EMC Unity Family Security Configuration Manual page 18

Access Control
EMC Unity All Flash, EMC Unity Hybrid, EMC UnityVSA 4.0 Security Configuration Guide
18
Storage DRS integration: vSphere will rely on information obtained internally from
l
the VP and feed it into its business logic for various Storage DRS work-flows.
VASA 3.0 and 2.0 support Virtual Volumes (VVols). VASA 3.0 and VASA 2.0 support
interfaces to query storage abstractions such as VVols and Storage Containers. This
information helps storage policy based management (SPBM) make decisions about
virtual disk placement and compliance. VASA 3.0 and VASA 2.0 also support interfaces
to provision and manage the lifecycle of Virtual Volumes used to back virtual disks.
These interfaces are directly invoked by ESXi hosts.
For more information related to VASA, vSphere, and VVols, refer to the VMware
documentation and the Unisphere online help.
Authentication related to VASA
In order to initiate a connection from vCenter to the Unisphere VP, you must use the
vSphere client to enter three key pieces of information:
the URL of the VP, using the following format:
l
For VASA 3.0 and VASA 2.0, https://<Management IP address>:8443/vasa/
n
version.xml
For VASA 1.0, https://<Management IP address>:8444/vasa/version.xml or
n
https://<Management IP address>:8444/vasa/services/vasaService
the username of a Unisphere user (the role must be either VM Administrator or
l
administrator):
Note
The VM Administrator role is strictly used as a means to register certificates.
for local users use the syntax: local/<username>
n
for LDAP users use the syntax: <domain>/<username>
n
the password associated with this user
l
The Unisphere credentials used here are only used during this initial step of the
connection. If the Unisphere credentials are valid for the target storage system, the
certificate of the vCenter Server is automatically registered with the storage system.
It is this certificate that is used to authenticate all subsequent requests from the
vCenter. No manual steps are required to install or upload this certificate to the VP. If
the certificate has expired, the vCenter must register a new certificate to support a
new session. If the certificate is revoked by the user, the session is invalidated and the
connection is severed.
vCenter session, secure connection and credentials
A vCenter session begins when a vSphere administrator uses the vSphere Client to
supply the vCenter Server with the VP URL and login credentials. The vCenter Server
uses the URL, credentials, and the SSL certificate of the VP to establish a secure
connection with the VP. A vCenter session ends when one of the following events
occurs:
An administrator uses the vSphere Client to remove the VP from the vCenter
l
configuration and the vCenter Server terminates the connection.
The vCenter Server fails or a vCenter Server service fails, terminating the
l
connection. When vCenter or the service starts again, it will attempt to reestablish
the SSL connection. If it cannot, it will start a new SSL connection.
The VASA Provider fails, terminating the connection. When the VASA Provider
l
starts up, it can respond to communication from the vCenter Server to reestablish
the SSL connection and VASA session.