VMware vCenter Configuration Manager - 5.4 Installation Manual

VMware vCenter Configuration Manager Installation

and Getting Started Guide

vCenter Configuration Manager 5.4

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see

http://www.vmware.com/support/pubs.

EN-000485-01

vCenter Configuration Manager Installation and Getting Started Guide

You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@vmware.com

http://www.vmware.com/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

Contents

Updated Information 9

About This Book 11

Preparing for Installation 13

Use Installation Manager 14 Understand Installation Configurations 14 Understand Tools Installation 15 Check Prerequisites for Installation 15

Hardware and Software Requirements 15 Administration Rights 15 Default Network Authority Account 15 Collector Services Account 16 VMware Application Services Account 16 VCM Remote Virtual Directory 16 Secure Communications Certificates 16 Server Authentication 17

Understand Use of FIPS Cryptography by VCM 19

VCM Use of Microsoft Cryptographic Service Providers (CSPs) for Windows Machines 19 Cryptography for UNIX/Linux Platforms 19 Cryptography used in VCM Software Components 20 Supported Windows and UNIX Platforms 20

Installing VCM 21

Using Installation Manager 21

Installing and Configuring the OS Provisioning Server and Components 23

Installing the Operating System Provisioning Server 23

Best Practices 23 Install the OS Provisioning Server 23

Preparing Boot Images for Windows Provisioning 28

Create Windows Boot Image 28 Copy the VCM Certificate to the OS Provisioning Server for Linux Provisioning 29 Importing Distributions into the OS Provisioning Server Repository 29

Create Directories for Windows Distributions 29

Import Windows Distributions 30

Import Linux/ESX Distributions 31

basicimport Command Options 32 Configuring the OS Provisioning Server Integration with the VCM Collector 32

Configure Stunnel on the OS Provisioning Server 33

Configure Stunnel on the VCM Collector 34

Confirm Stunnel Configuration 36 Maintaining Operating System Provisioning Servers 37

Backup the OS Provisioning Repository 37

Restore the OS Provisioning Repository From Backup 38

Managing the OS Provisioning Server System Logs 43

Upgrading or Migrating vCenter Configuration Manager 45

VMware, Inc. 3

vCenter Configuration Manager Installation and Getting Started Guide

Upgrade and Migration Scenarios 45 Prerequisites 46 Back up Your Databases 47 Back up Your Files 47 Back up Your Certificates 47 Software Supported by the VCMCollector 47 Migration Process 48

Prerequisites 48

Foundation Checker Must Run Successfully 48

Use the SQLMigration Helper Tool 48

Migrate Only Your Database 48

Replace your existing 32-Bit Environment with the Supported 64-bit Environment 49

How to Recover Your Machine if the Migration is not Successful 49

Migrate a 32-bit environment running VCM 5.3 or earlier to VCM 5.4 50

Migrate a 64-bit environment running VCM 5.3 or earlier to VCM 5.4 51

Migrate a split installation of VCM 5.3 or earlier to a single-server installation 52

After You Migrate VCM 52 Upgrade Process 52

After You Upgrade VCM 53 Upgrading Existing Windows Agents 53 Upgrading Existing Remote Clients 54 Upgrading Existing UNIX Agents 54

To Upgrade the UNIX Agent(s) with a Local Package 55

To Upgrade the UNIX Agent(s) with a Remote Package 56 Upgrading VCM for Virtualization 56

Upgrading an Agent Proxy Machine 57

Upgrade the vSphere Client VCM Plug-In 59

Getting Started with VCM Components and Tools 61

Understanding User Access 61

Do Not Use the Collector as a Web Console 62 Starting and Logging Onto VCM 62

How to Start VCM and Log On 62 Getting Familiar with the Portal 63

General Information Bar 64

Portal Toolbar 64

Sliders 65 Where to Go Next 67

Getting Started with VCM 69

Discover, License, and Install Windows Machines 69

Verifying Available Domains 69

Checking the Network Authority 70

Assigning Network Authority Accounts 71

Discovering Windows Machines 72

Licensing Windows Machines 75

Installing the VCM Windows Agent on your Windows Machines 77

Performing an Initial Collection 83

Exploring Windows Collection Results 84

Getting Started Collecting Windows Custom Information 88 Discover, License, and Install UNIX/Linux Machines 97

Adding UNIX/Linux Machines 97

Licensing UNIX/Linux Machines 98

Installing the Agent on UNIX/Linux Machines 99

Performing a UNIX/Linux Collection 106

Exploring UNIX/Linux Collection Results 107 Discover, License, and Install Mac OS X Machines 110

4 VMware, Inc.

Contents

Getting Started with VCM for Mac OS X 110

Adding Mac OS X Machines 111

Licensing Mac OS X Machines 112

Installing the Agent on Mac OS X Machines 113

Performing a Mac OS X Collection 119

Exploring Mac OS X Collection Results 121 Discover, License, and Collect Oracle Data from UNIX Machines 123

Adding UNIX Machines Hosting Oracle and Installing the Agent 124

Discovering Oracle Instances 124

Creating the Oracle Collection User Account 125

Performing an Oracle Collection 129

Exploring Oracle Collection Results 129

Reference Information about Oracle 129 Customize VCM for your Environment 130 How to Set Up and Use VCM Auditing 131

Getting Started with VCM for Virtualization 133

Virtual Environments Configuration 133

ESX/ESXi Server Collections 134

vCenter Server Collections 135 Configuring vCenter Server Data Collections 135

vCenter Server Collection Upgrade Considerations 135

vCenter Server Collection Prerequisites 135

Collect vCenter Server Data 137

Reviewing Collected vCenter Server Data 137

Troubleshooting vCenter Server Data Collections 138 Configuring VM Host Collections 138

Configure the Collector as an Agent Proxy 138

License and Configure VMHosts 139

Copy Files to the ESX/ESXi Servers 141

Perform an Initial Virtualization Collection 142

Reviewing Virtualization Collection Results 143 Configuring the vSphere Client VCM Plug-In 143

