VMware vCenter Configuration Manager - 5.3 Installation Manual

vCenter Configuration Manager Installation and

Getting Started Guide

vCenter Configuration Manager 5.3

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see

http://www.vmware.com/support/pubs.

EN-000456-00

vCenter Configuration Manager Installation and Getting Started Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

Contents

About This Book 9

Preparing for Installation 11

Using Installation Manager 12 Understanding Installation Configurations 12 Understanding Tools Installation 13 Checking Prerequisites for Installation 13

Hardware and Software Requirements 13 Administration Rights 13 Default Network Authority Account 13 Default Collector Services Account 14 VMware Application Services Account 14 VCM Remote Virtual Directory 14 Secure Communications Certificates 15 Server Authentication 15

Understanding VCM's Use of FIPS Cryptography 17

VCM’s Use of Microsoft Cryptographic Service Providers (CSPs) for Windows Machines 17 Cryptography for UNIX/Linux Platforms 17 Cryptography used in VCM Software Components 18 Supported Windows and UNIX Platforms 18

Installing VCM Using Installation Manager 19

Using the Installation Manager 19

Navigating VCM Installation Manager Screens 19 Installing VCM and the Related Components 19

Upgrading VCM and Related Components 35

Prerequisites 35

Backup and Recovery 35 Assumptions for Upgrading Your VCM Collector and Database 36

Upgrading to VCM 5.3 36

Upgrading the VCM Database Only 36 Upgrading VCM on a 32-Bit System 36 Upgrading to a 64-Bit System 36 Before Upgrading 37

Performing the Upgrade 37 Upgrading Existing Windows Agents 38 Upgrading Existing Remote Clients 39 Upgrading Existing UNIX Agents 40

To Upgrade the UNIX Agent(s) with a Local Package 40

To Upgrade the UNIX Agent(s) with a Remote Package 41 Upgrading VCM for Virtualization 42

Upgrading an Agent Proxy Machine 43

Upgrading the vSphere Client VCM Plug-in 45

Getting Started with VCM Components and Tools 47

Understanding User Access 47

VMware, Inc. 3

vCenter Configuration Manager Installation and Getting Started Guide

Launching and Logging Onto VCM 48

How to Launch VCM and Log On 48 Getting Familiar with the Portal 48

General Information Bar 49

Portal Toolbar 49

Sliders 50 Where to Go Next 52

Getting Started with VCM 53

Discover, License, and Install Windows Machines 53

Verifying Available Domains 53

Checking the Network Authority 54

Assigning Network Authority Accounts 55

Discovering Windows Machines 56

Licensing Windows Machines 59

Installing the VCM Windows Agent on your Windows Machines 61

Performing an Initial Collection 67

Exploring Windows Collection Results 68

Getting Started Collecting Windows Custom Information 72 Discover, License, and Install UNIX/Linux Machines 80

Adding UNIX/Linux Machines 81

Licensing UNIX/Linux Machines 82

Installing the Agent on UNIX/Linux Machines 83

Performing a UNIX/Linux Collection 90

Exploring UNIX/Linux Collection Results 91 Discover, License, and Install Mac OS X Machines 94

Getting Started with VCM for Mac OS X 94

Adding Mac OS X Machines 94

Licensing Mac OS X Machines 96

Installing the Agent on Mac OS X Machines 97

Performing a Mac OS X Collection 103

Exploring Mac OS X Collection Results 106 Discover, License, and Collect Oracle Data from UNIX Machines 108

Adding UNIX Machines Hosting Oracle and Installing the Agent 109

Discovering Oracle Instances 109

Creating the Oracle Collection User Account 110

Performing an Oracle Collection 114

Exploring Oracle Collection Results 114

Reference Information about Oracle 114 Customize VCM for your Environment 115 How to Set Up and Use VCM Auditing 116

Getting Started with VCM for Virtualization 117

Virtual Environment Configuration 117

ESX 2.5/3.x,vSphere 4, and ESXi Servers Collections 118

vCenter Server Collections 118 Configuring Agent Proxy Virtualization Collections 118 Configuring Agent Proxy Machines 120

Licensing Agent Proxy Machines 120

Installing the Agent on the Agent Proxy Machine 121

Performing a Collection Using the Machines Data Type 121

Installing Agent Proxies 122 Configuring ESX/vSphere Servers 123

Copying Files to the ESX/vSphere Server 124

Running Scripts on the ESX/vSphere Server 124

Adding ESX/vSphere Servers to VCM 125

Licensing the ESX/vSphere Server in VCM 126

4 VMware, Inc.

Contents

Licensing ESX/vSphere Server Machines as Virtual Machine (VM) Hosts 127 Configuring Web Services for ESX/vSphere Server Communication 128

Adding the Web Services User to the Administrator Role Using the VI Client/vCenter Client

