ACE Management Server Administrator's Manual

ACE Management Server Administrators Manual
VMware ACE 2.7
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000405-00
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
Copyright 20072010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
VMware, Inc.
Contents
AboutThisBook
1 Introduction 7
FeaturesofACEManagementServer 7 SystemRequirements 8 RequiredHardware 8 SupportedOperatingSystems 8 SupportedExternalDatabases 9 SupportedProxies 9 RequiredWebBrowsers 9 Licensing 9
2 PlanninganACEManagementServerDeployment 11
DeploymentComponents 11 HostSystemOptions 12 WindowsHosts 12 LinuxHosts 12 ServerApplianceOption 12 DatabaseOptions 13 ActiveDirectoryAuthenticationOptions 13 PerformingCapacityPlanning 13 DatabaseThroughputandScalability 14 LDAPThroughput 14 NetworkBandwidthandPolicyUpdateFrequency 15 ACEPolicyConfiguration 15 LoadBalancers 15 SecurityFeaturesandConsiderations 16 UsingSSLCertificatesandProtocol 16 AccessingACEManagementServerfromOutsidetheCorporateFirewall 17 DeploymentPlanningWorksheet 18
3 InstallingandConfiguringACE Management Server 19

PreparingforInstallation 19 ConfigureTLSinYourBrowser 20 InstallingandUpgradingACEManagementServer 20 InstallanACEManagementServeronaWindowsHost 20 InstallACEManagementServeronaLinuxSystem 21 InstallanACEManagementServerAppliance 22 VerifyThattheApacheServiceIsStartedorRestarted 23 StartandConfigureACEManagementServer 24 LogIntoACEManagementServer 25
4 ConfigurationOptionsforACEManagementServer 27
PrerequisitesforConfiguringtheServer 27 CreateUsersandGroupsforIntegrationwithActiveDirectory 27 SetUpanExternalDatabase 28 CreatingaSystemDSNEntryforanExternalDatabase 29
VMware, Inc. 3
IncreasetheNumberofDatabaseConnectionsAllowed 30 EnableDatabaseConnectionPoolingonLinux 31 SetUpaConnectionBetweentheServerApplianceandanExternalDatabase PrepareCustomSecurityCertificates 32 ViewthePropertiesoftheSelfSignedCertificateFile 32 StartingACEManagementServerConfiguration 33 ViewingandChangingLicensingInformation 33 UsinganExternalDatabase 33 CreatingAccessControl 34 UploadingCustomSSLCertificates 34 LoggingEvents 35 ApplyingConfigurationSettings 36
31
5 LoadBalancingMultipleACEManagementServerInstances 37
TypicalSetupUsingLoadBalancedACEManagementServerInstances InstalltheRequiredServicesforLoadBalancing 38 UsetheSameSSLCertificateonAllServers 39 CreateNewSSLCertificatesandKeysforEachServer 40 InstallingandConfiguringtheLoadBalancer 41 VerifyThatACEInstancesAreUsingtheLoadBalancer 41 38
6 ManagingACEInstances 43
ViewingACEInstancesThattheServerManages 43 UsetheVMwareACEHelpDeskApplication 44 UsetheInstanceViewinWorkstation 44 SearchforanInstance 45 SortbyColumnHeadingandChangeColumnWidth 46 Show,Hide,andMoveColumnsintheInstanceView 46 CreateorDeleteCustomColumnsintheInstanceView 46 ViewInstanceDetails 47 Reactivate,Deactivate,orDeleteanACEInstance 47 ChangeaCopyProtectionID 47 ResettheAuthenticationPassword 48 AddInformationforCustomColumns 48
7 TroubleshootingandMaintenance 49
TroubleshootingConfigurationProblems 49 ConnectionProblemsBetweenaLinuxACEInstanceandACEManagementServer 49 ChangethePortAssignmentforACEManagementServer 49 DeletetheServerConfigurationFileandSetaNewAdministratorPassword 50 RestoreaBackupCopyofanSSLCertificate 50 ConfiguringMultipleACEManagementServerInstancestoUseSSL 51 DatabaseBackup 52
Appendix:DatabaseSchemaandAuditEventLogData
UsingDatabaseReportingTools 53 DatabaseSchema 53 QueryingtheAuditEventLogData 57
53
Glossary Index 63
61
VMware, Inc.
About This Book
Thismanual,theVMwareACEManagementServerAdministratorsManual,providesinformationabout installingandusingtheVMwareACEManagementServer,whichenablesyoutomanageACEinstancesin realtime.UsingACEManagementServerisoptional,butdoingsoprovidesthefollowingbenefits:

ManageactivationofACEpackages. Manageauthenticationofthoseactivatedpackages. DynamicallydeliverpolicyupdatestomanagedACEinstances. DynamicallydeliverinstancecustomizationdataformanagedACEinstanceswithWindowsguest operatingsystems.
Intended Audience
Thisbookisintendedforanyonewhoneedstoinstall,upgrade,oruseACEManagementServertomanage ACEinstances.ACEManagementServerisintendedforACEadministratorswhomustmaintainandupdate ACEpoliciesusedonvirtualmachinesdeployedthroughoutanenterprise.
Document Feedback
VMwarewelcomesyoursuggestionsforimprovingourdocumentation.Ifyouhavecomments,sendyour feedbackto:docfeedback@vmware.com
Technical Support and Education Resources

Thefollowingsectionsdescribethetechnicalsupportresourcesavailabletoyou.Toaccessthecurrentversion ofthisbookandotherbooks,gotohttp://www.vmware.com/support/pubs.
Online and Telephone Support

Touseonlinesupporttosubmittechnicalsupportrequests,viewyourproductandcontractinformation,and registeryourproducts,gotohttp://www.vmware.com/support. Customerswithappropriatesupportcontractsshouldusetelephonesupportforthefastestresponseon priority1issues.Gotohttp://www.vmware.com/support/phone_support.html.
Support Offerings
TofindouthowVMwaresupportofferingscanhelpmeetyourbusinessneeds,goto http://www.vmware.com/support/services.
VMware, Inc.
VMware Professional Services

VMwareEducationServicescoursesofferextensivehandsonlabs,casestudyexamples,andcoursematerials designedtobeusedasonthejobreferencetools.Coursesareavailableonsite,intheclassroom,andlive online.Foronsitepilotprograms andimplementationbestpractices,VMwareConsultingServicesprovides offeringsto helpyouassess,plan,build,andmanageyourvirtualenvironment.Toaccessinformationabout educationclasses,certificationprograms,andconsultingservices,gotohttp://www.vmware.com/services.
VMware, Inc.
Introduction
TheVMwareACEManagementServerenablesyoutomanageVMwareACEinstances,todynamically publishpolicychangesforthoseinstances,andtotestanddeploypackagesmoreeasily. Thischapterincludesthefollowingtopics:

FeaturesofACEManagementServeronpage 7 SystemRequirementsonpage 8
Features of ACE Management Server

ACEManagementServeroffersscalabilityandreliability:

Youcanincreasecapacitybyaddingnetworkresourcessuchasloadbalancersandextraserverhardware. Fortestingenvironments,thedefaultembeddedbackingstoreprovidesasimpleandefficientdatabase solution.ToscaleACEManagementServerforproductiondeployments,youcanconfigureandusean externalrelationaldatabasemanagementsystem(RDBMS). InWindows,multithreadedprocesseshandleserverrequests.InLinux,multipleprocesseshandleserver requests.Ifoneprocessfails,anothertakesover.
ACEManagementServeroffersActiveDirectoryintegration:

YoucanuseActiveDirectorytoauthenticateusersofACEinstances. YoudonotneedaschemachangeforyourexistingActiveDirectory. LDAPisusedtoaccessActiveDirectory. InformationaboutWindowsdomainuseraccountstatesisprovidedinclearandusefulmessages. Reasonsforloginfailuresarepresentedaslockedoutorpasswordexpired. ACEManagementServeractsasanActiveDirectorypasswordchangeproxy. YoucanusetheinstancecustomizationfeatureinACEwithyourownestablishednamingconventionsto associateuserswithmachines.
Securityfeaturesincludethefollowing:

EncryptedcommunicationsbetweenserverandclientstraveloverHTTPStraffic. Passwordsarestoredsecurelyinhashedforminthebackingstore. FlexibledatabaseoptionsallowuseofanembeddeddatabaseorexternalRDBMStostoreACEinstance dataandpolicies. YoucanuploadcustomSSLcertificatewhileconfiguringtheACEManagementServer.
VMware, Inc.
ACEManagementServeriseasytoinstallandconfigure.Clienttrafficcanbeproxiedbyeasilyavailable products.Theserveruseseasilyavailablesoftwarecomponents:

ApacheWebserver2.0 ThedefaultSQLitedatabasestore
Theserversetupusesindustrystandardprotocols:

HTTPSandLDAP XMLRPCformessageencapsulation
ACEManagementServeroffersextensibilityandavailability:
YoucancreateandusemorethanoneACEManagementServer.Whenyouusemorethanoneserver,you cansettheserversupsothattheysharethesamedatabaseforloadbalancingorincreasedfaulttolerance. AWindowsACEManagementServercanbeonthesamesystemasWorkstation. YoucandesignateasingleACEManagementServername,suchas https://ace.policyserver.company.com,anduseDNSlookuptotranslatethehostnametoan address.TheaddressiscachedifaDNSserverisnotavailable.Additionally,youcanusedifferentACE ManagementServerinstancesifuserstravelbetweenofficesindifferentgeographiclocations. NOTEYourservernamemustbeeitherthemachinenameinEnglishortheIP address.International charactersarenotsupported.
System Requirements
ThefollowingsectionsdescribetheACEManagementServersystemrequirements.
Required Hardware
Aminimumofan800MHzcompatiblex86andx8664architectureprocessor Compatibleprocessorsinclude: Celeron,PentiumII,PentiumIII,Pentium4,PentiumM(includingcomputerswithCentrinomobile technology),Xeon(includingPrestonia),AMD,Athlon,Athlon MP,AthlonXP,Duron,Opteron,AMD64 Opteron,andAthlon64
ExperimentalsupportforIntelIA32eCPU 40MBoffreespaceisrequiredforbasicinstallation.VMwarerecommendsatleast10GBoffreediskspace. An8bitdisplayadapterisrequired. Forlocalareanetworking,anyEthernetcontrollerthattheoperatingsystemsupportsissufficient.
Supported Operating Systems

FollowingarethesupportedoperatingsystemsforACEManagementServer:
WindowsServer2003WebEditionSP1andSP2,WindowsServer2003StandardEditionSP1andSP2, WindowsServer2003EnterpriseEditionSP1andSP2(includes64bitandR2editions) WindowsXPProfessional(includes64biteditions) Windows2000ServerServicePack4andWindows2000AdvancedServerServicePack 4 RedHatEnterpriseLinuxAdvancedServer4.0withUpdate 4. SUSELinuxEnterpriseServer9ServicePack3
VMware, Inc.
Chapter 1 Introduction
Supported External Databases

AnSQLitedatabaseengineisembeddedinACEManagementServer.Althoughthisdatabaseisadequatefor testingpurposes,useoneofthefollowingexternaldatabasesinproductionenvironments:
ForaWindowsbasedACEManagementServerMicrosoftSQLServer2000orhigher; Oracle Database 10g IfyouuseaMicrosoftSQLServerdatabase,thedatabasemustbehostedonasystemthatusesthesame localeasthesystemthathostsACEManagementServer.Forexample,ifACEManagementServeris installedonaJapanesesystem,thedatabaseservermustalsobeinstalledonaJapanesesystemandmust useJapanesecollation.
ForaLinuxbasedACEManagementServerPostgreSQL7.4orhigher
Supported Proxies
YoucandeployACEManagementServerwiththefollowingHTTPSproxysolutions:

ApacheProxyUsingmod_proxy ZeusTechnologyLoadBalancerAcommerciallyavailableloadbalancerandtrafficmanagement solution
Required Web Browsers

ThebrowserbasedACEManagementServerSetupapplicationandtheVMwareACEHelpDeskapplication requireoneofthefollowingWebbrowsers:

MozillaFirefox1.52orhigher. InternetExplorer6.0orhigher.MakesurethattheInternetExplorerbrowserhasTLS1.0checkedtolog intotheAMSwebconfigurationpage.
Licensing
YoumustconfiguretheserverandentertheserialnumberintheserversetupWebapplication.Ifyoudonot, youcannotconnecttotheserverinWorkstation. Yourserialnumberisontheregistrationcardinyourpackage.IfyoupurchasedVMwareACEonline,the serialnumberissentbyemail.WorkstationandACEinstancescannotconnecttoanACEManagementServer withanexpiredornonexistentlicense.
VMware, Inc.
10
VMware, Inc.
Planning an ACE Management Server Deployment
ThischapterprovidesguidelinesfordeployingVMwareACEManagementServerinstances,including capacityplanningandbestpractices.Thischapterincludesthefollowingtopics:

DeploymentComponentsonpage 11 PerformingCapacityPlanningonpage 13 SecurityFeaturesandConsiderationsonpage 16 AccessingACEManagementServerfromOutsidetheCorporateFirewallonpage 17 DeploymentPlanningWorksheetonpage 18
Deployment Components
AtypicalACEManagementServerdeploymenthasthefollowingcomponents:
OneormoreACEManagementServerinstancesConfiguringmultipleserverstousethesame databaseincreasesthenumberofACEclientsyoucanmanageandguaranteeshighavailability. DatabaseserverForproductiondeployments,VMwarerecommendsOracleDatabase 10gorMSSQL forACEManagementServerinstalledonaWindowshost,andPostgresforACEManagementServer installedonaLinuxhost. (Optional)ActiveDirectorydomaincontrollerToenabletheACEManagementServerActive Directoryintegration,youmustconfigureACEManagementServertocommunicatewithyourdomain controller. (Optional)HTTPloadbalancerUsealoadbalancertohelpscalethecapacityofyourACEManagement Serverdeployment. (Optional)HTTPproxyIfclientswillaccessACEManagementServerfromoutsidethecorporate firewall,VMwarerecommendsusinganHTTPSproxyintheDMZ.YoucanuseACEManagementServer withApacheProxyandZeusTechnologyLoadBalancer.
ForanexampleofanACEManagementServerdeployment,seeFigure 21.
VMware, Inc.
11
Figure 2-1. Comprehensive ACE Management Server Deployment

WSAE client (within corporate network) Active Directory domain controller (optional)
LDAP Kerberos
ACE Player client (within corporate network)
HTTPS HTTPS HTTPS HTTPS
ACE Management Server (one or more)
load balancer (optional) database server
HTTPS ODBC
proxy for ACE Management Server service through corporate firewall (optional) ACE Player client (outside corporate network)
ACEManagementServeroffersconvenienceandflexibilityinitssetupoptions. YoucaninstalltheserveronWindowsorLinuxhosts.Fortestingpurposes,youcandownloadandrunthe serverasavirtualappliance.ACEManagementServerincludesitsownsecuritycertificatesandembedded database,butyoucanuseanexternaldatabaseandusecertificatesfromacertificateauthorityifyouprefer. YoucanalsoconfigureACEManagementServertouseActiveDirectoryforauthentication.
Host System Options

YoucaninstallACEManagementServeronaWindowshost,aLinuxhost,orasavirtualappliance.Ifyouset upmultipleACEManagementServerinstances,theymustallbethesametype.
Windows Hosts
IfyouplantointegratewithActiveDirectory,VMwarerecommendsthatyouinstallACEManagementServer onaWindowshost. TheWindowsACEManagementServerusestheWinLDAPlibrarybundledwithyourWindowsoperating systemtointegratewithActiveDirectory.InternaltestingresultsindicatethattheWindowsimplementation providesbetterperformancethanLinux.
Linux Hosts
YoucaninstallACEManagementServeronaLinuxhostanduseActiveDirectoryforauthentication,even thoughperformanceisslowerthanonWindowshosts.IfyouplantouseaLinuxhostinproduction environments,usetheLinuxinstallerratherthantheACEManagementServerappliance.Ifyoudonothave thesupportedLinuxoperatingsystemsinstalledonaphysicalserver,youcancreateavirtualmachine,install asupportedLinuxoperatingsystem,andinstallACEManagementServerinthevirtualmachine.
Server Appliance Option

