ACE Management Server


8/6/2019 ACE Management Server
1/64

ACE Management Server Administrator's Manual

VMware ACE 2.7

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-000405-00
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:
[email protected]

Copyright 2007-2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Contents

About This Book 5

1 Introduction 7
  Features of ACE Management Server 7
  System Requirements 8
    Required Hardware 8
    Supported Operating Systems 8
    Supported External Databases 9
    Supported Proxies 9
    Required Web Browsers 9
    Licensing 9

2 Planning an ACE Management Server Deployment 11
  Deployment Components 11
    Host System Options 12
      Windows Hosts 12
      Linux Hosts 12
      Server Appliance Option 12
    Database Options 13
    Active Directory Authentication Options 13
  Performing Capacity Planning 13
    Database Throughput and Scalability 14
    LDAP Throughput 14
    Network Bandwidth and Policy Update Frequency 15
    ACE Policy Configuration 15
    Load Balancers 15
  Security Features and Considerations 16
    Using SSL Certificates and Protocol 16
  Accessing ACE Management Server from Outside the Corporate Firewall 17
  Deployment Planning Worksheet 18

3 Installing and Configuring ACE Management Server 19
  Preparing for Installation 19
    Configure TLS in Your Browser 20
  Installing and Upgrading ACE Management Server 20
    Install an ACE Management Server on a Windows Host 20
    Install ACE Management Server on a Linux System 21
    Install an ACE Management Server Appliance 22
    Verify That the Apache Service Is Started or Restarted 23
  Start and Configure ACE Management Server 24
  Log In to ACE Management Server 25

4 Configuration Options for ACE Management Server 27
  Prerequisites for Configuring the Server 27
    Create Users and Groups for Integration with Active Directory 27
    Set Up an External Database 28
      Creating a System DSN Entry for an External Database 29
      Increase the Number of Database Connections Allowed 30
      Enable Database Connection Pooling on Linux 31
      Set Up a Connection Between the Server Appliance and an External Database 31
    Prepare Custom Security Certificates 32
      View the Properties of the Self-Signed Certificate File 32
  Starting ACE Management Server Configuration 33
    Viewing and Changing Licensing Information 33
    Using an External Database 33
    Creating Access Control 34
    Uploading Custom SSL Certificates 34
    Logging Events 35
    Applying Configuration Settings 36

5 Load Balancing Multiple ACE Management Server Instances 37
  Typical Setup Using Load-Balanced ACE Management Server Instances 38
  Install the Required Services for Load Balancing 38
  Use the Same SSL Certificate on All Servers 39
  Create New SSL Certificates and Keys for Each Server 40
  Installing and Configuring the Load Balancer 41
  Verify That ACE Instances Are Using the Load Balancer 41

6 Managing ACE Instances 43
  Viewing ACE Instances That the Server Manages 43
    Use the VMware ACE Help Desk Application 44
    Use the Instance View in Workstation 44
    Search for an Instance 45
    Sort by Column Heading and Change Column Width 46
    Show, Hide, and Move Columns in the Instance View 46
    Create or Delete Custom Columns in the Instance View 46
  View Instance Details 47
  Reactivate, Deactivate, or Delete an ACE Instance 47
  Change a Copy Protection ID 47
  Reset the Authentication Password 48
  Add Information for Custom Columns 48

7 Troubleshooting and Maintenance 49
  Troubleshooting Configuration Problems 49
    Connection Problems Between a Linux ACE Instance and ACE Management Server 49
    Change the Port Assignment for ACE Management Server 49
    Delete the Server Configuration File and Set a New Administrator Password 50
    Restore a Backup Copy of an SSL Certificate 50
    Configuring Multiple ACE Management Server Instances to Use SSL 51
  Database Backup 52

Appendix: Database Schema and Audit Event Log Data 53
  Using Database Reporting Tools 53
  Database Schema 53
  Querying the Audit Event Log Data 57

Glossary 61

Index 63

About This Book

This manual, the VMware ACE Management Server Administrator's Manual, provides information about installing and using the VMware ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:

- Manage activation of ACE packages.
- Manage authentication of those activated packages.
- Dynamically deliver policy updates to managed ACE instances.
- Dynamically deliver instance customization data for managed ACE instances with Windows guest operating systems.

Intended Audience

This book is intended for anyone who needs to install, upgrade, or use ACE Management Server to manage ACE instances. ACE Management Server is intended for ACE administrators who must maintain and update ACE policies used on virtual machines deployed throughout an enterprise.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to: [email protected]

Technical Support and Education Resources

The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.

Support Offerings

To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available on site, in the classroom, and live online. For on-site pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
Chapter 1 Introduction

The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.

This chapter includes the following topics:

- Features of ACE Management Server on page 7
- System Requirements on page 8

Features of ACE Management Server

ACE Management Server offers scalability and reliability:

- You can increase capacity by adding network resources such as load balancers and extra server hardware.
- For testing environments, the default embedded backing store provides a simple and efficient database solution. To scale ACE Management Server for production deployments, you can configure and use an external relational database management system (RDBMS).
- In Windows, multithreaded processes handle server requests. In Linux, multiple processes handle server requests. If one process fails, another takes over.

ACE Management Server offers Active Directory integration:

- You can use Active Directory to authenticate users of ACE instances.
- You do not need a schema change for your existing Active Directory.
- LDAP is used to access Active Directory.
- Information about Windows domain user account states is provided in clear and useful messages. Reasons for login failures are presented as locked out or password expired.
- ACE Management Server acts as an Active Directory password change proxy.
- You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.

Security features include the following:

- Encrypted communications between server and clients travel over HTTPS.
- Passwords are stored securely in hashed form in the backing store.
- Flexible database options allow use of an embedded database or an external RDBMS to store ACE instance data and policies.
- You can upload a custom SSL certificate while configuring the ACE Management Server.

Supported External Databases

An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:

- For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g

  If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.

- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

Supported Proxies

You can deploy ACE Management Server with the following HTTPS proxy solutions:

- Apache Proxy: Using mod_proxy
- Zeus Technology Load Balancer: A commercially available load balancer and traffic management solution

Required Web Browsers

The browser-based ACE Management Server Setup application and the VMware ACE Help Desk application require one of the following Web browsers:

- Mozilla Firefox 1.52 or higher.
- Internet Explorer 6.0 or higher. Make sure that the Internet Explorer browser has TLS 1.0 checked to log in to the AMS web configuration page.

Licensing

You must configure the server and enter the serial number in the server setup Web application. If you do not, you cannot connect to the server in Workstation.

Your serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. Workstation and ACE instances cannot connect to an ACE Management Server with an expired or nonexistent license.


Chapter 2 Planning an ACE Management Server Deployment

This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices. This chapter includes the following topics:

- Deployment Components on page 11
- Performing Capacity Planning on page 13
- Security Features and Considerations on page 16
- Accessing ACE Management Server from Outside the Corporate Firewall on page 17
- Deployment Planning Worksheet on page 18

Deployment Components

A typical ACE Management Server deployment has the following components:

- One or more ACE Management Server instances: Configuring multiple servers to use the same database increases the number of ACE clients you can manage and guarantees high availability.
- Database server: For production deployments, VMware recommends Oracle Database 10g or MS SQL for ACE Management Server installed on a Windows host, and Postgres for ACE Management Server installed on a Linux host.
- (Optional) Active Directory domain controller: To enable the ACE Management Server Active Directory integration, you must configure ACE Management Server to communicate with your domain controller.
- (Optional) HTTP load balancer: Use a load balancer to help scale the capacity of your ACE Management Server deployment.
- (Optional) HTTP proxy: If clients will access ACE Management Server from outside the corporate firewall, VMware recommends using an HTTPS proxy in the DMZ. You can use ACE Management Server with Apache Proxy and Zeus Technology Load Balancer.

For an example of an ACE Management Server deployment, see Figure 2-1.

Figure 2-1. Comprehensive ACE Management Server Deployment

[Figure 2-1 diagram labels: ACE Management Server (one or more); Active Directory domain controller (optional); database server; proxy for ACE Management Server service through corporate firewall (optional); WSAE client (within corporate network); load balancer (optional); ACE Player client (outside corporate network); ACE Player client (within corporate network); connections labelled LDAP/Kerberos, ODBC, and HTTPS]

ACE Management Server offers convenience and flexibility in its setup options.

You can install the server on Windows or Linux hosts. For testing purposes, you can download and run the server as a virtual appliance. ACE Management Server includes its own security certificates and embedded database, but you can use an external database and use certificates from a certificate authority if you prefer. You can also configure ACE Management Server to use Active Directory for authentication.

Host System Options

You can install ACE Management Server on a Windows host, a Linux host, or as a virtual appliance. If you set up multiple ACE Management Server instances, they must all be the same type.

Windows Hosts

If you plan to integrate with Active Directory, VMware recommends that you install ACE Management Server on a Windows host.

The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system to integrate with Active Directory. Internal testing results indicate that the Windows implementation provides better performance than Linux.

Linux Hosts

You can install ACE Management Server on a Linux host and use Active Directory for authentication, even though performance is slower than on Windows hosts. If you plan to use a Linux host in production environments, use the Linux installer rather than the ACE Management Server appliance. If you do not have the supported Linux operating systems installed on a physical server, you can create a virtual machine, install a supported Linux operating system, and install ACE Management Server in the virtual machine.

Server Appliance Option

The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small Linux operating system in a virtual machine. The appliance is convenient and quick to set up in a testing environment but is not recommended for production environments.

By default, the appliance attempts to configure its network by using DHCP. If you do not want to use DHCP, you can use the browser-based ACE Management Server Setup application to configure the network settings. You can use the same interface to update the appliance when updates become available.

You must have access to a Web browser (Mozilla 1.52 or higher or Internet Explorer 6.0 or higher) to change network settings or obtain updates for the appliance.

Database Options

ACE Management Server offers the following database options:

- Embedded SQLite database: The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.

  The SQLite database is file-based and is not designed to be effectively shared across multiple processes. If you use third-party tools to access the database for a read operation, therefore, you cannot depend on transactional isolation of the pending write operations of the ACE Management Server.

  The embedded database is adequate for testing purposes, but VMware recommends that you use an external database in production environments.

- Supported external database: In production environments, use a supported external database as a backing store for ACE Management Server, through ODBC connectivity. Supported external database engines are the following:

  - For Windows-based ACE Management Server, use Microsoft SQL Server (SQL Server 2000 or SQL Server 2005) or Oracle Database 10g installed on the same system or a different Windows system
  - For Linux-based ACE Management Server, use PostgreSQL 7.4 or higher installed on the same system or a different Linux system

Using an external database with ACE Management Server offers the following benefits:

- Online backup, so that you do not have to shut down ACE Management Server to back up the database.
- Enhanced security model. You can fine-tune permissions to access sensitive data. The SQLite database engine provides only file-system-based security.
- Performance fine-tuning.
- Ability to use external database management and reporting tools.
- Ability to use load balancers with multiple ACE Management Server instances. You must use an external RDBMS as the backing store, because the SQLite database is not designed to be effectively shared across multiple processes.

Active Directory Authentication Options

Active Directory integration provides the following benefits:

- Permits joining an operating system that is running an ACE instance to the domain remotely.
- Provides search functions so you can quickly find a particular individual or group.
- Enables you to use Active Directory Users and Groups to configure role-based access to the features of ACE Management Server.

Performing Capacity Planning

ACE Management Server enables you to manage ACE instances and policies in real time. The number of clients that a single ACE Management Server can serve depends on several key factors:

- Database throughput and scalability
- LDAP throughput (if you are using Active Directory)
- Network bandwidth available for incoming client requests

NOTE If ACE Management Server is deployed in the DMZ, use an external database located inside your corporate network behind a firewall.

- ACE policy configuration
- Load balancers for very large deployments (more than 5,000 clients)

Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.

Table 2-1. Number of Clients Supported

Hardware                                          Recommended Clients
2 GHz AMD 2-way server (Opteron 280, 4 GB RAM)    6,000
2 GHz Intel 2-way desktop machine (4 GB RAM)      4,000

Database Throughput and Scalability

For production deployments, VMware recommends that you use Oracle, MS SQL, or Postgres as your database platform.

More than 95 percent of the storage space that an ACE Management Server requires is used to log event information, which is an audit trail of all transactions performed through ACE Management Server. Table 2-2 lists recommended database sizes based on the number of clients being served.

The figures in the table are based on a 90-day database archival period. Back up the database records every 90 days and keep event logs for 90 days. You can configure ACE Management Server to purge event logs every 90 days.

The authentication event generates most of the data because an event is generated every time someone attempts to authenticate to ACE Management Server. You can configure ACE Management Server to log less event information. See Logging Events on page 35.

Table 2-2. Database Storage Recommendations

Number of Clients    Recommended Database Size
100                  50 MB
1,000                500 MB
10,000               5,000 MB

LDAP Throughput

ACE Management Server can communicate with your Active Directory domain controller to authenticate user credentials. Your domain controller infrastructure handles the LDAP traffic required to support the number of clients that you anticipate.

Integrating with Active Directory through LDAP is implemented differently in the Windows ACE Management Server than in the Linux-based ACE Management Server. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.

Network Bandwidth and Policy Update Frequency

The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.

VMware recommends that for large deployments (more than 5,000 clients), you increase the time between policy updates by clients, because this reduces the amount of required bandwidth.

Table 2-4 shows the bandwidth needed when the policy update frequency value is set to 30 minutes.

The amount of network bandwidth required can also be higher if your policy set is very complex.

VMware recommends that you have a separate network link between ACE Management Server and your database server, so that traffic coming and going from ACE Management Server to its clients does not interfere with the traffic to and from your database server.

Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes

Number of Clients    Bandwidth Required
100                  0.125 Mb/sec
1,000                1.25 Mb/sec
10,000               12.5 Mb/sec

Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes

Number of Clients    Bandwidth Required
100                  0.04 Mb/sec
1,000                0.4 Mb/sec
10,000               4 Mb/sec

ACE Policy Configuration

The configuration of ACE policies can affect performance. You can increase the amount of data that is transferred between ACE Management Server and ACE Player by using one of the following methods:

- Host policies: Enabling host policies (such as host network quarantine) requires that a host-side daemon retrieves the host policies from the ACE Management Server.
- Complex network quarantine policies: If the set of rules that makes up your network quarantine is very large, the transfer of these rules from the ACE Management Server to the clients can affect the scalability. The numbers shown in Table 2-3 and Table 2-4 are estimates of required bandwidth given average-size rule sets for network quarantine. You can view the size of your policy set by examining the ACE file directory and counting the size of the .vmpl file. An average policy set is 15 KB or less.

Load Balancers

The ACE Management Server client-server protocol is built on top of the HTTPS protocol. You can use HTTP load balancing software and hardware solutions to scale an ACE Management Server deployment beyond the capacity of a single server (or for high availability deployments).

ACE Management Server scales in a linear fashion when an enterprise-grade HTTPS load balancer is used. See Chapter 5, Load Balancing Multiple ACE Management Server Instances, on page 37.
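The capacity-planning figures above (Tables 2-1 to 2-4, the 5,000-client load balancer threshold, the 90-day archival period and the 15 KB average policy set) can be turned into one repeatable calculation. The following planner is an added example, not code from the VMware manual; it assumes, beyond what the manual states, that bandwidth at update intervals other than 10 and 30 minutes scales inversely with the interval, that database size scales linearly with the archival period, and that a policy set larger than 15 KB costs proportionally more bandwidth.

```python
"""Capacity planner for an ACE Management Server deployment (added example).

Figures come from Tables 2-1 to 2-4 and the surrounding text of the manual:
  - Table 2-1: recommended clients per server by hardware class
  - Table 2-2: 0.5 MB of database per client for a 90-day event-log archive
  - Tables 2-3/2-4: Mb/sec per 100 clients at 10- and 30-minute update intervals
  - load balancer for very large deployments (more than 5,000 clients),
    which in turn requires an external RDBMS instead of the embedded SQLite
Assumptions not stated by the manual are marked "Assumption" below.
"""
from dataclasses import dataclass
import math

# Table 2-1: recommended clients per server.
CLIENTS_PER_SERVER = {
    "amd_2way_server": 6_000,     # 2 GHz AMD 2-way server (Opteron 280, 4 GB RAM)
    "intel_2way_desktop": 4_000,  # 2 GHz Intel 2-way desktop machine (4 GB RAM)
}

# Tables 2-3 and 2-4: Mb/sec per 100 clients, keyed by update interval in minutes.
MBPS_PER_100_CLIENTS = {10: 0.125, 30: 0.04}

MB_PER_CLIENT_90_DAYS = 0.5        # Table 2-2: 100 clients -> 50 MB, 1,000 -> 500 MB
DEFAULT_ARCHIVE_DAYS = 90
AVERAGE_POLICY_KB = 15             # "An average policy set is 15 KB or less."
LOAD_BALANCER_THRESHOLD = 5_000    # "very large deployments (more than 5,000 clients)"


@dataclass
class Plan:
    clients: int
    servers: int
    bandwidth_mbps: float
    database_mb: float
    load_balancer: bool
    external_database_required: bool
    notes: list


def bandwidth_mbps(clients, update_interval_min, policy_kb=AVERAGE_POLICY_KB):
    """Bandwidth in Mb/sec for the given client count and policy update interval."""
    if update_interval_min <= 0:
        raise ValueError("update interval must be positive")
    if update_interval_min in MBPS_PER_100_CLIENTS:
        per_100 = MBPS_PER_100_CLIENTS[update_interval_min]
    else:
        # Assumption: scale the 10-minute figure inversely with the interval.
        per_100 = MBPS_PER_100_CLIENTS[10] * 10 / update_interval_min
    # Assumption: a policy set above the 15 KB average costs proportionally more.
    policy_factor = max(policy_kb, AVERAGE_POLICY_KB) / AVERAGE_POLICY_KB
    return round(clients / 100 * per_100 * policy_factor, 3)


def database_mb(clients, archive_days=DEFAULT_ARCHIVE_DAYS):
    """Recommended database size in MB (Table 2-2; assumption: linear in archive period)."""
    return round(clients * MB_PER_CLIENT_90_DAYS * archive_days / DEFAULT_ARCHIVE_DAYS, 1)


def plan_deployment(clients, update_interval_min=10, hardware="amd_2way_server",
                    policy_kb=AVERAGE_POLICY_KB, archive_days=DEFAULT_ARCHIVE_DAYS,
                    high_availability=False):
    """Derive server count, bandwidth, database size and required components."""
    capacity = CLIENTS_PER_SERVER[hardware]
    servers = max(1, math.ceil(clients / capacity))
    if high_availability:
        servers = max(servers, 2)          # a second instance behind the balancer
    load_balancer = clients > LOAD_BALANCER_THRESHOLD or servers > 1
    notes = ["VMware recommends an external RDBMS for any production deployment."]
    if load_balancer:
        notes.append("Load balancer needed: all instances must share one SSL key and "
                     "certificate pair or embed every certificate chain in the package; "
                     "the embedded SQLite store cannot be shared between instances.")
    if clients > LOAD_BALANCER_THRESHOLD and update_interval_min < 30:
        notes.append("Consider a 30-minute policy update interval to cut bandwidth.")
    if policy_kb > AVERAGE_POLICY_KB:
        notes.append("Policy set exceeds the 15 KB average; bandwidth figure scaled up.")
    return Plan(clients, servers, bandwidth_mbps(clients, update_interval_min, policy_kb),
                database_mb(clients, archive_days), load_balancer,
                external_database_required=load_balancer, notes=notes)


if __name__ == "__main__":
    for p in (plan_deployment(100), plan_deployment(12_000, 30, high_availability=True)):
        print(p)
```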

Security Features and Considerations

By default, ACE Management Server uses the Secure Sockets Layer (SSL) protocol to provide encrypted and secure communications.

Following is an overview of security features and recommendations on how to configure the ACE Management Server to avoid security problems:

- Traffic to and from clients is protected by HTTPS: By default, ACE Management Server creates a self-signed certificate when you install it, to use for HTTPS traffic. These certificates are secure, but you can also configure ACE Management Server to use your own certificate and key pairs.
- Traffic from ACE Management Server to Active Directory is encrypted: If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. LDAP traffic is encrypted at the application layer. Credentials are protected by using the Kerberos protocol to authenticate credentials.
- Sensitive configuration options are encrypted: Passwords stored in the configuration file are encrypted.
- Database security: The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.

SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient. URLs that require an SSL connection start with https.

During ACE Management Server installation, the following two files are created:

- server.key: An RSA 1024-bit key; this is the private key.
- server.crt: A self-signed certificate. Its signature is verified by the public key, which is embedded in the certificate. This public certificate is valid for 10 years from the date and time at which the server is installed. The certificate file is encoded in PEM format.

By default, these files are stored in the SSL directory in the VMware ACE Management Server program directory.

VMware Player, which runs the ACE instances, does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. Using self-signed certificates is adequate for most security needs.

You can, however, use a certificate issued by a certificate authority. If you have multiple ACE Management Server instances, you can use one certificate for all or you can use a different certificate on each one.

Using SSL Certificates and Protocol

When an ACE-enabled virtual machine connects to an ACE Management Server, it downloads the public certificate for that server and any chain of certificates required to verify the server's public certificate. A server certificate might have a chain of several certificates that must be verified step by step until the verification process reaches the root, or trusted, certificate in the certificate store. The first time a connection is made to a server by any ACE-enabled virtual machine on a Workstation administrator machine, the certificate and its verification chain are downloaded to the Workstation host system.

The store, or collection of certificates, that is downloaded when an ACE-enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE-enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server. It verifies that the certificates that are in the ACE package match those that the server provides. If they do not match exactly, VMware Player displays an error message and does not run the instance.

VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.

If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key-certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public key certificates, typically for a fee.

Accessing ACE Management Server from Outside the Corporate Firewall

All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management Server traffic.

Because of the number of data connections that the ACE Management Server must make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.

Figure 2-2. Recommended Deployment for External Access

ACE Management Server can be deployed with the following HTTPS proxy solutions:

- Apache Proxy: Using mod_proxy
- Zeus Technology Load Balancer: A commercially available load balancer and traffic management solution

Avoid the following problems when you use a proxy for traffic into an ACE Management Server:

- SSL termination: If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy server and ACE Management Server. Or, use the ACE Management Server certificate chain to embed the HTTPS proxy certificate verification chain in the ACE package. An example of a proxy server that terminates SSL connections is Apache Proxy. The Zeus load balancing products support SSL pass-through, which means that the SSL connection is terminated at ACE Management Server.
- Multiple ACE Management Server SSL certificates: If you are deploying multiple ACE Management Server instances behind a load balancing solution, all ACE Management Server instances must use the same SSL key and certificate pair. You can also use the ACE Management Server certificate chain feature to embed every SSL certificate verification chain into the ACE package.
- DNS resolution: When you create an ACE-enabled virtual machine, you must specify a host name for ACE Management Server. This host name must resolve to the appropriate IP address for both internal and external clients. Internally, it can resolve to ACE Management Server itself. Externally, it can resolve to the HTTPS proxy server.

Because the traffic coming into ACE Management Server is plain HTTPS traffic and the server is stateless, you can deploy many other configurations to provide external access to an ACE Management Server. When you design your deployment, think of ACE Management Server as a Web server with secure traffic.
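The exact-match rule from the Security Features section (the certificates in the ACE package must match those the server presents, or VMware Player refuses to run the instance) is what makes the SSL-termination and multiple-certificate cautions above necessary. The following is an added example, not VMware's code, that models that check: it compares the DER bytes of every presented certificate against the package store and shows why a DMZ proxy or a second server with its own certificate is rejected unless its chain was embedded. The PEM bodies are constructed placeholders, because the check compares bytes exactly and never parses X.509.

```python
"""Exact-match check of an ACE package certificate store against a presented
chain, modelled on the behaviour the manual describes for VMware Player.
Added example, not VMware's code; placeholder PEM bodies are constructed.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_chain_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order.

    Line wrapping and line endings differ between tools, so comparisons are
    made on the decoded DER, never on the PEM text itself.
    """
    ders = []
    for body in PEM_BLOCK.findall(pem_text):
        ders.append(base64.b64decode("".join(body.split()), validate=True))
    return ders


def fingerprint(der):
    """SHA-256 fingerprint of one certificate, for reporting a mismatch."""
    return hashlib.sha256(der).hexdigest()


def verify_against_package(package_store_pem, presented_chain_pem):
    """Accept only if every presented certificate is byte-identical to one in the store.

    Returns (ok, reason). The package store is the only trust source
    (certificates installed on the host are ignored), so a chain that does not
    match exactly is rejected. That is what happens when an SSL-terminating
    proxy, or a second load-balanced server, presents a certificate that was
    never embedded in the package.
    """
    store = {fingerprint(d) for d in pem_chain_to_der(package_store_pem)}
    presented = pem_chain_to_der(presented_chain_pem)
    if not store:
        return False, "package certificate store is empty"
    if not presented:
        return False, "server presented no certificate"
    for index, der in enumerate(presented):
        fp = fingerprint(der)
        if fp not in store:
            return False, f"certificate {index} (sha256 {fp[:16]}...) not in package store"
    return True, f"all {len(presented)} presented certificate(s) found in package store"


def make_placeholder_pem(label, wrap=64):
    """Constructed stand-in for a PEM certificate (NOT a real X.509 certificate)."""
    body = base64.b64encode(f"CONSTRUCTED-PLACEHOLDER-{label}".encode()).decode()
    lines = [body[i:i + wrap] for i in range(0, len(body), wrap)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample data: the chain of the first server, the chain of a second
# load-balanced instance, and the certificate of a DMZ proxy that terminates SSL.
AMS1_CHAIN = make_placeholder_pem("ams1-server") + make_placeholder_pem("corp-root-ca")
AMS2_CHAIN = make_placeholder_pem("ams2-server") + make_placeholder_pem("corp-root-ca")
PROXY_CHAIN = make_placeholder_pem("dmz-proxy") + make_placeholder_pem("corp-root-ca")

PACKAGE_STORE_ONE_SERVER = AMS1_CHAIN                  # package built against ams1 only
PACKAGE_STORE_BOTH_SERVERS = AMS1_CHAIN + AMS2_CHAIN   # "embed every chain" option


if __name__ == "__main__":
    print(verify_against_package(PACKAGE_STORE_ONE_SERVER, AMS1_CHAIN))    # accepted
    print(verify_against_package(PACKAGE_STORE_ONE_SERVER, PROXY_CHAIN))   # rejected
    print(verify_against_package(PACKAGE_STORE_BOTH_SERVERS, AMS2_CHAIN))  # accepted
```

The remedy the manual gives follows directly: either the proxy and every server use the same key and certificate pair, so the presented chain is identical, or every chain is embedded in the package before it is built.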

[Figure 2-2 diagram labels: external client; external firewall; HTTPS proxy server; internal firewall; AMS server; HTTPS traffic (443) on both legs of the proxied connection; back-end connections from the AMS server: ODBC, NETBIOS (port 137), DNS, KRB5 (port 88), LDAP (port 389)]

  • 8/6/2019 ACE Management Server

    18/64

    ACE Management Server Administrators Manual

    18 VMware, Inc.

Deployment Planning Worksheet

Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.

Table 2-5. Worksheet for ACE Management Server in a Production Environment

Component: Active Directory integration
Considerations: Performance is better when the ACE Management Server is installed on a Windows host. See also "Create Users and Groups for Integration with Active Directory" on page 27.
Decision: Use Active Directory? ________ If yes, name of user account for ACE Management Server to query the Active Directory database: __________________ Fully qualified domain name of the LDAP server: _______________________

Component: ACE Management Server
Considerations: If you use multiple servers, all must be installed on the same platform. For capacity planning, see "Number of Clients Supported" on page 14.
Decision: Use Windows or Linux hosts? _____________ How many servers? ____________

Component: Database server
Considerations: The database server must be compatible with the ACE Management Server host. See "Supported External Databases" on page 9.
Decision: MS SQL, Oracle, or PostgreSQL database? ____________________________

Component: Load balancer
Considerations: Use a load balancer for large deployments or for high availability. It must support HTTPS and requires an external database. See "Load Balancers" on page 15.
Decision: Use a load balancer? ________

Component: Proxy
Considerations: If ACE clients will contact ACE Management Server from outside the firewall, use a proxy. See "Accessing ACE Management Server from Outside the Corporate Firewall" on page 17.
Decision: Use a proxy? __________ Apache Proxy or Zeus Technology Load Balancer? ________________________

Component: SSL certificates
Considerations: If you use multiple servers and plan to use a different SSL certificate for each one, you must create or send for the certificates. ACE Management Server supports only public key certificates that are signed using the SHA1 algorithm. See "Using SSL Certificates and Protocol" on page 16.
Decision: Which type of certificate: self-signed, third-party, or internal CA (certificate authority)? ___________________ Number of certificates? __________

Component: Ports
Considerations: For Active Directory, use port 389. For the ACE Management Server appliance, use port 8080. See "Change the Port Assignment for ACE Management Server" on page 49 and "Accessing ACE Management Server from Outside the Corporate Firewall" on page 17. Port 8000 for configuring the ACE Management Server. Port 443 for client requests.
Decision: Which additional ports? ______________


3 Installing and Configuring ACE Management Server

This chapter includes the following topics:

- "Preparing for Installation" on page 19
- "Installing and Upgrading ACE Management Server" on page 20
- "Verify That the Apache Service Is Started or Restarted" on page 23
- "Start and Configure ACE Management Server" on page 24
- "Log In to ACE Management Server" on page 25

Preparing for Installation

Before you install ACE Management Server, you must plan your deployment. Complete the following tasks:

1 To determine which type of ACE Management Server installer to use, how many servers to install, and which deployment components to include, see Chapter 2, "Planning an ACE Management Server Deployment," on page 11.

2 To configure your Web browser to use Transport Layer Security (TLS), see "Configure TLS in Your Browser" on page 20.

3 To synchronize the clock on the host system with the client system, use Network Time Protocol (NTP).

4 To choose an HTTPS port for the host on which you plan to run ACE Management Server, see Table 3-1.

Table 3-1. Port Assignments, Default Settings, for ACE Management Server

HTTPS Port Number   Description
443                 Communications between ACE Management Server and ACE instances
8000                ACE Management Server Setup (configuration) Web application; ACE Help Desk Web application
8080                ACE Management Server Appliance configuration

NOTE If another Web server is installed that uses any of these default ports, you might need to resolve the conflict.


Configure TLS in Your Browser

Transport Layer Security (TLS) must be configured on your Web browser to operate ACE Management Server.

To configure TLS in your browser

Depending on the type of browser, do one of the following:

- For an Internet Explorer browser:
  a Choose Tools > Internet Options > Advanced and scroll down to Security.
  b Select the Use TLS 1.0 check box and click OK.

- For a Mozilla browser:
  a Choose Tools > Options > Advanced.
  b Select the Use TLS 1.0 check box and click OK.

Installing and Upgrading ACE Management Server

You can install one or more ACE Management Server instances to service the ACE instances in your enterprise. If you set up multiple ACE Management Server instances, they all must be installed on either Windows hosts or Linux hosts, or all must be installed as appliances.

To upgrade from ACE Management Server 2.0 to 2.6, use the same procedure as for installing the server for the first time. When the installer detects an earlier version, it uninstalls the old version before installing the new one. Configuration settings are preserved.

For production deployments, VMware recommends that ACE Management Server be installed on either a dedicated server or a virtual platform with sufficient available resources to ensure performance and stability. System requirements depend almost exclusively on the number of ACE instances being supported and the frequency with which they are configured to communicate with the server. For more information about VMware performance testing, see "Performing Capacity Planning" on page 13.

However, ACE Management Server was tested and can be installed on desktop or workstation platforms to support a small number of clients or non-production evaluations.

Install an ACE Management Server on a Windows Host

Installing ACE Management Server on a Windows host involves downloading and running an installation wizard. You can install ACE Management Server on the following Windows systems:

- Windows Server 2003
- Windows XP Professional (includes 64-bit editions)
- Windows 2000 Server

Before you begin, make sure the clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 19.

Use this installation procedure to install or update ACE Management Server software.

To install an ACE Management Server on a Windows host

1 Download the VMware-ACE-Management-Server.exe file from the VMware Web site and save the file on the system that is to host the server.

The file is available as a separate downloadable file in the same download location as the Workstation application.

2 Double-click the VMware-ACE-Management-Server.exe file to start the installation wizard.


3 Follow the prompts in the installation wizard.

4 If you are using a computer that has a firewall enabled and you see a message at the end of the installation asking whether you want to unblock the Apache service, choose Unblock.

ACE Management Server does not work properly if you do not unblock the Apache service.

After ACE Management Server is installed, you can configure it. See "Start and Configure ACE Management Server" on page 24.

Install ACE Management Server on a Linux System

You can install ACE Management Server on the following Linux systems:

- Red Hat Enterprise Linux 4
- SUSE Linux Enterprise Server 9 SP3

Before you begin, make sure the system meets these requirements:

- A working installation of Apache 2.0 is installed on the system. (The RPM for a Web server is included with the Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 installation.)
- Apache Web service is operating normally and is receiving requests for SSL HTTP.
- The mod_ldap and mod_ssl modules are available on your system.
- The following packages are installed on your Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 system: curl, openldap, openssl, apache, and gdbm.
- For SUSE Linux Enterprise Server 9, the cyrus-sasl-gssapi package is installed. This package is not installed by default.
- When you use the external database option, the following packages are required as well:
  - Red Hat Enterprise Linux 4: unixODBC
  - SUSE Linux Enterprise Server 9: unixODBC and, if you plan to use the X11 graphical configuration tool, unixODBC-gui-qt
- The clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 19.

Use this installation procedure to install or update ACE Management Server software.

To install ACE Management Server on a Linux system

1 Download the .rpm file from the VMware Web site and save the file on the system that is to host the server.

The file is available as a separate downloadable file in the same download location as the Workstation application.

2 Run the Red Hat or SUSE Linux RPM installer for ACE Management Server:

vmware-ace-management-server-.i386-rhel4.rpm
vmware-ace-management-server-.i386-sles9.rpm

For example:

rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm


3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:
  a Open the following file with a text editor:
    /etc/sysconfig/apache2
  b Add the ldap config option to the APACHE_MODULES variable.
  c Save and close the file.

After ACE Management Server is installed, you can configure it. See "Start and Configure ACE Management Server" on page 24.

Install an ACE Management Server Appliance

The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small operating system in a virtual machine. Although the appliance is adequate for test environments, VMware recommends that you do not use it in production environments.

Before you begin, make sure the clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 19.

To install an ACE Management Server appliance

1 Download the .zip file for the appliance from the VMware Web site and save the file on the system that is to host the server.

2 Extract the files to the directory where the server is to be located.

3 Start Workstation, choose File > Open, and select the ams_appliance.vmx file.

4 Click the Power On button to start the virtual appliance.

5 At the password prompt, enter a password and confirm it.

This password is used for both root and network accounts. Make a note of this password so that you can use it for later appliance management operations from the console and the Web.

The appliance configures its network by using DHCP.

The console view displays the following information:
- Current network settings
- URLs for remotely administering the appliance and configuring the ACE Management Server itself

If you press Return at the login prompt, the information appears again.

6 At the time zone prompt, accept the current setting or make a change as needed.

7 (Optional) To configure the server to use a static IP address or to specify a proxy server, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Network link on the first page of the browser-based ACE Management Server Setup application.
  e To view instructions about configuring network settings, click the Help link in the upper right corner of the Web page.
  f After you change network settings, click Apply.


8 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Update link on the first page of the Appliance Configuration and Management Web application and complete the Appliance Update page.
  e To view instructions about configuring update options, click the Help link in the upper right corner of the Web page.

9 When you finish configuring any network or update settings, navigate to the ACE Management Server Setup Web application to configure the server.

To access that application, choose one of these methods:
- From the Appliance Management and Configuration Web application page, click the ACE Login link in the upper right corner of the page.
- From a command prompt window, close the window, open a browser, and enter the URL for the ACE Management Server Setup Web application:
  https://:8000/

10 Click Configuration to open the Web application.

Verify That the Apache Service Is Started or Restarted

If you installed ACE Management Server on a Linux host, verify that the Apache service is started before you attempt to log in.

For troubleshooting purposes, you might occasionally need to manually restart the Apache service that ACE Management Server uses.

To verify that the Apache service is started or restarted

Do one of the following:

- On Windows hosts:
  a Click the Apache icon in the taskbar.
  b Select Apache2 in the menu that appears.
  c Choose the appropriate command:
    - To start the service if it is stopped, click Start. If the service is already started, this command is unavailable.
    - To restart, click Stop and then click Start. Ensure that you click Stop and Start rather than Restart.

- On SUSE Linux Enterprise Server 9 hosts or in the virtual machine that contains the ACE Management Server appliance:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:
    /etc/init.d/apache2 status

If the status is started, you can log in to ACE Management Server. See "Start and Configure ACE Management Server" on page 24.


3 Enter login credentials.

If you use Active Directory for authentication, see Table 3-2. In multidomain environments, you might be required to enter a domain (for example, eng.com).


4 Configuration Options for ACE Management Server

After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.

This chapter includes the following topics:

- "Prerequisites for Configuring the Server" on page 27
- "Starting ACE Management Server Configuration" on page 33
- "Viewing and Changing Licensing Information" on page 33
- "Using an External Database" on page 33
- "Creating Access Control" on page 34
- "Uploading Custom SSL Certificates" on page 34
- "Logging Events" on page 35
- "Applying Configuration Settings" on page 36

Prerequisites for Configuring the Server

If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before you configure the ACE Management Server.

Create Users and Groups for Integration with Active Directory

To use Active Directory for authenticating users, add users to an Active Directory group and create a user so that ACE Management Server can query LDAP.

When you configure ACE Management Server to use LDAP, follow these guidelines to avoid negatively affecting performance:

- The default domain is the domain for which the LDAP host is a domain controller.
- The query user is a user in the default domain.
- The admin user group is a group that exists in the default domain.

Integrating with Active Directory through LDAP is implemented differently in the Windows-based ACE Management Server than in the Linux-based ACE Management Server. The operating systems differ in the libraries they use to connect to Active Directory and the external databases they support. The Windows ACE Management Server uses the WinLDAP library bundled with the Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than the Linux implementation.


To create users and groups for integration with Active Directory

1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying.

Make a note of the sAMAccountName value for that user (for example, aceuser).

2 Create an ACE Administrators group in the domain.

3 Add ACE administrator users to the ACE Administrators group.

4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.

You can log in to the Help Desk Web application with your administrative LDAP credentials or password. Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does not give them access to other administrative tools.

Set Up an External Database

Before you begin, make sure that you have one of the following supported database servers:

- For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g

If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.

- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher

Before you install the database on a Linux host, make sure the unixODBC RPM package is installed on the Linux system. VMware recommends that you update the package to the latest version released for your specific Linux distribution. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API.

The package contains the libodbc shared library, providing the ODBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both Red Hat Enterprise Linux and SUSE Linux Enterprise Server 9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package.

Also, make sure the unixODBC-gui-qt package is installed (this utility is included in the Red Hat Enterprise Linux unixODBC package). This package is required to use the ODBCConfig X11 graphical configuration tool for setting up a data source name (DSN).

To set up an external database

1 Install a database server on a host.

The external database does not have to be installed on the same server as ACE Management Server, but it must be installed on the same platform. For example, if ACE Management Server is installed on a Windows host, the database server must also be installed on a Windows host.

ACE Management Server creates the database schema automatically if proper access rights are granted.

2 Configure the database.

Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages.

All tables that are created in the database have a name starting with a PolicyDb_ prefix and indexes with PdbIns_ or PdbLf_ prefixes. You might provide ACE Management Server with a DSN to a database that it shares with some other application, if the database count is at a premium.


3 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:

- TCP connectivity is enabled in the database configuration options.
- The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.
- If you are using a PostgreSQL database, configure per-user permission to connect to the database over the network. Configure that permission in the pg_hba.conf file, which is located in the root folder of your database.

4 (Optional) On the ACE Management Server machine, to verify the server's connectivity to the database with the configured user credentials, run a command-line or graphical SQL tool.

Examples of such tools are sqlcmd.exe for SQL Server, sqlplus.exe for Oracle, and psql for PostgreSQL. For database configuration and verification instructions, see the respective database documentation.

5 On the ACE Management Server machine, create a System DSN entry.

Creating a System DSN Entry for an External Database

The only required information in DSN configuration is the DSN name, server IP address or host name, and the database name. You do not need to provide a user name and password in the DSN configuration. You provide a user name and password later, when you use the ACE Management Server Setup application.

Ensure that you create a system DSN and not a user DSN. If you create a user DSN, it is visible only to your user account. ACE Management Server runs under the local system account, so the server cannot detect or use a user DSN.

Create a System DSN Entry for a Windows Database

Regardless of whether the host is 32-bit or 64-bit, you create a DSN entry for a 32-bit system.

Before you begin, to determine the correct ODBC driver, see your operating system and database documentation.

To create a System DSN entry for a Windows database

1 Do one of the following:

- On 32-bit hosts, use the ODBC Data Sources plug-in by choosing Control Panel > Administrative Tools > Data Sources (ODBC).
- On 64-bit hosts, navigate to %WINDIR%\syswow64\odbcad32.exe and use that program to create a System DSN entry for a 32-bit subsystem.

ACE Management Server does not support ODBC using an SQL Native Client driver on Windows 64-bit systems.

2 Create an entry that includes the DSN name, server IP address or host name, and the database name.

3 (Optional) If the DSN Setup wizard provides an option to test the connection, verify that the connection works with the database user credentials.

4 Make a note of the database DSN, user name, and password.

You can now use the browser-based ACE Management Server Setup application to connect to this database.


Create a System DSN Entry for a Linux Database

On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in.

Before you begin, determine the correct ODBC driver:

- On Red Hat Enterprise Server, the driver is located at /usr/lib/libodbcpsql.so.
- On SUSE Linux Enterprise Server 9, the driver is located at /user/lib/unixODBC/libodbcpsql.so.2.

The DSN configuration for the unixODBC package is stored in the /etc directory (/etc/unixODBC for SUSE Linux Enterprise Server).

If you are using the ACE Management Server appliance, see "Set Up a Connection Between the Server Appliance and an External Database" on page 31.

You use the odbc.ini file for creating DSNs and the odbcinst.ini file for driver and general ODBC system configuration.

To create a System DSN entry for a Linux database

1 As root, use the ODBCConfig utility to create a System DSN entry.

You also must configure the server address and the database name in the DSN settings.

For information about using unixODBC, see the unixODBC Project Web page.

The ODBCConfig utility makes changes to the odbc.ini and odbcinst.ini files.

2 Make a note of the database DSN, user name, and password.

You can now use the browser-based ACE Management Server Setup application to connect to this database.

Increase the Number of Database Connections Allowed

For optimal server performance, ACE Management Server starts multiple parallel threads (on Windows) or processes (on Linux) listening for the incoming connections from the clients. Every client connection typically runs a database transaction, so it needs to open a database connection.

ACE Management Server usually requires as many database connections as it does parallel threads or processes for client connections. If the server runs out of database connections, the clients might start receiving connection errors.

Table 4-1 includes a list of the locations for the Apache configuration file and the typical default number of connections.

The default installation of the PostgreSQL database on Red Hat Enterprise Linux allows 100 remote connections, which is less than the number of parallel threads that the Apache server starts by default on the same platform. Change this number if you expect a high volume of client requests to your server (more than 100 active clients).

Table 4-1. Apache Configuration File Locations and Default Client Connections

Platform                         Location                                                                      Client Connections
Windows                          C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf   250 (WinNT MPM section)
Red Hat Enterprise Linux         /etc/httpd/conf/httpd.conf                                                    256 (prefork MPM section)
SUSE Linux                       /etc/apache2/server-tuning.conf                                               150 (prefork MPM section)
ACE Management Server appliance  /etc/httpd/apache2.conf                                                       20 (prefork MPM section)


To increase the number of database connections allowed

1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of parallel threads or processes that might start at the same time.

2 Configure the database to allow as many connections as the Apache server.

See your database documentation.
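The comparison that steps 1 and 2 above ask for, as an added shell example that is not part of the VMware manual: it reads the MPM connection limit from an httpd.conf (prefork MaxClients on Linux, WinNT ThreadsPerChild on Windows, as in Table 4-1) and max_connections from a postgresql.conf, and reports whether the database can keep up. The sample configuration files are constructed here; on a real host pass the Table 4-1 path and the PostgreSQL configuration file instead.

```shell
#!/bin/sh
# Added example (not from the VMware manual): compare the number of client
# connections Apache may open at once with the connections PostgreSQL allows.
# Only POSIX sh and awk are needed; the sample files below are constructed.
set -eu

# Print the MPM connection limit found in an httpd.conf: MaxClients in the
# prefork section (Linux; MaxRequestWorkers is the Apache 2.4 spelling) or
# ThreadsPerChild in the WinNT section (Windows runs a single child process).
# Prints "unknown" if neither section carries a limit.
apache_max_clients() {
    awk '
        /^[[:space:]]*#/ { next }                                   # comment line
        /^[[:space:]]*<IfModule/ { sec = $2; sub(/>.*/, "", sec); next }
        /^[[:space:]]*<\/IfModule>/ { sec = ""; next }
        sec ~ /prefork/ && ($1 == "MaxClients" || $1 == "MaxRequestWorkers") { v = $2 }
        sec ~ /winnt/ && $1 == "ThreadsPerChild" { v = $2 }
        END { if (v == "") v = "unknown"; print v }
    ' "$1"
}

# Print max_connections from a postgresql.conf (PostgreSQL's own default is
# 100 when the directive is absent or commented out).
pg_max_connections() {
    awk -F '[=#[:space:]]+' '
        { sub(/^[[:space:]]+/, "") }                  # trim indent, resplit fields
        $1 == "max_connections" { v = $2 }
        END { if (v == "") v = 100; print v }
    ' "$1"
}

# Exit 0 when the database allows at least as many connections as Apache may
# need; otherwise report the shortfall and exit 1 (2 if no limit was found).
check_db_capacity() {                    # $1 httpd.conf, $2 postgresql.conf
    apache=$(apache_max_clients "$1")
    db=$(pg_max_connections "$2")
    if [ "$apache" = unknown ]; then
        echo "$1: no MPM connection limit found" >&2
        return 2
    fi
    if [ "$db" -lt "$apache" ]; then
        echo "PostgreSQL allows $db connections but Apache may open $apache;" \
             "raise max_connections in $2 to at least $apache" >&2
        return 1
    fi
    echo "ok: PostgreSQL allows $db connections, Apache limit is $apache"
}

# Constructed sample files (not copied from any real host): a Red Hat-style
# prefork httpd.conf with the Table 4-1 default of 256, a Windows-style WinNT
# MPM httpd.conf with 250, and a postgresql.conf with the default of 100.
write_sample_configs() {                 # $1 directory to write into
    cat > "$1/httpd.conf" <<'EOF'
# prefork MPM
<IfModule prefork.c>
StartServers       8
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>
<IfModule worker.c>
MaxClients       150
</IfModule>
EOF
    cat > "$1/httpd-win.conf" <<'EOF'
<IfModule mpm_winnt.c>
ThreadsPerChild 250
MaxRequestsPerChild  0
</IfModule>
EOF
    cat > "$1/postgresql.conf" <<'EOF'
#max_connections = 200   # commented-out value must be ignored
max_connections = 100    # (change requires restart)
shared_buffers = 1000
EOF
}

# Usage: sh check_db_capacity.sh demo   (runs the check over the samples)
if [ "${1:-}" = demo ]; then
    tmp=$(mktemp -d)
    write_sample_configs "$tmp"
    check_db_capacity "$tmp/httpd.conf" "$tmp/postgresql.conf" || echo "exit status $?"
    rm -rf "$tmp"
fi
```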

Enable Database Connection Pooling on Linux

Enabling database connection pooling for databases on Linux hosts can give a substantial performance gain under high loads. ACE Management Server can reuse database connections rather than opening new connections for every request.

Enable database connection pooling in the ODBC Driver Manager (it is disabled by default) to optimize performance for servers on Linux platforms.

On Windows platforms, ODBC connection pooling is enabled by default.

To enable database connection pooling on Linux

1 Start the ODBCConfig utility as a root user.
2 Click the Advanced tab.
3 Select the Connection Pooling check box.

Set Up a Connection Between the Server Appliance and an External Database

The ACE Management Server appliance does not contain a PostgreSQL database server. You can, however, use an external database server with the appliance.

To set up a connection between the server appliance and an external database

1 Log in to the server appliance console as root, using the password you created during your first run of the server appliance.

2 Open the /etc/odbc.ini file in a text editor.

For example:

vaos# vi /etc/odbc.ini

This file contains the postgres_dsn setting for the ODBC DSN.

3 Uncomment all lines in the postgres_dsn section except the first two.

To uncomment lines, delete the pound sign (#) at the beginning of each line.

4 Replace placeholders with the PostgreSQL database server DNS name or IP address and the database name of this server.

5 Use the default port number or set a different port number.

6 Save the file.

After you complete this task, postgres_dsn appears in the drop-down menu on the Database tab in the ACE Management Server Setup application.


Prepare Custom Security Certificates

To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files. These files must be PEM encoded.

After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL Certificates tab in the ACE Management Server Setup application.

For more information about how VMware ACE uses SSL certificates, see "Using SSL Certificates and Protocol" on page 16.

To prepare custom security certificates

1 Create or provide the needed files:

- For your own self-signed certificate, use the openssl utility to create a new self-signed certificate.
- For a third-party CA or internal CA, obtain an SSL certificate signed by that CA, and a certificate verification chain file.

The chain file is a concatenation of every certificate required to verify the new SSL certificate you created or obtained. Depending on the CA and certificate issued, an example chain file could be a concatenation of the root certificate, one or more intermediary certificates, and the server certificate. Each of the individual pieces must be signed using SHA-1 and in PEM format before concatenation. Steps for obtaining the certificate chain vary, depending on which host operating system you are using and on the source from which the CA certificate is obtained. A CA may provide the complete chain or you may need to assemble the chain yourself.

- A private key file. SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient.

The certificate signatures must use the SHA1 algorithm digest. The files must be PEM encoded.

2 Rename the files, as follows:

- Rename the private key file to server.key.
- Rename the certificate file to server.crt.
- Rename the certificate chain file to chain.crt.

You can now use the ACE Management Server Setup application to upload the certificate files.

View the Properties of the Self-Signed Certificate File

This file is stored in the SSL directory in the VMware ACE Management Server program directory.

To view the properties of the self-signed certificate file

Do one of the following:

- On a Windows host, navigate to the location of the server.crt file and double-click the file name.
- On a Linux host, use the following command:
  openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text

To replace an expired certificate, see "Prepare Custom Security Certificates" on page 32. Do not modify certificates to make them permanent.
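The file preparation described in "To prepare custom security certificates" and the expiry check implied by the note above, as an added shell example that is not part of the VMware manual: it creates a self-signed key and certificate with openssl, concatenates PEM certificates into chain.crt in the order root, intermediates, server, confirms that every certificate in the chain carries the SHA-1 signature ACE Management Server requires, verifies the server certificate against the chain, and reports how close the certificate is to expiry. It assumes the openssl command-line tool; the host name ams.example.test and the digest parameter are choices made here.

```shell
#!/bin/sh
# Added example (not from the VMware manual): create, assemble, and check the
# PEM files the Custom SSL Certificates tab expects (server.key, server.crt,
# chain.crt). Assumes the openssl command-line tool; names are placeholders.
set -eu

# Create a private key and self-signed certificate (the manual's self-signed
# option). The digest is a parameter because ACE Management Server accepts
# only SHA-1 signatures: pass sha1 when preparing files for it.
make_self_signed() {                     # $1 dir, $2 host name, $3 digest
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 "-$3" \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"            # the private key must stay private
}

# Concatenate PEM certificates into a chain file in the order the manual
# describes: root, intermediates, then the server certificate. awk rewrites
# every line, so a file without a trailing newline cannot fuse two blocks.
build_chain() {                          # $1 output chain file, $2... certs in order
    out=$1; shift
    : > "$out"
    for f in "$@"; do awk 1 "$f" >> "$out"; done
}

# Split a PEM bundle into cert1.pem, cert2.pem, ... under directory $2.
split_bundle() {
    awk -v d="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
                   n > 0 { print > f }' "$1"
}

# Signature algorithm of one PEM certificate, e.g. sha1WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 0 only if every certificate in the bundle is SHA-1 signed, which is
# what ACE Management Server requires; list the offenders otherwise.
check_chain_for_ams() {
    tmp=$(mktemp -d); rc=0
    split_bundle "$1" "$tmp"
    for c in "$tmp"/cert*.pem; do
        alg=$(cert_sig_alg "$c")
        case $alg in
            sha1WithRSAEncryption) ;;
            *) echo "$c: $alg is not a SHA-1 signature" >&2; rc=1 ;;
        esac
    done
    rm -rf "$tmp"
    return $rc
}

# Return 0 if the server certificate validates against the chain file.
verify_server_cert() {                   # $1 server.crt, $2 chain.crt
    openssl verify -CAfile "$2" "$1" >/dev/null
}

# Return 0 if the certificate expires within $2 days (0 = already expired),
# so an expiring file is replaced rather than edited, as the manual warns.
cert_expires_within_days() {             # $1 certificate, $2 days
    ! openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Usage: sh prepare_ams_certs.sh demo   (self-signed, SHA-1, in a temp dir)
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    make_self_signed "$d" ams.example.test sha1
    build_chain "$d/chain.crt" "$d/server.crt"
    verify_server_cert "$d/server.crt" "$d/chain.crt" && echo "chain verifies"
    check_chain_for_ams "$d/chain.crt" && echo "all signatures are SHA-1"
    cert_expires_within_days "$d/server.crt" 30 && echo "renew soon"
    ls "$d"
    rm -rf "$d"
fi
```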


Starting ACE Management Server Configuration

If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before configuring the ACE Management Server. See "Prerequisites for Configuring the Server" on page 27.

The text that appears on the Start tab changes, depending on whether you have done an initial configuration:

- If this page says "This server has not been configured yet," you must click Start to complete the configuration setup wizard.
- If this page says "This server is configured," the Next and Previous wizard buttons do not appear. You can navigate to other tabs by clicking a tab.

Viewing and Changing Licensing Information

After you enter an ACE Management Server serial number, use the Licensing tab to determine the expiration date, if any.

The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.

If the system on which you installed ACE Management Server currently has more than one valid server license, just one license appears on the page.

You can use the Licensing tab to add or change a serial number, user name, or company name.

If you make changes to the information on this tab, you must click Apply or Cancel before you can navigate to another tab.

Using an External Database

The embedded database is an SQLite database. VMware recommends that you use an external database in production environments.

The embedded database is initialized during server installation and requires no special configuration. This database is adequate for testing purposes but is not designed to be effectively shared across multiple processes.

Before you can configure the ACE Management Server to use an external database, you must create a system DSN and credentials for accessing that data source. See "Set Up an External Database" on page 28.

Use the following information to help you complete the fields on the Database tab:

- Data Source Name (DSN): Data source name you used when you created a system DSN entry on the ACE Management Server machine.
- User Name and Password: Credentials for a user account that has full access to the database, including rights to create tables.

After you enter the database connection credentials, the setup application checks for an existing database. If the existing schema is not compatible, no schema is available, or the schema cannot be upgraded. If you overwrite the existing schema and data, a new schema is created. If you do not overwrite the existing schema and data, the configuration application quits.

CAUTION After you enter credentials, if the message "Compatible schema exists. Do you want to reinitialize the schema and overwrite the existing data?" appears, select Use existing schema and data unless you want to erase all data in your existing database. To reinitialize the database at some later time, you can reopen this configuration application and return to this page.


If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even if you do not rerun the setup application.

If you make changes to the information on the Database tab, you must click Apply or Cancel before you can navigate to another tab.

Creating Access Control

On the Access Control tab, you can create a local Administrator role and Help Desk role or use Active Directory for authenticating users with these roles.

Before you can configure the ACE Management Server to use a domain account for authentication, you must create users and groups so that ACE Management Server can connect to the LDAP server. See Create Users and Groups for Integration with Active Directory on page 27.

Use the following information to help you complete the fields for authentication:

- Local account: If you specify a password for the Administrator role and forget or lose it, you must delete the server configuration file. Deleting this file sets the server back to its initial state. You must reconfigure the server and set the administrator password again. See Delete the Server Configuration File and Set a New Administrator Password on page 50.

- Domain account (LDAP): To use Active Directory for authentication, specify the host and credentials that the ACE Management Server uses to connect to and query the domain controller:

  - Host Name: Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP address or a host name with no parent domain name (for example, ldap).

  - Query User sAMAccountName and Query User Password: Use the password and short name for the user account you created for this purpose in Active Directory.

  - Query User Domain: The domain must be the domain for which the LDAP host is a domain controller.

  - Admin Group DN and Help Desk Group DN (Optional): Enter the distinguished name for these groups, which you created for this purpose in Active Directory (for example, cn=Users,dc=simplecorp,dc=com). If this option is not enabled, anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.

- Help Desk Role or Group DN: Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from the Help Desk application. Users in this role cannot access other administrative tools. You can still log in to the Help Desk Web application with your administrative LDAP credentials or local Administrator password.

If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you can navigate to another tab.

Uploading Custom SSL Certificates

To have ACE Management Server use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), use the Custom SSL Certificates tab to upload the PEM-encoded files.

Before you can upload custom SSL certificates, you must create and rename the certificate files. See Prepare Custom Security Certificates on page 32.


By default, during ACE Management Server installation, the following two files are created:

- server.key: This RSA 1024-bit key is the private key.

- server.crt: This self-signed certificate is valid for 10 years from the date and time at which the server is installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate file is encoded in PEM format.

When you run an ACE instance, the VMware Player application uses the complete certification chain that is included in its package, not on the host, to verify connections made to ACE Management Server. Therefore, the use of self-signed certificates is adequate for most security needs. For more information about how VMware ACE uses security certificates, see Using SSL Certificates and Protocol on page 16.

When you click Upload certificates, a summary page displays the files and locations you specify on this tab. Note the location of any backup files. You might need to use the backup if you find that the new file is invalid when you click Apply. See Restore a Backup Copy of an SSL Certificate on page 50.

After you upload custom SSL certificates, you must update any existing ACE-enabled virtual machines to use a new certificate and key file. To do so, use Workstation to create an update package. When you deploy the new package, ACE instances receive the new certificate file and certificate chain.

Logging Events

The server collects log entries for events that change the database. On the Logging tab, you can set the logging levels and set an option for purging log entries.

ACE Management Server uses the following logging categories:

- ACE Administration: Logs events for instance creation, update, and destruction.

- Package Administration: Logs events for package creation, update, instance customization, and package removal.

- Policy Administration: Logs events for policy set update and publish, user access control changes, and instance passwords set by an ACE administrator.

- Instance Administration: Logs ACE instance lifecycle events, such as creation, copying, revocation, re-enablement, and deletion. Also logs instance password changes by a user or an administrator, changes in expiration for each instance, changes of instance guest or host operating system information, and setting instance custom fields. The debug level can be used to log the most ubiquitous traffic, such as policy update requests from active instances. Failed instance verifications are logged only at the debug level.

- Authentication: Logs events for every authentication request, such as administration or help desk authentication attempts (at the normal level), instance authentication (at the informational level), and remote LDAP password change. Set logging for this category to the lowest level that is practical for you. This category can generate a large volume of entries.

For each category, you can choose one of the following logging levels:

- None: No log entry is made for this event.

- Critical: An example of a critical log event is one that removes all packages, instances, and policies associated with an ACE-enabled virtual machine.

- Normal: This level of detail is sufficient to answer most queries.

- Informative: Entries for nondestructive events that have limited effect.

- Debug: Entries for every client access of the server. It provides more records of certain event types, creating a large number of logging entries compared to other log levels. It logs all informational transactions, such as instance status and so on.


Use the Event Log Purging control to configure the amount of logging information retained. The purge maintenance process runs approximately every six hours.

If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can navigate to another tab.

Applying Configuration Settings

The Restart page appears when you click Apply on one of the tabs. You must restart the server for the configuration settings to take effect.

If you click Later, you can always restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.


Chapter 5 Load-Balancing Multiple ACE Management Server Instances

If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.

This chapter includes the following topics:

- Typical Setup Using Load-Balanced ACE Management Server Instances on page 38
- Install the Required Services for Load Balancing on page 38
- Use the Same SSL Certificate on All Servers on page 39
- Create New SSL Certificates and Keys for Each Server on page 40
- Installing and Configuring the Load Balancer on page 41
- Verify That ACE Instances Are Using the Load Balancer on page 41


Typical Setup Using Load-Balanced ACE Management Server Instances

A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load-balancing group, the number of clients that you can serve scales linearly. For example, if you can serve 2,000 clients with one server, using two load-balanced servers allows you to serve 4,000 clients.

Figure 5-1 shows a simple deployment topology for using load balancing.

Figure 5-1. Two ACE Management Server Instances Working Together
[Figure: ACE Management Server 1 and ACE Management Server 2 each connect to the Active Directory domain controller (LDAP/Kerberos) and to the database server (ODBC); AMS clients connect to the servers over HTTPS through an optional load balancer.]

To use a setup similar to the one depicted, you must have the following:

- Two or more machines (or virtual machines) to host the ACE Management Server processes
- An external database to host the ACE Management Server data
- A load-balancing solution to manage traffic

Install the Required Services for Load Balancing

Services include multiple ACE Management Server instances, an external database, and Workstation.

To install the required services for load balancing

1. Install the ACE Management Server package on two or more machines (or virtual machines). See Installing and Upgrading ACE Management Server on page 20.

2. Configure each ACE Management Server separately to access the same external database. See Start and Configure ACE Management Server on page 24.

   Both ACE Management Server installations must be able to identify the same data store so that either installation can field queries for clients and scale the number of clients that can be served.


3. To verify that both ACE Management Server instances are working properly, start Workstation and connect to each ACE Management Server directly:

   a. In Workstation, choose File > Connect to ACE Management Server.

   b. Enter the IP or host name of the machine where ACE Management Server is installed, change the number in the Port field if necessary, and click OK.

   The setup is successful if you can view the same data in the Instance View window for each ACE Management Server instance. If you create a test ACE and preview it, you see the preview instance on both servers.

Use the Same SSL Certificate on All Servers

For a load-balancing solution, you can copy the SSL certificate and key from one ACE Management Server to another.

To use the same SSL certificate on all servers

1. Log in to the ACE Management Server Setup application for the first ACE Management Server.

2. Click the Custom SSL Certificates tab to determine the location of the SSL certificate and key directory files.

   On Windows, the files are located at C:\Program Files\VMware\VMware ACE Management Server\ssl.

   On Linux, the files are located at /var/lib/vmware/acesc/ssl.

   The certificate file is server.crt. The key file is server.key.

3. Copy the files to the second ACE Management Server.

   If you are using the ACE Management Server virtual appliance, use the scp (secure copy) command to copy the certificate and key files:

   a. Open a command prompt.

   b. Enter the following command:

      scp user@: user@:

   You can also enable shared folders if you are using Workstation to run the virtual appliance, and copy the files from the virtual machine through the shared folders feature. For more information about shared folders, see the VMware Workstation User's Manual.

4. Log in to the ACE Management Server Setup application for the second ACE Management Server.

5. Use the Custom SSL Certificates tab to upload the files:

   a. Specify the key file in the Server Private Key field.

   b. Specify the certificate file in the Server Public Certificate field.

   c. Click Upload certificates.

   d. Click Apply and click Restart.

CAUTION This procedure directs you to upload both the certificate file (the .crt file) and the matching key file (the .key file). If you do not upload both, the Apache httpd service on the second ACE Management Server might freeze. In this case, you must uninstall and reinstall ACE Management Server.


Create New SSL Certificates and Keys for Each Server

If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server.

If you plan to obtain SSL certificates from a certificate authority, you must create certificate chains. Figure 5-2 provides an overview of determining which certificates are included in a chain.

Figure 5-2. Creating the Certificate Chain File
[Figure: the certificate verification chain (root SSL certificate and intermediary SSL certificate) and the server SSL certificates (ACE Management Server #1 and ACE Management Server #2) are each converted to PEM and appended to the certificate chain file, which then contains the root certificate, the intermediary certificate, and the AMS #1 and AMS #2 certificates in PEM format.]

To create new SSL certificates and keys for each server

1. Create as many SSL certificate and key pairs as you need (one for each server in your server farm).

   The procedure varies, depending on the tools you use. To determine how to create these certificates and keys, see the documentation for your platform. Each certificate must have a unique common name and a unique serial number.

2. If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate.

   The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the leaf certificate (including the root certificate of the chain).

   a. Download the verification chain from your certificate authority.

   b. Each certificate must be in PEM format before you create the certificate chain file. To convert to PEM format, use the OpenSSL tools available online.

   c. Create the certificate chain file by concatenating each PEM-encoded certificate into one file.

      - If both of your certificates are self-signed, your certificate chain file must be a file that contains both certificates concatenated.
      - If you received your certificates from the same certificate authority, the chain file must contain only the verification chain for these certificates, and the chains must be the same.
      - If the certificates come from different certificate authorities, the chain file must contain both certificate verification chains.

   For example, if you are using two ACE Management Server instances, you have two certificate chain files.


3. Join all of the certificate chain files into one file. If you can, eliminate the duplicate entries.

4. Convert the servers' SSL certificates to PEM format.

5. Add the servers' SSL certificates in PEM format to the certificate chain file.

6. On the Custom SSL Certificates tab, upload the SSL certificate file, the SSL key file, and the certificate chain file:

   a. Specify the key file in the Server Private Key field.

   b. Specify the certificate file in the Server Public Certificate field.

   c. Click Upload certificates.

   d. Click Apply and click Restart.

   Complete this step for every ACE Management Server in your farm to upload files to each ACE Management Server.
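The chain-file steps above, as an added shell example that is not VMware's own tooling: merge_chain_files joins several chain files into one while dropping duplicate certificate blocks (step 3), and two optional openssl checks confirm that a server certificate verifies against the merged chain and that the .crt and .key you upload belong together (the cause of the httpd freeze described in the caution above). The file names in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not part of the ACE Management Server product.
# Builds the combined certificate chain file from per-server chain files
# and checks the pair of files that the Custom SSL Certificates tab expects.
# Assumes POSIX sh, awk, grep and the openssl command-line tool.

# merge_chain_files OUT CHAIN1 [CHAIN2 ...]
# Concatenates PEM chain files into OUT, keeping only the first copy of each
# certificate block so a shared root or intermediary appears once.
merge_chain_files() {
  out="$1"
  shift
  cat "$@" | awk '
    /-----BEGIN CERTIFICATE-----/ { inblk = 1; blk = "" }
    inblk { blk = blk $0 "\n" }
    /-----END CERTIFICATE-----/ {
      inblk = 0
      if (!(blk in seen)) { seen[blk] = 1; printf "%s", blk }
    }
  ' > "$out"
}

# count_certs FILE : number of certificate blocks in a PEM file (0 if none)
count_certs() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# verify_leaf CHAIN CERT : the server certificate must verify against the
# merged chain file, because that chain is what the ACE package carries
verify_leaf() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_matches_key CERT KEY : upload only a .crt and .key that belong
# together; the public key embedded in the certificate must equal the
# public key derived from the private key
cert_matches_key() {
  c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
  k=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
  [ "$c" = "$k" ]
}

# Usage (file names are assumptions, not product paths):
#   merge_chain_files chain.pem chain-ams1.pem chain-ams2.pem
#   verify_leaf chain.pem ams1.crt && cert_matches_key ams1.crt ams1.key
```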

Installing and Configuring the Load Balancer

ACE Management Server uses HTTPS to communicate with its clients. You can use any load-balancing solution that supports HTTPS with ACE Management Server.

Install the load balancer and configure port 443 (HTTP over SSL) for load balancing. Do not configure port 8080 or 8000 for load balancing. These two ports are used for configuration. Port 8080 is the virtual appliance configuration port and 8000 is the ACE Management Server configuration port.

Verify That ACE Instances Are Using the Load Balancer

After you configure multiple ACE Management Server instances to work with a load balancer and install the necessary SSL certificates, perform verification. Verify that ACE instances can connect to ACE Management Server instances by using the address of the load balancer.

Before you begin, restart Workstation so that Workstation can download the SSL certificate when a connection to the ACE Management Server is established.

Make sure that third-party CA certificate passwords do not have more than 8 characters.

To verify that ACE instances are using the load balancer

1. Create an ACE-enabled virtual machine.

2. Open the policy editor.

3. Select Policy Update Frequency.

4. Select Disable Offline Usage and click OK.

5. Remove the first ACE Management Server from the load-balancing configuration so that all traffic goes to the second ACE Management Server.

6. Preview the ACE instance. This preview creates an instance on the ACE Management Server.

7. Close the ACE Player.

8. Remove the second ACE Management Server from the load-balancing configuration and add the first ACE Management Server back to the configuration. All traffic goes to the first ACE Management Server.

9. Preview the same ACE instance again, and when prompted whether to reinstantiate or reuse the instance, select Use Existing Instance.

If the instance starts successfully, both servers are using the same SSL certificate.


Chapter 6 Managing ACE Instances

After ACE Management Server is installed and configured, you can do the following:

- View ACE instances that are managed by a particular ACE Management Server.
- Revoke and re-enable an instance.
- Fix various problems with the ACE instances as reported by instance users.

This chapter includes the following topics:

- Viewing ACE Instances That the Server Manages on page 43
- Search for an Instance on page 45
- Sort by Column Heading and Change Column Width on page 46
- Show, Hide, and Move Columns in the Instance View on page 46
- Create or Delete Custom Columns in the Instance View on page 46
- View Instance Details on page 47
- Reactivate, Deactivate, or Delete an ACE Instance on page 47
- Change a Copy Protection ID on page 47
- Reset the Authentication Password on page 48
- Add Information for Custom Columns on page 48

Viewing ACE Instances That the Server Manages

To view and manage a server's ACE instances, you can use either the Instances page of the VMware ACE Help Desk or the server's instance view in Workstation.

Both user interfaces enable you to fix a limited set of ACE instance problems, such as reactivating an instance, changing the instance's expiration date, and resetting the user password if the user has lost or forgotten it.

Because the VMware ACE Help Desk is a browser-based application, you can use it on computers that do not have Workstation installed. The Help Desk also allows you to create a restricted help desk role. Users with this role can fix a limited set of problems reported by end users, but they cannot change configuration settings for the ACE Management Server.

The instance view in Workstation enables you to perform all the tasks available in the VMware ACE Help Desk and a few more tasks. For example, in the instance view, you can create custom columns and save the searches you create.


Use the VMware ACE Help Desk Application

ACE administrators and help desk assistants can access ACE instances through the VMware ACE Help Desk Web application. You can use the Help Desk to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.

To use the VMware ACE Help Desk application

1. Open a Web browser and go to https://:8000.

   The value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.

   If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.

2. Click the Help Desk link.

3. Supply the login information.

   Use the following information to help you complete the fields that appear in this window:

   - User Name and Password: If a help desk role was created, enter credentials for that role. Otherwise, enter credentials for administering the ACE Management Server.
   - Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).

The VMware ACE Help Desk opens the Instances page, which contains a summary table of all the instances that the server manages.

Use the Instance View in Workstation

ACE administrators can access ACE instances through the instance view. You can use the instance view to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.

The instance view in Workstation enables you to perform all the tasks available in the VMware ACE Help Desk and a few more tasks. In the instance view, you can create custom columns and save the searches you create.

You must have administrator credentials to use the instance view.

An instance has one of the following status types:

- Active: The instance is active and available for immediate use.
- Deactivated: This instance was purposely deactivated. You must reactivate it to make it usable again.
- Blocked by policies: The instance is still active but is blocked (cannot be run) because of a violation of a policy such as expiration date or copy protection. For details, view the server log for that instance.

The Valid From and Valid Until columns indicate the period that the instance is valid. The instance expires after the Valid Until date. If no expiration date is set for the instance, those columns are empty.


To use the instance view in Workstation

1. From the Workstation menu bar, choose File > Connect to ACE Management Server.

2. Specify the fully qualified host name or the IP address and click OK. In most cases, the default port number does not need to be changed.

3. Complete the login window.

   Use the following information to help you complete the fields that appear in this window:

   - User Name and Password: Enter credentials for administering the ACE Management Server.
   - Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).

Search for an Instance

You can use the search function to query the ACE Management Server database for one or more particular ACE instances. Search criteria are joined with AND, not OR, operations.

Before you begin, do one of the following:

- Log in to the VMware ACE Help Desk for an ACE Management Server.
- Connect to an ACE Management Server from the Workstation window.

To search for an ACE instance

1. Click Search and specify the criteria to be included when the database is queried.

   Use the following information to help you specify search criteria:

   - Activated By: Activation method, such as password, Active Directory user, or activation key. If no such activation method exists, N/A appears in the column.
   - ACE VM Name: Name of the ACE-enabled virtual machine from which the ACE instance was created.
   - Guest Name (For Windows guests only): Computer name resolved on the user's machine during instance customization, if you use that feature. The NetBIOS name is reported here, and it is a maximum of 15 characters long. Even if the actual computer name contains more characters, the name always appears as the NetBIOS name.
   - Custom columns: Custom columns that you created appear directly below the Guest MAC Address criterion.
   - Exact match only: Values are case-sensitive.
   - Save as (Available in the Workstation instance view only): Saved searches are specific to each server. You can edit or delete your saved searches by selecting the name of a saved search in the Saved Searches drop-down menu and clickin