Installing the ESX Web Services Certificate on the Agent Proxy Machine 130

For ESX 2.5.x Only: Setting Up VirtualCenter to Collect Virtualization Data 134

Adding Web Services Settings 134 Performing an Initial Virtualization Collection 134 Exploring Virtualization Collection Results 135 Configuring vCenter Server Data Collections 137

vCenter Server Collection Prerequisites 137

Collecting vCenter Server Data 141

Reviewing Collected vCenter Server Data 142

Troubleshooting vCenter Server Data Collections 142 About the vSphere Client VCM Plug-in 143

Registering the vSphere Client VCM Plug-in 143

Configuring the vSphere Client VCM Plug-in Integration Settings 144

Getting Started with the vSphere Client VCM Plug-in 145

Upgrading the vSphere Client VCM Plug-in 146 Further Reading 146

129

Getting Started with VCM Remote 147

Getting Started with VCM Remote 147 Installing the VCM Remote Client 148

Installing the Remote Client manually 149 Making VCM Aware of VCM Remote Clients 156 Configuring VCM Remote Settings 156

Creating Custom Collection Filter Sets 156

Specifying Custom Filter Sets in the VCM Remote Settings 156 Performing a Collection Using VCM Remote 157 Exploring VCM Remote Collection Results 157

Getting Started with VCM Patching 159

Getting Started with VCM Patching 159 Getting Started with VCM Patching for Windows Machines 159

Check for Updates to Bulletins 159

Collect Data from Windows Machines Using the VCM Patching Filter Sets 160

Launch an Assessment 161

Explore VCM Patching Windows Assessment Results 165

Deploy Patches to Windows Machines 165 Getting Started with VCM Patching for UNIX/Linux Machines 168

Getting Started 168

Check for Updates to Bulletins 169

Collect Assessment Data from UNIX/Linux Machines 169

Explore Assessment Results and Acquire the Patches 173

Deploy Patches to UNIX/Linux Machines 175

How the Deploy Action Works 176 Further Reading 177

Getting Started with Software Provisioning 179

VMware vCenter Configuration Manager Package Studio 179

Software Repository for Windows 179

Package Manager for Windows 179

Overview of Component Relationships 180 Installing the Software Provisioning Components 180

Install Software Repository for Windows 181

Software Repository Structure 182

VMware, Inc. 5

vCenter Configuration Manager Installation and Getting Started Guide

Manually Uninstall the Repository 182

Install Package Studio 182

Manually Uninstall Package Studio 184

Install Package Manager on Managed Machines 184 Using Package Studio to Create Software Packages and Publish to Repositories 185

Creating Packages 185 Using VCM Software Provisioning for Windows 186

Prerequisites 186

Collect Package Manager Information from Machines 187

Collect Software Repository Data 187

Add Repository Sources to Package Managers 188

Install Packages 189 Related Software Provisioning Actions 190

Viewing Provisioning Jobs in the Job Manager 190

Creating Compliance Rules based on Provisioning Data 190

Creating Compliance Rules containing Provisioning Remediation Actions 191 Further Reading 193

Getting Started with VCM Management Extensions for Assets 195

Getting Started with VCM Management Extensions for Assets 195 Review Hardware and Software Configuration Item Fields 195

Modifying Hardware Configuration Item Fields 196

Modifying Software Configuration Item Fields 198 Adding Hardware Configuration Items 200

Editing Values for Devices 200

Modifying Other Devices 201 Adding Software Configuration Items 202 Further Reading 203

Getting Started with VCM Service Desk Integration 205

Getting Started with Service Desk Integration 205 Service Desk Integration in the Console 205 Service Desk Integration in Job Manager 206 Further Reading 207

Getting Started with VCM for Active Directory 209

Making VCM Aware of Domain Controllers 209

Confirming the Presence of Domains 210

Adding and Assigning Network Authority Accounts 211

Discovering Domain Controllers 211

Verifying Domain Controller Machines in Available Machines 213

Licensing and Deploying the VCM Agent 213

Performing a Machine Data Type Collection 216 Configuring VCM for Active Directory as an Additional Product 216

Deploying VCM for AD to the Domain Controllers 216

Running the Determine Forest Action 218

Running the Setup DCs Action 218 Performing an Active Directory Data Collection 220 Exploring Active Directory Collection Results 223 Further Reading 226

Getting Started with VCM for SMS 227

Getting Started with VCM for SMS 227 Making VCM Aware of the SMS Servers 227 Performing SMS Server Collections 228 Performing SMS Client Collections 229 Exploring SMS Collection Results 229

6 VMware, Inc.

Contents

Viewing SMS Dashboards 229

Viewing SMS Server Data 230

Viewing SMS Client Data 231

Viewing SMS Reports 232 Further Reading 233

Getting Started with Windows Server Update Services 235

Getting Started with Windows Server Update Services 235 Making VCM Aware of the WSUS Server 235 Performing WSUS Server Collections 236 Performing WSUS Client Collections 236 Exploring WSUS Collection Results 237