TheACEManagementServerapplianceisaselfcontained,preinstalled,andpreconfiguredACE ManagementServerpackagedwithasmallLinuxoperatingsysteminavirtualmachine.Theapplianceis convenientandquicktosetupinatestingenvironmentbutisnotrecommendedforproductionenvironments. Bydefault,theapplianceattemptstoconfigureitsnetworkbyusingDHCP.IfyoudonotwanttouseDHCP, youcanusethebrowserbasedACEManagementServerSetupapplicationtoconfigurethenetworksettings. Youcanusethesameinterfacetoupdatetheappliancewhenupdatesbecomeavailable. YoumusthaveaccesstoaWebbrowser(Mozilla1.52orhigherorInternetExplorer6.0orhigher)tochange networksettingsorobtainupdatesfortheappliance.
12 VMware, Inc.
Chapter 2 Planning an ACE Management Server Deployment
Database Options
ACEManagementServeroffersthefollowingdatabaseoptions:
EmbeddedSQLitedatabaseThedefaultmodeofACEManagementServerworkswithanembedded SQLite3databaseengine.TheSQLitedatabaseengineisinitializedduringserverinstallationandrequires nospecialconfiguration.The embeddeddatabasesupportsuptoseveralgigabytesofdata. TheSQLitedatabaseisfilebasedandisnotdesignedtobeeffectivelysharedacrossmultipleprocesses.If youusethirdpartytoolstoaccessthedatabaseforareadoperation,therefore,youcannotdependon transactionalisolationofthependingwriteoperationsoftheACEManagementServer. Theembeddeddatabaseisadequatefortestingpurposes,butVMwarerecommendsthatyouusean externaldatabaseinproductionenvironments.
SupportedexternaldatabaseInproductionenvironments,useasupportedexternaldatabaseasa backingstoreforACEManagementServer,throughODBCconnectivity.Supportedexternaldatabase enginesarethefollowing:
ForWindowsbasedACEManagementServer,useMicrosoftSQLServer(SQLServer2000orSQL Server2005)orOracleDatabase10ginstalledonthesamesystemoradifferentWindowssystem ForLinuxbasedACEManagementServer,usePostgreSQL7.4orhigherinstalledonthesame systemoradifferentLinuxsystem
NOTEIfACEManagementServerisdeployedintheDMZ,useanexternaldatabaselocatedinsideyour corporatenetworkbehindafirewall. UsinganexternaldatabasewithACEManagementServeroffersthefollowingbenefits:
OnlinebackupsothatyoudonothavetoshutdownACEManagementServertobackupthe database. Enhancedsecuritymodel.Youcanfinetunepermissionstoaccesssensitivedata.TheSQLite databaseengineprovidesfilesystembasedsecurity. Performancefinetuning. Abilitytouseexternaldatabasemanagementandreportingtools. AbilitytouseloadbalancerswithmultipleACEManagementServerinstances.Youmustusean externalRDBMSasthebackingstore,becausetheSQLitedatabaseisnotdesignedtobeeffectively sharedacrossmultipleprocesses.
Active Directory Authentication Options

ActiveDirectoryintegrationprovidesthefollowingbenefits:

PermitsjoininganoperatingsystemthatisrunninganACEinstancetothedomainremotely. Providessearchfunctionssoyoucanquicklyfindaparticularindividualorgroup. EnablesyoutouseActiveDirectoryUsersandGroupstoconfigurerolebasedaccesstothefeaturesof ACEManagementServer.
Performing Capacity Planning

ACEManagementServerenablesyoutomanageACEinstancesandpoliciesinrealtime.Thenumberof clientsthatasingleACEManagementServercanservedependsonseveralkeyfactors:

Databasethroughputandscalability LDAPthroughput(ifyouareusingActiveDirectory) Networkbandwidthavailableforincomingclientrequests
VMware, Inc.
13
ACEpolicyconfiguration Loadbalancersforverylargedeployments(morethan5,000clients)
Table 21listsrecommendationsforthenumberofclientssupportedbasedonthehardwareyouareusing.The figuresforrecommendedclientsreservesomeserverprocessingpowersothatinteractiveclientsreceive responsesinatimelyfashionandtheserversatisfiesincreasesindemand. Table 2-1. Number of Clients Supported

Hardware 2GHzAMD2wayserver(Opteron280,4GBRAM) 2GHzIntel2waydesktopmachine(4GBRAM) Recommended Clients 6,000 4,000
Database Throughput and Scalability

Forproductiondeployments,VMwarerecommendsthatyouuseOracle,MSSQL,orPostgresasyour databaseplatform. Morethan95percentofthestoragespacethatanACEManagementServerrequiresisusedtologevent information,whichisanaudittrailofalltransactionsperformedthroughACEManagementServer.Table 22 listsrecommendeddatabasesizesbasedonthenumberofclientsbeingserved. Thefiguresinthetablearebasedona90daydatabasearchivalperiod.Backupthedatabaserecordsevery90 daysandkeepeventlogsfor90days.YoucanconfigureACEManagementServertopurgeeventlogsevery 90days. Table 2-2. Database Storage Recommendations
Number of Clients 100 1,000 10,000 Recommended Database Size 50Mb 500Mb 5,000Mb
Theauthenticationeventgeneratesmostofthedatabecauseaneventisgeneratedeverytimesomeone attemptstoauthenticatetoACEManagementServer.YoucanconfigureACEManagementServertologless eventinformation.SeeLoggingEventsonpage 35.
LDAP Throughput
ACEManagementServercancommunicatewithyourActiveDirectorydomaincontrollertoauthenticateuser credentials.YourdomaincontrollerinfrastructurehandlestheLDAPtrafficrequiredtosupportthenumber ofclientsthatyouanticipate. IntegratingwithActiveDirectorythroughLDAPisimplementeddifferentlyintheWindowsACE ManagementServerthanintheLinuxbasedACEManagementServer.TheWindowsACEManagement ServerusestheWinLDAPlibrarybundledwithyourWindowsoperatingsystem.TheLinuxACE ManagementServerusesathirdpartyKerberosLibraryandOpenSSL.VMwareinternaltestingresults indicatethattheWindowsimplementationprovidesbetterperformancethanLinux.
14
VMware, Inc.
Network Bandwidth and Policy Update Frequency

TheamountofnetworkbandwidththatACEManagementServerandACEinstancesrequiredependsonthe frequencyofpolicyupdatesthatyouconfigure.Table 23showstheamountofbandwidthneededwhenyou useapolicyupdatefrequencyvalueof10 minutes. Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes
Number of Clients 100 1,000 10,000 Bandwidth Required 0.125Mb/sec. 1.25Mb/sec. 12.5Mb/sec.
VMwarerecommendsthatforlargedeployments(morethan5,000clients),youincreasethetimebetween policyupdatesbyclientsbecausethisreducestheamountofrequiredbandwidth. Table 24showsthebandwidthneededwhenthepolicyupdatefrequencyvalueissetto30minutes. Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes
Number of Clients 100 1,000 10,000 Bandwidth Required 0.04Mb/sec. 0.4Mb/sec. 4Mb/sec.
Theamountofnetworkbandwidthrequiredcanalsobehigherifyourpolicysetisverycomplex. VMwarerecommendsthatyouhaveaseparatenetworklinkbetweenACEManagementServerandyour databaseserver,sothattrafficcomingandgoingfromACEManagementServertoitsclientsdoesnotinterfere withthetraffictoandfromyourdatabaseserver.
ACE Policy Configuration

TheconfigurationofACEpoliciescanaffectperformance.Youcanincreasetheamountofdatathatis transferredbetweenACEManagementServerandACEPlayerbyusingoneofthefollowingmethods:
HostpoliciesEnablinghostpolicies(suchashostnetworkquarantine)requiresthatahostsidedaemon retrievesthehostpoliciesfromtheACEManagementServer. ComplexnetworkquarantinepoliciesIfthesetofrulesthatmakesupyournetworkquarantineisvery large,thetransferoftheserulesfromtheACEManagementServertotheclientscanaffectthescalability. ThenumbersshowninTable 23andTable 24areestimatesofrequiredbandwidthgivenaveragesize rulesetsfornetworkquarantine.YoucanviewthesizeofyourpolicysetbyexaminingtheACEfile directoryandcountingthesizeofthe.vmplfile.Anaveragepolicysetis15KBorless.
Load Balancers
TheACEManagementServerclientserverprotocolisbuiltontopoftheHTTPSprotocol.YoucanuseHTTP loadbalancingsoftwareandhardwaresolutionstoscaleanACEManagementServerdeploymentbeyondthe capacityofasingleserver(orforhighavailabilitydeployments). ACEManagementServerscalesinalinearfashionwhenanenterprisegradeHTTPSloadbalancerisused.See Chapter 5,LoadBalancingMultipleACEManagementServerInstances,onpage 37.
VMware, Inc.
15
Security Features and Considerations

Bydefault,ACEManagementServerusestheSecureSocketsLayer(SSL)protocoltoprovideencryptedand securecommunications. FollowingisanoverviewofsecurityfeaturesandrecommendationsonhowtoconfiguretheACE ManagementServertoavoidsecurityproblems:
TraffictoandfromclientsisprotectedbyHTTPSBydefault,ACEManagementServercreatesa selfsignedcertificatewhenyouinstallittouseforHTTPStraffic.Thesecertificatesaresecure,butyou canalsoconfigureACEManagementServertouseyourowncertificateandkeypairs. TrafficfromACEManagementServertoActiveDirectoryisencryptedIftheserverisintegratedwith anActiveDirectoryservice,itcommunicateswiththeservicethroughanSSLprotectedlink.LDAPtraffic isencryptedattheapplicationlayer.CredentialsareprotectedbyusingtheKerberosprotocolto authenticatecredentials. SensitiveconfigurationoptionsareencryptedPasswordsstoredintheconfigurationfileareencrypted. DatabasesecurityThedatabasestorecontainssensitivedatasuchascryptographickeys.Configure yourdatabasesecuritysothatitisprotectedfromintrusionandprotectedincaseofdataloss.Formore informationaboutfeaturesthatareavailabletoprotectyourdata,seeyourdatabasedocumentation.
SSLencryptsdatathroughtheuseofapublickeyandprivatekeypair.Thepublickeyisknowntoeveryone andtheprivatekeyisknownonlytothemessagerecipient.URLs thatrequireanSSLconnectionstartwith https. DuringACEManagementServerinstallation,thefollowingtwofilesarecreated:

server.keyAnRSA1024bitkey,thisistheprivatekey. server.crtAselfsignedcertificate.Itssignatureisverifiedbythepublickey,whichisembeddedin thecertificate.Thispubliccertificateisvalidfor10yearsfromthedateandtimeatwhichtheserveris installed.ThecertificatefileisencodedinPEMformat.
Bydefault,thesefilesarestoredintheSSLdirectoryintheVMwareACEManagementServerprogram directory. VMwarePlayer,whichrunstheACEinstances,doesnottrustanycertificatesstoredonthehostmachineon whichitisrunning.Instead,itreliesonacompletecertificationchainthatisincludedintheACEpackage. Usingselfsignedcertificatesisadequateformostsecurityneeds. Youcan,however,useacertificateissuedbyacertificateauthority.IfyouhavemultipleACEManagement Serverinstances,youcanuseonecertificateforalloryoucanuseadifferentcertificateoneachone.
Using SSL Certificates and Protocol

WhenanACEenabledvirtualmachineconnectstoanACEManagementServer,itdownloadsthepublic certificateforthatserverandanychainofcertificatesrequiredtoverifytheserverspubliccertificate.Aserver certificatemighthaveachainofseveralcertificatesthatmustbeverifiedstepbystepuntiltheverification processreachestheroot,ortrusted,certificateinthecertificatestore.Thefirsttimeaconnectionismadetoa serverbyanyACEenabledvirtualmachineonaWorkstationadministratormachine,thecertificateandits verificationaredownloadedtotheWorkstationhostsystem. ThestoreorcollectionofcertificatesthatisdownloadedwhenanACEenabledvirtualmachineconnectstoa serverisincludedineachACEpackagethatyoucreatewiththatvirtualmachine.ItissavedintheACE Resourcesdirectory.WhenyoudeployandrunanACEinstanceofthisACEenabledvirtualmachine,the VMwarePlayerapplicationusesthecertificatesincludedinthepackagetoverifyconnectionsmadetotheACE ManagementServer.ItverifiesthatthecertificatesthatareintheACEpackagematchthosethattheserver provides.Iftheydonotmatchexactly,VMware Playerdisplaysanerrormessageanddoesnotrunthe instance.
16
VMware, Inc.
VMwarePlayercheckstheintegrityofthecertificatestoreincludedinthepackageeverytimeitcommunicates withtheserver.VMwarePlayerdoesnottrustanycertificatesstoredonthehostmachineonwhichitis running.Instead,itreliesonacompletecertificationchainthatisincludedintheACEpackage.Theuseof selfsignedcertificatesisadequateformostsecurityneeds. If,however,yourenterpriserequirestheuseofacertificatesignedbyacertificateauthority(internalor commercial),youcansetupthattypeofkeycertificatepairfortheACEpackagestouse.Acertificateauthority, orCA,isanentitythatissuesandsignspublickeycertificates,typicallyforafee.
Accessing ACE Management Server from Outside the Corporate Firewall

AllclientrequeststoACEManagementServerareHTTPStrafficonport443.This meansthatanysolution usingaproxytosecureHTTPStrafficintoyourcorporateserverscanbeusedtoproxyACEManagement Servertraffic. BecauseofthenumberofdataconnectionsthattheACEManagementServermustmakeonthebackend (LDAP,DNS,ODBC,Kerberos),VMwarerecommendsusinganHTTPSproxyintheDMZ.Thisproxycan relayACEManagementServertraffictotheactualACEManagementServerinsidethecorporatenetwork. Figure 2-2. Recommended Deployment for External Access
LDAP (port 389) HTTPS traffic (443) HTTPS traffic (443) KRB5 (port 88) DNS NETBIOS (port 137)
external client
external firewall HTTPS proxy server
internal firewall AMS server
ODBC
ACEManagementServercanbedeployedwiththefollowingHTTPSproxysolutions:

ApacheProxyUsingmod_proxy ZeusTechnologyLoadBalancerAcommerciallyavailableloadbalancerandtrafficmanagement solution
AvoidthefollowingproblemswhenyouuseaproxyfortrafficintoanACEManagementServer:
SSLTerminationIfyourHTTPSproxyterminatestheSSLconnection,youmustusethesameSSLkey andcertificateontheHTTPSproxyserverandACEManagementServer.Or,usetheACEManagement ServercertificatechaintoembedtheHTTPSproxycertificateverificationchainintheACEpackage. AnexampleofaproxyserverthatterminatesSSLconnectionsisApacheProxy.TheZeusloadbalancing productssupportSSLpassthrough,whichmeansthattheSSLconnectionisterminatedatACE ManagementServer.
MultipleACEManagementServerSSLcertificatesIfyouaredeployingmultipleACEManagement Serverinstancesbehindaloadbalancingsolution,allACEManagementServerinstancesmustusethe sameSSLkeyandcertificatepair.YoucanalsousetheACEManagementServercertificatechainfeature toembedeverySSLcertificateverificationchainintotheACEpackage. DNSresolutionWhenyoucreateanACEenabledvirtualmachine,youmustspecifyahostnamefor ACEManagementServer.ThishostnamemustresolvetotheappropriateIPaddressforbothinternaland externalclients.Internally,itcanresolvetoACEManagementServeritself.Externally,itcanresolvetothe HTTPSproxyserver.
BecausethetrafficcomingintoACEManagementServerisplainHTTPStrafficandtheserverisstateless,you candeploymanyotherconfigurationstoprovideexternalaccesstoanACEManagementServer.Whenyou designyourdeployment,thinkofACEManagementServerasaWebserverwithsecuretraffic.
VMware, Inc.
17
Deployment Planning Worksheet

Usethedeploymentplanningworksheettorecordyourchoiceofserversystem,database,securitycertificates, andoptionalcomponentsforaproductionenvironment. Table 2-5. Worksheet for ACE Management Server in a Production Environment
Component Active Directory integration Considerations PerformanceisbetterwhentheACE ManagementServerisinstalledona Windowshost. SeealsoCreateUsersandGroupsfor IntegrationwithActiveDirectoryon page 27. ACE Management Server Database server Loadbalancer Ifyouusemultipleservers,allmustbe installedonthesameplatform. Forcapacityplanning,seeNumberof ClientsSupportedonpage 14. Thedatabaseservermustbecompatible withtheACEManagementServerhost.See SupportedExternalDatabasesonpage 9. Usealoadbalancerforlargedeployments orforhighavailability.Itmustsupport HTTPSandrequiresanexternaldatabase. SeeLoadBalancersonpage 15. IfACEclientswillcontactACE ManagementServerfromoutsidethe firewall,useaproxy.SeeAccessingACE ManagementServerfromOutsidethe CorporateFirewallonpage 17. Ifyouusemultipleserversandplantouse adifferentSSLcertificateforeachone,you mustcreateorsendforthecertificates. ACEManagementServersupportsonly publickeycertificatesthataresignedusing theSHA1algorithm.SeeUsingSSL CertificatesandProtocolonpage 16. Ports ForActiveDirectory,useport389. FortheACEManagementServer appliance,useport8080.SeeChangethe PortAssignmentforACEManagement Serveronpage 49andAccessingACE ManagementServerfromOutsidethe CorporateFirewallonpage 17. Decision UseActiveDirectory?________ Ifyes,nameofuseraccountforACE ManagementServertoquerytheActive Directorydatabase:__________________ Fullyqualifieddomainnameofthe LDAPserver:_______________________ UseWindowsorLinux hosts?_____________ Howmanyservers?____________ MSQL,Oracle,orPostgresSQLdatabase? ____________________________ Usealoadbalancer?________
Proxy
Useaproxy?__________ ApacheProxyorZeusTechnologyLoad Balancer?________________________ Whichtypeofcertificate:selfsigned thirdparty,orinternalCA(certificate authority)?___________________ Numberofcertificates?__________
SSL certificates
Port8000forconfiguringtheACE ManagementServer. Port443forclientrequests. Whichadditionalports?______________
18
VMware, Inc.
Installing and Configuring ACE Management Server
Thischapterincludesthefollowingtopics:

PreparingforInstallationonpage 19 InstallingandUpgradingACEManagementServeronpage 20 VerifyThattheApacheServiceIsStartedorRestartedonpage 23 StartandConfigureACEManagementServeronpage 24 LogIntoACEManagementServeronpage 25
Preparing for Installation

BeforeyouinstallACEManagementServer,youmustplanyourdeployment.Completethefollowingtasks: 1 TodeterminewhichtypeofACEManagementServerinstallertouse,howmanyserverstoinstall,and whichdeploymentcomponentstoinclude,seeChapter 2,PlanninganACEManagementServer Deployment,onpage 11. ToconfigureyourWebbrowsertouseTransportLayerSecurity(TLS),seeConfigureTLSinYour Browseronpage 20. Tosynchronizetheclockonthehostsystemwiththeclientsystem,useNetworkTimeProtocol(NTP). TochooseanHTTPSportforthehostonwhichyouplantorunACEManagementServer,seeTable 31.
2 3 4
Table 3-1. Port Assignments, Default Settings, for ACE Management Server
HTTPS Port Number 443 8000 Description CommunicationsbetweenACEManagementServerandACE instances ACEManagementServerSetup(configuration)Webapplication ACEHelpDeskWebapplication 8080 ACEManagementServerApplianceconfiguration
NOTEIfanotherWebserverisinstalledthatusesanyofthesedefaultports,youmightneedtoresolvethe conflict.
VMware, Inc.
19
Configure TLS in Your Browser

TransportLayerSecurity(TLS)mustbeconfiguredonyourWebbrowsertooperateACEManagementServer. To configure TLS in your browser Dependingonthetypeofbrowser,dooneofthefollowing:
ForanInternetExplorerbrowser: a b ChooseTools>InternetOptions>AdvancedandscrolldowntoSecurity. SelecttheUseTLS1.0checkboxandclickOK.
ForaMozillabrowser: a b ChooseTools>Options>Advanced. SelecttheUseTLS1.0checkboxandclickOK.
Installing and Upgrading ACE Management Server

YoucaninstalloneormoreACEManagementServerinstancestoservicetheACEinstancesinyourenterprise. IfyousetupmultipleACEManagementServerinstances,theyallmustbeinstalledoneitherWindowshosts orLinuxhosts,orallmustbeinstalledasappliances. ToupgradefromACEManagementServer2.0to2.6,usethesameprocedureasforinstallingtheserverfor thefirsttime.Whentheinstallerdetectsanearlierversion,ituninstallstheoldversionbeforeinstallingthe newone.Configurationsettingsarepreserved. Forproductiondeployments,VMwarerecommendsthatACEManagementServerbeinstalledoneithera dedicatedserveroravirtualplatformwithsufficientavailableresourcestoensureperformanceandstability. SystemrequirementsdependalmostexclusivelyonthenumberofACEinstancesbeingsupportedandthe frequencywithwhichtheyareconfiguredtocommunicatewiththeserver.Formoreinformationabout VMwareperformancetesting,seePerformingCapacityPlanningonpage 13. However,ACEManagementServerwastestedandcanbeinstalledondesktoporworkstationplatformsto supportasmallnumberofclientsornonproductionevaluations.
Install an ACE Management Server on a Windows Host

InstallingACEManagementServeronaWindowshostinvolvesdownloadingandrunninganinstallation wizard.YoucaninstallACEManagementServeronthefollowingWindowssystems:

WindowsServer2003 WindowsXPProfessional(includes64biteditions) Windows2000Server
Beforeyoubegin,makesuretheclockissynchronizedandtherequiredportsareavailable,asdescribedin PreparingforInstallationonpage 19. UsethisinstallationproceduretoinstallorupdateACEManagementServersoftware. To install an ACE Management Server on a Windows host 1 DownloadtheVMware-ACE-Management-Server.exe filefromtheVMwareWebsiteandsavethefile onthesystemthatistohosttheserver. ThefileisavailableasaseparatedownloadablefileinthesamedownloadlocationastheWorkstation application. 2 DoubleclicktheVMware-ACE-Management-Server.exe filetostarttheinstallationwizard.
20
VMware, Inc.
Chapter 3 Installing and Configuring ACE Management Server
3 4
Followthepromptsintheinstallationwizard. Ifyouareusingacomputerthathasafirewallenabledandyouseeamessageattheendoftheinstallation askingwhetheryouwanttounblocktheApacheservice,chooseUnblock. ACEManagementServerdoesnotworkproperlyifyoudonotunblocktheApacheservice.
AfterACEManagementServerisinstalled,youcanconfigureit.SeeStartandConfigureACEManagement Serveronpage 24.
Install ACE Management Server on a Linux System

YoucaninstallACEManagementServeronthefollowingLinuxsystems:

RedHatEnterpriseLinux4 SUSELinuxEnterpriseServer9SP3
Beforeyoubegin,makesurethesystemmeetstheserequirements:
AworkinginstallationofApache2.0isinstalledonthesystem.(TheRPMforaWebserverisincluded withtheRedHatEnterpriseLinux4orSUSELinuxEnterpriseServer9installation.) ApacheWebserviceisoperatingnormallyandisreceivingrequestsforSSLHTTP. Themod_ldapandmod_sslmodulesareavailableonyoursystem. ThefollowingpackagesareinstalledonyourRedHatEnterpriseLinux4orSUSELinuxEnterpriseServer 9system:curl,openldap,openssl,apache,andgdbm. ForSUSELinuxEnterpriseServer9,thecyrus-sasl-gssapipackageisinstalled.Thispackageisnot installedbydefault. Whenyouusetheexternaldatabaseoption,thefollowingpackagesarerequiredaswell:

RedHatEnterpriseLinux4:unixODBC SUSELinuxEnterpriseServer9:unixODBC and,ifyouplantousetheX11graphicalconfiguration tool,unixODBC-gui-qt
Theclockissynchronizedandtherequiredportsareavailable,asdescribedinPreparingforInstallation onpage 19.
UsethisinstallationproceduretoinstallorupdateACEManagementServersoftware. To install ACE Management Server on a Linux system 1 Downloadthe.rpm filefromtheVMwareWebsiteandsavethefileonthesystemthatistohostthe server. ThefileisavailableasaseparatedownloadablefileinthesamedownloadlocationastheWorkstation application. 2 RuntheRedHatorSUSELinuxRPMinstallerforACEManagementServer:

vmware-ace-management-server-<build_number>.i386-rhel4.rpm vmware-ace-management-server-<build_number>.i386-sles9.rpm
Forexample:
rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm
VMware, Inc.
21
ForaSUSELinuxEnterpriseServer9server,ensurethattheLDAPmodule(mod_ldap)isconfiguredfor loading: a Openthefollowingfilewithatexteditor:

/etc/sysconfig/apache2
b c
AddtheldapconfigoptiontotheAPACHE_MODULESvariable. Saveandclosethefile.
AfterACEManagementServerisinstalled,youcanconfigureit.SeeStartandConfigureACEManagement Serveronpage 24.
Install an ACE Management Server Appliance

TheACEManagementServerapplianceisaselfcontained,preinstalled,andpreconfiguredACE ManagementServerpackagedwithasmalloperatingsysteminavirtualmachine.Althoughtheapplianceis adequatefortestenvironments,VMwarerecommendsthatyoudonotuseitinproductionenvironments. Beforeyoubegin,makesuretheclockissynchronizedandtherequiredportsareavailable,asdescribedin PreparingforInstallationonpage 19. To install an ACE Management Server appliance 1 2 3 4 5 Downloadthe.zipfilefortheappliancefromtheVMwareWebsiteandsavethefileonthesystemthat istohosttheserver. Extractthefilestothedirectorywheretheserveristobelocated. StartWorkstation,chooseFile>Opentoopen,andselecttheams_appliance.vmxfile. ClickthePowerOnbuttontostartthevirtualappliance. Atthepasswordprompt,enterapasswordandconfirmit. Thispasswordisusedforbothrootandnetworkaccounts.Makeanoteofthispasswordsothatyoucan useitforlaterappliancemanagementoperationsfromtheconsoleandtheWeb. TheapplianceconfiguresitsnetworkbyusingDHCP. Theconsoleviewdisplaysthefollowinginformation:

Currentnetworksettings URLsforremotelyadministeringtheapplianceandconfiguringtheACEManagementServeritself
IfyoupressReturnattheloginprompt,theinformationappearsagain. 6 7 Atthetimezoneprompt,acceptthecurrentsettingormakeachangeasneeded. (Optional)ToconfiguretheservertouseastaticIPaddressortospecifyaproxyserver,usetheAppliance ManagementandConfigurationapplication,asfollows: a b c d e f LeavetheACEManagementServerappliancerunning. Browsetohttps://<hostIPaddress>:8080. Intheconnectiondialogbox,typerootintheusernamefieldandyournetworkorrootpasswordin thepasswordfield. ClicktheNetworklinkonthefirstpageofthebrowserbasedACEManagementServerSetup application. Toviewinstructionsaboutconfiguringnetworksettings,clicktheHelplinkintheupperrightcorner oftheWebpage. Afteryouchangenetworksettings,clickApply.
22
VMware, Inc.
(Optional)Toreconfigureanyupdateoptions,forexample,todisableautomaticdownloadsofupdates, usetheApplianceManagementandConfigurationapplication,asfollows: a b c d e LeavetheACEManagementServerappliancerunning. Browsetohttps://<hostIPaddress>:8080. Intheconnectiondialogbox,typerootintheusernamefieldandyournetworkorrootpasswordin thepasswordfield. ClicktheUpdatelinkonthefirstpageoftheApplianceConfigurationandManagementWeb applicationandcompletetheApplianceUpdatepage. Toviewinstructionsaboutconfiguringupdateoptions,clicktheHelplinkintheupperrightcorner oftheWebpage.
Whenyoufinishconfiguringanynetworkorupdatesettings,navigatetotheACEManagementServer SetupWebapplicationtoconfiguretheserver. Toaccessthatapplication,chooseoneofthesemethods:
FromtheApplianceManagementandConfigurationWebapplicationpage,clicktheACELoginlink intheupperrightcornerofthepage. Fromacommandpromptwindow,closethewindow,openabrowser,andentertheURLfortheACE ManagementServerSetupWebapplication:

https://<hostIPaddress>:8000/
10
ClickConfigurationtoopentheWebapplication.
Verify That the Apache Service Is Started or Restarted

IfyouinstalledACEManagementServeronaLinuxhost,verifythattheApacheserviceisstartedbeforeyou attempttologin. Fortroubleshootingpurposes,youmightoccasionallyneedtomanuallyrestarttheApacheservicethatACE ManagementServeruses. To verify that the Apache service is started or restarted Dooneofthefollowing:
OnWindowshosts: a b c ClicktheApacheiconinthetaskbar. SelectApache2inthemenuthatappears. Choosetheappropriatecommand:
Tostarttheserviceifitisstopped,clickStart. Iftheserviceisalreadystarted,thiscommandisunavailable.
Torestart,clickStopandthenclickStart. EnsurethatyouclickStopandStartratherthanRestart.
OnSUSELinuxEnterpriseServer9hostsorinthevirtualmachinethatcontainstheACEManagement Serverappliance: a b Openaterminalwindowonthehostorinthevirtualmachine. Asroot,enterthefollowingcommand:

/etc/init.d/apache2 status
Ifthestatusisstarted,youcanlogintoACEManagementServer.SeeStartandConfigureACE ManagementServeronpage 24.
VMware, Inc.
23
Entertheappropriatecommand:
Tostarttheserviceifitisstopped,enterthefollowingcommand:
/etc/init.d/apache2 start
Torestarttheservice,enterthefollowingcommands:
/etc/init.d/apache2 stop /etc/init.d/apache2 start
OnRedHatEnterpriseLinux4: a b Openaterminalwindowonthehostorinthevirtualmachine. Asroot,enterthefollowingcommand:

/etc/init.d/httpd status
Ifthestatusisstarted,youcanlogintoACEManagementServer.SeeStartandConfigureACE ManagementServeronpage 24. c Entertheappropriatecommand:
Tostarttheserviceifitisstopped,enterthefollowingcommand:
/etc/init.d/httpd start
Torestarttheservice,enterthefollowingcommands:
/etc/init.d/httpd stop /etc/init.d/httpd start
Start and Configure ACE Management Server

Beforeyoubegin,makesurethatthefollowingprerequisitesaresatisfied,asapplicable:
IfyouinstalledACEManagementServeronaLinuxhostorareusingtheACEManagementServer appliance,verifythattheApacheserverisrunning.SeeVerifyThattheApacheServiceIsStartedor Restartedonpage 23. Ifthisisthefirsttimeyouareloggingin,makesureyouhavetheserialnumberfortheproduct.Theserial numberisontheregistrationcardinyourpackage.IfyoupurchasedVMwareACEonline,theserial numberissentbyemail. Ifyouplantouseanexternaldatabase,ActiveDirectoryintegration,orcustomSSLcertificates,youmust performsomesetuptasksbeforeyoucanconfigureACEManagementServer.Seethefollowingtopics,as applicable:

CreateUsersandGroupsforIntegrationwithActiveDirectoryonpage 27 SetUpanExternalDatabaseonpage 28 PrepareCustomSecurityCertificatesonpage 32
To start and configure ACE Management Server 1 OpenaWebbrowserandgotohttps://<hostname>:8000. The<hostname>valuecanbethefullyqualifiednameofthecomputeronwhichACEManagement ServerisinstalledoritcanbeanIPaddress. IfyouinstalledACEManagementServeronaWindowshostandyouareusingthathosttoconfigureit, youcanalternativelychooseStart>VMware>VMwareACEManagementServer. 2 AcceptthelicenseagreementandclickStart. Theconfigurationtabsappearastheydoinsubsequentlogins,butforthefirstlogin,wizardbuttons suchasNextandBackalsoappear.
24
VMware, Inc.
CompletetheinformationoneachtabandclickNext. TheonlyfieldsthatrequirechangesanddonothavedefaultsettingsaretheSerialNumberfieldonthe LicensingtabandtheAdministratorpasswordontheAccessControltab. Forinformationaboutspecificfieldsandtabs,clickHelponthetab.
Log In to ACE Management Server

ThefirsttimeyoulogintoACEManagementServer,youmustsetapassword.Thenexttimeyoulogin,you mustprovidethatpasswordorprovideActiveDirectorycredentialsifyouconfiguredtheservertouseActive Directoryforauthentication. CommunicationsbetweenWorkstationandACEManagementServertakeplaceoverasecureSSLconnection. IftheserverisintegratedwithActiveDirectoryservice,enteryouradministrativecredentialsinoneofthe formatsshowninTable 32. Table 3-2. Login Options When Using Active Directory Service
Option longname+password+ domainname longname+password Description Thelongnameisthe<First_name> <Last_name>format. Thelongnameisthe<First_name> <Last_name>format. LeavetheDomainfieldblank. shortname+password+ domain shortname+password Theshortnameisthe sAMAccountName. Theshortnameisthe sAMAccountName. LeavetheDomainfieldblank. emailaddress+password Youcanonlyusethisoptionfora domainthatisaccessedthrougha directconnection. LeavetheDomainfieldblank. NETBIOSDOMAIN NAME\username+ password username+password+ NETBIOSDOMAIN NAME TheNetBIOSnameisashortnamefor domainsthatisregisteredinthe NetBIOSNameService(WINS). LeavetheDomainfieldblank. TheNetBIOSnameisashortnamefor domainsthatisregisteredinthe NetBIOSNameService(WINS). ace (theshortformofthe longnameACEUser) ace (theshortformofthe longnameACEUser) user1@acme.com Example JohnDoe JohnDoe
To log in to ACE Management Server 1 OpenaWebbrowserandgotohttps://<hostname>:8000. The<hostname>valuecanbethefullyqualifiednameofthecomputeronwhichACEManagement ServerisinstalledoritcanbeanIPaddress. IfyouinstalledACEManagementServeronaWindowshostandyouareusingthathosttoconfigureit, youcanalternativelychooseStart>VMware>VMwareACEManagementServer. 2 Dooneofthefollowing:

ToconfigureACEManagementServer,clickConfiguration. ToviewandtakeactionsonACEinstancesmanagedbythisserver,clickHelp Desk.
VMware, Inc.
25
Enterlogincredentials. IfyouuseActiveDirectoryforauthentication,seeTable 32.Inmultidomainenvironments,youmightbe requiredtoenteradomain(forexample,eng.com).
26
VMware, Inc.
Configuration Options for ACE Management Server
AfteryouinstallACEManagementServer,youmustusethebrowserbasedACEManagementServerSetup applicationtoconfiguretheserver. Thischapterincludesthefollowingtopics:

