VMware vCenter Configuration Manager - 5.3 Installation Manual

Page 1

vCenter Configuration Manager Installation and

Getting Started Guide

vCenter Configuration Manager 5.3

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see

http://www.vmware.com/support/pubs.

EN-000456-00

Page 2

vCenter Configuration Manager Installation and Getting Started Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

Page 3

Contents

About This Book 9

Preparing for Installation 11

Using Installation Manager 12 Understanding Installation Configurations 12 Understanding Tools Installation 13 Checking Prerequisites for Installation 13

Hardware and Software Requirements 13 Administration Rights 13 Default Network Authority Account 13 Default Collector Services Account 14 VMware Application Services Account 14 VCM Remote Virtual Directory 14 Secure Communications Certificates 15 Server Authentication 15

Understanding VCM's Use of FIPS Cryptography 17

VCM’s Use of Microsoft Cryptographic Service Providers (CSPs) for Windows Machines 17 Cryptography for UNIX/Linux Platforms 17 Cryptography used in VCM Software Components 18 Supported Windows and UNIX Platforms 18

Installing VCM Using Installation Manager 19

Using the Installation Manager 19

Navigating VCM Installation Manager Screens 19 Installing VCM and the Related Components 19

Upgrading VCM and Related Components 35

Prerequisites 35

Backup and Recovery 35 Assumptions for Upgrading Your VCM Collector and Database 36

Upgrading to VCM 5.3 36

Upgrading the VCM Database Only 36 Upgrading VCM on a 32-Bit System 36 Upgrading to a 64-Bit System 36 Before Upgrading 37

Performing the Upgrade 37 Upgrading Existing Windows Agents 38 Upgrading Existing Remote Clients 39 Upgrading Existing UNIX Agents 40

To Upgrade the UNIX Agent(s) with a Local Package 40

To Upgrade the UNIX Agent(s) with a Remote Package 41 Upgrading VCM for Virtualization 42

Upgrading an Agent Proxy Machine 43

Upgrading the vSphere Client VCM Plug-in 45

Getting Started with VCM Components and Tools 47

Understanding User Access 47

VMware, Inc. 3

Page 4

vCenter Configuration Manager Installation and Getting Started Guide

Launching and Logging Onto VCM 48

How to Launch VCM and Log On 48 Getting Familiar with the Portal 48

General Information Bar 49

Portal Toolbar 49

Sliders 50 Where to Go Next 52

Getting Started with VCM 53

Discover, License, and Install Windows Machines 53

Verifying Available Domains 53

Checking the Network Authority 54

Assigning Network Authority Accounts 55

Discovering Windows Machines 56

Licensing Windows Machines 59

Installing the VCM Windows Agent on your Windows Machines 61

Performing an Initial Collection 67

Exploring Windows Collection Results 68

Getting Started Collecting Windows Custom Information 72 Discover, License, and Install UNIX/Linux Machines 80

Adding UNIX/Linux Machines 81

Licensing UNIX/Linux Machines 82

Installing the Agent on UNIX/Linux Machines 83

Performing a UNIX/Linux Collection 90

Exploring UNIX/Linux Collection Results 91 Discover, License, and Install Mac OS X Machines 94

Getting Started with VCM for Mac OS X 94

Adding Mac OS X Machines 94

Licensing Mac OS X Machines 96

Installing the Agent on Mac OS X Machines 97

Performing a Mac OS X Collection 103

Exploring Mac OS X Collection Results 106 Discover, License, and Collect Oracle Data from UNIX Machines 108

Adding UNIX Machines Hosting Oracle and Installing the Agent 109

Discovering Oracle Instances 109

Creating the Oracle Collection User Account 110

Performing an Oracle Collection 114

Exploring Oracle Collection Results 114

Reference Information about Oracle 114 Customize VCM for your Environment 115 How to Set Up and Use VCM Auditing 116

Getting Started with VCM for Virtualization 117

Virtual Environment Configuration 117

ESX 2.5/3.x,vSphere 4, and ESXi Servers Collections 118

vCenter Server Collections 118 Configuring Agent Proxy Virtualization Collections 118 Configuring Agent Proxy Machines 120

Licensing Agent Proxy Machines 120

Installing the Agent on the Agent Proxy Machine 121

Performing a Collection Using the Machines Data Type 121

Installing Agent Proxies 122 Configuring ESX/vSphere Servers 123

Copying Files to the ESX/vSphere Server 124

Running Scripts on the ESX/vSphere Server 124

Adding ESX/vSphere Servers to VCM 125

Licensing the ESX/vSphere Server in VCM 126

4 VMware, Inc.

Page 5

Contents

Licensing ESX/vSphere Server Machines as Virtual Machine (VM) Hosts 127 Configuring Web Services for ESX/vSphere Server Communication 128

Adding the Web Services User to the Administrator Role Using the VI Client/vCenter Client

Installing the ESX Web Services Certificate on the Agent Proxy Machine 130

For ESX 2.5.x Only: Setting Up VirtualCenter to Collect Virtualization Data 134

Adding Web Services Settings 134 Performing an Initial Virtualization Collection 134 Exploring Virtualization Collection Results 135 Configuring vCenter Server Data Collections 137

vCenter Server Collection Prerequisites 137

Collecting vCenter Server Data 141

Reviewing Collected vCenter Server Data 142

Troubleshooting vCenter Server Data Collections 142 About the vSphere Client VCM Plug-in 143

Registering the vSphere Client VCM Plug-in 143

Configuring the vSphere Client VCM Plug-in Integration Settings 144

Getting Started with the vSphere Client VCM Plug-in 145

Upgrading the vSphere Client VCM Plug-in 146 Further Reading 146

129

Getting Started with VCM Remote 147

Getting Started with VCM Remote 147 Installing the VCM Remote Client 148

Installing the Remote Client manually 149 Making VCM Aware of VCM Remote Clients 156 Configuring VCM Remote Settings 156

Creating Custom Collection Filter Sets 156

Specifying Custom Filter Sets in the VCM Remote Settings 156 Performing a Collection Using VCM Remote 157 Exploring VCM Remote Collection Results 157

Getting Started with VCM Patching 159

Getting Started with VCM Patching 159 Getting Started with VCM Patching for Windows Machines 159

Check for Updates to Bulletins 159

Collect Data from Windows Machines Using the VCM Patching Filter Sets 160

Launch an Assessment 161

Explore VCM Patching Windows Assessment Results 165

Deploy Patches to Windows Machines 165 Getting Started with VCM Patching for UNIX/Linux Machines 168

Getting Started 168

Check for Updates to Bulletins 169

Collect Assessment Data from UNIX/Linux Machines 169

Explore Assessment Results and Acquire the Patches 173

Deploy Patches to UNIX/Linux Machines 175

How the Deploy Action Works 176 Further Reading 177

Getting Started with Software Provisioning 179

VMware vCenter Configuration Manager Package Studio 179

Software Repository for Windows 179

Package Manager for Windows 179

Overview of Component Relationships 180 Installing the Software Provisioning Components 180

Install Software Repository for Windows 181

Software Repository Structure 182

VMware, Inc. 5

Page 6

vCenter Configuration Manager Installation and Getting Started Guide

Manually Uninstall the Repository 182

Install Package Studio 182

Manually Uninstall Package Studio 184

Install Package Manager on Managed Machines 184 Using Package Studio to Create Software Packages and Publish to Repositories 185

Creating Packages 185 Using VCM Software Provisioning for Windows 186

Prerequisites 186

Collect Package Manager Information from Machines 187

Collect Software Repository Data 187

Add Repository Sources to Package Managers 188

Install Packages 189 Related Software Provisioning Actions 190

Viewing Provisioning Jobs in the Job Manager 190

Creating Compliance Rules based on Provisioning Data 190

Creating Compliance Rules containing Provisioning Remediation Actions 191 Further Reading 193

Getting Started with VCM Management Extensions for Assets 195

Getting Started with VCM Management Extensions for Assets 195 Review Hardware and Software Configuration Item Fields 195

Modifying Hardware Configuration Item Fields 196

Modifying Software Configuration Item Fields 198 Adding Hardware Configuration Items 200

Editing Values for Devices 200

Modifying Other Devices 201 Adding Software Configuration Items 202 Further Reading 203

Getting Started with VCM Service Desk Integration 205

Getting Started with Service Desk Integration 205 Service Desk Integration in the Console 205 Service Desk Integration in Job Manager 206 Further Reading 207

Getting Started with VCM for Active Directory 209

Making VCM Aware of Domain Controllers 209

Confirming the Presence of Domains 210

Adding and Assigning Network Authority Accounts 211

Discovering Domain Controllers 211

Verifying Domain Controller Machines in Available Machines 213

Licensing and Deploying the VCM Agent 213

Performing a Machine Data Type Collection 216 Configuring VCM for Active Directory as an Additional Product 216

Deploying VCM for AD to the Domain Controllers 216

Running the Determine Forest Action 218

Running the Setup DCs Action 218 Performing an Active Directory Data Collection 220 Exploring Active Directory Collection Results 223 Further Reading 226

Getting Started with VCM for SMS 227

Getting Started with VCM for SMS 227 Making VCM Aware of the SMS Servers 227 Performing SMS Server Collections 228 Performing SMS Client Collections 229 Exploring SMS Collection Results 229

6 VMware, Inc.

Page 7

Contents

Viewing SMS Dashboards 229

Viewing SMS Server Data 230

Viewing SMS Client Data 231

Viewing SMS Reports 232 Further Reading 233

Getting Started with Windows Server Update Services 235

Getting Started with Windows Server Update Services 235 Making VCM Aware of the WSUS Server 235 Performing WSUS Server Collections 236 Performing WSUS Client Collections 236 Exploring WSUS Collection Results 237

Viewing WSUS Clients 237

Viewing WSUS Reports 238 Further Reading 238

Accessing Additional Compliance Content 239

Locating the Content Directory 239 Launching the Content Wizard to Import Relevant Content 239 Exploring Imported Content Results in the Portal 239

Installing and Getting Started with VCM Tools 241

Installing the VCM Tools Only 241 Foundation Checker 242 VCM Job Manager Tool 242 VCM Import/Export and Content Wizard (CW) 243

VCM Import/Export 244

Content Wizard 245

Maintaining VCM After Installation 247

Customize VCM and Component-specific Settings 247 Configure Database File Growth 249 Configure Database Recovery Settings 250 Create a Maintenance Plan for SQL Server 2005 250 Incorporate the VCM CMDB into your Backup/Disaster Recovery Plans 258

Troubleshooting Problems with VCM 259

Evaluating Missing UNIX Patch Assessment Results 259 Resolving Reports and Node Summaries Problems 260

To Resolve the Problem 260 Resolving Protected Storage Errors 260

To Resolve the Problem 261 Resetting the Required Secure Channel (SSL) 261

Updating the Web.config Configuration File 261

Updating the VCM Virtual Directory 262

Updating the IIS Settings in VCM 262 Resolving a Report Parameter Error 262

Configuring a Collector as an Agent Proxy 265

Verifying Membership to CSI_COMM_PROXY_SVC on the Agent Proxy Machine 265 Generating Key Pairs on the Agent Proxy Machine 266 Uploading Keys to the Database 266

Index 267

VMware, Inc. 7

Page 8

vCenter Configuration Manager Installation and Getting Started Guide

8 VMware, Inc.

Page 9

About This Book

This guide, VCM Installation and Getting Started Guide, describes the steps you must take in order to ensure a successful VMware vCenter Configuration Manager (VCM) installation. This document contains the following information:

Preparing for the VCM installation.

Installing VCM.

Getting started with VCM and its components.

Maintenance and troubleshooting.

Read this document and complete the associated procedures to prepare for a successful installation.

The VCM Installation and Getting Started Guide covers VCM, Foundation Checker, and Service Desk Connector.

Intended Audience

The information presented in this manual is written for system administrators who are experienced Windows or UNIX/Linux system administrators and who are familiar with managing network users and resources, and performing system maintenance.

To use the information in this guide effectively, you must have a basic understanding of how to configure network resources, install software, and administer operating systems. You also need to fully understand your network’s topology and resource naming conventions.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

VMware VCM Documentation

The vCenter Configuration Manager (VCM) documentation consists of the VCM Hardware and Software Requirements Guide, VCM Foundation Checker User's Guide, VCM online Help, this manual, and other

associated documentation.

VMware, Inc. 9

Page 10

vCenter Configuration Manager Installation and Getting Started Guide

Technical Support and Education Resources

The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

Support Offerings To find out how VMware support offerings can help meet your business needs,

VMware Professional Services

To use online support to submit technical support requests, view your product and contract information, and register your products, go to

http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.

go to http://www.vmware.com/support/services.

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.

10 VMware, Inc.

Page 11

Preparing for Installation

This chapter provides important information that will help you prepare to install VCM components and tools in your enterprise. This chapter contains the following sections:

Using Installation Manager: Provides an overview of Installation Manager, which is used to install and

activate all VCM components and tools.

Understanding Installation Configurations: Describes the supported installation configurations for

VCM.

Understanding Tools Installation: Explains how VCM tools are installed.

Checking Prerequisites for Installation: Lists the prerequisites you should complete prior to using VCM

Installation Manager to perform the installation.

For an overview of the security precautions you should take before installing VCM, see the VCM Security Environment Requirements Technical White Paper on the VMware vCenter download site.

This document assumes that your hardware and software configuration meets the requirements described in VCM Hardware and Software Requirements Guide. If you have not already done so, verify that your configuration meets the installation requirements by performing a Tools Only installation of VCM Foundation Checker, and then running it once it is installed. If VCM Foundation Checker does not return any errors, then you are ready to proceed. For more information on performing a Tools only installation, see "Installing and Getting Started with VCM Tools" on page 241. If you choose to install and run the Foundation Checker before installation, it is important to uninstall the Foundation Checker before running the Installation Manager.

VMware, Inc. 11

Page 12

vCenter Configuration Manager Installation and Getting Started Guide

Using Installation Manager

Installation Manager performs new installations as well as upgrades, and provides a highly simplified process for installing components and tools. Installation Manager has a straightforward interface that steps you through the entire installation or upgrade process.

Installation Manager:

Performs the checks to ensure the machine(s) meets the hardware and software prerequisites necessary for installing.

Provides confirmation of the license file you are applying during installation.

Installs VCM and all of its components and tools in the appropriate order on your machine(s).

Tests each progressive step during the installation to ensure that all components were successfully installed and that the licensed components were successfully activated.

In addition, Installation Manager operates with minimal user input, and provides clear feedback on progress throughout the entire installation process.

Installation Manager installs VCM and all of its components on your machine, even those that you have not purchased. However, only the components that have been purchased are licensed by your license file. This enables you to purchase more licenses later, and thereby activate additional components that are already installed.

To install VCM and all of its components and tools for the first time, follow the procedures described in

Using Installation Manager.

IMPORTANT When upgrading to VCM 5.3.0, be aware that you can use Installation Manager to upgrade from VCM 4.11.1 or later.

When performing a new installation or an upgrade, you must have the previous license file available and specify the path to the license file during the installation. Installation Manager will use the license file to activate the components that you have purchased. If you do not have the license file from VCM 4.11.1 or later, contact VMware Customer Support.

Understanding Installation Configurations

Before proceeding, you must have already configured your hardware and installed all of the prerequisite software based on the information in the VCM Hardware and Software Requirements Guide. VCM has two supported installation configurations: the default, single machine installation in which all components and tools are installed on a single machine; and the advanced, “split” installation in which the Collector and the database are installed on two separate machines.

IMPORTANT A split installation across two machines should be used only when your corporate policy requires you to have your SQL Server data stored on a centralized database server. Split installations are implemented and supported only by VMware Customer Support. Installation instructions are not provided in this manual.

Refer to the VCM Hardware and Software Requirements Guide for a detailed diagram of a complete installation.

12 VMware, Inc.

Page 13

Understanding Tools Installation

The VCM tools include:

Foundation Checker

Job Manager

Import/Export and Configuration Content Wizard (CCW)

Web Services Toolkit

All of the tools are automatically installed. Installation procedures are provided in "Using Installation

Manager" on page 12.

VCM tools may be installed separately on a non-Collector machine as appropriate. To install Tools Only, follow the installation procedures in "Installing and Getting Started with VCM Tools" on page 241

Checking Prerequisites for Installation

This section lists the prerequisites that you should complete prior to using Installation Manager.

Hardware and Software Requirements

Preparing for Installation

Your hardware and software configuration must meet the requirements described in the VCM Hardware and Software Requirements Guide before you can proceed with your installation.

IMPORTANT You can ensure a smooth and efficient installation by validating that your machines meet all the requirements by performing a Tools Only installation of Foundation Checker (see "Installing and

Getting Started with VCM Tools" on page 241) and running it once it is installed. If Foundation Checker

returns no errors, then you are ready to proceed. If your machine(s) do not meet these requirements, the installation cannot proceed.

If you are installing on HP-UX 11.11, Patch PHSS_30966 is required for the HP-UX Agent. If you need assistance, contact VMware Customer Support.

Administration Rights

The User Account of the person performing your installation or upgrade must be all of the following:

A system administrator on the machine(s) on which the installation or upgrade is being performed, and

A system administrator on the database instance that will be used, and

A member of a domain.

The installing User Account should not be the account used to run the SQL Server Services; nor, after installation, should you create a VCM user with the SQL Server Services account credentials.

Default Network Authority Account

The default network authority account must be specified during the installation process. This account, which often is the system administrator’s (for example, a Domain Admin in the Local Admin Group), must be set up in the Local Administrators group on each machine prior to installation. This should have already been completed following the checklist in the VCM Hardware and Software Requirements Guide.

VMware, Inc. 13

Page 14

vCenter Configuration Manager Installation and Getting Started Guide

The Local System account named NT AUTHORITY\System has unrestricted access to all local system resources. This account is a member of the Windows Administrators group on the local machine, and a member of the SQL Server sysadmin fixed server role. If the NT AUTHORITY\System account does not have access to the VCM installation binary files (possibly because someone removed the account or inherently removed access), the installation will result in an “access denied” error in the first step. Details of this error are not stored in the VCM error log. The solution is to grant access to the NT AUTHORITY\System account from the installation source directory (right-click the folder, select the Security tab, and then make sure the user or user’s group has Full Control of the file/folder). Then run the installation again.

NOTE The network authority account can be changed later in VCM at Administration | Settings | Network Authority.

Default Collector Services Account

The default services authority account must be specified during the installation process. This account, which may not necessarily be the system administrator’s, must exist in the Local Administrators group on the Collector machine. In addition, this account must not be a LocalSystem account.

IMPORTANT If the password for your services account changes, you must also change the password in both the Services Management and Component Services DCOM Config consoles.

To change your services password in the Services Management console, click Administrative Tools | Services. Locate all of the services that use the services account to log on. Right click each of these services, then select Properties. Click the Log On tab, and then update the password field to reflect your new password.

To change your services password in the Component Services DCOM Config console, click

Administrative Tools | Component Services. Expand the Component Services node, then select Computers | My Computer | DCOM Config. Right click the LicenseDcom file, then select Properties.

Click the Identity tab, and then update the password field to reflect your new password.