Viewing WSUS Clients 237

Viewing WSUS Reports 238 Further Reading 238

Accessing Additional Compliance Content 239

Locating the Content Directory 239 Launching the Content Wizard to Import Relevant Content 239 Exploring Imported Content Results in the Portal 239

Installing and Getting Started with VCM Tools 241

Installing the VCM Tools Only 241 Foundation Checker 242 VCM Job Manager Tool 242 VCM Import/Export and Content Wizard (CW) 243

VCM Import/Export 244

Content Wizard 245

Maintaining VCM After Installation 247

Customize VCM and Component-specific Settings 247 Configure Database File Growth 249 Configure Database Recovery Settings 250 Create a Maintenance Plan for SQL Server 2005 250 Incorporate the VCM CMDB into your Backup/Disaster Recovery Plans 258

Troubleshooting Problems with VCM 259

Evaluating Missing UNIX Patch Assessment Results 259 Resolving Reports and Node Summaries Problems 260

To Resolve the Problem 260 Resolving Protected Storage Errors 260

To Resolve the Problem 261 Resetting the Required Secure Channel (SSL) 261

Updating the Web.config Configuration File 261

Updating the VCM Virtual Directory 262

Updating the IIS Settings in VCM 262 Resolving a Report Parameter Error 262

Configuring a Collector as an Agent Proxy 265

Verifying Membership to CSI_COMM_PROXY_SVC on the Agent Proxy Machine 265 Generating Key Pairs on the Agent Proxy Machine 266 Uploading Keys to the Database 266

Index 267

VMware, Inc. 7

vCenter Configuration Manager Installation and Getting Started Guide

8 VMware, Inc.

About This Book

This guide, VCM Installation and Getting Started Guide, describes the steps you must take in order to ensure a successful VMware vCenter Configuration Manager (VCM) installation. This document contains the following information:

Preparing for the VCM installation.

Installing VCM.

Getting started with VCM and its components.

Maintenance and troubleshooting.

Read this document and complete the associated procedures to prepare for a successful installation.

The VCM Installation and Getting Started Guide covers VCM, Foundation Checker, and Service Desk Connector.

Intended Audience

The information presented in this manual is written for system administrators who are experienced Windows or UNIX/Linux system administrators and who are familiar with managing network users and resources, and performing system maintenance.

To use the information in this guide effectively, you must have a basic understanding of how to configure network resources, install software, and administer operating systems. You also need to fully understand your network’s topology and resource naming conventions.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

VMware VCM Documentation

The vCenter Configuration Manager (VCM) documentation consists of the VCM Hardware and Software Requirements Guide, VCM Foundation Checker User's Guide, VCM online Help, this manual, and other

associated documentation.

VMware, Inc. 9

vCenter Configuration Manager Installation and Getting Started Guide

Technical Support and Education Resources

The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

Support Offerings To find out how VMware support offerings can help meet your business needs,

VMware Professional Services

To use online support to submit technical support requests, view your product and contract information, and register your products, go to

http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.

go to http://www.vmware.com/support/services.

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.

10 VMware, Inc.

Preparing for Installation

This chapter provides important information that will help you prepare to install VCM components and tools in your enterprise. This chapter contains the following sections:

Using Installation Manager: Provides an overview of Installation Manager, which is used to install and

activate all VCM components and tools.

Understanding Installation Configurations: Describes the supported installation configurations for

VCM.

Understanding Tools Installation: Explains how VCM tools are installed.

Checking Prerequisites for Installation: Lists the prerequisites you should complete prior to using VCM

Installation Manager to perform the installation.

For an overview of the security precautions you should take before installing VCM, see the VCM Security Environment Requirements Technical White Paper on the VMware vCenter download site.

This document assumes that your hardware and software configuration meets the requirements described in VCM Hardware and Software Requirements Guide. If you have not already done so, verify that your configuration meets the installation requirements by performing a Tools Only installation of VCM Foundation Checker, and then running it once it is installed. If VCM Foundation Checker does not return any errors, then you are ready to proceed. For more information on performing a Tools only installation, see "Installing and Getting Started with VCM Tools" on page 241. If you choose to install and run the Foundation Checker before installation, it is important to uninstall the Foundation Checker before running the Installation Manager.

VMware, Inc. 11

vCenter Configuration Manager Installation and Getting Started Guide

Using Installation Manager

Installation Manager performs new installations as well as upgrades, and provides a highly simplified process for installing components and tools. Installation Manager has a straightforward interface that steps you through the entire installation or upgrade process.

Installation Manager:

Performs the checks to ensure the machine(s) meets the hardware and software prerequisites necessary for installing.

Provides confirmation of the license file you are applying during installation.

Installs VCM and all of its components and tools in the appropriate order on your machine(s).

Tests each progressive step during the installation to ensure that all components were successfully installed and that the licensed components were successfully activated.

In addition, Installation Manager operates with minimal user input, and provides clear feedback on progress throughout the entire installation process.

