
ACE Management Server Administrators Manual

VMware ACE 2.6

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000169-00


You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2007-2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com


Contents

About This Book

1 Introduction 9
  Features of ACE Management Server 9
  System Requirements 10
    Required Hardware 10
    Supported Operating Systems 10
    Supported External Databases 10
    Supported Proxies 11
    Required Web Browsers 11
  Licensing 11

2 Planning an ACE Management Server Deployment 13
  Deployment Components 13
    Host System Options 14
      Windows Hosts 14
      Linux Hosts 14
      Server Appliance Option 14
    Database Options 15
    Active Directory Authentication Options 15
  Performing Capacity Planning 15
    Database Throughput and Scalability 16
    LDAP Throughput 16
    Network Bandwidth and Policy Update Frequency 16
    ACE Policy Configuration 17
    Load Balancers 17
  Security Features and Considerations 17
    Using SSL Certificates and Protocol 18
  Accessing ACE Management Server from Outside the Corporate Firewall 19
  Deployment Planning Worksheet 19

3 Installing and Configuring ACE Management Server 21
  Preparing for Installation 21
    Configure TLS in Your Browser 21
  Installing and Upgrading ACE Management Server 22
    Install an ACE Management Server on a Windows Host 22
    Install ACE Management Server on a Linux System 23
    Install an ACE Management Server Appliance 24
  Verify That the Apache Service Is Started or Restarted 25
  Start and Configure ACE Management Server 26
  Log In to ACE Management Server 26

4 Configuration Options for ACE Management Server 29
  Prerequisites for Configuring the Server 29
    Create Users and Groups for Integration with Active Directory 29
    Set Up an External Database 30
      Creating a System DSN Entry for an External Database 31
      Increase the Number of Database Connections Allowed 32
      Enable Database Connection Pooling on Linux 33
      Set Up a Connection Between the Server Appliance and an External Database 33
    Prepare Custom Security Certificates 33
      View the Properties of the Self-Signed Certificate File 34
  Starting ACE Management Server Configuration 34
    Viewing and Changing Licensing Information 34
    Using an External Database 35
    Creating Access Control 35
    Uploading Custom SSL Certificates 36
    Logging Events 37
    Applying Configuration Settings 37

5 Load Balancing Multiple ACE Management Server Instances 39
  Typical Setup Using Load-Balanced ACE Management Server Instances 40
  Install the Required Services for Load Balancing 40
    Use the Same SSL Certificate on All Servers 41
    Create New SSL Certificates and Keys for Each Server 41
  Installing and Configuring the Load Balancer 43
  Verify That ACE Instances Are Using the Load Balancer 43

6 Managing ACE Instances 45
  Viewing ACE Instances That the Server Manages 45
    Use the VMware ACE Help Desk Application 46
    Use the Instance View in Workstation 46
    Search for an Instance 47
    Sort by Column Heading and Change Column Width 47
    Show, Hide, and Move Columns in the Instance View 48
    Create or Delete Custom Columns in the Instance View 48
  View Instance Details 48
    Reactivate, Deactivate, or Delete an ACE Instance 49
    Policies Tab 49
    Change a Copy Protection ID 49
    Reset the Authentication Password 50
    Add Information for Custom Columns 50

7 Troubleshooting and Maintenance 51
  Troubleshooting Configuration Problems 51
    Connection Problems Between a Linux ACE Instance and ACE Management Server 51
    Change the Port Assignment for ACE Management Server 51
    Delete the Server Configuration File and Set a New Administrator Password 52
    Restore a Backup Copy of an SSL Certificate 52
  Configuring Multiple ACE Management Server Instances to Use SSL 53
  Database Backup 53

Appendix: Database Schema and Audit Event Log Data 55
  Using Database Reporting Tools 55
  Database Schema 55
  Querying the Audit Event Log Data 59

Glossary 63

Index 65


About This Book

This manual, the VMware ACE Management Server Administrator's Manual, provides information about installing and using the VMware ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:

- Manage activation of ACE packages.
- Manage authentication of those activated packages.
- Dynamically deliver policy updates to managed ACE instances.
- Dynamically deliver instance customization data for managed ACE instances with Windows guest operating systems.

Intended Audience
This book is intended for anyone who needs to install, upgrade, or use ACE Management Server to manage ACE instances. ACE Management Server is intended for ACE administrators who must maintain and update ACE policies used on virtual machines deployed throughout an enterprise.

Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to: docfeedback@vmware.com

Technical Support and Education Resources

The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.

Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.


VMware Professional Services

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.


Introduction

The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily. This chapter includes the following topics:

- "Features of ACE Management Server" on page 9
- "System Requirements" on page 10

Features of ACE Management Server


ACE Management Server offers scalability and reliability:

- You can increase capacity by adding network resources such as load balancers and extra server hardware.
- For testing environments, the default embedded backing store provides a simple and efficient database solution. To scale ACE Management Server for production deployments, you can configure and use an external relational database management system (RDBMS).
- In Windows, multithreaded processes handle server requests. In Linux, multiple processes handle server requests. If one process fails, another takes over.

ACE Management Server offers Active Directory integration:

- You can use Active Directory to authenticate users of ACE instances.
- You do not need a schema change for your existing Active Directory.
- LDAP is used to access Active Directory.
- Information about Windows domain user account states is provided in clear and useful messages. Reasons for login failures are presented as "locked out" or "password expired".
- ACE Management Server acts as an Active Directory password change proxy.
- You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.

Security features include the following:

- Encrypted communications between server and clients travel over HTTPS.
- Passwords are stored securely in hashed form in the backing store.
- Flexible database options allow use of an embedded database or an external RDBMS to store ACE instance data and policies.


ACE Management Server is easy to install and configure. Client traffic can be proxied by easily available products. The server uses easily available software components:

- Apache Web server 2.0
- The default SQLite database store

The server setup uses industry standard protocols:

- HTTPS and LDAP
- XML-RPC for message encapsulation

ACE Management Server offers extensibility and availability:

- You can create and use more than one ACE Management Server. When you use more than one server, you can set the servers up so that they share the same database for load balancing or increased fault tolerance.
- A Windows ACE Management Server can be on the same system as Workstation.
- You can designate a single ACE Management Server name, such as https://ace.policyserver.company.com, and use DNS lookup to translate the host name to an address. The address is cached if a DNS server is not available. Additionally, you can use different ACE Management Server instances if users travel between offices in different geographic locations.

NOTE Your server name must be either the machine name in English or the IP address. International characters are not supported.

System Requirements
The following sections describe the ACE Management Server system requirements.

Required Hardware

- A minimum of an 800MHz-compatible x86 or x86-64 architecture processor. Compatible processors include Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including Prestonia), AMD Athlon, Athlon MP, Athlon XP, Duron, Opteron, AMD64 Opteron, and Athlon 64.
- Experimental support for Intel IA-32e CPUs.
- 40MB of free space is required for basic installation. VMware recommends at least 10GB of free disk space.
- An 8-bit display adapter is required.
- For local area networking, any Ethernet controller that the operating system supports is sufficient.

Supported Operating Systems


Following are the supported operating systems for ACE Management Server:

- Windows Server 2003 Web Edition SP1 and SP2, Windows Server 2003 Standard Edition SP1 and SP2, Windows Server 2003 Enterprise Edition SP1 and SP2 (includes 64-bit and R2 editions)
- Windows XP Professional (includes 64-bit editions)
- Windows 2000 Server Service Pack 4 and Windows 2000 Advanced Server Service Pack 4
- Red Hat Enterprise Linux Advanced Server 4.0 with Update 4
- SUSE Linux Enterprise Server 9 Service Pack 3


Supported External Databases


An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:

- For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher, or Oracle Database 10g. If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

Supported Proxies
You can deploy ACE Management Server with the following HTTPS proxy solutions:

- Apache Proxy, using mod_proxy
- Zeus Technology Load Balancer, a commercially available load balancer and traffic management solution

Required Web Browsers


The browser-based ACE Management Server Setup application and the VMware ACE Help Desk application require one of the following Web browsers:

- Mozilla Firefox 1.52 or higher
- Internet Explorer 6.0 or higher. Make sure that the Internet Explorer browser has TLS 1.0 checked to log in to the AMS Web configuration page.

Licensing
You must configure the server and enter the serial number in the server setup Web application. If you do not, you cannot connect to the server in Workstation. Your serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. Workstation and ACE instances cannot connect to an ACE Management Server with an expired or nonexistent license.


Planning an ACE Management Server Deployment

This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices. This chapter includes the following topics:

- "Deployment Components" on page 13
- "Performing Capacity Planning" on page 15
- "Security Features and Considerations" on page 17
- "Accessing ACE Management Server from Outside the Corporate Firewall" on page 19
- "Deployment Planning Worksheet" on page 19

Deployment Components
A typical ACE Management Server deployment has the following components:

- One or more ACE Management Server instances. Configuring multiple servers to use the same database increases the number of ACE clients you can manage and provides high availability.
- Database server. For production deployments, VMware recommends Oracle Database 10g or MS SQL for ACE Management Server installed on a Windows host, and Postgres for ACE Management Server installed on a Linux host.
- (Optional) Active Directory domain controller. To enable the ACE Management Server Active Directory integration, you must configure ACE Management Server to communicate with your domain controller.
- (Optional) HTTP load balancer. Use a load balancer to help scale the capacity of your ACE Management Server deployment.
- (Optional) HTTP proxy. If clients will access ACE Management Server from outside the corporate firewall, VMware recommends using an HTTPS proxy in the DMZ. You can use ACE Management Server with Apache Proxy and Zeus Technology Load Balancer.

For an example of an ACE Management Server deployment, see Figure 2-1.


Figure 2-1. Comprehensive ACE Management Server Deployment

[Figure: a WSAE client and an ACE Player client within the corporate network, and an ACE Player client outside it, connect over HTTPS to one or more ACE Management Server instances, optionally through a load balancer. The external client reaches the server through a proxy for the ACE Management Server service through the corporate firewall (optional). The server communicates with an optional Active Directory domain controller over LDAP and Kerberos, and with the database server over ODBC.]

ACE Management Server offers convenience and flexibility in its setup options. You can install the server on Windows or Linux hosts. For testing purposes, you can download and run the server as a virtual appliance. ACE Management Server includes its own security certificates and embedded database, but you can use an external database and use certificates from a certificate authority if you prefer. You can also configure ACE Management Server to use Active Directory for authentication.

Host System Options


You can install ACE Management Server on a Windows host, a Linux host, or as a virtual appliance. If you set up multiple ACE Management Server instances, they must all be the same type.

Windows Hosts
If you plan to integrate with Active Directory, VMware recommends that you install ACE Management Server on a Windows host. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system to integrate with Active Directory. Internal testing results indicate that the Windows implementation provides better performance than Linux.

Linux Hosts
You can install ACE Management Server on a Linux host and use Active Directory for authentication, even though performance is slower than on Windows hosts. If you plan to use a Linux host in production environments, use the Linux installer rather than the ACE Management Server appliance. If you do not have the supported Linux operating systems installed on a physical server, you can create a virtual machine, install a supported Linux operating system, and install ACE Management Server in the virtual machine.

Server Appliance Option


The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small Linux operating system in a virtual machine. The appliance is convenient and quick to set up in a testing environment but is not recommended for production environments. By default, the appliance attempts to configure its network by using DHCP. If you do not want to use DHCP, you can use the browser-based ACE Management Server Setup application to configure the network settings. You can use the same interface to update the appliance when updates become available. You must have access to a Web browser (Mozilla 1.52 or higher or Internet Explorer 6.0 or higher) to change network settings or obtain updates for the appliance.

Database Options
ACE Management Server offers the following database options:

- Embedded SQLite database. The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.
  The SQLite database is file-based and is not designed to be effectively shared across multiple processes. If you use third-party tools to access the database for a read operation, therefore, you cannot depend on transactional isolation of the pending write operations of the ACE Management Server.
  The embedded database is adequate for testing purposes, but VMware recommends that you use an external database in production environments.
- Supported external database. In production environments, use a supported external database as a backing store for ACE Management Server, through ODBC connectivity. Supported external database engines are the following:
  - For Windows-based ACE Management Server, use Microsoft SQL Server (SQL Server 2000 or SQL Server 2005) or Oracle Database 10g installed on the same system or a different Windows system
  - For Linux-based ACE Management Server, use PostgreSQL 7.4 or higher installed on the same system or a different Linux system

NOTE If ACE Management Server is deployed in the DMZ, use an external database located inside your corporate network behind a firewall.

Using an external database with ACE Management Server offers the following benefits:

- Online backup, so that you do not have to shut down ACE Management Server to back up the database.
- Enhanced security model. You can fine-tune permissions to access sensitive data. The SQLite database engine provides only file-system-based security.
- Performance fine-tuning.
- Ability to use external database management and reporting tools.
- Ability to use load balancers with multiple ACE Management Server instances. You must use an external RDBMS as the backing store, because the SQLite database is not designed to be effectively shared across multiple processes.
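The reason the embedded store cannot back more than one server instance is SQLite's whole-file write lock. The following Python script, added here as an illustration and not code from VMware or from this manual, reproduces the behaviour with the standard library's sqlite3 module. Two connections to one temporary database file stand in for two ACE Management Server processes (or a server and a third-party reporting tool); the same file locks apply across processes. The event_log table and its rows are constructed for the example and are not the real ACE schema.

```python
import os
import sqlite3
import tempfile


def setup_store(path):
    """Create a constructed stand-in for the embedded backing store: one
    event-log table with a single committed row (not the real ACE schema)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE event_log (id INTEGER PRIMARY KEY, msg TEXT)")
    conn.execute("INSERT INTO event_log (msg) VALUES ('committed before test')")
    conn.commit()
    conn.close()


def contend_for_store(path, busy_timeout=0.2):
    """Hold a write transaction open on one connection (first server process)
    and, from a second connection (second server process or reporting tool),
    try to read and then to write.

    Returns (rows visible to the concurrent reader, error seen by the
    concurrent writer or None)."""
    writer_a = sqlite3.connect(path, isolation_level=None)
    other_b = sqlite3.connect(path, isolation_level=None, timeout=busy_timeout)
    try:
        # BEGIN IMMEDIATE takes SQLite's RESERVED lock on the database file.
        # Only one connection, in any process, may hold it at a time.
        writer_a.execute("BEGIN IMMEDIATE")
        writer_a.execute("INSERT INTO event_log (msg) VALUES ('pending, uncommitted')")

        # A concurrent reader still succeeds, but sees only committed rows.
        rows_seen = other_b.execute("SELECT COUNT(*) FROM event_log").fetchone()[0]

        # A concurrent writer cannot acquire the lock; after busy_timeout
        # seconds of retrying, sqlite3 raises "database is locked".
        try:
            other_b.execute("INSERT INTO event_log (msg) VALUES ('second server')")
            writer_error = None
        except sqlite3.OperationalError as exc:
            writer_error = str(exc)

        writer_a.execute("ROLLBACK")
        return rows_seen, writer_error
    finally:
        writer_a.close()
        other_b.close()


def demo():
    """Run the contention scenario against a throwaway database file."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        setup_store(path)
        return contend_for_store(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    rows, err = demo()
    print(f"reader saw {rows} committed row(s) while a write was pending")
    print(f"second writer: {err or 'succeeded (unexpected)'}")
```

The second writer is the situation a load-balanced pair of servers sharing one SQLite file would be in continuously: every authentication event is a write, so one instance would keep failing with "database is locked" while the other commits. An external RDBMS with row-level locking and connection pooling is what removes that contention.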

Active Directory Authentication Options


Active Directory integration provides the following benefits:

- Permits joining an operating system that is running an ACE instance to the domain remotely.
- Provides search functions so you can quickly find a particular individual or group.
- Enables you to use Active Directory Users and Groups to configure role-based access to the features of ACE Management Server.

Performing Capacity Planning


ACE Management Server enables you to manage ACE instances and policies in real time. The number of clients that a single ACE Management Server can serve depends on several key factors:

- Database throughput and scalability
- LDAP throughput (if you are using Active Directory)
- Network bandwidth available for incoming client requests


- ACE policy configuration
- Load balancers for very large deployments (more than 5,000 clients)

Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.

Table 2-1. Number of Clients Supported

Hardware                                         Recommended Clients
2GHz AMD 2-way server (Opteron 280, 4GB RAM)     6,000
2GHz Intel 2-way desktop machine (4GB RAM)       4,000

Database Throughput and Scalability


For production deployments, VMware recommends that you use Oracle, MS SQL, or Postgres as your database platform.

More than 95 percent of the storage space that an ACE Management Server requires is used to log event information, which is an audit trail of all transactions performed through ACE Management Server. Table 2-2 lists recommended database sizes based on the number of clients being served.

The figures in the table are based on a 90-day database archival period. Back up the database records every 90 days and keep event logs for 90 days. You can configure ACE Management Server to purge event logs every 90 days.

Table 2-2. Database Storage Recommendations

Number of Clients    Recommended Database Size
100                  50 MB
1,000                500 MB
10,000               5,000 MB

The authentication event generates most of the data because an event is generated every time someone attempts to authenticate to ACE Management Server. You can configure ACE Management Server to log less event information. See "Logging Events" on page 36.

LDAP Throughput
ACE Management Server can communicate with your Active Directory domain controller to authenticate user credentials. Your domain controller infrastructure handles the LDAP traffic required to support the number of clients that you anticipate.

Integrating with Active Directory through LDAP is implemented differently in the Windows ACE Management Server than in the Linux-based ACE Management Server. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.


Network Bandwidth and Policy Update Frequency


The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.

Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes

Number of Clients    Bandwidth Required
100                  0.125 Mb/sec
1,000                1.25 Mb/sec
10,000               12.5 Mb/sec

VMware recommends that for large deployments (more than 5,000 clients), you increase the time between policy updates by clients, because this reduces the amount of required bandwidth. Table 2-4 shows the bandwidth needed when the policy update frequency value is set to 30 minutes.

Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes

Number of Clients    Bandwidth Required
100                  0.04 Mb/sec
1,000                0.4 Mb/sec
10,000               4 Mb/sec

The amount of network bandwidth required can also be higher if your policy set is very complex. VMware recommends that you have a separate network link between ACE Management Server and your database server, so that traffic between ACE Management Server and its clients does not interfere with the traffic to and from your database server.

ACE Policy Configuration


The configuration of ACE policies can affect performance. The following settings increase the amount of data that is transferred between ACE Management Server and ACE Player:

- Host policies. Enabling host policies (such as host network quarantine) requires that a host-side daemon retrieve the host policies from the ACE Management Server.
- Complex network quarantine policies. If the set of rules that makes up your network quarantine is very large, the transfer of these rules from the ACE Management Server to the clients can affect scalability. The numbers shown in Table 2-3 and Table 2-4 are estimates of required bandwidth given average-size rule sets for network quarantine. You can view the size of your policy set by examining the ACE file directory and checking the size of the .vmpl file. An average policy set is 15KB or less.

Load Balancers
The ACE Management Server client-server protocol is built on top of the HTTPS protocol. You can use HTTP load balancing software and hardware solutions to scale an ACE Management Server deployment beyond the capacity of a single server (or for high-availability deployments). ACE Management Server scales in a linear fashion when an enterprise-grade HTTPS load balancer is used. See Chapter 5, "Load Balancing Multiple ACE Management Server Instances," on page 39.


Security Features and Considerations


By default, ACE Management Server uses the Secure Sockets Layer (SSL) protocol to provide encrypted and secure communications. Following is an overview of security features and recommendations on how to configure the ACE Management Server to avoid security problems:

- Traffic to and from clients is protected by HTTPS. By default, ACE Management Server creates a self-signed certificate when you install it, to use for HTTPS traffic. These certificates are secure, but you can also configure ACE Management Server to use your own certificate and key pairs.
- Traffic from ACE Management Server to Active Directory is encrypted. If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. LDAP traffic is encrypted at the application layer. Credentials are protected by using the Kerberos protocol to authenticate them.
- Sensitive configuration options are encrypted. Passwords stored in the configuration file are encrypted.
- Database security. The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.

SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient. URLs that require an SSL connection start with https. During ACE Management Server installation, the following two files are created:

- server.key. An RSA 1024-bit key; this is the private key.
- server.crt. A self-signed certificate. Its signature is verified by the public key, which is embedded in the certificate. This public certificate is valid for 10 years from the date and time at which the server is installed. The certificate file is encoded in PEM format.

By default, these files are stored in the SSL directory in the VMware ACE Management Server program directory. Because possession of server.key is all that is needed to impersonate the server to every ACE instance, restrict read access to that file to the account that runs the Apache service. A 1024-bit RSA key is below the minimum that current guidance calls for; if your enterprise policy requires a larger key, supply your own key and certificate pair rather than keeping the generated one (the restriction to SHA-1-signed certificates noted in Table 2-5 still applies).

VMware Player, which runs the ACE instances, does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. Using self-signed certificates is adequate for most security needs. You can, however, use a certificate issued by a certificate authority. If you have multiple ACE Management Server instances, you can use one certificate for all or you can use a different certificate on each one.

Using SSL Certificates and Protocol


When an ACE-enabled virtual machine connects to an ACE Management Server, it downloads the public certificate for that server and any chain of certificates required to verify the server's public certificate. A server certificate might have a chain of several certificates that must be verified step by step until the verification process reaches the root, or trusted, certificate in the certificate store. The first time a connection is made to a server by any ACE-enabled virtual machine on a Workstation administrator machine, the certificate and its verification chain are downloaded to the Workstation host system.

The store or collection of certificates that is downloaded when an ACE-enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE-enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server. It verifies that the certificates that are in the ACE package match those that the server provides. If they do not match exactly, VMware Player displays an error message and does not run the instance.


VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs. If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key-certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public key certificates, typically for a fee.
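The check described above is certificate pinning: the package carries the exact chain, and the server's chain must match it rather than merely chain to some trusted root on the host. The following Python script, added here as an illustration and not code from VMware Player or from this manual, shows the shape of such an exact-match check using only the standard library. It compares the SHA-256 fingerprint of the DER bytes of each PEM block, in order, so that harmless differences in line wrapping or line endings do not cause a false mismatch, while a different leaf certificate (for example, an SSL-terminating proxy presenting its own certificate) does. The PEM blocks are constructed placeholders for the example, not real X.509 certificates, and the Player's actual file layout and comparison algorithm are not published here.

```python
import base64
import hashlib
import re
import textwrap

# Each PEM certificate block carries base64-encoded DER between these markers.
_PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def chain_fingerprints(pem_text):
    """SHA-256 fingerprints of the DER bytes of every certificate in pem_text,
    in the order the blocks appear. Decoding the base64 first means that
    re-wrapping, CRLF line endings or trailing whitespace do not change the
    result; only the certificate bytes themselves are compared."""
    fingerprints = []
    for match in _PEM_CERT.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def chain_matches_package(packaged_pem, presented_pem):
    """Exact-match check in the spirit of the behaviour described above: the
    chain the server presents must equal the chain stored in the package,
    certificate for certificate and in the same order. An empty package
    store fails closed instead of accepting whatever the server sends."""
    pinned = chain_fingerprints(packaged_pem)
    return bool(pinned) and pinned == chain_fingerprints(presented_pem)


def _constructed_pem(body):
    """Wrap constructed bytes as a PEM CERTIFICATE block. These are placeholder
    bytes for the example only, not parseable X.509 certificates."""
    b64 = base64.b64encode(body).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins: the chain embedded in the ACE package (server
# certificate, then its issuing CA), the same chain as a Windows server might
# present it (CRLF line endings), and a chain with a different leaf.
PACKAGED_STORE_PEM = (_constructed_pem(b"constructed: ams server certificate")
                      + _constructed_pem(b"constructed: internal CA certificate"))
PRESENTED_SAME_CRLF = PACKAGED_STORE_PEM.replace("\n", "\r\n")
PRESENTED_ROGUE = (_constructed_pem(b"constructed: proxy certificate")
                   + _constructed_pem(b"constructed: internal CA certificate"))

if __name__ == "__main__":
    print("same chain, CRLF:", chain_matches_package(PACKAGED_STORE_PEM, PRESENTED_SAME_CRLF))
    print("different leaf:  ", chain_matches_package(PACKAGED_STORE_PEM, PRESENTED_ROGUE))
    print("empty store:     ", chain_matches_package("", PACKAGED_STORE_PEM))
```

Comparing fingerprints of the decoded DER rather than the PEM text is what makes the "match exactly" requirement robust: the same certificate re-exported by a different tool still matches, while a substituted certificate cannot, because its bytes and therefore its hash differ.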

Accessing ACE Management Server from Outside the Corporate Firewall


All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management Server traffic.

Because of the number of data connections that the ACE Management Server must make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.

Figure 2-2. Recommended Deployment for External Access

[Figure: an external client sends HTTPS traffic (port 443) through the external firewall to an HTTPS proxy server in the DMZ, which relays HTTPS traffic (port 443) through the internal firewall to the AMS server. From inside the corporate network, the AMS server makes its back-end connections: LDAP (port 389), KRB5 (port 88), DNS, NETBIOS (port 137), and ODBC to the database server.]

ACE Management Server can be deployed with the following HTTPS proxy solutions:

- Apache Proxy, using mod_proxy
- Zeus Technology Load Balancer, a commercially available load balancer and traffic management solution

Avoid the following problems when you use a proxy for traffic into an ACE Management Server:

- SSL termination. If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy server and ACE Management Server. Or, use the ACE Management Server certificate chain feature to embed the HTTPS proxy certificate verification chain in the ACE package. An example of a proxy server that terminates SSL connections is Apache Proxy. The Zeus load balancing products support SSL pass-through, which means that the SSL connection is terminated at ACE Management Server.
- Multiple ACE Management Server SSL certificates. If you are deploying multiple ACE Management Server instances behind a load balancing solution, all ACE Management Server instances must use the same SSL key and certificate pair. You can also use the ACE Management Server certificate chain feature to embed every SSL certificate verification chain into the ACE package.
- DNS resolution. When you create an ACE-enabled virtual machine, you must specify a host name for ACE Management Server. This host name must resolve to the appropriate IP address for both internal and external clients. Internally, it can resolve to ACE Management Server itself. Externally, it can resolve to the HTTPS proxy server.

Because the traffic coming into ACE Management Server is plain HTTPS traffic and the server is stateless, you can deploy many other configurations to provide external access to an ACE Management Server. When you design your deployment, think of ACE Management Server as a Web server with secure traffic.


Deployment Planning Worksheet


Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.

Table 2-5. Worksheet for ACE Management Server in a Production Environment

Component: Active Directory integration
  Considerations: Performance is better when the ACE Management Server is installed on a Windows host. See also "Create Users and Groups for Integration with Active Directory" on page 29.
  Decision: Use Active Directory? ________ If yes, name of user account for ACE Management Server to query the Active Directory database: __________________ Fully qualified domain name of the LDAP server: _______________________

Component: ACE Management Server
  Considerations: If you use multiple servers, all must be installed on the same platform. For capacity planning, see "Number of Clients Supported" on page 16.
  Decision: Use Windows or Linux hosts? _____________ How many servers? ____________

Component: Database server
  Considerations: The database server must be compatible with the ACE Management Server host. See "Supported External Databases" on page 11.
  Decision: MS SQL, Oracle, or PostgreSQL database? ____________________________

Component: Load balancer
  Considerations: Use a load balancer for large deployments or for high availability. It must support HTTPS and requires an external database. See "Load Balancers" on page 17.
  Decision: Use a load balancer? ________

Component: Proxy
  Considerations: If ACE clients will contact ACE Management Server from outside the firewall, use a proxy. See "Accessing ACE Management Server from Outside the Corporate Firewall" on page 19.
  Decision: Use a proxy? __________ Apache Proxy or Zeus Technology Load Balancer? ________________________

Component: SSL certificates
  Considerations: If you use multiple servers and plan to use a different SSL certificate for each one, you must create or send for the certificates. ACE Management Server supports only public key certificates that are signed using the SHA-1 algorithm. See "Using SSL Certificates and Protocol" on page 18.
  Decision: Which type of certificate: self-signed, third-party, or internal CA (certificate authority)? ___________________ Number of certificates? __________

Component: Ports
  Considerations: For Active Directory, use port 389. For the ACE Management Server appliance, use port 8080. See "Change the Port Assignment for ACE Management Server" on page 51 and "Accessing ACE Management Server from Outside the Corporate Firewall" on page 19.
  Decision: Port 8000 for configuring the ACE Management Server. Port 443 for client requests. Which additional ports? ______________


Installing and Configuring ACE Management Server

This chapter includes the following topics:

- "Preparing for Installation" on page 21
- "Installing and Upgrading ACE Management Server" on page 22
- "Verify That the Apache Service Is Started or Restarted" on page 25
- "Start and Configure ACE Management Server" on page 26
- "Log In to ACE Management Server" on page 26

Preparing for Installation


Before you install ACE Management Server, you must plan your deployment. Complete the following tasks:

1 To determine which type of ACE Management Server installer to use, how many servers to install, and which deployment components to include, see Chapter 2, "Planning an ACE Management Server Deployment," on page 13.
2 To configure your Web browser to use Transport Layer Security (TLS), see "Configure TLS in Your Browser" on page 21.
3 To synchronize the clock on the host system with the client system, use Network Time Protocol (NTP).
4 To choose an HTTPS port for the host on which you plan to run ACE Management Server, see Table 3-1.

Table 3-1. Port Assignments, Default Settings, for ACE Management Server

  HTTPS Port Number   Description
  443                 Communications between ACE Management Server and ACE instances
  8000                ACE Management Server Setup (configuration) Web application
                      ACE Help Desk Web application
  8080                ACE Management Server Appliance configuration

NOTE  If another Web server is installed that uses any of these default ports, you might need to resolve the conflict.


Configure TLS in Your Browser


Transport Layer Security (TLS) must be configured on your Web browser to operate ACE Management Server.

To configure TLS in your browser

Depending on the type of browser, do one of the following:

- For an Internet Explorer browser:
  a Choose Tools > Internet Options > Advanced and scroll down to Security.
  b Select the Use TLS 1.0 check box and click OK.

- For a Mozilla browser:
  a Choose Tools > Options > Advanced.
  b Select the Use TLS 1.0 check box and click OK.

Installing and Upgrading ACE Management Server


You can install one or more ACE Management Server instances to service the ACE instances in your enterprise. If you set up multiple ACE Management Server instances, they all must be installed on either Windows hosts or Linux hosts, or all must be installed as appliances.

To upgrade from ACE Management Server 2.0 to 2.6, use the same procedure as for installing the server for the first time. When the installer detects an earlier version, it uninstalls the old version before installing the new one. Configuration settings are preserved.

For production deployments, VMware recommends that ACE Management Server be installed on either a dedicated server or a virtual platform with sufficient available resources to ensure performance and stability. System requirements depend almost exclusively on the number of ACE instances being supported and the frequency with which they are configured to communicate with the server. For more information about VMware performance testing, see "Performing Capacity Planning" on page 15.

However, ACE Management Server was tested and can be installed on desktop or workstation platforms to support a small number of clients or nonproduction evaluations.

Install an ACE Management Server on a Windows Host


Installing ACE Management Server on a Windows host involves downloading and running an installation wizard. You can install ACE Management Server on the following Windows systems:

- Windows Server 2003
- Windows XP Professional (includes 64-bit editions)
- Windows 2000 Server

Before you begin, make sure the clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 21.

Use this installation procedure to install or update ACE Management Server software.

To install an ACE Management Server on a Windows host

1 Download the VMware-ACE-Management-Server.exe file from the VMware Web site and save the file on the system that is to host the server.
  The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Double-click the VMware-ACE-Management-Server.exe file to start the installation wizard.


3 Follow the prompts in the installation wizard.
4 If you are using a computer that has a firewall enabled and you see a message at the end of the installation asking whether you want to unblock the Apache service, choose Unblock.
  ACE Management Server does not work properly if you do not unblock the Apache service.

After ACE Management Server is installed, you can configure it. See "Start and Configure ACE Management Server" on page 26.

Install ACE Management Server on a Linux System


You can install ACE Management Server on the following Linux systems:

- Red Hat Enterprise Linux 4
- SUSE Linux Enterprise Server 9 SP3

Before you begin, make sure the system meets these requirements:

- A working installation of Apache 2.0 is installed on the system. (The RPM for a Web server is included with the Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 installation.)
- Apache Web service is operating normally and is receiving requests for SSL HTTP.
- The mod_ldap and mod_ssl modules are available on your system.
- The following packages are installed on your Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 system: curl, openldap, openssl, apache, and gdbm.
- For SUSE Linux Enterprise Server 9, the cyrus-sasl-gssapi package is installed. This package is not installed by default.
- When you use the external database option, the following packages are required as well:
  - Red Hat Enterprise Linux 4: unixODBC
  - SUSE Linux Enterprise Server 9: unixODBC and, if you plan to use the X11 graphical configuration tool, unixODBC-gui-qt
- The clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 21.

Use this installation procedure to install or update ACE Management Server software.

To install ACE Management Server on a Linux system

1 Download the .rpm file from the VMware Web site and save the file on the system that is to host the server.
  The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Run the Red Hat or SUSE Linux RPM installer for ACE Management Server:

    vmware-ace-management-server-<build_number>.i386-rhel4.rpm
    vmware-ace-management-server-<build_number>.i386-sles9.rpm

  For example:

    rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm


3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:
  a Open the following file with a text editor:

      /etc/sysconfig/apache2

  b Add the ldap config option to the APACHE_MODULES variable.
  c Save and close the file.

After ACE Management Server is installed, you can configure it. See "Start and Configure ACE Management Server" on page 26.

Install an ACE Management Server Appliance


The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small operating system in a virtual machine. Although the appliance is adequate for test environments, VMware recommends that you do not use it in production environments.

Before you begin, make sure the clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 21.

To install an ACE Management Server appliance

1 Download the .zip file for the appliance from the VMware Web site and save the file on the system that is to host the server.
2 Extract the files to the directory where the server is to be located.
3 Start Workstation, choose File > Open, and select the ams_appliance.vmx file.
4 Click the Power On button to start the virtual appliance.
5 At the password prompt, enter a password and confirm it.
  This password is used for both root and network accounts. Make a note of this password so that you can use it for later appliance management operations from the console and the Web.
  The appliance configures its network by using DHCP. The console view displays the following information:

  - Current network settings
  - URLs for remotely administering the appliance and configuring the ACE Management Server itself

  If you press Return at the login prompt, the information appears again.
6 At the time zone prompt, accept the current setting or make a change as needed.
7 (Optional) To configure the server to use a static IP address or to specify a proxy server, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://<host IP address>:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Network link on the first page of the browser-based ACE Management Server Setup application.
  e To view instructions about configuring network settings, click the Help link in the upper-right corner of the Web page.
  f After you change network settings, click Apply.


8 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://<host IP address>:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Update link on the first page of the Appliance Configuration and Management Web application and complete the Appliance Update page.
  e To view instructions about configuring update options, click the Help link in the upper-right corner of the Web page.

9 When you finish configuring any network or update settings, navigate to the ACE Management Server Setup Web application to configure the server. To access that application, choose one of these methods:
  - From the Appliance Management and Configuration Web application page, click the ACE Login link in the upper-right corner of the page.
  - From a command prompt window, close the window, open a browser, and enter the URL for the ACE Management Server Setup Web application:

      https://<host IP address>:8000/

10 Click Configuration to open the Web application.

Verify That the Apache Service Is Started or Restarted


If you installed ACE Management Server on a Linux host, verify that the Apache service is started before you attempt to log in.

For troubleshooting purposes, you might occasionally need to manually restart the Apache service that ACE Management Server uses.

To verify that the Apache service is started or restarted

Do one of the following:

- On Windows hosts:
  a Click the Apache icon in the taskbar.
  b Select Apache2 in the menu that appears.
  c Choose the appropriate command:
    - To start the service if it is stopped, click Start. If the service is already started, this command is unavailable.
    - To restart, click Stop and then click Start. Ensure that you click Stop and Start rather than Restart.

- On SUSE Linux Enterprise Server 9 hosts or in the virtual machine that contains the ACE Management Server appliance:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:

      /etc/init.d/apache2 status

    If the status is started, you can log in to ACE Management Server. See "Start and Configure ACE Management Server" on page 26.


  c Enter the appropriate command:
    - To start the service if it is stopped, enter the following command:

        /etc/init.d/apache2 start

    - To restart the service, enter the following commands:

        /etc/init.d/apache2 stop
        /etc/init.d/apache2 start

- On Red Hat Enterprise Linux 4:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:

      /etc/init.d/httpd status

    If the status is started, you can log in to ACE Management Server. See "Start and Configure ACE Management Server" on page 26.
  c Enter the appropriate command:
    - To start the service if it is stopped, enter the following command:

        /etc/init.d/httpd start

    - To restart the service, enter the following commands:

        /etc/init.d/httpd stop
        /etc/init.d/httpd start

Start and Configure ACE Management Server


Before you begin, make sure that the following prerequisites are satisfied, as applicable:

- If you installed ACE Management Server on a Linux host or are using the ACE Management Server appliance, verify that the Apache server is running. See "Verify That the Apache Service Is Started or Restarted" on page 25.
- If this is the first time you are logging in, make sure you have the serial number for the product. The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.
- If you plan to use an external database, Active Directory integration, or custom SSL certificates, you must perform some setup tasks before you can configure ACE Management Server. See the following topics, as applicable:
  - "Create Users and Groups for Integration with Active Directory" on page 29
  - "Set Up an External Database" on page 30
  - "Prepare Custom Security Certificates" on page 33

To start and configure ACE Management Server

1 Open a Web browser and go to https://<hostname>:8000.
  The <hostname> value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.
  If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Accept the license agreement and click Start.
  The configuration tabs appear as they do in subsequent logins, but for the first login, wizard buttons such as Next and Back also appear.


3 Complete the information on each tab and click Next.
  The only fields that require changes and do not have default settings are the Serial Number field on the Licensing tab and the Administrator password on the Access Control tab.
  For information about specific fields and tabs, click Help on the tab.

Log In to ACE Management Server


The first time you log in to ACE Management Server, you must set a password. The next time you log in, you must provide that password or provide Active Directory credentials if you configured the server to use Active Directory for authentication.

Communications between Workstation and ACE Management Server take place over a secure SSL connection.

If the server is integrated with Active Directory service, enter your administrative credentials in one of the formats shown in Table 3-2.

Table 3-2. Login Options When Using Active Directory Service

  Option                                     Description                                                          Example
  long name + password + domain name         The long name is the <First_name> <Last_name> format.                John Doe
  long name + password                       The long name is the <First_name> <Last_name> format.                John Doe
                                             Leave the Domain field blank.
  short name + password + domain             The short name is the sAMAccountName.                                ace (the short form of the long name ACE User)
  short name + password                      The short name is the sAMAccountName.                                ace (the short form of the long name ACE User)
                                             Leave the Domain field blank.
  email address + password                   You can only use this option for a domain that is accessed           user1@acme.com
                                             through a direct connection. Leave the Domain field blank.
  NETBIOS DOMAIN NAME\username + password    The NetBIOS name is a short name for domains that is registered
                                             in the NetBIOS Name Service (WINS). Leave the Domain field blank.
  username + password + NETBIOS DOMAIN NAME  The NetBIOS name is a short name for domains that is registered
                                             in the NetBIOS Name Service (WINS).

To log in to ACE Management Server

1 Open a Web browser and go to https://<hostname>:8000.
  The <hostname> value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.
  If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Do one of the following:

  - To configure ACE Management Server, click Configuration.
  - To view and take actions on ACE instances managed by this server, click Help Desk.


3 Enter login credentials.
  If you use Active Directory for authentication, see Table 3-2. In multidomain environments, you might be required to enter a domain (for example, eng.com).


Configuration Options for ACE Management Server

After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.

This chapter includes the following topics:

- "Prerequisites for Configuring the Server" on page 29
- "Starting ACE Management Server Configuration" on page 34
- "Viewing and Changing Licensing Information" on page 35
- "Using an External Database" on page 35
- "Creating Access Control" on page 36
- "Uploading Custom SSL Certificates" on page 36
- "Logging Events" on page 37
- "Applying Configuration Settings" on page 37

Prerequisites for Configuring the Server


If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before you configure the ACE Management Server.

Create Users and Groups for Integration with Active Directory


To use Active Directory for authenticating users, add users to an Active Directory group and create a user so that ACE Management Server can query LDAP.

When you configure ACE Management Server to use LDAP, follow these guidelines to avoid negatively affecting performance:

- The default domain is the domain for which the LDAP host is a domain controller.
- The query user is a user in the default domain.
- The admin user group is a group that exists in the default domain.

Integrating with Active Directory through LDAP is implemented differently in the Windows-based ACE Management Server than in the Linux-based ACE Management Server. The operating systems differ in the libraries they use to connect to Active Directory and the external databases they support. The Windows ACE Management Server uses the WinLDAP library bundled with the Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.


To create users and groups for integration with Active Directory

1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying.
  Make a note of the sAMAccountName value for that user (for example, aceuser).
2 Create an ACE Administrators group in the domain.
3 Add ACE administrator users to the ACE Administrators group.
4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.
  You can log in to the Help Desk Web application with your administrative LDAP credentials or password. Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does not give them access to other administrative tools.

Set Up an External Database


Before you begin, make sure that you have one of the following supported database servers:

- For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g
  If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

Before you install the database on a Linux host, make sure the unixODBC RPM package is installed on the Linux system. VMware recommends that you update the package to the latest version released for your specific Linux distribution. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API.

The package contains the libodbc shared library, providing the ODBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both Red Hat Enterprise Linux and SUSE Linux Enterprise Server 9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package.

Also, make sure the unixODBC-gui-qt package is installed (this utility is included in the Red Hat Enterprise Linux unixODBC package). This package is required to use the ODBCConfig X11 graphical configuration tool for setting up a data source name (DSN).

To set up an external database

1 Install a database server on a host.
  The external database does not have to be installed on the same server as ACE Management Server, but it must be installed on the same platform. For example, if ACE Management Server is installed on a Windows host, the database server must also be installed on a Windows host.
  ACE Management Server creates the database schema automatically if proper access rights are granted.
2 Configure the database.
  Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages.
  All tables that are created in the database have a name starting with a PolicyDb_ prefix and indexes with PdbIns_ or PdbLf_ prefixes. You might provide ACE Management Server with a DSN to a database that it shares with some other application, if the database count is at a premium.


3 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:
  - TCP connectivity is enabled in the database configuration options.
  - The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.
  - If you are using a PostgreSQL database, configure per-user permission to connect to the database over the network. Configure that permission in the pg_hba.conf file, which is located in the root folder of your database.

4 (Optional) On the ACE Management Server machine, to verify the server's connectivity to the database with the configured user credentials, run a command-line or graphical SQL tool.
  Examples of such tools are sqlcmd.exe for SQL Server, sqlplus.exe for Oracle, and psql for PostgreSQL. For database configuration and verification instructions, see the respective database documentation.

5 On the ACE Management Server machine, create a System DSN entry.

Creating a System DSN Entry for an External Database


The only required information in DSN configuration is the DSN name, server IP address or host name, and the database name. You do not need to provide a user name and password in the DSN configuration. You provide a user name and password later, when you use the ACE Management Server Setup application.

Ensure that you create a system DSN and not a user DSN. If you create a user DSN, it is visible only to your user account. ACE Management Server runs under the local system account, so the server cannot detect or use a user DSN.

Create a System DSN Entry for a Windows Database

Regardless of whether the host is 32-bit or 64-bit, you create a DSN entry for a 32-bit system.

Before you begin, to determine the correct ODBC driver, see your operating system and database documentation.

To create a System DSN entry for a Windows database

1 Do one of the following:

  - On 32-bit hosts, use the ODBC Data Sources plug-in by choosing Control Panel > Administrative Tools > Data Sources (ODBC).
  - On 64-bit hosts, navigate to %WINDIR%\syswow64\odbcad32.exe and use that program to create a System DSN entry for a 32-bit subsystem.

  ACE Management Server does not support ODBC using an SQL Native Client driver on Windows 64-bit systems.
2 Create an entry that includes the DSN name, server IP address or host name, and the database name.
3 (Optional) If the DSN Setup wizard provides an option to test the connection, verify that the connection works with the database user credentials.
4 Make a note of the database DSN, user name, and password.

You can now use the browser-based ACE Management Server Setup application to connect to this database.


Create a System DSN Entry for a Linux Database

On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in.

Before you begin, determine the correct ODBC driver:

- On Red Hat Enterprise Server, the driver is located at /usr/lib/libodbcpsql.so.
- On SUSE Linux Enterprise Server 9, the driver is located at /user/lib/unixODBC/libodbcpsql.so.2.
- The DSN configuration for the unixODBC package is stored in the /etc directory (/etc/unixODBC for SUSE Linux Enterprise Server).

If you are using the ACE Management Server appliance, see "Set Up a Connection Between the Server Appliance and an External Database" on page 33.

You use the odbc.ini file for creating DSNs and the odbcinst.ini file for driver and general ODBC system configuration.

To create a System DSN entry for a Linux database

1 As root, use the ODBCConfig utility to create a System DSN entry.
  You also must configure the server address and the database name in the DSN settings.
  For information about using unixODBC, see the unixODBC Project Web page.
  The ODBCConfig utility makes changes to the odbc.ini and odbcinst.ini files.
2 Make a note of the database DSN, user name, and password.

You can now use the browser-based ACE Management Server Setup application to connect to this database.

Increase the Number of Database Connections Allowed


For optimal server performance, ACE Management Server starts multiple parallel threads (on Windows) or processes (on Linux) listening for the incoming connections from the clients. Every client connection typically runs a database transaction, so it needs to open a database connection.

ACE Management Server usually requires as many database connections as it does parallel threads or processes for client connections. If the server runs out of database connections, the clients might start receiving connection errors.

Following is a list of the locations for the Apache configuration file and the typical default number of connections:

  Platform                          Location                                                                       Client Connections
  Windows                           C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf   250 (WinNT MPM section)
  Red Hat Enterprise Linux          /etc/httpd/conf/httpd.conf                                                     256 (prefork MPM section)
  SUSE Linux                        /etc/apache2/server-tuning.conf                                                150 (prefork MPM section)
  ACE Management Server appliance   /etc/httpd/apache2.conf                                                        20 (prefork MPM section)

The default installation of the PostgreSQL database on Red Hat Enterprise Linux allows 100 remote connections, which is less than the number of parallel threads that the Apache server starts by default on the same platform. Change this number if you expect a high volume of client requests to your server (more than 100 active clients).


To increase the number of database connections allowed

1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of parallel threads or processes that might start at the same time.
2 Configure the database to allow as many connections as the Apache server.
  See your database documentation.
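The following POSIX shell script, added here as an example and not part of the VMware manual, carries out steps 1 and 2 as a check: it reads the worker-count directive from the MPM section of an Apache configuration file and the max_connections setting from postgresql.conf, then reports whether the database allows at least as many connections as the server can open. The httpd.conf and postgresql.conf fragments it writes are constructed for the example; on a Windows host the directive to inspect is ThreadsPerChild in the mpm_winnt.c block.

```sh
#!/bin/sh
# Added example (not from the VMware manual): compare the number of parallel
# Apache workers with the PostgreSQL connection limit, so that step 1 and
# step 2 above can be checked without reading both files by hand.
# The configuration fragments written below are constructed for the example.

# Print the value of one directive (MaxClients, ThreadsPerChild, ...) found
# inside the <IfModule MPM> block of an Apache configuration file.
# Prints nothing when the block or the directive is absent.
apache_mpm_value() {
  conf="$1"; mpm="$2"; directive="$3"
  awk -v mpm="$mpm" -v directive="$directive" '
    $0 ~ ("<IfModule[ \t]+" mpm "[ \t]*>") { inblk = 1; next }
    inblk && /<\/IfModule>/                { inblk = 0 }
    inblk && $1 == directive               { print $2; exit }
  ' "$conf"
}

# Print the active max_connections value from postgresql.conf; commented-out
# lines are ignored and the last uncommented assignment wins.
pg_max_connections() {
  sed -n 's/^[[:space:]]*max_connections[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1
}

# Return 0 when the database limit covers the Apache worker count, 1 when the
# server could run out of database connections under full load.
check_connection_capacity() {
  apache_conf="$1"; pg_conf="$2"; mpm="$3"; directive="$4"
  workers=$(apache_mpm_value "$apache_conf" "$mpm" "$directive")
  if [ -z "$workers" ]; then
    echo "ERROR: no $directive directive in the $mpm block of $apache_conf"
    return 1
  fi
  limit=$(pg_max_connections "$pg_conf")
  # A commented-out setting means the default of 100 described in the manual.
  [ -n "$limit" ] || limit=100
  if [ "$limit" -ge "$workers" ]; then
    echo "OK: max_connections=$limit covers $directive=$workers"
    return 0
  fi
  echo "WARNING: $directive=$workers exceeds max_connections=$limit;" \
       "raise max_connections to at least $workers and restart PostgreSQL"
  return 1
}

# --- constructed sample files -----------------------------------------------
SAMPLE_DIR=${TMPDIR:-/tmp}/ams_capacity_$$
mkdir -p "$SAMPLE_DIR"

# Modelled on the prefork MPM section of a Red Hat Enterprise Linux 4
# httpd.conf (256 parallel processes, as listed in the table above).
cat > "$SAMPLE_DIR/httpd.conf" <<'EOF'
<IfModule prefork.c>
StartServers         8
ServerLimit        256
MaxClients         256
MaxRequestsPerChild  4000
</IfModule>
<IfModule worker.c>
MaxClients         150
</IfModule>
EOF

# PostgreSQL default of 100 connections; the commented line must be ignored.
cat > "$SAMPLE_DIR/postgresql.conf" <<'EOF'
#max_connections = 200          # an old value, left commented out
max_connections = 100           # (change requires restart)
EOF

if check_connection_capacity "$SAMPLE_DIR/httpd.conf" "$SAMPLE_DIR/postgresql.conf" prefork.c MaxClients; then
  echo "database connection limit is sufficient"
else
  echo "adjust the database before putting the server into production"
fi
```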

Enable Database Connection Pooling on Linux


Enabling database connection pooling for databases on Linux hosts can give a substantial performance gain under high loads. ACE Management Server can reuse database connections rather than opening new connections for every request.

Enable database connection pooling in the ODBC Driver Manager (it is disabled by default) to optimize performance for servers on Linux platforms. On Windows platforms, ODBC connection pooling is enabled by default.

To enable database connection pooling on Linux

1 Start the ODBCConfig utility as a root user.
2 Click the Advanced tab.
3 Select the Connection Pooling check box.

Set Up a Connection Between the Server Appliance and an External Database


The ACE Management Server appliance does not contain a PostgreSQL database server. You can, however, use an external database server with the appliance.

To set up a connection between the server appliance and an external database

1 Log in to the server appliance console as root, using the password you created during your first run of the server appliance.
2 Open the /etc/odbc.ini file in a text editor. For example:

    vaos# vi /etc/odbc.ini

  This file contains the postgres_dsn setting for the ODBC DSN.
3 Uncomment all lines in the postgres_dsn section except the first two.
  To uncomment lines, delete the pound sign (#) at the beginning of each line.
4 Replace placeholders <...> with the PostgreSQL database server DNS name or IP address and the database name of this server.
5 Use the default port number or set a different port number.
6 Save the file.

After you complete this task, postgres_dsn appears in the drop-down menu on the Database tab in the ACE Management Server Setup application.
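Because the odbc.ini edit above is done by hand, the POSIX shell script below, added here as an example and not part of the VMware manual or the appliance, checks a [postgres_dsn] section for lines still commented out, <...> placeholders left in place, a driver path that does not exist, and a non-numeric port. It assumes the psqlODBC key names Driver, Servername, Database and Port; the appliance's own file may use different names. Both odbc.ini files it writes are constructed samples.

```sh
#!/bin/sh
# Added example (not from the VMware manual): check the [postgres_dsn] section
# of an odbc.ini after editing it by hand. Key names follow the psqlODBC driver
# (Driver, Servername, Database, Port); the appliance's file may differ.
# The two odbc.ini files written below are constructed samples.

# Print the uncommented "key = value" lines of one [section], trimmed.
ini_section() {
  awk -v want="[$2]" '
    /^[ \t]*\[/ { hdr = $0; gsub(/^[ \t]+|[ \t]+$/, "", hdr); insec = (hdr == want); next }
    insec && /^[ \t]*[#;]/ { next }
    insec && /=/ { line = $0; gsub(/^[ \t]+|[ \t]+$/, "", line); print line }
  ' "$1"
}

# Print the value of one key (ODBC keys are case-insensitive), or nothing.
ini_value() {
  ini_section "$1" "$2" | awk -v key="$3" '
    { k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k) }
    tolower(k) == tolower(key) {
      v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
    }
  '
}

# Report problems in one DSN section; returns the number of problems found.
dsn_check() {
  file="$1"; section="$2"; problems=0
  if [ -z "$(ini_section "$file" "$section")" ]; then
    echo "no active entries in [$section] of $file (section missing or all commented out)"
    return 1
  fi
  for key in Driver Servername Database; do
    value=$(ini_value "$file" "$section" "$key")
    if [ -z "$value" ]; then
      echo "$key is not set in [$section] (still commented out?)"; problems=$((problems + 1))
    else
      case "$value" in
        *'<'*'>'*) echo "$key still holds the placeholder $value"; problems=$((problems + 1)) ;;
      esac
    fi
  done
  # A Driver given as a path must exist; a bare name is resolved via odbcinst.ini.
  driver=$(ini_value "$file" "$section" Driver)
  case "$driver" in
    /*) [ -f "$driver" ] || { echo "driver library $driver not found"; problems=$((problems + 1)); } ;;
  esac
  port=$(ini_value "$file" "$section" Port)
  case "${port:-5432}" in
    *[!0-9]*) echo "Port is not numeric: $port"; problems=$((problems + 1)) ;;
  esac
  return "$problems"
}

# --- constructed sample files -----------------------------------------------
SAMPLE_DIR=${TMPDIR:-/tmp}/ams_dsn_$$
mkdir -p "$SAMPLE_DIR"

# Finished edit: the first two lines of the section stay commented, the rest
# are uncommented and the placeholders have been replaced.
cat > "$SAMPLE_DIR/good.ini" <<'EOF'
[ODBC Data Sources]
postgres_dsn = PostgreSQL database for ACE Management Server

[postgres_dsn]
# ACE Management Server policy database
# (edit the entries below, then save)
Description = ACE policy database
Driver      = PostgreSQL
Servername  = db.example.internal
Database    = acedb
Port        = 5432
EOF

# Unfinished edit: placeholder left in Servername, Database still commented
# out, Driver pointing at a library path that does not exist.
cat > "$SAMPLE_DIR/bad.ini" <<'EOF'
[postgres_dsn]
Driver     = /nonexistent/lib/libodbcpsql.so
Servername = <database_server_name_or_IP>
#Database  = <database_name>
Port       = 5432
EOF

for f in good.ini bad.ini; do
  echo "checking $f:"
  dsn_check "$SAMPLE_DIR/$f" postgres_dsn || echo "  $? problem(s) found"
done
```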


Prepare Custom Security Certificates


To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files. These files must be PEM encoded.

After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL Certificates tab in the ACE Management Server Setup application.

For more information about how VMware ACE uses SSL certificates, see "Using SSL Certificates and Protocol" on page 18.

To prepare custom security certificates

1 Create or provide the needed files:

  - For your own self-signed certificate, use the openssl utility to create a new self-signed certificate.
  - For a third-party CA or internal CA, obtain an SSL certificate signed by that CA, and a certificate verification chain file.
    The chain file is a concatenation of every certificate required to verify the new SSL certificate you created or obtained. Steps for obtaining the certificate chain vary, depending on which host operating system you are using and on the source from which the CA certificate is obtained.
  - A private key file. SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient.

  The certificate signatures must use the SHA-1 algorithm digest. The files must be PEM encoded.
2 Rename the files, as follows:

  - Rename the private key file to server.key.
  - Rename the certificate file to server.crt.
  - Rename the certificate chain file to chain.crt.

You can now use the ACE Management Server Setup application to upload the certificate files.
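Before uploading, it is worth confirming that the three renamed files satisfy the requirements listed above (PEM encoding, one key, one certificate, a non-empty chain, a SHA-1 signature, and a chain that actually verifies the certificate). The POSIX shell script below, added here as an example and not part of the VMware manual, does that: the layout checks need only the shell, and the signature, key-match and chain checks run when the openssl utility is present. The sample files it writes are constructed placeholders, not real key material, so only the layout checks are exercised on them.

```sh
#!/bin/sh
# Added example (not from the VMware manual): check server.key, server.crt and
# chain.crt before uploading them. The layout checks need only the shell; the
# signature-algorithm, key-match and chain checks run when openssl is present.
# The sample files written below are constructed placeholders, not real keys.

# Count the PEM blocks of one type (for example CERTIFICATE) in a file.
pem_block_count() {
  grep -c "^-----BEGIN $2-----" "$1" || true
}

# Return 0 when the file has at least one PEM block and every BEGIN line has
# a matching END line (a binary DER file or a truncated file fails this).
pem_balanced() {
  begins=$(grep -c '^-----BEGIN ' "$1" || true)
  ends=$(grep -c '^-----END ' "$1" || true)
  [ "$begins" -gt 0 ] && [ "$begins" -eq "$ends" ]
}

# Layout checks on the three renamed files in a directory. Prints one line per
# finding and returns the number of problems (0 means the layout is right).
check_pem_layout() {
  dir="$1"; problems=0
  for f in server.key server.crt chain.crt; do
    if [ ! -s "$dir/$f" ]; then
      echo "missing or empty: $f"; problems=$((problems + 1))
    elif ! pem_balanced "$dir/$f"; then
      echo "not PEM encoded (unbalanced BEGIN/END lines): $f"; problems=$((problems + 1))
    fi
  done
  [ "$problems" -eq 0 ] || return "$problems"
  # One private key, one server certificate, and a chain of at least one
  # CA certificate (the concatenation the manual describes).
  [ "$(grep -c '^-----BEGIN .*PRIVATE KEY-----' "$dir/server.key" || true)" -eq 1 ] ||
    { echo "server.key must hold exactly one private key"; problems=$((problems + 1)); }
  [ "$(pem_block_count "$dir/server.crt" CERTIFICATE)" -eq 1 ] ||
    { echo "server.crt must hold exactly one certificate"; problems=$((problems + 1)); }
  [ "$(pem_block_count "$dir/chain.crt" CERTIFICATE)" -ge 1 ] ||
    { echo "chain.crt must hold at least one CA certificate"; problems=$((problems + 1)); }
  return "$problems"
}

# Full check for a real bundle: layout plus the openssl-based checks.
check_cert_bundle() {
  dir="$1"; problems=0
  check_pem_layout "$dir" || problems=$?
  [ "$problems" -eq 0 ] || return "$problems"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found; layout checks only"; return 0; }
  # The manual accepts only SHA-1 signed certificates.
  sigalg=$(openssl x509 -in "$dir/server.crt" -noout -text 2>/dev/null |
           sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' | head -n 1)
  case "$sigalg" in
    sha1*) ;;
    *) echo "server.crt signature algorithm is '${sigalg:-unreadable}', expected sha1WithRSAEncryption"
       problems=$((problems + 1)) ;;
  esac
  # The private key must belong to the certificate ...
  if [ "$(openssl x509 -in "$dir/server.crt" -noout -modulus 2>/dev/null)" != \
       "$(openssl rsa -in "$dir/server.key" -noout -modulus 2>/dev/null)" ]; then
    echo "server.key does not belong to server.crt"; problems=$((problems + 1))
  fi
  # ... and chain.crt must be sufficient to verify it.
  if ! openssl verify -CAfile "$dir/chain.crt" "$dir/server.crt" >/dev/null 2>&1; then
    echo "chain.crt does not verify server.crt"; problems=$((problems + 1))
  fi
  return "$problems"
}

# --- constructed sample directories -----------------------------------------
SAMPLE_DIR=${TMPDIR:-/tmp}/ams_certs_$$
mkdir -p "$SAMPLE_DIR/good" "$SAMPLE_DIR/bad"
# Correct layout with placeholder bodies (not real key material).
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/good/server.key"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' > "$SAMPLE_DIR/good/server.crt"
# chain.crt stands for the concatenated intermediate and root CA certificates.
cat "$SAMPLE_DIR/good/server.crt" "$SAMPLE_DIR/good/server.crt" > "$SAMPLE_DIR/good/chain.crt"
# Typical mistakes: certificate saved in binary DER form, chain file missing.
cp "$SAMPLE_DIR/good/server.key" "$SAMPLE_DIR/bad/server.key"
printf 'not a PEM file\n' > "$SAMPLE_DIR/bad/server.crt"

for d in good bad; do
  echo "checking $SAMPLE_DIR/$d:"
  check_pem_layout "$SAMPLE_DIR/$d" || echo "  $? problem(s) found"
done
```

For a real bundle, run check_cert_bundle on the directory holding the three files; it stops at the layout checks if those already fail.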

View the Properties of the Self-Signed Certificate File


This file is stored in the SSL directory in the VMware ACE Management Server program directory.

To view the properties of the self-signed certificate file

Do one of the following:

- On a Windows host, navigate to the location of the server.crt file and double-click the file name.
- On a Linux host, use the following command:

    openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text

To replace an expired certificate, see "Prepare Custom Security Certificates" on page 34. Do not modify certificates to make them permanent.

Starting ACE Management Server Configuration


If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before configuring the ACE Management Server. See "Prerequisites for Configuring the Server" on page 29.


The text that appears on the Start tab changes, depending on whether you have done an initial configuration:

- If this page says "This server has not been configured yet", you must click Start to complete the configuration setup wizard.
- If this page says "This server is configured", the Next and Previous wizard buttons do not appear. You can navigate to other tabs by clicking a tab.

Viewing and Changing Licensing Information


After you enter an ACE Management Server serial number, use the Licensing tab to determine the expiration date, if any.

The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.

If the system on which you installed ACE Management Server currently has more than one valid server license, just one license appears on the page.

You can use the Licensing tab to add or change a serial number, user name, or company name.

If you make changes to the information on this tab, you must click Apply or Cancel before you can navigate to another tab.

Using an External Database


The embedded database is an SQLite database. VMware recommends that you use an external database in production environments.

The embedded database is initialized during server installation and requires no special configuration. This database is adequate for testing purposes but is not designed to be effectively shared across multiple processes.

Before you can configure the ACE Management Server to use an external database, you must create a system DSN and credentials for accessing that data source. See "Set Up an External Database" on page 30.

Use the following information to help you complete the fields on the Database tab:

- Data Source Name (DSN): Data source name you used when you created a system DSN entry on the ACE Management Server machine.
- User Name and Password: Credentials for a user account that has full access to the database, including rights to create tables.

After you enter the database connection credentials, the setup application checks for an existing database.

CAUTION  After you enter credentials, if the message "Compatible schema exists. Do you want to reinitialize the schema and overwrite the existing data?" appears, select Use existing schema and data unless you want to erase all data in your existing database. To reinitialize the database at some later time, you can reopen this configuration application and return to this page.

If the existing schema is not compatible, no schema is available, or the schema cannot be upgraded, one of two things happens: if you overwrite the existing schema and data, a new schema is created; if you do not overwrite the existing schema and data, the configuration application quits.

If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even if you do not rerun the setup application.

If you make changes to the information on the Database tab, you must click Apply or Cancel before you can navigate to another tab.


Creating Access Control


On the Access Control tab, you can create a local Administrator role and Help Desk role or use Active Directory for authenticating users with these roles.

Before you can configure the ACE Management Server to use a domain account for authentication, you must create users and groups so that ACE Management Server can connect to the LDAP server. See "Create Users and Groups for Integration with Active Directory" on page 29.

Use the following information to help you complete the fields for authentication:

- Local account: If you specify a password for the Administrator role and forget or lose it, you must delete the server configuration file. Deleting this file sets the server back to its initial state. You must reconfigure the server and set the administrator password again. See "Delete the Server Configuration File and Set a New Administrator Password" on page 52.

- Domain account (LDAP): To use Active Directory for authentication, specify the host and credentials that the ACE Management Server uses to connect to and query the domain controller:
  - Host Name: Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP address or host name with no parent domain name (for example, ldap).
  - Query User sAMAccountName and Query User Password: Use the password and short name for the user account you created for this purpose in Active Directory.
  - Query User Domain: The domain must be the domain for which the LDAP host is a domain controller.
  - Admin Group DN and Help Desk Group DN (Optional): Enter the distinguished name for these groups, which you created for this purpose in Active Directory (for example, cn=Users,dc=simplecorp,dc=com).
    If this option is not enabled, anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.

Help Desk Role or Group DN: Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from the Help Desk application. Users in this role cannot access other administrative tools. You can still log in to the Help Desk Web application with your administrative LDAP credentials or local Administrator password.

If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you can navigate to another tab.
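The field rules above (a fully qualified host name rather than an IP address or short name, a short sAMAccountName, a query domain that the LDAP host actually serves, and group DNs whose dc= components spell that same domain) are easy to get wrong when typed by hand. The following script is an added example, not part of the manual or the product: it lints a set of Domain account (LDAP) values before you enter them on the tab. The LdapSettings field names, the simplecorp.com sample values and the "host must end in the query domain" heuristic are my own assumptions.

```python
"""Lint the Domain account (LDAP) values before entering them on the Access Control tab.

Added example; the field names mirror the tab, the checks are my own heuristics.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class LdapSettings:
    host_name: str                    # Host Name field
    query_user_sam_account_name: str  # Query User sAMAccountName field
    query_user_domain: str            # Query User Domain field
    admin_group_dn: str = ""          # Admin Group DN field (optional)
    help_desk_group_dn: str = ""      # Help Desk Group DN field (optional)


_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_RDN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.+?)\s*$")


def is_fqdn(host):
    """True for a dotted name such as ldap.vmware.com; False for an IP address or a bare host name."""
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_dn(dn):
    """Split 'cn=Users,dc=simplecorp,dc=com' into [('cn', 'Users'), ('dc', 'simplecorp'), ('dc', 'com')].

    Commas escaped with a backslash stay inside the value; a malformed RDN raises ValueError.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        m = _RDN.match(part)
        if not m:
            raise ValueError(f"malformed RDN {part!r}")
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns


def dn_domain(dn):
    """Join the dc= components of a DN into the DNS-style domain name they spell."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def check_settings(s):
    """Return a list of problems; an empty list means the values are consistent with each other."""
    problems = []
    if not is_fqdn(s.host_name):
        problems.append(f"Host Name {s.host_name!r} must be a fully qualified domain name, "
                        "not an IP address or a short host name")
    if "\\" in s.query_user_sam_account_name or "@" in s.query_user_sam_account_name:
        problems.append("Query User sAMAccountName must be the short account name, "
                        "without a DOMAIN\\ prefix or @domain suffix")
    domain = s.query_user_domain.lower()
    # Heuristic (my assumption): a domain controller for simplecorp.com has a name under simplecorp.com.
    if not domain or not s.host_name.lower().rstrip(".").endswith("." + domain):
        problems.append(f"Query User Domain {s.query_user_domain!r} is not the domain that "
                        f"{s.host_name!r} serves as a domain controller")
    for label, dn in (("Admin Group DN", s.admin_group_dn), ("Help Desk Group DN", s.help_desk_group_dn)):
        if not dn:
            continue
        try:
            spelled = dn_domain(dn)
        except ValueError as exc:
            problems.append(f"{label}: {exc}")
            continue
        if spelled.lower() != domain:
            problems.append(f"{label}: dc= components spell {spelled!r}, not {s.query_user_domain!r}")
    return problems


# Constructed sample values for a fictional simplecorp.com forest (not from the manual).
GOOD = LdapSettings("ldap.simplecorp.com", "acequery", "simplecorp.com",
                    "cn=ACE Administrators,cn=Users,dc=simplecorp,dc=com",
                    "cn=ACE Help Desk,cn=Users,dc=simplecorp,dc=com")
BAD = LdapSettings("ldap", "SIMPLECORP\\acequery", "simplecorp.com",
                   "cn=ACE Administrators,cn=Users,dc=othercorp,dc=com")

if __name__ == "__main__":
    for name, settings in (("good", GOOD), ("bad", BAD)):
        print(name, check_settings(settings) or "OK")
```

Run it as a script to see the four problems reported for the BAD values and an OK for the GOOD ones; wire check_settings into whatever change-control step you use before an administrator touches the tab.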

Uploading Custom SSL Certificates


To have ACE Management Server use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), use the Custom SSL Certificates tab to upload the PEM-encoded files.

Before you can upload custom SSL certificates, you must create and rename the certificate files. See Prepare Custom Security Certificates on page 34.

By default, during ACE Management Server installation, the following two files are created:

server.key: This RSA 1024-bit key is the private key.
server.crt: This self-signed certificate is valid for 10 years from the date and time at which the server is installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate file is encoded in PEM format.

When you run an ACE instance, the VMware Player application uses the complete certification chain that is included in its package, not on the host, to verify connections made to ACE Management Server. Therefore, the use of self-signed certificates is adequate for most security needs. For more information about how VMware ACE uses security certificates, see Using SSL Certificates and Protocol on page 18.


When you click Upload certificates, a summary page displays the files and locations you specify on this tab. Note the location of any backup files. You might need to use the backup if you find that the new file is invalid when you click Apply. See Restore a Backup Copy of an SSL Certificate on page 52.

After you upload custom SSL certificates, you must update any existing ACE-enabled virtual machines to use a new certificate and key file. To do so, use Workstation to create an update package. When you deploy the new package, ACE instances receive the new certificate file and certificate chain.

Logging Events
The server collects log entries for events that change the database. On the Logging tab, you can set the logging levels and set an option for purging log entries. ACE Management Server uses the following logging categories:

ACE Administration: Logs events for instance creation, update, and destruction.
Package Administration: Logs events for package creation, update, instance customization, and package removal.
Policy Administration: Logs events for policy set update and publish, user access control changes, and instance passwords set by an ACE administrator.
Instance Administration: Logs ACE instance lifecycle events, such as creation, copying, revocation, re-enablement, and deletion. Also logs instance password changes by a user or an administrator, changes in expiration for each instance, changes of instance guest or host operating system information, and setting of instance custom fields. The debug level can be used to log the most ubiquitous traffic, such as policy update requests from active instances. Failed instance verifications are logged only at the debug level.
Authentication: Logs events for every authentication request, such as administration or help desk authentication attempts (at the normal level), instance authentication (at the informational level), and remote LDAP password change. Set logging for this category to the lowest level that is practical for you. This category can generate a large volume of entries.

For each category, you can choose one of the following logging levels:

None: No log entry is made for this event.
Critical: An example of a critical log event is one that removes all packages, instances, and policies associated with an ACE-enabled virtual machine.
Normal: This level of detail is sufficient to answer most queries.
Informative: Entries for nondestructive events that have limited effect.
Debug: Entries for every client access of the server. It provides more records of certain event types, creating a large number of logging entries compared to other log levels. It logs all informational transactions, such as instance status.

Use the Event Log Purging control to configure the amount of logging information retained. The purge maintenance process runs approximately every six hours.

If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can navigate to another tab.

Applying Configuration Settings


The Restart page appears when you click Apply on one of the tabs. You must restart the server for the configuration settings to take effect.

If you click Later, you can always restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.


Chapter 5 Load-Balancing Multiple ACE Management Server Instances

If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.

This chapter includes the following topics:


Typical Setup Using Load-Balanced ACE Management Server Instances on page 40
Install the Required Services for Load Balancing on page 40
Use the Same SSL Certificate on All Servers on page 41
Create New SSL Certificates and Keys for Each Server on page 41
Installing and Configuring the Load Balancer on page 43
Verify That ACE Instances Are Using the Load Balancer on page 43


Typical Setup Using Load-Balanced ACE Management Server Instances


A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load-balancing group, the number of clients that you can serve scales linearly. For example, if you can serve 2,000 clients with one server, using two load-balanced servers allows you to serve 4,000 clients.

Figure 5-1 shows a simple deployment topology for using load balancing.

Figure 5-1. Two ACE Management Server Instances Working Together
[Figure: three AMS clients connect over HTTPS to an optional load balancer in front of ACE Management Server 1 and ACE Management Server 2. Each server connects to the Active Directory domain controller over LDAP and Kerberos, and to the database server over ODBC.]

To use a setup similar to the one depicted, you must have the following:

Two or more machines (or virtual machines) to host the ACE Management Server processes
An external database to host the ACE Management Server data
A load-balancing solution to manage traffic

Install the Required Services for Load Balancing


Services include multiple ACE Management Server instances, an external database, and Workstation.

To install the required services for load balancing

1 Install the ACE Management Server package on two or more machines (or virtual machines). See Installing and Upgrading ACE Management Server on page 22.

2 Configure each ACE Management Server separately to access the same external database. See Start and Configure ACE Management Server on page 26. Both ACE Management Server installations must be able to identify the same data store so that either installation can field queries for clients and scale the number of clients that can be served.


3 To verify that both ACE Management Server instances are working properly, start Workstation and connect to each ACE Management Server directly:
a In Workstation, choose File > Connect to ACE Management Server.
b Enter the IP or host name of the machine where ACE Management Server is installed, change the number in the Port field if necessary, and click OK.

The setup is successful if you can view the same data in the Instance View window for each ACE Management Server instance. If you create a test ACE and preview it, you see the preview instance on both servers.

Use the Same SSL Certificate on All Servers


For a load-balancing solution, you can copy the SSL certificate and key from one ACE Management Server to another.

CAUTION This procedure directs you to upload both the certificate file (the .crt file) and the matching key file (the .key file). If you do not upload both, the Apache httpd service on the second ACE Management Server might freeze. In this case, you must uninstall and reinstall ACE Management Server.

To use the same SSL certificate on all servers

1 Log in to the ACE Management Server Setup application for the first ACE Management Server.

2 Click the Custom SSL Certificates tab to determine the location of the SSL certificate and key directory files.

On Windows, the files are located at C:\Program Files\VMware\VMware ACE Management Server\ssl.
On Linux, the files are located at /var/lib/vmware/acesc/ssl.

The certificate file is server.crt. The key file is server.key.

3 Copy the files to the second ACE Management Server. If you are using the ACE Management Server virtual appliance, use the scp (secure copy) command to copy the certificate and key files:
a Open a command prompt.
b Enter the following command:


scp user@<host>:<file> user@<host>:<file>

You can also enable shared folders if you are using Workstation to run the virtual appliance, and copy the files from the virtual machine through the shared folders feature. For more information about shared folders, see the VMware Workstation User's Manual.

4 Log in to the ACE Management Server Setup application for the second ACE Management Server.

5 Use the Custom SSL Certificates tab to upload the files:
a Specify the key file in the Server Private Key field.
b Specify the certificate file in the Server Public Certificate field.
c Click Upload certificates.
d Click Apply and click Restart.


Create New SSL Certificates and Keys for Each Server


If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server.

If you plan to obtain SSL certificates from a certificate authority, you must create certificate chains. Figure 5-2 provides an overview of determining which certificates are included in a chain.

Figure 5-2. Creating the Certificate Chain File
[Figure: the certificate verification chain (Root SSL Certificate and Intermediary SSL Certificate) and the server SSL certificates (ACE Management Server #1 SSL Certificate and ACE Management Server #2 SSL Certificate) are each converted to PEM and appended to the Certificate Chain File, which then contains: [Root SSL Certificate in PEM format] [Intermediary SSL Certificate in PEM format] [AMS #1 SSL Certificate in PEM format] [AMS #2 SSL Certificate in PEM format].]

To create new SSL certificates and keys for each server

1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm). The procedure varies, depending on the tools you use. To determine how to create these certificates and keys, see the documentation for your platform. Each certificate must have a unique common name and a unique serial number.

2 If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate. The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the leaf certificate (including the root certificate of the chain).
a Download the verification chain from your certificate authority.
b Each certificate must be in PEM format before you create the certificate chain file. To convert to PEM format, use the OpenSSL tools available online.
c Create the certificate chain file by concatenating each PEM-encoded certificate into one file.

If both of your certificates are self-signed, your certificate chain file must be a file that contains both certificates concatenated.
If you received your certificates from the same certificate authority, the chain file must contain only the verification chain for these certificates, and the chains must be the same.
If the certificates come from different certificate authorities, the chain file must contain both certificate verification chains.

For example, if you are using two ACE Management Server instances, you have two certificate chain files.


3 Join all of the certificate chain files into one file. If you can, eliminate the duplicate entries.

4 Convert the servers' SSL certificates to PEM format.

5 Add the servers' SSL certificates in PEM format to the certificate chain file.

6 On the Custom SSL Certificates tab, upload the SSL certificate file, the SSL key file, and the certificate chain file:
a Specify the key file in the Server Private Key field.
b Specify the certificate file in the Server Public Certificate field.
c Click Upload certificates.
d Click Apply and click Restart.

Complete this step for every ACE Management Server in your farm to upload files to each ACE Management Server.
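Steps 3 to 5 above (join the per-server chain files, drop the duplicate root and intermediary entries, then append each server's PEM certificate) are a mechanical text operation that is easy to get wrong by hand, for instance by leaving a DER-encoded certificate in the file. The script below is an added example, not part of the manual or the product: it splits PEM files into certificate blocks, rejects blocks that are not valid base64 or files that hold no PEM block at all, and concatenates everything once in first-seen order, as Figure 5-2 shows. The certificate bodies are constructed placeholders (base64 of a label), not real certificates.

```python
"""Build one PEM certificate chain file from several per-server chain files (steps 3 to 5 above).

Added example; the certificate bodies below are constructed placeholders, not real certificates.
"""
import base64
import re

_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return the certificate blocks in text, each re-wrapped to canonical 64-column PEM.

    Raises ValueError when the text holds no PEM block (still DER, for instance) or a
    block body is not valid base64, so a mangled file is caught before it is uploaded.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        body = "".join(m.group(1).split())
        try:
            raw = base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"certificate block is not valid base64: {exc}") from None
        if not raw:
            raise ValueError("empty certificate block")
        lines = [body[i:i + 64] for i in range(0, len(body), 64)]
        blocks.append("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n")
    if not blocks and text.strip():
        raise ValueError("no PEM certificate blocks found; convert the file to PEM first")
    return blocks


def merge_chain_files(*chain_texts):
    """Concatenate the inputs, keeping each distinct certificate once, in first-seen order."""
    seen = set()
    merged = []
    for text in chain_texts:
        for block in split_pem(text):
            if block not in seen:
                seen.add(block)
                merged.append(block)
    return "".join(merged)


def fake_pem(label):
    """Constructed stand-in for a PEM certificate: base64 of a label instead of DER bytes."""
    body = base64.b64encode(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


# Constructed inputs matching Figure 5-2: the CA's verification chain (downloaded once per
# server, so it appears twice) and one leaf certificate per ACE Management Server.
ROOT = fake_pem("root-ca-placeholder")
INTERMEDIARY = fake_pem("intermediary-ca-placeholder")
AMS1 = fake_pem("ace-management-server-1-placeholder")
AMS2 = fake_pem("ace-management-server-2-placeholder")
CHAIN_FILE_1 = ROOT + INTERMEDIARY   # step 2 result for server 1
CHAIN_FILE_2 = ROOT + INTERMEDIARY   # step 2 result for server 2


def combined_chain():
    """Chain file to upload to every server: root, intermediary, AMS #1, AMS #2, no duplicates."""
    return merge_chain_files(CHAIN_FILE_1, CHAIN_FILE_2, AMS1, AMS2)


if __name__ == "__main__":
    print(combined_chain())
```

With real files, pass the contents of each downloaded chain and each server's server.crt to merge_chain_files and write the result to the file you upload in the certificate chain field; the duplicate detection is byte-exact on the canonical form, so the same certificate saved with different line wrapping is still recognized as one entry.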

Installing and Configuring the Load Balancer


ACE Management Server uses HTTPS to communicate with its clients. You can use any load-balancing solution that supports HTTPS with ACE Management Server.

Install the load balancer and configure port 443 (HTTP over SSL) for load balancing. Do not configure port 8080 or 8000 for load balancing. These two ports are used for configuration. Port 8080 is the virtual appliance configuration port and 8000 is the ACE Management Server configuration port.

Verify That ACE Instances Are Using the Load Balancer


After you configure multiple ACE Management Server instances to work with a load balancer and install the necessary SSL certificates, perform verification. Verify that ACE instances can connect to ACE Management Server instances by using the address of the load balancer.

Before you begin, restart Workstation so that Workstation can download the SSL certificate when a connection to the ACE Management Server is established.

To verify that ACE instances are using the load balancer

1 Create an ACE-enabled virtual machine.
2 Open the policy editor.
3 Select Policy Update Frequency.
4 Select Disable Offline Usage and click OK.
5 Remove the first ACE Management Server from the load-balancing configuration so that all traffic goes to the second ACE Management Server.
6 Preview the ACE instance. This preview creates an instance on the ACE Management Server.
7 Close the ACE Player.
8 Remove the second ACE Management Server from the load-balancing configuration and add the first ACE Management Server back to the configuration. All traffic goes to the first ACE Management Server.
9 Preview the same ACE instance again, and when prompted whether to reinstantiate or reuse the instance, select Use Existing Instance. If the instance starts successfully, both servers are using the same SSL certificate.


Chapter 6 Managing ACE Instances

After ACE Management Server is installed and configured, you can do the following:

View ACE instances that are managed by a particular ACE Management Server.
Revoke and re-enable an instance.
Fix various problems with the ACE instances as reported by instance users.

This chapter includes the following topics:

Viewing ACE Instances That the Server Manages on page 45
Search for an Instance on page 47
Sort by Column Heading and Change Column Width on page 47
Show, Hide, and Move Columns in the Instance View on page 48
Create or Delete Custom Columns in the Instance View on page 48
View Instance Details on page 48
Reactivate, Deactivate, or Delete an ACE Instance on page 49
Change a Copy Protection ID on page 49
Reset the Authentication Password on page 50
Add Information for Custom Columns on page 50

Viewing ACE Instances That the Server Manages


To view and manage a server's ACE instances, you can use either the Instances page of the VMware ACE Help Desk or the server's instance view in Workstation.

Both user interfaces enable you to fix a limited set of ACE instance problems, such as reactivating an instance, changing the instance's expiration date, and resetting the user password if the user has lost or forgotten it.

Because the VMware ACE Help Desk is a browser-based application, you can use it on computers that do not have Workstation installed. The Help Desk also allows you to create a restricted help desk role. Users with this role can fix a limited set of problems reported by end users, but they cannot change configuration settings for the ACE Management Server.

The instance view in Workstation enables you to perform all the tasks available in the VMware ACE Help Desk and a few more tasks. For example, in the instance view, you can create custom columns and save the searches you create.


Use the VMware ACE Help Desk Application


ACE administrators and help desk assistants can access ACE instances through the VMware ACE Help Desk Web application. You can use the Help Desk to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.

To use the VMware ACE Help Desk application

1 Open a Web browser and go to https://<hostname>:8000. The <hostname> value can be the fully qualified name of the computer on which ACE Management Server is installed, or it can be an IP address. If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Click the Help Desk link.
3 Supply the login information. Use the following information to help you complete the fields that appear in this window:

User Name and Password: If a help desk role was created, enter credentials for that role. Otherwise, enter credentials for administering the ACE Management Server.
Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).

The VMware ACE Help Desk opens the Instances page, which contains a summary table of all the instances that the server manages.

Use the Instance View in Workstation


ACE administrators can access ACE instances through the instance view. You can use the instance view to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.

The instance view in Workstation enables you to perform all the tasks available in the VMware ACE Help Desk and a few more tasks. In the instance view, you can create custom columns and save the searches you create.

You must have administrator credentials to use the instance view.

An instance has one of the following status types:

Active: The instance is active and available for immediate use.
Deactivated: This instance was purposely deactivated. You must reactivate it to make it usable again.
Blocked by policies: The instance is still active but is blocked (cannot be run) because of a violation of a policy such as expiration date or copy protection. For details, view the server log for that instance.

The Valid From and Valid Until columns indicate the period that the instance is valid. The instance expires after the Valid Until date. If no expiration date is set for the instance, those columns are empty.


To use the instance view in Workstation

1 From the Workstation menu bar, choose File > Connect to ACE Management Server.
2 Specify the fully qualified host name or the IP address and click OK. In most cases, the default port number does not need to be changed.
3 Complete the login window. Use the following information to help you complete the fields that appear in this window:

User Name and Password: Enter credentials for administering the ACE Management Server.
Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).

Search for an Instance


You can use the search function to query the ACE Management Server database for one or more particular ACE instances. Search criteria are joined with AND, not OR, operations.

Before you begin, do one of the following:

Log in to the VMware ACE Help Desk for an ACE Management Server.
Connect to an ACE Management Server from the Workstation window.

To search for an ACE instance

1 Click Search and specify the criteria to be included when the database is queried. Use the following information to help you specify search criteria:

Activated By: Activation method, such as password, Active Directory user, or activation key. If no such activation method exists, N/A appears in the column.
ACE VM Name: Name of the ACE-enabled virtual machine from which the ACE instance was created.
Guest Name (For Windows guests only): Computer name resolved on the user's machine during instance customization, if you use that feature. The NetBIOS name is reported here, and it is a maximum of 15 characters long. Even if the actual computer name contains more characters, the name always appears as the NetBIOS name.
Custom columns: Custom columns that you created appear directly below the Guest MAC Address criterion.
Exact match only: Values are case-sensitive.
Save as (Available in the Workstation instance view only): Saved searches are specific to each server. You can edit or delete your saved searches by selecting the name of a saved search in the Saved Searches drop-down menu and clicking Options.

2 Click Search. In the search results, the total number of instances appears just below the table.

To navigate through a large number of results, do one of the following:

In the VMware ACE Help Desk, click the previous and next arrows at the right of the status bar at the bottom of the Instances table.
In the instance view in Workstation, scroll down.

To return to the full list, do one of the following:

In the VMware ACE Help Desk, click the Back to all instances link, located below the Search button.
In the instance view in Workstation, click Clear Search.


Sort by Column Heading and Change Column Width


You can reorder the instances in the table alphabetically or numerically, depending on the selected column's contents, in ascending or descending order.

To sort by column heading and change column width

1 Click the column heading of the column to sort. Click again to re-sort in the opposite (ascending or descending) order.
2 To change column widths, click a column divider and drag it to a new width.

Show, Hide, and Move Columns in the Instance View


Although you can sort and resize columns in either the VMware ACE Help Desk or the Workstation instance view, you can show, hide, and move columns only in the Workstation instance view. Column changes for one server do not affect other servers.

To show, hide, and move columns in the instance view

1 In Workstation, connect to the ACE Management Server and log in. See Use the Instance View in Workstation on page 46.
2 To show or hide a column, right-click the column heading row and select or deselect the column to show or hide. If you show a column that was previously hidden, the column is added to the right side of the table.
3 To move a column, click the column header, drag the column to a new location, and release the mouse button.

Create or Delete Custom Columns in the Instance View


Custom columns enable you to add categories of information about the instances that an ACE Management Server manages. For example, you can add a Help Ticket column to record the ID associated with end users' support requests.

You can create custom columns only in the Workstation instance view. In the instance view table, you can add, delete, and rename up to nine custom columns.

To create or delete custom columns in instance view

1 In Workstation, connect to the ACE Management Server and log in. See Use the Instance View in Workstation on page 46.
2 Right-click the column heading row and choose Add Custom Column.
3 Type a name for the new column in the Name text box and click OK.
4 To change the name of or delete a custom column, right-click the custom column header and choose a command from the context menu.

After you create a custom column, use the Instance Details page for each ACE instance to add information to display. See Add Information for Custom Columns on page 50.


View Instance Details


The Instance Details page displays all of the same information shown on the summary page, and it includes information about the ACE instance's policy settings.

You can reactivate, deactivate, or change the expiration date from the Instance Details page, as you can from the summary page. The following tasks are available only from the Instance Details page:

Changing the copy protection ID
Resetting the authentication password
Adding information for custom columns

To view instance details

1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 If you use the VMware ACE Help Desk, to view details about network access, click the links under Zone, Host Access, or Guest Access. You can view the Zones or Rules Detail page for this zone or this type of network access. The Everywhere and Everywhere else zone settings are not linked to a Zones Detail page because they are self-explanatory.

Reactivate, Deactivate, or Delete an ACE Instance


You can immediately deny or allow access to an instance by deactivating or reactivating it. After you deactivate an instance, you can delete it from the list of instances that the server manages.

Before you begin, do one of the following:

Log in to the VMware ACE Help Desk for an ACE Management Server.
Connect to an ACE Management Server from the Workstation window.

To reactivate, deactivate, or delete an ACE instance

1 Select the instance by clicking its instance row.
2 Click the Deactivate or Reactivate icon in the upper-left corner of the Instances page.
3 If you clicked Reactivate, when prompted, reset the expiration dates.
4 (Optional) If you clicked Deactivate, click Delete to delete the instance row.
5 Click OK.

Change a Copy Protection ID


If an end user attempts to copy or move a copy-protected ACE instance, the user receives an error message that contains a new copy protection ID. After the end user sends that ID to you, the administrator, you can use it to replace the original ID.

Before you begin, do one of the following:

Log in to the VMware ACE Help Desk for an ACE Management Server.
Connect to an ACE Management Server from the Workstation window.

The Copy Protection ID field is always active, so you can change the ID at any time.

CAUTION If you change a copy protection ID for an active instance, the original instance no longer runs.


To change a copy protection ID

1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 Do one of the following:

In the VMware ACE Help Desk, replace the alphanumeric string in the Copy Protection ID field with a new ID and click the Save icon at the top of the page.
In Workstation, click the Policies tab, replace the copy protection ID with a new ID, and click OK.

Reset the Authentication Password


You can reset passwords for instances with user-specified passwords. The new password must have at least one character.

To reset the authentication password

1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 Click Reset Password and specify a new password. In the Workstation instance view, this button appears on the Policies tab.
4 Send the new password to the user in an email message.

Add Information for Custom Columns


Although you must use the instance view in Workstation to create custom columns, you can add information to custom column fields in either the instance view or the VMware ACE Help Desk.

Before you begin, if necessary, use the instance view in Workstation to create custom columns. See Create or Delete Custom Columns in the Instance View on page 48.

To add information for custom columns

1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 Do one of the following:

In the VMware ACE Help Desk, enter custom values in one or more custom fields and click the Save icon at the top of the page.
In Workstation, click the Custom tab, enter custom values in one or more custom fields, and click OK.


Chapter 7 Troubleshooting and Maintenance

This chapter includes the following topics:

Troubleshooting Configuration Problems on page 51
Configuring Multiple ACE Management Server Instances to Use SSL on page 53
Database Backup on page 53

Troubleshooting Configuration Problems


Common configuration problems include resolving connection problems and port conflicts and resetting ACE administrator passwords.

Connection Problems Between a Linux ACE Instance and ACE Management Server
If an ACE instance on a Linux host cannot contact the server, determine whether a firewall or proxy setting is blocking or rerouting HTTPS traffic on port 443.

By default, HTTPS traffic from the VMware Player to ACE Management Server is routed on port 443. Disable the firewall or turn off the proxy setting to allow VMware Player-to-server traffic on that port.

Change the Port Assignment for ACE Management Server


ACE Management Server is a module running on the Apache 2.0 platform. To change the port that the server listens on, you must manually edit the Apache configuration file.

To change the port assignment for ACE Management Server

1 Using a text editor, open the ACE Management Server component HTTP configuration file. Depending on the server's operating system, the file is placed in one of the following locations:

Windows: C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf
Red Hat Enterprise Linux 4: /etc/httpd/conf.d/acesc.conf
SUSE Linux Enterprise Server 9 SP3: /etc/apache2/conf.d/acesc.conf

This path is different if VMware ACE Management Server is installed in a different location. Use the path you established for your server.

2 Locate the line entry in the file that reads Listen 443 and change the port number. You cannot use port 8000, which the server uses for configuration, or port 8080, which the ACE Management Server appliance uses.


3 Locate the section header for the Virtual Server configuration for port 443. This line looks similar to the following:

<VirtualHost _default_:443>

4 Change the port number in the section header to the desired port number. For example, to change to port 8443, change 443 to 8443.

5 Save the file.

6 Stop and start the Apache service. For instructions, see Verify That the Apache Service Is Started or Restarted on page 25.

When you create an ACE-enabled virtual machine, you can specify which port is to be used to communicate with ACE Management Server.
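Steps 2 to 4 change the same port number in two places, and the procedure warns against two reserved ports; editing by hand risks changing one line but not the other, which leaves Apache listening on a port with no matching virtual host. The script below is an added example (not part of the manual or the product) that performs the edit on the configuration text: it refuses ports 8000 and 8080 and out-of-range values, and it only returns a result when exactly one Listen line and one VirtualHost header for the old port were found, so a partial edit never happens. The configuration fragment it operates on is a constructed sample, not the file the product ships.

```python
"""Change the listening port in the ACE Management Server Apache configuration (steps 2 to 4).

Added example; the configuration fragment is a constructed sample, not the file shipped with the product.
"""
import re

# Ports the manual reserves for configuration; the rewrite refuses them.
RESERVED_PORTS = {8000: "ACE Management Server configuration port",
                  8080: "virtual appliance configuration port"}


def change_listen_port(conf_text, old_port, new_port):
    """Return conf_text with the Listen line and the VirtualHost header moved from old_port to new_port.

    Raises ValueError for a reserved or out-of-range port, or when the file does not contain
    exactly one Listen line and one VirtualHost header for old_port.
    """
    if not 1 <= new_port <= 65535:
        raise ValueError(f"port {new_port} is out of range")
    if new_port in RESERVED_PORTS:
        raise ValueError(f"port {new_port} is the {RESERVED_PORTS[new_port]}; choose another port")
    # 'Listen 443' or 'Listen 192.0.2.1:443'; only trailing spaces/tabs allowed after the port
    listen_re = re.compile(rf"^(\s*Listen\s+(?:[^\s:]+:)?){old_port}[ \t]*$", re.M)
    # '<VirtualHost _default_:443>'
    vhost_re = re.compile(rf"^(\s*<VirtualHost\s+[^\s>:]+:){old_port}(\s*>)", re.M)
    text, n_listen = listen_re.subn(rf"\g<1>{new_port}", conf_text)
    text, n_vhost = vhost_re.subn(rf"\g<1>{new_port}\g<2>", text)
    if n_listen != 1 or n_vhost != 1:
        raise ValueError(f"expected one Listen line and one VirtualHost header for port {old_port}, "
                         f"found {n_listen} and {n_vhost}")
    return text


# Constructed fragment in the shape the procedure describes (not the real acesc.conf/httpd.conf).
SAMPLE_CONF = """\
Listen 443
<VirtualHost _default_:443>
    ServerName ams.example.com
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    print(change_listen_port(SAMPLE_CONF, 443, 8443))
```

To apply it to a real installation, read the file from the path listed in step 1, pass its contents through change_listen_port, write the result back, and then restart Apache as in step 6; because the function raises instead of returning a half-edited file, a failed run leaves the configuration untouched.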

Delete the Server Configuration File and Set a New Administrator Password
If you lose or forget the administrator password, you must delete the configuration file and reconfigure the server. As part of that configuration, you set a new password.

To delete the server configuration file and set a new administrator password

1 Navigate to the location of the ACE Management Server configuration file. Depending on the server's operating system, the file is placed in one of the following locations:

Windows: C:\Program Files\VMware\VMware ACE Management Server\conf\acesc.conf
Linux: /var/lib/vmware/acesc/conf/acesc.conf

2 Save a copy of the file to a new location so that you can refer to it when you reconfigure the server.
3 Delete the original configuration file.
4 Start the ACE Management Server Setup application and configure the server again, specifying a password on the Access Control tab. See Start and Configure ACE Management Server on page 26.

5 Continue with the ACE Management Server Setup application in one of the following ways:

If this is the initial configuration of the server, click Next.
If you are reconfiguring the server, click Apply and click Restart or Later. If you click Later, you must restart the server for the configuration changes to take effect. You can restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.

Restore a Backup Copy of an SSL Certificate


If you upload an invalid certificate file, the ACE Management Server Setup application fails when you click Apply and then Restart, and you cannot restart the Apache service. To fix this problem, restore the backup certificate file for the corresponding certificate.


To restore a backup copy of an SSL certificate

1 Navigate to the ACE Management Server directory where the backup is stored. The file names use the following format:

<certificate_filename>.<date>-<time>

The <certificate_filename> value is one of the following:


server.crt: The server public certificate
server.key: The server private key
chain.crt: The certificate chain

The <date> portion of the file name is in the format YYYYMMDD (year, month, day). The <time> portion of the file name is in the format HHMMSS (hours, minutes, seconds). For example, a file name might be server.crt.20070216-095344.

2 Save the file in the correct location as ssl/<filename>.crt and restart the Apache server manually. See Verify That the Apache Service Is Started or Restarted on page 25.

3 Start the ACE Management Server Setup application and use the Custom SSL Certificates tab to upload the backup copy. See Start and Configure ACE Management Server on page 26.
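After several certificate uploads the ssl directory holds one backup per upload for each of server.crt, server.key and chain.crt, and step 1 leaves it to you to pick the right one. The script below is an added example, not part of the manual or the product: it parses the <certificate_filename>.<date>-<time> naming scheme described above, ignores files that do not follow it or carry an impossible timestamp, reports the newest backup of each file, and copies it back over the live file (step 2), after which Apache still has to be restarted by hand. The directory listing and the file contents are constructed samples.

```python
"""Locate and restore the newest backup copy of an ACE Management Server SSL file (steps 1 and 2).

Added example; the directory listing below is constructed, and the ssl directory is passed in by the caller.
"""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# <certificate_filename>.<date>-<time>, e.g. server.crt.20070216-095344
_BACKUP_NAME = re.compile(r"^(server\.crt|server\.key|chain\.crt)\.(\d{8})-(\d{6})$")


def parse_backup_name(name):
    """Return (original_file_name, timestamp) for a backup copy, or None for any other file."""
    m = _BACKUP_NAME.match(name)
    if not m:
        return None
    try:  # strptime rejects impossible dates such as month 13
        stamp = datetime.strptime(m.group(2) + m.group(3), "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return m.group(1), stamp


def newest_backups(names):
    """Map each original file name to its most recent backup copy among names."""
    newest = {}
    for name in names:
        parsed = parse_backup_name(name)
        if parsed is None:
            continue
        original, stamp = parsed
        if original not in newest or stamp > newest[original][0]:
            newest[original] = (stamp, name)
    return {original: name for original, (stamp, name) in newest.items()}


def restore_backup(ssl_dir, backup_name):
    """Copy ssl_dir/backup_name back over the live file it was taken from; returns the restored path."""
    parsed = parse_backup_name(backup_name)
    if parsed is None:
        raise ValueError(f"{backup_name!r} is not an ACE Management Server SSL backup file")
    original, _ = parsed
    src = Path(ssl_dir) / backup_name
    dst = Path(ssl_dir) / original
    shutil.copy2(src, dst)  # after this, restart Apache as the procedure says
    return dst


# Constructed listing of an ssl directory after two certificate uploads plus two stray files.
SAMPLE_LISTING = [
    "server.crt", "server.key", "chain.crt",
    "server.crt.20070216-095344", "server.key.20070216-095344", "chain.crt.20070216-095344",
    "server.crt.20070301-120000", "server.key.20070301-120000",
    "server.crt.bak", "server.crt.20071301-000000",
]


def demo_restore():
    """Create a throwaway ssl directory, overwrite server.crt with a bad upload, restore the newest backup."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "server.crt.20070216-095344").write_text("OLD CERT\n")   # constructed contents
        (d / "server.crt.20070301-120000").write_text("GOOD CERT\n")
        (d / "server.crt").write_text("INVALID UPLOAD\n")
        backup = newest_backups(p.name for p in d.iterdir())["server.crt"]
        return restore_backup(d, backup).read_text()


if __name__ == "__main__":
    for original, backup in sorted(newest_backups(SAMPLE_LISTING).items()):
        print(f"{original}: restore from {backup}")
    print(demo_restore().strip())
```

Point newest_backups at the real ssl directory listed in the Custom SSL Certificates tab; note that the newest backup is the file that was live just before the failed upload, which is normally the one you want, but if an earlier upload also failed you may need to go back one more entry.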

Configuring Multiple ACE Management Server Instances to Use SSL


You might configure multiple ACE Management Server instances to use SSL in the following scenarios:

Multiple servers behind one or more proxy servers:

Each server can have its own SSL key and certificate (ACE Management Server and proxy server).
The cert_chain file must contain the certificate file and verification chain for the SSL certificates that the proxy servers are using. Place this cert_chain file in each ACE Management Server.
When self-signed certificates are being used, the actual certificate is the verification chain. The chain file contains each self-signed certificate that the proxies are using.
You can also use the same key and certificate for every server and proxy. In this case, you do not need to create a cert_chain file.
Each certificate must have a unique common name.

Multiple servers using DNS round-robin:

Each server can have its own SSL key and certificate (ACE Management Server and proxy server).
The cert_chain file must contain the certificate and verification chain for every certificate that the servers use. Place this certificate chain file in each ACE Management Server.
When self-signed certificates are being used, the actual certificate is the verification chain. The chain file contains each self-signed certificate that each of the servers is using.
You can use the same key and certificate for every server. In this case, you do not need to create a cert_chain file.

See also Load-Balancing Multiple ACE Management Server Instances on page 39.


Database Backup
If you are using an external database, use a backup and recovery strategy that is appropriate for your database system. Back up your ACE Management Server database on a regular basis to ensure that the database can be recovered promptly if needed.

If you are using the embedded database, you can use standard file backup tools, such as ntbackup or dd. The data is stored in one of the following locations:

Windows: C:\Program Files\VMware\VMware ACE Management Server\db\acesc.bin
Linux: /var/lib/vmware/acesc/db/acesc.bin

If you are using the embedded database in a production environment, stop the server, copy the file to a different location for the backup, and restart the server. SQLite is file-based, so the database file might be modified by the ACE Management Server process at the same time that it is being copied for backup. An inconsistent database snapshot might be produced. This problem is unlikely to occur because the file is usually not large and is copied quickly.

Other alternatives for backing up an open database, as recommended by members of an SQLite community, are the following:

Usethesqlite3commandlinetooltologintotheSQLitedatabase.Usethe.dumpcommand,storethe resultinaseparatefile,andbackupthatresultfile.AnSQLscriptrecreatesthedatabase. UsetheShadowVolumeCopymechanismonWindowssystemsorLVMvolumesnapshotsonLinux(and thecrashrestorefeatureofSQLite)tobackupthecompletedatabasedirectory,includingjournalfilesif theyarepresent.OnaWindowsXPSP1orlateroperatingsystem,usentbackuponthedatabase directory. Usethesqlite3commandlinetooltologintotheSQLitedatabase.UsetheBEGIN EXCLUSIVE command,copythedatabasefile,andthenusetheCOMMITcommand.

Forinformationtohelpyouuseyourcompanysownmanagementorreportingtoolsorautomatedscripts withthedataintheVRMdatabase,seeAppendix:DatabaseSchemaandAuditEventLogDataonpage 55.
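The following script is an added example, not part of the manual or of VMware's product code. It automates the third alternative above for the embedded database: it holds an EXCLUSIVE transaction while acesc.bin is copied, so the server cannot write mid-copy, copies any journal file that happens to be present, and then checks the copy with SQLite's PRAGMA integrity_check. It also writes the equivalent of the .dump script through Python's sqlite3 module. The Linux path is the one from the manual; the demo builds a small constructed database in a temporary directory instead of touching a real server.

```python
"""Consistent backup of the embedded (SQLite) ACE Management Server database.

Added example, not VMware code. Assumes the standard-library sqlite3 module
and a server that uses the default rollback journal (a -journal sidecar file),
as a 2009-era SQLite deployment would.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile
from pathlib import Path

DEFAULT_DB = "/var/lib/vmware/acesc/db/acesc.bin"   # Linux location from the manual


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_exclusive(src, dst):
    """Copy src to dst while holding an EXCLUSIVE lock; return SHA-256 of dst.

    isolation_level=None is autocommit mode, so the explicit BEGIN EXCLUSIVE
    below is the only transaction on this connection (the manual's sqlite3
    BEGIN EXCLUSIVE / copy / COMMIT sequence).
    """
    conn = sqlite3.connect(src, isolation_level=None, timeout=30)
    try:
        conn.execute("BEGIN EXCLUSIVE")      # waits for other writers, then blocks them
        try:
            shutil.copyfile(src, dst)
            # A hot journal can only exist after a crash; keep it with the copy
            # so SQLite can roll it back on open, as the manual advises.
            for suffix in ("-journal", "-wal"):
                if os.path.exists(src + suffix):
                    shutil.copyfile(src + suffix, dst + suffix)
        finally:
            conn.execute("COMMIT")
    finally:
        conn.close()
    return sha256_file(dst)


def verify_backup(path):
    """Open the copy read-only and ask SQLite whether it is structurally sound."""
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        (result,) = conn.execute("PRAGMA integrity_check").fetchone()
        return result == "ok"
    finally:
        conn.close()


def dump_to_sql(src, dst_sql):
    """First alternative from the manual: an SQL script that recreates the DB
    (iterdump() produces the same statements as the sqlite3 .dump command)."""
    conn = sqlite3.connect(src)
    try:
        with open(dst_sql, "w", encoding="utf-8") as f:
            for statement in conn.iterdump():
                f.write(statement + "\n")
    finally:
        conn.close()
    return dst_sql


def demo(workdir=None):
    """Build a constructed acesc.bin with one table from the appendix schema,
    back it up both ways, and return (integrity_ok, copy_matches_source, dump_has_table)."""
    workdir = workdir or tempfile.mkdtemp(prefix="acesc-backup-")
    src = os.path.join(workdir, "acesc.bin")
    conn = sqlite3.connect(src)
    conn.execute("CREATE TABLE PolicyDb_MetaInfo (name VARCHAR(128), "
                 "value VARCHAR(1024), PRIMARY KEY(name))")
    conn.execute("INSERT INTO PolicyDb_MetaInfo VALUES ('schemaVersion', '1')")  # constructed row
    conn.commit()
    conn.close()

    dst = os.path.join(workdir, "acesc.bin.bak")
    digest = backup_exclusive(src, dst)
    dump = dump_to_sql(src, os.path.join(workdir, "acesc.sql"))
    with open(dump, encoding="utf-8") as f:
        has_table = "PolicyDb_MetaInfo" in f.read()
    return verify_backup(dst), digest == sha256_file(src), has_table


if __name__ == "__main__":
    print(demo())
```

Run it as root on the server with `backup_exclusive(DEFAULT_DB, "/backup/acesc.bin")` followed by `verify_backup("/backup/acesc.bin")`; keep the destination on a file system with the same restrictive permissions as the db directory, because the copy carries the same keys and passwords as the original.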


Appendix: Database Schema and Audit Event Log Data

This appendix explains the format of the data stored in the database and the best ways to access this data. This appendix includes the following topics:

- Using Database Reporting Tools on page 55
- Database Schema on page 55
- Querying the Audit Event Log Data on page 59

Using Database Reporting Tools


You can use a third-party database management or reporting tool with the VMware ACE Management Server database. You can create custom reports of the system state by using a reporting tool. You can also use a reporting tool to inspect the audit trail of the administrator or user actions stored in the Event table. For example, you might find active instances with outdated ACE policy sets, or excessive failed authentication attempts.

The RDBMS access control mechanism protects the data stored in the database. Do not allow the database user account that your reporting tool uses to have a higher than necessary level of access to the data. Otherwise you might compromise the security of your VMware ACE system.

For example, reporting tools typically do not need write access to the database. Instead, you can create a separate read-only account for the reporting tool. You might also want to disallow read access to database fields that contain sensitive information, such as user passwords, instance customization data (which might have the domain administrator login), or instance disk encryption keys. The embedded SQLite database does not support authentication, so access can be protected only by file-based security that provides read-only permissions or permissions to perform any operation. With the embedded database there is therefore no way to hide individual columns such as insPassword, insProtectionKey, or pkgProtectionKey from anyone who can read the file; if you need column-level restriction, use an external database and give the reporting account access only through views that omit those fields.
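The two example reports named above (instances running an outdated policy set, and excessive failed authentications), written against the embedded database as an added example rather than code from the manual or from VMware. It opens the file with SQLite's read-only URI mode, which is what a reporting account should see, but note that mode=ro is the client's own choice, so the real restriction is still the file permission on acesc.bin. Assumptions, beyond the constructed sample rows: only the columns the queries touch are created (a cut-down copy of the appendix schema); rtpTsCreated of the active policy version is taken as the moment that version became available, so an instance whose lastPolicyCheck predates it cannot have received it; and the literal returnCodeText of a successful operation is assumed to be 'Success'.

```python
"""Read-only reporting against the embedded ACE Management Server database.
Added example, not VMware code; schema subset and sample data are constructed."""
import os
import sqlite3
import tempfile
from pathlib import Path

# Subset of the appendix schema. Per the schema notes, *Ts* columns hold
# microseconds and other date columns (lastPolicyCheck) hold seconds since
# 1970-01-01 00:00, both as decimal strings.
SCHEMA = """
CREATE TABLE PolicyDb_Ace (
  aceUID VARCHAR(128), aceName VARCHAR(128), activePolicySetVersion INTEGER NOT NULL,
  deleted VARCHAR(7) DEFAULT 'FALSE', PRIMARY KEY(aceUID));
CREATE TABLE PolicyDb_RuntimePolicy (
  aceUID VARCHAR(128), policyVersion INTEGER, rtpTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,
  deleted VARCHAR(7) DEFAULT 'FALSE', PRIMARY KEY (aceUID, policyVersion));
CREATE TABLE PolicyDb_Instance (
  instanceUID VARCHAR(128), aceUID VARCHAR(128) DEFAULT '' NOT NULL,
  creatorIdName VARCHAR(128) NOT NULL, lastPolicyCheck VARCHAR(21) NOT NULL,
  deleted VARCHAR(7) DEFAULT 'FALSE', PRIMARY KEY(instanceUID));
CREATE TABLE PolicyDb_EventType (
  eventType INTEGER, eventMessage VARCHAR(1024), eventCategory INTEGER,
  eventCategoryName VARCHAR(128), PRIMARY KEY (eventType));
CREATE TABLE PolicyDb_Event (
  eventUID INTEGER, eventTs VARCHAR(21), loginName VARCHAR(128), eventType INTEGER,
  clientIP VARCHAR(128), returnCodeText VARCHAR(128), PRIMARY KEY (eventUID));
"""


def open_read_only(path):
    """mode=ro makes SQLite refuse writes on this connection; it does not stop
    another process that has write permission on the file."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def outdated_instances(conn):
    """Live instances that have not called the server since their ACE's active
    policy version was created (assumption: rtpTsCreated = publish time)."""
    sql = """
    SELECT i.instanceUID, i.creatorIdName, a.aceName, a.activePolicySetVersion
    FROM PolicyDb_Instance i
    JOIN PolicyDb_Ace a ON a.aceUID = i.aceUID
    JOIN PolicyDb_RuntimePolicy p
         ON p.aceUID = a.aceUID AND p.policyVersion = a.activePolicySetVersion
    WHERE i.deleted = 'FALSE' AND a.deleted = 'FALSE'
      AND CAST(i.lastPolicyCheck AS INTEGER) * 1000000 < CAST(p.rtpTsCreated AS INTEGER)
    ORDER BY i.instanceUID"""
    return conn.execute(sql).fetchall()


def failed_authentications(conn, min_failures=3):
    """Login names with at least min_failures unsuccessful Auth-category events."""
    sql = """
    SELECT e.loginName, COUNT(*) AS failures
    FROM PolicyDb_Event e
    JOIN PolicyDb_EventType t ON t.eventType = e.eventType
    WHERE t.eventCategoryName = 'Auth' AND e.returnCodeText <> 'Success'
    GROUP BY e.loginName
    HAVING failures >= ?
    ORDER BY failures DESC, e.loginName"""
    return conn.execute(sql, (min_failures,)).fetchall()


def write_is_rejected(conn):
    """True if this connection cannot modify the audit log (expected for reporting)."""
    try:
        conn.execute("DELETE FROM PolicyDb_Event")
        conn.rollback()
        return False
    except sqlite3.OperationalError:
        return True


def build_demo_db(workdir=None):
    """Create an acesc.bin with constructed sample rows; returns its path."""
    workdir = workdir or tempfile.mkdtemp(prefix="acesc-report-")
    path = os.path.join(workdir, "acesc.bin")
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO PolicyDb_Ace VALUES ('ace-1', 'Finance Desktop', 3, 'FALSE')")
    conn.executemany("INSERT INTO PolicyDb_RuntimePolicy VALUES (?,?,?,?)", [
        ("ace-1", 2, "1230768000000000", "FALSE"),   # 2009-01-01 00:00 UTC
        ("ace-1", 3, "1243814400000000", "FALSE"),   # 2009-06-01 00:00 UTC, active version
    ])
    conn.executemany("INSERT INTO PolicyDb_Instance VALUES (?,?,?,?,?)", [
        ("inst-a", "ace-1", "alice", "1243900800", "FALSE"),  # checked in after v3
        ("inst-b", "ace-1", "bob",   "1240000000", "FALSE"),  # last check predates v3
        ("inst-c", "ace-1", "carol", "1240000000", "TRUE"),   # tombstone, ignored
    ])
    conn.executemany("INSERT INTO PolicyDb_EventType VALUES (?,?,?,?)", [
        (1001, "Instance authentication requested by %s", 1, "Auth"),      # constructed codes
        (2001, "ACE %s created", 2, "AceAdmin"),
    ])
    rows = [(n, str(1243900800000000 + n), login, et, ip, rc)
            for n, (login, et, ip, rc) in enumerate([
                ("alice",   1001, "10.17.0.3", "Success"),
                ("mallory", 1001, "10.17.0.9", "Authentication failed"),
                ("mallory", 1001, "10.17.0.9", "Authentication failed"),
                ("mallory", 1001, "10.17.0.9", "Authentication failed"),
                ("bob",     1001, "10.17.0.4", "Authentication failed"),
                ("admin",   2001, "10.17.0.1", "Error: duplicate name"),   # not Auth category
            ], start=1)]
    conn.executemany("INSERT INTO PolicyDb_Event VALUES (?,?,?,?,?,?)", rows)
    conn.commit()
    conn.close()
    return path


if __name__ == "__main__":
    ro = open_read_only(build_demo_db())
    print(outdated_instances(ro), failed_authentications(ro), write_is_rejected(ro))
```

Against a real server, point open_read_only at the acesc.bin path from the Database Backup section and run the two queries from an account that has only read permission on the file; the CAST calls are needed because every date in the schema is stored as a string.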

Database Schema
Tables in the ACE Management Server database represent the major configuration objects of ACE Management Server, including Ace, Package, Instance, AccessPolicy, RuntimePolicy, and UserData, which contains image customization settings and other data for each user. Administrator and user actions are audit logged in the Event table in the database, while possible event types are listed in the EventType table. Note the following about the database schema:

- A few tables with internal system information and indexes are not listed.
- Boolean values are stored as strings with TRUE or FALSE values.
- Timestamps are stored as decimal 64-bit number strings showing the number of microseconds from 12:00 a.m. 01/01/1970.
- Other dates and times are stored as decimal strings showing the number of seconds from 12:00 a.m. 01/01/1970.
- ACE, Package, Instance, Access, and UserData records are never deleted from the database. They are marked as deleted with the deleted field set to TRUE, so that the previous information can be inspected for audit purposes.
- The guest and host operating system portions of the ACE policy set are stored in the PolicyDb_RuntimePolicy table in respective fields as strings, if their size is less than 2000 bytes. If the policy component exceeds 2000 bytes, the string is split in 2000-byte chunks and stored in the PolicyDb_LongField table. In this case, the value for the respective ExtKey field in the RuntimePolicy table contains the foreign key pointing to the corresponding series of strings in the LongField table (see the notes in the table definition).

The following is the database schema script.
/* Name value pairs of service information, e.g. DB schema version number */
CREATE TABLE PolicyDb_MetaInfo (
  name VARCHAR(128),                                /* Name of the name-value pair */
  value VARCHAR(1024),                              /* Value of the name-value pair */
  PRIMARY KEY(name));

/* This table holds data for guest and host policy sets, split in 2K chunks */
/* Select all fields for the key in the order of index and append strings together */
/* to reconstruct the policy set */
CREATE TABLE PolicyDb_LongField (
  longFieldKey VARCHAR(128),                        /* Unique ID of the long field series */
  longFieldIndex INTEGER,                           /* Index in the series */
  longFieldValue VARCHAR(2000),                     /* Up to 2000 chars of field value chunk */
  sessionExpires VARCHAR(21),                       /* Optional field for storing session blob */
  PRIMARY KEY (longFieldKey, longFieldIndex));

/* ACE Master data */
CREATE TABLE PolicyDb_Ace (
  aceUID VARCHAR(128),                              /* Unique ID (primary key) */
  aceName VARCHAR(128),                             /* Name of this ace */
  activePolicySetVersion INTEGER NOT NULL,          /* Soft foreign key to active RT policy */
  aceTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,      /* Creation timestamp */
  aceTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */
  deleted VARCHAR(7) DEFAULT 'FALSE',               /* Is this entry deleted (tombstone) */
  PRIMARY KEY(aceUID));

/* Package data */
CREATE TABLE PolicyDb_Package (
  packageUID VARCHAR(128),                              /* Unique ID (primary key) */
  aceUID VARCHAR(128) NOT NULL,                         /* The ACE it belongs to. */
  pkgName VARCHAR(128),                                 /* UI visible name. */
  pkgUseValidDates VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Use validity dates or always valid */
  pkgValidDateStart VARCHAR(21) NOT NULL,               /* The package is valid from this date. */
  pkgValidDateEnd VARCHAR(21) NOT NULL,                 /* The package is valid till this date. */
  pkgDisabled VARCHAR(7) DEFAULT 'FALSE' NOT NULL,      /* Is the package disabled */
  pkgProtectionKey VARCHAR(1024),                       /* The key used for package distribution */
  pkgPreview VARCHAR(7) DEFAULT 'FALSE' NOT NULL,       /* Is preview package */
  pkgTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,          /* Creation timestamp */
  pkgTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,     /* Last modified timestamp */
  deleted VARCHAR(7) DEFAULT 'FALSE',                   /* Is this entry deleted (tombstone) */
  PRIMARY KEY(packageUID),
  FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* Access Control object data (single item of the list, associated with ACE Master) */
CREATE TABLE PolicyDb_Access (
  accessPK VARCHAR(128),                                   /* Unique ID (primary key) */
  aceUID VARCHAR(128),                                     /* Ace for which this access policy is (FK) */
  identityData VARCHAR(128),                               /* Internal representation, SID in AD */
                                                           /* case, token value goes here. */
  accVersion INTEGER NOT NULL,                             /* Access object version number */
  identityType INTEGER NOT NULL,                           /* AD User, Group, or Token Value */
  identityName VARCHAR(128),                               /* UI visible user/group name in AD case */
  accUseInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Limit number of instances for this ID? */
  accInstanceLimit INTEGER NOT NULL,                       /* Max no. of ACE instances allowed */
  accTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,             /* Creation timestamp */
  accTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,        /* Last modified timestamp */
  deleted VARCHAR(7) DEFAULT 'FALSE',                      /* Is this entry deleted (tombstone) */
  PRIMARY KEY(accessPK),
  FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* ACE Instance object data */
CREATE TABLE PolicyDb_Instance (
  instanceUID VARCHAR(128),                               /* VM instance ID (primary key) */
  packageUID VARCHAR(128) NOT NULL,                       /* The package it belongs to. */
  aceUID VARCHAR(128) DEFAULT '' NOT NULL,                /* The ACE Master it belongs to */
  creatorIdName VARCHAR(128) NOT NULL,                    /* Display name of the activator user */
  creatorIdData VARCHAR(256),                             /* Fully qualified name of the activator */
  creatorAuthType INTEGER NOT NULL,                       /* The type of access check at activation */
  activationDate VARCHAR(21) NOT NULL,                    /* The date and time for the activation. */
  lastPolicyCheck VARCHAR(21) NOT NULL,                   /* Last time when the player called server */
  revocationDate VARCHAR(21) NOT NULL,                    /* When the instance was revoked */
  replacementDate VARCHAR(21) NOT NULL,                   /* When replaced because of Copy Protect. */
                                                          /* policy */
  inheritsExpiration VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Use expiration info from Policy Set */
  insUseValidDates VARCHAR(7) DEFAULT 'FALSE' NOT NULL,   /* Use validity dates or always valid */
  insValidDateStart VARCHAR(21) NOT NULL,                 /* The instance is valid from this date */
  insValidDateEnd VARCHAR(21) NOT NULL,                   /* The instance is valid till this date */
  insPassword VARCHAR(128),                               /* The login password for non-AD */
                                                          /* authentication for this instance */
  hostName VARCHAR(128),                                  /* The name of the host PC the VM runs on */
  hostIp VARCHAR(128),                                    /* The IP addr of the host the VM runs on */
  insProtectionKey VARCHAR(1024),                         /* Instance VM disk encryption key */
  copyProtectionId VARCHAR(1024),                         /* Stores location of the copy */
  insPreview VARCHAR(7) DEFAULT 'FALSE' NOT NULL,         /* Is preview instance */
  guestIpAddress VARCHAR(128) DEFAULT '',                 /* Reported VM IP address */
  guestMacAddress VARCHAR(128) DEFAULT '',                /* Assigned VM MAC address */
  guestMachineName VARCHAR(128) DEFAULT '',               /* The guest (VM) OS host name */
  guestConfigStatus INTEGER DEFAULT 0,                    /* The completion status of guest */
                                                          /* auto-configuration */
  guestConfigMsg VARCHAR(512),                            /* Message for the guest auto-config */
  insTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,            /* Creation timestamp */
  insTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,       /* Last modified timestamp */
  deleted VARCHAR(7) DEFAULT 'FALSE',                     /* Is this entry deleted (tombstone) */
  insCustom1 VARCHAR(255),                                /* User-defined field */
  insCustom2 VARCHAR(255),                                /* User-defined field */
  insCustom3 VARCHAR(255),                                /* User-defined field */
  insCustom4 VARCHAR(255),                                /* User-defined field */
  insCustom5 VARCHAR(255),                                /* User-defined field */
  insCustom6 VARCHAR(255),                                /* User-defined field */
  insCustom7 VARCHAR(255),                                /* User-defined field */
  insCustom8 VARCHAR(255),                                /* User-defined field */
  insCustom9 VARCHAR(255),                                /* User-defined field */
  PRIMARY KEY(instanceUID),
  FOREIGN KEY(packageUID) REFERENCES PolicyDb_Package(packageUID),
  FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* MAC Address Pool (reserved for future use) */
CREATE TABLE PolicyDb_MacPool (
  macPoolUID VARCHAR(128),                          /* primary key */
  aceUID VARCHAR(128) NOT NULL,                     /* ACE for which this MacPool is used */
  macPoolName VARCHAR(128),                         /* User visible name */
  description VARCHAR(128),                         /* name and description of the MAC pool */
  rangeStart VARCHAR(21) NOT NULL,                  /* Start address of the MAC pool */
  rangeEnd VARCHAR(21) NOT NULL,                    /* End address of the MAC pool */
  lastAssigned VARCHAR(21) NOT NULL,                /* Last assigned address */
  mplTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,      /* Creation timestamp */
  mplTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */
  deleted VARCHAR(7) DEFAULT 'FALSE',               /* Is this entry deleted (tombstone) */
  PRIMARY KEY(macPoolUID),
  FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* Instance customization data */
CREATE TABLE PolicyDb_UserData (
  userDataPK VARCHAR(516),                          /* Primary key */
  aceUID VARCHAR(128),                              /* ACE for which this UserData is defined */
  packageUID VARCHAR(128),                          /* Package for which this UserData is used */
  activator VARCHAR(128),                           /* The user */
  udataName VARCHAR(128),                           /* User data entry name */
  udataType INTEGER NOT NULL,                       /* Attribute of the data */
  udataValue VARCHAR(2048),                         /* User data entry value */
  udtTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,      /* Creation timestamp */
  udtTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */
  deleted VARCHAR(7) DEFAULT 'FALSE',               /* Is this entry deleted (tombstone) */
  FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID),
  FOREIGN KEY(packageUID) REFERENCES PolicyDb_Package(packageUID),
  PRIMARY KEY(userDataPK));

/* ACE Master policy set */
CREATE TABLE PolicyDb_RuntimePolicy (
  aceUID VARCHAR(128),                                            /* The ACE it belongs to. */
  policyVersion INTEGER,                                          /* Version of the RT Policy for this ACE */
  clientPolicyData VARCHAR(2000),                                 /* Runtime policy for the guest OS */
  clientPolicyDataExtKey VARCHAR(128),                            /* If too long store in LongField table */
  hostPolicyData VARCHAR(2000),                                   /* Runtime policy for the host OS (NQ) */
  hostPolicyDataExtKey VARCHAR(128),                              /* If too long store in LongField table */
  expirationType INTEGER NOT NULL,                                /* Expiration Type (enum) */
  expValue_1 VARCHAR(21) NOT NULL,                                /* Expiration value (depends on type) */
  expValue_2 VARCHAR(21) NOT NULL,                                /* Expiration value (depends on type) */
  cacheLifetime VARCHAR(21) NOT NULL,                             /* How long could work without server */
  rtpInstType INTEGER NOT NULL,                                   /* Instantiation authentication check type */
  rtpAuthType INTEGER NOT NULL,                                   /* Runtime authentication check type */
  rtpUseInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL,        /* Limit number of instances for this ACE? */
  rtpInstanceLimit INTEGER NOT NULL,                              /* Max no. of ACE instances allowed */
  rtpUsePerUserInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Limit number of instances per user? */
  rtpPerUserInstanceLimit INTEGER NOT NULL,                       /* Max no. of ACE instances per user */
  copyPolicy INTEGER DEFAULT 0 NOT NULL,                          /* Behavior if VM instance is copied */
  published VARCHAR(7) DEFAULT 'FALSE' NOT NULL,                  /* Policy published (update locked) */
  rtpTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,                    /* Creation timestamp */
  rtpTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL,               /* Last modified timestamp */
  deleted VARCHAR(7) DEFAULT 'FALSE',                             /* Is this entry deleted (tombstone) */
  PRIMARY KEY (aceUID, policyVersion),
  FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* ACE Management Server info - reserved for future use */
CREATE TABLE PolicyDb_AcescServer (
  serverHostname VARCHAR(128),                      /* Host name of the server computer */
  serverPort INTEGER,                               /* TCP port number server is listening on */
  secure VARCHAR(7) DEFAULT 'FALSE' NOT NULL,       /* Whether HTTPS is enabled */
  sslCertificateExtKey VARCHAR(128),                /* SSL Certificate data, key to stored */
                                                    /* in LongField table */
  sslCertificateChainExtKey VARCHAR(128),           /* SSL Certificate Chain data, key to */
                                                    /* stored in LongField table */
  PRIMARY KEY (serverHostname, serverPort));

/* Audit Event Log Event Types lookup table */
CREATE TABLE PolicyDb_EventType (
  eventType INTEGER,                                /* Event Type code (PK) */
  eventMessage VARCHAR(1024),                       /* Printable message for this event type */
  eventCategory INTEGER,                            /* Event Category code */
  eventCategoryName VARCHAR(128),                   /* Event Category printable name */
  eventLogLevel INTEGER,                            /* Event Log Level */
  PRIMARY KEY (eventType));

/* Audit Event Log data */
CREATE TABLE PolicyDb_Event (
  eventUID INTEGER,                                 /* Primary key of the table (sequential) */
  eventTs VARCHAR(21),                              /* Timestamp of the event creation in uSec */
  loginName VARCHAR(128),                           /* Login user name of the actor */
  aceUID VARCHAR(128),                              /* UID of the ACE affected by event */
  packageUID VARCHAR(128),                          /* UID of the package affected by event */
  instanceUID VARCHAR(128),                         /* UID of the instance affected by event */
  policyVersion INTEGER,                            /* Version of ACE policy affected by event */
  eventCategory INTEGER,                            /* Event Category as defined in EventType */
  eventType INTEGER,                                /* Event Type as defined in EventType */
  sessionID VARCHAR(128),                           /* Ace Server Session ID */
  clientIP VARCHAR(128),                            /* IP Address of the client machine (resvd) */
  serverIP VARCHAR(128),                            /* IP Address of the Ace Server (reserved) */
  turnaroundTime VARCHAR(21),                       /* Server-side execution time in ms */
  handlerName VARCHAR(128),                         /* Name of the ClientLib handler (debug) */
  returnCodeText VARCHAR(128),                      /* Text error code returned to the client */
  messageParams VARCHAR(1024),                      /* Tab separated list of event data */
  prevEventUID INTEGER UNIQUE,                      /* UID of the previous recorded event */
  eventSignature VARCHAR(128),                      /* Event signature, signed with server key */
  FOREIGN KEY(eventType) REFERENCES PolicyDb_EventType(eventType),
  FOREIGN KEY(prevEventUID) REFERENCES PolicyDb_Event(eventUID),
  PRIMARY KEY (eventUID));
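The LongField scheme from the schema notes (policy components under 2000 characters stay inline in PolicyDb_RuntimePolicy; longer ones are split into 2000-character chunks keyed by the ExtKey field, and are reassembled by reading the chunks in longFieldIndex order), together with the two timestamp conventions, worked through in an added example that is not code from the manual or from VMware. It recreates only the two tables involved in an in-memory SQLite database, with a subset of the RuntimePolicy columns. Assumptions: the longFieldKey values are generated with uuid4 (the server's own key format is not documented on this page), and chunking is done on characters, which equals bytes for the ASCII policy text constructed here.

```python
"""Store and reconstruct ACE policy sets using the PolicyDb_LongField scheme.
Added example, not VMware code; tables are a subset of the appendix schema."""
import sqlite3
import uuid
from datetime import datetime, timezone

CHUNK = 2000   # size of one longFieldValue, VARCHAR(2000) in the schema

SCHEMA = """
CREATE TABLE PolicyDb_LongField (
  longFieldKey VARCHAR(128), longFieldIndex INTEGER, longFieldValue VARCHAR(2000),
  sessionExpires VARCHAR(21), PRIMARY KEY (longFieldKey, longFieldIndex));
CREATE TABLE PolicyDb_RuntimePolicy (
  aceUID VARCHAR(128), policyVersion INTEGER,
  clientPolicyData VARCHAR(2000), clientPolicyDataExtKey VARCHAR(128),
  hostPolicyData VARCHAR(2000), hostPolicyDataExtKey VARCHAR(128),
  rtpTsCreated VARCHAR(21) DEFAULT 0 NOT NULL,
  PRIMARY KEY (aceUID, policyVersion));
"""


def ts_to_datetime(value):
    """*Ts* columns: decimal string of microseconds since 1970-01-01 00:00 UTC."""
    return datetime.fromtimestamp(int(value) / 1_000_000, tz=timezone.utc)


def date_to_datetime(value):
    """Other date/time columns: decimal string of seconds since the same epoch."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def _store_field(conn, text):
    """Return (inline_value, ext_key): inline when it fits, else a chunk series."""
    if len(text) < CHUNK:
        return text, None
    key = uuid.uuid4().hex   # assumption: any unique string serves as longFieldKey
    conn.executemany(
        "INSERT INTO PolicyDb_LongField VALUES (?, ?, ?, NULL)",
        [(key, i, text[off:off + CHUNK])
         for i, off in enumerate(range(0, len(text), CHUNK))])
    return None, key


def _load_field(conn, inline, ext_key):
    """Inverse of _store_field: concatenate the chunks in index order."""
    if ext_key is None:
        return inline
    rows = conn.execute(
        "SELECT longFieldValue FROM PolicyDb_LongField "
        "WHERE longFieldKey = ? ORDER BY longFieldIndex", (ext_key,))
    return "".join(r[0] for r in rows)


def store_policy(conn, ace_uid, version, client_policy, host_policy, created_us):
    c_inline, c_key = _store_field(conn, client_policy)
    h_inline, h_key = _store_field(conn, host_policy)
    conn.execute("INSERT INTO PolicyDb_RuntimePolicy VALUES (?,?,?,?,?,?,?)",
                 (ace_uid, version, c_inline, c_key, h_inline, h_key, str(created_us)))
    conn.commit()


def load_policy(conn, ace_uid, version):
    """Return (guest_policy, host_policy, created_datetime) for one policy version."""
    row = conn.execute(
        "SELECT clientPolicyData, clientPolicyDataExtKey, hostPolicyData, "
        "hostPolicyDataExtKey, rtpTsCreated FROM PolicyDb_RuntimePolicy "
        "WHERE aceUID = ? AND policyVersion = ?", (ace_uid, version)).fetchone()
    if row is None:
        raise KeyError((ace_uid, version))
    return (_load_field(conn, row[0], row[1]),
            _load_field(conn, row[2], row[3]),
            ts_to_datetime(row[4]))


def demo():
    """Round-trip a constructed 4500-character guest policy (3 chunks) and a
    short host policy (inline); returns what was observed."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    guest = "".join(f"rule{i:04d}=allow;" for i in range(300))   # 300 * 15 = 4500 chars
    host = "hostPolicy=minimal;"
    store_policy(conn, "ace-1", 1, guest, host, 1243814400000000)  # 2009-06-01 00:00 UTC
    g, h, created = load_policy(conn, "ace-1", 1)
    (chunks,) = conn.execute("SELECT COUNT(*) FROM PolicyDb_LongField").fetchone()
    (host_inline,) = conn.execute(
        "SELECT hostPolicyDataExtKey IS NULL FROM PolicyDb_RuntimePolicy").fetchone()
    return {"guest_roundtrip": g == guest, "host_roundtrip": h == host,
            "chunks": chunks, "host_inline": bool(host_inline),
            "created": created.isoformat()}


if __name__ == "__main__":
    print(demo())
```

When reading a real database, the ORDER BY longFieldIndex in _load_field is what matters: the primary key (longFieldKey, longFieldIndex) guarantees uniqueness, not the order in which SELECT returns rows.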

Querying the Audit Event Log Data


You can use the ACE Server Component to create an audit trail for all transactions that the server performs. You can use this system to track usage, security breaches, policy errors, performance, and so on. The ACE Server Component event logging infrastructure is flexible enough to provide detailed logging when necessary, without overwhelming the system by slowing performance. The event logging mechanism captures enough information to answer the following questions:

- Who activated an instance?
- When was an instance activated?
- Who revoked an instance?
- Who turned off the copy protection policy?
- What changes to policy were made on a particular date?
- Who is failing to authenticate?

The mechanism does not necessarily answer these questions directly, but provides enough data so that an administrator can view event logs and find answers. The data being logged meets the following requirements:

- Provides details of each transaction served.
- Centralizes the gathering of event log data when multiple servers are used.
- Provides a means for administrators to select which types of transactions are logged.
- Can be configured to provide more or fewer logs when necessary.

Some of this audit trail is already visible through other features of the product. For example, the instance viewer displays the date of the last policy get operation, the expiration date, and so on. The event logging mechanism can answer more difficult questions, such as which administrator made which policy changes and which administrator deleted an ACE instance. Table A-1 describes the data that is stored in a log entry.

Table A-1. Log Entry Data

Data                                        Description
Audit log event ID (PK)                     An incrementing integer
Log timestamp                               In microseconds from 12:00 a.m. 01/01/1970, stored as a decimal string
Login user name
Affected ACE UID (FK)
Affected package UID (FK)
Affected instance UID (FK)
Affected policy set version
Event category                              Auth, AceAdmin, PkgAdmin, PolicyAdmin, InstAdmin
Event type code (FK)                        References PolicyDb_EventType table
Session ID                                  Debug
Incoming IP address                         Reserved for future use
Server IP address                           Reserved for future use
Operation turnaround time                   Time spent in server in ms
Operation handler name (debug)
Return code text                            Success, failure, specific error
Message parameters                          Tab separated list
Previous event UID (prevEventUID), to       Log integrity
prevent unauthorized record deletion or
insertion
Event record hash with a server key         Log integrity
(eventSignature), to reveal modification
of the record

ACE, package, and instance UIDs and policy version provide coordinates of the log event in the space of ACE Server objects. They help link the event with the state of the system. By using database query tools, you can find all ACE administration events that affected a particular ACE instance from its creation until its deletion. Not all coordinates are present for all events. For example, if a package expiration date update is logged, the instance UID field is not set, because all instances within the package are affected.

If immutable data is stored permanently elsewhere in the database, it is not duplicated in the log entry. For example, when a new policy is published, the complete policy text is not included in the log entry. Instead, its version number is referenced, so that the complete data of the event can be reconstructed from the PolicyDb_RuntimePolicy and PolicyDb_Access tables if necessary.

NOTE ACE Management Server does not log sensitive data like passwords or encryption keys.

The event type code is associated with a lookup table, PolicyDb_EventType, which contains a text message template for each type of event, together with the category and log level of the event. The message can contain %s parameter placeholders, in which case the messageParams field in the log entry contains a tab-delimited list of values for these parameters. For example, an instance administration event with type = 4110 has the following message:

4110 -> "Instance Set Guest Info requested, IP address = %s, MAC address %s, configuration message \"%s\", machine name \"%s\", configuration status %s"

In this example, the messageParams field contains the following five tab-separated values:

10.17.0.3   00:0C:29:1A:2B:3C   OK   ACETest   0

The values replace the %s placeholders in the message template, in order.


ACE Management Server event logging contains an experimental tamper-evidence feature. Every record in the event log (except the first one) must have a unique reference to the previous event, further enforced by the database foreign key and unique constraint. Each successive record has a unique ID incremented by 1, so missing records are immediately evident. If a user with direct access to the database changes, adds, or removes some records, the user must change either the previous-event pointer or other data in the remaining event records. Data within every record is hashed together with a server key and is stored in the eventSignature field. Two limits follow from this design: the keyed hash only reveals tampering by someone who does not hold the server key, and removing the most recent records leaves no gap or dangling pointer behind, so the table alone cannot show that the tail of the log was cut off. If you need to detect either, keep an independent copy of the log (or of the latest eventUID) outside the database.

For more information about event categories, configuring levels of event logging for each category, and purging old events to keep the table size in check, see Logging Events on page 37.
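An added example, not code from the manual or from VMware, that checks the three properties described above over a set of event records (sequential eventUID values, each prevEventUID pointing at the preceding record, and an eventSignature that matches the record), and that renders an event message from its PolicyDb_EventType template and tab-separated messageParams, using the type 4110 example from the previous page. The manual does not specify how eventSignature is computed, so HMAC-SHA256 over the tab-joined record fields is used as a stand-in; the verifier can therefore only check chains it signed itself, and the key, the records and the event type codes other than 4110 are constructed for the example. The demo also shows the tail-truncation blind spot: deleting the last record produces no finding.

```python
"""Tamper-evidence checks over PolicyDb_Event records and event message rendering.
Added example, not VMware code; signature construction and data are constructed."""
import hashlib
import hmac

# Fields covered by the stand-in signature (assumption; the real field set is not documented here).
SIGNED_FIELDS = ("eventUID", "eventTs", "loginName", "instanceUID",
                 "eventType", "returnCodeText", "messageParams", "prevEventUID")


def sign_event(key, rec):
    body = "\t".join("" if rec.get(f) is None else str(rec[f]) for f in SIGNED_FIELDS)
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


def render_message(template, params):
    """Replace the %s placeholders of an eventMessage template, left to right,
    with the tab-separated values of messageParams."""
    parts = template.split("%s")
    values = params.split("\t") if params else []
    if len(values) != len(parts) - 1:
        raise ValueError(f"template expects {len(parts) - 1} values, got {len(values)}")
    out = parts[0]
    for value, tail in zip(values, parts[1:]):
        out += value + tail
    return out


def verify_chain(events, key):
    """Return a list of findings for records ordered by eventUID; empty means intact."""
    findings, prev_uid = [], None
    for rec in events:
        uid = rec["eventUID"]
        if prev_uid is None:
            if rec["prevEventUID"] is not None:
                findings.append(f"{uid}: first record has a previous-event pointer")
        else:
            if uid != prev_uid + 1:
                findings.append(f"{uid}: gap after {prev_uid}, {uid - prev_uid - 1} record(s) missing")
            if rec["prevEventUID"] != prev_uid:
                findings.append(f"{uid}: prevEventUID {rec['prevEventUID']} does not point at {prev_uid}")
        if not hmac.compare_digest(sign_event(key, rec), rec["eventSignature"]):
            findings.append(f"{uid}: eventSignature does not match record contents")
        prev_uid = uid
    return findings


def make_chain(key, entries):
    """Build a signed chain from (loginName, instanceUID, eventType, returnCodeText, messageParams)."""
    events, prev = [], None
    for n, (login, inst, etype, rc, params) in enumerate(entries, start=1):
        rec = {"eventUID": n, "eventTs": str(1243900800000000 + n * 1000), "loginName": login,
               "instanceUID": inst, "eventType": etype, "returnCodeText": rc,
               "messageParams": params, "prevEventUID": prev}
        rec["eventSignature"] = sign_event(key, rec)
        events.append(rec)
        prev = n
    return events


# Template for type 4110, quoted from the manual; 4100 and 4200 below are constructed codes.
TEMPLATE_4110 = ('Instance Set Guest Info requested, IP address = %s, MAC address %s, '
                 'configuration message "%s", machine name "%s", configuration status %s')


def demo():
    key = b"constructed-server-key"   # stand-in for the server key
    chain = make_chain(key, [
        ("alice", "inst-a", 4100, "Success", "inst-a"),
        ("alice", "inst-a", 4110, "Success", "10.17.0.3\t00:0C:29:1A:2B:3C\tOK\tACETest\t0"),
        ("bob",   "inst-b", 4100, "Success", "inst-b"),
        ("admin", "inst-b", 4200, "Success", "inst-b"),
    ])
    edited = [dict(r) for r in chain]
    edited[3]["loginName"] = "alice"          # insider rewrites who acted on inst-b
    gapped = [chain[0], chain[1], chain[3]]   # insider deletes a middle record
    truncated = chain[:3]                     # insider deletes the last record
    return {
        "clean": verify_chain(chain, key),
        "edited": verify_chain(edited, key),
        "gapped": verify_chain(gapped, key),
        "truncated": verify_chain(truncated, key),   # no finding: the blind spot
        "message": render_message(TEMPLATE_4110, chain[1]["messageParams"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

To run the chain checks against real data, select the columns named in SIGNED_FIELDS plus eventSignature from PolicyDb_Event ordered by eventUID and feed the rows to verify_chain; only the signature step depends on the stand-in construction, the gap and pointer checks use nothing but the schema.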


Glossary

ACE instance
    A virtual machine that ACE administrators create, associate with virtual rights management (VRM) policies, and then package for deployment to users.

ACE Management Server
    A server that the ACE administrator can install and use for activating and tracking ACE instances and for hosting dynamic policies for ACE instances.

ACE-enabled virtual machine
    A virtual machine template that the ACE administrator creates. The virtual machine can be configured with various policies, devices and deployment settings. It can then be used as the basis for creating packages to be sent to ACE users. In earlier versions of VMware ACE, this template was called an ACE Master.

activation
    A step in an ACE instance setup that includes package protection and setting up the ACE instance's runtime authentication policy. The successful completion of activation makes the packaged virtual machine, with its policies and other settings, an ACE instance. The activation setting in the access control policy determines who can access an installed ACE package and turn it into an ACE instance. See also authentication.

authentication
    A step in an ACE instance setup that includes instance protection. The successful completion of the authentication step allows the user to run the instance. See also activation.

deployment settings
    A set of rules and settings associated with a package, such as instance customization settings. These settings cannot be changed after packaging. The only way to change deployment settings is to create a new package.

guest operating system
    An operating system that runs inside an ACE instance. See also host operating system.

host computer
    The physical computer on which the VMware Player software is installed. It hosts the ACE instances.

host operating system
    An operating system that runs on the host machine. See also guest operating system.

hotfix
    An installable file that resets a user's password, renews an expired virtual machine or enables a copy-protected virtual machine to run from a new location.


instance customization
    The act of customizing an ACE instance, thus making it unique from all other instances. The instance customization process automates the actions of the Microsoft Sysprep utility. It also provides the ACE administrator with features needed to set up an automated remote domain join process of the ACE instance to a company VPN network.

managed ACE instance
    An ACE instance that an ACE Management Server manages. See also ACE Management Server.

package
    An installable bundle for distribution to users. A full package includes an ACE-enabled virtual machine configuration file, virtual disk files, policies, a package installer, and resource files. It also includes the VMware Player application used to run ACE instances.

policy
    A formal set of guidelines that control the capabilities of an ACE instance. Policies are set in the policy editor in Workstation. See also publish.

preview
    An operating and viewing mode that an administrator can use to preview the ACE instance as it will run on the user's machine. The administrator can use this feature to see the effects of policy and configuration settings without having to perform the packaging and deployment steps.

publish
    The process of making policies available on ACE Management Server so that ACE instances can receive them according to the policy update schedule. See also policy.

standalone ACE instance
    An ACE instance that is not managed by ACE Management Server. Any changes to its policies or other settings are made by the administrator's distribution of updates to the user.

virtual machine
    A virtualized x86 PC environment in which a guest operating system and associated application software can run. An ACE-enabled virtual machine that has policies and other settings associated with it is known as an ACE instance. See also ACE instance.

VMware Player
    An application that allows a user to run an ACE instance.

Workstation
    The program that an administrator uses to create, deploy, and update ACE packages and manage ACE instances. Formerly named VMware ACE Manager or VMware Workstation ACE Edition.

VMware Tools
    A suite of utilities and drivers that enhances the performance and functionality of the guest operating system. Key features of VMware Tools include some or all of the following, depending on your guest operating system: an SVGA driver, a mouse driver, the VMware Tools control page, and support for such features as shared folders, shrinking virtual disks, time synchronization with the host, VMware Tools scripts, and connecting and disconnecting devices while the ACE instance is running.


Index

A
ACE instance
    log events for 37
    on Linux host, fixing server connection problem 51
    security certificates in 18
ACE Management Server
    Active Directory integration 15
    changing port assignment 51
    configuring 29
    creating Active Directory user and group for 29
    database backup 53
    database schema 55
    default port assignments 22
    embedded database 15
    external database option 15
    features 9
    fixing connection problem with ACE instance on Linux host 51
    hardware requirements 10
    installing 22
    installing on Linux system 23
    installing on Windows system 22
    installment options 22
    licensing 34
    logging on 26
    querying the audit event log data 55
    serial number 34
    stopping and starting manually 25
    using 45
Active Directory
    creating group for use with ACE Management Server 29
    creating user for use with ACE Management Server 29
    integration with ACE Management Server 15
    logon options, ACE Management Server 26
audit event log data, querying 59

C
certificates, setting up 33
change the copy protection ID 49
clock synchronization (note) 21
column headings, sorting by 47
configuration Restart page 37
configuring ACE Management Server instances 29
copy protection, changing the ID for 49
custom fields in instance view 48

D
database
    backup 53
    external 15
    for ACE 15
database for ACE Management Server 15
deactivate an ACE instance 49
details for an instance, viewing 48

E
event logging 37
expiration dates, changing 49

H
Help Desk
    advanced instance queries 47
    Instances page 45
    using 46
Help Desk Instance Details page 48

I
installing ACE Management Server 22
Instance Details page 48
instance queries 47
instance view
    custom fields 48
    customizing columns in 48
    details 48
Instances page 45

L
LDAP See Active Directory
licensing, ACE Management Server 34
logging events 37
logging on to the ACE Management Server 26

P
passwords, resetting
    admin password for ACE Management Server 52
    for ACE instances 50
port assignments, default 22
port for ACE Management Server 51

R
reactivate an ACE instance 49
reset the password for an instance 50
Restart page 37
restarting the ACE Management Server 37

S
searching for instances in Help Desk 47
security, SSL 17, 18
sort instances 47
SQLite database for ACE Management Server 15
SSL certification, using 17, 18
SSL protocol, using 17, 18
stopping and starting the Apache service manually 25

T
troubleshooting with the Help Desk application 46

U
using the ACE Management Server 45

V
view details for an instance 48
VMware Player
    fixing ACE Server connection problem on Linux host 51