VMware Application Services Account

The VMware Application Services Account must be a domain user. Because this account will have full administrative authority for the CSI_Domain database, it should never be used as a VCM login or for any other purpose.

VCM Remote Virtual Directory

The VCM Remote Virtual Directory account must be specified during the installation process. This account should not be the same account you used for your Default Network Authority Account and/or your Default Services Account to reduce the chances of a security risk to those accounts.

NOTE The service account can be changed later if necessary using the IIS Management console.

14 VMware, Inc.

Page 15

Preparing for Installation

Secure Communications Certificates

VCM uses Transport Layer Security (TLS) to secure all HTTP communication with Windows and UNIX Agents in HTTP mode (includes all UNIX Agents and Windows Agents in HTTP mode). TLS uses certificates to authenticate the Collector and Agents to each other. You must specify certificates for the Collector and for the Enterprise during the installation process. If you plan to use your own certificates, familiarize yourself with the certificate names so that you can select them during installation.

To be valid, a Collector certificate must meet the following criteria:

The Collector certificate must be located in the local machine personal certificate store.

The Collector certificate must be valid for Server Authentication. If any Enhanced Key Usage extension or property is present, it must include the Server Authentication OID 1.3.6.1.5.5.7.3.1. If the Key Usage extension is present, it must include DIGITAL_SIGNATURE.

The Collector certificate must not be expired.

If you want Installation Manager to generate the Collector and Enterprise certificates for you, select the Generate option during installation.

NOTE If you will be installing more than one Collector that will communicate with the same Agent(s), or you plan to replace/renew your certificates at a later date, there are special considerations for generating and selecting certificates in VCM Installation Manager. For more information about VCM and Transport Layer Security (TLS), see Transport Layer Security Implementation for VCM.

Server Authentication

Server Authentication is a method of authenticating the server to the client. VCM supports server authentication. In VCM environments where TLS is employed, VCM Agents verify the identity of the Collector (or Collectors) through the use and verification of certificates (over HTTP).

Typically, the server authenticates a client/user by requiring information, such as a user name and password. When server authentication is used, the client/user verifies that the server is valid. To accomplish this verification using TLS, the server provides a certificate issued by a trusted authority, such as Verisign®. If your client web browser has the Verisign® Certified Authority certificate in its trusted store, it can trust that the server is actually the web site you are accessing.

TLS uses certificates managed by a public key infrastructure (PKI) to guarantee the identity of servers and clients. A certificate is a package containing a public key and information that identifies the owner and source of that key, and one or more certifications (signatures) verifying that the package is authentic. To sign a certificate, an issuer adds information about itself to the information already in the certificate request. The public key and identifying information are hashed and signed using the private key of the issuer’s certificate.

Certificates are defined by the X.509 RFC standard, which includes fields that form a contract between the creator and consumer. The Enhanced Key Usage extension specifies the use for which the certificate is valid, including Server Authentication.

Enterprise and Collector Certificates

An Enterprise Certificate and one or more Collector Certificates enable secure HTTP Collector-Agent communication in VCM. The Enterprise Certificate enables VCM to operate in a multi-Collector environment. Agents have the Enterprise Certificate in their trusted certificate stores, which they use implicitly to validate any certificate issued by the Enterprise Certificate. All Collector Certificates are expected to be issued by the Enterprise Certificate, which is critical in environments where a single Agent

VMware, Inc. 15

Page 16

vCenter Configuration Manager Installation and Getting Started Guide

is shared between two collectors.

Server Authentication is required to establish a TLS connection with an Agent. All Collectors should have a common Enterprise Certificate. Each Collector Certificate is issued by the Enterprise Certificate, and is capable of Server Authentication.

The Collector Certificate is used to initiate and secure a TLS communication channel with an HTTP Agent. The Agent must be able to establish that the Collector Certificate can be trusted, which means that the Collector Certificate is valid and the certification path starting with the Collector Certificate ends with a trusted certificate. By design, the Enterprise Certificate is installed in the Agent’s trusted store, and the chain ends with the Enterprise Certificate.

A Collector Certificate can also be used to issue Agent certificates. As long as all Collector Certificates are issued by the same Enterprise Certificate, any Agent Certificate may be issued by any Collector Certificate, and all Agents will be able to trust all Collectors. Similarly, all collectors will be able to validate all Agent Certificates. Agent Certificates are used for Mutual Authentication only. Mutual authentication is supported, but requires interaction with VMware Customer Support and a Collector Certificate that also has certificate signing capability.

The Collector Certificate and associated private key must be available to the Collector. This certificate is stored in the (local machine) personal system store.

Collector Certificates in VCM must adhere to the requirements specified above in Secure Communications Certificates.

Delivering Initial Certificates to Agents

VCM Agents use the Enterprise Certificate to validate Collector Certificates. Therefore, the Agent must have access to the Enterprise Certificate as a trusted certificate. In most cases, VCM will deliver and install the Enterprise Certificate as needed.

Installing the Agent from a Disk (Windows® only): The VCM Installation DVD does not contain customer-specific certificates. If HTTP is specified, the manual VCM Installer requests the location of the Enterprise Certificate file during the installation. You must have this file available at installation time. The certificate file (with a .pem extension) can be copied from the CollectorData folder of the Collector. This will be the case whether you run the manual installer directly (CMAgentInstall.exe) or use the “Agent Only” option from the DVD auto-run program.

Using CMAgentInstall.exe to Install the Agent (Windows® only): CMAgtInstall.exe or CMAgent[version].msi is the manual Agent installer program. The manual installer will request the location of the Enterprise Certificate file, if HTTP is specified. You must have this file available at installation time. The certificate file can be copied from the CollectorData folder of the Collector.

MSI Install Package: If HTTP is specified, the MSI agent install package also requires access to the .pem file.

Installing the Agent for UNIX/Linux: See Installing the VCM Agent on UNIX/Linux Machines in this document.

Installing the Agent Using a Provisioning System

For Windows®, the manual installation program is available in .exe and .msi formats. Both versions allow the Enterprise Certificate file to be specified with a command line switch. The certificate installation step may also be omitted with a command line switch. When these programs are run through a provisioning system, you must ensure that the Enterprise Certificate is available (and still secure), and configure the program options appropriately. Alternatively, you may choose to push the Enterprise Certificate to Agents by some other means and configure the provisioning system to omit certificate installation.

16 VMware, Inc.

Page 17

For UNIX/Linux, each UNIX/Linux installation package is targeted for one or more supported platforms. To install the UNIX/Linux Agent using a provisioning system, extract the installation package as appropriate and then deploy the extracted file with the provisioning system. The Enterprise Certificate is embedded in the installation package on the collector.

For more information about Installing the Agent on UNIX/Linux Machines and UNIX/Linux packages and platforms, refer to section Installing the VCM Agent on UNIX/Linux Machines.

Understanding VCM's Use of FIPS Cryptography

Federal Information Processing Standards (FIPS) are developed by the US National Institute of Standards (NIST) and the Canadian Communications Security Establishment (CSE). VCM incorporates cryptography as set forth in the FIPS standards. Components of VCM use cryptography to protect the confidentiality, integrity, availability, and authenticity of customer data. The FIPS standards require adherence by VCM to the following standards:

FIPS 46-3: Data Encryption Standard (DES)

FIPS 81: DES Modes of Operation

FIPS 113: Computer Data Authentication

FIPS 171: Key Management

Preparing for Installation

FIPS 180-1: Secure Hash Standard (SHA-1)

FIPS 186-2: Digital Signature Standard (DSA) and Random Number Generation (RNG)

FIPS 198: Message Authentication Codes (MACs) using SHA-1

FIPS 197: Advanced Encryption Standard (AES) Cipher

FIPS 200: Federal Information Security Management Act (FISMA)

SP 800-2: Public Key Cryptography (including RSA)

SP 800-20: Triple DES Encryption (3DES) Cipher

VCM’s Use of Microsoft Cryptographic Service Providers (CSPs) for Windows Machines

On Windows machines, VCM uses cryptography by way of the Microsoft CryptoAPI, which is a framework that dispatches to Microsoft Cryptographic Service Providers (CSPs). CSPs are not shipped with VCM or installed by VCM, but instead are part of the security environment included with Microsoft Windows. In the configurations supported by VCM, these CSPs are FIPS 140-2 validated.

Cryptography for UNIX/Linux Platforms

On UNIX/Linux platforms, the VCM Agent uses the cryptography of the OpenSSL v0.9.7 module. This cryptographic library is installed with the VCM Agent.

VMware, Inc. 17

Page 18

vCenter Configuration Manager Installation and Getting Started Guide

Cryptography used in VCM Software Components

VCM uses various software components that also use cryptography. Microsoft’s IIS, Internet Explorer, and SChannel (SSL/TLS) systems also call the CryptoAPI, and thus use the Windows FIPS-validated modules. VCM for Virtualization uses ActiveX COM components for SSH and SFTP, and for wodSSH, wodSFTP, and wodKeys (by WeOnlyDo! Software at www.weonlydo.com), which utilize the FIPScertified OpenSSL crypto library. wodSSH is used for windowless communication with remote consoletype services in unattended mode on the VCM for Virtualization Agent Proxy’s host, which is a Windows platform.

Table 1-1. Installed or Used Crytography Modules

System Platform

UI Windows Used

VCMServer Windows Installed Used

Virt Proxy Windows Installed Used

AD Agent Windows Used

Win Agent Windows Used

OpenSSLFIPS

1.1.2

OpenSSLFIPS

1.1.1

OpenSSLCrypt

0.9.7

Crypto++ CryptoAPI

UNIX

Agent

ESX Server All No cryptography modules are used or installed on ESX.

HP/UX Installed Installed

AIX Installed Installed

Solaris Installed Installed

Debian Installed Installed

Red Hat Installed Installed

SUSE Installed Installed

Supported Windows and UNIX Platforms

For a list of supported Windows and UNIX platforms, and their architectures, see the VCM Hardware and Software Requirements Guide. For information about TLS, see Transport Layer Security (TLS) Implementation for VCM located on the VMware vCenter download site.

18 VMware, Inc.

Page 19

Installing VCM Using Installation Manager

This chapter explains how to use VCM Installation Manager to install VCM and all of its components and tools. To install only the VCM tools, follow the installation procedures in "Installing and Getting Started

with VCM Tools" on page 241.

IMPORTANT When performing an upgrade to VCM 5.3.0, be sure to read Upgrading VCM and Related

Components.

This chapter provides a step-by-step guide to the Installation Manager.

CAUTION Before Installing VCM 5.3.0 on a 32-bit System, check for the following registry entry, and

rename or remove it if it exists: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node. VCM 5.3.0 uses this registry entry to detect whether the system is a 32-bit or 64-bit operating system.

Using the Installation Manager

The Installation Manager checks your system to ensure it is properly configured, and then installs the licensed components based on the options selected during the installation process.

Navigating VCM Installation Manager Screens

Every VCM Installation Manager screen shows the progress of the installation in the left-most pane. VCM Installation Manager also has the following buttons available at the bottom of every screen:

Help: Opens the VCM Installation and Getting Started Guide.

Back, Next: Navigates to the previous or next screen in the installation process, respectively.

Cancel: Exits the installation. If you click Cancel, a confirmation pop-up dialog box appears. If you click OK in this dialog box, Installation Manager will close. No state information is saved. Any information

you have entered thus far during the installation process is lost.

Installing VCM and the Related Components

Follow these steps to start and run the Installation Manager. Be sure to read through the detail about each configurable component as it is presented to make sure you are supplying the appropriate information, as the defaults may not fit your configuration. If you are upgrading VCM or SQL Server, or are upgrading to a 64-bit system, see "Upgrading VCM and Related Components" on page 35.

VMware, Inc. 19

Page 20

vCenter Configuration Manager Installation and Getting Started Guide

1. Insert the installation CD into the machine on which you are installing VCM and all of its components. The installation screen appears.

NOTE If the installation screen does not appear automatically or if you are installing from a network location, navigate to the root directory on the CD or share and double-click setup.exe.

The installation screen provides the following options:

Run Installation Manager: Launches Installation Manager.

View the Installation and Getting Started Guide: Opens the VCM Installation and Getting Started Guide.

Browse Contents of Installation CD: Launches Windows Explorer showing the contents of the root directory of the installation CD. You can navigate through the directory structure should you need to access documentation directly.

Contact Support: Opens a pop-up dialog box that lists how to contact VMware Customer Support by e-mail and phone, including hours of operation.

Exit: Exits Installation Manager and closes the installation screen.

20 VMware, Inc.

Page 21

Installing VCM Using Installation Manager

2. Click Run Installation Manager. The Introduction page of the Installation Manager appears.

3. Click Next. The License Agreement page appears.

4. If you accept the terms explained on the License Agreement page, select the appropriate option and check boxes, and then click Next. The Identify Available and Installed Components page appears.

It may take a few minutes for Installation Manager to identify which components are available for installation. During this time, the Back and Next buttons are inactive until Installation Manager finishes processing.

When the evaluation process is completed, the Select Installation Type page appears.

VMware, Inc. 21

Page 22

vCenter Configuration Manager Installation and Getting Started Guide

5. When the Select Installation Type page first appears, the VMware vCenter Configuration Manager and Tools options are automatically selected.

To view all the components, select the Advanced Installation check box. The list expands to display the individual components. For a normal installation, all of the options should be selected.

Click Next. The Gather System Information page appears.

6. The Gather System Information displays the status of the Foundation Checker. The Foundation Checker reviews the machine's configuration and validates that the machine meets all the requirements for the installation. As Foundation Checker runs, various messages about the status of the check appear in the scrolling text box in the Gather System Information page.

22 VMware, Inc.

Page 23

Installing VCM Using Installation Manager

If the Foundation Checker detects missing or improperly configured settings, you are notified with the message "Errors detected". You will not be allowed to proceed with the installation until the errors are resolved. Click View Results. The Foundation Checker Results Web page appears. See the following example.

If the Foundation Checker completes the validation successfully, you are notified with the message "Checks were successful!" and the Next button becomes active. Even though the checks were successful, VMware recommends you click the View Results button and read through the results to review any warnings that may represent potential issues for installation.

If you have only one or two errors, do not close the Installation Manager.

On the Foundation Checker Results Web page, review the Errors. Click the link associated with the errors you must resolve. A brief description is provided, along with a link to more detailed instructions for resolving the problem.

Refer to the VCM Hardware and Software Requirements Guide and the VCM Foundation Checker User’s Guide for more information. If problems persist, contact VMware Customer Support.

If the fixes to the issues did not require a reboot, click Recheck on the Gather System Information page to restart the Foundation Checker process. If you are required to reboot the machine, you must start the installation process from the beginning.

When the process completes successfully, "Checks were successful!" appears in the text box.

VMware, Inc. 23

Page 24

vCenter Configuration Manager Installation and Getting Started Guide

7. When the Foundation Checker process has completed successfully and you have viewed the results of the checking process, click Next. The Specify License Location dialog box appears in front of the Verify Components to be Activated page.

8. Click Browse to locate the license file provided by VMware. When you click OK, the Verify

Components to be Activated page appears.

NOTE If you have not received your license file for VCM 5.3, contact your VMware Account

Manager.

24 VMware, Inc.

Page 25

Installing VCM Using Installation Manager

9. The Verify Components to be Activated page updates to display the components included in the license. Installation Manager installs VCM and all of its components on your machine. However, only the licensed components will be activated. Review the Components list to confirm the contents of your license file. If you applied an incorrect license file, click the link below the Components list and browse for a different file.

If you have selected an invalid or expired license file, an error message will appear in a pop-up dialog box. Click OK, and the VCM Specify License Location dialog box appears, in which you can specify a valid license file.

10. When you are ready to continue, click Next. The Configure Components: Install Database Support Components to page appears.

11. Specify the location for the VCM application files on the machine, and then click Next. The Database Instance and Name configuration page appears, where you will define the location for the VCM database.

VMware, Inc. 25

Page 26

vCenter Configuration Manager Installation and Getting Started Guide

12. Specify the SQL Server instance and type a database name as needed. Click Validate. It could take a minute or two, and then the page updates to include the other SQL Server database settings.

13. Modify any file locations as needed, and then click Next. Most SQL database system administrators recommend that the Data files (.mdf) and the log files (.ldf) be placed on separate physical drives (spindles), and often require the files to be on a drive or partition other than the OS drive/partition. The Install Web Console to configuration page appears.

14. Specify the location if it is other than the default location, and then click Next. The URLto the Application configuration page appears.

26 VMware, Inc.

Page 27

Installing VCM Using Installation Manager

15. Change the values as needed, otherwise click Next. The SRS Instance configuration page appears.

16. Click Validate and wait for the validation process to complete (it could take a minute or two). If the validation fails (for example, if the SSRS installation passed, but the foundation checks failed during the validation process), first verify that both "http://localhost/reports" and "http://localhost/reportserver" are accessible through a web browser. If that fails, stop the installation and call VMware Customer Support. The Install Collector Components to configuration page appears. When the validation process completes, click Next.

17. Change the path as needed, otherwise click Next. The page updates to display the option to specify a new location based on minimum space needs. Make any necessary changes. The Install Collector Files to configuration page appears.

VMware, Inc. 27

Page 28

vCenter Configuration Manager Installation and Getting Started Guide

18. Change the path as needed, otherwise click Next. The NetBIOS and Active Directory configuration page appears.

19. If you are managing only specific domains with this Collector, click the Specific NetBIOS Domains and Specific AD Domains options and configure as needed; otherwise, click Next. The Default Network Authority Account configuration page appears.

At this point, you will need the Default Network Authority Account, Default Services Account, and Application Services Account. Additionally, you will need your Virtual Directory credentials if you intend to use VCM Remote.See "Checking Prerequisites for Installation" on page 13 for details.

Only the Default Network Authority Account page is displayed below. The other Account pages have the same format but require different account information.

28 VMware, Inc.

Page 29

Installing VCM Using Installation Manager

20. Type the account information as specified in "Default Network Authority Account" on page 13, and then click Next. The Default Collector Service Account configuration page appears.

21. Type the account information as specified in "Default Collector Services Account" on page 14, and then click Next. The Application Services Account configuration page appears.

22. Type the account information as specified in "VMware Application Services Account" on page 14, and then click Next. The Select or Generate your Collector Certificate configuration page appears.

23. Select one of the following options:

Select: If you already have a pair of certificates with an established trust, click Select and then choose your certificates. All eligible certificates will be displayed in the Collector Certificate dialog. The Enterprise selection dialog is populated with certificates that are valid for the selected Collector Certificate.

Generate: If you do not have a pair of certificates with an established trust, click Generate to have Installation Manager generate the Collector and Enterprise certificates for you.

VMware, Inc. 29

Page 30

vCenter Configuration Manager Installation and Getting Started Guide

To specify a certificate different from the Collector certificate, click the Select button associated with Select your Enterprise Certificate. For more information about certificates, see "Secure

Communications Certificates" on page 15.

NOTE VCM does not allow apostrophes in TLS certificate names. Before selecting a certificate, verify that the name does not contain an apostrophe.

IMPORTANT If you will be installing more than one Collector that will communicate with the same Agent(s), or if you plan to replace/renew your certificates at a later date, there are special considerations for generating and selecting certificates in Installation Manager. For more information about VCM and TLS, see the Transport Layer Security (TLS) Implementation for VCM white paper located on the VMware vCenter download site.