Installation Manager installs VCM and all of its components on your machine, even those that you have not purchased. However, only the components that have been purchased are licensed by your license file. This enables you to purchase more licenses later, and thereby activate additional components that are already installed.

To install VCM and all of its components and tools for the first time, follow the procedures described in

Using Installation Manager.

IMPORTANT When upgrading to VCM 5.3.0, be aware that you can use Installation Manager to upgrade from VCM 4.11.1 or later.

When performing a new installation or an upgrade, you must have the previous license file available and specify the path to the license file during the installation. Installation Manager will use the license file to activate the components that you have purchased. If you do not have the license file from VCM 4.11.1 or later, contact VMware Customer Support.

Understanding Installation Configurations

Before proceeding, you must have already configured your hardware and installed all of the prerequisite software based on the information in the VCM Hardware and Software Requirements Guide. VCM has two supported installation configurations: the default, single machine installation in which all components and tools are installed on a single machine; and the advanced, “split” installation in which the Collector and the database are installed on two separate machines.

IMPORTANT A split installation across two machines should be used only when your corporate policy requires you to have your SQL Server data stored on a centralized database server. Split installations are implemented and supported only by VMware Customer Support. Installation instructions are not provided in this manual.

Refer to the VCM Hardware and Software Requirements Guide for a detailed diagram of a complete installation.

12 VMware, Inc.

Understanding Tools Installation

The VCM tools include:

Foundation Checker

Job Manager

Import/Export and Configuration Content Wizard (CCW)

Web Services Toolkit

All of the tools are automatically installed. Installation procedures are provided in "Using Installation

Manager" on page 12.

VCM tools may be installed separately on a non-Collector machine as appropriate. To install Tools Only, follow the installation procedures in "Installing and Getting Started with VCM Tools" on page 241

Checking Prerequisites for Installation

This section lists the prerequisites that you should complete prior to using Installation Manager.

Hardware and Software Requirements

Preparing for Installation

Your hardware and software configuration must meet the requirements described in the VCM Hardware and Software Requirements Guide before you can proceed with your installation.

IMPORTANT You can ensure a smooth and efficient installation by validating that your machines meet all the requirements by performing a Tools Only installation of Foundation Checker (see "Installing and

Getting Started with VCM Tools" on page 241) and running it once it is installed. If Foundation Checker

returns no errors, then you are ready to proceed. If your machine(s) do not meet these requirements, the installation cannot proceed.

If you are installing on HP-UX 11.11, Patch PHSS_30966 is required for the HP-UX Agent. If you need assistance, contact VMware Customer Support.

Administration Rights

The User Account of the person performing your installation or upgrade must be all of the following:

A system administrator on the machine(s) on which the installation or upgrade is being performed, and

A system administrator on the database instance that will be used, and

A member of a domain.

The installing User Account should not be the account used to run the SQL Server Services; nor, after installation, should you create a VCM user with the SQL Server Services account credentials.

Default Network Authority Account

The default network authority account must be specified during the installation process. This account, which often is the system administrator’s (for example, a Domain Admin in the Local Admin Group), must be set up in the Local Administrators group on each machine prior to installation. This should have already been completed following the checklist in the VCM Hardware and Software Requirements Guide.

VMware, Inc. 13

vCenter Configuration Manager Installation and Getting Started Guide

The Local System account named NT AUTHORITY\System has unrestricted access to all local system resources. This account is a member of the Windows Administrators group on the local machine, and a member of the SQL Server sysadmin fixed server role. If the NT AUTHORITY\System account does not have access to the VCM installation binary files (possibly because someone removed the account or inherently removed access), the installation will result in an “access denied” error in the first step. Details of this error are not stored in the VCM error log. The solution is to grant access to the NT AUTHORITY\System account from the installation source directory (right-click the folder, select the Security tab, and then make sure the user or user’s group has Full Control of the file/folder). Then run the installation again.

NOTE The network authority account can be changed later in VCM at Administration | Settings | Network Authority.

Default Collector Services Account

The default services authority account must be specified during the installation process. This account, which may not necessarily be the system administrator’s, must exist in the Local Administrators group on the Collector machine. In addition, this account must not be a LocalSystem account.

IMPORTANT If the password for your services account changes, you must also change the password in both the Services Management and Component Services DCOM Config consoles.

To change your services password in the Services Management console, click Administrative Tools | Services. Locate all of the services that use the services account to log on. Right click each of these services, then select Properties. Click the Log On tab, and then update the password field to reflect your new password.

To change your services password in the Component Services DCOM Config console, click

Administrative Tools | Component Services. Expand the Component Services node, then select Computers | My Computer | DCOM Config. Right click the LicenseDcom file, then select Properties.

Click the Identity tab, and then update the password field to reflect your new password.

VMware Application Services Account

The VMware Application Services Account must be a domain user. Because this account will have full administrative authority for the CSI_Domain database, it should never be used as a VCM login or for any other purpose.

