN. For more
information about the constituent components of a subject DN, see
Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List
(CRL) Profile.
Because of the changes in vSphere 6, the vCenter Certificate Automation Tool 5.5 is
no longer needed to address the complexities of PSC SSO PKI requirements. VMware
has simplified certificate management through the VMware Endpoint Certificate Store
(VECS). The VECS serves as a local (client-side) repository for certificates, private
keys, and other certificate information that can be stored in a keystore. VECS must be
used to store all vCenter certificates, keys, and related material. ESXi certificates are
stored locally on each host and not in VECS. See Manually reviewing certificates in
VMware Endpoint Certificate Store for vSphere 6.0 (2111411) for more information
about managing certificates in VECS.
Dell EMC Avamar
Avamar clients and Avamar servers use TLS certificates and PKI for authentication
and optional data-in-flight encryption. Avamar supports the X.509 v3 standard for
formatting digital certificates.
Certificate acceptance workflow
Avamar uses a specific workflow when a client validates a server certificate and when
a server validates a client certificate. Avamar obtains the peer's FQDN and compares
it to the CN field of the certificate. Avamar also checks for an IP address match in the
list of IP addresses in the SAN field of the certificate. If there is no match (including
wildcards), the certificate is rejected and the connection is terminated.
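The acceptance workflow above, combined with the subject rules from the Enterprise PKI architecture section (FQDN as the CN, IP addresses in the SAN), as an added Python example that is not Avamar code and not part of the original guide. It models only the name-matching decision: the certificate fields are passed in as plain values rather than parsed from X.509, SAN dNSName matching is included in addition to the CN comparison the text describes, and the hostnames and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class CertIdentity:
    """Identity fields of an end-entity certificate, supplied by the caller
    (parsing the X.509 structure is out of scope for this illustration)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)  # SAN dNSName entries
    san_ips: List[str] = field(default_factory=list)  # SAN iPAddress entries


def dns_name_matches(pattern: str, fqdn: str) -> bool:
    """Case-insensitive DNS name comparison. A wildcard is honoured only as the
    complete leftmost label: *.example.com matches a.example.com but neither
    a.b.example.com nor example.com. One wildcard key then covers every host in
    the domain, which is why the guide discourages wildcard certificates."""
    pattern = pattern.lower().rstrip(".")
    fqdn = fqdn.lower().rstrip(".")
    if pattern == fqdn:
        return True
    if pattern.startswith("*."):
        wanted = pattern.split(".")[1:]
        got = fqdn.split(".")
        return len(got) == len(wanted) + 1 and got[0] != "" and got[1:] == wanted
    return False


def ip_matches(san_ips: List[str], peer_ip: str) -> bool:
    """Compare addresses after normalisation, so 2001:db8::1 and
    2001:0db8:0:0:0:0:0:1 are treated as the same SAN entry."""
    try:
        target = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    for entry in san_ips:
        try:
            if ipaddress.ip_address(entry) == target:
                return True
        except ValueError:
            continue  # malformed SAN entry: ignore it rather than accept on it
    return False


def accept_certificate(cert: CertIdentity, peer_fqdn: Optional[str] = None,
                       peer_ip: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) following the workflow: the peer's FQDN is
    compared with the CN (and SAN dNSNames), the peer's IP address with the SAN
    iPAddress list; with no match the certificate is rejected."""
    if peer_fqdn:
        if dns_name_matches(cert.common_name, peer_fqdn):
            return True, "FQDN matches CN"
        if any(dns_name_matches(name, peer_fqdn) for name in cert.san_dns):
            return True, "FQDN matches SAN dNSName"
    if peer_ip and ip_matches(cert.san_ips, peer_ip):
        return True, "IP address matches SAN iPAddress"
    return False, "no CN/SAN match: certificate rejected, connection terminated"


if __name__ == "__main__":
    # Constructed example: a server certificate issued per the guide's rules.
    server = CertIdentity("avamar01.example.com",
                          san_dns=["avamar01.example.com"], san_ips=["10.1.1.50"])
    print(accept_certificate(server, peer_fqdn="avamar01.example.com"))
    print(accept_certificate(server, peer_ip="10.1.1.51"))
```

The second call in the usage block is rejected because the client connected to an address the certificate does not list; that is the validation error the SAN guidance in the PKI architecture section exists to prevent.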
One-way authentication
With one-way authentication, the Avamar client requests authentication from the
Avamar server, and the server sends the certificate to the client. The client then
validates the certificate using the certificate acceptance workflow. One-way
authentication is also called server-to-client authentication.
Two-way authentication
When two-way authentication, also referred to as mutual authentication, is enabled,
the Avamar server provides authentication to the Avamar client and the Avamar client
provides authentication to the Avamar server:
• The Avamar client requests authentication from the Avamar server, and the server
sends the certificate to the client. The client then validates the certificate, using
the certificate acceptance workflow.
• The Avamar server requests authentication from the Avamar client, and the client
sends the certificate to the server. The server then validates the certificate, using
the certificate acceptance workflow.
Usually, one-way authentication provides sufficient security. To provide an extra level
of security, set up two-way authentication. Both configurations support data-in-flight
encryption.
CHAPTER 3
Converged Authentication
The infrastructure solutions stack required to deliver hybrid cloud services must
provide an easy means of centralized management, so that the services can be
securely managed and policies enforced. You can achieve integration with a common
directory to support LDAPS, Kerberos, vIDM, and TACACS+ authentication services,
streamline administration and policy enforcement, and provide tighter control over
administrative and end-user authentication. This chapter presents the following
topics:
• Security and authentication............................................................................... 20
• Active Directory integration............................................................................... 22
• VMware Platform Services Controller................................................................ 23
• TACACS+ authentication integration................................................................. 24
• VMware Identity Manager..................................................................................24
Security and authentication
Significant challenges in securing any environment include managing different local
authentication mechanisms and differing account and password policies.
To address these challenges, Enterprise Hybrid Cloud uses Active Directory as a
centralized identity management system for VMware and Dell EMC components. The
solution also uses Kerberos, LDAPS, and Terminal Access Controller Access Control
System Plus (TACACS+) authentication protocols to integrate each solution
component with Active Directory and ensure that all authentication and authorization
communications are encrypted.
Active Directory provides a single point of control for account management and policy
enforcement. The following figure shows the hierarchy of authentication
communication paths used in Enterprise Hybrid Cloud.
Figure 2 Authentication relationships between the solution components
Active Directory Domain Services
Many of the systems and services that comprise an Enterprise Hybrid Cloud do not
natively integrate with Active Directory but do support LDAPS integration when
domain controllers are configured to enable such support. Active Directory exclusively
uses a server authentication certificate in the ADDS certificate store for LDAPS
connections.
Before you implement LDAPS, ensure that you consider the following important
details:
• Automatic certificate enrollment (auto-enrollment) cannot be used with
certificates in the ADDS personal certificate store
• Current command-line tools do not allow certificate management of the ADDS
personal certificate store
• Certificates must be imported into the store and not moved through the
certificates console
Installation of the server authentication certificate in the ADDS certificate store is only
required on a server that has multiple certificates for server authentication in the local
computer certificates store. If possible, the best solution is to have only one
certificate in the local computer personal certificate store.
IWA and Microsoft SQL Server service accounts
In a production environment, it is a security best practice to use service accounts to
track and control applications and to mitigate the impact of a potential systems
compromise.
The Integrated Windows Authentication (IWA) feature in Microsoft SQL Server
provides better security than SQL Server authentication by taking advantage of Active
Directory user security and account mechanisms. Enterprise Hybrid Cloud uses IWA
for the SQL Server databases and service accounts for vCenter Server, vRealize
Automation IaaS, and VMware vSphere Update Manager.
Integrated Windows Authentication
When an application connects through an Active Directory user account, SQL Server
validates the account name and password using the Active Directory principal token in
the operating system. This means that Active Directory confirms the user identity.
SQL Server does not request the password and does not perform the identity
validation.
Integrated Windows Authentication uses the Kerberos secure authentication protocol
and provides a centralized mechanism for account management, including password
policy enforcement, account lockout, and password expiration. Integrated Windows
Authentication offers additional password policies that are not available for SQL
Server logins.
Microsoft SQL Server service accounts
Microsoft recommends isolating each SQL Server service under a separate, low-rights
Active Directory or local user account. By using the principle of least privilege (POLP),
this reduces the risk that one compromised service could be used to compromise
other services.
During installation of SQL Server, you can configure the service account for each
service. You can later use SQL Server Configuration Manager to manage or replace
the accounts.
The hierarchy of accounts (from least privileged to most privileged) is:
1. Domain user (non-administrative)
2. Local user (non-administrative)
3. Network service account
4. Local system account
5. Local user (administrative)
6. Domain user (administrative)
Account types 1 and 2 are preferred because they best encompass the principle of
least privilege. Account type 3 is a shared account and any applications or services
running under this account would potentially have access to each other's data. Local
system is a built-in account with very high privileges; it has extensive privileges on the
local system and acts as the persona of the computer on the network. Account types
5 and 6 are less secure because they grant too many unneeded privileges. Enterprise
Hybrid Cloud uses domain user (non-administrative) accounts.
Active Directory integration
The solution components listed here can be directly integrated with Active Directory.
• VMware vRealize Log Insight
• VMware vRealize Operations Manager
• VMware vRealize Automation: Tenant identity stores
• VMware vSphere ESXi hypervisor
• Dell EMC VMAX™
• Dell EMC Unity™ Hybrid Flash Array
• Dell EMC VNX™
• Dell EMC ScaleIO™
• Dell EMC VPLEX™
• Avamar
• Data Protection Advisor
• ViPR
• CloudLink SecureVM modular add-on for virtual machine encryption
We used Active Directory groups mapped to corresponding roles in each of these
components. Membership of the Active Directory groups confers rights associated
with the roles to administrative and end users.
Note
VPLEX does not currently support the mapping of roles to either Active Directory or
LDAP directory-based groups.
VMware vRealize Automation: Tenant identity stores
Enable LDAPS for higher security.
Enterprise Hybrid Cloud uses an Active Directory identity store to enable tenant
integration with Active Directory. By default, authentication and authorization occur
over LDAP. To enable LDAPS, import the CA chain into the Java cacerts keystore on
the vRealize Automation virtual appliance. Use the ldaps:// protocol designator
when specifying the identity store's Active Directory URL.
Note
The protocol designator can be specified only when adding the identity store. To
change from using ldap:// to ldaps://, delete the identity store and re-create
it with the correct designator.
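The LDAPS points made in the Active Directory section (an unencrypted bind exposes credentials; the domain controller certificate comes from the enterprise PKI) and in the identity-store note above (the ldaps:// designator), worked through in an added Python example that is not part of the guide and not VMware or Microsoft code. It audits identity-store URLs for the designator and default port, and builds the client TLS context a consumer of LDAPS should use, next to the unverified configuration a reviewer should flag. Hostnames are constructed placeholders; `ldaps_peer_certificate` performs a live TLS handshake with the named domain controller, which the offline checks do not need.

```python
import socket
import ssl
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url: str) -> Tuple[str, int, bool]:
    """Return (hostname, port, is_ldaps) for an identity-store URL."""
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL: {url!r}")
    if not parts.hostname:
        raise ValueError(f"missing host in {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return parts.hostname, port, scheme == "ldaps"


def audit_identity_store_urls(urls: List[str]) -> Dict[str, str]:
    """Map each configured URL to a finding. A plain ldap:// URL means the bind
    crosses the network unencrypted, the exposure the guide warns about."""
    findings: Dict[str, str] = {}
    for url in urls:
        try:
            host, port, secure = parse_ldap_url(url)
        except ValueError as exc:
            findings[url] = f"invalid: {exc}"
            continue
        if secure:
            findings[url] = f"ok: LDAPS to {host}:{port}"
        else:
            findings[url] = (f"weak: plain LDAP to {host}:{port}; re-create the "
                             "identity store with an ldaps:// URL")
    return findings


def build_ldaps_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the domain controller certificate against the
    enterprise CA chain (cafile: the exported root/issuing CA bundle; the system
    trust store when None) and checks that the name matches the host."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def unverified_context() -> ssl.SSLContext:
    """The misconfiguration to look for: encryption without authentication, so any
    host answering on port 636 is trusted and an interposed server is not detected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before verify_mode can drop
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context both authenticates the peer and pins a modern TLS floor."""
    return (ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
            and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2)


def ldaps_peer_certificate(host: str, port: int = 636,
                           cafile: Optional[str] = None) -> dict:
    """Live check: complete a validated TLS handshake with a domain controller and
    return the certificate fields the ssl module parses (subject, SAN, issuer)."""
    ctx = build_ldaps_context(cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed URLs; dc01/dc02 are placeholders for real domain controllers.
    for url, finding in audit_identity_store_urls(
            ["ldaps://dc01.corp.example.com", "ldap://dc02.corp.example.com"]).items():
        print(f"{url}: {finding}")
    print("strict context:", context_is_strict(build_ldaps_context()))
```

The live check fails the handshake (rather than returning a certificate) when the domain controller presents a certificate that the supplied CA chain did not issue or whose name does not match, which is the behaviour to expect once the LDAPS certificate from the subordinate CA is in place.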
VMware Platform Services Controller
VMware Platform Services Controller (PSC) is an authentication broker and security
token exchange solution that interacts with the enterprise identity store (Active
Directory or OpenLDAP) on behalf of registered solutions to authenticate users.
• The VMware vCenter Server can be directly integrated with the PSC.
• The VMware NSX for vSphere can be indirectly integrated with Active Directory
through PSC SSO.
Dell EMC recommends using the PSC installed on Windows because it provides
greater visibility, ease of management, and the ability to use a single namespace
throughout the Enterprise Hybrid Cloud Automation Pod. The PSC also simplifies
deployments at scale, and a dedicated PSC providing SSO services in the Automation
Pod is mandatory for implementation of a disaster recovery architecture where a
multi-site PSC architecture is required.
VMware vRealize Automation
Learn about the differences between default tenant and non-default tenant.
Default tenant
The PSC provides SSO capability for vRealize Automation users. The native Active
Directory identity store type:
• Uses Kerberos to authenticate with Active Directory
• Does not require a search base DN, making it easier to find the correct Active
Directory store
• Can be used only with the default tenant
When you have configured the default tenant's identity store, you can add tenant
administrators and infrastructure administrators. We recommend using Active
Directory groups to assign these roles to vRealize Automation administrative users.
Tenant administrators are responsible for configuring tenant-specific branding, and for
managing identity stores, users, groups, entitlements, and shared blueprints within the
context of their tenant. IaaS administrators are responsible for configuring
infrastructure source endpoints in IaaS, appointing fabric administrators, and
monitoring IaaS logs.
Non-default tenant
vRealize Automation 7.1 allows the definition of multiple tenants, and each tenant
must be associated with at least one identity store. While identity stores can be
OpenLDAP or Active Directory, Enterprise Hybrid Cloud uses Active Directory.
Optionally, you can configure the domain alias with a value that allows users to log in
by using userid@domain-alias as a username instead of userid@identitystore-domain.
This value must be unique across all identity stores.
Tenant and infrastructure administrators must be configured for each tenant that is
configured in vRealize Automation. We used Active Directory groups to assign these
roles to hybrid cloud tenant administrative users.
TACACS+ authentication integration
TACACS+ provides an increased level of security through authentication,
authorization, and accounting services and is a publicly documented TCP/IP protocol.
TACACS+ encrypts credentials that are passed from the client device to the TACACS+
system and can be configured to use Active Directory as its authentication directory
to enable centralized authentication.
VMware Identity Manager
In vRealize Automation version 7, authentication is drastically simplified and improved
with the integration of VMware Identity Manager. VMware Identity Manager is no
longer a separate identity appliance in the deployment topology, so customers no
longer have to maintain, upgrade, or depend on a separate identity virtual appliance.
vRealize Automation and VMware Identity Manager use the same database instance,
which reduces deployment complexity and allows database scaling solutions to work
for both systems in lockstep.
VMware Identity Manager supports different authentication methods, such as
username/password, Kerberos, SAML authentication, smart card / certificate, RSA
SecurID, RADIUS, and so on.
CHAPTER 4
Centralized Log Management
VMware vRealize Log Insight provides administrators with a single point of visibility
into the environment and with alert notifications through email or vRealize Operations
Manager. Where an organization already has a Security Information and Event
Management (SIEM) system in place, Log Insight can act as an aggregator to forward
events to the SIEM, providing the security team with a single integration point for the
entire solution. This chapter presents the following topics:
• Log management overview................................................................................ 26
• VMware vRealize Log Insight remote syslog architecture.................................. 27
• Centralized logging integration.......................................................................... 29
• Content packs for VMware vRealize Log Insight.................................................31
• Configuring alerts...............................................................................................32
Log management overview
Many key solution resources continuously record operational and security-related
events to a local log. When a security incident occurs, log files can help you track
down the root cause. Without log file consolidation, investigating the root cause can
be laborious and time-consuming. Running a reliable and secure data center is a
continual process of planning, delivering, and operating. Without a consolidated view
of your infrastructure's system log data, your data center is incomplete and at risk.
The risks include:
• Lack of central and holistic visibility into security-related events
• Inability to easily correlate events that would indicate a security breach
• Log files are overwritten, causing you to lose log entries that are critical for
security, compliance, and troubleshooting
• Increased downtime for applications and servers, because more time is needed to
locate and search system log files when problems occur
• Security risks such as malicious attacks or unauthorized logins could be occurring
without your knowledge
• Loss of historical system logs, leaving you unprepared to report local
authentications or maintain compliance
Consolidated system logging is a critical data center feature that is commonly not
implemented because of its complexity. Many IT organizations rely solely on data
center monitoring tools which, while useful, mostly focus on raw metrics (such as
CPU utilization, memory consumption, and storage I/O) and completely ignore log files
and security events. When system log files are ignored, valuable security information
is overlooked.
Every component in Enterprise Hybrid Cloud, and every virtual machine, including
operating system and applications, generates numerous log messages per day.
Troubleshooting and finding root causes for issues in the environment is challenging
unless the logs can be aggregated and queried.
To address these challenges, Enterprise Hybrid Cloud uses VMware vRealize Log
Insight to deliver real-time log management and analysis, with machine learning-based
Intelligent Grouping and high-speed interactive search. vRealize Log Insight is a
powerful security tool that consolidates logs across the entire Enterprise Hybrid Cloud
and enables administrators to perform security auditing and compliance testing as well
as log querying, aggregation, correlation, and retention.
vRealize Log Insight is tightly integrated with vCenter Server and ESXi and includes
built-in knowledge and native support for vRealize Operations Manager. Alerts are
configured to notify security administrators by email or through the vRealize
Operations Manager dashboards.
The following figure shows how vRealize Log Insight integrates with the components
of Enterprise Hybrid Cloud for centralized logging.
Figure 3 Centralized logging of hybrid cloud components with vRealize Log Insight
Each component is configured to forward log messages to vRealize Log Insight using
remote syslog. vRealize Log Insight then enables you to search for security events
across all the consolidated data. For example, to search for logins across the
infrastructure, you can search across all the components that make up Enterprise
Hybrid Cloud, and view the results in a chart, as shown in the following figure. In
addition, you can create and save your own custom queries and custom security
dashboard.
Figure 4 Searching for security events with vRealize Log Insight
VMware vRealize Log Insight remote syslog architecture
For smaller instances of this platform, every device for which you want to collect
events is configured to send events directly to one or more vRealize Log Insight
instances, as shown in the following figure.
Figure 5 vRealize Log Insight client/server architecture
This client/server architecture is suited to environments that:
• Are greenfield, with no syslog operations to date
• Use automation or configuration management
• Have fewer than 750 devices sending remote syslog data
For larger instances of this platform, you can implement a distributed vRealize Log
Insight deployment, with a master node and up to five worker nodes deployed in a
cluster configuration, as shown in the following figure. With this configuration, if any
node goes down, the load balancer can redirect traffic to the remaining nodes.
Note
A worker node stores forwarded syslog events and processes queries against log data
it stores on behalf of the master node.
Figure 6 Master node-worker node relationship
For information on sizing vRealize Log Insight for this platform, see the Enterprise
Hybrid Cloud 4.1.2 Reference Architecture Guide.
Centralized logging integration
Many syslog implementations only support the User Datagram Protocol (UDP).
vRealize Log Insight can receive syslog-formatted events over the UDP, TCP, and TLS
protocols. In high volume environments, TCP provides a significant performance
improvement over UDP. TCP supports more events over fewer connections and,
because TCP is a lossless protocol, it minimizes message loss. TLS ensures that event
details are transmitted over the network in a confidential manner.
vRealize Log Insight consolidates and archives all log data in Enterprise Hybrid Cloud
and creates a historical record that enables:
• Storage of events in sufficient detail and with accuracy
• Retention of audit logs for a determined period consistent with the enterprise
security policy
• Identification of security incidents and policy violations as they occur
• Auditing and forensic analysis
• Establishment of baselines that can be used to detect future anomalous behavior
When data has been collected, you can use vRealize Log Insight to perform ad-hoc
searches across all the event data. The following figure shows an example of
successful logins by source query.
Figure 7 Example vRealize Log Insight dashboard for vCenter Server
You can save queries you perform often as Favorites and use them to create charts,
dashboard widgets, and alerts. In large environments with numerous log messages,
you can use runtime field extraction with vRealize Log Insight to instantly locate and
extract the most important data fields using regular expressions.
Configure the following components of the hybrid cloud management platform to
forward the application logs to vRealize Log Insight:
• ViPR
• VMAX
• VNX
• Avamar
• Data Protection Advisor
• VMware vSphere ESXi hosts
• VMware vRealize Automation
• VMware vRealize Application Services
• VMware vRealize Operations Manager
• VMware vRealize Configuration Manager
• VMware vRealize Business for Cloud
• VMware NSX for vSphere Manager
• VMware vRealize Orchestrator
• VMware vCenter Server
• VMware vRealize Log Insight
• All physical compute, fabric, and network devices
Content packs for VMware vRealize Log Insight
Analysis of forwarded events can be enhanced using pre-packaged VMware, Dell
EMC, partner, and community-provided content packs, which are available on the
VMware Solution Exchange.
Content packs are read-only plug-ins to vRealize Log Insight that provide predefined
knowledge about specific types of events, such as log messages. A content pack
provides knowledge about a specific set of events in a format that is easily understood
by security administrators, monitoring teams, and auditors. Each content pack is
delivered as a file, and can be imported through the vRealize Log Insight web UI.
The following content packs are available for components of Enterprise Hybrid Cloud:
• Avamar content pack
• VMAX content pack
• VNX content pack
• vRealize Automation 7.3 vRealize content pack for Log Insight
• vRealize Operations Manager content pack for vRealize Log Insight
• VMware vSphere content pack (bundled with vRealize Log Insight)
• Additional content packs for Microsoft Windows, Microsoft Active Directory, and
other partner solutions
The content packs for Avamar, VNX, and VMAX provide dashboards and user-defined
fields specifically for those products. They enable administrators to analyze problems
on their VNX and VMAX arrays or backup infrastructure. Many of these content packs
include dashboards with security-related charts and widgets that provide at-a-glance
visibility into security-related events.
Custom dashboards and widgets can be manually created for components for which
content packs do not exist. Each widget provided by a content pack can be cloned and
added to a personalized dashboard that contains only the views required by the user.
The following figure shows an example of a customized vRealize Log Insight
dashboard that presents Avamar backup failures, vCenter and Windows authentication
failures, and ESXi host firewall changes. This dashboard was created using widgets
cloned from the content packs installed for Enterprise Hybrid Cloud.
Figure 8 Custom vRealize Log Insight dashboard
The following figure shows another customized dashboard created from multiple
content packs.
Figure 9 Custom vRealize Log Insight security dashboard
Configuring alerts
Enterprise Hybrid Cloud uses vRealize Operations Manager to monitor the cloud
management platform, compute resources, and tenant workloads used in production.
vRealize Log Insight integration with vRealize Operations Manager enables you to
raise alerts for vRealize Log Insight queries and send notifications to Operations
Manager based on a configurable threshold, as shown in the following figure.
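The mechanics behind three things this chapter describes, runtime field extraction with regular expressions (Centralized logging integration), a "hostname equals" constraint of the kind launch-in-context applies, and a threshold-based alert, worked through in an added Python example that is not part of the guide and not vRealize Log Insight code. The syslog lines are constructed to resemble what an ESXi host's sshd would forward over remote syslog; the hostnames and addresses are placeholders, and the threshold stands in for the configurable value the alert carries.

```python
import re
from collections import Counter
from typing import Any, Dict, Iterable, List, Optional, Tuple

# Constructed sample events in BSD syslog framing (PRI, timestamp, host, app[pid]).
# Hosts and addresses are placeholders, not captured data.
SAMPLE_EVENTS = [
    "<86>Feb  1 10:00:01 esx01.corp.example.com sshd[2201]: Failed password for root from 192.0.2.10 port 40001 ssh2",
    "<86>Feb  1 10:00:04 esx01.corp.example.com sshd[2203]: Failed password for root from 192.0.2.10 port 40002 ssh2",
    "<86>Feb  1 10:00:09 esx01.corp.example.com sshd[2207]: Failed password for invalid user admin from 192.0.2.10 port 40003 ssh2",
    "<86>Feb  1 10:01:30 esx01.corp.example.com sshd[2250]: Accepted publickey for svc-backup from 10.1.1.20 port 51234 ssh2",
    "<86>Feb  1 10:02:11 esx02.corp.example.com sshd[1870]: Failed password for root from 198.51.100.7 port 44410 ssh2",
    "<86>Feb  1 10:02:40 esx02.corp.example.com sshd[1872]: Accepted password for root from 10.1.1.5 port 50222 ssh2",
    "<6>Feb  1 10:02:41 esx02.corp.example.com vmkernel: cpu2:2098)NetPort: 1580: disabled port 0x2000004",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<hostname>\S+) "
    r"(?P<app>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: "
    r"(?P<message>.*)$"
)

# Runtime field extraction: the outcome, user and source address are pulled out of
# the free-text message with a regular expression, the way an extracted field is.
LOGIN_RE = re.compile(
    r"^(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src_ip>[0-9A-Fa-f.:]+) port \d+"
)


def parse_syslog(line: str) -> Optional[Dict[str, Any]]:
    """Split a BSD-style syslog line into fields; PRI encodes facility*8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    event: Dict[str, Any] = m.groupdict()
    pri = int(event.pop("pri"))
    event["facility"] = pri // 8
    event["severity"] = pri % 8
    return event


def extract_login_fields(message: str) -> Optional[Dict[str, str]]:
    """Return the login fields, or None for messages that are not login events."""
    m = LOGIN_RE.match(message)
    return m.groupdict() if m else None


def login_events(lines: Iterable[str], hostname: Optional[str] = None) -> List[Dict[str, Any]]:
    """Login events across the forwarded logs, optionally constrained with
    'hostname equals <hostname>' as the launch-in-context filter does."""
    events = []
    for line in lines:
        event = parse_syslog(line)
        if event is None or (hostname and event["hostname"] != hostname):
            continue
        fields = extract_login_fields(event["message"])
        if fields:
            events.append({**event, **fields})
    return events


def failed_logins_by_source(lines: Iterable[str], hostname: Optional[str] = None) -> Counter:
    """Equivalent of a 'failed logins grouped by source' chart."""
    return Counter(e["src_ip"] for e in login_events(lines, hostname)
                   if e["outcome"] == "Failed")


def threshold_alerts(lines: Iterable[str], threshold: int,
                     hostname: Optional[str] = None) -> List[Tuple[str, int]]:
    """Sources whose failed-login count reaches the configured threshold: the
    condition an alert would forward to vRealize Operations Manager."""
    counts = failed_logins_by_source(lines, hostname)
    return sorted(((src, n) for src, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, n in threshold_alerts(SAMPLE_EVENTS, threshold=3):
        print(f"ALERT: {n} failed logins from {src}")
```

Non-login lines such as the vmkernel message are parsed but produce no extracted fields, so they never reach the counts; in Log Insight the same separation comes from the query constraint rather than from code.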
Figure 10 vRealize Log Insight alert configured to send a notification to vRealize Operations Manager
You can also configure predefined alerts to be installed when content packs are
imported to vRealize Log Insight. The following figure shows an example of a number
of security-related alerts imported by the Microsoft Active Directory content pack.
Figure 11 Examples of security alerts installed in vRealize Log Insight
In addition, the integration between vRealize Log Insight and vRealize Operations
Manager enables a Launch in context menu in the vRealize Operations Manager
dashboard. You can use this menu to launch a vRealize Log Insight interactive
analytics dashboard that displays events related to the selected vRealize Operations
Manager object.
The example in the following figure uses the integration between Log Insight and
vRealize Operations Manager: the Actions menu in vRealize Operations Manager
triggers a search of all relevant Log Insight information on the selected item.
Figure 12 Search logs for the cloud management platform directly from vRealize Operations Manager
The launch-in-context functionality filters the logs using the constraint hostname
equals each hostname, which displays only events that match the specified
criteria, as highlighted in the following figure.
Figure 13 vRealize Log Insight filtering logs for the management cluster components
For more information about vRealize Operations Manager and the role it plays in
Enterprise Hybrid Cloud, see the Enterprise Hybrid Cloud 4.1.2 Reference Architecture
Guide and the Enterprise Hybrid Cloud 4.1.2 Concepts and Architecture Guide.
CHAPTER 5
Network Security
Learn about the network architecture of Enterprise Hybrid Cloud, the design
considerations for the network environment, and recommended security best
practices. This chapter presents the following topics:
• Network Security overview
• Solution architecture
• VMware NSX for vSphere
• VMware NSX for vSphere extensibility with Palo Alto Networks firewalls
• VMware NSX firewall policy creation
• N-tier application considerations
• Cross-vCenter NSX
• Micro-segmentation use cases
Network Security overview
Use this chapter as a reference to begin the networking and security planning and
design process for your hybrid cloud and to set the stage for a successful
implementation.
This chapter discusses the security aspects of Enterprise Hybrid Cloud networking,
introduces VMware NSX for vSphere, and demonstrates the value of NSX network
and security integration in Enterprise Hybrid Cloud. Focusing on the network
infrastructure and deployment options, the chapter describes the key elements for
creating a secure service offering and the processes required to implement and secure
the network infrastructure. In addition, it includes common use cases for providing
connectivity and security to dynamically provisioned application workloads.
Solution architecture
Enterprise Hybrid Cloud requires an architecture that:
• Is resilient to failure
• Provides distributed deployment with high availability
• Provides optimal throughput for workloads
• Ensures multitenancy and secure separation
The following figure shows a logical representation of the hybrid cloud environment
and highlights the management, network, and tenant compute pods and clusters.
Figure 14 Enterprise Hybrid Cloud environment
Physical connectivity
When designing the physical architecture, our main considerations were high
availability, performance, and scalability.
As shown in the example network topology, each layer of the physical architecture is
fault-tolerant, with physically redundant connectivity throughout. The loss of any one
infrastructure component or link does not result in loss of service to the tenant; if the
architecture is scaled appropriately, the loss of a component or link does not affect
service performance.
The following figure also shows the connectivity between the physical storage,
network, and converged fabric components deployed in Enterprise Hybrid Cloud.
Figure 15 Physical topology of the network
Virtual link aggregation
The network design uses IEEE 802.1AX virtual link aggregation (vLAG) trunks to
provide seamless operation in the event of a hardware or link failure by enabling fault
tolerance and high-speed links between the distribution, access, and converged layers.
Note
Link aggregation (LAG) is variously known across vendors' implementations as virtual
port channels, split multi-link trunks, multi-chassis trunking, or multi-switch link
aggregation.
vLAG trunks bundle multiple physical Ethernet links between two or more devices into
a single logical link. If a physical link or switch fails, the traffic is automatically
redistributed over the remaining physical links. Because multiple physical links are
considered a single logical link in a vLAG trunk, physical link failures do not result in
loops. If the status of a member link changes, vLAG prevents a service-interrupting
spanning-tree recalculation and resulting convergence.
vLAG trunks also load balance traffic across all available links by using a load-balancing
algorithm to determine the physical port used. This provides an aggregate bandwidth
equal to the sum of the bandwidth across all the physical links.
Configuring vLAG
For vLAG trunks to function, cross-connect one or more physical links between the
distribution and access switches, and between the access and converged layer
switches, as shown in Figure 15 on page 40. vLAG trunks are dedicated to carrying the
virtual local area networks (VLANs) and corresponding data. Typically, you should
ensure that the 10 GbE ports used are in dedicated mode to avoid oversubscription
issues and potential packet loss.
Depending on the vendor, a separate link that is not a member of the vLAG trunk
might be required between each switch pair to synchronize state and prevent any
packet duplication. This control link can be a Layer 2 or Layer 3 link between the
switches. While the link typically does not carry regular network traffic, it is critical to
the fault-tolerant operation of the design. The control link does not have to be
configured as a LAG, but the LAG configuration provides fault tolerance. You can
optionally configure the control link to sit in its own virtual routing and forwarding
(VRF) table to enable reuse of the same control-link IP addresses on every pair of
devices.
Physical network connectivity to the compute layer is provided over a converged
network and Fibre Channel fabric to the fabric extenders on the compute blade
chassis. Each link is capable of 10 Gb/s, which enables four 10 GbE network interfaces
to be presented to each ESXi host.
Logical network topology
The logical network topology for Enterprise Hybrid Cloud is designed to address the
requirements of multitenancy and secure separation of the tenant resources. The
topology is also designed to align with security best practices from vendors such as
VMware that segment networks according to purpose or traffic type. For example,
configuring an isolated network segment for VMware vSphere vMotion traffic
between ESXi hosts helps prevent attacks in which the unencrypted transfer is
intercepted by an attacker and reconstructed to gain access to potentially sensitive
data.
The following figure shows the logical topology of the solution's physical and virtual
networks. We used VLANs to provide segmentation of the networks at Layer 2 in the
cloud management pod (Automation Pod), because that environment is likely to be
static and is an extension of existing management networks.
We configured the trunks on the physical network infrastructure to allow access by
only the VLANs and private VLANs (PVLANs) required for operations within the hybrid
cloud environment. This best practice helps to conserve valuable resources such as
Spanning Tree Protocol (STP) logical interfaces. Each switch supports a limited
number of STP logical interfaces, and this number can be depleted before the VLAN
limit is reached, especially in a multitenant environment. Therefore, pruning and
carrying only the necessary VLANs can be of critical importance.
Figure 16 Logical topology with clusters, pods, and functional networks
We created a cloud management vSphere Distributed Switch (vDS) spanning the
Automation Pod and Network Edge Infrastructure (NEI) Pod. We created a separate
resource vDS spanning the Workload Pods. By doing so, we created a logical and
physical boundary segmenting the management and tenant workload traffic flows and
enabling a more focused approach to performance and security monitoring. Both vDSs
were spanned to the NEI Pod to establish connectivity with the physical core.
Implementing a separate vDS for Workload Pods enables you to limit administrative
access to the cloud management vDS, which carries only a small number of networks
compared with the possibly thousands of dynamic tenant networks. This configuration
also makes it easier to establish a baseline for management traffic and identify flows
that fall outside expected characteristics. A number of port groups are defined within
the cloud management vDS to provide Edge connectivity for services such as backup
and Active Directory.
We configured the resource vDS with a single port group for Edge connectivity. The
remaining port groups on this vDS were created by NSX when the hosts were
prepared for network virtualization. The VMware Virtual Extensible LAN (VXLAN)
network segments (also called logical switches) were configured by the administrator
through the Network and Security view in the vSphere Web Client.
Overlay networks with VXLAN
VXLAN is an overlay technology for network virtualization that provides network
abstraction, elasticity, and scaling across the data center.
VXLAN provides an architecture for scaling your applications across clusters and pods
without any physical network reconfiguration. With VXLAN, physical switches do not
need to be reconfigured when a VXLAN network is created. Instead, VXLAN virtual
wires or networks can be deployed over a single transit VLAN or multiple transit
VLANs. The decoupling of virtual networks from physical networks provides great
flexibility and agility without affecting or requiring changes to the physical network.
This enables rapid and dynamic provisioning of new networks at a theoretical scale of
millions of VXLAN networks.
The fact that VXLAN overlays can be used to dynamically segment network traffic is
of importance to the security posture of enterprise workloads. The scalability
limitations of VLANs are no longer an impediment to segmenting mission-critical
applications and creating as many trust zones as necessary.
The VXLAN port groups all share the same VLAN. This is one of the key benefits of
implementing VXLAN. You can use one VLAN as the physical transport for VXLAN
overlay networks. This reduces the required configuration of the ESXi host and top of
rack (TOR) physical switches to a single VLAN and enables the virtual VXLAN
networks to scale to 6,500 (assuming static port groups) per vDS.
Supporting infrastructure services
To support infrastructure operations, Dell EMC recommends configuring networking
on each ESXi host throughout the environment to enable connectivity to the backup
and vMotion networks.
Configure a VMkernel interface for NFS and vMotion on each ESXi host and create a
port group for the Avamar proxy virtual machines on the cloud management vDS to
complete the network connectivity.
Network environment for data protection
The high levels of deduplication and compression provided by the Avamar system
contribute to minimal data being sent across the LAN. However, as a best practice
design for performance, availability, and security, use a dedicated network for the
backup infrastructure, separate from the production networks, within which the
Avamar server nodes and proxy virtual servers reside.
All Avamar proxy servers should be configured with an isolated PVLAN ID, with the
result that they can communicate only with the Avamar server nodes and not with any
other system on the backup network. The backup infrastructure resources are further
protected by the isolation of the backup network from other Layer 3 networks. By
separating production and backup data on the networks, an attacker who gains control
of a virtual machine cannot compromise additional systems by using the backup
network. Where communications must be allowed to enable the solution to function
correctly, a firewall mediates the access attempt and permits the connection if
authorized, for example, for management of the Avamar system by backup
administrators, and for control communications with Data Protection Advisor, vRealize
Automation, vRealize Operations Manager, and vCenter Server instances.
In Enterprise Hybrid Cloud, access between the production network and the backup
network is permitted only through a firewall policy that restricts access to the Avamar
management and control planes to authorized administrators and orchestration
processes.
Automation and provisioning
With improvements in server virtualization, network configuration has become a
chokepoint of the provisioning process when new applications are being deployed.
VXLAN overlay networks greatly simplify the configuration of physical networking
equipment, while increasing the scale and speed of deploying new networks and logical
switches.
A virtual application can be deployed in minutes. Planning, designing, and configuring
the network and security elements to support the application often can take days or
weeks. Using the automation capabilities of vRealize Automation, NSX can
significantly reduce the time required for the provisioning, update, and removal
processes. Multiple networks and a router, a firewall, and a load balancer can be
deployed dynamically with the virtual machine components of a blueprint. This
capability enables the delivery of an application stack and supporting services to
production users within minutes, including all the necessary network and security
services.
VMware NSX for vSphere
VMware NSX offers additional functionality and improved performance.
The additional functionality includes distributed logical routing, distributed virtual
firewalling, logical load balancing, and support for routing protocols such as Border
Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), and
Open Shortest Path First (OSPF). NSX also provides substantial performance
improvements in throughput, with logical routing and firewalling providing line-rate
performance distributed across many hosts instead of being limited to a single virtual
machine or physical host.
NSX Distributed Logical Router
The NSX Distributed Logical Router (DLR) performs all east-west workload traffic
routing at the hypervisor level.
DLR ensures that as long as the workloads are on the same host, even if they are on
different subnets, the traffic does not leave that host. If the workloads are on
separate hosts, the traffic takes the optimal path directly from one host to the other,
again without having to take a hairpin route through a virtual appliance or physical
router in the data center core. This offers optimal traffic flows and significant
performance gains.
NSX Distributed Firewall
The NSX Distributed Firewall (DFW), which is implemented as a hypervisor kernel
module, eliminates the need to route traffic through virtual or external physical
firewalls for inspection.
Traffic is analyzed by the hypervisor when it leaves the source virtual machine virtual
network interface card (vNIC) and before it enters the vNIC of the destination virtual
machine. It is this enforcement at the vNIC level that enables east-west virtual
machine separation. For more information, see N-tier application considerations.
Because NSX is integrated with vCenter Server, it can use the vCenter inventory and
filter on more than just source and destination IP addresses or ports. Rules can be
applied to virtual machines, security groups, clusters, and data centers. Security
groups can also have dynamic membership, which enables rules to be applied based on
virtual machine attributes such as guest operating system, virtual machine name, or
security tags. Because inspection is performed at the hypervisor level, traffic does not
have to be steered through and analyzed by another device or virtual machine on the
network.
NSX Flow Monitoring
NSX Flow Monitoring provides a detailed view of historical and real-time traffic flows.
These flows can be shown in aggregate, by service, or by virtual machine. The data
can be used for troubleshooting performance issues, firewall misconfigurations, or
rogue traffic on the network.
NSX Logical Load Balancer
The NSX Logical Load Balancer (LLB) enables load sharing across a pool of virtual
machines.
It provides intelligent application monitoring, so that if a virtual machine in the pool
stops responding, it is automatically taken out of the pool and no traffic is sent to it
until it becomes responsive again. The load balancer can either be deployed as a
service on an Edge appliance that acts as the network gateway, or in "one-arm" mode,
where it has a single interface on the network and is not the gateway. It can support
throughput of up to 9 Gb/s and 130 k connections per second. The load balancer can
also be deployed in High Availability (HA) mode.
NSX Service Composer
Inside NSX, the Service Composer is a built-in tool that defines a new model for
consuming network and security services; it enables you to provision and assign
firewall policies and security services to applications in real time in a cloud data center.
Security policies are assigned to groups of virtual machines, and the policy is
automatically applied to new virtual machines as they are added to the group.
NSX Service Composer integrates with third-party security services. These services
can identify virtual machines on the network that are infected with malware or with
known vulnerabilities and place them into a quarantine security group that restricts
the virtual machines until the issue is resolved.
Security groups, policies, and tags
Security groups
A security group is a collection of assets or grouping objects from the vSphere
inventory. The grouping feature enables you to create custom containers to which you
can assign resources such as virtual machines and network adapters for distributed
firewall protection. After a group is defined, you can add the group as source or
destination to a firewall rule for protection.
The dynamic mapping capability of security groups allows you to define the criteria
that an object must meet for it to be added to a security group you are creating. This
enables you to include virtual machines in a security group by defining a filter criterion
that can be selected from a range of attributes. For example, you might include a
criterion to add all virtual machines that run a specific operating system such as
Microsoft Windows 2003.
Security policies
A security policy is a set of endpoint, firewall, and network introspection services that
can be applied to a security group. During vRealize Automation data collection, the
security policies that have been defined in NSX appear in the Security tab. From
there, the tenant administrator or business group manager can assign security policies
to selected component machines. For example, you could apply a web security policy
to a web component.
Security tags
Security tags are additional, customizable criteria that you can use to create security
policies. Tags can be manually created and assigned to virtual machines, or they can
be added to virtual machines dynamically. Certain third-party software programs that
integrate with NSX can also consume and update these tags. For example, an antivirus application could label a virtual machine with the tag
ANTI_VIRUS.VirusFound.threat=high. This tag could then be included in a
firewall rule that automatically blocks all traffic to or from the tagged virtual machine.
VMware NSX for vSphere extensibility with Palo Alto Networks firewalls
Because NSX for vSphere is a networking option with Enterprise Hybrid Cloud, you
can use the integration developed by VMware and Palo Alto Networks to expand your
cloud capabilities. Integrating VMware NSX and Palo Alto Networks VM-Series
firewalls with Enterprise Hybrid Cloud extends the protections offered by NSX for
vSphere to your physical data center.
With the integrated VMware and Palo Alto Networks solution, you can access an
advanced security feature set that:
• Protects north-south and east-west traffic and offers software-defined
  networking with VMware NSX and the Palo Alto Networks VM-Series
• Maintains dynamic context-based policies across:
  - NSX security groups
  - Palo Alto Networks dynamic address groups
• Addresses simplified security and compliance mandates with protection against
  known and unknown threats including exploits, viruses, spyware, malware, and
  advanced persistent threats (APTs) as follows:
  - Reduces attack surface with application whitelisting
  - Blocks known threats using an integrated Intrusion Prevention System (IPS)
  - Blocks unknown threats by using Palo Alto Networks Wildfire
• Centralizes management and automation:
  - Common firewall management with Palo Alto Networks Panorama
  - Automated deployment with NSX and Panorama
For information on how to integrate the VM-Series from Palo Alto Networks with NSX
for vSphere, see the Next Generation Security with VMware NSX and Palo Alto Networks
VM-Series technical white paper on the VMware.com website.
VMware NSX firewall policy creation
Multiple firewall rule criteria
The traditional model of firewall rule creation is based on network traffic sources and
destinations defined using the IP addresses of relevant hosts (and virtual machines),
groups of IP addresses, or the subnets containing groups of IP addresses. This model
can require a significant amount of preparation and administration when IP addresses
change.
NSX goes beyond this model by providing multiple additional options for defining
firewall rule sources and destinations. Because NSX can understand virtual machine
attributes, you can create rules based on criteria such as virtual machine names,
virtual machine operating systems, and descriptive tags. These non-IP based rules
simplify the creation, organization, and maintenance of rules. They also enable a
simpler, smaller set of security rules.
Here are some examples of rules you can create with NSX:
• The source of the network traffic is defined as all virtual machines where the guest
  OS is Windows, and the destination is a local patching/update server
• Virtual machines whose name contains the term application-server can be reached
  only from virtual machines whose name contains the term web-server
• Criteria are combined using the AND or OR condition. For example, the guest OS
  must be Windows AND the virtual machine name must contain the term
  application-server
This method of rule creation directly supports the micro-segmentation model
described in N-tier application considerations on page 48.
Dynamic rules
The NSX model of rule creation is inherently dynamic, supporting the rapid elasticity
that is a main benefit of embracing the hybrid cloud.
As virtual machines that match the rule criteria are added, they automatically inherit
the correct security policies. When virtual machines are removed, you do not need to
edit the security policy.
With the first rule example described in Multiple firewall rule criteria on page 47, any
virtual machines created where Windows is the guest OS automatically match the rule
and can reach the patch server; no update of the policy is required to enable that
network communication. With the second example, the groups of web server and
application server virtual machines can be dynamically scaled up and down as capacity
needs dictate, and the correct network communications are inherited automatically.
With NSX, any virtual machine can also be manually included or excluded with a rule
that also has defined virtual machine criteria.
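The following Python is an added illustration, not code from this guide or from VMware, of the rule semantics described in this section and in Security groups, policies, and tags: security groups with dynamic membership keyed on guest OS, virtual machine name and security tag, AND/OR criteria, first-match evaluation with a default block, and the quarantine effect of the ANTI_VIRUS.VirusFound.threat=high tag. The virtual machine names, the patch-server and application ports, and the inventory are constructed for the example.

```python
"""Toy model of the NSX Distributed Firewall behaviour this chapter describes:
security groups with dynamic membership (guest OS, VM name, security tag),
AND/OR criteria, an ordered rule table with a default block, and a quarantine
rule keyed on a security tag. Constructed example; nothing here calls NSX."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

QUARANTINE_TAG = "ANTI_VIRUS.VirusFound.threat=high"  # tag quoted in the chapter

@dataclass
class VM:
    name: str
    guest_os: str
    tags: Set[str] = field(default_factory=set)

# A security group is a criterion evaluated against each VM at lookup time,
# so membership follows the inventory without any rule edits.
Criterion = Callable[[VM], bool]

def os_is(prefix: str) -> Criterion:
    return lambda vm: vm.guest_os.lower().startswith(prefix.lower())

def name_contains(term: str) -> Criterion:
    return lambda vm: term in vm.name

def has_tag(tag: str) -> Criterion:
    return lambda vm: tag in vm.tags

def all_of(*crits: Criterion) -> Criterion:  # AND
    return lambda vm: all(c(vm) for c in crits)

def any_of(*crits: Criterion) -> Criterion:  # OR
    return lambda vm: any(c(vm) for c in crits)

def any_vm() -> Criterion:
    return lambda vm: True

@dataclass
class Rule:
    name: str
    source: Criterion
    destination: Criterion
    service: str  # "tcp/<port>" or "any"
    action: str   # "allow" or "block"

def evaluate(rules: List[Rule], src: VM, dst: VM, service: str) -> str:
    """Ordered table: the first rule matching source, destination and
    service decides; traffic matching no rule is blocked (default deny)."""
    for rule in rules:
        if rule.source(src) and rule.destination(dst) and rule.service in ("any", service):
            return rule.action
    return "block"

def group_members(inventory: List[VM], criterion: Criterion) -> List[str]:
    return sorted(vm.name for vm in inventory if criterion(vm))

def build_policy() -> List[Rule]:
    """The chapter's example rules, with a tag-based quarantine rule placed first."""
    infected = has_tag(QUARANTINE_TAG)
    return [
        Rule("quarantine-out", infected, any_vm(), "any", "block"),
        Rule("quarantine-in", any_vm(), infected, "any", "block"),
        # Windows guests may reach the patch server (service port is constructed).
        Rule("windows-to-patch", os_is("Windows"), name_contains("patch-server"),
             "tcp/443", "allow"),
        # application-server VMs are reachable only from web-server VMs.
        Rule("web-to-app", name_contains("web-server"),
             name_contains("application-server"), "tcp/8080", "allow"),
    ]

def demo() -> Dict[str, object]:
    """Walk through the scenarios in the text; returns results for checking."""
    patch = VM("patch-server-01", "Windows Server 2016")
    web1 = VM("web-server-01", "Windows Server 2016")
    app1 = VM("application-server-01", "Windows Server 2016")
    linux = VM("util-box-01", "Ubuntu Linux")
    inventory, rules, out = [patch, web1, app1, linux], build_policy(), {}
    out["web_to_app"] = evaluate(rules, web1, app1, "tcp/8080")
    out["linux_to_app"] = evaluate(rules, linux, app1, "tcp/8080")
    out["web_to_app_ssh"] = evaluate(rules, web1, app1, "tcp/22")
    out["app_to_patch"] = evaluate(rules, app1, patch, "tcp/443")
    out["linux_to_patch"] = evaluate(rules, linux, patch, "tcp/443")
    # Dynamic rules: a new web server inherits the policy with no rule edit.
    web2 = VM("web-server-02", "Windows Server 2016")
    inventory.append(web2)
    out["new_web_to_app"] = evaluate(rules, web2, app1, "tcp/8080")
    out["win_app_group"] = group_members(
        inventory, all_of(os_is("Windows"), name_contains("application-server")))
    # A scanner tags web-server-02; the quarantine rules now win over web-to-app.
    web2.tags.add(QUARANTINE_TAG)
    out["quarantined_web_to_app"] = evaluate(rules, web2, app1, "tcp/8080")
    out["app_to_quarantined"] = evaluate(rules, app1, web2, "tcp/8080")
    return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```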
N-tier application considerations
Traditional three-tier architecture
N-tier architecture is a technique used by software developers to split components of
an application to allow greater flexibility and modularity. A three-tier architecture
typically consists of a presentation layer, a logic layer, and a storage layer. This
architecture is commonly used for web applications, with web servers in the
presentation layer, application and middleware components in the logic layer, and
databases in the storage layer.
Security practitioners have adopted the three-tier model for best practices, because it
fits well with the principle of least privilege. Granular security controls can be applied
to allow only the minimum required network traffic through to each tier. For the web
application example, best practices allow end-user traffic to reach the web servers
only, using only required services such as HTTP/HTTPS. Network traffic to the
application servers is similarly restricted to traffic from the web servers on specific
ports. Traffic to the database servers is allowed only from the application servers to
the ports used by the database servers. In a typical physical data center, these
restrictions are achieved through Layer 3 separation of the tiers. This requires a
different subnet for each tier and firewalls between the tiers that allow only the
required traffic through, as shown in the following figure.
Figure 17 Traditional three-tier security architecture
The three-tier model is easily configured with NSX. However, because NSX firewall
rules are enforced at the vNICs of each virtual machine, NSX provides increased
flexibility for segmenting virtual machines. With NSX, web servers, application
servers, and database servers can sit next to each other within a flat Layer 2 subnet,
yet still have granular rules segmenting them from each other. This model can simplify
the network organization of applications by, for example, providing a single class C
subnet for each application.
Another benefit of this NSX model is the ability to achieve full application
containerization. In the physical world, often all web servers in a demilitarized zone
(DMZ) can see and talk to each other, even if they are not part of the same
application. This is also true of application servers in a protected zone, and of
database servers, which are often placed into an internal core network for licensing
reasons (exposing the rest of the internal core network if a database server is
compromised from the outside). With NSX, all tiers of an application can be fully
containerized to ensure that if an application is compromised by an attacker at any
tier, the attacker cannot pivot beyond the application to attack other applications or
hosts within the same network zone.
Two-tier applications
While the three-tier application model is prevalent, some applications are designed to
be split into only two tiers. These applications generally combine the presentation and
logic layers, while keeping the database tier separate. This model is becoming more
common in applications developed using frameworks such as Ruby on Rails and certain
Python frameworks. In other cases, a web server might only be used for specific
capabilities, such as SSO, because using a separate server or virtual machine would be
wasteful.
Frequently, an enterprise security team forces an application into a three-tier
architecture, often artificially creating a public-facing tier in a DMZ with a reverse
proxy for web applications. This implementation can become a source of contention
between the security team, who is trying to ensure the best possible protection of the
data, and the development team, who is trying to deliver an application as
inexpensively and efficiently as possible. Many two-tiered applications do not easily
lend themselves to being forced to a three-tiered implementation. Inflating an
application to three tiers, and using the web tier as a proxy for all traffic through to an
application tier, does not offer significantly better security. However, applying extra
controls in the web proxy tier can help improve security further, for example, installing
the ModSecurity application on top of Apache for additional web traffic inspection.
In a physical data center where multiple applications are present across network tiers,
and databases might be contained in an internal or private zone, the extra protection
provided by a three-tier architecture is justified. In the cloud, however, the ability of
NSX to containerize applications and limit potential exposure in the event of a
compromised application reduces the need to artificially inflate two-tier applications to
three tiers. While certain applications with sensitive data might still require the extra
protection of the three-tier model, NSX enables many applications to be run in two
tiers as originally designed, without many of the risks associated with bridging network
zones. Often the operational issues introduced by the increased complexity of the
three-tier model far outweigh the enhanced security posture.
The following figure shows an example of a two-tiered security architecture applied to
a virtual application.
Figure 18 Two-tiered application secured with micro-segmentation
Cross-vCenter NSX
Enterprise Hybrid Cloud permits the use of cross-vCenter NSX and universal objects
in all Site Recovery Manager-based disaster recovery protection services.
This feature allows multiple NSX managers to be joined in a primary/secondary
relationship, as described in the Enterprise Hybrid Cloud 4.1.4 Concepts and Architecture
Guide.
These cross-vCenter network and security components are referred to as "universal"
and can only be managed on the primary manager. Non-universal network and security
objects are referred to as standard or local objects and must be managed from their
associated NSX manager. Replication of universal objects takes place from the
primary NSX managers to the secondary managers so that each manager has the
configuration details for all universal objects. This allows a secondary NSX manager to
be promoted if the primary NSX manager fails.
The universal distributed logical router (UDLR) and the universal logical switch (ULS)
are used to span networks and east-west routing across vCenters. There is a single
primary NSX manager and a single universal controller cluster in a federated NSX
environment, so the placement and protection of these components must be
considered carefully. The primary NSX manager will be connected to one of the cloud
vCenters in Enterprise Hybrid Cloud. The universal controller cluster can only be
deployed to clusters that are part of that cloud vCenter. When considering the
placement of the primary NSX manager and the universal controller cluster, if
Enterprise Hybrid Cloud uses VPLEX to support continuous availability single site
protection, ensure that the primary NSX manager and the universal controller cluster
are VPLEX protected.
When cross-vCenter NSX is used within an Enterprise Hybrid Cloud environment,
vRealize Automation has some limitations when deploying and managing workloads in
Enterprise Hybrid Cloud. These limitations are noted in the following section.
Universal network objects
The UDLR and the ULS span networks and east-west routing across vCenters. UDLRs
offer centralized administration and a routing configuration that can be customized at
the universal logical router, cluster, or host level. ULSs allow Layer 2 networks to span
multiple sites.
When you create a universal logical router, choose whether to enable local egress, as
this cannot be changed after creation. Local egress allows you to control what routes
are provided to ESXi hosts based on an identifier, the locale ID.
Note
When you create a logical switch in a universal transport zone, you create a universal
logical switch. This switch is available on all clusters in the universal transport zone.
The universal transport zone can include clusters in any vCenter in the cross-vCenter
NSX environment.
Universal controller cluster
Each cross-vCenter NSX environment has one universal controller cluster associated
with the primary NSX Manager. Secondary NSX Managers do not have a controller
cluster.
Universal firewall rules
The distributed firewall in a cross-vCenter NSX environment allows centralized
management of rules that apply to all vCenter Servers in your environment.
From the primary NSX Manager, you can create a distributed firewall rule section that
is marked for universal synchronization. You can create one universal Layer 2 rule
section and one universal Layer 3 rule section. These sections and their rules are
synchronized to all secondary NSX Managers. Rules in other sections remain local to
the NSX Manager.
Universal security objects
Universal network and security objects can be created only from the primary NSX
Manager.
Universal security groups can contain only universal IP sets, universal MAC sets, and
universal security groups. Membership is defined by included objects only. You cannot
use dynamic membership or excluded objects.
Universal security groups cannot be created from Service Composer. Security groups
created from Service Composer are local to that NSX Manager.
Note
Because of these limitations and the version of vRealize Automation used in this
version of Enterprise Hybrid Cloud, use of universal security objects is not supported.
Micro-segmentation use cases
Micro-segmentation is a security technology that breaks the data center into logical
elements and manages them with high-level security policies. This section describes
sample use cases for enabling micro-segmentation.
The three-tier application use cases show both traditional and converged N-tier
architectures, with micro-segmentation implemented to enhance the security posture.
NSX and vRealize Automation enable flexible creation and deployment of workload
resources, while providing richer functionality and improved performance over
traditional solutions.
Use case 1: On-demand with security tags
In a cloud environment, application workloads are provisioned, moved, and repurposed
on demand.
With NSX Service Composer (available only in NSX for vSphere), security can be
easily organized by dissociating the assets you want to protect from the policies that
define how you want to protect them. NSX security groups define which assets to
protect; NSX security policies define how the assets are protected. You map a
security policy to a security group to apply the security policy criteria to members of
the security group.
The following figure shows the relationship between a security group and a security
policy.
Figure 19 Security group-security policy relationship
This use case shows how to use NSX security tags to configure dynamic membership
for a security group and define IF/THEN workflows across security services. By
defining a security tag and mapping it to a security group, any virtual machines with
that tag are immediately and automatically added to the security group.
For example, IF a user selects a Finance application, THEN the application virtual
machines are automatically added to the Finance security group, in real time. The
workflow for implementing this example is as follows:
1. The security administrator predefines a security group (Finance) and a security
policy (Finance Policy) with dynamic membership based on a security tag
(Finance), as shown in the following figure.
Figure 20 Security Admin persona defines the Finance Policy
2. The cloud administrator creates a multimachine blueprint and sets the Finance tag
for one of the component blueprints (Finance App), as shown in the following
figure. The cloud administrator needs no knowledge of security groups or security
policies.
Figure 21 Cloud Admin persona configures the Finance tag on the blueprint
3. In the service catalog, an end user requests the Finance App application, as shown
in the following figure. The application is attached to the multimachine template.
Figure 22 Cloud consumer requests the protected Finance App
4. The application virtual machines are deployed. The virtual machine based on the
Finance App blueprint is dynamically assigned to the Finance security group, as
shown in the following figure. As a member of the Finance security group, the
virtual machine automatically inherits the security policies that are mapped to that
security group.
Figure 23 Security tag relationship with security groups
Use case 2: N-tier virtual applications
A three-tier application can be used to show the network and security provisioning
capabilities of NSX when integrated with vRealize Automation.
The web tier, serving web pages to users, is external-facing and load-balanced. Each
web server communicates with the application server, and the application server in
turn writes to and retrieves data from the database server.
The virtual machines are assigned to their respective security groups by the vRealize
Automation blueprint. The security groups are associated with security policies
(firewall rules) that are enforced by the NSX DFWs. The deployed virtual machines in
each tier inherit their specific security policy based on their security group
membership. This ensures that applications are protected from the moment of
deployment.
The following figure shows an example of a three-tiered application implemented with
micro-segmentation.
Figure 24 Three-tiered application implemented with micro-segmentation
NSX security groups and security policies
In this example, we used Service Composer to create three security groups, one for
each application tier: Web Servers, Application Servers, and Database Servers.
We created the following security policies (firewall rules) for the security groups:
• The web-tier policy allows external connectivity on ports 80 and 443 to virtual
machines in the Web Servers security group.
• The application-tier policy allows connectivity from the virtual machines in the
Web Servers security group to the virtual machines in the Application Servers
security group.
• The database-tier policy allows connectivity from the virtual machines in the
Application Servers security group to the database virtual machines in the
Database Servers security group.
We applied the security policies to their respective security groups. For example, we
applied the Web Server Security Policy to the Web Servers security group, as shown
in the following figure.
Figure 25 Web Server Security Policy applied to Web Servers security group
The completed security policies allow:
• The virtual machines in the web-tier security group to be accessed over the HTTP
and HTTPS protocols
• The web-tier virtual machines to communicate with the application-tier virtual
machines
• The application-tier virtual machines to store and retrieve data from the database
tier
The NSX firewall is a stateful firewall, so when a connection is allowed and a
communication session established, the response communication path is also allowed.
All other inbound or outbound traffic is denied by the block rules at the end of the rule
set. Like a traditional firewall, rules are applied sequentially from top to bottom.
Pre-provisioned multimachine blueprint
For the use case, we created three single-machine blueprints, one for each component
of the three-tier application (web, application, and database), and combined them in a
pre-provisioned multimachine blueprint, as shown in the following figure.
Figure 26 Pre-provisioned multimachine blueprint
We edited each component blueprint and mapped the network adapter to the
corresponding security groups, as shown in the following figure.
In this example, there is only one network adapter.
Figure 27 Blueprint network and security group configuration
We then published the blueprint and added it to the service catalog. From there, users
can select the blueprint to provision new application virtual machines. Based on the
blueprint, vRealize Automation clones the virtual machines and attaches them to their
respective logical switch network segments. It also adds the provisioned virtual
machines to the security groups.
For this use case, we did not assign any members to the groups and we did not
configure any dynamic criteria for assigning members to the group. vRealize
Automation automatically assigns the virtual machines, when provisioned, to the
security groups specified in the blueprint.
Use case 3: Converged N-tier virtual applications
Micro-segmentation enables significantly greater control and security in your network.
Often, micro-segmentation removes the need for a network segment per tier;
therefore you can implement a converged architecture, as shown in the following
figure.
Figure 28 Converged three-tiered application secured with micro-segmentation
You can use the process described in use case 2 to define the security groups and
policies for the converged infrastructure. In fact, you can use the same groups and
policies. The only difference in the multimachine blueprint configuration is that you
assign the same network profile to the component machine network adapters. As a
result, the three tiers are provisioned to the same network segment.
Use case 4: App Isolation for component machines
vRealize Automation App Isolation uses the logical firewall to prevent all inbound and
outbound traffic to component workloads in a multimachine blueprint. When App
Isolation is enabled for a multimachine blueprint, the component machines in the
blueprint can communicate with each other but cannot connect outside the firewall, as
shown in the following figure.
Figure 29 Perimeter security enabled by App Isolation
When a multimachine service is provisioned with App Isolation, vRealize Automation
creates a security group corresponding to the multimachine service and assigns the
component machines as members of that security group. The NSX security policy
called vRealize Automation App Isolation Policy is created and applied to the security
group. The firewall rules are defined in the security policy to allow only internal traffic.
The vRealize Automation App Isolation Policy has a lower precedence than other
security policies in NSX. For example, if a multimachine service contains a web
component machine and an App component machine, and the web component
machine hosts a web service, then the service must allow inbound traffic on ports 80
and 443. In this case, create a web-tier security policy in NSX with firewall rules
defined to allow incoming traffic to these ports, and apply the security policy on the
web component of the multimachine blueprint. If the web component machine needs
access to the App component machine using a load balancer on ports 8080 and 8443,
the security policy must also include firewall rules to allow outbound traffic to these
ports.
Application Isolation provides an optional first level of security. When enabled, all
inbound and outbound application access is blocked, while inter-application traffic is
permitted. Component-level security policies are applied at a higher precedence to
permit selected traffic.
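The rule model that use cases 2 and 4 rely on (security-group based rules, first-match evaluation from top to bottom, stateful handling of the reply path, block rules at the end of the rule set, and component-level policies taking precedence over the App Isolation policy) as an added Python model; this is illustrative code, not part of this guide or of NSX. Group and virtual machine names are constructed, and because the page gives no ports for the application- and database-tier rules, they are modelled as any port.

```python
"""Added example, not code from this guide or from NSX: a first-match model of
the distributed firewall behaviour described in use cases 2 and 4."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str                         # security group name, or ANY
    dst: str                         # security group name, or ANY
    ports: frozenset = frozenset()   # destination ports; empty means any port
    action: str = "allow"            # "allow" or "block"


class DistributedFirewall:
    """Sections are listed in precedence order, highest first. A block-all
    section is appended last, like the block rules at the end of the NSX
    rule set, so anything no earlier rule allows is denied."""

    def __init__(self, groups, sections):
        self.groups = {name: set(members) for name, members in groups.items()}
        self.sections = list(sections) + [("default block", [Rule(ANY, ANY, action="block")])]
        self.sessions = set()        # (client, server, port) of allowed connections

    def is_member(self, vm, group):
        return group == ANY or vm in self.groups.get(group, set())

    def matches(self, rule, src, dst, port):
        return (self.is_member(src, rule.src) and self.is_member(dst, rule.dst)
                and (not rule.ports or port in rule.ports))

    def connect(self, src, dst, port):
        """Evaluate a new connection top to bottom; the first matching rule
        decides. Returns '<action>:<section>' so the deciding policy is visible."""
        for section, rules in self.sections:
            for rule in rules:
                if self.matches(rule, src, dst, port):
                    if rule.action == "allow":
                        self.sessions.add((src, dst, port))   # stateful: remember it
                    return f"{rule.action}:{section}"
        raise AssertionError("unreachable: the default section matches everything")

    def reply_allowed(self, server, client, port):
        """Stateful behaviour: the response path of an established session is
        allowed although no rule permits server -> client traffic on its own."""
        return (client, server, port) in self.sessions


def three_tier_firewall():
    """Use case 2: one security group per tier, three tier policies, default block.
    VM names are constructed; the application- and database-tier rules are
    modelled as any port because the guide gives none."""
    groups = {"Web Servers": {"web01", "web02"},
              "Application Servers": {"app01"},
              "Database Servers": {"db01"}}
    return DistributedFirewall(groups, [
        ("web-tier policy", [Rule(ANY, "Web Servers", frozenset({80, 443}))]),
        ("application-tier policy", [Rule("Web Servers", "Application Servers")]),
        ("database-tier policy", [Rule("Application Servers", "Database Servers")]),
    ])


def app_isolation_firewall():
    """Use case 4: the multimachine service group (constructed name 'finance-svc')
    is isolated, and the web-tier policy sits above the App Isolation policy."""
    groups = {"finance-svc": {"fin-web", "fin-app"}, "Web tier": {"fin-web"}}
    return DistributedFirewall(groups, [
        ("web-tier policy", [
            Rule(ANY, "Web tier", frozenset({80, 443})),         # inbound web service
            Rule("Web tier", ANY, frozenset({8080, 8443}))]),    # outbound to the load balancer
        ("App Isolation Policy", [
            Rule("finance-svc", "finance-svc"),                  # internal traffic only
            Rule(ANY, "finance-svc", action="block"),
            Rule("finance-svc", ANY, action="block")]),
    ])


if __name__ == "__main__":
    fw = three_tier_firewall()
    for src, dst, port in [("internet", "web01", 443), ("web01", "db01", 3306),
                           ("app01", "db01", 3306), ("db01", "app01", 3306)]:
        print(f"{src} -> {dst}:{port}  {fw.connect(src, dst, port)}")
    print("db01 reply to app01 allowed:", fw.reply_allowed("db01", "app01", 3306))
```

Removing the web-tier policy section from app_isolation_firewall shows the precedence point: the same inbound request on port 443 then falls through to the App Isolation block rule.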
CHAPTER 6
Configuration Management
Configuration management is a vital element of implementing secure systems
consistently and in accordance with your security policies. It comprises a collection of
steps focused on establishing a configuration baseline to maintain the integrity of
Enterprise Hybrid Cloud and the resources it supports. This chapter presents the
following topics:
• Configuration management overview ... 60
• VMware vCenter Server host profiles ... 60
• VMware vSphere Update Manager ... 63
• VMware vRealize Configuration Manager ... 68
• Use case 1: Configuring a custom compliance standard ... 71
• Use case 2: Applying exceptions to compliance templates ... 73
Configuration management overview
Learn about the native configuration management and compliance capabilities of
Enterprise Hybrid Cloud. Configuration consistency can be achieved through the
implementation of vCenter host profiles, patch management using vSphere Update
Manager, and configuration compliance using vRealize Configuration Manager.
Enterprise Hybrid Cloud Security Management applies the recommendations in the
vSphere 6.5 Security Configuration Guide as well as security configuration
recommendations from Dell EMC and other vendors. Integrating security guidance
from multiple sources requires coordination. Dell EMC engineering has developed
processes to manage this integration and provide a secure, seamless, experience for
Enterprise Hybrid Cloud customers. The tools that underpin these processes ensure
that the relevant security configurations are in effect to assure adherence with
electronic governance, risk, and compliance (eGRC) requirements and with your
organization's internal IT and security standards.
Many organizations' IT and security groups face a significant challenge in gaining
visibility into configuration management and compliance in their environments. To
address this challenge, Enterprise Hybrid Cloud uses a number of native capabilities,
including:
• vCenter host profiles ensure that a baseline is applied consistently across all ESXi
hosts, and enable many vSphere hardening guidelines to be centrally applied. They
also provide a means to perform ad-hoc scans for host compliance with a profile
and display alerts within the vSphere Web Client.
• vSphere Update Manager enables patch management across virtual appliances
and ESXi hosts and provides a means to install and update third-party software on
ESXi hosts. With Update Manager, you can establish a baseline and ensure audit
compliance.
• vRealize Configuration Manager extends the capabilities of vCenter host profiles
and vSphere Update Manager to provide inventory and asset management,
scheduled configuration and compliance scans, reports, and integration with
vRealize Operations Manager. In addition, vRealize Configuration Manager enables
configuration management of Windows and Linux guest OS patches, and can audit
the entire virtualized environment against many industry or regulatory frameworks
and standards.
VMware vCenter Server host profiles
vCenter Server host profiles ensure that a consistent configuration is applied across
all ESXi hosts when Enterprise Hybrid Cloud is initially deployed and as it is scaled out
to meet future capacity requirements.
Specifically, host profiles:
• Ensure consistency for compliance
• Reduce the deployment time for new hosts
• Apply the same configuration changes to multiple hosts
To apply the same configuration settings to a group of ESXi hosts, you can create or
import a host profile. The host profile is associated with a single reference host. A new
or updated profile is established through the reference host, and propagated to the
other hosts in the environment through the host compliance tool.
When events occur that require storage, network, or security configuration changes
on multiple hosts in a cluster (firmware upgrades, for example), you can edit the host
profile and apply it across the cluster for consistent configuration updates. In addition,
you can exclude from the host profile any host configuration values that must be
unique across your environment.
The following figure shows some of the parameters that can be configured in a host
profile.
Figure 30 Host profile configuration parameters
When the host profile has been created and configured, you can attach it to one or
more vSphere hosts or clusters. The configuration of each host is then compared
against the host profile and any deviations are reported. For example, the following
figure shows a non-compliant status for one of the hosts in one of the clusters in the
test environment.
Figure 31 Host compliance status with the host profile
The additional host profiles shown in the following figure correspond to other clusters
in the test environment that have different vDS configurations and show that you can
have multiple host profiles according to your configuration requirements.
Figure 32 Compliance view of the clusters attached to the Resources Pods host profile
Note
You can associate ESXi hosts and clusters with a single host profile only.
You can configure new hosts that are added to vCenter Server by applying the host
profile. This configuration management feature enables you to create a profile once,
and then use it for rapid configuration of multiple vSphere hosts. This feature also
eliminates the need to set up specialized scripts or to manually configure hosts.
You can create scheduled tasks that routinely check host compliance against a host
profile, email the results, and log a vCenter Server event. You can view the compliance
status in the vSphere Web Client by selecting the host profile and selecting Monitor,
as shown in the previous figure. When compliance checks return a non-compliant
status, a vCenter error event is generated and can be tracked in vRealize Operations
Manager.
VMware vSphere Update Manager
Certain security compliance standards require that all system components and
software are protected from known vulnerabilities by having the latest vendor-supplied
security patches installed.
The Payment Card Industry Data Security Standard (PCI DSS) is one such standard.
Patch management is a core requirement of these standards. Organizations that are
unable to patch systems effectively and efficiently are susceptible to compromises
that are easily preventable. Consider patch management carefully in the context of
security, because it is important in establishing and maintaining a solid security
baseline.
Enterprise Hybrid Cloud uses VMware vSphere Update Manager to address patch
management and keep vSphere hosts and virtual appliances up to date. Update
Manager automates patch management and eliminates manual tracking and patching
of vSphere hosts and virtual appliances.
vSphere Update Manager includes these core features:
• A compliance dashboard to provide visibility into the patch and upgrade status of
hosts and virtual appliances, for compliance to static or dynamic baselines
• Staging and scheduling of patching for remote sites and scheduled maintenance
windows
• Deployment of patches that are downloaded directly from a vendor website,
including drivers, Common Information Models (CIMs), and other updates from
hardware vendors for vSphere hosts
Patching can lead to compatibility errors that require remediation. Update Manager
can eliminate the most common patching problems before they occur, ensuring that
the time you save in batch processing automation is not wasted later in performing
rollbacks.
The benefits of vSphere Update Manager include:
• Storing snapshots for a user-defined period so that administrators can roll back
the virtual machine if required
• Securely patching offline virtual machines without exposing them to the network,
reducing the risk of non-compliant virtual machines
• Ensuring the current version of a patch is applied with automatic notification
services
Baselines
vSphere Update Manager compares the state of vSphere hosts with baselines, and
can then stage and apply patches to enforce compliance. Dynamic baselines update
dynamically as vendors release additional patches. Fixed baselines are statically
defined and are used for upgrades. Extension baselines are statically defined.
The following figure shows examples of configured baselines.
Figure 33 Examples of baselines configured in vSphere Update Manager
A good example of a dynamic baseline is the Critical Host Patches baseline that is
included with vSphere Update Manager. We configured the inclusion criteria for this baseline
to include any patch of severity Critical, from any vendor and for any product, as
shown in the following figure.
Figure 34 Example of patch inclusion criteria for an Update Manager baseline
The inclusion criteria are granular; you can include or exclude individual patches, giving
you the flexibility to define a custom baseline specific to your environment. In addition,
you can include non-VMware extensions such as Dell EMC PowerPath™/VE extensions
in a custom baseline, as shown in the following figure.
Figure 35 PowerPath/VE extension added to a custom Update Manager baseline
Custom baselines enable you to deploy non-VMware extensions to all your ESXi hosts
and ensure that consistent revision control is maintained throughout your
environment.
Baseline groups
Baselines can be grouped and included in a baseline group, as shown in the following
figure.
Figure 36 Components of the EHC Hosts baseline group
Baseline groups are useful for applying multiple baselines to virtual appliances, hosts,
clusters, or data center objects, and are especially useful when you audit compliance,
because the compliance status can be viewed across the group of baselines instead of
individually for each baseline.
Audit compliance
The vSphere Update Manager Host Compliance view in the vSphere Web Client
provides a quick overview of your compliance status. For example, if 50 percent of the
hosts in the selected group are out of compliance, the affected baseline group and
individual baselines are flagged as non-compliant, and the type of update is also
flagged on the affected host.
To rectify this situation, click Remediate to start the Remediation wizard. From there,
the baseline can be applied to the affected assets.
You can schedule the remediation for a later time and date. This is useful when you are
restricted to a maintenance window and want to combine a scheduled remediation
with the staging feature to ensure you meet your maintenance window requirements.
The Remediation wizard also enables you to select host remediation options, including
the virtual machine power state and the disabling of any removable media mounted to
virtual machines on the hosts to be remediated.
The Enable parallel remediation option significantly reduces the remediation time by
running remediation tasks in parallel on clusters with two or more hosts and according
to the resources in demand on the cluster at remediation time. When remediating a
vSphere cluster with DRS enabled, all workloads remain available throughout the
remediation process.
VMware vRealize Configuration Manager
The security status of each cloud system changes dynamically. These changes might
be caused by a cloud administrator operation introducing risk into the environment,
cloud components that are susceptible to a vulnerability, or an external environment
change such as a new attack method. It is important to continuously monitor the
security status of Enterprise Hybrid Cloud, mitigate or remediate the potential risks,
and keep the system compliant to a security baseline.
In Enterprise Hybrid Cloud, we integrated VMware vRealize Configuration Manager to
build a configuration compliance audit and management system.
Configuration compliance
vRealize Configuration Manager provides a unified dashboard for managing
configuration compliance. It integrates with vSphere for configuration data collection,
providing the means to audit the vSphere infrastructure and its dependent
components, flag exceptions to policy, and perform remediation.
Preset rules and templates are available that enable you to begin monitoring system
compliance to various standards, as shown in the following figure:
• Regulatory standards—for example, Sarbanes-Oxley (SOX), Health Insurance
Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA),
Federal Information Security Management Act (FISMA)
• Industry standards—for example, PCI DSS
• Microsoft standards
Figure 37 vRealize Configuration Manager compliance dashboards showing vSphere hardening
compliance
Examples of elements that can be tracked for compliance are:
• Hypervisor configuration through vCenter Server host profiles
• Hypervisor and virtual appliance patch management through vSphere Update
Manager baselines
• Linux and Windows guest OS configuration
• Regulatory and industry standards through default compliance toolkits
Configuration compliance can be maintained against internal standards, security best
practices, vendor hardening guidelines, and regulatory mandates such as:
• Security best practices developed by the Defense Information Systems Agency
(DISA STIGs), the National Institute of Standards and Technology (NIST), the
Center for Internet Security (CIS), and many more
• Hardening guidelines from VMware and Microsoft
• Regulatory mandates such as SOX, the PCI standard, HIPAA, and FISMA
You can also use vRealize Configuration Manager to assess compliance with your own
internal IT standard to drive best practices in your environment.
Risk badge and compliance scores
The integration between vRealize Operations Manager and vRealize Configuration
Manager includes using compliance template results from Configuration Manager to
contribute to the Risk badge score in vRealize Operations Manager, as shown in the
following figure.
Figure 38 vRealize Operations Manager dashboard displaying Risk badge score
The compliance templates are included in badge mappings that are run in
Configuration Manager against objects in vCenter Server instances that are managed
by both Configuration Manager and vRealize Operations Manager. These objects
include virtual machines, host systems, clusters, vCenter Server instances, and
datastores. The compliance mapping results determine the compliance score.
Expanding the Why is Risk option shown in this figure displays the compliance status
summary shown in the following figure.
Figure 39 vRealize Operations Manager dashboard showing compliance status summary
vRealize Operations Manager pulls the compliance scores into the formulas used to
calculate the Risk badge scores. When you review the standards compliance in
vRealize Operations Manager, you can browse back to Configuration Manager to view
the detailed results and identify any configuration changes made to bring a non-compliant object back into compliance.
Operational compliance
Operational compliance views enable you to proactively enforce configuration
standards, detect configuration drift early, and automatically remediate against IT
policy violations. You can also harden the infrastructure for security and regulatory
requirements. Preparing for and responding to an audit is no longer an intimidating and
time-consuming process because, with automated reporting, you can pinpoint critical
areas with ease. Compliance views are tightly integrated with the operations
dashboard for comprehensive visibility into the health, risk, and efficiency of the
infrastructure and applications, as shown in the following figure.
Figure 40 Risk dashboard showing compliance status in the environment
Use case 1: Configuring a custom compliance standard
This use case shows how to configure a custom compliance standard.
Configuring a custom compliance standard includes creating compliance rules, rule
groups, and templates. Compliance templates consist of one or more rule groups, each
of which contain one or more rules and filters. When you run compliance, you are
running templates.
Compliance rules compare your virtual or physical machines (running Linux, UNIX,
Mac OS X, or Windows) against configuration standards that you import or create, to
determine if the machines meet the standards. The results of the compliance run
identify which machines comply with or are in violation of the standards. In some
cases, you can enforce certain settings on the machines that are not in compliance,
initiating the changes from vRealize Configuration Manager.
For this use case, we created a rule group that checks whether VMware Tools is
running in guest virtual machines that are included in the inventory of the two hybrid
cloud vCenter Server instances. We then created a compliance template and added
the rule group to it. Follow these steps:
1. In the vRealize Configuration Manager console, create a rule group.
2. Add a compliance rule to the rule group with the following attributes, as shown in
the following figure.
• Rule type: Conditional
• IF criterion: Tools Version Status <> 'guestToolsNotInstalled'
This excludes virtual machines that do not have VMware Tools installed.
• THEN criterion: Tools Running Status = 'guestToolsRunning'
This checks whether VMware Tools is running.
• Severity: Moderate
Figure 41 Rule criteria for detecting the running state of VMware Tools
3. Add a filter to the rule group to exclude guests that are not in the inventory of one
or other of the two hybrid cloud vCenter Server instances. This filter has the
following attributes, as shown in the following figure.
• Data type: Basic
• Conditions:
vCenter ='EPCIP-VC01'
vCenter ='EPCMP-VC01'
Figure 42 Filter criteria for detecting the running state of hybrid cloud vCenter Server
instances
4. Create a compliance template and add the rule group to it.
5. Run the template to view the compliance data results and verify the configuration.
The following figure shows a results summary view.
Figure 43 Summary of the custom compliance template results
Use case 2: Applying exceptions to compliance templates
This use case shows how to create compliance exceptions where a business need
exists.
To override specific template results, you can use exceptions rather than explicitly
resolving non-compliant results. The exceptions are applied against the compliance
template results and indicate that a specific result is compliant or non-compliant
although it does not match the rule requirements. Examples of where exceptions may
be necessary include:
• Avamar image-level backup and restore. Avamar uses the http feature in vCenter
Server, called http datastore, to back up or restore virtual machines.
• Cloud Foundry requires that the Managed Object Browser (MOB) is enabled on
the vCenter Server system or deployments of Cloud Foundry fail.
Disabling the http Datastore Browser and MOB features in accordance with vSphere
hardening guidelines would break critical functionality. Exceptions are used so that
results are not skewed. The template to which you want to apply an exception must
exist. For more information, see the VMware Security Hardening Guides for vSphere
6.x.
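The compliance run described in use cases 1 and 2 (a conditional IF/THEN rule whose IF criterion takes guests without VMware Tools out of scope, the filter on the two hybrid cloud vCenter Server instances, and an exception that overrides one result for a documented business need) as an added Python model; this is illustrative code, not vRealize Configuration Manager's own logic. The inventory, the attribute and status strings beyond those on the page, and the MOB rule and its exception reason are constructed for the example.

```python
"""Added example, not vRealize Configuration Manager code: a model of the
compliance run from use cases 1 and 2, with a conditional (IF/THEN) rule,
a vCenter filter, and an exception that overrides one result."""
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class Asset:
    name: str
    kind: str                   # "vm" or "vcenter"
    attrs: Dict[str, object]    # collected configuration data


@dataclass(frozen=True)
class ConditionalRule:
    name: str
    kind: str                               # asset kind the rule applies to
    severity: str
    condition: Callable[[Asset], bool]      # IF criterion; when false the rule does not apply
    requirement: Callable[[Asset], bool]    # THEN criterion; must hold when IF is true


# Filter from use case 1: only assets in the two hybrid cloud vCenter Server instances
HYBRID_CLOUD_VCENTERS = {"EPCIP-VC01", "EPCMP-VC01"}


def hybrid_cloud_filter(asset):
    return asset.attrs.get("vCenter") in HYBRID_CLOUD_VCENTERS


RULE_GROUP = [
    # Use case 1: Tools must be running, but only where Tools is installed at all
    ConditionalRule("VMware Tools running", "vm", "Moderate",
        condition=lambda a: a.attrs["Tools Version Status"] != "guestToolsNotInstalled",
        requirement=lambda a: a.attrs["Tools Running Status"] == "guestToolsRunning"),
    # Constructed hardening-style rule of the kind use case 2 needs an exception for
    ConditionalRule("Managed Object Browser disabled", "vcenter", "Moderate",
        condition=lambda a: True,
        requirement=lambda a: a.attrs["MOB Enabled"] is False),
]

# Constructed inventory: names and states are made up for the example
SAMPLE_INVENTORY = [
    Asset("fin-web01", "vm", {"vCenter": "EPCIP-VC01", "Tools Version Status": "guestToolsCurrent",
                              "Tools Running Status": "guestToolsRunning"}),
    Asset("fin-db01", "vm", {"vCenter": "EPCMP-VC01", "Tools Version Status": "guestToolsCurrent",
                             "Tools Running Status": "guestToolsNotRunning"}),
    Asset("legacy-app", "vm", {"vCenter": "EPCIP-VC01", "Tools Version Status": "guestToolsNotInstalled",
                               "Tools Running Status": "guestToolsNotRunning"}),
    Asset("lab-vm", "vm", {"vCenter": "LAB-VC01", "Tools Version Status": "guestToolsCurrent",
                           "Tools Running Status": "guestToolsRunning"}),
    Asset("EPCIP-VC01", "vcenter", {"vCenter": "EPCIP-VC01", "MOB Enabled": False}),
    Asset("EPCMP-VC01", "vcenter", {"vCenter": "EPCMP-VC01", "MOB Enabled": True}),
]

# Use case 2: (rule, asset) -> (status to report, business reason); constructed
EXCEPTIONS = {
    ("Managed Object Browser disabled", "EPCMP-VC01"):
        ("compliant", "Cloud Foundry deployments require MOB on this vCenter Server"),
}


def run_template(assets, rules, filter_fn, exceptions=None):
    """Runs the template; returns {(rule name, asset name): status}. Assets the
    filter excludes produce no result, like guests outside the hybrid cloud vCenters."""
    exceptions = exceptions or {}
    results = {}
    for rule in rules:
        for asset in assets:
            if asset.kind != rule.kind or not filter_fn(asset):
                continue
            if not rule.condition(asset):
                status = "not applicable"          # IF criterion false: out of scope
            elif rule.requirement(asset):
                status = "compliant"
            else:
                status = "non-compliant"
            key = (rule.name, asset.name)
            if key in exceptions:                  # exception overrides the result
                override, reason = exceptions[key]
                status = f"{override} (exception: {reason})"
            results[key] = status
    return results


def summarize(results):
    """Counts results per status, like the template results summary view."""
    counts = {}
    for status in results.values():
        base = status.split(" (")[0]
        counts[base] = counts.get(base, 0) + 1
    return counts


if __name__ == "__main__":
    for key, status in run_template(SAMPLE_INVENTORY, RULE_GROUP, hybrid_cloud_filter, EXCEPTIONS).items():
        print(key, status)
```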
CHAPTER 7
Multitenancy
Learn how to segment the network infrastructure, storage, and authentication on a
tenant-by-tenant basis and how the solution implements RBAC to separate functions
and enforce the principle of least privilege. This chapter presents the following topics:
• Multitenancy overview ... 76
• Secure separation ... 76
• Role-based access control ... 78
Multitenancy overview
This chapter introduces the mechanisms that Enterprise Hybrid Cloud uses to address
multitenancy security.
Valid concerns exist around information leakage and unauthorized access on a shared
infrastructure. Consumers of the provisioned resources need to operate in a dedicated
environment while still benefitting from infrastructure standardization. To address
concerns around shared infrastructure, Enterprise Hybrid Cloud was designed for
Enterprise multitenancy, with a "defense-in-depth" perspective that is proven
through:
- Secure separation
- Network segmentation and separation
- Tenant authentication
- Role-based access control
- Solution infrastructure
- Entitlements
Secure separation
Learn about network segmentation, tenant and enterprise Edge routers, and tenant
authentication.
Network segmentation
The network infrastructure for the solution is designed to address the requirements of
multitenancy and secure separation of the tenant resources.
It is also designed to align with security best practices from vendors such as VMware
for segmenting networks according to the purpose or traffic type. For example,
configuring an isolated network segment for vMotion traffic between ESXi hosts helps
prevent attacks where the unencrypted data transfer can be intercepted by an
attacker and reconstructed to gain access to sensitive data.
We configured the trunks on the physical network infrastructure to carry only the
VLANs and PVLANs required for operations within the hybrid cloud environment. The
following figure shows the logical topology of the physical and virtual networks
defined in Enterprise Hybrid Cloud. We used VLANs to provide segmentation of the
networks at Layer 2 in the cloud management pod, because that environment is likely
to be static and an extension of existing management networks.
Note
The architecture can be supplemented at the physical switch layer with PVLANs and
VRF tables to provide segmentation at Layers 2 and 3. This approach is outside the
scope of Enterprise Hybrid Cloud.
Figure 44 Enterprise Hybrid Cloud network architecture
Tenant and enterprise Edge routers
Use tenant and enterprise Edge routers to manage security policies from a single
interface.
To enable connectivity between the physical network core and the tenant resources,
we deployed an enterprise Edge router and a tenant Edge router in HA mode for each
tenant.
We implemented an NSX ESR to act as a perimeter gateway for the Enterprise Hybrid
Cloud tenants, and applied a perimeter security policy. Where more than one tenant
was required, we isolated each tenant by implementing an NSX ESR per tenant. This
enabled us to manage security policies for the entire Enterprise Hybrid Cloud
environment from a single interface.
Note
An existing Layer 3 core can provide the function of the enterprise Edge router.
Tenant authentication
Tenants can use a common single directory with separation provided by dedicated
OUs. However, where secure multitenant authentication is required, a much more
robust solution is to use a dedicated directory for each tenant to provide
authentication for the tenant application owners and consumers.
VMware vRealize Automation identity stores
Enterprise Hybrid Cloud uses a native Active Directory identity store for the default
tenant in vRealize Automation. This identity store uses Kerberos authentication with
Active Directory. Each newly created tenant must be associated with at least one
Active Directory or Open LDAP identity store. Configure each tenant identity store
using one of the following options:
- In the same directory as other tenants
- In the same directory as other tenants, but using a dedicated OU per tenant
- In a separate and distinct directory
This configuration enables degrees of separation according to the risk profile of the
business assets provisioned and managed by the solution and the organization's
appetite for risk.
ViPR authentication providers
Enterprise Hybrid Cloud maps tenants to ViPR Projects. Each ViPR Project must be
associated with an authentication provider. Authentication providers can be
configured to use Active Directory or an LDAP directory. You can configure each
authentication provider to use:
- The same directory for all projects
- A separate and distinct directory for each project
Each ViPR Project must be configured with an ACL that maps groups or users to the
All (read/write) or Backup (read-only) ViPR Project roles.
Role-based access control
Learn about vRealize Automation groups and roles and how entitlements work.
vRealize Automation groups and roles
The integration of the solution components with Active Directory enables the mapping
of each component's local roles to corresponding Active Directory groups for the
purposes of administration, operation, and auditing.
While access to the solution infrastructure components is limited to IT and security
administrators, end users use vRealize Automation as a self-service catalog and to
manage their provisioned resources. User roles and responsibilities are defined and
used in the structure of vRealize Automation. The administration of users and
compute resources in vRealize Automation is managed through the vRealize
Automation portal.
The vRealize Automation roles are:
- Tenant administrator—The tenant administrator is responsible for configuring
  tenant-specific branding and user management, including:
  - Creating business groups and assigning the business group manager, support,
    and user roles to Active Directory or OpenLDAP users and groups
  - Managing and configuring catalog services, entitlements, approval policies, and
    shared blueprints within the context of their tenant
  - Tracking resource usage by all the tenant's users and initiating reclamation
    requests to decommission unused virtual machines
- Service architect—The service architect is responsible for authoring advanced
  services such as service blueprints, custom resources, and resource actions. The
  service architect can also perform catalog management functions.
- Application architect—The application architect is responsible for creating,
  modifying, and deleting applications in Application Services.
- System administrator—The system administrator (administrator@vsphere.local)
  is responsible for:
  - Tenant creation, system defaults, branding, and tenant Simple Mail Transfer
    Protocol (SMTP) relays
  - Assigning the infrastructure administrator and tenant administrator roles to
    Active Directory users and groups
- Infrastructure administrator—The infrastructure administrator (IaaS Admin) is a
  system-wide role that is responsible for:
  - Discovery and management of the compute, network, and storage resources
    used to provision workloads
  - Defining the vRealize Automation endpoints that are required to discover and
    interact with the infrastructure resources in the physical, virtual, and public
    cloud environments
  - Creating and configuring the fabric groups, assigning the fabric administrator
    role to Active Directory users and groups, and adding discovered compute
    resources to bring them under vRealize Automation control
- Fabric administrator—Fabric groups can be used to segregate the resources
  used by different organizational groups. Fabric administrators can manage cloud
  resources for their respective fabric groups, as defined by the IaaS administrator.
  Fabric group administrators are responsible for:
  - Configuring resource reservations to be consumed by each business group
  - Defining network, storage, compute, and cost profiles
  - Defining approval groups and policies
- Business groups—Business group users are the consumers of the infrastructure
  provided to the business group by a fabric group administrator:
  - The Business Group Manager role can perform some of the same functions as
    the tenant administrator, such as authoring new services, managing
    provisioned virtual machines, managing approval requests, and working on
    behalf of other users. However, the scope of their responsibility is limited to
    their respective business groups.
  - The Support User role can provision and manage resources on behalf of other
    users, but cannot author new services.
  - The User role is assigned to those users who request and manage resources
    made available to their business group. Users with the User role are the primary
    consumers of the vRealize Automation self-service portal, which they use to
    provision and manage their virtual machines.
  - The deployment of machine blueprints might be subject to approval by the
    Business Group Manager. The Business Group Manager sets this approval
    policy per blueprint.
  - Enterprise Hybrid Cloud also uses business groups to provision infrastructure
    services and corporate application platforms (for example, Microsoft SQL
    Servers, Exchange Servers, and Oracle Servers), and to provide access to
    service blueprints that automate repetitive administrator tasks. These
    resources and functions are typically used by administrators and applications
    owners to meet their functional requirements.
Note
vRealize Automation is configured to use Active Directory (or OpenLDAP) as an
identity source. Therefore, vRealize Automation roles are mapped to Active Directory
groups that correspond to existing enterprise teams, as described in vRealize
Automation Installation and Configuration. Additional user groups can be created in
Active Directory and assigned to support the various roles in vRealize Automation.
Entitlements
Entitlements are a vRealize Automation construct, similar to access control lists
(ACLs), designed to grant access to machine and service blueprints to specific
business group users or groups.
In addition, entitlements are the implementation point for approval policies. vRealize
Automation entitlements can be used to restrict certain users to a defined view of the
service catalog, permitting them access only to the machine and service blueprints
that they require to fulfill their function.
CHAPTER 8
Data Security
Learn how to use CloudLink SecureVM with Enterprise Hybrid Cloud to enhance
protection of your most sensitive data. CloudLink SecureVM allows you to control,
monitor, and secure your Windows and Linux virtual machines everywhere in your
hybrid cloud. This chapter presents the following topics:
- Data security overview.......................................................................................82
- CloudLink SecureVM..........................................................................................82
- Policy-based management................................................................................. 83
- Integration with the service catalog................................................................... 84
Data security overview
The protection of information assets, whether located in an on-premises or off-premises cloud, is of paramount concern to enterprises and their customers.
Many threats to the confidentiality and integrity of information could result in a
reputational, financial, or human impact through the disclosure of commercially
sensitive or personally identifiable information (PII) and other critical data. This
chapter discusses how you can use CloudLink SecureVM with Enterprise Hybrid Cloud
to enhance protection of your most sensitive data.
CloudLink SecureVM
Cloud computing offers undeniable benefits in relation to deployment flexibility and
agility, scaling, and cost-effective resource utilization.
The strengths and benefits of cloud computing must be balanced against the loss of
control and visibility in cloud deployments. CloudLink SecureVM provides
organizations with the security controls necessary to run virtual machines in the cloud
with confidence.
SecureVM enables encryption of the entire virtualized server or desktop running in the
cloud, independent of the cloud service provider. Protection of the entire virtual
machine enables organizations to define security policies to allow or disallow startup
of a particular virtual machine, and to verify the integrity of the virtual machine. This
provides complete protection against potentially malicious tampering. SecureVM
ensures that only trusted and verified virtual machines have the ability to run and to
access sensitive data residing in the cloud.
Platform support
SecureVM works in combination with native OS encryption technology such as
Microsoft BitLocker, a proven and high-performance volume encryption solution that
is widely implemented for physical machines.
SecureVM extends BitLocker functionality because BitLocker native authentication
mechanisms are not supported in cloud environments. The SecureVM functionality of
proven encryption key policy management enables BitLocker to be used for automated
encryption of boot volumes in the cloud, while enabling enterprise administrators to
control security policy and encryption keys. SecureVM also supports Linux native
encryption, providing organizations with a single encryption management solution for
multiple clouds and virtual machine operating systems.
SecureVM operates transparently to end users across virtually any private, public,
hybrid, or multicloud environment. Fully integrated with leading hypervisor and cloud
platforms, it is easy to deploy with almost limitless scalability. CloudLink provides
control, flexible policy- and key-management options, and reporting and monitoring
capabilities across different operating systems, virtual machines, and storage
infrastructures.
CloudLink can unlock and use the native encryption of Windows and Linux operating
systems.
Policy-based management
From CloudLink Center, you can define encryption policies and manage individual
virtual machines on which SecureVM Agent is deployed.
For example, you can configure the IP addresses from which virtual machines can
start automatically, or require interactive authorization to boot volumes, decrypt
volumes, and block individual virtual machines from starting up automatically.
In addition to IP addresses, a number of other virtual machine attributes are verified
by CloudLink Center, for example, the checksum of the pre-boot environment, which
must match the previous known-good checksum to assure users that the software has
not been tampered with while a virtual machine was not running. For information
about deploying SecureVM Agent, see the CloudLink SecureVM Deployment Guide.
Defining authorized IP addresses for virtual machines
When a virtual machine starts up, CloudLink Center checks that certain conditions are
met before allowing the startup to continue. One of the conditions that CloudLink
Center checks is that the virtual machine IP address has been identified as authorized
to CloudLink Center. You can view the current list of valid IP addresses in the
Approved Networks list.
You can define IP addresses as authorized to CloudLink Center by:
- IP to specify a single IP address
- CIDR to specify a network of IP addresses using Classless Inter-Domain Routing
- IP Range to specify a range of consecutive IP addresses
Changing the global policy for virtual machine startup
When a virtual machine starts up, CloudLink Center checks if the virtual machine IP
address has changed since the last startup process. By default, if the IP address has
changed, startup is not allowed to continue automatically, and the virtual machine is
assigned the Pending status. Manually approve the virtual machine startup, either
using CloudLink Center or through the Enterprise Hybrid Cloud self-service interface.
In some circumstances, you might know that the IP addresses of virtual machines
might change. For example, in some cloud environments, such as Microsoft Azure, the
public IP address of a virtual machine might change when the machine shuts down and
restarts. A new IP address is assigned from the same subnet as the previous address.
To avoid having to manually confirm startups in these circumstances, you can change
the global policy to approve automatically. You can also limit automatic approvals to
virtual machines with a new IP address that is on the same subnet as the previous IP
address. At any time, you can change the global policy back to the default condition.
The global policy applies only to virtual machines with IP addresses identified as
authorized.
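The startup checks described in this section (Approved Networks membership, the pre-boot checksum, and the global policy for changed addresses), modelled as an added example in Python; this is not CloudLink code. The status names Approved and Denied, the policy constant names, and the /24 prefix used for the same-subnet comparison are assumptions made here, since the guide does not state them.

```python
"""Model of the start-up checks CloudLink Center applies to a SecureVM-protected VM.

Added example; not CloudLink's own code. The Approved Networks entry types
(IP, CIDR, IP Range), the Pending status and the global-policy behaviours come
from the guide. Assumed here: the Approved and Denied status names, the policy
constant names, and the prefix length used for the "same subnet" comparison.
"""
import hmac
from ipaddress import ip_address, ip_network, summarize_address_range

APPROVED, PENDING, DENIED = "Approved", "Pending", "Denied"

# Global policy for start-up after an IP address change (names assumed).
POLICY_MANUAL = "manual"                      # default: hold the VM as Pending
POLICY_AUTO = "auto"                          # approve any change automatically
POLICY_AUTO_SAME_SUBNET = "auto_same_subnet"  # approve only within the previous subnet


class ApprovedNetworks:
    """The Approved Networks list: entries are (kind, value) with kind
    'IP', 'CIDR' or 'IP Range', the three entry types the guide describes."""

    def __init__(self, entries):
        self.networks = []
        for kind, value in entries:
            kind = kind.strip().upper()
            if kind == "IP":
                self.networks.append(ip_network(value))              # single host (/32 or /128)
            elif kind == "CIDR":
                self.networks.append(ip_network(value, strict=False))
            elif kind == "IP RANGE":
                first, last = (ip_address(p.strip()) for p in value.split("-"))
                self.networks.extend(summarize_address_range(first, last))
            else:
                raise ValueError(f"unknown Approved Networks entry type: {kind}")

    def is_authorized(self, addr):
        addr = ip_address(addr)
        return any(addr in net for net in self.networks)


def startup_decision(approved, vm_ip, last_ip, policy=POLICY_MANUAL,
                     preboot_checksum=None, known_good_checksum=None, subnet_prefix=24):
    """Return (status, reason) for one VM start-up request.

    approved            -- ApprovedNetworks instance
    vm_ip / last_ip     -- address now and at the previous start-up (None on first start)
    policy              -- one of the POLICY_* values
    preboot_checksum    -- checksum reported by the VM's pre-boot environment
    known_good_checksum -- value recorded at the last successful start (None = not recorded)
    subnet_prefix       -- assumed prefix length for the same-subnet test
    """
    vm = ip_address(vm_ip)
    # Condition 1 (from the guide): the address must be in the Approved Networks list.
    if not approved.is_authorized(vm):
        return DENIED, "address is not in the Approved Networks list"
    # Condition 2 (from the guide): the pre-boot environment must match the known-good
    # checksum. Constant-time compare; a mismatch is held for manual review (assumed).
    if known_good_checksum is not None and not hmac.compare_digest(
            str(preboot_checksum or ""), str(known_good_checksum)):
        return PENDING, "pre-boot environment checksum does not match the known-good value"
    # Condition 3 (from the guide): has the address changed since the last start-up?
    if last_ip is None or vm == ip_address(last_ip):
        return APPROVED, "address unchanged since last start-up"
    if policy == POLICY_AUTO:
        return APPROVED, "address changed; global policy approves automatically"
    if policy == POLICY_AUTO_SAME_SUBNET:
        previous_subnet = ip_network(f"{last_ip}/{subnet_prefix}", strict=False)
        if vm in previous_subnet:
            return APPROVED, f"address changed within {previous_subnet}; approved by policy"
        return PENDING, "address moved to a different subnet; manual approval required"
    return PENDING, "address changed; default policy requires manual approval"


# Constructed sample Approved Networks list, one entry of each type.
SAMPLE_APPROVED = ApprovedNetworks([
    ("IP", "10.10.1.5"),
    ("CIDR", "192.168.20.0/24"),
    ("IP Range", "172.16.5.10-172.16.5.20"),
])

if __name__ == "__main__":
    for args in [("10.10.1.5", None), ("10.10.9.9", None),
                 ("192.168.20.30", "192.168.20.7"),
                 ("192.168.20.30", "192.168.20.7", POLICY_AUTO),
                 ("192.168.20.30", "172.16.5.12", POLICY_AUTO_SAME_SUBNET)]:
        print(args, "->", startup_decision(SAMPLE_APPROVED, *args))
```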
Encrypting virtual machine volumes
For Windows and Linux virtual machines, you can encrypt the unencrypted boot
partition. You can also encrypt Windows virtual machine data disks or Linux virtual
machine mounted devices on an individual basis.
For example, when deploying SecureVM Agent to a Windows virtual machine, you
might have applied a volume encryption policy that encrypted only the boot partition.
After deployment, you can encrypt the virtual machine data disks individually. After
initiating encryption, you can monitor progress on the virtual machine in the virtual
machine console. You can also view progress in the virtual machine panel on the
SecureVM tab of CloudLink Center.
Decrypting virtual machine volumes
You can decrypt a Windows or Linux virtual machine encrypted boot partition. You can
also decrypt Windows virtual machine data disks or Linux virtual machine mounted
devices on an individual basis.
For example, before removing a virtual machine that you no longer want to be under
SecureVM control, decrypt the volumes if you want to continue using the virtual
machine. Otherwise, the volumes remain encrypted and therefore inaccessible.
You can decrypt volumes (boot partition and data disks) from the Enterprise Hybrid
Cloud self-service interface. After initiating decryption, monitor progress on the
virtual machine console. You can also view progress in the virtual machine panel on the
SecureVM tab of CloudLink Center.
Changing the volume encryption policy for a Windows virtual machine
You can change the volume encryption policy that you selected during SecureVM
Agent deployment. For more information, see the CloudLink SecureVM Deployment
Guide.
For example, if the volume encryption policy applied during SecureVM Agent
deployment was Boot and Manual Data, only the boot partition is encrypted. No data
disks are encrypted during deployment and any data disks added after deployment
must be manually encrypted while the initial policy is in effect. You can change to the
All Data policy, so that data disks added to the virtual machine are automatically
encrypted.
Changing the volume encryption policy does not affect the boot partition or any
existing data disks. The new policy is applied only when data disks are added to the
virtual machine.
Integration with the service catalog
CloudLink SecureVM encryption is integrated with the service catalog, allowing
encryption of both new and existing workloads. A catalog blueprint can easily be
created, cloned, or modified, whereby the CloudLink build profile is attached to create
an encrypted catalog item. Day two operations are also available to apply encryption
to an existing virtual machine or workload. Virtual disk encryption policies are applied
programmatically based on workload location and requestor selection.
CHAPTER 9
Certificate Update Procedures for EHC
Components
This chapter includes the tasks you must complete to update the security certificates
for each Enterprise Hybrid Cloud component.
- Enterprise Hybrid Cloud certificate update overview ........................................ 86
- Updating vCenter Platform Service Controller...................................................92
- Updating VMware vCenter Server certificates...................................................95
- Updating Automation Pod Platform Services Controller....................................101
- Updating SRM certificates................................................................................ 101
- Updating NSX certificates................................................................................ 104
- Updating ViPR certificates............................................................................... 105
- Updating the vRealize Automation Appliance....................................................106
- Updating vRealize Automation Web IaaS certificates....................................... 108
- Updating vRealize Automation Manager IaaS certificates................................. 110
- Updating the active vRealize Automation Application Services certificate......... 111
- Updating vRealize Orchestrator certificates......................................................113
- Updating vRealize Operations certificates.........................................................114
- Updating vRealize Business certificates............................................................ 114
- Updating Log Insight certificates.......................................................................116
- Updating Avamar certificates............................................................................ 116
- Updating RecoverPoint for Virtual Machines certificates.................................. 118
- Updating CloudLink certificates........................................................................120
- Updating ESXi certificates................................................................................120
- Updating the Data Protection Advisor (DPA) certificate.................................. 122
- Updating VAMI appliance certificates............................................................... 124
- Running EHC validation workflows................................................................... 126
Enterprise Hybrid Cloud certificate update overview
This chapter addresses certificate update procedures used by the EHC solution to
integrate the required components.
In a production environment, Enterprise Hybrid Cloud security best practice is to use
2048-bit SSL leaf-certificates to secure authentication and authorization between
EHC v4.1.2 foundation components. These SSL certificates generally have a two- to
three-year lifetime. When the lifetime expires, the leaf-certificates must be replaced
to prevent an Enterprise Hybrid Cloud administration and orchestration outage. The
lifetime of any certificate can be investigated by opening the component certificate
and reviewing the Valid from section under the General tab on the certificate.
Note
Enterprise Hybrid Cloud implements Transport Layer Security (TLS)-compatible
configurations and certificates. All references to Secure Sockets Layer (SSL) in this
chapter imply TLS compatibility.
EHC Trusted PKI Hierarchy
In a customer environment, the EHC v4.1.2 foundation components have leaf
certificates applied. The leaf certificates are at the end of an implicit chain of trust
defined by the customer security organization.
The chain of trust is defined as:
1. Root CA
2. Subordinate CA (one or more layers of subordinates)
3. Leaf Certificate
Figure 45 SSL certificate chain of trust
Note
If the root CA or subordinate CA are due to expire, the customer security organization
must replace them before you can replace the EHC leaf certificate. This process goes
beyond the scope of this document.
EHC SSL component trust dependency
Understand the SSL certificate interdependency among the EHC components.
Figure 46 EHC SSL certificate interdependency
Overview of certificate update procedures
Ensure that you follow the update order, fulfill the prerequisites, and adhere to
recommendations and best practices.
Certificate update recommendations
Adhere to certificate update and security recommendations.
Certificate security
When creating and signing certificates, Dell EMC recommends that you:
- Properly secure the private key associated with the root certificate.
- In a high-risk environment, use a secure enclave or an air-gapped network for
  signing operations and creating keys, CSRs, and other security-related artifacts.
  (An air-gapped network is completely physically, electrically, and
  electromagnetically isolated.)
- Use a hardware random-number generator (RNG) to efficiently and quickly
  generate random numbers with adequate characteristics for cryptographic use.
- For maximum security, use the OpenBSD operating system as the host for the
  OpenSSL key and certificate utilities.
Certificate revocation list
The certificate update process replaces active certificates that are due to expire, but
the superseded certificates remain active within the Issued Certificates section on the
CA. Dell EMC recommends that as a certificate is superseded, you mark each
component certificate as revoked on the CA, which adds the certificate to the
revoked certificates list on the CA server.
Certificate replacement order
The EHC foundation component leaf certificate replacement procedure follows a
specific sequence.
Update the certificates in this order:
1. vCenter PSC
2. vCenter Server
3. Site Recovery Manager
4. NSX
5. ViPR
6. vRealize Automation Appliance
7. vRealize Automation Web
8. vRealize Automation Manager
9. vRealize Automation Application Service
10. vRealize Orchestrator
11. vRealize Operations
12. vRealize Business
13. vRealize Log Insight
14. Avamar
Additional components that might be considered for leaf certificate replacement
include:
- ESXi
- Data Domain
- DPA
- VMware Appliance Management Interface (VAMI)
For each component whose certificates are to be replaced, record the:
- FQDN
- IP address
- Required administrative username and password
Updating multisite configurations
You must follow a specific order when you update components in a multisite
configuration.
Note
The following steps refer to a Standard dual site/dual vCenter topology.
1. On Site A, replace the Machine and Solution Users SSL certificates on PSC01 and
VC01.
2. On Site B, replace the Machine and Solution Users SSL certificates on PSC02 and
VC02.
3. On the Automation Pod, replace the Machine and Solution Users SSL certificates.
Dell EMC recommends that you replace the SSL certificates on the protected site
SRM before replacing the SSL certificates on subsequent SRM recovery sites.
Note
Component leaf certificate expiration dates might be different on each site. Expiration
dates depend on when the site was deployed as part of the customer EHC cloud
platform. If only one site requires certificate replacement, treat it as a single-site
certificate update.
Certificate update prerequisites
Prepare for the certificate update procedures.
- Ensure that you have the following tools and documents available:
  - EHC Buildscript
  - EHC Build Guide
  - NSX Administration Guide
- Plan a certificate update maintenance window.
  When you update certificates, some EHC components require a restart, which
  directly affects the availability of EHC Orchestration and Administration. Dell EMC
  recommends that you complete the certificate replacement procedure as a single
  end-to-end consecutive process. The process will intermittently affect the
  availability of EHC Orchestration and Administration. Before you start the process,
  plan a suitable maintenance window with the customer to cover the end-to-end
  timeframe required to complete the entire EHC certificate replacement. More
  information about the interruption to EHC Orchestration and Automation is
  provided in the component sections.
VMware Certificate Manager tool
Use the VMWare Certificate Manager tool to replace the required machine and
solution user certificates in PSCs and vCenter Servers.
You use the Certificate Manager tool in each vCenter Server and on each PSC to
replace certificates.
By default, the Certificate Manager tool is located under the /usr/lib/vmware-vmca/bin/certificate-manager path.
The Certificate Manager tool can:
- Help plan the required sequence to follow when you update your SSL certificates.
- Generate Certificate Signing Requests (CSR) for each of the EHC v4.1.2 vSphere
  6.x components that require an updated SSL certificate. When the CSR is created,
  each component's certificate files are stored in specific directories.
- Apply newly created certificates to each of the required EHC v4.1.2 vSphere 6.x
  components as outlined by the Certificate Manager tool.
Running EHC validation workflows
After the end-to-end SSL certificate procedure has been completed, run EHC
vRealize Automation workflows to validate that EHC orchestration and automation is
fully functional.
Run validation tests for vRealize Orchestrator, vCenter, ViPR, Avamar and DPA to
ensure that each of these components is functioning correctly. Testing details are
provided in the associated sections.
Procedure
1. Perform validation tests on vRealize Orchestrator:
a. Connect to the vRealize Orchestrator console: https://vro-vip.domain:8283.
b. Select EHC > Foundation > Validation > tests and run the following tests in
the order listed:
- Pre-Test configuration elements
- TestAD
- TestCAFE
- TestVCAC
- TestVCenter
- TestViPR
- TestVRO
- VerifySiteAffinityBuildProfileAndCustomProperties
2. Validate that vCenter is functioning without issue by deploying a virtual machine
from the vRealize Automation workflow:
a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.
b. Select Catalog > All Services > DeployVMwithBackupCatalogItem.
3. Validate the provision of cloud storage with ViPR:
a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.
b. Select Catalog > Provision Cloud Storage > Run Provision cloud storage.
4. Validate that Avamar backup and restore is functioning:
a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.
b. Select Catalog > Data Protection Services > Create Backup Service Level.
c. Select Catalog > Data Protection Services > Run Backup Service Level.
d. Select Catalog > Data Protection Services > On Demand Backup.
e. Select Catalog > Data Protection Services > On Demand Restore.
5. Validate that DPA is functioning:
a. Connect to vRealize Orchestrator: https://vro-vip.domain:8283.
b. Select EPC2 > EPC Data Protection > CalledByvCAC > GetBackupStatus.
Updating SSL Trust for SSO
When the SSL certificates are updated, update SSL Trust for SSO in vRealize
Orchestrator by using Orchestrator Control Center.
Procedure
1. Connect to the vRealize Orchestrator Control Center (https://vRO-01.domain:8283/vco-controlcenter).
2. From Home > Manage, select Certificates.
3. From the Trusted Certificates tab, select Import and specify the URL/IP of
the vCenter Server.
4. Click Import for the new certificate.
5. Confirm that the new certificate is populated in the Trusted SSL certificate list.
6. Delete the old certificate from the list.
7. On the secondary vRealize Orchestrator Configuration server (https://vRO-02.domain:8283/vco-controlcenter), repeat steps 1 to 5.
Updating vCenter Platform Service Controller
Use the VMware Certificate Manager tool to replace the SSL certificates on each
Platform Service Controller (PSC).
Before you replace the certificates, do the following:
• Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.
• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.
• Ensure that vRealize Automation workflows are not running.
The procedure to update certificates on the PSC includes:
• Replacing the Machine SSL certificate (see Replacing PSC Machine SSL certificates on page 93).
• Replacing the Solution Users certificate (see Replacing PSC Solution User SSL certificates on page 94).
• Updating the SSL Trust for SSO (see Updating SSL Trust for SSO on page 92).
After the PSC certificate replacement procedure is complete, replace the VMware vCenter Server certificate associated with this site (see Updating VMware vCenter Server certificates on page 95).
Note
Ensure that you replace site PSC and vCenter certificates before proceeding to
another site.
Replacing PSC Machine SSL certificates
Replace the active Machine SSL certificates on a VMware PSC.
Procedure
1. Use SSH to log in to the PSC virtual machine.
2. Create a local /tmp/ssl/ directory.
3. Change directory (CD) to /usr/lib/vmware-vmca/bin/.
4. Run certificate-manager.
5. Select Option 1: Replace Machine SSL certificate with Custom Certificates
and type a valid SSO and the user name and password of a user with vCenter
privileges.
6. Select Generate certificate signing request and key for Machine SSL cert.
• Output destination directory: /tmp/ssl/.
• Output: machine_ssl.csr and machine_ssl.key.
7. Generate a signed certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)
e. Download the Base64 certificate.
f. Rename the Base64 certificate to machine_ssl.cer.
g. Copy the machine_ssl.cer file to the C:\Certs directory on the
PSC virtual machine.
8. In the Certificate Manager tool, select Option 1: Continue to import custom
certs and keys.
a. Type the path to machine_ssl.cer.
b. Type the path to machine_ssl.key.
c. Type the path to Root64.cer.
d. Type Y.
All required PSC services are stopped and started.
Note
The script's output includes VMware system process checks that are not valid
for this VMware component. Therefore, you might see service checks for
components such as VSAN with a Don't update service message.
9. When the status is 100% Complete, restart the control service on the
associated vCenter server to reflect the PSC updates.
a. Log in with SSH to the vCenter server virtual machine.
b. Run service-control --stop --all.
c. Run service-control --start --all.
10. Validate the PSC certificate:
a. Open your web browser and connect to the PSC web interface (https://psc<00>.domain/psc).
b. Log in as SSO Administrator (administrator@vsphere.local).
c. Select Certificate Management, log in with the administrator account, and
then click Submit.
d. Verify that the certificate is present.
e. Verify that the validity dates have been updated for the certificate.
After you finish
Replace the Solution Users certificate (see Replacing PSC Solution User SSL
certificates on page 94).
Replacing PSC Solution User SSL certificates
Replace the active Solution User SSL certificates on a VMware PSC.
Before you begin
Ensure that the Machine SSL certificate has been replaced.
Procedure
1. Use SSH to log in to the PSC virtual machine.
2. Change directory (CD) to /usr/lib/vmware-vmca/bin/.
3. Run certificate-manager.
4. Select Option 5: Replace Solution User certificate with Custom Certificates
and type a valid SSO and the user name and password for a user with vCenter
privileges.
5. Select Option 1: Generate certificate signing request and key for Solution User cert.
• Output destination directory: /tmp/ssl/.
• Output must be two different solution user CSRs and private keys:
  - machine
  - vsphere_webclient
6. Generate a signed certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)
e. Download the Base64 certificate.
f. Rename the Base64 certificate to match the applicable solution user.
(name.cer)
g. Copy the solution user certificates to C:\Certs directory on the PSC
Server virtual machine.
7. In the Certificate Manager tool, select Option 1: Continue to import custom
certs and keys.
a. Provide the path to machine.cer.
b. Provide the path to machine.key.
c. Provide the path to vsphere-webclient.cer.
d. Provide the path to vsphere-webclient.key.
e. Type the path to Root64.cer.
f. Type Y.
All required PSC services are stopped and started.
8. When the status is 100% Complete, restart the control service on the
associated vCenter server to reflect the PSC updates.
a. Log in with SSH to the vCenter server virtual machine.
b. Run service-control --stop --all.
c. Run service-control --start --all.
9. Validate the PSC certificate:
a. Open your web browser and connect to the PSC web interface (https://psc<00>.domain/psc).
b. Log in as SSO Administrator (administrator@vsphere.local).
c. Select Certificate Management, log in with the administrator account, and
then click Submit.
d. Verify that the certificate is present.
e. Verify that the validity dates have been updated for the certificate.
After you finish
• Update the SSL Trust for SSO in vRealize Orchestrator. See Updating SSL Trust for SSO on page 92.
• Replace the VMware vCenter Server certificate associated with this site. See Updating VMware vCenter Server certificates on page 95.
Updating VMware vCenter Server certificates
Use the VMware Certificate Manager tool to replace expiring SSL certificates on the
VMware vCenter Server.
Before you replace the certificates, do the following:
• Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.
• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.
• Ensure that vRealize Automation workflows are not running.
• Replace the certificates for the PSC that is associated with this site (see Updating vCenter Platform Service Controller on page 92).
Note
Complete the vCenter server certificate replacement as soon as possible after the
associated PSC appliance SSL certificate replacement.
The procedure to update certificates on the vCenter Server includes:
• Replacing the Machine SSL certificate (see Replacing vCenter Server Machine SSL certificates on page 96).
• Replacing the Solution Users certificate (see Replacing vCenter Server Solution User SSL certificates on page 97).
• Updating additional components (see Updating additional components after vCenter Server updates on page 99).
Replacing vCenter Server Machine SSL certificates
Replace the active Machine SSL certificates on a VMware vCenter Server appliance.
Before you begin
Ensure that the certificates for the PSC that is associated with this site have been
replaced.
Procedure
1. Use SSH to log in to the vCenter Server virtual machine.
2. Create a local /tmp/ssl/ directory.
3. Change directory (CD) to /usr/lib/vmware-vmca/bin/.
4. Run certificate-manager.
5. Select Option 1: Replace Machine SSL certificate with Custom Certificates
a. Type a valid SSO and user name and password for a user with vCenter
privileges.
b. Type the IP address of the associated PSC appliance (valid infrastructure
server IP).
6. Select Option 2 to start certificate replacement and respond to the prompts.
vSphere Certificate Manager prompts you for the following information:
• Password for administrator@vsphere.local
• Valid Machine SSL custom certificate (.crt file)
• Valid Machine SSL custom key (.key file)
• Valid signing certificate for the custom machine SSL certificate (.crt file)
• IP address of the Platform Services Controller (if you are running the command on a management node in a multi-node deployment)
• (If prompted) output destination directory /tmp/ssl/
• (If prompted) output machine_ssl.csr and machine_ssl.key
7. Generate a signed certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)
e. Download the Base64 certificate.
f. Rename the Base64 certificate to machine_ssl.cer.
g. Copy the machine_ssl.cer file to the C:\Certs directory on the
PSC virtual machine.
8. In the Certificate Manager tool, select Option 1: Continue to import custom
certs and keys.
a. Type the path to machine_ssl.cer.
b. Type the path to machine_ssl.key.
c. Type the path to Root64.cer.
d. Type Y.
All required PSC services are stopped and started.
Note
The script's output includes VMware system process checks that are not valid
for this VMware component. Therefore, you might see service checks for
components such as VSAN with a Don't update service message.
9. Open your web browser to the following URLs and verify that the certificate is
present:
• vCenter Server (https://vcs.domain.com:443)
• vSphere Web Client (https://vcs.domain.com:9443)
After you finish
Replace the Solution User SSL certificate (see Replacing vCenter Server Solution
User SSL certificates on page 97).
Replacing vCenter Server Solution User SSL certificates
Replace the active Solution User SSL certificates on a vCenter Server.
Before you begin
Ensure that the Machine SSL certificate has been replaced (see Replacing vCenter
Server Machine SSL certificates on page 96).
Procedure
1. Use SSH to log in to the vCenter Server virtual machine.
2. Change directory (CD) to /usr/lib/vmware-vmca/bin/.
3. Run certificate-manager.
4. Select Option 5: Replace Solution User SSL certificate with Custom
Certificates:
a. Type a valid SSO and the user name and password of a user with vCenter
privileges.
b. Type the IP address of the associated PSC appliance (valid infrastructure server IP).
5. Select Option 2 to start certificate replacement and respond to the prompts.
• Output destination directory: /tmp/ssl/.
• Output is four different solution user CSRs and private keys:
  - machine
  - vsphere_webclient
  - vpxd
  - vpxd-extension
6. Generate a signed certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)
e. Download the Base64 certificate.
f. Rename the Base64 certificate to match the applicable solution user.
(name.cer)
g. Copy four solution user certificates to the C:\Certs directory on the
vCenter virtual machine.
7. In the Certificate Manager tool, select Option 1: Continue to import custom
certs and keys:
a. Type the path to machine.cer
b. Type the path to machine.key
c. Type the path to vsphere-webclient.cer
d. Type the path to vsphere-webclient.key
e. Type the path to vpxd.cer
f. Type the path to vpxd.key
g. Type the path to vpxd-extension.cer
h. Type the path to vpxd-extension.key
i. Type the path to Root64.cer.
j. Type Y.
All vCenter Server services are stopped and started.
8. Open your web browser to the following URLs and verify that the certificate is
present:
• vCenter Server (https://vcs.domain.com:443)
• vSphere Web Client (https://vcs.domain.com:9443)
After you finish
Update additional components (see Updating additional components after vCenter Server updates on page 99).
Updating additional components after vCenter Server updates
When the vCenter Server active certificate replacement is complete, you must update
some Enterprise Hybrid Cloud components with the new vCenter Server SSL
certificate.
Procedure
1. vRealize Orchestrator.
See Updating SSL Trust for SSO on page 92.
2. NSX Manager.
See Reestablishing the lookup service connection on page 99.
3. vRealize Operations Manager.
See Reestablish the collection process on vRealize Operations Manager on page
99.
4. Avamar.
See Uploading vCenter SSL certificates to Avamar on page 100.
Reestablishing the lookup service connection
After you update the PSC and vCenter Server SSL certificates, reestablish the HTTPS
connection from NSX Manager to vCenter server and the lookup service.
Procedure
1. Connect to NSX Manager.
2. Go to Manage Appliance Settings > NSX Management Service > Lookup
Service, and click Edit.
3. Type the PSC SSO administrator and password, and then click OK.
4. Accept the updated certificate thumbprint.
5. Go to vCenter Server and click Edit.
6. Type the vCenter password and accept the updated certificate thumbprint.
The vCenter Server shows a connected status.
Reestablish the collection process on vRealize Operations Manager
When vCenter Server SSL certificates are updated, the collection process on vRealize
Operations Manager needs to be re-established.
Procedure
1. Connect to vRealize Operations Manager.
2. Go to Certificates and remove expired/superseded vCenter certificates.
3. Go to Solutions and select VMware vSphere from list of current solutions.
4. Select the Configure option.
5. In the solution window for vSphere, click Test Connection, and then click OK to accept the new certificate thumbprint.
6. Click Save Settings, OK, and then Close.
7. Click Start Collecting to resume the vSphere collection process.
Uploading vCenter SSL certificates to Avamar
When the vCenter Server SSL certificates are updated, the newly applied vCenter
SSL certificate must be manually uploaded to your Avamar servers.
This procedure requires the Avamar server MCS process to be stopped. This will abort
any running or scheduled backup/restore operations. Dell EMC recommends that you
perform this procedure during a low backup activity or during a planned maintenance
window.
Note
If the Avamar server protects more than one vCenter, perform the procedure on all
vCenter servers.
Procedure
1. SSH as admin to Avamar utility-node (multi-node version) or to Avamar Server
(single-node/AVE).
2. Copy rui.crt from the vCenter machine to the Avamar server:
• vCenter location: C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\rui.crt
Note
The ProgramData directory is a hidden system directory.
• Avamar location: /tmp
3. To stop the MCS, type the dpnctl stop mcs command.
4. Switch user to root by typing su - and entering the root password.
5. To copy the MCS keystore to /tmp, type the cp /usr/local/avamar/lib/rmi_ssl_keystore /tmp/ command.
6. Add the vCenter certificate to the temporary MCS keystore by typing:
a. cd /tmp
b. $JAVA_HOME/bin/keytool -import -file rui.crt -alias alias -keystore rmi_ssl_keystore
where alias is a user-defined name for this certificate.
7. Type the keystore password. (The default is changeme).
8. Type yes and press Enter to trust the certificate.
9. Back up the live MCS keystore by typing:
a. cd /usr/local/avamar/lib
b. cp rmi_ssl_keystore rmi_ssl_keystore.date
where date is today's date.
10. Copy the temporary MCS keystore to the live location by typing:
cp /tmp/rmi_ssl_keystore /usr/local/avamar/lib/
11. Exit the root subshell by typing exit.
12. To restart the MCS and scheduler:
a. Type dpnctl start mcs
b. Type dpnctl start sched
13. Validate Avamar, following the vRealize Automation workflow:
a. Go to Catalog > Data Protection Services > Create Backup Service
Level.
b. Go to Catalog > Data Protection Services > Run Backup Service Level.
Updating Automation Pod Platform Services Controller
The vCenter Automation Pod Platform Services Controller (Auto-PSC) manages and
controls access to the vRealize suite of applications. The Auto-PSC also provides
authorization based on user privilege to allow various EHC workflows to run.
Before you begin
• Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.
• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.
• Ensure that vRealize Automation workflows are not running.
The procedures for updating the Automation Pod PSC certificates are similar to the
procedures for updating the PSC certificates. Use the VMware Certificate Manager
tool to replace the SSL certificates on each PSC.
Procedure
1. Replace the Machine SSL certificate (see Replacing PSC Machine SSL
certificates on page 93).
2. Replace the Solution Users SSL certificate (see Replacing PSC Solution User SSL certificates on page 94).
3. Update the SSL Trust for SSO in vRealize Automation:
a. Connect to the Master vRealize Automation VAMI Appliance.
b. Click vRA Settings > SSO.
c. Update the SSO Admin User and Password and click Save Settings.
d. Click OK for the new SSL thumbprint.
The SSO Info section now shows status = connected.
4. Update the SSL Trust for SSO in vRealize Orchestrator. See Updating SSL
Trust for SSO on page 92.
Updating SRM certificates
Replace the current SRM SSL certificate.
Before you begin
• Ensure you have the correct SRM installer package that matches the SRM plug-in build number in vCenter.
• Make note of the password for the EHC svc_srm service account.
• Arrange a maintenance window with the customer so that no Test Failover, Re-Protect, or Failover operations are running during this maintenance window.
• Follow this pre-check:
1. Connect to the vCenter Server web client.
2. Go to Site Recovery Manager.
3. Check the status of each recovery plan.
Note
Check for ongoing Test Failover, Re-Protect, or Failover operations from the SRM
Console. If any of these tasks is pending or running, do not replace the certificate and
wait for the task to complete.
If you are replacing certificates in a multisite environment, update the Protected Site
first and then update the recovery sites. When you complete the SSL certificate
replacement on each site SRM virtual machine, verify that recovery plan status is
showing as active and the destination site is accessible.
For more information, see Requirements When Using Custom SSL/TLS Certificates
with Site Recovery Manager.
Procedure
1. Connect to the virtual machine where you want to generate the certificate
signing request (CSR) and Private Key. (The virtual machine must run
OpenSSL.)
2. Create the C:\Certs\SRM output directory for new key files.
3. Create the srm.cfg configuration file, which is used to create the CSR.
Note
The SubjectAltName value includes a generic FQDN that covers both sites,
as well as a per-site SRM FQDN.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:srm.domain, DNS:srm01.domain
[ req_distinguished_name ]
countryName = 2-digit_country_code
stateOrProvinceName = state/province
localityName = location
0.organizationName = company_name
organizationalUnitName = department_name
commonName = srm.domain
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
[ req_attributes ]
4. Open the command prompt and browse to the directory where OpenSSL is
installed.
5. To create the CSR and Private Key, run the following command:
openssl.exe req -new -nodes -out C:\Certs\SRM\srm.csr -keyout C:\Certs\SRM\srm-orig.key -config C:\Certs\SRM\srm.cfg
6. To convert the Private Key to RSA format, run the following command:
openssl.exe rsa -in c:\Certs\SRM\srm-orig.key -out c:\Certs\SRM\srm.key
7. Generate a CA-signed certificate from generated CSR:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)
e. Download the Base64 certificate.
f. Rename the Base64 certificate to srm.cer (the file name used in step 8).
8. To convert the certificate file to encrypted p12 format, run the following
command, where the variable values reflect the customer environment:
openssl.exe pkcs12 -export -in c:\Certs\SRM\srm.cer -inkey c:\Certs\SRM\srm.key -name "srmprotected" -passout pass:password -out c:\Certs\SRM\srm.p12
The password can be a maximum of 31 characters. For more information, see
the VMware topic, SRM Install and Configure.
9. Copy the new PKCS#12 certificate bundle (srm.p12) to the SRM virtual machine.
10. RDP to the SRM virtual machine with the svc_srm user account.
11. Execute the previously downloaded SRM installer and select Modify.
12. Provide SSO administrative credentials (usually
administrator@vsphere.local) and click Next and Next again on
vCenter server page.
13. On the SRM page, type the Admin email address and host to be used for the
installation and click Next.
14. On the Certificate Type page, select Use a PKCS#12 certificate file and click
Next.
15. On the Certificate File page, go to the location of srm.p12 file and type
Password. Click Next and Next again on the External Database page.
16. On SRM Service Account page, enter the password for the svc_srm account
and click Next and then Finish.
17. Restart local SRM service on the SRM virtual machine.
a. Open the services.msc console.
b. Restart the VMware vCenter Site Recovery Manager Server
service.
18. To validate the SRM virtual machine:
a. Open the MMC console and add in the Certificates snap-in:
Service Account > Local Computer > VMware vCenter Site Recovery
Manager Server
b. Expand the snap-in and select vmware-dr\Personal > Certificates.
The newly updated certificate is listed. Note the certificate CA and
expiration date.
19. To validate vCenter:
a. Connect to vCenter Server web client.
b. Go to Site Recovery Manager.
c. Check status of each recovery plan.
After you finish
Update the SSL Trust for SSO (see Updating SSL Trust for SSO on page 92).
Updating NSX certificates
Replace the current SSL CA-signed certificate on NSX manager.
Before you begin
Review information about SSL certification in the NSX Administration Guide.
Note
You must reboot NSX Manager when the certificate replacement is complete.
Procedure
1. Log in to the NSX Manager virtual appliance.
2. Select Manage Appliance Settings > SSL Certificates > Generate CSR.
3. Provide data for the following fields, and then click OK.
• Algorithm: Select RSA.
• Key Size: Select the key length used in the selected algorithm.
• Common Name: Type the IP address or fully qualified domain name (FQDN) of the NSX Manager. VMware recommends that you enter the FQDN.
• Remaining fields: Complete according to customer requirements.
4. Click Download CSR.
Using this method, the private key never leaves the NSX Manager.
5. Generate CA-signed certificates:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)
e. Download the DER encoded certificate. The default filename is certnew.cer.
f. Download the DER encoded certificate chain, and extract the Root and the appropriate subordinate certificates into the Root64.cer file.
6. Convert the certificate to PEM format:
a. Run the openssl x509 -inform der -in certnew.cer -out 4-nsx-signed.pem command.
b. Concatenate Root and subordinate certificates in the 4-nsx-signed.pem
file.
Additional root and subordinate certificates are placed below existing leaf
certificates in the 4-nsx-signed.pem file.
7. In the NSX manager UI, click Import and select 4-nsx-signed.pem.
8. When the import is successful, the server certificate and all the CA certificates
are listed on the SSL certificates page.
9. Click the settings icon in the top left and click Reboot Appliance.
10. To validate the new certificates, check the SSL certificate contents on the NSX
Manager web page address bar. The SSL certificate Valid from field under the
General tab indicates the period of time for which the new certificate is valid.
After you finish
Update the SSL Trust for SSO (see Updating SSL Trust for SSO on page 92).
Updating ViPR certificates
Replace the ViPR active SSL certificate.
Before you begin
An Enterprise Hybrid Cloud Buildscript is required for scripted creation of CSR and
download of ViPR controller SSL certificate.
Use the Enterprise Hybrid Cloud buildscript to create and submit the component CSR
and download the ViPR controller SSL certificate. Plan to restart ViPR Manager after
the certificate replacement is complete.
Procedure
1. Run the Enterprise Hybrid Cloud Buildscript.
2. Select Option 4 ViPR Tasks.
3. Select Option 1 Create & Submit CSR & Download ViPR SSL Cert.
Updated SSL certificate component files are stored locally in C:\Certs
\ViPR_Controller.
4. Connect to the ViPR Web UI at https://ViPR-FQDN.
5. Select Security > Keystore and upload the new private key and certificate chain file.
6. Click Save.
The ViPR controller restarts.
7. Validate the new certificate details and dates from the ViPR Web UI address
bar, https://ViPR-FQDN.
After you finish
Update the SSL Trust for SSO. See Updating SSL Trust for SSO on page 92.
Updating the vRealize Automation Appliance
Update the existing SSL certificates on the vRealize Automation Appliance.
Before you begin
• Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.
• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.
• Ensure that vRealize Automation workflows are not running.
• Confirm that up-to-date backups exist for the vRealize Automation Appliance virtual machines and the VMware vCloud Automation Center (VCAC) database.
• Connect to the Appliance Web UI, https://vra01.domain:5480/, and confirm that all valid services on each appliance are showing as Registered and none are showing as Failed. Resolve failed services before attempting certificate replacement.
Note
• Completing the process on the Master vRealize Automation appliance replicates the certificate to the secondary appliance.
• Replace only one vRealize Automation appliance component certificate at a time to ensure that environment trust is maintained.
Procedure
1. Prepare the environment using the Prepare the environment topic in VMware KB
article 2090090.
2. Prepare the configuration file for the master appliance, vRA01.
For example (variables are specific to the customer environment):
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vra01, DNS:vra01.domain, DNS:vra02, DNS:domain, DNS:vra-vip, DNS:vra-vip.domain
[ req_distinguished_name ]
countryName = 2-digit_code
stateOrProvinceName = state/province
localityName = locality
0.organizationName = org_name
organizationalUnitName = unit
commonName = vra-vip.domain
3. Run the following commands to create a certificate signing request:
a. openssl req -new -nodes -out c:\certs\vra01\rui.csr -keyout c:\certs\vra01\rui-orig.key -config c:\certs\vra01\vra01.cfg
(Input: vra01.cfg. Output: rui.csr and rui-orig.key.)
b. openssl rsa -in c:\certs\vra01\rui-orig.key -out c:\certs\vra01\rui.key
(Converts rui-orig.key to rui.key.)
4. Generate certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)
e. Download Base64 encoded certificate. (default filename, certnew.cer)
f. Rename the downloaded signed certificate to rui.crt.
5. Generate the pfx and create the PEM files:
a. openssl pkcs12 -export -in C:\certs\vra01\rui.crt -inkey C:\certs\vra01\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vra01\rui.pfx
b. openssl pkcs12 -in c:\certs\vra01\rui.pfx -inkey c:\certs\vra01\rui.key -out c:\certs\vra01\rui.pem -nodes
6. From the Appliance Web UI https://vra01.domain:5480/ select vRA
Settings > Host Settings.
7. Select SSL Configuration > Import and paste the contents of the relevant rui.key, rui.pem, and pass phrase.
8. Click Save Settings.
vRealize Automation Appliance services restart. The status is displayed in the
Services tab.
Note
It could take 10 to 15 minutes for all services to restart and show as Registered.
9. Ignore the Sign the IaaS certificates section. This will be completed later.
10. From the vRealize Automation Appliance portal, https://vra01.domain:5480, select vRA Settings > Host Settings and confirm that the certificate
information is identical on the master and secondary vRealize Automation
appliance certificates.
11. Connect to the vRealize Automation VIP https://vra-vip.domain and
verify the new certificate status from the portal address bar and confirm that
the certificate expiration date has been updated.
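The OpenSSL steps of the SRM procedure (steps 3 to 8) and the vRealize Automation appliance procedure (steps 2 to 5) follow the same pattern: request config with SANs, CSR and key, CA signing, key conversion, PKCS#12 export and back to PEM. The script below is an added example that is not part of the guide; it runs that pattern end to end on a POSIX host and then performs the checks the guide asks you to do by eye in a browser. A constructed self-signed root CA stands in for the customer's CA web enrollment, the names and password are the guide's placeholders, and bash with OpenSSL 1.1.1 or later on PATH is assumed.

```shell
# Added example, not from the Enterprise Hybrid Cloud guide: the OpenSSL steps
# of the SRM and vRA procedures run end to end, with a constructed self-signed
# root standing in for the customer CA. Assumes bash and OpenSSL >= 1.1.1.
set -euo pipefail

# Request config in the shape of the guide's srm.cfg / vra01.cfg (only the
# sections that openssl req and openssl x509 -req read).
# $1 = cfg path, $2 = commonName, $3 = subjectAltName value ("DNS:a, DNS:b")
write_req_cfg() {
  cat > "$1" <<EOF
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = $3
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = Massachusetts
localityName = Hopkinton
0.organizationName = Example Corp
organizationalUnitName = Cloud Platform
commonName = $2
EOF
}

# Constructed stand-in for the customer CA: a self-signed root with CA:TRUE,
# built from its own config so the host's default openssl.cnf plays no part.
make_test_ca() {                          # $1 = dir; writes ca.key and Root64.cer
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
    'x509_extensions = v3_ca' '[ dn ]' 'CN = Constructed Test Root CA' \
    '[ v3_ca ]' 'basicConstraints = critical, CA:TRUE' \
    'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' \
    > "$1/ca.cfg"
  openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 30 \
    -config "$1/ca.cfg" -keyout "$1/ca.key" -out "$1/Root64.cer" 2>/dev/null
}

# Guide steps "openssl req -new -nodes ..." and "openssl rsa ...":
# CSR plus private key from the config, then the key rewritten in RSA format.
make_csr_and_key() {                      # $1 = dir, $2 = cfg
  openssl req -new -nodes -out "$1/rui.csr" -keyout "$1/rui-orig.key" \
    -config "$2" 2>/dev/null
  openssl rsa -in "$1/rui-orig.key" -out "$1/rui.key" 2>/dev/null
}

# Sign the CSR with the test CA, applying v3_req explicitly: a CA template
# that drops it issues a certificate with no SAN, which then fails hostname checks.
sign_csr() {                              # $1 = dir, $2 = cfg; writes rui.crt
  openssl x509 -req -sha256 -days 30 -in "$1/rui.csr" \
    -CA "$1/Root64.cer" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$2" -extensions v3_req -out "$1/rui.crt" 2>/dev/null
}

# Guide steps 5a/5b (vRA): PKCS#12 export with the chain, then back to PEM.
# The password argument is pass:VALUE with no space after the colon.
pkcs12_roundtrip() {                      # $1 = dir, $2 = password
  openssl pkcs12 -export -in "$1/rui.crt" -inkey "$1/rui.key" \
    -certfile "$1/Root64.cer" -name rui -passout "pass:$2" -out "$1/rui.pfx"
  openssl pkcs12 -in "$1/rui.pfx" -passin "pass:$2" -nodes \
    -out "$1/rui.pem" 2>/dev/null
}

# Post-replacement checks: every required DNS name is in the SAN, the chain
# validates against Root64.cer, the certificate stays valid for at least N
# days, and the .pfx carries the same leaf certificate as rui.crt.
cert_has_sans() {                         # $1 = cert, $2.. = expected DNS names
  local cert="$1" sans n; shift
  sans="$(openssl x509 -in "$cert" -noout -ext subjectAltName | tr -d ' \n'),"
  for n in "$@"; do case "$sans" in *"DNS:$n,"*) ;; *) return 1 ;; esac; done
}
chains_to_root() { openssl verify -CAfile "$1/Root64.cer" "$1/rui.crt" >/dev/null 2>&1; }
valid_for_days() { openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; }
pkcs12_has_leaf() {                       # $1 = dir, $2 = password
  [ "$(openssl pkcs12 -in "$1/rui.pfx" -passin "pass:$2" -clcerts -nokeys 2>/dev/null \
       | openssl x509 -noout -fingerprint -sha256)" = \
    "$(openssl x509 -in "$1/rui.crt" -noout -fingerprint -sha256)" ]
}

# Whole flow for the guide's SRM names, in a scratch directory (DEMO_DIR).
run_demo() {
  DEMO_DIR="$(mktemp -d)"
  write_req_cfg "$DEMO_DIR/srm.cfg" srm.domain "DNS:srm.domain, DNS:srm01.domain"
  make_test_ca "$DEMO_DIR"
  make_csr_and_key "$DEMO_DIR" "$DEMO_DIR/srm.cfg"
  sign_csr "$DEMO_DIR" "$DEMO_DIR/srm.cfg"
  pkcs12_roundtrip "$DEMO_DIR" CREATEPASSWORD
  cert_has_sans "$DEMO_DIR/rui.crt" srm.domain srm01.domain || { echo "SAN check failed"; return 1; }
  chains_to_root "$DEMO_DIR" || { echo "chain check failed"; return 1; }
  valid_for_days "$DEMO_DIR/rui.crt" 7 || { echo "validity check failed"; return 1; }
  pkcs12_has_leaf "$DEMO_DIR" CREATEPASSWORD || { echo "pfx check failed"; return 1; }
  echo "all checks passed; files in $DEMO_DIR"
}
run_demo
```

Against a real CA, drop make_test_ca and sign_csr, submit rui.csr through web enrollment as the guide describes, save the Base64 result as rui.crt and the chain as Root64.cer, and run the same four checks before importing anything into the appliance.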
After you finish
• Update vRealize Business:
  1. Connect to vRealize Business Web VAMI, https://vRB-Appliance.domain:5480.
  2. Under vRealize, type vRealize Automation VIP details.
  3. Select Accept vRealize Automation certificate.
  4. Click Register.
• Update the SSL Trust for SSO. See Updating SSL Trust for SSO on page 92.
Updating vRealize Automation Web IaaS certificates
Renew the Master and Secondary vRealize Automation Web IaaS certificates.
Before you begin
• Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.
• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.
• Ensure that vRealize Automation workflows are not running.
• Perform a backup of the vRealize Automation Appliance virtual machines.
Update the Master vRealize Automation Web IaaS certificate, and then update the
Secondary certificate.
Procedure
1. RDP to the Web server virtual machine.
2. Open IIS, select the web server Web01 and select Server Certificates > Create
Certificate Request.
a. Under Distinguished Name Properties, provide values for the fields according to the customer environment. For Common Name, use web-vip.domain.
b. Under Service Provider properties select 2048 bit RSA certificate.
c. Type a name for the file, select the location, and click Finish.
3. Generate a signed certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: VMware SSL
e. Additional attributes: Specify a SAN entry for every Web DNS name.
For example: san:dns=web-vip&dns=web01&dns=web01.vlab.local&dns=web02&dns=web02.vlab.local
f. Download the Base64 certificate.
4. From the Master web virtual machine IIS, select Complete certificate request.
The new certificate is listed under Server Certificates.
5. Go to Default Web Site, right-click Edit Bindings and edit https port 443
to assign the new SSL certificate.
6. Select the IIS server and select Manage Server > Restart to restart the IIS
service.
7. Connect to vRealize Automation at https://vRA_Web01.domain to confirm that
the certificate valid from date has been updated.
8. Update the secondary vRealize Automation Web IaaS certificate:
a. On Master Web01 IIS, right click the valid server certificate and select
Export as .pfx.
b. Set the password.
c. Copy the PFX file to the secondary Web02 virtual machine.
d. On Web02, select IIS > Server Certificates.
e. Select Import and import the PFX file from Web01.
The new certificate is listed under Server Certificates in IIS MMC.
f. Right click Default Web Site, select Edit Bindings > https port 443 >
Edit > Assign new SSL certificate, select the appropriate certificate, and
click OK.
g. Restart the IIS service.
9. Validate that the certificate status and valid from dates have been updated on
the following:
• vRA Web02 https://web02.domain.
• vRA Web VIP https://web-vip.domain.
10. Connect to the vRealize Automation Appliance Management page,
https://vra01.domain:5480/, to confirm that all services are showing as Registered.
If any services show as Failed, refer to Updating vRealize Automation
Certificates for information about rebuilding the trust relationship between
vRealize Automation components.
After you finish
Update the SSL Trust for SSO. See Updating SSL Trust for SSO on page 92.
Updating vRealize Automation Manager IaaS certificates
Renew expiring Master and Secondary vRealize Automation Manager IaaS
certificates.
Before you begin
• Set up a maintenance window with the customer. Postpone virtual machine
provisioning during the maintenance window.
• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.
• Ensure that vRealize Automation workflows are not running.
• Perform a backup of the vRealize Automation Appliance virtual machines.
Update the Master vRealize Automation Manager IaaS certificate, and then update
the Secondary certificate.
Procedure
1. RDP to the Manager server virtual machine.
2. Open IIS, select the web server Manager01 and select Server Certificates >
Create Certificate Request.
• Common Name: manager-vip.domain
• Service Provider properties: 2048 bit RSA certificate.
3. Generate a signed certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: VMware SSL
e. Additional attributes: Specify a SAN entry for every Manager DNS name.
For example: san:dns=manager-vip&dns=manager01&dns=manager01.vlab.local&dns=manager02&dns=manager02.vlab.local
f. Download the Base64 certificate.
4. From the Master manager virtual machine IIS, select Complete certificate
request.
The new certificate is listed under Server Certificates.
5. Go to Default Web Site, right-click Edit Bindings and edit port 443 to assign
the new SSL certificate.
6. Restart the IIS service.
7. Connect to vRealize Automation https://vRA_Web01.domain to confirm
that the certificate valid from date has been updated.
8. Update the secondary vRealize Automation Manager IaaS certificate:
a. On Master Manager01 IIS, right click the valid server certificate and select
Export as .pfx.
b. Set the password.
c. Copy the PFX file to the secondary Manager02 virtual machine.
d. On Manager02, select IIS > Server Certificates.
e. Select Import and import the PFX file from Manager01.
The new certificate is listed under Server Certificates.
f. Go to Default Web Site, right-click and select Edit Bindings.
g. Edit https port 443 to assign the new SSL certificate.
h. Restart the IIS service.
9. Validate that the certificate status and valid from dates have been updated on
the following:
• vRA Manager02 https://manager02.domain.
• vRA Manager VIP https://manager-vip.domain.
10. Connect to the vRealize Automation Appliance Management page,
https://vra01.domain:5480/, to confirm that all services are showing as Registered.
If any services show as Failed, refer to Updating vRealize Automation
Certificates for information about rebuilding the trust relationship between
vRealize Automation components.
Updating the active vRealize Automation Application
Services certificate
Replace an expiring CA signed SSL certificate on the vRealize Automation Application
Services (vRAAS) server.
Before you begin
• Set up a maintenance window with the customer. Postpone virtual machine
provisioning during the maintenance window.
• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.
• Ensure that vRealize Automation workflows are not running.
• Perform a backup of the vRealize Automation Appliance virtual machines.
Note
If the customer vRAAS does not currently use CA signed certificates and the
customer wants to start using CA signed certificates, complete the Update Server
section of KB 2065009.
Procedure
1. Prepare the environment using the Prepare the environment topic in VMware KB
article 2090090.
2. Prepare configuration file for Master Appliance, vRA01.
For example (variables are specific to the customer environment):
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vra01, DNS:vra01.domain, DNS:vra02, DNS:domain, DNS:vra-vip, DNS:vra-vip.domain
[ req_distinguished_name ]
countryName = 2-digit_code
stateOrProvinceName = state/province
localityName = locality
0.organizationName = org_name
organizationalUnitName = unit
commonName = vra-vip.domain
3. Run the following commands to create a certificate signing request:
a. openssl req -new -nodes -out c:\certs\vraas\rui.csr -keyout c:\certs\vraas\rui-orig.key -config c:\certs\vraas\vraas.cfg
(Input: vraas.cfg; Output: rui.csr and rui-orig.key)
b. openssl rsa -in c:\certs\vraas\rui-orig.key -out c:\certs\vraas\rui.key
Converts rui-orig.key to rui.key.
4. Generate certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: VMware SSL
e. Download Base64 encoded certificate and save as rui.crt.
5. Combine the private key and certificate into one PKCS 12 file:
openssl pkcs12 -export -in C:\certs\vraas\rui.crt -inkey C:\certs\vraas\rui.key -passout pass:password -out C:\certs\vraas\rui.p12
6. Copy the generated rui.p12 to the vRAAS appliance. (WinSCP file to /tmp).
7. Use SSH to log in to the vRAAS appliance and change directory to /tmp.
8. Create the JKS Keystore file required by the vRealize Application Services
server by running the command:
keytool -v -importkeystore -deststorepass 'password' -destkeystore appdui.jks -srckeystore /tmp/rui.p12 -srcstoretype PKCS12 -srcstorepass 'password' -destalias ssl -alias 1 -deststoretype JKS
9. Backup active Keystore appdui.ks in /home/Darwin/keystore.
10. Copy the generated appdui.ks keystore file from /tmp to /home/Darwin/keystore.
This will overwrite the keystore file already in this directory.
11. Update file permissions on Keystore:
a. #chown darwin /home/darwin/keystore/appdui.jks
b. #chmod 400 /home/darwin/keystore/appdui.jks
12. Stop and restart the vRealize Application Services server:
a. Stop: #service vmware-darwin-tcserver stop
b. Restart: #service vmware-darwin-tcserver restart
Note
It could take 10 to 15 minutes for all services to restart and show as Registered.
13. Connect to the vRealize Application Services server, https://vRAAS.domain:8444/darwin,
to confirm that the certificate expiration date has been updated.
Results
Completing the process on the Master vRealize Automation appliance replicates the
certificate to the secondary appliance.
Updating vRealize Orchestrator certificates
Replace expiring vRealize Orchestrator SSL certificates.
Before you begin
Plan for a restart of the vRealize Orchestrator hosts.
To reestablish trust between vRealize Orchestrator and each solution component it
communicates with, SSL Trust for SSO must be updated in vRealize Orchestrator by
using Orchestrator Control Center. Perform these steps on the first orchestrator
node.
The following table lists the vRealize Orchestrator touchpoints for SSL.

EHC Component                              Example URL
ViPR                                       https://vipr.domain.local
vRealize Automation virtual appliance VIP  https://vra-vip.domain.local
vRealize Automation web server VIP         https://web-vip.domain.local
Cloud Center Server                        https://cloud-vc01.domain.local
Cloud Center SDK                           https://cloud-vc01.domain.local/sdk
NSX Manager                                https://nsx-mgr.domain.local
Data Protection Advisor (DPA)              https://dpa.domain.local:9002
SRM Primary Site                           https://srm01.domain.local:9086
SRM Recovery Site                          https://srm02.domain.local:9086
The EHCBuildGuideScript includes an option to generate and install the SSL
certificate for vRealize Orchestrator automatically.
Procedure
1. Run EHCBuildGuideScript.ps1, select Option 6 vRealize Orchestrator
Tasks, and then select option 1.
2. Follow the onscreen instructions.
The script:
• Creates and submits the CSR
• Downloads the vRealize Orchestrator certificates to the local store
• Imports the certificates directly on to each vRealize Orchestrator instance
• When the certificates have been applied, automatically reboots each
vRealize Orchestrator host
3. To validate the new certificates, check the certificate settings from the
vRealize Orchestrator Control Center (https://vRO.domain:8283/vco-controlcenter).
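A defender's check for the touchpoints in the table above, as an added example that is neither part of this guide nor of EHCBuildGuideScript: it validates each touchpoint's certificate against the private CA chain, records the SHA-256 fingerprint and days to expiry, and reports any component whose chain no longer validates, which is exactly the trust that must be re-established after a renewal. It assumes the CA chain is available locally as Root64.cer (the file name used elsewhere in this chapter) and uses the table's example host names, so the network part only succeeds inside such an environment.

```python
import hashlib
import socket
import ssl
import time
from urllib.parse import urlsplit

# The touchpoint table from the guide, as a constructed lookup (same example URLs).
TOUCHPOINTS = {
    "ViPR": "https://vipr.domain.local",
    "vRealize Automation virtual appliance VIP": "https://vra-vip.domain.local",
    "vRealize Automation web server VIP": "https://web-vip.domain.local",
    "Cloud Center Server": "https://cloud-vc01.domain.local",
    "NSX Manager": "https://nsx-mgr.domain.local",
    "Data Protection Advisor (DPA)": "https://dpa.domain.local:9002",
    "SRM Primary Site": "https://srm01.domain.local:9086",
    "SRM Recovery Site": "https://srm02.domain.local:9086",
}


def endpoint(url):
    """Host and port of an https URL; the port defaults to 443 when absent."""
    parts = urlsplit(url)
    return parts.hostname, parts.port or 443


def fingerprint(der_bytes):
    """SHA-256 fingerprint of a DER certificate in the colon-separated form that
    browsers display, so it can be compared with what the address bar shows."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def days_left(not_after, now_seconds=None):
    """Whole days until the 'notAfter' value from getpeercert() (negative once expired)."""
    expires = ssl.cert_time_to_seconds(not_after)
    now_seconds = time.time() if now_seconds is None else now_seconds
    return int((expires - now_seconds) // 86400)


def fetch_certificate(host, port, cafile, timeout=5.0):
    """TLS handshake that validates the chain against the private CA bundle.
    getpeercert() only returns the parsed dict for a validated certificate,
    so verification deliberately stays on."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.getpeercert(binary_form=True)


def audit(touchpoints=TOUCHPOINTS, cafile="Root64.cer", warn_days=30):
    """One row per touchpoint: (component, host, port, fingerprint, days_left, problem).
    A failed handshake is itself a finding: that component is still presenting an
    old or untrusted certificate and its trust relationship needs re-establishing."""
    rows = []
    for name, url in touchpoints.items():
        host, port = endpoint(url)
        try:
            info, der = fetch_certificate(host, port, cafile)
        except OSError as exc:  # DNS failure, connection refused, or chain validation failed
            rows.append((name, host, port, "", None, str(exc)))
            continue
        remaining = days_left(info["notAfter"])
        problem = f"expires in {remaining} days" if remaining < warn_days else ""
        rows.append((name, host, port, fingerprint(der), remaining, problem))
    return rows


if __name__ == "__main__":
    for row in audit():
        print(*row, sep="\t")
```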
Updating vRealize Operations certificates
Replace expiring vRealize Operations SSL certificates.
Before you begin
For more information, see Configure a certificate for use with vRealize Operations
Manager (2046591).
You can use the EHC Buildscript to create and submit the component CSR and
download the vRealize Operations Manager SSL certificate.
Procedure
1. Log in to the vRealize Operations Admin console (https://vrops.domain/admin)
as an administrator.
2. At the top right, click the SSL Certificate icon.
3. Click Install New Certificate and upload the chain.pem file.
4. Click Install to apply the new certificate.
The admin web page reloads with the new certificate.
5. Validate the new certificate from the web page address bar
(https://vrops.domain/admin) and confirm that it shows the expected expiration date.
Updating vRealize Business certificates
Replace vRealize Business for Cloud SSL certificate, change from self-signed
certificate to Certifying Authority (CA) signed certificate, and import the certificate
private key and the certificate issued by a CA.
Before you begin
• Backup the existing key store from /usr/local/tcserver/vfabric-tcserver-standard/sharedconf/ssl.keystore.
• Verify that your certificate matches the following requirements:
  - Keysize: 2048
  - Algorithm: RSA
  - The distinguished name provided in the certificate is reachable over the network.
Procedure
1. Log in to the vRealize Business for Cloud Web console,
https://vRealize_Business_for_Cloud_IP_address:5480.
2. Unregister vRealize Business for Cloud from vRealize Automation or VMware
Identity Manager.
3. Select Administration > SSL.
4. Under Choose Mode, select the certificate type. If you are using a PEM
encoded certificate, select Import PEM encoded certificate.
Note
Using a self-signed certificate is not recommended for production
environments.
The following actions are available:
• Generate a self-signed certificate: Type a common name for the
certificate in the Common Name box.
You can use the fully qualified domain name of the virtual appliance
(hostname.domain.name) or a wildcard, such as *.mycompany.com. Do
not accept a default value, unless it matches the host name of the virtual
appliance.
Type the following information in the appropriate boxes:
  - Organization: Your organization or company name.
  - Organizational Unit: Your department name or location.
  - Country: Your two-letter ISO 3166 country code, such as US.
• Insert PEM encoded certificate:
  - Copy the certificate values from BEGIN PRIVATE KEY to END
PRIVATE KEY, including the header and footer, and paste them in the
RSA Private Key box.
  - Copy the certificate values from BEGIN CERTIFICATE to END
CERTIFICATE, including the header and footer, and paste them in the
Certificate(s) (.pem) box.
  - (Optional) If your certificate uses a pass phrase to encrypt the certificate
key, copy the pass phrase and paste it in the Passphrase box.
5. Click Replace Certificate.
6. Re-register vRealize Business for Cloud with vRealize Automation or VMware
Identity Manager.
Note
If you are using VMware Identity Manager, restart the data collection services
manually by running the monit start itbm-data-collector command.
Updating Log Insight certificates
Replace expiring Log Insight SSL certificates.
Before you begin
Plan for a brief service restart of Log Insight service.
For more information, see Install a Custom SSL Certificate by Using the vRealize Log
Insight Web Interface.
You can use the EHC Buildscript to create and submit the component CSR and
download the Log Insight Manager SSL certificate.
Procedure
1. Connect to the Log Insight web portal (https://vRLI.domain).
2. Select Configuration > Administration > SSL Certificate.
3. Under Custom SSL Certificate, browse to and select the newly created
chain.pem file, and then click Save.
4. When the file is uploaded, click Management > Cluster, select a cluster node,
and then select Restart vRealize Log Insight.
The Log Insight service restarts. This command does not provide a full reboot of
the appliance. For more information, see the VMware topic, Restart Process.
The updated SSL certificate components are stored locally in C:\Certs.
5. Validate the new certificates:
a. Check the SSL certificate fingerprint on the Log Insight web portal
(https://logi.domain).
b. Open the secure SSL certificate and review the certificate and the updated
certificate validity period.
Updating Avamar certificates
Install certificates in the Avamar system by copying the certificates to the correct
location on each node.
Before you begin
• Ensure that you have arranged a maintenance window with the customer, because
this procedure requires that the Avamar server process (mcs) is stopped.
• Pause all scheduled or running backups until the process is complete.
• Ensure that OpenSSL is installed on the system that generates the CSR.
By default Avamar is installed using self-signed certificates. This procedure updates
self-signed Avamar certificates.
Procedure
1. On each Avamar server, generate a CA signed certificate:
a. Run openssl req -new -newkey rsa:2048 -keyform PEM -keyout avamarFQDNkey.pem -nodes -outform PEM -out avamarFQDNreq.pem
b. Provide the appropriate CSR information at the prompts.
c. Connect to CA_Web_Enrollment https://CA.domain/certsrv and
submit an advanced certificate request using Base64.
d. Open the VMware SSL certificate template.
e. Paste the contents of avamarFQDNreq.pem into the encoded section.
f. Download the Base64 certificate.
g. Rename the CA signed certificate certnew.cer to cert.pem.
h. Rename the key file avamarFQDNkey.pem to key.pem.
2. Use SSH to log in:
• For a single-node server, log in to the server as admin.
• For a multi-node server, log in to the utility node as admin.
3. Type dpnctl stop gsan to stop the Avamar server.
4. Copy the certificate to the locations specified for the type of Avamar system:
• Single-node system:
  - Copy the certificate to /data01/home/admin/cert.pem.
  - Copy the certificate to /usr/local/avamar/etc/cert.pem.
• Multi-node system:
  - On each storage node, copy the certificate generated for that node to
/data01/home/admin/cert.pem.
  - On the utility node, copy the certificate generated for that node to
/usr/local/avamar/etc/cert.pem.
5. Copy the key associated with the certificate to the locations specified for the
type of Avamar system:
• Single-node system:
  - Copy the key to /data01/home/admin/key.pem.
  - Copy the key to /usr/local/avamar/etc/key.pem.
• Multi-node system:
  - On each storage node, copy the key generated for that node to
/data01/home/admin/key.pem.
  - On the utility node, copy the key generated for that node to
/usr/local/avamar/etc/key.pem.
6. Restart the Avamar server by typing dpnctl start gsan.
7. Type avmaint config verifypeer=yes --avamaronly to enable client
authentication.
After you finish
If this is the first time the customer has applied CA signed certificates to their Avamar
environment, proceed to Enabling encrypted server authentication on page 118.
Enabling encrypted server authentication
Configure Avamar to use a CA-signed certificate for encrypted communication if CA-signed certificates have been assigned to the Avamar environment for the first time.
Procedure
1. Use SSH to log in:
• Single node: log in to the server as admin.
• Multi-node: log in to the utility node as admin.
2. Open /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml.
3. In mcserver.xml, locate the encrypt_server_authenticate preference
and change it to encrypt_server_authenticate=true.
4. Save and close the file.
5. Stop and restart the Avamar server.
Updating the Avamar Proxy certificate
Applying the root certificate of the CA to the Avamar proxy enables authentication of
the Avamar server certificate for trusted communication between server and proxy.
The Avamar proxy requires an update only if the Root CA certificate has been replaced
and the Avamar server certificate has also been updated.
Before you begin
Ensure that you have arranged a suitable maintenance window with the customer,
because a restart is required for each proxy. This process must be completed for each
Avamar proxy.
Procedure
1. Connect to CA_Web_Enrollment https://CA.domain/certsrv.
2. Download the CA root certificate in Base64 format. (Root64.cer)
3. Rename the root certificate file to chain.pem.
4. Copy the chain.pem file to the Avamar proxy and place it in the
directory /usr/local/avamar/etc/.
5. Reboot the Avamar proxy to re-establish encrypted communications between
the Avamar server and the proxy.
Updating RecoverPoint for Virtual Machines certificates
Update expiring RecoverPoint for Virtual Machines certificates.
Before you begin
It is a best practice to configure vCenter Server to require a certificate, because once
RecoverPoint has read the certificate, it does not need further access to the location.
The default certificate locations are:

Windows 2003 Server   C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.crt
Windows 2008 Server   C:\Users\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.crt

Replacing vCenter Server Certificates in VMware vSphere 5.0, 5.5 and 6.0, available on
the VMware website, provides more information about the location of the security
certificate.
Procedure
1. In the vSphere Web Client home page, select RecoverPoint for VMs
Management > Administration.
2. Use one of the following methods to access the vCenter Registration
information:
• To manage the registration of all vCenter servers in a RecoverPoint for VMs
system, select vCenter Servers > Registration, and use the Edit button to
edit the vCenter settings. Use this option to:
  - Edit the vCenter server information, upload a new vCenter certificate or
delete an existing certificate.
  - Propagate your changes to the specified vCenter server at the specified
vRPA cluster using the Apply button.
  - Propagate your changes to all vRPA clusters in your system using the
Apply changes to all clusters button.
• To manage the registration of a vCenter server at a specific RPA cluster,
select vRPA Clusters > vCenter Servers, and then select a vRPA cluster.
  - Click the Edit button to edit the registration details of an existing
vCenter server at the selected vRPA cluster.
  - Click the Add button to register a new vCenter server at the selected
vRPA cluster.
3. In the Register vCenter Server dialog box, type the following information:

Setting            Description
vCenter Server IP  IP address of the vCenter Server. This is also the display name of the vCenter Server in RecoverPoint.
Port               Port number of the vCenter Server. Default = 443 (HTTPS).
Username           vCenter Server username.
Password           vCenter Server password.
Certificate        To specify a certificate, browse to and select the certificate file.
4. Click OK.
Results
The specified vCenter Server is registered at the specified vRPA clusters with the
specified details.
Updating CloudLink certificates
Update expiring CloudLink certificates.
By default, the CloudLink Center uses a self-signed certificate. When you connect to
CloudLink Center, security warnings are displayed if self-signed certificates do not
have the same level of trust as certificates issued and signed by a trusted certification
authority (CA). Two options exist for providing a certificate that has been signed for
CloudLink by a trusted CA:
• Generate a certificate signing request for a private key generated by CloudLink
Center.
• Upload an externally generated certificate and private key. CloudLink supports two
formats for externally generated keys and certificates:
  - Privacy-Enhanced Electronic Mail format: Certificates using this format are
provided in files with the filename extension .pem. You must upload the private
key file along with the certificate file.
  - PKCS#12 format: Certificates using this format are provided in files with the
filename extension .p12. Along with the certificate file, the CA provides you
with a password that is required to access the contents of the .p12 file. The file
contains both the certificate and the private key.
Procedure
1. openssl.exe req -new -nodes -out c:\Certs\CloudL\CloudL.csr -keyout c:\Certs\CloudL\CloudL-orig.key -config c:\Certs\CloudL\CloudL.cfg
2. openssl.exe rsa -in c:\Certs\CloudL\CloudL-orig.key -out c:\Certs\CloudL\CloudL.key
3. openssl.exe pkcs12 -export -in c:\Certs\CloudL\CloudL.cer -inkey c:\Certs\CloudL\CloudL.key -name "cloudlink" -passout pass:cloudlink -out c:\Certs\CloudL\cloudlink.p12
4. Upload the p12 file from the Administration web page.
Updating ESXi certificates
Replace the active leaf certificate on a single ESXi vSphere host.
Before you begin
Before replacing the ESXi SSL certificate:
• For the customer EHC 4.1.2 environment, determine how many ESXi hosts
require renewal of the SSL certificate.
• Ensure that vCenter Server has the CA root and subordinate certificate chain
already in place (see Updating VMware vCenter Server certificates on page 95).
• Create the required certificates according to the following reference KB articles:
  - Replacing default certificates with CA signed SSL certificates in vSphere 6.x
(2111219)
  - Configuring CA signed certificates for ESXi 6.0 hosts (2113926)
Procedure
1. Connect to the virtual machine on which you want to generate the CSR and the
Private Key.
Note
The virtual machine must be running OpenSSL.
2. Create output directory C:\Certs\esx for the new key files.
3. Create the openssl.cfg configuration file, which is used to create the CSR.
Note
The value for SubjectAltName includes the short name, the full FQDN, and
the IP address of the ESXi host. These values resolve any inconsistent
connection issues with the vSphere Web Client.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi, IP:x.x.x.x, DNS:esxi.domain
[ req_distinguished_name ]
countryName = 2-digit_country_code
stateOrProvinceName = state/province
localityName = location
0.organizationName = company_name
organizationalUnitName = department_name
commonName = srm.domain
4. Open a command prompt and browse to the directory where OpenSSL is
installed.
5. Create the CSR and Private Key:
openssl.exe req -new -nodes -out C:\Certs\esx\rui.csr -keyout C:\Certs\esx\rui-orig.key -config C:\Certs\esx\openssl.cfg
6. Convert the Private Key to RSA format:
openssl.exe rsa -in c:\Certs\esx\rui-orig.key -out c:\Certs\esx\rui.key
7. Generate a signed certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)
e. Download the Base64 certificate.
f. Rename the Base64 certificate to rui.crt.
8. Connect to vCenter Server and put the ESXi host in to Maintenance Mode.
9. SSH to the ESXi host console.
Note
Ensure SSH access is enabled to the host.
10. Backup the contents of the /etc/vmware/ssl directory, and then delete
rui.crt and rui.key from the directory.
11. Copy the newly created rui.crt and rui.key files to /etc/vmware/ssl.
12. From the vCenter Server host console, select Troubleshooting Options >
Restart Management Agents > F11
13. When the agents restart, in vCenter Server, take the host out of Maintenance
Mode.
14. Reboot the host.
15. Connect to the ESXi host (https://esx-hostname).
16. From the browser, determine the validity and status of the new certificate.
Note the certificate thumbprint under the Details section of the certificate.
17. Open SQL Server Management Studio and connect to the vCenter database
(VCDB).
18. Query VCDB for dbo.VPX_Host.
Confirm that the HOST_SSL_THUMBPRINT value recorded by vCenter matches the
ESXi host SSL thumbprint noted in step 16.
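As an added example (not code from the guide), the following Python checker parses a request config in the layout shown in step 3 above (the vRAAS and VAMI configuration files in this chapter use the same layout) and reports whether the SAN carries the expected DNS names and IP address, whether key size, basicConstraints and extendedKeyUsage suit a leaf server certificate, and whether commonName also appears in the SAN; run on the ESXi config exactly as printed it flags commonName = srm.domain, and it also builds the san:dns=... attribute string used in the CA web enrollment steps of the IaaS procedures. The host names, the 192.0.2.10 address and the DN values in the embedded sample are constructed.

```python
import ipaddress
import re


def parse_openssl_cfg(text):
    """Parse the INI-style request config OpenSSL reads: '[ section ]' headers and
    'key = value' lines. A line without '=' is treated as the continuation of the
    previous value, which copes with configs wrapped the way the guide prints them."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[\s*(.+?)\s*\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            last_key = None
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            last_key = key.strip()
            current[last_key] = value.strip()
        elif current is not None and last_key is not None:
            current[last_key] += " " + line
    return sections


def split_san(value):
    """'DNS:esxi, IP:192.0.2.10' -> [('DNS', 'esxi'), ('IP', '192.0.2.10')]"""
    entries = []
    for item in value.split(","):
        kind, _, name = item.strip().partition(":")
        if kind:
            entries.append((kind.strip().upper(), name.strip()))
    return entries


def check_request_config(text, expected_dns=(), expected_ips=()):
    """Return a list of findings; an empty list means the config is fit for the CSR."""
    cfg = parse_openssl_cfg(text)
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", ""), {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    findings = []
    if int(req.get("default_bits", "0")) < 2048:
        findings.append("default_bits is below 2048")
    if ext.get("basicConstraints", "").replace(" ", "").upper() != "CA:FALSE":
        findings.append("basicConstraints must be CA:FALSE for a leaf certificate")
    if "serverAuth" not in {e.strip() for e in ext.get("extendedKeyUsage", "").split(",")}:
        findings.append("extendedKeyUsage lacks serverAuth")
    san = split_san(ext.get("subjectAltName", ""))
    dns = {name.lower() for kind, name in san if kind == "DNS"}
    ips = {name for kind, name in san if kind == "IP"}
    for kind, name in san:
        if kind == "IP":
            try:
                ipaddress.ip_address(name)
            except ValueError:
                findings.append(f"IP SAN entry {name!r} is not a valid address")
        elif kind != "DNS":
            findings.append(f"unexpected SAN type {kind}")
    findings += [f"missing DNS SAN entry {n}" for n in expected_dns if n.lower() not in dns]
    findings += [f"missing IP SAN entry {ip}" for ip in expected_ips if ip not in ips]
    cn = dn.get("commonName", "")
    if not cn:
        findings.append("commonName is not set")
    elif cn.lower() not in dns:  # clients match on SAN, so the CN must be listed there too
        findings.append(f"commonName {cn} is not listed in subjectAltName")
    return findings


def certsrv_san_attribute(dns_names):
    """Build the 'Additional attributes' value for a Microsoft CA web enrollment
    (certsrv) request from the same host list, e.g. san:dns=web-vip&dns=web01."""
    return "san:" + "&".join(f"dns={n}" for n in dns_names)


# The ESXi config as printed in the guide, with the placeholder IP x.x.x.x replaced
# by a constructed documentation address and constructed DN values. The commonName
# is left at srm.domain, as printed, so the checker has something to flag.
ESXI_CFG_AS_PRINTED = """\
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi, IP:192.0.2.10, DNS:esxi.domain
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = MUNSTER
localityName = CORK
0.organizationName = HOOLI
organizationalUnitName = HCE
commonName = srm.domain
"""
# The same config with the commonName corrected to the host's FQDN.
ESXI_CFG_CORRECTED = ESXI_CFG_AS_PRINTED.replace("commonName = srm.domain",
                                                 "commonName = esxi.domain")

if __name__ == "__main__":
    for label, cfg in (("as printed", ESXI_CFG_AS_PRINTED), ("corrected", ESXI_CFG_CORRECTED)):
        print(label, check_request_config(cfg, ["esxi", "esxi.domain"], ["192.0.2.10"]) or "OK")
```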
Updating the Data Protection Advisor (DPA) certificate
By default DPA is installed using self-signed certificates. If the customer has
previously replaced the self-signed DPA certificates, the CA signed certificates must
be renewed.
Procedure
1. Connect to the remote desktop of the DPA virtual machine.
2. Create a copy of the following files:
• C:\Program Files\EMC\DPA\services\standalone\configuration\apollo.keystore
• C:\Program Files\EMC\DPA\services\standalone\configuration\standalone.xml
3. Generate a new alias and private key to a temporary keystore:
a. Open PowerShell and go to the following directory:
C:\Program Files\EMC\DPA\services\_jre\bin\
b. Run the following command:
./keytool -genkey -keyalg RSA -alias <alias name> -keysize 2048 -keystore C:\new.keystore
c. Type the password for the new keystore.
d. For the What is your first and last name? prompt, type the FQDN of the
DPA server. For example, dpa.domain.local.
e. Provide the requested information and type the signing key password.
4. Create a certificate signing request from the alias/temp keystore:
a. Open PowerShell and go to the directory C:\Program Files\EMC\DPA\services\_jre\bin\.
b. Run the following command:
./keytool -certreq -alias <alias name> -keystore C:\new.keystore -file C:\dpa.csr
Use the same alias name as used in step 3b.
c. Type the previously set keystore password.
5. Generate a CA signed certificate:
a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.
b. Submit an advanced certificate request using Base64.
c. Paste the contents of the applicable CSR into the encoded section.
d. Use the following certificate template: VMware SSL
e. Download the Base64 certificate.
f. Rename the Base64 certificate to match the applicable solution user.
(name.cer)
g. Download PKCS Base64 certificate chain.
h. Extract the root and subordinate certificates from the chain into a new file
called Root64.cer.
i. Place the name.cer and Root64.cer on the DPA virtual machine.
6. Import the Root CA and subordinates (if applicable) in the new key store:
a. ./keytool -import -trustcacerts -alias <new alias name for root or subordinates> -keystore C:\new.keystore -file C:\Root64.cer
b. Review the imported Root and subordinate certificates and click Yes to
Trust this certificate.
7. Import the certificate for the server into the new keystore.
a. ./keytool -import -trustcacerts -alias <alias name> -keystore C:\new.keystore -file C:\aliasname.cer
b. Type the previously set keystore password.
8. Import the new complete keystore:
a. Go to the C:\Program Files\EMC\DPA\services\bin\ directory.
b. Run the following command:
./dpa.bat app impcert -kf C:\new.keystore -al <alias name> -pw <alias password>
The apollo keystore has the alias and certificates from the new keystore, but
the certificates are associated with the alias from the temp keystore.
9. Modify the standalone.xml file to point to the new alias, so when it reads
apollo keystore on startup it can find the certificates:
a. Open C:\Program Files\EMC\DPA\services\standalone\configuration\standalone.xml.
b. Open standalone.xml with a text editor and find the following line:
key-alias="${apollo.keystore.alias:apollokey}"
c. Change apollokey to the alias you used when you created the temp
keystore.
10. Restart the DPA Application service.
11. Confirm that the certificate is active:
a. Open the DPA web UI at https://dpa.domain.
b. Review the active certificate contents to confirm new expiration dates.
c. Run the following vRealize Orchestrator workflow: EPC2 > EPC Data
Protection > CalledByvCAC > GetBackupStatus.
After you finish
Update the SSL Trust for SSO. See Updating SSL Trust for SSO on page 92.
Updating VAMI appliance certificates
Replace the vRealize Automation Appliance VAMI SSL certificate.
The procedure to replace the vRealize Automation Appliance VAMI SSL certificate is
similar to replacing the vRealize Automation Appliance certificate (see Updating the
vRealize Automation Appliance on page 106).
Note
There is no interruption to service during this procedure.
Procedure
1. Prepare the environment as described in Signing vRA certificates using an
internal Microsoft CA signing authority (2090090).
2. Create the configuration file for the appliance.
The following example uses vRA01. The variable values reflect the customer
environment.
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vra01, DNS:vra01.domain
[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = MUNSTER
localityName = CORK
0.organizationName = HOOLI
organizationalUnitName = HCE
commonName = vra01.domain
3. Run the following commands to create the certificate signing request:
• openssl req -new -nodes -out c:\certs\vra01\rui.csr -keyout c:\certs\vra01\rui-orig.key -config c:\certs\vra01\vra01.cfg
  Input is vra01.cfg; output is rui.csr and rui-orig.key.
• openssl rsa -in c:\certs\vra01\rui-orig.key -out c:\certs\vra01\rui.key
  This command converts rui-orig.key to rui.key.
4. Sign the certificates.
Note
Use the custom VMware SSL Certificate Template.
5. Run the following commands to generate the .pfx and create the .pem files:
• openssl pkcs12 -export -in C:\certs\vra01\rui.crt -inkey C:\certs\vra01\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vra01\rui.pfx
• openssl pkcs12 -in c:\certs\vra01\rui.pfx -inkey c:\certs\vra01\rui.key -out c:\certs\vra01\rui.pem -nodes
6. SSH to the appliance.
7. Back up the current /opt/vmware/etc/lighttpd/server.pem certificate
file.
8. Copy the contents of new .pem file to overwrite the server.pem file on the
appliance.
9. To restart the lighttpd service, run the service vami-lighttpd restart command.
10. Use HTTPS to connect to the appliance and confirm that the new certificate is
in place.
11. Repeat this procedure for the secondary appliance in the HA pair.
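Two pieces of this procedure that are easy to get subtly wrong are the request config in step 2 (the SAN must carry both the short name and the FQDN, with the FQDN as commonName) and the manual check in step 10 (and the DPA step 11b review) that the host now presents the new certificate. The following is an added example, not Dell EMC or VMware code: render_openssl_cfg produces the vra01.cfg-style config for any appliance, and check_cert validates the SAN, expiry and issuer of a certificate in the dict layout Python's ssl module returns from getpeercert(). The 30-day threshold, the helper names, the sample certificate and the assumption that the CA file is PEM are mine.

```python
"""Request-config generator and post-replacement certificate check (added example)."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

# Same layout as the vra01.cfg example in the guide; only the placeholders vary.
CFG_TEMPLATE = """[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = {san}
[ req_distinguished_name ]
countryName = {country}
stateOrProvinceName = {state}
localityName = {locality}
0.organizationName = {org}
organizationalUnitName = {ou}
commonName = {fqdn}
"""

# DN values from the guide's example; replace with the customer environment's.
SAMPLE_DN = {"country": "IE", "state": "MUNSTER", "locality": "CORK",
             "org": "HOOLI", "ou": "HCE"}


def render_openssl_cfg(short_name, fqdn, dn):
    """Return the OpenSSL request config for one appliance.

    The SAN lists the short name and the FQDN; the FQDN is also the CN.
    """
    san = ", ".join("DNS:" + name for name in (short_name, fqdn))
    return CFG_TEMPLATE.format(san=san, fqdn=fqdn, **dn)


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (assumption).
SAMPLE_CERT = {
    "subject": ((("commonName", "vra01.domain"),),),
    "issuer": ((("commonName", "Internal Root CA"),),),
    "notBefore": "Jun 15 00:00:00 2025 GMT",
    "notAfter": "Jun 15 00:00:00 2027 GMT",
    "subjectAltName": (("DNS", "vra01"), ("DNS", "vra01.domain")),
}


def san_dns_names(cert):
    """Lower-cased DNS entries of the certificate's subjectAltName."""
    return {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}


def check_cert(cert, expected_fqdn, min_days_left=30, now=None):
    """Return a list of problems; an empty list means the certificate passes.

    now may be None (current time), a datetime, or a 'YYYY-MM-DD' string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    problems = []
    names = san_dns_names(cert)
    if expected_fqdn.lower() not in names:
        problems.append(f"SAN {sorted(names)} does not include {expected_fqdn}")
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]),
                                       timezone.utc)
    if not_after < now + timedelta(days=min_days_left):
        problems.append(f"expires {not_after:%Y-%m-%d}, under {min_days_left} days away")
    # The factory VAMI certificate is self-signed; a CA-issued one has a different issuer.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("certificate is self-signed; the CA-signed one is not active")
    return problems


def fetch_peer_cert(host, port=443, cafile=None):
    """Fetch the certificate a live host presents (network call; not run in tests).

    cafile is the internal root in PEM form (assumed, e.g. Root64.cer); validation
    against it is part of the check, so an untrusted chain raises instead of passing.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    print(render_openssl_cfg("vra01", "vra01.domain", SAMPLE_DN))
    print(check_cert(SAMPLE_CERT, "vra01.domain") or "certificate OK")
```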
Running EHC validation workflows
After the end-to-end SSL certificate procedure has been completed, run the EHC
vRealize Automation workflows to validate that EHC orchestration and automation are
fully functional.
Run validation tests for vRealize Orchestrator, vCenter, ViPR, Avamar and DPA to
ensure that each of these components is functioning correctly. Testing details are
provided in the associated sections.
Procedure
1. Perform validation tests on vRealize Orchestrator:
a. Connect to the vRealize Orchestrator console: https://vrovip.domain:8283.
b. Select EHC > Foundation > Validation > tests and run the following tests in
the order listed:
• Pre-Test configuration elements
• TestAD
• TestCAFE
• TestVCAC
• TestVCenter
• TestViPR
• TestVRO
• VerifySiteAffinityBuildProfileAndCustomProperties
2. Validate that vCenter is functioning without issue by deploying a virtual machine
from the vRealize Automation workflow:
a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.
b. Select Catalog > All Services > DeployVMwithBackupCatalogItem.
3. Validate the provision of cloud storage with ViPR:
a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.
b. Select Catalog > Provision Cloud Storage > Run Provision cloud storage.
4. Validate that Avamar backup and restore is functioning:
a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.
b. Select Catalog > Data Protection Services > Create Backup Service
Level.
c. Select Catalog > Data Protection Services > Run Backup Service Level.
d. Select Catalog > Data Protection Services > On Demand Backup.
e. Select Catalog > Data Protection Services > On Demand Restore.
5. Validate that DPA is functioning:
a. Connect to vRealize Orchestrator: https://vro-vip.domain:8283.
b. Select EPC2 > EPC Data Protection > CalledByvCAC > GetBackupStatus.
CHAPTER 10
Password Management
This chapter presents the following topics:
• Password management overview, page 130
• Service accounts, page 130
• SQL Server service accounts, page 138
• Active Directory bind service accounts, page 144
• Enterprise Hybrid Cloud application accounts, page 149
• Enterprise Hybrid Cloud adapter accounts, page 162
• EHC interactive user accounts, page 164
• Enterprise Hybrid Cloud local accounts, page 166
• Dell EMC ViPR physical resources, page 169
Password management overview
In a production environment, using service accounts to track and control applications
and to mitigate the impact of a potential systems compromise is a security best
practice.
This chapter provides a comprehensive list of service accounts, the default names for
the Active Directory groups, and the usernames required by Enterprise Hybrid Cloud.
You may use your own naming schema for these groups if required, but you must have
a comparable username for each of the roles. If you choose to use non-default names,
ensure that you comprehensively document the mapping between your chosen names
and the default names. This information is required to assist support in
troubleshooting your environment if the need arises.
Local root or administrator accounts
The Enterprise Hybrid Cloud solution does not use root user accounts or passwords
for any components. The reconfiguration or update of passwords for root user
accounts is outside the scope of this document.
Supported versions
Password management applies to:
• Enterprise Hybrid Cloud 4.1
• Enterprise Hybrid Cloud 4.1.x
• VMware vSphere 6.0
• VMware vSphere 6.5
Service accounts
The following table lists the Enterprise Hybrid Cloud solution service accounts.
| Account type | Account name | Group membership | Description |
|---|---|---|---|
| Service | svc_iaas | SQL_Admins | Service account for IaaS Services. Permissions are granted on the infrastructure-as-a-service (IaaS) SQL Server database. SQL Server admin privileges may be revoked after the IaaS installation process. |
| Service | svc_sqlsvr | Local Administrator on SQL Server VM | Service account for SQL Server Services. |
| Service | svc_sqlsvragent | Local Administrator on SQL Server VM | Service account for SQL Server Agent. |
| Service | svc_vcenter | VC_App_Logins_RW | Service account for vCenter. Permissions are granted on the vCenter SQL Server database. |
| Service | svc_vum | VC_App_Logins_RW | Service account for Update Manager. Permissions are granted on the vSphere Update Manager SQL Server database. |
| Service | svc_srm | VC_App_Logins_RW | Service account for VMware SRM. Permissions are granted on the SRM SQL Server database. |
| Service | svc_vro | | Connects vRealize Orchestrator to SQL Server (vRealize Orchestrator HA only). Permissions are granted on the vRealize Orchestrator SQL Server database. |
| AD Bind | adbind_vra | | User account to bind vRealize Automation to Active Directory. |
| AD Bind | adbind_vro | | User account to bind vRealize Orchestrator to Active Directory. |
| AD Bind | adbind_vrops | | User account to bind vRealize Operations to Active Directory. |
| AD Bind | adbind_vipr | | User account to bind ViPR to Active Directory. |
| AD Bind | adbind_logi | | User account to bind Log Insight to Active Directory. |
| AD Bind | adbind_dpa | | User account to bind Data Protection Advisor (DPA) to Active Directory. |
| AD Bind | adbind_sso | | User account to bind SSO to Active Directory. |
| AD Bind | adbind_rp4vm | | User account to bind RecoverPoint for Virtual Machines to Active Directory. |
| Application | app_vrb_vcenter | VC_App_Logins_RO | User account to connect vRealize Business Standard to vCenter. |
| Application | app_nsx_vcenter | VC_App_Logins_RW | User account to connect NSX to vCenter. |
| Application | app_logi_vcenter | VC_App_Logins_RW | User account to connect Log Insight to vCenter. |
| Application | app_vra_vcenter | VC_App_Logins_RW | User account to connect vRealize Automation to vCenter. |
| Application | app_vro_vcenter | VC_App_Logins_RW, VRO_Admins | User account to connect vRealize Orchestrator to vCenter. |
| Application | app_vrops_vcenter | VC_App_Logins_RW | User account to connect vRealize Operations to vCenter. |
| Application | app_vrops_vra | EHC_IaaS_Admins, EHC_Tenant_Admins | User account for the vRealize Operations vRealize Automation management pack. |
| Application | app_vipr_vcenter | VC_App_Logins_RW | User account to connect ViPR to vCenter. |
| Application | app_avamar_vcenter | VC_App_Logins_RW | User account to connect Avamar to vCenter. |
| Application | app_avamar_soap | Avamar_Admins | User account for SOAP connections to Avamar. |
| Application | app_nsx_sso | | User account to connect NSX to SSO. |
| Application | app_vro_sso | VRO_Admins | User account to connect vRealize Orchestrator to SSO. |
| Application | app_logi_vrops | VROPS_App_Logins_RW | User account to connect Log Insight to vRealize Operations. |
| Application | app_vro_vipr | VC_App_Logins_RW, ViPR_System_Monitors | User account to connect the ViPR plug-in for vRealize Orchestrator to ViPR. |
| Application | app_vra_nsx | NSX_Ent_Admins | User account for the NSX endpoint credential in vRealize Automation. |
| Application | app_vra_vro | VC_App_Logins_RW, VRO_Admins | User account for both the vRealize Orchestrator endpoint and the vRealize Orchestrator server configuration in vRealize Automation. |
| Application | app_vro_iaas | Local Administrator on IaaS VM | Domain account for Enterprise Hybrid Cloud workflows to connect to IaaS. Permissions are granted on the IaaS SQL Server database. |
| Application | app_vipr_vplex | VPLEX_Admins | User account to connect ViPR to VPLEX. |
| Application | app_vipr_rpa | RP_Admins | User account to connect ViPR to RecoverPoint. |
| Application | app_vro_dpa | DPA_Users | User account to connect vRealize Orchestrator to DPA. |
| Application | app_vro_srm | SRM_Admins | User account to connect vRealize Orchestrator to VMware SRM. |
| Application | app_vro_sql | SQL_App_Logins_RO | User account to connect vRealize Orchestrator to SQL Server. |
| Application | app_vro_nsx | NSX_Ent_Admins | User account to connect vRealize Orchestrator to NSX. |
| Application | app_vro_rest | VRO_Admins | User account to create a vRealize Orchestrator REST host. |
| Application | app_vro_rp4vm | RP4VM_Admins | User account to connect vRealize Orchestrator to RecoverPoint for Virtual Machines. |
| Application | app_srm_vcenter | VC_App_Logins_RW | User account to pair SRM sites. |
| Application | app_vum_vcenter | VC_App_Logins_RW | User account to connect vSphere Update Manager to vCenter. |
| Application | app_vrpa_vcenter | VC_App_Logins_RW | User account to connect vRPAs to vCenter. |
| Adapter | adp_vrops_vcenter | VC_App_Logins_RO | User account to set up the ESA adapter for vRealize Operations. |
| Adapter | adp_vrops_vipr | ViPR_System_Monitors | User account to set up the ViPR adapter for vRealize Operations. |
| Interactive | ehc_sysadmin | EHC_System_Admins, DPA_Admins, DPA_Users | Enterprise Hybrid Cloud SuperUser. |
| Interactive | ehc_fabric_admin | EHC_Fabric_Admins | vRealize Automation Fabric Administrator. |
| Interactive | ehc_iaas_admin | EHC_IaaS_Admins | vRealize Automation IaaS Administrator. |
| Interactive | ehc_nsx_ent_admin | NSX_Ent_Admins, VC_ReadOnly | NSX Enterprise Administrator. |
| Interactive | ehc_storage_admin | EHC_Storage_Services, ViPR_System_Monitors | Storage Administrator. |
| Interactive | ehc_backup_admin | EHC_Backup_Services | User executing backup catalog items from vRealize Automation. |
| Interactive | ehc_config_admin | EHC_Config_Services | User with permissions to the Enterprise Hybrid Cloud configuration services. |
| Interactive | ehc_tenant_admin | EHC_Tenant_Admins | vRealize Automation Tenant Administrator. |
| Interactive | ehc_app_admin | EHC_App_Admins | User with the application and infrastructure administrator role for creating blueprints. |
| Interactive | ehc_vc_admin | VC_Admins | vCenter Administrator. |
| Interactive | ehc_vipr_admin | ViPR_Admins | ViPR Administrator. |
| Interactive | ehc_vro_admin | VRO_Admins | vRealize Orchestrator Administrator. |
| Interactive | ehc_logi_admin | Log_insight_Admins | Log Insight Administrator. |
| Interactive | ehc_vrops_admin | VROPS_Admins | vRealize Operations Administrator. |
| Interactive | ehc_vsrm_admin | ViPR_SRM_Admins | ViPR SRM Administrator. |
| Interactive | ehc_dpa_admin | DPA_Admins | DPA Administrator. |
| Interactive | ehc_avamar_admin | Avamar_Admins | Avamar Administrator. |
| Interactive | ehc_dd_admin | DD_Admins | Data Domain Administrator. |
| Interactive | ehc_sql_admin | SQL_Admins | SQL Server Administrator. |
| Interactive | ehc_bg_admin | Tenant_BG_Managers | vRealize Automation Business Group Administrator. |
| Interactive | ehc_cloudlink_admin | CloudLink_Admins | CloudLink Center Administrator. |
| Interactive | ehc_rp4vm_admin | RP4VM_Admin | RecoverPoint for Virtual Machines Administrator. |
| Local | av0xddboost | | Local Data Domain user account with DD Boost user privileges, used by Avamar to connect to Data Domain. Create one of these user accounts for every instance of Avamar in the environment, replacing x with an appropriate numeral. |
| Local | app_vipr_rp | | Local RecoverPoint admin account to connect ViPR to RecoverPoint. |
| Local | app_srm_rp | | Local RecoverPoint admin account to connect VMware SRM to RecoverPoint. |
| Local | replicate | | Local user on vRealize Automation appliances for use in the postgres database. Created during postgres database setup. |
| Local | app_vrb_vrops | | Local user on vRealize Operations with read-only role for the vRealize Business connection. |
| Local | app_logi_vrops | | Local user on vRealize Operations with read-only role for the Log Insight connection. |
| Local | configurationAdmin | | Local vRealize Automation account for managing tenant configuration. |
| Local | tenantAdmin | | Local vRealize Automation account for managing tenants. |
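The overview asks you to keep the mapping between customer account names and the default names, and the table marks rights that are only needed during installation (svc_iaas in SQL_Admins). The following added example, not from the Dell EMC guide, audits an AD group-membership export against a subset of the table: it translates customer names through the documented mapping, reports missing and extra groups per account, flags install-time rights still held, and lists EHC-style names that have no entry in either the table or the mapping. The CSV layout, the sample export, the name map and the helper names are assumptions.

```python
"""Audit EHC service-account group membership against the expected table (added example)."""
import csv
import io

# Subset of the service-account table: default account name -> expected AD groups.
EXPECTED_GROUPS = {
    "svc_iaas": {"SQL_Admins"},
    "svc_vcenter": {"VC_App_Logins_RW"},
    "app_vrb_vcenter": {"VC_App_Logins_RO"},
    "app_vro_vcenter": {"VC_App_Logins_RW", "VRO_Admins"},
    "adp_vrops_vcenter": {"VC_App_Logins_RO"},
    "ehc_sysadmin": {"EHC_System_Admins", "DPA_Admins", "DPA_Users"},
}

# Rights the table says may be revoked once the IaaS installation has completed.
POST_INSTALL_REVOCABLE = {"svc_iaas": {"SQL_Admins"}}

# Name prefixes the guide uses for EHC-managed accounts.
EHC_PREFIXES = ("svc_", "app_", "adbind_", "adp_", "ehc_")

# Constructed sample of a membership export, one (account, group) pair per row.
SAMPLE_EXPORT = """account,group
svc_iaas,SQL_Admins
svc_iaas,Domain Admins
svc_vcenter,VC_App_Logins_RW
app_vrb_vcenter,VC_App_Logins_RW
svc_orch_vc,VC_App_Logins_RW
svc_orch_vc,VRO_Admins
ehc_sysadmin,EHC_System_Admins
ehc_sysadmin,DPA_Admins
app_legacy_tool,VC_App_Logins_RW
"""

# Customer naming schema -> default name, the mapping the overview asks you to document.
SAMPLE_NAME_MAP = {"svc_orch_vc": "app_vro_vcenter"}


def parse_membership(csv_text):
    """Return {account: set(groups)} from a two-column CSV export."""
    members = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        members.setdefault(row["account"].strip(), set()).add(row["group"].strip())
    return members


def audit(actual, expected=EXPECTED_GROUPS, name_map=None, post_install=True):
    """Compare actual membership with the expected table.

    Returns {"accounts": {name: {"missing", "extra", "revocable"}},
             "absent": [names not found in the export],
             "unmapped": [EHC-style names in the export that are not documented]}.
    """
    name_map = name_map or {}
    # Translate customer names to the default names the table uses.
    normalised = {name_map.get(acct, acct): groups for acct, groups in actual.items()}
    report = {"accounts": {}, "absent": [], "unmapped": []}
    for acct, want in expected.items():
        have = normalised.get(acct)
        if have is None:
            report["absent"].append(acct)
            continue
        revocable = (POST_INSTALL_REVOCABLE.get(acct, set()) & have) if post_install else set()
        report["accounts"][acct] = {"missing": want - have,
                                    "extra": have - want,
                                    "revocable": revocable}
    for acct in normalised:
        if acct not in expected and acct.startswith(EHC_PREFIXES):
            report["unmapped"].append(acct)
    report["absent"].sort()
    report["unmapped"].sort()
    return report


def findings(report):
    """Flatten a report into one line per issue."""
    lines = []
    for acct, r in sorted(report["accounts"].items()):
        lines += [f"{acct}: missing group {g}" for g in sorted(r["missing"])]
        lines += [f"{acct}: unexpected group {g}" for g in sorted(r["extra"])]
        lines += [f"{acct}: install-time right still held: {g}" for g in sorted(r["revocable"])]
    lines += [f"{acct}: not found in export" for acct in report["absent"]]
    lines += [f"{acct}: not in table or name map; document it" for acct in report["unmapped"]]
    return lines


if __name__ == "__main__":
    rep = audit(parse_membership(SAMPLE_EXPORT), name_map=SAMPLE_NAME_MAP)
    print("\n".join(findings(rep)) or "no findings")
```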
Changing the RecoverPoint for Virtual Machines Shadow Copy user service account
The RecoverPoint for Virtual Machines Shadow Copy user service account is a service
account for RecoverPoint for Virtual Machines Shadow Copy services.
Before you begin
• Ensure that vRealize Automation has fewer than 100 services.
  Check the inactive services from vRealize Automation > Administration > Catalog Management > Services. If vRealize Automation has more than 100 services, reinitiation of the RecoverPoint for Virtual Machines module fails. Manually delete the oldest inactive Enterprise Hybrid Cloud services until there are fewer than 100 services.
• Rerun the RP4VM Initialize Main task with the new shadow user.
Enterprise Hybrid Cloud permits only one current shadow user. If you are changing the
shadow user, change all deployments and VMs that the previous shadow user owned.
If the original shadow user owns any deployments or VMs, RecoverPoint for Virtual
Machines post-failover tasks fail for those deployments and VMs.
Note
When you run the initialize main configuration, all vRealize Automation catalog item
icon brandings are overwritten. Re-apply them to complete the process of restoring
the configuration back to the previous version.
Procedure
1. To provide the new shadow user with access to the business group, go to
Administration > Users & Groups > Business Groups.
2. Highlight the row and select Edit.
3. Go to Members and add the user.
4. Click Finish.
5. Change the owner of the shadow VMs using vRealize Automation.
a. Select Items > Deployments.
b. In the Owned by menu, select the business group to show all the current
deployments, including the shadow deployments named
vm_nameshadowrandom_number.
c. Select the shadow deployments and select Actions > Change Owner.
This action sets the shadow deployment, and its VMs, to the owner you
choose.
Removing a shadow user
If you no longer want the previous shadow user to have access to the business group,
remove the user from the user role.
Note
This is an optional procedure.
Procedure
1. Go to Administration > Users & Groups > Business Groups.
2. Highlight the row and select Edit.
3. Go to Members.
4. Select the row of the shadow user that you want to remove from the user role.
5. Click the red X.
6. Click Finish.
SQL Server service accounts
The SQL Server service accounts are:
• svc_iaas
• svc_sqlsvr
• svc_sqlsvragent
• svc_vcenter
• svc_vum
• svc_srm
• svc_vro
Changing the svc_iaas account and password
The svc_iaas account and password are used for login as a service for a number of
services on multiple vRealize Automation IaaS machine types.
The svc_iaas account is a service account for IaaS services. Permissions for this
account are granted on an IaaS SQL Server database. SQL Server admin privileges
can be revoked after the IaaS installation process. This service account applies to:
• vRealize Automation IaaS Manager servers
• vRealize Automation IaaS Web servers
• vRealize Automation IaaS DEM Worker servers
• vRealize Automation IaaS Agent servers
Note
Deployed instances of vRealize Automation that are configured for high availability
(HA) or that are in a distributed mode enable the vRealize Automation portal for
Enterprise Hybrid Cloud to remain accessible except during vRealize Automation
Manager failover. As other services are restarted, brief delays in provisioning might
occur.
Procedure
1. Change the password of svc_iaas in Active Directory.
2. Update the vRealize Automation services on each IaaS Manager server.
a. Log in to each manager node and open the Services MMC.
b. Update the login password in the service properties for each of the following
services:
• VMware DEM-Orchestrator - manager71-01.vlab.local DEO (assuming the DEM Orchestrator was installed on the manager server according to the build guide).
• VMware vCloud Automation Center Management Agent
• VMware vCloud Automation Center Service
c. Restart the services.
3. Update the vRealize Automation services on each IaaS DEM Worker server.
a. Log in to each DEM worker node and open the Services MMC.
b. Update the login password in the service properties for each of the following
services:
• VMware vCloud Automation Center Agent (vCenter endpoint name)
• VMware vCloud Automation Center Management Agent
c. Restart the services.
4. Update the vRealize Automation services on each IaaS Agent server.
a. Log in to each agent node and open the Services MMC.
b. Update the login password in the service properties for each of the following
services:
• VMware vCloud Automation Center Agent (vCenter endpoint name)
• VMware vCloud Automation Center Management Agent
5. Update the vRealize Automation services on each IaaS Web server.
a. Log in to each web node and open the Services MMC.
b. Update the login password in the service properties for the VMware vCloud
Automation Center Management Agent service.
c. Restart the services.
Changing the svc_iaas password in the IIS configuration
Change the svc_iaas password in the IIS configuration of the IaaS Web Servers.
Procedure
1. Log in to the IaaS Web server Windows machine.
2. Launch the IIS Manager.
3. Go to Start > Administrative Tools > Internet Information Services (IIS) Manager.
4. Select Auto-Web-XX in the left-most menu.
Note
Auto-Web-XX might be different in your environment.
5. Go to Content View > Application Pools.
6. Configure the RepositoryAppPool, vACCAppPool, and WapiAppPool application
pools:
a. Right-click the application pool and select Advanced Settings.
b. Scroll down to and select Identity, and click the ellipsis button (... ) on the
right.
c. Click Set, and then type the credentials, using the existing username with
the new password.
7. Restart the IIS manager:
a. Open an elevated command prompt.
b. Type the following command:
iisreset
8. Repeat the preceding steps for each web server node.
9. Restart the vRealize Automation application.
Changing the svc_sqlsvr account password
The svc_sqlsvr account is the service account for SQL Server service running on
Windows virtual machines. Change the password that is used by the SQL Server
(Database Engine) service by updating it in Active Directory.
This procedure applies to:
• auto-sql01
• cloud-sql01
• cloud-sql02
• Any others in customer environments that host Enterprise Hybrid Cloud databases
Note
There is no impact when you perform this procedure. The password takes effect
immediately. A restart of SQL Server is not required.
Procedure
1. In SQL Server Configuration Manager, select SQL Server Services.
2. Right-click SQL Server, and then select Properties.
3. Select Log On.
4. Update the password in the Password field and the Confirm password field.
5. Repeat the preceding steps for each SQL Server service.
Changing the svc_sqlsvragent account password
The svc_sqlsvragent account is the service account for the SQL Server Agent service
running on Windows virtual machines. Change the password that is used by the SQL
Server Agent service by updating it in Active Directory.
This procedure applies to:
• auto-sql01
• cloud-sql01
• cloud-sql02
• Any others in customer environments that host Enterprise Hybrid Cloud databases
Note
There is no impact when you perform this procedure. The password takes effect
immediately. A restart of SQL Server is not required.
Procedure
1. In the SQL Server Configuration Manager, select the SQL Server Agent service.
2. Update the password entry.
3. Repeat the preceding steps for each SQL Server Agent service.
Changing the svc_vcenter account password
The svc_vcenter account is the Windows-based vCenter service account. The
password is used by the vCenter Server services and for database connections to the
SQL Server database. Permissions for this account are granted on a vCenter SQL
Server database.
Note
This procedure is relevant for upgrades only from pre-4.1 instances of Enterprise
Hybrid Cloud. All greenfield installations of Enterprise Hybrid Cloud 4.1 and 4.1.x use
the appliance version to which this procedure does not apply.
This procedure applies to:
• Core vCenter Server (where it exists and is deployed as part of Enterprise Hybrid Cloud)
• Cloud vCenter Server
• All vCenter Server instances that are managed by Enterprise Hybrid Cloud
Note
vCenter is offline for the duration of the services restart. You cannot provision new
machines or other infrastructure services that are dependent on the affected vCenter
Server.
Procedure
1. Change the password for svc_vcenter in Active Directory.
2. Log in to vCenter Server via RDP using the svc_vcenter account with the new
password.
3. Open vCenter Server Services using Start > Run, and then type services.msc.
4. Stop vCenter Server services.
5. Open the VMware VirtualCenter Server properties.
6. On the Log On tab, update the password, confirm the change, and then click
OK.
7. At a command prompt, go to the following path:
%SYSTEMDRIVE%\Program Files\VMware\vCenter Server\vpxd
8. Run vpxd.exe -p.
9. Open DSN for vCenter Server and click Next to save the password to DSN.
10. Start vCenter Server services.
Changing the svc_vum account password
The svc_vum account is the Update Manager service account. Permissions for this
account are granted on the vSphere Update Manager SQL Server database.
Note
This applies only to Windows-based deployments of Update Manager.
This procedure applies to all vSphere Update Manager instances that are integrated
with vCenter Server in Enterprise Hybrid Cloud.
Note
During this procedure, there is no operational impact to Enterprise Hybrid Cloud.
However, the patch management and ESXi upgrade capability of vSphere Update
Manager is interrupted.
Procedure
1. Update the password of the svc_vum service account in Active Directory.
2. Log in to VMware vCenter Update Manager server and stop the vSphere
Update Manager service.
3. Open Services, and change the password of the Log-On svc_vum account of
the vCenter Update Manager service.
4. Run VMwareUpdateManagerUtility.exe as an administrator.
This file is usually located in C:\Program Files (x86)\VMware\Infrastructure\Update Manager\.
5. On the Database Setting tab, type the updated svc_vum password.
6. Re-register to vCenter Server with the updated credentials.
7. Restart the vCenter Update Manager service.
8. Repeat steps 2 through 7 for each vSphere Update Manager in the Enterprise
Hybrid Cloud environment.
Changing the svc_srm account password
The svc_srm account is the service account for VMware Site Recovery Manager.
Permissions for this account are granted on the Site Recovery Manager SQL Server
database. Change the password for the svc_srm account by updating it in Active
Directory.
This procedure applies to all Site Recovery Manager servers that Enterprise Hybrid
Cloud manages.
Note
During this procedure, data protection functions to create or modify protection plans
or groups and protect or unprotect machines are not operational.
Procedure
1. Log in to the SRM Server via RDP using the svc_srm account.
2. Open services using Start > Run and type services.msc.
3. Stop the SRM services.
4. Open the VMware SRM properties.
5. On the Log On tab, update the svc_srm password and confirm. Click OK.
6. Start SRM services.
7. Repeat the preceding steps for every Site Recovery Manager server in the
Enterprise Hybrid Cloud environment.
Changing PowerShell credentials
If Site Recovery Manager-based Enterprise Hybrid Cloud disaster recovery is
implemented, change the PowerShell credentials object.
Procedure
1. Log in to each SRM Server via RDP using the svc_srm account.
2. Run a PowerShell window as an administrator, and follow these steps, replacing
the username with the environment equivalent:
a. Start the powershell.exe process with the credentials DOMAIN\svc_srm.
b. Type the password for the service account and click OK.
A new instance of PowerShell opens.
3. Go to the C:\EHC folder and run the credentials.ps1 script.
4. When prompted, type the vRealize Orchestrator username and password for
Site Recovery Manager to use for the network convergence scripts.
Changing the svc_vro account password
The svc_vro service account connects vRealize Orchestrator to SQL Server (vRealize
Orchestrator HA only). Permissions for this account are granted on the vRealize
Orchestrator SQL Server database. Change the password for the svc_vro account by
updating it in Active Directory.
This procedure applies to all vRealize Orchestrator clusters in the Enterprise Hybrid
Cloud environment.
Note
During this procedure, all Enterprise Hybrid Cloud service catalog items and blueprints
that call vRealize Orchestrator workflows do not function.
Procedure
1. Browse to the Orchestrator Configuration interface of the vRealize Orchestrator node, for example, https://vro1.domain.local:8283/vco-controlcenter/.
2. Log in as root vmware, using the password configured during installation.
3. Under Database, click Configure Database, set the password parameter for
the svc_vro user, and click Save Settings.
The vRealize Orchestrator server prompts you to restart the server. A restart is
optional.
4. Export the configuration from the vRealize Orchestrator node:
a. On the home page, under Manage, click Export/Import Configuration.
b. Click the Export Configuration tab.
c. Save the configuration Zip file to a shared location.
5. Import the configuration to the vRealize Orchestrator node:
a. Browse to the Orchestrator Configuration interface of the vRealize Orchestrator node, for example, https://vro2.domain.local:8283/vco-controlcenter/.
b. On the home page, under Manage, click Export/Import Configuration.
c. Click the Import Configuration tab.
d. Browse to the saved configuration Zip file.
e. Wait until the configuration is successfully imported.
6. Repeat the preceding steps for all other vRealize Orchestrator clusters in the
Enterprise Hybrid Cloud environment.
Active Directory bind service accounts
The Active Directory bind service accounts are:
• adbind_vra
• adbind_vro
• adbind_vrops
• adbind_vipr
• adbind_logi
• adbind_dpa
• adbind_sso
• adbind_rp4vm
Changing the adbind_vra account password
Change the Active Directory bind password for the adbind_vra bind service account by
updating it in Active Directory.
The adbind_vra account is a service account to bind VMware vRealize Automation to
Active Directory. This account is used to configure the identity source on newly
created vRealize Automation tenants and enumerate Active Directory user accounts
and groups. It applies to vRealize Automation tenants' directory configuration.
Note
Until the password has been changed, the previously synchronized accounts continue
to work, but a new synchronization will not begin.
Procedure
1. Log in to the Enterprise Hybrid Cloud vRealize Automation tenant as a user with
Tenant Administrator privileges.
2. Go to Administration > Directory Management > Directories, and select the
directory name to be updated.
3. Under the Bind User Details, update Bind DN Password.
4. Click Test Connection to validate the change and click Save.
5. Click Sync Now.
6. Repeat the preceding steps for every vRealize Automation tenant and directory
name that uses adbind_vra.
Changing the adbind_vro account password
Change the Active Directory bind password for the adbind_vro bind service account
by updating it in Active Directory.
The adbind_vro account is a service account to bind VMware vRealize Orchestrator to
Active Directory. This account is used by the vRealize Orchestrator Active Directory
plug-in to enumerate Active Directory user accounts and groups.
Note
This account was known as adbind_vco in previous releases of Enterprise Hybrid
Cloud. Long-term customers may still be using the adbind_vco name because of
in-place upgrades.
Note
It is not known if Active Directory users can log in to the vRealize Automation portal
during or after this procedure.
Procedure
1. Log in to the vRealize Orchestrator VIP or primary vRealize Orchestrator using
the vRealize Orchestrator client as a user with vRealize Automation Tenant
Administrator privileges, for example, ehc_tenant_admin.
2. Go to Inventory > Active Directory, right-click the LDAP server, and select
Run Workflow.
3. Right-click and select Update.
4. Type the new password for the adbind_vro user.
5. Click Submit.
6. Repeat the preceding steps for each vRealize Orchestrator cluster in the
Enterprise Hybrid Cloud environment.
Updating the Enterprise Hybrid Cloud Object Model
Update the Enterprise Hybrid Cloud object model to include the new adbind_vro
account password.
Enterprise Hybrid Cloud uses an object model that provides the framework for storing
and referencing metadata that is related to infrastructure and compute resources. All
model data is stored in a Microsoft SQL Server database on the Automation Pod SQL
Server instance, and can be referenced by all vRealize Orchestrator nodes. After you
change the adbind_vro account password, update it in the EHC Object Model to
maintain the connection between vRealize Orchestrator and Active Directory.
Procedure
1. Log in to the Enterprise Hybrid Cloud tenant portal as a user with vRealize
Automation Tenant Administrator privileges that include entitlements to the
EHC Connection Maintenance catalog item.
2. Go to Catalog > EHC Configuration and select Connection Maintenance.
3. Select ActiveDirectoryConnection and click Next.
4. Type the new password for the adbind_vro user.
5. Click Submit.
6. Repeat the preceding steps for each vRealize Orchestrator cluster in the
Enterprise Hybrid Cloud environment.
Changing the adbind_vrops account password
Change the Active Directory bind password for the adbind_vrops bind service account
by updating it in Active Directory.
The adbind_vrops account is a service account to bind VMware vRealize Operations to
Active Directory. This account is used to enumerate Active Directory user accounts
and groups. It applies to the Active Directory authentication source that is configured
in the vRealize Operations admin interface.
Note
Active Directory users can connect during and after the adbind account password
change. If the password is not changed within vRealize Operations, authentication
fails if the prevailing Active Directory policy enforces password aging.
Procedure
1. Log in to the vRealize Operations UI, for example, https://vrops-FQDN/,
using the admin account and password provided during installation.
2. Go to Administration > Authentication Sources and select the LDAP
authentication source.
3. Click the pencil icon to edit the LDAP source, and type the updated password
for the adbind_vrops Active Directory bind user account.
4. Click Test to validate the new settings, and click OK if the validation is
successful.
Changing the adbind_vipr account password
Change the Active Directory bind password for the adbind_vipr bind service account
by updating it in Active Directory.
The adbind_vipr account is a service account to bind Dell EMC ViPR to Active
Directory. This account is used to configure the authentication provider on ViPR and
enumerate Active Directory user accounts and groups. It applies to the ViPR
authentication provider.
Note
Active Directory users can access ViPR during and after the adbind account password
change. If the password is not changed within ViPR, authentication fails if the
prevailing Active Directory policy enforces password aging.
Procedure
1. Log in to the ViPR UI/cluster, for example, https://vipr-cluster-ip/,
with the Security Administrator role, for example, root.
2. Go to Security > Authentication Providers.
3. Click the existing Authentication Provider.
4. In the Password field, type the new password for the adbind_vipr user as
configured in the Manager DN field.
5. Click Save.
Changing the adbind_logi account password
Change the Active Directory bind password for the adbind_logi bind service account
by updating it in Active Directory.
The adbind_logi account is a service account to bind VMware Log Insight to Active
Directory. This account is used to configure Log Insight to enumerate Active Directory
user accounts and groups.
Note
Active Directory users can log in during and after the password change. If the
password is not changed in Log Insight, authentication fails if the prevailing Active
Directory policy enforces password aging.
Procedure
1. Verify that you are logged in to the vRealize Log Insight Web user interface, for
example, https://log-insight-host, as a user with the Edit Admin
permission, that is, admin.
2. Go to Configuration > Administration.
3. Under Configuration, click Authentication.
4. On the Authentication Configuration page, do the following:
a. Click the checkbox to edit the password.
b. In the Password field, type the new password for the adbind_logi user
account and click Test Connection.
5. If the test is successful, click Save.
Changing the adbind_dpa account password
Change the Active Directory bind password for the adbind_dpa bind service account
by updating it in Active Directory.
The adbind_dpa account is a service account to bind Data Protection Advisor to
Active Directory. This account is used to configure Data Protection Advisor to
enumerate Active Directory user accounts and groups.
Note
It is not known if Active Directory users can log in to the Log Insight portal during or
after this procedure.
Procedure
1. Browse and connect to the DPA Server over HTTPS on port 9002, for example,
https://dpaAppServer-FQDN:9002. Ensure that all pop-up blockers are
disabled.
2. Type the username and password.
3. In the main DPA console's navigation pane, select Admin and then select Users
& Security.
4. Select Manage External Authentication.
5. In the User Properties section, in the Password field, type the new password
for the adbind_dpa user.
6. Click Validate.
7. Click Test User.
8. Click OK.
Changing the adbind_sso account password
Change the Active Directory bind password for the adbind_sso bind service account
by updating it in Active Directory.
The adbind_sso account is a service account to bind VMware SSO to Active Directory.
This account is used to configure the identity source to enumerate Active Directory
user accounts and groups.
Note
Active Directory users can access vRealize Automation and vCenter during and after
the adbind account password change. If the password is not changed within vRealize
Automation and vCenter, authentication fails if the prevailing Active Directory policy
enforces password aging.
Procedure
1. Using the vSphere Client, go to Administration > Single Sign-On >
Configuration > Identity Sources.
2. Edit the Active Directory identity source.
3. Type the new password and click Test Connection to validate.
4. If the validation is successful, click OK.
5. Repeat steps 2 through 4 for each Active Directory type identity source that
uses adbind_sso.
Changing the adbind_rp4vm account password
Change the Active Directory bind password for the adbind_rp4vm bind service
account by updating it in Active Directory.
The adbind_rp4vm account is a service account to bind RecoverPoint for Virtual
Machines to Active Directory.
Note
Active Directory users can log in to the RecoverPoint Appliance portal during or after
this procedure.
Procedure
1. Log in to Unisphere for RecoverPoint using the security-admin user ID and the
password that is provided during installation.
2. Click Admin.
3. Click Users and Roles.
4. Go to Manage User Authentication.
5. Specify the new password for the adbind_rp4vm account.
6. To change additional account passwords, repeat the preceding steps for all
Unisphere and RecoverPoint portal accounts.
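Every section in this chapter begins with the same unstated step, "update the password in Active Directory", and then warns that a consumer still holding the old password stops authenticating once Active Directory password aging expires it. The following script is an added example, not part of the Enterprise Hybrid Cloud guide or its tooling: it resets one bind service account in Active Directory with the RSAT ActiveDirectory module and then binds as that account to prove the new credential works before any of the consumers above (vRealize Automation, vRealize Orchestrator, vRealize Operations, ViPR, Log Insight, DPA, SSO, RecoverPoint) is updated. The same sequence applies to the app_* and adp_* accounts in the later sections. The account name and domain are placeholders taken from the guide's own examples, and the script assumes it is run as a domain account that is permitted to reset service-account passwords.

```powershell
# Added example (not from the Enterprise Hybrid Cloud guide): rotate an Active
# Directory bind service account and verify the new credential binds before any
# consumer is reconfigured. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SamAccountName = 'adbind_vro'      # placeholder: any adbind_*, app_* or adp_* account
$Domain         = 'domain.local'    # placeholder domain, as used in the guide's examples

# Prompt for the new password so it never lands in shell history or a script file.
$NewPassword = Read-Host -Prompt "New password for $SamAccountName" -AsSecureString

# Step 1: reset the password in Active Directory. -Reset sets a new value without
# supplying the old one, which is what a service-account rotation needs.
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $NewPassword

# Step 2: confirm AD recorded the change and the account is still usable. A locked
# or disabled account fails every "Test Connection" in the product UIs.
$acct = Get-ADUser -Identity $SamAccountName `
    -Properties PasswordLastSet, LockedOut, PasswordNeverExpires
if (-not $acct.Enabled -or $acct.LockedOut) {
    throw "$SamAccountName is disabled or locked out; consumers will fail to bind."
}
Write-Host ("{0}: PasswordLastSet={1} PasswordNeverExpires={2}" -f `
    $SamAccountName, $acct.PasswordLastSet, $acct.PasswordNeverExpires)

# Step 3: prove the new credential can bind by running a directory query *as* the
# service account. This is the command-line equivalent of the Test Connection
# button in each product UI, run before any consumer is touched.
$cred = New-Object System.Management.Automation.PSCredential (
    "$Domain\$SamAccountName", $NewPassword)
try {
    $null = Get-ADUser -Identity $SamAccountName -Credential $cred -Server $Domain
    Write-Host "Bind as $SamAccountName succeeded; update the consumers listed in the guide now."
} catch {
    throw "Bind as $SamAccountName failed: $($_.Exception.Message). Do not update consumers yet."
}
```

Run the script, then work through the per-product procedure for that account in the same maintenance window, because from the moment step 1 completes every consumer still configured with the old password is one policy-driven expiry away from failing. If `PasswordNeverExpires` prints as False, the prevailing Active Directory policy applies to this account and the notes in each section about authentication failing after password aging are in force.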
Enterprise Hybrid Cloud application accounts
The Enterprise Hybrid Cloud application accounts are:
• app_vrb_vcenter
• app_nsx_vcenter
• app_logi_vcenter
• app_vro_vcenter
• app_vrops_vcenter
• app_vrops_vra
• app_vipr_vcenter
• app_avamar_vcenter
• app_avamar_soap
• app_nsx_sso
• app_vro_sso
• app_logi_vrops
• app_vro_vipr
• app_vra_nsx
• app_vra_vro
• app_vro_iaas
• app_vipr_vplex
• app_vipr_rpa
• app_vro_dpa
• app_vro_srm
• app_vro_sql
• app_vro_nsx
• app_vro_rest
• app_vro_rp4vm
• app_srm_vcenter
• app_vum_vcenter
• app_vrpa_vcenter
Changing the app_vrb_vcenter account password
Change the password for the app_vrb_vcenter EHC application account by updating it
in Active Directory.
The app_vrb_vcenter EHC application account is a user account to connect vRealize
Business Standard to vCenter. The account applies to the Enterprise Hybrid Cloud
tenant portal.
Note
This procedure interrupts connectivity between vRealize Business Standard and
vCenter.
Procedure
1. Log in to the vRealize Automation Enterprise Hybrid Cloud tenant portal as the
Enterprise Hybrid Cloud tenant administrator.
2. Click the Administration tab.
3. Click Business Management.
4. Click the General link, which is selected by default.
5. Expand Manage Private Cloud Connections and click the icon under Manage
vCenter Server Connections.
6. Edit the password for app_vrb_vcenter and click Save.
7. Repeat the preceding steps for all vRealize Automation Enterprise Hybrid Cloud
tenant portals.
Changing the app_nsx_vcenter account password
Change the password for the app_nsx_vcenter EHC application account by updating
it in Active Directory.
The app_nsx_vcenter EHC application account is a user account to connect NSX to
vCenter. The account applies to NSX Manager and vCenter Registration.
Note
This procedure interrupts connectivity between NSX and vCenter.
Procedure
1. Browse to NSX Manager, for example, https://nsxmgrIP, and log in as an
admin with the password provided during deployment.
2. Select Manage vCenter Registration.
3. Under vCenter Server click Edit.
4. In the Password field, type the new password for the app_nsx_vcenter
account, and click OK.
5. Click Yes to accept the certificate if requested.
6. Log out of NSX Manager.
Changing the app_logi_vcenter account password
Change the password for the app_logi_vcenter EHC application account by updating
it in Active Directory.
The app_logi_vcenter EHC application account is a user account to connect vRealize
Automation to vCenter. The account applies to the Enterprise Hybrid Cloud tenant
portal.
Note
This procedure interrupts connectivity between vRealize Automation and vCenter.
Procedure
1. Log in to the Enterprise Hybrid Cloud tenant portal with an account that has
infrastructure administrator privileges, for example, ehc_iaas_admin or
ehc_sysadmin.
2. Select the Infrastructure tab, click Endpoints, and then click Credentials.
3. On the page that is associated with the vra-vcenter credentials, click the Edit
button at top of the credentials list.
4. In the Password field, type the new password.
5. Click the green check mark icon to save the credential configuration.
6. Log out of vRealize Automation.
7. Repeat the preceding steps for each vCenter managed by Enterprise Hybrid
Cloud.
Changing the app_vro_vcenter account password
Change the password for the app_vro_vcenter EHC application account by updating it
in Active Directory.
The app_vro_vcenter EHC application account is a user account to connect vRealize
Orchestrator to vCenter. The account applies to the vCenter plug-in for vRealize
Orchestrator.
Note
This procedure interrupts vCenter plug-in instances that are configured in vRealize
Orchestrator.
Procedure
1. Log in to vRealize Orchestrator.
2. Go to Library > vCenter > Configuration.
3. Run the Update a vCenter Server instance workflow and supply the new password.
4. Repeat steps 2 and 3 on all instances of vRealize Orchestrator.
Changing the app_vrops_vcenter account password
Change the password for the app_vrops_vcenter EHC application account by
updating it in Active Directory.
The app_vrops_vcenter EHC application account is a user account to connect
vRealize Orchestrator to vCenter. The account applies to the VMware vRealize
Operations Manager UI.
Note
This procedure interrupts connectivity between vRealize Operations and vCenter.
Procedure
1. Browse to the vRealize Operations Manager UI, for example, https://
vrops-FQDN, and log in as admin, using the password provided during
deployment.
2. Go to Administration > Solutions > VMware vSphere and click Configure.
3. Under Basic Settings, click the pencil icon to edit the vCenter Server
credentials.
4. Update the password for the app_vrops_vcenter account.
5. Click OK.
6. Click Test Connection.
7. Click Save Settings, and then click Close.
8. Repeat steps 4 through 7 for all instances of vCenter.
9. Log out of the vRealize Operations Manager UI.
Changing the app_vrops_vra account password
Change the password for the app_vra_vcenter EHC application account by updating it
in Active Directory.
The app_vra_vcenter EHC application account is a user account for vRealize
Automation management pack for vRealize Operations.
Note
There is no impact when you perform this procedure.
Procedure
1. Browse to the vRealize Operations Manager UI, for example, http://vropsFQDN, and log in as an administrator.
2. Go to Administration > Solutions > VMware vRealize Automation
Management Pack and click Configure.
3. Under Basic Settings, click the pencil icon to edit the credentials for the
vRealize Automation Appliance URL.
4. Click OK.
5. Click Test Connection.
6. Log out of the vRealize Operations Manager UI.
7. Repeat the preceding steps for all instances.
Changing the app_vipr_vcenter account password
Change the password for the app_vipr_vcenter EHC application account by updating
it in Active Directory.
The app_vipr_vcenter EHC application account is a user account to connect Dell EMC
ViPR to VMware vCenter.
Note
This procedure interrupts connectivity between ViPR and vCenter.
Procedure
1. Browse to the ViPR UI, for example, https://vipr-cluster-fqdn/, and
log in with root privileges.
2. Go to Physical Assets > VMware vCenters and click the vCenter entry.
3. In the Password field, type the new password for the app_vipr_vcenter
account.
4. Click Save.
5. Repeat the preceding steps for all VMware vCenter instances that are managed
by Enterprise Hybrid Cloud.
6. Log out of the ViPR UI.
7. Repeat the preceding steps for all ViPR UIs.
Changing the app_avamar_vcenter account password
Change the password for the app_avamar_vcenter EHC application account by
updating it in Active Directory.
The app_avamar_vcenter EHC application account is a user account to connect Dell
EMC Avamar to vCenter.
Note
This procedure interrupts connectivity between Avamar and vCenter.
Procedure
1. Launch Avamar Administrator and log in using the root account and the
password that is provided during installation.
2. Go to Navigation > Administration.
3. Select the vCenter Domain, for example, vc01.domainName.local.
4. In the Inventory pane, scroll down to and select the vCenter Client, for example,
vcs01.domain.local.
5. Right-click the vCenter Client and select Edit Client.
6. In the Root User panel, type the new password for the app_avamar_vcenter
account.
7. Type the new password in the Verify Password field.
8. Click OK.
9. Repeat the preceding steps for all Enterprise Hybrid Cloud-managed vCenter
instances that are integrated with Avamar.
Changing the app_avamar_soap account password
Change the password for the app_avamar_soap EHC application account by updating
it in Active Directory.
The app_avamar_soap EHC application account is a user account for SOAP
connection to Avamar.
Note
There is no impact when you perform this procedure.
Procedure
1. Browse to the Enterprise Hybrid Cloud tenant portal and log in as the system
administrator with entitlements to the EHC Connection Maintenance catalog item,
for example, ehc_tenant_admin@domain.local.
2. Go to Catalog > EHC Configuration and select Connection Maintenance.
3. Select SOAP Connection and click Next.
4. Type the new password for the app_avamar_soap user.
5. Click Submit.
Changing the app_nsx_sso account password
Change the password for the app_nsx_sso EHC application account by updating it in
Active Directory.
The app_nsx_sso EHC application account is a user account to connect VMware NSX
to SSO. This account applies to VMware NSX Manager Appliances.
Note
Active Directory users and groups cannot log in to NSX directly. The SSO server
authenticates the credentials, and if a role is assigned, NSX allows the login. For
groups to which the user belongs, NSX fetches the group information from the SSO
server and uses it to determine the role that is assigned on NSX.
Procedure
1. Browse to NSX Manager, for example, https://nsxmgrIP, and log in as an
administrator with the password provided during deployment.
2. Select Manage vCenter Registration.
3. Under Lookup Service URL, click Edit.
4. In the Password field, type the new password for the app_nsx_sso account,
and click OK.
5. Log out of NSX Manager.
6. Repeat the preceding steps for all NSX Manager instances.
Changing the app_vro_sso account password
Change the password for the app_vro_sso EHC application account.
The app_vro_sso EHC application account is a user account to connect VMware
vRealize Orchestrator to SSO. This account applies to VMware vRealize Orchestrator
Appliances.
Note
Active Directory users cannot log in to the vRealize Orchestrator Client.
Procedure
1. Update the password for app_vro_sso in Active Directory.
Changing the app_logi_vrops account password
Change the password for the app_logi_vrops EHC application account by updating it
in Active Directory.
The app_logi_vrops EHC application account is a user account to connect VMware
Log Insight to VMware vRealize Operations. This account applies to vRealize
Operations and Log Insight Appliances in an Enterprise Hybrid Cloud environment.
Note
The impact of this procedure includes:
• The vRealize Operations Manager feature "Launch in Context" no longer shows
actions that are related to Log Insight.
• The vRealize Operations Manager no longer issues alerts that are triggered by Log
Insight.
Procedure
1. Browse to the vRealize Log Insight web UI, for example, https://loginsight-host,
and then log in as a user with the Edit Admin permission, for example, admin.
2. Go to Configuration > Administration.
3. Under Integration, click vRealize Operations.
4. In the Password field, select the Update Password checkbox, and type the
new password for the app_logi_vrops account.
5. Click Test Connection.
6. Click Save.
7. Repeat the preceding steps for all vRealize Log Insight instances.
Changing the app_vro_vipr account password
Change the password for the app_vro_vipr EHC application account by updating it in
Active Directory.
The app_vro_vipr EHC application account is a user account to connect the ViPR
vRealize Orchestrator plug-in to ViPR. The account applies to the Dell EMC ViPR
plug-in for vRealize Orchestrator.
Note
During this procedure, Enterprise Hybrid Cloud STaaS workflows (datastore
provisioning) fail to complete.
Procedure
1. Update the password in Active Directory.
2. Run the Configure Dell EMC ViPR and tenant workflow in the vRealize
Orchestrator client.
Changing the app_vra_nsx account password
Change the password for the app_vra_nsx EHC application account by updating it in
Active Directory.
The app_vra_nsx EHC application account is a user account for NSX endpoint
credential in vRealize Automation.
Note
Until the password change is complete, connectivity between vRealize Automation
and NSX is unavailable.
Procedure
1. Browse to the Enterprise Hybrid Cloud tenant portal, for example, https://
vra71-vip.vlab.local/vcac/org/ehc, and log in with an account that
has infrastructure administrator privileges, for example, ehc_iaas_admin.
2. Select the Infrastructure tab, and click Endpoints, and then click Credentials.
3. On the left side of the page, click the pencil link that is associated with the
vra-nsx credentials.
4. In the Password field, type the new password.
5. Click the green check mark icon to save the credentials configuration.
6. Log out of vRealize Automation.
7. Repeat the preceding steps for all vRealize Automation instances.
Changing the app_vra_vro account password
Change the password for the app_vra_vro EHC application account by updating it in
Active Directory.
The app_vra_vro EHC application account is a user account to connect vRealize
Automation to vCenter Orchestrator. This account applies to vRealize Automation
infrastructure resource allocation for tenant clusters.
Note
During this procedure, completion of vCenter compute provisioning for tenant
endpoints fails.
Procedure
1. Log in to the Enterprise Hybrid Cloud tenant portal with an account that has
infrastructure administrator privileges, for example, ehc_iaas_admin or
administrator.
2. Select the Infrastructure tab, click Endpoints, and then click Credentials.
3. On the left side of the page, click the pencil link that is associated with the
vra-vro credentials.
4. In the Password field, type the new password for the app_vra_vro account.
5. Click the green check mark icon to save the credentials configuration.
6. Log out of the Enterprise Hybrid Cloud tenant portal.
7. Commit these changes:
a. SSH to the vRealize Automation appliance at, for example, http://vRAFQDN:5480.
b. Restart the VMware vCloud Automation Center services with the service
vcacserver restart command.
8. Repeat the preceding steps for all vRealize Automation instances.
Changing the app_vro_iaas account password
Change the password for the app_vro_iaas EHC application account by updating it in
Active Directory.
The app_vro_iaas EHC application account is a domain account for Enterprise Hybrid
Cloud workflows to connect to IaaS. Permissions for this account are granted on an
IaaS SQL Server database. This account is also used in the Enterprise Hybrid Cloud
tenant portal.
Note
Until the password change is complete, connection between the Enterprise Hybrid
Cloud tenant portal and the SQL Server database is disrupted.
Procedure
1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator
with entitlements to the Enterprise Hybrid Cloud Connection Maintenance
catalog item, for example, ehc_tenant_admin@domain.local.
2. Go to Catalog > EHC Configuration and select Connection Maintenance.
3. Select IAASC, and then click Next.
4. Type the new password for the app_vro_iaas user.
5. Click Submit.
Changing the app_vipr_vplex account password
Change the password for the app_vipr_vplex EHC application account by updating it
in Active Directory.
The app_vipr_vplex EHC application account is a user account to connect Dell EMC
ViPR to Dell EMC VPLEX. This procedure applies to CA dual-site/single vCenter
topologies.
Note
During this procedure, you are unable to provision new CA-protected storage.
Procedure
1. Browse to the Dell EMC ViPR UI and log in with root privileges.
2. Go to Physical Assets > Storage Providers, and click the VPLEX entry.
3. In the Password field, type the new password for the app_vipr_vplex account.
4. In the Confirm Password field, type the new password.
5. Click Save.
6. Select the VPLEX entry and run Rediscover.
7. Log out of the ViPR UI.
8. Repeat the preceding steps for all ViPR UIs.
Changing the app_vipr_rpa account password
Change the password for the app_vipr_rpa EHC application account by updating it in
Active Directory.
The app_vipr_rpa EHC application account is a user account to connect Dell EMC
ViPR to Dell EMC RecoverPoint. It applies to access credentials for Dell EMC
RecoverPoint (disaster recovery only).
Note
During this procedure:
• Connectivity to EMC RecoverPoint is lost.
• The RP_Admins Active Directory group has admin privileges within RecoverPoint.
Procedure
1. Browse to the Dell EMC ViPR UI/cluster and log in with root privileges, for
example, root.
2. Go to Physical Assets > Storage Providers and select the RecoverPoint entry.
3. In the Password field, type the new password for the app_vipr_rpa account.
4. In the Confirm Password field, type the new password.
5. Click Save.
6. Select the RecoverPoint entry and run Rediscover.
7. Repeat the preceding steps for all RecoverPoint entries.
8. Log out of the ViPR UI.
9. Repeat the preceding steps for all ViPR UI instances.
Changing the app_vro_dpa account password
Change the password for the app_vro_dpa EHC application account by updating it in
Active Directory.
The app_vro_dpa EHC application account is a user account to connect VMware
vRealize Orchestrator to Dell EMC Data Protection Advisor. This account is also used
in the Enterprise Hybrid Cloud tenant portal.
Note
During this procedure, backup reports cannot be issued.
Procedure
1. Browse to the Enterprise Hybrid Cloud tenant portal and log in as the system
administrator with entitlements to the EHC Connection Maintenance catalog item,
for example, ehc_tenant_admin@domain.local.
2. Go to Catalog > EHC Configuration and select Connection Maintenance.
3. Select DPAConnection and click Next.
4. Type the new password for the app_vro_dpa user.
5. Click Submit.
6. Repeat the preceding steps for all Enterprise Hybrid Cloud tenant portals.
Changing the app_vro_srm account password
Change the password for the app_vro_srm EHC application account.
The app_vro_srm EHC application account is a user account to connect VMware
vRealize Orchestrator to VMware Site Recovery Manager. This account applies to the
VMware SRM plug-in for vRealize Orchestrator.
Note
During the procedure, disaster recovery failover or failback fails.
Procedure
1. Update the password for app_vro_srm in Active Directory.
Changing the app_vro_sql account password
Change the password for the app_vro_sql EHC application account by updating it in
Active Directory.
Note
This procedure applies only to the Enterprise Hybrid Cloud SRM disaster recovery
environment. For a non-Enterprise Hybrid Cloud SRM disaster recovery environment,
log in to VMware vRealize Orchestrator and run the following workflow instead:
EHC/Foundation/Initialization/Initialize EHC Foundation plug-in.
The app_vro_sql EHC application account is a user account to connect vRealize
Orchestrator to SQL Server. This account is also used in the Enterprise Hybrid Cloud
tenant portal.
Note
This account is used to connect to the SQL Server database from vRealize
Orchestrator for Enterprise Hybrid Cloud object model changes. Enterprise Hybrid
Cloud object model provisioning fails during this procedure.
Procedure
1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator
with entitlements to the EHC Connection Maintenance catalog item, for
example, ehc_tenant_admin@domain.local.
2. Go to Catalog > EHC Configuration, and then select Connection
Maintenance.
3. Select SQLConnection, and click Next.
4. Type the new password for the app_vro_sql user.
5. Click Submit.
Changing the app_vro_nsx account password
Change the password for the app_vro_nsx EHC application account by updating it in
Active Directory.
Note
This procedure is applicable only for Enterprise Hybrid Cloud SRM disaster recovery
environments. For non-Enterprise Hybrid Cloud SRM disaster recovery environments,
users must log in to vRealize Orchestrator and run the following workflow: EHC/
Foundation/Initialization/Initialize EHC Foundation plug-in.
The app_vro_nsx EHC application account is a user account to connect VMware
vRealize Orchestrator to NSX. This account is also used in the Enterprise Hybrid
Cloud tenant portal. It applies to vRealize Automation network infrastructure resource
allocation for tenant clusters.
Note
During this procedure, NSX network provisioning for tenant endpoints fails to
complete.
Procedure
1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator
with entitlements to the EHC Connection Maintenance catalog item, for
example, ehc_tenant_admin@domain.local.
2. Go to Catalog > EHC Configuration, and select Connection Maintenance.
3. Select NSXConnection, and click Next.
4. Type the new password for the app_vro_nsx user.
5. Click Submit.
Changing the app_vro_rest account password
Change the password for the app_vro_rest EHC application account by updating it in
Active Directory.
The app_vro_rest EHC application account is a user account to create a VMware
vRealize Orchestrator REST host. This account is also used in the Enterprise Hybrid
Cloud tenant portal.
Note
Until the password change is complete, the connection between the Enterprise Hybrid
Cloud tenant portal and vRealize Orchestrator is disrupted.
Procedure
1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator
with entitlements to the EHC Connection Maintenance catalog item, for
example, ehc_tenant_admin@domain.local.
2. Go to Catalog > EHC Configuration, and select Connection Maintenance.
3. Select vROConnection, and then click Next.
4. Type the new password for the app_vro_rest user.
5. Click Submit.
Changing the app_vro_rp4vm account password
Change the password for the app_vro_rp4vm EHC application account by updating it
in Active Directory.
The app_vro_rp4vm EHC application account is a user account to connect VMware
vRealize Orchestrator to RecoverPoint for Virtual Machines.
Note
Until the password change is complete, the connection between RecoverPoint for
Virtual Machines and vRealize Orchestrator is disrupted.
Procedure
1. Log in to VMware vRealize Orchestrator.
2. Click the workflow icon.
3. Open the Update vRPA Cluster Credential workflow by clicking EHC >
Recovery Point for VMs > Configuration > Site Topology > Update vRPA
Cluster.
4. Click Start workflow.
5. Type the username and new password.
Changing the app_srm_vcenter account password
Change the password for the app_srm_vcenter EHC application account by updating
it in Active Directory.
The app_srm_vcenter EHC application account is a user account to pair vCenter Site
Recovery Manager sites.
Note
Until the password change is complete, the connection between vCenter Site Recovery
Manager and the hosted virtual machines is disrupted.
Procedure
1. Launch the vSphere Web Client on one of the sites, and select Site Recovery >
Sites.
2. From the Objects tab, right-click one of the sites and select Reconfigure
Pairing.
3. Click Next and then type the username and updated password.
4. Click Finish.
Changing the app_vum_vcenter account password
Change the password for the app_vum_vcenter EHC application account by updating
it in Active Directory.
The app_vum_vcenter EHC application account is a user account to connect vSphere
Update Manager to VMware vCenter. This account applies to VMware vCenter.
Note
Until the password change is complete, the connection between vCenter Site Recovery
Manager and the hosted virtual machines is disrupted.
Procedure
1. Log in to the Update Manager VM as the update manager service account
(svc_vum).
2. Change the password for the app_vum_vcenter account.
Changing the app_vrpa_vcenter account password
Change the password for the app_vrpa_vcenter EHC application account by updating
it in Active Directory.
The app_vrpa_vcenter EHC application account is a user account to connect vRPAs
to VMware vCenter. This account applies to RecoverPoint.
Note
Until the password change is complete, the connection between RecoverPoint and
vCenter is interrupted.
Procedure
1. Log in to Unisphere for RecoverPoint.
2. Select RPA Clusters.
3. In the left panel, select vCenter Servers.
4. Select Registered vCenter Servers and then click Edit.
5. Specify a new password for app_vrpa_vcenter, and then click OK.
6. Repeat the preceding steps for all RPA clusters.
Enterprise Hybrid Cloud adapter accounts
The Enterprise Hybrid Cloud adapter accounts are:
• adp_vrops_vcenter
• adp_vrops_vipr
Changing adp_vrops_vcenter account password
Change the password for the adp_vrops_vcenter account by updating it in Active
Directory.
The adp_vrops_vcenter account is a user account to set up VMware vRealize
Operations for the Dell EMC ESA adapter. It applies to the Dell EMC ESA adapter for
VMware vRealize Operations connections to cloud vCenter Servers.
Note
This procedure impacts the ability to view health trees for the storage environment
from the virtual environment.
Procedure
1. Browse to the vRealize Operations Manager UI, for example, http://vropsFQDN, and log in with an account with administrator privileges, for example, admin, using the password provided during installation.
2. Go to Home > Administration > Solutions.
3. Select the Dell EMC adapter and click Configure.
4. Select the instance name for the cloud vCenter.
5. Under Instance Settings, click the pencil icon to edit the credentials.
6. In the Manage Credential window, type the new password for the
adp_vrops_vcenter account.
7. Click Test Connection.
8. Click Save Settings.
9. Repeat steps 4 to 8 for all Cloud vCenter instances.
10. Click Close.
11. Repeat the preceding steps in all vRealize Operations Manager UIs.
Changing adp_vrops_vipr account password
Change the password for the adp_vrops_vipr account by updating it in Active
Directory.
The adp_vrops_vipr account is a user account to set up a vRealize Operations ViPR
adapter. It applies to monitoring of Dell EMC ViPR from VMware vRealize Operations.
Note
This procedure impacts the ability to view ViPR-related dashboards within VMware
vRealize Operations.
Procedure
1. Browse to the vRealize Operations Manager UI, for example, http://vropsFQDN, and log in with an account with administrator privileges, for example, admin, using the password provided during installation.
2. Go to Home > Administration > Solutions.
3. Select the Dell EMC adapter and click Configure.
4. Select the adapter instance name, for example, EHC ViPR Adapter.
5. On the Instance Setting tab, edit the credential.
6. Click Test Connection.
7. Click Save Settings.
8. Click Close.
9. Repeat the preceding steps in all vRealize Operations Manager UIs.
EHC interactive user accounts
Change a password in any of the following interactive user accounts by updating it in
Active Directory.
Account | Description | Applies to | Impact
ehc_fabric_admin | User account for the vRealize Automation fabric administrator. | VMware vRealize Automation fabric administrator. | None
ehc_iass_admin | User account for the vRealize Automation IaaS administrator | VMware vRealize Automation IaaS administrator | None
ehc_nsx_ent_admin | User account for NSX enterprise administration | VMware NSX enterprise administrators use the account to log in to VMware vCenter to configure NSX | None
ehc_storage_admin | User account for storage administration | EHC Storage Services and ViPR System Monitor | None
ehc_backup_admin | User account for executing backup catalog items from vRealize Automation | Dell EMC Avamar administration, grid maintenance, catalog items, and Dell EMC Data Protection Advisor | Data protection backup and restore scenarios unable to complete; Avamar administration - grid maintenance and failovers
ehc_config_admin | User account with entitlements to the Enterprise Hybrid Cloud configuration services. | Enterprise Hybrid Cloud day 2 operations, ability to run site maintenance, connection maintenance, hardware island maintenance, and so on | None
ehc_app_admin | User account with application and infrastructure administrator role for creating blueprints | vRealize Automation | None
ehc_vc_admin | User account for VMware vCenter administrator | vCenter | None
ehc_vipr_admin | User account for ViPR administrator | Dell EMC ViPR | None
ehc_vro_admin | User account for vRealize Orchestrator administrator | vRealize Orchestrator | None
ehc_logi_admin | User account for Log Insight administrator | VMware Log Insight | None
ehc_vrops_admin | User account for vRealize Operations administrator | VMware vRealize Operations | None
ehc_vsrm_admin | User account for ViPR SRM administrator | Dell EMC ViPR SRM | None
ehc_dpa_admin | User account for Data Protection Advisor administrator | Dell EMC Data Protection Advisor | None
ehc_avamar_admin | User account for Avamar administration | Dell EMC Avamar | None
ehc_dd_admin | User account for Data Domain administrator | Dell EMC Data Domain | None
ehc_sql_admin | User account for SQL Server administrator | Microsoft SQL Server | None
ehc_bg_admin | User account for vRealize Automation business group administrator | VMware vRealize Business | None
ehc_rp4vm_admin | User account for RecoverPoint for Virtual Machines administrator | Dell EMC RecoverPoint for Virtual Machines | None
ehc_cloudlink_admin | User account for CloudLink Center administrator | Dell EMC CloudLink | None
Changing the ehc_sysadmin account password
Change the password for the ehc_sysadmin account by updating it in Active
Directory.
The ehc_sysadmin account is a user account to set up an Enterprise Hybrid Cloud super-user. It applies to the Enterprise Hybrid Cloud super-user account that is used during installation and upgrade of the Enterprise Hybrid Cloud solution. This account is also used in the Enterprise Hybrid Cloud tenant portal.
Note
This procedure impacts cloud administration and RecoverPoint for Virtual Machines
blueprint provisioning.
Procedure
1. Browse to the Enterprise Hybrid Cloud tenant portal, and log in as the system
administrator with entitlements to the EHC Connection Maintenance catalog
item, for example, ehc_tenant_admin@domain.local.
2. Go to Catalog > EHC Configuration and select Connection Maintenance.
3. Select vRAConnection and click Next.
4. Type the new password for the ehc_sysadmin user.
5. Click Submit.
After you finish
For future Enterprise Hybrid Cloud upgrades, ensure that you type the new
ehc_sysadmin password where requested during the installation of the Enterprise
Hybrid Cloud main package.
Changing the ehc_tenant_admin account password
Change the password for the ehc_tenant_admin account by updating it in Active
Directory.
The ehc_tenant_admin account is a user account for the VMware vRealize
Automation tenant administrator.
Note
There is no impact when you perform this procedure.
Procedure
1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator
with entitlements to the EHC Connection Maintenance catalog item, for
example, ehc_tenant_admin@domain.local.
2. Go to Catalog > EHC Configuration and select Connection Maintenance.
3. Select SMTPConnection and click Next.
4. Type the new password for the ehc_sysadmin user.
5. Click Submit.
Enterprise Hybrid Cloud local accounts
The Enterprise Hybrid Cloud local accounts are:
- dd4avamar/av0xddboost
- app_vipr_rp
- app_srm_rp
- app_vrb_vrops
- configurationAdmin
- tenantAdmin
Changing the dd4avamar/av0xddboost account password
The dd4avamar/av0xddboost account is the local Data Domain user account with DD
Boost user privileges.
Dell EMC Avamar uses the dd4avamar/av0xddboost account to connect to Data
Domain. There must be one of these accounts for every instance of Avamar in the
environment, with x replaced by a numeral. This account applies to Avamar.
Note
This procedure impacts:
- The connection between Data Domain and Avamar
- Backup/restore
Procedure
1. Browse to Data Domain, for example, http://data-domain-ip-addr/ddem/login, and log in using the sysadmin account and password provided during installation.
2. Go to Administration > Access and select Local users.
3. Select dd4avamar/av0xddboost, and click Change password.
This account is also used in Avamar administration.
4. Log in to the Avamar administrator client using the root account and the
password specified during installation.
5. Click Server, and then select Data Domain.
6. Click Actions.
7. Under Account, type the current password and the new password.
Changing the app_vipr_rp account password
Change the password for the app_vipr_rp account by updating it in Active Directory.
The app_vipr_rp Enterprise Hybrid Cloud local account is the user account to connect
Dell EMC ViPR to EMC RecoverPoint. The account applies to Dell EMC ViPR.
Note
This procedure:
l
Impacts the ViPR UI
l
Interrupts connectivity between ViPR and RecoverPoint.
Procedure
1. Browse to the ViPR UI (for example, https://vipr-clusterfqdn/cluster), and log in with root privileges.
2. Go to Physical Assets > Data Protection Systems and select the
RecoverPoint entry.
3. In the Password field, type the new password for the app_vipr_rp account.
4. Type the new password in the Confirm Password field.
5. Click Save.
6. Select the RecoverPoint entry and run Rediscover.
7. Log out of the ViPR UI.
Changing the app_srm_rp account password
Change the password for the app_srm_rp account by updating it in Active Directory.
The app_srm_rp Enterprise Hybrid Cloud local account is the RecoverPoint
administrator account that is used to connect VMware SRM to RecoverPoint (Array
Manager). This account is used by VMware SRM to connect to RecoverPoint and
control storage failover.
Note
This procedure impacts connectivity for VMware SRM to RecoverPoint.
Procedure
1. Launch the vSphere Web Client, and select Site Recovery > Sites.
2. Select the first SRM site, and click Related Objects.
3. Under Array Based Replication, select and edit the Array Manager (ViPR
SRA).
4. Click Next, and continue to complete the discovery process.
5. Repeat steps 2 through 4 for the second SRM site.
Changing the app_vrb_vrops account password
Change the password for the app_vrb_vrops account by updating it in Active
Directory.
The app_vrb_vrops Enterprise Hybrid Cloud local account is the user account to
connect VMware vRealize Business Standard to VMware vRealize Operations. This
account applies to vRealize Business Standard.
Note
This procedure interrupts the connectivity between vRealize Business Standard and vRealize Operations.
Procedure
1. Log in to vRealize Operations.
2. Go to Administration > Access Control.
3. Change the password for app_vrb_vrops.
Changing the configurationAdmin account password
The configurationAdmin account is the local vRealize Automation account for
managing tenant configuration.
Note
This procedure impacts tenant configuration.
Procedure
1. Browse to the vRealize Automation console, https://vraappliance/vcac/, and log in with the default system administrator username and password.
2. Click the tenant name.
For example, for the default tenant, click vsphere.local.
3. On the Local users tab, select the configurationAdmin user.
4. Type the new password, and then click OK.
5. Repeat the preceding steps for all tenants.
Changing the tenantAdmin account password
The tenantAdmin account is the local vRealize Automation account for managing
tenants.
Note
This procedure impacts tenant management.
Procedure
1. Browse to the vRealize Automation console, https://vraappliance/vcac/, and log in with the default system administrator username and password.
2. Click the tenant name.
For example, for the default tenant, click vsphere.local.
3. On the Local users tab, select the tenantAdmin user.
4. Type the new password, and then click OK.
5. Repeat the preceding steps for all tenants.
Dell EMC ViPR physical resources
The Dell EMC ViPR physical resources are:
- Fabric Manager
  - If the Enterprise Hybrid Cloud solution is on a VCE platform, then it uses Cisco MDS switches.
  - If this is a "bring-your-own" (BYO) Enterprise Hybrid Cloud instance, then Brocade switches may be used.
- Cisco MDS password in the ViPR UI
- Brocade password in the ViPR UI
- Dell EMC Vblock compute system password in the ViPR UI
- Storage provider password in the ViPR UI
- Dell EMC VNX password in the ViPR UI
- Dell EMC XtremIO password in the ViPR UI
- Dell EMC VPLEX password in the ViPR UI
- Dell EMC RecoverPoint password in the ViPR UI
Changing the Cisco MDS account password
Change the password for the Cisco MDS account in the ViPR UI.
Procedure
1. Log in to the ViPR UI as a system administrator.
2. Go to Physical Assets > Fabric Managers.
3. For each MDS switch, do the following:
a. Select the switch.
b. Type and confirm the new password.
c. Click Save.
4. If the ViPR software does not automatically begin a rediscovery of the MDS switches, then select the checkbox next to each MDS item and click Rediscover.
Changing the Brocade account password
Change the password for the Brocade account in the ViPR UI.
Procedure
1. Log in to the ViPR UI with system administrator privileges.
2. Go to Physical Assets > Fabric Managers.
3. Select SMI-S Host (CMCNE).
4. Type and confirm the new password.
5. Click Save.
6. If the ViPR software does not automatically begin a rediscovery of the SMI-S
host, then select the checkbox next to the SMI-S host item and click
Rediscover.
Changing the Vblock compute system account password
Change the password for the Vblock compute system account in the ViPR UI.
Dell EMC ViPR can manage the Cisco UCS through Vblock Compute Systems under
ViPR Physical Assets.
Procedure
1. Log in to the ViPR UI with system administrator privileges.
2. Go to Physical Assets > Vblock compute systems.
3. Select the Vblock/UCS item.
4. Type and confirm the new password.
Keep the default settings for all other fields.
5. Click Save.
6. If the ViPR software does not automatically begin a rediscovery of the UCS,
then select the UCS host item and click Rediscover.
Changing the storage provider account password
Change the password for the storage provider account in the ViPR UI.
Procedure
1. Log in to the ViPR Controller UI as a system administrator user.
2. Go to Physical Assets > Storage Provider, and then click Storage Provider.
3. Type and confirm the new password.
Keep the default settings for all other fields.
4. Click Save.
5. If the ViPR software does not automatically begin a rediscovery of the storage
provider, then select the storage provider and click Rediscover.
Changing the VNX account password
Change the password for the VNX storage account in the ViPR UI.
Procedure
1. Log in to the ViPR Controller UI as a system administrator user.
2. Go to Physical Assets > Storage Provider, and then click the storage provider.
3. Type and confirm the new password.
Keep the default settings for all other fields.
4. Click Save.
5. If the ViPR software does not automatically begin a rediscovery of the storage
provider, then select the storage provider and click Rediscover.
Changing the EMC XtremIO account password
Change the password for the XtremIO storage provider account in the ViPR UI.
Procedure
1. Log in to the ViPR UI as a system administrator user.
2. Go to Physical Assets > Storage Systems, and then click Storage Provider.
3. Type and confirm the new password.
Keep the default settings for all other fields.
4. Click Save.
5. If the ViPR software does not automatically begin a rediscovery of the storage
provider, then select the storage provider and click Rediscover.
Changing the EMC VPLEX account password
Change the password for the EMC VPLEX account in ViPR UI by updating it in Active
Directory.
Dell EMC ViPR software should use the app_vipr_vplex account to discover the Dell
EMC VPLEX system. The account user should be a member of the VPLEX_Admins
Active Directory group, which should be assigned admin privileges in VPLEX.
Procedure
1. Log in to the ViPR UI as a system administrator user.
2. Go to Physical Assets > Storage Providers, and then click VPLEX Storage
Provider.
3. Type and confirm the new password.
Keep the default settings for all other fields.
4. Click Save.
5. If the ViPR software does not automatically begin a rediscovery of the VPLEX storage provider, then select the checkbox next to the VPLEX storage provider and click Rediscover.
Changing the RecoverPoint password
Change the password for the Dell EMC RecoverPoint account in the Dell EMC ViPR UI
by updating it in Active Directory.
ViPR software must use the app_vipr_rpa account to discover the RecoverPoint
Appliances. The account user must be a member of the RP_Admins Active Directory
group, which must be assigned admin privileges in RecoverPoint.
Procedure
1. Log in to the ViPR UI with administrative privileges.
2. Go to Physical Assets > Data Protection Systems, and then click the
RecoverPoint item to edit it.
3. Type and confirm the new password.
Keep the default settings for all other fields.
4. Click Save.
5. If the ViPR software does not automatically begin a rediscovery of the
RecoverPoint system, then select the checkbox next to the RecoverPoint
system and click Rediscover.
CHAPTER 11
References
This chapter presents the following topics:
- Enterprise Hybrid Cloud documentation (page 174)
- Enterprise Hybrid Cloud security documentation (page 174)
- Other documentation (page 177)
- VMware Knowledge Base (page 178)
Enterprise Hybrid Cloud documentation
The following documentation on EMC.com or Online Support provides additional and
relevant information. Access to these documents depends on your login credentials. If
you do not have access to a document, contact your Dell EMC representative.
- Enterprise Hybrid Cloud 4.1.2 Reference Architecture Guide
- Enterprise Hybrid Cloud 4.1.2 Concepts and Architecture Guide
- Enterprise Hybrid Cloud 4.1.2 Administration Guide
- Enterprise Hybrid Cloud 4.1.2 Infrastructure and Operations Management Guide
Enterprise Hybrid Cloud security documentation
Find Dell EMC and VMware documentation related to Enterprise Hybrid Cloud
security, as well as hardening guides for Enterprise Hybrid Cloud components.
Enterprise Hybrid Cloud has been secured by implementing the recommendations in
the following product security guides from Dell EMC and VMware.
Table 1 Dell EMC documentation
Publication | Description
Product Security: Enhancing the trustworthiness of EMC Solutions | Describes how Dell EMC embeds security in the company's product development, deployment, and maintenance practices, as well as in its supply chain.
Dell EMC Symmetrix Security Configuration Guide | Describes how to securely deploy, use, and maintain Solutions Enabler version 7.6 and Unisphere for VMAX version 1.6.
Dell EMC ViPR Controller Version 3.6 Security Configuration Guide | Provides an overview of security configuration settings available in ViPR, secure deployment and usage settings, and secure maintenance and physical security controls needed to ensure secure operation of ViPR.
Dell EMC Avamar Product Security Guide | Provides an overview of the settings and security provisions that are available in Avamar to ensure secure operation of the product.
Dell EMC Avamar 7.2 Extended Retention Security Guide | Describes how to configure security features for the Avamar Extended Retention feature.
Table 2 VMware documentation
Publication | Description
VMware Product Security: An Overview of VMware's Security Programs and Practices | Describes VMware's approach to security for virtualization software products and solutions.
VMware vSphere Security Management Guide | Provides information about securing your vSphere environment for VMware vCenter Server and VMware ESXi.
VMware NSX for vSphere Network Virtualization Design Guide | Provides an overview of the VMware NSX network virtualization platform.
VMware NSX for vSphere 6.2 Documentation Center | Provides information about installing, configuring, and using NSX.
VMware Hardened Virtual Appliance Operations Guide | Addresses the site-specific technical requirements to meet Security Technical Information Guides (STIG).
NSX Administration Guide |
All components that comprise the Enterprise Hybrid Cloud platform are listed in the
following table, along with the associated security configuration guides, if applicable.
This list is based on the products described in the Enterprise Hybrid Cloud EMC
Simple Support Matrix (ESSM).
Table 3 Hardening guides
Component | Security Guide | Notes
VMAX | Dell EMC VMAX All Flash and VMAX3 Family Security Configuration Guide | Provides information about features and configuration options that are available for configuring secure system operation and storage processing. The guide explains why, when, and how to use these security features.
VNX | Dell EMC VNX Series Version VNX1, VNX2 Security Configuration Guide for VNX |
ScaleIO | Dell EMC ScaleIO Security Configuration Guide |
VPLEX | | Contact your EMC representative for access to this document.
Unity Hybrid Flash Array | Dell EMC Unity Family, Unity All Flash, Unity Hybrid, Unity VSA Version 4.2 Security Configuration Guide |
XtremIO | Dell EMC XtremIO Storage Array XIOS Versions 4.0.2, 4.0.4, 4.0.10, and 4.0.15; XMS Versions 4.2.0 and 4.2.1 Security Configuration Guide |
Connectrix Manager Converged Network Edition | | No additional guidance listed for this component.
PowerPath / VE | | No additional guidance listed for this component.
SE/SMI-S for VMAX | | No additional guidance listed for this component.
SE/SMI-S for VNX | | No additional guidance listed for this component.
ViPR | Dell EMC ViPR Controller Version 3.6 Security Configuration Guide |
ViPR SRM | Dell EMC ViPR SRM Version 3.5.1.0 Security Configuration Guide |
Avamar | Dell EMC Avamar Version 7.3 Product Security Guide |
Data Domain | Dell EMC Data Domain Security Guide | Describes the key security features of Data Domain systems and provides the procedures required to ensure data protection and appropriate access control.
Data Protection Advisor | Dell EMC Data Protection Advisor Security Configuration Guide |
Microsoft SQL Server 2012 SP2 | Microsoft SQL Server 2012 Security Best Practice Whitepaper - Microsoft |
Microsoft Windows Server 2012R2 | | See the Microsoft Windows SCW.
VMware NSX for vSphere | VMware NSX Security Hardening Guide |
VMware vSphere ESX | VMware vSphere 6.5 Hardening Guide |
VMware vSphere vCenter for Windows | VMware vSphere 6.5 Hardening Guide |
VMware vSphere vCenter Server Appliance | VMware vSphere 6.5 Hardening Guide |
VMware vRealize Automation | VMware vRealize Automation Hardening Guide |
VMware vRealize Business for Cloud | | No additional guidance listed for this component.
VMware vRealize Configuration Manager | VMware vRealize Configuration Manager Security Guide | Describes how to harden vRealize Configuration Manager for secure use.
VMware vRealize Log Insight | VMware vRealize Log Insight Security Guide | Provides a reference to the security features of vRealize Log Insight.
VMware vRealize Operations Manager | VMware Secure Configuration vRealize Operations Manager |
VMware vRealize Orchestration Appliance | | No additional guidance listed for this component.
VMware Site Recovery Manager | VMware Site Recovery Manager 6.5 |
Dell EMC RecoverPoint for Virtual Machines | Dell EMC RecoverPoint for Virtual Machines Security Configuration Guide |
Python | | No additional guidance listed for this component.
CloudLink SecureVM | Cloudlink SecureVM 5.5 Security Configuration Guide |
Dell EMC VxBlock | | Contact your Dell EMC representative for access to this document.
Dell EMC VxRack Flex | | Contact your Dell EMC representative for access to this document.
Dell EMC VxRail | | Contact your Dell EMC representative for access to this document.
Other documentation
- VCE Foundation Upgrade from 3.1 to 3.5 Process
- VCE Foundation for EMC Enterprise Hybrid Cloud Addendum
- VMware vRealize Automation Installation and Configuration
- Next Generation Security with VMware NSX and Palo Alto Networks VM-Series
- CloudLink SecureVM Version 5.5 Deployment Guide for Enterprise
- Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280)
- How to Request a Certificate With a Custom Subject Alternative Name (Microsoft TechNet)
- LDAP over SSL (LDAPS) Certificate (Microsoft TechNet)
VMware Knowledge Base
The VMware Knowledge Base provides support for VMware products.
The following VMware Knowledge Base topics provide information about how to manage certificates:
- How to use vSphere 6.x Certificate Manager (2097936)
- Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)
- Replace Solution User Certificates with Custom Certificates
- How to replace the vSphere 6.0 Solution User certs with CA signed certs (2112278)
- Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x (2112009)
- Replacing default certificates with CA signed SSL certificates in vSphere 6.x (2111219)
- Certificate troubleshooting, supportability, and trust requirements for vRealize Automation (2106583)
- Signing vRA certificates using an internal Microsoft CA signing authority (2090090)
- Repairing or updating the trust between all components within vRealize Automation 6.x environment (2110207)
- Applying a CA Signed SSL Certificate to a VMware vRealize Application Services server (2065009)
- Configure a certificate for use with vRealize Operations Manager (2046591)
- Configuring CA signed certificates for ESXi 6 hosts (2113926)
- Implementing CA signed SSL certificates with vSphere 5.x (2034833)
- Creating certificate requests and certificates for vCenter Server 5.5 components (2061934)
- Set up Your System to Use Custom Certificates from the Platform Services Controller
- Configuring CA signed certificates for ESXi 6.0 hosts (2113926)
- Managing Certificates with vSphere Certificate Manager Utility
- Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager
- Updating vRealize Automation Certificates
- Change or Replace the SSL Certificate of vRealize Business for Cloud
- Install a Custom SSL Certificate (using the vRealize Log Insight Web Interface)
APPENDIX A
Enterprise Hybrid Cloud Security Data
The appendix presents the following topic:
- Security data (page 180)
Security data
The tables in this chapter provide information on security data for Enterprise Hybrid
Cloud.
Table 4 Application and management interface APIs
Product | API | Document | Part number or location
Data Protection Advisor | REST | Data Protection Advisor REST API Reference | P/N 302-003-608
ViPR | REST | ViPR Controller REST API Developer Guide | 302-000-496
VMware NSX-V | REST | NSX vSphere API Guide | EN-001545-06
VMware vRealize Orchestrator | REST | vSphere Web Services SDK Programming Guide | EN-002095-01
VMware Site Recovery Manager | REST | Site Recovery Manager API Developer's Guide | EN-001733-00
VMware SSO SDK | REST | vCenter Single Sign-On Programming Guide | EN-001413-00
VMware vRealize Orchestrator | REST | Using the vCenter Orchestrator REST API | VMware vSphere 6.5 Documentation Center
VMware vRealize Operations Manager | vSphere | VMware vSphere Management SDK | VMware vSphere 6.5 Documentation Center
VMware vRealize Automation | REST | Using Application Services REST APIs | EN-001652-00
VMware vRealize Automation | REST | Programming Guide | VMware Docs
VMware vRealize Log Insight | REST | VMware vRealize Log Insight Developer's Guide |
VMware ESXi | vSphere | VMware vSphere Management SDK | VMware vSphere 6.5 Documentation Center
VMware vSphere Web Services SDK | REST | Developer's Setup Guide | VMware Docs
Note
CloudLink SecureVM includes a comprehensive set of REST APIs. For documentation about these APIs, see About > REST Documentation in the CloudLink Center contents pane.
Table 5 Authentication mechanisms and integration
Enterprise Hybrid Cloud component | Active Directory | Exceptions
Avamar | Y | MCCLI
Data Domain | Y |
Data Protection Advisor | Y |
Storage Analytics | Y |
ViPR | Y |
ViPR Analytics | Y |
Microsoft SQL Server | Y |
Microsoft Windows Server | Y |
VMware vSphere ESXi | Y |
VMware vRealize Log Insight | Y |
VMware vCenter Server (for Windows) | Y |
VMware vRealize Operations Manager | Y |
VMware vRealize Automation Application Services | Y |
Table 6 Log capability matrix for vRealize Log Insight or similar solution (such as Q-Radar)
Enterprise Hybrid Cloud component | Format
Avamar | syslog/file
Data Domain | syslog/file
Data Protection Advisor | API/WinRM/file
Enterprise Hybrid Cloud modules | with vCenter vRealize Orchestrator
RecoverPoint | syslog/file
ViPR | syslog/file
ViPR SRA (for Windows) | API/WinRM/file
Microsoft SQL Server | API/WinRM/file
Microsoft Windows Server | API/WinRM/file
VMware vRealize Business for Cloud | syslog/file
VMware NSX-V | Syslog
VMware vCenter Server (for Windows) | API/WinRM/file
VMware Site Recovery Manager | API/WinRM/file
VMware vRealize Automation | syslog/file
VMware vRealize Log Insight | syslog/file
VMware vRealize Operations Manager | syslog/file
VMware vRealize Operations Manager Adapters | with vRealize Operations Manager
VMware vRealize Orchestrator | syslog/file
VMware vRealize Orchestrator Plugins | with vRealize Orchestrator
VMware vSphere ESXi | syslog/file
Table 7 Operating systems in use in Enterprise Hybrid Cloud CMP
System component | Operating system | OS type
Avamar Proxy | SLES 11 SP3 | Bare metal
Avamar Server | SLES 11 SP3 | Bare metal
Data Domain | DDOS 6.0.0.30 | Bare metal
Data Protection Advisor | Windows Server 2012 R2 | Guest
ViPR | SLES 11 SP3 | Appliance
Microsoft SQL Server | Windows Server 2012 R2 | Guest
VMware vCenter Server (for Windows) | Windows Server 2012 R2 | Guest
VMware vRealize Automation Application Services | SLES 11 SP3 | Appliance
VMware vRealize Automation | SLES 11 SP3 | Appliance
VMware vRealize Business for Cloud | SLES 11 SP2 | Appliance
VMware vRealize Log Insight | SLES 11 SP3 | Appliance
VMware vRealize Operations Manager | SLES 11 SP2 | Appliance
VMware vRealize Orchestrator | SLES 11 SP3 | Appliance
VMware vSphere ESXi | ESXi 6.5U1 | Bare metal
Table 8 Ports in use in Avamar Server

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| ECHO | TCP/UDP | 7 | Both |
| FTP | TCP | 21 (optional) | Inbound |
| SSH | TCP | 22 | Both |
| Telnet | TCP | 23 (optional) | Inbound |
| EMC DD Boost/Port Mapper | TCP | 111 | Inbound |
| NTP | TCP/UDP | 123 | Both |
| LDAP | TCP | 389 | Outbound |
| Client downloads/DTLT | TCP | 80 (optional), 443 | Inbound |
| CIFS (NetBIOS name services) | UDP | 137 | Inbound |
| CIFS (Datagram services) | UDP | 138 | Inbound |
| CIFS (NetBIOS session services) | TCP | 139 | Inbound |
| CIFS (Microsoft DS) | TCP | 445 | Inbound |
| SNMP | TCP/UDP | 161 (optional) | Inbound |
| EMC DD Boost/NFS | TCP | 2049 | Inbound |
| Replication | TCP | 2051 (optional) | Inbound |
| NFS (mountd) | TCP/UDP | 2052 | Inbound |
| DDMC | TCP | 3009 (optional) | Inbound |
| SMTP | TCP | 25 | Outbound |
| SNMP (traps) | UDP | 162 (optional) | Outbound |
| Syslog | UDP | 514 (optional) | Outbound |
| Avamar Installer (TLS) | TCP | 8543 | Both |
| GSAN | TCP/UDP | 19000-19500 | Not specified |
| GSAN | TCP/UDP | 20000-20500 | Not specified |
| GSAN | TCP/UDP | 25000-25500 | Not specified |
| GSAN | TCP/UDP | 26000-26500 | Not specified |
| Avamar Server | TCP | 27000 | Inbound |
| Avamar Server TLS | TCP | 29000 | Inbound |
| avagent | TCP | 28002 | Not specified |
| Secure Utility Node/Storage Node | TCP | 30001 | Both |
| Avamar System/Client | TCP | 30002 | Both |
| Secure Utility Node/Storage Node | TCP | 30003 | Both |
| Data Protection Advisor Agent | TCP | 3741 | Inbound |
| Data Protection Advisor Application Server | TCP | 9002 | Inbound |
| Data Protection Advisor Datastore Server | TCP | 9003 | Inbound |
| HTTP | TCP | 9004 | Inbound |
| HTTPS | TCP | 9002 | Inbound |
| MANAGEMENT_NATIVE | TCP | 9999 | Inbound |
| MANAGEMENT_HTTP | TCP | 9005 | Inbound |
| MESSAGING | TCP | 5445 | Outbound |
| MESSAGING_THROUGHPUT | TCP | 5455 | Outbound |
| OSGI | TCP | 8090 | Outbound |
| REMOTING | TCP | 4447 | Outbound |
| TXN_RECOVERY | TCP | 4712 | Outbound |
| TXN_STATUS | TCP | 4713 | Outbound |
| HTTP | TCP | 5445 | Inbound |
| HTTPS | TCP | 7600 | Inbound |
| MANAGEMENT_NATIVE | TCP | 57600 | Inbound |
| MANAGEMENT_HTTP | UDP | 5445 | Inbound |
| MESSAGING | UDP | 7500 | Outbound |
| MESSAGING_THROUGHPUT | UDP | 9876 | Outbound |
| OSGI | UDP | 45700 | Outbound |
| REMOTING | UDP | 45688 | Outbound |
| TXN_RECOVERY | UDP | 45689 | Outbound |

Note: the NetBIOS session service (port 139) runs over TCP, not UDP. The rows from Data Protection Advisor Agent onward are the Data Protection Advisor (DPA) application server ports that coexist with the Avamar service ports in this deployment.
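The port tables in this section are, in practice, the allowlist a reviewer compares a node's actual listeners against. The script below is an added example, not code from the Enterprise Hybrid Cloud guide or from Dell EMC: it transcribes the inbound and bidirectional rows of Table 8 (Avamar Server) into an expected matrix, parses `ss -tuln` output, and reports two things a hardening review wants to see: network-reachable listeners the table does not document, and services the table marks optional that are nevertheless listening, with the clear-text ones (FTP, Telnet, HTTP) called out for removal unless they are actually required. The `ss` sample is constructed; the `Row` structure, the `CLEARTEXT` set and the function names are this example's own, and the NetBIOS session service (139) is modelled as TCP, which is what that service uses. Loopback-bound sockets are skipped because they are not reachable from the network.

```python
"""Audit a node's listening sockets against a documented port matrix.

Added example; not code from the Enterprise Hybrid Cloud guide. The rows
below are transcribed from Table 8 (Avamar Server); the `ss` output is
constructed sample data, not a capture from a real system.
"""
from collections import namedtuple

Row = namedtuple("Row", "service proto ports optional")
GSAN = [(19000, 19500), (20000, 20500), (25000, 25500), (26000, 26500)]

# Inbound/both rows of Table 8. Outbound-only rows (SMTP 25, SNMP trap 162,
# syslog 514, LDAP 389) are not listeners and are left out. Ranges are (lo, hi).
AVAMAR_EXPECTED = [
    Row("ECHO", "tcp", [7], False), Row("ECHO", "udp", [7], False),
    Row("FTP", "tcp", [21], True), Row("SSH", "tcp", [22], False),
    Row("Telnet", "tcp", [23], True),
    Row("EMC DD Boost/Port Mapper", "tcp", [111], False),
    Row("NTP", "tcp", [123], False), Row("NTP", "udp", [123], False),
    Row("Client downloads/DTLT", "tcp", [80], True),
    Row("Client downloads/DTLT", "tcp", [443], False),
    Row("CIFS (NetBIOS name/datagram)", "udp", [137, 138], False),
    Row("CIFS (NetBIOS session)", "tcp", [139], False),
    Row("CIFS (Microsoft DS)", "tcp", [445], False),
    Row("SNMP", "tcp", [161], True), Row("SNMP", "udp", [161], True),
    Row("EMC DD Boost/NFS", "tcp", [2049], False),
    Row("Replication", "tcp", [2051], True),
    Row("NFS (mountd)", "tcp", [2052], False), Row("NFS (mountd)", "udp", [2052], False),
    Row("DDMC", "tcp", [3009], True),
    Row("Avamar Installer (TLS)", "tcp", [8543], False),
    Row("GSAN", "tcp", GSAN, False), Row("GSAN", "udp", GSAN, False),
    Row("Avamar Server", "tcp", [27000], False),
    Row("Avamar Server TLS", "tcp", [29000], False),
    Row("avagent", "tcp", [28002], False),
    Row("Utility/Storage Node, System/Client", "tcp", [30001, 30002, 30003], False),
]
# Optional services that carry credentials or data in clear text.
CLEARTEXT = {("tcp", 21), ("tcp", 23), ("tcp", 80)}
LOOPBACK = ("127.", "[::1]")

# Constructed `ss -tulnH` sample: Netid State Recv-Q Send-Q Local:Port Peer:Port
SAMPLE_SS = """\
tcp   LISTEN 0 128   0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:23      0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:8543    0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:19010   0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:27000   0.0.0.0:*
tcp   LISTEN 0 128   0.0.0.0:8080    0.0.0.0:*
tcp   LISTEN 0 128   127.0.0.1:5432  0.0.0.0:*
udp   UNCONN 0 0     0.0.0.0:123     0.0.0.0:*
udp   UNCONN 0 0     0.0.0.0:161     0.0.0.0:*
udp   UNCONN 0 0     [::]:137        [::]:*
"""


def parse_ss(text):
    """Return {(proto, local_addr, port)} from `ss -tuln` output (0.0.0.0, *, [::] ok)."""
    listeners = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "udp"):   # skips a header line too
            continue
        addr, _, port = f[4].rpartition(":")
        if port.isdigit():
            listeners.add((f[0], addr, int(port)))
    return listeners


def _matches(row, proto, port):
    if row.proto != proto:
        return False
    return any(lo <= port <= hi for lo, hi in
               ((p, p) if isinstance(p, int) else p for p in row.ports))


def audit(listeners, expected=AVAMAR_EXPECTED):
    """Split reachable listeners into undocumented ports and documented optional services."""
    unexpected, optional = set(), set()
    for proto, addr, port in listeners:
        if addr.startswith(LOOPBACK):      # local only: not exposed to the network
            continue
        rows = [r for r in expected if _matches(r, proto, port)]
        if not rows:
            unexpected.add((proto, port))
        for r in rows:
            if r.optional:
                optional.add((r.service, proto, port, (proto, port) in CLEARTEXT))
    return unexpected, sorted(optional, key=lambda t: (t[1], t[2]))


def report(text, expected=AVAMAR_EXPECTED):
    """One finding per line, suitable for a CI gate or a ticket."""
    unexpected, optional = audit(parse_ss(text), expected)
    lines = [f"UNEXPECTED {p}/{n}: not in the documented matrix"
             for p, n in sorted(unexpected)]
    for svc, p, n, clear in optional:
        tag = " (clear text: disable unless required)" if clear else ""
        lines.append(f"OPTIONAL {p}/{n} {svc}{tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_SS)))
```

Against the constructed sample the report flags tcp/8080 as undocumented, Telnet on tcp/23 as an optional clear-text service, and SNMP on udp/161 as optional; the PostgreSQL socket bound to 127.0.0.1 is ignored. To run it against a live node, feed the output of `ss -tulnH` to `report()` instead of `SAMPLE_SS`; the other tables in this section can be transcribed into the same `Row` form.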
Table 9 Ports in use in PowerPath/VE licensing appliance

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| SSH | TCP | 22 | Both |
| NTP | TCP/UDP | 123 | Both |
| DNS | UDP | 53 | Outbound |
| License Reporting | TCP | 443 or 8443 | Inbound |
Table 10 Ports in use in SMI-S_ECOM

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| Solutions Enabler | TCP | 2707 | Inbound |
| Event daemon | TCP | Dynamic | Inbound |
| VNX | TCP | 443 or 2163 | Inbound |
| SMI-S Provider | TCP | 5988 | Inbound |
| SMI-S Provider (TLS) | TCP | 5989 | Inbound |
Table 11 Ports in use in Unisphere for VMAX

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| Storage management server | TCP | 80, 443, 2162, 2163 | Inbound |
| Host agent | TCP | 6389 | Outbound |
| SMTP | TCP | 25, 465, or 587 | Outbound |
| Storage processor agent | TCP | 6389 | Outbound |
| RemotelyAnywhere Host | TCP | 9519, 22 | Outbound |
| LDAP Server | TCP | 389 | Outbound |
| LDAP over SSL/TLS Server | TCP | 636 | Outbound |
| iSNS Server | TCP | 3205 | Outbound |
| VNX OE for Block | TCP | 3260 | Inbound |
| Storage management server | UDP | 2162 | Outbound |
| Unisphere Storage System Initialization Utility | UDP | 2163 | Outbound |
| NTP Server | UDP | 123 | Both |
| SNMP Traps | UDP | 162 | Outbound |
| ESXi or Virtual Center Server | TCP | 443 | Outbound |
Table 12 Ports in use in ViPR

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| ECHO | UDP | 7 | Inbound |
| SSH | TCP | 22 | Both |
| SMTP | TCP | 25 | Outbound |
| NTP | UDP | 123 | Both |
| SNMP | UDP | 162 | Outbound |
| HTTPS | TCP | 443 | Both |
| Domain Controller | TCP/UDP | 88 | Outbound |
| LDAP | TCP | 389 (optional) | Outbound |
| Secure LDAP | TCP | 636 | Outbound |
| Keystone (OpenStack auth provider) | TCP | 35357 (optional) | Outbound |
| IPSec | UDP | 500 (optional) | Both |
| Connect (FTPS) | TCP | 990 | Outbound |
| Coordinator Service | TCP | 5181, 2889 | Both |
| Hitachi | TCP | 2001 (optional) | Outbound |
| Zookeeper peers | TCP | 2888 (optional) | Both |
| Reverse Proxy – REST API | TCP | 4443 | Both |
| IPSec | UDP | 4500 (optional) | Both |
| CIM adapter for internal nodes | UDP | 5000 (optional) | Inbound |
| Windows WinRM (HTTP/HTTPS) | TCP | 5985, 5986 (optional) | Both |
| SMI-S Provider | TCP | 5988 | Outbound |
| SMI-S Provider (TLS) | TCP | 5989 | Outbound |
| ViPR Controller user interface | TCP | 6443 | Inbound |
| CIM adapter | TCP | 7012 | Inbound |
| VDC to VDC communication | TCP | 7100 | Both |
| RecoverPoint API (TLS) | TCP | 7125 | Outbound |
| DB Service | TCP | 7199, 7200 (optional) | Both |
| JMX Server | TCP | 7299 (optional) | Both |
| Coordinator Service | TCP | 7399, 7400 (optional) | Both |
| Authentication service | TCP | 7443 | Inbound |
| Isilon | TCP | 8080 (optional) | Outbound |
| API service | TCP | 8443 | Outbound |
| SA service | TCP | 8444 (optional) | Outbound |
| Nginx | TCP | 8543 (optional) | Both |
| Cinder – REST API | TCP | 8776 (optional) | Both |
| VASA | TCP | 9083 | Inbound |
| GEO DB Service | TCP | 9160 (optional) | Both |
| sys service | TCP | 9993 | Both |
| syssvc CLI download (unauthenticated) | TCP | 9998 | Both |
| Controller Service | TCP | 10099, 40201 | Both |
Table 13 Ports in use in Microsoft SQL Server

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| SQL Server | TCP | 1433 | Both |
| Dedicated Admin Connection | TCP | 1434 | Inbound |
| SQL Server named instance | UDP | 1434 | Both |
| SQL Server Analysis Service | TCP | 2383 | Inbound |
| Connection request to a named instance of Analysis Services | TCP | 2383 | Both |
| Transact-SQL debugger and SQL Server Integration Services | TCP | 135 | Both |
Table 14 Ports in use in VMware NSX Manager

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| HTTPS | TCP | 443 | Inbound |
| HTTP | TCP | 80 | Inbound |
| Messaging | TCP | 1234 | Inbound |
| Messaging | UDP | 56711 | Outbound |
| SSH | TCP | 22 | Both |
| NTP | TCP/UDP | 123 | Both |
| Syslog | TCP/UDP | 514 (optional) | Both |
Table 15 Ports in use in VMware vRealize Operations Manager

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| SSH | TCP | 22 | Both |
| HTTP | TCP | 80 | Inbound |
| HTTPS | TCP | 443 | Inbound |
Table 16 Ports in use in VMware vRealize Orchestrator

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| HTTP | TCP | 8280 | Inbound |
| HTTPS | TCP | 8281 | Inbound |
| Web configuration HTTPS access port | TCP | 8283 | Inbound |
| Messaging port | TCP | 8286 | Inbound |
| Messaging port | TCP | 8287 | Inbound |
| LDAP | TCP | 389 | Outbound |
| LDAP over SSL/TLS | TCP | 636 | Outbound |
| Platform Services Controller | TCP | 443 | Outbound |
| SQL Server | TCP | 1433 | Outbound |
| SMTP Server | TCP | 25 | Outbound |
| vCenter Server API | TCP | 443 | Outbound |
| Lookup port | TCP | 8230 | Inbound |
| Command port | TCP | 8240 | Inbound |
| Message port | TCP | 8250 | Inbound |
| Data port | TCP | 8244 | Inbound |
| Web configuration HTTP access port | TCP | 8282 | Inbound |
| LDAP using Global Catalog | TCP | 3268 (LDAP), 3269 (LDAPS) | Outbound |
Table 17 Ports in use in VMware vRealize Automation Application Services

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| RPC | TCP | 111 | Inbound |
| Access to vRealize Automation console | TCP | 443 | Inbound |
| VAMI | TCP | 5480, 5488, 5489 | Inbound |
| Internal vCenter | TCP | 8230, 8280, 8281 | Inbound |
| SMTP | TCP/UDP | 25, 587 | Outbound |
| DNS | TCP/UDP | 53 | Both |
| DHCP | TCP/UDP | 67, 68, 546, 547 | Outbound |
| Software updates | TCP | 80 | Inbound |
| POP | TCP/UDP | 110, 995 | Outbound |
| IMAP | TCP/UDP | 143, 993 | Outbound |
| NTP | TCP/UDP | 123 | Both |
| IaaS Manager Service over HTTPS | TCP | 443 | Inbound |
| PostgreSQL database | TCP/UDP | 5433 | Outbound |
| SSO service over HTTPS | TCP | 443 | Outbound |
| vRealize Orchestrator instance | TCP | 8281 | Outbound |
| Manager Service | TCP | 80 | Inbound |
| Proxy agents | TCP | 80 | Inbound |
| Guest agents | TCP | 80 | Inbound |
| Virtualization host | TCP | 80 | Inbound |
| DEMs | TCP | 443 | Inbound |
| vFabric, RabbitMQ | TCP | 5671 | Inbound |
Table 18 Ports in use in VMware vRealize Automation

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| vRealize Automation Appliance | TCP | 443, 8444 (for the Remote Console capability) | Inbound |
| vRealize Automation Application Services | TCP | 8443 | Inbound |
| SSH | TCP | 22 | Inbound |
| VAMI | TCP | 5480 | Inbound |
| Platform Services Controller | TCP | 443 | Outbound |
| VMware vSphere ESXi (for the Remote Console capability) | TCP | 902 | Outbound |
| vSphere Endpoint | TCP | 443 | Outbound |
Table 19 Ports in use in VMware vRealize Automation IaaS

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| Manager Service | TCP | 443 | Inbound |
| DNS | TCP/UDP | 53 | Outbound |
| NTP | TCP/UDP | 123 | Both |
| Manager Service | TCP | 443 | Outbound |
| Website | TCP | 443 | Outbound |
| Distributed Execution Managers | TCP | 443 | Outbound |
| Manager Service, Website | TCP | 1433 | Outbound |
| Manager Service (optional) | TCP | 80 | Outbound |
Table 20 Ports in use in VMware vRealize Business for Cloud

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| HTTPS (for VAMI) | TCP | 5480 | Inbound |
| HTTPS | TCP | 443 | Inbound |
| SSH | TCP | 22 | Inbound |
| vPostgres | TCP | 5432 | Inbound |
Table 21 Ports in use in VMware vRealize Log Insight

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| SSH | TCP | 22 | Both |
| HTTP (optional) | TCP | 80 | Inbound |
| HTTPS | TCP | 443 | Inbound |
| Syslog | TCP | 514 | Inbound |
| Syslog | UDP | 514 | Inbound |
| Syslog-TLS | TCP | 1514 | Inbound |
| Syslog | TCP | 6514 | Outbound |
| vRealize Log Insight Ingestion API | TCP | 9000 | Inbound |
| Thrift RPC | TCP | 16520 through 16580 | Inbound |
| log4j Server | TCP | 59778 | Inbound |
| Database Server | TCP | 12543 | Inbound |
Table 22 Ports in use in VMware vSphere vCenter

| Application and services | Protocol | Port | Direction |
|---|---|---|---|
| SSH | TCP | 22 | Both |
| SMTP | TCP | 25 | Outbound |
| DNS | UDP | 53 | Both |
| HTTP | TCP/UDP | 80 | Inbound |
| Kerberos | TCP/UDP | 88 | Outbound |
| NTP | UDP | 123 | Both |
| LDAP | TCP | 389 (optional) | Outbound |
| Secure LDAP | TCP | 636 (optional) | Outbound |
| Web Access | TCP | 443 | Inbound |
| vSphere Syslog Collector | TCP/UDP | 514 | Both |
| vCenter Server/VMware Infrastructure Client | TCP/UDP | 902 | Inbound |
| vSphere Syslog Collector TLS | TCP/UDP | 1514 | Both |
| Control Interface RPC (SSO) | TCP | 2012 | Both |
| RPC for VMCA | TCP | 2014 | Both |
| DNS Management | TCP | 2015 | Both |
| Authentication Framework Management | TCP/UDP | 2020 | Both |
| Appliance Management Interface | TCP | 5480 | Both |
| ESXi dump collector | TCP | 6500 | Inbound |
| Auto Deploy Service | TCP | 6501 | Outbound |
| Auto Deploy management | TCP | 6502 | Inbound |
| Secure Token Service | TCP | 7444 | Both |
| vSphere Update Manager | TCP | 8084, 9084, 9087 (not all necessarily used) | Inbound |
| vSphere Web Client | TCP | 9443 | Both |
| vCenter Server Appliance - AD | TCP | 135 (optional) | Outbound |
| SNMP | UDP | 161 (optional) | Outbound |
| VMware Syslog collector | TCP | 8109 (optional) | Outbound |
| Migration Assistant Port | TCP | 9123 (optional) | Both |
| vService Manager | TCP | 15007, 15008 (optional) | Outbound |
| vSphere Replication | TCP | 31031, 44046 (optional) | Outbound |
| vCenter SSO LDAPS | TCP | 11711, 11712 (optional) | Outbound |