Configuring the vSphere Client VCM Plug-In Integration Settings 144

Manage Machines from the vSphere Client 145

Upgrade the vSphere Client VCM Plug-In 145

Troubleshooting the vSphere Client VCM Plug-In Registration 146

Getting Started with VCM Remote 149

Getting Started with VCM Remote 149 Installing the VCM Remote Client 150

Installing the Remote Client manually 151 Making VCM Aware of VCM Remote Clients 158 Configuring VCM Remote Settings 158

Creating Custom Collection Filter Sets 158

Specifying Custom Filter Sets in the VCM Remote Settings 158 Performing a Collection Using VCM Remote 159 Exploring VCM Remote Collection Results 159

Getting Started with VCM Patching 161

VCM Patching for Windows and UNIX/Linux 161

VCM Patching for Windows 161

VCM Patching for UNIX/Linux 162

Minimum System Requirements 162

About UNIXPatch Assessment and Deployment 162

Getting Started with VCM Patching 165

VMware, Inc. 5

vCenter Configuration Manager Installation and Getting Started Guide

Running VCM Patching Reports 174

Customize Your Environment for VCM Patching 175

Getting Started with Operating System Provisioning 177

About OS Provisioning 177 OS Provisioning Components 177

Provision Machines Workflow 178 Collect OS Distributions 179 Discover Provisionable Machines 179 Provision Machines 180

Configure ESX and ESXi Machines 181

Change Agent Communication 182 Working with Provisioned Machines 182 Re-Provision Machines 182

Getting Started with Software Provisioning 185

Introduction to VCM Software Provisioning 185

Using Package Studio to Create Software Packages and Publish to Repositories 185

Software Repository for Windows 185

Package Manager for Windows 185

Installing the Software Provisioning Components 186

Install Software Repository for Windows 187

Install Package Studio 188

Install Package Manager on Managed Machines 190 Using Package Studio to Create Software Packages and Publish to Repositories 190

Creating Packages 191 Using VCM Software Provisioning for Windows 192

Prerequisites 192

Collect Package Manager Information from Machines 193

Collect Software Repository Data 193

Add Repository Sources to Package Managers 194

Install Packages 195 Related Software Provisioning Actions 196

Viewing Provisioning Jobs in the Job Manager 196

Creating Compliance Rules based on Provisioning Data 196

Creating Compliance Rules containing Provisioning Remediation Actions 197 Further Reading 199

186

Getting Started with VCM Management Extensions for Assets 201

Getting Started with VCM Management Extensions for Assets 201 Review Hardware and Software Configuration Item Fields 201

Modifying Hardware Configuration Item Fields 202

Modifying Software Configuration Item Fields 204 Adding Hardware Configuration Items 205

Editing Values for Devices 205

Modifying Other Devices 206 Adding Software Configuration Items 207 Further Reading 208

Getting Started with VCM Service Desk Integration 209

Getting Started with Service Desk Integration 209 Service Desk Integration in the Console 209 Service Desk Integration in Job Manager 210 Further Reading 211

Getting Started with VCM for Active Directory 213

6 VMware, Inc.

Contents

Making VCM Aware of Domain Controllers 213

Confirming the Presence of Domains 214

Adding and Assigning Network Authority Accounts 215

Discovering Domain Controllers 215

Verifying Domain Controller Machines in Available Machines 217

Licensing and Deploying the VCM Agent 217

Performing a Machine Data Type Collection 220 Configuring VCM for Active Directory as an Additional Product 221

Deploying VCM for AD to the Domain Controllers 221

Running the Determine Forest Action 222

Running the Setup DCs Action 223 Performing an Active Directory Data Collection 225 Exploring Active Directory Collection Results 227 Further Reading 230

Accessing Additional Compliance Content 231

Locating the Content Directory 231 Launching the Content Wizard to Import Relevant Content 231 Exploring Imported Content Results in the Portal 231

Installing and Getting Started with VCM Tools 233

Installing the VCM Tools Only 233 Foundation Checker 234 VCM Import/Export and Content Wizard (CW) 234

VCM Import/Export 235

Content Wizard 236

Maintaining VCM After Installation 237

Customize VCM and Component-specific Settings 237 Configure Database File Growth 239 Configure Database Recovery Settings 240 Create a Maintenance Plan for SQL Server 2008 R2 240 Incorporate the VCM CMDB into your Backup and Disaster Recovery Plans 248

Troubleshooting Problems with VCM 249

Evaluating Missing UNIX Patch Assessment Results 249 Resolving Reports and Node Summaries Problems 250

To Resolve the Problem 250 Resolving Protected Storage Errors 250 Resetting the Required Secure Channel (SSL) 251

Updating the VCM Virtual Directory 251

Updating the IIS Settings in VCM 251 Resolving a Report Parameter Error 252

Index 253

VMware, Inc. 7

vCenter Configuration Manager Installation and Getting Started Guide

8 VMware, Inc.

Updated Information

VCM Installation and Getting Started Guide is updated with each release of the product or when necessary.

This table provides the update history of the vCenter Configuration Manager Installation and Getting Started Guide.

Revision Description

EN-000485-01

"Maintaining Operating System Provisioning Servers" on page 37

added to provide information regarding backup and recovery instructions, and file maintenance requirements.

"Confirm Stunnel Configuration" on page 42 removed the final

confirmation step as it was redundant of the procedure in

"Confirm Stunnel Configuration" on page 42.

"Provision Machines" on page 180 and "Re-Provision Machines" on page 182 updated to indicate that the step 6 information regarding

the use of DHCP and the host name resolving to localhost applies only to ESX and ESXi machines. Additionally, the PostProvisioning Action at the end of the procedure now includes Windows 2008 SP1 and SP2 as operating systems requiring Internet access to complete the license activation process.

EN-000485-00 Initial Release.

VMware, Inc. 9

vCenter Configuration Manager Installation and Getting Started Guide

10 VMware, Inc.

About This Book

The VMware vCenter Configuration Manager Installation and Getting Started Guide describes the steps necessary for a successful VCM installation.

