8/6/2019 ACE Management Server
1/64
ACE Management Server Administrator's Manual
VMware ACE 2.7
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000405-00
VMware, Inc.
3401 Hillview Ave., Palo Alto, CA 94304
www.vmware.com
2 VMware, Inc.
ACE Management Server Administrator's Manual
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
Copyright 2007-2010 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Contents

About This Book 5

1 Introduction 7
  Features of ACE Management Server 7
  System Requirements 8
  Required Hardware 8
  Supported Operating Systems 8
  Supported External Databases 9
  Supported Proxies 9
  Required Web Browsers 9
  Licensing 9

2 Planning an ACE Management Server Deployment 11
  Deployment Components 11
  Host System Options 12
  Windows Hosts 12
  Linux Hosts 12
  Server Appliance Option 12
  Database Options 13
  Active Directory Authentication Options 13
  Performing Capacity Planning 13
  Database Throughput and Scalability 14
  LDAP Throughput 14
  Network Bandwidth and Policy Update Frequency 15
  ACE Policy Configuration 15
  Load Balancers 15
  Security Features and Considerations 16
  Using SSL Certificates and Protocol 16
  Accessing ACE Management Server from Outside the Corporate Firewall 17
  Deployment Planning Worksheet 18

3 Installing and Configuring ACE Management Server 19
  Preparing for Installation 19
  Configure TLS in Your Browser 20
  Installing and Upgrading ACE Management Server 20
  Install an ACE Management Server on a Windows Host 20
  Install ACE Management Server on a Linux System 21
  Install an ACE Management Server Appliance 22
  Verify That the Apache Service Is Started or Restarted 23
  Start and Configure ACE Management Server 24
  Log In to ACE Management Server 25

4 Configuration Options for ACE Management Server 27
  Prerequisites for Configuring the Server 27
  Create Users and Groups for Integration with Active Directory 27
  Set Up an External Database 28
  Creating a System DSN Entry for an External Database 29
  Increase the Number of Database Connections Allowed 30
  Enable Database Connection Pooling on Linux 31
  Set Up a Connection Between the Server Appliance and an External Database 31
  Prepare Custom Security Certificates 32
  View the Properties of the Self-Signed Certificate File 32
  Starting ACE Management Server Configuration 33
  Viewing and Changing Licensing Information 33
  Using an External Database 33
  Creating Access Control 34
  Uploading Custom SSL Certificates 34
  Logging Events 35
  Applying Configuration Settings 36

5 Load Balancing Multiple ACE Management Server Instances 37
  Typical Setup Using Load-Balanced ACE Management Server Instances 38
  Install the Required Services for Load Balancing 38
  Use the Same SSL Certificate on All Servers 39
  Create New SSL Certificates and Keys for Each Server 40
  Installing and Configuring the Load Balancer 41
  Verify That ACE Instances Are Using the Load Balancer 41

6 Managing ACE Instances 43
  Viewing ACE Instances That the Server Manages 43
  Use the VMware ACE Help Desk Application 44
  Use the Instance View in Workstation 44
  Search for an Instance 45
  Sort by Column Heading and Change Column Width 46
  Show, Hide, and Move Columns in the Instance View 46
  Create or Delete Custom Columns in the Instance View 46
  View Instance Details 47
  Reactivate, Deactivate, or Delete an ACE Instance 47
  Change a Copy Protection ID 47
  Reset the Authentication Password 48
  Add Information for Custom Columns 48

7 Troubleshooting and Maintenance 49
  Troubleshooting Configuration Problems 49
  Connection Problems Between a Linux ACE Instance and ACE Management Server 49
  Change the Port Assignment for ACE Management Server 49
  Delete the Server Configuration File and Set a New Administrator Password 50
  Restore a Backup Copy of an SSL Certificate 50
  Configuring Multiple ACE Management Server Instances to Use SSL 51
  Database Backup 52

Appendix: Database Schema and Audit Event Log Data 53
  Using Database Reporting Tools 53
  Database Schema 53
  Querying the Audit Event Log Data 57

Glossary 61

Index 63
About This Book

This manual, the VMware ACE Management Server Administrator's Manual, provides information about installing and using the VMware ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:

Manage activation of ACE packages.
Manage authentication of those activated packages.
Dynamically deliver policy updates to managed ACE instances.
Dynamically deliver instance customization data for managed ACE instances with Windows guest operating systems.
Intended Audience

This book is intended for anyone who needs to install, upgrade, or use ACE Management Server to manage ACE instances. ACE Management Server is intended for ACE administrators who must maintain and update ACE policies used on virtual machines deployed throughout an enterprise.

Document Feedback

VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to: [email protected]
Technical Support and Education Resources

The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support

To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.

Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.

Support Offerings

To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services

VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available onsite, in the classroom, and live online. For onsite pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Introduction
The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.

This chapter includes the following topics:

"Features of ACE Management Server" on page 7
"System Requirements" on page 8

Features of ACE Management Server

ACE Management Server offers scalability and reliability:

You can increase capacity by adding network resources such as load balancers and extra server hardware.
For testing environments, the default embedded backing store provides a simple and efficient database solution. To scale ACE Management Server for production deployments, you can configure and use an external relational database management system (RDBMS).
In Windows, multithreaded processes handle server requests. In Linux, multiple processes handle server requests. If one process fails, another takes over.

ACE Management Server offers Active Directory integration:

You can use Active Directory to authenticate users of ACE instances.
You do not need a schema change for your existing Active Directory.
LDAP is used to access Active Directory.
Information about Windows domain user account states is provided in clear and useful messages. Reasons for login failures are presented as "locked out" or "password expired".
ACE Management Server acts as an Active Directory password change proxy.
You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.

Security features include the following:

Encrypted communications between server and clients travel over HTTPS traffic.
Passwords are stored securely in hashed form in the backing store.
Flexible database options allow use of an embedded database or external RDBMS to store ACE instance data and policies.
You can upload custom SSL certificates while configuring the ACE Management Server.
Chapter 1 Introduction
Supported External Databases

An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:

For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g.
If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher.

Supported Proxies

You can deploy ACE Management Server with the following HTTPS proxy solutions:

Apache Proxy: using mod_proxy.
Zeus Technology Load Balancer: a commercially available load balancer and traffic management solution.

Required Web Browsers

The browser-based ACE Management Server Setup application and the VMware ACE Help Desk application require one of the following Web browsers:

Mozilla Firefox 1.52 or higher.
Internet Explorer 6.0 or higher. Make sure that the Internet Explorer browser has TLS 1.0 checked to log in to the AMS web configuration page.

Licensing

You must configure the server and enter the serial number in the server setup Web application. If you do not, you cannot connect to the server in Workstation.

Your serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. Workstation and ACE instances cannot connect to an ACE Management Server with an expired or nonexistent license.
2 Planning an ACE Management Server Deployment
This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices. This chapter includes the following topics:

"Deployment Components" on page 11
"Performing Capacity Planning" on page 13
"Security Features and Considerations" on page 16
"Accessing ACE Management Server from Outside the Corporate Firewall" on page 17
"Deployment Planning Worksheet" on page 18

Deployment Components

A typical ACE Management Server deployment has the following components:

One or more ACE Management Server instances. Configuring multiple servers to use the same database increases the number of ACE clients you can manage and guarantees high availability.
Database server. For production deployments, VMware recommends Oracle Database 10g or MS SQL for ACE Management Server installed on a Windows host, and Postgres for ACE Management Server installed on a Linux host.
(Optional) Active Directory domain controller. To enable the ACE Management Server Active Directory integration, you must configure ACE Management Server to communicate with your domain controller.
(Optional) HTTP load balancer. Use a load balancer to help scale the capacity of your ACE Management Server deployment.
(Optional) HTTP proxy. If clients will access ACE Management Server from outside the corporate firewall, VMware recommends using an HTTPS proxy in the DMZ. You can use ACE Management Server with Apache Proxy and Zeus Technology Load Balancer.

For an example of an ACE Management Server deployment, see Figure 2-1.
Figure 2-1. Comprehensive ACE Management Server Deployment
ACE Management Server offers convenience and flexibility in its setup options.

You can install the server on Windows or Linux hosts. For testing purposes, you can download and run the server as a virtual appliance. ACE Management Server includes its own security certificates and embedded database, but you can use an external database and use certificates from a certificate authority if you prefer. You can also configure ACE Management Server to use Active Directory for authentication.

Host System Options

You can install ACE Management Server on a Windows host, a Linux host, or as a virtual appliance. If you set up multiple ACE Management Server instances, they must all be the same type.

Windows Hosts

If you plan to integrate with Active Directory, VMware recommends that you install ACE Management Server on a Windows host.

The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system to integrate with Active Directory. Internal testing results indicate that the Windows implementation provides better performance than Linux.

Linux Hosts

You can install ACE Management Server on a Linux host and use Active Directory for authentication, even though performance is slower than on Windows hosts. If you plan to use a Linux host in production environments, use the Linux installer rather than the ACE Management Server appliance. If you do not have the supported Linux operating systems installed on a physical server, you can create a virtual machine, install a supported Linux operating system, and install ACE Management Server in the virtual machine.

Server Appliance Option

The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small Linux operating system in a virtual machine. The appliance is convenient and quick to set up in a testing environment but is not recommended for production environments.

By default, the appliance attempts to configure its network by using DHCP. If you do not want to use DHCP, you can use the browser-based ACE Management Server Setup application to configure the network settings. You can use the same interface to update the appliance when updates become available.

You must have access to a Web browser (Mozilla 1.52 or higher or Internet Explorer 6.0 or higher) to change network settings or obtain updates for the appliance.
[Figure 2-1 shows these components: ACE Management Server (one or more); Active Directory domain controller (optional); database server; proxy for ACE Management Server service through the corporate firewall (optional); WSAE client (within corporate network); load balancer (optional); ACE Player client (outside corporate network); ACE Player client (within corporate network). Connections: LDAP/Kerberos to the domain controller, ODBC to the database server, HTTPS between clients, proxy, load balancer, and server.]
Chapter 2 Planning an ACE Management Server Deployment
Database Options

ACE Management Server offers the following database options:

Embedded SQLite database. The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.
The SQLite database is file-based and is not designed to be effectively shared across multiple processes. If you use third-party tools to access the database for a read operation, therefore, you cannot depend on transactional isolation of the pending write operations of the ACE Management Server.
The embedded database is adequate for testing purposes, but VMware recommends that you use an external database in production environments.
Supported external database. In production environments, use a supported external database as a backing store for ACE Management Server, through ODBC connectivity. Supported external database engines are the following:
For Windows-based ACE Management Server, use Microsoft SQL Server (SQL Server 2000 or SQL Server 2005) or Oracle Database 10g installed on the same system or a different Windows system.
For Linux-based ACE Management Server, use PostgreSQL 7.4 or higher installed on the same system or a different Linux system.

Using an external database with ACE Management Server offers the following benefits:

Online backup, so that you do not have to shut down ACE Management Server to back up the database.
Enhanced security model. You can fine-tune permissions to access sensitive data. The SQLite database engine provides file-system-based security.
Performance fine-tuning.
Ability to use external database management and reporting tools.
Ability to use load balancers with multiple ACE Management Server instances. You must use an external RDBMS as the backing store, because the SQLite database is not designed to be effectively shared across multiple processes.

Active Directory Authentication Options

Active Directory integration provides the following benefits:

Permits joining an operating system that is running an ACE instance to the domain remotely.
Provides search functions so you can quickly find a particular individual or group.
Enables you to use Active Directory Users and Groups to configure role-based access to the features of ACE Management Server.
Performing Capacity Planning

ACE Management Server enables you to manage ACE instances and policies in real time. The number of clients that a single ACE Management Server can serve depends on several key factors:

Database throughput and scalability
LDAP throughput (if you are using Active Directory)
Network bandwidth available for incoming client requests
ACE policy configuration
Load balancers for very large deployments (more than 5,000 clients)

NOTE If ACE Management Server is deployed in the DMZ, use an external database located inside your corporate network behind a firewall.

Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.
Database Throughput and Scalability

For production deployments, VMware recommends that you use Oracle, MS SQL, or Postgres as your database platform.

More than 95 percent of the storage space that an ACE Management Server requires is used to log event information, which is an audit trail of all transactions performed through ACE Management Server. Table 2-2 lists recommended database sizes based on the number of clients being served.

The figures in the table are based on a 90-day database archival period. Back up the database records every 90 days and keep event logs for 90 days. You can configure ACE Management Server to purge event logs every 90 days.

The authentication event generates most of the data because an event is generated every time someone attempts to authenticate to ACE Management Server. You can configure ACE Management Server to log less event information. See "Logging Events" on page 35.

LDAP Throughput

ACE Management Server can communicate with your Active Directory domain controller to authenticate user credentials. Your domain controller infrastructure handles the LDAP traffic required to support the number of clients that you anticipate.

Integrating with Active Directory through LDAP is implemented differently in the Windows ACE Management Server than in the Linux-based ACE Management Server. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.

Table 2-1. Number of Clients Supported

Hardware                                           Recommended Clients
2 GHz AMD 2-way server (Opteron 280, 4 GB RAM)     6,000
2 GHz Intel 2-way desktop machine (4 GB RAM)       4,000

Table 2-2. Database Storage Recommendations

Number of Clients    Recommended Database Size
100                  50 Mb
1,000                500 Mb
10,000               5,000 Mb
Network Bandwidth and Policy Update Frequency

The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.

VMware recommends that for large deployments (more than 5,000 clients), you increase the time between policy updates by clients, because this reduces the amount of required bandwidth.

Table 2-4 shows the bandwidth needed when the policy update frequency value is set to 30 minutes.

The amount of network bandwidth required can also be higher if your policy set is very complex.

VMware recommends that you have a separate network link between ACE Management Server and your database server, so that traffic coming and going from ACE Management Server to its clients does not interfere with the traffic to and from your database server.

ACE Policy Configuration

The configuration of ACE policies can affect performance. You can increase the amount of data that is transferred between ACE Management Server and ACE Player by using one of the following methods:

Host policies. Enabling host policies (such as host network quarantine) requires that a host-side daemon retrieves the host policies from the ACE Management Server.
Complex network quarantine policies. If the set of rules that makes up your network quarantine is very large, the transfer of these rules from the ACE Management Server to the clients can affect the scalability.

The numbers shown in Table 2-3 and Table 2-4 are estimates of required bandwidth given average-size rule sets for network quarantine. You can view the size of your policy set by examining the ACE file directory and counting the size of the .vmpl file. An average policy set is 15 KB or less.

Load Balancers

The ACE Management Server client-server protocol is built on top of the HTTPS protocol. You can use HTTP load balancing software and hardware solutions to scale an ACE Management Server deployment beyond the capacity of a single server (or for high-availability deployments).

ACE Management Server scales in a linear fashion when an enterprise-grade HTTPS load balancer is used. See Chapter 5, "Load Balancing Multiple ACE Management Server Instances," on page 37.

Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes

Number of Clients    Bandwidth Required
100                  0.125 Mb/sec.
1,000                1.25 Mb/sec.
10,000               12.5 Mb/sec.

Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes

Number of Clients    Bandwidth Required
100                  0.04 Mb/sec.
1,000                0.4 Mb/sec.
10,000               4 Mb/sec.
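The following sizing calculator is an added worked example, not part of the VMware manual: it turns Tables 2-1 through 2-4 into a few functions so that a planner can size a deployment for a client count the tables do not list. It assumes the tabulated figures scale linearly with the number of clients (which the published 100 / 1,000 / 10,000 rows do), it only accepts the two policy-update intervals the manual tabulates, and the hardware-class keys and function names are labels chosen for this example.

```python
"""Sizing calculator derived from Tables 2-1 to 2-4 of this chapter.

Added example, not VMware code. Assumption: the tabulated figures scale
linearly with the number of clients (the rows for 100, 1,000 and 10,000
clients do exactly that), and no figure is invented for policy update
intervals other than the two the manual tabulates.
"""
import math
from dataclasses import dataclass

# Tables 2-3 and 2-4: bandwidth (Mb/sec) per 100 clients, keyed by the
# policy update frequency in minutes.
BANDWIDTH_MBPS_PER_100_CLIENTS = {10: 0.125, 30: 0.04}

# Table 2-2: database storage (Mb) per 100 clients for a 90-day archive.
DB_MB_PER_100_CLIENTS = 50.0
ARCHIVE_DAYS_IN_TABLE = 90

# Table 2-1: recommended clients per server. The keys are labels chosen for
# this example; the manual describes the hardware in prose.
CLIENTS_PER_SERVER = {
    "opteron-280-2way-4gb": 6000,
    "intel-2way-desktop-4gb": 4000,
}

# "Load balancers for very large deployments (more than 5,000 clients)".
LOAD_BALANCER_CLIENT_THRESHOLD = 5000


@dataclass(frozen=True)
class SizingPlan:
    clients: int
    update_interval_min: int
    bandwidth_mbps: float
    db_size_mb: float
    servers: int
    load_balancer_recommended: bool
    external_db_required: bool


def bandwidth_mbps(clients: int, update_interval_min: int) -> float:
    """Client-facing bandwidth, scaled from the 100-client table rows."""
    try:
        per_100 = BANDWIDTH_MBPS_PER_100_CLIENTS[update_interval_min]
    except KeyError:
        raise ValueError(
            f"no table for a {update_interval_min}-minute update interval; "
            f"tabulated intervals are {sorted(BANDWIDTH_MBPS_PER_100_CLIENTS)}"
        ) from None
    return clients * per_100 / 100


def db_size_mb(clients: int, archive_days: int = ARCHIVE_DAYS_IN_TABLE) -> float:
    """Event-log storage, scaled from Table 2-2 and the 90-day retention it assumes."""
    return clients * DB_MB_PER_100_CLIENTS / 100 * archive_days / ARCHIVE_DAYS_IN_TABLE


def servers_needed(clients: int, hardware: str) -> int:
    """Whole servers needed so that no server exceeds its Table 2-1 recommendation."""
    capacity = CLIENTS_PER_SERVER[hardware]
    return max(1, math.ceil(clients / capacity))


def size_deployment(clients: int, update_interval_min: int = 10,
                    hardware: str = "opteron-280-2way-4gb",
                    archive_days: int = ARCHIVE_DAYS_IN_TABLE) -> SizingPlan:
    if clients <= 0:
        raise ValueError("client count must be positive")
    servers = servers_needed(clients, hardware)
    # A load balancer is advised above 5,000 clients and is what spreads clients
    # over several instances (Chapter 5). Instances behind a load balancer must
    # share an external RDBMS, because the SQLite store cannot be shared.
    load_balancer = clients > LOAD_BALANCER_CLIENT_THRESHOLD or servers > 1
    return SizingPlan(
        clients=clients,
        update_interval_min=update_interval_min,
        bandwidth_mbps=bandwidth_mbps(clients, update_interval_min),
        db_size_mb=db_size_mb(clients, archive_days),
        servers=servers,
        load_balancer_recommended=load_balancer,
        external_db_required=load_balancer,
    )


if __name__ == "__main__":
    for n in (100, 1000, 12000):
        print(size_deployment(n))
        print(size_deployment(n, update_interval_min=30))
```

The 30-minute rows are not exactly one third of the 10-minute rows (0.04 versus 0.125 per 100 clients), so the calculator refuses intervals it has no table for rather than interpolating; extend `BANDWIDTH_MBPS_PER_100_CLIENTS` from your own measurements before relying on other intervals.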
Security Features and Considerations

By default, ACE Management Server uses the Secure Sockets Layer (SSL) protocol to provide encrypted and secure communications.

Following is an overview of security features and recommendations on how to configure the ACE Management Server to avoid security problems:

Traffic to and from clients is protected by HTTPS. By default, ACE Management Server creates a self-signed certificate when you install it to use for HTTPS traffic. These certificates are secure, but you can also configure ACE Management Server to use your own certificate and key pairs.
Traffic from ACE Management Server to Active Directory is encrypted. If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. LDAP traffic is encrypted at the application layer. Credentials are protected by using the Kerberos protocol to authenticate credentials.
Sensitive configuration options are encrypted. Passwords stored in the configuration file are encrypted.
Database security. The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.

SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient. URLs that require an SSL connection start with https.

During ACE Management Server installation, the following two files are created:

server.key: An RSA 1024-bit key; this is the private key.
server.crt: A self-signed certificate. Its signature is verified by the public key, which is embedded in the certificate. This public certificate is valid for 10 years from the date and time at which the server is installed. The certificate file is encoded in PEM format.

By default, these files are stored in the SSL directory in the VMware ACE Management Server program directory.

VMware Player, which runs the ACE instances, does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. Using self-signed certificates is adequate for most security needs.

You can, however, use a certificate issued by a certificate authority. If you have multiple ACE Management Server instances, you can use one certificate for all or you can use a different certificate on each one.

Using SSL Certificates and Protocol

When an ACE-enabled virtual machine connects to an ACE Management Server, it downloads the public certificate for that server and any chain of certificates required to verify the server's public certificate. A server certificate might have a chain of several certificates that must be verified step by step until the verification process reaches the root, or trusted, certificate in the certificate store. The first time a connection is made to a server by any ACE-enabled virtual machine on a Workstation administrator machine, the certificate and its verification are downloaded to the Workstation host system.

The store or collection of certificates that is downloaded when an ACE-enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE-enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server. It verifies that the certificates that are in the ACE package match those that the server provides. If they do not match exactly, VMware Player displays an error message and does not run the instance.
VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.

If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key-certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public key certificates, typically for a fee.

Accessing ACE Management Server from Outside the Corporate Firewall

All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management Server traffic.

Because of the number of data connections that the ACE Management Server must make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.

Figure 2-2. Recommended Deployment for External Access

ACE Management Server can be deployed with the following HTTPS proxy solutions:

Apache Proxy: using mod_proxy.
Zeus Technology Load Balancer: a commercially available load balancer and traffic management solution.

Avoid the following problems when you use a proxy for traffic into an ACE Management Server:

SSL termination. If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy server and ACE Management Server. Or, use the ACE Management Server certificate chain to embed the HTTPS proxy certificate verification chain in the ACE package. An example of a proxy server that terminates SSL connections is Apache Proxy. The Zeus load balancing products support SSL pass-through, which means that the SSL connection is terminated at ACE Management Server.
Multiple ACE Management Server SSL certificates. If you are deploying multiple ACE Management Server instances behind a load balancing solution, all ACE Management Server instances must use the same SSL key and certificate pair. You can also use the ACE Management Server certificate chain feature to embed every SSL certificate verification chain into the ACE package.
DNS resolution. When you create an ACE-enabled virtual machine, you must specify a host name for ACE Management Server. This host name must resolve to the appropriate IP address for both internal and external clients. Internally, it can resolve to ACE Management Server itself. Externally, it can resolve to the HTTPS proxy server.

Because the traffic coming into ACE Management Server is plain HTTPS traffic and the server is stateless, you can deploy many other configurations to provide external access to an ACE Management Server. When you design your deployment, think of ACE Management Server as a Web server with secure traffic.
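The exact-match certificate check described under "Using SSL Certificates and Protocol" and the SSL-termination pitfall listed above, modelled as an added example. This is not VMware's code and not how Player is implemented internally: it pins certificates by the SHA-256 fingerprint of their DER encoding and walks through the deployment cases the text discusses. The PEM blobs are constructed stand-ins for the server, proxy and CA certificates (their bodies are not real X.509 structures, which is enough because only the comparison logic is modelled), and the function names are chosen for the example.

```python
"""Model of the certificate check VMware Player performs against the
certificate store embedded in an ACE package (added example, not VMware code).

Player ignores the host's certificate store and accepts a connection only if
the chain the server presents matches the chain saved in the package's ACE
Resources directory. Scenarios covered: a direct connection, an
SSL-terminating proxy with its own certificate, the same proxy given the
server's key and certificate, and the proxy chain embedded in the package with
the certificate chain feature. All PEM blobs are constructed stand-ins.
"""
import base64
import hashlib
import ssl


def constructed_pem(label: str) -> str:
    """Wrap arbitrary bytes in PEM certificate armor (constructed test data)."""
    body = base64.encodebytes(label.encode()).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER bytes, the usual way a certificate is pinned."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def build_package_store(chains):
    """Certificate store saved into an ACE package: every chain the instance may see."""
    store = set()
    for chain in chains:
        store.update(fingerprint(pem) for pem in chain)
    return frozenset(store)


def player_accepts(package_store, presented_chain):
    """Return (ok, reason). Every presented certificate must be in the package
    store; otherwise Player shows an error and does not run the instance.
    Certificates trusted by the host OS are deliberately never consulted."""
    if not presented_chain:
        return False, "server presented no certificate"
    for pem in presented_chain:
        fp = fingerprint(pem)
        if fp not in package_store:
            return False, f"certificate {fp[:16]}... is not in the ACE package store"
    return True, "chain matches the certificates embedded in the package"


# Constructed certificates for the scenarios (not real X.509 data).
AMS_CERT = constructed_pem("server.crt: self-signed AMS certificate (constructed)")
PROXY_CERT = constructed_pem("proxy.crt: certificate of the SSL-terminating proxy (constructed)")
PROXY_CA_CERT = constructed_pem("internal CA that signed proxy.crt (constructed)")


def scenarios():
    """The deployment cases discussed in the chapter, as (name, accepted) pairs."""
    # Package built against the server's own self-signed certificate only.
    plain_store = build_package_store([[AMS_CERT]])
    # Package built with the certificate chain feature: the proxy's chain
    # (leaf plus issuing CA) is embedded alongside the server certificate.
    chained_store = build_package_store([[AMS_CERT], [PROXY_CERT, PROXY_CA_CERT]])

    return [
        ("direct connection to AMS (or SSL pass-through at the load balancer)",
         player_accepts(plain_store, [AMS_CERT])[0]),
        ("proxy terminates SSL with its own certificate",
         player_accepts(plain_store, [PROXY_CERT, PROXY_CA_CERT])[0]),
        ("proxy terminates SSL using the AMS key and certificate",
         player_accepts(plain_store, [AMS_CERT])[0]),
        ("proxy chain embedded in the package via the certificate chain feature",
         player_accepts(chained_store, [PROXY_CERT, PROXY_CA_CERT])[0]),
    ]


if __name__ == "__main__":
    for name, ok in scenarios():
        print(f"{'ACCEPT' if ok else 'REJECT':6}  {name}")
```

The second scenario is the failure mode the SSL-termination item warns about: the proxy's chain may be perfectly valid to the host operating system, but because Player consults only the package store, the instance refuses to run until either the proxy presents the server's certificate or the proxy chain is embedded in the package.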
[Figure 2-2 shows: external client -> HTTPS traffic (443) -> external firewall -> HTTPS proxy server -> HTTPS traffic (443) -> internal firewall -> AMS server. Back-end connections from the AMS server: ODBC, NETBIOS (port 137), DNS, KRB5 (port 88), LDAP (port 389).]
Deployment Planning Worksheet

Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.

Table 2-5. Worksheet for ACE Management Server in a Production Environment

Component: Active Directory integration
Considerations: Performance is better when the ACE Management Server is installed on a Windows host. See also "Create Users and Groups for Integration with Active Directory" on page 27.
Decision: Use Active Directory? ________ If yes, name of user account for ACE Management Server to query the Active Directory database: __________________ Fully qualified domain name of the LDAP server: _______________________

Component: ACE Management Server
Considerations: If you use multiple servers, all must be installed on the same platform. For capacity planning, see "Number of Clients Supported" on page 14.
Decision: Use Windows or Linux hosts? _____________ How many servers? ____________

Component: Database server
Considerations: The database server must be compatible with the ACE Management Server host. See "Supported External Databases" on page 9.
Decision: MS SQL, Oracle, or PostgreSQL database? ____________________________

Component: Load balancer
Considerations: Use a load balancer for large deployments or for high availability. It must support HTTPS and requires an external database. See "Load Balancers" on page 15.
Decision: Use a load balancer? ________

Component: Proxy
Considerations: If ACE clients will contact ACE Management Server from outside the firewall, use a proxy. See "Accessing ACE Management Server from Outside the Corporate Firewall" on page 17.
Decision: Use a proxy? __________ Apache Proxy or Zeus Technology Load Balancer? ________________________

Component: SSL certificates
Considerations: If you use multiple servers and plan to use a different SSL certificate for each one, you must create or send for the certificates. ACE Management Server supports only public key certificates that are signed using the SHA1 algorithm. See "Using SSL Certificates and Protocol" on page 16.
Decision: Which type of certificate: self-signed, third party, or internal CA (certificate authority)? ___________________ Number of certificates? __________

Component: Ports
Considerations: For Active Directory, use port 389. For the ACE Management Server appliance, use port 8080. See "Change the Port Assignment for ACE Management Server" on page 49 and "Accessing ACE Management Server from Outside the Corporate Firewall" on page 17. Port 8000 for configuring the ACE Management Server. Port 443 for client requests.
Decision: Which additional ports? ______________
3 Installing and Configuring ACE Management Server
This chapter includes the following topics:

"Preparing for Installation" on page 19
"Installing and Upgrading ACE Management Server" on page 20
"Verify That the Apache Service Is Started or Restarted" on page 23
"Start and Configure ACE Management Server" on page 24
"Log In to ACE Management Server" on page 25

Preparing for Installation

Before you install ACE Management Server, you must plan your deployment. Complete the following tasks:

1 To determine which type of ACE Management Server installer to use, how many servers to install, and which deployment components to include, see Chapter 2, "Planning an ACE Management Server Deployment," on page 11.
2 To configure your Web browser to use Transport Layer Security (TLS), see "Configure TLS in Your Browser" on page 20.
3 To synchronize the clock on the host system with the client system, use Network Time Protocol (NTP).
4 To choose an HTTPS port for the host on which you plan to run ACE Management Server, see Table 3-1.
Table 3-1. Port Assignments, Default Settings, for ACE Management Server

HTTPS Port Number    Description
443                  Communications between ACE Management Server and ACE instances
8000                 ACE Management Server Setup (configuration) Web application; ACE Help Desk Web application
8080                 ACE Management Server Appliance configuration

NOTE If another Web server is installed that uses any of these default ports, you might need to resolve the conflict.
Configure TLS in Your Browser
Transport Layer Security (TLS) must be configured on your Web browser to operate ACE Management Server.

To configure TLS in your browser
Depending on the type of browser, do one of the following:
- For an Internet Explorer browser:
  a Choose Tools > Internet Options > Advanced and scroll down to Security.
  b Select the Use TLS 1.0 check box and click OK.
- For a Mozilla browser:
  a Choose Tools > Options > Advanced.
  b Select the Use TLS 1.0 check box and click OK.

Installing and Upgrading ACE Management Server
You can install one or more ACE Management Server instances to service the ACE instances in your enterprise. If you set up multiple ACE Management Server instances, they all must be installed on either Windows hosts or Linux hosts, or all must be installed as appliances.
To upgrade from ACE Management Server 2.0 to 2.6, use the same procedure as for installing the server for the first time. When the installer detects an earlier version, it uninstalls the old version before installing the new one. Configuration settings are preserved.
For production deployments, VMware recommends that ACE Management Server be installed on either a dedicated server or a virtual platform with sufficient available resources to ensure performance and stability. System requirements depend almost exclusively on the number of ACE instances being supported and the frequency with which they are configured to communicate with the server. For more information about VMware performance testing, see "Performing Capacity Planning" on page 13.
However, ACE Management Server was tested and can be installed on desktop or workstation platforms to support a small number of clients or nonproduction evaluations.

Install an ACE Management Server on a Windows Host
Installing ACE Management Server on a Windows host involves downloading and running an installation wizard. You can install ACE Management Server on the following Windows systems:
- Windows Server 2003
- Windows XP Professional (includes 64-bit editions)
- Windows 2000 Server
Before you begin, make sure the clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 19.
Use this installation procedure to install or update ACE Management Server software.

To install an ACE Management Server on a Windows host
1 Download the VMware-ACE-Management-Server.exe file from the VMware Web site and save the file on the system that is to host the server.
  The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Double-click the VMware-ACE-Management-Server.exe file to start the installation wizard.
3 Follow the prompts in the installation wizard.
4 If you are using a computer that has a firewall enabled and you see a message at the end of the installation asking whether you want to unblock the Apache service, choose Unblock.
  ACE Management Server does not work properly if you do not unblock the Apache service.
After ACE Management Server is installed, you can configure it. See "Start and Configure ACE Management Server" on page 24.

Install ACE Management Server on a Linux System
You can install ACE Management Server on the following Linux systems:
- Red Hat Enterprise Linux 4
- SUSE Linux Enterprise Server 9 SP3
Before you begin, make sure the system meets these requirements:
- A working installation of Apache 2.0 is installed on the system. (The RPM for a Web server is included with the Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 installation.)
- Apache Web service is operating normally and is receiving requests for SSL HTTP.
- The mod_ldap and mod_ssl modules are available on your system.
- The following packages are installed on your Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 system: curl, openldap, openssl, apache, and gdbm.
- For SUSE Linux Enterprise Server 9, the cyrus-sasl-gssapi package is installed. This package is not installed by default.
- When you use the external database option, the following packages are required as well:
  - Red Hat Enterprise Linux 4: unixODBC
  - SUSE Linux Enterprise Server 9: unixODBC and, if you plan to use the X11 graphical configuration tool, unixODBC-gui-qt
- The clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 19.
Use this installation procedure to install or update ACE Management Server software.

To install ACE Management Server on a Linux system
1 Download the .rpm file from the VMware Web site and save the file on the system that is to host the server.
  The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Run the Red Hat or SUSE Linux RPM installer for ACE Management Server:
  vmware-ace-management-server-.i386-rhel4.rpm
  vmware-ace-management-server-.i386-sles9.rpm
  For example:
  rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm
3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:
  a Open the following file with a text editor:
    /etc/sysconfig/apache2
  b Add the ldap config option to the APACHE_MODULES variable.
  c Save and close the file.
After ACE Management Server is installed, you can configure it. See "Start and Configure ACE Management Server" on page 24.

Install an ACE Management Server Appliance
The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small operating system in a virtual machine. Although the appliance is adequate for test environments, VMware recommends that you do not use it in production environments.
Before you begin, make sure the clock is synchronized and the required ports are available, as described in "Preparing for Installation" on page 19.

To install an ACE Management Server appliance
1 Download the .zip file for the appliance from the VMware Web site and save the file on the system that is to host the server.
2 Extract the files to the directory where the server is to be located.
3 Start Workstation, choose File > Open, and select the ams_appliance.vmx file.
4 Click the Power On button to start the virtual appliance.
5 At the password prompt, enter a password and confirm it.
  This password is used for both root and network accounts. Make a note of this password so that you can use it for later appliance management operations from the console and the Web.
  The appliance configures its network by using DHCP.
  The console view displays the following information:
  - Current network settings
  - URLs for remotely administering the appliance and configuring the ACE Management Server itself
  If you press Return at the login prompt, the information appears again.
6 At the time zone prompt, accept the current setting or make a change as needed.
7 (Optional) To configure the server to use a static IP address or to specify a proxy server, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Network link on the first page of the browser-based ACE Management Server Setup application.
  e To view instructions about configuring network settings, click the Help link in the upper right corner of the Web page.
  f After you change network settings, click Apply.
8 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
  a Leave the ACE Management Server appliance running.
  b Browse to https://:8080.
  c In the connection dialog box, type root in the user name field and your network or root password in the password field.
  d Click the Update link on the first page of the Appliance Configuration and Management Web application and complete the Appliance Update page.
  e To view instructions about configuring update options, click the Help link in the upper right corner of the Web page.
9 When you finish configuring any network or update settings, navigate to the ACE Management Server Setup Web application to configure the server.
  To access that application, choose one of these methods:
  - From the Appliance Management and Configuration Web application page, click the ACE Login link in the upper right corner of the page.
  - From a command prompt window, close the window, open a browser, and enter the URL for the ACE Management Server Setup Web application:
    https://:8000/
10 Click Configuration to open the Web application.

Verify That the Apache Service Is Started or Restarted
If you installed ACE Management Server on a Linux host, verify that the Apache service is started before you attempt to log in.
For troubleshooting purposes, you might occasionally need to manually restart the Apache service that ACE Management Server uses.

To verify that the Apache service is started or restarted
Do one of the following:
- On Windows hosts:
  a Click the Apache icon in the taskbar.
  b Select Apache2 in the menu that appears.
  c Choose the appropriate command:
    - To start the service if it is stopped, click Start.
      If the service is already started, this command is unavailable.
    - To restart, click Stop and then click Start.
      Ensure that you click Stop and Start rather than Restart.
- On SUSE Linux Enterprise Server 9 hosts or in the virtual machine that contains the ACE Management Server appliance:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:
    /etc/init.d/apache2 status
  If the status is started, you can log in to ACE Management Server. See "Start and Configure ACE Management Server" on page 24.
3 Enter login credentials.
  If you use Active Directory for authentication, see Table 3-2. In multidomain environments, you might be required to enter a domain (for example, eng.com).
Chapter 4 Configuration Options for ACE Management Server

After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.
This chapter includes the following topics:
- "Prerequisites for Configuring the Server" on page 27
- "Starting ACE Management Server Configuration" on page 33
- "Viewing and Changing Licensing Information" on page 33
- "Using an External Database" on page 33
- "Creating Access Control" on page 34
- "Uploading Custom SSL Certificates" on page 34
- "Logging Events" on page 35
- "Applying Configuration Settings" on page 36

Prerequisites for Configuring the Server
If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before you configure the ACE Management Server.

Create Users and Groups for Integration with Active Directory
To use Active Directory for authenticating users, add users to an Active Directory group and create a user so that ACE Management Server can query LDAP.
When you configure ACE Management Server to use LDAP, follow these guidelines to avoid negatively affecting performance:
- The default domain is the domain for which the LDAP host is a domain controller.
- The query user is a user in the default domain.
- The admin user group is a group that exists in the default domain.
Integrating with Active Directory through LDAP is implemented differently in the Windows-based ACE Management Server than in the Linux-based ACE Management Server. The operating systems differ in the libraries they use to connect to Active Directory and the external databases they support. The Windows ACE Management Server uses the WinLDAP library bundled with the Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.
To create users and groups for integration with Active Directory
1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying.
  Make a note of the sAMAccountName value for that user (for example, aceuser).
2 Create an ACE Administrators group in the domain.
3 Add ACE administrator users to the ACE Administrators group.
4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.
  You can log in to the Help Desk Web application with your administrative LDAP credentials or password. Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does not give them access to other administrative tools.

Set Up an External Database
Before you begin, make sure that you have one of the following supported database servers:
- For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g
  If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher
Before you install the database on a Linux host, make sure the unixODBC RPM package is installed on the Linux system. VMware recommends that you update the package to the latest version released for your specific Linux distribution. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API.
The package contains the libodbc shared library, providing the ODBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both Red Hat Enterprise Linux and SUSE Linux Enterprise Server 9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package.
Also, make sure the unixODBC-gui-qt package is installed (this utility is included in the Red Hat Enterprise Linux unixODBC package). This package is required to use the ODBCConfig X11 graphical configuration tool for setting up a data source name (DSN).

To set up an external database
1 Install a database server on a host.
  The external database does not have to be installed on the same server as ACE Management Server, but it must be installed on the same platform. For example, if ACE Management Server is installed on a Windows host, the database server must also be installed on a Windows host.
  ACE Management Server creates the database schema automatically if proper access rights are granted.
2 Configure the database.
  Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages.
  All tables that are created in the database have a name starting with a PolicyDb_ prefix and indexes with PdbIns_ or PdbLf_ prefixes. You might provide ACE Management Server with a DSN to a database that it shares with some other application, if the database count is at a premium.
3 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:
  - TCP connectivity is enabled in the database configuration options.
  - The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.
  - If you are using a PostgreSQL database, configure per-user permission to connect to the database over the network. Configure that permission in the pg_hba.conf file, which is located in the root folder of your database.
4 (Optional) On the ACE Management Server machine, to verify the server's connectivity to the database with the configured user credentials, run a command-line or graphical SQL tool.
  Examples of such tools are sqlcmd.exe for SQL Server, sqlplus.exe for Oracle, and psql for PostgreSQL. For database configuration and verification instructions, see the respective database documentation.
5 On the ACE Management Server machine, create a System DSN entry.

Creating a System DSN Entry for an External Database
The only required information in DSN configuration is the DSN name, server IP address or host name, and the database name. You do not need to provide a user name and password in the DSN configuration. You provide a user name and password later, when you use the ACE Management Server Setup application.
Ensure that you create a system DSN and not a user DSN. If you create a user DSN, it is visible only to your user account. ACE Management Server runs under the local system account, so the server cannot detect or use a user DSN.

Create a System DSN Entry for a Windows Database
Regardless of whether the host is 32-bit or 64-bit, you create a DSN entry for a 32-bit system.
Before you begin, to determine the correct ODBC driver, see your operating system and database documentation.

To create a System DSN entry for a Windows database
1 Do one of the following:
  - On 32-bit hosts, use the ODBC Data Sources plug-in by choosing Control Panel > Administrative Tools > Data Sources (ODBC).
  - On 64-bit hosts, navigate to %WINDIR%\syswow64\odbcad32.exe and use that program to create a System DSN entry for a 32-bit subsystem.
    ACE Management Server does not support ODBC using an SQL Native Client driver on Windows 64-bit systems.
2 Create an entry that includes the DSN name, server IP address or host name, and the database name.
3 (Optional) If the DSN Setup wizard provides an option to test the connection, verify that the connection works with the database user credentials.
4 Make a note of the database DSN, user name, and password.
You can now use the browser-based ACE Management Server Setup application to connect to this database.
Create a System DSN Entry for a Linux Database
On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in.
Before you begin, determine the correct ODBC driver:
- On Red Hat Enterprise Server, the driver is located at /usr/lib/libodbcpsql.so.
- On SUSE Linux Enterprise Server 9, the driver is located at /user/lib/unixODBC/libodbcpsql.so.2.
The DSN configuration for the unixODBC package is stored in the /etc directory (/etc/unixODBC for SUSE Linux Enterprise Server).
If you are using the ACE Management Server appliance, see "Set Up a Connection Between the Server Appliance and an External Database" on page 31.
You use the odbc.ini file for creating DSNs and the odbcinst.ini file for driver and general ODBC system configuration.

To create a System DSN entry for a Linux database
1 As root, use the ODBCConfig utility to create a System DSN entry.
  You also must configure the server address and the database name in the DSN settings.
  For information about using unixODBC, see the unixODBC Project Web page.
  The ODBCConfig utility makes changes to the odbc.ini and odbcinst.ini files.
2 Make a note of the database DSN, user name, and password.
You can now use the browser-based ACE Management Server Setup application to connect to this database.

Increase the Number of Database Connections Allowed
For optimal server performance, ACE Management Server starts multiple parallel threads (on Windows) or processes (on Linux) listening for the incoming connections from the clients. Every client connection typically runs a database transaction, so it needs to open a database connection.
ACE Management Server usually requires as many database connections as it does parallel threads or processes for client connections. If the server runs out of database connections, the clients might start receiving connection errors.
Table 4-1 includes a list of the locations for the Apache configuration file and the typical default number of connections:

Table 4-1. Apache Configuration File Locations and Default Client Connections
Platform                          Location                                                                        Client Connections
Windows                           C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf    250 (WinNT MPM section)
Red Hat Enterprise Linux          /etc/httpd/conf/httpd.conf                                                      256 (prefork MPM section)
SUSE Linux                        /etc/apache2/server-tuning.conf                                                 150 (prefork MPM section)
ACE Management Server appliance   /etc/httpd/apache2.conf                                                         20 (prefork MPM section)

The default installation of the PostgreSQL database on Red Hat Enterprise Linux allows 100 remote connections, which is less than the number of parallel threads that the Apache server starts by default on the same platform. Change this number if you expect a high volume of client requests to your server (more than 100 active clients).
To increase the number of database connections allowed
1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of parallel threads or processes that might start at the same time.
2 Configure the database to allow as many connections as the Apache server.
  See your database documentation.
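The following script is an added example and is not part of this manual or of VMware's software. It automates step 1 and the comparison in step 2 for a Linux host that uses PostgreSQL: it reads the worker limit from the MPM section of the Apache configuration (MaxClients for the prefork MPM, ThreadsPerChild for the WinNT MPM) and compares it with max_connections in postgresql.conf. The configuration fragments are constructed samples that mirror the defaults in Table 4-1; on a real host, read the file from the location listed there. Subtracting PostgreSQL's reserved superuser connections (default 3) is an assumption about how the database counts ordinary user sessions.

```python
import re

# Added example, not VMware's code. Constructed samples mirroring the Table 4-1 defaults;
# on a real host read httpd.conf / postgresql.conf from the locations listed there.
SAMPLE_HTTPD_CONF_RHEL = """\
<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
MaxRequestsPerChild  4000
</IfModule>

<IfModule worker.c>
MaxClients         150
</IfModule>
"""

SAMPLE_HTTPD_CONF_WIN = """\
<IfModule mpm_winnt.c>
    ThreadsPerChild 250
    MaxRequestsPerChild  0
</IfModule>
"""

SAMPLE_POSTGRESQL_CONF = """\
# - Connection Settings -
max_connections = 100          # (change requires restart)
#superuser_reserved_connections = 3
"""


def _section(conf, module):
    """Body of the <IfModule module> ... </IfModule> block, or '' if the block is absent."""
    m = re.search(r"<IfModule\s+" + re.escape(module) + r"\s*>(.*?)</IfModule>", conf, re.S | re.I)
    return m.group(1) if m else ""


def _directive(text, name, default=None):
    """Integer value of the first uncommented 'name value' line in text."""
    m = re.search(r"^\s*" + name + r"\s+(\d+)", text, re.M | re.I)
    return int(m.group(1)) if m else default


def apache_parallel_clients(httpd_conf):
    """Client connections Apache serves at once: MaxClients for the prefork MPM (Linux),
    ThreadsPerChild for the WinNT MPM. None if neither MPM section is present."""
    prefork = _section(httpd_conf, "prefork.c")
    if prefork:
        return _directive(prefork, "MaxClients")
    winnt = _section(httpd_conf, "mpm_winnt.c")
    if winnt:
        return _directive(winnt, "ThreadsPerChild")
    return None


def postgres_max_connections(pg_conf):
    """Value of max_connections; PostgreSQL's compiled-in default is 100 when it is unset."""
    m = re.search(r"^\s*max_connections\s*=\s*(\d+)", pg_conf, re.M)
    return int(m.group(1)) if m else 100


def connection_shortfall(httpd_conf, pg_conf, reserved_superuser=3):
    """Extra PostgreSQL connections needed so every Apache worker can hold one.
    PostgreSQL keeps superuser_reserved_connections (default 3, an assumption here) back
    from ordinary database users such as the ACE Management Server account."""
    apache = apache_parallel_clients(httpd_conf)
    if apache is None:
        raise ValueError("no prefork or WinNT MPM section found in the Apache configuration")
    usable = postgres_max_connections(pg_conf) - reserved_superuser
    return max(0, apache - usable)


if __name__ == "__main__":
    workers = apache_parallel_clients(SAMPLE_HTTPD_CONF_RHEL)
    need = connection_shortfall(SAMPLE_HTTPD_CONF_RHEL, SAMPLE_POSTGRESQL_CONF)
    print(f"Apache may hold {workers} connections; raise max_connections by {need}")
```

With the Red Hat defaults from Table 4-1 (256 prefork workers against PostgreSQL's 100 connections) the script reports a shortfall of 159 connections; a database already set to 300 connections reports 0.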
Enable Database Connection Pooling on Linux
Enabling database connection pooling for databases on Linux hosts can give a substantial performance gain under high loads. ACE Management Server can reuse database connections rather than opening new connections for every request.
Enable database connection pooling in the ODBC Driver Manager (it is disabled by default) to optimize performance for servers on Linux platforms.
On Windows platforms, ODBC connection pooling is enabled by default.

To enable database connection pooling on Linux
1 Start the ODBCConfig utility as a root user.
2 Click the Advanced tab.
3 Select the Connection Pooling check box.

Set Up a Connection Between the Server Appliance and an External Database
The ACE Management Server appliance does not contain a PostgreSQL database server. You can, however, use an external database server with the appliance.

To set up a connection between the server appliance and an external database
1 Log in to the server appliance console as root, using the password you created during your first run of the server appliance.
2 Open the /etc/odbc.ini file in a text editor.
  For example:
  vaos# vi /etc/odbc.ini
  This file contains the postgres_dsn setting for the ODBC DSN.
3 Uncomment all lines in the postgres_dsn section except the first two.
  To uncomment lines, delete the pound sign (#) at the beginning of each line.
4 Replace placeholders with the PostgreSQL database server DNS name or IP address and the database name of this server.
5 Use the default port number or set a different port number.
6 Save the file.
After you complete this task, postgres_dsn appears in the drop-down menu on the Database tab in the ACE Management Server Setup application.
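The following script is an added example and is not part of this manual or of VMware's software. It checks the odbc.ini entry that the Linux DSN procedure and the appliance procedure above produce: the section is uncommented, the host and database placeholders have been replaced, the port is valid, and no user name or password has been written into the DSN (the text says those are entered later in the Setup application). The sample file is constructed, not a copy of the appliance's own odbc.ini; the key names (Driver, Servername, Port, Database) are the ones the psqlODBC driver reads, and the driver path is the Red Hat one named earlier in this chapter. Treat both as assumptions for your host.

```python
import configparser

# Added example, not VMware's code. Constructed sample of an /etc/odbc.ini DSN entry;
# key names follow the psqlODBC driver and the driver path is the Red Hat one from
# the text (assumptions; check your own host).
SAMPLE_ODBC_INI = """\
[postgres_dsn]
Description = ACE Management Server policy database
Driver      = /usr/lib/libodbcpsql.so
Servername  = pgdb.example.com
Port        = 5432
Database    = acepolicy
"""

# Values that mean an administrator has not yet replaced the template's placeholder.
PLACEHOLDERS = {"", "<hostname>", "<host>", "<ipaddress>", "<dbname>", "<database>"}


def check_dsn(ini_text, dsn="postgres_dsn"):
    """Return a list of problems with the named DSN; an empty list means it is usable."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section(dsn):            # still commented out, or the wrong section name
        return [f"section [{dsn}] is missing or still commented out"]
    sec = cp[dsn]
    problems = []
    for key in ("driver", "servername", "database"):
        if sec.get(key, "").strip().lower() in PLACEHOLDERS:
            problems.append(f"{key} is missing or still a placeholder")
    port = sec.get("port", "5432").strip()  # psqlODBC falls back to 5432 (assumed default)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        problems.append(f"port '{port}' is not a valid TCP port")
    # Credentials belong in the Setup application, not in a file that other local
    # accounts on the host may be able to read.
    for key in ("username", "password"):
        if key in sec:
            problems.append(f"{key} should not be stored in the DSN; enter it in the Setup application")
    return problems


if __name__ == "__main__":
    print(check_dsn(SAMPLE_ODBC_INI) or "postgres_dsn is ready for the Database tab")
```

Run it against the file after step 6; any line it prints corresponds to one of steps 3 to 5 that was not completed.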
Prepare Custom Security Certificates
To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files. These files must be PEM encoded.
After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL Certificates tab in the ACE Management Server Setup application.
For more information about how VMware ACE uses SSL certificates, see "Using SSL Certificates and Protocol" on page 16.

To prepare custom security certificates
1 Create or provide the needed files:
  - For your own self-signed certificate, use the openssl utility to create a new self-signed certificate.
  - For a third-party CA or internal CA, obtain an SSL certificate signed by that CA, and a certificate verification chain file.
    The chain file is a concatenation of every certificate required to verify the new SSL certificate you created or obtained. Depending on the CA and certificate issued, an example chain file could be a concatenation of the root certificate, one or more intermediary certificates, and the server certificate. Each of the individual pieces must be signed with SHA-1 and in PEM format before concatenation. Steps for obtaining the certificate chain vary, depending on which host operating system you are using and on the source from which the CA certificate is obtained. A CA authority may provide the complete chain or you may need to assemble the chain yourself.
  - A private key file. SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient.
  The certificate signatures must use the SHA-1 algorithm digest. The files must be PEM encoded.
2 Rename the files, as follows:
  - Rename the private key file to server.key.
  - Rename the certificate file to server.crt.
  - Rename the certificate chain file to chain.crt.
You can now use the ACE Management Server Setup application to upload the certificate files.
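The following script is an added example and is not part of this manual or of VMware's software. Before uploading, it checks the two properties this procedure requires of chain.crt (and of a lone server.crt): every certificate is PEM encoded and carries a SHA-1 signature algorithm, and the concatenation is in verifiable order. It walks the X.509 DER structure directly so that no third-party library is needed; it compares issuer and subject names but does not verify signatures cryptographically. Two assumptions: the chain is ordered root, intermediates, server, as in the example in the text, and "SHA-1 signed" is taken to mean the sha1WithRSAEncryption algorithm identifier. The sample chain is constructed from toy certificates with placeholder key and signature bytes, built by the small DER encoder at the end of the block.

```python
import base64
import re

# Added example, not VMware's code. Structural checks only (no signature verification);
# chain order root -> intermediates -> server and the sha1WithRSAEncryption OID are
# assumptions taken from the text above.
SHA1_WITH_RSA = "1.2.840.113549.1.1.5"
RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """One DER tag-length-value at pos -> (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                     # long form: low bits give the count of length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out

def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, val = parts + [val], 0
    return ".".join(map(str, parts))

def parse_cert(der_bytes):
    """Signature algorithm OID plus the raw DER of the issuer and subject Names."""
    _, cert, _ = _read_tlv(der_bytes, 0)
    tbs, sig_alg, _sig = _children(cert)
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:             # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _serial, _alg, issuer, _validity, subject = fields[:5]
    oid = _decode_oid(_children(sig_alg[1])[0][1])
    return {"signature_oid": oid, "issuer": issuer[1], "subject": subject[1]}

def pem_to_der_list(text):
    return [base64.b64decode("".join(m.split())) for m in _PEM_RE.findall(text)]

def check_chain_file(pem_text):
    """Problems found in a chain.crt (or a lone server.crt); an empty list means it passed."""
    certs = [parse_cert(d) for d in pem_to_der_list(pem_text)]
    if not certs:
        return ["no PEM certificate blocks found"]
    problems = [f"certificate {i}: {c['signature_oid']} is not sha1WithRSAEncryption"
                for i, c in enumerate(certs) if c["signature_oid"] != SHA1_WITH_RSA]
    if certs[0]["issuer"] != certs[0]["subject"]:
        problems.append("certificate 0 is not self-signed, so it is not the root")
    # DER is canonical, so equal Names have byte-identical encodings.
    problems += [f"certificate {i} was not issued by certificate {i - 1}"
                 for i in range(1, len(certs)) if certs[i]["issuer"] != certs[i - 1]["subject"]]
    return problems

# ---- Constructed test material: a minimal DER encoder that builds toy certificates ----
def der(tag, content):
    n = len(content)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content

def der_oid(dotted):
    arcs = [int(x) for x in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc := arc >> 7:
            groups.append(0x80 | (arc & 0x7F))
        body += reversed(groups)
    return der(0x06, bytes(body))

def _name(cn):   # Name ::= SEQUENCE OF SET OF { OID commonName, PrintableString }
    return der(0x30, der(0x31, der(0x30, der_oid("2.5.4.3") + der(0x13, cn.encode()))))

def make_toy_cert(subject_cn, issuer_cn, sig_oid=SHA1_WITH_RSA):
    """Structurally valid X.509 DER with placeholder key and signature bytes (no real crypto)."""
    sig_alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    validity = der(0x30, der(0x17, b"100101000000Z") + der(0x17, b"200101000000Z"))
    spki = der(0x30, der(0x30, der_oid(RSA_ENCRYPTION) + der(0x05, b"")) + der(0x03, bytes(17)))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, bytes(9)))

def der_to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"

def sample_chain_pem():
    """Root, intermediate, server: all SHA-1 signed, concatenated in the order the text gives."""
    links = [("Root CA", "Root CA"), ("Intermediate CA", "Root CA"), ("ams.example.com", "Intermediate CA")]
    return "".join(der_to_pem(make_toy_cert(subj, issuer)) for subj, issuer in links)
```

To use it on real files, read chain.crt into a string and call check_chain_file on it; an empty list means the file is ready for step 2. A certificate signed with sha256WithRSAEncryption, or a chain concatenated in the wrong order, is reported by name and position.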
View the Properties of the Self-Signed Certificate File
This file is stored in the SSL directory in the VMware ACE Management Server program directory.

To view the properties of the self-signed certificate file
Do one of the following:
- On a Windows host, navigate to the location of the server.crt file and double-click the file name.
- On a Linux host, use the following command:
  openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text
To replace an expired certificate, see "Prepare Custom Security Certificates" on page 32. Do not modify certificates to make them permanent.
Starting ACE Management Server Configuration
If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before configuring the ACE Management Server. See "Prerequisites for Configuring the Server" on page 27.
The text that appears on the Start tab changes, depending on whether you have done an initial configuration:
- If this page says "This server has not been configured yet", you must click Start to complete the configuration setup wizard.
- If this page says "This server is configured", the Next and Previous wizard buttons do not appear. You can navigate to other tabs by clicking a tab.

Viewing and Changing Licensing Information
After you enter an ACE Management Server serial number, use the Licensing tab to determine the expiration date, if any.
The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.
If the system on which you installed ACE Management Server currently has more than one valid server license, just one license appears on the page.
You can use the Licensing tab to add or change a serial number, user name, or company name.
If you make changes to the information on this tab, you must click Apply or Cancel before you can navigate to another tab.

Using an External Database
The embedded database is an SQLite database. VMware recommends that you use an external database in production environments.
The embedded database is initialized during server installation and requires no special configuration. This database is adequate for testing purposes but is not designed to be effectively shared across multiple processes.
Before you can configure the ACE Management Server to use an external database, you must create a system DSN and credentials for accessing that data source. See "Set Up an External Database" on page 28.
Use the following information to help you complete the fields on the Database tab:
- Data Source Name (DSN): Data source name you used when you created a system DSN entry on the ACE Management Server machine.
- User Name and Password: Credentials for a user account that has full access to the database, including rights to create tables.
After you enter the database connection credentials, the setup application checks for an existing database. If the existing schema is not compatible, if no schema is available, or if the schema cannot be upgraded, you are asked whether to overwrite it. If you overwrite the existing schema and data, a new schema is created. If you do not overwrite the existing schema and data, the configuration application quits.
CAUTION After you enter credentials, if the message "Compatible schema exists. Do you want to reinitialize the schema and overwrite the existing data?" appears, select Use existing schema and data unless you want to erase all data in your existing database. To reinitialize the database at some later time, you can reopen this configuration application and return to this page.
If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even if you do not rerun the setup application.
If you make changes to the information on the Database tab, you must click Apply or Cancel before you can navigate to another tab.

Creating Access Control
On the Access Control tab, you can create a local Administrator role and Help Desk role or use Active Directory for authenticating users with these roles.
Before you can configure the ACE Management Server to use a domain account for authentication, you must create users and groups so that ACE Management Server can connect to the LDAP server. See "Create Users and Groups for Integration with Active Directory" on page 27.
Use the following information to help you complete the fields for authentication:
- Local account: If you specify a password for the Administrator role and forget or lose it, you must delete the server configuration file. Deleting this file sets the server back to its initial state. You must reconfigure the server and set the administrator password again.
  See "Delete the Server Configuration File and Set a New Administrator Password" on page 50.
- Domain account (LDAP): To use Active Directory for authentication, specify the host and credentials that the ACE Management Server uses to connect to and query the domain controller:
  - Host Name: Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP address or host name with no parent domain name (for example, ldap).
  - Query User sAMAccountName and Query User Password: Use the password and short name for the user account you created for this purpose in Active Directory.
  - Query User Domain: The domain must be the domain for which the LDAP host is a domain controller.
  - Admin Group DN and Help Desk Group DN: (Optional) Enter the distinguished name for these groups, which you created for this purpose in Active Directory (for example, cn=Users,dc=simplecorp,dc=com).
    If this option is not enabled, anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.
- Help Desk Role or Group DN: Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from the Help Desk application. Users in this role cannot access other administrative tools. You can still log in to the Help Desk Web application with your administrative LDAP credentials or local Administrator password.
If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you can navigate to another tab.
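The following script is an added example and is not part of this manual or of VMware's software. It shows a role lookup shaped like the Domain account (LDAP) settings above and the groups created under "Create Users and Groups for Integration with Active Directory": the login name is placed into an LDAP search filter with RFC 4515 escaping, the matching account's group memberships are compared with the Admin Group DN and Help Desk Group DN, and the result is a role. The directory is an in-memory stand-in holding constructed entries; simplecorp.com, the account names and the group DNs are assumptions. In a real deployment the filter from build_user_filter() would be sent to the domain controller over a connection bound with the query user's credentials.

```python
# Added example, not VMware's code. Constructed directory data; simplecorp.com,
# the account names and the group DNs are assumptions.

# RFC 4515 escaping: a login name containing these characters would otherwise rewrite
# the search filter (LDAP filter injection), so they are escaped before use.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

ADMIN_GROUP_DN = "cn=ACE Administrators,cn=Users,dc=simplecorp,dc=com"   # assumed value
HELPDESK_GROUP_DN = "cn=ACE Help Desk,cn=Users,dc=simplecorp,dc=com"      # assumed value

# Stand-in for the domain controller's view, keyed by entry DN (constructed data).
SAMPLE_DIRECTORY = {
    "cn=Alice Admin,cn=Users,dc=simplecorp,dc=com": {
        "sAMAccountName": "alice",
        "memberOf": ["CN=ACE Administrators, CN=Users, DC=simplecorp, DC=com"],
    },
    "cn=Bob Helper,cn=Users,dc=simplecorp,dc=com": {
        "sAMAccountName": "bob",
        "memberOf": ["CN=ACE Help Desk, CN=Users, DC=simplecorp, DC=com"],
    },
    "cn=Carol User,cn=Users,dc=simplecorp,dc=com": {
        "sAMAccountName": "carol",
        "memberOf": [],
    },
}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(sam_account_name):
    """Search filter for the short name a person typed at the login prompt."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def normalize_dn(dn):
    """Active Directory matches these DNs case-insensitively and tolerates spaces after
    separators, so compare a canonical form rather than the raw strings."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def search_user(directory, sam_account_name):
    """Stand-in for the LDAP search; returns (dn, attributes) or None."""
    for dn, attrs in directory.items():
        if attrs["sAMAccountName"].lower() == sam_account_name.lower():
            return dn, attrs
    return None


def resolve_role(directory, sam_account_name, admin_group_dn, helpdesk_group_dn=None):
    """Map a login to 'administrator', 'helpdesk' or None. With no Help Desk Group DN
    configured, only members of the administrators group are accepted, as the text says."""
    hit = search_user(directory, sam_account_name)
    if hit is None:
        return None
    _dn, attrs = hit
    groups = {normalize_dn(g) for g in attrs.get("memberOf", [])}
    if normalize_dn(admin_group_dn) in groups:
        return "administrator"
    if helpdesk_group_dn and normalize_dn(helpdesk_group_dn) in groups:
        return "helpdesk"
    return None


if __name__ == "__main__":
    for name in ("alice", "bob", "carol", "*)(objectClass=*"):
        print(build_user_filter(name), "->",
              resolve_role(SAMPLE_DIRECTORY, name, ADMIN_GROUP_DN, HELPDESK_GROUP_DN))
```

The last name in the usage loop shows why the escaping matters: unescaped, it would turn the filter into one that matches every object, whereas escaped it simply matches no account.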
Uploading Custom SSL Certificates
To have ACE Management Server use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), use the Custom SSL Certificates tab to upload the PEM-encoded files.
Before you can upload custom SSL certificates, you must create and rename the certificate files. See "Prepare Custom Security Certificates" on page 32.
By default, during ACE Management Server installation, the following two files are created:
- server.key: This RSA 1024-bit key is the private key.
- server.crt: This self-signed certificate is valid for 10 years from the date and time at which the server is installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate file is encoded in PEM format.
When you run an ACE instance, the VMware Player application uses the complete certification chain that is included in its package, not on the host, to verify connections made to ACE Management Server. Therefore, the use of self-signed certificates is adequate for most security needs. For more information about how VMware ACE uses security certificates, see "Using SSL Certificates and Protocol" on page 16.
When you click Upload certificates, a summary page displays the files and locations you specify on this tab. Note the location of any backup files. You might need to use the backup if you find that the new file is invalid when you click Apply. See "Restore a Backup Copy of an SSL Certificate" on page 50.
After you upload custom SSL certificates, you must update any existing ACE-enabled virtual machines to use a new certificate and key file. To do so, use Workstation to create an update package. When you deploy the new package, ACE instances receive the new certificate file and certificate chain.

Logging Events
The server collects log entries for events that change the database. On the Logging tab, you can set the logging levels and set an option for purging log entries.
ACE Management Server uses the following logging categories:
- ACE Administration: Logs events for instance creation, update, and destruction.
- Package Administration: Logs events for package creation, update, instance customization, and package removal.
- Policy Administration: Logs events for policy set update and publish, user access control changes, and instance passwords set by an ACE administrator.
- Instance Administration: Logs ACE instance life cycle events, such as creation, copying, revocation, re-enablement, and deletion. Also logs instance password change by a user or an administrator, changes in expiration for each instance, changes of instance guest or host operating system information, and setting instance custom fields. The debug level can be used to log the most ubiquitous traffic, such as policy update requests from active instances. Failed instance verifications are logged only at the debug level.
- Authentication: Logs events for every authentication request, such as administration or help desk authentication attempts (at the normal level), instance authentication (at the informational level), and remote LDAP password change. Set logging for this category to the lowest level that is practical for you. This category can generate a large volume of entries.
For each category, you can choose one of the following logging levels:
- None: No log entry is made for this event.
- Critical: An example of a critical log event is one that removes all packages, instances, and policies associated with an ACE-enabled virtual machine.
- Normal: This level of detail is sufficient to answer most queries.
- Informative: Entries for nondestructive events that have limited effect.
- Debug: Entries for every client access of the server. It provides more records of certain event types, creating a large number of logging entries compared to other log levels. It logs all informational transactions, such as instance status and so on.
Use the Event Log Purging control to configure the amount of logging information retained. The purge maintenance process runs approximately every six hours.
If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can navigate to another tab.
Applying Configuration Settings
The Restart page appears when you click Apply on one of the tabs. You must restart the server for the configuration settings to take effect.
If you click Later, you can always restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.
5 Load-Balancing Multiple ACE Management Server Instances
If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.
This chapter includes the following topics:
- Typical Setup Using Load-Balanced ACE Management Server Instances on page 38
- Install the Required Services for Load Balancing on page 38
- Use the Same SSL Certificate on All Servers on page 39
- Create New SSL Certificates and Keys for Each Server on page 40
- Installing and Configuring the Load Balancer on page 41
- Verify That ACE Instances Are Using the Load Balancer on page 41
Typical Setup Using Load-Balanced ACE Management Server Instances
A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load-balancing group, the number of clients that you can serve scales linearly. For example, if you can serve 2,000 clients with one server, using two load-balanced servers allows you to serve 4,000 clients.
Figure 5-1 shows a simple deployment topology for using load balancing.
Figure 5-1. Two ACE Management Server Instances Working Together
To use a setup similar to the one depicted, you must have the following:
- Two or more machines (or virtual machines) to host the ACE Management Server processes
- An external database to host the ACE Management Server data
- A load-balancing solution to manage traffic
Install the Required Services for Load Balancing
Services include multiple ACE Management Server instances, an external database, and Workstation.
To install the required services for load balancing
1 Install the ACE Management Server package on two or more machines (or virtual machines).
See Installing and Upgrading ACE Management Server on page 20.
2 Configure each ACE Management Server separately to access the same external database.
See Start and Configure ACE Management Server on page 24.
Both ACE Management Server installations must be able to identify the same data store so either installation can field queries for clients and scale the number of clients that can be served.
[Figure 5-1 labels: ACE Management Server 1 and ACE Management Server 2 behind an optional load balancer; AMS clients connect to the servers over HTTPS, and each server connects to the database server over ODBC and to the Active Directory domain controller over LDAP/Kerberos.]
3 To verify that both ACE Management Server instances are working properly, start Workstation and connect to each ACE Management Server directly:
a In Workstation, choose File > Connect to ACE Management Server.
b Enter the IP or host name of the machine where ACE Management Server is installed, change the number in the Port field if necessary, and click OK.
The setup is successful if you can view the same data in the Instance View window for each ACE Management Server instance. If you create a test ACE and preview it, you see the preview instance on both servers.
Use the Same SSL Certificate on All Servers
For a load-balancing solution, you can copy the SSL certificate and key from one ACE Management Server to another.
To use the same SSL certificate on all servers
1 Log in to the ACE Management Server Setup application for the first ACE Management Server.
2 Click the Custom SSL Certificates tab to determine the location of the SSL certificate and key directory files.
On Windows, the files are located at C:\Program Files\VMware\VMware ACE Management Server\ssl.
On Linux, the files are located at /var/lib/vmware/acesc/ssl.
The certificate file is server.crt. The key file is server.key.
3 Copy the files to the second ACE Management Server.
If you are using the ACE Management Server virtual appliance, use the scp (secure copy) command to copy the certificate and key files:
a Open a command prompt.
b Enter the following command:
scp user@: user@:
You can also enable shared folders if you are using Workstation to run the virtual appliance, and copy the files from the virtual machine through the shared folders feature. For more information about shared folders, see the VMware Workstation User's Manual.
4 Log in to the ACE Management Server Setup application for the second ACE Management Server.
5 Use the Custom SSL Certificates tab to upload the files:
a Specify the key file in the Server Private Key field.
b Specify the certificate file in the Server Public Certificate field.
c Click Upload certificates.
d Click Apply and click Restart.
CAUTION This procedure directs you to upload both the certificate file (the .crt file) and the matching key file (the .key file). If you do not upload both, the Apache httpd service on the second ACE Management Server might freeze. In this case, you must uninstall and reinstall ACE Management Server.
Create New SSL Certificates and Keys for Each Server
If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server.
If you plan to obtain SSL certificates from a certificate authority, you must create certificate chains. Figure 5-2 provides an overview of determining which certificates are included in a chain.
Figure 5-2. Creating the Certificate Chain File
To create new SSL certificates and keys for each server
1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm).
The procedure varies, depending on the tools you use. To determine how to create these certificates and keys, see the documentation for your platform. Each certificate must have a unique common name and a unique serial number.
2 If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate.
The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the leaf certificate (including the root certificate of the chain).
a Download the verification chain from your certificate authority.
b Each certificate must be in PEM format before you create the certificate chain file.
To convert to PEM format, use the OpenSSL tools available online.
c Create the certificate chain file by concatenating each PEM-encoded certificate into one file.
- If both of your certificates are self-signed, your certificate chain file must be a file that contains both certificates concatenated.
- If you received your certificates from the same certificate authority, the chain file must contain only the verification chain for these certificates, and the chains must be the same.
- If the certificates come from different certificate authorities, the chain file must contain both certificate verification chains.
For example, if you are using two ACE Management Server instances, you have two certificate chain files.
[Figure 5-2 labels: the certificate verification chain (Root SSL Certificate, Intermediary SSL Certificate, each in PEM format) and the server SSL certificates for ACE Management Server #1 and ACE Management Server #2, each converted to PEM and then appended to the Certificate Chain File.]
3 Join all of the certificate chain files into one file.
If you can, eliminate the duplicate entries.
4 Convert the servers' SSL certificates to PEM format.
5 Add the servers' SSL certificates in PEM format to the certificate chain file.
6 On the Custom SSL Certificates tab, upload the SSL certificate file, the SSL key file, and the certificate chain file:
a Specify the key file in the Server Private Key field.
b Specify the certificate file in the Server Public Certificate field.
c Click Upload certificates.
d Click Apply and click Restart.
Complete this step for every ACE Management Server in your farm to upload files to each ACE Management Server.
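As an added example (not part of the VMware manual), the following POSIX shell script performs the chain-file merge of steps 3 to 5 and adds the check a practitioner wants before uploading: each server certificate must verify against the merged chain. It assumes the openssl command-line tool for the PEM conversion and verification functions; the certificate blocks in its demonstration are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the VMware manual. Merges per-server certificate
# chain files into one chain file without duplicate certificates (step 3),
# converts server certificates to PEM (step 4) and verifies them against the
# merged chain before the files are uploaded. Assumes the openssl CLI.

# to_pem IN OUT : convert a DER (binary) certificate to PEM format.
to_pem() {
  openssl x509 -inform DER -in "$1" -out "$2"
}

# merge_chain_files OUT FILE... : write every PEM certificate block found in
# FILE... to OUT, keeping only the first copy of each identical block.
merge_chain_files() {
  out=$1
  shift
  cat "$@" | awk '
    /^-----BEGIN CERTIFICATE-----$/ { inblock = 1; block = "" }
    inblock { block = block $0 "\n" }
    /^-----END CERTIFICATE-----$/ {
      inblock = 0
      if (!(block in seen)) { seen[block] = 1; printf "%s", block }
    }' > "$out"
}

# count_certs FILE : print the number of PEM certificate blocks in FILE.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# verify_against_chain CHAIN CERT : succeed only if CERT verifies up to a root
# contained in CHAIN; failure means the chain file is missing a certificate.
verify_against_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# append_placeholder_cert FILE LABEL : append a constructed placeholder block
# (not a real certificate) so the merge logic can be exercised offline.
append_placeholder_cert() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' "$2" '-----END CERTIFICATE-----' >> "$1"
}

# Demonstration: two servers whose chain files share the same root and
# intermediary certificates; the merged file must hold each only once.
demo_merge() {
  dir=$(mktemp -d)
  for label in ROOT INTERMEDIARY AMS1; do append_placeholder_cert "$dir/chain1.pem" "$label"; done
  for label in ROOT INTERMEDIARY AMS2; do append_placeholder_cert "$dir/chain2.pem" "$label"; done
  merge_chain_files "$dir/chain.pem" "$dir/chain1.pem" "$dir/chain2.pem"
  count_certs "$dir/chain.pem"   # prints 4: root, intermediary, AMS1, AMS2
  rm -rf "$dir"
}

demo_merge
```

Run verify_against_chain on each server's PEM certificate with the merged chain file; a failing server is the one whose issuing chain was left out in step 2.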
Installing and Configuring the Load Balancer
ACE Management Server uses HTTPS to communicate with its clients. You can use any load-balancing solution that supports HTTPS with ACE Management Server.
Install the load balancer and configure port 443 (HTTP over SSL) for load balancing. Do not configure port 8080 or 8000 for load balancing. These two ports are used for configuration. Port 8080 is the virtual appliance configuration port and 8000 is the ACE Management Server configuration port.
Verify That ACE Instances Are Using the Load Balancer
After you configure multiple ACE Management Server instances to work with a load balancer and install the necessary SSL certificates, perform verification. Verify that ACE instances can connect to ACE Management Server instances by using the address of the load balancer.
Before you begin, restart Workstation so that Workstation can download the SSL certificate when a connection to the ACE Management Server is established.
Make sure that third-party CA certificate passwords do not have more than 8 characters.
To verify that ACE instances are using the load balancer
1 Create an ACE-enabled virtual machine.
2 Open the policy editor.
3 Select Policy Update Frequency.
4 Select Disable Offline Usage and click OK.
5 Remove the first ACE Management Server from the load-balancing configuration so that all traffic goes to the second ACE Management Server.
6 Preview the ACE instance.
This preview creates an instance on the ACE Management Server.
7 Close the ACE Player.
8 Remove the second ACE Management Server from the load-balancing configuration and add the first ACE Management Server back to the configuration.
All traffic goes to the first ACE Management Server.
9 Preview the same ACE instance again, and when prompted whether to reinstantiate or reuse the instance, select Use Existing Instance.
If the instance starts successfully, both servers are using the same SSL certificate.
6 Managing ACE Instances
After ACE Management Server is installed and configured, you can do the following:
- View ACE instances that are managed by a particular ACE Management Server.
- Revoke and re-enable an instance.
- Fix various problems with the ACE instances as reported by instance users.
This chapter includes the following topics:
- Viewing ACE Instances That the Server Manages on page 43
- Search for an Instance on page 45
- Sort by Column Heading and Change Column Width on page 46
- Show, Hide, and Move Columns in the Instance View on page 46
- Create or Delete Custom Columns in the Instance View on page 46
- View Instance Details on page 47
- Reactivate, Deactivate, or Delete an ACE Instance on page 47
- Change a Copy Protection ID on page 47
- Reset the Authentication Password on page 48
- Add Information for Custom Columns on page 48
Viewing ACE Instances That the Server Manages
To view and manage a server's ACE instances, you can use either the Instances page of the VMware ACE Help Desk or the server's instance view in Workstation.
Both user interfaces enable you to fix a limited set of ACE instance problems, such as reactivating an instance, changing the instance's expiration date, and resetting the user password if the user has lost or forgotten it.
Because the VMware ACE Help Desk is a browser-based application, you can use it on computers that do not have Workstation installed. The Help Desk also allows you to create a restricted help desk role. Users with this role can fix a limited set of problems reported by end users, but they cannot change configuration settings for the ACE Management Server.
The instance view in Workstation enables you to perform all the tasks available in the VMware ACE Help Desk and a few more tasks. For example, in the instance view, you can create custom columns and save the searches you create.
Use the VMware ACE Help Desk Application
ACE administrators and help desk assistants can access ACE instances through the VMware ACE Help Desk Web application. You can use the Help Desk to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.
To use the VMware ACE Help Desk application
1 Open a Web browser and go to https://:8000.
The value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address.
If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Click the Help Desk link.
3 Supply the login information.
Use the following information to help you complete the fields that appear in this window:
- User Name and Password: If a help desk role was created, enter credentials for that role. Otherwise, enter credentials for administering the ACE Management Server.
- Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).
The VMware ACE Help Desk opens the Instances page, which contains a summary table of all the instances that the server manages.
Use the Instance View in Workstation
ACE administrators can access ACE instances through the instance view. You can use the instance view to reactivate an instance, change the instance's expiration date, and reset a user password if it is lost or forgotten.
The instance view in Workstation enables you to perform all the tasks available in the VMware ACE Help Desk and a few more tasks. In the instance view, you can create custom columns and save the searches you create.
You must have administrator credentials to use the instance view.
An instance has one of the following status types:
- Active: The instance is active and available for immediate use.
- Deactivated: This instance was purposely deactivated. You must reactivate it to make it usable again.
- Blocked by policies: The instance is still active but is blocked (cannot be run) because of a violation of a policy such as expiration date or copy protection. For details, view the server log for that instance.
The Valid From and Valid Until columns indicate the period that the instance is valid. The instance expires after the Valid Until date. If no expiration date is set for the instance, those columns are empty.
To use the instance view in Workstation
1 From the Workstation menu bar, choose File > Connect to ACE Management Server.
2 Specify the fully qualified host name or the IP address and click OK.
In most cases, the default port number does not need to be changed.
3 Complete the login window.
Use the following information to help you complete the fields that appear in this window:
- User Name and Password: Enter credentials for administering the ACE Management Server.
- Domain: In multidomain environments, you might be required to enter a domain (for example, eng.com).
Search for an Instance
You can use the search function to query the ACE Management Server database for one or more particular ACE instances. Search criteria are joined with AND, not OR, operations.
Before you begin, do one of the following:
- Log in to the VMware ACE Help Desk for an ACE Management Server.
- Connect to an ACE Management Server from the Workstation window.
To search for an ACE instance
1 Click Search and specify the criteria to be included when the database is queried.
Use the following information to help you specify search criteria:
- Activated By: Activation method, such as password, Active Directory user, or activation key. If no such activation method exists, N/A appears in the column.
- ACE VM Name: Name of the ACE-enabled virtual machine from which the ACE instance was created.
- Guest Name: (For Windows guests only) Computer name resolved on the user's machine during instance customization, if you use that feature. The NetBIOS name is reported here, and it is a maximum of 15 characters long. Even if the actual computer name contains more characters, the name always appears as the NetBIOS name.
- Custom columns: Custom columns that you created appear directly below the Guest MAC Address criterion.
- Exact match only: Values are case sensitive.
- Save as: (Available in the Workstation instance view only) Saved searches are specific to each server. You can edit or delete your saved searches by selecting the name of a saved search in the Saved Searches drop-down menu and clickin