Infoace Vmware

8/3/2019 Infoace Vmware

ACE Management Server Administrator's Manual

VMware ACE 2.6

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000169-00
  • 8/3/2019 Infoace Vmware

    2/66

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

Copyright 2007-2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
  • 8/3/2019 Infoace Vmware

    3/66

    VMware, Inc. 3

Contents

About This Book 7

1 Introduction 9
    Features of ACE Management Server 9
    System Requirements 10
    Required Hardware 10
    Supported Operating Systems 10
    Supported External Databases 10
    Supported Proxies 11
    Required Web Browsers 11
    Licensing 11

2 Planning an ACE Management Server Deployment 13
    Deployment Components 13
    Host System Options 14
    Windows Hosts 14
    Linux Hosts 14
    Server Appliance Option 14
    Database Options 15
    Active Directory Authentication Options 15
    Performing Capacity Planning 15
    Database Throughput and Scalability 16
    LDAP Throughput 16
    Network Bandwidth and Policy Update Frequency 16
    ACE Policy Configuration 17
    Load Balancers 17
    Security Features and Considerations 17
    Using SSL Certificates and Protocol 18
    Accessing ACE Management Server from Outside the Corporate Firewall 19
    Deployment Planning Worksheet 19

3 Installing and Configuring ACE Management Server 21
    Preparing for Installation 21
    Configure TLS in Your Browser 21
    Installing and Upgrading ACE Management Server 22
    Install an ACE Management Server on a Windows Host 22
    Install ACE Management Server on a Linux System 23
    Install an ACE Management Server Appliance 24
    Verify That the Apache Service Is Started or Restarted 25
    Start and Configure ACE Management Server 26
    Log In to ACE Management Server 26

4 Configuration Options for ACE Management Server 29
    Prerequisites for Configuring the Server 29
    Create Users and Groups for Integration with Active Directory 29
    Set Up an External Database 30
    Creating a System DSN Entry for an External Database 31
    Increase the Number of Database Connections Allowed 32
    Enable Database Connection Pooling on Linux 33
    Set Up a Connection Between the Server Appliance and an External Database 33
    Prepare Custom Security Certificates 33
    View the Properties of the Self-Signed Certificate File 34
    Starting ACE Management Server Configuration 34
    Viewing and Changing Licensing Information 34
    Using an External Database 35
    Creating Access Control 35
    Uploading Custom SSL Certificates 36
    Logging Events 37
    Applying Configuration Settings 37

5 Load Balancing Multiple ACE Management Server Instances 39
    Typical Setup Using Load-Balanced ACE Management Server Instances 40
    Install the Required Services for Load Balancing 40
    Use the Same SSL Certificate on All Servers 41
    Create New SSL Certificates and Keys for Each Server 41
    Installing and Configuring the Load Balancer 43
    Verify That ACE Instances Are Using the Load Balancer 43

6 Managing ACE Instances 45
    Viewing ACE Instances That the Server Manages 45
    Use the VMware ACE Help Desk Application 46
    Use the Instance View in Workstation 46
    Search for an Instance 47
    Sort by Column Heading and Change Column Width 47
    Show, Hide, and Move Columns in the Instance View 48
    Create or Delete Custom Columns in the Instance View 48
    View Instance Details 48
    Reactivate, Deactivate, or Delete an ACE Instance 49
    Policies Tab 49
    Change a Copy Protection ID 49
    Reset the Authentication Password 50
    Add Information for Custom Columns 50

7 Troubleshooting and Maintenance 51
    Troubleshooting Configuration Problems 51
    Connection Problems Between a Linux ACE Instance and ACE Management Server 51
    Change the Port Assignment for ACE Management Server 51
    Delete the Server Configuration File and Set a New Administrator Password 52
    Restore a Backup Copy of an SSL Certificate 52
    Configuring Multiple ACE Management Server Instances to Use SSL 53
    Database Backup 53

Appendix: Database Schema and Audit Event Log Data 55
    Using Database Reporting Tools 55
    Database Schema 55
    Querying the Audit Event Log Data 59

Glossary 63

Index 65

  • 8/3/2019 Infoace Vmware

    7/66

    VMware, Inc. 7

    Thismanual,theVMwareACEManagementServerAdministratorsManual,providesinformationaboutinstallingandusingtheVMwareACEManagementServer,whichenablesyoutomanageACEinstancesin

    realtime.UsingACEManagementServerisoptional,butdoingsoprovidesthefollowingbenefits:

    ManageactivationofACEpackages.

    Manage

    authentication

    of

    those

    activated

    packages. DynamicallydeliverpolicyupdatestomanagedACEinstances.

    DynamicallydeliverinstancecustomizationdataformanagedACEinstanceswithWindowsguest

    operatingsystems.

    Intended Audience

    Thisbookisintendedforanyonewhoneedstoinstall,upgrade,oruseACEManagementServertomanage

    ACEinstances.ACEManagementServerisintendedforACEadministratorswhomustmaintainandupdate

    ACEpoliciesusedonvirtualmachinesdeployedthroughoutanenterprise.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to:

[email protected]

Technical Support and Education Resources

The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

    Online and Telephone Support

    Touse

    online

    support

    to

    submit

    technical

    support

    requests,

    view

    your

    product

    and

    contract

    information,

    and

    registeryourproducts,gotohttp://www.vmware.com/support.

    Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon

    priority1issues.Gotohttp://www.vmware.com/support/phone_support.html.

Support Offerings

To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.


VMware Professional Services

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available on site, in the classroom, and live online. For on-site pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
  • 8/3/2019 Infoace Vmware

    9/66

    VMware, Inc. 9

    1

The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.

This chapter includes the following topics:

  • Features of ACE Management Server on page 9
  • System Requirements on page 10

Features of ACE Management Server

ACE Management Server offers scalability and reliability:

  • You can increase capacity by adding network resources such as load balancers and extra server hardware.
  • For testing environments, the default embedded backing store provides a simple and efficient database solution. To scale ACE Management Server for production deployments, you can configure and use an external relational database management system (RDBMS).
  • In Windows, multithreaded processes handle server requests. In Linux, multiple processes handle server requests. If one process fails, another takes over.

ACE Management Server offers Active Directory integration:

  • You can use Active Directory to authenticate users of ACE instances.
  • You do not need a schema change for your existing Active Directory.
  • LDAP is used to access Active Directory.
  • Information about Windows domain user account states is provided in clear and useful messages. Reasons for login failures are presented as locked out or password expired.
  • ACE Management Server acts as an Active Directory password change proxy.
  • You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.
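The following is an added example, not code from the ACE product or from this manual, of how a server that authenticates ACE users against Active Directory over LDAP can turn a failed bind into the account states the list above mentions (locked out, password expired) and decide when a password-change proxy should offer a password change. The sub-status codes are the ones Active Directory documents in the diagnostic message of a failed bind; the manual does not say how ACE Management Server derives its messages internally. The function and constant names and the sample diagnostic strings are constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Added example, not part of the ACE Management Server product or manual.
# Active Directory returns the reason for a failed LDAP simple bind in the
# result's diagnostic message, e.g.
#   80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580
# The hex value after "data" is the documented logon sub-status code.

AD_BIND_DATA_CODES = {
    0x525: "user_not_found",
    0x52E: "invalid_credentials",
    0x530: "logon_time_restriction",
    0x531: "workstation_restriction",
    0x532: "password_expired",
    0x533: "account_disabled",
    0x701: "account_expired",
    0x773: "password_must_change",
    0x775: "account_locked_out",
}

# Wording safe to show to the user of an ACE instance. "user not found" and
# "wrong password" deliberately share one message so the login prompt cannot be
# used to enumerate valid domain accounts; the precise state still goes to the log.
CLIENT_MESSAGES = {
    "user_not_found": "The user name or password is incorrect.",
    "invalid_credentials": "The user name or password is incorrect.",
    "logon_time_restriction": "Your account is not permitted to log on at this time.",
    "workstation_restriction": "Your account is not permitted to log on from this machine.",
    "password_expired": "Your password has expired and must be changed.",
    "account_disabled": "Your account is disabled. Contact your administrator.",
    "account_expired": "Your account has expired. Contact your administrator.",
    "password_must_change": "You must change your password before logging on.",
    "account_locked_out": "Your account is locked out. Contact your administrator.",
    "unknown": "Authentication failed.",
}

# States in which a password-change proxy can usefully offer a password change
# instead of simply rejecting the login.
PASSWORD_CHANGE_STATES = frozenset({"password_expired", "password_must_change"})

_DATA_RE = re.compile(r"AcceptSecurityContext error, data ([0-9A-Fa-f]+)")


class BindFailure(NamedTuple):
    data_code: Optional[int]      # raw AD sub-status, None if none was present
    state: str                    # symbolic account state for the audit log
    client_message: str           # text that may be shown to the end user
    offer_password_change: bool


def classify_bind_failure(diagnostic: str) -> BindFailure:
    """Map an AD bind diagnostic message to an account state and a safe client message."""
    match = _DATA_RE.search(diagnostic or "")
    if match is None:
        return BindFailure(None, "unknown", CLIENT_MESSAGES["unknown"], False)
    code = int(match.group(1), 16)
    state = AD_BIND_DATA_CODES.get(code, "unknown")
    return BindFailure(code, state, CLIENT_MESSAGES[state],
                       state in PASSWORD_CHANGE_STATES)


# Constructed sample diagnostics in the shape AD produces (not captured from a real DC).
SAMPLE_DIAGNOSTICS = [
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 532, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 525, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
    "Can't contact LDAP server",   # transport failure: no sub-status at all
]

if __name__ == "__main__":
    for diag in SAMPLE_DIAGNOSTICS:
        result = classify_bind_failure(diag)
        print(f"{result.state:24} offer_change={result.offer_password_change!s:5} {result.client_message}")
```

The split between `state` (logged in full) and `client_message` (shown to the user) is the point of the example: the manual promises clear messages for locked-out and expired accounts, and those can be given verbatim, but "no such user" and "wrong password" should reach the client as one and the same message.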

Security features include the following:

  • Communications between server and clients are encrypted; all client traffic travels over HTTPS.
  • Passwords are stored in the backing store in hashed form.
  • Flexible database options allow use of an embedded database or an external RDBMS to store ACE instance data and policies.


ACE Management Server is easy to install and configure. Client traffic can be proxied by readily available products. The server uses readily available software components:

  • Apache Web server 2.0
  • The default SQLite database store

The server setup uses industry-standard protocols:

  • HTTPS and LDAP
  • XML-RPC for message encapsulation

ACE Management Server offers extensibility and availability:

  • You can create and use more than one ACE Management Server. When you use more than one server, you can set the servers up so that they share the same database for load balancing or increased fault tolerance.
  • A Windows ACE Management Server can be on the same system as Workstation.
  • You can designate a single ACE Management Server name, such as https://ace.policyserver.company.com, and use DNS lookup to translate the host name to an address. The address is cached if a DNS server is not available. Additionally, you can use different ACE Management Server instances if users travel between offices in different geographic locations.

System Requirements

The following sections describe the ACE Management Server system requirements.

Required Hardware

  • A minimum of an 800 MHz compatible x86 or x86-64 architecture processor. Compatible processors include: Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including Prestonia), AMD Athlon, Athlon MP, Athlon XP, Duron, Opteron, AMD64 Opteron, and Athlon 64.
  • Experimental support for Intel IA-32e CPUs.
  • 40 MB of free space is required for basic installation. VMware recommends at least 10 GB of free disk space.
  • An 8-bit display adapter is required.
  • For local area networking, any Ethernet controller that the operating system supports is sufficient.

Supported Operating Systems

Following are the supported operating systems for ACE Management Server:

  • Windows Server 2003 Web Edition SP1 and SP2, Windows Server 2003 Standard Edition SP1 and SP2, Windows Server 2003 Enterprise Edition SP1 and SP2 (includes 64-bit and R2 editions)
  • Windows XP Professional (includes 64-bit editions)
  • Windows 2000 Server Service Pack 4 and Windows 2000 Advanced Server Service Pack 4
  • Red Hat Enterprise Linux Advanced Server 4.0 with Update 4
  • SUSE Linux Enterprise Server 9 Service Pack 3

NOTE Your server name must be either the machine name in English or the IP address. International characters are not supported.

  • 8/3/2019 Infoace Vmware

    11/66

    VMware, Inc. 11

    Chapter 1 Introduction

Supported External Databases

An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:

  • For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher, or Oracle Database 10g. If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
  • For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

Supported Proxies

You can deploy ACE Management Server with the following HTTPS proxy solutions:

  • Apache Proxy, using mod_proxy
  • Zeus Technology Load Balancer, a commercially available load balancer and traffic management solution

Required Web Browsers

The browser-based ACE Management Server Setup application and the VMware ACE Help Desk application require one of the following Web browsers:

  • Mozilla Firefox 1.52 or higher
  • Internet Explorer 6.0 or higher. Make sure that the Internet Explorer browser has TLS 1.0 checked to log in to the AMS web configuration page.

Licensing

You must configure the server and enter the serial number in the server setup Web application. If you do not, you cannot connect to the server in Workstation.

Your serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. Workstation and ACE instances cannot connect to an ACE Management Server with an expired or nonexistent license.

  • 8/3/2019 Infoace Vmware

    12/66

    ACE Management Server Administrators Manual

    12 VMware, Inc.

  • 8/3/2019 Infoace Vmware

    13/66

    VMware, Inc. 13

    2

This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices. This chapter includes the following topics:

  • Deployment Components on page 13
  • Performing Capacity Planning on page 15
  • Security Features and Considerations on page 17
  • Accessing ACE Management Server from Outside the Corporate Firewall on page 19
  • Deployment Planning Worksheet on page 19

Deployment Components

A typical ACE Management Server deployment has the following components:

  • One or more ACE Management Server instances. Configuring multiple servers to use the same database increases the number of ACE clients you can manage and guarantees high availability.
  • Database server. For production deployments, VMware recommends Oracle Database 10g or MS SQL for ACE Management Server installed on a Windows host, and Postgres for ACE Management Server installed on a Linux host.
  • (Optional) Active Directory domain controller. To enable the ACE Management Server Active Directory integration, you must configure ACE Management Server to communicate with your domain controller.
  • (Optional) HTTP load balancer. Use a load balancer to help scale the capacity of your ACE Management Server deployment.
  • (Optional) HTTP proxy. If clients will access ACE Management Server from outside the corporate firewall, VMware recommends using an HTTPS proxy in the DMZ. You can use ACE Management Server with Apache Proxy and Zeus Technology Load Balancer.

For an example of an ACE Management Server deployment, see Figure 2-1.


Figure 2-1. Comprehensive ACE Management Server Deployment

ACE Management Server offers convenience and flexibility in its setup options.

You can install the server on Windows or Linux hosts. For testing purposes, you can download and run the server as a virtual appliance. ACE Management Server includes its own security certificates and embedded database, but you can use an external database and use certificates from a certificate authority if you prefer. You can also configure ACE Management Server to use Active Directory for authentication.

Host System Options

You can install ACE Management Server on a Windows host, a Linux host, or as a virtual appliance. If you set up multiple ACE Management Server instances, they must all be the same type.

Windows Hosts

If you plan to integrate with Active Directory, VMware recommends that you install ACE Management Server on a Windows host.

The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system to integrate with Active Directory. Internal testing results indicate that the Windows implementation provides better performance than Linux.

Linux Hosts

You can install ACE Management Server on a Linux host and use Active Directory for authentication, even though performance is slower than on Windows hosts. If you plan to use a Linux host in production environments, use the Linux installer rather than the ACE Management Server appliance. If you do not have the supported Linux operating systems installed on a physical server, you can create a virtual machine, install a supported Linux operating system, and install ACE Management Server in the virtual machine.

Server Appliance Option

The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small Linux operating system in a virtual machine. The appliance is convenient and quick to set up in a testing environment but is not recommended for production environments.

By default, the appliance attempts to configure its network by using DHCP. If you do not want to use DHCP, you can use the browser-based ACE Management Server Setup application to configure the network settings. You can use the same interface to update the appliance when updates become available.

You must have access to a Web browser (Mozilla 1.52 or higher or Internet Explorer 6.0 or higher) to change network settings or obtain updates for the appliance.

[Figure 2-1 (diagram) shows: ACE Management Server (one or more); Active Directory domain controller (optional); database server; proxy for ACE Management Server service through corporate firewall (optional); load balancer (optional); WSAE client (within corporate network); ACE Player client (within corporate network); ACE Player client (outside corporate network). Links are labeled LDAP/Kerberos (to the domain controller), ODBC (to the database server), and HTTPS (all client, proxy, and load balancer connections).]

  • 8/3/2019 Infoace Vmware

    15/66

    VMware, Inc. 15

    Chapter 2 Planning an ACE Management Server Deployment

Database Options

ACE Management Server offers the following database options:

  • Embedded SQLite database. The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.

    The SQLite database is file-based and is not designed to be effectively shared across multiple processes. If you use third-party tools to access the database for a read operation, therefore, you cannot depend on transactional isolation of the pending write operations of the ACE Management Server.

    The embedded database is adequate for testing purposes, but VMware recommends that you use an external database in production environments.

  • Supported external database. In production environments, use a supported external database as a backing store for ACE Management Server, through ODBC connectivity. Supported external database engines are the following:

      • For Windows-based ACE Management Server, use Microsoft SQL Server (SQL Server 2000 or SQL Server 2005) or Oracle Database 10g installed on the same system or a different Windows system
      • For Linux-based ACE Management Server, use PostgreSQL 7.4 or higher installed on the same system or a different Linux system

Using an external database with ACE Management Server offers the following benefits:

  • Online backup, so that you do not have to shut down ACE Management Server to back up the database.
  • Enhanced security model. You can fine-tune permissions to access sensitive data. The SQLite database engine provides only file-system-based security.
  • Performance fine-tuning.
  • Ability to use external database management and reporting tools.
  • Ability to use load balancers with multiple ACE Management Server instances. You must use an external RDBMS as the backing store, because the SQLite database is not designed to be effectively shared across multiple processes.

Active Directory Authentication Options

Active Directory integration provides the following benefits:

  • Permits joining an operating system that is running an ACE instance to the domain remotely.
  • Provides search functions so you can quickly find a particular individual or group.
  • Enables you to use Active Directory Users and Groups to configure role-based access to the features of ACE Management Server.

Performing Capacity Planning

ACE Management Server enables you to manage ACE instances and policies in real time. The number of clients that a single ACE Management Server can serve depends on several key factors:

  • Database throughput and scalability
  • LDAP throughput (if you are using Active Directory)
  • Network bandwidth available for incoming client requests
  • ACE policy configuration
  • Load balancers for very large deployments (more than 5,000 clients)

NOTE If ACE Management Server is deployed in the DMZ, use an external database located inside your corporate network behind a firewall.

Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.

Database Throughput and Scalability

For production deployments, VMware recommends that you use Oracle, MS SQL, or Postgres as your database platform.

More than 95 percent of the storage space that an ACE Management Server requires is used to log event information, which is an audit trail of all transactions performed through ACE Management Server. Table 2-2 lists recommended database sizes based on the number of clients being served.

The figures in the table are based on a 90-day database archival period. Back up the database records every 90 days and keep event logs for 90 days. You can configure ACE Management Server to purge event logs every 90 days.

The authentication event generates most of the data, because an event is generated every time someone attempts to authenticate to ACE Management Server. You can configure ACE Management Server to log less event information. See Logging Events on page 36.

LDAP Throughput

ACE Management Server can communicate with your Active Directory domain controller to authenticate user credentials. Your domain controller infrastructure must be able to handle the LDAP traffic required to support the number of clients that you anticipate.

Integrating with Active Directory through LDAP is implemented differently in the Windows ACE Management Server than in the Linux-based ACE Management Server. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.

Table 2-1. Number of Clients Supported

  Hardware                                          Recommended Clients
  2 GHz AMD 2-way server (Opteron 280, 4 GB RAM)    6,000
  2 GHz Intel 2-way desktop machine (4 GB RAM)      4,000

Table 2-2. Database Storage Recommendations

  Number of Clients    Recommended Database Size
  100                  50 MB
  1,000                500 MB
  10,000               5,000 MB

  • 8/3/2019 Infoace Vmware

    17/66

    VMware, Inc. 17

    Chapter 2 Planning an ACE Management Server Deployment

Network Bandwidth and Policy Update Frequency

The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.

VMware recommends that for large deployments (more than 5,000 clients), you increase the time between policy updates by clients, because this reduces the amount of required bandwidth.

Table 2-4 shows the bandwidth needed when the policy update frequency value is set to 30 minutes.

The amount of network bandwidth required can also be higher if your policy set is very complex.

VMware recommends that you have a separate network link between ACE Management Server and your database server, so that traffic coming and going from ACE Management Server to its clients does not interfere with the traffic to and from your database server.

ACE Policy Configuration

The configuration of ACE policies can affect performance. The following settings increase the amount of data that is transferred between ACE Management Server and ACE Player:

  • Host policies. Enabling host policies (such as host network quarantine) requires that a host-side daemon retrieves the host policies from the ACE Management Server.
  • Complex network quarantine policies. If the set of rules that makes up your network quarantine is very large, the transfer of these rules from the ACE Management Server to the clients can affect scalability.

The numbers shown in Table 2-3 and Table 2-4 are estimates of required bandwidth given average-size rule sets for network quarantine. You can view the size of your policy set by examining the ACE file directory and checking the size of the .vmpl file. An average policy set is 15 KB or less.

Load Balancers

The ACE Management Server client-server protocol is built on top of the HTTPS protocol. You can use HTTP load balancing software and hardware solutions to scale an ACE Management Server deployment beyond the capacity of a single server (or for high-availability deployments).

ACE Management Server scales in a linear fashion when an enterprise-grade HTTPS load balancer is used. See Chapter 5, Load Balancing Multiple ACE Management Server Instances, on page 39.

Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes

  Number of Clients    Bandwidth Required
  100                  0.125 Mbit/s
  1,000                1.25 Mbit/s
  10,000               12.5 Mbit/s

Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes

  Number of Clients    Bandwidth Required
  100                  0.04 Mbit/s
  1,000                0.4 Mbit/s
  10,000               4 Mbit/s

  • 8/3/2019 Infoace Vmware

    18/66

    ACE Management Server Administrators Manual

    18 VMware, Inc.

Security Features and Considerations

By default, ACE Management Server uses the Secure Sockets Layer (SSL) protocol to provide encrypted and secure communications.

Following is an overview of security features and recommendations on how to configure the ACE Management Server to avoid security problems:

  • Traffic to and from clients is protected by HTTPS. By default, ACE Management Server creates a self-signed certificate when you install it, to use for HTTPS traffic. These certificates are secure, but you can also configure ACE Management Server to use your own certificate and key pairs.
  • Traffic from ACE Management Server to Active Directory is encrypted. If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. LDAP traffic is encrypted at the application layer. Credentials are protected by using the Kerberos protocol to authenticate credentials.
  • Sensitive configuration options are encrypted. Passwords stored in the configuration file are encrypted.
  • Database security. The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.

SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient. URLs that require an SSL connection start with https.

During ACE Management Server installation, the following two files are created:

  • server.key: An RSA 1024-bit key; this is the private key.
  • server.crt: A self-signed certificate. Its signature is verified by the public key, which is embedded in the certificate. This public certificate is valid for 10 years from the date and time at which the server is installed. The certificate file is encoded in PEM format.

By default, these files are stored in the SSL directory in the VMware ACE Management Server program directory.

VMware Player, which runs the ACE instances, does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. Using self-signed certificates is adequate for most security needs.

You can, however, use a certificate issued by a certificate authority. If you have multiple ACE Management Server instances, you can use one certificate for all or you can use a different certificate on each one.

Using SSL Certificates and Protocol

When an ACE-enabled virtual machine connects to an ACE Management Server, it downloads the public certificate for that server and any chain of certificates required to verify the server's public certificate. A server certificate might have a chain of several certificates that must be verified step by step until the verification process reaches the root, or trusted, certificate in the certificate store. The first time a connection is made to a server by any ACE-enabled virtual machine on a Workstation administrator machine, the certificate and its verification chain are downloaded to the Workstation host system.

The store or collection of certificates that is downloaded when an ACE-enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE-enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server. It verifies that the certificates that are in the ACE package match those that the server provides. If they do not match exactly, VMware Player displays an error message and does not run the instance.

VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.

If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key/certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public key certificates, typically for a fee.

Accessing ACE Management Server from Outside the Corporate Firewall

All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management Server traffic.

Because of the number of data connections that the ACE Management Server must make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.

Figure 2-2. Recommended Deployment for External Access

ACE Management Server can be deployed with the following HTTPS proxy solutions:

- Apache Proxy using mod_proxy
- Zeus Technology Load Balancer: a commercially available load balancer and traffic management solution

Avoid the following problems when you use a proxy for traffic into an ACE Management Server:

- SSL termination: If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy server and ACE Management Server. Or, use the ACE Management Server certificate chain to embed the HTTPS proxy certificate verification chain in the ACE package. An example of a proxy server that terminates SSL connections is Apache Proxy. The Zeus load balancing products support SSL pass-through, which means that the SSL connection is terminated at ACE Management Server.

- Multiple ACE Management Server SSL certificates: If you are deploying multiple ACE Management Server instances behind a load balancing solution, all ACE Management Server instances must use the same SSL key and certificate pair. You can also use the ACE Management Server certificate chain feature to embed every SSL certificate verification chain into the ACE package.

- DNS resolution: When you create an ACE-enabled virtual machine, you must specify a host name for ACE Management Server. This host name must resolve to the appropriate IP address for both internal and external clients. Internally, it can resolve to ACE Management Server itself. Externally, it can resolve to the HTTPS proxy server.

Because the traffic coming into ACE Management Server is plain HTTPS traffic and the server is stateless, you can deploy many other configurations to provide external access to an ACE Management Server. When you design your deployment, think of ACE Management Server as a Web server with secure traffic.

[Figure 2-2 elements: external client, external firewall, HTTPS proxy server, internal firewall, AMS server; HTTPS traffic (443) on both the external and the internal leg; back-end connections from the AMS server labelled ODBC, NETBIOS (port 137), DNS, KRB5 (port 88), and LDAP (port 389).]
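The exact-match check described above, and the reason the SSL-termination caveat in the proxy section matters, as an added Python example that is not VMware's code and not part of this manual. It models the packaged certificate store as a PEM bundle and compares it with the chain a server presents by SHA-256 fingerprint of each certificate's DER form. The certificate contents, the host names ams.corp.example and proxy.corp.example, and the function names are all constructed for the example.

```python
"""Added example (not VMware's code): compare the certificate store packaged
with an ACE instance against the chain a server presents. As the manual
describes for VMware Player, nothing less than an exact match passes."""
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return the individual PEM certificate blocks found in a bundle."""
    return PEM_BLOCK.findall(text)


def fingerprint(pem):
    """SHA-256 fingerprint (hex) of the DER form of one PEM certificate."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def chain_matches(packaged_bundle, presented_bundle):
    """Compare the packaged store with the presented chain.

    Returns (ok, missing, extra): ok is True only when both contain exactly
    the same certificates; missing lists fingerprints the server did not
    present, extra lists fingerprints the package does not contain."""
    packaged = {fingerprint(p) for p in split_pem_bundle(packaged_bundle)}
    presented = {fingerprint(p) for p in split_pem_bundle(presented_bundle)}
    missing = sorted(packaged - presented)
    extra = sorted(presented - packaged)
    return (not missing and not extra), missing, extra


def _fake_pem(label):
    """Constructed sample: arbitrary bytes wrapped as PEM so the example runs
    offline. Real certificates are ASN.1 DER, not text."""
    body = base64.encodebytes(b"constructed DER for " + label).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body
            + "-----END CERTIFICATE-----\n")


ROOT = _fake_pem(b"Corp Root CA")
INTERMEDIATE = _fake_pem(b"Corp Issuing CA")
AMS_SERVER = _fake_pem(b"ams.corp.example")      # hypothetical AMS host
PROXY_SERVER = _fake_pem(b"proxy.corp.example")  # hypothetical DMZ proxy

# What was saved in the ACE Resources directory when the package was built.
PACKAGED_STORE = AMS_SERVER + INTERMEDIATE + ROOT


def direct_connection():
    """AMS presents the same chain that was packaged: accepted."""
    return chain_matches(PACKAGED_STORE, AMS_SERVER + INTERMEDIATE + ROOT)


def proxy_terminates_ssl_with_own_cert():
    """A DMZ proxy terminating SSL with its own certificate fails the exact
    match unless that certificate was embedded in the package (or the proxy
    uses the same key and certificate as AMS)."""
    return chain_matches(PACKAGED_STORE, PROXY_SERVER + INTERMEDIATE + ROOT)


if __name__ == "__main__":
    for name, fn in (("direct", direct_connection),
                     ("proxy-terminated", proxy_terminates_ssl_with_own_cert)):
        ok, missing, extra = fn()
        print(f"{name}: {'OK' if ok else 'MISMATCH'} "
              f"(missing {len(missing)}, unexpected {len(extra)})")
```

Comparing fingerprints rather than subject names is deliberate: a proxy certificate issued for the same host name by the same CA would still be a different certificate, and the manual states that the instance refuses to run on anything but an exact match.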


Deployment Planning Worksheet

Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.

Table 2-5. Worksheet for ACE Management Server in a Production Environment

Component: Active Directory integration
  Considerations: Performance is better when the ACE Management Server is installed on a Windows host. See also "Create Users and Groups for Integration with Active Directory" on page 29.
  Decision: Use Active Directory? ________ If yes, name of user account for ACE Management Server to query the Active Directory database: __________________ Fully qualified domain name of the LDAP server: _______________________

Component: ACE Management Server
  Considerations: If you use multiple servers, all must be installed on the same platform. For capacity planning, see "Number of Clients Supported" on page 16.
  Decision: Use Windows or Linux hosts? _____________ How many servers? ____________

Component: Database server
  Considerations: The database server must be compatible with the ACE Management Server host. See "Supported External Databases" on page 11.
  Decision: MS SQL, Oracle, or PostgreSQL database? ____________________________

Component: Load balancer
  Considerations: Use a load balancer for large deployments or for high availability. It must support HTTPS and requires an external database. See "Load Balancers" on page 17.
  Decision: Use a load balancer? ________

Component: Proxy
  Considerations: If ACE clients will contact ACE Management Server from outside the firewall, use a proxy. See "Accessing ACE Management Server from Outside the Corporate Firewall" on page 19.
  Decision: Use a proxy? __________ Apache Proxy or Zeus Technology Load Balancer? ________________________

Component: SSL certificates
  Considerations: If you use multiple servers and plan to use a different SSL certificate for each one, you must create or send for the certificates. ACE Management Server supports only public key certificates that are signed using the SHA-1 algorithm. See "Using SSL Certificates and Protocol" on page 18.
  Decision: Which type of certificate: self-signed, third-party, or internal CA (certificate authority)? ___________________ Number of certificates? __________

Component: Ports
  Considerations: For Active Directory, use port 389. For the ACE Management Server appliance, use port 8080. See "Change the Port Assignment for ACE Management Server" on page 51 and "Accessing ACE Management Server from Outside the Corporate Firewall" on page 19. Port 8000 for configuring the ACE Management Server. Port 443 for client requests.
  Decision: Which additional ports? ______________


Chapter 3 Installing and Configuring ACE Management Server

This chapter includes the following topics:

- "Preparing for Installation" on page 21
- "Installing and Upgrading ACE Management Server" on page 22
- "Verify That the Apache Service Is Started or Restarted" on page 25
- "Start and Configure ACE Management Server" on page 26
- "Log In to ACE Management Server" on page 26

Preparing for Installation

Before you install ACE Management Server, you must plan your deployment. Complete the following tasks:

1 To determine which type of ACE Management Server installer to use, how many servers to install, and which deployment components to include, see Chapter 2, "Planning an ACE Management Server Deployment," on page 13.

2 To configure your Web browser to use Transport Layer Security (TLS), see "Configure TLS in Your Browser" on page 21.

3 To synchronize the clock on the host system with the client system, use Network Time Protocol (NTP).

4 To choose an HTTPS port for the host on which you plan to run ACE Management Server, see Table 3-1.

Table 3-1. Port Assignments, Default Settings, for ACE Management Server

HTTPS Port Number   Description
443                 Communications between ACE Management Server and ACE instances
8000                ACE Management Server Setup (configuration) Web application; ACE Help Desk Web application
8080                ACE Management Server Appliance configuration

NOTE If another Web server is installed that uses any of these default ports, you might need to resolve the conflict.
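A pre-installation check for the port conflict the note warns about, as an added Python example that is not VMware's code and not part of this manual. It tries to bind each default port from Table 3-1 and reports the ones that are already taken (or that the current account may not bind); the function names and the helper that opens a demonstration listener are the example's own.

```python
"""Added example (not VMware's code): report which of the Table 3-1 default
ports are already in use on this host before installing ACE Management
Server."""
import errno
import socket

# Default HTTPS port assignments from Table 3-1.
DEFAULT_PORTS = {
    443: "ACE Management Server <-> ACE instances",
    8000: "ACE Management Server Setup and Help Desk Web applications",
    8080: "ACE Management Server Appliance configuration",
}


def port_status(port, host="0.0.0.0"):
    """Try to bind the port and report 'free', 'in use' or 'no permission'.

    Binding (rather than connecting) finds any listener on the port without
    sending traffic to it; low ports need administrative rights to bind."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in use"
            if exc.errno == errno.EACCES:
                return "no permission"
            raise
    return "free"


def find_conflicts(ports=DEFAULT_PORTS, host="0.0.0.0"):
    """Return {port: status} for every port that is not free."""
    conflicts = {}
    for port in ports:
        status = port_status(port, host)
        if status != "free":
            conflicts[port] = status
    return conflicts


def open_listener(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port; used only to demonstrate
    detection of an occupied port. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    conflicts = find_conflicts()
    for port, purpose in DEFAULT_PORTS.items():
        print(f"{port:5d}  {conflicts.get(port, 'free'):14s} {purpose}")
```

Run it on the intended host before installing; a port reported as in use means another Web server (or an earlier installation) already owns it, and that is the conflict to resolve first.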


Configure TLS in Your Browser

Transport Layer Security (TLS) must be configured on your Web browser to operate ACE Management Server.

To configure TLS in your browser

Depending on the type of browser, do one of the following:

- For an Internet Explorer browser:
  a Choose Tools > Internet Options > Advanced and scroll down to Security.
  b Select the Use TLS 1.0 check box and click OK.

- For a Mozilla browser:
  a Choose Tools > Options > Advanced.
  b Select the Use TLS 1.0 check box and click OK.

Installing and Upgrading ACE Management Server

You can install one or more ACE Management Server instances to service the ACE instances in your enterprise. If you set up multiple ACE Management Server instances, they all must be installed on either Windows hosts or Linux hosts, or all must be installed as appliances.

To upgrade from ACE Management Server 2.0 to 2.6, use the same procedure as for installing the server for the first time. When the installer detects an earlier version, it uninstalls the old version before installing the new one. Configuration settings are preserved.

For production deployments, VMware recommends that ACE Management Server be installed on either a dedicated server or a virtual platform with sufficient available resources to ensure performance and stability. System requirements depend almost exclusively on the number of ACE instances being supported and the frequency with which they are configured to communicate with the server. For more information about VMware performance testing, see "Performing Capacity Planning" on page 15.

However, ACE Management Server was tested and can be installed on desktop or workstation platforms to support a small number of clients or non-production evaluations.

Install an ACE Management Server on a Windows Host

Installing ACE Management Server on a Windows host involves downloading and running an installation wizard. You can install ACE Management Server on the following Windows systems:

- Windows Server 2003
- Windows XP Professional (includes 64-bit editions)
- Windows 2000 Server

Before you begin, make sure the clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 21.

Use this installation procedure to install or update ACE Management Server software.

To install an ACE Management Server on a Windows host

1 Download the VMware-ACE-Management-Server.exe file from the VMware Web site and save the file on the system that is to host the server.

The file is available as a separate downloadable file in the same download location as the Workstation application.

2 Double-click the VMware-ACE-Management-Server.exe file to start the installation wizard.


3 Follow the prompts in the installation wizard.

4 If you are using a computer that has a firewall enabled and you see a message at the end of the installation asking whether you want to unblock the Apache service, choose Unblock.

ACE Management Server does not work properly if you do not unblock the Apache service.

After ACE Management Server is installed, you can configure it. See "Start and Configure ACE Management Server" on page 26.

Install ACE Management Server on a Linux System

You can install ACE Management Server on the following Linux systems:

- Red Hat Enterprise Linux 4
- SUSE Linux Enterprise Server 9 SP3

Before you begin, make sure the system meets these requirements:

- A working installation of Apache 2.0 is installed on the system. (The RPM for a Web server is included with the Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 installation.)
- The Apache Web service is operating normally and is receiving requests for SSL HTTP.
- The mod_ldap and mod_ssl modules are available on your system.
- The following packages are installed on your Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 system: curl, openldap, openssl, apache, and gdbm.
- For SUSE Linux Enterprise Server 9, the cyrus-sasl-gssapi package is installed. This package is not installed by default.
- When you use the external database option, the following packages are required as well:
  - Red Hat Enterprise Linux 4: unixODBC
  - SUSE Linux Enterprise Server 9: unixODBC and, if you plan to use the X11 graphical configuration tool, unixODBC-gui-qt
- The clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 21.

Use this installation procedure to install or update ACE Management Server software.

To install ACE Management Server on a Linux system

1 Download the .rpm file from the VMware Web site and save the file on the system that is to host the server.

The file is available as a separate downloadable file in the same download location as the Workstation application.

2 Run the Red Hat or SUSE Linux RPM installer for ACE Management Server:

vmware-ace-management-server-.i386-rhel4.rpm
vmware-ace-management-server-.i386-sles9.rpm

For example:

rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm


3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:

a Open the following file with a text editor:

/etc/sysconfig/apache2

b Add the ldap config option to the APACHE_MODULES variable.

c Save and close the file.

After ACE Management Server is installed, you can configure it. See "Start and Configure ACE Management Server" on page 26.

Install an ACE Management Server Appliance

The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small operating system in a virtual machine. Although the appliance is adequate for test environments, VMware recommends that you do not use it in production environments.

Before you begin, make sure the clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 21.

To install an ACE Management Server appliance

1 Download the .zip file for the appliance from the VMware Web site and save the file on the system that is to host the server.

2 Extract the files to the directory where the server is to be located.

3 Start Workstation, choose File > Open, and select the ams_appliance.vmx file.

4 Click the Power On button to start the virtual appliance.

5 At the password prompt, enter a password and confirm it.

This password is used for both root and network accounts. Make a note of this password so that you can use it for later appliance management operations from the console and the Web.

The appliance configures its network by using DHCP. The console view displays the following information:

- Current network settings
- URLs for remotely administering the appliance and configuring the ACE Management Server itself

If you press Return at the login prompt, the information appears again.

6 At the time zone prompt, accept the current setting or make a change as needed.

7 (Optional) To configure the server to use a static IP address or to specify a proxy server, use the Appliance Management and Configuration application, as follows:

a Leave the ACE Management Server appliance running.

b Browse to https://:8080.

c In the connection dialog box, type root in the user name field and your network or root password in the password field.

d Click the Network link on the first page of the browser-based ACE Management Server Setup application.

e To view instructions about configuring network settings, click the Help link in the upper-right corner of the Web page.

f After you change network settings, click Apply.


8 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:

a Leave the ACE Management Server appliance running.

b Browse to https://:8080.

c In the connection dialog box, type root in the user name field and your network or root password in the password field.

d Click the Update link on the first page of the Appliance Configuration and Management Web application and complete the Appliance Update page.

e To view instructions about configuring update options, click the Help link in the upper-right corner of the Web page.

9 When you finish configuring any network or update settings, navigate to the ACE Management Server Setup Web application to configure the server.

To access that application, choose one of these methods:

- From the Appliance Management and Configuration Web application page, click the ACE Login link in the upper-right corner of the page.
- From a command prompt window, close the window, open a browser, and enter the URL for the ACE Management Server Setup Web application:

https://:8000/

10 Click Configuration to open the Web application.

Verify That the Apache Service Is Started or Restarted

If you installed ACE Management Server on a Linux host, verify that the Apache service is started before you attempt to log in.

For troubleshooting purposes, you might occasionally need to manually restart the Apache service that ACE Management Server uses.

To verify that the Apache service is started or restarted

Do one of the following:

- On Windows hosts:

a Click the Apache icon in the taskbar.

b Select Apache2 in the menu that appears.

c Choose the appropriate command:

  - To start the service if it is stopped, click Start. If the service is already started, this command is unavailable.
  - To restart, click Stop and then click Start. Ensure that you click Stop and Start rather than Restart.

- On SUSE Linux Enterprise Server 9 hosts or in the virtual machine that contains the ACE Management Server appliance:

a Open a terminal window on the host or in the virtual machine.

b As root, enter the following command:

/etc/init.d/apache2 status

If the status is started, you can log in to ACE Management Server. See "Start and Configure ACE Management Server" on page 26.


c Enter the appropriate command:

  - To start the service if it is stopped, enter the following command:

/etc/init.d/apache2 start

  - To restart the service, enter the following commands:

/etc/init.d/apache2 stop
/etc/init.d/apache2 start

- On Red Hat Enterprise Linux 4:

a Open a terminal window on the host or in the virtual machine.

b As root, enter the following command:

/etc/init.d/httpd status

If the status is started, you can log in to ACE Management Server. See "Start and Configure ACE Management Server" on page 26.

c Enter the appropriate command:

  - To start the service if it is stopped, enter the following command:

/etc/init.d/httpd start

  - To restart the service, enter the following commands:

/etc/init.d/httpd stop
/etc/init.d/httpd start

Start and Configure ACE Management Server

Before you begin, make sure that the following prerequisites are satisfied, as applicable:

- If you installed ACE Management Server on a Linux host or are using the ACE Management Server appliance, verify that the Apache server is running. See "Verify That the Apache Service Is Started or Restarted" on page 25.
- If this is the first time you are logging in, make sure you have the serial number for the product. The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.
- If you plan to use an external database, Active Directory integration, or custom SSL certificates, you must perform some setup tasks before you can configure ACE Management Server. See the following topics, as applicable:
  - "Create Users and Groups for Integration with Active Directory" on page 29
  - "Set Up an External Database" on page 30
  - "Prepare Custom Security Certificates" on page 33

To start and configure ACE Management Server

1 Open a Web browser and go to https://:8000.

The host portion of the URL can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.

If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.

2 Accept the license agreement and click Start.

The configuration tabs appear as they do in subsequent logins, but for the first login, wizard buttons such as Next and Back also appear.


3 Complete the information on each tab and click Next.

The only fields that require changes and do not have default settings are the Serial Number field on the Licensing tab and the Administrator password on the Access Control tab.

For information about specific fields and tabs, click Help on the tab.

Log In to ACE Management Server

The first time you log in to ACE Management Server, you must set a password. The next time you log in, you must provide that password, or provide Active Directory credentials if you configured the server to use Active Directory for authentication.

Communications between Workstation and ACE Management Server take place over a secure SSL connection.

If the server is integrated with Active Directory service, enter your administrative credentials in one of the formats shown in Table 3-2.

To log in to ACE Management Server

1 Open a Web browser and go to https://:8000.

The host portion of the URL can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.

If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.

2 Do one of the following:

- To configure ACE Management Server, click Configuration.
- To view and take actions on ACE instances managed by this server, click Help Desk.

Table 3-2. Login Options When Using Active Directory Service

Option: long name + password + domain name
  Description: The long name is the format.
  Example: John Doe

Option: long name + password
  Description: The long name is the format. Leave the Domain field blank.
  Example: John Doe

Option: short name + password + domain
  Description: The short name is the sAMAccountName.
  Example: ace (the short form of the long name ACE User)

Option: short name + password
  Description: The short name is the sAMAccountName. Leave the Domain field blank.
  Example: ace (the short form of the long name ACE User)

Option: email address + password
  Description: You can only use this option for a domain that is accessed through a direct connection. Leave the Domain field blank.
  Example: [email protected]

Option: NETBIOSDOMAINNAME\username + password
  Description: The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS). Leave the Domain field blank.

Option: username + password + NETBIOSDOMAINNAME
  Description: The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS).


3 Enter login credentials.

If you use Active Directory for authentication, see Table 3-2. In multidomain environments, you might be required to enter a domain (for example, eng.com).


Chapter 4 Configuration Options for ACE Management Server

After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.

This chapter includes the following topics:

- "Prerequisites for Configuring the Server" on page 29
- "Starting ACE Management Server Configuration" on page 34
- "Viewing and Changing Licensing Information" on page 35
- "Using an External Database" on page 35
- "Creating Access Control" on page 36
- "Uploading Custom SSL Certificates" on page 36
- "Logging Events" on page 37
- "Applying Configuration Settings" on page 37

Prerequisites for Configuring the Server

If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before you configure the ACE Management Server.

Create Users and Groups for Integration with Active Directory

To use Active Directory for authenticating users, add users to an Active Directory group and create a user so that ACE Management Server can query LDAP.

When you configure ACE Management Server to use LDAP, follow these guidelines to avoid negatively affecting performance:

- The default domain is the domain for which the LDAP host is a domain controller.
- The query user is a user in the default domain.
- The admin user group is a group that exists in the default domain.

Integrating with Active Directory through LDAP is implemented differently in the Windows-based ACE Management Server than in the Linux-based ACE Management Server. The operating systems differ in the libraries they use to connect to Active Directory and the external databases they support. The Windows ACE Management Server uses the WinLDAP library bundled with the Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than the Linux implementation.


To create users and groups for integration with Active Directory

1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying. Make a note of the sAMAccountName value for that user (for example, aceuser).

2 Create an ACE Administrators group in the domain.

3 Add ACE administrator users to the ACE Administrators group.

4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.

You can log in to the Help Desk Web application with your administrative LDAP credentials or password. Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does not give them access to other administrative tools.

Set Up an External Database

Before you begin, make sure that you have one of the following supported database servers:

- For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g

  If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.

- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

  Before you install the database on a Linux host, make sure the unixODBC RPM package is installed on the Linux system. VMware recommends that you update the package to the latest version released for your specific Linux distribution. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API.

  The package contains the libodbc shared library, providing the ODBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both Red Hat Enterprise Linux and SUSE Linux Enterprise Server 9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package.

  Also, make sure the unixODBC-gui-qt package is installed (this utility is included in the Red Hat Enterprise Linux unixODBC package). This package is required to use the ODBCConfig X11 graphical configuration tool for setting up a data source name (DSN).

To set up an external database

1 Install a database server on a host.

The external database does not have to be installed on the same server as ACE Management Server, but it must be installed on the same platform. For example, if ACE Management Server is installed on a Windows host, the database server must also be installed on a Windows host.

ACE Management Server creates the database schema automatically if proper access rights are granted.

2 Configure the database.

Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages.

All tables that are created in the database have a name starting with a PolicyDb_ prefix and indexes with PdbIns_ or PdbLf_ prefixes. You might provide ACE Management Server with a DSN to a database that it shares with some other application, if the database count is at a premium.


3 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:

- TCP connectivity is enabled in the database configuration options.
- The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.
- If you are using a PostgreSQL database, configure per-user permission to connect to the database over the network. Configure that permission in the pg_hba.conf file, which is located in the root folder of your database.

4 (Optional) On the ACE Management Server machine, to verify the server's connectivity to the database with the configured user credentials, run a command-line or graphical SQL tool.

Examples of such tools are sqlcmd.exe for SQL Server, sqlplus.exe for Oracle, and psql for PostgreSQL. For database configuration and verification instructions, see the respective database documentation.

5 On the ACE Management Server machine, create a System DSN entry.

Creating a System DSN Entry for an External Database

The only required information in DSN configuration is the DSN name, server IP address or host name, and the database name. You do not need to provide a user name and password in the DSN configuration. You provide a user name and password later, when you use the ACE Management Server Setup application.

Ensure that you create a system DSN and not a user DSN. If you create a user DSN, it is visible only to your user account. ACE Management Server runs under the local system account, so the server cannot detect or use a user DSN.

Create a System DSN Entry for a Windows Database

Regardless of whether the host is 32-bit or 64-bit, you create a DSN entry for a 32-bit system.

Before you begin, to determine the correct ODBC driver, see your operating system and database documentation.

To create a System DSN entry for a Windows database

1 Do one of the following:

- On 32-bit hosts, use the ODBC Data Sources plug-in by choosing Control Panel > Administrative Tools > Data Sources (ODBC).
- On 64-bit hosts, navigate to %WINDIR%\syswow64\odbcad32.exe and use that program to create a System DSN entry for a 32-bit subsystem.

ACE Management Server does not support ODBC using an SQL Native Client driver on Windows 64-bit systems.

2 Create an entry that includes the DSN name, server IP address or host name, and the database name.

3 (Optional) If the DSN Setup wizard provides an option to test the connection, verify that the connection works with the database user credentials.

4 Make a note of the database DSN, user name, and password.

You can now use the browser-based ACE Management Server Setup application to connect to this database.


Create a System DSN Entry for a Linux Database

On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in.

Before you begin, determine the correct ODBC driver:

- On Red Hat Enterprise Linux, the driver is located at /usr/lib/libodbcpsql.so.
- On SUSE Linux Enterprise Server 9, the driver is located at /user/lib/unixODBC/libodbcpsql.so.2.

The DSN configuration for the unixODBC package is stored in the /etc directory (/etc/unixODBC for SUSE Linux Enterprise Server).

If you are using the ACE Management Server appliance, see "Set Up a Connection Between the Server Appliance and an External Database" on page 33.

You use the odbc.ini file for creating DSNs and the odbcinst.ini file for driver and general ODBC system configuration.

To create a System DSN entry for a Linux database

1 As root, use the ODBCConfig utility to create a System DSN entry.

You also must configure the server address and the database name in the DSN settings. For information about using unixODBC, see the unixODBC Project Web page.

The ODBCConfig utility makes changes to the odbc.ini and odbcinst.ini files.

2 Make a note of the database DSN, user name, and password.

You can now use the browser-based ACE Management Server Setup application to connect to this database.

    Increase the Number of Database Connections Allowed

    For optimal server performance, ACE Management Server starts multiple parallel threads (on Windows) or
    processes (on Linux) listening for the incoming connections from the clients. Every client connection typically
    runs a database transaction, so it needs to open a database connection.

    ACE Management Server usually requires as many database connections as it does parallel threads or
    processes for client connections. If the server runs out of database connections, the clients might start
    receiving connection errors.

    Following is a list of the locations for the Apache configuration file and the typical default number of
    connections:

    Platform                         Location                                                        Client Connections
    Windows                          C:\Program Files\VMware\VMware ACE Management Server\Apache2\   250 (WinNT MPM section)
                                     conf\httpd.conf
    Red Hat Enterprise Linux         /etc/httpd/conf/httpd.conf                                      256 (prefork MPM section)
    SUSE Linux                       /etc/apache2/server-tuning.conf                                 150 (prefork MPM section)
    ACE Management Server appliance  /etc/httpd/apache2.conf                                         20 (prefork MPM section)

    The default installation of the PostgreSQL database on Red Hat Enterprise Linux allows 100 remote
    connections, which is less than the number of parallel threads that the Apache server starts by default on the
    same platform. Change this number if you expect a high volume of client requests to your server (more than
    100 active clients).


    To increase the number of database connections allowed

    1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of
    parallel threads or processes that might start at the same time.

    2 Configure the database to allow as many connections as the Apache server.

    See your database documentation.
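    A check for steps 1 and 2, added here as an example and not part of the manual: it reads the worker limit out of the MPM section of an httpd.conf, reads the connections a PostgreSQL server will actually grant to ordinary clients out of a postgresql.conf, and compares the two. It goes slightly beyond the page by also recognising the Apache 2.4 directive MaxRequestWorkers and by subtracting PostgreSQL's superuser_reserved_connections. The configuration files below are constructed samples; the real locations are the ones in the table above.

```shell
#!/bin/sh
# Added example (not from the VMware manual): compare the Apache worker limit
# with the PostgreSQL connection limit before raising either. Sample configs
# are constructed below; real paths are the ones in the manual's table.

# Worker limit from the MPM section Apache actually uses: MaxClients (2.2) or
# MaxRequestWorkers (2.4) under prefork, ThreadsPerChild under winnt. Other
# MPM sections (worker, event) are ignored because only one MPM is loaded.
apache_limit() {  # apache_limit HTTPD_CONF -> prints the limit (0 if not found)
    awk '
        /^[ \t]*<IfModule[ \t]+(prefork\.c|mpm_prefork_module|mpm_winnt\.c|mpm_winnt_module)>/ { insec = 1; next }
        /^[ \t]*<\/IfModule>/ { insec = 0 }
        insec && ($1 == "MaxClients" || $1 == "MaxRequestWorkers" || $1 == "ThreadsPerChild") {
            if ($2 + 0 > max) max = $2 + 0
        }
        END { print max + 0 }
    ' "$1"
}

# Connections non-superuser clients can actually use: max_connections minus
# superuser_reserved_connections (PostgreSQL defaults 100 and 3 when unset).
pg_limit() {  # pg_limit POSTGRESQL_CONF -> prints usable connections
    awk '
        function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t#].*$/, "", s); return s + 0 }
        /^[ \t]*max_connections[ \t]*=/                { m = val($0); mset = 1 }
        /^[ \t]*superuser_reserved_connections[ \t]*=/ { r = val($0); rset = 1 }
        END { if (!mset) m = 100; if (!rset) r = 3; print m - r }
    ' "$1"
}

# Return 0 when the database can serve every Apache worker at once, 1 otherwise.
connections_ok() {  # connections_ok HTTPD_CONF POSTGRESQL_CONF
    a=$(apache_limit "$1"); d=$(pg_limit "$2")
    echo "apache workers: $a  usable database connections: $d"
    [ "$d" -ge "$a" ]
}

# ---- constructed sample files (Red Hat style httpd.conf, default postgresql.conf)
WORK=$(mktemp -d)
cat > "$WORK/httpd.conf" <<'EOF'
<IfModule prefork.c>
StartServers       8
ServerLimit      256
MaxClients       256
</IfModule>
<IfModule worker.c>
MaxClients       300
</IfModule>
EOF
cat > "$WORK/httpd-win.conf" <<'EOF'
<IfModule mpm_winnt_module>
ThreadsPerChild      250
MaxRequestsPerChild    0
</IfModule>
EOF
cat > "$WORK/postgresql.conf" <<'EOF'
#max_connections = 100
max_connections = 100          # (change requires restart)
EOF
# The corrected setting: room for 256 workers plus the reserved superuser slots.
cat > "$WORK/postgresql-fixed.conf" <<'EOF'
max_connections = 300
superuser_reserved_connections = 3
EOF

connections_ok "$WORK/httpd.conf" "$WORK/postgresql.conf" || echo "-> raise max_connections"
connections_ok "$WORK/httpd.conf" "$WORK/postgresql-fixed.conf" && echo "-> OK"
```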

    Enable Database Connection Pooling on Linux

    Enabling database connection pooling for databases on Linux hosts can give a substantial performance gain
    under high loads. ACE Management Server can reuse database connections rather than opening new
    connections for every request.

    Enable database connection pooling in the ODBC Driver Manager (it is disabled by default) to optimize
    performance for servers on Linux platforms.

    On Windows platforms, ODBC connection pooling is enabled by default.

    To enable database connection pooling on Linux

    1 Start the ODBCConfig utility as a root user.

    2 Click the Advanced tab.

    3 Select the Connection Pooling check box.
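    For the Linux DSN procedure and the pooling setting above, an added example that is not part of the manual: the odbcinst.ini and odbc.ini entries that ODBCConfig would write, built by hand with the Red Hat driver path from the manual, together with a check that the DSN resolves to a defined driver and that pooling is on. The key names (Servername, Port, Database, Pooling, CPTimeout), the DSN name ace_dsn and the host db.example.internal are assumptions; on a real host the files live in /etc (or /etc/unixODBC on SUSE), not in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the VMware manual): write the two unixODBC files by
# hand instead of with ODBCConfig, then verify that the DSN resolves to a
# defined driver and that connection pooling is switched on.
# Assumed: psqlODBC key names and the [ODBC] Pooling/CPTimeout keys of unixODBC.

ODBC_DIR=$(mktemp -d)   # stand-in for /etc (or /etc/unixODBC on SUSE)

# Driver definition (odbcinst.ini). Driver path is the Red Hat one from the manual.
# Pooling=Yes is what the ODBCConfig "Connection Pooling" check box sets; unixODBC
# leaves it off by default. CPTimeout is how many idle seconds a pooled connection is kept.
cat > "$ODBC_DIR/odbcinst.ini" <<'EOF'
[ODBC]
Pooling = Yes

[PostgreSQL]
Description = PostgreSQL ODBC driver (psqlODBC)
Driver      = /usr/lib/libodbcpsql.so
CPTimeout   = 120
EOF

# System DSN (odbc.ini). No user name or password here: the Setup application asks
# for them, so they need not sit in a file every local account can read.
# broken_dsn is a deliberately wrong entry so the check below has something to catch.
cat > "$ODBC_DIR/odbc.ini" <<'EOF'
[ace_dsn]
Description = ACE Management Server database
Driver      = PostgreSQL
Servername  = db.example.internal
Port        = 5432
Database    = acedb

[broken_dsn]
Driver      = NoSuchDriver
Database    = acedb
EOF

# Print the value of KEY in [SECTION] of FILE (nothing if absent).
ini_get() {  # ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
        }
    ' "$1"
}

# Return 0 if DSN names a driver that odbcinst.ini defines with a library path
# and the DSN carries a server and database name; 1 (with a reason) otherwise.
check_dsn() {  # check_dsn ODBC_INI ODBCINST_INI DSN
    drv=$(ini_get "$1" "$3" Driver)
    [ -n "$drv" ] || { echo "DSN $3: missing, or has no Driver line" >&2; return 1; }
    lib=$(ini_get "$2" "$drv" Driver)
    [ -n "$lib" ] || { echo "DSN $3: driver '$drv' is not defined in $2" >&2; return 1; }
    for k in Servername Database; do
        [ -n "$(ini_get "$1" "$3" "$k")" ] || { echo "DSN $3: $k not set" >&2; return 1; }
    done
    echo "DSN $3 -> $drv ($lib)"
}

# Return 0 if the driver manager will pool connections.
pooling_enabled() {  # pooling_enabled ODBCINST_INI
    [ "$(ini_get "$1" ODBC Pooling)" = Yes ]
}

check_dsn "$ODBC_DIR/odbc.ini" "$ODBC_DIR/odbcinst.ini" ace_dsn
check_dsn "$ODBC_DIR/odbc.ini" "$ODBC_DIR/odbcinst.ini" broken_dsn || echo "(expected failure)"
pooling_enabled "$ODBC_DIR/odbcinst.ini" && echo "pooling: on"
```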

    Set Up a Connection Between the Server Appliance and an External Database

    The ACE Management Server appliance does not contain a PostgreSQL database server. You can, however, use
    an external database server with the appliance.

    To set up a connection between the server appliance and an external database

    1 Log in to the server appliance console as root, using the password you created during your first run of
    the server appliance.

    2 Open the /etc/odbc.ini file in a text editor.

    For example:

    vaos# vi /etc/odbc.ini

    This file contains the postgres_dsn setting for the ODBC DSN.

    3 Uncomment all lines in the postgres_dsn entry except the first two.

    To uncomment lines, delete the pound sign (#) at the beginning of each line.

    4 Replace placeholders with the PostgreSQL database server DNS name or IP address and the database
    name of this server.

    5 Use the default port number or set a different port number.

    6 Save the file.

    After you complete this task, postgres_dsn appears in the drop-down menu on the Database tab in the ACE
    Management Server Setup application.


    Prepare Custom Security Certificates

    To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA
    (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files.
    These files must be PEM encoded.

    After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL
    Certificates tab in the ACE Management Server Setup application.

    For more information about how VMware ACE uses SSL certificates, see Using SSL Certificates and Protocol
    on page 18.

    To prepare custom security certificates

    1 Create or provide the needed files:

    For your own self-signed certificate, use the openssl utility to create a new self-signed certificate.

    For a third-party CA or internal CA, obtain an SSL certificate signed by that CA, and a
    certificate verification chain file.

    The chain file is a concatenation of every certificate required to verify the new SSL certificate you
    created or obtained. Steps for obtaining the certificate chain vary, depending on which host operating
    system you are using and on the source from which the CA certificate is obtained.

    A private key file. SSL encrypts data through the use of a public key and private key pair. The public
    key is known to everyone and the private key is known only to the message recipient.

    The certificate signatures must use the SHA1 algorithm digest. The files must be PEM encoded.

    2 Rename the files, as follows:

    Rename the private key file to server.key.

    Rename the certificate file to server.crt.

    Rename the certificate chain file to chain.crt.

    You can now use the ACE Management Server Setup application to upload the certificate files.

    View the Properties of the Self-Signed Certificate File

    This file is stored in the SSL directory in the VMware ACE Management Server program directory.

    To view the properties of the self-signed certificate file

    Do one of the following:

    On a Windows host, navigate to the location of the server.crt file and double-click the file name.

    On a Linux host, use the following command:

    openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text

    To replace an expired certificate, see Prepare Custom Security Certificates on page 34. Do not modify
    certificates to make them permanent.
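    An added example for the two procedures above (and for the per-server certificates of chapter 5), not code from the manual: it produces the files under the names the Setup application expects, assembles chain.crt from CA certificates in issuer-first order, and runs the checks worth doing before an upload: PEM framing, the key matching the certificate, the signature digest, and chain verification with openssl. It assumes openssl on PATH; the common name ams.example.internal and the placeholder CA files are constructed, and the placeholders carry PEM framing only, so only the self-signed pair is verified with openssl.

```shell
#!/bin/sh
# Added example (not from the VMware manual): prepare server.key, server.crt and
# chain.crt and check them before uploading. Assumes openssl on PATH; names,
# CN and the placeholder CA files below are constructed.

# Count certificates in a PEM file; status 1 if the framing is broken (DER file,
# truncated download, stray text between blocks). Uploads need clean PEM.
pem_cert_count() {  # pem_cert_count FILE
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (open) bad = 1; open = 1; n++; next }
        /^-----END CERTIFICATE-----$/   { if (!open) bad = 1; open = 0; next }
        open && $0 !~ "^[A-Za-z0-9+/=]+$" { bad = 1 }
        END { st = (bad || open || n == 0) ? 1 : 0; print n + 0; exit st }
    '
}

# chain.crt = every certificate needed to verify server.crt: the issuing CA first,
# then any further intermediates, the root CA last. Each input must be PEM.
build_chain() {  # build_chain OUT ISSUER_CA [INTERMEDIATE...] ROOT_CA
    out=$1; shift
    : > "$out"
    for c in "$@"; do
        pem_cert_count "$c" >/dev/null || { echo "$c is not a PEM certificate" >&2; return 1; }
        cat "$c" >> "$out"
    done
}

# The manual's first option: a self-signed pair. The manual requires SHA-1 signed
# certificates for this release; recent OpenSSL crypto policies may refuse -sha1.
make_selfsigned() {  # make_selfsigned DIR COMMON_NAME
    openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 3650 -subj "/CN=$2" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# Pre-upload checks on the renamed files in DIR.
precheck() {  # precheck DIR
    d=$1
    pem_cert_count "$d/server.crt" >/dev/null || { echo "server.crt is not PEM" >&2; return 1; }
    # the key must be the one the certificate was issued for
    [ "$(openssl x509 -in "$d/server.crt" -noout -pubkey)" = "$(openssl pkey -in "$d/server.key" -pubout)" ] \
        || { echo "server.key does not match server.crt" >&2; return 1; }
    openssl x509 -in "$d/server.crt" -noout -text | grep -q 'Signature Algorithm: sha1' \
        || echo "note: signature digest is not SHA-1" >&2
    if [ -s "$d/chain.crt" ]; then
        openssl verify -CAfile "$d/chain.crt" "$d/server.crt"
    else   # self-signed: the certificate is its own trust anchor
        openssl verify -CAfile "$d/server.crt" "$d/server.crt"
    fi
}

WORK=$(mktemp -d); mkdir "$WORK/ssl"
# Constructed stand-ins for a CA's issuer and root files (PEM framing only, not
# real certificates) so the chain assembly can be exercised without a CA.
for name in issuer root; do
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' \
        "MIIBplaceholder${name}CAcertificate0123456789abcdef+/=" \
        '-----END CERTIFICATE-----' > "$WORK/$name.pem"
done
printf '\060\202\001\001 not a PEM file\n' > "$WORK/garbage.crt"   # DER-like bytes

build_chain "$WORK/chain.crt" "$WORK/issuer.pem" "$WORK/root.pem" \
    && echo "chain.crt holds $(pem_cert_count "$WORK/chain.crt") certificates"
if command -v openssl >/dev/null 2>&1; then
    make_selfsigned "$WORK/ssl" ams.example.internal && precheck "$WORK/ssl" \
        || echo "self-signed demo failed (openssl refused -sha1?)" >&2
fi
```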

    Starting ACE Management Server Configuration

    If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates,
    you must perform some setup tasks before configuring the ACE Management Server. See Prerequisites for
    Configuring the Server on page 29.


    The text that appears on the Start tab changes, depending on whether you have done an initial configuration:

    If this page says This server has not been configured yet, you must click Start to complete the
    configuration setup wizard.

    If this page says This server is configured, the Next and Previous wizard buttons do not appear. You can
    navigate to other tabs by clicking a tab.

    Viewing and Changing Licensing Information

    After you enter an ACE Management Server serial number, use the Licensing tab to determine the expiration
    date, if any.

    The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial
    number is sent by email.

    If the system on which you installed ACE Management Server currently has more than one valid server
    license, just one license appears on the page.

    You can use the Licensing tab to add or change a serial number, user name, or company name.

    If you make changes to the information on this tab, you must click Apply or Cancel before you can navigate
    to another tab.

    Using an External Database

    The embedded database is an SQLite database. VMware recommends that you use an external database in
    production environments.

    The embedded database is initialized during server installation and requires no special configuration. This
    database is adequate for testing purposes but is not designed to be effectively shared across multiple
    processes.

    Before you can configure the ACE Management Server to use an external database, you must create a system
    DSN and credentials for accessing that data source. See Set Up an External Database on page 30.

    Use the following information to help you complete the fields on the Database tab:

    Data Source Name (DSN): Data source name you used when you created a system DSN entry on the
    ACE Management Server machine.

    User Name and Password: Credentials for a user account that has full access to the database, including
    rights to create tables.

    After you enter the database connection credentials, the setup application checks for an existing database.
    If the existing schema is not compatible, no schema is available, or the schema cannot be upgraded, you are
    asked whether to overwrite the existing schema and data. If you overwrite the existing schema and data, a new
    schema is created. If you do not overwrite the existing schema and data, the configuration application quits.

    If you are upgrading the server from the previous release, the database schema is upgraded automatically and
    you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even
    if you do not rerun the setup application.

    If you make changes to the information on the Database tab, you must click Apply or Cancel before you can
    navigate to another tab.

    CAUTION After you enter credentials, if the message Compatible schema exists. Do you want to
    reinitialize the schema and overwrite the existing data? appears, select Use existing schema
    and data unless you want to erase all data in your existing database. To reinitialize the database at some later
    time, you can reopen this configuration application and return to this page.


    Creating Access Control

    On the Access Control tab, you can create a local Administrator role and Help Desk role or use Active
    Directory for authenticating users with these roles.

    Before you can configure the ACE Management Server to use a domain account for authentication, you must
    create users and groups so that ACE Management Server can connect to the LDAP server. See Create Users
    and Groups for Integration with Active Directory on page 29.

    Use the following information to help you complete the fields for authentication:

    Local account: If you specify a password for the Administrator role and forget or lose it, you must delete
    the server configuration file. Deleting this file sets the server back to its initial state. You must reconfigure
    the server and set the administrator password again.
    See Delete the Server Configuration File and Set a New Administrator Password on page 52.

    Domain account (LDAP): To use Active Directory for authentication, specify the host and credentials
    that the ACE Management Server uses to connect to and query the domain controller:

    Host Name: Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP
    address or host name with no parent domain name (for example, ldap).

    Query User sAMAccountName and Query User Password: Use the password and short name for
    the user account you created for this purpose in Active Directory.

    Query User Domain: The domain must be the domain for which the LDAP host is a domain
    controller.

    Admin Group DN and Help Desk Group DN (Optional): Enter the distinguished name for these
    groups, which you created for this purpose in Active Directory (for example,
    cn=Users,dc=simplecorp,dc=com).

    If this option is not enabled, anyone who logs in to the Help Desk application must be a member of
    the ACE Administrators group.

    Help Desk Role or Group DN: Creating a Help Desk role allows you to permit certain users to perform
    Help Desk tasks from the Help Desk application. Users in this role cannot access other administrative
    tools. You can still log in to the Help Desk Web application with your administrative LDAP credentials
    or local Administrator password.

    If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you
    can navigate to another tab.

    Uploading Custom SSL Certificates

    To have ACE Management Server use custom SSL certificates, either your own self-signed certificates or those
    of a third-party or internal CA (certificate authority), use the Custom SSL Certificates tab to upload the
    PEM-encoded files.

    Before you can upload custom SSL certificates, you must create and rename the certificate files. See Prepare
    Custom Security Certificates on page 34.

    By default, during ACE Management Server installation, the following two files are created:

    server.key: This RSA 1024-bit key is the private key.

    server.crt: This self-signed certificate is valid for 10 years from the date and time at which the server is
    installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate
    file is encoded in PEM format.

    When you run an ACE instance, the VMware Player application uses the complete certification chain that is
    included in its package, not on the host, to verify connections made to ACE Management Server. Therefore,
    the use of self-signed certificates is adequate for most security needs. For more information about how
    VMware ACE uses security certificates, see Using SSL Certificates and Protocol on page 18.


    When you click Upload certificates, a summary page displays the files and locations you specify on this tab.
    Note the location of any backup files. You might need to use the backup if you find that the new file is invalid
    when you click Apply. See Restore a Backup Copy of an SSL Certificate on page 52.

    After you upload custom SSL certificates, you must update any existing ACE-enabled virtual machines to use
    a new certificate and key file. To do so, use Workstation to create an update package. When you deploy the
    new package, ACE instances receive the new certificate file and certificate chain.

    Logging Events

    The server collects log entries for events that change the database. On the Logging tab, you can set the logging
    levels and set an option for purging log entries.

    ACE Management Server uses the following logging categories:

    ACE Administration: Logs events for instance creation, update, and destruction.

    Package Administration: Logs events for package creation, update, instance customization, and package
    removal.

    Policy Administration: Logs events for policy set update and publish, user access control changes, and
    instance passwords set by an ACE administrator.

    Instance Administration: Logs ACE instance life cycle events, such as creation, copying, revocation,
    re-enablement, and deletion. Also logs instance password change by a user or an administrator, changes
    in expiration for each instance, changes of instance guest or host operating system information, and
    setting instance custom fields. The debug level can be used to log the most ubiquitous traffic such as
    policy update requests from active instances. Failed instance verifications are logged only at the debug
    level.

    Authentication: Logs events for every authentication request, such as administration or help desk
    authentication attempts (at the normal level), instance authentication (at the informational level), and
    remote LDAP password change. Set logging for this category to the lowest level that is practical for you.
    This category can generate a large volume of entries.

    For each category, you can choose one of the following logging levels:

    None: No log entry is made for this event.

    Critical: An example of a critical log event is one that removes all packages, instances, and policies
    associated with an ACE-enabled virtual machine.

    Normal: This level of detail is sufficient to answer most queries.

    Informative: Entries for nondestructive events that have limited effect.

    Debug: Entries for every client access of the server. It provides more records of certain event types,
    creating a large number of logging entries compared to other log levels. It logs all informational transactions,
    such as instance status and so on.

    Use the Event Log Purging control to configure the amount of logging information retained. The purge
    maintenance process runs approximately every six hours.

    If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can
    navigate to another tab.

    Applying Configuration Settings

    The Restart page appears when you click Apply on one of the tabs. You must restart the server for the
    configuration settings to take effect.

    If you click Later, you can always restart the server by clicking Apply on any of the tabs, even if you do not
    make changes on the tab.


    5 Load-Balancing Multiple ACE Management Server Instances

    If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to
    work together. You can set up two or more servers and use them with a load balancer.

    This chapter includes the following topics:

    Typical Setup Using Load-Balanced ACE Management Server Instances on page 40

    Install the Required Services for Load Balancing on page 40

    Use the Same SSL Certificate on All Servers on page 41

    Create New SSL Certificates and Keys for Each Server on page 41

    Installing and Configuring the Load Balancer on page 43

    Verify That ACE Instances Are Using the Load Balancer on page 43


    Typical Setup Using Load-Balanced ACE Management Server Instances

    A single ACE Management Server can handle a preset number of clients, but you can add more servers to your
    ACE Management Server infrastructure by using load balancing. When you add more servers to the
    load-balancing group, the number of clients that you can serve scales linearly. For example, if you can serve
    2,000 clients with one server, using two load-balanced servers allows you to serve 4,000 clients.

    Figure 5-1 shows a simple deployment topology for using load balancing.

    Figure 5-1. Two ACE Management Server Instances Working Together

    [Figure: ACE Management Server 1 and ACE Management Server 2, each connected to the Active Directory
    domain controller (LDAP/Kerberos) and to the database server (ODBC); AMS clients reach the servers over
    HTTPS through an optional load balancer.]

    To use a setup similar to the one depicted, you must have the following:

    Two or more machines (or virtual machines) to host the ACE Management Server processes

    An external database to host the ACE Management Server data

    A load-balancing solution to manage traffic

    Install the Required Services for Load Balancing

    Services include multiple ACE Management Server instances, an external database, and Workstation.

    To install the required services for load balancing

    1 Install the ACE Management Server package on two or more machines (or virtual machines).

    See Installing and Upgrading ACE Management Server on page 22.

    2 Configure each ACE Management Server separately to access the same external database.

    See Start and Configure ACE Management Server on page 26.

    Both ACE Management Server installations must be able to identify the same data store so either
    installation can field queries for clients and scale the number of clients that can be served.


    3 To verify that both ACE Management Server instances are working properly, start Workstation and
    connect to each ACE Management Server directly:

    a In Workstation, choose File > Connect to ACE Management Server.

    b Enter the IP or host name of the machine where ACE Management Server is installed, change the
    number in the Port field if necessary, and click OK.

    The setup is successful if you can view the same data in the Instance View window for each ACE
    Management Server instance. If you create a test ACE and preview it, you see the preview instance on
    both servers.

    Use the Same SSL Certificate on All Servers

    For a load-balancing solution, you can copy the SSL certificate and key from one ACE Management Server to
    another.

    To use the same SSL certificate on all servers

    1 Log in to the ACE Management Server Setup application for the first ACE Management Server.

    2 Click the Custom SSL Certificates tab to determine the location of the SSL certificate and key directory
    files.

    On Windows, the files are located at C:\Program Files\VMware\VMware ACE Management
    Server\ssl.

    On Linux, the files are located at /var/lib/vmware/acesc/ssl.

    The certificate file is server.crt. The key file is server.key.

    3 Copy the files to the second ACE Management Server.

    If you are using the ACE Management Server virtual appliance, use the scp (secure copy) command to
    copy the certificate and key files:

    a Open a command prompt.

    b Enter the following command:

    scp user@: user@:

    You can also enable shared folders if you are using Workstation to run the virtual appliance, and copy the
    files from the virtual machine through the shared folders feature. For more information about shared
    folders, see the VMware Workstation User's Manual.

    4 Log in to the ACE Management Server Setup application for the second ACE Management Server.

    5 Use the Custom SSL Certificates tab to upload the files:

    a Specify the key file in the Server Private Key field.

    b Specify the certificate file in the Server Public Certificate field.

    c Click Upload certificates.

    d Click Apply and click Restart.

    CAUTION This procedure directs you to upload both the certificate file (the .crt file) and the matching key
    file (the .key file). If you do not upload both, the Apache httpd service on the second ACE Management
    Server might freeze. In this case, you must uninstall and reinstall ACE Management Server.


    Create New SSL Certificates and Keys for Each Server

    If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create
    new SSL certificates and keys for each server.

    If you plan to obtain SSL certificates from a certificate authority, you must create certificate chains. Figure 5-2
    provides an overview of determining which certificates are included in a chain.

    Figure 5-2. Creating the Certificate Chain File

    To create new SSL certificates and keys for each server

    1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm).

    The procedure varies, depending on the tools you use. To determine how to create these certificates and
    keys, see the documentation for your platform. Each certificate must have a unique common name and a
    unique serial number.

    2 If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate.

    The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the
    leaf certificate (including the root certificate of the chain).

    a Download the verification chain from your certificate authority.

    b Each certificate must be in PEM format before you create the certificate chain file.

    To convert to PEM format, use the OpenSSL