VCM Remote Virtual Directory

The VCM Remote Virtual Directory account must be specified during the installation process. This account should not be the same account you used for your Default Network Authority Account and/or your Default Services Account to reduce the chances of a security risk to those accounts.

NOTE The service account can be changed later if necessary using the IIS Management console.

14 VMware, Inc.

Preparing for Installation

Secure Communications Certificates

VCM uses Transport Layer Security (TLS) to secure all HTTP communication with Windows and UNIX Agents in HTTP mode (includes all UNIX Agents and Windows Agents in HTTP mode). TLS uses certificates to authenticate the Collector and Agents to each other. You must specify certificates for the Collector and for the Enterprise during the installation process. If you plan to use your own certificates, familiarize yourself with the certificate names so that you can select them during installation.

To be valid, a Collector certificate must meet the following criteria:

The Collector certificate must be located in the local machine personal certificate store.

The Collector certificate must be valid for Server Authentication. If any Enhanced Key Usage extension or property is present, it must include the Server Authentication OID 1.3.6.1.5.5.7.3.1. If the Key Usage extension is present, it must include DIGITAL_SIGNATURE.

The Collector certificate must not be expired.

If you want Installation Manager to generate the Collector and Enterprise certificates for you, select the Generate option during installation.

NOTE If you will be installing more than one Collector that will communicate with the same Agent(s), or you plan to replace/renew your certificates at a later date, there are special considerations for generating and selecting certificates in VCM Installation Manager. For more information about VCM and Transport Layer Security (TLS), see Transport Layer Security Implementation for VCM.

Server Authentication

Server Authentication is a method of authenticating the server to the client. VCM supports server authentication. In VCM environments where TLS is employed, VCM Agents verify the identity of the Collector (or Collectors) through the use and verification of certificates (over HTTP).

Typically, the server authenticates a client/user by requiring information, such as a user name and password. When server authentication is used, the client/user verifies that the server is valid. To accomplish this verification using TLS, the server provides a certificate issued by a trusted authority, such as Verisign®. If your client web browser has the Verisign® Certified Authority certificate in its trusted store, it can trust that the server is actually the web site you are accessing.

TLS uses certificates managed by a public key infrastructure (PKI) to guarantee the identity of servers and clients. A certificate is a package containing a public key and information that identifies the owner and source of that key, and one or more certifications (signatures) verifying that the package is authentic. To sign a certificate, an issuer adds information about itself to the information already in the certificate request. The public key and identifying information are hashed and signed using the private key of the issuer’s certificate.

Certificates are defined by the X.509 RFC standard, which includes fields that form a contract between the creator and consumer. The Enhanced Key Usage extension specifies the use for which the certificate is valid, including Server Authentication.

Enterprise and Collector Certificates

An Enterprise Certificate and one or more Collector Certificates enable secure HTTP Collector-Agent communication in VCM. The Enterprise Certificate enables VCM to operate in a multi-Collector environment. Agents have the Enterprise Certificate in their trusted certificate stores, which they use implicitly to validate any certificate issued by the Enterprise Certificate. All Collector Certificates are expected to be issued by the Enterprise Certificate, which is critical in environments where a single Agent

VMware, Inc. 15

vCenter Configuration Manager Installation and Getting Started Guide

is shared between two collectors.

Server Authentication is required to establish a TLS connection with an Agent. All Collectors should have a common Enterprise Certificate. Each Collector Certificate is issued by the Enterprise Certificate, and is capable of Server Authentication.

The Collector Certificate is used to initiate and secure a TLS communication channel with an HTTP Agent. The Agent must be able to establish that the Collector Certificate can be trusted, which means that the Collector Certificate is valid and the certification path starting with the Collector Certificate ends with a trusted certificate. By design, the Enterprise Certificate is installed in the Agent’s trusted store, and the chain ends with the Enterprise Certificate.

A Collector Certificate can also be used to issue Agent certificates. As long as all Collector Certificates are issued by the same Enterprise Certificate, any Agent Certificate may be issued by any Collector Certificate, and all Agents will be able to trust all Collectors. Similarly, all collectors will be able to validate all Agent Certificates. Agent Certificates are used for Mutual Authentication only. Mutual authentication is supported, but requires interaction with VMware Customer Support and a Collector Certificate that also has certificate signing capability.

The Collector Certificate and associated private key must be available to the Collector. This certificate is stored in the (local machine) personal system store.

Collector Certificates in VCM must adhere to the requirements specified above in Secure Communications Certificates.

Delivering Initial Certificates to Agents

VCM Agents use the Enterprise Certificate to validate Collector Certificates. Therefore, the Agent must have access to the Enterprise Certificate as a trusted certificate. In most cases, VCM will deliver and install the Enterprise Certificate as needed.

Installing the Agent from a Disk (Windows® only): The VCM Installation DVD does not contain customer-specific certificates. If HTTP is specified, the manual VCM Installer requests the location of the Enterprise Certificate file during the installation. You must have this file available at installation time. The certificate file (with a .pem extension) can be copied from the CollectorData folder of the Collector. This will be the case whether you run the manual installer directly (CMAgentInstall.exe) or use the “Agent Only” option from the DVD auto-run program.