This document contains the following information:

Preparing for the VCM installation.

Installing VCM.

Getting started with VCM and its components.

Maintenance and troubleshooting.

Read this document and complete the associated procedures to prepare for a successful installation.

The VMware vCenter Configuration Manager Installation and Getting Started Guide applies to VCM, Foundation Checker, and Service Desk Connector.

Intended Audience

This information is written for experienced Windows or UNIX/Linux/Mac OS X system administrators who are familiar with managing network users and resources and with performing system maintenance.

To use this information effectively, you must have a basic understanding of how to configure network resources, install software, and administer operating systems. You also need to fully understand your network’s topology and resource naming conventions.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to docfeedback@vmware.com.

VMware VCM Documentation

The vCenter Configuration Manager (VCM) documentation consists of the VCM Hardware and Software Requirements Guide, VCM Foundation Checker User's Guide, VCM Installation and Getting Started Guide, VCM

online Help, and other associated documentation.

VMware, Inc. 11

vCenter Configuration Manager Installation and Getting Started Guide

Technical Support and Education Resources

The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telepho ne

Supp ort

Supp ort Offerings To find out how VMware support offerings can help meet your business needs, go to

VMware Prof ession al

Services

To use online support to submit technicalsupport requests,view your product and contract

information, and register your products, go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for priority 1

issues. Go to http://www.vmware.com/support/phone_suppor t.html.

http://www.vmware.com/support/services.

VMware Education Services courses offer extensive hands-on labs, case study examples,

and course materials designed to be used as on-the-job reference tools. Courses are

available onsite, in the classroom, and live online. For onsite pilot programs and

implementation best practices, VMwar e Consulting Services providesofferings to help you

assess, plan, build, and manage your virtual environment. To access information about

education classes, certification programs, and consulting services, go to

http://www.vmware.com/services.

12 VMware, Inc.

Preparing for Installation

Use this information to help you prepare to install VCM components and tools in your enterprise.

Use Installation Manager: Provides an overview of Installation Manager, which is used to install and

activate all VCM components and tools.

Understand Installation Configurations: Describes the supported installation configurations for VCM.

Understand Tools Installation: Explains how VCM tools are installed.

Check Prerequisites for Installation: Lists the prerequisites you should complete prior to using VCM

Installation Manager to perform the installation.

For an overview of the security precautions you should take before installing VCM, see the VCM Security Environment Requirements White Paper on the Download VMware vCenter Configuration Manager.

This document assumes that your hardware and software configuration meets the requirements described in the VCM Hardware and Software Requirements Guide. If you have not already done so, verify that your configuration meets the installation requirements by performing a Tools Only installation of VCM Foundation Checker, and then running it after it is installed. If VCM Foundation Checker does not return any errors, then you are ready to proceed. For more information on performing a Tools only installation, see "Installing and Getting Started with VCM Tools" on page 233.

VMware, Inc. 13

vCenter Configuration Manager Installation and Getting Started Guide

Use Installation Manager

Use Installation Manager to perform new installations as well as upgrades. Installation Manager provides a highly simplified process for installing components and tools, and steps you through the entire installation or upgrade process. Installation Manager:

Performs checks to ensure the machine(s) meets the hardware and software prerequisites necessary for installation.

Provides confirmation of the license file you apply during installation.

Installs VCM and all of its components and tools in the appropriate order on your machine(s).

Tests each progressive step during the installation to ensure that all components are successfully installed and that the licensed components are successfully activated.

Installation Manager operates with minimal user input and provides clear feedback on progress throughout the entire installation process.

Installation Manager installs VCM and all of its components on your machine, even components that you have not purchased. However, only the components that you have purchased are licensed by your license file, which enables you to purchase more licenses later, and thereby activate additional components that are already installed.

To install VCM and all of its components and tools for the first time, follow the procedures in "Installing

VCM" on page 21.

IMPORTANT You can use Installation Manager to upgrade from VMware VCM 5.3, EMC Ionix SCM 5.0 or

greater, or Configuresoft ECM 4.11.1 or greater to VCM 5.4.

When performing a new installation or a migration, you must have the previous license file available and specify the path to the license file during the installation. Installation Manager will use the license file to activate the components that you have purchased. If you do not have the license file from VCM 4.11.1 or later, contact VMware Customer Support.

Understand Installation Configurations

Before proceeding, you must have already configured your hardware and installed all of the prerequisite software based on the information in the VCM Hardware and Software Requirements Guide.

As of VCM 5.4, split installations are not supported. To migrate a split installation of VCM 5.3 or earlier to a single-server installation, see the section on migrating VCM. For more information, contact VMware Customer Support.

For a detailed diagram of a complete installation, see the VCM Hardware and Software Requirements Guide.

14 VMware, Inc.

Understand Tools Installation

Several tools are installed with automatically VCM. These tools include:

Foundation Checker

Import/Export Tool and Content Wizard Tool

Package Studio

You may install VCM tools separately on a non-Collector machine as needed. To install the Tools only, use the installation procedures in "Installing and Getting Started with VCM Tools" on page 233.

Check Prerequisites for Installation

Complete these prerequisites prior to using Installation Manager.

Hardware and Software Requirements

Before you can install VCM, your hardware and software configuration must meet the requirements in the VCM Hardware and Software Requirements Guide.

IMPORTANT Installation Manager runs Foundation Checker automatically during the VCM installation,

which checks the machine to verify that all of the prerequisites are satisfied for a successful installation of VCM. Running Foundation Checker as part of the Installation Manager process, rather than running it as a standalone tool, captures common issues that are difficult to remediate as well as issues related to specific components and the version of VCM being installed. Because Foundation Checker verifies componentspecific issues against VCM, you should use Installation Manager to run Foundation Checker. Foundation Checker must run without producing before you can proceed with the VCM installation. For more information about the standalone Foundation Checker, see "Installing and Getting Started with VCM

Tools" on page 233).

Preparing for Installation

If you install the Agent on HP-UX 11.11, you must also install Patch PHSS_30966, which is required. If you need assistance, contact VMware Customer Support.