24. Click Next. The Remote Virtual Directory configuration page appears.

25. Enter the account information as specified in "VCM Remote Virtual Directory" on page 14, and then click Next. The vSphere Client VCM Plug-in (VCVP) configuration page appears.

30 VMware, Inc.

Page 31

Installing VCM Using Installation Manager

26. The vSphere Client VCM Plug-in (VCVP) provides VMware vSphere Client users with the ability to Collect, Run Compliance, Run VCM Patching Assessments, and Run Reports on VM Hosts and Guests.

To configure the settings:

Select Use SSL only if you configured the machine for SSL.

Whether you are using SSL or not, you should define the user name and password at this time. The credentials provided here are similar to the credentials used for Application Services, providing client access using HTTP.

27. Click Next. The Install Package Manager Components to the Package Manager folder under page appears.

28. Package Manager Components will be installed in order to support Software Provisioning functionality, including installing and removing packages. Either change the path or click Next. The Local Packages Cache page appears.

29. The Packages Cache Folder is used by Software Provisioning to store packages that have been

VMware, Inc. 31

Page 32

vCenter Configuration Manager Installation and Getting Started Guide

downloaded. Either change the path or click Next. The Create a Software Repository and local cache under page appears.

30. The Software Repository is used by Software Provisioning as a location to store packages for distribution to other systems. Either change the path or click Next. The Virtual Directory page for the Software Repository appears.

31. Enter a name for the virtual directory, and then click Next. The Install Package Studio Components to the Package Studio folder under page appears.

32 VMware, Inc.

Page 33

Installing VCM Using Installation Manager

32. Package Studio Components will be installed in order to support Software Provisioning functionality, including creating and publishing packages. Either change the path or click Next. The Installation Summary page appears.

33. Wait for the components to be installed. The Installation Complete page appears.

VMware, Inc. 33

Page 34

vCenter Configuration Manager Installation and Getting Started Guide

34. When the installation completes, you can select the Launch Product Portal option to start VCM after you click Finish.

35. Review the displayed information. If it is incorrect, click Back and make any necessary changes. If it is correct, click Install. The installation process begins. A status bar displays the process stages until the installation is completed, at which time the Installation Complete page appears.

NOTE Depending upon your hardware configuration, the installation process for a new installation may take 30 minutes or longer to complete.

If Installation Manager encounters an irrecoverable installation error, a message to this effect appears in a pop-up dialog box, with a path to the installation log where you can view information about the error. When you click OK, both the pop-up dialog box and Installation Manager close. In this case, read the information about the error in the installation log, capture the log, and contact the VMware Customer Support before proceeding.

36. To open VCM, select Launch Product Portal, and then click Finish.

NOTE VMware recommends that you take the time to configure SQL Server settings now, including configuring the database file growth and database recovery settings, in order to fine-tune your VCM Database. Instructions for configuring these settings are provided in "Maintaining VCM After

Installation" on page 247.

CAUTION As part of installation, a folder containing VCM-related .msi files is added to

%windir%\Installer\. If the contents of this folder are moved or deleted, you will be unable to successfully upgrade, repair, or uninstall using the VCM Installation Manager.

34 VMware, Inc.

Page 35

Upgrading VCM and Related Components

This chapter provides important information that will help you upgrade VCM and the tools in your enterprise. This chapter describes the following:

Upgrading to VCM 5.3.0

Upgrading Existing UNIX Agents

Upgrading VCM for Virtualization

Upgrading VCM Reports

Prerequisites

VCM provides support for 64-bit systems (64-bit hardware and 64-bit operating system), and SQL Server

2005. If you intend to move from a 32-bit environment to a 64-bit environment, you must prepare your 64-bit environment for a VCM installation by following the instructions in this chapter.

For information about configuring a 64-bit machine as a Collector, see the VCM Hardware and Software Guide.

Before upgrading to VCM 5.3.0, your version of VCM must be 4.11.1 or later.

CAUTION Before Installing VCM 5.3.0 on a 32-bit System, check for the following registry entry, and

rename or remove it if it exists: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432node. VCM 5.3.0 uses this registry entry to detect whether the system is a 32-bit or 64-bit operating system.

Backup and Recovery

CAUTION Before starting any VCM upgrade, be sure to back up your databases and file system.

The upgrade may be from SCM to VCM or VCMto VCM. If you are upgrading VCM, the databases to back up include the following: CSI_Domain, VCM, VCM_Coll, VCM_UNIX, ReportServer, master, and msdb.If you are upgrading SCMto VCM, the databases to back up include the following: CSI_Domain, SCM, SCM_Coll, SCM_UNIX, ReportServer, master, and msdb.

The file system to back up is the entire contents of the CMFILES$ share. The default location is C:\Program Files\VMware\VCM\WebConsole\L1033\Files\. If customizations have been made to your collector, or if reports have been exported to a non-default location, you must also ensure that these additional files are backed up.

VMware, Inc. 35

Page 36

vCenter Configuration Manager Installation and Getting Started Guide

To recover if the upgrade process is unsuccessful, reinstall the version from which you were upgrading, reconnect the databases from the back up copies, and replace the CMFILES$ share files. Contact VMware Customer Support to assist with identifying possible causes for the unsuccessful upgrade process before again attempting the upgrade.

Assumptions for Upgrading Your VCM Collector and Database

Your current installation is functional.

Your customer number is consistent throughout the upgrade process.

All running jobs have completed, and no jobs are scheduled to start during the upgrade process. The upgrade will stop the SQLAgent service. This will cancel any running jobs and prevent new jobs from starting.

All users are logged off and will not be accessing VCM for the duration of the upgrade process.

If you have any questions regarding these procedures, contact VMware Customer Support before proceeding.

Upgrading to VCM 5.3

The upgrade from VCM 4.11.1 or later to 5.3 supports installation of the VCM Collector with the following:

32-bit hardware running Windows Server 2003 SP2 32-bit, with SQL Server 2005 32-bit

64-bit hardware running Windows Server 2003 SP2 64-bit, with SQL Server 2005 64-bit and 32-bit SQL Server Reporting Services

Microsoft SQL Server 2005

CAUTION Before upgrading, be sure to back up your database(s) to avoid any potential loss of data.

Upgrading the VCM Database Only

To “upgrade” an existing VCM database (4.11.1 or later), move the database to a 64-bit SQL Server, attach it to SQL Server, and then install VCM.

Upgrading VCM on a 32-Bit System

If you are using a version of VCM prior to 4.11.1, such as version 4.9.1 which uses SQL 2000, when upgrading on a 32-bit system (32-bit hardware and a 32-bit operating system), you must upgrade SQL Server 2000 to SQL Server 2005, including Reporting Services (32-bit only), and then install SQL Server 2005 SP3.

You must then upgrade to VCM 4.11.1 by following the upgrade documentation for that version, and then upgrade to VCM 5.3.

Upgrading to a 64-Bit System

When upgrading to a 64-bit system (64-bit hardware and a 64-bit operating system), you must install 64bit SQL Server 2005 and SP3. You must also install, update, and configure 32-bit SQL Server Reporting Services (SSRS). After installing the 32-bit version of SSRS, you must also install the 32-bit SSRS SP3.

When upgrading to a 64-bit system, during the upgrade process you will:

36 VMware, Inc.

Page 37

Upgrading VCM and Related Components

1. Detach a VCM 4.11.1 or newer database that is running in a 32-bit system.

2. Copy the VCM database to a 64-bit machine that is running the 64-bit version of SQL Server 2005.

3. Attach the existing VCM 4.11.1 or newer database to SQL Server.

4. Install VCM 5.3.

Because versions of VCM prior to 4.11.1 cannot be installed on a 64-bit platform, you will not be upgrading VCM on a 64-bit platform.

Before Upgrading

Before upgrading to VCM 5.3, make sure that you have already installed the following components, as described in the VCM Hardware and Software Requirements Guide.

VCM 4.11.1 or later.

The required versions of the Microsoft .NET Framework. See the Hardware and Software Requirements Guide for details.

For 32-bit systems: SQL Server 2005, and then install SQL Server 2005 SP3.

For 64-bit systems: 64-bit SQL Server 2005 and SQL Server 2005 SP2, and 32-bit SQL Server Reporting Services and SSRS SP3.

NOTE When the installation of these software packages is complete, the VCM Foundation Checker results should be successful. If errors still occur, resolve them using the built-in Help and the VCM Hardware and Software Requirements Guide.

Performing the Upgrade

Use the following procedure to upgrade from VCM 4.11.1 or later to VCM 5.3.

1. Start the upgrade from the VMware vCenter download site or the CD, and select the Upgrade VCM

option.

The Upgrade, Uninstall, and Repair options are available as follows:

Installing directly: When running the installation setup.exe file directly, options to Upgrade and Remove (uninstall) VCM are available.

VMware, Inc. 37

Page 38

vCenter Configuration Manager Installation and Getting Started Guide

Installing using Add/Remove Programs: When invoking setup.exe from Add/Remove Programs, the option to repair VCM is available. The Repair option checks for missing files and settings, and then replaces them.

CAUTION You should not invoke Repair unless directed to do so by VMware Customer Support.

Repair requires access to your original installation media.

2. Click Next. The License Agreement page appears.

3. Review and accept the license agreement, and then click Next. The Select Installation Type page

appears.

4. Ensure that all of the components are marked for installation.

NOTE If one of the software components cannot be upgraded, the check box for the specified component will be cleared and a note will be added next to the node in the selection dialog indicating why it is disabled. This situation can occur due to an invalid upgrade or an incomplete copy of the install image.

5. Click Next. The Gather System Information page appears.

6. Foundation Checker will gather information about the machine to prepare it for the installation. When the system check is complete, the Foundation Checker results will either be successful or show errors. For the upgrade to proceed, the results must be successful. If the system checks encounter errors, you must resolve those errors before proceeding. Click View Results and use Foundation Checker Help to locate the source of the problem.

7. After the system checks are successful, Installation Manager displays a summary of the components to be installed. To continue, click Next. The Configure Components page appears, requesting confirmation of the Default Collector Service Account.

8. If the account is changing, type the new values. If the account remains the same, click Next. The Application Services Account configuration page appears.

9. If the account is changing, type the new values. If the account remains the same, click Next. The CM Remote Virtual Directory configuration page appears.

10. If the account is changing, type the new values. If the account remains the same, click Next. The Virtualization Client Plug-in configuration page appears.

11. Do not select SSL unless your machine is already configured for SSL.

12. If the account is changing, type the new values. If the account remains the same, click Next. The Install Components page appears.

13. Review the summary list, and then click Upgrade. The installation process begins. Depending on your hardware configuration, the process may take 30 minutes or longer.

14. When the process is completed, the Upgrade/Repair Complete page appears.

15. When the Installation Manager has successfully upgraded the software components, click Finish.

NOTE VMware strongly recommends that you take the time to configure SQL Server settings now, including configuring the VCM database file growth and database recovery settings, in order to fine-tune your VCM Database. Instructions for configuring these settings are provided in "Maintaining VCM After

Installation" on page 247.

Upgrading Existing Windows Agents

Use the Upgrade Agent wizard to upgrade the Agent files on one or more machines.

38 VMware, Inc.

Page 39

Upgrading VCM and Related Components

To upgrade an Agent:

1. Click Administration | Machines Manager | Licensed Machines | Licensed Windows Machines.

2. Select the machine or machines you are upgrading, and then click the Upgrade Agent icon on the

Licensed Windows Machines toolbar. The Machines page appears.

3. Select a machines option.

Option Defin ition

All machines Upgrade the Agent on all machines that appear in the list of licensed

machines.

Filtered machines only

This option is available only if the Licensed Machines list is being filtered. Upgrade the Agent on all machines that appear in the filtered list of machines.

Selected machine(s)

Upgrade the Agent only on select individual machines. Use the standard selection method to select individual machines.

only

4. Click Next. The Install Options page appears.

5. In the Install From field, select or verify the necessary information.

The default source of the Agent files is the Collector machine. If you have created an Alternate Source, you can select it from the drop-down list.

The Upgrade process:

Will fail for any machine on which an Agent does not already exist.

Will use an Agent's current settings. For example, if the Agent uses DCOM, the Upgrade will maintain that setting. If the Agent uses HTTP on Port 1024, the Upgrade will maintain that setting.

Will not upgrade components that do not require upgrading.

6. Click Next. The Schedule page appears.

7. Schedule the operation. You can enter the Date in the specified format, or click the Calendar icon.

8. Click Next. The Important page appears.

9. Verify the actions that will be performed and then click Finish.

Upgrading Existing Remote Clients

VMware recommends that you upgrade your Remote client versions. When the automatic upgrade setting (Will Remote automatically upgrade old Remote clients) is set to Yes, the next client-server contact automatically downloads and install the upgrade files.

If the Remote client does not have a certificate, the upgrade process will automatically extract the certificate and send it to the client, along with the new Agent.

To automatically upgrade your remote clients:

VMware, Inc. 39

Page 40

vCenter Configuration Manager Installation and Getting Started Guide

1. Click Administration | Settings | General Settings | VCM Remote.

2. Select Will Remote automatically upgrade old Remote clients.

3. Click Edit Setting. The Edit Setting wizard appears.

4. Change the setting to Yes.

5. Click Next. The confirmation page appears.

6. Click Finish. The setting change is saved.

Upgrading Existing UNIX Agents

Upgrade packages are available to update the UNIX Agents on various platforms. To upgrade the UNIX Agents to the latest software release, use one of the following methods:

Upgrade the UNIX Agent(s) with the Local Package

Upgrade the UNIX Agent(s) with a Remote Package

VCM supports TLS for UNIX/Linux. For more information, see TLS Implementation for VCM, posted on the VMware vCenter download site.

If you are installing on HP-UX 11.11, Patch PHSS_30966 is required for the HP-UX Agent. If you need assistance, contact VMware Customer Support.

Upgrading Red Hat Workstations

In previous versions of VCM, Red Hat machines, either workstations or servers, were licensed as Red Hat servers. Beginning with version 5.2.0, Red Hat machines were licensed as either workstations or servers. When you upgrade to 5.2.0 or later, the workstations, previously managed with a server licenses, will be unmanaged in VCM. The unmanaged Red Hat workstations should be listed in the Available UNIX Machines list. To manage the machines in VCM, go to Administration | Machines Manager | Available Machines | Available UNIX Machines and re-license the machines using Linux/Mac Workstation licenses.

If you are unable to identify your now unmanaged Red Hat machines, contact VMware Customer Support.

Platforms Not Supported for Upgrade to 5.3 Agent

Installing or upgrading on the following platforms is supported only to the 5.1.3 UNIX Agent. You can install the 5.3 Agent; however these platforms are not tested with any additional 5.3 functionality.

Platform Supp orted Ag ent Version Agent F ile Name

AIX 4.3.3 5.1.3 CMAgent.5.1.0.AIX.4

Red Hat 2.1 5.1.3 CMAgent.5.1.0.Linux.2.1

Solaris 2.5 5.1.3 Contact VMware Customer Support if you are

installing or upgrading the Agent on this platform.

Solaris 2.6 5.2.1 Contact VMware Customer Support if you are

installing or upgrading the Agent on this platform.

To Upgrade the UNIX Agent(s) with a Local Package

To upgrade the UNIX Agent(s) using the local upgrade package, follow these steps:

40 VMware, Inc.

Page 41

Upgrading VCM and Related Components

1. Locate the AgentUpgradeLocal.sh file in \Program Files\VMware\VCM\WebConsole\L1033\Files\UNIX_Remote_Command_Files.

2. Open the AgentUpgradeLocal.sh file with a text editor like Wordpad.

3. In the AgentUpgradeLocal.sh file, locate the following entry:

CSI_INSTALL_PACKAGE_LOCATION = CHANGE_THIS_TO_A_LOCAL_OR_NFS_DIRECTORY

4. Change this entry to point to either a local directory or an NFS directory where the VCM Agent Install Packages are located (for example, /tmp/VCMu_Agent).

NOTE Agent install packages are installed on the Collector machine at \Program Files\VMware\VCM\Installer\Packages.

5. Save and close the AgentUpgradeLocal.sh file.

6. Log into VCM and open the Console slider. Navigate to Console | UNIX Remote Commands | UNIX Agent Upgrade. The UNIX Agent Upgrade data grid appears.

7. Select Agent Upgrade - Local Package.

8. Click Run. The Remote Commands wizard appears.

9. Select the machine(s) on which you want to upgrade the agent.

NOTE To determine which Agent is currently on a UNIX machine, navigate to Administration | Machines Manager | Licensed Machines | Licensed UNIX Machines. To determine the latest version

number for the Agent, select About | Versions.

10. Click the arrow button to move the machines from the Available list to the Selected list. Click Next.

11. Select whether you want to upgrade the Agent now or later. To change the date, click the Calendar icon. When you schedule the action, it is placed in the Administration | Job Manager | Scheduled list.

NOTE The Time of Day settings you choose are based on your User time zone. All VCM jobs run based on the VCM Database time zone. You must account for the time and date differences between your VCM User time and your VCM Database time. For example, if your VCM Database server is in the Eastern time zone, and your VCM User is in the Pacific time zone, to run your job at midnight, you would enter 9 PM.

12. Click Next, and then click Finish.

To Upgrade the UNIX Agent(s) with a Remote Package

This method sends the upgrade package with the remote command to execute on the UNIX machine. The following remote upgrade packages are designed specifically for the various operating systems where the Agent(s) can be upgraded:

AIX 4.3.3 Agent Upgrade (use only CMAgent.5.1.0.AIX.4)

AIX 5 Agent Upgrade

HP-UX (Itanium) Agent Upgrade

VMware, Inc. 41

Page 42

vCenter Configuration Manager Installation and Getting Started Guide

HP-UX (PA-RISC) Agent Upgrade

Red Hat Enterprise 2.1 Agent Upgrade (use only CMAgent.5.1.0.Linux.2.1)

Red Hat Enterprise 3.0, 4.0, 5.0, 5.1, 5.2, SUSE Enterprise 9 and above Agent Upgrade

Solaris (SPARC) Agent Upgrade

Solaris (x86) Agent Upgrade

To upgrade the UNIX Agent(s) using one of the remote upgrade packages, follow these steps:

1. Navigate to Console | UNIX Remote Commands | UNIX Agent Upgrade. The UNIX Agent

Upgrade data grid appears.

2. Click to highlight the remote upgrade package that is appropriate for the operating system and version of the machine(s) that you want to upgrade.

3. Click Run and follow the wizard instructions to send the remote command and the upgrade package to the Agent(s) on the selected machine(s). The Agent will then execute the upgrade package.

The UNIX Agents are now using TLS, therefore the Enterprise Certificate is embedded in the Agent package. If multiple Collectors need to talk to a single Agent, then all of the Collectors should share an Enterprise Certificate. If the Collectors have different Enterprise Certificates, then the Enterprise Certificate from each Collector must be uploaded to the Agent. For more information, see TLS Implementation for VCM, located on the VMware vCenter download site.

