VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION Bedienungsanleitung PDF herunterladen (Seite 12)

TLS Implementation for VCM

TECHNICAL WHITE PAPER / 12

Creating and Installing Certificates for Collectors

Certificates can either be generated during VCM installation, or created in advance of installation and stored in the

local certificate store.

When you select either of these options, the VCM Installation Manager will automatically register the selected

certificates in VCM and configure the Agents to trust these certificates.

Installation of Certificates to Collectors

VCM Installation Manager offers you the options of either generating your certificates during installation (see VMware

vCenter Configuration Manager Installation and Getting Started Guide) or browsing to your certificate store to select

pre-generated certificates.

If you will be providing your own pre-generated certificates, they must exist on the Collector machine prior to VCM

Installation. The Collector Certificate must be in the Local Machine Personal system store, and the Enterprise

Certificate must be in the Local Machine Trusted Root system store. The private key of the Enterprise certificate does

not need to be available. The certificates do not need to be available on the database machine in a split configuration.

The install interview will prompt the you for the names of the certificates to be used.

Generating Certificates During Installation: During VCM installation, the VCM Installation Manager allows you

to generate your Collector and Enterprise Certificates during the installation process. For more information

about generating certificates during VCM installation, refer to the VMware vCenter Configuration Manager

Installation and Getting Started Guide.

Creating Certificates Prior to Installation: If you want to create your own certificates in advance of VCM instal-

lation, refer to The Collector Certificate on page 10 for requirements or to Creating Certificates for TLS Using

Makecert on page 20 if you are creating your own certificates without PKI support. Once your certificates are

created, you can select them during the installation process.

After VCM installation, if you decide that you want to use different certificates than the ones that you either generated

or selected during the installation process, you must replace those certificates. For more information on replacing

certificates, see Changing Certificates on page 13.

Installation of Certificates to Additional Collectors

All Collector Certificates in a customer environment should be issued by the same Enterprise Certificate to ensure

seamless operation across Agents and Collectors. Generating certificates for more than a single Collector during

installation fails to create this relationship. Just as the VCM certificates were expected to be in place prior to the

installation of the first Collector, the VCM certificates must also be installed on subsequent Collectors prior to

installation. Each Collector needs its own Collector Certificate, and access to the Enterprise Certificate. If all HTTP

Agents are to be contacted by only a single Collector, then a single trust hierarchy is not strictly necessary.

If you plan to use more than one Collector for the same Agent machine, you must establish a parent-to-multiple-

Collector children relationship, and cannot use generated certificates on additional Collectors. Contact Customer

Support for further details and assistance.

1 2 ... 7 8 9 10 11 12 13 14 15 16 17 ... 33 34

Keine Kommentare

VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION Bedienungsanleitung Seite 12