Using CMAgentInstall.exe to Install the Agent (Windows® only): CMAgtInstall.exe or CMAgent[version].msi is the manual Agent installer program. The manual installer will request the location of the Enterprise Certificate file, if HTTP is specified. You must have this file available at installation time. The certificate file can be copied from the CollectorData folder of the Collector.

MSI Install Package: If HTTP is specified, the MSI agent install package also requires access to the .pem file.

Installing the Agent for UNIX/Linux: See Installing the VCM Agent on UNIX/Linux Machines in this document.

Installing the Agent Using a Provisioning System

For Windows®, the manual installation program is available in .exe and .msi formats. Both versions allow the Enterprise Certificate file to be specified with a command line switch. The certificate installation step may also be omitted with a command line switch. When these programs are run through a provisioning system, you must ensure that the Enterprise Certificate is available (and still secure), and configure the program options appropriately. Alternatively, you may choose to push the Enterprise Certificate to Agents by some other means and configure the provisioning system to omit certificate installation.

16 VMware, Inc.

For UNIX/Linux, each UNIX/Linux installation package is targeted for one or more supported platforms. To install the UNIX/Linux Agent using a provisioning system, extract the installation package as appropriate and then deploy the extracted file with the provisioning system. The Enterprise Certificate is embedded in the installation package on the collector.

For more information about Installing the Agent on UNIX/Linux Machines and UNIX/Linux packages and platforms, refer to section Installing the VCM Agent on UNIX/Linux Machines.

Understanding VCM's Use of FIPS Cryptography

Federal Information Processing Standards (FIPS) are developed by the US National Institute of Standards (NIST) and the Canadian Communications Security Establishment (CSE). VCM incorporates cryptography as set forth in the FIPS standards. Components of VCM use cryptography to protect the confidentiality, integrity, availability, and authenticity of customer data. The FIPS standards require adherence by VCM to the following standards:

FIPS 46-3: Data Encryption Standard (DES)

FIPS 81: DES Modes of Operation

FIPS 113: Computer Data Authentication

FIPS 171: Key Management

Preparing for Installation

FIPS 180-1: Secure Hash Standard (SHA-1)

FIPS 186-2: Digital Signature Standard (DSA) and Random Number Generation (RNG)

FIPS 198: Message Authentication Codes (MACs) using SHA-1

FIPS 197: Advanced Encryption Standard (AES) Cipher

FIPS 200: Federal Information Security Management Act (FISMA)

SP 800-2: Public Key Cryptography (including RSA)

SP 800-20: Triple DES Encryption (3DES) Cipher

VCM’s Use of Microsoft Cryptographic Service Providers (CSPs) for Windows Machines

On Windows machines, VCM uses cryptography by way of the Microsoft CryptoAPI, which is a framework that dispatches to Microsoft Cryptographic Service Providers (CSPs). CSPs are not shipped with VCM or installed by VCM, but instead are part of the security environment included with Microsoft Windows. In the configurations supported by VCM, these CSPs are FIPS 140-2 validated.

Cryptography for UNIX/Linux Platforms

On UNIX/Linux platforms, the VCM Agent uses the cryptography of the OpenSSL v0.9.7 module. This cryptographic library is installed with the VCM Agent.

VMware, Inc. 17

vCenter Configuration Manager Installation and Getting Started Guide

Cryptography used in VCM Software Components

VCM uses various software components that also use cryptography. Microsoft’s IIS, Internet Explorer, and SChannel (SSL/TLS) systems also call the CryptoAPI, and thus use the Windows FIPS-validated modules. VCM for Virtualization uses ActiveX COM components for SSH and SFTP, and for wodSSH, wodSFTP, and wodKeys (by WeOnlyDo! Software at www.weonlydo.com), which utilize the FIPScertified OpenSSL crypto library. wodSSH is used for windowless communication with remote consoletype services in unattended mode on the VCM for Virtualization Agent Proxy’s host, which is a Windows platform.

Table 1-1. Installed or Used Crytography Modules

System Platform

UI Windows Used

VCMServer Windows Installed Used

Virt Proxy Windows Installed Used

AD Agent Windows Used

Win Agent Windows Used

OpenSSLFIPS

1.1.2

OpenSSLFIPS

1.1.1

OpenSSLCrypt

0.9.7

Crypto++ CryptoAPI

UNIX

Agent

ESX Server All No cryptography modules are used or installed on ESX.

HP/UX Installed Installed

AIX Installed Installed

Solaris Installed Installed

Debian Installed Installed

Red Hat Installed Installed

SUSE Installed Installed

Supported Windows and UNIX Platforms

For a list of supported Windows and UNIX platforms, and their architectures, see the VCM Hardware and Software Requirements Guide. For information about TLS, see Transport Layer Security (TLS) Implementation for VCM located on the VMware vCenter download site.

