ACE Management Server Administrator’s Manual VMware ACE 2.
Item: EN-000042-00
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
© 2007, 2008 VMware, Inc. All rights reserved. Protected by one or more U.S. Patent Nos.
Contents About This Book 7 1 Introduction 9 Features of ACE Management Server 9 System Requirements 11 Required Hardware 11 Supported Operating Systems 11 Supported External Databases 12 Supported Proxies 12 Required Web Browsers 12 Licensing 12 2 Planning an ACE Management Server Deployment 13 Deployment Components 13 Host System Options 15 Windows Hosts 15 Linux Hosts 15 Server Appliance Option 15 Database Options 16 Active Directory Authentication Options 17 Performing Capacity Planning 17 Database T
3 Installing and Configuring ACE Management Server 25 Preparing for Installation 25 Configure TLS in Your Browser 26 Installing and Upgrading ACE Management Server 26 Install an ACE Management Server on a Windows Host 27 Install ACE Management Server on a Linux System 28 Install an ACE Management Server Appliance 29 Verify That the Apache Service Is Started or Restarted 31 Start and Configure ACE Management Server 33 Log In to ACE Management Server 34 4 Configu
6 Managing ACE Instances 59 Viewing ACE Instances That the Server Manages 60 Use the VMware ACE Help Desk Application 60 Use the Instance View in Workstation 61 Search for an Instance 62 Sort by Column Heading and Change Column Width 63 Show, Hide, and Move Columns in the Instance View 64 Create or Delete Custom Columns in the Instance View 64 View Instance Details 65 Reactivate, Deactivate, or Delete an ACE Instance 65 Change a Copy Protection ID 66 Reset the Authentication Password 66 Add Inform
About This Book
This manual, the VMware ACE Management Server Administrator’s Manual, provides information about installing and using the VMware® ACE Management Server, which enables you to manage ACE instances in real time. Using ACE Management Server is optional, but doing so provides the following benefits:
- Manage activation of ACE packages.
- Manage authentication of those activated packages.
- Dynamically deliver policy updates to managed ACE instances.
Technical Support and Education Resources
The following sections describe the technical support resources available to you. To access the current versions of this book and other books, go to: http://www.vmware.com/support/pubs
Online and Telephone Support
Use online support to submit technical support requests, view your product and contract information, and register your products. Go to: http://www.vmware.
1 Introduction
The VMware ACE Management Server enables you to manage VMware ACE instances, to dynamically publish policy changes for those instances, and to test and deploy packages more easily.
Information about Windows domain user account states is provided in clear and useful messages. Reasons for login failures are presented as “locked out” or “password expired.” ACE Management Server acts as an Active Directory password change proxy. You can use the instance customization feature in ACE with your own established naming conventions to associate users with machines.
System Requirements
The following sections describe the ACE Management Server system requirements.
Supported External Databases
An SQLite database engine is embedded in the ACE Management Server.
2 Planning an ACE Management Server Deployment
This chapter provides guidelines for deploying VMware ACE Management Server instances, including capacity planning and best practices.
- (Optional) HTTP load balancer – Use a load balancer to help scale the capacity of your ACE Management Server deployment.
- (Optional) HTTP proxy – If clients will access ACE Management Server from outside the corporate firewall, VMware recommends using an HTTPS proxy in the DMZ.
You can use ACE Management Server with Apache Proxy and Zeus Technology Load Balancer. For an example of an ACE Management Server deployment, see Figure 2‐1.
Figure 2-1.
Host System Options
You can install ACE Management Server on a Windows host, a Linux host, or as a virtual appliance. If you set up multiple ACE Management Server instances, they must all be the same type.
Windows Hosts
If you plan to integrate with Active Directory, VMware recommends that you install ACE Management Server on a Windows host.
Database Options
ACE Management Server offers the following database options:
- Embedded SQLite database – The default mode of ACE Management Server works with an embedded SQLite 3 database engine. The SQLite database engine is initialized during server installation and requires no special configuration. The embedded database supports up to several gigabytes of data.
Active Directory Authentication Options
Active Directory integration provides the following benefits:
- Permits joining an operating system that is running an ACE instance to the domain remotely.
- Provides search functions so you can quickly find a particular individual or group.
- Enables you to use Active Directory Users and Groups to configure role‐based access to the features of ACE Management Server.
Database Throughput and Scalability
For production deployments, VMware recommends that you use Oracle, MS‐SQL, or Postgres as your database platform. More than 95 percent of the storage space that an ACE Management Server requires is used to log event information, which is an audit trail of all transactions performed through ACE Management Server. Table 2‐2 lists recommended database sizes based on the number of clients being served.
Network Bandwidth and Policy Update Frequency
The amount of network bandwidth that ACE Management Server and ACE instances require depends on the frequency of policy updates that you configure. Table 2‐3 shows the amount of bandwidth needed when you use a policy update frequency value of 10 minutes.
Table 2-3. Network Bandwidth Required with a Policy Update Frequency of 10 Minutes
Number of Clients    Bandwidth Required
100                  0.125Mb/sec.
1,000                1.
ACE Policy Configuration
The configuration of ACE policies can affect performance. You can increase the amount of data that is transferred between ACE Management Server and ACE Player by using one of the following methods:
- Host policies – Enabling host policies (such as host network quarantine) requires that a host‐side daemon retrieves the host policies from the ACE Management Server.
- Sensitive configuration options are encrypted – Passwords stored in the configuration file are encrypted.
- Database security – The database store contains sensitive data such as cryptographic keys. Configure your database security so that it is protected from intrusion and protected in case of data loss. For more information about features that are available to protect your data, see your database documentation.
The store or collection of certificates that is downloaded when an ACE‐enabled virtual machine connects to a server is included in each ACE package that you create with that virtual machine. It is saved in the ACE Resources directory. When you deploy and run an ACE instance of this ACE‐enabled virtual machine, the VMware Player application uses the certificates included in the package to verify connections made to the ACE Management Server.
ACE Management Server can be deployed with the following HTTPS proxy solutions:
- Apache Proxy – Using mod_proxy
- Zeus Technology Load Balancer – A commercially available load balancer and traffic management solution
Avoid the following problems when you use a proxy for traffic into an ACE Management Server:
- SSL Termination – If your HTTPS proxy terminates the SSL connection, you must use the same SSL key and certificate on the HTTPS proxy serv
Deployment Planning Worksheet
Use the deployment planning worksheet to record your choice of server system, database, security certificates, and optional components for a production environment.
Table 2-5. Worksheet for ACE Management Server in a Production Environment
Component | Considerations | Decision
Active Directory integration | Performance is better when the ACE Management Server is installed on a Windows host.
3 Installing and Configuring ACE Management Server
This chapter includes the following topics:
- “Preparing for Installation” on page 25
- “Installing and Upgrading ACE Management Server” on page 26
- “Verify That the Apache Service Is Started or Restarted” on page 31
- “Start and Configure ACE Management Server” on page 33
- “Log In to ACE Management Server” on page 34
Preparing for Installation
Before you install ACE Management Server, you must plan your deployment.
Table 3-1. Port Assignments, Default Settings, for ACE Management Server
HTTPS Port Number    Description
443                  Communications between ACE Management Server and ACE instances
8000                 ACE Management Server Setup (configuration) Web application; ACE Help Desk Web application
8080                 ACE Management Server Appliance configuration
NOTE If another Web server is installed that uses any of these default ports, you might need to resolve the conflict.
For production deployments, VMware recommends that ACE Management Server be installed on either a dedicated server or a virtual platform with sufficient available resources to ensure performance and stability. System requirements depend almost exclusively on the number of ACE instances being supported and the frequency with which they are configured to communicate with the server.
Install ACE Management Server on a Linux System
You can install ACE Management Server on the following Linux systems:
- Red Hat Enterprise Linux 4
- SUSE Linux Enterprise Server 9 SP3
Before you begin, make sure the system meets these requirements:
- A working installation of Apache 2.0 is installed on the system. (The RPM for a Web server is included with the Red Hat Enterprise Linux 4 or SUSE Linux Enterprise Server 9 installation.
For example:
    rpm -Uhv vmware-ace-management-server-87693.i386-rhel4.rpm
3 For a SUSE Linux Enterprise Server 9 server, ensure that the LDAP module (mod_ldap) is configured for loading:
  a Open the following file with a text editor: /etc/sysconfig/apache2
  b Add the ldap config option to the APACHE_MODULES variable.
  c Save and close the file.
After ACE Management Server is installed, you can configure it.
The console view displays the following information:
- Current network settings
- URLs for remotely administering the appliance and configuring the ACE Management Server itself
If you press Return at the login prompt, the information appears again.
6 At the time zone prompt, accept the current setting or make a change as needed.
9 When you finish configuring any network or update settings, navigate to the ACE Management Server Setup Web application to configure the server. To access that application, choose one of these methods:
- From the Appliance Management and Configuration Web application page, click the ACE Login link in the upper‐right corner of the page.
On SUSE Linux Enterprise Server 9 hosts or in the virtual machine that contains the ACE Management Server appliance:
  a Open a terminal window on the host or in the virtual machine.
  b As root, enter the following command:
      /etc/init.d/apache2 status
If the status is started, you can log in to ACE Management Server. See “Start and Configure ACE Management Server” on page 33.
Start and Configure ACE Management Server
Before you begin, make sure that the following prerequisites are satisfied, as applicable:
- If you installed ACE Management Server on a Linux host or are using the ACE Management Server appliance, verify that the Apache server is running. See “Verify That the Apache Service Is Started or Restarted” on page 31.
Log In to ACE Management Server
The first time you log in to ACE Management Server, you must set a password. The next time you log in, you must provide that password or provide Active Directory credentials if you configured the server to use Active Directory for authentication. Communications between Workstation and ACE Management Server take place over a secure SSL connection.
To log in to ACE Management Server
1 Open a Web browser and go to https://:8000. The value can be the fully qualified name of the computer on which ACE Management Server is installed or it can be an IP address. If you installed ACE Management Server on a Windows host and you are using that host to configure it, you can alternatively choose Start > VMware > VMware ACE Management Server.
4 Configuration Options for ACE Management Server
After you install ACE Management Server, you must use the browser‐based ACE Management Server Setup application to configure the server.
Create Users and Groups for Integration with Active Directory
To use Active Directory for authenticating users, add users to an Active Directory group and create a user so that ACE Management Server can query LDAP. When you configure ACE Management Server to use LDAP, follow these guidelines to avoid negatively affecting performance:
- The default domain is the domain for which the LDAP host is a domain controller.
Set Up an External Database
Before you begin, make sure that you have one of the following supported database servers:
- Windows‐based servers – Microsoft SQL Server 2000 or higher; Oracle Database 10g
If you use a Microsoft SQL Server database, the database must be hosted on a system that uses the same locale as the system that hosts ACE Management Server.
2 Configure the database. Ensure that you have a dedicated database and a user account that has full access to this database, including rights to create tables. Do not give this database user permissions that it does not need. For example, you might not want to give this account read or write permission to other databases that your RDBMS manages.
Create a System DSN Entry for a Windows Database
Regardless of whether the host is 32‐bit or 64‐bit, you create a DSN entry for a 32‐bit system. Before you begin, to determine the correct ODBC driver, see your operating system and database documentation.
You use the odbc.ini file for creating DSNs and the odbcinst.ini file for driver and general ODBC system configuration.
To create a System DSN entry for a Linux database
1 As root, use the ODBCConfig utility to create a System DSN entry. You also must configure the server address and the database name in the DSN settings. For information about using unixODBC, see the unixODBC Project Web page. The ODBCConfig utility makes changes to the odbc.ini and odbcinst.
To increase the number of database connections allowed
1 Inspect the Apache configuration file on the ACE Management Server host to determine the number of parallel threads or processes that might start at the same time.
2 Configure the database to allow as many connections as the Apache server. See your database documentation.
4 Replace placeholders <...> with the PostgreSQL database server DNS name or IP address and the database name of this server.
5 Use the default port number or set a different port number.
6 Save the file.
After you complete this task, postgres_dsn appears in the drop‐down menu on the Database tab in the ACE Management Server Setup application.
2 Rename the files, as follows:
- Rename the private key file to server.key.
- Rename the certificate file to server.crt.
- Rename the certificate chain file to chain.crt.
You can now use the ACE Management Server Setup application to upload the certificate files.
View the Properties of the Self-Signed Certificate File
This file is stored in the SSL directory in the VMware ACE Management Server program directory.
Viewing and Changing Licensing Information
After you enter an ACE Management Server serial number, use the Licensing tab to determine the expiration date, if any. The serial number is on the registration card in your package. If you purchased VMware ACE online, the serial number is sent by email. If the system on which you installed ACE Management Server currently has more than one valid server license, just one license appears on the page.
If the existing schema is not compatible, no schema is available or the schema cannot be upgraded. If you overwrite the existing schema and data, a new schema is created. If you do not overwrite the existing schema and data, the configuration application quits. If you are upgrading the server from the previous release, the database schema is upgraded automatically and you do not lose your previous data.
- Query User Domain – The domain must be the domain for which the LDAP host is a domain controller.
- Admin Group DN and Help Desk Group DN – (Optional) Enter the distinguished name for these groups, which you created for this purpose in Active Directory (for example, cn=Users,dc=simplecorp,dc=com). If this option is not enabled, anyone who logs in to the Help Desk application must be a member of the ACE Administrators group.
After you upload custom SSL certificates, you must update any existing ACE‐enabled virtual machines to use a new certificate and key file. To do so, use Workstation to create an update package. When you deploy the new package, ACE instances receive the new certificate file and certificate chain.
Logging Events
The server collects log entries for events that change the database.
Use the Event Log Purging control to configure the amount of logging information retained. The purge maintenance process runs approximately every six hours. If you make changes to the information on the Logging tab, you must click Apply or Cancel before you can navigate to another tab.
Applying Configuration Settings
The Restart page appears when you click Apply on one of the tabs. You must restart the server for the configuration settings to take effect.
5 Load-Balancing Multiple ACE Management Server Instances
If you have thousands of clients, you can configure multiple VMware ACE Management Server instances to work together. You can set up two or more servers and use them with a load balancer.
Typical Setup Using Load-Balanced ACE Management Server Instances
A single ACE Management Server can handle a preset number of clients, but you can add more servers to your ACE Management Server infrastructure by using load balancing. When you add more servers to the load‐balancing group, the number of clients that you can serve scales linearly.
Install the Required Services for Load Balancing
Services include multiple ACE Management Server instances, an external database, and Workstation.
To install the required services for load balancing
1 Install the ACE Management Server package on two or more machines (or virtual machines). See “Installing and Upgrading ACE Management Server” on page 26.
2 Configure each ACE Management Server separately to access the same external database.
To use the same SSL certificate on all servers
1 Log in to the ACE Management Server Setup application for the first ACE Management Server.
2 Click the Custom SSL Certificates tab to determine the location of the SSL certificate and key directory files. On Windows, the files are located at C:\Program Files\VMware\VMware ACE Management Server\ssl. On Linux, the files are located at /var/lib/vmware/acesc/ssl. The certificate file is server.crt.
Create New SSL Certificates and Keys for Each Server
If you do not want to use the same SSL certificate and key for each ACE Management Server, you must create new SSL certificates and keys for each server. If you plan to obtain SSL certificates from a certificate authority, you must create certificate chains. Figure 5‐2 provides an overview of determining which certificates are included in a chain.
Figure 5-2.
2 If your certificates require a certificate chain to be verified, create a certificate chain file for each certificate. The certificate chain file is a text file that contains every certificate (in PEM format) needed to verify the leaf certificate (including the root certificate of the chain).
  a Download the verification chain from your certificate authority.
  b Each certificate must be in PEM format before you create the certificate chain file.
Installing and Configuring the Load Balancer
ACE Management Server uses HTTPS to communicate with its clients. You can use any load balancing solution that supports HTTPS with ACE Management Server. Install the load balancer and configure port 443 (HTTP over SSL) for load balancing. Do not configure port 8080 or 8000 for load balancing. These two ports are used for configuration.
6 Managing ACE Instances
After ACE Management Server is installed and configured, you can do the following:
- View ACE instances that are managed by a particular ACE Management Server.
- Revoke and re‐enable an instance.
- Fix various problems with the ACE instances as reported by instance users.
Viewing ACE Instances That the Server Manages
To view and manage a server’s ACE instances, you can use either the Instances page of the VMware ACE Help Desk or the server’s instance view in Workstation. Both user interfaces enable you to fix a limited set of ACE instance problems, such as reactivating an instance, changing the instance’s expiration date, and resetting the user password if the user has lost or forgotten it.
3 Supply the login information. Use the following information to help you complete the fields that appear in this window:
- User Name and Password – If a help desk role was created, enter credentials for that role. Otherwise, enter credentials for administering the ACE Management Server.
- Domain – In multidomain environments, you might be required to enter a domain (for example, eng.com).
To use the instance view in Workstation
1 From the Workstation menu bar, choose File > Connect to ACE Management Server.
2 Specify the fully qualified host name or the IP address and click OK. In most cases, the default port number does not need to be changed.
3 Complete the login window.
2 Custom columns – Custom columns that you created appear directly below the Guest MAC Address criterion. Exact match only – Values are case‐sensitive. Save as – (Available in the Workstation instance view only) Saved searches are specific to each server. You can edit or delete your saved searches by selecting the name of a saved search in the Saved Searches drop‐down menu and clicking Options. Click Search.
Show, Hide, and Move Columns in the Instance View
Although you can sort and resize columns in either the VMware ACE Help Desk or the Workstation instance view, you can show, hide, and move columns only in the Workstation instance view. Column changes for one server do not affect other servers.
To show, hide, and move columns in the instance view
1 In Workstation, connect to the ACE Management Server and log in.
View Instance Details
The Instance Details page displays all of the same information shown on the summary page, and it includes information about the ACE instance’s policy settings. You can reactivate, deactivate, or change the expiration date from the Instance Details page, as you can from the summary page.
4 (Optional) If you clicked Deactivate, click Delete to delete the instance row.
5 Click OK.
Change a Copy Protection ID
If an end user attempts to copy or move a copy‐protected ACE instance, the user receives an error message that contains a new copy protection ID. After the end user sends that ID to you, the administrator, you can use it to replace the original ID.
3 Click Reset Password and specify a new password. In the Workstation instance view, this button appears on the Policies tab.
4 Send the new password to the user in an e‐mail message.
Add Information for Custom Columns
Although you must use the instance view in Workstation to create custom columns, you can add information to custom column fields in either the instance view or the VMware ACE Help Desk.
7 Troubleshooting and Maintenance
This chapter includes the following topics:
- “Troubleshooting Configuration Problems” on page 69
- “Configuring Multiple ACE Management Server Instances to Use SSL” on page 73
- “Database Backup” on page 74
Troubleshooting Configuration Problems
Common configuration problems include resolving connection problems and port conflicts and resetting ACE administrator passwords.
Change the Port Assignment for ACE Management Server
ACE Management Server is a module running on the Apache 2.0 platform. To change the port that the server listens on, you must manually edit the Apache configuration file.
To change the port assignment for ACE Management Server
1 Using a text editor, open the ACE Management Server component HTTP configuration file.
Delete the Server Configuration File and Set a New Administrator Password
If you lose or forget the administrator password, you must delete the configuration file and reconfigure the server. As part of that configuration, you set a new password.
Restore a Backup Copy of an SSL Certificate
If you upload an invalid certificate file, the ACE Management Server Setup application fails when you click Apply and then Restart and you cannot restart the Apache service. To fix this problem, restore the backup certificate file for the corresponding certificate.
To restore a backup copy of an SSL certificate
1 Navigate to the ACE Management Server directory where the backup is stored.
Configuring Multiple ACE Management Server Instances to Use SSL
You might configure multiple ACE Management Server instances to use SSL in the following scenarios:
- Multiple servers behind one or more proxy servers: Each server can have its own SSL key and certificate (ACE Management Server and proxy server). The cert_chain file must contain the certificate file and verification chain for the SSL certificates that the proxy servers are using.
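The two SSL layouts this manual describes (the same server.crt copied to every load-balanced server, and a certificate chain file that must contain the certificates the proxy servers use) can be checked by comparing certificate fingerprints. The following is an added example, not part of the VMware manual or product; the node names and the PEM payloads are constructed stand-ins rather than real certificates.

```python
"""Added example: detect SSL certificate drift across load-balanced servers."""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint of every certificate block in a PEM file.

    The hash is taken over the decoded DER bytes, so differences in line
    wrapping or line endings between copies do not count as a mismatch.
    """
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        raise ValueError("no PEM certificate block found")
    return prints


def single_fingerprint(name, pem_text):
    """Fingerprint a file that must hold exactly one certificate (server.crt)."""
    prints = pem_fingerprints(pem_text)
    if len(prints) != 1:
        raise ValueError(f"{name}: expected one certificate, found {len(prints)}")
    return prints[0]


def nodes_with_different_cert(reference_pem, server_crt_by_node):
    """List the nodes whose server.crt is not the reference certificate."""
    expected = single_fingerprint("reference", reference_pem)
    return sorted(
        node
        for node, pem in server_crt_by_node.items()
        if single_fingerprint(node, pem) != expected
    )


def missing_from_chain(chain_pem, required_pems):
    """List the named certificates that the chain file does not contain."""
    in_chain = set(pem_fingerprints(chain_pem))
    return sorted(
        name
        for name, pem in required_pems.items()
        if single_fingerprint(name, pem) not in in_chain
    )


def constructed_pem(payload, width=64, newline="\n"):
    """Wrap arbitrary bytes in PEM armour (sample data, not a real certificate)."""
    b64 = base64.b64encode(payload).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----", ""]
    )


# Constructed sample input. In practice, pass the text of each file instead.
SHARED = b"constructed shared leaf certificate bytes " * 4
STALE = b"constructed stale leaf certificate bytes " * 4
PROXY = b"constructed proxy certificate bytes " * 4
ROOT = b"constructed root CA certificate bytes " * 4

# Hypothetical node names; ams-02 holds the same certificate re-wrapped with CRLF.
NODES = {
    "ams-01": constructed_pem(SHARED),
    "ams-02": constructed_pem(SHARED, width=76, newline="\r\n"),
    "ams-03": constructed_pem(STALE),
}
CHAIN = constructed_pem(SHARED) + constructed_pem(ROOT)
REQUIRED = {"proxy": constructed_pem(PROXY), "root": constructed_pem(ROOT)}

if __name__ == "__main__":
    print("nodes out of sync:", nodes_with_different_cert(NODES["ams-01"], NODES))
    print("missing from chain:", missing_from_chain(CHAIN, REQUIRED))
```

A non-empty result from either function means some clients would be handed a certificate that the packaged certificate store cannot verify.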
Database Backup
If you are using an external database, use a backup and recovery strategy that is appropriate for your database system. Back up your ACE Management Server database on a regular basis to ensure that the database can be recovered promptly if needed. If you are using the embedded database, you can use standard file‐backup tools, such as ntbackup or dd. The data is stored in one of the following locations:
- Windows – C:\Program Files\VMware\VMware
Appendix: Database Schema and Audit Event Log Data
This appendix explains the format of the data stored in the database and the best ways to access this data. This appendix includes the following topics:
- “Using Database Reporting Tools” on page 75
- “Database Schema” on page 76
- “Querying the Audit Event Log Data” on page 81
Using Database Reporting Tools
You can use a third‐party database management or reporting tool with the VMware ACE Management Server database.
Database Schema
Tables in the ACE Management Server database represent the major configuration objects of ACE Management Server, including Ace, Package, Instance, Access Policy, Runtime Policy, and User Data, which contains image customization settings and other data for each user. Administrator and user actions are audit logged in the Event table in the database, while possible event types are listed in the EventType table.
/* ACE Master data */
CREATE TABLE PolicyDb_Ace (
    aceUID VARCHAR(128), /* Unique ID (primary key) */
    aceName VARCHAR(128), /* Name of this ace */
    activePolicySetVersion INTEGER NOT NULL, /* Soft foreign key to active RT policy*/
    aceTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */
    aceTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */
    PRIMA
    packageUID VARCHAR(128) NOT NULL, /* The package it belongs to. */
    aceUID VARCHAR(128) DEFAULT '' NOT NULL, /* The ACE Master it belongs to */
    creatorIdName VARCHAR(128) NOT NULL, /* Display name of the activator user */
    creatorIdData VARCHAR(256), /* Fully qualified name of the activator */
    creatorAuthType INTEGER NOT NULL, /* The type of access check at activation */
    activationDate VARCHAR(21) NOT NULL, /* The date and time for the activation.
    description VARCHAR(128), /* name and description of the MAC pool*/
    rangeStart VARCHAR(21) NOT NULL, /* Start address of the MAC pool */
    rangeEnd VARCHAR(21) NOT NULL, /* End address of the MAC pool */
    lastAssigned VARCHAR(21) NOT NULL, /* Last assigned address */
    mplTsCreated VARCHAR(21) DEFAULT 0 NOT NULL, /* Creation timestamp */
    mplTsLastModified VARCHAR(21) DEFAULT 0 NOT NULL, /* Last modified timestamp */
    deleted VARCHAR(7) DEFAULT 'FALSE', /* Is thi
    deleted VARCHAR(7) DEFAULT 'FALSE', /* Is this entry deleted (tombstone) */
    PRIMARY KEY (aceUID, policyVersion),
    FOREIGN KEY(aceUID) REFERENCES PolicyDb_Ace(aceUID));

/* ACE Management Server info - reserved for future use */
CREATE TABLE PolicyDb_AcescServer (
    serverHostname VARCHAR(128), /* Host name of the server computer */
    serverPort INTEGER, /* TCP port number server is listening on */
    secure VARCHAR(7) DEFAULT 'FALSE' NOT NULL, /* Whether HTTPS is enabled
Querying the Audit Event Log Data

You can use the ACE Server Component to create an audit trail for all transactions that the server performs. You can use this system to track usage, security breaches, policy errors, performance, and so on. The ACE Server Component Event Logging infrastructure is flexible enough to provide detailed logging when necessary, without overwhelming the system by slowing performance.
Table A-1 describes the data that is stored in a log entry.

Table A-1. Log Entry Data

Data                       Description
Audit log event ID (PK)    An incrementing integer
Log timestamp              In microseconds from 12:00 a.m.
If immutable data is stored permanently elsewhere in the database, it is not duplicated in the log entry. For example, when a new policy is published, the complete policy text is not included in the log entry. Instead, its version number is referenced, so that the complete data of the event can be reconstructed from the PolicyDb_RuntimePolicy and PolicyDb_Access tables if necessary.
Glossary

ACE instance
    A virtual machine that ACE administrators create, associate with virtual rights management (VRM) policies, and then package for deployment to users.

ACE Management Server
    A server that the ACE administrator can install and use for activating and tracking ACE instances and for hosting dynamic policies for ACE instances.

ACE-enabled virtual machine
    A virtual machine template that the ACE administrator creates.

deployment settings
    A set of rules and settings associated with a package, such as instance customization settings. These settings cannot be changed after packaging. The only way to change deployment settings is to create a new package.

guest operating system
    An operating system that runs inside an ACE instance. See also host operating system.

host computer
    The physical computer on which the VMware Player software is installed. It hosts the ACE instances.

preview
    An operating and viewing mode that an administrator can use to preview the ACE instance as it will run on the user’s machine. The administrator can use this feature to see the effects of policy and configuration settings without having to perform the packaging and deployment steps.

publish
    The process of making policies available on ACE Management Server so that ACE instances can receive them according to the policy update schedule. See also policy.