VMware vSphere Replication Security
Guide
vSphere Replication 6.1
This document supports the version of each product listed and
supports all subsequent versions until the document is
replaced by a new edition. To check for more recent editions of
this document, see http://www.vmware.com/support/pubs.
EN-001758-01
VMware vSphere Replication Security Guide
You can find the most up-to-date technical documentation on the VMware Web site at:
hp://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2012–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
Contents
About VMware vSphere Replication Security Guide 5
1
Updated Information 7
vSphere Replication Security Reference 9
2
Services, Ports, and External Interfaces that the vSphere Replication Virtual Appliance Uses 9
vSphere Replication Conguration Files 12
vSphere Replication Private Key, Certicate, and Keystore 13
vSphere Replication License and EULA File 13
vSphere Replication Log Files 13
vSphere Replication User Accounts 15
Security Updates and Patches for vSphere Replication 15
Index 17
VMware, Inc. 3
VMware vSphere Replication Security Guide
4 VMware, Inc.
About VMware vSphere Replication
Security Guide 1
The VMware vSphere Replication Security Guide provides a concise reference to the security features of
vSphere Replication.
To help you protect your vSphere Replication installation, this guide describes security features built into
vSphere Replication and the measures that you can take to safeguard it from aack.
External interfaces, ports, and services that are necessary for the proper operation of
n
vSphere Replication
Conguration options and seings that have security implications
n
Location of log les and their purpose
n
Required system accounts
n
Information about obtaining the latest security patches
n
Intended Audience
This information is intended for IT decision makers, architects, administrators, and others who must
familiarize themselves with the security components of vSphere Replication.
VMware, Inc.
5
VMware vSphere Replication Security Guide
6 VMware, Inc.
Updated Information
This VMware vSphere Replication Security Guide is updated with each release of the product or when
necessary.
This table provides the update history of the VMware vSphere Replication Security Guide.
Revision Description
EN-001758-01
EN-001758-00 Initial release.
Updated the information in topic “Security Updates and Patches for vSphere Replication,” on
n
page 15.
VMware, Inc. 7
VMware vSphere Replication Security Guide
8 VMware, Inc.
vSphere Replication Security
Reference 2
You can use the Security Reference to learn about the security features of vSphere Replication and the
measures that you can take to safeguard your environment from aack.
This chapter includes the following topics:
“Services, Ports, and External Interfaces that the vSphere Replication Virtual Appliance Uses,” on
n
page 9
“vSphere Replication Conguration Files,” on page 12
n
“vSphere Replication Private Key, Certicate, and Keystore,” on page 13
n
“vSphere Replication License and EULA File,” on page 13
n
“vSphere Replication Log Files,” on page 13
n
“vSphere Replication User Accounts,” on page 15
n
“Security Updates and Patches for vSphere Replication,” on page 15
n
Services, Ports, and External Interfaces that the vSphere Replication Virtual Appliance Uses
The operation of vSphere Replication depends on certain services, ports, and external interfaces.
vSphere Replication Services
The operation of vSphere Replication depends on several services that run on the vSphere Replication
virtual appliance.
Table 2‑1. vSphere Replication Services
Service Name Startup Type Description
hms Automatic for the
vSphere Replication appliance.
Disabled for the vSphere Replication
add-on appliance.
hbrsrv Automatic vSphere Replication Service
sshd Automatic Disabled by default.
VMware, Inc. 9
vSphere Replication Management
Service
VMware vSphere Replication Security Guide
Table 2‑1. vSphere Replication Services (Continued)
Service Name Startup Type Description
ntp Automatic Time service for syncing-up with
vaos Automatic Guest OS initialization that drives
Communication Ports
vSphere Replication uses several communication ports and protocols.
The vSphere Replication appliance requires certain ports to be open.
Note vSphere Replication servers must have NFC trac access to target ESXi hosts.
Internet Time Server through Network
Time Protocol.
Note After you install or upgrade a
vSphere Replication virtual appliance,
you must synchronize the appliance
with a time server.
network seings, host name seings,
ssh keys creation, EULA acceptance,
boot scripts execution, and VAMI
initialization.
Table 2‑2. Ports Used by the vSphere Replication Appliance
Source Target Port Protocol Description
vSphere
Replicationappliance
vSphere Replication
server in the
vSphere Replication
appliance
vSphere Replication
server in the
vSphere Replication
appliance
Browser vSphere Replication
vCenter Server proxy vSphere Replication
Remote
vCenter Server
Remote ESXi host 80 HTTP Used to establish the
Remote ESXi host 902 TCP and UDP Used by
appliance
appliance
80 TCP All management
trac to the
vSphere Replication
appliance goes to port
80 on the
vCenter Server proxy
system.
connection before
initial replication
starts.
vSphere Replication
servers to send
replication trac to
the destination ESXi
hosts.
5480 HTTPS vSphere Replication
virtual appliance
management interface
(VAMI) Web UI.
8043 SOAP Intra-site
communication from
the vCenter Server
proxy to the
vSphere Replication
appliance .