Administration Rights

The User Account of the person performing your installation or upgrade must be all of the following:

A system administrator on the machine(s) on which the installation or upgrade is being performed, and

A system administrator on the database instance that will be used, and

A member of a domain.

The installing User Account should not be the account used to run the SQL Server Services; nor, after installation, should you create a VCM user with the SQL Server Services account credentials.

Default Network Authority Account

You must specify the default network authority account during the installation. The default network authority account, which is often the system administrator’s account (for example, a Domain Admin in the Local Admin Group), must be set up in the Local Administrators group on each machine prior to installation. You should have already completed this step by following the checklist in the VCM Hardware and Software Requirements Guide.

VMware, Inc. 15

vCenter Configuration Manager Installation and Getting Started Guide

The Local System account named NT AUTHORITY\System has unrestricted access to all local system resources. This account is a member of the Windows Administrators group on the local machine, and a member of the SQL Server sysadmin fixed server role. If the NT AUTHORITY\System account does not have access to the VCM installation binary files (possibly because someone removed the account or inherently removed access), the installation will result in an “access denied” error on the first step. Details of this error are not stored in the VCM error log. The solution is to grant access to the NT AUTHORITY\System account from the installation source directory, and then run the installation again (right-click the folder, select the Security tab, and make sure the user or user’s group has Full Control of the file/folder).

NOTE The network authority account can be changed later in VCM at Administration > Settings > Network Authority.

Collector Services Account

The Collector Services Account must be specified during the installation process. This account, which may not necessarily be the system administrator’s, must exist in the Local Administrators group on the Collector machine. In addition, this account must not be the LocalSystem account.

IMPORTANT If the password for your services account changes, you must also change the password in

both the Services Management and Component Services DCOM Config consoles.

To change your services password in the Services Management console, click Administrative Tools > Services. Locate all of the services that use the services account to log on. Right-click each of these services and select Properties. Click the Log On tab and update the password field to reflect your new password.

To change your services password in the Component Services DCOM Config console, click

Administrative Tools > Component Services. Expand the Component Services node and select Computers > My Computer > DCOM Config. Right click the LicenseDcom file and select Properties. Click the Identity tab and update the password field to reflect your new password.

VMware Application Services Account

The VMware Application Services Account must be a domain user. Because this account will have full administrative authority for the CSI_Domain database, you should never use it as a VCM login or for any other purpose.

VCM Remote Virtual Directory

You must specify the VCM Remote Virtual Directory account during the installation. To reduce the chances of a security risk to accounts, this account should not be the same account that you used for your Default Network Authority Account and/or your Services Account.

NOTE If necessary, you can change the service account later using the IIS Management console.

Secure Communications Certificates

VCM uses Transport Layer Security (TLS) to secure all HTTP communication with Windows and UNIX Agents in HTTP mode (includes all UNIX Agents and Windows Agents in HTTP mode). TLS uses certificates to authenticate the Collector and Agents to each other. You must specify certificates for the Collector and for the Enterprise during the installation. If you plan to use your own certificates, familiarize yourself with the certificate names so that you can select them during installation.

16 VMware, Inc.

Preparing for Installation

To be valid, a Collector certificate must be:

Located in the local machine personal certificate store.

Valid for Server Authentication. If any Enhanced Key Usage extension or property is present, it must include the Server Authentication OID 1.3.6.1.5.5.7.3.1. If the Key Usage extension is present, it must include DIGITAL_SIGNATURE.

Active, and not expired.

Alternatively, Installation Manager can generate the Collector and Enterprise certificates for you; select the

Generate option during installation.

NOTE If you will install more than one Collector that will communicate with the same Agent(s), or plan

to replace/renew your certificates later, special considerations are required to generate and select certificates in VCM Installation Manager. For details about VCM and Transport Layer Security (TLS), see Transport Layer Security Implementation for VCM.

Server Authentication

Server Authentication is a method of authenticating the server to the client. VCM supports server authentication. In VCM environments where TLS is employed, VCM Agents verify the identity of the Collector(s) through the use and verification of certificates (over HTTP).

Typically, the server authenticates a client/user by requiring information such as a user name and password. When server authentication is used, the client/user verifies that the server is valid. To accomplish this verification using TLS, the server provides a certificate issued by a trusted authority, such as Verisign®. If your client web browser has the Verisign® Certified Authority certificate in its trusted store, it can trust that the server is actually the Web site you access.

TLS uses certificates managed by a public key infrastructure (PKI) to guarantee the identity of servers and clients. A certificate is a package containing a public key and information that identifies the owner and source of that key, and one or more certifications (signatures) to verify that the package is authentic. To sign a certificate, an issuer adds information about itself to the information already in the certificate request. The public key and identifying information are hashed and signed using the private key of the issuer’s certificate.

Certificates are defined by the X.509 RFC standard, which includes fields that form a contract between the creator and consumer. The Enhanced Key Usage extension specifies the use for which the certificate is valid, including Server Authentication.

Enterprise and Collector Certificates

An Enterprise Certificate and one or more Collector Certificates enable secure HTTP Collector-Agent communication in VCM. The Enterprise Certificate enables VCM to operate in a multi-Collector environment. Agents have the Enterprise Certificate in their trusted certificate stores, which they use implicitly to validate any certificate issued by the Enterprise Certificate. All Collector Certificates are expected to be issued by the Enterprise Certificate, which is critical in environments where a single Agent is shared between two collectors.

Server Authentication is required to establish a TLS connection with an Agent. All Collectors should have a common Enterprise Certificate. Each Collector Certificate is issued by the Enterprise Certificate, and is capable of Server Authentication.

VMware, Inc. 17

vCenter Configuration Manager Installation and Getting Started Guide

The Collector Certificate is used to initiate and secure a TLS communication channel with an HTTP Agent. The Agent must be able to establish that the Collector Certificate can be trusted, which means that the Collector Certificate is valid and the certification path starting with the Collector Certificate ends with a trusted certificate. By design, the Enterprise Certificate is installed in the Agent’s trusted store, and the chain ends with the Enterprise Certificate.

