
vCenter Configuration Manager Security Environment Requirements
TECHNICAL WHITE PAPER / 26
12.1 All published packages are signed by trusted parties
Package Manager assumes that all packages must be signed with a private key before they are installed or
uninstalled. To accommodate customers that do not use software signing or where the immediate circumstances
require you to ignore that signature, override options are provided. However, secure operation of Software Provisioning
requires that these practices be followed:
• All packages should be signed
• Signatures should always be validated
• Certification authorities should be trusted
Further, repositories should not contain unsigned packages placed there independently of Package Studio.
12.2 Protect repositories
Packages in a repository are available for download by Package Manager. These repositories must be protected from
tampering or unauthorized deletion of important content. Repositories should reside on access-controlled hosts
protected with the measures previously described for hosts in Hosting Environment on page 11.
12.3 Accept only reputable software package publishers
VMware packages are signed by the VMware Software Publisher Certificate verifiable by Verisign. This certificate is
available for download from:
http://downloads.vmware.com/d/info/datacenter_downloads/vmware_vcenter_configuration_manager/5_0
Customer packages (or re-packaging of VMware Software) should be signed by the SPCs of other reputable
publishers and be verifiable by Package Manager at package installation time.
12.4 Configure only trusted sources over secure channels
Package Manager is the application installed on machines to install and remove the packages stored in software
repositories. Package Manager can be configured to use one or more repositories as package sources.
Only trusted repositories should be configured as sources. Further, the URI specified as the package source should
use a secure channel scheme such as https to a repository with a trusted SSL server certificate, or point to a secure file share.
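The check described in 12.4 can be automated over a list of configured source URIs. The following is an added example, not part of the original white paper or of VCM: the host allowlist, the sample URIs and the function names are constructed for illustration, and treating any UNC or file:// share on an allowlisted host as a "secure file share" is an assumption.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Constructed allowlist of repository hosts the organization trusts (assumption).
TRUSTED_HOSTS = {"repo.example.internal", "fileserver.example.internal"}

def audit_source(uri, trusted=TRUSTED_HOSTS):
    """Return (ok, reason) for one configured package source URI."""
    uri = uri.strip()
    if uri.startswith("\\\\"):                      # UNC path: \\host\share\...
        parts = [p for p in uri.split("\\") if p]
        if len(parts) < 2:
            return False, "malformed UNC path"
        host, scheme = parts[0].lower(), "unc"
    else:
        u = urlsplit(uri)
        scheme, host = u.scheme.lower(), (u.hostname or "").lower()
    if scheme not in ("https", "file", "unc"):
        return False, f"scheme '{scheme}' is not a secure channel"
    if not host:
        return False, "no repository host (local path, not a share)"
    if host not in trusted:
        return False, f"host '{host}' is not on the trusted list"
    if scheme == "https":
        return True, "https to trusted host (certificate is checked at connect time)"
    return True, "file share on trusted host (review share and file ACLs)"

def tls_certificate_trusted(host, port=443, timeout=5.0):
    """Validate the server's chain and hostname against the system trust store (needs network)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as s, \
                ctx.wrap_socket(s, server_hostname=host):
            return True
    except (ssl.SSLError, OSError):
        return False

# Constructed sample configuration, not taken from a real deployment.
SAMPLE_SOURCES = [
    "https://repo.example.internal/packages/",
    "http://repo.example.internal/packages/",
    "\\\\fileserver.example.internal\\packages",
    "https://mirror.example.net/packages/",
    "file:///C:/LocalRepo/",
]

if __name__ == "__main__":
    for src in SAMPLE_SOURCES:
        print(src, "->", audit_source(src))
```

`audit_source` works offline on the URI text alone; `tls_certificate_trusted` covers the "trusted SSL server certificate" part and should be run from the managed machine so that its own trust store is the one being tested.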
12.5 Take precautions when using VCM Software Provisioning Extensions
Normally VCM does not store credentials on a managed machine. However, during software provisioning actions
(package management: install/remove package actions), the network authority credentials are temporarily used as
local service credentials in order to authorize package installation/removal, UAC, access to network repositories, and
reboot/resume activities. Service credentials are protected from disclosure to machine users, but are accessible to a
determined local machine administrator using custom software.