18 VMware, Inc.

Installing VCM Using Installation Manager

This chapter explains how to use VCM Installation Manager to install VCM and all of its components and tools. To install only the VCM tools, follow the installation procedures in "Installing and Getting Started

with VCM Tools" on page 241.

IMPORTANT When performing an upgrade to VCM 5.3.0, be sure to read Upgrading VCM and Related

Components.

This chapter provides a step-by-step guide to the Installation Manager.

CAUTION Before Installing VCM 5.3.0 on a 32-bit System, check for the following registry entry, and

rename or remove it if it exists: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node. VCM 5.3.0 uses this registry entry to detect whether the system is a 32-bit or 64-bit operating system.

Using the Installation Manager

The Installation Manager checks your system to ensure it is properly configured, and then installs the licensed components based on the options selected during the installation process.

Navigating VCM Installation Manager Screens

Every VCM Installation Manager screen shows the progress of the installation in the left-most pane. VCM Installation Manager also has the following buttons available at the bottom of every screen:

Help: Opens the VCM Installation and Getting Started Guide.

Back, Next: Navigates to the previous or next screen in the installation process, respectively.

Cancel: Exits the installation. If you click Cancel, a confirmation pop-up dialog box appears. If you click OK in this dialog box, Installation Manager will close. No state information is saved. Any information

you have entered thus far during the installation process is lost.

Installing VCM and the Related Components

Follow these steps to start and run the Installation Manager. Be sure to read through the detail about each configurable component as it is presented to make sure you are supplying the appropriate information, as the defaults may not fit your configuration. If you are upgrading VCM or SQL Server, or are upgrading to a 64-bit system, see "Upgrading VCM and Related Components" on page 35.

VMware, Inc. 19

vCenter Configuration Manager Installation and Getting Started Guide

1. Insert the installation CD into the machine on which you are installing VCM and all of its components. The installation screen appears.

NOTE If the installation screen does not appear automatically or if you are installing from a network location, navigate to the root directory on the CD or share and double-click setup.exe.

The installation screen provides the following options:

Run Installation Manager: Launches Installation Manager.

View the Installation and Getting Started Guide: Opens the VCM Installation and Getting Started Guide.

Browse Contents of Installation CD: Launches Windows Explorer showing the contents of the root directory of the installation CD. You can navigate through the directory structure should you need to access documentation directly.

Contact Support: Opens a pop-up dialog box that lists how to contact VMware Customer Support by e-mail and phone, including hours of operation.

Exit: Exits Installation Manager and closes the installation screen.

20 VMware, Inc.

Installing VCM Using Installation Manager

2. Click Run Installation Manager. The Introduction page of the Installation Manager appears.

3. Click Next. The License Agreement page appears.

4. If you accept the terms explained on the License Agreement page, select the appropriate option and check boxes, and then click Next. The Identify Available and Installed Components page appears.

It may take a few minutes for Installation Manager to identify which components are available for installation. During this time, the Back and Next buttons are inactive until Installation Manager finishes processing.

When the evaluation process is completed, the Select Installation Type page appears.

VMware, Inc. 21

vCenter Configuration Manager Installation and Getting Started Guide

5. When the Select Installation Type page first appears, the VMware vCenter Configuration Manager and Tools options are automatically selected.

To view all the components, select the Advanced Installation check box. The list expands to display the individual components. For a normal installation, all of the options should be selected.

Click Next. The Gather System Information page appears.

6. The Gather System Information displays the status of the Foundation Checker. The Foundation Checker reviews the machine's configuration and validates that the machine meets all the requirements for the installation. As Foundation Checker runs, various messages about the status of the check appear in the scrolling text box in the Gather System Information page.

22 VMware, Inc.

Installing VCM Using Installation Manager

If the Foundation Checker detects missing or improperly configured settings, you are notified with the message "Errors detected". You will not be allowed to proceed with the installation until the errors are resolved. Click View Results. The Foundation Checker Results Web page appears. See the following example.

If the Foundation Checker completes the validation successfully, you are notified with the message "Checks were successful!" and the Next button becomes active. Even though the checks were successful, VMware recommends you click the View Results button and read through the results to review any warnings that may represent potential issues for installation.

If you have only one or two errors, do not close the Installation Manager.

On the Foundation Checker Results Web page, review the Errors. Click the link associated with the errors you must resolve. A brief description is provided, along with a link to more detailed instructions for resolving the problem.

Refer to the VCM Hardware and Software Requirements Guide and the VCM Foundation Checker User’s Guide for more information. If problems persist, contact VMware Customer Support.

If the fixes to the issues did not require a reboot, click Recheck on the Gather System Information page to restart the Foundation Checker process. If you are required to reboot the machine, you must start the installation process from the beginning.

When the process completes successfully, "Checks were successful!" appears in the text box.