Upgrading VCM for Virtualization

When upgrading a Collector to VCM 5.3, the Agent Proxy is automatically upgraded, and the Agent Proxy protected storage and user account configuration settings are preserved. However, for existing non-Collector Agent Proxy machines, you must upgrade VCM for Virtualization, and select to retain the Secure Communication settings.

To upgrade the VCM for Virtualization Agent Proxy on non-Collector machines, you must use one of these methods, depending on your configuration:

Manually Upgrade VCM for Virtualization on a non-Collector Agent Proxy Machine

Use VCM to Upgrade VCM for Virtualization on a non-Collector Agent Proxy Machine

CAUTION When upgrading VCM for Virtualization, take the following precautions:

Do not change the password for the CSI Communication Proxy service. Doing so may require the Agent Proxy to be reinstalled and reconfigured.

Avoid installing the Agent Proxy and the Active Directory product on the same machine. The operations involved to install, uninstall, upgrade, and reinstall these products may result in the Agent Proxy needing to be reinstalled and reconfigured.

If you plan to uninstall VCM for Virtualization manually, make sure that you execute RetainSecureCommSettings.exe before uninstalling it. Otherwise, the Agent Proxy configuration settings will be removed, and the Agent Proxy will need to be reconfigured. The RetainSecureCommSettings.exe is located at: C:\Program Files\VMware\VCM\Installer\Packages, or in the path relative to where you installed the software.

42 VMware, Inc.

Page 43

Upgrading VCM and Related Components

Platform Not Supported for Upgrade to 5.3 Agent Proxy

You can install or upgrade an Agent Proxy machine only to the 5.1.3 Agent if it is collecting from this platform. This platform is not tested with the 5.3 functionality.

Platform Supp orted Ag ent Version Agen t File Name

ESX 2.5 5.1.3

Upgrading an Agent Proxy Machine

If a new version of the Agent Proxy becomes available, the upgrade process installs the newer version on your agent proxy machine.

1. Click Administration | Machines Manager | Additional Components | VCM for Virtualization | Agent Proxies. The Agent Proxies data grid appears.

2. Select the machine or machines on which you are upgrading the Agent Proxy.

3. Click Upgrade. The Machines page of the Upgrade Agent Proxies wizard appears.

4. The available machines are displayed in the upper list. The selected machines are displayed in the lower list. You can perform the following actions on the page:

All Machines: Select the option to run the process on all eligible machines.

Selected Machines Only: (Default option) Select the option to run the process on all machines listed in the lower pane.

Filtered Machines: Click Define to create a filter based on Machine Name or Domain Name, and then select the Filtered Machines option.

Arrow buttons: Select a machine name in one of the panes and use the arrow buttons to move it from one pane to the other. Additionally, you may double-click a machine name to move it between panes.

5. Click Next. The Option page appears.

6. Configure the following options:

Install From: In the drop-down list, select the name of the Collector used to manage virtual machines.

Schedule: Select Run Action now to install immediately, or select Schedule the Action to run later and configure the settings to run at a designated time.

7. Click Next. The Important page appears. Review the contents, click Back to make any necessary alterations.

8. Click Finish. The Agent Proxy is upgraded at the time specified.

9. To verify the completion of the upgrade process, click Jobs on the Portal toolbar to access the Jobs Summary. You can also verify jobs for the past 24 hours if you think that you may have missed it. Go to Administration | Job Manager | History | Other Jobs | Past 24 Hours.

Manually Upgrading an Agent Proxy Machine

The steps provided in this section are an optional upgrade method if you choose not to use the Upgrade option in VCM. To manually upgrade an Agent Proxy machine, you must have already upgraded your Collector machine to VCM 5.3. Then you will uninstall the VCM Agent, select to retain the Secure Communication settings, install the VCM Agent (version 5.3), and then install VCM for Virtualization, as described in the following steps.

VMware, Inc. 43

Page 44

vCenter Configuration Manager Installation and Getting Started Guide

1. The following executable must be accessible from your non-Collector Agent Proxy Machine. The path to this file on the Collector machine is as follows, or is in the path relative to where you installed the software.

C:\Program Files\VMware\VCM\AgentFiles\CMAgentInstall.exe

Then execute the copied CMAgentInstall.exe on your Agent Proxy machine.

2. The installer detects the previous version of VCM, and then requests permission to uninstall it. Select Yes.

3. The installer detects that Secure Communication is installed, and requests whether you want to retain your settings. Select Yes. The installer proceeds to remove the VCM Virtualization product and VCM Agent from your Agent Proxy machine. During this process, your Secure Communication settings are retained.

4. When the installer displays the license agreement, read and then accept the conditions.

5. The installer prompts whether to perform the installation of the VCM Windows Agent in HTTP mode. Allowing HTTPcommunication will allow the Agent to communicate through the HTTP port specified if DCOM is not available. Locking an Agent will prevent the Agent from being removed or upgraded. To use this mode, select Allow HTTP, and click Next.

6. The installer proceeds with the installation. When the VCM Windows Agent has been successfully installed, click Finish.

7. Copy the following executable from your upgraded Collector machine to any location on your nonCollector Agent Proxy machine. The path to this file on the Collector machine is as follows, or is in the path relative to where you installed the software.

C:\Program

Files\VMware\VCM\AgentFiles\Products\VirtualizationProductInstall.exe

Run the copied VirtualizationProductInstall.exe on your non-Collector Agent Proxy machine. This step begins the installation of VCM for Virtualization.

8. Proceed through the installation screens to install VCM for Virtualization.

9. The installer proceeds to install VCM for Virtualization. When VCM for Virtualization has installed successfully, click Finish. You can now begin collecting using your upgraded Agent Proxy.

44 VMware, Inc.

Page 45

Upgrading VCM and Related Components

NOTE If you have previously used this Agent Proxy to perform a collection from your upgraded Collector, the first collection may fail due to a password encryption issue. If so, try resetting the VM Host password at Administration | Machines Manager | Additional Components | VCM for Virtualization | Licensed VM Hosts. You may set the password for multiple hosts at the same time if desired.

All VCM-managed Windows machines will include the VCM Agent extension for VCM Provisioning, which is a separate installation.

For Agent Proxy machines, if the virtualization proxy and VCM Agent extensions for Provisioning are installed, you must run ProvisioningProductInstall.exe from the Collector.

Upgrading the vSphere Client VCM Plug-in

The vSphere Client VCM Plug-in integrates VMware vCenter Configuration Manager into the vSphere Client to provide VCM data and functionality within vCenter. After upgrading VCM, you must upgrade the Plug-in, which means vCenter users must un-register it and then re-register it.

Upgrading the Plug-In

To upgrade the vSphere Client VCM Plug-in, follow these steps:

1. Upgrade VCM.

2. Manually un-register the pre-VCM 5.3 version of the Plug-in, as described in Un-register the Previous Version of the Plug-in in Un-register the Previous Version of the Plug-in.

3. Register the new Plug-in by following the instructions in "Registering the vSphere Client VCM Plug-in"

on page 143.

Un-register the Previous Version of the Plug-in

If you have already upgraded VMware vCenter Configuration Manager, you must manually un-register the previous version of the Plug-in before registering the VCM 5.3 Plug-in. Although the upgrade to VCM removes files for the previous Plug-in, and installs the new Plug-in files in new locations and with new names, it does not register the new Plug-in with the vSphere Client. To un-register the existing Plug-in, follow these steps.

1. Browse to the following link, where "{vCenter machine name}" is the name of your vCenter 4 Server instance:

https://{vCenter machine name}/mob/?moid=ExtensionManager

2. In the Methods area, click the UnregisterExtension link.

3. Enter the following string value for extensionKey: com.CM.VirtualCenterCompliancePlugIn

4. Click Invoke Method.

VMware, Inc. 45

Page 46

vCenter Configuration Manager Installation and Getting Started Guide

46 VMware, Inc.

Page 47

Getting Started with VCM Components and Tools

This chapter covers global getting started procedures for VCM and all of its components and tools. After completing this chapter, you should proceed to the specific getting started chapters in this manual that apply to the components you have licensed and the VCM tools you plan to use. The remaining getting started chapters within this document build on this one. Therefore, you should have a solid understanding of the content within this chapter before proceeding to the remaining chapters.

This chapter contains the following sections:

Understanding User Access

Launching and Logging onto VCM

Getting Familiar with the Portal

Where to Go Next

Understanding User Access

After your installation is complete, the user who performed the installation is explicitly granted access and is placed in the roles of ADMIN and USER. This user is also placed into the Admin role. Hence, this user can immediately log in using the Admin role. The role of AD_Admin allows full administration access to AD objects only.

Other user accounts can then be added after the Admin user logs in by going to Administration | User Manager | VCM Logins. For instructions on how to add user accounts, see the online Help.

Whenever a user is either added to the Admin role in VCM, or granted access to the Administration | User Manager node, the user is placed in the fixed machine roles Security Administrators and Bulk Insert

Administrators Groups. They are also added to the database roles public, ADMIN, and User on the VCM Database.

Users who will not have access to the Administration | User Manager node will be assigned to public. Depending on the functions granted to any particular user, more or fewer privileges may be needed in order for their role to function properly.

All VCM user accounts must have the following rights on the VCM Collector machine:

Ability to log on locally to access IIS.

Read access to the System32 folder.

Write access to the CMFiles$\Exported_Reports folder for exporting reports.

If default permissions have been changed, read access to the C:\Program Files\VMware\VCM\WebConsole directory, along with all subdirectories and files.

VMware, Inc. 47

Page 48

vCenter Configuration Manager Installation and Getting Started Guide

Launching and Logging Onto VCM

If you have not already launched VCM after closing Installation Manager, follow the procedure detailed below to launch and log onto VCM.

IMPORTANT Before you launch VCM, you must either configure Internet Explorer Pop-up Blocker Settings to add your Collector to your list of allowed web sites, or disable Pop-up Blocker. Click Internet Explorer | Tools | Popup Blocker Settings, then add the path for your Collector in the allowable address field.

How to Launch VCM and Log On

1. If you are launching VCM on the Collector Machine, go to Start | All Programs | VMware vCenter Configuration Manager | Web Console. If you prefer to connect to VCM from another machine on

your network, you may do so by pointing your browser to http://<name_of_Collector_ machine>/VCM. For the specific browsers that are supported, refer to the VCM Hardware and Software

Requirements Guide. The Logon screen appears.

2. Depending on your browser security settings, you may have to supply your user network credentials.

3. (Optional) Select Automatically log on using this role to have VCM automatically log you on without prompting you for a role in the future.

4. Click Log On. The Portal appears.

In the future, your VCM user account may have multiple roles. At that time, if you have the Automatically log on using this role option checked, VCM will automatically log you on as the User Role displayed on the Logon screen. To change roles, you must use the Logoff button in the top right corner of the Console. This action will return you to the Logon screen so you can use the drop-down menu to select a different role.

Getting Familiar with the Portal

The VCM Portal uses a browser-based interface so it can be run from any Windows system running IE or with the IE tab plugin for Firefox, and having access to the machine on which VCM is installed. The Portal provides access to all VCM features for managing your enterprise.

48 VMware, Inc.

Page 49

Getting Started with VCM Components and Tools

As shown in the following diagram, there are several major controls and areas in the Portal. The following subsections describe the general information bar, global toolbar, and sliders in the Portal.

General Information Bar

The general information bar displays the VCM Collector’s (active SQL Server) name, your VCM user name and active Role, and the following buttons:

Log Out: Exits the Portal. The Portal closes, and the VCM Logon screen appears again.

About: Displays information about how to contact VMware Customer Support. It also displays version information for VCM and all of its components. This information may be important when contacting VMware Customer Support.

Help: Launches the online Help for the currently-active display.

Portal Toolbar

The global toolbar provides you with easily-accessible options to enhance control of your environment and data.

The left and right arrow buttons navigate to the previous or next page in the data area.

The Jobs button launches the Jobs Running status window. This button also provides access to the Collector status and allows you to stop/restart the Collector service.

The Collect button launches a wizard allowing you to define and initiate data collections.

The Remote Commands button allows you to invoke the Remote Commands wizard from the toolbar without having to access the node.

The Refresh data grid view button refreshes the data grid view. Pressing F5 on the keyboard accomplishes this as well.

The View row cells button displays a vertically scrolling view of a single row of data rather than the table-based data grid view in a separate window, and allows you to move between records.

VMware, Inc. 49

Page 50

vCenter Configuration Manager Installation and Getting Started Guide

The Select all displayed data rows button selects all the rows in the data grid.

The Copy button is used to copy information from the selected rows in the data grid to the clipboard.

The Copy link to clipboard button is used to copy the link of the content on-screen to the clipboard.

Click the View data grid in separate window button to display the data grid in a separate window.

The Export displayed data button exports data to a CSV formatted file. This file is exported to \\<name_of_Collector_machine>\CMfiles$\Exported Reports.

The Options button opens the User Options window. These settings pertain to the User who is logged on to VCM. All VCM Users will want to configure these to their

individual preferences.

Sliders

The sliders on the left side of the Portal include the items listed and described in the following table. The individual items that you see in VCM will vary, depending on the components that you have licensed.

For detailed instructions regarding any of these features, refer to the online Help.

Select: If you want to:

Console

View, export, or print enterprise-wide, summary information.

Review or acknowledge current alert notifications.

Compliance

Active Directory*

Manage both VCM discovered and non-VCM discovered hardware and software assets.

Review changes that occurred from one collection to the next.

Create, edit, or run remote commands on a VCM managed Windows or UNIX machine.

View information about VCM discovered domains.

Navigate and manage VCM-integrated service desk events.

Manage VCM-managed virtual machines.

View your Windows NT Domain and Active Directory related data.

View information for enterprise-level applications.

Review non-security related UNIX machine-specific information.

Review UNIX security data to ensure consistent security configurations across your enterprise.

Create and manage Compliance rule groups and templates based on either AD objects* or machine group data.

View, export, or print enterprise-wide, summary information for Active Directory objects.

Review alert notifications for the selected AD location.

Review Active Directory-related changes that occurred from one collection to the next.

View collected information about Active Directory objects such as Users, Groups, Contacts, Computers, Printers, Shares, and Organizational Units.

Review Active Directory site lists, including Site Links, Site Link Bridges, Subnets,

50 VMware, Inc.

Page 51

Select: If you want to:

Intersite Transports, Servers, Connections and Licensing.

View Active Directory Group Policy Container Settings.

View information about Active Directory Domains, DCs, and Trusts.

Track and display access control entries and security descriptor data on all collected objects.

View Active Directory Schema information.

Reports

Patching(**)

Run "out-of-the-box" reports against your collected data.

Write your own SQL and SSRS reports using VCM’s report wizard.

Review a list of Microsoft bulletins available to VCM.

Create, run, or import VCM Patching templates to show which machines require the patches described in each bulletin.

Select machines to license, set options for assessment and deployment, or monitor VCM Patching jobs.

Deploy patches.

Administration***

Manage basic configuration options for VCM.

Getting Started with VCM Components and Tools

Establish filters to limit the data you collect from machines in your enterprise.

Manage your VCM licenses.

Organize and manage your enterprise using VCM.

Manage VCM Logins and Roles.

View the status of jobs that are currently running, scheduled to run, or completed.

Configure VCM to notify you of certain conditions in your enterprise.

* Available only when VCM for Active Directory (AD) is licensed. This slider is viewable based on your role.

** Available only when VCM Patching is licensed. This slider is viewable based on your role.

*** Visible only to users with Administrative rights to VCM as part of their VCM role.

VMware, Inc. 51

Page 52

vCenter Configuration Manager Installation and Getting Started Guide

Where to Go Next

You are now ready to proceed to Getting Started with VCM to start using VCM and all of its components and tools.

Once you have completed the steps in Getting Started with VCM, you must proceed to the next applicable chapter in this guide relevant to the components you have licensed in your installation. VMware has intentionally ordered the instructions in the remainder of this guide such that they build upon one another as you proceed through this guide; therefore, it is imperative that you proceed in order.

You can skip any chapters that do not pertain to your installation as you proceed through this guide in order.

NOTE If you choose to license another VCM component at a later date, you will be able to go back and configure it at that time.

52 VMware, Inc.

Page 53

Getting Started with VCM

Before you can begin using VCM to manage the machines in your enterprise, you must complete the following steps:

1. Discover, License, and Install Windows Machines.

2. Discover, License, and Install UNIX/Linux Machines.

3. Discover, License, and Install Mac OS X Machines.

4. Discover, License, and Collect Oracle Data from UNIX Machines.

5. Customize VCM for your Environment.

6. Set up and use VCM auditing.

Discover, License, and Install Windows Machines

The following steps must be performed before collecting data from Windows machines:

1. Verifying Available Domains

2. Checking the Network Authority

3. Assigning Network Authority Accounts

4. Discovering Windows machines.

5. Licensing Windows machines.

6. Installing the VCM Agent on your Windows machines.

7. Performing an initial Windows collection.

8. Exploring the Windows collection results.

These steps are explained in the following subsections.

Verifying Available Domains

The VCM Collector must gain access to each domain in order to interact with all enterprise Windows machines. During installation, VCM discovered all of the domains that the Network Authority Account you provided had access to.

To view a list of these discovered domains in VCM, navigate to Administration | Settings | Network Authority | Available Domains. VCM displays the available domains in the data grid.

VMware, Inc. 53

Page 54

vCenter Configuration Manager Installation and Getting Started Guide

If the Windows machines that you want to manage belongs to a domain that is not shown in this list, then you must add that domain manually. Click Add, then follow the steps in the Add Domain wizard to manually add that domain. Once the domain is shown in the Available Domains list, you will be able to manage Windows machines in that domain.

Checking the Network Authority

Your VCM Collector has to gain access to each domain to interact with the Windows machines in your enterprise. An account having Domain Administrator rights must be created for each domain that has Windows machines you want to manage. An initial account (your default Network Authority Account) was specified through VCM Installation Manager during installation; you may need to create others. Once an account has been created, it must be assigned to domains or machine groups (see Assign Network

Authority Accounts).

The following procedure enables you to check for available accounts and add new ones if necessary.

54 VMware, Inc.

Page 55

1. Click Administration | Settings | Network Authority | Available Accounts.

2. If you need to add a new account, click Add and follow the prompts.

Getting Started with VCM

NOTE Repeat the Network Authority Available Accounts wizard, creating a specific account for each domain that has machines that you intend to manage through VCM.

Assigning Network Authority Accounts

VCM offers considerable flexibility in assigning Network Authority Accounts to domains and machine groups. You can assign one account to all domains and machine groups, or assign a different account to each. You can even assign multiple accounts to each domain and machine group.

VMware, Inc. 55

Page 56

vCenter Configuration Manager Installation and Getting Started Guide

The following procedure illustrates how to assign Network Authority to accounts by NetBios domain. However, you can also assign Network Authority by Active Directory Domain, or even by Machine Group (Administration | Settings | Network Authority | Assigned Accounts | By Machine Group). For more information on these options, see the online Help.

1. Click Administration | Settings | Network Authority | Assigned Accounts | By Domain and then select NetBios.

2. Select a listed domain.

3. Click Edit Assigned Accounts and follow the prompts.

Discovering Windows Machines

The discovery process identifies which machines can be accessed on your network. VCM uses one or more Discovery Rules to discover the machines that are present on your network and available to VCM. The Discovery Rules can be very general to discover many machines, or very precise to discover a particular subset of your machines.

