Web Browser Preparation; Place The Vcm Web Host In The Ie Trusted Zone; Verify The Vcm Web Host's Https Certificate; Verify The Vcm Software Publisher Certificate - VMware VCM 5.3 - CONFIGURATION MANAGER SECURITY ENVIRONMENT REQUIREMENTS Configuration

vCenter Configuration Manager Security Environment Requirements

10.0 Web Browser Preparation

The VCM web client runs within IE and connects to the VCM web application served by IIS. Since VCM users also
browse the Internet using IE, VCM requires that the security measures described in the following sections be taken in
order to protect VCM users from spoofing and cross-site scripting attacks.

10.1 Place the VCM Web host in the IE trusted zone

Placing VCM in the trusted zone has beneficial effects. It allows IE to delegate the VCM user's credentials to the web
service for use with SQL Server when running in a split-installation configuration, making this a requirement for proper
SQL Server preparation. It also allows users to disable navigation into the trusted zone from less privileged IE zones;
thereby reducing XSS exposure. To place VCM web host in the IE Trusted Zone, see the VCM Web Service
Installation and Getting Started Guide for Split Installs, pages 3- 4, and figures 3-5. The document is available from
VMware Customer Support.

10.2 Verify the VCM Web host's HTTPS certificate

The SSL certificate used for HTTPS with the VCM web host can be issued by either a trusted root certificate authority
or self-issued by the customer. When a certificate from a trusted authority is detected, IE will not notify the VCM user.
However, when an untrusted certificate is detected (either a customer-issued or false certificate), IE will ask the user
to accept the certificate as trusted. When this occurs, VCM users should verify the certificate is authentic and
authorized by clicking the 'Details' tab of the dialog and verifying the information with the certificate creator.
Trusted SSL certificates are those issued by members of the Microsoft Root Certificate Program list.

10.3 Verify the VCM software publisher certificate

Some components of the VCM UI download to the VCM user's browser as ClickOnce deployments signed by the
VMware Software Publisher Certificate (SPC). When these components are activated in the UI, the user will be
prompted for whether to trust the SPC. When this occurs, VCM users should verify the certificate is authentic and
authorized by clicking the 'Details' tab of the dialog and verifying the information with VMware. The VMware Software
Publisher Certificate is available at http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vcenter_
configuration_manager/5_0.

10.4 Remove untrusted machines from the IE trusted zone

VCM is a system and network configuration management tool. Therefore, the VCM web site should be isolated from
untrusted sites to prevent cross site attacks.
TECHNICAL WHITE PAPER / 21