VMware, Inc. 23

vCenter Configuration Manager Installation and Getting Started Guide

7. When the Foundation Checker process has completed successfully and you have viewed the results of the checking process, click Next. The Specify License Location dialog box appears in front of the Verify Components to be Activated page.

8. Click Browse to locate the license file provided by VMware. When you click OK, the Verify

Components to be Activated page appears.

NOTE If you have not received your license file for VCM 5.3, contact your VMware Account

Manager.

24 VMware, Inc.

Installing VCM Using Installation Manager

9. The Verify Components to be Activated page updates to display the components included in the license. Installation Manager installs VCM and all of its components on your machine. However, only the licensed components will be activated. Review the Components list to confirm the contents of your license file. If you applied an incorrect license file, click the link below the Components list and browse for a different file.

If you have selected an invalid or expired license file, an error message will appear in a pop-up dialog box. Click OK, and the VCM Specify License Location dialog box appears, in which you can specify a valid license file.

10. When you are ready to continue, click Next. The Configure Components: Install Database Support Components to page appears.

11. Specify the location for the VCM application files on the machine, and then click Next. The Database Instance and Name configuration page appears, where you will define the location for the VCM database.

VMware, Inc. 25

vCenter Configuration Manager Installation and Getting Started Guide

12. Specify the SQL Server instance and type a database name as needed. Click Validate. It could take a minute or two, and then the page updates to include the other SQL Server database settings.

13. Modify any file locations as needed, and then click Next. Most SQL database system administrators recommend that the Data files (.mdf) and the log files (.ldf) be placed on separate physical drives (spindles), and often require the files to be on a drive or partition other than the OS drive/partition. The Install Web Console to configuration page appears.

14. Specify the location if it is other than the default location, and then click Next. The URLto the Application configuration page appears.

26 VMware, Inc.

Installing VCM Using Installation Manager

15. Change the values as needed, otherwise click Next. The SRS Instance configuration page appears.

16. Click Validate and wait for the validation process to complete (it could take a minute or two). If the validation fails (for example, if the SSRS installation passed, but the foundation checks failed during the validation process), first verify that both "http://localhost/reports" and "http://localhost/reportserver" are accessible through a web browser. If that fails, stop the installation and call VMware Customer Support. The Install Collector Components to configuration page appears. When the validation process completes, click Next.

17. Change the path as needed, otherwise click Next. The page updates to display the option to specify a new location based on minimum space needs. Make any necessary changes. The Install Collector Files to configuration page appears.

VMware, Inc. 27

vCenter Configuration Manager Installation and Getting Started Guide

18. Change the path as needed, otherwise click Next. The NetBIOS and Active Directory configuration page appears.

19. If you are managing only specific domains with this Collector, click the Specific NetBIOS Domains and Specific AD Domains options and configure as needed; otherwise, click Next. The Default Network Authority Account configuration page appears.

At this point, you will need the Default Network Authority Account, Default Services Account, and Application Services Account. Additionally, you will need your Virtual Directory credentials if you intend to use VCM Remote.See "Checking Prerequisites for Installation" on page 13 for details.

Only the Default Network Authority Account page is displayed below. The other Account pages have the same format but require different account information.

28 VMware, Inc.

Installing VCM Using Installation Manager

20. Type the account information as specified in "Default Network Authority Account" on page 13, and then click Next. The Default Collector Service Account configuration page appears.

21. Type the account information as specified in "Default Collector Services Account" on page 14, and then click Next. The Application Services Account configuration page appears.

22. Type the account information as specified in "VMware Application Services Account" on page 14, and then click Next. The Select or Generate your Collector Certificate configuration page appears.

23. Select one of the following options:

Select: If you already have a pair of certificates with an established trust, click Select and then choose your certificates. All eligible certificates will be displayed in the Collector Certificate dialog. The Enterprise selection dialog is populated with certificates that are valid for the selected Collector Certificate.

Generate: If you do not have a pair of certificates with an established trust, click Generate to have Installation Manager generate the Collector and Enterprise certificates for you.

VMware, Inc. 29

vCenter Configuration Manager Installation and Getting Started Guide

To specify a certificate different from the Collector certificate, click the Select button associated with Select your Enterprise Certificate. For more information about certificates, see "Secure

Communications Certificates" on page 15.

NOTE VCM does not allow apostrophes in TLS certificate names. Before selecting a certificate, verify that the name does not contain an apostrophe.

IMPORTANT If you will be installing more than one Collector that will communicate with the same Agent(s), or if you plan to replace/renew your certificates at a later date, there are special considerations for generating and selecting certificates in Installation Manager. For more information about VCM and TLS, see the Transport Layer Security (TLS) Implementation for VCM white paper located on the VMware vCenter download site.

24. Click Next. The Remote Virtual Directory configuration page appears.

25. Enter the account information as specified in "VCM Remote Virtual Directory" on page 14, and then click Next. The vSphere Client VCM Plug-in (VCVP) configuration page appears.

30 VMware, Inc.

+ 244 hidden pages