Safeguarding Installation Kits; Vcm Installation Kits Are Obtained From Vmware Or Secure Sources; Vcm Installation Kits Are Protected From Tampering Or Verified - VMware VCM 5.3 - CONFIGURATION MANAGER SECURITY ENVIRONMENT REQUIREMENTS Configuration

Vcenter configuration manager security environment requirements

Table of Contents

7.0 Safeguarding Installation Kits

Secure operation of VCM requires that the product's software be untampered with and intact as delivered by VMware.

VMware ships VCM and add-on products on CD/DVD in packages signed by the VMware Software Publisher

Certificate. This software reaches customer machines in various ways:

Delivery of the CD/DVD

Download from http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vcenter_configuration_

manager/5_0

ClickOnce™ download from the server zone

Agent push install by the Collector service

Patching Agent push by Patching

Thin client UI by HTTP

VCM Remote updates

Patching deployed patches and updates

VMware VCM Software Provisioning

SMS

Group Policy

VCM Remote Command file attachments

The best practice is to ensure that each kit is either obtained from a secure channel, or is verified.

Executables and MSI installers can be verified by using the Certificate Verification Tool available on the Microsoft

Developer's Network.

The VMware Software Publisher Certificate is available at http://downloads.vmware.com/d/info/datacenter_

downloads/vmware_vcenter_configuration_manager/5_0.

When VCM installation kits are stored on writable media, they must be protected from tampering prior to installation.

Compliance rules and other content exported using the VCM import/export tool likewise should be protected while in

transit to other sites. Authenticode signatures on installation kits are verified just prior to installation. For example:

signtool verify /a /v "CMAgent<version>.msi"

vCenter Configuration Manager Security Environment Requirements

TECHNICAL WHITE PAPER / 17

Table of Contents

Vcm 5.3