A Collector Certificate can also be used to issue Agent certificates. As long as all Collector Certificates are issued by the same Enterprise Certificate, any Agent Certificate may be issued by any Collector Certificate, and all Agents will be able to trust all Collectors. Similarly, all collectors will be able to validate all Agent Certificates. Agent Certificates are used for Mutual Authentication only. Mutual authentication is supported, but requires interaction with VMware Customer Support and a Collector Certificate that also has certificate signing capability.

The Collector Certificate and associated private key must be available to the Collector. This certificate is stored in the (local machine) personal system store.

Collector Certificates in VCM must adhere to the requirements specified above in Secure Communications Certificates.

Delivering Initial Certificates to Agents

VCM Agents use the Enterprise Certificate to validate Collector Certificates. Therefore, the Agent must have access to the Enterprise Certificate as a trusted certificate. In most cases, VCM will deliver and install the Enterprise Certificate as needed.

Installing the Agent from a Disk (Windows only): The VCM Installation DVD does not contain customer-specific certificates. If HTTP is specified, the manual VCM Installer requests the location of the Enterprise Certificate file during the installation. You must have this file available at installation time. The certificate file (with a .pem extension) can be copied from the CollectorData folder of the Collector. This will be the case whether you run the manual installer directly (CMAgentInstall.exe) or use the “Agent Only” option from the DVD auto-run program.

Using CMAgentInstall.exe to Install the Agent (Windows only): CMAgentInstall.exe or CMAgent[version].msi is the manual Agent installer program. The manual installer will request the location of the Enterprise Certificate file, if HTTP is specified. You must have this file available at installation time. The certificate file can be copied from the CollectorData folder of the Collector.

MSI Install Package: If HTTP is specified, the MSI agent install package also requires access to the .pem file.

Installing the Agent for UNIX/Linux: See Installing the VCM Agent on UNIX/Linux Machines in this document.

Installing the Agent Using a Provisioning System

For Windows®, the manual installation program is available in .exe and .msi formats. Both versions allow the Enterprise Certificate file to be specified with a command line switch. You may also omit the certificate installation step by use of a command line switch. When these programs are run through a provisioning system, you must ensure that the Enterprise Certificate is available (and still secure), and configure the program options appropriately. Alternatively, you may choose to push the Enterprise Certificate to Agents by some other means and configure the provisioning system to omit certificate installation.

For UNIX/Linux, each UNIX/Linux installation package is targeted for one or more supported platforms. To install the UNIX/Linux Agent using a provisioning system, extract the installation package as appropriate and then deploy the extracted file with the provisioning system. The Enterprise Certificate is embedded in the installation package on the Collector.

18 VMware, Inc.

For more information about Installing the Agent on UNIX/Linux Machines and UNIX/Linux packages and platforms, refer to section Installing the VCM Agent on UNIX/Linux Machines.

Understand Use of FIPS Cryptography by VCM

Federal Information Processing Standards (FIPS) are developed by the US National Institute of Standards (NIST) and the Canadian Communications Security Establishment (CSE). VCM incorporates cryptographic service providers that conform to these FIPS standards:

FIPS 140-2: Security Requirements for Cryptographic Modules

FIPS 46-3: Data Encryption Standard (DES)

FIPS 81: DES Modes of Operation

FIPS 113: Computer Data Authentication

FIPS 171: Key Management

FIPS 180-1: Secure Hash Standard (SHA-1)

FIPS 186-2: Digital Signature Standard (DSA) and Random Number Generation (RNG)

FIPS 198: Message Authentication Codes (MACs) using SHA-1

FIPS 197: Advanced Encryption Standard (AES) Cipher

Preparing for Installation

FIPS 200: Federal Information Security Management Act (FISMA)

SP 800-2: Public Key Cryptography (including RSA)

SP 800-20: Triple DES Encryption (3DES) Cipher

VCM Use of Microsoft Cryptographic Service Providers (CSPs) for Windows Machines

On Windows machines, VCM uses cryptography by way of the Microsoft CryptoAPI, which is a framework that dispatches to Microsoft Cryptographic Service Providers (CSPs). CSPs are not shipped with VCM or installed by VCM, but instead are part of the security environment included with Microsoft Windows. In the configurations supported by VCM, these CSPs are FIPS 140-2 validated. An up-to-date table of FIPS certificate numbers is at: http://technet.microsoft.com/en-us/library/cc750357.aspx.

Cryptography for UNIX/Linux Platforms

On UNIX/Linux platforms, the VCM Agent uses the cryptography of the OpenSSL v0.9.7 module. This cryptographic library is installed with the VCM Agent.

VMware, Inc. 19

vCenter Configuration Manager Installation and Getting Started Guide

Cryptography used in VCM Software Components

VCM uses various software components that also use cryptography. Microsoft IIS, Internet Explorer, and SChannel (SSL/TLS) systems call the CryptoAPI, and thus use the Windows FIPS-validated modules. VCM for Virtualization uses ActiveX COM components from WeOnlyDo! Software (WOD) for SSH and SFTP services. WOD utilizes the FIPS 140-2 compliant OpenSSL library.

Table 1-1. Installed or Used Crytography Modules

System

UI Windows Used

VCMServer Windows Installed Used

Virt Proxy Windows Installed Used

AD Agent Windows Used

Win Agent Windows Used

UNIX Agent HP/UX Installed Installed

Platform

AIX Installed Installed

Solaris Installed Installed

OpenSSLFIPS 1.1.2 OpenSSLFIPS 1.1.1 OpenSSLCrypt 0.9.7 Crypto++ CryptoAPI

Debian Installed Installed

Red Hat Installed Installed

SUSE Installed Installed

ESX Server All No cryptography modules are used or installed on ESX.

Supported Windows and UNIX Platforms

Supported Windows and UNIX platforms, and their architectures, are listed in the VCM Hardware and Software Requirements Guide. For information about TLS, see Transport Layer Security (TLS) Implementation for VCM on the Download VMware vCenter Configuration Manager.