PrerequisitesforConfiguringtheServeronpage 27 StartingACEManagementServerConfigurationonpage 33 ViewingandChangingLicensingInformationonpage 33 UsinganExternalDatabaseonpage 33 CreatingAccessControlonpage 34 UploadingCustomSSLCertificatesonpage 34 LoggingEventsonpage 35 ApplyingConfigurationSettingsonpage 36
Prerequisites for Configuring the Server

IfyouplantouseActiveDirectoryintegration(usingLDAP),anexternaldatabase,orcustomSSLcertificates, youmustperformsomesetuptasksbeforeyouconfiguretheACEManagementServer.
Create Users and Groups for Integration with Active Directory

TouseActiveDirectoryforauthenticatingusers,adduserstoanActiveDirectorygroupandcreateauserso thatACEManagementServercanqueryLDAP. WhenyouconfigureACEManagementServertouseLDAP,followtheseguidelinestoavoidnegatively affectingperformance:

ThedefaultdomainisthedomainforwhichtheLDAPhostisadomaincontroller. Thequeryuserisauserinthedefaultdomain. Theadminusergroupisagroupthatexistsinthedefaultdomain.
IntegratingwithActiveDirectorythroughLDAPisimplementeddifferentlyintheWindowsbasedACE ManagementServerthanintheLinuxbasedACEManagementServer.Theoperatingsystemsdifferinthe librariestheyusetoconnecttoActiveDirectoryandtheexternaldatabasestheysupport.TheWindowsACE ManagementServerusestheWinLDAPlibrarybundledwiththeWindowsoperatingsystem.The LinuxACE ManagementServerusesathirdpartyKerberosLibraryandOpenSSL.VMwareinternaltestingresults indicatethattheWindowsimplementationisprovidesbetterperformancethanLinux.
VMware, Inc.
27
To create users and groups for integration with Active Directory 1 CreateauserthatACEManagementServercanusetoconnecttotheLDAPserveranduseforquerying. MakeanoteofthesAMAccountNamevalueforthatuser(forexample,aceuser.) 2 3 4 CreateanACEAdministratorsgroupinthedomain. AddACEadministratoruserstotheACEAdministratorsgroup. (Optional)CreateaHelpDeskgroupandassignuserstoitfortheHelpDeskrole. YoucanlogintotheHelpDeskWebapplicationwithyouradministrativeLDAPcredentialsorpassword. CreatingaHelpDeskroleallowsyoutopermitcertainuserstoperformHelpDesktasksfromwithinthe HelpDeskapplicationbutdoesnotgivethemaccesstootheradministrativetools.
Set Up an External Database

Beforeyoubegin,makesurethatyouhaveoneofthefollowingsupporteddatabaseservers:
ForaWindowsbasedACEManagementServerMicrosoftSQLServer2000orhigher; Oracle Database 10g IfyouuseaMicrosoftSQLServerdatabase,thedatabasemustbehostedonasystemthatusesthesame localeasthesystemthathostsACEManagementServer.Forexample,ifACEManagementServeris installedonaJapanesesystem,thedatabaseservermustalsobeinstalledonaJapanesesystemandmust useJapanesecollation.
ForaLinuxbasedACEManagementServerPostgreSQL7.4orhigher
BeforeyouinstallthedatabaseonaLinuxhost,makesuretheunixODBCRPMpackageisinstalledontheLinux system.VMwarerecommendsthatyouupdatethepackagetothelatestversionreleasedforyourspecific Linuxdistribution.TheunixODBCpackageprovidesanODBCAPItoprogramsrunningonLinuxsystemsthat issimilartotheWindowsODBCAPI. Thepackagecontainsthelibodbcsharedlibrary,providingtheODBCDriverManagerAPItoother programs,asetofconfigurationutilities,andODBCdriversforpopulardatabases.OnbothRedHat EnterpriseLinuxandSUSELinuxEnterpriseServer 9,theODBCdriverforPostgreSQLisincludedinthe unixODBCbinarydistributionpackage. Also,makesuretheunixODBC-gui-qt packageisinstalled(thisutilityisincludedintheRedHatEnterprise LinuxunixODBCpackage).ThispackageisrequiredtousetheODBCConfigX11graphicalconfigurationtool forsettingupadatasourcename(DSN). To set up an external database 1 Installadatabaseserveronahost. TheexternaldatabasedoesnothavetobeinstalledonthesameserverasACEManagementServer,butit mustbeinstalledonthesameplatform.Forexample,ifACEManagementServerisinstalledona Windowshost,thedatabaseservermustalsobeinstalledonaWindowshost. ACEManagementServercreatesthedatabaseschemaautomaticallyifproperaccessrightsaregranted. 2 Configurethedatabase. Ensurethatyouhaveadedicateddatabaseandauseraccountthathasfullaccesstothisdatabase, includingrightstocreatetables.Donotgivethisdatabaseuserpermissionsthatitdoesnotneed.For example,youmightnotwanttogivethisaccountreadorwritepermissiontootherdatabasesthatyour RDBMSmanages. AlltablesthatarecreatedinthedatabasehaveanamestartingwithaPolicyDb_prefixandindexeswith PdbIns_orPdbLf_prefixes.YoumightprovideACEManagementServerwithaDSNtoadatabasethat itshareswithsomeotherapplication,ifthedatabasecountisatapremium.
28
VMware, Inc.
Chapter 4 Configuration Options for ACE Management Server
(Optional)IfACEManagementServerisgoingtoconnecttothedatabaseoverthenetwork(TCPsocket connection),ensurethatthefollowingareinplace:

TCPconnectivityisenabledinthedatabaseconfigurationoptions. TheTCPconnectionisnotblockedbyfirewallsettingsonthedatabaseserverortheACE ManagementServerhost. IfyouareusingaPostgreSQLdatabase,configureperuserpermissiontoconnecttothedatabase overthenetwork.Configurethatpermissioninthepg_hba.conf file,whichislocatedintheroot folderofyourdatabase.
(Optional)OntheACEManagementServermachine,toverifytheserversconnectivitytothedatabase withtheconfiguredusercredentials,runacommandlineorgraphicalSQLtool. Examplesofsuchtoolsaresqlcmd.exeforSQLServer,sqlplus.exeforOracle,andpsqlfor PostgresSQL.Fordatabaseconfigurationandverificationinstructions,seetherespectivedatabase documentation.
OntheACEManagementServermachine,createaSystemDSNentry.
Creating a System DSN Entry for an External Database

TheonlyrequiredinformationinDSNconfigurationistheDSNname,serverIPaddressorhostname,andthe databasename.YoudonotneedtoprovideausernameandpasswordintheDSNconfiguration.Youprovide ausernameandpasswordlater,whenyouusetheACEManagementServerSetupapplication. EnsurethatyoucreateasystemDSNandnotauserDSN.IfyoucreateauserDSN,itisvisibleonlytoyour useraccount.ACEManagementServerrunsunderthelocalsystemaccount,sotheservercannotdetectoruse auserDSN. Create a System DSN Entry for a Windows Database Regardlessofwhetherthehostis32bitor64bit,youcreateaDSNentryfora32bitsystem. Beforeyoubegin,todeterminethecorrectODBCdriver,seeyouroperatingsystemanddatabase documentation. To create a System DSN entry for a Windows database 1 Dooneofthefollowing:
On32bithosts,usetheODBCDataSourcespluginbychoosingControl Panel>Administrative Tools>DataSources(ODBC). On64bithosts,navigateto%WINDIR%\syswow64\odbcad32.exeandusethatprogramtocreatea SystemDSNentryfora32bitsubsystem.
ACEManagementServerdoesnotsupportODBCusinganSQLNativeClientdriveronWindows64bit systems. 2 3 4 CreateanentrythatincludestheDSNname,serverIPaddressorhostname,andthedatabasename. (Optional)IftheDSNSetupwizardprovidesanoptiontotesttheconnection,verifythattheconnection workswiththedatabaseusercredentials. MakeanoteofthedatabaseDSN,username,andpassword.
YoucannowusethebrowserbasedACEManagementServerSetupapplicationtoconnecttothisdatabase.
VMware, Inc.
29
Create a System DSN Entry for a Linux Database OnLinuxsystems,youuseatexteditorortheODBCConfiggraphical(X11)utilitytocreateasystemDSNentry. TheODBCConfigutilitymimicstheWindowsODBCDataSourcesControlPanelplugin. Beforeyoubegin,determinethecorrectODBCdriver:

OnRedHatEnterpriseServer,thedriverislocatedat/usr/lib/libodbcpsql.so. OnSUSELinuxEnterpriseServer9,thedriverislocatedat/user/lib/unixODBC/libodbcpsql.so.2. TheDSNconfigurationfortheunixODBCpackageisstoredinthe/etcdirectory(/etc/unixODBCfor SUSELinuxEnterpriseServer).
IfyouareusingtheACEManagementServerappliance,seeSetUpaConnectionBetweentheServer ApplianceandanExternalDatabaseonpage 31. Youusetheodbc.inifileforcreatingDSNsandtheodbcinst.inifilefordriverandgeneralODBCsystem configuration. To create a System DSN entry for a Linux database 1 Asroot,usetheODBCConfigutilitytocreateaSystemDSNentry. YoualsomustconfiguretheserveraddressandthedatabasenameintheDSNsettings. ForinformationaboutusingunixODBC,seetheunixODBCProjectWebpage. TheODBCConfigutilitymakeschangestotheodbc.iniandodbcinst.inifiles. 2 MakeanoteofthedatabaseDSN,username,andpassword.
YoucannowusethebrowserbasedACEManagementServerSetupapplicationtoconnecttothisdatabase.
Increase the Number of Database Connections Allowed

Foroptimalserverperformance,ACEManagementServerstartsmultipleparallelthreads(onWindows)or processes(onLinux)listeningfortheincomingconnectionsfromtheclients.Everyclientconnectiontypically runsadatabasetransaction,soitneedstoopenadatabaseconnection. ACEManagementServerusuallyrequiresasmanydatabaseconnectionsasitdoesparallelthreadsor processesforclientconnections.Iftheserverrunsoutofdatabaseconnections,theclientsmightstartreceiving connectionerrors. Table 41includesalistofthelocationsfortheApacheconfigurationfileandthetypicaldefaultnumberof connections: Table 4-1. Apache Configuration File Locations and Default Client Connections
Platform Windows Location C:\Program Files\VMware\VMware ACE Management Server\Apache2\ conf\httpd.conf /etc/httpd/conf/httpd.conf /etc/apache2/server-tuning.conf /etc/httpd/apache2.conf Client Connections 250 (WinNTMPMsection)
RedHatEnterpriseLinux SUSELinux ACEManagementServer appliance
256 (preforkMPMsection) 150 (preforkMPMsection) 20 (preforkMPMsection)
ThedefaultinstallationofthePostgreSQLdatabaseonRedHatEnterpriseLinuxallows100 remote connections,whichislessthanthenumberofparallelthreadsthattheApacheserverstartsbydefaultonthe sameplatform.Changethisnumberifyouexpectahighvolumeofclientrequeststoyourserver(morethan 100activeclients).
30
VMware, Inc.
To increase the number of database connections allowed 1 2 InspecttheApacheconfigurationfileontheACEManagementServerhosttodeterminethenumberof parallelthreadsorprocessesthatmightstartatthesametime. ConfigurethedatabasetoallowasmanyconnectionsastheApacheserver. Seeyourdatabasedocumentation.
Enable Database Connection Pooling on Linux

EnablingdatabaseconnectionpoolingfordatabasesonLinuxhostscangiveasubstantialperformancegain underhighloads.ACEManagementServercanreusedatabaseconnectionsratherthanopeningnew connectionsforeveryrequest. EnabledatabaseconnectionpoolingintheODBCDriverManager(itisdisabledbydefault)tooptimize performanceforserversonLinuxplatforms. OnWindowsplatforms,ODBCconnectionpoolingisenabledbydefault. To enable database connection pooling on Linux 1 2 3 StarttheODBCConfigutilityasarootuser. ClicktheAdvancedtab. SelecttheConnectionPoolingcheckbox.
Set Up a Connection Between the Server Appliance and an External Database

TheACEManagementServerappliancedoesnotcontainaPostgreSQLdatabaseserver.Youcan,however,use anexternaldatabaseserverwiththeappliance. To set up a connection between the server appliance and an external database 1 2 Logintotheserverapplianceconsoleasroot,usingthepasswordyoucreatedduringyourfirstrunof theserverappliance. Openthe/etc/odbc.inifileinatexteditor. Forexample:
vaos# vi /etc/odbc.ini
Thisfilecontainsthepostgres_dsn settingfortheOBSCDSN. 3 Uncommentalllinesinthepostgres_dsn fileexceptthefirsttwo. Touncommentlines,deletethepoundsign(#)atthebeginningofeachline. 4 5 6 Replaceplaceholders<...>withthePostgreSQLdatabaseserverDNSnameorIP addressandthedatabase nameofthisserver. Usethedefaultportnumberorsetadifferentportnumber. Savethefile.
Afteryoucompletethistask,postgres_dsnappearsinthedropdownmenuontheDatabasetabintheACE ManagementServerSetupapplication.
VMware, Inc.
31
Prepare Custom Security Certificates

TousecustomSSLcertificates,eitheryourownselfsignedcertificatesorthoseofathirdpartyorinternalCA (certificateauthority),youmustprovidethecertificate,key,and(inthecaseofCAs)certificatechainfiles. ThesefilesmustbePEMencoded. Afteryoucreateorobtainthesefiles,uploadthemtoACEManagementServerbyusingtheCustomSSL CertificatestabintheACEManagementServerSetupapplication. FormoreinformationabouthowVMwareACEusesSSLcertificates,seeUsingSSLCertificatesandProtocol onpage 16. To prepare custom security certificates 1 Createorprovidetheneededfiles:

Foryourownselfsignedcertificate,usetheopensslutilitytocreateanewselfsignedcertificate. ForathirdpartyCAorinternalCA,obtainanSSLcertificatesignedbythatCA,anda certificateverificationchainfile. ThechainfileisaconcatenationofeverycertificaterequiredtoverifythenewSSLcertificateyou createdorobtained.DependingontheCAandcertificateissued,anexamplechainfilecouldbea concatenationoftherootcertificate,oneormoreintermediarycertificates,andtheservercertificate. EachoftheindividualpiecesmustbeSHA1encodedandinPEMformatbeforeconcatenation.Steps forobtainingthecertificatechainvary,dependingonwhichhostoperatingsystemyouareusingand onthesourcefromwhichtheCAcertificateisobtained.ACAauthoritymayprovidethecomplete chainoryoumayneedtoassemblethechainyourself.
Aprivatekeyfile.SSLencryptsdatathroughtheuseofapublickeyandprivatekeypair.Thepublic keyisknowntoeveryoneandtheprivatekeyisknownonlytothemessagerecipient.
ThecertificatesignaturesmustusetheSHA1algorithmdigest.ThefilesmustbePEMencoded. 2 Renamethefiles,asfollows:

Renametheprivatekeyfiletoserver.key. Renamethecertificatefiletoserver.crt. Renamethecertificatechainfiletochain.crt.
YoucannowusetheACEManagementServerSetupapplicationtouploadthecertificatefiles.
View the Properties of the Self-Signed Certificate File

ThisfileisstoredintheSSLdirectoryintheVMwareACEManagementServerprogramdirectory. To view the properties of the self-signed certificate file Dooneofthefollowing:

OnaWindowshost,navigatetothelocationoftheserver.crtfileanddoubleclickthefilename. OnaLinuxhost,usethefollowingcommand:
openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text
Toreplaceanexpiredcertificate,seePrepareCustomSecurityCertificatesonpage 32.Donotmodify certificatestomakethempermanent.
32
VMware, Inc.
Starting ACE Management Server Configuration

IfyouplantouseActiveDirectoryintegration(usingLDAP),anexternaldatabase,orcustomSSLcertificates, youmustperformsomesetuptasksbeforeconfiguringtheACEManagementServer.SeePrerequisitesfor ConfiguringtheServeronpage 27. ThetextthatappearsontheStarttabchanges,dependingonwhetheryouhavedoneaninitialconfiguration:
IfthispagesaysThisserverhasnotbeenconfiguredyet,youmustclickStarttocompletethe configurationsetupwizard. IfthispagesaysThisserverisconfigured,theNextandPreviouswizardbuttonsdonotappear.Youcan navigatetoothertabsbyclickingatab.
Viewing and Changing Licensing Information

AfteryouenteranACEManagementServerserialnumber,usetheLicensingtabtodeterminetheexpiration date,ifany. Theserialnumberisontheregistrationcardinyourpackage.IfyoupurchasedVMwareACEonline,theserial numberissentbyemail. IfthesystemonwhichyouinstalledACEManagementServercurrentlyhasmorethanonevalidserver license,justonelicenseappearsonthepage. YoucanusetheLicensingtabtoaddorchangeaserialnumber,username,orcompanyname. Ifyoumakechangestotheinformationonthistab,youmustclickApplyorCancelbeforeyoucannavigate toanothertab.
Using an External Database

