VMware VCENTER CONFIGURATION MANAGER 5.3 Getting Started Manual page 16

Vcenter configuration manager installation and getting started guide

vCenter Configuration Manager Installation and Getting Started Guide
is shared between two collectors.
Server Authentication is required to establish a TLS connection with an Agent. All Collectors should have a common Enterprise Certificate. Each Collector Certificate is issued by the Enterprise Certificate, and is capable of Server Authentication.

- The Collector Certificate is used to initiate and secure a TLS communication channel with an HTTP Agent. The Agent must be able to establish that the Collector Certificate can be trusted, which means that the Collector Certificate is valid and the certification path starting with the Collector Certificate ends with a trusted certificate. By design, the Enterprise Certificate is installed in the Agent's trusted store, and the chain ends with the Enterprise Certificate.
- A Collector Certificate can also be used to issue Agent certificates. As long as all Collector Certificates are issued by the same Enterprise Certificate, any Agent Certificate may be issued by any Collector Certificate, and all Agents will be able to trust all Collectors. Similarly, all collectors will be able to validate all Agent Certificates. Agent Certificates are used for Mutual Authentication only. Mutual authentication is supported, but requires interaction with VMware Customer Support and a Collector Certificate that also has certificate signing capability.
- The Collector Certificate and associated private key must be available to the Collector. This certificate is stored in the (local machine) personal system store.

Collector Certificates in VCM must adhere to the requirements specified above in Secure Communications Certificates.
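
The trust decision described above (the chain must end at the Enterprise Certificate, and the certificate must be capable of Server Authentication) can be reproduced with OpenSSL. This is an added example, not taken from the VCM guide or from VCM itself; the check_collector helper, the certificate names and the sample PKI are constructed for illustration, and OpenSSL 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example, not from the VCM guide. Assumes OpenSSL 1.1.1 or later.
# check_collector ENTERPRISE_PEM CERT_PEM: succeeds only if CERT chains to the
# Enterprise Certificate and is valid for TLS Server Authentication.
check_collector() {
    empty=$(mktemp -d) || return 2
    # -no-CApath plus an empty SSL_CERT_DIR keep system CAs out of the decision,
    # leaving the Enterprise Certificate as the only trust anchor.
    SSL_CERT_DIR="$empty" openssl verify -no-CApath -CAfile "$1" \
        -purpose sslserver "$2" >/dev/null 2>&1
    rc=$?
    rmdir "$empty"
    return "$rc"
}
# make_ca DIR NAME: constructed self-signed CA (key and certificate)
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -config "$1/cnf" -extensions ca \
        -subj "/CN=$2" -days 2 -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}
# issue DIR NAME EXT_SECTION CA_NAME: certificate NAME.pem signed by CA_NAME
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -extfile "$1/cnf" -extensions "$3" -days 2 \
        -out "$1/$2.pem" 2>/dev/null
}
# build_constructed_pki DIR: sample certificates for the three cases below
build_constructed_pki() {
    printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
        '[dn]' 'CN = constructed' \
        '[ca]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
        '[server]' 'extendedKeyUsage = serverAuth' \
        '[client]' 'extendedKeyUsage = clientAuth' > "$1/cnf"
    make_ca "$1" enterprise && make_ca "$1" rogue &&
    issue "$1" collector server enterprise &&   # Enterprise-issued, serverAuth
    issue "$1" lookalike server rogue &&        # issued by an unrelated CA
    issue "$1" clientonly client enterprise     # Enterprise-issued, no serverAuth
}
demo() {
    d=$(mktemp -d) && build_constructed_pki "$d" || return 1
    for c in collector lookalike clientonly; do
        if check_collector "$d/enterprise.pem" "$d/$c.pem"
        then echo "$c: trusted"; else echo "$c: rejected"; fi
    done
    rm -rf "$d"
}
demo
```

Only the certificate issued by the constructed Enterprise CA with Server Authentication is accepted; the lookalike from another CA and the Enterprise-issued certificate without Server Authentication are both rejected.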
Delivering Initial Certificates to Agents
VCM Agents use the Enterprise Certificate to validate Collector Certificates. Therefore, the Agent must
have access to the Enterprise Certificate as a trusted certificate. In most cases, VCM will deliver and install
the Enterprise Certificate as needed.
- Installing the Agent from a Disk (Windows® only): The VCM Installation DVD does not contain customer-specific certificates. If HTTP is specified, the manual VCM Installer requests the location of the Enterprise Certificate file during the installation. You must have this file available at installation time. The certificate file (with a .pem extension) can be copied from the CollectorData folder of the Collector. This will be the case whether you run the manual installer directly (CMAgentInstall.exe) or use the "Agent Only" option from the DVD auto-run program.
- Using CMAgentInstall.exe to Install the Agent (Windows® only): CMAgentInstall.exe or CMAgent[version].msi is the manual Agent installer program. The manual installer will request the location of the Enterprise Certificate file, if HTTP is specified. You must have this file available at installation time. The certificate file can be copied from the CollectorData folder of the Collector.
- MSI Install Package: If HTTP is specified, the MSI agent install package also requires access to the .pem file.
- Installing the Agent for UNIX/Linux: See Installing the VCM Agent on UNIX/Linux Machines in this document.

Installing the Agent Using a Provisioning System
For Windows®, the manual installation program is available in .exe and .msi formats. Both versions allow the Enterprise Certificate file to be specified with a command line switch. The certificate installation step may also be omitted with a command line switch. When these programs are run through a provisioning system, you must ensure that the Enterprise Certificate is available (and still secure), and configure the program options appropriately. Alternatively, you may choose to push the Enterprise Certificate to Agents by some other means and configure the provisioning system to omit certificate installation.
VMware, Inc.