20 VMware, Inc.

Installing VCM

Use Installation Manager to install VCM and all of its components and tools.

To install only the VCM tools, follow the installation procedures in "Installing and Getting Started with

VCM Tools" on page 233.

IMPORTANT Before you migrate VCM to VCM 5.4, read Migrating VCM and Related Components.

VMware vCenter Configuration Manager (VCM) Installation Manager is a standalone application that checks your machine to ensure it is properly configured and configures licensed components during the installation process.

When you install VCM and related components, read about each configurable component to ensure you supply the appropriate information. The default settings may not fit your configuration exactly. If you migrate VCM or SQL Server, or migrate to a 64-bit system, see "Upgrading or Migrating vCenter

Configuration Manager" on page 45.

When you insert the installation CD into the machine to install VCM, the initial installation screen appears and displays several options.

If the installation screen does not appear automatically, or if you begin the installation from a network location, navigate to the CD root directory or the file share and double-click setup.exe.

VMware, Inc. 21

vCenter Configuration Manager Installation and Getting Started Guide

1. Select one of these options:

Run Installation Manager. Starts Installation Manager and begins the installation.

View Help. Displays the Installation Manager Help, which describes the selections that appear during the installation.

Browse Contents of Installation CD. Starts Windows Explorer and displays the content of the installation CD, which includes documentation.

Contact Support Team. Displays instructions to contact VMware Customer Support.

Exit. Closes Installation Manager.

2. Click Run Installation Manager to begin the installation process.

3. Follow the steps through the wizard to complete the installation. For details about the installation options, see the Installation Manager Help.

After the installation completes, configure SQL Server settings to configure the database file growth and database recovery settings to fine-tune your VCM Database. See the instructions in "Maintaining VCM

After Installation" on page 237.

CAUTION During the installation, a folder containing VCM-related MSI files is added to

%windir%\Installer\. If you move or delete the contents of this folder, you will not be able to use Installation Manager to upgrade, repair, or uninstall VCM successfully.

22 VMware, Inc.

Installing and Configuring the OS Provisioning Server and Components

The Operating System (OS) Provisioning server installs OS distributions on target machines. The OS Provisioning server is installed and configured on a Red Hat server, and then operating systems are imported into the OS Provisioning Server repository. After the distributions are imported, the server manages the installation process.

When the OS Provisioning server is installed, configured, and OS distributions have been imported, you then use VCM to provision target machines with an operating system. See "About OS Provisioning" on

page 177 for more information.

Installing the Operating System Provisioning Server

VCM OS provisioning supports one instance of VCM with one instance of the Operating System (OS) Provisioning Server.

You must first configure the server to meet the prerequisites specified in the VCM Hardware and Software Requirements Guide, install the OS Provisioning Server application, and then perform post-install configurations.

Best Practices

Configure your OS Provisioning Server in a private or restricted network. When provisioning machines, connect the machines to the private network. This practice maintains security during the provisioning process.

For additional security information, see VMware vCenter Configuration Manager Security Environment Requirements White Paper.

Install the OS Provisioning Server

The OS Provisioning Server manages the installation of operating system distributions on target machines. You install the OS Provisioning Server using supplied media or media images. The installation must be run as the root user for the installation to complete correctly.

Prerequisites

Ensure the machine meets all the prerequisites to installation specified in the VCM Hardware and Software Requirements Guide.

Disable SELinux to allow the loading of shared libraries.

VMware, Inc. 23

vCenter Configuration Manager Installation and Getting Started Guide

Procedure

1. Mount the VCM-OS-Provisioning-Server-<version number>.iso by either attaching to the media image or mounting the image.

When mounting the image, do not use the no-exec option.

2. Change the directory to where the image is located.

cd /<OS Provisioning Server ISO>

where <OS Provisioning Server ISO> is the path to the mounted file.

3. Run the # ./INSTALL-ME-FIRST command to install the database package.

When completed, "The installation completed successfully" message is displayed.

For more information about the process if it fails, see the DB2 installation log at /tmp/db2setup.log.

4. Run the # ./INSTALL-ME-SECOND command to install the OS Provisioning Server software.

The autoinstall -d -a y utility can be used for unattended installation of OS Provisioning Server.

5. In the Nixstaller window, click Next.

6. On the dialog box, click Continue.

7. When the installation is completed, click Close.

8. Click Finish.

9. Run the # service FastScale status command to verify that the installation has completed successfully.

A successful installation displays results similar to the following (pid values vary):

FSrepository does not implement a status command

rsyslogd (pid 3335) is running...

fsmesgd (pid 3517) is running...

fsrepod (pid 3683) is running...

fsadmin (pid 12618 12617 12614 3785 3784 3783 3782 3781 3778 3777 3776 3753)

is running...

dhcpd (pid 3786) is running...

Checking Basic Server: EMC HomeBase Server (Database) is running (PID: 3951).

Checking Basic Server: EMC HomeBase Server is running (PID: 4143).

fsjobd (pid 4237) is running...

fshinvd (pid 4249) is stopped...

stunnel (pid 4262 4261 4260 4259 4258 4257) is running...

An unsuccessful installation either displays the following error message:

“FastScale: unrecognized service”

or a few of the above mentioned services might not be running. If so, review the logs to determine possible problems.

10. Run the commands to create the repository database.

This action destroys any existing repository information.

24 VMware, Inc.

Installing and Configuring the OS Provisioning Server and Components

# su - fsrepo

[fsrepo@<machine name>~]$ create-repository

11. When the action completes, run the [fsrepo@<machine name>~]$ exit command.

If necessary you can review the /opt/FastScale/home/fsrepo/fscreate-repo.log.

The OS Provisioning Server maintenance commands can also be added to the root user's path. The default shell profiles are modified by OS Provisioning Server to add /opt/FastScale/sbin to the root account. When the user is root, the maintenance commands in /opt/FastScale/sbin are available in the default path and are available when the profile is reloaded.

12. Reboot the OS Provisioning Server to ensure that all related services are started in the correct order.

13. Run the # service FastScale status command to verify the OS Provisioning Server services after reboot.

A successful installation displays the same results as above.

