ACE Management Server Administrator's Manual
Creating Access Control
On the Access Control tab, you can create a local Administrator role and Help Desk role or use Active
Directory for authenticating users with these roles.
Before you can configure the ACE Management Server to use a domain account for authentication, you must
create users and groups so that ACE Management Server can connect to the LDAP server. See "Create Users
and Groups for Integration with Active Directory" on page 29.
Use the following information to help you complete the fields for authentication:
- Local account – If you specify a password for the Administrator role and forget or lose it, you must delete
  the server configuration file. Deleting this file sets the server back to its initial state. You must reconfigure
  the server and set the administrator password again.
  See "Delete the Server Configuration File and Set a New Administrator Password" on page 52.
- Domain account (LDAP) – To use Active Directory for authentication, specify the host and credentials
  that the ACE Management Server uses to connect to and query the domain controller:
  - Host Name – Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP
    address or host name with no parent domain name (for example, ldap).
  - Query User sAMAccountName and Query User Password – Use the password and short name for
    the user account you created for this purpose in Active Directory.
  - Query User Domain – The domain must be the domain for which the LDAP host is a domain
    controller.
  - Admin Group DN and Help Desk Group DN – (Optional) Enter the distinguished name for these
    groups, which you created for this purpose in Active Directory (for example,
    cn=Users,dc=simplecorp,dc=com).
    If this option is not enabled, anyone who logs in to the Help Desk application must be a member of
    the ACE Administrators group.
- Help Desk Role or Group DN – Creating a Help Desk role allows you to permit certain users to perform
  Help Desk tasks from the Help Desk application. Users in this role cannot access other administrative
  tools. You can still log in to the Help Desk Web application with your administrative LDAP credentials or
  local Administrator password.
If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you
can navigate to another tab.
Uploading Custom SSL Certificates
To have ACE Management Server use custom SSL certificates, either your own self‐signed certificates or those
of a third‐party or internal CA (certificate authority), use the Custom SSL Certificates tab to upload the
PEM‐encoded files.
Before you can upload custom SSL certificates, you must create and rename the certificate files. See "Prepare
Custom Security Certificates" on page 34.
By default, during ACE Management Server installation, the following two files are created:
- server.key – This RSA 1024‐bit key is the private key.
- server.crt – This self‐signed certificate is valid for 10 years from the date and time at which the server is
  installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate
  file is encoded in PEM format.
When you run an ACE instance, the VMware Player application uses the complete certification chain that is
included in its package, not on the host, to verify connections made to ACE Management Server. Therefore,
the use of self‐signed certificates is adequate for most security needs. For more information about how
VMware ACE uses security certificates, see "Using SSL Certificates and Protocol" on page 18.
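The properties listed above for the default server.crt (RSA key size, self‐signed, 10‐year validity, PEM encoding) can be read back from any PEM certificate before it is uploaded on the Custom SSL Certificates tab. The following is an added example, not part of this manual or of VMware ACE: a standard-library Python reader that walks the certificate's DER structure and reports those properties. The names `inspect_cert` and `MIN_RSA_BITS` and the 2048-bit threshold are assumptions of this example, and it handles RSA keys only.

```python
import base64, re, sys
from datetime import datetime

MIN_RSA_BITS = 2048  # assumed policy threshold for this example, not a value from the manual

def tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """Return (tag, value_start, value_end) for each element inside a constructed value."""
    out = []
    while start < end:
        out.append(tlv(buf, start))
        start = out[-1][2]
    return out

def parse_time(tag, raw):
    """UTCTime (0x17) has a 2-digit year (RFC 5280: >= 50 means 19xx); GeneralizedTime has 4."""
    text = raw.decode("ascii")
    if tag == 0x17:
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ")

def inspect_cert(pem):
    """Report RSA key size, validity period and issuer/subject equality for a PEM certificate."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, ts, te = children(der, *tlv(der, 0)[1:])[0]       # Certificate -> tbsCertificate
    fields = children(der, ts, te)
    first = 3 if fields[0][0] == 0xA0 else 2             # skip [0] version, serial, signature alg
    issuer, validity, subject, spki = fields[first:first + 4]
    nb, na = (parse_time(t, der[a:b]) for t, a, b in children(der, validity[1], validity[2]))
    _alg, keybits = children(der, spki[1], spki[2])      # AlgorithmIdentifier, BIT STRING
    _, ks, ke = tlv(der, keybits[1] + 1)                 # skip the BIT STRING unused-bits octet
    _, ns, ne = children(der, ks, ke)[0]                 # RSAPublicKey.modulus
    bits = int.from_bytes(der[ns:ne], "big").bit_length()
    # Equal issuer and subject are necessary for self-signed; the signature is not verified here.
    return {"rsa_bits": bits, "below_policy": bits < MIN_RSA_BITS,
            "validity_days": (na - nb).days,
            "issuer_equals_subject": der[issuer[1]:issuer[2]] == der[subject[1]:subject[2]]}

if __name__ == "__main__":  # usage: python check_cert.py server.crt
    print(inspect_cert(open(sys.argv[1]).read()))
```

A certificate issued by a third‐party or internal CA reports `issuer_equals_subject` as false, which distinguishes it from the self‐signed default.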
36
VMware, Inc.