TheembeddeddatabaseisanSQLitedatabase.VMwarerecommendsthatyouuseanexternaldatabasein productionenvironments. Theembeddeddatabaseisinitializedduringserverinstallationandrequiresnospecialconfiguration.This databaseisadequatefortestingpurposesbutisnotdesignedtobeeffectivelysharedacrossmultiple processes. BeforeyoucanconfiguretheACEManagementServertouseanexternaldatabase,youmustcreateasystem DSNandcredentialsforaccessingthatdatasource.SeeSetUpanExternalDatabaseonpage 28. UsethefollowinginformationtohelpyoucompletethefieldsontheDatabasetab:
DataSourceName(DSN)DatasourcenameyouusedwhenyoucreatedasystemDSNentryonthe ACEManagementServermachine. UserNameandPasswordCredentialsforauseraccountthathasfullaccesstothedatabase,including rightstocreatetables. Afteryouenterthedatabaseconnectioncredentials,thesetupapplicationchecksforanexistingdatabase.
CAUTIONAfteryouentercredentials,ifthemessageCompatible schema exists. Do you want to reinitialize the schema and overwrite the existing data?appears,selectUseexistingschema anddataunlessyouwanttoerasealldatainyourexistingdatabase.Toreinitializethedatabaseatsomelater time,youcanreopenthisconfigurationapplicationandreturntothispage. Iftheexistingschemaisnotcompatible,noschemaisavailableortheschemacannotbeupgraded.Ifyou overwritetheexistingschemaanddata,anewschemaiscreated.If youdonotoverwritetheexistingschema anddata,theconfigurationapplicationquits.
VMware, Inc.
33
Ifyouareupgradingtheserverfromthepreviousrelease,thedatabaseschemaisupgradedautomaticallyand youdonotloseyourpreviousdata.Theupgradeisperformedonthefirststartoftheupgradedserver,even ifyoudonotrerunthesetupapplication. IfyoumakechangestotheinformationontheDatabasetab,youmustclickApplyorCancelbeforeyoucan navigatetoanothertab.
Creating Access Control

OntheAccessControltab,youcancreatealocalAdministratorroleandHelpDeskroleoruseActive Directoryforauthenticatinguserswiththeseroles. BeforeyoucanconfiguretheACEManagementServertouseadomainaccountforauthentication,youmust createusersandgroupssothatACEManagementServercanconnecttotheLDAPserver.SeeCreateUsers andGroupsforIntegrationwithActiveDirectoryonpage 27. Usethefollowinginformationtohelpyoucompletethefieldsforauthentication:
LocalaccountIfyouspecifyapasswordfortheAdministratorroleandforgetorloseit,youmustdelete theserverconfigurationfile.Deletingthisfilesetstheserverbacktoitsinitialstate.Youmustreconfigure theserverandsettheadministratorpasswordagain. SeeDeletetheServerConfigurationFileandSetaNewAdministratorPasswordonpage 50.
Domainaccount(LDAP)TouseActiveDirectoryforauthentication,specifythehostandcredentials thattheACEManagementServerusestoconnecttoandquerythedomaincontroller:
HostNameEnterafullyqualifieddomainname(forexample,ldap.vmware.com)insteadofanIP addressorhostnamewithnoparentdomainname(forexample,ldap). QueryUsersAMAcountNameandQueryUserPasswordUsethepasswordandshortnamefor theuseraccountyoucreatedforthispurposeinActiveDirectory. QueryUserDomainThedomainmustbethedomainforwhichtheLDAPhostisadomain controller. AdminGroupDNandHelpDeskGroupDN(Optional)Enterthedistinguishednameforthese groups,whichyoucreatedforthispurposeinActiveDirectory(forexample, cn=Users,dc=simplecorp,dc=com). Ifthisoptionisnotenabled,anyonewhologsintotheHelpDeskapplicationmustbeamemberof theACEAdministratorsgroup.
HelpDeskRoleorGroupDNCreatingaHelpDeskroleallowsyoutopermitcertainuserstoperform HelpDesktasksfromtheHelpDeskapplication.Usersinthisrolecannotaccessotheradministrative tools.YoucanstilllogintotheHelpDeskWebapplicationwithyouradministrativeLDAPcredentialsor localAdministratorpassword.
IfyoumakechangestotheinformationontheAccessControltab,youmustclickApplyorCancelbeforeyou cannavigatetoanothertab.
Uploading Custom SSL Certificates

TohaveACEManagementServerusecustomSSLcertificates,eitheryourownselfsignedcertificatesorthose ofathirdpartyorinternalCA(certificateauthority),usetheCustomSSLCertificatestabtouploadthe PEMencodedfiles. BeforeyoucanuploadcustomSSLcertificates,youmustcreateandrenamethecertificatefiles.SeePrepare CustomSecurityCertificatesonpage 32.
34
VMware, Inc.
Bydefault,duringACEManagementServerinstallation,thefollowingtwofilesarecreated:

server.keyThisRSA1024bitkeyistheprivatekey. server.crtThisselfsignedcertificateisvalidfor10yearsfromthedateandtimeatwhichtheserveris installed.Itssignatureisverifiedbythepublickey,whichisembeddedinthecertificate.Thecertificate fileisencodedinPEMformat.
WhenyourunanACEinstance,theVMwarePlayerapplicationusesthecompletecertificationchainthatis includedinitspackage,notonthehost,toverifyconnectionsmadetoACEManagementServer.Therefore, theuseofselfsignedcertificatesisadequateformostsecurityneeds.Formoreinformationabouthow VMwareACEusessecuritycertificates,seeUsingSSLCertificatesandProtocolonpage 16. WhenyouclickUploadcertificates,asummarypagedisplaysthefilesandlocationsyouspecifyonthistab. Notethelocationofanybackupfiles.Youmightneedtousethebackupifyoufindthatthenewfileisinvalid whenyouclickApply.SeeRestoreaBackupCopyofanSSLCertificateonpage 50. AfteryouuploadcustomSSLcertificates,youmustupdateanyexistingACEenabledvirtualmachinestouse anewcertificateandkeyfile.Todoso,useWorkstationtocreateanupdatepackage.Whenyoudeploythe newpackage,ACEinstancesreceivethenewcertificatefileandcertificatechain.
Logging Events
Theservercollectslogentriesforeventsthatchangethedatabase.OntheLoggingtab,youcansetthelogging levelsandsetanoptionforpurginglogentries. ACEManagementServerusesthefollowingloggingcategories:

ACEAdministrationLogseventsforinstancecreation,update,anddestruction. PackageAdministrationLogseventsforpackagecreation,update,instancecustomization,andpackage removal. PolicyAdministrationLogseventsforpolicysetupdateandpublish,useraccesscontrolchanges,and instancepasswordssetbyanACEadministrator. InstanceAdministrationLogsACEinstancelifecycleevents,suchascreation,copying,revocation, reenablement,anddeletion.Alsologsinstancepasswordchangebyauseroranadministrator,changes inexpirationforeachinstance,changesofinstanceguestorhostoperatingsysteminformation,and settinginstancecustomfields.Thedebuglevelcanbeusedtologthemostubiquitoustrafficsuchas policyupdaterequestsfromactiveinstances.Failedinstanceverificationsareloggedonlyatthedebug level. AuthenticationLogseventsforeveryauthenticationrequest,suchasadministrationorhelpdesk authenticationattempts(atthenormallevel),instanceauthentication(attheinformationallevel),and remoteLDAPpasswordchange.Setloggingforthiscategorytothelowestlevelthatispracticalforyou. Thiscategorycangeneratealargevolumeofentries.
Foreachcategory,youcanchooseoneofthefollowinglogginglevels:

NoneNologentryismadeforthisevent. CriticalAnexampleofacriticallogeventisonethatremovesallpackages,instances,andpolicies associatedwithanACEenabledvirtualmachine. NormalThislevelofdetailissufficienttoanswermostqueries. InformativeEntriesfornondestructiveeventsthathavelimitedeffect. DebugEntriesforeveryclientaccessoftheserver.Itprovidesmorerecordsofcertaineventtypes, creatingalargenumberloggingentriescomparedtootherloglevels.Itlogsallinformationaltransactions, suchasinstancestatusandsoon.
VMware, Inc.
35
UsetheEventLogPurgingcontroltoconfiguretheamountoflogginginformationretained.Thepurge maintenanceprocessrunsapproximatelyeverysixhours. IfyoumakechangestotheinformationontheLoggingtab,youmustclickApplyorCancelbeforeyoucan navigatetoanothertab.
Applying Configuration Settings

TheRestartpageappearswhenyouclickApplyononeofthetabs.Youmustrestarttheserverforthe configurationsettingstotakeeffect. IfyouclickLater,youcanalwaysrestarttheserverbyclickingApplyonanyofthetabs,evenifyoudonot makechangesonthetab.
36
VMware, Inc.
Load-Balancing Multiple ACE Management Server Instances
Ifyouhavethousandsofclients,youcanconfiguremultipleVMwareACEManagementServerinstancesto worktogether.Youcansetuptwoormoreserversandusethemwithaloadbalancer. Thischapterincludesthefollowingtopics:

TypicalSetupUsingLoadBalancedACEManagementServerInstancesonpage 38 InstalltheRequiredServicesforLoadBalancingonpage 38 UsetheSameSSLCertificateonAllServersonpage 39 CreateNewSSLCertificatesandKeysforEachServeronpage 40 InstallingandConfiguringtheLoadBalanceronpage 41 VerifyThatACEInstancesAreUsingtheLoadBalanceronpage 41
VMware, Inc.
37
Typical Setup Using Load-Balanced ACE Management Server Instances

AsingleACEManagementServercanhandleapresetnumberofclients,butyoucanaddmoreserverstoyour ACEManagementServerinfrastructurebyusingloadbalancing.Whenyouaddmoreserverstothe loadbalancinggroup,thenumberofclientsthatyoucanservescaleslinearly.Forexample,ifyoucanserve 2,000 clientswithoneserver,usingtwoloadbalancedserversallowsyoutoserve4,000 clients. Figure 51showsasimpledeploymenttopologyforusingloadbalancing. Figure 5-1. Two ACE Management Server Instances Working Together
AMS Client
HTTPS HTTPS LDAP Kerberos
Active Directory domain controller
AMS Client
HTTPS
ACE Management Server 1 load balancer (optional)
ODBC LDAP Kerberos
database server
ODBC
AMS Client
HTTPS
HTTPS
ACE Management Server 2
Touseasetupsimilartotheonedepicted,youmusthavethefollowing:

Twoormoremachines(orvirtualmachines)tohosttheACEManagementServerprocesses AnexternaldatabasetohosttheACEManagementServerdata Aloadbalancingsolutiontomanagetraffic
Install the Required Services for Load Balancing

ServicesincludemultipleACEManagementServerinstances,anexternaldatabase,andWorkstation. To install the required services for load balancing 1 InstalltheACEManagementServerpackageontwoormoremachines(orvirtualmachines). SeeInstallingandUpgradingACEManagementServeronpage 20. 2 ConfigureeachACEManagementServerseparatelytoaccessthesameexternaldatabase. SeeStartandConfigureACEManagementServeronpage 24. BothACEManagementServerinstallationsmustbeabletoidentifythesamedatastoresoeither installationcanfieldqueriesforclientsandscalethenumberofclientsthatcanbeserved.
38
VMware, Inc.
Chapter 5 Load-Balancing Multiple ACE Management Server Instances
ToverifythatbothACEManagementServerinstancesareworkingproperly,startWorkstationand connecttoeachACEManagementServerdirectly: a b InWorkstation,chooseFile>ConnecttoACEManagementServer. EntertheIPorhostnameofthemachinewhereACEManagementServerisinstalled,changethe numberinthePortfieldifnecessary,andclickOK.
ThesetupissuccessfulifyoucanviewthesamedataintheInstanceViewwindowforeachACE ManagementServerinstance.IfyoucreateatestACEandpreviewit,youseethepreviewinstanceon bothservers.
Use the Same SSL Certificate on All Servers

Foraloadbalancingsolution,youcancopytheSSLcertificateandkeyfromoneACEManagementServerto another. CAUTIONThisproceduredirectsyoutouploadboththecertificatefile(the.crtfile)andthematchingkey file(the.keyfile).Ifyoudonotuploadboth,theApachehttpdserviceonthesecondACMManagement Servermightfreeze.Inthiscase,youmustuninstallandreinstallACEManagementServer. To use the same SSL certificate on all servers 1 2 LogintotheACEManagementServerSetupapplicationforthefirstACEManagementServer. ClicktheCustomSSLCertificatestabtodeterminethelocationoftheSSLcertificateandkeydirectory files.
OnWindows,thefilesarelocatedatC:\Program Files\VMware\VMware ACE Management Server\ssl. OnLinux,thefilesarelocatedat\var\lib\vmware\acesc\ssl.
Thecertificatefileisserver.crt.Thekeyfileisserver.key. 3 CopythefilestothesecondACEManagementServer. IfyouareusingtheACEManagementServervirtualappliance,usethescp(securecopy)commandto copythecertificateandkeyfiles: a b Openacommandprompt. Enterthefollowingcommand:

scp user@<host>:<file> user@<host>:<file>
YoucanalsoenablesharedfoldersifyouareusingWorkstationtorunthevirtualappliance,andcopythe filesfromthevirtualmachinethroughthesharedfoldersfeature.Formoreinformationaboutshared folders,seetheVMwareWorkstationUsersManual. 4 5 LogintotheACEManagementServerSetupapplicationforthesecondACEManagementServer. UsetheCustomSSLCertificatestabtouploadthefiles: a b c d SpecifythekeyfileintheServerPrivateKeyfield. SpecifythecertificatefileintheServerPublicCertificatefield. ClickUploadcertificates. ClickApplyandclickRestart.
VMware, Inc.
39
Create New SSL Certificates and Keys for Each Server

IfyoudonotwanttousethesameSSLcertificateandkeyforeachACEManagementServer,youmustcreate newSSLcertificatesandkeysforeachserver. IfyouplantoobtainSSLcertificatesfromacertificateauthority,youmustcreatecertificatechains.Figure 52 providesanoverviewofdeterminingwhichcertificatesareincludedinachain. Figure 5-2. Creating the Certificate Chain File
certificate verification chain convert to PEM then append to file
Root SSL Certificate
Certificate Chain File

[Root SSL Certificate in PEM format] [Intermediary SSL Certificate in PEM format] [AMS #1 SSL Certificate in PEM format] [AMS #1 SSL Certificate in PEM format]
convert to PEM then append to file
Intermediary SSL Certificate
Server SSL Certificates convert to PEM then append to file
ACE Management Server #1 SSL Certificate
ACE Management Server #2 SSL Certificate
convert to PEM then append to file
To create new SSL certificates and keys for each server 1 CreateasmanySSLcertificateandkeypairsasyouneed(oneforeachserverinyourserverfarm). Theprocedurevaries,dependingonthetoolsyouuse.Todeterminehowtocreatethesecertificatesand keys,seethedocumentationforyourplatform.Eachcertificatemusthaveauniquecommonnameanda uniqueserialnumber. 2 Ifyourcertificatesrequireacertificatechaintobeverified,createacertificatechainfileforeachcertificate. Thecertificatechainfileisatextfilethatcontainseverycertificate(inPEMformat)neededtoverifythe leafcertificate(includingtherootcertificateofthechain). a b Downloadtheverificationchainfromyourcertificateauthority. EachcertificatemustbeinPEMformatbeforeyoucreatethecertificatechainfile. ToconverttoPEMformat,usetheopenSSLtoolsavailableonline. c CreatethecertificatechainfilebyconcatenatingeachPEMencodedcertificateintoonefile.
Ifbothofyourcertificatesareselfsigned,yourcertificatechainfilemustbeafilethatcontains bothcertificatesconcatenated. Ifyoureceivedyourcertificatesfromthesamecertificateauthority,thechainfilemustcontain onlytheverificationchainforthesecertificates,andthechainsmustbethesame. Ifthecertificatescomefromdifferentcertificateauthorities,thechainfilemustcontainboth certificateverificationchains.
Forexample,ifyouareusingtwoACEManagementServerinstancesyouhavetwocertificatechainfiles.
40
VMware, Inc.
Chapter 5 Load-Balancing Multiple ACE Management Server Instances
Joinallofthecertificatechainfilesintoonefile. Ifyoucan,eliminatetheduplicateentries.
4 5 6
ConverttheserversSSLcertificatestoPEMformat. AddtheserversSSLcertificatesinPEMformattothecertificatechainfile. OntheCustomSSLCertificatestab,uploadtheSSLcertificatefile,theSSLkeyfile,andthecertificate chainfile: a b c d SpecifythekeyfileintheServerPrivateKeyfield. SpecifythecertificatefileintheServerPublicCertificatefield. ClickUploadcertificates. ClickApplyandclickRestart.
CompletethisstepforeveryACEManagementServerinyourfarmtouploadfilestoeachACE ManagementServer.
Installing and Configuring the Load Balancer

ACEManagementServerusesHTTPStocommunicatewithitsclients.Youcanuseanyloadbalancing solutionthatsupportsHTTPSwithACEManagementServer. Installtheloadbalancerandconfigureport443(HTTPoverSSL)forloadbalancing.Do notconfigure port 8080or8000forloadbalancing.Thesetwoportsareusedforconfiguration.Port 8080isthevirtual applianceconfigurationportand8000istheACEManagementServerconfigurationport.
Verify That ACE Instances Are Using the Load Balancer

AfteryouconfiguremultipleACEManagementServerinstancestoworkwithaloadbalancerandinstallthe necessarySSLcertificates,performverification.VerifythatACEinstancescanconnecttoACEManagement Serverinstancesbyusingtheaddressoftheloadbalancer. Beforeyoubegin,restartWorkstationsothatWorkstationcandownloadtheSSLcertificatewhenaconnection totheACEManagementServerisestablished. MakesurethatthirdpartyCAcertificatespasswordsdonothavemorethan8characters. To verify that ACE instances are using the load balancer 1 2 3 4 5 6 CreateanACEenabledvirtualmachine. Openthepolicyeditor. SelectPolicyUpdateFrequency. SelectDisableOfflineUsageandclickOK. RemovethefirstACEManagementServerfromtheloadbalancingconfigurationsothatalltrafficgoesto thesecondACEManagementServer. PreviewtheACEinstance. ThispreviewcreatesaninstanceontheACEManagementServer. 7 8 ClosetheACEPlayer. RemovethesecondACEManagementServerfromtheloadbalancingconfigurationandaddthefirst ACEManagementServerbacktotheconfiguration. AlltrafficgoestothefirstACEManagementServer. 9 PreviewthesameACEinstanceagain,andwhenpromptedwhethertoreinstantiateorreusetheinstance, selectUseExistingInstance. Iftheinstancestartssuccessfully,bothserversareusingthesameSSLcertificate.
VMware, Inc. 41
42
VMware, Inc.
Managing ACE Instances
AfterACEManagementServerisinstalledandconfigured,youcandothefollowing:

ViewACEinstancesthataremanagedbyaparticularACEManagementServer. Revokeandreenableaninstance. FixvariousproblemswiththeACEinstancesasreportedbyinstanceusers.