What to do next

When you install the OS Provisioning Server, specific OS Provisioning users were created.

fsrepo: Used to create the repository.

vcmuser: Used to run basicimport of distributions and for communication with VCM.

The ensure proper security, you must set the password for the vcmuser. See "Set the vcmuser Password"

on page 25.

Set the vcmuser Password

The vcmuser is used when importing distributions into the OS Provisioning repository and for communication between VCM and the OS Provisioning Server. You must not delete the user or change the permissions, but you should set the vcmuser password based on your corporate standards.

Prerequisit es

The OS Provisioning Server is installed.

Procedu re

1. Log on to the OS Provisioning Server as root.

2. Run the passwd vcmuser command.

3. Type the new password, and then confirm the password.

Configure DHCP

The recommended configuration for OS provisioning is to use a private isolated network set up specifically for OS provisioning. When using a private provisioning network, the best practice is to configure the DHCP server included with the OS Provisioning Server to provide addresses and network boot information to nodes connected to this isolated network. If, however, you are provisioning systems on a network shared for other uses, you will likely already have a DHCP server on the network. In this case, you must disable the OS Provisioning Server's DHCP server and configure your regular DHCP server to provide network boot information for machines to be provisioned. See "Configure a DHCP Server other

than the OS Provisioning Server" on page 26 for more information.

VMware, Inc. 25

vCenter Configuration Manager Installation and Getting Started Guide

Whether you use a private provisioning network or a shared network you can use either the OS Provisioning Server DHCP server or a separate DHCP server; however, only one DHCP server should be active on any network, and the DHCP server will need to be able to “point” new systems to the OS Provisioning Server for discovery and provisioning.

The OS Provisioning Server provides DHCP services on the provisioning network by default. The DHCP server must be configured to listen on the private provisioning network interface.

Procedu re

1. Open the /opt/FastScale/etc/dhcpd.conf file and configure the settings as necessary for your environment.

Option Description

subnet The IP address subnet of the private network interface. Default value: 10.11.12.0

netmask The netmask of the subnet. Default value: 255.255.255.0

address range The range of allocated IP addresses for the provisioned nodes. Default value:

10.11.12.100 – 10.11.12.200

broadcast-

The broadcast address on the subnet. Default value: 10.11.12.255

address

next-server The IP address of the private network interface. Default value: 10.11.12.1

Configure a DHCP Server other than the OS Provisioning Server

If you are provisioning using an external DHCP server, you must modify your regular DHCP network using this procedure.

Configuring the corporate DHCP server to use the IP address of the OS Provisioning Server for PXE Boot allows the nodes to connect to the OS Provisioning Server after DHCP had completed. When the nodes are set to NetBoot (PXE) on startup, the nodes download the boot kernel through TFTP from the OS Provisioning Server. For this process to work, you must turn off DHCP on the OS Provisioning Server.

Prerequisit e

Turn off DHCP on the OS Provisioning Server.

Procedu re

1. On the OS Provisioning Server, log in as root and edit /etc/sysconfig/FSdhcpd to prevent the DHCP resetting after a reboot.

Change DHCPD_CONF=/opt/FastScale/etc/dhcpd.conf

to DHCPD_CONF=/opt/FastScale/etc/dhcpd.conf.none

2. On the OS Provisioning Server, run the following command:

/opt/FastScale/etc/init.d/FSdhcpd stop

26 VMware, Inc.

Installing and Configuring the OS Provisioning Server and Components

3. On the corporate DHCP server, update the dhcpd.conf file with the following options:

allow bootp;

allow booting;

next-server <IP address of the OS Provisioning Server>; where <IP address of the OS

Provisioning Server> is replaced with the specified IP address.

Configure TFTP

The OS Provisioning Server provides TFTP services on the provisioning network, which, by default, has a private IP address. The TFTP server must be configured to listen on this private network interface.

Procedu re

1. Open the /opt/FastScale/homebase-server/etc/channels/TFTP.xml file and configure the settings as necessary for your environment.

Option Description

connectionActive Enables or disables TFTPserver. A value of true enables the server, and a value of false

disables the server. The default value is true.

localHost The IP address of the private network interface. The default value is 10.11.12.1.

The utility fstftp_conf, located in /opt/FastScale/sbin, can also be used to update the file.

2. If you make changes, restart the basic service using the service FastScale FSbasic restart command.

Uninstall the OS Provisioning Server

Uninstall the OS Provisioning Server by first mounting the OS Provisioning Server media, and then running the uninstall command. These programs must be run as the root user for the uninstall process to complete correctly.

CAUTION The uninstall process removes the application and deletes all the data stored in the database.

Procedu re

1. Mount the OS Provisioning Server ISO by either attaching to the media image or mounting the image.

2. Change the directory to where the image is located.

cd /<OS Provisioning Server ISO Location>

where <OS Provisioning Server ISO Location> is the path to the mounted media.

3. Run the following command to uninstall the application:

./UNINSTALL-ME

4. Type Yes.

The following is a sample of the uninstall log:

[Thu Jul 22 08:57:06 IST 2010] UNINSTALL-ME: Starting uninstallation of

Application Stack Manager...

[Thu Jul 22 08:57:08 IST 2010] UNINSTALL-ME: FastScale service is running

[Thu Jul 22 08:57:08 IST 2010] UNINSTALL-ME: Stopping FastScale service

VMware, Inc. 27

vCenter Configuration Manager Installation and Getting Started Guide

[Thu Jul 22 08:57:08 IST 2010] UNINSTALL-ME: Command : /sbin/service FastScale

stop

Shutting down FSnetfs: [ OK ]

Shutting down FSsyslog: [ OK ]

Shutting down FSmesgd: [ OK ]

Shutting down FSdhcpd: [ OK ]

..........

[Thu Jul 22 09:00:44 IST 2010] UNINSTALL-ME: Uninstallation complete!