56 VMware, Inc.

Page 57

Getting Started with VCM

Your initial discovery can take anywhere from one afternoon to a couple of days, depending on the size of your network. You may not have a 100% success rate with the first discovery process you run because some machines may not be available during that time (for example, laptops that are not currently on the network). It may, therefore, take a few days to coordinate and resolve scenarios in order for you to discover the machines in your enterprise.

NOTE It is not necessary to complete the discovery of every machine in your enterprise before you proceed with licensing machines. If you choose to move forward and license a subset of your machines, be sure to review these chapters when you discover additional machines at a later time.

All discovered Windows machines will be placed in the Administration | Machines Manager | Available

Windows Machines list, and all discovered UNIX/Linux machines will be placed in the Administration | Machines Manager | Available UNIX Machines list.

NOTE A Discovered Machines Import Tool (DMIT) is available from VMware Customer Support to assist

you with the following process. This tool imports machines discovered by the Network Mapper (Nmap) into the configuration database. To use the tool, contact VMware Customer Support; otherwise, use the following process.

After the initial discovery, VMware recommends that you generally perform a discovery about once each week to keep the list of available machines current. You can schedule these future discoveries during your organization’s off-hours, if you prefer.

NOTE To schedule a VCM job for discovery, go to Administration | Job Manager | Scheduled and follow the Wizard. Refer to the online Help for more information.

Use the following procedure to discover machines.

1. Click Administration | Machines Manager | Discovery Rules.

2. Click Add to create a Discovery Rule. The Discovery Rules wizard appears.

VMware, Inc. 57

Page 58

vCenter Configuration Manager Installation and Getting Started Guide

3. Type a Name and Description for this new Discovery Rule, then click Next. The Discovery Method page appears.

4. If you have Active Directory in your environment, VMware recommends a discovery that is targeted for Active Directory. Select By Active Directory.

5. For an initial discovery, do not select Also discover the presence and version of the VCM Agent when this rule is run. Because the VCM Agent is not present on the machines yet, you cannot discover the Agent version.

6. Click Next. If you used By Active Directory, the AD Domain page appears.

7. Specify the AD Domain, accept the defaults, and then click Next. The Discovery Filters page appears.

58 VMware, Inc.

Page 59

Getting Started with VCM

8. Create the filter. For more specific filtering of machines for discovery and other advanced features, refer to the online Help. Click Next. The Important page appears.

9. Select Yes so that you can run the Discovery Rule immediately. Because you are discovering machines for the first time, you want to run the discovery now. Leave License and Install Agent on Discovered Machines unselected. If the box is checked, VCM will proceed with licensing and installing the Agent on each machine discovered, potentially exceeding your license count. For future scheduled discoveries, VMware suggests checking the box, but not for your initial discovery.

10. Click the Jobs button at the top of the Portal to verify that your discovery job has completed before

proceeding to the next step. The Jobs Running window appears, listing your job name and summary information. If the job has completed, it will not appear here.

NOTE You can also verify jobs for the past 24 hours if you think that you may have missed your running discovery job by going to Administration | Job Manager | History | Other Jobs| Past 24 Hours. Refer to the online Help for additional information regarding VCM Jobs.

Licensing Windows Machines

You are now ready to license the Windows machines you have discovered. In the following sections, you will license, install VCM Agents on, and collect data from your Windows machines. Later, we will guide you through these actions on your UNIX/Linux machines.

VMware, Inc. 59

Page 60

vCenter Configuration Manager Installation and Getting Started Guide

VCM requires that you specify the machines you want to manage. Remember, the number of licenses you have purchased may not match the number of machines that have been discovered and are visible in

IMPORTANT If the machine type (that is, workstation or server) of a discovered Windows machine is

indeterminate, then the machine cannot be licensed. The machine type is visible in the second column of the Available Machines Data Grid found at Administration | Machines Manager | Available Machines |

Available Windows Machines. If you need assistance resolving the machine type for machines you plan

to license, contact VMware Customer Support for guidance.

Use the following procedure to license your Windows machines.

1. Select Administration | Machines Manager | Available Machines | Available Windows Machines.

NOTE Remember, discovered machines with an indeterminate Machine Type will not be licensed if they are included in your selection.

2. Select the machine(s) you want to license. To select multiple machines, use Shift-click or Ctrl-click.

3. Click License. The Available Machines License dialog box appears.

60 VMware, Inc.

Page 61

Getting Started with VCM

4. Leave the Install VCM Agents for the selected machines box unchecked during your first pass at licensing machines. Once you have more experience licensing machines and deploying the VCM Windows Agent, you may choose to check this box when licensing. The machines that you selected appear in the Selected area. Click Next to view your Product License Details. The licensed machine count has increased by the number of machines that you have selected to license.

5. Click Next. VCM confirms that the licenses you requested will be applied to the selected machine(s).

6. Click Finish.

Installing the VCM Windows Agent on your Windows Machines

Before you can collect data from a machine, the VCM Windows Agent must be installed on your licensed Windows machine. You can install the VCM Windows Agent through VCM or manually. Both methods are described here.

Machines that will be affected are those that are listed in the Administration | Machines Manager | Licensed Machines | Licensed Windows Machines view.

The following procedure describes how to install the VCM Windows Agent on your licensed Windows machines.

NOTE If you are installing the Agent on Windows 7, 2008, 2008 R2, or Vista, you may need to disable the UAC during installation. See"Disabling UAC for Agent Installation" on page 214 for information.

Use the following steps to install the VCM Windows Agent on your licensed Windows machines.

1. Navigate to Administration | Machines Manager | Licensed Machines | Licensed Windows Machines.

2. Select the Windows machine(s) on which you want to install the VCM Windows Agent. To select multiple machines, use Shift-click or Ctrl-click.

VMware, Inc. 61

Page 62

vCenter Configuration Manager Installation and Getting Started Guide

3. Click Install and follow the prompts.

NOTE To use advanced options such as HTTP communication for your agent, or to deploy the agent from an alternate source, refer to the online Help. To access the online Help at any time during the wizard, click the Help button in the lower left corner of the dialog box.

4. Verify that your agent installation job has completed. To check the status of an active job, click the Jobs button at the top of the Portal window to access the Jobs Summary.

NOTE You can also verify jobs for the past 24 hours if you think that you may have missed your running discovery job by going to Administration | Job Manager | History | Other Jobs | Past 24 Hours. Refer to the online Help for details regarding VCM Jobs.

Manually Installing the VCM Windows Agent

You can manually install the VCM Windows Agent using either the EXE (.exe, executable) file or the MSI (.msi, Microsoft Installer) file that is supplied with VCM. Choose your install method based on the following:

EXE files detect an existing software version and provide the option to uninstall the existing version. EXE files can also be used for unattended silent installations.

MSI files are database files executed by the Windows MSIEXEC.EXE executable, which reads data in the MSI file and executes the installation. MSI files can be used for unattended, silent installations. The MSI installer will also uninstall an existing agent (non-msi), but it does not ask. If you run it again, you have the option of removal only. If you upgrade an MSI-installed agent with the new MSI, the old agent is uninstalled.

The VCM Enterprise Certificate, which is selected during the initial installation of VCM, is installed in the certificate store on the Agent machine during the Agent installation process if HTTP is selected. The Collector root certificate (Enterprise Certificate) is used to authenticate requests from a collector (using the Collector Certificate and its established trust to the Enterprise Certificate) on the Agent machine before a collection/change request is processed.

Using the .exe

To manually install the VCM Windows base Agent (CMAgentInstall.exe) on a target machine using the .exe file, follow these steps.

62 VMware, Inc.

Page 63

Getting Started with VCM

1. On your Collector, navigate to the Agent files directory at: c:\Program Files\VMware\VCM\AgentFiles

2. Locate the CMAgentInstall.exe file, and then install it from a network share or copy it to the target machine.

3. Navigate to the collector data directory at: c:\Program Files\VMware\VCM\CollectorData. Locate the Enterprise Certificate .pem file. This file must be accessible during the agent installation. The path used here is the default location. If your files are not in the default location, click Administration | Settings | General Settings | Collector. In the data grid, go to the Root directory for all collector files. The current path is displayed in the Value column.

NOTE If the Enterprise Certificate has been distributed by a mechanism outside of the scope of VCM, such as a corporate Public Key Infrastructure (PKI), you may not need to include the Enterprise Certificate file.

4. In Windows Explorer, double-click the CMAgentInstall.exe. You will be asked for the certificate path and port.

If you are performing a silent install, on the target machine run the CMAgentInstall.exe using the following parameters:

CMAgentInstall.exe /s INSTALLPATH=%Systemroot%\CMAgent PORTNUMBER=26542

CERTIFICATEFILE=<filename>

NOTE The %Systemroot% environment variable specifies the directory where Windows is installed (typically \WINNT or \WINDOWS).

Where:

CMAgentInstall.exe is the executable used to install the Agent.

/s indicates a silent install, which means that popups and menus do not appear. When running this command from the command line, VMware recommends using the /s option. When performing a silent install, if the VCM Windows Agent is found locked, the installation will fail. To unlock the Agent so that the installation will proceed, use the -UNLOCK option. When used, the Agent will remain unlocked when the installation completes. The syntax is:

CMAgentInstall.exe /s -UNLOCK INSTALLPATH=%Systemroot%\CMAgent

PORTNUMBER=26542 CERTIFICATEFILE=<filename>

NOTE To re-lock your machine, submit a lock request from the VCM Collector.

INSTALLPATH is the location where the Agent will be installed.

PORTNUMBER is specified for HTTP Agents. If the PORT parameter is not present, the protocol will be DCOM. In this case, the communication socket listener service will not be installed and the certificate is not required.

CERTIFICATEFILE is the certificate that was generated or specified on the Collector during the Collector installation. The location of the certificate file will be in the path relative to where you installed the software on the Collector, and by default is C:\Program Files\VMware\VCM\CollectorData\[certificate name].pem. If you specify a PORTNUMBER, but do not want to use a certificate, you must use the parameter CERTIFICATEFILE=SKIP to allow an HTTP Agent without a valid CERTIFICATEFILE path.

VMware, Inc. 63

Page 64

vCenter Configuration Manager Installation and Getting Started Guide

NOTE For Vista, Windows7, and Windows 2008 only: If you set compatibility mode on any Agent executables to a prior version of Windows, the operating system may be reported incorrectly in VCM.

To Manually Uninstall the VCM Windows Agent

The VCM Windows Agent uninstall executable will be present only if the Agent was installed manually using CMAgentInstall.exe or CMAgentInstall.msi. To uninstall the VCM Windows Agent manually, execute the following command (this command assumes the default installation directory was selected):

%SystemRoot%\CMAgent\Uninstall\Packages\CMAgentInstall\UnCMAgentInstall.exe

Using the .msi

To manually install the VCM Windows base Agent (CMAgent[Version].msi) on a target machine using the .msi file, follow these steps:

1. On your Collector, navigate to the agent files directory. The location of the .msi will be in the path relative to where you installed the software on the Collector, and by default is c:\Program Files\VMware\VCM\AgentFiles.

2. Locate the CMAgent[Version].msi file. This file must be accessible by the target machine.

3. Navigate to the collector data directory at: c:\Program Files\VMware\VCM\CollectorData. Locate the VCM Enterprise Certificate .pem file, and then copy this file to the target machine in a secure manner.

NOTE If your Collector is operating in a full Public Key Infrastructure (PKI), and the client can validate the Collector root certificate (Enterprise Certificate), the .pem file is not necessary.

4. On the target machine, double-click the .msi or run the .msi file using the command line syntax. Command line options and parameters are described below.

msiexec /Option <Required Parameter> [Optional Parameter]

For example:

msiexec.exe /qn /i "[PathToFile]\CMAgent[Version].msi" [PORTNUMBER=<available

port>] [INSTALLDIR="<new path>"]

When executing the Windows installer file with default options, any existing Window Agent is removed. The new VCM Windows Agent is then installed in the %SystemRoot%\CMAgent directory, and will use DCOM to communicate. The %SystemRoot% variable defaults to C:\WinNT or C:\Windows.

For HTTP installs, where PORTNUMBER is set, you must also specify an Enterprise Certificate. To do so, use this syntax: CERTIFICATEFILE=”x:\[mypath]\[mycert].pem”. If you specify PORTNUMBER, you must also provide CERTIFICATEFILE with either SKIP or the path to a certificate file.

Command line options, showing required and optional parameters, include the following. These options are all parameters to msiexec.

/qb - Runs the command in a basic user interface, displaying the progress and error messages.

/qn - Runs the command in quiet mode; no user interaction is required.

/i - Specifies the command as an installation.

/x - Specifies the command as an uninstall process.

64 VMware, Inc.

Page 65

Getting Started with VCM

PORTNUMBER: Installs the Windows Agent on the port number specified, using HTTP instead of DCOM. For HTTP installs, where PORTNUMBER is set, you must also specify a certificate file using the syntax: CERTIFICATEFILE=”x:\[mypath]\[mycert].pem”. For example:

msiexec.exe /qn /i "C:\temp\CMAgent[VersionNumber].msi" PORTNUMBER=2666

CERTIFICATEFILE=”x:\mypath\mycert.pem”

INSTALLDIR: Changes the default root directory specification (%SystemRoot%\CMAgent). For example:

msiexec.exe /qn /i "C:\temp\CMAgent[VersionNumber].msi" INSTALLDIR="C:\VCM"

CERTIFICATEFILE: Specifies the Enterprise Certificate. For example:

CERTIFICATEFILE=”x:\[mypath]\[mycert].pem” or CERTIFICATEFILE=”SKIP”

For more information about the command line options and descriptions, click Start | Run | msiexec or visit http://www.microsoft.com.

You must specify optional parameters using UPPERCASE letters, following the required "/i" parameter. Quotation marks are necessary only when a path includes spaces. For example, when one or more spaces exist in the source file location and the INSTALLDIR parameter. The optional parameters can be specified in any combination and order.

Disabling UAC for Agent Installation

The following steps are required only if you are installing the Agent on a Windows 2008 or Vista machine. When installing the Agent on Windows 2008 or Vista, you must disable the User Account Control (UAC), install the Agent, and then re-enable the UAC.

Disabling UAC on One Machine

1. On the target Windows 2008 machine, click Start | Run. The Run dialog box appears.

2. Type msconfig in the Open text box.

3. Click OK. The System Configuration dialog box appears. (This dialog box differs for Windows 2008 R2 machines.)

4. Click the Tools tab.

5. In the Tool Name list, select Disable UAC.

6. Click Launch. A Command window displays the running action. When the command is completed, close the window.

7. Close the System Configuration dialog box.

VMware, Inc. 65

Page 66

vCenter Configuration Manager Installation and Getting Started Guide

8. Restart the machine to apply the changes.

9. Install the Agent as specified in Licensing and Deploying the VCM Agent.

10. After installing the Agent on the target machine, re-enable UAC. To enable, perform the steps

specified above. In Step 5, select Enable UAC in the Tool Name list.

11. Restart the machine to apply the changes.

Disabling UAC using Group Policy

Use the following procedure to disable the UACon multiple machines. The instructions assume you have configured the Windows 2008 and Vista machines targeted for Agent install in a common Active Directory domain/OU.

1. On a Domain Controller, click Start | Run. The Run dialog box appears.

2. Type mmc in the Open text box.

3. Click OK. The Console window appears.

4. Select Console Root, and then click File | Add/Remove Snap-in. The Add or Remove Snap-ins dialog box appears.

5. In the Available snap-ins list, double-click Group Policy Management Editor. The Select Group Policy Object dialog box appears.

6. Click Browse. The Browse for a Group Policy Object dialog box appears.

7. On the Domains/OUs tab, select the domain/OU to which the target machines belong, and then click OK.

8. On the Select Group Policy Object dialog box, click Finish.

9. On the Add or Remove Snap-Ins dialog box, click OK.

10. The domain/OU policy is added to the Console Root in the left pane.

12. In the right pane, locate the User Access Control policies. On each of the policies specified below, right- click and select Properties. Configure as follows:

User Account Control: Behavior of the elevation prompt for administration in Admin Approval Mode: Elevate without prompting.

User Account Control: Detect application installations and prompt for elevation: Disabled

User Account Control: Run all administrators in Admin Approval Mode: Disabled

13. Restart the machine to apply the changes.

14. Install the Agent as specified in the previous section, "Licensing and Deploying the VCM Agent".

15. After installing the Agent on the target machines, re-enable UAC. To enable, perform the steps specified above. In Step 5, change the policies to Enabled.

16. Restart the machine to apply the changes.

66 VMware, Inc.

Page 67

Getting Started with VCM

Performing an Initial Collection

You are now ready to collect data. VMware recommends using the default filter set, which collects a general view of the licensed Windows machines in your enterprise configuration, until you are ready to build specific filters and target your collections. The first time you use the default filter set for a collection, the VCM Agent will return all of the data (as specified by the filters in the default filter set) to be stored in the VCM database. Subsequent collections using the default filter set will return only a delta collection (meaning the differences between the data found on the target machine and what is already stored in the VCM database), unless you specify within the Collect Wizard to return the full collection. The delta collection feature makes subsequent collections run faster and more efficiently than the initial collection with that particular filter set.

IMPORTANT You can run Compliance Templates and perform reporting on data that has been collected and stored in VCM. Therefore, it is necessary to perform collections on a regular basis. This ensures that the data you are reporting on is current. When performing a full collection on your entire enterprise, you may want to run VCM overnight because the collection could potentially affect the performance of your machines. Once the initial collection completes, any future delta collections should be unnoticed by users. Be sure to perform collections on a routine basis to ensure accurate reporting.

1. Click Collect, located on the main Portal toolbar. The Collection Type page of the wizard appears.

2. Select Machine Data, and then click OK. The Machines page appears.

3. Select the machine(s) from which you want to collect data. To select multiple machines, use Shift-click or Ctrl-click. Use the double arrow to move all visible machines to the selection window, 500 at a time. Leave the default options selected, then click Next.

IMPORTANT To collect from machines running Windows XP SP2 or Vista using DCOM, you must either enable ICMP pings in the firewall settings, or disable ICMP pings in the Portal. Refer to the online Help for more information.

4. The Data Types dialog box appears. Check the Select All checkbox, then confirm that the Use default filters option button is also selected. Click Next.

VMware, Inc. 67

Page 68

vCenter Configuration Manager Installation and Getting Started Guide

5. For initial collections, there should be no conflicts with previously scheduled or running jobs containing the same data types. Click Finish.

6. Verify that your collection job has completed before proceeding to the next step. To do so, click the

Jobs button at the top of the Portal window to access the Jobs Summary.

NOTE You can also verify jobs for the past 24 hours if you think that you may have missed your collection job by going to Administration | Job Manager | History | Instant Collections | Past 24 Hours. Refer to the online Help for additional detail regarding Jobs.

