vCenter Configuration Manager – First Run

Aka vSphere Hardening – Part 6

In Part 4 of this series, we ended with the collection of data from our vCenter Server.

Before we continue, I will point to a few issues I have encountered while working with vCM.

First, while opening one of the Dashboards (Console -> Dashboards -> Select dashboard), the following error message was received: “An error has occurred performing an SRS security request. You must use Internet Explorer with the Run as administrator option to view dashboard reports when working locally on the Collector.”
VMware has multiple Knowledge Base articles discussing this error. The one that solved the problem in my case was KB “SSRS authentication must be configured in two-tier and three-tier installation environments that use Basic authentication (2000082)”. Also note, I run a one-tier installation!

But that was not all…

Now that the dashboards came alive, one of their best features, the drill-down functionality, did not work. IE sometimes showed the “Only secure content is displayed” message. This issue was resolved by adjusting one of many IE settings. In IE, go to “Internet Options”, go to tab “Security”, button “Custom level…” and make sure that “Display mixed content” is set to “enable”.

Figure 1

This series about the vCenter Configuration Manager (vCM) started with a reason: to explore the compliance capabilities of vCM. So let’s continue.

As you can see in the menu, a complete section has been dedicated to enforcing Compliance.

Figure 2

But before we can take off, another task awaits. Compliance does not query an individual VM, but compares the data gathered during a Collection with compliance templates. Those compliance templates contain the rules that are set in regulatory mandates such as Sarbanes-Oxley and HIPAA, or in hardening and best-practices guides.

First we need to download and import the templates. VMware provides predefined templates that you can download from the Center for Policy and Compliance. Once downloaded, templates can be modified to your needs.

The Content Wizard Tool is installed along with the Collector.

  • Make sure that the server has Internet access and start this tool (All Programs > VMware vCenter Configuration Manager > Tools > Content Wizard Tool).
  • Select Get Updates from the Internet and click Next.
  • After the updates are identified, click Next.
  • Select the update(s) to install and click Install.

Figure 3

  • The installation takes some time; do not interrupt it.

Figure 4

  • When the import process is finished, review the Event Log Results to verify a successful download and click Close.

Figure 5

When we take a closer look in the Compliance section, under the “Virtual Environment Compliance” section, the structure of the templates becomes clear. The elements are: Templates, Rule Groups, Rules, Filters and Exceptions.

Figure 6 – Templates and Rule Groups

  • Templates consist of one or more Rule Groups.
  • Rule Groups: A rule group comprises rules and filters.
  • Rules: The rules define the optimal configuration standards (the actual check).
  • Filters: The filters limit the machines on which the template runs to only the machines that meet the filter criteria. If filters are not defined, the rules are run against all machines in the machine group based on the data types against which the rules run.
  • Exceptions: The exceptions are optional permanent or temporary exceptions to the template results. The defined exception indicates that a specific result is compliant or noncompliant, even though it does not match the requirements of the rules.

Figure 7 – Rule Groups and Rules

And finally an example of a Filter.

Figure 8 – Filter limits to ESXi 5.5.
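How the five elements fit together can be shown with a small conceptual model. This is an added example, not vCM code or its data format: the class names, property names (`ssh_enabled`, `ntp_servers`), host names and dates are all constructed for illustration. It evaluates already-collected records, applies a filter like the ESXi 5.5 one above, and lets a temporary exception override a rule result until it expires.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Callable, Optional

@dataclass
class Rule:
    name: str
    check: Callable[[dict], bool]  # True when the collected value meets the standard

@dataclass
class RuleGroup:
    name: str
    rules: list
    filters: list = field(default_factory=list)  # no filters: rules run on every machine

@dataclass
class TemplateException:
    status: str                     # forced result, regardless of the rule outcome
    expires: Optional[date] = None  # None = permanent, otherwise temporary

@dataclass
class Template:
    name: str
    rule_groups: list
    exceptions: dict = field(default_factory=dict)  # (machine, rule) -> TemplateException

    def run(self, collected, today):
        """Compare collected records with the rules; nothing is queried live."""
        results = {}
        for group in self.rule_groups:
            for m in collected:
                if not all(f(m) for f in group.filters):
                    continue  # filtered out: no result row for this machine
                for rule in group.rules:
                    key = (m["name"], rule.name)
                    status = "Compliant" if rule.check(m) else "Noncompliant"
                    exc = self.exceptions.get(key)
                    if exc and (exc.expires is None or today <= exc.expires):
                        status = exc.status  # exception overrides the rule outcome
                    results[key] = status
        return results

# Constructed collection data (hypothetical hosts and property names).
COLLECTED = [
    {"name": "esx01", "version": "5.5", "ssh_enabled": False, "ntp_servers": 2},
    {"name": "esx02", "version": "5.5", "ssh_enabled": True, "ntp_servers": 0},
    {"name": "esx03", "version": "5.1", "ssh_enabled": True, "ntp_servers": 1},
]

def build_template():
    group = RuleGroup("ESXi 5.5 hosts",
        rules=[Rule("SSH disabled", lambda m: not m["ssh_enabled"]),
               Rule("NTP configured", lambda m: m["ntp_servers"] > 0)],
        filters=[lambda m: m["version"] == "5.5"])
    return Template("Sample hardening template", [group], exceptions={
        ("esx02", "SSH disabled"): TemplateException("Compliant", date(2024, 6, 30))})
```

Running `build_template().run(COLLECTED, date(2024, 6, 1))` reports esx02 as compliant for SSH only because of the exception; the same run dated after the expiry reports it as noncompliant again, and esx03 never appears because the filter excludes it.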

In another post, we will analyze the anatomy of a rule in more detail. For now let’s see how to apply a Template.

Select a Template and choose “Run Template”.

Figure 9

Next, you will be prompted to select options for the run. Depending on the kind of template, one of the options is the ability to enforce (or not) noncompliant results.

Figure 10

The progress is shown and when the run has completed successfully, the results are presented in an overview.

Figure 11 – Results: work to do…

For a closer look at the results, press the “View Data Grid” button.

Figure 12

The second column shows the Status; the green sign means “Compliant”. To get a quick overview of the compliant and noncompliant results, drag the second column (header is not labeled) to the line that says: “Column Grouping”.

Figure 13 – Non Compliant Non Enforceable

The red exclamation mark in the red circle means the status is Non-Compliant, Non Enforceable.

Reading the table this way is a bit hard. Resizing the column headers is not possible; another option is to select a row, right-click and select “View row cells”.

Figure 14

This view is much more comfortable. It is also possible to browse through the rows by using the arrow keys.

Figure 15

After installing vCM, doing the initial configuration, collecting data from our virtual environment, importing and running templates, we have come to the point that we have some compliance data available. In the next episodes we will explore the options to resolve non-compliant objects and ways to make sure that our environment stays compliant.

As always, I thank you for reading and I welcome your comments.

This post is the sixth part in a series about vSphere hardening. See also:
Part 1 vSphere Hardening, Introduction
Part 2 vSphere Hardening, Available Tools
Part 3 vCenter Configuration Manager – Installation
Part 4 vCenter Configuration Manager – Configuration
Part 5 vCenter Configuration Manager – The Videos
Part 6 vCenter Configuration Manager – First Run


3 Responses to vCenter Configuration Manager – First Run

  1. Lieven says:

    Thanks for the series of posts on vCenter Configuration Manager. It’s been really helpful.
    Do you know of any other good public resources (blogs, books, videos) or people (twitter handles) that talk about vCenter Configuration Manager?