ViewingACEInstancesThattheServerManagesonpage 43 SearchforanInstanceonpage 45 SortbyColumnHeadingandChangeColumnWidthonpage 46 Show,Hide,andMoveColumnsintheInstanceViewonpage 46 CreateorDeleteCustomColumnsintheInstanceViewonpage 46 ViewInstanceDetailsonpage 47 Reactivate,Deactivate,orDeleteanACEInstanceonpage 47 ChangeaCopyProtectionIDonpage 47 ResettheAuthenticationPasswordonpage 48 AddInformationforCustomColumnsonpage 48
Viewing ACE Instances That the Server Manages

ToviewandmanageaserversACEinstances,youcanuseeithertheInstancespageoftheVMwareACEHelp DeskortheserversinstanceviewinWorkstation. BothuserinterfacesenableyoutofixalimitedsetofACEinstanceproblems,suchasreactivatinganinstance, changingtheinstancesexpirationdate,andresettingtheuserpasswordiftheuserhaslostorforgottenit. BecausetheVMwareACEHelpDeskisabrowserbasedapplication,youcanuseitoncomputersthatdonot haveWorkstationinstalled.TheHelpDeskalsoallowsyoutocreatearestrictedhelpdeskrole.Userswiththis rolecanfixalimitedsetofproblemsreportedbyendusers,buttheycannotchangeconfigurationsettingsfor theACEManagementServer. TheinstanceviewinWorkstationenablesyoutoperformallthetasksavailableintheVMwareACEHelpDesk andafewmoretasks.Forexample,intheinstanceview,youcancreatecustomcolumnsandsavethesearches youcreate.
VMware, Inc.
43
Use the VMware ACE Help Desk Application

ACEadministratorsandhelpdeskassistantscanaccessACEinstancesthroughtheVMwareACEHelpDesk Webapplication.YoucanusetheHelpDesktoreactivateaninstance,changetheinstancesexpirationdate, andresetauserpasswordifitislostorforgotten. To use the VMware ACE Help Desk application 1 OpenaWebbrowserandgotohttps://<hostname>:8000. The<hostname>valuecanbethefullyqualifiednameofthecomputeronwhichACEManagement ServerisinstalledoritcanbeanIPaddress. IfyouinstalledACEManagementServeronaWindowshostandyouareusingthathosttoconfigureit, youcanalternativelychooseStart>VMware>VMwareACEManagementServer. 2 3 ClicktheHelpDesklink. Supplythelogininformation. Usethefollowinginformationtohelpyoucompletethefieldsthatappearinthiswindow:
UserNameandPasswordIfahelpdeskrolewascreated,entercredentialsforthatrole.Otherwise, entercredentialsforadministeringtheACEManagementServer. DomainInmultidomainenvironments,youmightberequiredtoenteradomain(forexample, eng.com).
TheVMwareACEHelpDeskopenstheInstancespage,whichcontainsasummarytableofalltheinstances thattheservermanages.
Use the Instance View in Workstation

ACEadministratorscanaccessACEinstancesthroughtheinstanceview.Youcanusetheinstanceviewto reactivateaninstance,changetheinstancesexpirationdate,andresetauserpasswordifitislostorforgotten. TheinstanceviewinWorkstationenablesyoutoperformallthetasksavailableintheVMwareACEHelpDesk andafewmoretasks.Intheinstanceview,youcancreatecustomcolumnsandsavethesearchesyoucreate. Youmusthaveadministratorcredentialstousetheinstanceview. Aninstancehasoneofthefollowingstatustypes: Active Theinstanceisactiveandavailableforimmediateuse.
Deactivated
Thisinstancewaspurposelydeactivated.Youmust reactivateittomakeitusableagain. Theinstanceisstillactivebutisblocked(cannotberun) becauseofaviolationofapolicysuchasexpirationdate orcopyprotection.Fordetails,viewtheserverlogfor thatinstance.
Blockedby policies
TheValidFromandValidUntilcolumnsindicatetheperiodthattheinstanceisvalid.Theinstanceexpires aftertheValidUntildate.Ifnoexpirationdateissetfortheinstance,thosecolumnsareempty.
44
VMware, Inc.
Chapter 6 Managing ACE Instances
To use the instance view in Workstation 1 2 FromtheWorkstationmenubar,chooseFile>ConnecttoACEManagementServer. SpecifythefullyqualifiedhostnameortheIPaddressandclickOK. Inmostcases,thedefaultportnumberdoesnotneedtobechanged. 3 Completetheloginwindow. Usethefollowinginformationtohelpyoucompletethefieldsthatappearinthiswindow:

UserNameandPasswordEntercredentialsforadministeringtheACEManagementServer. DomainInmultidomainenvironments,youmightberequiredtoenteradomain(forexample, eng.com).
Search for an Instance

YoucanusethesearchfunctiontoquerytheACEManagementServerdatabaseforoneormoreparticular ACEinstances.SearchcriteriaarejoinedwithAND,notOR,operations. Beforeyoubegin,dooneofthefollowing:

LogintotheVMwareACEHelpDeskforanACEManagementServer. ConnecttoanACEManagementServerfromtheWorkstationwindow.
To search for an ACE instance 1 ClickSearchandspecifythecriteriatobeincludedwhenthedatabaseisqueried. Usethefollowinginformationtohelpyouspecifysearchcriteria:
ActivatedByActivationmethod,suchaspassword,ActiveDirectoryuser,oractivationkey.Ifno suchactivationmethodexists,N/Aappearsinthecolumn. ACEVMNameNameoftheACEenabledvirtualmachinefromwhichtheACEinstancewas created. GuestName(ForWindowsguestsonly)Computernameresolvedontheusersmachineduring instancecustomization,ifyouusethatfeature.The NetBIOSnameisreportedhere,anditisa maximumof15characterslong.Eveniftheactualcomputernamecontainsmorecharacters,thename alwaysappearsastheNetBIOSname. CustomcolumnsCustomcolumnsthatyoucreatedappeardirectlybelowtheGuestMACAddress criterion. ExactmatchonlyValuesarecasesensitive. Saveas(AvailableintheWorkstationinstanceviewonly)Savedsearchesarespecifictoeachserver. YoucaneditordeleteyoursavedsearchesbyselectingthenameofasavedsearchintheSaved SearchesdropdownmenuandclickingOptions.
ClickSearch. Inthesearchresults,thetotalnumberofinstancesappearsjustbelowthetable.
Tonavigatethroughalargenumberofresults,dooneofthefollowing:
IntheVMwareACEHelpDesk,clickthepreviousandnextarrowsattherightofthestatusbaratthe bottomoftheInstancestable. IntheinstanceviewinWorkstation,scrolldown.
Toreturntothefulllist,dooneofthefollowing:

IntheVMwareACEHelpDesk,clicktheBacktoallinstanceslink,locatedbelowtheSearchbutton. IntheinstanceviewinWorkstation,clickClearSearch.
VMware, Inc.
45
Sort by Column Heading and Change Column Width

Youcanreordertheinstancesinthetablealphabeticallyornumerically,dependingontheselectedcolumns contents,inascendingordescendingorder. To sort by column heading and change column width 1 Clickthecolumnheadingofthecolumntosort. Clickagaintoresortintheopposite(ascendingordescending)order. 2 Tochangecolumnwidths,clickacolumndivideranddragittoanewwidth.
Show, Hide, and Move Columns in the Instance View

AlthoughyoucansortandresizecolumnsineithertheVMwareACEHelpDeskortheWorkstationinstance view,youcanshow,hide,andmovecolumnsonlyintheWorkstationinstanceview. Columnchangesforoneserverdonotaffectotherservers. To show, hide, and move columns in the instance view 1 InWorkstation,connecttotheACEManagementServerandlogin. SeeUsetheInstanceViewinWorkstationonpage 44. 2 Toshoworhideacolumn,rightclickthecolumnheadingrowandselectordeselectthecolumntoshow orhide. Ifyoushowacolumnthatwaspreviouslyhidden,thecolumnisaddedtotherightsideofthetable. 3 Tomoveacolumn,clickthecolumnheader,dragthecolumntoanewlocation,andreleasethemouse button.
Create or Delete Custom Columns in the Instance View

CustomcolumnsenableyoutoaddcategoriesofinformationabouttheinstancesthatanACEManagement Servermanages.Forexample,youcanaddaHelpTicketcolumntorecordtheIDassociatedwithendusers supportrequests. YoucancreatecustomcolumnsonlyintheWorkstationinstanceview.Intheinstanceviewtable,youcanadd, delete,andrenameuptoninecustomcolumns. To create or delete custom columns in instance view 1 InWorkstation,connecttotheACEManagementServerandlogin. SeeUsetheInstanceViewinWorkstationonpage 44. 2 3 4 RightclickthecolumnheadingrowandchooseAddCustomColumn. TypeanameforthenewcolumnintheNametextboxandclickOK. Tochangethenameofordeleteacustomcolumn,rightclickthecustomcolumnheaderandchoosea commandfromthecontextmenu.
Afteryoucreateacustomcolumn,usetheInstanceDetailspageforeachACEinstancetoaddinformationto display.SeeAddInformationforCustomColumnsonpage 48.
46
VMware, Inc.
Chapter 6 Managing ACE Instances
View Instance Details

TheInstanceDetailspagedisplaysallofthesameinformationshownonthesummarypage,anditincludes informationabouttheACEinstancespolicysettings. Youcanreactivate,deactivate,orchangetheexpirationdatefromtheInstanceDetailspage,asyoucanfrom thesummarypage.ThefollowingtasksareavailableonlyfromtheInstanceDetailspage:

ChangingthecopyprotectionID Resettingtheauthenticationpassword Addinginformationforcustomcolumns
To view instance details 1 2 3 Selecttheinstancebyclickingitsinstancerow. ClicktheViewdetailiconatthetopofthetableordoubleclicktheinstancerow. IfyouusetheVMwareACEHelpDesk,toviewdetailsaboutnetworkaccess,clickthelinksunderZone, HostAccess,orGuestAccess. YoucanviewtheZonesorRulesDetailpageforthiszoneorthistypeofnetworkaccess. TheEverywhereandEverywhereelsezonesettingsarenotlinkedtoaZonesDetailpagebecausethey areselfexplanatory.
Reactivate, Deactivate, or Delete an ACE Instance

Youcanimmediatelydenyorallowaccesstoaninstancebydeactivatingorreactivating it.Afteryou deactivateaninstance,youcandeleteitfromthelistofinstancesthattheservermanages. Beforeyoubegin,dooneofthefollowing:

To reactivate, deactivate, or delete an ACE instance 1 2 3 4 5 Selecttheinstancebyclickingitsinstancerow. ClicktheDeactivateorReactivateiconintheupperleftcorneroftheInstancespage. IfyouclickedReactivate,whenprompted,resettheexpirationdates. (Optional)IfyouclickedDeactivate,clickDeletetodeletetheinstancerow. ClickOK.
Change a Copy Protection ID

IfanenduserattemptstocopyormoveacopyprotectedACEinstance,theuserreceivesanerrormessage thatcontainsanewcopyprotectionID.AftertheendusersendsthatIDtoyou,theadministrator,youcanuse ittoreplacetheoriginalID. Beforeyoubegin,dooneofthefollowing:

TheCopyProtectionIDfieldisalwaysactive,soyoucanchangetheIDatanytime. CAUTIONIfyouchangeacopyprotectionIDforanactiveinstance,theoriginalinstancenolongerruns.
VMware, Inc.
47
To change a copy protection ID 1 2 3 Selecttheinstancebyclickingitsinstancerow. ClicktheViewdetailiconatthetopofthetableordoubleclicktheinstancerow. Dooneofthefollowing:
IntheVMwareACEHelpDesk,replacethealphanumericstringintheCopy ProtectionIDfieldwith anewIDandclicktheSaveiconatthetopofthepage. InWorkstation,clickthePoliciestab,replacethecopyprotectionIDwithanewID,andclickOK.
Reset the Authentication Password

Youcanresetpasswordsforinstanceswithuserspecifiedpasswords.Thenewpasswordmusthaveatleast onecharacter. To reset the authentication password 1 2 3 Selecttheinstancebyclickingitsinstancerow. ClicktheViewdetailiconatthetopofthetableordoubleclicktheinstancerow. ClickResetPasswordandspecifyanewpassword. IntheWorkstationinstanceview,thisbuttonappearsonthePoliciestab. 4 Sendthenewpasswordtotheuserinanemailmessage.
Add Information for Custom Columns

AlthoughyoumustusetheinstanceviewinWorkstationtocreatecustomcolumns,youcanaddinformation tocustomcolumnfieldsineithertheinstanceviewortheVMwareACEHelpDesk. Beforeyoubegin,ifnecessary,usetheinstanceviewinWorkstationtocreatecustomcolumns.SeeCreateor DeleteCustomColumnsintheInstanceViewonpage 46. To add information for custom columns 1 2 3 Selecttheinstancebyclickingitsinstancerow. ClicktheViewdetailiconatthetopofthetableordoubleclicktheinstancerow. Dooneofthefollowing:
IntheVMwareACEHelpDesk,entercustomvaluesinoneormorecustomfieldsandclicktheSave iconatthetopofthepage. InWorkstation,clicktheCustomtab,entercustomvaluesinoneormorecustomfields,andclickOK.
48
VMware, Inc.
Troubleshooting and Maintenance

TroubleshootingConfigurationProblemsonpage 49 ConfiguringMultipleACEManagementServerInstancestoUseSSLonpage 51 DatabaseBackuponpage 52
Troubleshooting Configuration Problems

CommonconfigurationproblemsincluderesolvingconnectionproblemsandportconflictsandresettingACE administratorpasswords.
Connection Problems Between a Linux ACE Instance and ACE Management Server
IfanACEinstanceonaLinuxhostcannotcontacttheserver,determinewhetherafirewallorproxysettingis blockingorreroutingHTTPStrafficonport443. Bydefault,HTTPStrafficfromtheVMwarePlayertoACEManagementServerisroutedonport443.Disable thefirewallorturnofftheproxysettingtoallowVMware Playertoservertrafficonthatport.
Change the Port Assignment for ACE Management Server

ACEManagementServerisamodulerunningontheApache2.0platform.Tochangetheportthattheserver listenson,youmustmanuallyedittheApacheconfigurationfile. To change the port assignment for ACE Management Server 1 Usingatexteditor,opentheACEManagementServercomponentHTTPconfigurationfile. Dependingontheserversoperatingsystem,thefileisplacedinoneofthefollowinglocations:
WindowsC:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf RedHatEnterpriseLinux4/etc/httpd/conf.d/acesc.conf SUSELinuxEnterpriseServer9SP3/etc/apache2/conf.d/acesc.conf
ThispathisdifferentifVMwareACEManagementServerisinstalledinadifferentlocation.Usethepath youestablishedforyourserver. 2 LocatethelineentryinthefilethatreadsListen 443andchangetheportnumber. Youcannotuseport8000,whichtheserverusesforconfiguration,orport 8080,whichtheACE ManagementServerapplianceuses.
VMware, Inc.
49
LocatethesectionheaderfortheVirtualServerconfigurationforport 443. Thislinelookssimilartothefollowing:

<VirtualHost -default_:443>
Changetheportnumberinthesectionheadertothedesiredportnumber. Forexample,tochangetoport8443,change443to8443.
5 6
Savethefile. StopandstarttheApacheservice. Forinstructions,seeVerifyThattheApacheServiceIsStartedorRestartedonpage 23.
WhenyoucreateanACEenabledvirtualmachine,youcanspecifywhichportistobeusedtocommunicate withACEManagementServer.
Delete the Server Configuration File and Set a New Administrator Password
Ifyouloseorforgettheadministratorpassword,youmustdeletetheconfigurationfileandreconfigurethe server.Aspartofthatconfiguration,yousetanewpassword. To delete the server configuration file and set a new administrator password 1 NavigatetothelocationoftheACEManagementServerconfigurationfile: Dependingontheserversoperatingsystem,thefileisplacedinoneofthefollowinglocations:

WindowsC:\Program Files\VMware\VMware ACE Management Server\conf\acesc.conf Linux/var/lib/vmware/acesc/conf/acesc.conf
2 3 4
Saveacopyofthefiletoanewlocationsothatyoucanrefertoitwhenyoureconfiguretheserver. Deletetheoriginalconfigurationfile. StarttheACEManagementServerSetupapplicationandconfiguretheserveragain,specifyinga passwordontheAccessControltab. SeeStartandConfigureACEManagementServeronpage 24.
ContinuewiththeACEManagementServerSetupapplicationinoneofthefollowingways:

Ifthisistheinitialconfigurationoftheserver,clickNext. Ifyouarereconfiguringtheserver,clickApplyandclickRestartorLater. IfyouclickLater,youmustrestarttheserverfortheconfigurationchangestotakeeffect.Youcan restarttheserverbyclickingApplyonanyofthetabs,evenifyoudonotmakechangesonthetab.
Restore a Backup Copy of an SSL Certificate

Ifyouuploadaninvalidcertificatefile,theACEManagementServerSetupapplicationfailswhenyouclick ApplyandthenRestartandyoucannotrestarttheApacheservice.Tofixthisproblem,restorethebackup certificatefileforthecorrespondingcertificate.
50
VMware, Inc.
Chapter 7 Troubleshooting and Maintenance
To restore a backup copy of an SSL certificate 1 NavigatetotheACEManagementServerdirectorywherethebackupisstored. Thefilenamesusethefollowingformat: <certificate_filename>.<date>-<time> The<certificate_filename>valueisoneofthefollowing:

server.crtTheserverpubliccertificate server.keyTheserverprivatekey chain.crtThecertificatechain
The <date>portionofthefilenameisintheformatYYYYMMDD(year,month,day). The <time>portionofthefilenameisintheformatHHMMSS(hours,minutes,seconds). Forexample,afilenamemightbeserver.crt.20070216-095344. 2 Savethefileinthecorrectlocationasssl/<filename>.crt and restarttheApacheservermanually. SeeVerifyThattheApacheServiceIsStartedorRestartedonpage 23. 3 StarttheACEManagementServerSetupapplicationandusetheCustomSSLCertificatestabtoupload thebackupcopy. StartandConfigureACEManagementServeronpage 24.
Configuring Multiple ACE Management Server Instances to Use SSL

YoumightconfiguremultipleACEManagementServerinstancestouseSSLinthefollowingscenarios:
Multipleserversbehindoneormoreproxyservers:

EachservercanhaveitsownSSLkeyandcertificate(ACEManagementServerandproxyserver). Thecert_chainfilemustcontainthecertificatefileandverificationchainfortheSSLcertificatesthat theproxyserversareusing.Placethiscert_chainfileineachACEManagementServer. Whenselfsignedcertificatesarebeingused,theactualcertificateistheverificationchain.Thechain filecontainseachselfsignedcertificatebeingthattheproxiesareusing. Youcanalsousethesamekeyandcertificateforeveryserverandproxy.Inthiscase,youdonotneed tocreateacert_chainfile. Eachcertificatemusthaveauniquecommonname.
MultipleserversusingDNSroundrobin:

EachservercanhaveitsownSSLkeyandcertificate(ACEManagementServerandproxyserver). Thecert_chainfilemustcontainthecertificateandverificationchainforeverycertificatethatthe serversuse.PlacethiscertificatechainfileineachACEManagementServer. Whenselfsignedcertificatesarebeingused,theactualcertificateistheverificationchain.Thechain filecontainseachselfsignedcertificatethateachoftheserversisusing. Youcanusethesamekeyandcertificateforeveryserver.Inthiscase,youdonotneedtocreatea cert_chainfile.
SeealsoChapter 5,LoadBalancingMultipleACEManagementServerInstances,onpage 37.
VMware, Inc.
51
Database Backup
Ifyouareusinganexternaldatabase,useabackupandrecoverystrategythatisappropriateforyourdatabase system.BackupyourACEManagementServerdatabaseonaregularbasistoensurethatthedatabasecanbe recoveredpromptlyifneeded. Ifyouareusingtheembeddeddatabase,youcanusestandardfilebackuptools,suchasntbackupordd.The dataisstoredinoneofthefollowinglocations:

WindowsC:\Program Files\VMware\VMware ACE Management Server\db\acesc.bin. Linux/var/lib/vmware/acesc/db/acesc.bin
Ifyouareusingtheembeddeddatabaseinaproductionenvironment,stoptheserver,copythefiletoa differentlocationforthebackup,andrestarttheserver.SQLiteisfilebased,sothedatabasefilemightbe modifiedbytheACEManagementServerprocessatthesametimethatitisbeingcopiedforbackup.An inconsistentdatabasesnapshotmightbeproduced.Thisproblemisunlikelytooccurbecausethefileisusually notlargeandiscopiedquickly. Otheralternativesforbackingupanopendatabase,asrecommendedbymembersofanSQLitecommunity, arethefollowing:
Usethesqlite3commandlinetooltologintotheSQLitedatabase.Usethe.dumpcommand,storethe resultinaseparatefile,andbackupthatresultfile.AnSQLscriptrecreatesthedatabase. UsetheShadowVolumeCopymechanismonWindowssystemsorLVMvolumesnapshotsonLinux(and thecrashrestorefeatureofSQLite)tobackupthecompletedatabasedirectory,includingjournalfilesif theyarepresent.OnaWindowsXPSP1orlateroperatingsystem,usentbackuponthedatabase directory. Usethesqlite3commandlinetooltologintotheSQLitedatabase.UsetheBEGIN EXCLUSIVE command,copythedatabasefile,andthenusetheCOMMITcommand.
Forinformationtohelpyouuseyourcompanysownmanagementorreportingtoolsorautomatedscripts withthedataintheVRMdatabase,seeAppendix:DatabaseSchemaandAuditEventLogDataonpage 53.
52
VMware, Inc.
Appendix: Database Schema and Audit Event Log Data
Thisappendixexplainstheformatofthedatastoredinthedatabaseandthebestwaystoaccessthisdata.This appendixincludesthefollowingtopics:

UsingDatabaseReportingToolsonpage 53 DatabaseSchemaonpage 53 QueryingtheAuditEventLogDataonpage 57
Using Database Reporting Tools

YoucanuseathirdpartydatabasemanagementorreportingtoolwiththeVMwareACEManagementServer database.Youcancreatecustomreportsofthesystemstatebyusingareportingtool.Youcanalsousea reportingtooltoinspecttheaudittrailoftheadministratororuseractionsstoredintheEventtable.For example,youmightfindactiveinstanceswithoutdatedACEpolicysets,orexcessivefailedauthentication attempts. TheRDBMSaccesscontrolmechanismprotectsthedatastoredinthedatabase.Donotallowthedatabaseuser accountthatyourreportingtoolusestohaveahigherthannecessarylevelofaccesstothedata.Otherwiseyou mightcompromisethesecurityofyourVMwareACEsystem. Forexample,reportingtoolstypicallydonotneedwriteaccesstothedatabase.Instead,youcancreatea separatereadonlyaccountforthereportingtool.Youmightalsowanttodisallowreadaccesstodatabase fieldsthatcontainsensitiveinformation,suchasuserpasswords,instancecustomizationdata(whichmight havethedomainadministratorlogin),orinstancediskencryptionkeys.TheembeddedSQLitedatabasedoes notsupportauthentication,soaccesscanbeprotectedonlybyfilebasedsecuritythatprovidesreadonly permissionsorpermissionstoperformanyoperation.
Database Schema
TablesintheACEManagementServerdatabaserepresentthemajorconfigurationobjectsofACE ManagementServer,includingAce,Package,Instance,AccessPolicy,RuntimePolicy,andUserData,which containsimagecustomizationsettingsandotherdataforeachuser.Administratoranduseractionsareaudit loggedintheEventtableinthedatabase,whilepossibleeventtypesarelistedintheEventTypetable. Notethefollowingaboutthedatabaseschema:

Afewtableswithinternalsysteminformationandindexesarenotlisted. BooleanvaluesarestoredasstringswithTRUEorFALSEvalues. Timestampsarestoredasdecimal64bitnumberstringsshowingthenumberofmicrosecondsfrom12:00 a.m01/01/1970.
VMware, Inc.
53
Otherdatesandtimesarestoredasdecimalstringsshowingthenumberofsecondsfrom12:00a.m 01/01/1970. ACE,Package,Instance,Access,andUserDatarecordsareneverdeletedfromthedatabase.Theyare markedasdeletedwiththedeletedfieldsettoTRUE,sothatthepreviousinformationcanbeinspected forauditpurposes. TheguestandhostoperatingsystemportionsoftheACEpolicysetarestoredinthe PolicyDb_RuntimePolicytableinrespectivefieldsasstrings,iftheirsizeislessthan2000bytes.Ifthe policycomponentexceeds2000bytes,thestringissplitin2000bytechunksandstoredinthe PolicyDb_LongFieldtable.Inthiscase,thevaluefortherespectiveExtKeyfieldintheRuntimePolicytable containstheforeignkeypointingtothecorrespondingseriesofstringsintheLongFieldtable(seethe notesinthetabledefinition).
Thefollowingisthedatabaseschemascript.
/* Name value pairs of service information, e.g. DB schema version number */ CREATE TABLE PolicyDb_MetaInfo ( name VARCHAR(128), /* Name of the name-value pair */ value VARCHAR(1024), /* Value of the name-value pair */ PRIMARY KEY(name)); /* This table holds data for guest and host policy sets, split in 2K chunks */ /* Select all fields for the key in the order of index and append strings together */ /* to reconstruct the policy set */ CREATE TABLE PolicyDb_LongField ( longFieldKey VARCHAR(128), /* Unique ID of the long field series */ longFieldIndex INTEGER, /* Index in the series */ longFieldValue VARCHAR(2000), /* Up to 2000 chars of field value chunk */ sessionExpires VARCHAR(21), /* Optional field for storing session blob */ PRIMARY KEY (longFieldKey, longFieldIndex)); /* ACE Master data */ CREATE TABLE PolicyDb_Ace ( aceUID VARCHAR(128), /* Unique ID (primary key) */ aceName VARCHAR(128), /* Name of this ace */ activePolicySetVersion INTEGER NOT NULL, /* Soft foreign key to active RT policy*/ aceTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */ aceTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */ deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */ PRIMARY KEY(aceUID)); /* Package data */ CREATE TABLE PolicyDb_Package ( packageUID VARCHAR(128), /* Unique ID (primary key) */ aceUID VARCHAR(128) NOT NULL, /* The ACE it belongs to. */ pkgName VARCHAR(128), /* UI visible name. */ pkgUseValidDates VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Use validity dates or always valid */ pkgValidDateStart VARCHAR(21) NOT NULL, /* The package is valid from this date.*/ pkgValidDateEnd VARCHAR(21) NOT NULL, /* The package is valid till this date.*/ pkgDisabled VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Is the package disabled */ pkgProtectionKey VARCHAR(1024), /* The key used for package distribution */ pkgPreview VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Is preview package */ pkgTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */ pkgTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */ deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */ PRIMARY KEY(packageUID), FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID)); /* Access Control object data (single item of the list, associated with ACE CREATE TABLE PolicyDb_Access ( accessPK VARCHAR(128), /* Unique ID (primary key) */ aceUID VARCHAR(128), /* Ace for which this access policy identityData VARCHAR(128), /* Internal representation, SID /* case, token value goes here. accVersion INTEGER NOT NULL, /* Access object version number Master)*/
is (FK)*/ in AD */ */ */
54
VMware, Inc.
identityType INTEGER NOT NULL, /* AD User, Group, or Token Value */ identityName VARCHAR(128), /* UI visible user/group name in AD case */ accUseInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Limit number of instances for this ID? */ accInstanceLimit INTEGER NOT NULL, /* Max no. of ACE instances allowed */ accTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */ accTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */ deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */ PRIMARY KEY(accessPK), FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID)); /* ACE Instance object data */ CREATE TABLE PolicyDb_Instance ( instanceUID VARCHAR(128), /* VM instance ID (primary key) */ packageUID VARCHAR(128) NOT NULL, /* The package it belongs to. */ aceUID VARCHAR(128) DEFAULT '' NOT NULL, /* The ACE Master it belongs to */ creatorIdName VARCHAR(128) NOT NULL, /* Display name of the activator user */ creatorIdData VARCHAR(256), /* Fully qualified name of the activator */ creatorAuthType INTEGER NOT NULL, /* The type of access check at activation */ activationDate VARCHAR(21) NOT NULL, /* The date and time for the activation. */ lastPolicyCheck VARCHAR(21) NOT NULL, /* Last time when the player called server */ revocationDate VARCHAR(21) NOT NULL, /* When the instance was revoked */ replacementDate VARCHAR(21) NOT NULL, /* When replaced because of Copy Protect. */ /* policy */ inheritsExpiration VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Use expiration info from Policy Set */ insUseValidDates VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Use validity dates or always valid */ insValidDateStart VARCHAR(21) NOT NULL, /* The instance is valid from this date*/ insValidDateEnd VARCHAR(21) NOT NULL, /* The instance is valid till this date*/ insPassword VARCHAR(128), /* The login password for non-AD */ /* authentication for this instance */ hostName VARCHAR(128), /* The name of the host PC the VM runs on */ hostIp VARCHAR(128), /* The IP addr of the host the VM runs on */ insProtectionKey VARCHAR(1024), /* Instance VM disk encryption key */ copyProtectionId VARCHAR(1024), /* Stores location of the copy */ insPreview VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Is preview instance */ guestIpAddress VARCHAR(128) DEFAULT '', /* Reported VM IP address */ guestMacAddress VARCHAR(128) DEFAULT '', /* Assigned VM MAC address */ guestMachineName VARCHAR(128) DEFAULT '', /* The guest (VM) OS host name */ guestConfigStatus INTEGER DEFAULT 0, /* The completion status of guest */ /* auto-configuration */ guestConfigMsg VARCHAR(512), /* Message for the guest auto-config */ insTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */ insTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */ deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */ insCustom1 VARCHAR(255), /* User-defined field */ insCustom2 VARCHAR(255), /* User-defined field */ insCustom3 VARCHAR(255), /* User-defined field */ insCustom4 VARCHAR(255), /* User-defined field */ insCustom5 VARCHAR(255), /* User-defined field */ insCustom6 VARCHAR(255), /* User-defined field */ insCustom7 VARCHAR(255), /* User-defined field */ insCustom8 VARCHAR(255), /* User-defined field */ insCustom9 VARCHAR(255), /* User-defined field */ PRIMARY KEY(instanceUID), FOREIGN KEY(packageUID) REFERENCES PolicyDb_Package(packageUID), FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID)); /* MAC Address Pool (reserved for future use) */ CREATE TABLE PolicyDb_MacPool ( macPoolUID VARCHAR(128), /* primary key */ aceUID VARCHAR(128) NOT NULL, /* ACE for which this MacPool is used */ macPoolName VARCHAR(128), /* User visible name */ description VARCHAR(128), /* name and description of the MAC pool*/ rangeStart VARCHAR(21) NOT NULL, /* Start address of the MAC pool */ rangeEnd VARCHAR(21) NOT NULL, /* End address of the MAC pool */ lastAssigned VARCHAR(21) NOT NULL, /* Last assigned address */
VMware, Inc.
55
mplTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */ mplTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */ deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */ PRIMARY KEY(macPoolUID), FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID)); /* Instance customization data */ CREATE TABLE PolicyDb_UserData ( userDataPK VARCHAR(516), /* Primary key */ aceUID VARCHAR(128), /* ACE for which this UserData is defined */ packageUID VARCHAR(128), /* Package for which this UserData is used */ activator VARCHAR(128), /* The user */ udataName VARCHAR(128), /* User data entry name */ udataType INTEGER NOT NULL, /* Attribute of the date */ udataValue VARCHAR(2048), /* User data entry value */ udtTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */ udtTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */ deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */ FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID), FOREIGN KEY(packageUID) REFERENCES PolicyDb_Package(packageUID), PRIMARY KEY(userDataPK)); /* ACE Master policy set */ CREATE TABLE PolicyDb_RuntimePolicy ( aceUID VARCHAR(128), /* The ACE it belongs to. */ policyVersion INTEGER, /* Version of the RT Policy for this ACE */ clientPolicyData VARCHAR(2000), /* Runtime policy for the guest OS */ clientPolicyDataExtKey VARCHAR(128), /* If too long store in LongField table */ hostPolicyData VARCHAR(2000), /* Runtime policy for the host OS (NQ) */ hostPolicyDataExtKey VARCHAR(128), /* If too long store in LongField table */ expirationType INTEGER NOT NULL, /* Expiration Type (enum) */ expValue_1 VARCHAR(21) NOT NULL, /* Expiration value (depends on type) */ expValue_2 VARCHAR(21) NOT NULL, /* Expiration value (depends on type) */ cacheLifetime VARCHAR(21) NOT NULL, /* How long could work without server */ rtpInstType INTEGER NOT NULL, /* Instantiation authentication check type */ rtpAuthType INTEGER NOT NULL, /* Runtime authentication check type */ rtpUseInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Limit number of instances for this ACE? */ rtpInstanceLimit INTEGER NOT NULL, /* Max no. of ACE instances allowed */ rtpUsePerUserInstanceLimit VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Limit number of instances per user? */ rtpPerUserInstanceLimit INTEGER NOT NULL, /* Max no. of ACE instances per user */ copyPolicy INTEGER DEFAULT 0 NOT NULL, /* Behavior if VM instance is copied */ published VARCHAR(7) DEFAULT 'FALSE' NOT NULL,/* Policy published (update locked)*/ rtpTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */ rtpTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */ deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */ PRIMARY KEY (aceUID, policyVersion), FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID)); /* ACE Management Server info - reserved for future use */ CREATE TABLE PolicyDb_AcescServer ( serverHostname VARCHAR(128), /* Host name of the server computer */ serverPort INTEGER, /* TCP port number server is listening on */ secure VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Whether HTTPS is enabled */ sslCertificateExtKey VARCHAR(128), /* SSL Certificate data, key to stored */ /* in LongField table */ sslCertificateChainExtKey VARCHAR(128), /* SSL Certificate Chain data, key to */ /* stored in LongField table */ PRIMARY KEY (serverHostname, serverPort)); /* Audit Event Log Event Types lookup table */ CREATE TABLE PolicyDb_EventType ( eventType INTEGER, /* Event Type code (PK) */ eventMessage VARCHAR(1024), /* Printable message for this event type */ eventCategory INTEGER, /* Event Category code */ eventCategoryName VARCHAR(128), /* Event Category printable name */ eventLogLevel INTEGER, /* Event Log Level */ PRIMARY KEY (eventType));
56
VMware, Inc.
/* Audit Event Log data */ CREATE TABLE PolicyDb_Event ( eventUID INTEGER, /* Primary key of the table (sequential) */ eventTs VARCHAR(21), /* Timestamp of the event creation in uSec */ loginName VARCHAR(128), /* Login user name of the actor */ aceUID VARCHAR(128), /* UID of the ACE affected by event */ packageUID VARCHAR(128), /* UID of the package affected by event */ instanceUID VARCHAR(128), /* UID of the instance affected by event */ policyVersion INTEGER, /* Version of ACE policy affected by event */ eventCategory INTEGER, /* Event Category as defined in EventType */ eventType INTEGER, /* Event Type as defined in EventType */ sessionID VARCHAR(128), /* Ace Server Session ID */ clientIP VARCHAR(128), /* IP Address of the client machine (resvd) */ serverIP VARCHAR(128), /* IP Address of the Ace Server (reserved) */ turnaroundTime VARCHAR(21), /* Server-side execution time in ms */ handlerName VARCHAR(128), /* Name of the ClientLib handler (debug) */ returnCodeText VARCHAR(128), /* Text error code returned to the client */ messageParams VARCHAR(1024), /* Tab separated list of event data */ prevEventUID INTEGER UNIQUE, /* UID of the previous recorded event */ eventSignature VARCHAR(128), /* Event signature, signed with server key */ FOREIGN KEY(eventType) REFERENCES PolicyDb_EventType(eventType), FOREIGN KEY(prevEventUID) REFERENCES PolicyDb_Event(eventUID), PRIMARY KEY (eventUID));
Querying the Audit Event Log Data