TIP Collecting certain Windows data types the first time results in a secondary SID lookup (looks up user

accounts associated with a user ID) query back to the machine from which the data type was collected. To speed up initial collections that require a SID lookup, first collect the Accounts and the Groups data types from the Primary Domain Controller (PDC) of each domain. The PDCs have the necessary account information, and doing so automatically resolves the SIDs. The data types that cause the automatic additional query are:

• User Rights

• Registry Key Permissions

• Directory Permissions

• Share Permissions

• Disk Quota

• Event Log

• Services

• Processes

Exploring Windows Collection Results

Now that you have performed an initial Windows collection, you can explore that data in the VCM Portal. VCM presents summary information in graphical SSRS charts, for machines in the active machine group, which you can view, export, or print. The individual VCM Dashboards visible in the VCM Portal will vary, based upon which VCM components you have licensed. Each VCM Dashboard is run only when the node is selected against the current data available in the CMDB for machines in the active machine group. Therefore, Dashboard data is only current as of the time when it was collected. In addition, it may take time for the data to display based upon the volume or complexity of the data requested.

68 VMware, Inc.

Page 69

Getting Started with VCM

1. Begin by looking at the Windows Operating Systems Dashboard under Console | Dashboards | Windows | Operating Systems.

2. Note that several other Windows Dashboards are also available. Take time to familiarize yourself with the remainder of the Windows Dashboards. Windows Collection Results are also available to you in a more “raw” format by data class. This level of “reporting” is more relevant for day-to-day operations, troubleshooting, and analysis, and can be viewed in a Summary report or data grid format.

3. Now take a look at your Windows Operating System Information by clicking the Windows tab in the Console. Then, click Operating System | Machines.

VMware, Inc. 69

Page 70

vCenter Configuration Manager Installation and Getting Started Guide

4. When you select the node, you will see a Summary Report as displayed above of the data class that you selected. Click View Data Grid to go directly to the data grid, or click an area of the Summary Report to filter the data before the data grid is displayed.

70 VMware, Inc.

Page 71

Getting Started with VCM

TIP The default view is the Summary Report; however, at any time you may switch the default view to go directly to the data grid by using the ’Enable/Disable Summary’ feature on the data grid view. See About Data Grids in the online Help for more information on how to filter and sort your data and get full use of the data grid.

Several other categories (called “data classes”) of information regarding your Windows Collection are available under the Windows tab, which is located in the Console. This is where the remainder of your collected Windows data is visible through the Portal.

An alternative way to view your collected Windows data is by running Reports or creating your own custom reports using the reporting wizard. To begin exploring VCM’s Reporting functionality, go to the Reports slider, then click Machine Group Reports | Windows.

Like Dashboards, Reports are run against the current data available in the CMDB for machines in the active machine group, and therefore are only as current as the last collection. In addition, the report may require significant time to generate based upon the volume or complexity of the data requested. Refer to the online Help for more information on how to schedule and disseminate reports.

5. You may now begin to check Compliance for your collected data. To run a Compliance check, click the Compliance slider, then follow the steps as described in the online Help to create rule groups, rules, filters, and templates.

VMware, Inc. 71

Page 72

vCenter Configuration Manager Installation and Getting Started Guide

Getting Started Collecting Windows Custom Information

As a System Administrator, you can extend the data that VCM can collect by using a script, which will allow you to view, report on, alert on, detect change on, and run compliance against data not currently exposed by VCM. This extension allows you to view, report on, alert on, detect change on, and run compliance against custom data not currently exposed by VCM.

You can use the Windows Custom Information data type to perform user-defined, script-based collections from VCM-managed machines. To collect the custom data, you build a collection filter, which includes a script and other parameters relating to the execution of the script and the handling of its results. When this filter is used in a collection, the VCM agent will call a script engine to run the script, and will then parse the results so they can be returned to the VCM database and displayed in the VCM console. As of this release, VCM supports PowerShell scripting and XML output.

During the collection process, the VCM Agent launches PowerShell to execute the script, which in turn generates an XML result file. The Agent then parses the XML result into a format that can be checked for changes (deltas), and then those changes are returned to the Collector.

Prerequisites

Before collecting Windows Custom Information (WCI), you must ensure the following prerequisites are met.

72 VMware, Inc.

Page 73

Getting Started with VCM

You must obtain or write a PowerShell script that will return data in a VCM-compatible elementnormal XML format.

The VCM agent (for VCM 5.3 or later) must be installed on each VCM-managed machine used to collect the Windows custom information. Older agents must first be upgraded.

PowerShell must be installed on each VCM-managed machine. PowerShell is installed by default on Windows 2008 R2 and Windows 7 machines. For Windows XP, 2003, 2003 R2, 2008, and Vista machines, PowerShell must be installed separately. You cannot install PowerShell on Windows 2000 or NT4 machines. In cases where PowerShell is not installed on the target VCM-managed machine, the WCI collection will return a "Not Executed" success status. See Job Status Reporting for WCI.

Windows Custom Information supports PowerShell version 2.0, and should work with later versions of PowerShell as well.

After installing PowerShell on a VCM-managed machine, you must reboot the machine to ensure that collections will work properly.

If the VCM Collector will be used as a client for WCI collections, ensure that PowerShell is installed on the Collector machine.

VCM ships with default Administration settings for Agent Thread (default is set to below normal thread priority) and Agent Data Retention (default is 15-day change log). However, you can change these settings if you desire.

Before file-based PowerShell scripts can be executed by the WCI collection filter on the VCM Collector and/or the VCM-managed machine, you change the execution policy on the VCM-managed machines. The PowerShell execution policy on the VCM machine must be set to Remote Signed, All Signed, or Unrestricted. If the policy is set to All Signed, the scripts must be signed, and the appropriate certificates distributed before collections can be run.

Procedure

To collect and view Windows Custom Information from VCM-managed machines, follow these steps.

1. Obtain PowerShell script(s) from VMware Professional Services or another source (or you can write your own). For more information about scripts, see Getting Started with PowerShell Scripts.

2. Select Administration | Collection Filters | Filters.

3. Click Add Filter to add a collection filter. The Collection Filter Wizard appears.

4. Enter a name for the filter, and then click Next. The Data Type page appears.

5. Select Windows, and then the Custom Information (Win) data type. Click Next. The Windows Custom Information Filter page appears.

6. Select your Script Type, which defaults to PowerShell v1.0 Text Output.

7. Select the Output Type of Element Normal XML.

8. Specify the Timeout in seconds. This setting specifies how long the Agent will allow a PowerShell script to run before attempting to end the process. The purpose of this setting is to prevent blocked or excessively long-running scripts from blocking other Agent requests.

9. In the Script area, paste the content of your user-defined PowerShell script, which contains statements specific to the data type you will be collecting. Depending on your script, parameters to be configured may exist near the top of the script.

10. VCM handles violations of any duplicate path attributes in the PowerShell scripts through the

Duplicate Handling settings. In the Duplicate Handling area, select one of the following: Discard, Increment, or Fail with Error.

VMware, Inc. 73

Page 74

vCenter Configuration Manager Installation and Getting Started Guide

11. Click Next and then Finish.

12. Run a collection using your new collection filter.

13. Ensure the job completes.

14. View data in the Custom Information nodes ( Console | Windows | Operating System | Custom Information).

When the Windows Custom Information data is available in the VCM database, you can generate reports and enforce compliance.

Change Detection in Windows Custom Information Data

Deltas in WCI are maintained on a per-filter basis at the client side, which means that if multiple filters return data under the same top-level element name (such as NetStat), each filter will have its own change detection.

In the following example, using multiple filters that collect the same open ports data and return it under the NetStat top-level element name, if a client machine has just started listening on port 80, each filter will report this new data as a newly created value the first time the filter “sees” this data. The best practice is to avoid this type of overlap of filters.

For example, two copies of the File Permission With Audit filter could be created in order to collect file permissions data from different parts of the file system, but they should not overlap. Having one filter get data from C:\ and another filter get data from C:\Windows would be a good practice. However, having one filter get data from C:\Windows with audit information and another filter get data from C:\Windows without audit information would not be a good practice because both filters would generate "new file" and "deleted file" events each time a new file was added or removed.

For an element such as NetStat, only one filter should be used.

For an element such as NTFS file system (NTFSDirectory), multiple filters would likely be used. For example, one filter would be used to obtain the details under C:\, and another filter would be used for C:\Windows\System. Both would merge under the NTFSDirectory top-level element, but there should be no overlap; instead they would each collect separate parts of the file structure to avoid “extra” change reporting.

Purge for Windows Custom Information

As with other data types, purge for WCI will purge all data for a machine. This means that if a single WCI filter is collected with the “Do not limit to delta” option selected, all WCI data for that machine will be purged from the client’s master file and from the VCM database, and it will be replaced with the resulting data from the single filter.

Job Status Reporting for WCI

Job status reporting for WCI is provided on a per script/filter level, and includes detailed reporting about exit codes and process standard error output. As each script/filter is executed, VCM captures detailed results information during the execution of the WCI collection filter scripts.

You can view the detailed information in the VCM user interface in the Administration | Job Manager | History node by selecting the executed job and then selecting View Details in the Job History Machine Detail pane of a collection job that includes WCI data.

74 VMware, Inc.

Page 75

Getting Started with VCM

The Job History Machine Detail view displays a single row for each WCI filter included in the collection job. These rows provide information about the execution of the WCI scripts and the parsing of the script results. In cases where the script cannot be executed because prerequisite components are not installed or available (such as PowerShell is not installed), the status for a row will be “Not Executed.” This status does not result in a failure for the inspection because PowerShell (or other script engines) are optional components and may not even be installable on all VCM-supported OS versions.

If a WCI collection job encounters errors on a machine, detailed information about the failure will be reported. The failure could occur during the launch of PowerShell, during script execution, or during the interpretation of the script results. For example, an error could occur in the PowerShell launch process if PowerShell is not installed on the VCM-managed machine. However, since PowerShell is an optional component, such a failure does not roll up as an error to the job level, although the job details will show Not Executed to show such skipped steps. On the other hand, if a PowerShell script generates errors due to syntactical or typographical defects in the script itself, these errors will roll up to a “completed with errors…” status at the collection job level.

Running Reports

Several reports are included for reporting on Windows Custom Information, including:

Netstat Open Ports:Reports port and protocol information from the netstat –A command.

SQLSMO Database: Reports database details collected.

SQL SMO Instance: Reports basic information about SQL Server instances collected.

These reports are in Reports | Machine Group Reports | Windows | Custom Information.

Getting Started with PowerShell Scripts

The Windows Custom Information data type (WCI) uses extensions to the VCM Windows agent to allow the agent to invoke scripts that are passed down as part of a collection filter’s parameters, and then parse the results. As a result, these extensions are very flexible in that they use filter parameters to detail the command line to invoke the scripting engine, and a COM class name to specify the parser the Agent will need in order to parse the script output. This allows the eventual extension of the system to support multiple different scripting engines/languages and multiple options for output format.

For this version of WCI, the base requirement supports PowerShell for the scripting engine and a specific XML format, named Element Normal XML, as the output.

This topic describes:

Executing PowerShell Scripts

Developing Custom Collection Scripts

Example of Developing a Custom PowerShell Script for Use with the WCI Data Type

Troubleshooting Custom PowerShell Filter Scripts

VMware, Inc. 75

Page 76

vCenter Configuration Manager Installation and Getting Started Guide

Executing PowerShell Scripts

PowerShell contains built-in policies, which limit its use as an attack vector. The primary policy is for script execution. By default the script execution policy is set to Restricted, which means that PowerShell can only be used interactively or for executing commands directly from the command line. The additional policy settings are as follows:

AllSigned: Any PowerShell script (.ps1 is the typical extension) must be signed by a verifiable certificate (from the SPC certificate store)

RemoteSigned: Any PowerShell script that is downloaded from the Internet (by a supporting browser such as Internet Explorer) must be signed. Script files that are created locally, or scripts that are downloaded by a means that does not support flagging of the file source, do not need to be signed.

Unrestricted: All PowerShell script files will be executed regardless of whether they are signed.

In addition, PowerShell 2.0 adds the capability to set different script signing policies at the machine, user, and process (single execution of powershell.exe) scopes.

WCI uses Script Type information in the collection filter definition to indicate how PowerShell should be executed and how the script should be passed to it. The primary ways a WCI script may be passed to PowerShell is either in-line or through a script file

In-line: Requires a collection script that can be represented as a single line of PowerShell code. In-line scripts can be run regardless of the execution policy; because an in-line script is run on the PowerShell command line rather than from a file, the execution policy does not apply. The default WCI filter uses an in-line script to collect basic information about the PowerShell version, .NET version, and execution policy settings of a system.

Script file: Requires that the execution policy be set to Remote Signed at the most restrictive, since the script is being run from a file locally on the client system. Because of its additional ability to have execution policy set at the process level, PowerShell 2.0 is the base requirement for WCI in VCM. The default script type command line used for script based filters in WCI includes options to set the processlevel execution policy to Remote Signed. This allows WCI to execute collection scripts against systems whose machine and user level signing policies may be anything, without having to change the setting. Out-of-the-box VCM WCI non-in-line collection filters will fail if executed against PowerShell 1.0 client systems.

VMware recommends that you upgrade from PowerShell 1.0 to PowerShell 2.0, which introduced a number of useful functions. PowerShell 2.0 is also supported on all platforms that support PowerShell 1.0.

It is possible to execute WCI PowerShell collection scripts against PowerShell 1.0 systems as well, although it has not been tested, and is not officially supported. In-line WCI filters that do not employ PowerShell 2.0 commands should work directly. For script file based filters to work, you must create them with the PowerShell v1.0 Text Output script type, and the system must already have its execution policy set to Remote Signed, at the most restrictive, with un-signed scripts, or to All Signed with signed scripts (see below). This setting can be accomplished by the Group Policy Object (GPO), through the use of a VCM Remote Command, or by using a registry change action or enforceable compliance to set the policy directly. For example:

HKLM\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell "ExecutionPolicy"="RemoteSigned"

76 VMware, Inc.

Page 77

Getting Started with VCM

For additional information about Windows PowerShell and signing scripts, see:

Scripting with Windows PowerShell: http://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx

Windows PowerShell Owner's Manual: http://technet.microsoft.com/en-us/library/ee176949.aspx

Signing Windows PowerShell Scripts: http://technet.microsoft.com/en-

us/magazine/2008.04.powershell.aspx

Execution Policies: http://technet.microsoft.com/en-us/library/dd347641.aspx

Registry value that controls execution policy: http://msdn.microsoft.com/en-

us/library/bb648598(VS.85).aspx

Developing Custom Collection Scripts

Development of custom collection scripts requires planning the data structure. WCI internally stores data hierarchically, as displayed in the Tree View - Standard node. The collection script is required to provide all of the structure that can be seen in any branch under this node.

The root element in the XML result data set will become a top level (root) element in the WCI data type node. Child elements will appear in the same locations in the VCMuser interface as the locations they populate in the XML document that is returned by the script.

When developing custom collection scripts, follow these guidelines:

XML element names must be unique at their level (for example, two "Child1" nodes can exist, as long as they are not siblings).

Attributes must be unique at their level.

Element and attribute names used must be valid XML when returned by the script. If data is to be returned as an element or an attribute name that is not valid for XML, the name can be encoded using the [ToCMBase64String] function. The inserter will recognize names encoded with this function and will decode them during the raw insert process. The inserter is a Collector job that is executed during each collection. It is responsible for parsing the Agent results files and putting the data into a new raw database table. The raw data is then transformed into the data that appears in the nodes in the user interface.

function ToCMBase64String([string]$input_string)

{

return [string]("cmbase64-" +

[Sys-

tem.Co-

nvert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($input_

string))).replace("=","-")

}

If a script has configurable parameters, they should be described in a comment block near the top of the script, along with configurable entries of the parameters near the top of the script, so that a user who is cloning a WCI collection filter can easily see and set the parameters in the Edit Filter wizard (in Administration | Collection Filters | Filters).

Declaration of variables, and any other tasks in a script that produce output that is not part of the XML result set, should be redirected to out-null, such as:

[reflection.assembly]::LoadWithPartialName("Microsoft.SqlServer.Smo") | out-

null

The default WCI filter returns PowerShell version information from VCM-managed machines.

See also the example below of developing a custom PowerShell script for use with the WCI data type.

VMware, Inc. 77

Page 78

vCenter Configuration Manager Installation and Getting Started Guide

Example of Developing a Custom PowerShell Script for Use with the WCI Data Type

In this example, the objective is to collect scheduled tasks information from Windows clients. On newer systems, Windows conveniently provides the schtasks.exe utility to report on scheduled tasks created either through the Task Scheduler user interface or through use of the AT command.

Running schtasks by itself returns only basic data about tasks.

Adding the /query /v switches provides additional information, but the formatting is difficult for automated processing.

The schtasks /query /? command provides additional possibilities.

The option set of schtasks /query /v /fo:csv is selected as the source for the data for the collection script. These options give full details for all tasks in a comma-separated value result set.

PowerShell makes working with tabular result sets from commands easy. A first step for this script is to run a command similar to:

$schtasks = schtasks /query /v /fo:csv

Since the data returned from schtasks includes multiple rows, PowerShell makes the $schtasks variable into an array. As such, $schtasks[0] represents the first row returned from the command. Viewing the result set by looking at $schtasks[n] shows that that the first line, $schtasks[0], is blank; $schtasks[1] contains column names, and $schtasks[2] is the first row of task data. The goal, then, is to parse this data into a structure compatible with VCM’s XML format for return to the Collector.

The Scheduled Tasks script uses the split method of PowerShell strings to separate the columns of the $schtasks rows into separate values in arrays. The column names row provides the names to use for attributes, and the corresponding data from the scheduled task rows provide the values to use for these attributes.

Once parsed, the XML returned by the script should look something like:

<attribute1>Value1</attribute1>

<attribute2>Value2</attribute2>

…

</taskname1>

<attribute1>Value1</attribute1>

<attribute2>Value2</attribute2>

…

</taskname2>

…

</schtasks>

The <schtasks> top-level name is an arbitrary name picked to distinguish the results of this script from others. A couple of additional challenges must also be overcome with this data, related to column names returned by the schtasks command, and the fact that the schtasks command does not include any unique and repeatable identifier for specific task entries. Details about these challenges are described next.

78 VMware, Inc.

Page 79

Getting Started with VCM

The first challenge can be seen by looking at the column names returned by the schtasks command. Even the basic schtasks command (no options) has a column name of Next Run Time. Since this column name includes spaces, it cannot be used as-is as an attribute name in an XML document. Other column names returned by the more verbose execution of schtasks have similar problems. To preserve these column names in the form that they are returned from the schtasks command, but still allow for XML handling, the names are encoded with the ToCMBase64String function:

function ToCMBase64String([string]$input_string)

{

return [string]("cmbase64-" +

[Sys-

tem.Co-

nvert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($input_

string))).replace("=","-")

}

This function uses Unicode base64 encoding, along with some character substitution (a dash instead of an equal sign) to create an XML-legal form of any element or attribute name. The string is prefixed with cmbase64- to indicate to the VCM inserter that the data will need to be decoded prior to loading it into the VCM database. The end result is that rather than containing invalid data like this:

12:32:00, 5/26/2010

</Next Run Time>

The XML will contain this:

<cmbase64-TgBlAHgAdAAgAFIAdQBuACAAVABpAG0AZQA->

12:32:00, 5/26/2010

</cmbase64-TgBlAHgAdAAgAFIAdQBuACAAVABpAG0AZQA->

The second problem is that the <schtasks> command does not include any unique and repeatable identifier for specific task entries. For example, many test systems observed had more than one task with the name: GoogleUpdateTaskMachineCore. Unique element names are a requirement for valid VCM XML, and repeatable identifiers are desirable to prevent false indications of changes at the VCM Collector. For example, if the script was to arbitrarily label rows as Task1, Task2, …, and Task1 was deleted, Task2 would then become Task1, and VCM would show a lot of changed details for Task1 (command line changed, next run time changed, etc), when in fact, that task had not changed at all – it had only changed places in the sequence.