10 VMware, Inc.
Chapter 2 vSphere Replication Security Reference
Table 2‑2. Ports Used by the vSphere Replication Appliance (Continued)
Source Target Port Protocol Description
vSphere Replication
appliance
vSphere Web Client on
the source site
ESXi host on source
site
vSphere Replication
server
vCenter Server
Inventory Service on
the target site
vSphere Replication
server at the target
site
8123 SOAP Intra-site management
trac from the
vSphere Replication
Management server to
additional
vSphere Replication
server in the
environment.
10443 HTTPS ThevSphere
Replication UI uses
the Inventory Service
of the remote
vCenter Server to list
target datastores.
31031 Initial and outgoing
replication trac from
the ESXi host at the
source site to the
vSphere Replication
appliance or
vSphere Replication
server at the target
site.
If you deploy additional vSphere ReplicationvSphere Replication servers, you must open the ports that
vSphere Replication requires on those servers.
Table 2‑3. Ports Used by the vSphere Replication Server
Source Target Port Protocol Description
vSphere Replication
server in the
vSphere Replication
appliance
Browser vSphere Replication
vSphere Replication
Management server
ESXi host at the source
site
Remote ESXi host 902 TCP and UDP Trac between the
vSphere Replication
server and the ESXi
hosts on the same site.
Specically the trac
of the NFC service to
the destination ESXi
servers.
5480 HTTPS Administrator's Web
server
vSphere Replication
server
vSphere Replication
server
8123 SOAP Intra-site management
31031 Initial and outgoing
browser.
trac from the
vSphere Replication
appliance or
vSphere Replication
Management server to
the
vSphere Replication
servers.
replication trac from
the ESXi host at the
source site to the
vSphere Replication
appliance or
vSphere Replication
server at the target
site.
VMware, Inc. 11
VMware vSphere Replication Security Guide
When you create a connection to the cloud, the vCloud Tunneling Agent in the vSphere Replication
appliance creates a tunnel to secure the transfer of replication data to your cloud organization.
Table 2‑4. Ports Required for Cloud Replications
Source Destination Port Protocol Description
The ESXi host at the
source site
The
vSphere Replication
appliance at the source
site
The ESXi host at the
source site
The vCenter Server
at the source site
vCloud API 443 REST over HTTPS vSphere Replication
The
vSphere Replication
appliance at the
source site
80 TCP The vCenter Server
reverse proxy
forwards VIB
(vCloud Air Disaster
Recovery rewall
rules) download
request to the
vSphere Replication
appliance.
appliance connects to
this port to send
replication data to a
cloud organization.
10000-10010 TCP The vCloud Tunneling
Agent opens one of
these ports on the
vSphere Replication
appliance. ESXi hosts
connect to that port to
send replication data
to a cloud
organization.
Open Source and Third-Party Components
For the complete text of the open source licenses, a list of all open source and third-party components, and
the open source code used in vSphere Replication, you can go to
hp://www.vmware.com/download/open_source.html and see the VMware vSphere Replication Open Source
and Licenses section under the VMware vSphere Open Source link. If certain open source license requires it, the
vSphere Replication Open Source Disclosure Package (ODP) contains text les with instructions how to
build and replace the software libraries.
vSphere Replication Configuration Files
Some conguration les contain seings that aect the security of vSphere Replication.
Note All security-related resources are protected with the correct permissions and ownership. Do not
change the ownership or permissions of these les.
File Location Description
/opt/vmware/hms/conf/hms-configuration.xml
/opt/vmware/hms/conf/embedded_db.cfg
The default system conguration of the
vSphere Replication Management server.
The conguration le for the embedded database .
12 VMware, Inc.
Chapter 2 vSphere Replication Security Reference
vSphere Replication Private Key, Certificate, and Keystore
The private key, the certicate, and the keystore of vSphere Replication are located on the
vSphere Replication virtual appliance.
Note All security-related resources are protected with the correct permissions and ownership. Do not
change the ownership or permissions of these les.
/etc/vmware/ssl/hbrsrv.crt
n
/etc/vmware/ssl/hbrsrv.key
n
/opt/vmware/hms/security/hms-keystore.jks
n
/opt/vmware/hms/security/hms-truststore.jks
n
vSphere Replication License and EULA File
The end-user license agreement (EULA) and open source license les are located in the vSphere Replication
virtual appliance.
File Location
Open Source License
VMware Postgres
License
Pivotal TC Server
End-user license
agreement
/usr/share/doc/vmware-vspherereplication/OPEN_SOURCE_LICENSE
/usr/share/doc/vmwarevspherereplication/VMware_Postgres_9.3.6.0_open_source_licenses.txt
/usr/share/doc/vmware-vspherereplication/pivotal-tc-server-standard-opensource-licenses-3.1.0.RELEASE.txt
/opt/vmware/etc/isv/EULA/language_code/0
vSphere Replication Log Files
The les that contain system messages are located in the vSphere Replication virtual appliance.
