This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000169-00
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright 2007-2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc.
Contents

About This Book

1 Introduction 9
  Features of ACE Management Server 9
  System Requirements 10
  Required Hardware 10
  Supported Operating Systems 10
  Supported External Databases 10
  Supported Proxies 11
  Required Web Browsers 11
  Licensing 11

2 Planning an ACE Management Server Deployment 13
  Deployment Components 13
  Host System Options 14
  Windows Hosts 14
  Linux Hosts 14
  Server Appliance Option 14
  Database Options 15
  Active Directory Authentication Options 15
  Performing Capacity Planning 15
  Database Throughput and Scalability 16
  LDAP Throughput 16
  Network Bandwidth and Policy Update Frequency 16
  ACE Policy Configuration 17
  Load Balancers 17
  Security Features and Considerations 17
  Using SSL Certificates and Protocol 18
  Accessing ACE Management Server from Outside the Corporate Firewall 19
  Deployment Planning Worksheet 19

4 Configuration Options for ACE Management Server 29
  Prerequisites for Configuring the Server 29
  Create Users and Groups for Integration with Active Directory 29
  Set Up an External Database 30
  Creating a System DSN Entry for an External Database 31
  Increase the Number of Database Connections Allowed 32
  Enable Database Connection Pooling on Linux 33
  Set Up a Connection Between the Server Appliance and an External Database 33
  Prepare Custom Security Certificates 33
  View the Properties of the Self-Signed Certificate File 34
  Starting ACE Management Server Configuration 34
  Viewing and Changing Licensing Information 34
  Using an External Database 35
  Creating Access Control 35
  Uploading Custom SSL Certificates 36
  Logging Events 37
  Applying Configuration Settings 37

5 Load Balancing Multiple ACE Management Server Instances 39
  Typical Setup Using Load Balanced ACE Management Server Instances 40
  Install the Required Services for Load Balancing 40
  Use the Same SSL Certificate on All Servers 41
  Create New SSL Certificates and Keys for Each Server 41
  Installing and Configuring the Load Balancer 43
  Verify That ACE Instances Are Using the Load Balancer 43

6 Managing ACE Instances 45
  Viewing ACE Instances That the Server Manages 45
  Use the VMware ACE Help Desk Application 46
  Use the Instance View in Workstation 46
  Search for an Instance 47
  Sort by Column Heading and Change Column Width 47
  Show, Hide, and Move Columns in the Instance View 48
  Create or Delete Custom Columns in the Instance View 48
  View Instance Details 48
  Reactivate, Deactivate, or Delete an ACE Instance 49
  Policies Tab 49
  Change a Copy Protection ID 49
  Reset the Authentication Password 50
  Add Information for Custom Columns 50

7 Troubleshooting and Maintenance 51
  Troubleshooting Configuration Problems 51
  Connection Problems Between a Linux ACE Instance and ACE Management Server 51
  Change the Port Assignment for ACE Management Server 51
  Delete the Server Configuration File and Set a New Administrator Password 52
  Restore a Backup Copy of an SSL Certificate 52
  Configuring Multiple ACE Management Server Instances to Use SSL 53
  Database Backup 53

Appendix: Database Schema and Audit Event Log Data 55
  Using Database Reporting Tools 55
  Database Schema 55
  Querying the Audit Event Log Data 59

Glossary 63

Index 65
Intended Audience
This book is intended for anyone who needs to install, upgrade, or use ACE Management Server to manage ACE instances. ACE Management Server is intended for ACE administrators who must maintain and update ACE policies used on virtual machines deployed throughout an enterprise.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to: docfeedback@vmware.com
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
Introduction
- Features of ACE Management Server on page 9
- System Requirements on page 10

ACE Management Server offers Active Directory integration:

Security features include the following:
ACE Management Server is easy to install and configure. Client traffic can be proxied by easily available products. The server uses easily available software components:

- Apache Web server 2.0
- The default SQLite database store

The server setup uses industry-standard protocols:

- HTTPS and LDAP
- XML-RPC for message encapsulation

ACE Management Server offers extensibility and availability:

You can create and use more than one ACE Management Server. When you use more than one server, you can set the servers up so that they share the same database for load balancing or increased fault tolerance. A Windows ACE Management Server can be on the same system as Workstation. You can designate a single ACE Management Server name, such as https://ace.policyserver.company.com, and use DNS lookup to translate the host name to an address. The address is cached if a DNS server is not available. Additionally, you can use different ACE Management Server instances if users travel between offices in different geographic locations.

NOTE Your server name must be either the machine name in English or the IP address. International characters are not supported.
System Requirements
The following sections describe the ACE Management Server system requirements.
Required Hardware
- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher
Supported Proxies
You can deploy ACE Management Server with the following HTTPS proxy solutions:
Licensing
You must configure the server and enter the serial number in the server setup Web application. If you do not, you cannot connect to the server in Workstation. Your serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. Workstation and ACE instances cannot connect to an ACE Management Server with an expired or nonexistent license.
This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices. This chapter includes the following topics:
Deployment Components
A typical ACE Management Server deployment has the following components:

- One or more ACE Management Server instances. Configuring multiple servers to use the same database increases the number of ACE clients you can manage and guarantees high availability.
- Database server. For production deployments, VMware recommends Oracle Database 10g or MS SQL for ACE Management Server installed on a Windows host, and Postgres for ACE Management Server installed on a Linux host.
- (Optional) Active Directory domain controller. To enable the ACE Management Server Active Directory integration, you must configure ACE Management Server to communicate with your domain controller.
- (Optional) HTTP load balancer. Use a load balancer to help scale the capacity of your ACE Management Server deployment.
- (Optional) HTTP proxy. If clients will access ACE Management Server from outside the corporate firewall, VMware recommends using an HTTPS proxy in the DMZ. You can use ACE Management Server with Apache Proxy and Zeus Technology Load Balancer.

For an example of an ACE Management Server deployment, see Figure 2-1.
[Figure 2-1: ACE Management Server deployment. Labels in the figure: HTTPS; ODBC; proxy for ACE Management Server service through corporate firewall (optional); ACE Player client (outside corporate network).]
Windows Hosts
If you plan to integrate with Active Directory, VMware recommends that you install ACE Management Server on a Windows host. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system to integrate with Active Directory. Internal testing results indicate that the Windows implementation provides better performance than Linux.
Linux Hosts
You can install ACE Management Server on a Linux host and use Active Directory for authentication, even though performance is slower than on Windows hosts. If you plan to use a Linux host in production environments, use the Linux installer rather than the ACE Management Server appliance. If you do not have the supported Linux operating systems installed on a physical server, you can create a virtual machine, install a supported Linux operating system, and install ACE Management Server in the virtual machine.
Database Options
ACE Management Server offers the following database options:
- ACE policy configuration
- Load balancers for very large deployments (more than 5,000 clients)
LDAP Throughput
ACE Management Server can communicate with your Active Directory domain controller to authenticate user credentials. Your domain controller infrastructure handles the LDAP traffic required to support the number of clients that you anticipate. Integrating with Active Directory through LDAP is implemented differently in the Windows ACE Management Server than in the Linux-based ACE Management Server. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.
VMware recommends that for large deployments (more than 5,000 clients), you increase the time between policy updates by clients because this reduces the amount of required bandwidth. Table 2-4 shows the bandwidth needed when the policy update frequency value is set to 30 minutes.

Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes

Number of Clients    Bandwidth Required
100                  0.04 Mb/sec
1,000                0.4 Mb/sec
10,000               4 Mb/sec
Load Balancers
The ACE Management Server client-server protocol is built on top of the HTTPS protocol. You can use HTTP load balancing software and hardware solutions to scale an ACE Management Server deployment beyond the capacity of a single server (or for high availability deployments). ACE Management Server scales in a linear fashion when an enterprise-grade HTTPS load balancer is used. See Chapter 5, Load Balancing Multiple ACE Management Server Instances, on page 39.
- Traffic to and from clients is protected by HTTPS. By default, ACE Management Server creates a self-signed certificate when you install it to use for HTTPS traffic. These certificates are secure, but you can also configure ACE Management Server to use your own certificate and key pairs.
- Traffic from ACE Management Server to Active Directory is encrypted. If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. LDAP traffic is encrypted at the application layer. Credentials are protected by using the Kerberos protocol to authenticate credentials.
- Sensitive configuration options are encrypted. Passwords stored in the configuration file are encrypted.
- Database security. The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.
[Figure: access from an external client. Labels in the figure: external client; ODBC.]
ACE Management Server can be deployed with the following HTTPS proxy solutions:

Avoid the following problems when you use a proxy for traffic into an ACE Management Server:
Load balancer
  Use a load balancer? ________
Proxy
SSL certificates
This chapter includes the following topics:
Table 3-1. Port Assignments, Default Settings, for ACE Management Server

HTTPS Port Number    Description
443                  Communications between ACE Management Server and ACE instances
8000                 ACE Management Server Setup (configuration) Web application; ACE Help Desk Web application
8080                 ACE Management Server Appliance configuration

NOTE If another Web server is installed that uses any of these default ports, you might need to resolve the conflict.
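The port conflict the NOTE warns about can be checked before the installer runs. The following script is an added example, not part of this guide or of the ACE Management Server product: it tries to bind a TCP listener on each default port from Table 3-1 and reports the ones that are already taken. The port numbers are the page's; the function names and the "unknown" status for binds refused for reasons other than an existing listener (for example, probing port 443 without root privileges) are this example's own conventions.

```python
import errno
import socket

# Default HTTPS port assignments taken from Table 3-1 on this page.
DEFAULT_PORTS = {
    443: "Communications between ACE Management Server and ACE instances",
    8000: "ACE Management Server Setup and ACE Help Desk Web applications",
    8080: "ACE Management Server Appliance configuration",
}


def port_status(port, host="0.0.0.0"):
    """Try to bind a TCP listener on host:port.

    Returns "free" if the bind succeeds, "in use" if another listener already
    owns the port, or "unknown" if the bind is refused for some other reason
    (typically EACCES when probing a privileged port such as 443 as a non-root user).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        try:
            sock.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in use"
            return "unknown"
        return "free"


def find_port_conflicts(ports=DEFAULT_PORTS, host="0.0.0.0"):
    """Map every port that is not confirmed free to (status, description)."""
    report = {}
    for port, description in ports.items():
        status = port_status(port, host)
        if status != "free":
            report[port] = (status, description)
    return report


def open_test_listener(host="127.0.0.1"):
    """Bind a listener on an ephemeral port so a conflict can be demonstrated offline.

    Returns (socket, port); close the socket to release the port again.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, 0))
    sock.listen(1)
    return sock, sock.getsockname()[1]


if __name__ == "__main__":
    conflicts = find_port_conflicts()
    if not conflicts:
        print("all default ports are free")
    for port, (status, description) in conflicts.items():
        print(f"port {port}: {status} ({description})")
```

Run it as the user that will start the Apache service: a port reported as "unknown" under an unprivileged account is usually a permissions refusal rather than a conflict, and should be re-checked as root or Administrator.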
Before you begin, make sure the clock is synchronized and the required ports are available, as described in Preparing for Installation on page 21. Use this installation procedure to install or update ACE Management Server software.

To install an ACE Management Server on a Windows host
1 Download the VMware-ACE-Management-Server.exe file from the VMware Web site and save the file on the system that is to host the server. The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Double-click the VMware-ACE-Management-Server.exe file to start the installation wizard.
- Red Hat Enterprise Linux 4
- SUSE Linux Enterprise Server 9 SP3

Before you begin, make sure the system meets these requirements:

Use this installation procedure to install or update ACE Management Server software.

To install ACE Management Server on a Linux system
1 Download the .rpm file from the VMware Web site and save the file on the system that is to host the server. The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Run the Red Hat or SUSE Linux RPM installer for ACE Management Server:

   vmware-ace-management-server-<build_number>.i386-rhel4.rpm
   vmware-ace-management-server-<build_number>.i386-sles9.rpm

   For example:

   rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm
 b Add the ldap config option to the APACHE_MODULES variable.
 c Save and close the file.
- Current network settings
- URLs for remotely administering the appliance and configuring the ACE Management Server itself

If you press Return at the login prompt, the information appears again.
6 At the time zone prompt, accept the current setting or make a change as needed.
7 (Optional) To configure the server to use a static IP address or to specify a proxy server, use the Appliance Management and Configuration application, as follows:
 a Leave the ACE Management Server appliance running.
 b Browse to https://<host IP address>:8080.
 c In the connection dialog box, type root in the user name field and your network or root password in the password field.
 d Click the Network link on the first page of the browser-based ACE Management Server Setup application.
 e To view instructions about configuring network settings, click the Help link in the upper right corner of the Web page.
 f After you change network settings, click Apply.
(Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
 a Leave the ACE Management Server appliance running.
 b Browse to https://<host IP address>:8080.
 c In the connection dialog box, type root in the user name field and your network or root password in the password field.
 d Click the Update link on the first page of the Appliance Configuration and Management Web application and complete the Appliance Update page.
 e To view instructions about configuring update options, click the Help link in the upper right corner of the Web page.
Click Configuration to open the Web application.

To start the service if it is stopped, click Start. If the service is already started, this command is unavailable.

To restart, click Stop and then click Start. Ensure that you click Stop and Start rather than Restart.
Enter the appropriate command:

- To start the service if it is stopped, enter the following command:

   /etc/init.d/apache2 start

- To restart the service, enter the following commands:

   /etc/init.d/apache2 stop
   /etc/init.d/apache2 start

- To start the service if it is stopped, enter the following command:

   /etc/init.d/httpd start

- To restart the service, enter the following commands:

   /etc/init.d/httpd stop
   /etc/init.d/httpd start

If you installed ACE Management Server on a Linux host or are using the ACE Management Server appliance, verify that the Apache server is running. See Verify That the Apache Service Is Started or Restarted on page 25. If this is the first time you are logging in, make sure you have the serial number for the product. The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. If you plan to use an external database, Active Directory integration, or custom SSL certificates, you must perform some setup tasks before you can configure ACE Management Server. See the following topics, as applicable:

To start and configure ACE Management Server
1 Open a Web browser and go to https://<hostname>:8000. The <hostname> value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address. If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Accept the license agreement and click Start. The configuration tabs appear as they do in subsequent logins, but for the first login, wizard buttons such as Next and Back also appear.
To log in to ACE Management Server
1 Open a Web browser and go to https://<hostname>:8000. The <hostname> value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address. If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Do one of the following:
To create users and groups for integration with Active Directory
1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying. Make a note of the sAMAccountName value for that user (for example, aceuser).
2 Create an ACE Administrators group in the domain.
3 Add ACE administrator users to the ACE Administrators group.
4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role. You can log in to the Help Desk Web application with your administrative LDAP credentials or password. Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does not give them access to other administrative tools.

- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

Before you install the database on a Linux host, make sure the unixODBC RPM package is installed on the Linux system. VMware recommends that you update the package to the latest version released for your specific Linux distribution. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API. The package contains the libodbc shared library, providing the ODBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both Red Hat Enterprise Linux and SUSE Linux Enterprise Server 9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package. Also, make sure the unixODBC-gui-qt package is installed (this utility is included in the Red Hat Enterprise Linux unixODBC package). This package is required to use the ODBCConfig X11 graphical configuration tool for setting up a data source name (DSN).

To set up an external database
1 Install a database server on a host. The external database does not have to be installed on the same server as ACE Management Server, but it must be installed on the same platform. For example, if ACE Management Server is installed on a Windows host, the database server must also be installed on a Windows host. ACE Management Server creates the database schema automatically if proper access rights are granted.
2 Configure the database. Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages. All tables that are created in the database have a name starting with a PolicyDb_ prefix and indexes with PdbIns_ or PdbLf_ prefixes. You might provide ACE Management Server with a DSN to a database that it shares with some other application, if the database count is at a premium.
(Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:

On the ACE Management Server machine, create a System DSN entry.

You can now use the browser-based ACE Management Server Setup application to connect to this database.
Create a System DSN Entry for a Linux Database

On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in. Before you begin, determine the correct ODBC driver:

If you are using the ACE Management Server appliance, see Set Up a Connection Between the Server Appliance and an External Database on page 33. You use the odbc.ini file for creating DSNs and the odbcinst.ini file for driver and general ODBC system configuration.

To create a System DSN entry for a Linux database
1 As root, use the ODBCConfig utility to create a System DSN entry. You also must configure the server address and the database name in the DSN settings. For information about using unixODBC, see the unixODBC Project Web page. The ODBCConfig utility makes changes to the odbc.ini and odbcinst.ini files.
2 Make a note of the database DSN, user name, and password.

You can now use the browser-based ACE Management Server Setup application to connect to this database.
To increase the number of database connections allowed
1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of parallel threads or processes that might start at the same time.
2 Configure the database to allow as many connections as the Apache server. See your database documentation.

This file contains the postgres_dsn setting for the ODBC DSN.
3 Uncomment all lines in the postgres_dsn file except the first two. To uncomment lines, delete the pound sign (#) at the beginning of each line.
4 Replace placeholders <...> with the PostgreSQL database server DNS name or IP address and the database name of this server.
5 Use the default port number or set a different port number.
6 Save the file.

After you complete this task, postgres_dsn appears in the drop-down menu on the Database tab in the ACE Management Server Setup application.
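The two mistakes that this procedure invites are leaving a DSN line commented out and leaving a <...> placeholder in place. The following script is an added example, not part of this guide or of the shipped postgres_dsn file: it parses an odbc.ini-style DSN section and reports both conditions. The section layout and the sample files are constructed for this example; the key names Driver, Servername, Database and Port are the ones the unixODBC PostgreSQL driver reads, an assumption made here rather than something the page states.

```python
import configparser
import re

# A <...> placeholder that the procedure tells you to replace.
PLACEHOLDER = re.compile(r"<[^>]*>")

# Keys the unixODBC PostgreSQL driver (psqlODBC) reads from a DSN section.
# This list is an assumption of the example, not taken from the page.
REQUIRED_KEYS = ("Driver", "Servername", "Database", "Port")


def parse_dsn_file(text):
    """Parse odbc.ini-style text. Key case is preserved; lines starting with '#' are comments."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def check_dsn(text, dsn_name):
    """Return a list of problems with the named DSN section; an empty list means it is ready to use."""
    parser = parse_dsn_file(text)
    if not parser.has_section(dsn_name):
        return [f"section [{dsn_name}] not found (still commented out?)"]
    section = parser[dsn_name]
    problems = []
    for key in REQUIRED_KEYS:
        if key not in section:
            problems.append(f"{key}: missing (still commented out?)")
        elif PLACEHOLDER.search(section[key]):
            problems.append(f"{key}: placeholder {section[key]!r} not replaced")
    port = section.get("Port", "")
    if port and not PLACEHOLDER.search(port) and not (port.isdigit() and 0 < int(port) < 65536):
        problems.append(f"Port: {port!r} is not a valid TCP port")
    return problems


# Constructed sample files modelled on the procedure above (not the shipped postgres_dsn file).
UNEDITED_DSN = """\
# constructed example: connection lines still commented out
[postgres_dsn]
Description = ACE Management Server policy database
Driver      = PostgreSQL
#Servername  = <database server DNS name or IP address>
#Database    = <database name>
#Port        = 5432
"""

PARTLY_EDITED_DSN = """\
[postgres_dsn]
Description = ACE Management Server policy database
Driver      = PostgreSQL
Servername  = <database server DNS name or IP address>
Database    = acepolicydb
Port        = 5432
"""

READY_DSN = """\
[postgres_dsn]
Description = ACE Management Server policy database
Driver      = PostgreSQL
Servername  = db.example.invalid
Database    = acepolicydb
Port        = 5432
"""

if __name__ == "__main__":
    for label, text in (("unedited", UNEDITED_DSN), ("partly edited", PARTLY_EDITED_DSN), ("ready", READY_DSN)):
        print(label, check_dsn(text, "postgres_dsn") or "OK")
```

Run it against the real file with `check_dsn(open(path).read(), "postgres_dsn")` after step 6; the same function works for a DSN created with ODBCConfig in odbc.ini, since that file uses the same section syntax.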
- A private key file. SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient.

The certificate signatures must use the SHA1 algorithm digest. The files must be PEM encoded.
2 Rename the files, as follows:

You can now use the ACE Management Server Setup application to upload the certificate files.

On a Windows host, navigate to the location of the server.crt file and double-click the file name. On a Linux host, use the following command:

   openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text
The text that appears on the Start tab changes, depending on whether you have done an initial configuration:

CAUTION After you enter credentials, if the message "Compatible schema exists. Do you want to reinitialize the schema and overwrite the existing data?" appears, select Use existing schema and data unless you want to erase all data in your existing database. To reinitialize the database at some later time, you can reopen this configuration application and return to this page.

If the existing schema is not compatible, no schema is available, or the schema cannot be upgraded, you are asked whether to overwrite the existing schema and data. If you overwrite the existing schema and data, a new schema is created. If you do not overwrite the existing schema and data, the configuration application quits.

If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even if you do not rerun the setup application.

If you make changes to the information on the Database tab, you must click Apply or Cancel before you can navigate to another tab.
Domain account (LDAP). To use Active Directory for authentication, specify the host and credentials that the ACE Management Server uses to connect to and query the domain controller:

- Host Name. Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP address or host name with no parent domain name (for example, ldap).
- Query User sAMAccountName and Query User Password. Use the password and short name for the user account you created for this purpose in Active Directory.
- Query User Domain. The domain must be the domain for which the LDAP host is a domain controller.
- Admin Group DN and Help Desk Group DN. (Optional) Enter the distinguished name for these groups, which you created for this purpose in Active Directory (for example, cn=Users,dc=simplecorp,dc=com). If this option is not enabled, anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.

If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you can navigate to another tab.
Logging Events
The server collects log entries for events that change the database. On the Logging tab, you can set the logging levels and set an option for purging log entries. ACE Management Server uses the following logging categories:

- ACE Administration. Logs events for instance creation, update, and destruction.
- Package Administration. Logs events for package creation, update, instance customization, and package removal.
- Policy Administration. Logs events for policy set update and publish, user access control changes, and instance passwords set by an ACE administrator.
- Instance Administration. Logs ACE instance lifecycle events, such as creation, copying, revocation, re-enablement, and deletion. Also logs instance password change by a user or an administrator, changes in expiration for each instance, changes of instance guest or host operating system information, and setting instance custom fields. The debug level can be used to log the most ubiquitous traffic such as policy update requests from active instances. Failed instance verifications are logged only at the debug level.
- Authentication. Logs events for every authentication request, such as administration or help desk authentication attempts (at the normal level), instance authentication (at the informational level), and remote LDAP password change. Set logging for this category to the lowest level that is practical for you. This category can generate a large volume of entries.

For each category, you can choose one of the following logging levels:
[Figure: typical setup using load-balanced ACE Management Server instances. Labels in the figure: AMS Client; HTTPS; database server; ODBC.]

To use a setup similar to the one depicted, you must have the following:
To create new SSL certificates and keys for each server
1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm). The procedure varies, depending on the tools you use. To determine how to create these certificates and keys, see the documentation for your platform. Each certificate must have a unique common name and a unique serial number.
2 If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate. The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the leaf certificate (including the root certificate of the chain).
 a Download the verification chain from your certificate authority.
 b Each certificate must be in PEM format before you create the certificate chain file. To convert to PEM format, use the openSSL tools available online.
 c Create the certificate chain file by concatenating each PEM-encoded certificate into one file.

For example, if you are using two ACE Management Server instances you have two certificate chain files.
3 Join all of the certificate chain files into one file. If you can, eliminate the duplicate entries.
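Joining the chain files by hand is error-prone when the servers share an intermediate and a root, which is the usual case. The following script is an added example, not part of this guide or of the ACE Management Server product: it splits each chain file into its PEM certificate blocks, rejects a file that is not PEM-encoded (step 2b requires PEM), concatenates the chains in order, and drops any certificate that already appeared, so the shared intermediate and root occur once. The two chain files embedded below are constructed from placeholder base64 bodies, not real X.509 certificates, and the function names are this example's own.

```python
import base64
import re

# One PEM certificate block; the body is base64 text between the armor lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def split_pem_certificates(text):
    """Return the base64 body (line breaks removed) of every PEM certificate in text.

    Raises binascii.Error if a body is not valid base64 and ValueError if the
    text contains no PEM certificate block at all (for example a DER file).
    """
    bodies = []
    for match in PEM_CERT.finditer(text):
        body = "".join(match.group(1).split())
        base64.b64decode(body, validate=True)  # not PEM if this fails
        bodies.append(body)
    if not bodies:
        raise ValueError("no PEM certificate blocks found; convert the file to PEM first")
    return bodies


def merge_chain_files(chain_texts):
    """Join several chain files into one list of bodies, first-seen order, duplicates removed."""
    seen = set()
    merged = []
    for text in chain_texts:
        for body in split_pem_certificates(text):
            if body not in seen:
                seen.add(body)
                merged.append(body)
    return merged


def to_pem(bodies):
    """Render certificate bodies as a PEM file with 64-character base64 lines."""
    lines = []
    for body in bodies:
        lines.append("-----BEGIN CERTIFICATE-----")
        lines.extend(body[i:i + 64] for i in range(0, len(body), 64))
        lines.append("-----END CERTIFICATE-----")
    return "\n".join(lines) + "\n"


def fake_cert(label):
    """Constructed stand-in for a certificate body: valid base64, NOT a real certificate."""
    return base64.b64encode(f"constructed-certificate:{label}".encode()).decode()


# Constructed chain files for two servers: different leaf certificates,
# the same intermediate and root (the situation step 3 describes).
CHAIN_SERVER1 = to_pem([fake_cert("leaf-server1"), fake_cert("intermediate"), fake_cert("root")])
CHAIN_SERVER2 = to_pem([fake_cert("leaf-server2"), fake_cert("intermediate"), fake_cert("root")])

if __name__ == "__main__":
    merged = merge_chain_files([CHAIN_SERVER1, CHAIN_SERVER2])
    print(f"{len(merged)} unique certificates in the joined chain file")
    print(to_pem(merged))
```

With real files, read each chain file's text into the list passed to merge_chain_files and write to_pem(merged) out as the joined chain file; the resulting file can be inspected with the openssl x509 -text command shown earlier in this guide, one block at a time.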
Complete this step for every ACE Management Server in your farm to upload files to each ACE Management Server.
After ACE Management Server is installed and configured, you can do the following:

This chapter includes the following topics:

- Viewing ACE Instances That the Server Manages on page 45
- Search for an Instance on page 47
- Sort by Column Heading and Change Column Width on page 47
- Show, Hide, and Move Columns in the Instance View on page 48
- Create or Delete Custom Columns in the Instance View on page 48
- View Instance Details on page 48
- Reactivate, Deactivate, or Delete an ACE Instance on page 49
- Change a Copy Protection ID on page 49
- Reset the Authentication Password on page 50
- Add Information for Custom Columns on page 50
The VMware ACE Help Desk opens the Instances page, which contains a summary table of all the instances that the server manages.

- Deactivated
- Blocked by policies

The Valid From and Valid Until columns indicate the period that the instance is valid. The instance expires after the Valid Until date. If no expiration date is set for the instance, those columns are empty.
To use the instance view in Workstation
1 From the Workstation menu bar, choose File > Connect to ACE Management Server.
2 Specify the fully qualified host name or the IP address and click OK. In most cases, the default port number does not need to be changed.
3 Complete the login window. Use the following information to help you complete the fields that appear in this window:

- Log in to the VMware ACE Help Desk for an ACE Management Server.
- Connect to an ACE Management Server from the Workstation window.

- Activated By. Activation method, such as password, Active Directory user, or activation key. If no such activation method exists, N/A appears in the column.
- ACE VM Name. Name of the ACE-enabled virtual machine from which the ACE instance was created.
- Guest Name. (For Windows guests only) Computer name resolved on the user's machine during instance customization, if you use that feature. The NetBIOS name is reported here, and it is a maximum of 15 characters long. Even if the actual computer name contains more characters, the name always appears as the NetBIOS name.
- Custom columns. Custom columns that you created appear directly below the Guest MAC Address criterion.
- Exact match only. Values are case-sensitive.
- Save as. (Available in the Workstation instance view only) Saved searches are specific to each server. You can edit or delete your saved searches by selecting the name of a saved search in the Saved Searches drop-down menu and clicking Options.

Click Search. In the search results, the total number of instances appears just below the table.

To navigate through a large number of results, do one of the following:

To return to the full list, do one of the following:

- In the VMware ACE Help Desk, click the Back to all instances link, located below the Search button.
- In the instance view in Workstation, click Clear Search.
To view instance details
1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 If you use the VMware ACE Help Desk, to view details about network access, click the links under Zone, Host Access, or Guest Access. You can view the Zones or Rules Detail page for this zone or this type of network access. The Everywhere and Everywhere else zone settings are not linked to a Zones Detail page because they are self-explanatory.

- Log in to the VMware ACE Help Desk for an ACE Management Server.
- Connect to an ACE Management Server from the Workstation window.

To reactivate, deactivate, or delete an ACE instance
1 Select the instance by clicking its instance row.
2 Click the Deactivate or Reactivate icon in the upper left corner of the Instances page.
3 If you clicked Reactivate, when prompted, reset the expiration dates.
4 (Optional) If you clicked Deactivate, click Delete to delete the instance row.
5 Click OK.

- Log in to the VMware ACE Help Desk for an ACE Management Server.
- Connect to an ACE Management Server from the Workstation window.

The Copy Protection ID field is always active, so you can change the ID at any time.

CAUTION If you change a copy protection ID for an active instance, the original instance no longer runs.
This chapter includes the following topics:

Connection Problems Between a Linux ACE Instance and ACE Management Server

If an ACE instance on a Linux host cannot contact the server, determine whether a firewall or proxy setting is blocking or rerouting HTTPS traffic on port 443. By default, HTTPS traffic from the VMware Player to ACE Management Server is routed on port 443. Disable the firewall or turn off the proxy setting to allow VMware Player-to-server traffic on that port.
Change the port number in the section header to the desired port number. For example, to change to port 8443, change 443 to 8443.
When you create an ACE-enabled virtual machine, you can specify which port is to be used to communicate with ACE Management Server.

Delete the Server Configuration File and Set a New Administrator Password

If you lose or forget the administrator password, you must delete the configuration file and reconfigure the server. As part of that configuration, you set a new password.

To delete the server configuration file and set a new administrator password
1 Navigate to the location of the ACE Management Server configuration file. Depending on the server's operating system, the file is placed in one of the following locations:
Continue with the ACE Management Server Setup application in one of the following ways:
The <date> portion of the file name is in the format YYYYMMDD (year, month, day). The <time> portion of the file name is in the format HHMMSS (hours, minutes, seconds). For example, a file name might be server.crt.20070216-095344.
2 Save the file in the correct location as ssl/<filename>.crt and restart the Apache server manually. See Verify That the Apache Service Is Started or Restarted on page 25.
3 Start the ACE Management Server Setup application and use the Custom SSL Certificates tab to upload the backup copy. See Start and Configure ACE Management Server on page 26.

Multiple servers behind one or more proxy servers:

Multiple servers using DNS round robin:

See also Load Balancing Multiple ACE Management Server Instances on page 39.
Database Backup
If you are using an external database, use a backup and recovery strategy that is appropriate for your database system. Back up your ACE Management Server database on a regular basis to ensure that the database can be recovered promptly if needed. If you are using the embedded database, you can use standard file backup tools, such as ntbackup or dd. The data is stored in one of the following locations:
Thisappendixexplainstheformatofthedatastoredinthedatabaseandthebestwaystoaccessthisdata.This appendixincludesthefollowingtopics:
Database Schema
Tables in the ACE Management Server database represent the major configuration objects of ACE Management Server, including Ace, Package, Instance, AccessPolicy, RuntimePolicy, and UserData, which contains image customization settings and other data for each user. Administrator and user actions are audit logged in the Event table in the database, while possible event types are listed in the EventType table. Note the following about the database schema:
The following is the database schema script.
/* Name value pairs of service information, e.g. DB schema version number */
CREATE TABLE PolicyDb_MetaInfo (
    name VARCHAR(128),                    /* Name of the name-value pair */
    value VARCHAR(1024),                  /* Value of the name-value pair */
    PRIMARY KEY(name));

/* This table holds data for guest and host policy sets, split in 2K chunks */
/* Select all fields for the key in the order of index and append strings together */
/* to reconstruct the policy set */
CREATE TABLE PolicyDb_LongField (
    longFieldKey VARCHAR(128),            /* Unique ID of the long field series */
    longFieldIndex INTEGER,               /* Index in the series */
    longFieldValue VARCHAR(2000),         /* Up to 2000 chars of field value chunk */
    sessionExpires VARCHAR(21),           /* Optional field for storing session blob */
    PRIMARY KEY (longFieldKey, longFieldIndex));

/* ACE Master data */
CREATE TABLE PolicyDb_Ace (
    aceUID VARCHAR(128),                  /* Unique ID (primary key) */
    aceName VARCHAR(128),                 /* Name of this ace */
    activePolicySetVersion INTEGER NOT NULL,            /* Soft foreign key to active RT policy*/
    aceTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,        /* Creation timestamp */
    aceTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,   /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE',   /* Is this entry deleted (tombstone) */
    PRIMARY KEY(aceUID));

/* Package data */
CREATE TABLE PolicyDb_Package (
    packageUID VARCHAR(128),              /* Unique ID (primary key) */
    aceUID VARCHAR(128) NOT NULL,         /* The ACE it belongs to. */
    pkgName VARCHAR(128),                 /* UI visible name. */
    pkgUseValidDates VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Use validity dates or always valid */
    pkgValidDateStart VARCHAR(21) NOT NULL,             /* The package is valid from this date.*/
    pkgValidDateEnd VARCHAR(21) NOT NULL,               /* The package is valid till this date.*/
    pkgDisabled VARCHAR(7) DEFAULT 'FALSE' NOT NULL,    /* Is the package disabled */
    pkgProtectionKey VARCHAR(1024),       /* The key used for package distribution */
    pkgPreview VARCHAR(7) DEFAULT 'FALSE' NOT NULL,     /* Is preview package */
    pkgTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,        /* Creation timestamp */
    pkgTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,   /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE',   /* Is this entry deleted (tombstone) */
    PRIMARY KEY(packageUID),
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* Access Control object data (single item of the list, associated with ACE Master)*/
CREATE TABLE PolicyDb_Access (
    accessPK VARCHAR(128),                /* Unique ID (primary key) */
    aceUID VARCHAR(128),                  /* Ace for which this access policy is (FK)*/
    identityData VARCHAR(128),            /* Internal representation, SID in AD */
                                          /* case, token value goes here. */
    accVersion INTEGER NOT NULL,          /* Access object version number */
    identityType INTEGER NOT NULL,        /* AD User, Group, or Token Value */
    identityName VARCHAR(128),            /* UI visible user/group name in AD case */
    accUseInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Limit number of instances for this ID? */
    accInstanceLimit INTEGER NOT NULL,    /* Max no. of ACE instances allowed */
    accTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,        /* Creation timestamp */
    accTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,   /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE',   /* Is this entry deleted (tombstone) */
    PRIMARY KEY(accessPK),
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* ACE Instance object data */
CREATE TABLE PolicyDb_Instance (
    instanceUID VARCHAR(128),             /* VM instance ID (primary key) */
    packageUID VARCHAR(128) NOT NULL,     /* The package it belongs to. */
    aceUID VARCHAR(128) DEFAULT '' NOT NULL,            /* The ACE Master it belongs to */
    creatorIdName VARCHAR(128) NOT NULL,  /* Display name of the activator user */
    creatorIdData VARCHAR(256),           /* Fully qualified name of the activator */
    creatorAuthType INTEGER NOT NULL,     /* The type of access check at activation */
    activationDate VARCHAR(21) NOT NULL,  /* The date and time for the activation. */
    lastPolicyCheck VARCHAR(21) NOT NULL, /* Last time when the player called server */
    revocationDate VARCHAR(21) NOT NULL,  /* When the instance was revoked */
    replacementDate VARCHAR(21) NOT NULL, /* When replaced because of Copy Protect. */
                                          /* policy */
    inheritsExpiration VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Use expiration info from Policy Set */
    insUseValidDates VARCHAR(7) DEFAULT 'FALSE' NOT NULL,   /* Use validity dates or always valid */
    insValidDateStart VARCHAR(21) NOT NULL,             /* The instance is valid from this date*/
    insValidDateEnd VARCHAR(21) NOT NULL,               /* The instance is valid till this date*/
    insPassword VARCHAR(128),             /* The login password for non-AD */
                                          /* authentication for this instance */
    hostName VARCHAR(128),                /* The name of the host PC the VM runs on */
    hostIp VARCHAR(128),                  /* The IP addr of the host the VM runs on */
    insProtectionKey VARCHAR(1024),       /* Instance VM disk encryption key */
    copyProtectionId VARCHAR(1024),       /* Stores location of the copy */
    insPreview VARCHAR(7) DEFAULT 'FALSE' NOT NULL,     /* Is preview instance */
    guestIpAddress VARCHAR(128) DEFAULT '',             /* Reported VM IP address */
    guestMacAddress VARCHAR(128) DEFAULT '',            /* Assigned VM MAC address */
    guestMachineName VARCHAR(128) DEFAULT '',           /* The guest (VM) OS host name */
    guestConfigStatus INTEGER DEFAULT 0,  /* The completion status of guest */
                                          /* auto-configuration */
    guestConfigMsg VARCHAR(512),          /* Message for the guest auto-config */
    insTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,        /* Creation timestamp */
    insTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,   /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE',   /* Is this entry deleted (tombstone) */
    insCustom1 VARCHAR(255),              /* User-defined field */
    insCustom2 VARCHAR(255),              /* User-defined field */
    insCustom3 VARCHAR(255),              /* User-defined field */
    insCustom4 VARCHAR(255),              /* User-defined field */
    insCustom5 VARCHAR(255),              /* User-defined field */
    insCustom6 VARCHAR(255),              /* User-defined field */
    insCustom7 VARCHAR(255),              /* User-defined field */
    insCustom8 VARCHAR(255),              /* User-defined field */
    insCustom9 VARCHAR(255),              /* User-defined field */
    PRIMARY KEY(instanceUID),
    FOREIGN KEY(packageUID) REFERENCES PolicyDb_Package(packageUID),
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* MAC Address Pool (reserved for future use) */
CREATE TABLE PolicyDb_MacPool (
    macPoolUID VARCHAR(128),              /* primary key */
    aceUID VARCHAR(128) NOT NULL,         /* ACE for which this MacPool is used */
    macPoolName VARCHAR(128),             /* User visible name */
    description VARCHAR(128),             /* name and description of the MAC pool*/
    rangeStart VARCHAR(21) NOT NULL,      /* Start address of the MAC pool */
    rangeEnd VARCHAR(21) NOT NULL,        /* End address of the MAC pool */
    lastAssigned VARCHAR(21) NOT NULL,    /* Last assigned address */
    mplTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,        /* Creation timestamp */
    mplTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,   /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE',   /* Is this entry deleted (tombstone) */
    PRIMARY KEY(macPoolUID),
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* Instance customization data */
CREATE TABLE PolicyDb_UserData (
    userDataPK VARCHAR(516),              /* Primary key */
    aceUID VARCHAR(128),                  /* ACE for which this UserData is defined */
    packageUID VARCHAR(128),              /* Package for which this UserData is used */
    activator VARCHAR(128),               /* The user */
    udataName VARCHAR(128),               /* User data entry name */
    udataType INTEGER NOT NULL,           /* Attribute of the date */
    udataValue VARCHAR(2048),             /* User data entry value */
    udtTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,        /* Creation timestamp */
    udtTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,   /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE',   /* Is this entry deleted (tombstone) */
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID),
    FOREIGN KEY(packageUID) REFERENCES PolicyDb_Package(packageUID),
    PRIMARY KEY(userDataPK));

/* ACE Master policy set */
CREATE TABLE PolicyDb_RuntimePolicy (
    aceUID VARCHAR(128),                  /* The ACE it belongs to. */
    policyVersion INTEGER,                /* Version of the RT Policy for this ACE */
    clientPolicyData VARCHAR(2000),       /* Runtime policy for the guest OS */
    clientPolicyDataExtKey VARCHAR(128),  /* If too long store in LongField table */
    hostPolicyData VARCHAR(2000),         /* Runtime policy for the host OS (NQ) */
    hostPolicyDataExtKey VARCHAR(128),    /* If too long store in LongField table */
    expirationType INTEGER NOT NULL,      /* Expiration Type (enum) */
    expValue_1 VARCHAR(21) NOT NULL,      /* Expiration value (depends on type) */
    expValue_2 VARCHAR(21) NOT NULL,      /* Expiration value (depends on type) */
    cacheLifetime VARCHAR(21) NOT NULL,   /* How long could work without server */
    rtpInstType INTEGER NOT NULL,         /* Instantiation authentication check type */
    rtpAuthType INTEGER NOT NULL,         /* Runtime authentication check type */
    rtpUseInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL,        /* Limit number of instances for this ACE? */
    rtpInstanceLimit INTEGER NOT NULL,    /* Max no. of ACE instances allowed */
    rtpUsePerUserInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Limit number of instances per user? */
    rtpPerUserInstanceLimit INTEGER NOT NULL,           /* Max no. of ACE instances per user */
    copyPolicy INTEGER DEFAULT 0 NOT NULL,              /* Behavior if VM instance is copied */
    published VARCHAR(7) DEFAULT 'FALSE' NOT NULL,      /* Policy published (update locked)*/
    rtpTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,        /* Creation timestamp */
    rtpTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,   /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE',   /* Is this entry deleted (tombstone) */
    PRIMARY KEY (aceUID, policyVersion),
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* ACE Management Server info - reserved for future use */
CREATE TABLE PolicyDb_AcescServer (
    serverHostname VARCHAR(128),          /* Host name of the server computer */
    serverPort INTEGER,                   /* TCP port number server is listening on */
    secure VARCHAR(7) DEFAULT 'FALSE' NOT NULL,         /* Whether HTTPS is enabled */
    sslCertificateExtKey VARCHAR(128),    /* SSL Certificate data, key to stored */
                                          /* in LongField table */
    sslCertificateChainExtKey VARCHAR(128), /* SSL Certificate Chain data, key to */
                                          /* stored in LongField table */
    PRIMARY KEY (serverHostname, serverPort));

/* Audit Event Log Event Types lookup table */
CREATE TABLE PolicyDb_EventType (
    eventType INTEGER,                    /* Event Type code (PK) */
    eventMessage VARCHAR(1024),           /* Printable message for this event type */
    eventCategory INTEGER,                /* Event Category code */
    eventCategoryName VARCHAR(128),       /* Event Category printable name */
    eventLogLevel INTEGER,                /* Event Log Level */
    PRIMARY KEY (eventType));

/* Audit Event Log data */
CREATE TABLE PolicyDb_Event (
    eventUID INTEGER,                     /* Primary key of the table (sequential) */
    eventTs VARCHAR(21),                  /* Timestamp of the event creation in uSec */
    loginName VARCHAR(128),               /* Login user name of the actor */
    aceUID VARCHAR(128),                  /* UID of the ACE affected by event */
    packageUID VARCHAR(128),              /* UID of the package affected by event */
    instanceUID VARCHAR(128),             /* UID of the instance affected by event */
    policyVersion INTEGER,                /* Version of ACE policy affected by event */
    eventCategory INTEGER,                /* Event Category as defined in EventType */
    eventType INTEGER,                    /* Event Type as defined in EventType */
    sessionID VARCHAR(128),               /* Ace Server Session ID */
    clientIP VARCHAR(128),                /* IP Address of the client machine (resvd) */
    serverIP VARCHAR(128),                /* IP Address of the Ace Server (reserved) */
    turnaroundTime VARCHAR(21),           /* Server-side execution time in ms */
    handlerName VARCHAR(128),             /* Name of the ClientLib handler (debug) */
    returnCodeText VARCHAR(128),          /* Text error code returned to the client */
    messageParams VARCHAR(1024),          /* Tab separated list of event data */
    prevEventUID INTEGER UNIQUE,          /* UID of the previous recorded event */
    eventSignature VARCHAR(128),          /* Event signature, signed with server key */
    FOREIGN KEY(eventType) REFERENCES PolicyDb_EventType(eventType),
    FOREIGN KEY(prevEventUID) REFERENCES PolicyDb_Event(eventUID),
    PRIMARY KEY (eventUID));
The mechanism does not necessarily answer these questions directly, but provides enough data so that an administrator can view event logs and find answers. The data being logged meets the following requirements:
Some of this audit trail is already visible through other features of the product. For example, the instance viewer displays the date of the last policy get operation, or the expiration date, and so on. The event logging mechanism can answer more difficult questions, such as which administrator made which policy changes and which administrator deleted an ACE instance. Table A-1 describes the data that is stored in a log entry.

Table A-1. Log Entry Data
Data                        Description
Audit log event ID (PK)     An incrementing integer
Log timestamp               In microseconds from 12:00 a.m. 01/01/1970, stored as a decimal string
ACE, package, and instance UIDs and policy version provide coordinates of the log event in the space of ACE Server objects. They help link the event with the state of the system. By using database query tools, you can find all ACE administration events that affected a particular ACE instance from its creation until its deletion. Not all coordinates are present for all events. For example, if a package expiration date update is logged, the instance UID field is not set, because all instances within the package are affected.

If immutable data is stored permanently elsewhere in the database, it is not duplicated in the log entry. For example, when a new policy is published, the complete policy text is not included in the log entry. Instead, its version number is referenced, so that the complete data of the event can be reconstructed from the PolicyDb_RuntimePolicy and PolicyDb_Access tables if necessary.

NOTE ACE Management Server does not log sensitive data like passwords or encryption keys.

The event type code is associated with a lookup table, PolicyDb_EventType, which contains a text message template for each type of event, category, and log level of the event. The message can contain %s parameter placeholders, in which case the MessageParameters field in the log entry contains a tab-delimited list of values for these parameters. For example, an instance administration event with type=4110 has the following message:

4110 -> "Instance Set Guest Info requested, IP address = %s, MAC address %s, configuration message \"%s\", machine name \"%s\", configuration status %s"

In this example, the MessageParameters field shows:

10.17.0.3 00:0C:29:1A:2B:3C OK ACETest 0
The resulting parameters replace the %s placeholders in the message template.
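The following script, an added example that is not part of the VMware guide, puts the schema and the description above to work: it loads the PolicyDb_EventType and PolicyDb_Event tables as defined in the schema into an in-memory SQLite database, inserts constructed sample rows (the type 4110 template and its parameter string are the guide's own example; the UIDs, timestamps, login names, instance UIDs and the second event type 4200 are invented here), then renders each event by substituting its tab-separated messageParams into the %s placeholders, converts the microsecond decimal-string timestamp of Table A-1 to UTC, lists every event that touched one instance, and walks prevEventUID to confirm the retained log has no gaps. The eventSignature column is not checked, because the guide does not state how it is computed.

```python
"""Query and render the ACE Management Server audit log (added example, not VMware's code)."""
import sqlite3
from datetime import datetime, timezone

# Two tables from the guide's schema, column comments omitted.
SCHEMA = """
CREATE TABLE PolicyDb_EventType (
    eventType INTEGER, eventMessage VARCHAR(1024), eventCategory INTEGER,
    eventCategoryName VARCHAR(128), eventLogLevel INTEGER, PRIMARY KEY (eventType));
CREATE TABLE PolicyDb_Event (
    eventUID INTEGER, eventTs VARCHAR(21), loginName VARCHAR(128), aceUID VARCHAR(128),
    packageUID VARCHAR(128), instanceUID VARCHAR(128), policyVersion INTEGER,
    eventCategory INTEGER, eventType INTEGER, sessionID VARCHAR(128), clientIP VARCHAR(128),
    serverIP VARCHAR(128), turnaroundTime VARCHAR(21), handlerName VARCHAR(128),
    returnCodeText VARCHAR(128), messageParams VARCHAR(1024), prevEventUID INTEGER UNIQUE,
    eventSignature VARCHAR(128),
    FOREIGN KEY(eventType) REFERENCES PolicyDb_EventType(eventType),
    FOREIGN KEY(prevEventUID) REFERENCES PolicyDb_Event(eventUID),
    PRIMARY KEY (eventUID));
"""

# Constructed sample data. 4110 and its parameters come from the guide (the \" escapes
# printed there are dropped); type 4200, all UIDs, names and timestamps are invented.
SAMPLE_EVENT_TYPES = [
    (4110, 'Instance Set Guest Info requested, IP address = %s, MAC address %s, '
           'configuration message "%s", machine name "%s", configuration status %s',
     4, "Instance administration", 1),
    (4200, "Instance %s deleted", 4, "Instance administration", 1),
]
SAMPLE_EVENTS = [  # eventUID, eventTs (usec as decimal string), loginName, instanceUID, eventType, messageParams, prevEventUID
    (100, "1171619624000000", "ACETest", "inst-0001", 4110,
     "10.17.0.3\t00:0C:29:1A:2B:3C\tOK\tACETest\t0", None),
    (101, "1171619700000000", "ACETest", "inst-0002", 4110,
     "10.17.0.4\t00:0C:29:4D:5E:6F\tOK\tACETest2\t0", 100),
    (102, "1171620000000000", "admin", "inst-0001", 4200, "inst-0001", 101),
]


def load_sample():
    """In-memory database holding the two tables and the constructed rows."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany("INSERT INTO PolicyDb_EventType VALUES (?,?,?,?,?)", SAMPLE_EVENT_TYPES)
    con.executemany("INSERT INTO PolicyDb_Event (eventUID, eventTs, loginName, instanceUID, "
                    "eventType, messageParams, prevEventUID) VALUES (?,?,?,?,?,?,?)", SAMPLE_EVENTS)
    con.commit()
    return con


def ts_to_utc(event_ts):
    """eventTs is microseconds since 01/01/1970 stored as a decimal string (Table A-1)."""
    seconds = int(event_ts) // 1_000_000
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def render(template, message_params):
    """Substitute the tab-separated parameters into the template's %s placeholders, in order."""
    params = message_params.split("\t") if message_params else []
    parts = template.split("%s")
    if len(parts) - 1 != len(params):
        raise ValueError(f"template expects {len(parts) - 1} parameters, got {len(params)}")
    out = parts[0]
    for value, tail in zip(params, parts[1:]):
        out += value + tail
    return out


def events_for_instance(con, instance_uid):
    """Every logged event whose instanceUID coordinate is this instance, oldest first."""
    rows = con.execute(
        "SELECT e.eventUID, e.eventTs, e.loginName, t.eventMessage, e.messageParams "
        "FROM PolicyDb_Event e JOIN PolicyDb_EventType t ON t.eventType = e.eventType "
        "WHERE e.instanceUID = ? ORDER BY e.eventUID", (instance_uid,)).fetchall()
    return [(uid, ts_to_utc(ts), login, render(tmpl, params)) for uid, ts, login, tmpl, params in rows]


def chain_gaps(con):
    """(eventUID, expected prevEventUID, stored prevEventUID) for each break in the chain.
    The oldest retained row is expected to have no predecessor; purged or missing rows show up here."""
    gaps, expected = [], None
    for uid, prev in con.execute("SELECT eventUID, prevEventUID FROM PolicyDb_Event ORDER BY eventUID"):
        if prev != expected:
            gaps.append((uid, expected, prev))
        expected = uid
    return gaps


def demo():
    con = load_sample()
    history = events_for_instance(con, "inst-0001")
    gaps_before = chain_gaps(con)
    # Simulate a missing record: event 103 is absent, and 104 claims it as predecessor.
    con.execute("INSERT INTO PolicyDb_Event (eventUID, eventTs, eventType, messageParams, prevEventUID) "
                "VALUES (104, '1171620100000000', 4200, 'inst-0002', 103)")
    return {"history": history, "gaps_before": gaps_before, "gaps_after": chain_gaps(con)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Against the real database, point `sqlite3.connect` at the embedded file (or use your external database's driver with the same SQL) and drop `load_sample`; the queries use only columns present in the schema above.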
Glossary
ACE instance
A virtual machine that ACE administrators create, associate with virtual rights management (VRM) policies, and then package for deployment to users.

ACE Management Server
A server that the ACE administrator can install and use for activating and tracking ACE instances and for hosting dynamic policies for ACE instances.

ACE-enabled virtual machine
A virtual machine template that the ACE administrator creates. The virtual machine can be configured with various policies, devices and deployment settings. It can then be used as the basis for creating packages to be sent to ACE users. In earlier versions of VMware ACE, this template was called an ACE Master.

activation
A step in an ACE instance setup that includes package protection and setting up the ACE instance's runtime authentication policy. The successful completion of activation makes the packaged virtual machine, with its policies and other settings, an ACE instance. The activation setting in the access control policy determines who can access an installed ACE package and turn it into an ACE instance. See also authentication.

authentication
A step in an ACE instance setup that includes instance protection. The successful completion of the authentication step allows the user to run the instance. See also activation.

deployment settings
A set of rules and settings associated with a package, such as instance customization settings. These settings cannot be changed after packaging. The only way to change deployment settings is to create a new package.

guest operating system
An operating system that runs inside an ACE instance. See also host operating system.

host computer
The physical computer on which the VMware Player software is installed. It hosts the ACE instances.

host operating system
An operating system that runs on the host machine. See also guest operating system.

hot fix
An installable file that resets a user's password, renews an expired virtual machine or enables a copy-protected virtual machine to run from a new location.
instance customization
The act of customizing an ACE instance, thus making it unique from all other instances. The instance customization process automates the actions of the Microsoft Sysprep utility. It also provides the ACE administrator with features needed to set up an automated remote domain join process of the ACE instance to a company VPN network.

managed ACE instance
An ACE instance that an ACE Management Server manages. See also ACE Management Server.

package
An installable bundle for distribution to users. A full package includes an ACE-enabled virtual machine configuration file, virtual disk files, policies, a package installer, and resource files. It also includes the VMware Player application used to run ACE instances.

policy
A formal set of guidelines that control the capabilities of an ACE instance. Policies are set in the policy editor in Workstation. See also publish.

preview
An operating and viewing mode that an administrator can use to preview the ACE instance as it will run on the user's machine. The administrator can use this feature to see the effects of policy and configuration settings without having to perform the packaging and deployment steps.

publish
The process of making policies available on ACE Management Server so that ACE instances can receive them according to the policy update schedule. See also policy.

standalone ACE instance
An ACE instance that is not managed by ACE Management Server. Any changes to its policies or other settings are made by the administrator's distribution of updates to the user.

virtual machine
A virtualized x86 PC environment in which a guest operating system and associated application software can run. An ACE-enabled virtual machine that has policies and other settings associated with it is known as an ACE instance. See also ACE instance.

VMware Player
An application that allows a user to run an ACE instance.

Workstation
The program that an administrator uses to create, deploy, and update ACE packages and manage ACE instances. Formerly named VMware ACE Manager or VMware Workstation ACE Edition.

VMware Tools
A suite of utilities and drivers that enhances the performance and functionality of the guest operating system. Key features of VMware Tools include some or all of the following, depending on your guest operating system: an SVGA driver, a mouse driver, the VMware Tools control page, and support for such features as shared folders, shrinking virtual disks, time synchronization with the host, VMware Tools scripts, and connecting and disconnecting devices while the ACE instance is running.
Index
A
ACE instance
    log events for 37
    on Linux host, fixing server connection problem 51
    security certificates in 18
ACE Management Server
    Active Directory integration 15
    changing port assignment 51
    configuring 29
    creating Active Directory user and group for 29
    database backup 53
    database schema 55
    default port assignments 22
    embedded database 15
    external database option 15
    features 9
    fixing connection problem with ACE instance on Linux host 51
    hardware requirements 10
    installing 22
    installing on Linux system 23
    installing on Windows system 22
    installment options 22
    licensing 34
    logging on 26
    querying the audit event log data 55
    serial number 34
    stopping and starting manually 25
    using 45
Active Directory
    creating group for use with ACE Management Server 29
    creating user for use with ACE Management Server 29
    integration with ACE Management Server 15
    logon options, ACE Management Server 26
audit event log data, querying 59

C
certificates, setting up 33
change the copy protection ID 49
clock synchronization (note) 21
column headings, sorting by 47
configuration Restart page 37
configuring ACE Management Server instances 29
copy protection, changing the ID for 49
custom fields in instance view 48

D
database
    backup 53
    external 15
    for ACE 15
database for ACE Management Server 15
deactivate an ACE instance 49
details for an instance, viewing 48

E
event logging 37
expiration dates, changing 49

H
Help Desk
    advanced instance queries 47
    Instances page 45
    using 46
Help Desk Instance Details page 48

I
installing ACE Management Server 22
Instance Details page 48
instance queries 47
instance view
    custom fields 48
    customizing columns in 48
    details 48
Instances page 45

L
LDAP See Active Directory
licensing, ACE Management Server 34
logging events 37
logging on to the ACE Management Server 26

P
passwords, resetting
    admin password for ACE Management Server 52
    for ACE instances 50

R
reactivate an ACE instance 49
reset the password for an instance 50
Restart page 37
restarting the ACE Management Server 37

S
searching for instances in Help Desk 47
security, SSL 17, 18
sort instances 47
SQLite database for ACE Management server 15
SSL certification, using 17, 18
SSL protocol, using 17, 18
stopping and starting the Apache service manually 25

T
troubleshooting with the Help Desk application 46

U
using the ACE Management Server 45

V
view details for an instance 48
VMware Player
    fixing ACE Server connection problem on Linux host 51