Ams Manual Tech Preview


  • 8/6/2019 Ams Manual Tech Preview

    1/66

ACE Management Server Administrator's Manual

    VMware ACE

    EN-000198-00


    VMware, Inc.

3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com


    You can find the most up-to-date technical documentation on the VMware Web site at:

    http://www.vmware.com/support/

    The VMware Web site also provides the latest product updates.

    If you have comments about this documentation, submit your feedback to:

    [email protected]

© 2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.

VMware, the VMware "boxes" logo and design, Virtual SMP, and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.


Contents

About This Book 7

1 Introduction 9
Features of ACE Management Server 9
System Requirements 10
Required Hardware 10
Supported Operating Systems 10
Supported External Databases 10
Supported Proxies 11
Required Web Browsers 11
Licensing 11

2 Planning an ACE Management Server Deployment 13
Deployment Components 13
Host System Options 14
Windows Hosts 14
Linux Hosts 14
Server Appliance Option 14
Database Options 15
Active Directory Authentication Options 15
Performing Capacity Planning 15
Database Throughput and Scalability 16
LDAP Throughput 16
Network Bandwidth and Policy Update Frequency 16
ACE Policy Configuration 17
Load Balancers 17
Security Features and Considerations 17
Using SSL Certificates and Protocol 18
Accessing ACE Management Server from Outside the Corporate Firewall 19
Deployment Planning Worksheet 19

3 Installing and Configuring ACE Management Server 21
Preparing for Installation 21
Configure TLS in Your Browser 21
Installing and Upgrading ACE Management Server 22
Install an ACE Management Server on a Windows Host 22
Install ACE Management Server on a Linux System 23
Install an ACE Management Server Appliance 24
Verify That the Apache Service Is Started or Restarted 25
Start and Configure ACE Management Server 26
Log In to ACE Management Server 26


4 Configuration Options for ACE Management Server 29
Prerequisites for Configuring the Server 29
Create Users and Groups for Integration with Active Directory 29
Set Up an External Database 30
Creating a System DSN Entry for an External Database 31
Increase the Number of Database Connections Allowed 32
Enable Database Connection Pooling on Linux 33
Set Up a Connection Between the Server Appliance and an External Database 33
Prepare Custom Security Certificates 33
View the Properties of the Self-Signed Certificate File 34
Starting ACE Management Server Configuration 34
Viewing and Changing Licensing Information 34
Using an External Database 35
Creating Access Control 35
Uploading Custom SSL Certificates 36
Logging Events 37
Applying Configuration Settings 37

5 Load Balancing Multiple ACE Management Server Instances 39
Typical Setup Using Load-Balanced ACE Management Server Instances 40
Install the Required Services for Load Balancing 40
Use the Same SSL Certificate on All Servers 41
Create New SSL Certificates and Keys for Each Server 41
Installing and Configuring the Load Balancer 43
Verify That ACE Instances Are Using the Load Balancer 43

6 Managing ACE Instances 45
Viewing ACE Instances That the Server Manages 45
Use the VMware ACE Help Desk Application 46
Use the Instance View in Workstation 46
Search for an Instance 47
Sort by Column Heading and Change Column Width 47
Show, Hide, and Move Columns in the Instance View 48
Create or Delete Custom Columns in the Instance View 48
View Instance Details 48
Reactivate, Deactivate, or Delete an ACE Instance 49
Policies Tab 49
Change a Copy Protection ID 49
Reset the Authentication Password 50
Add Information for Custom Columns 50

7 Troubleshooting and Maintenance 51
Troubleshooting Configuration Problems 51
Connection Problems Between a Linux ACE Instance and ACE Management Server 51
Change the Port Assignment for ACE Management Server 51
Delete the Server Configuration File and Set a New Administrator Password 52
Restore a Backup Copy of an SSL Certificate 52
Configuring Multiple ACE Management Server Instances to Use SSL 53
Database Backup 53


About This Book

This manual, the VMware ACE Management Server Administrator's Manual, provides information about installing and using the VMware ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:

• Manage activation of ACE packages.
• Manage authentication of those activated packages.
• Dynamically deliver policy updates to managed ACE instances.
• Dynamically deliver instance customization data for managed ACE instances with Windows guest operating systems.

Intended Audience

This book is intended for anyone who needs to install, upgrade, or use ACE Management Server to manage ACE instances. ACE Management Server is intended for ACE administrators who must maintain and update ACE policies used on virtual machines deployed throughout an enterprise.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to:

[email protected]

Technical Support and Education Resources

The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.

Support Offerings

To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.

VMware Professional Services

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available on site, in the classroom, and live online. For on-site pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.


Chapter 1 Introduction

The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.

This chapter includes the following topics:

• Features of ACE Management Server on page 9
• System Requirements on page 10

Features of ACE Management Server

ACE Management Server offers scalability and reliability:

• You can increase capacity by adding network resources such as load balancers and extra server hardware.
• For testing environments, the default embedded backing store provides a simple and efficient database solution. To scale ACE Management Server for production deployments, you can configure and use an external relational database management system (RDBMS).
• In Windows, multithreaded processes handle server requests. In Linux, multiple processes handle server requests. If one process fails, another takes over.

ACE Management Server offers Active Directory integration:

• You can use Active Directory to authenticate users of ACE instances.
• You do not need a schema change for your existing Active Directory.
• LDAP is used to access Active Directory.
• Information about Windows domain user account states is provided in clear and useful messages. Reasons for login failures are presented as locked out or password expired.
• ACE Management Server acts as an Active Directory password change proxy.
• You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.

Security features include the following:

• Encrypted communications between server and clients travel over HTTPS traffic.
• Passwords are stored securely in hashed form in the backing store.
• Flexible database options allow use of an embedded database or external RDBMS to store ACE instance data and policies.

ACE Management Server is easy to install and configure. Client traffic can be proxied by easily available products. The server uses easily available software components:

• Apache Web server 2.0


• The default SQLite database store

The server setup uses industry-standard protocols:

• HTTPS and LDAP
• XML-RPC for message encapsulation

ACE Management Server offers extensibility and availability:

• You can create and use more than one ACE Management Server. When you use more than one server, you can set the servers up so that they share the same database for load balancing or increased fault tolerance.
• A Windows ACE Management Server can be on the same system as Workstation.
• You can designate a single ACE Management Server name, such as https://ace.policyserver.company.com, and use DNS lookup to translate the host name to an address. The address is cached if a DNS server is not available. Additionally, you can use different ACE Management Server instances if users travel between offices in different geographic locations.

System Requirements

The following sections describe the ACE Management Server system requirements.

Required Hardware

• A minimum of an 800 MHz compatible x86 and x86-64 architecture processor. Compatible processors include: Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including Prestonia), AMD, Athlon, Athlon MP, Athlon XP, Duron, Opteron, AMD64 Opteron, and Athlon 64. Experimental support for Intel IA-32e CPU.
• 40 MB of free space is required for basic installation. VMware recommends at least 10 GB of free disk space.
• An 8-bit display adapter is required.
• For local area networking, any Ethernet controller that the operating system supports is sufficient.

Supported Operating Systems

Following are the supported operating systems for ACE Management Server:

• Windows Server 2003 Web Edition SP1 and SP2, Windows Server 2003 Standard Edition SP1 and SP2, Windows Server 2003 Enterprise Edition SP1 and SP2 (includes 64-bit and R2 editions)
• Windows XP Professional (includes 64-bit editions)
• Windows 2000 Server Service Pack 4 and Windows 2000 Advanced Server Service Pack 4
• Red Hat Enterprise Linux Advanced Server 4.0 with Update 4
• SUSE Linux Enterprise Server 9 Service Pack 3

Supported External Databases

An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:

• For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g

NOTE Your server name must be either the machine name in English or the IP address. International characters are not supported.


If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.

• For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

Supported Proxies

You can deploy ACE Management Server with the following HTTPS proxy solutions:

• Apache Proxy: Using mod_proxy
• Zeus Technology Load Balancer: A commercially available load balancer and traffic management solution

Required Web Browsers

The browser-based ACE Management Server Setup application and the VMware ACE Help Desk application require one of the following Web browsers:

• Mozilla Firefox 1.52 or higher
• Internet Explorer 6.0 or higher

Licensing

You must configure the server and enter the serial number in the server setup Web application. If you do not, you cannot connect to the server in Workstation.

Your serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. Workstation and ACE instances cannot connect to an ACE Management Server with an expired or nonexistent license.


    Chapter 2 Planning an ACE Management Server Deployment

Database Options

ACE Management Server offers the following database options:

• Embedded SQLite database: The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.

  The SQLite database is file based and is not designed to be effectively shared across multiple processes. If you use third-party tools to access the database for a read operation, therefore, you cannot depend on transactional isolation of the pending write operations of the ACE Management Server.

  The embedded database is adequate for testing purposes, but VMware recommends that you use an external database in production environments.

• Supported external database: In production environments, use a supported external database as a backing store for ACE Management Server, through ODBC connectivity. Supported external database engines are the following:

  • For Windows-based ACE Management Server, use Microsoft SQL Server (SQL Server 2000 or SQL Server 2005) or Oracle Database 10g installed on the same system or a different Windows system
  • For Linux-based ACE Management Server, use PostgreSQL 7.4 or higher installed on the same system or a different Linux system

Using an external database with ACE Management Server offers the following benefits:

• Online backup so that you do not have to shut down ACE Management Server to back up the database.
• Enhanced security model. You can fine-tune permissions to access sensitive data. The SQLite database engine provides file-system-based security.
• Performance fine-tuning.
• Ability to use external database management and reporting tools.
• Ability to use load balancers with multiple ACE Management Server instances. You must use an external RDBMS as the backing store, because the SQLite database is not designed to be effectively shared across multiple processes.

Active Directory Authentication Options

Active Directory integration provides the following benefits:

• Permits joining an operating system that is running an ACE instance to the domain remotely.
• Provides search functions so you can quickly find a particular individual or group.
• Enables you to use Active Directory Users and Groups to configure role-based access to the features of ACE Management Server.

Performing Capacity Planning

ACE Management Server enables you to manage ACE instances and policies in real time. The number of clients that a single ACE Management Server can serve depends on several key factors:

• Database throughput and scalability
• LDAP throughput (if you are using Active Directory)
• Network bandwidth available for incoming client requests
• ACE policy configuration
• Load balancers for very large deployments (more than 5,000 clients)

NOTE If ACE Management Server is deployed in the DMZ, use an external database located inside your corporate network behind a firewall.

Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.

Database Throughput and Scalability

For production deployments, VMware recommends that you use Oracle, MS SQL, or Postgres as your database platform.

More than 95 percent of the storage space that an ACE Management Server requires is used to log event information, which is an audit trail of all transactions performed through ACE Management Server. Table 2-2 lists recommended database sizes based on the number of clients being served.

The figures in the table are based on a 90-day database archival period. Back up the database records every 90 days and keep event logs for 90 days. You can configure ACE Management Server to purge event logs every 90 days.

The authentication event generates most of the data because an event is generated every time someone attempts to authenticate to ACE Management Server. You can configure ACE Management Server to log less event information. See Logging Events on page 36.

LDAP Throughput

ACE Management Server can communicate with your Active Directory domain controller to authenticate user credentials. Your domain controller infrastructure handles the LDAP traffic required to support the number of clients that you anticipate.

Integrating with Active Directory through LDAP is implemented differently in the Windows ACE Management Server than in the Linux-based ACE Management Server. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.

Network Bandwidth and Policy Update Frequency

The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.

Table 2-1. Number of Clients Supported

Hardware                                          Recommended Clients
2 GHz AMD 2-way server (Opteron 280, 4 GB RAM)    6,000
2 GHz Intel 2-way desktop machine (4 GB RAM)      4,000

Table 2-2. Database Storage Recommendations

Number of Clients    Recommended Database Size
100                  50 MB
1,000                500 MB
10,000               5,000 MB


• Traffic from ACE Management Server to Active Directory is encrypted: If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. LDAP traffic is encrypted at the application layer. Credentials are protected by using the Kerberos protocol to authenticate credentials.
• Sensitive configuration options are encrypted: Passwords stored in the configuration file are encrypted.
• Database security: The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.

Using SSL Certificates and Protocol

SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient. URLs that require an SSL connection start with https.

During ACE Management Server installation, the following two files are created:

• server.key: An RSA 1024-bit key, this is the private key.
• server.crt: A self-signed certificate. Its signature is verified by the public key, which is embedded in the certificate. This public certificate is valid for 10 years from the date and time at which the server is installed. The certificate file is encoded in PEM format.

By default, these files are stored in the SSL directory in the VMware ACE Management Server program directory.

VMware Player, which runs the ACE instances, does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. Using self-signed certificates is adequate for most security needs.

You can, however, use a certificate issued by a certificate authority. If you have multiple ACE Management Server instances, you can use one certificate for all or you can use a different certificate on each one.

When an ACE-enabled virtual machine connects to an ACE Management Server, it downloads the public certificate for that server and any chain of certificates required to verify the server's public certificate. A server certificate might have a chain of several certificates that must be verified step by step until the verification process reaches the root, or trusted, certificate in the certificate store. The first time a connection is made to a server by any ACE-enabled virtual machine on a Workstation administrator machine, the certificate and its verification are downloaded to the Workstation host system.

The store or collection of certificates that is downloaded when an ACE-enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE-enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server. It verifies that the certificates that are in the ACE package match those that the server provides. If they do not match exactly, VMware Player displays an error message and does not run the instance.

VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.

If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key-certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public key certificates, typically for a fee.


Accessing ACE Management Server from Outside the Corporate Firewall

All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management Server traffic.

Because of the number of data connections that the ACE Management Server must make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.

Figure 2-2. Recommended Deployment for External Access

[Figure 2-2 diagram labels: external client; external firewall; HTTPS proxy server; HTTPS traffic (443); internal firewall; AMS server; HTTPS traffic (443); back-end connections from the AMS server: ODBC, NETBIOS (port 137), DNS, KRB5 (port 88), LDAP (port 389)]

ACE Management Server can be deployed with the following HTTPS proxy solutions:

• Apache Proxy: Using mod_proxy
• Zeus Technology Load Balancer: A commercially available load balancer and traffic management solution

Avoid the following problems when you use a proxy for traffic into an ACE Management Server:

• SSL Termination: If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy server and ACE Management Server. Or, use the ACE Management Server certificate chain to embed the HTTPS proxy certificate verification chain in the ACE package. An example of a proxy server that terminates SSL connections is Apache Proxy. The Zeus load balancing products support SSL pass-through, which means that the SSL connection is terminated at ACE Management Server.
• Multiple ACE Management Server SSL certificates: If you are deploying multiple ACE Management Server instances behind a load balancing solution, all ACE Management Server instances must use the same SSL key and certificate pair. You can also use the ACE Management Server certificate chain feature to embed every SSL certificate verification chain into the ACE package.
• DNS resolution: When you create an ACE-enabled virtual machine, you must specify a host name for ACE Management Server. This host name must resolve to the appropriate IP address for both internal and external clients. Internally, it can resolve to ACE Management Server itself. Externally, it can resolve to the HTTPS proxy server.

Because the traffic coming into ACE Management Server is plain HTTPS traffic and the server is stateless, you can deploy many other configurations to provide external access to an ACE Management Server. When you design your deployment, think of ACE Management Server as a Web server with secure traffic.

Deployment Planning Worksheet

Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.
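The key and certificate checks behind the SSL Termination and multiple-instance points above, and behind the server.key/server.crt description in Using SSL Certificates and Protocol, as an added example that is not from the manual or from VMware: it builds a constructed self-signed pair of the same shape with the openssl command-line tool, then verifies that the private key belongs to the certificate, that the self-signature verifies with the certificate's own embedded public key, that two files carry the same certificate (by SHA-256 fingerprint, which is how to confirm a proxy or a second instance really uses the same pair), and that the certificate still has validity left. The host name, the directory layout, and the 2048-bit key size (the installer uses 1024 bits) are assumptions.

```shell
#!/bin/sh
# Added example (not VMware's code): checks on an ACE Management Server
# SSL directory holding server.key (RSA private key) and server.crt
# (self-signed PEM certificate). Requires the openssl CLI.

# Create a constructed key/certificate pair in directory $1, named like the
# installer's output. 10-year validity, as the manual describes; key size and
# host name are assumptions. Returns openssl's exit status.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/CN=ace.policyserver.company.com" \
        -keyout "$1/server.key" -out "$1/server.crt" >/dev/null 2>&1
}

# True if private key $1 and certificate $2 carry the same public key.
# Both commands emit the SubjectPublicKeyInfo as PEM, so a plain string
# comparison is exact; a mismatch means the files were copied from
# different pairs (e.g. a proxy carrying another server's key).
key_matches_cert() {
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_cert" ]
}

# True if self-signed certificate $1 verifies with itself as the only
# trusted root, i.e. its signature checks out with the embedded public key.
self_signature_ok() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Print the SHA-256 fingerprint of certificate $1 as colon-separated hex.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -sha256 -fingerprint 2>/dev/null | sed 's/^[^=]*=//'
}

# True if certificate files $1 and $2 are the same certificate. Run this
# between every load-balanced instance (and an SSL-terminating proxy) and
# the certificate the ACE package was built against.
same_cert() {
    fp1=$(cert_fingerprint "$1")
    fp2=$(cert_fingerprint "$2")
    [ -n "$fp1" ] && [ "$fp1" = "$fp2" ]
}

# True if certificate $1 will still be valid $2 days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# Run all local checks on SSL directory $1; the reference certificate $2 is
# the one embedded in the ACE package. Prints one line per check and
# returns 1 if any check fails.
audit_ssl_dir() {
    rc=0
    key_matches_cert "$1/server.key" "$1/server.crt" \
        && echo "key matches certificate: ok" \
        || { echo "key matches certificate: FAIL"; rc=1; }
    self_signature_ok "$1/server.crt" \
        && echo "self-signature verifies: ok" \
        || { echo "self-signature verifies: FAIL"; rc=1; }
    same_cert "$1/server.crt" "$2" \
        && echo "matches package certificate: ok" \
        || { echo "matches package certificate: FAIL"; rc=1; }
    valid_for_days "$1/server.crt" 30 \
        && echo "valid for at least 30 days: ok" \
        || { echo "valid for at least 30 days: FAIL"; rc=1; }
    return $rc
}
```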


    Chapter 3 Installing and Configuring ACE Management Server

Install ACE Management Server on a Linux System

You can install ACE Management Server on the following Linux systems:

• Red Hat Enterprise Linux 4
• SUSE Linux Enterprise Server 9 SP3

Before you begin, make sure the system meets these requirements:

• A working installation of Apache 2.0 is installed on the system. (The RPM for a Web server is included with the Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 installation.)
• Apache Web service is operating normally and is receiving requests for SSL HTTP.
• The mod_ldap and mod_ssl modules are available on your system.
• The following packages are installed on your Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 system: curl, openldap, openssl, apache, and gdbm.
• For SUSE Linux Enterprise Server 9, the cyrus-sasl-gssapi package is installed. This package is not installed by default.
• When you use the external database option, the following packages are required as well:
  • Red Hat Enterprise Linux 4: unixODBC
  • SUSE Linux Enterprise Server 9: unixODBC and, if you plan to use the X11 graphical configuration tool, unixODBC-gui-qt
• The clock is synchronized and the required ports are available, as described in Preparing for Installation on page 21.

Use this installation procedure to install or update ACE Management Server software.

To install ACE Management Server on a Linux system

1 Download the .rpm file from the VMware Web site and save the file on the system that is to host the server.

  The file is available as a separate downloadable file in the same download location as the Workstation application.

2 Run the Red Hat or SUSE Linux RPM installer for ACE Management Server:

  vmware-ace-management-server-.i386-rhel4.rpm
  vmware-ace-management-server-.i386-sles9.rpm

  For example:

  rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm

3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:

  a Open the following file with a text editor: /etc/sysconfig/apache2
  b Add the ldap config option to the APACHE_MODULES variable.
  c Save and close the file.

After ACE Management Server is installed, you can configure it. See Start and Configure ACE Management Server on page 26.
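A scriptable form of step 3 above, as an added example that is not from the manual or from VMware: it adds ldap to the APACHE_MODULES variable of a SUSE-style /etc/sysconfig/apache2 file without duplicating an entry that is already there, reports a file that has no such variable instead of silently leaving it unchanged, and checks that both modules the prerequisites call for (mod_ldap and mod_ssl) are configured. The sample sysconfig content is constructed; the assumption is that the file carries a single line of the form APACHE_MODULES="name name ...".

```shell
#!/bin/sh
# Added example (not VMware's code): manage the APACHE_MODULES list in a
# SUSE-style /etc/sysconfig/apache2 file, as step 3 of the Linux install
# procedure requires for mod_ldap on SUSE Linux Enterprise Server 9.

# Write a constructed sample sysconfig file (not copied from a real host) to
# path $1: the usual SLES shape, with ssl listed but ldap absent.
write_sample_sysconfig() {
    cat > "$1" <<'EOF'
## Path: Network/WWW/Apache2 (constructed sample)
APACHE_MODULES="actions alias auth auth_dbm autoindex cgi dir include log_config mime negotiation setenvif ssl userdir"
APACHE_SERVER_FLAGS=""
EOF
}

# Print the space-separated module list from file $1 (nothing if the
# APACHE_MODULES line is missing).
apache_modules() {
    sed -n 's/^APACHE_MODULES="\(.*\)"[[:space:]]*$/\1/p' "$1"
}

# True if module $2 appears as a whole word in the APACHE_MODULES list of
# file $1 (so "ldap" does not match a module that merely contains "ldap").
module_enabled() {
    for m in $(apache_modules "$1"); do
        [ "$m" = "$2" ] && return 0
    done
    return 1
}

# Add module $2 to APACHE_MODULES in file $1. Idempotent: a module already
# listed is not added twice. Returns 0 on success and 2 if the file has no
# APACHE_MODULES line, so a host with an unexpected sysconfig layout is
# reported rather than left unchanged.
enable_module() {
    grep -q '^APACHE_MODULES="' "$1" || return 2
    module_enabled "$1" "$2" && return 0
    tmp=$(mktemp) || return 1
    if [ -z "$(apache_modules "$1")" ]; then
        # Empty list: the new module becomes the whole value.
        sed "s/^APACHE_MODULES=\"[^\"]*\"/APACHE_MODULES=\"$2\"/" "$1" > "$tmp"
    else
        # Otherwise append it just before the closing quote of the value.
        sed "s/^\(APACHE_MODULES=\"[^\"]*\)\"/\1 $2\"/" "$1" > "$tmp"
    fi
    mv "$tmp" "$1"
    module_enabled "$1" "$2"
}

# Verify that both modules the manual's prerequisites name (ldap and ssl)
# are configured in file $1. Prints the missing ones; returns 1 if any.
check_required_modules() {
    missing=""
    for req in ldap ssl; do
        module_enabled "$1" "$req" || missing="$missing $req"
    done
    if [ -n "$missing" ]; then
        echo "APACHE_MODULES in $1 is missing:$missing"
        return 1
    fi
    return 0
}
```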


Install an ACE Management Server Appliance

The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small operating system in a virtual machine. Although the appliance is adequate for test environments, VMware recommends that you do not use it in production environments.

Before you begin, make sure the clock is synchronized and the required ports are available, as described in Preparing for Installation on page 21.

To install an ACE Management Server appliance

1 Download the .zip file for the appliance from the VMware Web site and save the file on the system that is to host the server.
2 Extract the files to the directory where the server is to be located.
3 Start Workstation, choose File > Open to open, and select the ams_appliance.vmx file.
4 Click the Power On button to start the virtual appliance.
5 At the password prompt, enter a password and confirm it.

  This password is used for both root and network accounts. Make a note of this password so that you can use it for later appliance management operations from the console and the Web.

  The appliance configures its network by using DHCP.

  The console view displays the following information:
  • Current network settings
  • URLs for remotely administering the appliance and configuring the ACE Management Server itself

  If you press Return at the login prompt, the information appears again.

6 At the time zone prompt, accept the current setting or make a change as needed.
7 (Optional) To configure the server to use a static IP address or to specify a proxy server, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Network link on the first page of the browser-based ACE Management Server Setup application.
  e To view instructions about configuring network settings, click the Help link in the upper right corner of the Web page.
  f After you change network settings, click Apply.
8 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Update link on the first page of the Appliance Configuration and Management Web application and complete the Appliance Update page.
  e To view instructions about configuring update options, click the Help link in the upper right corner of the Web page.


9 When you finish configuring any network or update settings, navigate to the ACE Management Server Setup Web application to configure the server.

  To access that application, choose one of these methods:
  • From the Appliance Management and Configuration Web application page, click the ACE Login link in the upper right corner of the page.
  • From a command prompt window, close the window, open a browser, and enter the URL for the ACE Management Server Setup Web application:

    https://:8000/

10 Click Configuration to open the Web application.

Verify That the Apache Service Is Started or Restarted

If you installed ACE Management Server on a Linux host, verify that the Apache service is started before you attempt to log in.

For troubleshooting purposes, you might occasionally need to manually restart the Apache service that ACE Management Server uses.

To verify that the Apache service is started or restarted

Do one of the following:

• On Windows hosts:
  a Click the Apache icon in the taskbar.
  b Select Apache2 in the menu that appears.
  c Choose the appropriate command:
    • To start the service if it is stopped, click Start. If the service is already started, this command is unavailable.
    • To restart, click Stop and then click Start. Ensure that you click Stop and Start rather than Restart.

• On SUSE Linux Enterprise Server 9 hosts or in the virtual machine that contains the ACE Management Server appliance:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:

    /etc/init.d/apache2 status

    If the status is started, you can log in to ACE Management Server. See Start and Configure ACE Management Server on page 26.

  c Enter the appropriate command:
    • To start the service if it is stopped, enter the following command:

      /etc/init.d/apache2 start

    • To restart the service, enter the following commands:

      /etc/init.d/apache2 stop
      /etc/init.d/apache2 start

• On Red Hat Enterprise Linux 4:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:


/etc/init.d/httpd status

If the status is started, you can log in to ACE Management Server. See Start and Configure ACE Management Server on page 26.

c Enter the appropriate command:

• To start the service if it is stopped, enter the following command:

/etc/init.d/httpd start

• To restart the service, enter the following commands:

/etc/init.d/httpd stop

/etc/init.d/httpd start

Start and Configure ACE Management Server

Before you begin, make sure that the following prerequisites are satisfied, as applicable:

• If you installed ACE Management Server on a Linux host or are using the ACE Management Server appliance, verify that the Apache server is running. See Verify That the Apache Service Is Started or Restarted on page 25.

• If this is the first time you are logging in, make sure you have the serial number for the product. The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.

• If you plan to use an external database, Active Directory integration, or custom SSL certificates, you must perform some setup tasks before you can configure ACE Management Server. See the following topics, as applicable:

• Create Users and Groups for Integration with Active Directory on page 29

• Set Up an External Database on page 30

• Prepare Custom Security Certificates on page 33

To start and configure ACE Management Server

1 Open a Web browser and go to https://<server address>:8000.

The <server address> value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.

If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.

2 Accept the license agreement and click Start.

The configuration tabs appear as they do in subsequent logins, but for the first login, wizard buttons such as Next and Back also appear.

3 Complete the information on each tab and click Next.

The only fields that require changes and do not have default settings are the Serial Number field on the Licensing tab and the Administrator password on the Access Control tab.

For information about specific fields and tabs, click Help on the tab.

Log In to ACE Management Server

The first time you log in to ACE Management Server, you must set a password. The next time you log in, you must provide that password or provide Active Directory credentials if you configured the server to use Active Directory for authentication.

Communications between Workstation and ACE Management Server take place over a secure SSL connection.


If the server is integrated with Active Directory service, enter your administrative credentials in one of the formats shown in Table 3-2.

To log in to ACE Management Server

1 Open a Web browser and go to https://<server address>:8000.

The <server address> value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.

If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.

2 Do one of the following:

• To configure ACE Management Server, click Configuration.

• To view and take actions on ACE instances managed by this server, click Help Desk.

3 Enter login credentials.

If you use Active Directory for authentication, see Table 3-2. In multidomain environments, you might be required to enter a domain (for example, eng.com).

Table 3-2. Login Options When Using Active Directory Service

Option                                    | Description                                                                                                                       | Example
long name + password + domain name        | The long name is the <full name> format.                                                                                          | John Doe
long name + password                      | The long name is the <full name> format. Leave the Domain field blank.                                                            | John Doe
short name + password + domain            | The short name is the sAMAccountName.                                                                                             | ace (the short form of the long name ACE User)
short name + password                     | The short name is the sAMAccountName. Leave the Domain field blank.                                                               | ace (the short form of the long name ACE User)
email address + password                  | You can only use this option for a domain that is accessed through a direct connection. Leave the Domain field blank.            | [email protected]
NETBIOSDOMAINNAME\username + password     | The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS). Leave the Domain field blank. |
username + password + NETBIOSDOMAINNAME   | The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS).                               |


Chapter 4 Configuration Options for ACE Management Server

After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.

This chapter includes the following topics:

• Prerequisites for Configuring the Server on page 29

• Starting ACE Management Server Configuration on page 34

• Viewing and Changing Licensing Information on page 34

• Using an External Database on page 35

• Creating Access Control on page 35

• Uploading Custom SSL Certificates on page 36

• Logging Events on page 36

• Applying Configuration Settings on page 37

Prerequisites for Configuring the Server

If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before you configure the ACE Management Server.

Create Users and Groups for Integration with Active Directory

To use Active Directory for authenticating users, add users to an Active Directory group and create a user so that ACE Management Server can query LDAP.

When you configure ACE Management Server to use LDAP, follow these guidelines to avoid negatively affecting performance:

• The default domain is the domain for which the LDAP host is a domain controller.

• The query user is a user in the default domain.

• The admin user group is a group that exists in the default domain.

Integrating with Active Directory through LDAP is implemented differently in the Windows-based ACE Management Server than in the Linux-based ACE Management Server. The operating systems differ in the libraries they use to connect to Active Directory and the external databases they support. The Windows ACE Management Server uses the WinLDAP library bundled with the Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.


To create users and groups for integration with Active Directory

1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying.

Make a note of the sAMAccountName value for that user (for example, aceuser).

2 Create an ACE Administrators group in the domain.

3 Add ACE administrator users to the ACE Administrators group.

4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.

You can log in to the Help Desk Web application with your administrative LDAP credentials or password.

Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does not give them access to other administrative tools.

Set Up an External Database

Before you begin, make sure that you have one of the following supported database servers:

• For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher, or Oracle Database 10g.

If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.

• For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher.

Before you install the database on a Linux host, make sure the unixODBC RPM package is installed on the Linux system. VMware recommends that you update the package to the latest version released for your specific Linux distribution. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API.

The package contains the libodbc shared library, providing the ODBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both Red Hat Enterprise Linux and SUSE Linux Enterprise Server 9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package.

Also, make sure the unixODBC-gui-qt package is installed (this utility is included in the Red Hat Enterprise Linux unixODBC package). This package is required to use the ODBCConfig X11 graphical configuration tool for setting up a data source name (DSN).

To set up an external database

1 Install a database server on a host.

The external database does not have to be installed on the same server as ACE Management Server, but it must be installed on the same platform. For example, if ACE Management Server is installed on a Windows host, the database server must also be installed on a Windows host.

ACE Management Server creates the database schema automatically if proper access rights are granted.

2 Configure the database.

Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages.

All tables that are created in the database have a name starting with a PolicyDb_ prefix and indexes with PdbIns_ or PdbLf_ prefixes. You might provide ACE Management Server with a DSN to a database that it shares with some other application, if the database count is at a premium.

3 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:


• TCP connectivity is enabled in the database configuration options.

• The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.

• If you are using a PostgreSQL database, configure per-user permission to connect to the database over the network. Configure that permission in the pg_hba.conf file, which is located in the root folder of your database.

4 (Optional) On the ACE Management Server machine, to verify the server's connectivity to the database with the configured user credentials, run a command-line or graphical SQL tool.

Examples of such tools are sqlcmd.exe for SQL Server, sqlplus.exe for Oracle, and psql for PostgreSQL. For database configuration and verification instructions, see the respective database documentation.

5 On the ACE Management Server machine, create a System DSN entry.

Creating a System DSN Entry for an External Database

The only required information in DSN configuration is the DSN name, server IP address or host name, and the database name. You do not need to provide a user name and password in the DSN configuration. You provide a user name and password later, when you use the ACE Management Server Setup application.

Ensure that you create a system DSN and not a user DSN. If you create a user DSN, it is visible only to your user account. ACE Management Server runs under the local system account, so the server cannot detect or use a user DSN.

Create a System DSN Entry for a Windows Database

Regardless of whether the host is 32-bit or 64-bit, you create a DSN entry for a 32-bit system.

Before you begin, to determine the correct ODBC driver, see your operating system and database documentation.

To create a System DSN entry for a Windows database

1 Do one of the following:

• On 32-bit hosts, use the ODBC Data Sources plug-in by choosing Control Panel > Administrative Tools > Data Sources (ODBC).

• On 64-bit hosts, navigate to %WINDIR%\syswow64\odbcad32.exe and use that program to create a System DSN entry for a 32-bit subsystem.

ACE Management Server does not support ODBC using an SQL Native Client driver on Windows 64-bit systems.

2 Create an entry that includes the DSN name, server IP address or host name, and the database name.

3 (Optional) If the DSN Setup wizard provides an option to test the connection, verify that the connection works with the database user credentials.

4 Make a note of the database DSN, user name, and password.

You can now use the browser-based ACE Management Server Setup application to connect to this database.

Create a System DSN Entry for a Linux Database

On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in.

Before you begin, determine the correct ODBC driver:

• On Red Hat Enterprise Server, the driver is located at /usr/lib/libodbcpsql.so.


Enable Database Connection Pooling on Linux

Enabling database connection pooling for databases on Linux hosts can give a substantial performance gain under high loads. ACE Management Server can reuse database connections rather than opening new connections for every request.

Enable database connection pooling in the ODBC Driver Manager (it is disabled by default) to optimize performance for servers on Linux platforms.

On Windows platforms, ODBC connection pooling is enabled by default.

To enable database connection pooling on Linux

1 Start the ODBCConfig utility as a root user.

2 Click the Advanced tab.

3 Select the Connection Pooling check box.

Set Up a Connection Between the Server Appliance and an External Database

The ACE Management Server appliance does not contain a PostgreSQL database server. You can, however, use an external database server with the appliance.

To set up a connection between the server appliance and an external database

1 Log in to the server appliance console as root, using the password you created during your first run of the server appliance.

2 Open the /etc/odbc.ini file in a text editor.

For example:

vaos# vi /etc/odbc.ini

This file contains the postgres_dsn setting for the ODBC DSN.

3 Uncomment all lines in the postgres_dsn entry except the first two.

To uncomment lines, delete the pound sign (#) at the beginning of each line.

4 Replace placeholders with the PostgreSQL database server DNS name or IP address and the database name of this server.

5 Use the default port number or set a different port number.

6 Save the file.

After you complete this task, postgres_dsn appears in the drop-down menu on the Database tab in the ACE Management Server Setup application.

Prepare Custom Security Certificates

To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files. These files must be PEM-encoded.

After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL Certificates tab in the ACE Management Server Setup application.

To prepare custom security certificates

1 Create or provide the needed files:

• For your own self-signed certificate, use the openssl utility to create a new self-signed certificate.

• For a third-party CA or internal CA, obtain an SSL certificate signed by that CA, and a certificate verification chain file.


The chain file is a concatenation of every certificate required to verify the new SSL certificate you created or obtained. Steps for obtaining the certificate chain vary, depending on which host operating system you are using and on the source from which the CA certificate is obtained.

• A private key file. SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient.

The certificate signatures must use the SHA1 algorithm digest. The files must be PEM-encoded.

2 Rename the files, as follows:

• Rename the private key file to server.key.

• Rename the certificate file to server.crt.

• Rename the certificate chain file to chain.crt.

You can now use the ACE Management Server Setup application to upload the certificate files.

View the Properties of the Self-Signed Certificate File

This file is stored in the SSL directory in the VMware ACE Management Server program directory.

To view the properties of the self-signed certificate file

Do one of the following:

• On a Windows host, navigate to the location of the server.crt file and double-click the file name.

• On a Linux host, use the following command:

openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text

To replace an expired certificate, see Prepare Custom Security Certificates on page 33. Do not modify certificates to make them permanent.

Starting ACE Management Server Configuration

If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before configuring the ACE Management Server. See Prerequisites for Configuring the Server on page 29.

The text that appears on the Start tab changes, depending on whether you have done an initial configuration:

• If this page says "This server has not been configured yet," you must click Start to complete the configuration setup wizard.

• If this page says "This server is configured," the Next and Previous wizard buttons do not appear. You can navigate to other tabs by clicking a tab.

Viewing and Changing Licensing Information

After you enter an ACE Management Server serial number, use the Licensing tab to determine the expiration date, if any.

The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.

If the system on which you installed ACE Management Server currently has more than one valid server license, just one license appears on the page.

You can use the Licensing tab to add or change a serial number, user name, or company name.

If you make changes to the information on this tab, you must click Apply or Cancel before you can navigate to another tab.


Using an External Database

The embedded database is an SQLite database. VMware recommends that you use an external database in production environments.

The embedded database is initialized during server installation and requires no special configuration. This database is adequate for testing purposes but is not designed to be effectively shared across multiple processes.

Before you can configure the ACE Management Server to use an external database, you must create a system DSN and credentials for accessing that data source. See Set Up an External Database on page 30.

Use the following information to help you complete the fields on the Database tab:

• Data Source Name (DSN): Data source name you used when you created a system DSN entry on the ACE Management Server machine.

• User Name and Password: Credentials for a user account that has full access to the database, including rights to create tables.

After you enter the database connection credentials, the setup application checks for an existing database. If the existing schema is not compatible, no schema is available, or the schema cannot be upgraded, you are asked whether to overwrite the existing schema and data. If you overwrite the existing schema and data, a new schema is created. If you do not overwrite the existing schema and data, the configuration application quits.

If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even if you do not rerun the setup application.

CAUTION After you enter credentials, if the message "Compatible schema exists. Do you want to reinitialize the schema and overwrite the existing data?" appears, select Use existing schema and data unless you want to erase all data in your existing database. To reinitialize the database at some later time, you can reopen this configuration application and return to this page.

If you make changes to the information on the Database tab, you must click Apply or Cancel before you can navigate to another tab.

Creating Access Control

On the Access Control tab, you can create a local Administrator role and Help Desk role or use Active Directory for authenticating users with these roles.

Before you can configure the ACE Management Server to use a domain account for authentication, you must create users and groups so that ACE Management Server can connect to the LDAP server. See Create Users and Groups for Integration with Active Directory on page 29.

Use the following information to help you complete the fields for authentication:

• Local account: If you specify a password for the Administrator role and forget or lose it, you must delete the server configuration file. Deleting this file sets the server back to its initial state. You must reconfigure the server and set the administrator password again.

• Domain account (LDAP): To use Active Directory for authentication, specify the host and credentials that the ACE Management Server uses to connect to and query the domain controller:

• Host Name: Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP address or host name with no parent domain name (for example, ldap).

• Query User sAMAccountName and Query User Password: Use the password and short name for the user account you created for this purpose in Active Directory.


• Query User Domain: The domain must be the domain for which the LDAP host is a domain controller.

• Admin Group DN and Help Desk Group DN (Optional): Enter the distinguished name for these groups, which you created for this purpose in Active Directory (for example, cn=Users,dc=simplecorp,dc=com).

If this option is not enabled, anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.

• Help Desk Role or Group DN: Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from the Help Desk application. Users in this role cannot access other administrative tools. You can still log in to the Help Desk Web application with your administrative LDAP credentials or local Administrator password.

If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you can navigate to another tab.

Uploading Custom SSL Certificates

To have ACE Management Server use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), use the Custom SSL Certificates tab to upload the PEM-encoded files.

Before you can upload custom SSL certificates, you must create and rename the certificate files. See Prepare Custom Security Certificates on page 33.

By default, during ACE Management Server installation, the following two files are created:

• server.key: This RSA 1024-bit key is the private key.

• server.crt: This self-signed certificate is valid for 10 years from the date and time at which the server is installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate file is encoded in PEM format.

When you run an ACE instance, the VMware Player application uses the complete certification chain that is included in its package, not on the host, to verify connections made to ACE Management Server. Therefore, the use of self-signed certificates is adequate for most security needs.

When you click Upload certificates, a summary page displays the files and locations you specify on this tab. Note the location of any backup files. You might need to use the backup if you find that the new file is invalid when you click Apply.

After you upload custom SSL certificates, you must update any existing ACE-enabled virtual machines to use a new certificate and key file. To do so, use Workstation to create an update package. When you deploy the new package, ACE instances receive the new certificate file and certificate chain.

Logging Events

The server collects log entries for events that change the database. On the Logging tab, you can set the logging levels and set an option for purging log entries.

ACE Management Server uses the following logging categories:

• ACE Administration: Logs events for instance creation, update, and destruction.

• Package Administration: Logs events for package creation, update, instance customization, and package removal.

• Policy Administration: Logs events for policy set update and publish, user access control changes, and instance passwords set by an ACE administrator.


• Instance Administration: Logs ACE instance lifecycle events, such as creation, copying, revocation, re-enablement, and deletion. Also logs instance password change by a user or an administrator, changes in expiration for each instance, changes of instance guest or host operating system information, and setting instance custom fields. The debug level can be used to log the most ubiquitous traffic such as policy update requests from active instances. Failed instance verifications are logged only at the debug level.

• Authentication: Logs events for every authentication request, such as administration or help desk authentication attempts (at the normal level), instance authentication (at the informational level), and remote LDAP password change. Set logging for this category to the lowest level that is practical for you. This category can generate a large volume of entries.

For each category, you can choose one of the following logging levels:

• None: No log entry is made for this event.

• Critical: An example of a critical log event is one that removes all packages, instances, and policies associated with an ACE-enabled virtual machine.

• Normal: This level of detail is sufficient to answer most queries.

• Informative: Entries for nondestructive events that have limited effect.

• Debug: Entries for every client access of the server. It provides more records of certain event types, creating a large number of logging entries compared to other log levels. It logs all informational transactions, such as instance status and so on.

Use the Event Log Purging control to configure the amount of logging information retained. The purge maintenance process runs approximately every six hours.

If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can navigate to another tab.

Applying Configuration Settings

The Restart page appears when you click Apply on one of the tabs. You must restart the server for the configuration settings to take effect.

If you click Later, you can always restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.


Chapter 5 Load-Balancing Multiple ACE Management Server Instances

If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.

This chapter includes the following topics:

• Typical Setup Using Load-Balanced ACE Management Server Instances on page 40

• Install the Required Services for Load Balancing on page 40

• Use the Same SSL Certificate on All Servers on page 41

• Create New SSL Certificates and Keys for Each Server on page 41

• Installing and Configuring the Load Balancer on page 43

• Verify That ACE Instances Are Using the Load Balancer on page 43


Typical Setup Using Load-Balanced ACE Management Server Instances

A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load-balancing group, the number of clients that you can serve scales linearly. For example, if you can serve 2,000 clients with one server, using two load-balanced servers allows you to serve 4,000 clients.

Figure 5-1 shows a simple deployment topology for using load balancing.

Figure 5-1. Two ACE Management Server Instances Working Together

To use a setup similar to the one depicted, you must have the following:

• Two or more machines (or virtual machines) to host the ACE Management Server processes

• An external database to host the ACE Management Server data

• A load-balancing solution to manage traffic

Install the Required Services for Load Balancing

Services include multiple ACE Management Server instances, an external database, and Workstation.

To install the required services for load balancing

1 Install the ACE Management Server package on two or more machines (or virtual machines).

See Installing and Upgrading ACE Management Server on page 22.

2 Configure each ACE Management Server separately to access the same external database.

See Start and Configure ACE Management Server on page 26.

Both ACE Management Server installations must be able to identify the same datastore so either installation can field queries for clients and scale the number of clients that can be served.

3 To verify that both ACE Management Server instances are working properly, start Workstation and connect to each ACE Management Server directly:

a In Workstation, choose File > Connect to ACE Management Server.

b Enter the IP or host name of the machine where ACE Management Server is installed, change the number in the Port field if necessary, and click OK.

[Figure 5-1 diagram: ACE Management Server 1 and ACE Management Server 2, an Active Directory domain controller (LDAP/Kerberos), a database server (ODBC), an optional load balancer, and AMS clients connecting over HTTPS]


Figure 5-2. Creating the Certificate Chain File

To create new SSL certificates and keys for each server

1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm).

The procedure varies, depending on the tools you use. To determine how to create these certificates and keys, see the documentation for your platform. Each certificate must have a unique common name and a unique serial number.

2 If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate.

The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the leaf certificate (including the root certificate of the chain).

a Download the verification chain from your certificate authority.

b Each certificate must be in PEM format before you create the certificate chain file.

To convert to PEM format, use the OpenSSL tools available online.

c Create the certificate chain file by concatenating each PEM-encoded certificate into one file.

• If both of your certificates are self-signed, your certificate chain file must be a file that contains both certificates concatenated.

• If you received your certificates from the same certificate authority, the chain file must contain only the verification chain for these certificates, and the chains must be the same.

• If the certificates come from different certificate authorities, the chain file must contain both certificate verification chains.

For example, if you are using two ACE Management Server instances you have two certificate chain files.

3 Join all of the certificate chain files into one file.

If you can, eliminate the duplicate entries.

4 Convert the servers' SSL certificates to PEM format.

5 Add the servers' SSL certificates in PEM format to the certificate chain file.

[Figure 5-2 (labels recovered from the diagram): the certificate chain file contains, in order, the Root SSL Certificate in PEM format, the Intermediary SSL Certificate in PEM format, the ACE Management Server #1 SSL Certificate in PEM format, and the ACE Management Server #2 SSL Certificate in PEM format. The root and intermediary certificates make up the certificate verification chain; each server SSL certificate is converted to PEM and then appended to the file.]


6 On the Custom SSL Certificates tab, upload the SSL certificate file, the SSL key file, and the certificate chain file:

a Specify the key file in the Server Private Key field.

b Specify the certificate file in the Server Public Certificate field.

c Click Upload certificates.

d Click Apply and click Restart.

Complete this step for every ACE Management Server in your farm to upload files to each ACE Management Server.
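The following POSIX shell script is an added example, not code from the VMware manual, showing steps 2 through 5 carried out with OpenSSL for a two-server farm: a verification chain file per server certificate, the chain files joined with duplicate certificates dropped, the servers' PEM certificates appended, and each server certificate verified against the finished file. The private CA, the common names ams1.example.test and ams2.example.test, the serial numbers and all file names are constructed for the example; the build_chain_file function is general and accepts any number of input files, so it also covers farms with more than two servers.

```shell
#!/bin/sh
# Added example, not part of the VMware manual. Builds the certificate chain
# file of Figure 5-2 with OpenSSL. All names and paths are constructed here.
set -e

# Concatenate every PEM certificate found in the given files into $1,
# keeping only the first copy of each certificate (step 3: drop duplicates).
build_chain_file() {
    out=$1
    shift
    cat "$@" | awk '
        /-----BEGIN CERTIFICATE-----/ { block = ""; inblock = 1 }
        inblock { block = block $0 "\n" }
        /-----END CERTIFICATE-----/ {
            inblock = 0
            if (!(block in seen)) { seen[block] = 1; printf "%s", block }
        }' > "$out"
}

# Number of PEM certificates in a file, for checking the result.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Demonstration: one private CA, two server certificates with unique common
# names and serial numbers (step 1), and the assembled chain file (steps 2-5).
# Prints the number of certificates in the finished file.
demo_chain_file() {
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Root CA" \
        -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
    for i in 1 2; do
        openssl req -newkey rsa:2048 -nodes \
            -subj "/CN=ams$i.example.test" \
            -keyout "$work/ams$i.key" -out "$work/ams$i.csr" 2>/dev/null
        openssl x509 -req -days 1 -set_serial "$i" \
            -in "$work/ams$i.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
            -out "$work/ams$i.crt" 2>/dev/null
    done
    # Step 2: one verification chain per certificate (same CA, so identical).
    build_chain_file "$work/chain1.pem" "$work/ca.crt"
    build_chain_file "$work/chain2.pem" "$work/ca.crt"
    # Step 3: join the chain files; the duplicate root certificate is dropped.
    build_chain_file "$work/chain.pem" "$work/chain1.pem" "$work/chain2.pem"
    # Steps 4-5: the server certificates are already PEM; append them.
    build_chain_file "$work/cert_chain.pem" "$work/chain.pem" \
        "$work/ams1.crt" "$work/ams2.crt"
    # Every server certificate must verify against the finished file.
    for i in 1 2; do
        openssl verify -CAfile "$work/cert_chain.pem" "$work/ams$i.crt" >/dev/null
    done
    count_certs "$work/cert_chain.pem"
}

if command -v openssl >/dev/null 2>&1; then
    echo "certificates in the chain file: $(demo_chain_file)"
fi
```

The file produced this way is the certificate chain file that step 6 uploads on the Custom SSL Certificates tab. Running openssl verify before the upload is a worthwhile check, because an invalid file leads to the failed restart described in "Restore a Backup Copy of an SSL Certificate" on page 53.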

Installing and Configuring the Load Balancer

ACE Management Server uses HTTPS to communicate with its clients. You can use any load-balancing solution that supports HTTPS with ACE Management Server.

Install the load balancer and configure port 443 (HTTP over SSL) for load balancing. Do not configure port 8080 or 8000 for load balancing. These two ports are used for configuration. Port 8080 is the virtual appliance configuration port and 8000 is the ACE Management Server configuration port.

Verify That ACE Instances Are Using the Load Balancer

After you configure multiple ACE Management Server instances to work with a load balancer and install the necessary SSL certificates, perform verification. Verify that ACE instances can connect to ACE Management Server instances by using the address of the load balancer.

Before you begin, restart Workstation so that Workstation can download the SSL certificate when a connection to the ACE Management Server is established.

To verify that ACE instances are using the load balancer

1 Create an ACE-enabled virtual machine.

2 Open the policy editor.

3 Select Policy Update Frequency.

4 Select Disable Offline Usage.

5 Click OK.

6 Remove the first ACE Management Server from the load-balancing configuration so that all traffic goes to the second ACE Management Server.

7 Preview the ACE instance.

This preview creates an instance on the ACE Management Server.

8 Close the ACE Player.

9 Remove the second ACE Management Server from the load-balancing configuration and add the first ACE Management Server back to the configuration.

All traffic goes to the first ACE Management Server.

10 Preview the same ACE instance again, and when prompted whether to reinstantiate or reuse the instance, select Use Existing Instance.

If the instance starts successfully, both servers are using the same SSL certificate.


6 Managing ACE Instances

Use the VMware ACE Help Desk Application

ACE administrators and help desk assistants can access ACE instances through the VMware ACE Help Desk Web application. You can use the Help Desk to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.

To use the VMware ACE Help Desk application

1 Open a Web browser and go to https://:8000.

The value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.

If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.

2 Click the Help Desk link.

3 Supply the login information.

Use the following information to help you complete the fields that appear in this window:

- User Name and Password: If a help desk role was created, enter credentials for that role. Otherwise, enter credentials for administering the ACE Management Server.

- Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).

The VMware ACE Help Desk opens the Instances page, which contains a summary table of all the instances that the server manages.

Use the Instance View in Workstation

ACE administrators can access ACE instances through the instance view. You can use the instance view to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.

The instance view in Workstation enables you to perform all the tasks available in the VMware ACE Help Desk and a few more tasks. In the instance view, you can create custom columns and save the searches you create. You must have administrator credentials to use the instance view.

An instance has one of the following status types:

- Active: The instance is active and available for immediate use.

- Deactivated: This instance was purposely deactivated. You must reactivate it to make it usable again.

- Blocked by policies: The instance is still active but is blocked (cannot be run) because of a violation of a policy such as expiration date or copy protection. For details, view the server log for that instance.

The Valid From and Valid Until columns indicate the period that the instance is valid. The instance expires after the Valid Until date. If no expiration date is set for the instance, those columns are empty.

To use the instance view in Workstation

1 From the Workstation menu bar, choose File > Connect to ACE Management Server.

2 Specify the fully qualified host name or the IP address and click OK.

In most cases, the default port number does not need to be changed.


3 Complete the login window.

Use the following information to help you complete the fields that appear in this window:

- User Name and Password: Enter credentials for administering the ACE Management Server.

- Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).

Search for an Instance

You can use the search function to query the ACE Management Server database for one or more particular ACE instances. Search criteria are joined with AND, not OR, operations.

To search for an ACE instance

1 Click Search and specify the criteria to be included when the database is queried.

Use the following information to help you specify search criteria:

- Activated By: Activation method, such as password, Active Directory user, or activation key. If no such activation method exists, N/A appears in the column.

- ACE VM Name: Name of the ACE-enabled virtual machine from which the ACE instance was created.

- Guest Name: (For Windows guests only) Computer name resolved on the user's machine during instance customization, if you use that feature. The NetBIOS name is reported here, and it is a maximum of 15 characters long. Even if the actual computer name contains more characters, the name always appears as the NetBIOS name.

- Custom columns: Custom columns that you created appear directly below the Guest MAC Address criterion.

- Exact match only: Values are case-sensitive.

- Save as: (Available in the Workstation instance view only) Saved searches are specific to each server. You can edit or delete your saved searches by selecting the name of a saved search in the Saved Searches drop-down menu and clicking Options.

2 Click Search.

In the search results, the total number of instances appears just below the table.

3 To navigate through a large number of results, do one of the following:

- In the VMware ACE Help Desk, click the previous and next arrows at the right of the status bar at the bottom of the Instances table.

- In the instance view in Workstation, scroll down.

4 To return to the full list, do one of the following:

- In the VMware ACE Help Desk, click the Back to all instances link, located below the Search button.

- In the instance view in Workstation, click Clear Search.

Sort by Column Heading and Change Column Width

You can reorder the instances in the table alphabetically or numerically, depending on the selected column's contents, in ascending or descending order.

To sort by column heading and change column width

1 Click the column heading of the column to sort.

Click again to re-sort in the opposite (ascending or descending) order.


2 To change column widths, click a column divider and drag it to a new width.

Show, Hide, and Move Columns in the Instance View

Although you can sort and resize columns in either the VMware ACE Help Desk or the Workstation instance view, you can show, hide, and move columns only in the Workstation instance view.

Column changes for one server do not affect other servers.

To show, hide, and move columns in the instance view

1 In Workstation, connect to the ACE Management Server and log in.

See "Use the Instance View in Workstation" on page 46.

2 To show or hide a column, right-click the column heading row and select or deselect the column to show or hide.

If you show a column that was previously hidden, the column is added to the right side of the table.

3 To move a column, click the column header, drag the column to a new location, and release the mouse button.

Create or Delete Custom Columns in the Instance View

Custom columns enable you to add categories of information about the instances that an ACE Management Server manages. For example, you can add a Help Ticket column to record the ID associated with end users' support requests.

You can create custom columns only in the Workstation instance view. In the instance view table, you can add, delete, and rename up to nine custom columns.

To create or delete custom columns in instance view

1 In Workstation, connect to the ACE Management Server and log in.

See "Use the Instance View in Workstation" on page 46.

2 Right-click the column heading row and choose Add Custom Column.

3 Type a name for the new column in the Name text box and click OK.

4 To change the name of or delete a custom column, right-click the custom column header and choose a command from the context menu.

After you create a custom column, use the Instance Details page for each ACE instance to add information to display. See "Add Information for Custom Columns" on page 50.

View Instance Details

The Instance Details page displays all of the same information shown on the summary page, and it includes information about the ACE instance's policy settings.

You can reactivate, deactivate, or change the expiration date from the Instance Details page, as you can from the summary page. The following tasks are available only from the Instance Details page:

- Changing the copy protection ID

- Resetting the authentication password

- Adding information for custom columns

To view instance details

1 Select the instance by clicking its instance row.

2 Click the View detail icon at the top of the table or double-click the instance row.


3 If you use the VMware ACE Help Desk, to view details about network access, click the links under Zone, Host Access, or Guest Access.

You can view the Zones or Rules Detail page for this zone or this type of network access.

The Everywhere and Everywhere else zone settings are not linked to a Zones Detail page because they are self-explanatory.

Reactivate, Deactivate, or Delete an ACE Instance

You can immediately deny or allow access to an instance by deactivating or reactivating it. After you deactivate an instance, you can delete it from the list of instances that the server manages.

To reactivate, deactivate, or delete an ACE instance

1 Select the instance by clicking its instance row.

2 Click the Deactivate or Reactivate icon in the upper-left corner of the Instances page.

3 If you clicked Reactivate, when prompted, reset the expiration dates.

4 (Optional) If you clicked Deactivate, click Delete to delete the instance row.

5 Click OK.

Change a Copy Protection ID

If an end user attempts to copy or move a copy-protected ACE instance, the user receives an error message that contains a new copy protection ID. After the end user sends that ID to you, the administrator, you can use it to replace the original ID.

The Copy Protection ID field is always active, so you can change the ID at any time.

CAUTION If you change a copy protection ID for an active instance, the original instance no longer runs.

To change a copy protection ID

1 Select the instance by clicking its instance row.

2 Click the View detail icon at the top of the table or double-click the instance row.

3 Do one of the following:

- In the VMware ACE Help Desk, replace the alphanumeric string in the Copy Protection ID field with a new ID and click the Save icon at the top of the page.

- In Workstation, click the Policies tab, replace the copy protection ID with a new ID, and click OK.

Reset the Authentication Password

You can reset passwords for instances with user-specified passwords. The new password must have at least one character.

To reset the authentication password

1 Select the instance by clicking its instance row.

2 Click the View detail icon at the top of the table or double-click the instance row.

3 Click Reset Password and specify a new password.

In the Workstation instance view, this button appears on the Policies tab.

4 Send the new password to the user in an email message.


7 Troubleshooting and Maintenance

This chapter includes the following topics:

- "Troubleshooting Configuration Problems" on page 51

- "Configuring Multiple ACE Management Server Instances to Use SSL" on page 53

- "Database Backup" on page 53

Troubleshooting Configuration Problems

Common configuration problems include resolving connection problems and port conflicts and resetting ACE administrator passwords.

Connection Problems Between a Linux ACE Instance and ACE Management Server

If an ACE instance on a Linux host cannot contact the server, determine whether a firewall or proxy setting is blocking or rerouting HTTPS traffic on port 443.

By default, HTTPS traffic from the VMware Player to ACE Management Server is routed on port 443. Disable the firewall or turn off the proxy setting to allow VMware Player-to-server traffic on that port.

Change the Port Assignment for ACE Management Server

ACE Management Server is a module running on the Apache 2.0 platform. To change the port that the server listens on, you must manually edit the Apache configuration file.

To change the port assignment for ACE Management Server

1 Using a text editor, open the ACE Management Server component HTTP configuration file.

Depending on the server's operating system, the file is placed in one of the following locations:

- Windows: C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf

- Red Hat Enterprise Linux 4: /etc/httpd/conf.d/acesc.conf

- SUSE Linux Enterprise Server 9 SP3: /etc/apache2/conf.d/acesc.conf

This path is different if VMware ACE Management Server is installed in a different location. Use the path you established for your server.

2 Locate the line entry in the file that reads Listen 443 and change the port number.

You cannot use port 8000, which the server uses for configuration, or port 8080, which the ACE Management Server appliance uses.

3 Locate the section header for the Virtual Server configuration for port 443.


This line looks similar to the following:

4 Change the port number in the section header to the desired port number.

For example, to change to port 8443, change 443 to 8443.

5 Save the file.

6 Stop and start the Apache service. For instructions, see "Verify That the Apache Service Is Started or Restarted" on page 25.

When you create an ACE-enabled virtual machine, you can specify which port is to be used to communicate with ACE Management Server.
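As an added example (not the manual's own procedure or a VMware script), the following POSIX shell functions perform steps 2 through 4 on the Apache configuration file, refusing the reserved ports 8000 and 8080 and any value that is not a valid TCP port. The file name httpd.conf and the sample configuration fragment are constructed for the example; the function rewrites whatever port the Listen directive currently holds rather than only 443, so it also works when the port was changed earlier.

```shell
#!/bin/sh
# Added example, not part of the VMware manual. Changes the HTTPS port in an
# Apache configuration the way steps 2 through 4 describe, refusing the two
# ports the manual reserves (8000 and 8080). File names are assumptions.
set -e

# Port on the first "Listen [address:]port" line of the configuration file.
current_listen_port() {
    sed -n '/^Listen[[:space:]]/{s/^Listen[[:space:]]*//;s/^.*://;s/[[:space:]]*$//;p;}' "$1" | head -n 1
}

# change_ssl_port <config file> <new port>
# Rewrites "Listen <old>" and every "<VirtualHost ...:<old>>" section header
# to the new port. Returns non-zero and leaves the file untouched when the
# port is not a valid TCP port or is one of the reserved configuration ports.
change_ssl_port() {
    conf=$1
    new=$2
    case $new in
        ''|*[!0-9]*) echo "not a port number: $new" >&2; return 1 ;;
    esac
    if [ "$new" -lt 1 ] || [ "$new" -gt 65535 ]; then
        echo "port out of range: $new" >&2; return 1
    fi
    case $new in
        8000|8080) echo "port $new is reserved for configuration" >&2; return 1 ;;
    esac
    old=$(current_listen_port "$conf")
    if [ -z "$old" ]; then
        echo "no Listen directive in $conf" >&2; return 1
    fi
    # Write to a temporary file first so a failed sed run leaves the original.
    sed -e "s/^Listen $old$/Listen $new/" \
        -e "s/^\(Listen [^ ]*:\)$old$/\1$new/" \
        -e "s/\(<VirtualHost [^>]*:\)$old>/\1$new>/" "$conf" > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# Demonstration on a constructed fragment of httpd.conf (not the real file).
demo=$(mktemp -d)
printf '%s\n' 'Listen 443' '<VirtualHost _default_:443>' '</VirtualHost>' > "$demo/httpd.conf"
change_ssl_port "$demo/httpd.conf" 8443
cat "$demo/httpd.conf"
```

Step 6 still applies afterwards: the new port takes effect only once the Apache service has been stopped and started.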

Delete the Server Configuration File and Set a New Administrator Password

If you lose or forget the administrator password, you must delete the configuration file and reconfigure the server. As part of that configuration, you set a new password.

To delete the server configuration file and set a new administrator password

1 Navigate to the location of the ACE Management Server configuration file.

Depending on the server's operating system, the file is placed in one of the following locations:

- Windows: C:\Program Files\VMware\VMware ACE Management Server\conf\acesc.conf

- Linux: /var/lib/vmware/acesc/conf/acesc.conf

2 Save a copy of the file to a new location so that you can refer to it when you reconfigure the server.

3 Delete the original configuration file.

4 Start the ACE Management Server Setup application and configure the server again, specifying a password on the Access Control tab.

See "Start and Configure ACE Management Server" on page 26.

5 Continue with the ACE Management Server Setup application in one of the following ways:

- If this is the initial configuration of the server, click Next.

- If you are reconfiguring the server, click Apply and click Restart or Later.

If you click Later, you must restart the server for the configuration changes to take effect. You can restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.

Restore a Backup Copy of an SSL Certificate

If you upload an invalid certificate file, the ACE Management Server Setup application fails when you click Apply and then Restart, and you cannot restart the Apache service. To fix this problem, restore the backup certificate file for the corresponding certificate.

To restore a backup copy of an SSL certificate

1 Navigate to the ACE Management Server directory where the backup is stored.

The file names use the following format:

.-

The value is one of the following:

- server.crt: The server public certificate

- server.key: The server private key

- chain.crt: The certificate chain


The date portion of the file name is in the format YYYYMMDD (year, month, day).

The time portion of the file name is in the format HHMMSS (hours, minutes, seconds).

For example, a file name might be server.crt.20070216-095344.

2 Save the file in the correct location under the ssl directory, with its original file name (for example, ssl/server.crt), and restart the Apache server manually.

See "Verify That the Apache Service Is Started or Restarted" on page 25.

3 Start the ACE Management Server Setup application and use the Custom SSL Certificates tab to upload the backup copy.

See "Start and Configure ACE Management Server" on page 26.
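The following POSIX shell functions are an added example (not from the manual) for steps 1 and 2: they pick the newest backup of server.crt, server.key or chain.crt by its YYYYMMDD-HHMMSS suffix and copy it back under the ssl directory. The backup and ssl directory paths and the sample backup files are constructed for the example, and setting the invalid file aside as name.invalid is a choice of this example; restarting Apache and re-uploading the file through the Setup application (steps 2 and 3) are still done by hand.

```shell
#!/bin/sh
# Added example, not part of the VMware manual. Finds the newest backup of a
# certificate file by its YYYYMMDD-HHMMSS suffix and copies it back under the
# ssl directory (step 2). Directory paths here are assumptions.
set -e

# latest_backup <backup dir> <name>   (name: server.crt, server.key or chain.crt)
# Prints the newest backup file name, or nothing when there is none. Because
# the suffix is zero-padded year-month-day-hour-minute-second, plain text
# sorting orders the candidates by time; files with other suffixes are ignored.
latest_backup() {
    dir=$1
    name=$2
    for f in "$dir/$name".*; do
        [ -e "$f" ] || continue
        b=${f##*/}
        suffix=${b#"$name".}
        case $suffix in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9]) echo "$b" ;;
        esac
    done | sort | tail -n 1
}

# restore_backup <backup dir> <ssl dir> <name>
# Copies the newest backup of <name> to <ssl dir>/<name>. The current
# (possibly invalid) file is kept as <name>.invalid for inspection.
# Prints the backup file name that was restored.
restore_backup() {
    bdir=$1
    ssldir=$2
    name=$3
    b=$(latest_backup "$bdir" "$name")
    if [ -z "$b" ]; then
        echo "no backup of $name in $bdir" >&2
        return 1
    fi
    if [ -e "$ssldir/$name" ]; then
        mv "$ssldir/$name" "$ssldir/$name.invalid"
    fi
    cp "$bdir/$b" "$ssldir/$name"
    echo "$b"
}

# Demonstration with constructed directories and backup files.
demo=$(mktemp -d)
mkdir "$demo/backup" "$demo/ssl"
echo "older backup" > "$demo/backup/server.crt.20070101-120000"
echo "newest backup" > "$demo/backup/server.crt.20070216-095344"
echo "invalid upload" > "$demo/ssl/server.crt"
echo "restored $(restore_backup "$demo/backup" "$demo/ssl" server.crt)"
```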

Configuring Multiple ACE Management Server Instances to Use SSL

You might configure multiple ACE Management Server instances to use SSL in the following scenarios:

- Multiple servers behind one or more proxy servers:

Each server can have its own SSL key and certificate (ACE Management Server and proxy server). The cert_chain file must contain the certificate file and verification chain for the SSL certificates that the proxy servers are using. Place this cert_chain file in each ACE Management Server.

When self-signed certificates are being used, the actual certificate is the verification chain. The chain file contains each self-signed certificate that the proxies are using.

You can also use the same key and certificate for every server and proxy. In this case, you do not need to create a cert_chain file.

Each certificate must have a unique common name.

- Multiple servers using DNS round robin:

Each server can have its own SSL key and certificate (ACE Management Server and proxy server). The cert_chain file must contain the certificate and verification chain for every certificate that the servers use. Place this certificate chain file in each ACE Management Server.

When self-signed certificates are being used, the actual certificate is the verification chain. The chain file contains each self-signed certificate that each of the servers is using.

You can use the same key and certificate for every server. In this case, you do not need to create a cert_chain file.

See also "Load-Balancing Multiple ACE Management Server Instances" on page 39.

Database Backup

If you are using an external database, use a backup and recovery strategy that is appropriate for your database system. Back up your ACE Management Server database on a regular basis to ensure that the database can be recovered promptly if needed.

If you are using the embedded database, you can use standard file backup tools, such as ntbackup or dd. The data is stored in one of the following locations:

- Windows: C:\Program Files\VMware\VMware ACE Management Server\db\acesc.bin

- Linux: /var/lib/vmware/acesc/db/acesc.bin

If you are using the embedded database in a production environment, stop the server, copy the file to a different location for the backup, and restart the server. SQLite is file-based, so the database file might be modified by the ACE Management Server process at the same time that it is being copied for backup. An inconsistent database snapshot might be produced. This problem is unlikely to occur because the file is usually not large and is copied quickly.


Other alternatives for backing up an open database, as recommended by members of an SQLite community, are the following:

- Use the sqlite3 command-line tool to log in to the SQLite database. Use the .dump command, store the result in a separate file, and back up that result file. An SQL script recreates the database.

- Use the Shadow Volume Copy mechanism on Windows systems or LVM volume snapshots on Linux (and the crash-restore feature of SQLite) to back up the complete database directory, including journal files if they are present. On a Windows XP SP1 or later operating system, use ntbackup on the database directory.

- Use the sqlite3 command-line tool to log in to the SQLite database. Use the BEGIN EXCLUSIVE command, copy the database file, and then use the COMMIT command.

For information to help you use your company's own management or reporting tools or automated scripts with the data in the VRM database, see "Appendix: Database Schema and Audit Event Log Data" on page 55.
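As an added example, not from the manual, the following POSIX shell functions implement the first alternative above with the sqlite3 command-line tool: dump the database to an SQL script, rebuild a fresh database file from the script, and confirm with PRAGMA integrity_check that the result is consistent. The table sample_event and the file names are constructed for the example and are not the ACE Management Server schema.

```shell
#!/bin/sh
# Added example, not part of the VMware manual. Backs up an SQLite database
# with the .dump method listed above, restores the dump into a new file and
# checks the result with PRAGMA integrity_check. Table and paths are constructed.
set -e

# dump_backup <database file> <dump file>
# Writes an SQL script that recreates the database; this script is what you
# keep as the backup.
dump_backup() {
    sqlite3 "$1" .dump > "$2"
}

# restore_from_dump <dump file> <new database file>
# Rebuilds the database from the script into a fresh file.
restore_from_dump() {
    rm -f "$2"
    sqlite3 "$2" < "$1"
}

# integrity <database file>   -> prints "ok" when SQLite finds no corruption
integrity() {
    sqlite3 "$1" 'PRAGMA integrity_check;'
}

# row_count <database file> <table>
row_count() {
    sqlite3 "$1" "SELECT count(*) FROM $2;"
}

# Demonstration with a constructed table (not the real AMS schema): prints
# the integrity result and the row count of the restored copy, e.g. "ok 2".
demo_sqlite_backup() {
    work=$(mktemp -d)
    sqlite3 "$work/acesc.bin" "CREATE TABLE sample_event (id INTEGER PRIMARY KEY, msg TEXT);
        INSERT INTO sample_event (msg) VALUES ('instance activated'), ('instance deactivated');"
    dump_backup "$work/acesc.bin" "$work/acesc.sql"
    restore_from_dump "$work/acesc.sql" "$work/acesc-restored.bin"
    echo "$(integrity "$work/acesc-restored.bin") $(row_count "$work/acesc-restored.bin" sample_event)"
}

if command -v sqlite3 >/dev/null 2>&1; then
    echo "restored database check: $(demo_sqlite_backup)"
fi
```

Because the sqlite3 shell reads the database inside a transaction while dumping, the script reflects one consistent state, which a plain file copy taken while the server is running cannot guarantee. Test the restore path regularly, as above, so the backup is known to be usable before it is needed.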


Appendix: Database Schema and Audit Event Log Data

This appendix explains the format of the data stored in the database and the best ways to access this data. This appendix includes the following topics:

- "Using Database Reporting Tools" on page 55

- "Database Schema" on page 55

- "Querying the Audit Event Log Data" on page 59

Using Database Reporting Tools

You can use a third-party database management or reporting tool with the VMware ACE Management Server database. You can create custom reports of the system state by using a reporting tool. You can also use a reporting tool to inspect the audit trail of the administrator or user actions stored in the Event table. For example, you