File Location Description
/opt/vmware/hms/logs/hms-configtool.log
/opt/vmware/hms/logs/hmsn.log
/opt/vmware/var/log/lighttpd/error.log
/var/log/vmware/
/var/log/boot.msg
Log Messages Related to Security
The /opt/vmware/hms/logs/hms.log le contains login and logout event messages, authorization error
messages, and certicate verication error messages in the following format.
Login message
n
Used to log errors that occurred during the Virtual Appliance
Management Interface (VAMI) conguration.
Used to track the runtime information of vSphere Replication
Management server. The most recent log le is labeled hms.log, and
hms.n.log les contain older log messages. The le with the highest
n value contains the oldest messages.
The VAMI error log le. Used to track errors in the VAMI operations.
The folder contains the vSphere Replication server log les. Used to
track replication problems.
Used to track the startup process of the vSphere Replication
appliance.
VMware, Inc. 13
VMware vSphere Replication Security Guide
2015-03-23 15:54:05.558 DEBUG jvsl.security.authentication.sessionmap [tcweb-5]
(..security.authentication.SessionMap) operationID=087657ec-ef0f-494c-9739-a4af62a5c049-
HMS-1033 | Adding new session to the session
map:com.vmware.hms.security.authentication.HmsUserSession@234f4bed:[
com.vmware.vim.binding.hms.UserSession:
key = site_...1b034,
userName = root,
fullName = root ,
loginTime = ...,
lastActiveTime = ...,
hmsServers = null,
locale = en,
messageLocale = en
]
Logout message
n
15-03-23 15:54:05.585 INFO jvsl.security.authorization [tcweb-8]
(..security.authorization.SessionAuthorizer) | HmsSessionManager.HmsSessionManagerLogout
called on session-manager by root@/10.26.233.124:50776 with opId 43263a64-1681-4459-
a921-1d9406308dc8-HMS-1036
Authorization message
n
2015-06-25 16:10:35.994 INFO jvsl.security.authorization [tcweb-5]
(..security.authorization.SessionAuthorizer) | Authorization for method
"HmsRemoteSiteManager.HmsRemoteSiteManagerFindHmsServer" failed.
(vim.fault.NoPermission) {
faultCause = null,
faultMessage = null,
object = MoRef: type = HmsRemoteSiteManager, value = site-manager, serverGuid = 18327b1a-
dac2-44d9-972e-fa9dd99fce47,
privilegeId = HmsRemote.com.vmware.vcHms.Hms.View
}
Certicate verication error message
n
2015-06-25 16:19:13.794 WARN jvsl.sessions [hms-main-thread-1] (..hms.net.ServerRegistryHms)
| Can not start HMS connection to remote site 'some-address.com'
java.util.concurrent.ExecutionException: com.vmware.vim.vmomi.client.exception.SslException:
javax.net.ssl.SSLHandshakeException:
com.vmware.vim.vmomi.client.exception.VlsiCertificateException: Server certificate chain is
not trusted and thumbprint doesn't match
14 VMware, Inc.
Chapter 2 vSphere Replication Security Reference
vSphere Replication User Accounts
You must set up a root account for vSphere Replication. The root account is used to access both the virtual
appliance console and the Virtual Appliance Management Interface (VAMI).
vSphere Replication currently uses the root account as the administrator of the VAMI. No other user is
created.
When you deploy the vSphere Replication virtual appliance, you set the password for the root account in
the OVF Deployment wizard.
The root password must be at least 8 characters long.
Privileges Assigned to Default User Roles
vSphere Replication includes a set of roles. Each role includes a set of privileges, which allow users with
those roles to complete dierent actions.
See the topic vSphere Replication Roles and Permissions in the vSphere Replication Administration Guide.
Security Updates and Patches for vSphere Replication
vSphere Replication 6.1.0.x and 6.1.1 x use SUSE Linux Enterprise Server 11 (x86_64), version 11, Service
Pack 3 as the guest operating system.
vSphere Replication 6.1.2 uses SUSE Linux Enterprise Server 12 (x86_64), Service Pack 1 as the guest
operating system
You can apply the latest security update or patch by using the corresponding ISO le.
Before you apply an update or patch to the guest operating system, take into account the dependencies. See
“Services, Ports, and External Interfaces that the vSphere Replication Virtual Appliance Uses,” on page 9.
To receive the latest security announcements, you can subscribe to the VMware Security Announcements
mailing list at hp://lists.vmware.com/.
VMware, Inc. 15
VMware vSphere Replication Security Guide
16 VMware, Inc.
Index
C
certificate 13
E
embedded_db.cfg 12
EULA 13
G
guest OS 15
H
hms-configuration.xml 12
https 9
I
intended audience 5
K
keystore 13
L
license file 13
licenses 13
logs 13
U
updated information 7
user accounts 15
N
ntp 9
P
patches 15
ports 9
privileges 15
R
root password 15
S
security updates 15
security reference 9
services 9
sshd 9
system logs 13
T
truststore 13
VMware, Inc. 17
VMware vSphere Replication Security Guide
18 VMware, Inc.
Loading...