VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION Manual

vCenter Configuration Manager
Transport Layer Security
Implementation
VMware VCM 5.3
WHITE PAPER


Summary of Contents for VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION

  • Page 1 Configuration Manager Transport Layer Security Implementation VMware VCM 5.3 WHITE PAPER...
  • Page 2: Table of Contents

    TLS Implementation for VCM
    Table of Contents
    Introduction to TLS
    Server Authentication
    Mutual Authentication
    Certificates and Public Key Infrastructure
    Expiration and Revocation
    Certificate Standards
    Certificate Storage
    How VCM Uses Certificates
    The Enterprise Certificate
    The Collector Certificate
    Agent Certificates
    TLS Machine Security Level
    Creating and Installing Certificates for Collectors
    Installation of Certificates to Collectors
    Installation of Certificates to Additional Collectors...
  • Page 3 TLS Implementation for VCM
    Certificate Expiration
    Certificate Transport
    Exporting Certificates (Windows Only)
    Importing Certificates (Windows Only)
    Appendix A: Creating Certificates for TLS Using Makecert
    Create the Enterprise Certificate and the First Collector Certificate
    Create Certificates for Additional Collectors
    Import the Certificates on the Collector Machines
    MakeCert Options
    Appendix B: Updating the Collector Certificate Thumbprint in the VCM Collector Database
    Appendix C: Managing the VCM UNIX Agent Certificate Store...
  • Page 4: Introduction to TLS

    VCM is Mutual Authentication ready. This means that Agent certificates can be manually created and registered to create a Mutual Authentication environment. However, VCM does not support this mode out-of-the-box, or supply any functionality to aid in the administration of Agent Certificates. Contact VMware Customer Support for instructions. TECHNICAL WHITE PAPER / 4...
  • Page 5: Certificates And Public Key Infrastructure

    TLS Implementation for VCM Certificates and Public Key Infrastructure A Public Key Infrastructure, or PKI, is a management system that aids in the administration and distribution of public keys and certificates. TLS can use certificates managed by a public key infrastructure to guarantee the identity of servers and clients.
  • Page 6: Certificate Standards

    VCM UNIX Agent installation package to view or manage the UNIX Agent Certificate store. For more information, see the VMware vCenter Configuration Manager Installation and Getting Started Guide. All VCM Agents using HTTP should be able to trust any VCM Collector Certificate, not just the Collector that the Agent installation package was generated on.
  • Page 7: How VCM Uses Certificates

    TLS Implementation for VCM How VCM Uses Certificates There are three types of certificates that enable HTTP collector-agent communications in VCM: Enterprise Certificate One or more Collector Certificates Agent Certificates for each Agent (used in optional Mutual Authentication) Certificate information regarding the Enterprise and Collector certificates is collected in VCM. See Administration | Certificates.
  • Page 8 TLS Implementation for VCM Figure 2: Shared Collector-Agent Relationship As the diagram above illustrates, an Agent may communicate with more than one Collector. In this case, each Collector has a common Enterprise Certificate. Because both of the Collector certificates were issued by the same trusted authority, the Agent that is shared between the two can trust both Collector Certificates.
  • Page 9 TLS Implementation for VCM Figure 3: Trust Chain in a Shared Collector-Agent Relationship In addition, for Mutual Authentication in a shared Collector-Agent relationship, each Collector trusts the Agent Certificate because that Agent Certificate was issued by a Collector Certificate which was, in turn, issued by the trusted Enterprise Certificate.
  • Page 10: The Collector Certificate

    TLS Implementation for VCM The Collector Certificate The Collector Certificate is issued by the Enterprise Certificate, and must be usable for Server Authentication and, optionally, certificate signing (also known as “issuing”). Server Authentication is required to establish a TLS connection with an Agent. Certificate signing is required to issue Agent Certificates for Mutual Authentication. It is technically possible to split these functions between two certificates or two Collectors.
  • Page 11: TLS Machine Security Level

    Once an agent has established Mutual Authentication, the Collector will not allow non-TLS HTTP or Server (only) Authenticated TLS communication. The Collector supports both TLS and non-TLS capable Agents from earlier releases. Please contact VMware Customer Support for assistance using the current release with earlier Agents (TLS and non-TLS enabled).
  • Page 12: Creating And Installing Certificates For Collectors

    VCM and configure the Agents to trust these certificates. Installation of Certificates to Collectors VCM Installation Manager offers you the options of either generating your certificates during installation (see VMware vCenter Configuration Manager Installation and Getting Started Guide) or browsing to your certificate store to select pre-generated certificates.
  • Page 13: Changing Certificates

    TLS Implementation for VCM Changing Certificates Certificates always have an expiration date, after which they are no longer valid. The validity period for a certificate is a matter of policy and ranges from minutes to decades. When a certificate approaches expiration, you can either renew or replace it. Renewing Certificates Renewal of a certificate means extending the validity period for the certificate, using the same key pair, issuer, and identifying information. Because the key pair is reused, renew only when the private key is known to be intact; a key that may have been exposed calls for replacement instead.
  • Page 14 TLS Implementation for VCM After VCM installation, if you decide that you want to use different certificates than the ones that you either generated or selected during the installation process, you must replace those certificates. Use the following procedure to replace both the Enterprise and Collector Certificates. 1.
  • Page 15: Delivering Initial Certificates To Agents

    TLS Implementation for VCM Delivering Initial Certificates to Agents VCM Agents use Enterprise Certificates to validate Collector Certificates. Therefore, the Agent must have access to the Enterprise Certificate as a trusted certificate. In most cases, VCM will deliver and install the Enterprise Certificate as needed.
  • Page 16: Installing The Agent From A Disk (Windows Only)

    To manage the VCM UNIX Agent Certificate store, use the CSI_ManageCertificateStore utility and related help provided with your UNIX Agent installation package. For more information about UNIX/Linux or Mac OS X agent installation or packages and platforms, refer to the VMware vCenter Configuration Manager Installation and Getting Started Guide.
  • Page 17: Certificate Expiration

    The Enterprise Certificate is embedded in the installation package. For more information about UNIX/Linux or Mac OS X Agent installation, refer to the VMware vCenter Configuration Manager Installation and Getting Started Guide.
  • Page 18: Importing Certificates (Windows Only)

    TLS Implementation for VCM 8. Select the certificate to be exported. Right-click, and then select All Tasks | Export. 9. The Certificate Export wizard appears. Click Next. 10. The Export Private Key dialog box appears. If the private key for this certificate is available and is marked as exportable, you will have the option of exporting the private key.
  • Page 19 TLS Implementation for VCM 9. The File to Import dialog box appears. Select the file to import. Either format is acceptable: *.pfx or *.cer. The *.pem format is typically a synonym for *.cer and is used more commonly on UNIX systems. 10.
  • Page 20: Appendix A: Creating Certificates for TLS Using Makecert

    TLS Implementation for VCM Appendix A: Creating Certificates for TLS Using Makecert VCM is designed to run in TLS mode with two levels of certificates. In this mode, an Enterprise Certificate is the ultimate trusted authority. All Collector Certificates will be signed by this Enterprise Certificate. All Agents will have access to the Enterprise Certificate as a trusted authority.
  • Page 21: Create Certificates For Additional Collectors

    TLS Implementation for VCM 1. Use the following command to create the CM Enterprise Certificate: makecert -pe -n "<enterprise_cert_name>" -ss Root -sr LocalMachine -r -sky exchange -sk "<enterprise_key_name>" -b mm/dd/yyyy -e mm/dd/yyyy -len 1024 -h 2 -cy authority -eku 1.3.6.1.5.5.7.3.1 <filename[.cer | .pem]> 2.
  • Page 22 Collector machine. The Enterprise Certificate file is located in the CollectorData folder of the initial collector (typically C:\Program Files\VMware\VCM\CollectorData) or you can export it from the local machine trusted root system store. The export file has a .pem extension.
  • Page 23: Import The Certificates On The Collector Machines

    Refer to the following table for a list of the options used in the previously described MakeCert commands, and their definitions. Note The strings AAAAAA-AAAAAA... and BBBBBBBB-BBBBB... represent GUIDs. VMware uses GUIDs to help create unique names. GUIDs are a useful convention for programmatically creating uniqueness and are generally not necessary in a manual process.
  • Page 24 Must be a valid X.509 identifier. Collector Certificates generated by the VCM installer will have the form: “CN=VMware VCM Collector Certificate AAAAAAAA-AAAA-AAAA-AAAA-AAAAAAAAAAAA, T=VMware VCM Certificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F, O=<customer_name>” CN: Generic name based on a GUID generated for each set of certificates created.
  • Page 25 TLS Implementation for VCM
    -pe                        Make the private key exportable.
    -r                         Self-sign the certificate.
    -sk <collector_key_name>   Name the key container, for easy reference later. This name does not need to be related to the certificate name.
    -sk <enterprise_key_name>  Names the key container, for easy reference later. This name does...
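    The Appendix A procedure, as an added example that is not VMware's tooling or code: the same two-level model (an Enterprise root, Collector Certificates issued under it, and an optional Agent certificate issued by a Collector) built with OpenSSL on a UNIX host instead of makecert, then checked the way an Agent checks it, trusting nothing but the Enterprise Certificate. The names, subjects, validity periods and extension sets are assumptions; it uses 2048-bit keys because the -len 1024 in the makecert command above was reasonable in 2010 but 1024-bit RSA is below current minimums.

```shell
#!/bin/sh
# Added example, not VMware's tooling: reproduce the two-level trust model of
# Appendix A with OpenSSL and check it the way an Agent does, trusting only
# the Enterprise Certificate. All names, subjects and paths are illustrative.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a key and a CSR for $1 under a VCM-style subject.
new_request() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$1.key" -subj "/O=Example Corp/OU=VCM/CN=$1" \
    -out "$WORK/$1.csr" 2>/dev/null
}

# Enterprise Certificate: self-signed root, the trust anchor every Agent holds.
make_enterprise() {
  new_request "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 3650 \
    -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Issue $1 under issuer $2. $3 = CA:TRUE|FALSE, $4 = keyUsage, $5 = extendedKeyUsage.
# A Collector gets serverAuth plus keyCertSign so it can sign Agent certificates;
# an Agent certificate (optional mutual authentication) gets clientAuth only.
issue() {
  new_request "$1"
  printf 'basicConstraints=critical,CA:%s\nkeyUsage=critical,%s\nextendedKeyUsage=%s\n' \
    "$3" "$4" "$5" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 730 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# Agent-side check: does $1 chain to the trusted root $2 and nothing else?
# -no-CApath keeps the system CA directory out of the decision. $3 (optional)
# is the issuing Collector, supplied as an untrusted intermediate, which is how
# a Collector sees an Agent's chain when the Agent presents it.
agent_trusts() {
  if [ -n "${3:-}" ]; then
    openssl verify -no-CApath -CAfile "$WORK/$2.pem" -untrusted "$WORK/$3.pem" \
      "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl verify -no-CApath -CAfile "$WORK/$2.pem" -purpose sslserver \
      "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

# SHA-1 fingerprint without colons: the Windows "Thumbprint" of Appendix B and
# the prefix CSI_ManageCertificateStore uses for exported files (Appendix C).
thumbprint() {
  openssl x509 -in "$WORK/$1.pem" -noout -fingerprint -sha1 | sed 's/^.*=//; s/://g'
}

make_enterprise enterprise
issue collector-a enterprise TRUE digitalSignature,keyEncipherment,keyCertSign serverAuth
issue collector-b enterprise TRUE digitalSignature,keyEncipherment,keyCertSign serverAuth
issue agent-1 collector-a FALSE digitalSignature,keyEncipherment clientAuth
# An unrelated root: Collectors under it must be rejected by the Agent.
make_enterprise rogue-enterprise
issue rogue-collector rogue-enterprise TRUE digitalSignature,keyEncipherment serverAuth

for c in collector-a collector-b rogue-collector; do
  if agent_trusts "$c" enterprise; then echo "$c: trusted"; else echo "$c: NOT trusted"; fi
done
# Figure 3: an Agent certificate issued by Collector A chains to the shared
# Enterprise Certificate, so Collector B can trust it as well.
if agent_trusts agent-1 enterprise collector-a; then
  echo "agent-1: chains to enterprise via collector-a"
fi
echo "enterprise thumbprint: $(thumbprint enterprise)"
```

    The rogue Collector is rejected even though its own chain is internally valid, because its root is not in the Agent's trust store; that store is the whole of the Agent's protection, which is why the Appendix C utility matters. Note also that the Collector certificates here carry only the serverAuth EKU, as the white paper's makecert line does. Validators that intersect EKUs along the chain (Windows CryptoAPI, and OpenSSL when given -purpose sslclient) refuse an Agent certificate for client authentication when its issuer lacks clientAuth, so a mutual-authentication deployment needs clientAuth on the issuing Collector's certificate too; the white paper does not say how VCM's own validator treats this, so confirm it with VMware support before relying on it.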
  • Page 26: Appendix B: Updating the Collector Certificate Thumbprint in the VCM Collector Database

    TLS Implementation for VCM Appendix B: Updating the Collector Certificate Thumbprint in the VCM Collector Database 1. Within MMC, navigate to the Collector Certificate. 2. Right-click the certificate, and then select Open. The Certificate Information window appears. 3. Click the Details tab, and then scroll down to the Thumbprint field. Copy the value for use in the SQL script shown below.
  • Page 27: Appendix C: Managing the VCM UNIX Agent Certificate Store

    TLS Implementation for VCM Appendix C: Managing the VCM UNIX Agent Certificate Store The VCM UNIX Agent certificate store is a protected data storage area that is designed to hold enterprise and collector certificates for server authentication, and to hold the agent certificate and private key for mutual authentication. Although this store is not encrypted, it is protected from simple viewing.
  • Page 28: CSI_ManageCertificateStore Options

    TLS Implementation for VCM CSI_ManageCertificateStore Options
    [root@localhost tmp]# CSI_ManageCertificateStore -?
    Usage: /opt/CMAgent/CFC/3.0/bin/CSI_ManageCertificateStore -[?h]
           [-c certificate_store_name] -[adel] [-g fingerprint] [-s subject] [-f filename]
           [-c certificate_store_name] -[iu] -f filename
      -h  Display this help and exit
      -?  Display this help and exit
      -c  The name of the certificate store. This name includes the path. Defaults to registry value
      -a  Perform action on all certificates in the store
      -d  Delete from the certificate store...
  • Page 29 TLS Implementation for VCM
      -u  Update certificate in the certificate store
    Common uses:
    Insert a new certificate into the certificate store:
      /opt/CMAgent/CFC/3.0/bin/CSI_ManageCertificateStore -i -f filename
    Update an existing certificate in the certificate store:
      /opt/CMAgent/CFC/3.0/bin/CSI_ManageCertificateStore -u -f filename
    Add a key to an existing certificate in the certificate store:
      /opt/CMAgent/CFC/3.0/bin/CSI_ManageCertificateStore -u -f filename -k key_filename
    Delete an existing certificate from the certificate store:
      /opt/CMAgent/CFC/3.0/bin/CSI_ManageCertificateStore -d -f filename...
  • Page 30: CSI_ManageCertificateStore Output

    [root@localhost tmp]# CSI_ManageCertificateStore -l
    Certificate:
      Fingerprint: 1C564431B9B28DC4D24BB920FD98B539FF57C0C2
      Common Name: testca1.VMware.com
      Subject : CN = testca1.VMware.com, ST = Colorado, C = US, emailAddress = ca1@VMware.com, O = VMware, Inc., OU = Testing
    Certificate:
      Fingerprint: 779403A8D53B1258F3EB09E62A8D17B14CD81DC3
      Common Name: Enterprise Certificate 9ACD1B00-42CF-4794-B4E8-B6BDBEC1D4B6...
  • Page 31 Certificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F, CN = Enterprise Certificate 9ACD1B00-42CF-4794-B4E8-B6BDBEC1D4B6
    Certificate:
      Fingerprint: 0041AB5ECF869E1D6A38389A6B834D5768932397
      Common Name: Enterprise Certificate 2CA82018-20E1-4487-8A02-DA7A2CFD4304
      Subject : O = VMware, Inc., OU = VMware vCenter Configuration Manager, title = VCM Certificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F, CN = Enterprise Certificate 2CA82018-20E1-4487-8A02-DA7A2CFD4304
    Certificate:
      Fingerprint: 765831AFF8E15332F78D7CBC805F1C68089C8640...
  • Page 32 TLS Implementation for VCM
      Subject : O = VMware, Inc., OU = VMware vCenter Configuration Manager, title = VCM Certificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F, CN = Enterprise Certificate 2CA82018-20E1-4487-8A02-DA7A2CFD4304
    Example of exporting certificates from the store
    By default the “-e” option for exporting certificates will cause all certificates in the store to be exported. This behavior can be modified by specifying options (for example, “-g fingerprint”...
  • Page 33 TLS Implementation for VCM
      Subject : O = QAT, OU = VMware vCenter Configuration Manager, title = VCM Certificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F, CN = Enterprise Certificate 7780CB3B-281F-47DF-B48B-5BDE5806C156
    This command produced the following files:
      0041AB5ECF869E1D6A38389A6B834D5768932397-cert.pem
      1C564431B9B28DC4D24BB920FD98B539FF57C0C2-cert.pem
      765831AFF8E15332F78D7CBC805F1C68089C8640-cert.pem
      779403A8D53B1258F3EB09E62A8D17B14CD81DC3-cert.pem
    If the certificate in the store has an associated private key (this is only used if mutual authentication is set up), an additional file named fingerprint-key.pem will be created.
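    An audit of the Appendix C store listing, as an added example that is not part of the VCM UNIX Agent package: every certificate in the Agent's store is an issuer whose Collector Certificates the Agent will accept, so the listing should contain only the Enterprise Certificates you actually issued, and the sample above already shows a test CA (testca1.VMware.com) sitting beside them. The listing embedded below is constructed from the white paper's sample output; its one-field-per-line layout under "Certificate:" and the allow-list of known thumbprints are assumptions.

```shell
#!/bin/sh
# Added example, not part of the VCM UNIX Agent package: audit what an Agent's
# certificate store trusts. The listing is constructed from the white paper's
# sample; its one-field-per-line layout is an assumption about how
# CSI_ManageCertificateStore -l prints.
set -eu

SAMPLE_LISTING='Certificate:
  Fingerprint: 1C564431B9B28DC4D24BB920FD98B539FF57C0C2
  Common Name: testca1.VMware.com
  Subject : CN = testca1.VMware.com, ST = Colorado, C = US, emailAddress = ca1@VMware.com, O = VMware, Inc., OU = Testing
Certificate:
  Fingerprint: 779403A8D53B1258F3EB09E62A8D17B14CD81DC3
  Common Name: Enterprise Certificate 9ACD1B00-42CF-4794-B4E8-B6BDBEC1D4B6
  Subject : O = VMware, Inc., OU = VMware vCenter Configuration Manager, title = VCM Certificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F, CN = Enterprise Certificate 9ACD1B00-42CF-4794-B4E8-B6BDBEC1D4B6
Certificate:
  Fingerprint: 0041AB5ECF869E1D6A38389A6B834D5768932397
  Common Name: Enterprise Certificate 2CA82018-20E1-4487-8A02-DA7A2CFD4304
  Subject : O = VMware, Inc., OU = VMware vCenter Configuration Manager, title = VCM Certificate 7529006C-222F-4EBF-A7E7-F6AB15DB626F, CN = Enterprise Certificate 2CA82018-20E1-4487-8A02-DA7A2CFD4304'

# Thumbprints of the Enterprise Certificates this organisation issued (assumed).
EXPECTED_ENTERPRISE='779403A8D53B1258F3EB09E62A8D17B14CD81DC3'

# Read a listing on stdin; emit one "FINGERPRINT<TAB>common name" line per
# certificate. A fingerprint that is not 40 upper-case hex digits aborts with
# status 2 instead of silently producing an entry that never matches anything.
store_entries() {
  awk -F': *' '
    function flush() {
      if (bad || fp == "") return
      if (length(fp) != 40 || fp ~ /[^0-9A-F]/) {
        print "malformed fingerprint: " fp > "/dev/stderr"; bad = 1; exit 2
      }
      print fp "\t" cn; fp = ""; cn = ""
    }
    /^Certificate:/        { flush() }
    /^[ \t]*Fingerprint:/  { fp = $2 }
    /^[ \t]*Common Name:/  { cn = $2 }
    END                    { flush() }'
}

# Print the entries whose fingerprint is not in the allow-list given as $1
# (whitespace-separated thumbprints). Each one is a trust anchor that could
# sign a certificate the Agent would accept from an impostor Collector.
unexpected_anchors() {
  store_entries | while IFS="$(printf '\t')" read -r fp cn; do
    case " $1 " in
      *" $fp "*) ;;
      *) printf '%s\t%s\n' "$fp" "$cn" ;;
    esac
  done
}

# File name that CSI_ManageCertificateStore -e gives an exported certificate.
export_name() { printf '%s-cert.pem\n' "$1"; }

echo '--- store contents:'
printf '%s\n' "$SAMPLE_LISTING" | store_entries
echo '--- trust anchors that are not one of our Enterprise Certificates:'
printf '%s\n' "$SAMPLE_LISTING" | unexpected_anchors "$EXPECTED_ENTERPRISE" |
  while IFS="$(printf '\t')" read -r fp cn; do
    echo "$fp ($cn): review; if it is not yours, delete it from the store (-d)"
  done
```

    Run the same functions against the real output of /opt/CMAgent/CFC/3.0/bin/CSI_ManageCertificateStore -l on each Agent; an allow-list mismatch on a production Agent means the Agent would accept a Collector that your Enterprise Certificate never issued.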
  • Page 34 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright © 2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc., in the United States and/or other jurisdictions.
