Download - Infoace Vmware
8/3/2019 Infoace Vmware
1/66
ACE Management Server Administrator's Manual
VMware ACE 2.6
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-000169-00
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
Copyright 2007-2009 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
Contents
About This Book 7
1 Introduction 9
Features of ACE Management Server 9
System Requirements 10
Required Hardware 10
Supported Operating Systems 10
Supported External Databases 10
Supported Proxies 11
Required Web Browsers 11
Licensing 11
2 Planning an ACE Management Server Deployment 13
Deployment Components 13
Host System Options 14
Windows Hosts 14
Linux Hosts 14
Server Appliance Option 14
Database Options 15
Active Directory Authentication Options 15
Performing Capacity Planning 15
Database Throughput and Scalability 16
LDAP Throughput 16
Network Bandwidth and Policy Update Frequency 16
ACE Policy Configuration 17
Load Balancers 17
Security Features and Considerations 17
Using SSL Certificates and Protocol 18
Accessing ACE Management Server from Outside the Corporate Firewall 19
Deployment Planning Worksheet 19
3 Installing and Configuring ACE Management Server 21
Preparing for Installation 21
Configure TLS in Your Browser 21
Installing and Upgrading ACE Management Server 22
Install an ACE Management Server on a Windows Host 22
Install ACE Management Server on a Linux System 23
Install an ACE Management Server Appliance 24
Verify That the Apache Service Is Started or Restarted 25
Start and Configure ACE Management Server 26
Log In to ACE Management Server 26
4 Configuration Options for ACE Management Server 29
Prerequisites for Configuring the Server 29
Create Users and Groups for Integration with Active Directory 29
Set Up an External Database 30
Creating a System DSN Entry for an External Database 31
Increase the Number of Database Connections Allowed 32
Enable Database Connection Pooling on Linux 33
Set Up a Connection Between the Server Appliance and an External Database 33
Prepare Custom Security Certificates 33
View the Properties of the Self-Signed Certificate File 34
Starting ACE Management Server Configuration 34
Viewing and Changing Licensing Information 34
Using an External Database 35
Creating Access Control 35
Uploading Custom SSL Certificates 36
Logging Events 37
Applying Configuration Settings 37
5 Load Balancing Multiple ACE Management Server Instances 39
Typical Setup Using Load-Balanced ACE Management Server Instances 40
Install the Required Services for Load Balancing 40
Use the Same SSL Certificate on All Servers 41
Create New SSL Certificates and Keys for Each Server 41
Installing and Configuring the Load Balancer 43
Verify That ACE Instances Are Using the Load Balancer 43
6 Managing ACE Instances 45
Viewing ACE Instances That the Server Manages 45
Use the VMware ACE Help Desk Application 46
Use the Instance View in Workstation 46
Search for an Instance 47
Sort by Column Heading and Change Column Width 47
Show, Hide, and Move Columns in the Instance View 48
Create or Delete Custom Columns in the Instance View 48
View Instance Details 48
Reactivate, Deactivate, or Delete an ACE Instance 49
Policies Tab 49
Change a Copy Protection ID 49
Reset the Authentication Password 50
Add Information for Custom Columns 50
7 Troubleshooting and Maintenance 51
Troubleshooting Configuration Problems 51
Connection Problems Between a Linux ACE Instance and ACE Management Server 51
Change the Port Assignment for ACE Management Server 51
Delete the Server Configuration File and Set a New Administrator Password 52
Restore a Backup Copy of an SSL Certificate 52
Configuring Multiple ACE Management Server Instances to Use SSL 53
Database Backup 53
Appendix: Database Schema and Audit Event Log Data 55
Using Database Reporting Tools 55
Database Schema 55
Querying the Audit Event Log Data 59
Glossary 63
Index 65
About This Book
This manual, the VMware ACE Management Server Administrator's Manual, provides information about installing and using the VMware ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:
- Manage activation of ACE packages.
- Manage authentication of those activated packages.
- Dynamically deliver policy updates to managed ACE instances.
- Dynamically deliver instance customization data for managed ACE instances with Windows guest operating systems.
Intended Audience
This book is intended for anyone who needs to install, upgrade, or use ACE Management Server to manage ACE instances. ACE Management Server is intended for ACE administrators who must maintain and update ACE policies used on virtual machines deployed throughout an enterprise.
Document Feedback
VMware welcomes your suggestions for improving our documentation. If you have comments, send your feedback to:
Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone Support
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
Customers with appropriate support contracts should use telephone support for the fastest response on priority 1 issues. Go to http://www.vmware.com/support/phone_support.html.
Support Offerings
To find out how VMware support offerings can help meet your business needs, go to http://www.vmware.com/support/services.
VMware Professional Services
VMware Education Services courses offer extensive hands-on labs, case study examples, and course materials designed to be used as on-the-job reference tools. Courses are available on site, in the classroom, and live online. For on-site pilot programs and implementation best practices, VMware Consulting Services provides offerings to help you assess, plan, build, and manage your virtual environment. To access information about education classes, certification programs, and consulting services, go to http://www.vmware.com/services.
1 Introduction
The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.
This chapter includes the following topics:
- Features of ACE Management Server on page 9
- System Requirements on page 10
Features of ACE Management Server
ACE Management Server offers scalability and reliability:
- You can increase capacity by adding network resources such as load balancers and extra server hardware.
- For testing environments, the default embedded backing store provides a simple and efficient database solution. To scale ACE Management Server for production deployments, you can configure and use an external relational database management system (RDBMS).
- In Windows, multithreaded processes handle server requests. In Linux, multiple processes handle server requests. If one process fails, another takes over.
ACE Management Server offers Active Directory integration:
- You can use Active Directory to authenticate users of ACE instances.
- You do not need a schema change for your existing Active Directory.
- LDAP is used to access Active Directory.
- Information about Windows domain user account states is provided in clear and useful messages.
- Reasons for login failures are presented as locked out or password expired.
- ACE Management Server acts as an Active Directory password change proxy.
- You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.
Security features include the following:
- Encrypted communications between server and clients travel over HTTPS traffic.
- Passwords are stored securely in hashed form in the backing store.
- Flexible database options allow use of an embedded database or external RDBMS to store ACE instance data and policies.
ACE Management Server is easy to install and configure. Client traffic can be proxied by easily available products. The server uses easily available software components:
- Apache Web server 2.0
- The default SQLite database store
The server setup uses industry-standard protocols:
- HTTPS and LDAP
- XML-RPC for message encapsulation
ACE Management Server offers extensibility and availability:
- You can create and use more than one ACE Management Server. When you use more than one server, you can set the servers up so that they share the same database for load balancing or increased fault tolerance.
- A Windows ACE Management Server can be on the same system as Workstation.
- You can designate a single ACE Management Server name, such as https://ace.policyserver.company.com, and use DNS lookup to translate the host name to an address. The address is cached if a DNS server is not available. Additionally, you can use different ACE Management Server instances if users travel between offices in different geographic locations.
System Requirements
The following sections describe the ACE Management Server system requirements.
Required Hardware
- A minimum of an 800MHz compatible x86 and x86-64 architecture processor. Compatible processors include: Celeron, Pentium II, Pentium III, Pentium 4, Pentium M (including computers with Centrino mobile technology), Xeon (including Prestonia), AMD, Athlon, Athlon MP, Athlon XP, Duron, Opteron, AMD64 Opteron, and Athlon 64. Experimental support for Intel IA-32e CPU.
- 40MB of free space is required for basic installation. VMware recommends at least 10GB of free disk space.
- An 8-bit display adapter is required.
- For local area networking, any Ethernet controller that the operating system supports is sufficient.
Supported Operating Systems
Following are the supported operating systems for ACE Management Server:
- Windows Server 2003 Web Edition SP1 and SP2, Windows Server 2003 Standard Edition SP1 and SP2, Windows Server 2003 Enterprise Edition SP1 and SP2 (includes 64-bit and R2 editions)
- Windows XP Professional (includes 64-bit editions)
- Windows 2000 Server Service Pack 4 and Windows 2000 Advanced Server Service Pack 4
- Red Hat Enterprise Linux Advanced Server 4.0 with Update 4
- SUSE Linux Enterprise Server 9 Service Pack 3
NOTE Your server name must be either the machine name in English or the IP address. International characters are not supported.
Supported External Databases
An SQLite database engine is embedded in ACE Management Server. Although this database is adequate for testing purposes, use one of the following external databases in production environments:
- For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher; Oracle Database 10g. If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
- For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher
Supported Proxies
You can deploy ACE Management Server with the following HTTPS proxy solutions:
- Apache Proxy: Using mod_proxy
- Zeus Technology Load Balancer: A commercially available load balancer and traffic management solution
Required Web Browsers
The browser-based ACE Management Server Setup application and the VMware ACE Help Desk application require one of the following Web browsers:
- Mozilla Firefox 1.52 or higher
- Internet Explorer 6.0 or higher. Make sure that the Internet Explorer browser has TLS 1.0 checked to log in to the AMS web configuration page.
Licensing
You must configure the server and enter the serial number in the server setup Web application. If you do not, you cannot connect to the server in Workstation.
Your serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. Workstation and ACE instances cannot connect to an ACE Management Server with an expired or nonexistent license.
2 Planning an ACE Management Server Deployment
This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices. This chapter includes the following topics:
- Deployment Components on page 13
- Performing Capacity Planning on page 15
- Security Features and Considerations on page 17
- Accessing ACE Management Server from Outside the Corporate Firewall on page 19
- Deployment Planning Worksheet on page 19
Deployment Components
A typical ACE Management Server deployment has the following components:
- One or more ACE Management Server instances: Configuring multiple servers to use the same database increases the number of ACE clients you can manage and guarantees high availability.
- Database server: For production deployments, VMware recommends Oracle Database 10g or MS SQL for ACE Management Server installed on a Windows host, and Postgres for ACE Management Server installed on a Linux host.
- (Optional) Active Directory domain controller: To enable the ACE Management Server Active Directory integration, you must configure ACE Management Server to communicate with your domain controller.
- (Optional) HTTP load balancer: Use a load balancer to help scale the capacity of your ACE Management Server deployment.
- (Optional) HTTP proxy: If clients will access ACE Management Server from outside the corporate firewall, VMware recommends using an HTTPS proxy in the DMZ. You can use ACE Management Server with Apache Proxy and Zeus Technology Load Balancer.
For an example of an ACE Management Server deployment, see Figure 2-1.
Figure 2-1. Comprehensive ACE Management Server Deployment
[Figure 2-1 components: ACE Management Server (one or more); Active Directory domain controller (optional); database server; proxy for ACE Management Server service through corporate firewall (optional); WSAE client (within corporate network); load balancer (optional); ACE Player client (outside corporate network); ACE Player client (within corporate network). Link labels: LDAP/Kerberos, ODBC, HTTPS.]
ACE Management Server offers convenience and flexibility in its setup options.
You can install the server on Windows or Linux hosts. For testing purposes, you can download and run the server as a virtual appliance. ACE Management Server includes its own security certificates and embedded database, but you can use an external database and use certificates from a certificate authority if you prefer. You can also configure ACE Management Server to use Active Directory for authentication.
Host System Options
You can install ACE Management Server on a Windows host, a Linux host, or as a virtual appliance. If you set up multiple ACE Management Server instances, they must all be the same type.
Windows Hosts
If you plan to integrate with Active Directory, VMware recommends that you install ACE Management Server on a Windows host.
The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system to integrate with Active Directory. Internal testing results indicate that the Windows implementation provides better performance than Linux.
Linux Hosts
You can install ACE Management Server on a Linux host and use Active Directory for authentication, even though performance is slower than on Windows hosts. If you plan to use a Linux host in production environments, use the Linux installer rather than the ACE Management Server appliance. If you do not have the supported Linux operating systems installed on a physical server, you can create a virtual machine, install a supported Linux operating system, and install ACE Management Server in the virtual machine.
Server Appliance Option
The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small Linux operating system in a virtual machine. The appliance is convenient and quick to set up in a testing environment but is not recommended for production environments.
By default, the appliance attempts to configure its network by using DHCP. If you do not want to use DHCP, you can use the browser-based ACE Management Server Setup application to configure the network settings. You can use the same interface to update the appliance when updates become available.
You must have access to a Web browser (Mozilla 1.52 or higher or Internet Explorer 6.0 or higher) to change network settings or obtain updates for the appliance.
Database Options
ACE Management Server offers the following database options:
- Embedded SQLite database: The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.
The SQLite database is file-based and is not designed to be effectively shared across multiple processes. If you use third-party tools to access the database for a read operation, therefore, you cannot depend on transactional isolation of the pending write operations of the ACE Management Server.
The embedded database is adequate for testing purposes, but VMware recommends that you use an external database in production environments.
- Supported external database: In production environments, use a supported external database as a backing store for ACE Management Server, through ODBC connectivity. Supported external database engines are the following:
  - For Windows-based ACE Management Server, use Microsoft SQL Server (SQL Server 2000 or SQL Server 2005) or Oracle Database 10g installed on the same system or a different Windows system
  - For Linux-based ACE Management Server, use PostgreSQL 7.4 or higher installed on the same system or a different Linux system
Using an external database with ACE Management Server offers the following benefits:
- Online backup so that you do not have to shut down ACE Management Server to back up the database.
- Enhanced security model. You can fine-tune permissions to access sensitive data. The SQLite database engine provides file-system-based security.
- Performance fine-tuning.
- Ability to use external database management and reporting tools.
- Ability to use load balancers with multiple ACE Management Server instances. You must use an external RDBMS as the backing store, because the SQLite database is not designed to be effectively shared across multiple processes.
Active Directory Authentication Options
Active Directory integration provides the following benefits:
- Permits joining an operating system that is running an ACE instance to the domain remotely.
- Provides search functions so you can quickly find a particular individual or group.
- Enables you to use Active Directory Users and Groups to configure role-based access to the features of ACE Management Server.
Performing Capacity Planning
ACE Management Server enables you to manage ACE instances and policies in real time. The number of clients that a single ACE Management Server can serve depends on several key factors:
- Database throughput and scalability
- LDAP throughput (if you are using Active Directory)
- Network bandwidth available for incoming client requests
- ACE policy configuration
- Load balancers for very large deployments (more than 5,000 clients)
NOTE If ACE Management Server is deployed in the DMZ, use an external database located inside your corporate network behind a firewall.
Table 2-1 lists recommendations for the number of clients supported based on the hardware you are using. The figures for recommended clients reserve some server processing power so that interactive clients receive responses in a timely fashion and the server satisfies increases in demand.
Database Throughput and Scalability
For production deployments, VMware recommends that you use Oracle, MS SQL, or Postgres as your database platform.
More than 95 percent of the storage space that an ACE Management Server requires is used to log event information, which is an audit trail of all transactions performed through ACE Management Server. Table 2-2 lists recommended database sizes based on the number of clients being served.
The figures in the table are based on a 90-day database archival period. Back up the database records every 90 days and keep event logs for 90 days. You can configure ACE Management Server to purge event logs every 90 days.
The authentication event generates most of the data because an event is generated every time someone attempts to authenticate to ACE Management Server. You can configure ACE Management Server to log less event information. See Logging Events on page 36.
LDAP Throughput
ACE Management Server can communicate with your Active Directory domain controller to authenticate user credentials. Your domain controller infrastructure handles the LDAP traffic required to support the number of clients that you anticipate.
Integrating with Active Directory through LDAP is implemented differently in the Windows ACE Management Server than in the Linux-based ACE Management Server. The Windows ACE Management Server uses the WinLDAP library bundled with your Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than Linux.
Table 2-1. Number of Clients Supported
Hardware | Recommended Clients
2GHz AMD 2-way server (Opteron 280, 4GB RAM) | 6,000
2GHz Intel 2-way desktop machine (4GB RAM) | 4,000
Table 2-2. Database Storage Recommendations
Number of Clients | Recommended Database Size
100 | 50Mb
1,000 | 500Mb
10,000 | 5,000Mb
Network Bandwidth and Policy Update Frequency
The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2-3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.
VMware recommends that for large deployments (more than 5,000 clients), you increase the time between policy updates by clients because this reduces the amount of required bandwidth.
Table 2-4 shows the bandwidth needed when the policy update frequency value is set to 30 minutes.
The amount of network bandwidth required can also be higher if your policy set is very complex.
VMware recommends that you have a separate network link between ACE Management Server and your database server, so that traffic coming and going from ACE Management Server to its clients does not interfere with the traffic to and from your database server.
ACE Policy Configuration
The configuration of ACE policies can affect performance. You can increase the amount of data that is transferred between ACE Management Server and ACE Player by using one of the following methods:
- Host policies: Enabling host policies (such as host network quarantine) requires that a host-side daemon retrieves the host policies from the ACE Management Server.
- Complex network quarantine policies: If the set of rules that makes up your network quarantine is very large, the transfer of these rules from the ACE Management Server to the clients can affect the scalability. The numbers shown in Table 2-3 and Table 2-4 are estimates of required bandwidth given average-size rule sets for network quarantine. You can view the size of your policy set by examining the ACE file directory and counting the size of the .vmpl file. An average policy set is 15KB or less.
Load Balancers
The ACE Management Server client-server protocol is built on top of the HTTPS protocol. You can use HTTP load balancing software and hardware solutions to scale an ACE Management Server deployment beyond the capacity of a single server (or for high availability deployments).
ACE Management Server scales in a linear fashion when an enterprise-grade HTTPS load balancer is used. See Chapter 5, Load Balancing Multiple ACE Management Server Instances, on page 39.
Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes
Number of Clients | Bandwidth Required
100 | 0.125Mb/sec.
1,000 | 1.25Mb/sec.
10,000 | 12.5Mb/sec.
Table 2-4. Network Bandwidth Required with a Policy Update Frequency of 30 Minutes
Number of Clients | Bandwidth Required
100 | 0.04Mb/sec.
1,000 | 0.4Mb/sec.
10,000 | 4Mb/sec.
Security Features and Considerations
By default, ACE Management Server uses the Secure Sockets Layer (SSL) protocol to provide encrypted and secure communications.
Following is an overview of security features and recommendations on how to configure the ACE Management Server to avoid security problems:
- Traffic to and from clients is protected by HTTPS: By default, ACE Management Server creates a self-signed certificate when you install it to use for HTTPS traffic. These certificates are secure, but you can also configure ACE Management Server to use your own certificate and key pairs.
- Traffic from ACE Management Server to Active Directory is encrypted: If the server is integrated with an Active Directory service, it communicates with the service through an SSL-protected link. LDAP traffic is encrypted at the application layer. Credentials are protected by using the Kerberos protocol to authenticate credentials.
- Sensitive configuration options are encrypted: Passwords stored in the configuration file are encrypted.
- Database security: The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.
SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone and the private key is known only to the message recipient. URLs that require an SSL connection start with https.
During ACE Management Server installation, the following two files are created:
- server.key: An RSA 1024-bit key, this is the private key.
- server.crt: A self-signed certificate. Its signature is verified by the public key, which is embedded in the certificate. This public certificate is valid for 10 years from the date and time at which the server is installed. The certificate file is encoded in PEM format.
By default, these files are stored in the SSL directory in the VMware ACE Management Server program directory.
VMware Player, which runs the ACE instances, does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package.
Using self-signed certificates is adequate for most security needs.
You can, however, use a certificate issued by a certificate authority. If you have multiple ACE Management Server instances, you can use one certificate for all or you can use a different certificate on each one.
Using SSL Certificates and Protocol
When an ACE-enabled virtual machine connects to an ACE Management Server, it downloads the public certificate for that server and any chain of certificates required to verify the server's public certificate. A server certificate might have a chain of several certificates that must be verified step by step until the verification process reaches the root, or trusted, certificate in the certificate store. The first time a connection is made to a server by any ACE-enabled virtual machine on a Workstation administrator machine, the certificate and its verification are downloaded to the Workstation host system.
The store or collection of certificates that is downloaded when an ACE-enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE-enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server. It verifies that the certificates that are in the ACE package match those that the server provides. If they do not match exactly, VMware Player displays an error message and does not run the instance.
VMware Player checks the integrity of the certificate store included in the package every time it communicates with the server. VMware Player does not trust any certificates stored on the host machine on which it is running. Instead, it relies on a complete certification chain that is included in the ACE package. The use of self-signed certificates is adequate for most security needs.
If, however, your enterprise requires the use of a certificate signed by a certificate authority (internal or commercial), you can set up that type of key-certificate pair for the ACE packages to use. A certificate authority, or CA, is an entity that issues and signs public key certificates, typically for a fee.
Accessing ACE Management Server from Outside the Corporate Firewall
All client requests to ACE Management Server are HTTPS traffic on port 443. This means that any solution using a proxy to secure HTTPS traffic into your corporate servers can be used to proxy ACE Management Server traffic.
Because of the number of data connections that the ACE Management Server must make on the back end (LDAP, DNS, ODBC, Kerberos), VMware recommends using an HTTPS proxy in the DMZ. This proxy can relay ACE Management Server traffic to the actual ACE Management Server inside the corporate network.
Figure 2-2. Recommended Deployment for External Access
[Figure 2-2 labels: external client, external firewall, HTTPS proxy server, internal firewall, AMS server. Link labels: HTTPS traffic (443), HTTPS traffic (443), ODBC, NETBIOS (port 137), DNS, KRB5 (port 88), LDAP (port 389).]
ACE Management Server can be deployed with the following HTTPS proxy solutions:
- Apache Proxy: Using mod_proxy
- Zeus Technology Load Balancer: A commercially available load balancer and traffic management solution
Avoid the following problems when you use a proxy for traffic into an ACE Management Server:
- SSL termination: If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy server and ACE Management Server. Or, use the ACE Management Server certificate chain to embed the HTTPS proxy certificate verification chain in the ACE package. An example of a proxy server that terminates SSL connections is Apache Proxy. The Zeus load balancing products support SSL pass-through, which means that the SSL connection is terminated at ACE Management Server.
- Multiple ACE Management Server SSL certificates: If you are deploying multiple ACE Management Server instances behind a load balancing solution, all ACE Management Server instances must use the same SSL key and certificate pair. You can also use the ACE Management Server certificate chain feature to embed every SSL certificate verification chain into the ACE package.
- DNS resolution: When you create an ACE-enabled virtual machine, you must specify a host name for ACE Management Server. This host name must resolve to the appropriate IP address for both internal and external clients. Internally, it can resolve to ACE Management Server itself. Externally, it can resolve to the HTTPS proxy server.
Because the traffic coming into ACE Management Server is plain HTTPS traffic and the server is stateless, you can deploy many other configurations to provide external access to an ACE Management Server. When you design your deployment, think of ACE Management Server as a Web server with secure traffic.
Deployment Planning Worksheet
Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.
Table 2-5. Worksheet for ACE Management Server in a Production Environment
Component: Active Directory integration
Considerations: Performance is better when the ACE Management Server is installed on a Windows host. See also Create Users and Groups for Integration with Active Directory on page 29.
Decision: Use Active Directory? ________ If yes, name of user account for ACE Management Server to query the Active Directory database: __________________ Fully qualified domain name of the LDAP server: _______________________
Component: ACE Management Server
Considerations: If you use multiple servers, all must be installed on the same platform. For capacity planning, see Number of Clients Supported on page 16.
Decision: Use Windows or Linux hosts? _____________ How many servers? ____________
Component: Database server
Considerations: The database server must be compatible with the ACE Management Server host. See Supported External Databases on page 11.
Decision: Microsoft SQL Server, Oracle, or PostgreSQL database? ____________________________
Component: Load balancer
Considerations: Use a load balancer for large deployments or for high availability. It must support HTTPS and requires an external database. See Load Balancers on page 17.
Decision: Use a load balancer? ________
Component: Proxy
Considerations: If ACE clients will contact ACE Management Server from outside the firewall, use a proxy. See Accessing ACE Management Server from Outside the Corporate Firewall on page 19.
Decision: Use a proxy? __________ Apache proxy or Zeus Technology load balancer? ________________________
Component: SSL certificates
Considerations: If you use multiple servers and plan to use a different SSL certificate for each one, you must create or send for the certificates. ACE Management Server supports only public key certificates that are signed using the SHA-1 algorithm. See Using SSL Certificates and Protocol on page 18.
Decision: Which type of certificate: self-signed, third party, or internal CA (certificate authority)? ___________________ Number of certificates? __________
Component: Ports
Considerations: For Active Directory, use port 389. For the ACE Management Server appliance, use port 8080. See Change the Port Assignment for ACE Management Server on page 51 and Accessing ACE Management Server from Outside the Corporate Firewall on page 19. Port 8000 is used for configuring the ACE Management Server. Port 443 is used for client requests.
Decision: Which additional ports? ______________
3 Installing and Configuring ACE Management Server
This chapter includes the following topics:
Preparing for Installation on page 21
Installing and Upgrading ACE Management Server on page 22
Verify That the Apache Service Is Started or Restarted on page 25
Start and Configure ACE Management Server on page 26
Log In to ACE Management Server on page 26
Preparing for Installation
Before you install ACE Management Server, you must plan your deployment. Complete the following tasks:
1 To determine which type of ACE Management Server installer to use, how many servers to install, and which deployment components to include, see Chapter 2, Planning an ACE Management Server Deployment, on page 13.
2 To configure your Web browser to use Transport Layer Security (TLS), see Configure TLS in Your Browser on page 21.
3 To synchronize the clock on the host system with the client system, use Network Time Protocol (NTP).
4 To choose an HTTPS port for the host on which you plan to run ACE Management Server, see Table 3-1.
Table 3-1. Port Assignments, Default Settings, for ACE Management Server
HTTPS Port Number   Description
443                 Communications between ACE Management Server and ACE instances
8000                ACE Management Server Setup (configuration) Web application; ACE Help Desk Web application
8080                ACE Management Server Appliance configuration
NOTE If another Web server is installed that uses any of these default ports, you might need to resolve the conflict.
Configure TLS in Your Browser
Transport Layer Security (TLS) must be configured on your Web browser to operate ACE Management Server. TLS 1.0 was the current version when this manual was written; current browsers enable newer TLS versions by default and no longer offer TLS 1.0.
To configure TLS in your browser
Depending on the type of browser, do one of the following:
For an Internet Explorer browser:
a Choose Tools > Internet Options > Advanced and scroll down to Security.
b Select the Use TLS 1.0 check box and click OK.
For a Mozilla browser:
a Choose Tools > Options > Advanced.
b Select the Use TLS 1.0 check box and click OK.
Installing and Upgrading ACE Management Server
You can install one or more ACE Management Server instances to service the ACE instances in your enterprise. If you set up multiple ACE Management Server instances, they all must be installed on either Windows hosts or Linux hosts, or all must be installed as appliances.
To upgrade from ACE Management Server 2.0 to 2.6, use the same procedure as for installing the server for the first time. When the installer detects an earlier version, it uninstalls the old version before installing the new one. Configuration settings are preserved.
For production deployments, VMware recommends that ACE Management Server be installed on either a dedicated server or a virtual platform with sufficient available resources to ensure performance and stability. System requirements depend almost exclusively on the number of ACE instances being supported and the frequency with which they are configured to communicate with the server. For more information about VMware performance testing, see Performing Capacity Planning on page 15.
However, ACE Management Server was tested and can be installed on desktop or workstation platforms to support a small number of clients or non-production evaluations.
Install an ACE Management Server on a Windows Host
Installing ACE Management Server on a Windows host involves downloading and running an installation wizard. You can install ACE Management Server on the following Windows systems:
Windows Server 2003
Windows XP Professional (includes 64-bit editions)
Windows 2000 Server
Before you begin, make sure the clock is synchronized and the required ports are available, as described in Preparing for Installation on page 21.
Use this installation procedure to install or update ACE Management Server software.
To install an ACE Management Server on a Windows host
1 Download the VMware-ACE-Management-Server.exe file from the VMware Web site and save the file on the system that is to host the server.
The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Double-click the VMware-ACE-Management-Server.exe file to start the installation wizard.
3 Follow the prompts in the installation wizard.
4 If you are using a computer that has a firewall enabled and you see a message at the end of the installation asking whether you want to unblock the Apache service, choose Unblock.
ACE Management Server does not work properly if you do not unblock the Apache service.
After ACE Management Server is installed, you can configure it. See Start and Configure ACE Management Server on page 26.
Install ACE Management Server on a Linux System
You can install ACE Management Server on the following Linux systems:
Red Hat Enterprise Linux 4
SUSE Linux Enterprise Server 9 SP3
Before you begin, make sure the system meets these requirements:
A working installation of Apache 2.0 is installed on the system. (The RPM for a Web server is included with the Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 installation.)
The Apache Web service is operating normally and is receiving requests for HTTP over SSL.
The mod_ldap and mod_ssl modules are available on your system.
The following packages are installed on your Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 system: curl, openldap, openssl, apache, and gdbm.
For SUSE Linux Enterprise Server 9, the cyrus-sasl-gssapi package is installed. This package is not installed by default.
When you use the external database option, the following packages are required as well:
Red Hat Enterprise Linux 4: unixODBC
SUSE Linux Enterprise Server 9: unixODBC and, if you plan to use the X11 graphical configuration tool, unixODBC-gui-qt
The clock is synchronized and the required ports are available, as described in Preparing for Installation on page 21.
Use this installation procedure to install or update ACE Management Server software.
To install ACE Management Server on a Linux system
1 Download the .rpm file from the VMware Web site and save the file on the system that is to host the server.
The file is available as a separate downloadable file in the same download location as the Workstation application.
2 Run the Red Hat or SUSE Linux RPM installer for ACE Management Server:
vmware-ace-management-server-.i386-rhel4.rpm
vmware-ace-management-server-.i386-sles9.rpm
For example:
rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm
3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:
a Open the following file with a text editor:
/etc/sysconfig/apache2
b Add the ldap config option to the APACHE_MODULES variable.
c Save and close the file.
After ACE Management Server is installed, you can configure it. See Start and Configure ACE Management Server on page 26.
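The Linux requirements above (required packages, free ports 443/8000/8080, and the SUSE mod_ldap entry in /etc/sysconfig/apache2) can be checked before you run rpm. The script below is an added example and is not from the VMware manual: it takes its inputs as text so it runs offline, the installed-package list and the `ss -ltn` listing at the bottom are constructed, and the package names are the ones the manual lists (your distribution may call the Apache package httpd).

```shell
#!/bin/sh
# Added example (not from the VMware manual): pre-install checks for a Linux
# ACE Management Server host. Inputs are passed in as text so the checks can
# be exercised offline; the package list and the `ss -ltn` listing at the
# bottom are constructed for the demonstration.

# Packages the manual requires on RHEL 4 / SLES 9, plus unixODBC for an
# external database. (Your distribution may call the Apache package httpd.)
required_packages() {
  printf '%s\n' curl openldap openssl apache gdbm unixODBC
}

# missing_packages INSTALLED: print required packages absent from INSTALLED,
# a newline-separated list such as the output of `rpm -qa --qf '%{NAME}\n'`.
missing_packages() {
  installed="$1"
  required_packages | while read -r pkg; do
    printf '%s\n' "$installed" | grep -qx "$pkg" || printf '%s\n' "$pkg"
  done
}

# ports_in_use LISTENING: print any AMS port (443, 8000, 8080) that already
# has a listener, given `ss -ltn` or `netstat -ltn` style output.
ports_in_use() {
  listening="$1"
  for port in 443 8000 8080; do
    printf '%s\n' "$listening" | grep -Eq "[:.]$port[[:space:]]" && printf '%s\n' "$port"
  done
  return 0
}

# enable_apache_ldap FILE: add "ldap" to APACHE_MODULES in a SLES 9
# /etc/sysconfig/apache2 (step 3 above). Safe to run more than once.
enable_apache_ldap() {
  f="$1"
  if grep -Eq '^APACHE_MODULES="([^"]* )?ldap( [^"]*)?"' "$f"; then
    return 0
  fi
  sed 's/^\(APACHE_MODULES="[^"]*\)"/\1 ldap"/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# --- demonstration on constructed data ----------------------------------
INSTALLED_DEMO='curl
openldap
openssl
apache
unixODBC'              # gdbm deliberately missing
LISTEN_DEMO='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080        0.0.0.0:*'

echo "missing packages: $(missing_packages "$INSTALLED_DEMO" | tr '\n' ' ')"
echo "AMS ports already in use: $(ports_in_use "$LISTEN_DEMO" | tr '\n' ' ')"
demo_conf=$(mktemp)
echo 'APACHE_MODULES="access actions alias auth ssl"' > "$demo_conf"
enable_apache_ldap "$demo_conf"
enable_apache_ldap "$demo_conf"    # second run changes nothing
cat "$demo_conf"
rm -f "$demo_conf"
```

On a real host, feed `missing_packages` the output of `rpm -qa --qf '%{NAME}\n'` and `ports_in_use` the output of `ss -ltn`; a port that is already taken (for example by another Web server on 443) is the conflict Table 3-1 warns about.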
Install an ACE Management Server Appliance
The ACE Management Server appliance is a self-contained, preinstalled, and preconfigured ACE Management Server packaged with a small operating system in a virtual machine. Although the appliance is adequate for test environments, VMware recommends that you do not use it in production environments.
Before you begin, make sure the clock is synchronized and the required ports are available, as described in Preparing for Installation on page 21.
To install an ACE Management Server appliance
1 Download the .zip file for the appliance from the VMware Web site and save the file on the system that is to host the server.
2 Extract the files to the directory where the server is to be located.
3 Start Workstation, choose File > Open, and select the ams_appliance.vmx file.
4 Click the Power On button to start the virtual appliance.
5 At the password prompt, enter a password and confirm it.
This password is used for both root and network accounts. Make a note of this password so that you can use it for later appliance management operations from the console and the Web.
The appliance configures its network by using DHCP. The console view displays the following information:
Current network settings
URLs for remotely administering the appliance and configuring the ACE Management Server itself
If you press Return at the login prompt, the information appears again.
6 At the time zone prompt, accept the current setting or make a change as needed.
7 (Optional) To configure the server to use a static IP address or to specify a proxy server, use the Appliance Management and Configuration application, as follows:
a Leave the ACE Management Server appliance running.
b Browse to https://<appliance address>:8080.
c In the connection dialog box, type root in the user name field and your network or root password in the password field.
d Click the Network link on the first page of the browser-based ACE Management Server Setup application.
e To view instructions about configuring network settings, click the Help link in the upper right corner of the Web page.
f After you change network settings, click Apply.
8 (Optional) To reconfigure any update options, for example, to disable automatic downloads of updates, use the Appliance Management and Configuration application, as follows:
a Leave the ACE Management Server appliance running.
b Browse to https://<appliance address>:8080.
c In the connection dialog box, type root in the user name field and your network or root password in the password field.
d Click the Update link on the first page of the Appliance Configuration and Management Web application and complete the Appliance Update page.
e To view instructions about configuring update options, click the Help link in the upper right corner of the Web page.
9 When you finish configuring any network or update settings, navigate to the ACE Management Server Setup Web application to configure the server.
To access that application, choose one of these methods:
From the Appliance Management and Configuration Web application page, click the ACE Login link in the upper right corner of the page.
From a command prompt window, close the window, open a browser, and enter the URL for the ACE Management Server Setup Web application:
https://<appliance address>:8000/
10 Click Configuration to open the Web application.
Verify That the Apache Service Is Started or Restarted
If you installed ACE Management Server on a Linux host, verify that the Apache service is started before you attempt to log in.
For troubleshooting purposes, you might occasionally need to manually restart the Apache service that ACE Management Server uses.
To verify that the Apache service is started or restarted
Do one of the following:
On Windows hosts:
a Click the Apache icon in the taskbar.
b Select Apache2 in the menu that appears.
c Choose the appropriate command:
To start the service if it is stopped, click Start. If the service is already started, this command is unavailable.
To restart, click Stop and then click Start. Ensure that you click Stop and Start rather than Restart.
On SUSE Linux Enterprise Server 9 hosts or in the virtual machine that contains the ACE Management Server appliance:
a Open a terminal window on the host or in the virtual machine.
b As root, enter the following command:
/etc/init.d/apache2 status
If the status is started, you can log in to ACE Management Server. See Start and Configure ACE Management Server on page 26.
c Enter the appropriate command:
To start the service if it is stopped, enter the following command:
/etc/init.d/apache2 start
To restart the service, enter the following commands:
/etc/init.d/apache2 stop
/etc/init.d/apache2 start
On Red Hat Enterprise Linux 4:
a Open a terminal window on the host or in the virtual machine.
b As root, enter the following command:
/etc/init.d/httpd status
If the status is started, you can log in to ACE Management Server. See Start and Configure ACE Management Server on page 26.
c Enter the appropriate command:
To start the service if it is stopped, enter the following command:
/etc/init.d/httpd start
To restart the service, enter the following commands:
/etc/init.d/httpd stop
/etc/init.d/httpd start
Start and Configure ACE Management Server
Before you begin, make sure that the following prerequisites are satisfied, as applicable:
If you installed ACE Management Server on a Linux host or are using the ACE Management Server appliance, verify that the Apache server is running. See Verify That the Apache Service Is Started or Restarted on page 25.
If this is the first time you are logging in, make sure you have the serial number for the product. The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.
If you plan to use an external database, Active Directory integration, or custom SSL certificates, you must perform some setup tasks before you can configure ACE Management Server. See the following topics, as applicable:
Create Users and Groups for Integration with Active Directory on page 29
Set Up an External Database on page 30
Prepare Custom Security Certificates on page 33
To start and configure ACE Management Server
1 Open a Web browser and go to https://<hostname>:8000.
The <hostname> value can be the fully qualified name of the computer on which ACE Management Server is installed, or it can be an IP address.
If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Accept the license agreement and click Start.
The configuration tabs appear as they do in subsequent logins, but for the first login, wizard buttons such as Next and Back also appear.
3 Complete the information on each tab and click Next.
The only fields that require changes and do not have default settings are the Serial Number field on the Licensing tab and the Administrator password on the Access Control tab.
For information about specific fields and tabs, click Help on the tab.
Log In to ACE Management Server
The first time you log in to ACE Management Server, you must set a password. The next time you log in, you must provide that password, or provide Active Directory credentials if you configured the server to use Active Directory for authentication.
Communications between Workstation and ACE Management Server take place over a secure SSL connection.
If the server is integrated with Active Directory service, enter your administrative credentials in one of the formats shown in Table 3-2.
To log in to ACE Management Server
1 Open a Web browser and go to https://<hostname>:8000.
The <hostname> value can be the fully qualified name of the computer on which ACE Management Server is installed, or it can be an IP address.
If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
2 Do one of the following:
To configure ACE Management Server, click Configuration.
To view and take actions on ACE instances managed by this server, click Help Desk.
Table 3-2. Login Options When Using Active Directory Service
Option: long name + password + domain name
Description: The long name is the user's full name, in the format shown in the example.
Example: John Doe
Option: long name + password
Description: The long name is the user's full name, in the format shown in the example. Leave the Domain field blank.
Example: John Doe
Option: short name + password + domain
Description: The short name is the sAMAccountName.
Example: ace (the short form of the long name ACE User)
Option: short name + password
Description: The short name is the sAMAccountName. Leave the Domain field blank.
Example: ace (the short form of the long name ACE User)
Option: email address + password
Description: You can only use this option for a domain that is accessed through a direct connection. Leave the Domain field blank.
Option: NETBIOSDOMAINNAME\username + password
Description: The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS). Leave the Domain field blank.
Option: username + password + NETBIOSDOMAINNAME
Description: The NetBIOS name is a short name for domains that is registered in the NetBIOS Name Service (WINS).
3 Enter login credentials.
If you use Active Directory for authentication, see Table 3-2. In multi-domain environments, you might be required to enter a domain (for example, eng.com).
4 Configuration Options for ACE Management Server
After you install ACE Management Server, you must use the browser-based ACE Management Server Setup application to configure the server.
This chapter includes the following topics:
Prerequisites for Configuring the Server on page 29
Starting ACE Management Server Configuration on page 34
Viewing and Changing Licensing Information on page 35
Using an External Database on page 35
Creating Access Control on page 36
Uploading Custom SSL Certificates on page 36
Logging Events on page 37
Applying Configuration Settings on page 37
Prerequisites for Configuring the Server
If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before you configure the ACE Management Server.
Create Users and Groups for Integration with Active Directory
To use Active Directory for authenticating users, add users to an Active Directory group and create a user so that ACE Management Server can query LDAP.
When you configure ACE Management Server to use LDAP, follow these guidelines to avoid negatively affecting performance:
The default domain is the domain for which the LDAP host is a domain controller.
The query user is a user in the default domain.
The admin user group is a group that exists in the default domain.
Integrating with Active Directory through LDAP is implemented differently in the Windows-based ACE Management Server than in the Linux-based ACE Management Server. The operating systems differ in the libraries they use to connect to Active Directory and in the external databases they support. The Windows ACE Management Server uses the WinLDAP library bundled with the Windows operating system. The Linux ACE Management Server uses a third-party Kerberos library and OpenSSL. VMware internal testing results indicate that the Windows implementation provides better performance than the Linux implementation.
To create users and groups for integration with Active Directory
1 Create a user that ACE Management Server can use to connect to the LDAP server and use for querying.
Make a note of the sAMAccountName value for that user (for example, aceuser). This account only needs to read the directory; do not give it administrative rights in the domain.
2 Create an ACE Administrators group in the domain.
3 Add ACE administrator users to the ACE Administrators group.
4 (Optional) Create a Help Desk group and assign users to it for the Help Desk role.
You can log in to the Help Desk Web application with your administrative LDAP credentials or password. Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from within the Help Desk application but does not give them access to other administrative tools.
Set Up an External Database
Before you begin, make sure that you have one of the following supported database servers:
For a Windows-based ACE Management Server: Microsoft SQL Server 2000 or higher, or Oracle Database 10g.
If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server. For example, if ACE Management Server is installed on a Japanese system, the database server must also be installed on a Japanese system and must use Japanese collation.
For a Linux-based ACE Management Server: PostgreSQL 7.4 or higher.
Before you install the database on a Linux host, make sure the unixODBC RPM package is installed on the Linux system. VMware recommends that you update the package to the latest version released for your specific Linux distribution. The unixODBC package provides an ODBC API to programs running on Linux systems that is similar to the Windows ODBC API.
The package contains the libodbc shared library, providing the ODBC Driver Manager API to other programs, a set of configuration utilities, and ODBC drivers for popular databases. On both Red Hat Enterprise Linux and SUSE Linux Enterprise Server 9, the ODBC driver for PostgreSQL is included in the unixODBC binary distribution package.
Also, make sure the unixODBC-gui-qt package is installed (this utility is included in the Red Hat Enterprise Linux unixODBC package). This package is required to use the ODBCConfig X11 graphical configuration tool for setting up a data source name (DSN).
To set up an external database
1 Install a database server on a host.
The external database does not have to be installed on the same server as ACE Management Server, but it must be installed on the same platform. For example, if ACE Management Server is installed on a Windows host, the database server must also be installed on a Windows host.
ACE Management Server creates the database schema automatically if proper access rights are granted.
2 Configure the database.
Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages.
All tables that are created in the database have a name starting with a PolicyDb_ prefix, and indexes have PdbIns_ or PdbLf_ prefixes. You might provide ACE Management Server with a DSN to a database that it shares with some other application, if the database count is at a premium.
3 (Optional) If ACE Management Server is going to connect to the database over the network (TCP socket connection), ensure that the following are in place:
TCP connectivity is enabled in the database configuration options.
The TCP connection is not blocked by firewall settings on the database server or the ACE Management Server host.
If you are using a PostgreSQL database, configure per-user permission to connect to the database over the network. Configure that permission in the pg_hba.conf file, which is located in the root folder of your database. Restrict the entry to the ACE Management Server host address, the dedicated database, and the dedicated user.
4 (Optional) On the ACE Management Server machine, to verify the server's connectivity to the database with the configured user credentials, run a command-line or graphical SQL tool.
Examples of such tools are sqlcmd.exe for SQL Server, sqlplus.exe for Oracle, and psql for PostgreSQL. For database configuration and verification instructions, see the respective database documentation.
5 On the ACE Management Server machine, create a System DSN entry.
Creating a System DSN Entry for an External Database
The only required information in DSN configuration is the DSN name, server IP address or host name, and the database name. You do not need to provide a user name and password in the DSN configuration. You provide a user name and password later, when you use the ACE Management Server Setup application.
Ensure that you create a system DSN and not a user DSN. If you create a user DSN, it is visible only to your user account. ACE Management Server runs under the local system account, so the server cannot detect or use a user DSN.
Create a System DSN Entry for a Windows Database
Regardless of whether the host is 32-bit or 64-bit, you create a DSN entry for a 32-bit system.
Before you begin, to determine the correct ODBC driver, see your operating system and database documentation.
To create a System DSN entry for a Windows database
1 Do one of the following:
On 32-bit hosts, use the ODBC Data Sources plug-in by choosing Control Panel > Administrative Tools > Data Sources (ODBC).
On 64-bit hosts, navigate to %WINDIR%\syswow64\odbcad32.exe and use that program to create a System DSN entry for a 32-bit subsystem.
ACE Management Server does not support ODBC using an SQL Native Client driver on Windows 64-bit systems.
2 Create an entry that includes the DSN name, server IP address or host name, and the database name.
3 (Optional) If the DSN Setup wizard provides an option to test the connection, verify that the connection works with the database user credentials.
4 Make a note of the database DSN, user name, and password.
You can now use the browser-based ACE Management Server Setup application to connect to this database.
Create a System DSN Entry for a Linux Database
On Linux systems, you use a text editor or the ODBCConfig graphical (X11) utility to create a system DSN entry. The ODBCConfig utility mimics the Windows ODBC Data Sources Control Panel plug-in.
Before you begin, determine the correct ODBC driver:
On Red Hat Enterprise Linux, the driver is located at /usr/lib/libodbcpsql.so.
On SUSE Linux Enterprise Server 9, the driver is located at /usr/lib/unixODBC/libodbcpsql.so.2.
The DSN configuration for the unixODBC package is stored in the /etc directory (/etc/unixODBC for SUSE Linux Enterprise Server).
If you are using the ACE Management Server appliance, see Set Up a Connection Between the Server Appliance and an External Database on page 33.
You use the odbc.ini file for creating DSNs and the odbcinst.ini file for driver and general ODBC system configuration.
To create a System DSN entry for a Linux database
1 As root, use the ODBCConfig utility to create a System DSN entry.
You also must configure the server address and the database name in the DSN settings.
For information about using unixODBC, see the unixODBC Project Web page.
The ODBCConfig utility makes changes to the odbc.ini and odbcinst.ini files.
2 Make a note of the database DSN, user name, and password.
You can now use the browser-based ACE Management Server Setup application to connect to this database.
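The pieces of the external-database procedure that live in text files (the least-privilege database user from step 2 of Set Up an External Database, the pg_hba.conf entry from step 3, and the odbc.ini stanza behind a Linux or appliance system DSN) can be generated and checked from the shell. The script below is an added example, not VMware's code. The database name ace_policy, the role ace_ams, the host db.example.test, the address 10.0.0.5/32, the placeholder password, and the sample pg_hba.conf content are assumptions; the RHEL driver path is the one given above.

```shell
#!/bin/sh
# Added example (not from the VMware manual): produce the external-database
# artefacts for a Linux ACE Management Server host and flag over-broad
# pg_hba.conf entries. Names, hosts and addresses below are assumptions.

# odbc_dsn_stanza NAME HOST DB [DRIVER] [PORT]: a unixODBC system DSN for
# /etc/odbc.ini (/etc/unixODBC/odbc.ini on SLES 9, where the driver is
# /usr/lib/unixODBC/libodbcpsql.so.2). Deliberately carries no credentials:
# AMS asks for the user name and password in its Setup application.
odbc_dsn_stanza() {
  printf '[%s]\nDescription = ACE Management Server policy database\nDriver = %s\nServername = %s\nDatabase = %s\nPort = %s\n' \
    "$1" "${4:-/usr/lib/libodbcpsql.so}" "$2" "$3" "${5:-5432}"
}

# pg_hba_line DB USER CIDR: one pg_hba.conf entry that lets only the AMS
# host reach only the AMS database as the AMS role, with a password.
pg_hba_line() {
  printf 'host %s %s %s md5\n' "$1" "$2" "$3"
}

# grant_sql DB USER: least-privilege setup for PostgreSQL. The role owns
# its own database (so AMS can create the PolicyDb_* tables there) and
# gets nothing else; PUBLIC loses the default right to connect.
# 'change-me' is a placeholder; set a real password before running it.
grant_sql() {
  printf "CREATE ROLE %s LOGIN PASSWORD 'change-me';\nCREATE DATABASE %s OWNER %s;\nREVOKE CONNECT ON DATABASE %s FROM PUBLIC;\n" \
    "$2" "$1" "$2" "$1"
}

# pg_hba_overbroad CONTENT: print network ("host") entries that use trust
# authentication or open every database to every user; return 1 if any.
pg_hba_overbroad() {
  found=$(printf '%s\n' "$1" | grep -Ev '^[[:space:]]*(#|$)' \
    | awk '$1=="host" && ($5=="trust" || ($2=="all" && $3=="all"))')
  [ -z "$found" ] && return 0
  printf '%s\n' "$found"
  return 1
}

# --- demonstration on constructed data ----------------------------------
PG_HBA_DEMO='# constructed sample pg_hba.conf
local all all trust
host all all 0.0.0.0/0 trust
host ace_policy ace_ams 10.0.0.5/32 md5'

echo "--- odbc.ini stanza"; odbc_dsn_stanza postgres_dsn db.example.test ace_policy
echo "--- pg_hba.conf entry"; pg_hba_line ace_policy ace_ams 10.0.0.5/32
echo "--- SQL"; grant_sql ace_policy ace_ams
echo "--- pg_hba.conf review"
if pg_hba_overbroad "$PG_HBA_DEMO"; then
  echo "pg_hba.conf: ok"
else
  echo "pg_hba.conf: tighten the entries above"
fi
```

The second pg_hba.conf line in the sample is the weak form (any host, any database, any user, no password); the third is the form the procedure asks for. Only the DSN name, host, database and port go into odbc.ini; the role's password is entered on the Database tab later.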
Increase the Number of Database Connections Allowed
For optimal server performance, ACE Management Server starts multiple parallel threads (on Windows) or processes (on Linux) listening for the incoming connections from the clients. Every client connection typically runs a database transaction, so it needs to open a database connection.
ACE Management Server usually requires as many database connections as it does parallel threads or processes for client connections. If the server runs out of database connections, the clients might start receiving connection errors.
Following is a list of the locations for the Apache configuration file and the typical default number of connections:
Platform                         Location                                                                         Client Connections
Windows                          C:\Program Files\VMware\VMware ACE Management Server\Apache2\conf\httpd.conf      250 (WinNT MPM section)
Red Hat Enterprise Linux         /etc/httpd/conf/httpd.conf                                                       256 (prefork MPM section)
SUSE Linux                       /etc/apache2/server-tuning.conf                                                  150 (prefork MPM section)
ACE Management Server appliance  /etc/httpd/apache2.conf                                                          20 (prefork MPM section)
The default installation of the PostgreSQL database on Red Hat Enterprise Linux allows 100 remote connections, which is less than the number of parallel processes that the Apache server starts by default on the same platform. Change this number if you expect a high volume of client requests to your server (more than 100 active clients).
To increase the number of database connections allowed
1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of parallel threads or processes that might start at the same time.
2 Configure the database to allow as many connections as the Apache server.
See your database documentation.
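Steps 1 and 2 above amount to reading one number out of the Apache MPM section and comparing it with the database's connection limit. The script below does that for PostgreSQL; it is an added example, not from the VMware manual. The httpd.conf and postgresql.conf fragments it reads are constructed, and the functions take file paths so you can point them at the real files listed in the table above (for the Windows winnt MPM the relevant directive is ThreadsPerChild, which is where the 250 in the table comes from).

```shell
#!/bin/sh
# Added example (not from the VMware manual): compare the Apache worker limit
# (parallel AMS request handlers) with the PostgreSQL connection limit.
# The configuration fragments below are constructed for the demonstration.

# apache_max_clients FILE: MaxClients from the prefork MPM section, or
# ThreadsPerChild from the winnt MPM section, of an Apache 2.0 httpd.conf.
# Commented-out directives and other MPM sections are ignored.
apache_max_clients() {
  awk 'tolower($0) ~ /^[ \t]*<ifmodule[ \t]+(prefork\.c|mpm_winnt\.c)>/ { in_mpm = 1 }
       in_mpm && tolower($1) == "maxclients"      { print $2; exit }
       in_mpm && tolower($1) == "threadsperchild" { print $2; exit }
       /^[ \t]*<\/IfModule>/                      { in_mpm = 0 }' "$1"
}

# pg_max_connections FILE: max_connections from postgresql.conf. A
# commented-out line is ignored; PostgreSQL's own default is 100.
pg_max_connections() {
  v=$(awk -F'[ \t=#]+' '$1 == "max_connections" { print $2 }' "$1" | tail -n 1)
  printf '%s\n' "${v:-100}"
}

# connections_sufficient HTTPD_CONF PG_CONF: succeed only if the database
# allows at least as many connections as Apache can open at once (and the
# Apache limit could actually be found).
connections_sufficient() {
  a=$(apache_max_clients "$1")
  d=$(pg_max_connections "$2")
  [ -n "$a" ] && [ "$a" -le "$d" ]
}

# --- demonstration on constructed data ----------------------------------
HTTPD_DEMO='<IfModule prefork.c>
StartServers       8
MinSpareServers    5
MaxSpareServers   20
ServerLimit      256
MaxClients       256
</IfModule>'
PG_DEMO='#max_connections = 100
max_connections = 100'

h=$(mktemp); p=$(mktemp)
printf '%s\n' "$HTTPD_DEMO" > "$h"
printf '%s\n' "$PG_DEMO" > "$p"
echo "Apache MaxClients: $(apache_max_clients "$h")"
echo "PostgreSQL max_connections: $(pg_max_connections "$p")"
if connections_sufficient "$h" "$p"; then
  echo "database connection limit is sufficient"
else
  echo "raise max_connections in postgresql.conf (and restart PostgreSQL)"
fi
rm -f "$h" "$p"
```

With the defaults from the table above (256 prefork processes on Red Hat, 100 PostgreSQL connections) the check fails, which is the situation the paragraph above describes; after raising max_connections it passes.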
Enable Database Connection Pooling on Linux
Enabling database connection pooling for databases on Linux hosts can give a substantial performance gain under high loads. ACE Management Server can reuse database connections rather than opening new connections for every request.
Enable database connection pooling in the ODBC Driver Manager (it is disabled by default) to optimize performance for servers on Linux platforms.
On Windows platforms, ODBC connection pooling is enabled by default.
To enable database connection pooling on Linux
1 Start the ODBCConfig utility as a root user.
2 Click the Advanced tab.
3 Select the Connection Pooling check box.
Set Up a Connection Between the Server Appliance and an External Database
The ACE Management Server appliance does not contain a PostgreSQL database server. You can, however, use an external database server with the appliance.
To set up a connection between the server appliance and an external database
1 Log in to the server appliance console as root, using the password you created during your first run of the server appliance.
2 Open the /etc/odbc.ini file in a text editor.
For example:
vaos# vi /etc/odbc.ini
This file contains the postgres_dsn setting for the ODBC DSN.
3 Uncomment all lines in the postgres_dsn section except the first two.
To uncomment lines, delete the pound sign (#) at the beginning of each line.
4 Replace placeholders with the PostgreSQL database server DNS name or IP address and the database name of this server.
5 Use the default port number or set a different port number.
6 Save the file.
After you complete this task, postgres_dsn appears in the drop-down menu on the Database tab in the ACE Management Server Setup application.
Prepare Custom Security Certificates
To use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), you must provide the certificate, key, and (in the case of CAs) certificate chain files. These files must be PEM encoded.
After you create or obtain these files, upload them to ACE Management Server by using the Custom SSL Certificates tab in the ACE Management Server Setup application.
For more information about how VMware ACE uses SSL certificates, see Using SSL Certificates and Protocol on page 18.
To prepare custom security certificates
1 Create or provide the needed files:
For your own self-signed certificate, use the openssl utility to create a new self-signed certificate.
For a third-party CA or internal CA, obtain an SSL certificate signed by that CA, and a certificate verification chain file.
The chain file is a concatenation of every certificate required to verify the new SSL certificate you created or obtained. Steps for obtaining the certificate chain vary, depending on which host operating system you are using and on the source from which the CA certificate is obtained.
A private key file. SSL encrypts data through the use of a public key and private key pair. The public key is known to everyone; the private key must be known only to the server that presents the certificate, so restrict read access to the key file.
The certificate signatures must use the SHA-1 algorithm digest. The files must be PEM encoded.
2 Rename the files, as follows:
Rename the private key file to server.key.
Rename the certificate file to server.crt.
Rename the certificate chain file to chain.crt.
You can now use the ACE Management Server Setup application to upload the certificate files.
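The checks worth running before uploading server.key, server.crt and chain.crt (does the key match the certificate, what digest signed it, when does it expire, does the chain actually verify the leaf) are shown in the script below. It is an added example, not VMware's code, and uses only the openssl command line; the directory, the subject name ams.example.test and the validity period are assumptions. Note that openssl's default signing digest is SHA-256; the manual says ACE Management Server accepts only SHA-1 signed certificates, so pass DIGEST=sha1 when generating a certificate for this product (some current OpenSSL builds refuse to sign with SHA-1 by policy).

```shell
#!/bin/sh
# Added example (not from the VMware manual): prepare and sanity-check the
# PEM files ACE Management Server expects (server.key, server.crt, chain.crt).
# Directory, subject name and validity period are illustrative assumptions.

# self_signed_cert DIR CN DAYS: write DIR/server.key and DIR/server.crt.
# DIGEST (default sha256) selects the signature digest; use DIGEST=sha1 for
# the SHA-1 requirement stated in the manual if your OpenSSL still allows it.
self_signed_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
    "-${DIGEST:-sha256}" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
  chmod 600 "$1/server.key"       # the key is the only secret in the pair
}

# make_chain OUT CERT...: build chain.crt from the CA certificates in
# verification order (the leaf's issuer first, the root last).
make_chain() {
  out="$1"; shift
  cat "$@" > "$out"
}

# cert_matches_key CRT KEY: succeed if the certificate's public key is the
# public part of KEY (works for RSA and EC keys, unlike comparing -modulus).
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# cert_sig_alg CRT: the signature algorithm, e.g. sha1WithRSAEncryption.
cert_sig_alg() {
  openssl x509 -in "$1" -noout -text | awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

# cert_expires_within CRT SECONDS: succeed if CRT expires within SECONDS
# (openssl -checkend succeeds when the certificate will NOT expire).
cert_expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# chain_verifies CHAIN CRT: succeed if CRT verifies against CHAIN alone.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# --- demonstration ------------------------------------------------------
d=$(mktemp -d)
self_signed_cert "$d" ams.example.test 365
cert_matches_key "$d/server.crt" "$d/server.key" && echo "server.crt matches server.key"
echo "signature algorithm: $(cert_sig_alg "$d/server.crt")"
if cert_expires_within "$d/server.crt" 2592000; then
  echo "certificate expires within 30 days: replace it"
else
  echo "certificate is not expiring within 30 days"
fi
make_chain "$d/chain.crt" "$d/server.crt"   # self-signed: the chain is the cert itself
chain_verifies "$d/chain.crt" "$d/server.crt" && echo "chain.crt verifies server.crt"
ls -l "$d"
rm -rf "$d"
```

For a CA-issued certificate, call make_chain with the intermediate and root certificates the CA supplied instead of the leaf, and keep chain_verifies in the procedure: a chain that does not verify the leaf is exactly the case the certificate chain feature cannot repair once it is embedded in an ACE package.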
View the Properties of the Self-Signed Certificate File
This file is stored in the SSL directory in the VMware ACE Management Server program directory.
To view the properties of the self-signed certificate file
Do one of the following:
On a Windows host, navigate to the location of the server.crt file and double-click the file name.
On a Linux host, use the following command:
openssl x509 -in /var/lib/vmware/acesc/ssl/server.crt -text
To replace an expired certificate, see Prepare Custom Security Certificates on page 34. Do not modify certificates to make them permanent.
Starting ACE Management Server Configuration
If you plan to use Active Directory integration (using LDAP), an external database, or custom SSL certificates, you must perform some setup tasks before configuring the ACE Management Server. See Prerequisites for Configuring the Server on page 29.
The text that appears on the Start tab changes, depending on whether you have done an initial configuration:
If this page says "This server has not been configured yet", you must click Start to complete the configuration setup wizard.
If this page says "This server is configured", the Next and Previous wizard buttons do not appear. You can navigate to other tabs by clicking a tab.
Viewing and Changing Licensing Information
After you enter an ACE Management Server serial number, use the Licensing tab to determine the expiration date, if any.
The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email.
If the system on which you installed ACE Management Server currently has more than one valid server license, just one license appears on the page.
You can use the Licensing tab to add or change a serial number, user name, or company name.
If you make changes to the information on this tab, you must click Apply or Cancel before you can navigate to another tab.
Using an External Database
The embedded database is an SQLite database. VMware recommends that you use an external database in production environments.
The embedded database is initialized during server installation and requires no special configuration. This database is adequate for testing purposes but is not designed to be effectively shared across multiple processes.
Before you can configure the ACE Management Server to use an external database, you must create a system DSN and credentials for accessing that data source. See Set Up an External Database on page 30.
Use the following information to help you complete the fields on the Database tab:
Data Source Name (DSN): The data source name you used when you created a system DSN entry on the ACE Management Server machine.
User Name and Password: Credentials for a user account that has full access to the database, including rights to create tables.
After you enter the database connection credentials, the setup application checks for an existing database. If the existing schema is not compatible, no schema is available, or the schema cannot be upgraded, you are asked whether to overwrite the existing schema and data. If you overwrite the existing schema and data, a new schema is created. If you do not overwrite the existing schema and data, the configuration application quits.
If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data. The upgrade is performed on the first start of the upgraded server, even if you do not rerun the setup application.
If you make changes to the information on the Database tab, you must click Apply or Cancel before you can navigate to another tab.
CAUTION After you enter credentials, if the message "Compatible schema exists. Do you want to reinitialize the schema and overwrite the existing data?" appears, select Use existing schema and data unless you want to erase all data in your existing database. To reinitialize the database at some later time, you can reopen this configuration application and return to this page.
Creating Access Control
On the Access Control tab, you can create a local Administrator role and Help Desk role or use Active Directory for authenticating users with these roles.
Before you can configure the ACE Management Server to use a domain account for authentication, you must create users and groups so that ACE Management Server can connect to the LDAP server. See Create Users and Groups for Integration with Active Directory on page 29.
Use the following information to help you complete the fields for authentication:
Local account: If you specify a password for the Administrator role and forget or lose it, you must delete the server configuration file. Deleting this file sets the server back to its initial state. You must reconfigure the server and set the administrator password again. See Delete the Server Configuration File and Set a New Administrator Password on page 52.
Domain account (LDAP): To use Active Directory for authentication, specify the host and credentials that the ACE Management Server uses to connect to and query the domain controller:
Host Name: Enter a fully qualified domain name (for example, ldap.vmware.com) instead of an IP address or a host name with no parent domain name (for example, ldap).
Query User sAMAccountName and Query User Password: Use the password and short name for the user account you created for this purpose in Active Directory.
Query User Domain: The domain must be the domain for which the LDAP host is a domain controller.
Admin Group DN and Help Desk Group DN (Optional): Enter the distinguished name for these groups, which you created for this purpose in Active Directory (for example, cn=Users,dc=simplecorp,dc=com). If this option is not enabled, anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.
Help Desk Role or Group DN: Creating a Help Desk role allows you to permit certain users to perform Help Desk tasks from the Help Desk application. Users in this role cannot access other administrative tools. You can still log in to the Help Desk Web application with your administrative LDAP credentials or local Administrator password.
If you make changes to the information on the Access Control tab, you must click Apply or Cancel before you can navigate to another tab.
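The field rules above (a fully qualified host name rather than an IP address or bare name, the short sAMAccountName, a query-user domain the host is a domain controller for, and well-formed group DNs) can be checked before you click Apply. The script below is an added example written against this manual's text, not VMware code: the LdapSettings field names mirror the tab labels but are hypothetical, and testing that the host name lies inside the query-user domain is an assumption about how domain controllers are usually named, not a rule the manual states.

```python
"""Pre-flight checks for the Access Control tab's LDAP fields.

Added example for this manual; not VMware code. Field names are
hypothetical mirrors of the tab labels; the host-in-domain suffix test
is an assumption about typical domain-controller naming.
"""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class LdapSettings:
    host_name: str               # Host Name field
    query_user_sam: str          # Query User sAMAccountName field
    query_user_domain: str       # Query User Domain field
    admin_group_dn: str = ""     # Admin Group DN (optional)
    helpdesk_group_dn: str = ""  # Help Desk Group DN (optional)


# One DNS label: 1-63 alphanumerics or hyphens, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# One RDN such as cn=Users or dc=simplecorp (loose syntax, no escape handling).
_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=]+$")


def is_fqdn(host: str) -> bool:
    """True only for a name with at least one parent domain, e.g. ldap.vmware.com."""
    try:
        ipaddress.ip_address(host)
        return False  # the manual rules out IP addresses explicitly
    except ValueError:
        pass
    labels = host.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_dn(dn: str) -> bool:
    """Loose LDAP DN syntax check: comma-separated attr=value pairs."""
    return bool(dn) and all(_RDN.match(part.strip()) for part in dn.split(","))


def dn_domain(dn: str) -> str:
    """Join the dc= components of a DN into a DNS domain (dc=a,dc=com -> a.com)."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p.split("=", 1)[1] for p in parts if p.lower().startswith("dc="))


def validate(s: LdapSettings) -> list:
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not is_fqdn(s.host_name):
        problems.append("Host Name must be a fully qualified domain name, "
                        "not an IP address or a bare host name")
    if not s.query_user_sam or "@" in s.query_user_sam or "\\" in s.query_user_sam:
        problems.append("Query User sAMAccountName must be the short account name, "
                        "without a domain prefix or UPN suffix")
    domain = s.query_user_domain.lower().rstrip(".")
    if not domain or not is_fqdn(domain):
        problems.append("Query User Domain must be a DNS domain name")
    elif is_fqdn(s.host_name) and not s.host_name.lower().rstrip(".").endswith("." + domain):
        # Assumption: a domain controller's DNS name normally lies inside the domain it serves.
        problems.append(f"Host Name {s.host_name} is not inside Query User Domain {domain}; "
                        "confirm the host is a domain controller for that domain")
    for label, dn in (("Admin Group DN", s.admin_group_dn),
                      ("Help Desk Group DN", s.helpdesk_group_dn)):
        if not dn:
            continue  # both group fields are optional
        if not is_dn(dn):
            problems.append(f"{label} is not a well-formed distinguished name: {dn!r}")
        elif domain and dn_domain(dn).lower() != domain:
            problems.append(f"{label} dc= components ({dn_domain(dn)}) "
                            f"do not match Query User Domain {domain}")
    return problems


if __name__ == "__main__":
    # Constructed sample values; simplecorp.com follows the manual's own DN example.
    sample = LdapSettings("dc1.simplecorp.com", "acequery", "simplecorp.com",
                          "cn=ACE Administrators,cn=Users,dc=simplecorp,dc=com",
                          "cn=ACE HelpDesk,cn=Users,dc=simplecorp,dc=com")
    print(validate(sample) or "settings look consistent")
```

Run it against the values you intend to type into the tab; each returned string names the field to correct. The DN check is deliberately loose (no support for escaped commas), so it catches a missing attribute name or a pasted display name, not every RFC 4514 subtlety.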
Uploading Custom SSL Certificates
To have ACE Management Server use custom SSL certificates, either your own self-signed certificates or those of a third-party or internal CA (certificate authority), use the Custom SSL Certificates tab to upload the PEM-encoded files.
Before you can upload custom SSL certificates, you must create and rename the certificate files. See Prepare Custom Security Certificates on page 34.
By default, during ACE Management Server installation, the following two files are created:
server.key: This RSA 1024-bit key is the private key.
server.crt: This self-signed certificate is valid for 10 years from the date and time at which the server is installed. Its signature is verified by the public key, which is embedded in the certificate. The certificate file is encoded in PEM format.
When you run an ACE instance, the VMware Player application uses the complete certification chain that is included in its package, not on the host, to verify connections made to ACE Management Server. Therefore, the use of self-signed certificates is adequate for most security needs. For more information about how VMware ACE uses security certificates, see Using SSL Certificates and Protocol on page 18.
When you click Upload certificates, a summary page displays the files and locations you specify on this tab. Note the location of any backup files. You might need to use the backup if you find that the new file is invalid when you click Apply. See Restore a Backup Copy of an SSL Certificate on page 52.
After you upload custom SSL certificates, you must update any existing ACE-enabled virtual machines to use a new certificate and key file. To do so, use Workstation to create an update package. When you deploy the new package, ACE instances receive the new certificate file and certificate chain.
Logging Events
The server collects log entries for events that change the database. On the Logging tab, you can set the logging levels and set an option for purging log entries.
ACE Management Server uses the following logging categories:
ACE Administration: Logs events for instance creation, update, and destruction.
Package Administration: Logs events for package creation, update, instance customization, and package removal.
Policy Administration: Logs events for policy set update and publish, user access control changes, and instance passwords set by an ACE administrator.
Instance Administration: Logs ACE instance life cycle events, such as creation, copying, revocation, re-enablement, and deletion. Also logs instance password change by a user or an administrator, changes in expiration for each instance, changes of instance guest or host operating system information, and setting instance custom fields. The debug level can be used to log the most ubiquitous traffic, such as policy update requests from active instances. Failed instance verifications are logged only at the debug level.
Authentication: Logs events for every authentication request, such as administration or help desk authentication attempts (at the normal level), instance authentication (at the informational level), and remote LDAP password change. Set logging for this category to the lowest level that is practical for you. This category can generate a large volume of entries.
For each category, you can choose one of the following logging levels:
None: No log entry is made for this event.
Critical: An example of a critical log event is one that removes all packages, instances, and policies associated with an ACE-enabled virtual machine.
Normal: This level of detail is sufficient to answer most queries.
Informative: Entries for nondestructive events that have limited effect.
Debug: Entries for every client access of the server. It provides more records of certain event types, creating a large number of logging entries compared to other log levels. It logs all informational transactions, such as instance status and so on.
Use the Event Log Purging control to configure the amount of logging information retained. The purge maintenance process runs approximately every six hours.
If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can navigate to another tab.
Applying Configuration Settings
The Restart page appears when you click Apply on one of the tabs. You must restart the server for the configuration settings to take effect.
If you click Later, you can always restart the server by clicking Apply on any of the tabs, even if you do not make changes on the tab.
5 Load-Balancing Multiple ACE Management Server Instances
If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.
This chapter includes the following topics:
Typical Setup Using Load-Balanced ACE Management Server Instances on page 40
Install the Required Services for Load Balancing on page 40
Use the Same SSL Certificate on All Servers on page 41
Create New SSL Certificates and Keys for Each Server on page 41
Installing and Configuring the Load Balancer on page 43
Verify That ACE Instances Are Using the Load Balancer on page 43
Typical Setup Using Load-Balanced ACE Management Server Instances
A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load-balancing group, the number of clients that you can serve scales linearly. For example, if you can serve 2,000 clients with one server, using two load-balanced servers allows you to serve 4,000 clients.
Figure 5-1 shows a simple deployment topology for using load balancing.
Figure 5-1. Two ACE Management Server Instances Working Together
To use a setup similar to the one depicted, you must have the following:
Two or more machines (or virtual machines) to host the ACE Management Server processes
An external database to host the ACE Management Server data
A load-balancing solution to manage traffic
Install the Required Services for Load Balancing
Services include multiple ACE Management Server instances, an external database, and Workstation.
To install the required services for load balancing
1 Install the ACE Management Server package on two or more machines (or virtual machines). See Installing and Upgrading ACE Management Server on page 22.
2 Configure each ACE Management Server separately to access the same external database. See Start and Configure ACE Management Server on page 26.
Both ACE Management Server installations must be able to identify the same data store so either installation can field queries for clients and scale the number of clients that can be served.
(Figure 5-1 diagram labels: ACE Management Server 1, ACE Management Server 2, Active Directory domain controller (LDAP/Kerberos), database server (ODBC), load balancer (optional), three AMS Clients (HTTPS).)
3 To verify that both ACE Management Server instances are working properly, start Workstation and connect to each ACE Management Server directly:
a In Workstation, choose File > Connect to ACE Management Server.
b Enter the IP or host name of the machine where ACE Management Server is installed, change the number in the Port field if necessary, and click OK.
The setup is successful if you can view the same data in the Instance View window for each ACE Management Server instance. If you create a test ACE and preview it, you see the preview instance on both servers.
Use the Same SSL Certificate on All Servers
For a load-balancing solution, you can copy the SSL certificate and key from one ACE Management Server to another.
To use the same SSL certificate on all servers
1 Log in to the ACE Management Server Setup application for the first ACE Management Server.
2 Click the Custom SSL Certificates tab to determine the location of the SSL certificate and key directory files.
On Windows, the files are located at C:\Program Files\VMware\VMware ACE Management Server\ssl.
On Linux, the files are located at /var/lib/vmware/acesc/ssl.
The certificate file is server.crt. The key file is server.key.
3 Copy the files to the second ACE Management Server.
If you are using the ACE Management Server virtual appliance, use the scp (secure copy) command to copy the certificate and key files:
a Open a command prompt.
b Enter the following command:
scp user@: user@:
You can also enable shared folders if you are using Workstation to run the virtual appliance, and copy the files from the virtual machine through the shared folders feature. For more information about shared folders, see the VMware Workstation User's Manual.
4 Log in to the ACE Management Server Setup application for the second ACE Management Server.
5 Use the Custom SSL Certificates tab to upload the files:
a Specify the key file in the Server Private Key field.
b Specify the certificate file in the Server Public Certificate field.
c Click Upload certificates.
d Click Apply and click Restart.
CAUTION This procedure directs you to upload both the certificate file (the .crt file) and the matching key file (the .key file). If you do not upload both, the Apache httpd service on the second ACE Management Server might freeze. In this case, you must uninstall and reinstall ACE Management Server.
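Both the description of server.key and server.crt in Uploading Custom SSL Certificates and the caution above come down to one pre-upload check: the private key must belong to the certificate, and the certificate must still have useful validity left. The script below is an added example, not VMware's code. It uses Python's standard ssl module for the pair check (the same public/private key consistency test a TLS server performs when it loads its credentials) and assumes the openssl command-line tool is installed for reading the end date and, in the demo, for generating constructed test pairs. The ams1/ams2 example.com names are placeholders.

```python
"""Pre-upload checks for a PEM certificate/key pair destined for the
Custom SSL Certificates tab.

Added example for this manual; not VMware code. Assumes the openssl
command-line tool is available; host names below are placeholders.
"""
import datetime as dt
import os
import ssl
import subprocess
import tempfile


def cert_and_key_match(cert_path: str, key_path: str) -> bool:
    """True if the private key belongs to the certificate.

    Loading the pair into a server-side SSL context runs the same key
    consistency check a TLS server performs at startup, so a False here
    is the mismatch that leaves httpd unable to serve."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    except ssl.SSLError:
        return False
    return True


def cert_not_after(cert_path: str) -> dt.datetime:
    """Read the certificate's notAfter field with openssl; returns a UTC datetime."""
    out = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-enddate"],
        capture_output=True, text=True, check=True).stdout.strip()
    # openssl prints e.g. "notAfter=Aug  3 12:00:00 2029 GMT"; drop the zone suffix.
    stamp = out.split("=", 1)[1].rsplit(" ", 1)[0]
    return dt.datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=dt.timezone.utc)


def days_remaining(cert_path: str, now: dt.datetime = None) -> int:
    """Whole days until the certificate expires (negative if already expired)."""
    now = now or dt.datetime.now(dt.timezone.utc)
    return (cert_not_after(cert_path) - now).days


def preflight(cert_path: str, key_path: str, min_days: int = 30) -> list:
    """Collect the problems that would make the upload fail or be short-lived."""
    problems = []
    if not cert_and_key_match(cert_path, key_path):
        problems.append("certificate and key do not match; upload both files from the same pair")
        return problems
    left = days_remaining(cert_path)
    if left < min_days:
        problems.append(f"certificate expires in {left} days")
    return problems


def make_self_signed(directory: str, cn: str, days: int = 3650):
    """Generate a throwaway key and self-signed certificate (constructed demo data).

    3650 days mirrors the 10-year validity of the installer's default server.crt."""
    key = os.path.join(directory, f"{cn}.key")
    crt = os.path.join(directory, f"{cn}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", str(days), "-subj", f"/CN={cn}"],
        capture_output=True, check=True)
    return crt, key


def demo():
    """Check a matching pair, then the same certificate with another server's key."""
    with tempfile.TemporaryDirectory() as work:
        crt1, key1 = make_self_signed(work, "ams1.example.com")
        crt2, key2 = make_self_signed(work, "ams2.example.com")
        return preflight(crt1, key1), preflight(crt1, key2), days_remaining(crt1)


if __name__ == "__main__":
    print(demo())
```

Point preflight() at the server.crt and server.key you copied in step 3 before uploading them in step 5; the second result in demo() shows what a certificate paired with a different server's key looks like, which is the situation the caution warns about.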
Create New SSL Certificates and Keys for Each Server
If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server.
If you plan to obtain SSL certificates from a certificate authority, you must create certificate chains. Figure 5-2 provides an overview of determining which certificates are included in a chain.
Figure 5-2. Creating the Certificate Chain File
To create new SSL certificates and keys for each server
1 Create as many SSL certificate and key pairs as you need (one for each server in your server farm).
The procedure varies, depending on the tools you use. To determine how to create these certificates and keys, see the documentation for your platform. Each certificate must have a unique common name and a unique serial number.
2 If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate.
The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the leaf certificate (including the root certificate of the chain).
a Download the verification chain from your certificate authority.
b Each certificate must be in PEM format before you create the certificate chain file.
To convert to PEM format, use the OpenSSL