8/6/2019 Ams Manual Tech Preview
1/66
ACE Management Server Administrator's Manual
VMware ACE
EN-000198-00
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
ACE Management Server Administrators Manual
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents.
VMware, the VMware "boxes" logo and design, Virtual SMP, and VMotion are registered trademarks or trademarks of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Contents

About This Book 7

1 Introduction 9
Features of ACE Management Server 9
System Requirements 10
Required Hardware 10
Supported Operating Systems 10
Supported External Databases 10
Supported Proxies 11
Required Web Browsers 11
Licensing 11

2 Planning an ACE Management Server Deployment 13
Deployment Components 13
Host System Options 14
Windows Hosts 14
Linux Hosts 14
Server Appliance Option 14
Database Options 15
Active Directory Authentication Options 15
Performing Capacity Planning 15
Database Throughput and Scalability 16
LDAP Throughput 16
Network Bandwidth and Policy Update Frequency 16
ACE Policy Configuration 17
Load Balancers 17
Security Features and Considerations 17
Using SSL Certificates and Protocol 18
Accessing ACE Management Server from Outside the Corporate Firewall 19
Deployment Planning Worksheet 19

3 Installing and Configuring ACE Management Server 21
Preparing for Installation 21
Configure TLS in Your Browser 21
Installing and Upgrading ACE Management Server 22
Install an ACE Management Server on a Windows Host 22
Install ACE Management Server on a Linux System 23
Install an ACE Management Server Appliance 24
Verify That the Apache Service Is Started or Restarted 25
Start and Configure ACE Management Server 26
Log In to ACE Management Server 26

4 Configuration Options for ACE Management Server 29
Prerequisites for Configuring the Server 29
Create Users and Groups for Integration with Active Directory 29
Set Up an External Database 30
Creating a System DSN Entry for an External Database 31
Increase the Number of Database Connections Allowed 32
Enable Database Connection Pooling on Linux 33
Set Up a Connection Between the Server Appliance and an External Database 33
Prepare Custom Security Certificates 33
View the Properties of the Self-Signed Certificate File 34
Starting ACE Management Server Configuration 34
Viewing and Changing Licensing Information 34
Using an External Database 35
Creating Access Control 35
Uploading Custom SSL Certificates 36
Logging Events 37
Applying Configuration Settings 37

5 Load Balancing Multiple ACE Management Server Instances 39
Typical Setup Using Load-Balanced ACE Management Server Instances 40
Install the Required Services for Load Balancing 40
Use the Same SSL Certificate on All Servers 41
Create New SSL Certificates and Keys for Each Server 41
Installing and Configuring the Load Balancer 43
Verify That ACE Instances Are Using the Load Balancer 43

6 Managing ACE Instances 45
Viewing ACE Instances That the Server Manages 45
Use the VMware ACE Help Desk Application 46
Use the Instance View in Workstation 46
Search for an Instance 47
Sort by Column Heading and Change Column Width 47
Show, Hide, and Move Columns in the Instance View 48
Create or Delete Custom Columns in the Instance View 48
View Instance Details 48
Reactivate, Deactivate, or Delete an ACE Instance 49
Policies Tab 49
Change a Copy Protection ID 49
Reset the Authentication Password 50
Add Information for Custom Columns 50

7 Troubleshooting and Maintenance 51
Troubleshooting Configuration Problems 51
Connection Problems Between a Linux ACE Instance and ACE Management Server 51
Change the Port Assignment for ACE Management Server 51
Delete the Server Configuration File and Set a New Administrator Password 52
Restore a Backup Copy of an SSL Certificate 52
Configuring Multiple ACE Management Server Instances to Use SSL 53
Database Backup 53
About This Book

This manual, the VMware ACE Management Server Administrator's Manual, provides information about installing and using the VMware ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:
- Manage activation of ACE packages.
- Manage authentication of those activated packages.
- Dynamically deliver policy updates to managed ACE instances.
- Dynamically deliver instance customization data for managed ACE instances with Windows guest operating systems.

Intended Audience
This book is intended for anyone who needs to install, upgrade, or use ACE Management Server to manage ACE instances. ACE Management Server is intended for ACE administrators who must maintain and update ACE policies used on virtual machines deployed throughout an enterprise.

Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to:

Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.

Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
Chapter 1 Introduction
The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.
This chapter includes the following topics:
- Features of ACE Management Server on page 9
- System Requirements on page 10

Features of ACE Management Server
ACE Management Server offers scalability and reliability:
- You can increase capacity by adding network resources such as load balancers and extra server hardware.
- For testing environments, the default embedded backing store provides a simple and efficient database solution. To scale ACE Management Server for production deployments, you can configure and use an external relational database management system (RDBMS).
- In Windows, multithreaded processes handle server requests. In Linux, multiple processes handle server requests. If one process fails, another takes over.
ACE Management Server offers Active Directory integration:
- You can use Active Directory to authenticate users of ACE instances.
- You do not need a schema change for your existing Active Directory.
- LDAP is used to access Active Directory.
- Information about Windows domain user account states is provided in clear and useful messages. Reasons for login failures are presented as locked out or password expired.
- ACE Management Server acts as an Active Directory password change proxy.
- You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.
Security features include the following:
- Encrypted communications between server and clients travel over HTTPS traffic.
- Passwords are stored securely in hashed form in the backing store.
- Flexible database options allow use of an embedded database or external RDBMS to store ACE instance data and policies.
ACE Management Server is easy to install and configure. Client traffic can be proxied by easily available products. The server uses easily available software components:
- Apache Web server 2.0
- The default SQLite database store
The server setup uses industry-standard protocols:
- HTTPS and LDAP
- XML-RPC for message encapsulation
ACE Management Server offers extensibility and availability:
- You can create and use more than one ACE Management Server. When you use more than one server, you can set the servers up so that they share the same database for load balancing or increased fault tolerance.
- A Windows ACE Management Server can be on the same system as Workstation.
- You can designate a single ACE Management Server name, such as https://ace.policyserver.company.com, and use DNS lookup to translate the host name to an address. The address is cached if a DNS server is not available. Additionally, you can use different ACE Management Server instances if users travel between offices in different geographic locations.
System Requirements
The following sections describe the ACE Management Server system requirements.

Required Hardware
- A minimum of an 800MHz-compatible x86 and x86-64 architecture processor.
  Compatible processors include: Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including "Prestonia"), AMD, Athlon, Athlon MP, Athlon XP, Duron, Opteron, AMD64 Opteron, and Athlon 64.
  Experimental support for Intel IA-32e CPU.
- 40MB of free space is required for basic installation. VMware recommends at least 10GB of free disk space.
- An 8-bit display adapter is required.
- For local area networking, any Ethernet controller that the operating system supports is sufficient.

Supported Operating Systems
Following are the supported operating systems for ACE Management Server:
- Windows Server 2003 Web Edition SP1 and SP2, Windows Server 2003 Standard Edition SP1 and SP2, Windows Server 2003 Enterprise Edition SP1 and SP2 (includes 64-bit and R2 editions)
- Windows XP Professional (includes 64-bit editions)
- Windows 2000 Server Service Pack 4 and Windows 2000 Advanced Server Service Pack 4
- Red Hat Enterprise Linux Advanced Server 4.0 with Update 4
- SUSE Linux Enterprise Server 9 Service Pack 3

Supported External Databases
An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:
- For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g
  NOTE Your server name must be either the machine name in English or the IP address. International characters are not supported.
  If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

Supported Proxies
You can deploy ACE Management Server with the following HTTPS proxy solutions:
- Apache Proxy: Using mod_proxy
- Zeus Technology Load Balancer: A commercially available load balancer and traffic management solution

Required Web Browsers
The browser-based ACE Management Server Setup application and the VMware ACE Help Desk application require one of the following Web browsers:
- Mozilla Firefox 1.52 or higher
- Internet Explorer 6.0 or higher

Licensing
You must configure the server and enter the serial number in the server setup Web application. If you do not, you cannot connect to the server in Workstation.
Your serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. Workstation and ACE instances cannot connect to an ACE Management Server with an expired or nonexistent license.
Chapter 2 Planning an ACE Management Server Deployment
Database Options
ACE Management Server offers the following database options:
- Embedded SQLite database: The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.
  The SQLite database is file-based and is not designed to be effectively shared across multiple processes. If you use third-party tools to access the database for a read operation, therefore, you cannot depend on transactional isolation of the pending write operations of the ACE Management Server.
  The embedded database is adequate for testing purposes, but VMware recommends that you use an external database in production environments.
- Supported external database: In production environments, use a supported external database as a backing store for ACE Management Server, through ODBC connectivity. Supported external database engines are the following:
  - For Windows-based ACE Management Server, use Microsoft SQL Server (SQL Server 2000 or SQL Server 2005) or Oracle Database 10g installed on the same system or a different Windows system
  - For Linux-based ACE Management Server, use PostgreSQL 7.4 or higher installed on the same system or a different Linux system
  Using an external database with ACE Management Server offers the following benefits:
  - Online backup, so that you do not have to shut down ACE Management Server to back up the database.
  - Enhanced security model. You can fine-tune permissions to access sensitive data. The SQLite database engine provides only file-system-based security.
  - Performance fine-tuning.
  - Ability to use external database management and reporting tools.
  - Ability to use load balancers with multiple ACE Management Server instances. You must use an external RDBMS as the backing store, because the SQLite database is not designed to be effectively shared across multiple processes.
Active Directory Authentication Options
Active Directory integration provides the following benefits:
- Permits joining an operating system that is running an ACE instance to the domain remotely.
- Provides search functions so you can quickly find a particular individual or group.
- Enables you to use Active Directory Users and Groups to configure role-based access to the features of ACE Management Server.
Performing Capacity Planning
ACE Management Server enables you to manage ACE instances and policies in real time. The number of clients that a single ACE Management Server can serve depends on several key factors:
- Database throughput and scalability
- LDAP throughput (if you are using Active Directory)
- Network bandwidth available for incoming client requests
- ACE policy configuration
- Load balancers for very large deployments (more than 5,000 clients)
NOTE If ACE Management Server is deployed in the DMZ, use an external database located inside your corporate network behind a firewall.
Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.
Database Throughput and Scalability
For production deployments, VMware recommends that you use Oracle, MS SQL, or Postgres as your database platform.
More than 95 percent of the storage space that an ACE Management Server requires is used to log event information, which is an audit trail of all transactions performed through ACE Management Server. Table 2-2 lists recommended database sizes based on the number of clients being served.
The figures in the table are based on a 90-day database archival period. Back up the database records every 90 days and keep event logs for 90 days. You can configure ACE Management Server to purge event logs every 90 days.
The authentication event generates most of the data because an event is generated every time someone attempts to authenticate to ACE Management Server. You can configure ACE Management Server to log less event information. See Logging Events on page 36.

LDAP Throughput
ACE Management Server can communicate with your Active Directory domain controller to authenticate user credentials. Your domain controller infrastructure handles the LDAP traffic required to support the number of clients that you anticipate.
Integrating with Active Directory through LDAP is implemented differently in the Windows ACE Management Server than in the Linux-based ACE Management Server. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.

Network Bandwidth and Policy Update Frequency
The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.

Table 2-1. Number of Clients Supported
Hardware                                          Recommended Clients
2GHz AMD 2-way server (Opteron 280, 4GB RAM)      6,000
2GHz Intel 2-way desktop machine (4GB RAM)        4,000

Table 2-2. Database Storage Recommendations
Number of Clients    Recommended Database Size
100                  50 Mb
1,000                500 Mb
10,000               5,000 Mb
- Traffic from ACE Management Server to Active Directory is encrypted: If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. LDAP traffic is encrypted at the application layer. Credentials are protected by using the Kerberos protocol to authenticate credentials.
- Sensitive configuration options are encrypted: Passwords stored in the configuration file are encrypted.
- Database security: The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.
SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient. URLs that require an SSL connection start with https.
During ACE Management Server installation, the following two files are created:
- server.key: An RSA 1024-bit key; this is the private key.
- server.crt: A self-signed certificate. Its signature is verified by the public key, which is embedded in the certificate. This public certificate is valid for 10 years from the date and time at which the server is installed. The certificate file is encoded in PEM format.
By default, these files are stored in the SSL directory in the VMware ACE Management Server program directory.
VMware Player, which runs the ACE instances, does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. Using self-signed certificates is adequate for most security needs.
You can, however, use a certificate issued by a certificate authority. If you have multiple ACE Management Server instances, you can use one certificate for all or you can use a different certificate on each one.
Using SSL Certificates and Protocol
When an ACE-enabled virtual machine connects to an ACE Management Server, it downloads the public certificate for that server and any chain of certificates required to verify the server's public certificate. A server certificate might have a chain of several certificates that must be verified step by step until the verification process reaches the root, or trusted, certificate in the certificate store. The first time a connection is made to a server by any ACE-enabled virtual machine on a Workstation administrator machine, the certificate and its verification chain are downloaded to the Workstation host system.
The store or collection of certificates that is downloaded when an ACE-enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE-enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server. It verifies that the certificates that are in the ACE package match those that the server provides. If they do not match exactly, VMware Player displays an error message and does not run the instance.
VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.
If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key-certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public key certificates, typically for a fee.
Accessing ACE Management Server from Outside the Corporate Firewall
All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management Server traffic.
Because of the number of data connections that the ACE Management Server must make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.
Figure 2-2. Recommended Deployment for External Access
ACE Management Server can be deployed with the following HTTPS proxy solutions:
- Apache Proxy: Using mod_proxy
- Zeus Technology Load Balancer: A commercially available load balancer and traffic management solution
Avoid the following problems when you use a proxy for traffic into an ACE Management Server:
- SSL termination: If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy server and ACE Management Server. Or, use the ACE Management Server certificate chain to embed the HTTPS proxy certificate verification chain in the ACE package. An example of a proxy server that terminates SSL connections is Apache Proxy. The Zeus load balancing products support SSL pass-through, which means that the SSL connection is terminated at ACE Management Server.
- Multiple ACE Management Server SSL certificates: If you are deploying multiple ACE Management Server instances behind a load balancing solution, all ACE Management Server instances must use the same SSL key and certificate pair. You can also use the ACE Management Server certificate chain feature to embed every SSL certificate verification chain into the ACE package.
- DNS resolution: When you create an ACE-enabled virtual machine, you must specify a host name for ACE Management Server. This host name must resolve to the appropriate IP address for both internal and external clients. Internally, it can resolve to ACE Management Server itself. Externally, it can resolve to the HTTPS proxy server.
Because the traffic coming into ACE Management Server is plain HTTPS traffic and the server is stateless, you can deploy many other configurations to provide external access to an ACE Management Server. When you design your deployment, think of ACE Management Server as a Web server with secure traffic.
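The exact-match rule from the SSL certificate section and the same-key-and-certificate requirement for a terminating proxy or load-balanced instances come down to one operational check: does every endpoint an ACE package connects to present the server.crt that the package pins? The script below is an added example, not part of the manual or of the ACE Management Server product; it uses the openssl command-line tool to compare SHA-256 fingerprints of the pinned server.crt copy against what each endpoint presents, and warns before the 10-year self-signed certificate runs out. The certificate path and the host:port endpoints on the command line are assumptions.

```shell
#!/bin/sh
# Added example (not from the VMware manual). Compares the certificate each
# endpoint presents with the server.crt an ACE package pins, and checks the
# remaining validity of that certificate. Needs the openssl CLI.

# SHA-256 fingerprint of a PEM certificate file, as 64 hex characters.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g'
}

# SHA-256 fingerprint of the leaf certificate a TLS endpoint presents.
# $1 = host, $2 = port, $3 = name to send as SNI (the name in the package).
# Compares the leaf only; add -showcerts to s_client to examine the chain.
server_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
        | sed -e 's/^.*=//' -e 's/://g'
}

# 0 when both fingerprints are present and identical, 1 otherwise.
# An empty fingerprint (handshake failed, no certificate) never matches.
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# 0 if the certificate in $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Verdict for one endpoint. $1 = pinned PEM file, $2 = host, $3 = port.
check_endpoint() {
    pinned=$(cert_fingerprint "$1")
    seen=$(server_fingerprint "$2" "$3" "$2")
    if fingerprints_match "$pinned" "$seen"; then
        echo "OK       $2:$3 presents the pinned certificate $pinned"
    else
        echo "MISMATCH $2:$3 presents ${seen:-no certificate}; package pins $pinned"
        return 1
    fi
}

# Usage: sh check_pinned_cert.sh server.crt ace.example.test:443 \
#            ams1.internal.test:443 ams2.internal.test:443
# (host names are assumed examples: the external name that resolves to the
# DMZ proxy, then each instance behind the load balancer). Exit status is
# non-zero if any endpoint differs or the certificate expires within 90 days.
main() {
    pinned_cert=${1:-server.crt}
    shift
    status=0
    for endpoint in "$@"; do
        host=${endpoint%:*}
        port=${endpoint##*:}
        check_endpoint "$pinned_cert" "$host" "$port" || status=1
    done
    if ! cert_valid_for_days "$pinned_cert" 90; then
        echo "WARNING  $pinned_cert expires within 90 days; every pinned copy must be rotated together"
        status=1
    fi
    return $status
}

if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

A MISMATCH against the proxy but OK against the instances is the SSL-termination case the list above describes: the proxy is presenting its own certificate rather than the one embedded in the package.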
Deployment Planning Worksheet
Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.
[Figure 2-2 diagram labels: external client -> external firewall -> HTTPS proxy server -> internal firewall -> AMS server, with HTTPS traffic (443) on both sides of the proxy; back-end connections from the AMS server: ODBC, NETBIOS (port 137), DNS, KRB5 (port 88), LDAP (port 389)]
Chapter 3 Installing and Configuring ACE Management Server
Install ACE Management Server on a Linux System
You can install ACE Management Server on the following Linux systems:
- Red Hat Enterprise Linux 4
- SUSE Linux Enterprise Server 9 SP3
Before you begin, make sure the system meets these requirements:
- A working installation of Apache 2.0 is installed on the system. (The RPM for a Web server is included with the Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 installation.)
- Apache Web service is operating normally and is receiving requests for SSL HTTP.
- The mod_ldap and mod_ssl modules are available on your system.
- The following packages are installed on your Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 system: curl, openldap, openssl, apache, and gdbm.
- For SUSE Linux Enterprise Server 9, the cyrus-sasl-gssapi package is installed. This package is not installed by default.
- When you use the external database option, the following packages are required as well:
  - Red Hat Enterprise Linux 4: unixODBC
  - SUSE Linux Enterprise Server 9: unixODBC and, if you plan to use the X11 graphical configuration tool, unixODBC-gui-qt
- The clock is synchronized and the required ports are available, as described in Preparing for Installation on page 21.
Use this installation procedure to install or update ACE Management Server software.

To install ACE Management Server on a Linux system
1 Download the .rpm file from the VMware Web site and save the file on the system that is to host the server.
  The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Run the Red Hat or SUSE Linux RPM installer for ACE Management Server:
  vmware-ace-management-server-.i386-rhel4.rpm
  vmware-ace-management-server-.i386-sles9.rpm
  For example:
  rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm
3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:
  a Open the following file with a text editor: /etc/sysconfig/apache2
  b Add the ldap config option to the APACHE_MODULES variable.
  c Save and close the file.
After ACE Management Server is installed, you can configure it. See Start and Configure ACE Management Server on page 26.
Install an ACE Management Server Appliance
The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small operating system in a virtual machine. Although the appliance is adequate for test environments, VMware recommends that you do not use it in production environments.
Before you begin, make sure the clock is synchronized and the required ports are available, as described in Preparing for Installation on page 21.

To install an ACE Management Server appliance
1 Download the .zip file for the appliance from the VMware Web site and save the file on the system that is to host the server.
2 Extract the files to the directory where the server is to be located.
3 Start Workstation, choose File > Open to open, and select the ams_appliance.vmx file.
4 Click the Power On button to start the virtual appliance.
5 At the password prompt, enter a password and confirm it.
  This password is used for both root and network accounts. Make a note of this password so that you can use it for later appliance management operations from the console and the Web.
  The appliance configures its network by using DHCP.
  The console view displays the following information:
  - Current network settings
  - URLs for remotely administering the appliance and configuring the ACE Management Server itself
  If you press Return at the login prompt, the information appears again.
6 At the time zone prompt, accept the current setting or make a change as needed.
7 (Optional) To configure the server to use a static IP address or to specify a proxy server, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Network link on the first page of the browser-based ACE Management Server Setup application.
  e To view instructions about configuring network settings, click the Help link in the upper right corner of the Web page.
  f After you change network settings, click Apply.
8 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Update link on the first page of the Appliance Configuration and Management Web application and complete the Appliance Update page.
  e To view instructions about configuring update options, click the Help link in the upper right corner of the Web page.
9 When you finish configuring any network or update settings, navigate to the ACE Management Server Setup Web application to configure the server.
  To access that application, choose one of these methods:
  - From the Appliance Management and Configuration Web application page, click the ACE Login link in the upper right corner of the page.
  - From a command prompt window, close the window, open a browser, and enter the URL for the ACE Management Server Setup Web application:
    https://:8000/
10 Click Configuration to open the Web application.

Verify That the Apache Service Is Started or Restarted
If you installed ACE Management Server on a Linux host, verify that the Apache service is started before you attempt to log in.
For troubleshooting purposes, you might occasionally need to manually restart the Apache service that ACE Management Server uses.

To verify that the Apache service is started or restarted
Do one of the following:
- On Windows hosts:
  a Click the Apache icon in the taskbar.
  b Select Apache2 in the menu that appears.
  c Choose the appropriate command:
    - To start the service if it is stopped, click Start. If the service is already started, this command is unavailable.
    - To restart, click Stop and then click Start. Ensure that you click Stop and Start rather than Restart.
- On SUSE Linux Enterprise Server 9 hosts or in the virtual machine that contains the ACE Management Server appliance:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:
    /etc/init.d/apache2 status
    If the status is started, you can log in to ACE Management Server. See Start and Configure ACE Management Server on page 26.
  c Enter the appropriate command:
    - To start the service if it is stopped, enter the following command:
      /etc/init.d/apache2 start
    - To restart the service, enter the following commands:
      /etc/init.d/apache2 stop
      /etc/init.d/apache2 start
- On Red Hat Enterprise Linux 4:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:
    /etc/init.d/httpd status
    If the status is started, you can log in to ACE Management Server. See Start and Configure ACE Management Server on page 26.
  c Enter the appropriate command:
    - To start the service if it is stopped, enter the following command:
      /etc/init.d/httpd start
    - To restart the service, enter the following commands:
      /etc/init.d/httpd stop
      /etc/init.d/httpd start

Start and Configure ACE Management Server
Before you begin, make sure that the following prerequisites are satisfied, as applicable:
- If you installed ACE Management Server on a Linux host or are using the ACE Management Server appliance, verify that the Apache server is running. See Verify That the Apache Service Is Started or Restarted on page 25.
- If this is the first time you are logging in, make sure you have the serial number for the product. The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.
- If you plan to use an external database, Active Directory integration, or custom SSL certificates, you must perform some setup tasks before you can configure ACE Management Server. See the following topics, as applicable:
  - Create Users and Groups for Integration with Active Directory on page 29
  - Set Up an External Database on page 30
  - Prepare Custom Security Certificates on page 33

To start and configure ACE Management Server
1 Open a Web browser and go to https://:8000.
  The value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.
  If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Accept the license agreement and click Start.
  The configuration tabs appear as they do in subsequent logins, but for the first login, wizard buttons such as Next and Back also appear.
3 Complete the information on each tab and click Next.
  The only fields that require changes and do not have default settings are the Serial Number field on the Licensing tab and the Administrator password on the Access Control tab.
  For information about specific fields and tabs, click Help on the tab.

Log In to ACE Management Server
The first time you log in to ACE Management Server, you must set a password. The next time you log in, you must provide that password or provide Active Directory credentials if you configured the server to use Active Directory for authentication.
Communications between Workstation and ACE Management Server take place over a secure SSL connection.
If the server is integrated with Active Directory service, enter your administrative credentials in one of the formats shown in Table 3-2.
To log in to ACE Management Server
1 Open a Web browser and go to https://:8000.
The value can be the fully qualified name of the computer on which ACE Management Server is installed, or it can be an IP address.
If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Do one of the following:
To configure ACE Management Server, click Configuration.
To view and take actions on ACE instances managed by this server, click Help Desk.
3 Enter login credentials.
If you use Active Directory for authentication, see Table 3-2. In multidomain environments, you might be required to enter a domain (for example, eng.com).
Table 3-2. Login Options When Using Active Directory Service

Option: long name + password + domain name
Description: The long name is the format.
Example: John Doe

Option: long name + password
Description: The long name is the format. Leave the Domain field blank.
Example: John Doe

Option: short name + password + domain
Description: The short name is the sAMAccountName.
Example: ace (the short form of the long name ACE User)

Option: short name + password
Description: The short name is the sAMAccountName. Leave the Domain field blank.
Example: ace (the short form of the long name ACE User)

Option: email address + password
Description: You can only use this option for a domain that is accessed through a direct connection. Leave the Domain field blank.

Option: NETBIOSDOMAINNAME\username + password
Description: The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS). Leave the Domain field blank.

Option: username + password + NETBIOSDOMAINNAME
Description: The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS).
4 Configuration Options for ACE Management Server
After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.
This chapter includes the following topics:
"Prerequisites for Configuring the Server" on page 29
"Starting ACE Management Server Configuration" on page 34
"Viewing and Changing Licensing Information" on page 34
"Using an External Database" on page 35
"Creating Access Control" on page 35
"Uploading Custom SSL Certificates" on page 36
"Logging Events" on page 36
"Applying Configuration Settings" on page 37
Prerequisites for Configuring the Server
If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before you configure the ACE Management Server.
Create Users and Groups for Integration with Active Directory
To use Active Directory for authenticating users, add users to an Active Directory group and create a user so that ACE Management Server can query LDAP.
When you configure ACE Management Server to use LDAP, follow these guidelines to avoid negatively affecting performance:
The default domain is the domain for which the LDAP host is a domain controller.
The query user is a user in the default domain.
The admin user group is a group that exists in the default domain.
Integrating with Active Directory through LDAP is implemented differently in the Windows-based ACE Management Server than in the Linux-based ACE Management Server. The operating systems differ in the libraries they use to connect to Active Directory and in the external databases they support. The Windows ACE Management Server uses the WinLDAP library bundled with the Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than the Linux implementation.
To create users and groups for integration with Active Directory
1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying.
Make a note of the sAMAccountName value for that user (for example, aceuser).
2 Create an ACE Administrators group in the domain.
3 Add ACE administrator users to the ACE Administrators group.
4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.
You can log in to the Help Desk Web application with your administrative LDAP credentials or password. Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does not give them access to other administrative tools.
Set Up an External Database
Before you begin, make sure that you have one of the following supported database servers:
For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g
If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher
Before you install the database on a Linux host, make sure the unixODBC RPM package is installed on the Linux system. VMware recommends that you update the package to the latest version released for your specific Linux distribution. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API.
The package contains the libodbc shared library, providing the ODBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both Red Hat Enterprise Linux and SUSE Linux Enterprise Server 9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package.
Also, make sure the unixODBC-gui-qt package is installed (this utility is included in the Red Hat Enterprise Linux unixODBC package). This package is required to use the ODBCConfig X11 graphical configuration tool for setting up a data source name (DSN).
To set up an external database
1 Install a database server on a host.
The external database does not have to be installed on the same server as ACE Management Server, but it must be installed on the same platform. For example, if ACE Management Server is installed on a Windows host, the database server must also be installed on a Windows host.
ACE Management Server creates the database schema automatically if proper access rights are granted.
2 Configure the database.
Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages.
All tables that are created in the database have a name starting with a PolicyDb_ prefix, and indexes have PdbIns_ or PdbLf_ prefixes. You might provide ACE Management Server with a DSN to a database that it shares with some other application, if the database count is at a premium.
3 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:
TCP connectivity is enabled in the database configuration options.
The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.
If you are using a PostgreSQL database, configure per-user permission to connect to the database over the network. Configure that permission in the pg_hba.conf file, which is located in the root folder of your database.
4 (Optional) On the ACE Management Server machine, to verify the server's connectivity to the database with the configured user credentials, run a command-line or graphical SQL tool.
Examples of such tools are sqlcmd.exe for SQL Server, sqlplus.exe for Oracle, and psql for PostgreSQL. For database configuration and verification instructions, see the respective database documentation.
5 On the ACE Management Server machine, create a System DSN entry.
Creating a System DSN Entry for an External Database
The only required information in DSN configuration is the DSN name, server IP address or host name, and the database name. You do not need to provide a user name and password in the DSN configuration. You provide a user name and password later, when you use the ACE Management Server Setup application.
Ensure that you create a system DSN and not a user DSN. If you create a user DSN, it is visible only to your user account. ACE Management Server runs under the local system account, so the server cannot detect or use a user DSN.
Create a System DSN Entry for a Windows Database
Regardless of whether the host is 32-bit or 64-bit, you create a DSN entry for a 32-bit system.
Before you begin, to determine the correct ODBC driver, see your operating system and database documentation.
To create a System DSN entry for a Windows database
1 Do one of the following:
On 32-bit hosts, use the ODBC Data Sources plugin by choosing Control Panel > Administrative Tools > Data Sources (ODBC).
On 64-bit hosts, navigate to %WINDIR%\syswow64\odbcad32.exe and use that program to create a System DSN entry for a 32-bit subsystem.
ACE Management Server does not support ODBC using an SQL Native Client driver on Windows 64-bit systems.
2 Create an entry that includes the DSN name, server IP address or host name, and the database name.
3 (Optional) If the DSN Setup wizard provides an option to test the connection, verify that the connection works with the database user credentials.
4 Make a note of the database DSN, user name, and password.
You can now use the browser-based ACE Management Server Setup application to connect to this database.
Create a System DSN Entry for a Linux Database
On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plugin.
Before you begin, determine the correct ODBC driver:
On Red Hat Enterprise Server, the driver is located at /usr/lib/libodbcpsql.so.
Enable Database Connection Pooling on Linux
Enabling database connection pooling for databases on Linux hosts can give a substantial performance gain under high loads. ACE Management Server can reuse database connections rather than opening new connections for every request.
Enable database connection pooling in the ODBC Driver Manager (it is disabled by default) to optimize performance for servers on Linux platforms.
On Windows platforms, ODBC connection pooling is enabled by default.
To enable database connection pooling on Linux
1 Start the ODBCConfig utility as a root user.
2 Click the Advanced tab.
3 Select the Connection Pooling check box.
Set Up a Connection Between the Server Appliance and an External Database
The ACE Management Server appliance does not contain a PostgreSQL database server. You can, however, use an external database server with the appliance.
To set up a connection between the server appliance and an external database
1 Log in to the server appliance console as root, using the password you created during your first run of the server appliance.
2 Open the /etc/odbc.ini file in a text editor.
For example:
vaos# vi /etc/odbc.ini
This file contains the postgres_dsn setting for the ODBC DSN.
3 Uncomment all lines in the postgres_dsn entry except the first two.
To uncomment lines, delete the pound sign (#) at the beginning of each line.
4 Replace placeholders with the PostgreSQL database server DNS name or IP address and the database name of this server.
5 Use the default port number or set a different port number.
6 Save the file.
After you complete this task, postgres_dsn appears in the drop-down menu on the Database tab in the ACE Management Server Setup application.
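The following is an added example, not code from the manual or from VMware, of writing a Linux system DSN such as the postgres_dsn entry above with a text editor's worth of shell and then checking it against the rules on this page: the entry records only the DSN name, server and database; no user name or password is stored (the Setup application supplies those later); the entry must live in the system odbc.ini, not in a user's ~/.odbc.ini; and driver-manager connection pooling is switched on in odbcinst.ini, which is the setting the ODBCConfig Advanced tab toggles. The driver path is the one the manual gives for Red Hat; the host name db.example.com, the database name acedb and the scratch file locations are constructed values.

```shell
#!/bin/bash
# Added example (not from the manual): manage a unixODBC system DSN for the
# ACE Management Server database and audit it for stored credentials.
# The host name, database name and the ini paths passed in are assumptions.

# Append a DSN section. Credentials are intentionally omitted: the Setup
# application supplies the user name and password at configuration time.
write_postgres_dsn() {
    local ini=$1 dsn=$2 server=$3 database=$4 port=${5:-5432}
    cat >> "$ini" <<EOF
[$dsn]
Description = ACE Management Server policy database
Driver      = /usr/lib/libodbcpsql.so
Servername  = $server
Port        = $port
Database    = $database
EOF
}

# Print the lower-cased key names of one DSN section, one per line.
dsn_keys() {
    local ini=$1 dsn=$2
    awk -v want="[$dsn]" '
        /^[ \t]*[#;]/                { next }          # skip comment lines
        tolower($0) == tolower(want) { in_sec = 1; next }
        /^[ \t]*\[/                  { in_sec = 0 }    # any other section ends it
        in_sec && /=/ { sub(/[ \t]*=.*/, ""); gsub(/[ \t]/, ""); print tolower($0) }
    ' "$ini"
}

# Returns 0 when the DSN exists, names a server and a database, and stores no
# credentials; prints the reason and returns 1 otherwise.
audit_dsn() {
    local ini=$1 dsn=$2 keys required
    keys=$(dsn_keys "$ini" "$dsn")
    if [ -z "$keys" ]; then echo "audit: no section [$dsn] in $ini" >&2; return 1; fi
    for required in servername database; do
        if ! printf '%s\n' "$keys" | grep -qx "$required"; then
            echo "audit: [$dsn] is missing $required" >&2; return 1
        fi
    done
    if printf '%s\n' "$keys" | grep -Eqx 'username|password|uid|pwd'; then
        echo "audit: [$dsn] stores credentials; remove them from the DSN" >&2; return 1
    fi
    return 0
}

# A DSN in the invoking user's ~/.odbc.ini is a user DSN, which the server,
# running as the local system account, cannot see.
is_system_dsn_file() {
    [ "$1" != "$HOME/.odbc.ini" ]
}

# Turn on driver-manager connection pooling in odbcinst.ini (the setting behind
# the ODBCConfig Advanced tab's Connection Pooling check box).
enable_pooling() {
    local inst=$1
    if [ -f "$inst" ] && grep -qi '^[[:space:]]*pooling[[:space:]]*=' "$inst"; then
        sed -i 's/^[[:space:]]*[Pp]ooling[[:space:]]*=.*/Pooling = Yes/' "$inst"
    else
        printf '\n[ODBC]\nPooling = Yes\n' >> "$inst"
    fi
}

pooling_enabled() {
    grep -qi '^[[:space:]]*pooling[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# Demo against scratch copies; on the appliance the targets would be
# /etc/odbc.ini and /etc/odbcinst.ini.
demo=$(mktemp -d)
write_postgres_dsn "$demo/odbc.ini" postgres_dsn db.example.com acedb
audit_dsn "$demo/odbc.ini" postgres_dsn && echo "postgres_dsn in $demo/odbc.ini passes the audit"
enable_pooling "$demo/odbcinst.ini"
```

Run the audit again after any hand edit of /etc/odbc.ini: a DSN that fails it because a Username or Password key crept in is the case the manual warns against, since the credentials would then sit in a world-readable file instead of in the server's configuration.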
Prepare Custom Security Certificates
To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files. These files must be PEM-encoded.
After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL Certificates tab in the ACE Management Server Setup application.
To prepare custom security certificates
1 Create or provide the needed files:
For your own self-signed certificate, use the openssl utility to create a new self-signed certificate.
For a third-party CA or internal CA, obtain an SSL certificate signed by that CA, and a certificate verification chain file.
The chain file is a concatenation of every certificate required to verify the new SSL certificate you created or obtained. Steps for obtaining the certificate chain vary, depending on which host operating system you are using and on the source from which the CA certificate is obtained.
A private key file. SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient.
The certificate signatures must use the SHA1 algorithm digest. The files must be PEM-encoded.
2 Rename the files, as follows:
Rename the private key file to server.key.
Rename the certificate file to server.crt.
Rename the certificate chain file to chain.crt.
You can now use the ACE Management Server Setup application to upload the certificate files.
View the Properties of the Self-Signed Certificate File
This file is stored in the SSL directory in the VMware ACE Management Server program directory.
To view the properties of the self-signed certificate file
Do one of the following:
On a Windows host, navigate to the location of the server.crt file and double-click the file name.
On a Linux host, use the following command:
openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text
To replace an expired certificate, see "Prepare Custom Security Certificates" on page 33. Do not modify certificates to make them permanent.
Starting ACE Management Server Configuration
If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before configuring the ACE Management Server. See "Prerequisites for Configuring the Server" on page 29.
The text that appears on the Start tab changes, depending on whether you have done an initial configuration:
If this page says This server has not been configured yet, you must click Start to complete the configuration setup wizard.
If this page says This server is configured, the Next and Previous wizard buttons do not appear. You can navigate to other tabs by clicking a tab.
Viewing and Changing Licensing Information
After you enter an ACE Management Server serial number, use the Licensing tab to determine the expiration date, if any.
The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.
If the system on which you installed ACE Management Server currently has more than one valid server license, just one license appears on the page.
You can use the Licensing tab to add or change a serial number, user name, or company name.
If you make changes to the information on this tab, you must click Apply or Cancel before you can navigate to another tab.
Using an External Database
The embedded database is an SQLite database. VMware recommends that you use an external database in production environments.
The embedded database is initialized during server installation and requires no special configuration. This database is adequate for testing purposes but is not designed to be effectively shared across multiple processes.
Before you can configure the ACE Management Server to use an external database, you must create a system DSN and credentials for accessing that data source. See "Set Up an External Database" on page 30.
Use the following information to help you complete the fields on the Database tab:
Data Source Name (DSN): Data source name you used when you created a system DSN entry on the ACE Management Server machine.
User Name and Password: Credentials for a user account that has full access to the database, including rights to create tables.
After you enter the database connection credentials, the setup application checks for an existing database.
If the existing schema is not compatible, no schema is available, or the schema cannot be upgraded, you must choose whether to overwrite the existing schema and data. If you overwrite the existing schema and data, a new schema is created. If you do not overwrite the existing schema and data, the configuration application quits.
If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even if you do not rerun the setup application.
If you make changes to the information on the Database tab, you must click Apply or Cancel before you can navigate to another tab.
Creating Access Control
On the Access Control tab, you can create a local Administrator role and Help Desk role, or use Active Directory for authenticating users with these roles.
Before you can configure the ACE Management Server to use a domain account for authentication, you must create users and groups so that ACE Management Server can connect to the LDAP server. See "Create Users and Groups for Integration with Active Directory" on page 29.
Use the following information to help you complete the fields for authentication:
Local account: If you specify a password for the Administrator role and forget or lose it, you must delete the server configuration file. Deleting this file sets the server back to its initial state. You must reconfigure the server and set the administrator password again.
Domain account (LDAP): To use Active Directory for authentication, specify the host and credentials that the ACE Management Server uses to connect to and query the domain controller:
Host Name: Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP address or a host name with no parent domain name (for example, ldap).
Query User sAMAccountName and Query User Password: Use the password and short name for the user account you created for this purpose in Active Directory.
Query User Domain: The domain must be the domain for which the LDAP host is a domain controller.
Admin Group DN and Help Desk Group DN: (Optional) Enter the distinguished name for these groups, which you created for this purpose in Active Directory (for example, cn=Users,dc=simplecorp,dc=com).
If this option is not enabled, anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.
Help Desk Role or Group DN: Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from the Help Desk application. Users in this role cannot access other administrative tools. You can still log in to the Help Desk Web application with your administrative LDAP credentials or local Administrator password.
CAUTION After you enter credentials, if the message Compatible schema exists. Do you want to reinitialize the schema and overwrite the existing data? appears, select Use existing schema and data unless you want to erase all data in your existing database. To reinitialize the database at some later time, you can reopen this configuration application and return to this page.
If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you can navigate to another tab.
Uploading Custom SSL Certificates
To have ACE Management Server use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), use the Custom SSL Certificates tab to upload the PEM-encoded files.
Before you can upload custom SSL certificates, you must create and rename the certificate files. See "Prepare Custom Security Certificates" on page 33.
By default, during ACE Management Server installation, the following two files are created:
server.key: This RSA 1024-bit key is the private key.
server.crt: This self-signed certificate is valid for 10 years from the date and time at which the server is installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate file is encoded in PEM format.
When you run an ACE instance, the VMware Player application uses the complete certification chain that is included in its package, not on the host, to verify connections made to ACE Management Server. Therefore, the use of self-signed certificates is adequate for most security needs.
When you click Upload certificates, a summary page displays the files and locations you specify on this tab. Note the location of any backup files. You might need to use the backup if you find that the new file is invalid when you click Apply.
After you upload custom SSL certificates, you must update any existing ACE-enabled virtual machines to use a new certificate and key file. To do so, use Workstation to create an update package. When you deploy the new package, ACE instances receive the new certificate file and certificate chain.
Logging Events
The server collects log entries for events that change the database. On the Logging tab, you can set the logging levels and set an option for purging log entries.
ACE Management Server uses the following logging categories:
ACE Administration: Logs events for instance creation, update, and destruction.
Package Administration: Logs events for package creation, update, instance customization, and package removal.
Policy Administration: Logs events for policy set update and publish, user access control changes, and instance passwords set by an ACE administrator.
Instance Administration: Logs ACE instance lifecycle events, such as creation, copying, revocation, re-enablement, and deletion. Also logs instance password change by a user or an administrator, changes in expiration for each instance, changes of instance guest or host operating system information, and setting instance custom fields. The debug level can be used to log the most ubiquitous traffic, such as policy update requests from active instances. Failed instance verifications are logged only at the debug level.
Authentication: Logs events for every authentication request, such as administration or help desk authentication attempts (at the normal level), instance authentication (at the informational level), and remote LDAP password change. Set logging for this category to the lowest level that is practical for you. This category can generate a large volume of entries.
For each category, you can choose one of the following logging levels:
None: No log entry is made for this event.
Critical: An example of a critical log event is one that removes all packages, instances, and policies associated with an ACE-enabled virtual machine.
Normal: This level of detail is sufficient to answer most queries.
Informative: Entries for nondestructive events that have limited effect.
Debug: Entries for every client access of the server. It provides more records of certain event types, creating a large number of logging entries compared to other log levels. It logs all informational transactions, such as instance status and so on.
Use the Event Log Purging control to configure the amount of logging information retained. The purge maintenance process runs approximately every six hours.
If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can navigate to another tab.
Applying Configuration Settings
The Restart page appears when you click Apply on one of the tabs. You must restart the server for the configuration settings to take effect.
If you click Later, you can always restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.
5 Load-Balancing Multiple ACE Management Server Instances
If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.
This chapter includes the following topics:
"Typical Setup Using Load-Balanced ACE Management Server Instances" on page 40
"Install the Required Services for Load Balancing" on page 40
"Use the Same SSL Certificate on All Servers" on page 41
"Create New SSL Certificates and Keys for Each Server" on page 41
"Installing and Configuring the Load Balancer" on page 43
"Verify That ACE Instances Are Using the Load Balancer" on page 43
Typical Setup Using Load-Balanced ACE Management Server Instances
A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load-balancing group, the number of clients that you can serve scales linearly. For example, if you can serve 2,000 clients with one server, using two load-balanced servers allows you to serve 4,000 clients.
Figure 5-1 shows a simple deployment topology for using load balancing.
Figure 5-1. Two ACE Management Server Instances Working Together
To use a setup similar to the one depicted, you must have the following:
Two or more machines (or virtual machines) to host the ACE Management Server processes
An external database to host the ACE Management Server data
A load-balancing solution to manage traffic
Install the Required Services for Load Balancing
Services include multiple ACE Management Server instances, an external database, and Workstation.
To install the required services for load balancing
1 Install the ACE Management Server package on two or more machines (or virtual machines).
See "Installing and Upgrading ACE Management Server" on page 22.
2 Configure each ACE Management Server separately to access the same external database.
See "Start and Configure ACE Management Server" on page 26.
Both ACE Management Server installations must be able to identify the same data store so that either installation can field queries for clients and scale the number of clients that can be served.
3 To verify that both ACE Management Server instances are working properly, start Workstation and connect to each ACE Management Server directly:
a In Workstation, choose File > Connect to ACE Management Server.
b Enter the IP or host name of the machine where ACE Management Server is installed, change the number in the Port field if necessary, and click OK.
[Figure 5-1 image not reproduced in this text. It shows ACE Management Server 1 and ACE Management Server 2 behind a load balancer (optional); three AMS clients connect over HTTPS, and each server connects to the database server over ODBC and to the Active Directory domain controller over LDAP/Kerberos.]
Figure 5-2. Creating the Certificate Chain File
To create new SSL certificates and keys for each server
1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm).
The procedure varies, depending on the tools you use. To determine how to create these certificates and keys, see the documentation for your platform. Each certificate must have a unique common name and a unique serial number.
2 If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate.
The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the leaf certificate (including the root certificate of the chain).
a Download the verification chain from your certificate authority.
b Each certificate must be in PEM format before you create the certificate chain file.
To convert to PEM format, use the OpenSSL tools available online.
c Create the certificate chain file by concatenating each PEM-encoded certificate into one file.
If both of your certificates are self-signed, your certificate chain file must be a file that contains both certificates concatenated.
If you received your certificates from the same certificate authority, the chain file must contain only the verification chain for these certificates, and the chains must be the same.
If the certificates come from different certificate authorities, the chain file must contain both certificate verification chains.
For example, if you are using two ACE Management Server instances, you have two certificate chain files.
3 Join all of the certificate chain files into one file.
If you can, eliminate the duplicate entries.
4 Convert the servers' SSL certificates to PEM format.
5 Add the servers' SSL certificates in PEM format to the certificate chain file.
[Figure 5-2 image not reproduced in this text. It shows the Root SSL Certificate and the Intermediary SSL Certificate (the certificate verification chain) and the ACE Management Server #1 and ACE Management Server #2 SSL Certificates (the server SSL certificates), each converted to PEM and then appended to the Certificate Chain File.]
6 On the Custom SSL Certificates tab, upload the SSL certificate file, the SSL key file, and the certificate chain file:
a Specify the key file in the Server Private Key field.
b Specify the certificate file in the Server Public Certificate field.
c Click Upload certificates.
d Click Apply and click Restart.
Complete this step for every ACE Management Server in your farm to upload files to each ACE Management Server.
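The following is an added example, not code from the manual or from VMware, that carries out steps 1 through 5 of the procedure above with openssl, and also covers the single-server case in "Prepare Custom Security Certificates" on page 33 (there, the one key and certificate pair are renamed to server.key and server.crt and the chain file to chain.crt). It builds an internal root CA and an issuing (intermediate) CA, issues one key and certificate per server with a unique common name and a unique serial number, concatenates the root, the intermediate and the servers' PEM certificates into one chain file, and verifies each server certificate against that file. The CA names, the host names ams1.example.com and ams2.example.com, and the output directory are constructed. The manual requires SHA-1 certificate signatures; because current OpenSSL builds and distribution crypto policies commonly refuse SHA-1 signatures, the example signs with SHA-256 by default and takes DIGEST=sha1 from the environment where that version requirement still applies.

```shell
#!/bin/bash
# Added example (not from the manual): build an internal CA, issue one
# key/certificate pair per ACE Management Server, and assemble the combined
# certificate chain file described in the load-balancing procedure.
# The CA names, server host names and output directory are assumptions.
DIGEST=${DIGEST:-sha256}   # the manual's SHA-1 requirement: DIGEST=sha1

# Self-signed root CA certificate and key in $1.
make_root_ca() {
    local dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes "-$DIGEST" -days 3650 \
        -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
}

# Intermediate (issuing) CA signed by the root. basicConstraints CA:TRUE is
# required, or verification of the server certificates below fails.
make_intermediate_ca() {
    local dir=$1
    openssl req -new -newkey rsa:2048 -nodes "-$DIGEST" -subj "/CN=Example Issuing CA" \
        -keyout "$dir/intermediate.key" -out "$dir/intermediate.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca_ext.cnf"
    openssl x509 -req -in "$dir/intermediate.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -set_serial 1 -days 1825 "-$DIGEST" -extfile "$dir/ca_ext.cnf" \
        -out "$dir/intermediate.crt" 2>/dev/null
}

# Server certificate for host $2 with serial $3 (step 1: unique CN and serial).
issue_server_cert() {
    local dir=$1 host=$2 serial=$3
    openssl req -new -newkey rsa:2048 -nodes "-$DIGEST" -subj "/CN=$host" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -in "$dir/$host.csr" -CA "$dir/intermediate.crt" \
        -CAkey "$dir/intermediate.key" -set_serial "$serial" -days 365 "-$DIGEST" \
        -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null
}

# Steps 2-5: every PEM certificate needed to verify the leaves (root first),
# followed by the servers' own certificates, in one chain.crt.
build_chain_file() {
    local dir=$1 host; shift
    cat "$dir/root.crt" "$dir/intermediate.crt" > "$dir/chain.crt"
    for host in "$@"; do
        cat "$dir/$host.crt" >> "$dir/chain.crt"
    done
}

# Number of PEM certificates in a file; a DER file would count zero.
count_pem_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1"
}

# Signature algorithm as openssl reports it, e.g. sha256WithRSAEncryption.
signature_digest() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm/ { print $3; exit }'
}

# Does chain file $1 verify server certificate $2?
verify_server_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Whole run: CAs, one certificate per named server, chain file, verification.
build_farm_certs() {
    local dir=$1 serial=1000 host; shift
    make_root_ca "$dir" && make_intermediate_ca "$dir" || return 1
    for host in "$@"; do
        serial=$((serial + 1))
        issue_server_cert "$dir" "$host" "$serial" || return 1
    done
    build_chain_file "$dir" "$@"
    for host in "$@"; do
        verify_server_cert "$dir/chain.crt" "$dir/$host.crt" || return 1
    done
}

# Demo with two constructed host names: each $host.key/$host.crt pair plus
# chain.crt are the files step 6 uploads to that server.
out=$(mktemp -d)
build_farm_certs "$out" ams1.example.com ams2.example.com && \
    echo "chain.crt holds $(count_pem_certs "$out/chain.crt") certificates in $out"
```

The verify step is the check worth keeping after the upload as well: `openssl verify -CAfile chain.crt <server>.crt` must succeed for every server in the farm, and `signature_digest` confirms which digest the signatures actually carry before the files go to the Custom SSL Certificates tab.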
Installing and Configuring the Load Balancer
ACE Management Server uses HTTPS to communicate with its clients. You can use any load-balancing solution that supports HTTPS with ACE Management Server.
Install the load balancer and configure port 443 (HTTP over SSL) for load balancing. Do not configure port 8080 or 8000 for load balancing. These two ports are used for configuration. Port 8080 is the virtual appliance configuration port and 8000 is the ACE Management Server configuration port.
Verify That ACE Instances Are Using the Load Balancer
After you configure multiple ACE Management Server instances to work with a load balancer and install the necessary SSL certificates, perform verification. Verify that ACE instances can connect to ACE Management Server instances by using the address of the load balancer.
Before you begin, restart Workstation so that Workstation can download the SSL certificate when a connection to the ACE Management Server is established.
To verify that ACE instances are using the load balancer
1 Create an ACE-enabled virtual machine.
2 Open the policy editor.
3 Select Policy Update Frequency.
4 Select Disable Offline Usage.
5 Click OK.
6 Remove the first ACE Management Server from the load-balancing configuration so that all traffic goes to the second ACE Management Server.
7 Preview the ACE instance.
This preview creates an instance on the ACE Management Server.
8 Close the ACE Player.
9 Remove the second ACE Management Server from the load-balancing configuration and add the first ACE Management Server back to the configuration.
All traffic goes to the first ACE Management Server.
10 Preview the same ACE instance again, and when prompted whether to reinstantiate or reuse the instance, select Use Existing Instance.
If the instance starts successfully, both servers are using the same SSL certificate.
Use the VMware ACE Help Desk Application
ACE administrators and help desk assistants can access ACE instances through the VMware ACE Help Desk Web application. You can use the Help Desk to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.
To use the VMware ACE Help Desk application
1 Open a Web browser and go to https://:8000.
The value can be the fully qualified name of the computer on which ACE Management Server is installed, or it can be an IP address.
If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Click the Help Desk link.
3 Supply the login information.
Use the following information to help you complete the fields that appear in this window:
User Name and Password: If a help desk role was created, enter credentials for that role. Otherwise, enter credentials for administering the ACE Management Server.
Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).
The VMware ACE Help Desk opens the Instances page, which contains a summary table of all the instances that the server manages.
Use the Instance View in Workstation
ACE administrators can access ACE instances through the instance view. You can use the instance view to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.
The instance view in Workstation enables you to perform all the tasks available in the VMware ACE Help Desk and a few more tasks. In the instance view, you can create custom columns and save the searches you create.
You must have administrator credentials to use the instance view.
An instance has one of the following status types:
Active: The instance is active and available for immediate use.
Deactivated: This instance was purposely deactivated. You must reactivate it to make it usable again.
Blocked by policies: The instance is still active but is blocked (cannot be run) because of a violation of a policy such as expiration date or copy protection. For details, view the server log for that instance.
The Valid From and Valid Until columns indicate the period that the instance is valid. The instance expires after the Valid Until date. If no expiration date is set for the instance, those columns are empty.
To use the instance view in Workstation
1 From the Workstation menu bar, choose File > Connect to ACE Management Server.
2 Specify the fully qualified host name or the IP address and click OK.
In most cases, the default port number does not need to be changed.
3 Complete the login window.
Use the following information to help you complete the fields that appear in this window:
User Name and Password: Enter credentials for administering the ACE Management Server.
Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).
Search for an Instance
You can use the search function to query the ACE Management Server database for one or more particular ACE instances. Search criteria are joined with AND, not OR, operations.
To search for an ACE instance
1 Click Search and specify the criteria to be included when the database is queried.
Use the following information to help you specify search criteria:
Activated By: Activation method, such as password, Active Directory user, or activation key. If no such activation method exists, N/A appears in the column.
ACE VM Name: Name of the ACE-enabled virtual machine from which the ACE instance was created.
Guest Name: (For Windows guests only) Computer name resolved on the user's machine during instance customization, if you use that feature. The NetBIOS name is reported here, and it is a maximum of 15 characters long. Even if the actual computer name contains more characters, the name always appears as the NetBIOS name.
Custom columns: Custom columns that you created appear directly below the Guest MAC Address criterion.
Exact match only: Values are case sensitive.
Save as: (Available in the Workstation instance view only) Saved searches are specific to each server. You can edit or delete your saved searches by selecting the name of a saved search in the Saved Searches drop-down menu and clicking Options.
2 Click Search.
In the search results, the total number of instances appears just below the table.
3 To navigate through a large number of results, do one of the following:
In the VMware ACE Help Desk, click the previous and next arrows at the right of the status bar at the bottom of the Instances table.
In the instance view in Workstation, scroll down.
4 To return to the full list, do one of the following:
In the VMware ACE Help Desk, click the Back to all instances link, located below the Search button.
In the instance view in Workstation, click Clear Search.
Sort by Column Heading and Change Column Width
You can reorder the instances in the table alphabetically or numerically, depending on the selected column's contents, in ascending or descending order.
To sort by column heading and change column width
1 Click the column heading of the column to sort.
Click again to re-sort in the opposite (ascending or descending) order.
2 To change column widths, click a column divider and drag it to a new width.
Show, Hide, and Move Columns in the Instance View
Although you can sort and resize columns in either the VMware ACE Help Desk or the Workstation instance view, you can show, hide, and move columns only in the Workstation instance view.
Column changes for one server do not affect other servers.
To show, hide, and move columns in the instance view
1 In Workstation, connect to the ACE Management Server and log in.
See Use the Instance View in Workstation on page 46.
2 To show or hide a column, right-click the column heading row and select or deselect the column to show or hide.
If you show a column that was previously hidden, the column is added to the right side of the table.
3 To move a column, click the column header, drag the column to a new location, and release the mouse button.
Create or Delete Custom Columns in the Instance View
Custom columns enable you to add categories of information about the instances that an ACE Management Server manages. For example, you can add a Help Ticket column to record the ID associated with end users' support requests.
You can create custom columns only in the Workstation instance view. In the instance view table, you can add, delete, and rename up to nine custom columns.
To create or delete custom columns in instance view
1 In Workstation, connect to the ACE Management Server and log in.
See Use the Instance View in Workstation on page 46.
2 Right-click the column heading row and choose Add Custom Column.
3 Type a name for the new column in the Name text box and click OK.
4 To change the name of or delete a custom column, right-click the custom column header and choose a command from the context menu.
After you create a custom column, use the Instance Details page for each ACE instance to add information to display. See Add Information for Custom Columns on page 50.
View Instance Details
The Instance Details page displays all of the same information shown on the summary page, and it includes information about the ACE instance's policy settings.
You can reactivate, deactivate, or change the expiration date from the Instance Details page, as you can from the summary page. The following tasks are available only from the Instance Details page:
Changing the copy protection ID
Resetting the authentication password
Adding information for custom columns
To view instance details
1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 If you use the VMware ACE Help Desk, to view details about network access, click the links under Zone, Host Access, or Guest Access.
You can view the Zones or Rules Detail page for this zone or this type of network access.
The Everywhere and Everywhere else zone settings are not linked to a Zones Detail page because they are self-explanatory.
Reactivate, Deactivate, or Delete an ACE Instance
You can immediately deny or allow access to an instance by deactivating or reactivating it. After you deactivate an instance, you can delete it from the list of instances that the server manages.
To reactivate, deactivate, or delete an ACE instance
1 Select the instance by clicking its instance row.
2 Click the Deactivate or Reactivate icon in the upper-left corner of the Instances page.
3 If you clicked Reactivate, when prompted, reset the expiration dates.
4 (Optional) If you clicked Deactivate, click Delete to delete the instance row.
5 Click OK.
Change a Copy Protection ID
If an end user attempts to copy or move a copy-protected ACE instance, the user receives an error message that contains a new copy protection ID. After the end user sends that ID to you, the administrator, you can use it to replace the original ID.
The Copy Protection ID field is always active, so you can change the ID at any time.
CAUTION If you change a copy protection ID for an active instance, the original instance no longer runs.
To change a copy protection ID
1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 Do one of the following:
In the VMware ACE Help Desk, replace the alphanumeric string in the Copy Protection ID field with a new ID and click the Save icon at the top of the page.
In Workstation, click the Policies tab, replace the copy protection ID with a new ID, and click OK.
Reset the Authentication Password
You can reset passwords for instances with user-specified passwords. The new password must have at least one character. That limit is only the server's floor; choose a password that satisfies your organization's password policy.
To reset the authentication password
1 Select the instance by clicking its instance row.
2 Click the View detail icon at the top of the table or double-click the instance row.
3 Click Reset Password and specify a new password.
In the Workstation instance view, this button appears on the Policies tab.
4 Send the new password to the user in an email message.
Unless the message is encrypted, the password travels in the clear, so treat it as a temporary credential and confirm the user's identity before you send it.
7 Troubleshooting and Maintenance
This chapter includes the following topics:
Troubleshooting Configuration Problems on page 51
Configuring Multiple ACE Management Server Instances to Use SSL on page 53
Database Backup on page 53
Troubleshooting Configuration Problems
Common configuration problems include resolving connection problems and port conflicts and resetting ACE administrator passwords.
Connection Problems Between a Linux ACE Instance and ACE Management Server
If an ACE instance on a Linux host cannot contact the server, determine whether a firewall or proxy setting is blocking or rerouting HTTPS traffic on port 443.
By default, HTTPS traffic from VMware Player to ACE Management Server is routed on port 443. Rather than disabling the firewall outright, permit outbound TCP traffic to the server on that port, or exempt the server from the proxy setting, so that VMware Player-to-server traffic can reach it.
Change the Port Assignment for ACE Management Server
ACE Management Server is a module running on the Apache 2.0 platform. To change the port that the server listens on, you must manually edit the Apache configuration file.
To change the port assignment for ACE Management Server
1 Using a text editor, open the ACE Management Server component HTTP configuration file.
Depending on the server's operating system, the file is placed in one of the following locations:
Windows: C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf
Red Hat Enterprise Linux 4: /etc/httpd/conf.d/acesc.conf
SUSE Linux Enterprise Server 9 SP3: /etc/apache2/conf.d/acesc.conf
This path is different if VMware ACE Management Server is installed in a different location. Use the path you established for your server.
2 Locate the line entry in the file that reads Listen 443 and change the port number.
You cannot use port 8000, which the server uses for configuration, or port 8080, which the ACE Management Server appliance uses.
3 Locate the section header for the Virtual Server configuration for port 443.
4 Change the port number in the section header to the desired port number.
For example, to change to port 8443, change 443 to 8443.
5 Save the file.
6 Stop and start the Apache service. For instructions, see Verify That the Apache Service Is Started or Restarted on page 25.
When you create an ACE-enabled virtual machine, you can specify which port is to be used to communicate with ACE Management Server.
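The following Python script, added here as an example and not part of the manual or of the VMware product, performs steps 2 through 4 on the configuration text and enforces the reserved-port rule from step 2. SAMPLE_CONFIG is a constructed fragment standing in for httpd.conf or acesc.conf, and the <VirtualHost _default_:443> section header is assumed to have the usual Apache form, because the manual does not reproduce that line. On a real server you would read and write the file from step 1 and then restart Apache as in step 6.

```python
"""Move ACE Management Server to a new listening port by editing the Apache config.

Added example, not from the manual or the VMware product. SAMPLE_CONFIG is a
constructed stand-in for httpd.conf / acesc.conf; the <VirtualHost ...:443>
header form is assumed (the manual does not reproduce that line).
"""
import re

# Ports the manual says you cannot reuse, and why.
RESERVED_PORTS = {
    8000: "ACE Management Server configuration interface",
    8080: "ACE Management Server appliance",
}

LISTEN_RE = re.compile(r"^([ \t]*Listen[ \t]+)(\d+)[ \t]*$", re.MULTILINE)
VHOST_RE = re.compile(r"^([ \t]*<VirtualHost[ \t]+[^:>\s]+:)(\d+)(>)", re.MULTILINE)

SAMPLE_CONFIG = """\
# constructed fragment standing in for the ACE Management Server HTTP configuration
Listen 443
<VirtualHost _default_:443>
    ServerName acesc.example.com
    SSLEngine on
</VirtualHost>
"""


def is_allowed_port(port):
    """A valid TCP port that is not one of the two reserved ones."""
    return 1 <= port <= 65535 and port not in RESERVED_PORTS


def listening_ports(config_text):
    """Ports named by Listen directives in the configuration text."""
    return {int(m.group(2)) for m in LISTEN_RE.finditer(config_text)}


def change_listen_port(config_text, old_port, new_port):
    """Return the configuration with the Listen line and every VirtualHost
    header for old_port moved to new_port (steps 2 to 4 of the procedure)."""
    if not is_allowed_port(new_port):
        reason = RESERVED_PORTS.get(new_port, "not a valid TCP port")
        raise ValueError(f"port {new_port} cannot be used: {reason}")

    changed = {"Listen": 0, "VirtualHost": 0}

    def swapper(kind):
        def swap(match):
            if int(match.group(2)) != old_port:
                return match.group(0)  # directive for some other port: leave it alone
            changed[kind] += 1
            tail = match.group(3) if kind == "VirtualHost" else ""
            return match.group(1) + str(new_port) + tail
        return swap

    new_text = LISTEN_RE.sub(swapper("Listen"), config_text)
    new_text = VHOST_RE.sub(swapper("VirtualHost"), new_text)
    # Refuse to write a half-edited file: both directives must have been found.
    if changed["Listen"] != 1 or changed["VirtualHost"] < 1:
        raise ValueError(f"unexpected configuration layout, changed {changed}")
    return new_text


if __name__ == "__main__":
    print(change_listen_port(SAMPLE_CONFIG, 443, 8443))
```

The script refuses to return a partially edited configuration: if the Listen line and the section header are not both found for the old port, nothing is written, which avoids the state in which Apache listens on one port while the virtual host is bound to another.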
Delete the Server Configuration File and Set a New Administrator Password
If you lose or forget the administrator password, you must delete the configuration file and reconfigure the server. As part of that configuration, you set a new password.
To delete the server configuration file and set a new administrator password
1 Navigate to the location of the ACE Management Server configuration file.
Depending on the server's operating system, the file is placed in one of the following locations:
Windows: C:\Program Files\VMware\VMware ACE Management Server\conf\acesc.conf
Linux: /var/lib/vmware/acesc/conf/acesc.conf
2 Save a copy of the file to a new location so that you can refer to it when you reconfigure the server.
The copy holds the server's configuration, so store it where only administrators can read it and delete it when the reconfiguration is complete.
3 Delete the original configuration file.
4 Start the ACE Management Server Setup application and configure the server again, specifying a password on the Access Control tab.
See Start and Configure ACE Management Server on page 26.
5 Continue with the ACE Management Server Setup application in one of the following ways:
If this is the initial configuration of the server, click Next.
If you are reconfiguring the server, click Apply and click Restart or Later.
If you click Later, you must restart the server for the configuration changes to take effect. You can restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.
Because this procedure requires only the ability to delete the configuration file and run the Setup application, the administrator password does not protect against anyone who already has that level of access to the server host. Restrict access to the host and to the configuration directory accordingly.
Restore a Backup Copy of an SSL Certificate
If you upload an invalid certificate file, the ACE Management Server Setup application fails when you click Apply and then Restart, and you cannot restart the Apache service. To fix this problem, restore the backup certificate file for the corresponding certificate.
To restore a backup copy of an SSL certificate
1 Navigate to the ACE Management Server directory where the backup is stored.
The file names use the following format:
<filename>.<date>-<time>
The <filename> value is one of the following:
server.crt: The server public certificate
server.key: The server private key
chain.crt: The certificate chain
The <date> portion of the file name is in the format YYYYMMDD (year, month, day).
The <time> portion of the file name is in the format HHMMSS (hours, minutes, seconds).
For example, a file name might be server.crt.20070216-095344.
2 Save the file in the correct location, in the ssl directory under its original name (for example, ssl/server.crt), and restart the Apache server manually.
See Verify That the Apache Service Is Started or Restarted on page 25.
Backup copies of server.key are private keys. Keep the same restrictive file permissions on them as on the live key, and on the restored copy.
3 Start the ACE Management Server Setup application and use the Custom SSL Certificates tab to upload the backup copy.
See Start and Configure ACE Management Server on page 26.
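As an added example, not part of the manual or the product, the following Python script does steps 1 and 2 of the procedure mechanically: it parses the <filename>.<date>-<time> naming scheme, picks the newest backup of the requested file, and copies it over the live file in the ssl directory. The directory layout, file contents, and ssl/ path created by make_sample_layout are constructed for the example; the real directory is the one where the server keeps its backups. The Apache restart in step 2 and the re-upload in step 3 are left to the administrator.

```python
"""Restore the newest timestamped backup of an ACE Management Server SSL file.

Added example, not from the manual or the product. The backup directory, its
file contents and the ssl/ destination are constructed for the example.
"""
import os
import re
import shutil
import stat
import tempfile
from datetime import datetime

# <filename>.<YYYYMMDD>-<HHMMSS>, restricted to the three names the manual lists.
BACKUP_NAME = re.compile(
    r"^(?P<name>server\.crt|server\.key|chain\.crt)\.(?P<date>\d{8})-(?P<time>\d{6})$"
)


def parse_backup_name(filename):
    """Return (name, timestamp) for a valid backup file name, else None.
    strptime rejects names whose digits do not form a real date or time."""
    m = BACKUP_NAME.match(filename)
    if not m:
        return None
    try:
        stamp = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S")
    except ValueError:
        return None
    return m.group("name"), stamp


def latest_backup(backup_dir, name):
    """Path of the most recent backup of name (server.crt, server.key or chain.crt)."""
    candidates = []
    for entry in os.listdir(backup_dir):
        parsed = parse_backup_name(entry)
        if parsed and parsed[0] == name:
            candidates.append((parsed[1], entry))
    if not candidates:
        raise FileNotFoundError(f"no backup of {name} in {backup_dir}")
    return os.path.join(backup_dir, max(candidates)[1])


def restore_latest(backup_dir, ssl_dir, name):
    """Copy the newest backup over ssl/<name>. The rejected live file is kept
    as <name>.invalid for inspection; a private key is restored owner-only."""
    src = latest_backup(backup_dir, name)
    dst = os.path.join(ssl_dir, name)
    if os.path.exists(dst):
        os.replace(dst, dst + ".invalid")
    shutil.copyfile(src, dst)
    if name == "server.key":
        os.chmod(dst, stat.S_IRUSR | stat.S_IWUSR)  # 0600: copied files inherit the umask otherwise
    return src


def make_sample_layout():
    """Constructed directory: several backups, a bad timestamp, a junk name,
    and an ssl/ directory holding the invalid upload that broke Apache."""
    root = tempfile.mkdtemp()
    files = {
        "server.crt.20070216-095344": "CERT-20070216",
        "server.crt.20070301-120000": "CERT-20070301",
        "server.crt.20071399-000000": "NOT-A-DATE",  # month 13: must be skipped
        "server.key.20070216-095344": "KEY-20070216",
        "notes.txt": "unrelated",
    }
    for fname, content in files.items():
        with open(os.path.join(root, fname), "w") as fh:
            fh.write(content)
    ssl_dir = os.path.join(root, "ssl")
    os.mkdir(ssl_dir)
    with open(os.path.join(ssl_dir, "server.crt"), "w") as fh:
        fh.write("INVALID-UPLOAD")
    return root, ssl_dir


def run_demo():
    """Restore server.crt and server.key in the constructed layout and report what happened."""
    root, ssl_dir = make_sample_layout()
    chosen = os.path.basename(restore_latest(root, ssl_dir, "server.crt"))
    restore_latest(root, ssl_dir, "server.key")
    with open(os.path.join(ssl_dir, "server.crt")) as fh:
        restored = fh.read()
    with open(os.path.join(ssl_dir, "server.crt.invalid")) as fh:
        kept = fh.read()
    key_mode = stat.S_IMODE(os.stat(os.path.join(ssl_dir, "server.key")).st_mode)
    return {"chosen": chosen, "restored": restored, "kept": kept, "key_mode": key_mode}


if __name__ == "__main__":
    print(run_demo())
```

Keeping the rejected file as <name>.invalid lets you examine what was wrong with the upload before you repeat step 3, and selecting the newest backup by parsed timestamp rather than by file modification time means a backup that was itself restored from an older copy does not win by accident.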
Configuring Multiple ACE Management Server Instances to Use SSL
You might configure multiple ACE Management Server instances to use SSL in the following scenarios:
Multiple servers behind one or more proxy servers:
Each server can have its own SSL key and certificate (ACE Management Server and proxy server). The cert_chain file must contain the certificate file and verification chain for the SSL certificates that the proxy servers are using. Place this cert_chain file in each ACE Management Server.
When self-signed certificates are being used, the actual certificate is the verification chain. The chain file contains each self-signed certificate that the proxies are using.
You can also use the same key and certificate for every server and proxy. In this case, you do not need to create a cert_chain file. Sharing one private key across every server and proxy also means that a compromise of any one of them compromises all of them, so prefer per-server keys wherever the chain-file setup is workable.
Each certificate must have a unique common name.
Multiple servers using DNS round robin:
Each server can have its own SSL key and certificate (ACE Management Server and proxy server). The cert_chain file must contain the certificate and verification chain for every certificate that the servers use. Place this certificate chain file in each ACE Management Server.
When self-signed certificates are being used, the actual certificate is the verification chain. The chain file contains each self-signed certificate that each of the servers is using.
You can use the same key and certificate for every server. In this case, you do not need to create a cert_chain file.
See also Load Balancing Multiple ACE Management Server Instances on page 39.
Database Backup
If you are using an external database, use a backup and recovery strategy that is appropriate for your database system. Back up your ACE Management Server database on a regular basis to ensure that the database can be recovered promptly if needed.
If you are using the embedded database, you can use standard file backup tools, such as ntbackup or dd. The data is stored in one of the following locations:
Windows: C:\Program Files\VMware\VMware ACE Management Server\db\acesc.bin
Linux: /var/lib/vmware/acesc/db/acesc.bin
If you are using the embedded database in a production environment, stop the server, copy the file to a different location for the backup, and restart the server. SQLite is file-based, so if the server is left running, the ACE Management Server process might modify the database file at the same time that it is being copied for backup, and the copy might be an inconsistent snapshot. Because the file is usually not large and is copied quickly, a torn copy is unlikely, but it is not ruled out, so do not rely on a copy taken from a running server without verifying it. The backup contains the same instance and audit data as the live database, so protect it with the same access controls.
Other alternatives for backing up an open database, as recommended by members of the SQLite community, are the following:
Use the sqlite3 command-line tool to log in to the SQLite database. Use the .dump command, store the result in a separate file, and back up that result file. The resulting SQL script re-creates the database.
Use the Shadow Volume Copy mechanism on Windows systems or LVM volume snapshots on Linux (and the crash-restore feature of SQLite) to back up the complete database directory, including journal files if they are present. On a Windows XP SP1 or later operating system, use ntbackup on the database directory.
Use the sqlite3 command-line tool to log in to the SQLite database. Use the BEGIN EXCLUSIVE command, copy the database file, and then use the COMMIT command.
For information to help you use your company's own management or reporting tools or automated scripts with the data in the VRM database, see Appendix: Database Schema and Audit Event Log Data on page 55.
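The following Python script is an added example, not part of the manual or the product, that carries out two of the alternatives above against an embedded (SQLite) database while it is open: the BEGIN EXCLUSIVE, copy, COMMIT sequence, and the .dump equivalent through sqlite3.Connection.iterdump. It also shows the SQLite online backup API, which the manual does not mention. The instance table it creates is constructed for the example and is not the ACE schema; point the functions at the acesc.bin path given above to back up a real server. Every copy is checked with PRAGMA integrity_check before it is trusted, which is the verification the production-environment paragraph above asks for.

```python
"""Consistent backup of a file-based SQLite database while the server is running.

Added example, not from the ACE Management Server manual or product. The table
and rows are constructed for the example; they are not the ACE schema.
"""
import os
import shutil
import sqlite3
import tempfile


def make_sample_db(directory):
    """Create a small constructed database standing in for acesc.bin."""
    path = os.path.join(directory, "acesc.bin")
    conn = sqlite3.connect(path)
    with conn:
        conn.execute("CREATE TABLE instance (id INTEGER PRIMARY KEY, name TEXT, status TEXT)")
        conn.executemany(
            "INSERT INTO instance (name, status) VALUES (?, ?)",
            [("ace-001", "Active"), ("ace-002", "Deactivated"), ("ace-003", "Blocked")],
        )
    conn.close()
    return path


def backup_with_exclusive_lock(db_path, backup_path):
    """The manual's BEGIN EXCLUSIVE alternative: lock, copy the file, COMMIT.

    The exclusive lock stops every other connection (the server process) from
    writing until COMMIT, so the byte copy cannot observe a half-written page.
    This suits a rollback-journal database such as the embedded acesc.bin; a
    WAL-mode database would also need its -wal file copied.
    """
    conn = sqlite3.connect(db_path, isolation_level=None)  # we issue BEGIN/COMMIT ourselves
    try:
        conn.execute("BEGIN EXCLUSIVE")
        shutil.copyfile(db_path, backup_path)
        conn.execute("COMMIT")
    finally:
        conn.close()
    return backup_path


def backup_with_api(db_path, backup_path):
    """SQLite's online backup API copies pages under SQLite's own locking, so
    no manual transaction is needed and readers are not blocked."""
    src = sqlite3.connect(db_path)
    dst = sqlite3.connect(backup_path)
    try:
        src.backup(dst)
    finally:
        dst.close()
        src.close()
    return backup_path


def dump_sql(db_path, script_path):
    """The manual's .dump alternative: an SQL script that re-creates the database."""
    conn = sqlite3.connect(db_path)
    try:
        with open(script_path, "w") as fh:
            for statement in conn.iterdump():
                fh.write(statement + "\n")
    finally:
        conn.close()
    return script_path


def restore_from_dump(script_path, db_path):
    """Rebuild a database from a .dump-style script."""
    conn = sqlite3.connect(db_path)
    try:
        with open(script_path) as fh:
            conn.executescript(fh.read())
    finally:
        conn.close()
    return db_path


def verify_backup(backup_path):
    """Open the copy read-only, run SQLite's integrity check and count rows.
    Returns (integrity_ok, instance_rows)."""
    conn = sqlite3.connect(f"file:{backup_path}?mode=ro", uri=True)
    try:
        (status,) = conn.execute("PRAGMA integrity_check").fetchone()
        (rows,) = conn.execute("SELECT COUNT(*) FROM instance").fetchone()
    finally:
        conn.close()
    return status == "ok", rows


def run_demo():
    """Back up the constructed database all three ways and verify each result."""
    workdir = tempfile.mkdtemp()
    live = make_sample_db(workdir)
    results = {
        "exclusive": verify_backup(backup_with_exclusive_lock(live, os.path.join(workdir, "acesc.bin.bak"))),
        "api": verify_backup(backup_with_api(live, os.path.join(workdir, "acesc.bin.api"))),
    }
    script = dump_sql(live, os.path.join(workdir, "acesc.sql"))
    results["dump"] = verify_backup(restore_from_dump(script, os.path.join(workdir, "acesc.restored")))
    return results


if __name__ == "__main__":
    print(run_demo())
```

Of the three, the backup API is the least disruptive because it never takes the exclusive lock that makes the server's own writes wait; the SQL dump is the most portable because it survives a change of SQLite file format. Whichever you use, the verification step is the part that turns "the file copied quickly" into a checked fact.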
Appendix: Database Schema and Audit Event Log Data
This appendix explains the format of the data stored in the database and the best ways to access this data. This appendix includes the following topics:
Using Database Reporting Tools on page 55
Database Schema on page 55
Querying the Audit Event Log Data on page 59
Using Database Reporting Tools
You can use a third-party database management or reporting tool with the VMware ACE Management Server database. You can create custom reports of the system state by using a reporting tool. You can also use a reporting tool to inspect the audit trail of the administrator or user actions stored in the Event table. For example, you