YoucanusetheACEServerComponenttocreateanaudittrailforalltransactionsthattheserverperforms. Youcanusethissystemtotrackusage,securitybreaches,policyerrors,performance,andsoon. TheACEServerComponentEventLogginginfrastructureisflexibleenoughtoprovidedetailedloggingwhen necessary,withoutoverwhelmingthesystembyslowingperformance. Theeventloggingmechanismcapturesenoughinformationtoanswerthefollowingquestions:

Whoactivatedaninstance? Whenwasaninstanceactivated? Whorevokedaninstance? Whoturnedoffcopyprotectionpolicy? Whatchangestopolicyweremadeonaparticulardate? Whoisfailingtoauthenticate?
Themechanismdoesnotnecessarilyanswerthesequestionsdirectly,butprovidesenoughdatasothatan administratorcanvieweventlogsandfindanswers.Thedatabeingloggedmeetsthefollowingrequirements:

Providesdetailsofeachtransactionserved. Centralizesthegatheringofeventlogdatawhenmultipleserversareused. Providesameansforadministratorstoselectwhichtypeoftransactionsarelogged. Canbeconfiguredtoprovidemoreorfewerlogswhennecessary.
Someofthisaudittrailisalreadyvisiblethroughotherfeaturesoftheproduct.Forexample,theinstance viewerdisplaysthedateofthelastpolicygetoperation,ortheexpirationdate,andsoon.Theeventlogging mechanismcananswermoredifficultquestions,suchaswhichadministratormadewhichpolicychangesand whichadministratordeletedanACEinstance. Table A1describesthedatathatisstoredinalogentry.
VMware, Inc.
57
Table A-1. Log Entry Data

Data AuditlogeventID(PK) Logtimestamp Loginusername AffectedACEUID(FK) AffectedpackageUID(FK) AffectedinstanceUID(FK) AffectedPolicySetVersion Eventcategory Eventtypecode(FK) SessionID IncomingIPaddress ServerIPAddress Operationturnaroundtime Operationhandlername(debug) Returncodetext Messageparameters PreviouseventUUIDtopreventunauthorizedrecord deletionorinsertion Eventrecordhashwithaserverkeytorevealmodification oftherecord Success,failure,specificerror Tabseparatedlist Logintegrity Logintegrity Auth,AceAdmin,PkgAdmin,PolicyAdmin,InstAdmin ReferencesPolicyDb_EventTypetable Debug Reservedforfutureuse Reservedforfutureuse Timespentinserverinms Description Anincrementinginteger Inmicrosecondsfrom12:00a.m.01/01/1970,storedasa decimalstring
ACE,package,andinstanceUIDsandpolicyversionprovidecoordinatesofthelogeventinthespaceofACE Serverobjects.Theyhelplinktheeventwiththestateofthesystem.Byusingdatabasequerytools,youcan findallACEadministrationeventsthataffectedaparticularACEinstancefromitscreationuntilitsdeletion. Notallcoordinatesarepresentforallevents.Forexample,ifapackageexpirationdateupdateislogged,the instanceUIDfieldisnotset,becauseallinstanceswithinthepackageareaffected. Ifimmutabledataisstoredpermanentlyelsewhereinthedatabase,itisnotduplicatedinthelogentry.For example,whenanewpolicyispublished,thecompletepolicytextisnotincludedinthelogentry.Instead,its versionnumberisreferenced,sothatthecompletedataoftheeventcanbereconstructedfromPolicyDb_ RuntimePolicyandPolicyDb_Accesstablesifnecessary. NOTEACEManagementServerdoesnotlogsensitivedatalikepasswordsorencryptionkeys. TheeventtypecodeisassociatedwithalookuptablePolicyDb_EventType,whichcontainsatextmessage templateforeachtypeofevent,category,andlogleveloftheevent.Themessagecancontain%sparameter placeholders,inwhichcasetheMessageParametersfieldinthelogentrycontainsatabdelimitedlistof valuesfortheseparameters.Forexample,aninstanceadministrationeventwithtype=4110hasthefollowing message: 4110 -> "Instance Set Guest Info requested, IP address = %s, MAC address %s, configuration message \"%s\", machine name \"%s\", configuration status %s" Inthisexample,theMessageParametersfieldshows: 10.17.0.3 00:0C:29:1A:2B:3C OK ACETest 0
Theresultingparametersreplacethe%splaceholdersinthemessagetemplate.
58
VMware, Inc.
ACEManagementServereventloggingcontainsanexperimentaltamperevidencefeature.Everyrecordinthe eventlog(exceptthefirstone)musthaveauniquereferencetothepreviousevent,furtherenforcedbythe databaseforeignkeyanduniqueconstraint.EachsuccessiverecordhasauniqueIDincrementedby1,so missingrecordsareimmediatelyevident.Ifauserwithdirectaccesstothedatabasechanges,adds,orremoves somerecords,theusermustchangeeitherthepreviouseventpointerorotherdataintheremainingevent records.DatawithineveryrecordishashedtogetherwithaserverkeyandisstoredintheeventSignaturefield. Formoreinformationabouteventcategories,configuringlevelsofeventloggingforeachcategory,and purgingoldeventstokeepthetablesizeincheck,seeLoggingEventsonpage 35.
VMware, Inc.
59
60
VMware, Inc.
Glossary
ACEinstance AvirtualmachinethatACEadministratorscreate,associatewithvirtualrightsmanagement(VRM) policies,andthenpackagefordeploymenttousers. ACEManagementServer AserverthattheACEadministratorcaninstallanduseforactivatingandtrackingACEinstancesandfor hostingdynamicpoliciesforACEinstances. ACEenabledvirtualmachine AvirtualmachinetemplatethattheACEadministratorcreates.Thevirtualmachinecanbeconfigured withvariouspolicies,devicesanddeploymentsettings.Itcanthenbeusedasthebasisforcreating packagestobesenttoACEusers.InearlierversionsofVMwareACE,thistemplatewascalledanACE Master. activation AstepinanACEinstancesetupthatincludespackageprotectionandsettinguptheACEinstances runtimeauthenticationpolicy.Thesuccessfulcompletionofactivationmakesthepackagedvirtual machine,withitspoliciesandothersettings,anACEinstance.Theactivationsettingintheaccesscontrol policydetermineswhocanaccessaninstalledACEpackageandturnitintoanACEinstance.Seealso authentication. authentication AstepinanACEinstancesetupthatincludesinstanceprotection.Thesuccessfulcompletionofthe authenticationstepallowstheusertoruntheinstance.Seealsoactivation. deploymentsettings Asetofrulesandsettingsassociatedwithapackage,suchasinstancecustomizationsettings.These settingscannotbechangedafterpackaging.Theonlywaytochangedeploymentsettingsistocreatea newpackage. guestoperatingsystem AnoperatingsystemthatrunsinsideanACEinstance.Seealsohostoperatingsystem. hostcomputer ThephysicalcomputeronwhichtheVMwarePlayersoftwareisinstalled.IthoststheACEinstances. hostoperatingsystem Anoperatingsystemthatrunsonthehostmachine.Seealsoguestoperatingsystem. hotfix Aninstallablefilethatresetsauserspassword,renewsanexpiredvirtualmachineorenablesa copyprotectedvirtualmachinetorunfromanewlocation.
VMware, Inc.
61
instancecustomization TheactofcustomizinganACEinstance,thusmakingituniquefromallotherinstances.Theinstance customizationprocessautomatestheactionsoftheMicrosoftSyspreputility.ItalsoprovidestheACE administratorwithfeaturesneededtosetupanautomatedremotedomainjoinprocessoftheACE instancetoacompanyVPNnetwork. managedACEinstance AnACEinstancethatanACEManagementServermanages.SeealsoACEManagementServer. package Aninstallablebundlefordistributiontousers.AfullpackageincludesanACEenabledvirtualmachine configurationfile,virtualdiskfiles,policies,apackageinstaller,andresourcefiles.Italsoincludesthe VMwarePlayerapplicationusedtorunACEinstances. policy AformalsetofguidelinesthatcontrolthecapabilitiesofanACEinstance.Policiesaresetinthepolicy editorinWorkstation.Seealsopublish. preview AnoperatingandviewingmodethatanadministratorcanusetopreviewtheACEinstanceasitwillrun ontheusersmachine.Theadministratorcanusethisfeaturetoseetheeffectsofpolicyandconfiguration settingswithouthavingtoperformthepackaginganddeploymentsteps. publish TheprocessofmakingpoliciesavailableonACEManagementServersothatACEinstancescanreceive themaccordingtothepolicyupdateschedule.Seealsopolicy. standaloneACEinstance AnACEinstancethatisnotmanagedbyACEManagementServer.Anychangestoitspoliciesorother settingsaremadebytheadministratorsdistributionofupdatestotheuser. virtualmachine Avirtualmachineisasoftwarecomputerthat,likeaphysicalcomputer,runsanoperatingsystemand applications.Multiplevirtualmachinescanoperateonthesamehostsystemconcurrently.An ACEenabledvirtualmachinethathaspoliciesandothersettingsassociatedwithitisknownasanACE instance.SeealsoACEinstance. VMwarePlayer AnapplicationthatallowsausertocreateandrunanyvirtualmachineonaWindowsorLinuxmachine. VMwarePlayercanrunanACEinstanceonaWindowsmachine. Workstation Theprogramthatanadministratorusestocreate,deploy,andupdateACEpackagesandmanageACE instances.FormerlynamedVMwareACEManagerorVMwareWorkstationACEEdition. VMwareTools Asuiteofutilitiesanddriversthatenhancestheperformanceandfunctionalityoftheguestoperating system.KeyfeaturesofVMwareToolsincludesomeorallofthefollowing,dependingonyourguest operatingsystem:anSVGAdriver,amousedriver,theVMwareToolscontrolpage,andsupportforsuch featuresassharedfolders,shrinkingvirtualdisks,timesynchronizationwiththehost,VMwareTools scripts,andconnectinganddisconnectingdeviceswhiletheACEinstanceisrunning.
62
VMware, Inc.
Index
A
ACE instance log events for 35 on Linux host, fixing server connection problem 49 security certificates in 16 ACE Management Server Active Directory integration 13 changing port assignment 49 configuring 27 creating Active Directory user and group for 27 database backup 52 database schema 53 default port assignments 20 embedded database 13 external database option 13 features 7 fixing connection problem with ACE instance on Linux host 49 hardware requirements 8 installing 20 installing on Linux system 21 installing on Windows system 20 installment options 20 licensing 33 logging on 25 querying the audit event log data 53 serial number 33 stopping and starting manually 23 using 43 Active Directory creating group for use with ACE Management Server 27 creating user for use with ACE Management Server 27 integration with ACE Management Server 13 logon options, ACE Management Server 25 audit event log data, querying 57
copy protection, changing the ID for 47 custom fields in instance view 46
D
database backup 52 external 13 for ACE 13 database for ACE Management Server 13 deactivate an ACE instance 47 details for an instance, viewing 47
E
event logging 35 expiration dates, changing 47
H
Help Desk advanced instance queries 45 Instances page 43 using 44 Help Desk Instance Details page 47
I
installing ACE Management Server 20 Instance Details page 47 instance queries 45 instance view custom fields 46 customizing columns in 46 details 47 Instances page 43
L
LDAP See Active Directory licensing, ACE Management Server 33 logging events 35 logging on to the ACE Management Server 25
C
certificates, setting up 32 change the copy protection ID 47 clock synchronization (note) 19 column headings, sorting by 46 configuration Restart page 36 configuring ACE Management Server instances 27
VMware, Inc.
P
passwords, resetting admin password for ACE Management Server 50 for ACE instances 48 port assignments, default 20 port for ACE Management Server 49
63
R
reactivate an ACE instance 47 reset the password for an instance 48 Restart page 36 restarting the ACE Management Server 36
S
searching for instances in Help Desk 45 security, SSL 16 sort instances 46 SQLite database for ACE Management server 13 SSL certification, using 16 SSL protocol, using 16 stopping and starting the Apache service manually 23
T
troubleshooting with the Help Desk application 44
U
using the ACE Management Server 43
V
view details for an instance 47 VMware Player fixing ACE Server connection problem on Linux host 49
64
VMware, Inc.

ACE Management Server Administrator&#39;s Manual

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACE Management Server Administrator&#39;s Manual

Uploaded by

Copyright:

Available Formats

ACE Management Server Administrators Manual

VMware ACE 2.7