One way to handle creation of unique and repeatable names for elements is to create a name based on a hash of the data contained in the row. That is useful for data that has no name-type attribute at all. In this case, however, there is a task name, but it is not guaranteed to be unique. Since the task name is userfriendly and useful, it is desirable to try to preserve and use it through the collection script. To preserve it, the task name is used as the element name for task rows, but the “increment” option is selected for duplicate handling when creating a collection filter based on this script. This action allows the collection process to add an incremental entry to a list of multiple entries with the same task name: the first example of GoogleUpdateTaskMachineCore, while the second example will be relabeled as GoogleUpdateTaskMachineCore_1.

VMware, Inc. 79

Page 80

vCenter Configuration Manager Installation and Getting Started Guide

It is still possible that reordering the list among tasks that have the same name, will cause “extra” changes to be reported, but regardless of these changes, it is reasonable to have VCMdisplay the friendly task names in the user interface. Because task names also can contain characters that would not be valid for XML element names, the task names, as with the column names, are encoded using the ToCMBase64String function.

Troubleshooting Custom PowerShell Filter Scripts

You can interactively test a custom PowerShell script using the following procedures.

Procedu re

Verify the script runs correctly within a PowerShell shell.

1. Start PowerShell from the command line on a VCM-managed machine.

2. Paste the inspection script into the PowerShell shell window.

3. Depending on the last character, it may require one extra hit of the Enter key to start the script

4. The script should run to completion without throwing any errors (red text in the command line based powershell.exe environment).

5. Once completed, the script should return a set of XML, without any formatting white space (no CR LF at the end of elements, nodes, or attributes).

6. When this test is successful, run the script from a file.

Procedu re

After you have verified the script runs correctly within PowerShell, run the script from a file:

1. Save the script to a .ps1 file.

2. From a command line run the script directly:

For PowerShell 2.0, execute: PowerShell –command set-executionpolicy RemoteSigned – scope Process ; scriptname.ps1 > resultfile.xml

For PowerShell 1.0 (with the execution policy already set to Remote Signed or less restrictive), execute: PowerShell –file scriptname.ps1 > resultfile.xml

When the script is complete, the XML result file should be created.

3. Verify that the XML file in question can be opened in Internet Explorer (you may have to allow blocked content in order to see the entire file). If the XML file cannot be parsed by Internet Explorer, the formatting errors in the XML from the script will need to be corrected before the script can be used as a collection filter script. Visual Studio can be a useful tool for finding formatting errors in larger XML files.

For details the job status reporting for WCI, see Getting Started Collecting Windows Custom Information.

Discover, License, and Install UNIX/Linux Machines

The following steps must be performed before collecting data from UNIX/Linux machines:

1. Add UNIX/Linux machines.

2. License your UNIX/Linux machines.

3. Install the VCM Agent on your UNIX/Linux machines.

4. Perform an initial UNIX/Linux collection.

5. Explore the UNIX/Linux collection results.

80 VMware, Inc.

Page 81

Getting Started with VCM

These steps are explained in the following subsections.

Adding UNIX/Linux Machines

Before you can collect data from your UNIX/Linux machines, they must be displayed in the Available UNIX Machines list located in the Portal under Administration | Machines Manager | Available

Machines.

NOTE A Discovered Machines Import Tool (DMIT) is available from VMware Customer Support to assist

1. Click Administration | Machines Manager | Available Machines | Available UNIX Machines.

2. Click Add Machines. The Add Machines page appears.

3. Select Basic, and then click Next. The Manually Add Machines - Basic page appears.

VMware, Inc. 81

Page 82

vCenter Configuration Manager Installation and Getting Started Guide

NOTE When you expand your UNIX/Linux collections to a broader set of machines, you may want to use other methods to add your UNIX/Linux machines. Refer to the online Help for the advanced features such as importing from a file or using IP Discovery.

4. Enter the Machine and the Domain, and then select DNS for Type. For Machine Type, select the appropriate operating system. Modify the port number if you are not using the default.

NOTE The port number specified must be the same number used when the Agent is installed on the managed UNIX/Linux machine.

5. Click Add to add the entry to the list.

6. Repeat for any other machines.

7. Click Next and accept the changes.

NOTE If your Collector cannot resolve a host name with a DNS Server, be sure to use an IP address in place of a Machine name for your machines as you enter them.

Licensing UNIX/Linux Machines

When the UNIX/Linux machines are displayed in your Available UNIX Machines list, you may begin licensing these machines.

Upgrading Red Hat Workstations

If you are unable to identify your now unmanaged Red Hat machines, contact VMware Customer Support.

Use the following procedure to license your UNIX/Linux machines.

1. Click Administration | Machines Manager | Available Machines | Available UNIX Machines.

NOTE Remember, discovered machines with an indeterminate Machine Type will not be licensed if they are included in your selection.

2. Select the machine(s) you want to license. To select multiple machines, use Shift-click or Ctrl-click.

3. Click License. The Machines page appears.

4. The machines that you specified appear in the Selected area. Add or remove machines from the list as needed.

82 VMware, Inc.

Page 83

Getting Started with VCM

5. Click Next. The Product License Details page appears.

6. The licensed machine count has increased by the number of machines that you have selected to license.

7. Click Next. The Important page appears.

8. Review the information.

9. Click Finish.

Installing the Agent on UNIX/Linux Machines

Before collecting data from your UNIX/Linux machines, you must install the VCM Agent on each licensed UNIX/Linux machine. For information about upgrading existing Agents, see the online Help.

IMPORTANT The Collector should be installed before the Agents are installed. The configuration parameter CSI_USER assigns the account used to run the Agent daemon or service. If the parameter is changed, the user account must not have a valid login shell. You must be logged in to a target UNIX/Linux machine as root.

NOTE If you have copied your custom configuration file from a previous installation, follow the optional step provided in this procedure. If you are using a custom configuration file, perform the installation in Silent Mode.

Installing the Agent on UNIX/Linux machines is a manual operation.

NOTE A Deployment Tool is available from Customer Support to assist you with the following process for UNIX/Linux. To use the tool, contact support; otherwise, follow the steps in the following process.

IMPORTANT To install the UNIX Agent on SUSE and Red Hat machines, you may need to disable or reconfigure firewalls.

Platforms Not Supported for Upgrade to 5.3 Agent

Platform Supp orted Ag ent Version Agent F ile Name

AIX 4.3.3 5.1.3 CMAgent.5.1.0.AIX.4

Red Hat 2.1 5.1.3 CMAgent.5.1.0.Linux.2.1

Solaris 2.5 5.1.3 Contact VMware Customer Support if you are

installing or upgrading the Agent on this platform.

Solaris 2.6 5.2.1 Contact VMware Customer Support if you are

installing or upgrading the Agent on this platform.

Use the following steps to install the Agent.

VMware, Inc. 83

Page 84

vCenter Configuration Manager Installation and Getting Started Guide

1. Verify that the machine on which you intend to install the agent has enough free disk space. For more information, see the VCM Hardware and Software Requirements Guide.

2. When VCM is installed on the VCM Collector machine, the necessary Agent packages are created in the following locations:

\Program Files (x86)\VMware\VCM\Installer\Packages

or \Program Files\VMware\VCM\Installer\Packages.

The following agent binaries are available in these locations for the associated operating systems:

Operating SystemVersion Agen t Binary

Red Hat (Enterprise) Linux Edition (Version 2.1)

Red Hat (Enterprise) Linux Edition (Version 3.0, 4.0,

5.0, 5.1, 5.2, 5.3) SUSE Linux Enterprise Server (9, 10), Debian (4)

Solaris (Versions 8, 9, and 10 supported on Sparc)

Solaris (Version 10 for x86)

HP-UX 11i Versions 1.0, 2.0, 3.0 (11.11, 11.23, and

11.31; Supported on PA-RISC)

HP-UX 11i Version 2.0, 3.0 (11.23 and 11.31Supported on Itanium)

AIX Version 4.3.3

AIX Version 5L (5.1, 5.2, 5.3, and 6L (6.1))

CMAgent.<version>.Linux.2.1

CMAgent.<version>.Linux

CMAgent.<version>.SunOS

CMAgent.<version>.SunOS.x86.5.10

CMAgent.<version>.HP-UX.11.pa

CMAgent.<version>.HPUX.11.ia64

CMAgent.<version>.AIX.4

CMAgent.<version>.AIX.5

3. Copy the installation package to the machine on which you want to install the agent. You can use ftp, sftp, or cp using an NFS share.

NOTE If you use ftp to copy the package to your machine, be sure to use binary mode.

4. Use chmod u+x <filename> to change the permissions on the agent binary file.

5. In the directory where you copied the file, execute the agent binary package to create the necessary directory structure and extract the files. The command and output will look similar to the following example, with differing file names depending on the operating system:

# ./CMAgent.<version>.SunOS

UnZipSFX 5.51 of 22 May 2004, by Info-ZIP (http://www.info-zip.org).

creating: CSIInstall/

creating: CSIInstall/packages/

inflating: CSIInstall/packages/Agent.1.0.SunOS

inflating: CSIInstall/packages/CFC.1.0.SunOS

inflating: CSIInstall/packages/ECMu.1.0.SunOS

inflating: CSIInstall/packages/ThirdParty.1.0.SunOS

inflating: CSIInstall/packages/cis.1.0.SunOS

extracting: CSIInstall/packages/package.sizes.SunOS

inflating: CSIInstall/packages/python.23.SunOS

creating: CSIInstall/scripts/

inflating: CSIInstall/scripts/checksum

inflating: CSIInstall/scripts/BootStrapInstall.sh

inflating: CSIInstall/scripts/AltSource_filesystem.sh

84 VMware, Inc.

Page 85

Getting Started with VCM

inflating: CSIInstall/scripts/AltSource_ftp.sh

inflating: CSIInstall/scripts/AltSource_rcp.sh

inflating: CSIInstall/scripts/AltSource_sftp.sh

inflating: CSIInstall/scripts/AltSource_wget.sh

extracting: CSIInstall/scripts/AltSourceCmd

inflating: CSIInstall/InstallCMAgent

inflating: CSIInstall/csi.config

inflating: CSIInstall/CMAgent.<version.OS>

creating: CSIInstall/.security/certificates/

inflating:CSIInstall/.security/certificates/<EnterpriseCertificate>

NOTE To force an overwrite of any existing files, include the -o option when executing the package. For example: /CMAgent.<version>.SunOS -o.

6. Change the directory to the location where the InstallCMAgent executable file was extracted. For example:

# cd <extractedpath>/CSIInstall

7. Use the ls -la command to validate that the following files are in this directory:

InstallCMAgent: The installation script.

csi.config: The configuration file for the installation, where you can modify the installation options.

packages: Contains the installation packages.

scripts: Contains the scripts needed for the install.

8. To customize the settings for the installation variables, modify the installation configuration file, csi.config, and then save your changes. If this file has only read permissions set, you will need to give the file write permissions with the chmod u+x csi.config command. See the following installation options for details.

Installation Options with Default Values

Description

CSI_AGENT_RUN_OPTION The Agent can be installed as a daemon process or installed to be run by

inetd/xinetd/launchd.

• A value of inetd will install the Agent for execution by inetd/xinetd/launchd.

• A value of daemon will install the agent for execution as a daemon process.

CSI_NO_LOGIN_SHELL= +S:+A:+/sbin/noshell+/bin/false+ /sbin/false+/usr/bin/false

The CSI_USER account must not have a login shell. This parameter lists all valid no-login shells and is used to verify the CSI_USER has no-login shell.

+/sbin/nologin

If your system has a valid no login shell that is not listed, then append a plus sign and add the no login shell to the list.

The following describes the options available for this parameter:

• +S means only for Solaris

• +A means only for AIX

• +H means only for HP-UX

• +L means only for Linux

• +D means only for Darwin (Mac OS X)

• + means for all OS

VMware, Inc. 85

Page 86

vCenter Configuration Manager Installation and Getting Started Guide

Installation Options with Default Values

CSI_CREATE_USER=Y Recommend keeping default value.

CSI_USER_ID=501 Recommend keeping default value.

CSI_USER_NO_LOGIN_ SHELL=/bin/false Recommend keeping default value.

CSI_USER_PRIMARY_ GROUP=csi_acct Recommend keeping default value.

CSI_CREATE_USER_ PRIMARY_GROUP=Y Recommend keeping default value.

CSI_USER_PRIMARY_GID=501 Recommend keeping default value.

CSI_USER_USE_NEXT_ AVAILABLE_LOCAL_GID=Y Recommend keeping default value.

CSI_USER=csi_acct Recommend keeping default value.

CSI_CFGSOFT_GID=500 Recommend keeping default value.

CSI_CREATE_LOCAL_ GROUP=Y Recommend keeping default value.

Description

The user is being created. This value indicates whether or not the user is to be created. Note:When installing in trusted mode on HP-UX v1.0 (11.11), the user must already existon the target machine. If you attempt to install and create the user, the installation of the Agent fails.

This value is the integer value for the user ID of the created user.

Indicates the desired no-login shell value to use when creating the user.

Group name to use when creating a new user as the user’s primary group. This group is for low security access. Most inspections are executed with the lowest possible privileges using this group while also preventing access by way of this group to the high security group privileges.

This value indicates the need to create a low-security primary group for the CSI_USER.

Create user’s primary Group ID.

Setting this option to Y will allow the Group ID to be the next available local Group ID over CSI_USER_PRIMARY_GID.

The user assigned to the cfgsoft group. The CSI listener process runs under this user.

The Group ID of the cfgsoft group. This value can change if the GID is already in use. This group is for high-security access. Some inspections require root privileges, which are provided indirectly through this group and setuid to root.

Setting this option to Y allows the cfgsoft group to be created. This setting allows the system call to groupadd.

86 VMware, Inc.

Page 87

Getting Started with VCM

Installation Options with Default Values

CSI_USE_NEXT_AVAILABLE_ LOCAL_GID=Y Recommend

Description

Setting this option to Y will allow this Group ID to be the next available local Group ID starting at CSI_CFGSOFT_GID.

keeping default value.

CSI_AGENT_PORT=26542

This option specifies the port that the CM Agent will be listening on. Recommend keeping default value.

CSI_CREATE_LOCAL_ SERVICE=Y Recommend

Setting CSI_CREATE_LOCAL_SERVICE to Y allows the system to create

the local service (copy files to system directories). keeping default value.

CSI_REFRESH_INETD=Y Keep default value only if you

Setting this option to allows the system to refresh xinetd (Linux) or inetd

(Solaris, AIX, and HP-UX). are running your agent as inetd.

If you are running your agent as a daemon, select CSI_ REFRESH_INETD=N

CSI_NICE=10 Recommend

This option sets the nice value for the agent listener process.

keeping default value.

CSI_CERTIFICATE_PATH= This option specifies the path to Collector Certificates. The certificates

specified at this path are copied to the Agent. If your Collector Certificates are stored in an accessible location on this machine, you can use this option to have the certificates put in the Agent location (VMware encourages you to install the Enterprise Certificates so that multiple Collectors collecting from the same set of Agents can be supported). If this package was copied from a collector installation, this package already contains that Collector’s Enterprise Certificate.

CSI_PARENT_ DIRECTORY=/opt

CSI_PARENT_DATA_ DIRECTORY=/opt

This option specifies the parent directory of the CM Agent. The root directory of CMAgent will be CSI_PARENT_DIRECTORY/CMAgent.

This option specifies the parent directory of the CMAgent data directory. The data directory will be CSI_PARENT_DATA_DIRECTORY/ CMAgent/data

CSI_PARENT_LOG_ DIRECTORY=default

This option specifies where agent operational log files are kept. The log directory is CSI_PARENT_LOG_DIRECTORY/CMAgent/log. The default value indicates to use the following:

• Linux - /var/log

• AIX, HP-UX, and Solaris - /var/adm

• Mac OS X- log ->private/var/log/CMAgent/log

CSI_KEEP_CSIINSTALL=N Recommend keeping default

After a successful installation, the temp installation directory CSIInstall is deleted. To keep this installation directory, set this parameter to Y.

value.

9. If you modified and saved the csi.config installation file, copy the saved csi.config to the extracted

location. For example:

# cp /<safelocation>/csi.config /<extractedlocation>/CSIInstall/csi.config

10. Change the directory to the location where the InstallCMAgent executable file was extracted. For example:

# cd <extractedpath>/CSIInstall

11. Execute InstallCMAgent in either silent mode or interactive mode, as described in the following options.

VMware, Inc. 87

Page 88

vCenter Configuration Manager Installation and Getting Started Guide

NOTE If you are using the custom configuration file, csi.config, proceed with the installation in Silent Mode.

Silent Mode:

If you execute InstallCMAgent in silent mode, the installation proceeds silently. It uses the values specified in csi.config without prompting for input. To run the installation in silent mode, enter:

# ./CSIInstall/InstallCMAgent -s

You might use this method if you have manually edited the csi.config file, if you have modified the csi.config file using the interactive method, or if you are using a custom configuration file that you saved from a previous agent installation.

When the silent installation completes, a summary of the installation process and status is displayed. Make sure the installation completed without errors.

You can check the installation status at anytime by viewing the installation log file at <CSI_ PARENT_DIRECTORY>/log/install.log.

Interactive Mode:

If you execute the installation with no options, it runs in an interactive mode, prompting you to accept or change each parameter in the csi.config file.

NOTE When you use interactive mode, the csi.config file is modified.

To run the installation in interactive mode, enter:

# ./CSIInstall/InstallCMAgent

During the pre-installation stage of interactive mode, the check for a valid user (CSI_USER) is performed. If the user already exists (either the Administrator has manually added the account or is selecting an existing one), the following configuration values will not be requested (the questions will be skipped) by the installer:

CSI_USER_NO_LOGIN_SHELL

CSI_USER_PRIMARY_GROUP

CSI_USER_PRIMARY_GID

CSI_USER_USE_NEXT_AVAILABLE_LOCAL_GID

These prompts will be requested only when the CSI_USER user account is not found.

When the silent installation completes, a summary of the installation process and status is displayed. Make sure the installation completed without errors.

You can check the installation status at anytime by viewing the installation log file at <CSI_ PARENT_DIRECTORY>/log/install.log.

NOTE If you selected inetd for CSI_AGENT_RUN_OPTION and xinetd (Linux only) is not running, the following error message will be displayed: SYSTEM_WARNING: xinetd is not running - the agent will be disabled until it is started. If this message appears, you must either start xinetd, or install the Agent as a daemon.

