
TECHNICAL WHITE PAPER / 9

Figure 3: Trust Chain in a Shared Collector-Agent Relationship

In addition, for Mutual Authentication in a shared Collector-Agent relationship, each Collector trusts the Agent Certificate because that Agent Certificate was issued by a Collector Certificate which was, in turn, issued by the trusted Enterprise Certificate. Since both Collectors trust the Enterprise Certificate, they can also trust an Agent Certificate that was issued by a Collector Certificate that was issued by the Enterprise Certificate.

Enterprise Certificates in VCM must have the following properties:

- Must be capable of signing certificate requests.

- The path length basic constraint, if present, must be at least two if the Collector certificate will be used for issuing Agent certificates. This means that the Enterprise Certificate may issue a Collector Certificate that may issue Agent Certificates.

- May be self-signed. If the certificate is self-signed, it will have to be trusted itself. Trust is bestowed by placing the certificate in the Trusted Root store (Windows) or in the VCM store (UNIX). This represents a VCM-specific trust chain.

- May be signed by another certificate in an existing PKI and placed in the trusted store.

- Must be stored in the local machine Trusted Root Certification Authorities store on the Windows Collector and Agents (Windows only).

- On UNIX platforms, the Agent has a vendor-implemented certificate store. The Enterprise Certificate(s) must be added to this store. One will be included during initial installation, and subsequent certificate(s) must be added manually using the CSI_ManageCertificateStore utility included with your VCM UNIX Agent installation.
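The three-tier chain these requirements describe, worked through as an added example that is not part of the VMware paper and uses none of VCM's own tooling: it is written against Go's standard crypto/x509 library, which enforces the CA flag and the path length basic constraint during chain verification. It builds a self-signed Enterprise Certificate, two Collector Certificates issued by it and an Agent Certificate issued by Collector A, then validates the Agent the way a Collector would, trusting only what is in its trusted-root store. All names are constructed; the Collector path length of 0, the one-day validity and the ECDSA P-256 keys are assumptions of the example, not VCM settings. Alongside the compliant case it shows two failure modes a practitioner should recognise: an Enterprise Certificate whose path length constraint is too short to reach an Agent, and a Collector whose trusted store lacks the Enterprise Certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; key generation and certificate creation have no recovery path here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// template builds a certificate template. For a CA, IsCA plus KeyUsageCertSign is what makes it
// "capable of signing certificate requests"; pathLen is the path length basic constraint
// (0 = may issue end-entity certificates only). Agents get the TLS client EKU because they
// present the certificate to the Collector during Mutual Authentication.
func template(cn string, serial int64, isCA bool, pathLen int) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // constructed one-day validity
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
		t.MaxPathLen, t.MaxPathLenZero = pathLen, pathLen == 0
		t.ExtKeyUsage = nil // a CA with no EKU is valid for any purpose
	}
	return t
}

// issue signs tmpl with parentKey; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// buildChain issues Enterprise -> Collector A -> Agent, plus a Collector B issued by the same
// Enterprise Certificate (the shared Collector-Agent relationship). Names are constructed.
func buildChain(enterprisePathLen int) (enterprise, collectorA, collectorB, agent *x509.Certificate) {
	enterprise, entKey := issue(template("Enterprise Certificate (constructed)", 1, true, enterprisePathLen), nil, nil)
	collectorA, colAKey := issue(template("Collector A Certificate (constructed)", 2, true, 0), enterprise, entKey)
	collectorB, _ = issue(template("Collector B Certificate (constructed)", 3, true, 0), enterprise, entKey)
	agent, _ = issue(template("Agent Certificate (constructed)", 4, false, 0), collectorA, colAKey)
	return
}

// verifyAgent validates the Agent Certificate as a Collector would: trust only the contents of
// its trusted-root store and take the issuing Collector Certificate as an intermediate.
func verifyAgent(trustedRoot, issuingCollector, agent *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	inters.AddCert(issuingCollector)
	_, err := agent.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// SharedAgentTrusted: a Collector that trusts the Enterprise Certificate accepts an Agent
// Certificate issued by another Collector. Returns nil on success.
func SharedAgentTrusted() error {
	enterprise, collectorA, _, agent := buildChain(2)
	return verifyAgent(enterprise, collectorA, agent)
}

// PathLenTooShort: an Enterprise Certificate with pathLenConstraint 0 cannot anchor a Collector
// that issues Agent certificates. Returns true when the chain is rejected for that reason.
func PathLenTooShort() bool {
	enterprise, collectorA, _, agent := buildChain(0)
	var inv x509.CertificateInvalidError
	err := verifyAgent(enterprise, collectorA, agent)
	return errors.As(err, &inv) && inv.Reason == x509.TooManyIntermediates
}

// MissingEnterpriseTrust: Collector B trusting only its own certificate cannot validate the
// shared Agent. Returns true when the chain is rejected as coming from an unknown authority.
func MissingEnterpriseTrust() bool {
	_, collectorA, collectorB, agent := buildChain(2)
	var unknown x509.UnknownAuthorityError
	return errors.As(verifyAgent(collectorB, collectorA, agent), &unknown)
}

func main() {
	fmt.Println(SharedAgentTrusted() == nil, PathLenTooShort(), MissingEnterpriseTrust())
}
```

Collector B never needs its own certificate to validate the shared Agent; what decides the outcome is the contents of its trusted store. With the Enterprise Certificate trusted, SharedAgentTrusted returns nil, while MissingEnterpriseTrust shows the very same chain rejected when only the Collector's own certificate is trusted, which is the misconfiguration the Windows Trusted Root and UNIX VCM store requirements above are meant to rule out.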

TLS Implementation for VCM
