vCenter Configuration Manager – Configuration

Aka vSphere Hardening – Part 4

UPDATED: 23-12-2013

The previous post in this series discussed the installation of vCenter Configuration Manager (vCM). We ended with the completion of the installation. Now it is time to review the result of our labor.

According to the official documentation, there are a few post-installation tasks to complete the installation of your environment. In summary:

  • Exclude the VCM database files and the VCM Collector folder (default location: C:\Program Files (x86)\VMware\VCM\) from on-access antivirus scanners.
  • Configure database settings for optimal SQL performance.

Figure 1

  • Use the SQL Server Management Studio to adjust these database properties:
    Default index fill factor = 80%
    Recovery interval (minutes) = 5 minutes
  • It is also recommended to configure some SQL Server Processor settings. Right-click the correct SQL server instance, select properties and select the Processor page. In the Enable processors area, select Automatically set I/O affinity mask for all processors. Select I/O Affinity for all processors in the Enable processors list.
  • There are also some recommendations for using SQLIO. I have skipped that section (remember, this is a simple POC).
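The two database properties and the I/O affinity setting above can also be applied with T-SQL instead of the SSMS dialogs. The following PowerShell is an added example, not code from the original post or from VMware; it assumes you run it as a SQL sysadmin on the VCM server and that the instance name is a placeholder you replace with your own.

```powershell
# Added example (not from the post or VMware). $instance is a placeholder.
$instance = 'VCM\SQLEXPRESS'   # replace with your VCM SQL Server instance

$configure = @'
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
-- Default index fill factor = 80% (takes effect after a service restart)
EXEC sp_configure 'fill factor (%)', 80;
-- Recovery interval (minutes) = 5
EXEC sp_configure 'recovery interval (min)', 5;
-- 0 = let SQL Server set the I/O affinity mask for all processors
EXEC sp_configure 'affinity I/O mask', 0;
RECONFIGURE;
'@

$verify = @'
SELECT name, value, value_in_use FROM sys.configurations
WHERE name IN ('fill factor (%)', 'recovery interval (min)', 'affinity I/O mask');
'@

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$instance;Database=master;Integrated Security=True")
$conn.Open()
try {
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $configure
    [void] $cmd.ExecuteNonQuery()

    # value = configured, value_in_use = active. For fill factor the two
    # differ until the SQL Server service has been restarted.
    $cmd.CommandText = $verify
    $reader = $cmd.ExecuteReader()
    while ($reader.Read()) {
        '{0,-25} configured={1,-4} in use={2}' -f $reader['name'],
            $reader['value'], $reader['value_in_use']
    }
    $reader.Close()
}
finally {
    $conn.Close()
}
```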

From here, I started using the vCenter Configuration Manager Administration Guide.

For our first login to VCM, it is recommended to use a virtual or physical workstation with Internet Explorer 8 or higher.

At the beginning, I experienced some issues using IE on my workstation, so I set up an RDP session to the VCM server instead.

Figure 2

In the menu you will find the option “VMware VCM Web Console”; open it.

Next, you will be prompted for an account and password. Enter the credentials of the domain VCMadmin user.

Figure 3

In the next window, the overview shows the active VCM Collector, the account details and the User Role. VCMadmin is the first user and, with the User Role “Admin”, has all privileges. If you tick “Automatically log in using this role”, you will continue to VCM.

Figure 4

This window is the first you will see after a successful login. The menu has many, many options. At this time I will not go into detail; a blog is not the proper medium for that either. I am considering recording a brief walk-around instead.

Before we continue, one more graphic from the VMware documentation. So far we have talked about the parts that make up the VCM server: the VCM Collector, the SQL Server and the Web Server. A Managing Agent is also needed.

Figure 5 – graphic provided by VMware

As we want to check the compliance of our infrastructure and VMs, we need to collect data. We will collect data from vCenter Server, vCloud Director and/or vShield Manager. To collect the data, you need one or more Managing Agent machines.
Luckily the documentation states: “If your individual vCenter Server instances manage no more than 1–30 hosts and a maximum of 1000 guests, then you can use the Collector as your Managing Agent. If any of your vCenter Server instances exceed this amount, you must use a Windows machine that is not your Collector as a Managing Agent”.

So for the POC there is no need to install an additional Managing Agent machine, as we can use our VCM server. However, to fully manage the guest machines, you need to install the VCM Agent on the virtual machines and manage their operating systems.

Next, we need to verify that our Managing Agent is licensed and that it has the correct VCM Agent installed.

Procedure

1. Click Administration.

2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.

3. Select the target machines and click Collect on the VCM toolbar.

4. Select Machine Data and click OK.

5. Verify that the Selected list includes our VCM server and click Next.

6. Expand the Windows tree, select Machines, and click Next.

7. Resolve any conflicts and click Finish.

Figure 6

When the job is finished, verify that the Agent Version value in the data grid is 5.5 or later.

Next we will verify the Trust status for the Managing Agent Machine.

Procedure

1. Click Administration.

2. Select Certificates.

3. Select the VCM Server and click Change Trust Status.

4. Make sure the VCM server is in the lower data grid.

5. Select Check to trust or uncheck to untrust the selected machines and click Next.

6. Review the number of machines affected (should report “1 machine(s) will be trusted”) and click Finish.

Figure 7

Next the Managing Agent machines must be enabled to perform the necessary communication with your vCenter Server.

Procedure

1. Click Administration.

2. Select Administration > Machines Manager > Licensed Machines > Licensed Windows Machines.

3. Select the VCM Server and click Change Managing Agent Status. The icons are a bit hard to interpret; you can also right-click and choose the option from the context menu.

4. Make sure the VCM server is in the lower data grid.

5. Select Enable – allow the selected machines to be used as managing agents and click Next.

6. Review the number of machines affected and click Finish.

Figure 8

The next step is to configure the vCenter Server for data collection. Before doing this, there is one prerequisite you should be aware of: know the names and domain information of the vCenter Server instances in your environment.

Procedure

1. Click Administration.

2. Select Machines Manager > Available Machines.

3. Click Add Machines.

Figure 9

4. On the Add Machines page, select Basic: Name, Domain, Type, and check Automatically license machines, and click Next.

Figure 10

5. On the Manually Add Machines – Basic page, configure these options to identify the vCenter Server instance(s).
In this example: Machine = vc01, Domain = virtual.local, Machine Type = vCenter (Windows).

6. Click Add.

Figure 11

7. (Optional) Add other vCenter Server instances as needed.

8. When all your vCenter Server instances are added to the list, click Next.

9. On the Information page, review the summary and click Finish.

Next we need to configure the Managing Agent, communication, and vCenter Server access options so that VCM can collect host and guest data from the vCenter Server instances.

Procedure

1. Click Administration.

2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.

3. Select the vCenter Server instances and click Configure Settings.

4. On the Virtual Environment page, verify that the vCenter Server instances appear in the lower pane (vc01 in our example) and click Next.

Figure 12

5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vCenter Server instances and click Next.

Figure 13

Managing Agent : select the Windows machine that manages communication between the Collector and the vCenter Server instances. In our case, VCM.

Port : defaults to 443.

User ID : we use our vCenter Administrator account here.

Password : no comment

Ignore untrusted SSL Certificate : Yes, although No is the more secure option, because with Yes VCM accepts whatever certificate the vCenter Server presents. (If you select No on the Managing Agent and Communication Settings page, you must type or paste the thumbprint string of the vCenter Server certificate in the text box. That part failed in my case.)

6. On the Important page, click Finish.

After finishing this operation, the configuration status has changed from a yellow triangle to a green dot.

Figure 14
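The thumbprint that the “No” option asks for is the SHA-1 thumbprint of the certificate vCenter presents on port 443. The following PowerShell is an added example, not code from the original post or from VMware; it assumes the host name vc01.virtual.local from the example above and a placeholder expected thumbprint that you replace with the value recorded on the vCenter Server itself.

```powershell
# Added example (not from the post or VMware). Reads the certificate that
# vCenter presents on 443 and prints its SHA-1 thumbprint for comparison.
function Get-VCenterThumbprint {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $ssl    = $null
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: we only want to read it, not trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint   # SHA-1, upper-case hex, no separators
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

$info = Get-VCenterThumbprint -HostName 'vc01.virtual.local'
$info

# Placeholder: the thumbprint you read on the vCenter Server itself
# (certificate MMC snap-in), so the value is verified out-of-band.
$expected = '0000000000000000000000000000000000000000'
if ($info.Thumbprint -eq $expected) {
    'Thumbprint matches; paste it into VCM with Ignore untrusted SSL Certificate = No.'
} else {
    Write-Warning 'Thumbprint mismatch: check the certificate on vc01 before continuing.'
}
```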

At this stage we are finally ready to start collecting vCenter Server data.

Procedure

1. Click Administration.

2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.

3. Select the vCenter Server instances (vc01 in our case) and click Collect on the VCM toolbar.

Figure 15

4. On the Collection Type page, select Machine Data and click OK.

5. On the Machines page, verify that the Selected list includes all the vCenter Server instances from which you are collecting and click Next.

Figure 16

6. On the Data Types page, select the Virtualization vCenter Server data types that you want to collect from the vCenter Server instances and click Next.

Figure 17

7. On the Important page, resolve any conflicts and click Finish.

Figure 18

The progress of the collection can be followed by clicking Jobs on the VCM toolbar.

Figure 19

The collected vCenter Server data appears in the Console in the Virtual Environments node. The collected vCenter Server data helps you identify and manage vCenter Server, host, and guest objects.

To view the collected vCenter Server data, click Console and select Virtual Environments > vCenter.

Figure 20 – vCenter Summary

Figure 21 – VM summary

From there, you can drill down and observe the collected data.

In the next episode of this series, we will continue with Compliance Management using VCM.

As always, I thank you for reading, and I welcome your comments.

This post is the fourth part in a series about vSphere hardening. See also:
Part 1 vSphere Hardening, Introduction
Part 2 vSphere Hardening, Available Tools
Part 3 vCenter Configuration Manager – Installation
Part 4 vCenter Configuration Manager – Configuration
Part 5 vCenter Configuration Manager – The Videos
Part 6 vCenter Configuration Manager – First Run


7 Responses to vCenter Configuration Manager – Configuration

  1. E7130 says:

    Thanks a bunch for the post. I’ve followed your setup exactly, but when I go to collect on vCenter (windows) I get a failure on Download Files to Agent.

    Everything is green on the agent etc. Not sure what the issue is.

    • paulgrevink says:

      Thanks for your reply.
      What is the exact error message?
      There are no Conflicts?

      Best regards,

      Paul

      • E7130 says:

        The error in the job states: Error calling unprotect. Cannot find certificate and private key for decryption.

  2. E7130 says:

    I haven’t looked at the log files in CM, but in the job, it just fails in the collection. I’m using the VM Agent on the VCM server as your demo showed. All the connections show OK.

    Right now I’m testing installing an agent on the vCenter server itself to see if I can use that to collect.

  3. E7130 says:

    In the certificates, I see my VCM having an older certificate. I believe the database I used to install VCM was also used for an older version so it kept the certificate information from the previous install… Now how do I update the certificate with the new one that is on the server?

    • E7130 says:

      I believe I’ve resolved it by restoring the certificates on my VCM store. I would be curious to know how to update the certificate within the VCM Database.

  4. E7130 says:

    Jobs complete but no data is pulled…