88 VMware, Inc.

Page 89

Getting Started with VCM

12. In addition to creating the necessary user and groups, and configuring the machine to run the Agent, the installation also creates a new directory in the <CSI_PARENT_DIRECTORY> named CMAgent (unless this directory was changed in the configuration). This directory contains the following files and subdirectories:

# ls –la /CSI_PARENT_DIRECTORY/CMAgent

drwxr-x--- 3 root cfgsoft 4096 Jul 2 17:34 Agent

drwxr-x--- 3 root cfgsoft 4096 Jul 2 17:34 CFC

-rw-rw---- 1 root cfgsoft 49993 Jul 2 17:34 CSIRegistry

-rw-rw---- 1 root cfgsoft 0 Jul 2 17:34 .CSIRegistry.lck

drwxrwx--- 3 csi_acct cfgsoft 4096 Jul 2 17:34 data

drwxrwx--- 3 root cfgsoft 4096 Jul 2 17:34 ECMu

drwxr-x--- 6 root cfgsoft 4096 Jul 2 17:34 install

lrwxrwxrwx 1 root root 20 Jul 2 17:34 log -> /var/log/CMAgent/log

dr-xr-x--x 3 root cfgsoft 4096 Jul 2 17:34 ThirdParty

drwxr-xr-x 2 root root 4096 Jul 2 17:34 uninstall

13. To verify the Agent was installed correctly and is listening on the port and ready to collect data, execute the following command:

# netstat -na | grep <port_number>

Where the default <port_number> is typically 26542 for VCM installations.

14. For SUSE machines, after the installation completes, you may need to start xinetd using the command:

# ./etc/init.d/xinetd start

After you have installed the Agent on the UNIX/Linux machines, you are now ready to start collecting data from them. To do this, see "Performing a UNIX/Linux Collection". After selecting UNIX/Linux machines, note that UNIX/Linux data classes are available for collection.

Updates to UNIXPatch Assessment Content Affects UNIX Agent Performance

By default, VCM Patching checks for patch updates every 4 hours. The time required to perform this action depends on the amount of new content downloaded to the Collector during the update process.

When the UNIX patch assessment content is pushed out to the UNIX agents, the time required to execute jobs such as collections and remote commands will increase slightly. The time required will vary based on how much new or updated content needs to by synchronized between the Collector and the agent. This content push will happen when the first communication is initiated after installing the UNIX agent package, or when there is new patch content on the Collector that is applicable to the UNIX agent platform since the last agent/collector communication occurred.

Manually Uninstalling the UNIX/Linux Agent

Every installation generates an uninstall script, UninstallCMAgent, located at:

<path>/CMAgent/uninstall

Consider these points when uninstalling an Agent:

VMware, Inc. 89

Page 90

vCenter Configuration Manager Installation and Getting Started Guide

The uninstall reverses all changes made by installation, however the installation log files are retained in <AgentRoot>/install. <AgentRoot> defaults to the CMAgent directory that was created during installation. Refer to "Locating the Agent Directory" if necessary.

After executing UninstallCMAgent, VMware recommends that you delete the remaining the CMAgent directory prior to running a new installation.

To uninstall the Agent, use the steps in the following procedure. If you want to use a custom configuration file, follow the optional step below before uninstalling the Agent.

1. (Optional) Copy csi.config, the file that contains all of the custom configuration settings, to a safe location. (This file can be found in <path>/CMAgent/install.)

2. Navigate up one level from the uninstall directory in the CMAgent directory.

3. Run the uninstall script using the following command:

# ./uninstall/UninstallCMAgent

NOTE Consider these points when uninstalling an Agent:

• The uninstall reverses all changes made by installation, however the installation log files are retained in <AgentRoot>/install. <AgentRoot> defaults to the CMAgent directory that was created during installation. Refer to "Locating the Agent Directory" later in this document if necessary.

• After executing UninstallCMAgent, VMware recommends that you delete the remaining the CMAgent directory prior to running a new installation.

Performing a UNIX/Linux Collection

After the UNIX/Linux machines are added and licensed in VCM, and installed with the VCM Agent, you can perform a collection on those machines. The process for performing a UNIX/Linux collection is similar to other collections, including Windows, except that you select UNIX data types during your collection instead of Windows data types.

1. Click Collect, located on the Portal toolbar.

2. The Collection Type wizard page appears. Select Machine Data, and then click OK. The Machines page appears.

90 VMware, Inc.

Page 91

Getting Started with VCM

NOTE UNIX Patch Assessment is automatically licensed and enabled if you have licensed your UNIX/Linux Agent machines. If you are upgrading from a previous version of VCM, you will need a new license file to access this functionality.

In order to view Patch Assessment data, click Select a Collection Filter Set to apply to these machines instead of the default collection options, and then select the UNIX Patch Assessment filter set. For more information, see the "UNIX Patch Assessment" Help topic.

4. The Data Types dialog box appears. Select the Select All check box, then confirm that the Use default filters option button is also selected. Click Next.

5. For initial collections, there should be no conflicts with previously scheduled or running jobs containing the same data types. Click Finish.

6. Verify that your collection job has completed before proceeding to the next step. To do so, click the

Jobs button at the top of the Portal window to access the Jobs Summary.

Exploring UNIX/Linux Collection Results

Now that you have performed an initial UNIX/Linux collection, you can explore that data in the Portal.

Dashboards

Each Dashboard is run only when the node is selected against the current data available in the CMDB for the machines in the active machine group. Therefore, Dashboard data is only current as of the time it was collected. In addition, it may take time for the data to display based on the volume or complexity of the data requested.

Begin by looking at the UNIX Operating System Dashboard under Console | Dashboards | UNIX | Operating Systems.

VMware, Inc. 91

Page 92

vCenter Configuration Manager Installation and Getting Started Guide

Note that several other UNIX Dashboards are also available. Take time to familiarize yourself with the remainder of the UNIX Dashboards. UNIX Collection Results are also available to you in a more “raw” format as well. This level of reporting is more relevant for day-to-day operations, troubleshooting, and analysis, and can be viewed in a Summary report or data grid format.

Look at your UNIX Operating System information by clicking the UNIX tab in the Console. Then, click Operating System | Machines | General.

92 VMware, Inc.

Page 93

Getting Started with VCM

When you select the node, you see a Summary Report as displayed above of the data type that you selected. Click View data grid to go directly to the data grid, or click an area of the Summary Report to filter the data before the data grid appears.

Several other categories (called “data classes”) of information regarding your UNIX/Linux Collection are available under the UNIX tab.

The UNIXtab is where the remainder of your collected UNIX/Linux data is visible through the Portal.

Reports

An alternate way to view your collected UNIX/Linux data is by running VCM Reports or creating your own custom reports using VCM ’s reporting wizard. To begin exploring the reporting functionality, go to the Reports slider, then click Machine Group Reports | UNIX.

VMware, Inc. 93

Page 94

vCenter Configuration Manager Installation and Getting Started Guide

Like Dashboards, Reports are run real time against the current data available in the CMDB for the machines in the active machine group, and therefore they are only as current as the time of the last collection. In addition, it may require time for the report to generate based on the volume or complexity of the data requested. Refer to the online Help for more information on how to schedule and disseminate reports.

Compliance

You may now begin to check Compliance values for your collected data. To run a Compliance check, select the Compliance slider, then follow the steps described in the online Help to create rule groups, rules, filters, and templates.

Discover, License, and Install Mac OS X Machines

Getting Started with VCM for Mac OS X

The following steps must be performed before collecting data from Mac OS X machines:

1. Add Mac OS X machines.

2. License your Mac OS X machines.

3. Install the VCM Agent on your Mac OS X machines.

4. Perform an initial Mac OS X collection.

5. Explore the Mac OS X collection results.

These steps are explained in the following subsections.

Mac OS X machines are managed in conjunction with UNIX machines.

Adding Mac OS X Machines

Before you can collect data from your Mac OS X machines, they must be displayed in the Available UNIX Machines list located in the Portal under Administration | Machines Manager | Available Machines.

NOTE A Discovered Machines Import Tool (DMIT) is available from VMware Customer Support to assist you with the following process. This tool imports machines discovered by the Network Mapper (Nmap) into the configuration database. To use the tool, contact VMware Customer Support; otherwise, use the following process.

1. Click Administration | Machines Manager | Available Machines | Available UNIX Machines.

94 VMware, Inc.

Page 95

2. Click Add Machines. The Add Machines page appears.

Getting Started with VCM

3. Select Basic, and then click Next. The Manually Add Machines - Basic page appears.

NOTE When you expand your Mac OS X collections to a broader set of machines, you may want to use other methods to add your Mac OS X machines. Refer to the online Help for the advanced features such as importing from a file or using IP Discovery.

VMware, Inc. 95

Page 96

vCenter Configuration Manager Installation and Getting Started Guide

4. Enter the Machine and the Domain, and then select DNS for Type. For Machine Type, select the appropriate operating system. Modify the port number if you are not using the default.

NOTE The port number specified must be the same number used when the Agent is installed on the managed Mac OS X machine.

5. Click Add to add the entry to the list.

6. Repeat for any other machines.

7. Click Next and accept the changes.

NOTE If your Collector cannot resolve a host name with a DNS Server, be sure to use an IP address in place of a Machine name for your machines as you enter them.

Licensing Mac OS X Machines

When the Mac OS X machines are displayed in your Available UNIX Machines list, you may begin licensing these machines.

Use the following procedure to license your Mac OS X machines.

1. Click Administration | Machines Manager | Available Machines | Available UNIX Machines.

NOTE Remember, discovered machines with an indeterminate Machine Type will not be licensed if they are included in your selection.

2. Select the machine(s) you want to license. To select multiple machines, use Shift-click or Ctrl-click.

3. Click License. The Machines page appears.

4. The machines that you specified appear in the Selected area. Add or remove machines from the list as needed.

96 VMware, Inc.

Page 97

Getting Started with VCM

5. Click Next. The Product License Details page appears.

6. The licensed machine count has increased by the number of machines that you have selected to license.

7. Click Next. The Important page appears.

8. Review the information.

9. Click Finish.

Installing the Agent on Mac OS X Machines

Before collecting data from your Mac OS X machines, you must install the VCM Agent on each licensed Mac OS X machine.

Installing the Agent on Mac OS X machines is a manual operation. The Agent is packaged as a Universal Binary Installer.

Use the following steps to install the Agent.

1. Verify that the machine on which you intend to install the agent has enough free disk space. For more information, see the VCM Hardware and Software Requirements Guide.

2. When VCM is installed on the VCM Collector machine, the necessary Agent packages are created in the following locations:

\Program Files (x86)\VMware\VCM\Installer\Packages

or \Program Files\VMware\VCM\Installer\Packages.

The following agent binaries are available in these locations for the associated operating systems:

Operating SystemVersion Agen t Binary

Mac OS X (Version 10.4 and 10.5)

CMAgent.<version>.Darwin

3. Copy the installation package to the machine on which you want to install the agent. You can use ftp, sftp, or cp using an NFS share.

NOTE If you use ftp to copy the package to your machine, be sure to use binary mode.

VMware, Inc. 97

Page 98

vCenter Configuration Manager Installation and Getting Started Guide

4. Use chmod u+x <filename> to change the permissions on the agent binary file.

# ./CMAgent.<version>.Darwin

UnZipSFX 5.51 of 22 May 2004, by Info-ZIP (http://www.info-zip.org).

creating: CSIInstall/

inflating: CSIInstall/CMAgent.5.1.0.Darwin.i386

inflating: CSIInstall/CMAgent.5.1.0.Darwin.ppc

inflating: CSIInstall/csi.config

inflating: CSIInstall/InstallCMAgent

NOTE To force an overwrite of any existing files, include the -o option when executing the package. For example: /CMAgent.<version>.Darwin -o.

6. Change the directory to the location where the InstallCMAgent executable file was extracted. For example:

# cd <extractedpath>/CSIInstall

7. Use the ls -la command to validate that the following files are in this directory:

InstallCMAgent: The installation script.

csi.config: The configuration file for the installation, where you can modify the installation options.

packages: Contains the installation packages.

scripts: Contains the scripts needed for the install.

Installation Options with Default Values

Description

CSI_AGENT_RUN_OPTION The Agent can be installed as a daemon process or installed to be run by

inetd/xinetd/launchd.

• A value of inetd will install the Agent for execution by inetd/xinetd/launchd.

• A value of daemon will install the agent for execution as a daemon process.

CSI_NO_LOGIN_SHELL= +S:+A:+/sbin/noshell+/bin/false+ /sbin/false+/usr/bin/false

The CSI_USER account must not have a login shell. This parameter lists all valid no-login shells and is used to verify the CSI_USER has no-login shell.

+/sbin/nologin

If your system has a valid no login shell that is not listed, then append a plus sign and add the no login shell to the list.

The following describes the option available for this parameter:

• +S means only for Solaris

• +A means only for AIX

98 VMware, Inc.

Page 99

Getting Started with VCM

Installation Options with Default Values

CSI_CREATE_USER=Y Recommend keeping default value.

CSI_USER_ID=501 Recommend keeping default value.

CSI_USER_NO_LOGIN_ SHELL=/bin/false Recommend keeping default value.

CSI_USER_PRIMARY_ GROUP=csi_acct Recommend keeping default value.

CSI_CREATE_USER_ PRIMARY_GROUP=Y Recommend keeping default value.

CSI_USER_PRIMARY_GID=501 Recommend keeping default value.

CSI_USER_USE_NEXT_ AVAILABLE_LOCAL_GID=Y Recommend keeping default value.

CSI_USER=csi_acct Recommend keeping default value.

CSI_CFGSOFT_GID=500 Recommend keeping default value.

CSI_CREATE_LOCAL_ GROUP=Y Recommend keeping default value.

Description

• +H means only for HP-UX

• +L means only for Linux

• +D means only for Darwin (Mac OS X)

• + means for all OS

The user is being created. This value indicates whether or not the user is to be created.

This value is the integer value for the user ID of the created user.

Indicates the desired no-login shell value to use when creating the user.

This value indicates the need to create a low-security primary group for the CSI_USER.

Create user’s primary Group ID.

Setting this option to Y will allow the Group ID to be the next available local Group ID over CSI_USER_PRIMARY_GID.

The user assigned to the cfgsoft group. The CSI listener process runs under this user.

Setting this option to Y allows the cfgsoft group to be created. This setting allows the system call to groupadd.

VMware, Inc. 99

Page 100

vCenter Configuration Manager Installation and Getting Started Guide

Installation Options with Default Values

CSI_USE_NEXT_AVAILABLE_ LOCAL_GID=Y Recommend

Description

Setting this option to Y will allow this Group ID to be the next available local Group ID starting at CSI_CFGSOFT_GID.

keeping default value.

CSI_AGENT_PORT=26542

This option specifies the port that the CM Agent will be listening on. Recommend keeping default value.

CSI_CREATE_LOCAL_ SERVICE=Y Recommend

Setting CSI_CREATE_LOCAL_SERVICE to Y allows the system to create

the local service (copy files to system directories). keeping default value.

CSI_REFRESH_INETD=Y Keep default value only if you

Setting this option to allows the system to refresh xinetd (Linux) or inetd

(Solaris, AIX, and HP-UX). This option does not apply to Mac OS X. are running your agent as inetd.

If you are running your agent as a daemon, select CSI_ REFRESH_INETD=N

CSI_NICE=10 Recommend

This option sets the nice value for the agent listener process.

keeping default value.

CSI_CERTIFICATE_PATH= This option specifies the path to Collector Certificates. The certificates

CSI_PARENT_ DIRECTORY=/opt

CSI_PARENT_DATA_ DIRECTORY=/opt

This option specifies the parent directory of the CM Agent. The root directory of CMAgent will be CSI_PARENT_DIRECTORY/CMAgent.

This option specifies the parent directory of the CMAgent data directory. The data directory will be CSI_PARENT_DATA_DIRECTORY/ CMAgent/data

CSI_PARENT_LOG_ DIRECTORY=default

This option specifies where agent operational log files are kept. The log directory is CSI_PARENT_LOG_DIRECTORY/CMAgent/log. The default value indicates to use the following:

• Linux - /var/log

• AIX, HP-UX, and Solaris - /var/adm

• Mac OS X- log ->private/var/log/CMAgent/log

CSI_KEEP_CSIINSTALL=N Recommend keeping default

After a successful installation, the temp installation directory CSIInstall is deleted. To keep this installation directory, set this parameter to Y.

value.

9. If you modified and saved the csi.config installation file, copy the saved csi.config to the extracted

location. For example:

# cp /<safelocation>/csi.config /<extractedlocation>/CSIInstall/csi.config

10. Change the directory to the location where the InstallCMAgent executable file was extracted. For example:

# cd <extractedpath>/CSIInstall

11. Execute InstallCMAgent in either silent mode or interactive mode, as described in the following options.

100 VMware, Inc.

VMware vCenter Configuration Manager - 5.3 Installation Manual

Specifications and Main Features

Frequently Asked Questions

User Manual

About This Book

Preparing for Installation

Using Installation Manager

Understanding Installation Configurations

Understanding Tools Installation

Checking Prerequisites for Installation

Hardware and Software Requirements

Administration Rights

Default Network Authority Account

Default Collector Services Account

VMware Application Services Account

VCM Remote Virtual Directory

Secure Communications Certificates

Server Authentication

Understanding VCM's Use of FIPS Cryptography

Cryptography for UNIX/Linux Platforms

Cryptography used in VCM Software Components

Supported Windows and UNIX Platforms

Installing VCM Using Installation Manager

Using the Installation Manager

Navigating VCM Installation Manager Screens

Installing VCM and the Related Components

Upgrading VCM and Related Components

Prerequisites

Backup and Recovery

Assumptions for Upgrading Your VCM Collector and Database

Upgrading to VCM 5.3

Upgrading the VCM Database Only

Upgrading VCM on a 32-Bit System

Upgrading to a 64-Bit System

Before Upgrading

Performing the Upgrade

Upgrading Existing Windows Agents

Upgrading Existing Remote Clients

Upgrading Existing UNIX Agents

To Upgrade the UNIX Agent(s) with a Local Package

To Upgrade the UNIX Agent(s) with a Remote Package

Upgrading VCM for Virtualization

Upgrading an Agent Proxy Machine

Upgrading the vSphere Client VCM Plug-in

Getting Started with VCM Components and Tools

Understanding User Access

Launching and Logging Onto VCM

How to Launch VCM and Log On

Getting Familiar with the Portal

General Information Bar

Portal Toolbar

Sliders

Where to Go Next

Getting Started with VCM

Discover, License, and Install Windows Machines

Verifying Available Domains

Checking the Network Authority

Assigning Network Authority Accounts

Discovering Windows Machines

Licensing Windows Machines

Installing the VCM Windows Agent on your Windows Machines

Performing an Initial Collection

Exploring Windows Collection Results

Getting Started Collecting Windows Custom Information

Getting Started with PowerShell Scripts

Discover, License, and Install UNIX/Linux Machines

Adding UNIX/Linux Machines

Licensing UNIX/Linux Machines

Installing the Agent on UNIX/Linux Machines

Performing a UNIX/Linux Collection

Exploring UNIX/Linux Collection Results

Discover, License, and Install Mac OS X Machines

Getting Started with VCM for Mac OS X

Adding Mac OS X Machines

Licensing Mac OS X Machines

Installing the Agent on Mac OS X Machines