Preparing Boot Images for Windows Provisioning

It is necessary to prepare a Windows boot image to successfully provision target Windows machines. The boot image, created once on a Windows machine and applied to the OS Provisioning Server, is used to meet the booting needs of the Windows distribution installations on target machines.

Create Windows Boot Image

You must create a Windows boot image and add it the OS Provisioning Server. The image is created on a Windows machine and deployed to the OS Provisioning Server.

Prerequisites

Verify that the Windows Automated Install Kit (WAIK) is installed.

Verify that Java Virtual Machine (JVM), version 1.6.0 or later, is installed.

Verify that the OS Provisioning Server is accessible on the network to the Windows machine, usually the Collector, on which you are creating the image.

Procedure

1. Copy /opt/FastScale/homebase-server from the OS Provisioning Server to a directory on the Windows machines. For example, c:\Program Files (x86)\VMware\VCM\Tools\homebase- server.

2. On the OS Provisioning Server, import a supported Windows operating system using the basicimport command.

See "Import Windows Distributions" on page 30 for more information.

3. On the Windows machine, change the directory to the bin directory in the homebase-server directory.

For example, c:\Program Files (x86)\VMware\VCM\Tools\homebase-server\bin.

4. Run the create command.

hbd create windows --waik <Path to WAIK> -l <OS Provisioning Server Public IP>

--deploymenturl <OS Provisioning Server Private IP Address> -u <HB User> -p

Option Description

<Path to

WAIK>

<OS OS Provisioning Server's Public Interface IP Address.

28 VMware, Inc.

Path to the WAIK installation. For example, "c:\Program Files (x86)\Windows AIK".

Option Description

Provisioning

Server

Public IP>

Installing and Configuring the OS Provisioning Server and Components

<OS

Provisioning

Server

Private IP>

<HB User> HomeBaseServer configured username. The default username is "admin".

<HB

password>

OS Provisioning Server's Private Interface IP Address. The default configuration is 10.11.12.1. If

the Windows AIK machine is connected to OS Provisioning Server using the d eployment

network, then the '--deploymenturl' option is not necessary. Instead, you should specify the

deployment IP address as the argument to the '-l' option.

HomeBaseServer configured password. T he default password is "admin".

5. Verify that the boot image files are created on the OS Provisioning Server in /opt/FastScale/homebase-server/deployment.

Copy the VCMCertificate to the OS Provisioning Server for Linux Provisioning

If you are using the OS Provisioning Server to install Linux distributions, you must copy the VCM certificate file to the OS Provisioning Server to ensure the certificate is included with the VCM Agent when the configured session is created prior to provisioning.

Procedure

1. Copy the VCM certificate, VMware_VCM_Enterprise_Certificate_*.pem, located on the VCM Collector in \Program Files (x86)\VMware\VCM\CollectorData, to the OS Provisioning Server /opt/FastScale/var/fsadmin/basic/directory.

Importing Distributions into the OS Provisioning Server Repository

Operating system distributions must be imported into the OS Provisioning Server repository before you can use VCM to install them on target machines. The basicimport command uses an -i option to specify an .iso and a -d option to specify directories.

The supported operating systems are listed in VCM Hardware and Software Requirements Guide.

Create Directories for Windows Distributions

Some Windows operating systems distribution files are issued on multiple CDs. Due to the dependencies within the packages, multiple CDs cannot be loaded using separate basicimport commands for each CD. You must create a single directory out of multiple Windows operating system CDs before importing.

Procedure

1. On the OS Provisioning Server, create a directory to contain the files from both CDs by typing:

# mkdir -p /tmp/<directory name>

For example, # mkdir -p /tmp/Win2003-R2-SP2-Standard

2. Insert the first CD in the drive and type:

# cp -R /media/cdrom/<source directory name> /tmp/<directory name>

VMware, Inc. 29

vCenter Configuration Manager Installation and Getting Started Guide

For example, # cp -R /media/cdrom/Win2003-R2-SP2-Standard /tmp/Win2003-R2-SP2-Standard

3. Replace the first CD with the second CD and type:

# cp -R /media/cdrom/<source directory name> /tmp/<directory name>

For example, # cp -R /media/cdrom/Win2003-R2-SP2-Standard /tmp/Win2003-R2-SP2-Standard

When importing the second CD, do not replace any files if prompted during the copy operation.

Import Windows Distributions

Distributions are the operating system installation files. You must import each OS distribution into the OS Provisioning repository before you can use VCM to install it on target machines.

NOTE Importing distributions with spaces in the file name is not supported. Before importing, remove the spaces or replace the spaces with underscores.

Procedure

1. Mount the ISO by either attaching to the media image or mounting the image. For Windows 2008 and Windows 7, use -t udf mount type and do not include any spaces in the path. For all other Windows, use loopback. For example, $ mount -oloop /<iso_file.iso> /<mount point>

NOTE Do not use -t iso9660 when mounting the image. Some automounted media will not import. If you receive a fingerprint error message during basicimport, unmount the directory and manually mount it without the -t iso9660 option.

2. Log in as vcmuser.

3. For your first import, type the command:

# basicimport -d /mnt/<directory name> -l <OS Provisioning Server IP address>

NOTE Changing the OS Provisioning Server IP address at a later time is not currently supported. If the initial IP address of the OS Provisioning Server after install is not the address you intend for it to have when it is put into production, you must change its address, and related DHCP and TFTP configurations, before you import any OS distributions.

For subsequent imports, the -l option is not necessary:

# basicimport -d /mnt/<directory name>/

Where the <directory name> is the file name. For example, Win2k3SE-R2-SP2-i386. If you created a /tmp/ directory for a multi-CD distribution, include the path. For example /tmp/<directory name>, or /tmp/Win2003-R2-SP2-Standard.

4. Type the Family Name.

For example, Windows. You must provide a unique family name to perform the basicimport of different operating systems in the same family. No other family can exist with the same combination of name, version, and architecture values.

5. Type the Family Version.

For example, 2008R2.

6. Type the Family Architecture, either i386 or x86_64

7. Type the Provenance.

For example, CD, hotfix, or SP.

30 VMware, Inc.

+ 228 hidden pages