VMware vCenter Configuration Manager Administration Guide
vCenter Configuration Manager 5.6

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/
The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

© 2006–2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
About This Book

The VMware vCenter Configuration Manager Administration Guide describes the steps required to configure VCM to collect and manage data from your virtual and physical environment. Read this document and complete the associated procedures to prepare for a successful implementation of the components.
Technical Support and Education Resources

The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.

Online and Telephone Support: To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
1 Getting Started with VCM

When you use VCM, you must understand user access and how to start VCM from any physical or virtual machine. You must also familiarize yourself with the VCM Web Console features.

This chapter includes the following topics:
- Understanding User Access
- Log In to VCM
- Getting Familiar with the Portal
- Customizing VCM for your Environment

Understanding User Access

User access determines who has access to VCM and with what roles.
- Remote command execution
- Change actions against target managed machines
- Change rollback
- Compliance enforcement
- Patch deployment
- Software deployment
- OS provisioning
- Machine reboots

All VCM user accounts must have the following rights on the VCM Collector machine.
- Ability to log on locally to access IIS
- Read access to the System32 folder
- Write access to the CMFiles$\Exported_Reports folder to export reports
- If d
Procedure
1. To connect to VCM from a physical or virtual machine on your network, open Internet Explorer and type http:///VCM.
2. Type your user network credentials.
3. (Optional) Select Automatically log on using this role to have VCM log you in.
4. Click Log On.

Your VCM user account can have multiple roles.
- Log Out: Exits the Web Console. The Web Console closes and the VCM Logon screen appears.
- About: Displays information about how to contact VMware Technical Support and version information for VCM and all of its components. This information may be important when you contact VMware Technical Support.
- Help: Opens the online Help for the currently-active display.
Sliders

The sliders on the left side of the Web Console include the items listed and described in the following table. The individual items that you see in VCM will vary depending on the components that you have licensed.
- Active Directory and AD objects based on your role.
- Patching options are available based on your role.
- Administration is visible only to users who have Administrative rights to VCM as part of their VCM role.
Slider Reports Patching Administration Action
- View information about Active Directory Domains, DCs, and Trusts.
- Track and display access control entries and security descriptor data on all collected objects.
- View Active Directory Schema information.
- Run out-of-the-box reports against your collected data.
- Write your own SQL and SSRS reports using VCM’s report wizard.
- Review a list of bulletins available to VCM.
- Compliance Templates and Rule Groups: Use compliance templates and rule groups to define specific settings and verify whether the machines match those criteria. VCM provides prepackaged templates and rules to check the compliance of your machines with regulatory, industry, and vendor standards. VMware provides additional compliance packages that you can import into VCM.
- Reports: Create and print tailored reports of information that does not appear in VCM.
2 Installing and Getting Started with VCM Tools

VCM Installation Manager installs several VCM components and tools on the Collector machine during the installation.

This chapter includes the following topics:
- Install the VCM Tools Only
- VCM Import/Export and Content Wizard Tools
- Run the Deployment Utility
- Package Studio
- Foundation Checker

Install the VCM Tools Only

You can install the VCM tools on a non-Collector Windows machine.
Procedure
1. On the non-Collector Windows machine on which you want to install the tools, insert the installation CD.
2. In Installation Manager, click Run Installation Manager. During the installation, follow the installation requirements that Installation Manager reports when Foundation Checker runs.
3. Complete the initial installation pages, and click Next on subsequent pages to access the Select Installation Type page.
   a.
Run the Import/Export Tool

Use the Import/Export Tool to back up your VCM database business objects and import them into a new VCM database or into a recovered VCM database. This tool also supports the migration of any VCM Management Extension for Asset data that was manually added to VCM.

Prerequisites
Install the Import/Export Tool. See "Installing and Getting Started with VCM Tools" on page 19.

Procedure
1. On the Collector, click Start.
2.
Procedure
1. On the Collector, navigate to C:\Program Files (x86)\VMware\VCM\Tools.
2. Copy the DeployUtility-.zip file from the Collector to your Windows machine.
3. Extract the files.
4. Double-click DeployUtil.exe to start the application.

What to do next
In the Deployment Utility, click Help and review the procedure for the type of machine you are configuring.
3 Configuring VMware Cloud Infrastructure

VCM collects information from your instances of vCenter Server, vCloud Director, and vShield Manager so that you can then use the information to manage and maintain your virtual environment. The collected data appears in the Console under the Virtual Environments node. The information is organized in logical groupings based on the information sources, including vCenter Server, vCloud Director, and vShield Manager.
Figure 3–1. Virtual Environments Configuration Diagram

Managing Agents

The Managing Agent machines must have the 5.5 Agent or later installed. They must also be configured to manage the secure communication between the vCenter Server, vCloud Director, and vShield Manager instances and the Collector. Depending on the size of your Cloud Infrastructure environment, you can use your Collector as a Managing Agent or you can use another Windows machine.
CAUTION Do not use the Windows machines on which your vCenter Server instances are running as Managing Agent machines.

Managing vCenter Server Instances, Hosts, and Guest Virtual Machines

You collect data from vCenter Server instances regarding resources managed by the vCenter Server, and to identify and manage the host and guest machines. The host and guest machines are managed based on configured vCenter Server instances.
Collect vCloud Director data so that you can identify and manage the guest operating systems of the vApp virtual machines.
7. "Configure vShield Manager Collections" on page 46
   Configure collections from your vShield Manager instances so that you can run reports on the collected data.
8.
Collect Machines Data From the Managing Agent Machines

Collect data from your Managing Agent machines to ensure that VCM identifies the Windows machines as licensed and that the 5.5 Agent or later is installed. The Managing Agent is the Agent used to collect data from your instances of vCenter Server, vCloud Director and vShield Manager.
Procedure
1. Click Administration.
2. Select Certificates.
3. Select the Managing Agent machines and click Change Trust Status.
4. Add any additional machines to trust to the lower data grid.
5. Select Check to trust or uncheck to untrust the selected machines and click Next.
6. Review the number of machines affected and click Finish.

What to do next
- If your Collector is not configured to use HTTPS, set the HTTPS bypass.
Procedure
1. Click Administration.
2. Select Administration > Machines Manager > Licensed Machines > Licensed Windows Machines.
3. Select the Managing Agent machines and click Change Managing Agent Status.
4. Add any additional machines to the lower data grid.
5. Select Enable - allow the selected machines to be used as managing agents and click Next.
6. Review the number of machines affected and click Finish.
Configure vCenter Server Data Collections

Collect data from your vCenter Server so that you can identify and manage your virtual environments, including ESX and ESXi hosts, and guest virtual machines.

Prerequisites
- Configure your Managing Agent machines. See "Configure Managing Agent Machines" on page 26.
- To maintain secure communication, you need the SSL certificates from your instances of vCenter Server.
Option: Description
Machine: Name of the vCenter Server.
Domain: Domain to which the vCenter Server belongs.
Type: Domain type.
Machine Type: Select vCenter (Windows).

6. Click Add. The machine information is added to the list.
7. (Optional) Add other vCenter Server instances as needed.
8. When all your vCenter Server instances are added to the list, click Next.
9. On the Information page, review the summary and click Finish.
Option: Description
or later installed. You can use the Collector as your managing agent.
Port: Type the port used by the VMware Infrastructure SDK on the vCenter Server instances. The default value is 443.
User ID: Type a vCenter Server instance user name. The user must have a vCenter Server administrative role or an unrestricted read only role.
Password: Type the password for the vCenter Server instance user ID.
What to do next
- Review the collected virtualization data. Click Console and select Virtual Environments > vCenter.
- (Optional) Schedule vCenter Server collections. See "Configure vCenter Server Scheduled Collections" on page 33.

vCenter Server Collection Results

The collected vCenter Server data appears in the Console in the Virtual Environments node. The collected vCenter Server data helps you identify and manage vCenter Server, host, and guest objects.
Procedure
1. "Create a vCenter Server Machine Group" on page 34
   Create a Windows machine group that contains your vCenter Server instances so that you can run collections on the member machines.
2.
Procedure
1. Click Administration.
2. Select Job Manager > Scheduled.
3. Click Add.
4. Select Collection and click Next.
5. Type a job name and description and click Next. For example, vCenter Server Collections.
6. Select Default filter set and click Next.
7. Select your vCenter Server machine group and click Next. For example, vCenter Server Instances.
8. Configure when the collection job runs and click Next. For example, every four hours starting today.
9.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines > Licensed Virtual Environments.
3. Select the vCenter Servers and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vCenter Servers from which you are collecting and click Next.
6.
What to do next
- For Windows operating system guest machines on which you installed the Agent, collect from the Windows virtual machines. See "Collect Windows Data" on page 97. If you did not install the Agent, see "Install the VCM Windows Agent on Your Windows Machines" on page 91.
- For UNIX/Linux operating system guest machines you must install the Agent. See "Install the Agent on UNIX/Linux Machines" on page 124.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Click Add Machines.
4. On the Add Machines page, select Basic: Name, Domain, Type, Automatically license machines, and click Next.
5. On the Manually Add Machines - Basic page, configure these options to identify the instances of vCloud Director.

Option: Description
Machine: Name of the vCloud Director instance.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCloud Director instances and click Configure Settings.
4. On the Virtual Environment page, verify that the vCloud Director instances appear in the lower pane and click Next.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vCloud Director instances and click Next.
Prerequisites
Configure the vCloud Director settings. See "Configure the vCloud Director Settings" on page 38.

Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCloud Director instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5.
Option: Description
Administration: Displays managed vCloud Director instances from which you are collecting data. Click Administration and select Machines Manager > Licensed Machines > Licensed Virtual Environments.
Displays the discovered virtual machines with a machine name that is based on your configuration options in the discovery rule. For example, OrgName:vAppName:VirtualMachineName. Click Administration and select Machines Manager.
- VCM is located in the vApp with the virtual machines that it is managing.
- The vApp has a direct connection to the org network.
- The vApp has a direct connection to the external network.
- The vApp has a one-to-one IP address NAT connection to the organization network with direct connection to the external network.
In a NAT mapped network environment, your best practice is to install the Agent on the vApp template machines. You must manually install the Agent with the HTTP mode enabled, but you must not collect data from these template machines. Collecting from the template machines generates machine-specific information that will cause the virtual machines created from the template to run incomplete collections.
Option: Description
the name of the virtual machine in vCenter.
- Org:vDC:vApp:VCName: Name of the vCloud Director organization with the virtual datacenter name, the name of the vApp that contains the virtual machine, and the name of the virtual machine in vCenter.
Option: Description
The connection string depends on the type and level at which NAT mapping is configured.
Cloud Name Filter
- None (use DNS): The Collector resolves the IP address to the virtual machine based on the configured name resolution mechanisms. For example, DNS or Hosts.
- Internal IP: The IP address that the virtual machine has in the vApp.
Option: Description
rule in post collection IP update string information for the discovered machines when new vCloud Director data is collected. Select No to not update the connection string information.

8. On the Important page, select the options and click Finish.

Option: Description
Would you like to run this Discovery Rule now? Select Yes.
The collected vShield Manager data appears in the Console in the Virtual Environments node. See "vShield Manager Collection Results" on page 49.

Add vShield Manager Instances

Add the instances of vShield Manager to VCM so that you can license and collect vShield Manager data using the Managing Agent. Most vShield Manager instances are discovered, added, and licensed. Use this procedure if they are not added to VCM.
Prerequisites
- Collect Machines data from the Windows machine that you designated as your Managing Agent. See "Collect Machines Data From the Managing Agent Machines" on page 27.
- If you are using SSL Certificates to maintain secure communication, you must provide the certificate thumbprint from the target system when configuring the settings. See "Obtain the SSL Certificate Thumbprint" on page 29.

Procedure
1. Click Administration.
2.
6. If you selected No on the Managing Agent and Communication Settings page, you must type or paste the thumbprint string in the text box and click Next.
7. On the Important page, click Finish.

What to do next
Collect vCloud Director data. See "Collect vShield Manager Data" on page 49.

Collect vShield Manager Data

Collect the data from the instances of vShield Manager. The data is displayed by detailed data type and appears in the VCM Console.
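
The thumbprint that the settings procedure above asks you to type or paste can be computed from the exported certificate and compared with the pasted string before it is submitted. The following Python code is an added example, not VCM code; it assumes the thumbprint is the SHA-1 digest of the DER-encoded certificate written as 40 hexadecimal characters (the form the Windows certificate dialog shows), and the function names and sample bytes are constructed for illustration.

```python
import base64
import hashlib
import re
import unicodedata

# Constructed stand-in for a DER-encoded certificate: arbitrary bytes, NOT a
# real X.509 certificate, so the example runs offline. In practice, use the
# PEM file exported from the target system.
SAMPLE_DER = bytes(range(256))
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks inside the block
    return base64.b64decode(body, validate=True)


def thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding as 40 uppercase hex characters (assumed format)."""
    return hashlib.sha1(der).hexdigest().upper()


def normalize_thumbprint(pasted: str) -> str:
    """Clean a pasted thumbprint and reject anything that is not 40 hex digits.

    Strings copied from certificate dialogs often carry spaces, colons, or an
    invisible Unicode format character (category Cf, such as U+200E) that makes
    a visually correct thumbprint fail to match.
    """
    cleaned = "".join(
        ch
        for ch in pasted
        if not ch.isspace() and ch not in ":-" and unicodedata.category(ch) != "Cf"
    ).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", cleaned):
        raise ValueError("thumbprint must be 40 hexadecimal characters")
    return cleaned


def thumbprints_match(pasted: str, der: bytes) -> bool:
    """True when the pasted thumbprint equals the one computed from the certificate."""
    return normalize_thumbprint(pasted) == thumbprint(der)


if __name__ == "__main__":
    der = pem_to_der(SAMPLE_PEM)
    computed = thumbprint(der)
    # Simulate a paste that picked up a left-to-right mark and space separators.
    pasted = "\u200e" + " ".join(computed[i:i + 2] for i in range(0, 40, 2)).lower()
    print("computed:", computed)
    print("pasted matches:", thumbprints_match(pasted, der))
```

A mismatch after normalization means the certificate on hand is not the one the thumbprint was taken from, which is the condition the thumbprint check exists to catch.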
Option: Description
Manager instances.
Administration > Machine Groups: Dynamic machine groups based on vShield App instances security group membership and are used to limit the displayed data.

Configure ESX Service Console OS Collections

The ESX Service Console OS Linux data type data and the ESX logs are collected directly from the ESX operating systems, not from vCenter Server.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. Determine whether the Collector machine name appears in the data grid. If it is listed in the data grid, the machine is licensed. If it is not listed, continue with the licensing process.
4. License the Collector.
   a. Select Machines Manager > Available Machines.
   b. Select the Collector in the data grid and click License.
   c.
Prerequisites
- Verify that at least one Agent Proxy machine is configured. See "Configure the Collector as an Agent Proxy" on page 50.

Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed ESX/ESXi Hosts.
3. Select the ESX host and click Configure Settings.
4. Add the machines to be configured to the lower grid and click Next.
5. Configure the settings on the Agent Proxy and Communication Setting page.

Option: Description
Agent Proxy: The configured Agent Proxy used to manage the selected virtual machine host machines. This option is required when you are licensing host machines, but it is optional if you are modifying the settings.
SSH: Select the check box to configure the settings for your ESX machines.
For ESX machines, you import target machine information from VCM and copy the SSH public key file, the csiprep.py file, and the csiprep.config file to the target ESX machines. For ESXi machines, you import machine information and copy the necessary Web Services settings to the target machines.

Prerequisites
- License the ESX and ESXi machines. See "Configure Virtual Machine Hosts" on page 51.
- Locate the UNIX/ESX/vSphere Deployment Utility file in C:\P
- Use the same user name for both SSH and Web Services collections (ESX 3.x only).
- Use the same password for all WebServices users.
- Apply the same user names and passwords to all ESX servers.

10. Click Configure. All the machines where the Configure check box is selected now have the same version of the files copied to the location specified in the Remote Path field in the table. If no path is specified, the files are copied to the /tmp directory.
Configure the vSphere Client VCM Plug-In

The vSphere Client VCM Plug-In provides contextual access to VCM change, compliance, and management functions. It also provides direct access to collected vCenter Server, virtual machine host, and virtual machine guest data. When using the vSphere Client VCM Plug-In, the virtual machine host name in vCenter must match the virtual machine host name in VCM.
Procedure
1. On the VCM Collector, browse to [path]\VMware\VCM\Tools\vSphere Client VCM Plugin\bin and double-click VCVPInstaller.exe.
2. In the VCVP Plug-in Registration dialog box, configure the following options.

Option: Description
Register: Select the option to register the URL for the plug-in. Select Unregister only if you are discontinuing the use of the plug-in on the target vSphere Client.
Procedure
1. Select Administration > Settings > Integrated Products > VMware > vSphere Client VCM Plug-In.
2. Select the setting that you want to configure and click Edit Settings.
3. On the Settings Wizard page for each setting, configure the options.

Option: Description
Machine group against which the external reports will be run: Type the name of the machine group.
You can use troubleshooting options to identify and resolve any problems.

Invalid Certificate on a vSphere Client

The vSphere Client connects to the vCenter Server using the SSL certificate and displays the datacenters, hosts, and any clusters.

Problem
When logging into a vSphere Client for the first time, if the certificate is not valid, a security warning about the SSL certificate appears.

Cause
The certificate is not valid.

Solution
1.
4 Running Compliance for the VMware Cloud Infrastructure

Compliance templates evaluate the virtual environment object data to determine if the objects meet the criteria in the rules. If the property values on an object do not meet the criteria, and if there is no exception defined, then the object is flagged as noncompliant. When an object is noncompliant, the template results provide the details of the settings or configurations that do not match the rules.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.

Prerequisites
Collect virtual environments data. See "Configure Virtual Environments Collections" on page 25.

Procedure
1. "Create Virtual Environment Compliance Rule Groups" on page 62
   Create rule groups so that you can add rules and filters.
2.
Create and Test Virtual Environment Compliance Rules

Create rules that define the ideal value that objects should have to be considered compliant. The data types correspond to the collected virtual environments data that is displayed in the Console. To identify the values you are configuring for compliance, review the data grids so that you can locate the correct data type in the rule wizard.
Create and Test Virtual Environment Compliance Filters

Create filters that limit the objects on which the templates run to only the objects that meet the filter criteria. If filters are not defined, the rules are run against all objects in the selected virtual objects group.

The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.

Prerequisites
- Create a rule group. See "Create Virtual Environment Compliance Rule Groups" on page 62.
- Create a rule. See "Create and Test Virtual Environment Compliance Rules" on page 63.
- Create compliance filters. See "Create and Test Virtual Environment Compliance Filters" on page 64.
Prerequisites
Create a rule group. See "Create and Test Virtual Environment Compliance Rules" on page 63.

Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Templates.
3. Click Add.
4. Type the Name and Description in the text boxes and click Next. For example, Tools Running Not vCenter_Dev and a description.
5. Move the rule group, for this example, Guest Tools Running, to the list on the right and click Next.
6.
What to do next
- If you find results that you want to temporarily make compliant or noncompliant, create an exception. See "Create Virtual Environment Compliance Exceptions" on page 68.
- Evaluate the results and resolve any issues on the noncompliant objects.
6. Select the machines or objects that you identified as noncompliant and click the applicable action button on the data grid. For example, select the virtual machines that are powered off that should be powered on to be compliant and click Power VM On.
7. Follow the prompts to configure the options, select Run action now, and click Finish.
For this example, select All Virtual Objects.
7. Select the override options and the expiration date.
   a. Select Override non-compliant results to compliant.
   b. Select No Expiration.
   c. Click Next.
8. To define the exception values, modify, delete, or add to the properties, operators, and values for the selected results. In this example, you are specifying the RHEL_60_ProdDev as the exception.
   a. Click Add.
   b.
Create Virtual Environment Compliance Alert Rules

Alert rules are the conditions you define that determine when an alert is generated. Virtual environment alert rules are based on virtual environment compliance templates.

Prerequisites
Verify that you have virtual environment compliance templates. See "Create and Run Virtual Environment Compliance Templates" on page 61.

Procedure
1. Click Administration.
2. Select Alerts > Rules.
3. Click Add.
4.
What to do next
Schedule a job to run your virtual environments compliance templates on a timetable of your choosing. See "Schedule Virtual Environments Compliance Template Runs" on page 71.

Schedule Virtual Environments Compliance Template Runs

Schedule a regular run of your virtual environments compliance templates to ensure that the collected data is regularly assessed for adherence to the defined compliance rules.
5 Configuring vCenter Operations Manager Integration

Integration of VCM with vCenter Operations Manager reports VCM configuration change events and standard compliance results in vCenter Operations Manager.
Procedure
1. In VCM, click Administration.
2. Select Settings > Integrated Products > VMware > vCenter Operations Manager > Change Events.
3. Configure VCM to report a UNIX data type, such as UNIX Patch Assessment, to vCenter Operations Manager.
   a. Select UNIX Patch Assessment - Report to vCenter Operations Manager, and click Edit Setting.
   b. Click Yes to report the data.
   c. Click Next and click Finish.
4.
Prerequisites
- Verify that VCM is configured to collect data from the same vCenter Server instances that vCenter Operations Manager manages. See "Configure vCenter Server Data Collections" on page 30.
- Collect the required virtualization data types from the shared vCenter Server instances. The data types are vCenter Guests, vCenter Hosts, vCenter Inventory, vCenter Settings. See "Collect vCenter Server Virtual Machines Data" on page 35.
Prerequisites
- Use the Content Wizard tool to download compliance templates created by VMware, for example, the vSphere Hardening Guides and other standards. The Content Wizard is available from the Start menu on the Collector machine.
- Create compliance templates that are specific to your environment to include in the mappings. The template names should not include the | character.
Option    Description
Select Group Context
    Select compliance template context for which you are creating this mapping.
    - Machine Group Compliance: Select this option to add machine group templates to the mapping. The virtual machines and host machines must also be managed as virtual objects in VCM in order for the machine object IDs to correlate to the objects in vCenter Operations Manager.
Review Mapping Scores in the Dashboard Report
The roll up scores appear in the Compliance Badge Rollup dashboard. Review the dashboard to ensure that the scores are calculated as expected. The current roll up scores are also available in the Machine Group Compliance Badge Rollup Detail and Summary report.
Prerequisites
Run the Compliance Badge Mappings. See "Run Compliance Badge Mappings" on page 77.
Procedure
1. Click Console.
2.
What to do next
View the mapped badges in vCenter Operations Manager. See "View Compliance Badges in vCenter Operations Manager" on page 79.

View Compliance Badges in vCenter Operations Manager
The standards compliance score in VCM contributes a compliance score to the Risk badge score in vCenter Operations Manager.
Scoring Calculation Process
The badge calculations are based on mapping options and standards compliance settings. The options and the settings interact in the following workflow:
- Scoring based on mapping options.
- Select the compliance standard badge to which the mapping contributes a score.
- Select the roll up type that determines the initial score calculation.
For the Weighted Percentage and Weighted Rule Percentage roll up types, you can apply a weighted value. The weighting is the value by which the result or rule is multiplied to give the different severity levels more or less weight when calculating the scores. The weighting of the severity levels is configured in the Standards Compliance Settings. The default values are Low=1, Moderate=2, Important=4, and Critical=8.
You might choose scoring by rule rather than by results when some rule groups return significantly more rules than other rules in the same rule group. For example, a rule that checks user accounts returns one result per user account on an object, but a rule that checks a password policy returns only one result for an entire system.
Template: To roll up at the template level means that each template's scores are averaged when rolled up to the badge level.
- For example, Mapping 1 has three templates using the scores provided in the Scoring table. The score is calculated as (80+50+100)/3=77, where 77 is the score.
Mapping: To roll up at the mapping level means that the score for each mapping associated with a badge is averaged when rolled up to the badge level.
Detail Level Score: 70
Midpoint: 50
Magnitude: 80
Calculation: 70-50=20; 20*80%=16; 70+16=86
Adjusted Score: 86

The adjusted score is the score that is pulled by the vCenter Operations Manager VCM Adapter and appears as part of the Risk badge score. You modify the midpoint and magnitude to give the Compliance subbadge scores a stronger or weaker influence on the Risk parent badge.
6 Auditing Security Changes in Your Environment
The VCM Auditing capability tracks all changes in the security aspects of VCM. Security-related events are written to the Windows Event Log, which is stored on the Collector, and is independent of the VCM application. The format of the event log prohibits any modifications to the recorded entries, which makes it a secure and tamper-proof auditing record of changes in security.
7 Configuring Windows Machines
To manage your virtual and physical Windows machines, you must verify domains and accounts, discover and license those machines, install the VCM Agent, and collect Windows data from those machines. You can also collect Windows Custom Information.
5. License Windows Machines
   To manage Windows machines, you must license them in VCM.
6. Install the VCM Windows Agent on Your Windows Machines
   Install the VCM Windows Agent on each Windows machine so that you can collect data and manage the virtual or physical machines.
7. Collect Windows Data
   Start managing the Windows machines by performing an initial collection, which adds Windows machine data to VCM.
Procedure
1. Click Administration.
2. Select Settings > Network Authority > Available Accounts.
3. To add a new domain account, click Add.
4. Type the domain name, user name, and password, and click Next.
5. Click Finish to add the account.
What to do next
Assign the network authority account to the domain so that VCM can access the Windows machines in the domain. See "Assign Network Authority Accounts" on page 89.
NOTE You can use the Discovered Machines Import Tool (DMIT), which imports machines discovered by the Network Mapper (Nmap), to import many physical and virtual machines at one time into the VCM database. Download DMIT from the VMware Web site.
The following procedure is based on Active Directory.
Prerequisites
Assign a Network Authority Account that VCM can use for access. See "Assign Network Authority Accounts" on page 89.
Procedure
1.
Prerequisites
Verify that the Windows machines you license are listed with a machine type of workstation or server in the Available Machines node. If the discovered or added type is not workstation or server, VCM cannot license the machines.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Select the Windows machines to license.
4. Click License.
5. Verify that the Windows machines to license appear in the Selected list.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. In the data grid, select one or more Windows machines on which to install the Agent and click Install.
4. On the Machines page, verify that the target machines appear in the Selected list and click Next.
5. On the Install Options page, select the installation options and click Next.
Option    Description
Share
    Location to install the Agent.
Procedure
1. Locate the Enterprise Certificate .pem file in the Collector's c:\Program Files (x86)\VMware\VCM\CollectorData folder.
2. If the certificate files are not in the default location, you must confirm the path to the files.
   a. Click Administration.
   b. Select Settings > General Settings > Collector.
   c. Select Root directory for all collector files.
   d. Confirm the file path in the Value column.
Procedure
1. On your VCM Collector, open Windows Explorer and navigate to the Agent files directory at C:\Program Files (x86)\VMware\VCM\AgentFiles.
2. Copy the CMAgentInstall.exe file from the Collector to the target machine or a shared network location. The CMAgentInstall.exe file is located in the path relative to the installed software on the Collector.
3.
Option    Action
the CERT=SKIP parameter to allow an HTTP Agent to operate without a valid CERT path. The CERT path cannot contain spaces, even when enclosed in quotes, so enter an 8.3 compatible path as in the preceding silent mode example.
4. On the target machine, in Windows Explorer run CMAgentInstall.exe.
What to do next
- To confirm that the job finished running, click Administration and select Job Manager > History > Other Jobs > Past 24 Hours.
Option    Action
communication. When you include an option with CMAgent[Version].msi, you must follow these conventions:
- Include optional parameters in any combination and order.
- After the required /i parameter, use uppercase letters for optional parameters.
- Use quotation marks when a path includes spaces in the source file location and the INSTALLDIR parameter.
To see details about the options, select Start > Run > msiexec.
Option    Action
CERTIFICATEFILE="x:\[mypath]\[mycert].pem" or CERTIFICATEFILE="SKIP"
What to do next
- To confirm that the job finished running, click Administration and select Job Manager > History > Other Jobs > Past 24 Hours.
- Collect Windows data from VCM managed machines. See "Collect Windows Data" on page 97.

Manually Uninstall the VCM Windows Agent
When you no longer manage a Windows machine with VCM, you uninstall the Agent from that target machine.
Prerequisites
- Collect the Accounts and Groups data types from the primary domain controller (PDC) in each domain to increase the performance of initial collections that require a SID lookup.
- To collect data from Windows XP SP2 or Vista machines that use DCOM communication, you must enable ICMP pings in the firewall settings or disable ICMP pings in VCM.
- Verify that DCOM is enabled on the managed machine.
Option    Description
    - To run a compliance check, click Compliance and select Machine Group Compliance.
    - To create rule groups, rules, filters, and templates, see the online help.
Reports
    Runs preconfigured reports or you can create custom reports. VCM runs reports against the latest collected data. Depending on the data volume or complexity of the requested report, it might take time to generate the report. You can also schedule and disseminate reports.
Figure 7–1. Windows Custom Information Collection Process
To extend the data collected by VCM from managed Windows machines using other VCM data types, collect Windows Custom Information. Configure the prerequisites and create and validate your PowerShell script.
Prerequisites
- To collect Windows Custom Information from VCM managed machines, you must configure the prerequisites. See "Prerequisites to Collect Windows Custom Information" on page 100.
Prerequisites
- Write your own PowerShell script to return data in a VCM compatible, element-normal XML format, or obtain PowerShell scripts from VMware Professional Services or another source. See "Using PowerShell Scripts for WCI Collections" on page 101.
- Understand the script signing policies if you use PowerShell 2.0. See "PowerShell Script Signing Policies" on page 105.
- Set the PowerShell execution policy on the VCM managed machine.
Guidelines in PowerShell Scripting for WCI
When you develop custom PowerShell scripts to collect the Windows Custom Information (WCI) data type from VCM managed Windows machines, follow these guidelines.
- Make XML element names unique at the same level. For example, you can specify two child nodes that are not siblings.
- Make attributes unique at the same level.
- Use unique XML element names to generate valid VCM XML.
The split method of PowerShell strings in the $schtasks script separates the columns of the $schtasks rows into separate values in arrays.
- Column names row provides the names to use for attributes.
- Corresponding data from the scheduled task rows provides the values to use for these attributes.
The top-level name of is an arbitrary name that you apply to distinguish the results of this script from other results.
Column Names Include Spaces
Running the schtasks command without any options displays a column name of Next Run Time. Because this name includes spaces, you cannot use it as an attribute name in an XML document. Running the schtasks command verbosely generates other column names that include spaces. Although you cannot use these invalid names as attribute names, you can preserve the names by using VCM encoding standards.
To preserve the user-friendly name, use the task name as the element name for the task rows. When you create a collection filter that uses your script, you must select the incremental duplicate handling option so that the collection process includes an incremental entry in the list of entries where the same task name appears multiple times. For example, in a sample test environment, many Windows machines had more than one task named GoogleUpdateTaskMachineCore.
- In-line: The default WCI filter uses an in-line script to collect basic information about the PowerShell version, .NET version, and execution policy settings. The in-line option requires a collection script that is represented as a single line of PowerShell code. Because the filter runs an in-line script on the PowerShell command line, instead of using a file, the execution policy does not apply.
The schtasks command returns basic information about scheduled tasks. The data returned by schtasks includes multiple rows. PowerShell structures the $schtasks variable in an array. For example, $schtasks[0] represents the first row. To view the result set, use $schtasks[n], which displays the following status:
- $schtasks[0] is blank.
- $schtasks[1] contains column names.
- $schtasks[2] is the first row of task data.
function ToCMBase64String([string]$input_string)
{
    return [string]("cmbase64-" + [System.Convert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($input_string))).
{
    $hostcol = $j++
}
else
{
    if (([string]$cols[$j]).toupper() -eq "TASKNAME")
    {
        $namecol = $j++
    }
    else
    {
        $j++
    }
}
}
#save first column name, to check for repeated column rows
$firstcol = $cols[0]
#encode each column name
for ($j=0;$j -lt $cols.count;$j++)
{
    $cols[$j] = [string](ToCMBase64String($cols[$j]))
}
#loop through each row
#start at $k+1, because the first row may be blank, and the first populated row is column names
for ($i=$k+1;$i -lt $schtasks.
if ($task[0] -ne $firstcol)
{
    #if we did not find a TaskName column, just tag each row as Task-n
    if ($namecol -gt -1)
    {
        $clTasks += "<" + [string](ToCMBase64String($task[$namecol])) + ">"
    }
    else
    {
        $clTasks += ("")
    }
    for ($j=0;$j -lt $task.
} #end row loop
}
$clTasks += ("")
write-host $clTasks

5. After you generate your PowerShell script, perform the following steps:
   - Build a collection filter in VCM.
   - Paste the content of your script into the collection filter.
   - Collect data using the script-based collection filter.
To view the collected WCI data in VCM, click Console and select Windows Operating System > Custom Information > List View.
data reported.
- Do not create two filters to collect data on the File Permission With Audit data type from different parts of a managed machine's file system.

Collecting Windows Custom Information
To collect Windows Custom Information (WCI) using script-based filters, you create and verify your custom PowerShell scripts, install PowerShell on the VCM managed machines, and use VCM to collect the WCI data.
Procedure
1.
Create Your Own WCI PowerShell Collection Script
Create or modify your Windows Custom Information (WCI) scripts to collect almost any data type that is accessible from VCM managed Windows machines. To return data in a VCM compatible, element-normal XML format, you create your own PowerShell script or obtain PowerShell scripts from VMware Professional Services or another source and modify them for your own collections.
Procedure
1. On your VCM Collector or managed Windows machine, open a command prompt.
2. Run powershell.exe from the command line.
3. Paste your script into the PowerShell window. If your script does not run, press Enter.
4. Make sure that your script runs without errors. Errors appear in red in the PowerShell window.
5. If errors occur, resolve them.
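The WCI scripting guidelines in this chapter (unique sibling element names, unique attributes, no spaces in names) can be checked mechanically on a script's output before the script is pasted into a collection filter. The following PowerShell is an added example, not part of VCM or of this guide; Test-WciXml, Get-XmlPath, the Scheduled_Tasks top-level name and the sample XML are assumptions constructed for illustration.

```powershell
# Added example: pre-flight check for the XML that a WCI collection script emits.
# Test-WciXml, Get-XmlPath and the sample documents are hypothetical (constructed here).

function Get-XmlPath([System.Xml.XmlNode]$Node) {
    # Build /root/child/... for reporting. Accessor methods (get_Name) are used
    # instead of .Name because PowerShell's XML adapter lets a child element or
    # attribute called "Name" shadow the .NET property.
    $parts = @()
    while ($Node -ne $null -and
           $Node.get_NodeType() -eq [System.Xml.XmlNodeType]::Element) {
        $parts = @($Node.get_Name()) + $parts
        $Node = $Node.get_ParentNode()
    }
    return '/' + ($parts -join '/')
}

function Test-WciXml([string]$XmlText) {
    $doc = New-Object System.Xml.XmlDocument
    try {
        # The parser already rejects names containing spaces (a raw
        # "Next Run Time" attribute) and attributes repeated on one element.
        $doc.LoadXml($XmlText)
    }
    catch {
        return @('Not well-formed XML: ' + $_.Exception.Message)
    }

    $findings = @()
    foreach ($el in $doc.SelectNodes('//*')) {
        # Child elements of $el that share a name with a sibling.
        $dupes = @($el.SelectNodes('*') |
                   Group-Object -Property { $_.get_Name() } |
                   Where-Object { $_.Count -gt 1 })
        foreach ($d in $dupes) {
            $findings += ('Sibling element <{0}> appears {1} times under {2}' -f
                          $d.Name, $d.Count, (Get-XmlPath $el))
        }
    }
    return $findings
}

# Constructed sample outputs; "Scheduled_Tasks" is an arbitrary top-level name.
$samples = @(
    @('unique rows',     '<Scheduled_Tasks><Task-1 Status="Ready"/><Task-2 Status="Ready"/></Scheduled_Tasks>'),
    @('repeated task',   '<Scheduled_Tasks><GoogleUpdateTaskMachineCore Status="Ready"/><GoogleUpdateTaskMachineCore Status="Running"/></Scheduled_Tasks>'),
    @('raw column name', '<Scheduled_Tasks><Task-1 Next Run Time="N/A"/></Scheduled_Tasks>')
)

foreach ($s in $samples) {
    $label = $s[0]
    $result = @(Test-WciXml $s[1])
    if ($result.Count -eq 0) {
        Write-Output "${label}: OK"
    }
    else {
        foreach ($r in $result) { Write-Output "${label}: $r" }
    }
}
```

A repeated-sibling finding is not necessarily an error: it indicates that the collection filter for that script needs the incremental duplicate handling option described in this chapter.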
Collect Windows Custom Information Data
Use the Windows Custom Information (WCI) data type to perform user-defined, script-based collections on your VCM managed machines. To collect the custom data, you build a collection filter that includes a script with parameters to run the script and process the results.
Run the Script-Based Collection Filter
Use a collection filter and your PowerShell script to collect Windows Custom Information (WCI) from VCM managed Windows machines.
Procedure
1. On your VCM Collector, click Collect.
2. On the Collection Type page, select Machine Data and click OK.
3. On the Machines page, select the managed machines from which to collect WCI data and click Next.
4. Click Select Data types to collect from these machines and click Next.
Procedure
1. On your VCM Collector, click Administration.
2. Select Job Manager > History > Instant Collections > Past 24 Hours.
3. In the Instant Collections pane, select a collection job that includes WCI data.
4. In the Job History Machine Detail pane, select View Details. A single row appears for each WCI filter that ran in the collection job. Information about the WCI script and the script results parsing appears in the row.
5.
Procedure
1. On your VCM Collector, click Console.
2. Select Windows > Operating System > Custom Information.
3. Select a view of the collected WCI data.
Option    Description
Tree View Standard
    Tree hierarchy view based on the data structure in your PowerShell script.
Tree View Consolidated
    Tree hierarchy that displays data across multiple elements simultaneously with the data consolidated from one level of the tree.
Troubleshooting Custom PowerShell Scripts
If you encounter problems when you run custom PowerShell scripts, run the script as a .ps1 file and correct any errors before you use the script with a VCM collection filter.
Prerequisites
- Verify that your script runs in PowerShell. See "Verify that Your Custom PowerShell Script is Valid" on page 113.
- Understand the PowerShell script signing policies. See "PowerShell Script Signing Policies" on page 105.
Procedure
1.
8 Configuring Linux and UNIX Machines
You configure your virtual and physical Linux and UNIX machines in VCM so that you can manage them to ensure functionality and compliance with standards.
communication between the Collector and the managed UNIX/Linux machines.
4. "Collect UNIX/Linux Data" on page 131
   When the UNIX/Linux machines are licensed and the Agent is installed, you collect data from those machines.
Continuous machine management is based on the latest data you collect from target machines. You can view data and run actions, such as reports or compliance, based on the collected data. See "UNIX/Linux Collection Results" on page 132.
a. Configure machine information.
Option    Action
Machine
    Type the name of the machine. You can use NetBIOS or Fully-Qualified Domain Name (FQDN) notation for the name. If your Collector cannot resolve a host name with a DNS Server, use an IP address rather than a machine name.
Domain
    Type or select the domain to which the machine belongs.
Type
    Select the domain type.
Machine Type
    Select the machine type.
Port
    Type the port number.
6. On the Important page, click Finish.
What to do next
Install the Agent on the target machines. See "Install the Agent on UNIX/Linux Machines" on page 124.

Install the Agent on UNIX/Linux Machines
Install the appropriate version of the VCM Agent on each of your licensed target machines to enable communication between the Collector and the managed UNIX/Linux machines. Installing the Agent on UNIX/Linux machines is a manual operation.
Procedure
1. Copy the appropriate Agent binary installation package from the Collector to the machine on which you will install the Agent. The Agent packages are located on the Collector in \Program Files (x86)\VMware\VCM\Installer\Packages.
Operating System Version    Agent Binary
Red Hat (Enterprise) Linux Edition (Version 3.0, 4.0, 5.0, 5.1, 5.2, 5.3, 5.4, 5.5, 5.6, 5.7, 6, 6.1, 6.2). Red Hat 3.0 requires the CMAgent.5.4.0.Linux Agent.
inflating: CSIInstall/scripts/AltSource_ftp.sh
inflating: CSIInstall/scripts/AltSource_rcp.sh
inflating: CSIInstall/scripts/AltSource_sftp.sh
inflating: CSIInstall/scripts/AltSource_wget.sh
extracting: CSIInstall/scripts/AltSourceCmd
inflating: CSIInstall/InstallCMAgent
inflating: CSIInstall/csi.config
inflating: CSIInstall/CMAgent.
creating: CSIInstall/.security/certificates/
inflating:CSIInstall/.
Option    Action
command. Install the Agent using the interactive mode if you did not modify the csi.config and to respond to each prompt to accept or change each parameter in the csi.config file as it runs. As a result of your responses, the csi.config is modified. The preinstallation stage of interactive mode checks for a valid user, CSI_USER. If the user exists, you are not prompted for these configuration values.
Installation Options for Linux or UNIX csi.config
The installation options are variables you add or modify in the csi.config file used when you install the Agent. You can create several versions of this file based on operating system or specific settings, but do not change the file name.
Installation Options with Default Values    Description
CSI_AGENT_RUN_OPTION
    You can install the Agent as a daemon process or install it to be run by inetd/xinetd/launchd.
Installation Options with Default Values    Description
AVAILABLE_LOCAL_GID=Y
    to be the next available local Group ID over CSI_USER_PRIMARY_GID.
CSI_USER=csi_acct
    Keep the default value. The user assigned to the cfgsoft group. The CSI listener process runs under this user.
CSI_CFGSOFT_GID=500
    Keep the default value. The Group ID of the cfgsoft group. This value can change if the GID is already in use. This group is for high-security access.
Installation Options with Default Values    Description
    - Linux: /var/log
    - AIX, HP-UX, and Solaris: /var/adm
CSI_KEEP_CSIINSTALL=N
    Recommend keeping the default value. After a successful installation, the temp installation directory CSIInstall is deleted. To keep this installation directory, set this parameter to Y.
CSI_LOCALE=
    Keep the locale configuration option unspecified in the csi.config file when installing the Agent.
Installation Options with Default Values    Description
    added to the CSIRegistry, but the process logs and displays an i18n warning. If you interactively install the Agent, the Agent installation scripts use the previous precedence rules to evaluate and generate a default value that is displayed during the installation of the Agent. If you select a non-UTF-8 locale, the Agent installation uses the locale, but the process logs and displays a warning.
Procedure
1. Click Collect.
2. On the Collection Type page, select Machine Data and click OK.
3. On the Machines page, select the machines from which you are collecting data and click Next.
4. On the Data Types page, configure the collection and click Next.
   a. Select the Select All check box.
   b. Select Use default filters.
5. On the Important page, verify that there are no conflicts with previously scheduled or running jobs, and click Finish.
Option    Description
Compliance
    Determines if the collected data from target machines meets specified compliance values, and allows you to run compliance remediation actions. To run a compliance check, click Compliance and select Machine Group Compliance and follow the steps described in the online help to create rule groups, rules, filters, and templates.
Patching
    Assesses target machines to determine if the machines have the most current patches.
Procedure
1. Click Collect.
2. On the Collection Type page, select Machine Data and click OK.
3. On the Machines page, select the machines hosting the Oracle instances, select Do not limit collection to deltas, and click Next.
4. On the Data Types page, configure the collected data types.
   a. Expand the UNIX data type.
   b. Select Machines - General and Oracle - Management Views.
   c. Select Use default filters and click Next.
5.
Procedure
1. Click Administration.
2. Select Machines Manager > Additional Components > VCM for Oracle.
3. Select the target instances and click Edit.
4. On the Select Machines page, verify that the target Oracle instance machines are in the selected machines list and click Next.
5. On the Configuration Values page, configure the missing or incorrect values.
   a. Type the configuration values.
Prerequisites
- Add, license, and install the Agent on Solaris machines hosting Oracle instances. See "Configure Linux and UNIX Machines" on page 121.
- Collect from the target Solaris machines using the following data types.
  Machines - General
  Oracle - Management Views
  The collection process discovers Oracle instances from the oratab file on Solaris machines. See "Discover Oracle Instances" on page 133.
Procedure
1. Click Administration.
2.
What to do next
- If your target Oracle instance is Oracle 10g, set user permissions. See "Grant Permissions for the Oracle Collection User Account on Oracle 10g" on page 137.
- To begin managing your Oracle instances, collect data from the target instances. See "Collect Oracle Data" on page 138.

Create the Oracle Collection User Account with the Config User Action
You can create an OS-authenticated Oracle collection user account on target Oracle instances from VCM.
Procedure
1. On the Oracle instance, run chmod o+rx to grant permission for the Oracle Collection User on the required Oracle directories. For example, /opt/oracle, /oracle, and so on.
2. Run chmod o+rx for every directory level from the top level install down to $ORACLE_HOME. For example, if the top level is /oracle and $ORACLE_HOME is /oracle/app/product/10.20.
Prerequisites
Verify that the Oracle instances are added to VCM and correctly configured. See "Edit Oracle Instances" on page 134.
Procedure
1. On the toolbar, click Collect.
2. On the Collection Type page, select Machine Data and click OK.
3. On the Machines page, select the Solaris machines hosting the Oracle instances.
4. Select Do not limit collection to deltas and click Next.
5. On the Data Types page, configure the collected data type.
   a.
Option    Description
    Depending on the volume or complexity of the data requested in a report, it might take time to generate the report. See the online help for information about scheduling and disseminating reports. To create Oracle reports, click Reports and select Machine Group Reports.
9 Configuring Mac OS X Machines
You configure your virtual and physical Mac OS X machines in VCM so that you can manage them to ensure functionality and compliance with standards.
Add Mac OS X Machines
Add Mac OS X machines to the Available Machines list to make the machines available for licensing. If you add a large number of machines, you can use other methods to add the machines. See the online help for procedures to import machine information from a file or use IP Discovery.
What to do next
License the machine. See "License Mac OS X Machines" on page 143.

License Mac OS X Machines
License Mac OS X machines before you install the Agent and begin to manage them. You license the machines displayed in the Available Machines list.
Prerequisites
- Verify that you added the Mac OS X machines. See "Add Mac OS X Machines" on page 142.
- Verify that the machines you are licensing have a specified Machine Type.
- Select the method that you want to use to copy files to the target machines. You can use ftp, sftp, or cp using an NFS share. If you use ftp to copy the package to your machine, you must use binary mode.
- If you are collecting non-ASCII information from the target machines, install a UTF-8 locale. To determine the locales installed on your operating system, use the locale -a command.
Procedure
1.
   a. Run the chmod u+x csi.config command to add write file permissions if the file has only read permissions set.
   b. Modify the csi.config file options based on your local requirements and save the file.
   c. Copy the modified and saved csi.config file to the extracted location. For example, # cp //csi.config //CSIInstall/csi.config.
7. Run InstallCMAgent in either silent mode or interactive mode.
Option    Action
Silent mode
    Run the # .
were installed. /CSI_PARENT_DIRECTORY/CMAgent is the default directory. If you changed the directory name during installation, modify the ls -la command to display the custom directory name.
drwxr-x--- 3 root cfgsoft 4096 Jul 2 17:34 Agent
drwxr-x--- 3 root cfgsoft 4096 Jul 2 17:34 CFC
-rw-rw---- 1 root cfgsoft 49993 Jul 2 17:34 CSIRegistry
-rw-rw---- 1 root cfgsoft 0 Jul 2 17:34 .CSIRegistry.
Installation Options with Default Values    Description
CSI_USER_NO_LOGIN_SHELL=/bin/false
    Keep the default value. Indicates the no-login shell value to use when you create the user.
CSI_USER_PRIMARY_GROUP=csi_acct
    Keep the default value. Group name to use when you create a new user as the user’s primary group. This group is for low security access.
Installation Options with Default Values    Description
    contains that Collector’s Enterprise Certificate.
CSI_PARENT_DIRECTORY=/opt
    Specifies the parent directory of the CM Agent. The root directory of CMAgent will be CSI_PARENT_DIRECTORY/CMAgent.
CSI_PARENT_DATA_DIRECTORY=/opt
    Specifies the parent directory of the CMAgent data directory. The data directory will be CSI_PARENT_DATA_DIRECTORY/CMAgent/data.
Installation Options with Default Values    Description
    The UTF-8 locale is added to the CSIRegistry.
    4. No default locales are specified on the target operating system. The Agent installation script runs the locale -a command and adds the first installed UTF-8 locale that it finds to the CSIRegistry.
    5. The operating system is not configured for any internationalization.
Collecting data from machines adds the collected machine information to the VCM database and makes the machine data available for reporting, running compliance, and other management options. The collection process for Mac OS X collection is similar to other collections, including Windows, except that you select Mac OS X data types during the collection instead of Windows data types.
Prerequisites
- License the target machines.
- Security - Users > Current
- Security - Users > Information
- Security - Groups
- Properties files (.plist)
- System Logs > syslog events

Mac OS X Collection Results
Mac OS X data is displayed in VCM and is available for several management actions. The displayed data is only as current as the last time you collected the data.

Option | Description
Console | Displays dashboards and summary reports based on collected data.
10 Patching Managed Machines

VCM Patching is the VCM patch assessment, deployment, and verification capability, which ensures continuous security throughout your environment by proactive compliance of your IT infrastructure. VCM Patching ensures that your machines have the latest security patches and other software installed.
to selected machines. Use these user-defined templates with Windows machines.
- VCM Patching Administration: Configures email notifications, proxy server and logon information, machine group mapping for custom patching, and administration tasks for Windows, UNIX, and Linux machines.

VCM Patching for UNIX and Linux Machines
VCM Patching for UNIX and Linux machines helps you deploy patches to bring UNIX and Linux machines into compliance.
Figure 10–1. UNIX and Linux Patch Assessment and Deployment Process

To verify that VCM supports your UNIX and Linux machines for patch deployment, see the VCM Installation Guide. VCM provides patch assessment content in a new format for several Red Hat and SUSE versions. See "New UNIX Patch Assessment Content" on page 155. For the operating system versions supported, see the VCM Installation Guide.
The .pls files use new names. Red Hat file names include Red Hat instead of RH, and SUSE file names include Novell SUSE instead of Novell Linux.

Patch Assessment Content Private Repository
The new patch assessment content architecture uses a private YUM repository to contain the VCM patch assessment content for Red Hat and SUSE machines. This content supports several Red Hat and SUSE versions that have the VCM 5.4.1 or later Agent installed. The VCM 5.4.
Procedure
1. "Check for Updates to Bulletins" on page 157
   Use VCM Patching to check the Web for updates to patch bulletins, which you can use in assessments of machines to enforce compliance.
2. "Collect Data from Windows Machines by Using the VCM Patching Filter Sets" on page 157
   Collect data from Windows machines to obtain the current patch status.
Procedure
1. On the toolbar, click Collect.
2. Select the Windows machines from which to collect data.
3. Select Select a Collection Filter Set to apply to these machines and click Next.
4. Select the Patching - Windows Security Bulletins filter set and click Next.
   This filter set gathers information for all available Windows security bulletins that you can use to patch Windows machines.
10. On the VCM toolbar, verify that the correct Machine Group is selected.
11. Click Patching and select Windows > Assessment Templates.
12. Select the template to run and click Assess.
13. When the assessment finishes, click the Refresh button on the toolbar and view the assessment results in the data grid.

Review VCM Patching Windows Assessment Results
View the assessed Windows machines.
VCM Patching Actions
The following actions are available.
- Agent Install: VCM Patching installs the Agent component to a machine the first time a patch is deployed to that machine.
- Agents using HTTP: If VCM Patching detects that the target machine has a VCM Agent using HTTP, VCM Patching will route the deployment through VCM as a remote command job.

Prerequisites
- Test all patches before you deploy them.
- Back up critical systems.
Machine Group Mapping
When you define an alternate patch location for a particular machine group, you must select that machine group in VCM before you deploy the patches. If you do not select this machine group, VCM Patching will not acknowledge the alternate patch location and the patches will not be deployed. The alternate patch location is defined in machine group mapping. Click Administration and select Settings > General Settings > Patching > Machine Group Mapping.
You must set the Machine Group mapping for VCM to the location of the patches during deployment. Setting the machine group mapping is especially important when patching in single-user mode because /tmp is not always available, and cannot be relied upon for patching with VCM. Machine Group mappings are not inherited.
Deploy Patches to Windows Machines
Deploy patches to Windows machines that are managed by VCM Patching. These machines appear in the Licensed Machines node. Click Administration and select Machines Manager > Licensed Machines.

IMPORTANT If a failure occurs at any point in the patch deployment job, the System Administrator must check the status of the system, resolve any issues, and then reassess the machines.

Prerequisites
- Follow the guidelines.
What to do next
- To view the status of the deployment job, click Patching and select Job Management > Windows > Job Manager > Running.
- If you scheduled the job to run later, to view the status of the scheduled deployment, click Patching and select Job Management > Windows > Job Manager > Scheduled > Deployments.
Procedure
1. Click Patching.
2. Select UNIX/Linux Platform > Bulletins > By Bulletin.
3. Click Check for Update.
4. Select Check for Updates via the Internet and click Next.
   If VCM Patching finds updates, they are downloaded to the local machine. Alternately, you can load the updates from patch bulletin files on the local machine.
The following procedure runs the assessment using patch bulletins.

Procedure
1. On the toolbar, select the All UNIX Machines machine group.
2. Click Patching.
3. Select UNIX/Linux Platform > Bulletins > By Bulletin.
4. Select Assess.
5. In the UNIX Patch Assessment wizard, select Default Filter or Filters. If you selected Filters, you must select a specific filter.
6.
Procedure
1. Click Patching.
2. Select UNIX/Linux Platform > Assessment Results > All Bulletins to display the patch status of all of the machines that were assessed.
3. To display the assessment results for a single bulletin, select By Specific Bulletin and select a bulletin in the center pane.
4. Review the patch status for each machine.

Icon | Status | Description
(icon) | Patched | The patch is applied to the machine.
Store the UNIX Patches
Store the UNIX patches in a location that is available locally to the VCM managed machine, such as an NFS mount or a local hard drive. If you store the patches on an NFS mount, you must define the path in machine group mapping. Click Administration and select Settings > General Settings > Patching > Machine Group Mapping. You can use VCM remote commands or another available method to place the patches on the VCM managed machines.
Procedure
1. Select Patching > UNIX/Linux platform > Assessment Results > All Bulletins.
2. Select the patches to deploy.
3. Select Deploy.
4. On the Machines & Bulletins page, review the Recommend Action and Data Age and select the machines and patches to deploy.
5. If you deploy multiple patches, on the Confirm Patch Deployment Order page confirm or reorder the patches in the sequence to be deployed.
6.
Running VCM Patching Reports
You can run patch status reports on UNIX and Windows machines based on trends, details, template summary, bulletins, affected software products, and patch deployment history. With real-time assessment reports you can generate SQL reports for machines assessed against bulletins and affected software products.
11 Running and Enforcing Compliance

Using the Compliance module, you define a standard configuration for all machines or multiple standards for different machine groups. Then, you compare machines against these configuration rules to see if the machines are in compliance. In some cases, you can enforce certain settings on the machines that are not in compliance.
This release of VCM is compatible with the SCAP 1.0 validation program and is for Windows platforms only.

Conduct SCAP Compliance Assessments
You import a benchmark, run an SCAP assessment on the managed machines in your environment, review the results, and have the option to export the results.

Procedure
1.
Prerequisite
Import the benchmark. See "Import an SCAP Benchmark" on page 172.

Procedure
1. Click Compliance.
2. Select SCAP Compliance > Benchmarks > benchmark name > profile name.
3. Click Run Assessment.
4. Highlight the machines to assess, and click the down arrow to select them.
5. Click Next and click Next again.
6. Click Next, review your selections, and click Finish.
   A collection job starts, and results are not available until the job finishes.
Prerequisite
Run the assessment. See "Run an SCAP Assessment" on page 172.

Procedure
1. Click Compliance.
2. Select SCAP Compliance > Benchmarks > benchmark name > profile name.
3. Click Export.
4. Highlight the machine for which you want to export assessment results, and click the down arrow to select it.
5. Click Next.
6. Select the output and format for the export file, and click Finish.
12 Provisioning Physical or Virtual Machine Operating Systems

Operating system (OS) provisioning is the process of installing operating systems to physical or virtual machines. As part of the provisioning process, you can add newly provisioned machines to VCM. OS provisioning enables you to quickly deploy one or more physical or virtual machines to meet expanding business needs. Some of these machines may have limited use and lifespan, and may be reprovisioned for other purposes.
Figure 12–1. Relationship of OS Provisioning Components

Patching the Operating System Provisioning Server
Exclude the OS Provisioning Server instances from your automated patching in VCM. Patching the operating system will elevate the minor version and may leave the OS Provisioning Server in an unsupported state.
4. Use VCM to collect the discovered target machines from the OS Provisioning Server. The discovered target machines appear in the Provisionable Machines data grid by MAC address.
5. Use VCM to send the command that includes the provisioning details to the OS Provisioning Server to provision the target machines. The OS Provisioning Server creates an installation session for the target machines based on the configured OS distribution settings.
6.
4. "Discover Provisionable Machines" on page 179
   The OS Provisioning Server identifies provisionable physical or virtual machines in your environment when the target machines are set to network boot and attempt to PXE boot.
5. "Provision Machines with Operating System Distributions" on page 180
   The OS provisioning process installs one Windows or Linux operating system distribution on one or more physical or virtual machines using OS provisioning.
Prerequisites
Verify that your OS Provisioning Server instances are added as registered servers. See "Add Operating System Provisioning Servers" on page 178.

Procedure
1. Click Administration.
2. Select Certificates.
3. Select the OS Provisioning Server machines and click Change Trust Status.
4. Add any additional OS Provisioning Server instances to trust to the lower data grid.
5.
Prerequisites
- Ensure that the target machines have a minimum of 1GB RAM and meet the minimum RAM requirements for the operating system you are installing.
- Configure the primary network interface on the target machines with a connection to the OS Provisioning Server deployment network.
Prerequisites
- Verify that the operating system you are installing is compatible with the hardware or configuration of the target physical or virtual machines. For example, the operating system must support the drivers required by the hardware.
- Verify that the OS Provisioning Servers are registered. See "Add Operating System Provisioning Servers" on page 178.
7. On the Select OS Distribution page, select the Windows operating system that you are installing on the selected machines and click Next.
8. On the Settings page, configure the options required for your selected Windows OS distribution and click Next.

Option | Description
Product License Key | (Optional for Windows 2008. Required for Windows 2003 and Windows 7.) Type a license matching the operating system you are installing.
Option | Description
License these machines for VCM | License the machines for VCM management.

9. On the Machine-Specific Settings page, type the HostName and click Next.
   The HostName is limited to 15 characters. If you did not select Use DHCP to determine IP address on the Settings page, you must configure the IP Address, Subnet, Default Gateway, and DNS.
10.
You can install one OS distribution on one or more target machines. To install a different OS distribution, configure a new OS provisioning action.

Prerequisites
- Verify that the operating system you are installing is compatible with the hardware or configuration of the target physical or virtual machines. For example, the operating system must support the drivers required by the hardware.
- Verify that the OS Provisioning Servers are registered.
7. On the Select OS Distribution page, select the Linux operating system that you are installing on the selected machines and click Next.
8. On the Settings page, configure the options required for your selected Linux OS distribution and click Next.

Option | Description
Product License Key | Type the license to use when installing the operating system on the target machines. The license must match the operating system you are installing.
Option | Description
- Duplicate mount points are not allowed.
- For a swap partition, the mount point and the file system type should be swap.
- When naming mount points, you can use letters, digits, ., -, _, and +. Spaces are not allowed.
Volume Name | Type the name of the logical partition. For example, LogVol00. The volume names must meet specific criteria.
- When naming volumes, you can use letters, digits, ., or _.
Volume Size |
Option | Description
(Table of supported file systems, continued. Columns: Operating System; Supported File System for swap, /boot, /, and /home, /tmp, /usr, /var, /usr/local. Surviving values: xfs, jfs; xfs, jfs.)
Volume Group Name | Type the name of the logical group. For example, VolGroup00. You can specify only one volume group on the target machines. You may add volume groups after the OS distribution is installed. The volume names must meet specific criteria.
What to do next
- Verify that the provisioning process has begun. Click Administration and select Machines Manager > OS Provisioning > Provisionable Machines. The machines appear in the appropriate Available Machines or Licensed Machines data grid with an OS provisioning status of OS Provisioning Queued.
- Verify that the provisioning process is finished. Click Administration and select Machines Manager > OS Provisioning > Provisioned Machines.
Procedure
1. Configure the communication settings for the machines on which you installed one of the following operating systems using OS provisioning.
   - The Windows Agent is installed with DCOM as the communication protocol. To change the protocol, click Administration and then select Machines Manager > Licensed Machines > Licensed Windows Machines > Change Protocol.
Prerequisites
- Verify that the machine to be reprovisioned is listed in the Provisioned Machines data grid. Select Administration and click Machines Manager > OS Provisioning > Provisioned Machines.
- Review the provisioning process for the OS distribution you are installing. See "Provision Machines with Operating System Distributions" on page 180.
- On the target machine, set the BIOS to network boot.

Procedure
1. Click Administration.
2.
- (Optional) Change the Agent communication protocol. See "Change Agent Communication" on page 188.
13 Provisioning Software on Managed Machines

Software provisioning is the process you use to create software packages, publish the packages to repositories, and then install packages on one or more target machines. To support the provisioning process, the VCM Software Provisioning components consist of VMware vCenter Configuration Manager Package Studio, software package repositories, and Package Manager.
If you are using the software provisioning components in conjunction with VMware vCenter Configuration Manager (VCM), you can use VCM to add and remove sources, and to install and remove packages.

Software Provisioning Component Relationships
The following diagram displays the general relationship between Package Studio, repositories, and Package Manager in a working environment.

Figure 13–1.
- Software Repository for Windows: Installed on at least one Windows machine in your environment, and installed on the same machine with Package Studio. Install the repository before installing Package Studio.
- VMware vCenter Configuration Manager Package Studio: Installed on the same machine as your software repository.
- Package Manager: Installed on all Windows machines on which you are managing software provisioning.
Procedure
1. Double-click Repository.msi.
2. On the Welcome page, click Next.
3. Review the license agreement, select the appropriate options to continue, and click Next.
4. On the Installation Folder page, use the default path or click Change to modify the path, and click Next.
5. On the Virtual Directory page, use the default name or type a new name in the text box, and click Next.
6. On the Ready to Install page, click Install.
7.
Procedure
1. Double-click PackageStudio.msi.
2. On the Welcome page, click Next.
3. Review the license agreement, select the appropriate options to continue, and click Next.
4. On the Installation Folder page, use the default path or click Change to modify the path, and click Next.
5. On the Repository Root Folder page, verify the path is to your installed repository files. If the path is not accurate, click Change. When the path is correct, click Next.
6.
The Package Studio is installed to the location specified during installation. The default location is C:\Program Files\VMware\VCM\Tools\Package Studio (on 32-bit machines) or C:\Program Files (x86)\VMware\VCM\Tools\Package Studio (on 64-bit machines).

To start Package Studio, click Start and select All Programs > VMware vCenter Configuration Manager > Tools > Package Studio, or open the Package Studio folder and double-click PackageStudio.exe.
Verifying the Installation of the Agent Extensions for Provisioning
If you do not know whether the machines are ready to use provisioning, you can verify the version of the Agent Extensions for Provisioning. The Agent Extensions for Provisioning include the Package Manager.
1. Select Administration > Machines Manager > Licensed Machines > Licensed Windows Machines.
2.
3. Click Package Signing and sign the package with a signing certificate.
   a. Click Open to select a package (*.crate file).
   b. Click Sign and select a certificate from the certificate store or from a file.
4. Click Manage Repositories and select the platforms and sections to which you are publishing the package.
   a. Click Add Platforms to add a platform.
   b. Select a platform, and then click Add Sections.
   c. Select a section, and then click Publish Package.
Using VCM Software Provisioning for Windows
Using VCM Software Provisioning, you collect and view Repository and Package Manager data, and then install or remove packages on target machines.

Prerequisites
Software packages are created and published to the repository. See "Creating Packages" on page 199.

Procedure
1.
6. On the Confirmation page, review the information, resolve any conflicts, and click Finish.
   You can monitor the process in the Jobs Manager. See "Viewing Provisioning Jobs in the Job Manager" on page 205.

What to do next
- When the collection is finished, view the collected data. Click Console and select Windows tab > Operating System > Software Provisioning > Package Managers. The data grid displays the packages and their current status.
Adding a source gives the Package Manager on the selected machines access to the packages available in the specified section. The sources are numbered in priority order. When you add a new one, you can specify whether to add it to the beginning or to the end of the list. You can also remove sources.

Prerequisites
- Verify that you collected Package Manager data from the target machines. See "Collect Package Manager Information from Machines" on page 201.
Prerequisites
Verify that you added the repository sources to the Package Managers. See "Add Repository Sources to Package Managers" on page 202.

Procedure
1. Click Console.
2. Select Windows tab > Operating System > Software Provisioning > Package Managers.
3. Click Install Package.
4. On the Select Machines page, verify that the machines displayed in the lower pane are the machines to which you want to install the package and click Next.
5.
Related Software Provisioning Actions
You can use the following management options in VCM when working with software provisioning.

Option | Description
Console | All Software Provisioning actions are available for auditing as part of Change Management. Click Console and select Change Management > VCM Initiated or Non VCM Initiated to view the data. Software Provisioning actions are not eligible for rollback through Change Management.
Create Compliance Rules Based on Software Provisioning Data
A Compliance rule based on software provisioning data detects any packages or sources that are out of compliance. You can configure remediation actions to bring the machines back into compliance. In this example the Compliance rule checks whether the source, where the values are platform=Any and section=Release, was added to selected Package Managers as a source.
What to do next
Add the rule to your template. When the Compliance Template is run, it checks the target machines to determine if the repository source is added as a source. If it is not, the source is added to the machine's Package Manager.
latest version.
g. Specify the Security Options. Determine whether a package is installed or removed based on the state of the signature.

Option | Description
Install secure signed package only | The package must be signed and the public key of the signing certificate you used to sign the package is available on all the machines on which you are installing or removing the package.
14 Configuring Active Directory Environments

VCM for Active Directory collects Active Directory objects across domains and forests, and displays them through a single console. The information is consolidated and organized under the Active Directory slider, allowing you to view your Active Directory structure, troubleshoot issues, detect change, and ensure compliance. You can filter, sort, and group Active Directory data to pinpoint the specific area of interest.
5. "License Domain Controllers" on page 212
   To manage domain controllers, you must license them in VCM.
6. "Install the VCM Windows Agent on Your Domain Controllers" on page 213
   Install the VCM Windows Agent on each domain controller so that you can collect data and manage the virtual or physical machines.
7. Collect Domain Controller Data
   Start managing the domain controllers by performing an initial collection, which adds domain controller data to VCM.
Procedure
1. Click Administration.
2. Select Settings > Network Authority > Available Accounts.
3. To add a new domain account, click Add.
4. Type the domain name, user name, and password, and click Next.
5. Click Finish to add the account.

What to do next
Assign the network authority account to the domain so that VCM can access the domain controllers in the domain. See "Assign Network Authority Accounts" on page 211.
NOTE You can use the Discovered Machines Import Tool (DMIT), which imports machines discovered by the Network Mapper (Nmap), to import many physical and virtual machines at one time into the VCM database. Download DMIT from the VMware Web site.

Prerequisites
Assign a Network Authority Account that VCM can use for access. See "Assign Network Authority Accounts" on page 211.

Procedure
1. Click Administration.
2. Select Machines Manager > Discovery Rules.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Select the domain controllers to license.
4. Click License.
5. Verify that the domain controllers to license appear in the Selected list. Use the arrows to move the domain controllers.
6. Click Next to view your Product License Details.
   The licensed domain controller count increases by the number of licensed machines.
7. Click Next.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. In the data grid, select one or more domain controllers on which to install the Agent and click Install.
4. On the Machines page, verify that the target machines appear in the Selected list and click Next.
5. On the Install Options page, select the default installation options and click Next.
6.
Procedure
1. On the VCM toolbar, click Collect.
2. On the Collection Type page, select Machine Data and click OK.
3. On the Machines page, select the domain controllers from which to collect data and click Next.
   To move all visible domain controllers to the selection window, use the double arrow.
4. Select the Do not limit collection to deltas check box.
   This option ensures that a full collection occurs during the initial set up of VCM for Active Directory.
5.
Prerequisites
- Discover, license, and install the VCM Windows Agent on your domain controllers. See "Configure Domain Controllers" on page 209.
- Verify that jobs have finished running. Click Administration and select Job Manager > History > Other Jobs > Past 24 Hours.

Procedure
1. Click Administration.
2. Select Machines Manager > Additional Components > VCM for Active Directory.
3. Click Install.
4.
Run the Domain Controller Setup Action
VCM for Active Directory collects your Active Directory schema and structure as part of the domain controller setup action. During setup, you select a Forest Data Source (FDS) and Replication Data Source (RDS). Select machines that have reliable connections and availability. The same domain controller is allowed to serve as both FDS and RDS.
Prerequisites
- Install VCM for Active Directory. See "Configure VCM for Active Directory as an Additional Product" on page 215.
- Verify that jobs have finished by clicking Administration and selecting Job Manager > History > Other Jobs > Past 24 Hours.

Procedure
1. From the toolbar, click Collect.
2. On the Collection Type page, select Active Directory and click OK.
3.
Option | Description
From the data grid view, you can enable or disable the summary to view the details immediately.
Reports | Provides Active Directory information by running preconfigured or custom reports against the latest collected data. The time needed for a report to generate depends on the volume or complexity of the data requested.
- To use the reporting options, click Reports and expand Active Directory Reports.
Compliance |
15 Configuring Remote Machines

The VCM Remote client is the communication and management mechanism that you use to manage mobile Windows machines as they connect to and disconnect from the network. For Windows machines that are not continuously connected to the network, the VCM Remote client listens for network events indicating it has access to the VCM Remote-related components on the VCM Internet Information Services (IIS) server.
Using Certificates With VCM Remote
The use of certificates with VCM Remote ensures secure communication between VCM and the VCM Remote client when they are communicating outside your internal network. The communication between the Collector and the VCM Remote client is secured using Transport Layer Security (TLS) certificates. You can use the VCM certificate or you can use an existing Enterprise certificate.
Procedure
1. "Create Custom Collection Filter Sets" on page 223
   You create custom collection filter sets for Dial-up, Broadband, or LAN connections to efficiently manage mobile machines using the VCM Remote client. To optimize results, create a different filter set for each connection type.
2. "Specify Custom Filter Sets in the VCM Remote Settings" on page 224
   VCM Remote supports three connection types: broadband, dial-up, and LAN.
What to do next
- Repeat the procedure for all the connection types for which you configure filter sets.
- Assign the filter sets to the appropriate VCM Remote settings. See "Specify Custom Filter Sets in the VCM Remote Settings" on page 224.

Specify Custom Filter Sets in the VCM Remote Settings
VCM Remote supports three connection types: broadband, dial-up, and LAN.
Procedure
1. Click Administration.
2. Select Settings > General Settings > VCM Remote.
3. On the VCM Remote Settings data grid, select each setting separately and click Edit Settings.

Option | Configuration
Should Remote automatically install an Agent to the client (if required)? | Click Yes. Allows VCM to install the Agent when contacted by the VCM Remote client the first time.
Should Remote automatically upgrade an Agent to the | Click Yes.
- "Install the VCM Remote Client Manually" on page 226
  The manual installation of the VCM Remote client is a wizard-based process that you use when you have direct access to the target machines. This process is a useful way to install the client if you are creating an image to install on other machines.
5. On the VCM Remote Client Information page, configure the options and click Next.
   Option: Collector Machine Name
   Description: Name of the Windows machine on which the VCM Collector and Microsoft IIS are installed.
   Option: Path to ASP Page
   Description: Path for the IIS default VCM Remote Web site. The must match the virtual directory name as it appears in the Collector's IIS. The default value is VCMRemote.
6.
Procedure
1. On the target machine, create a folder and copy the files from the Collector to the target folder.
   File: CM Remote Client.msi
   Description: Located on the Collector at [install path]\VMware\VCM\AgentFiles.
   File: CM_Enterprise_Certificate_xxx.pem
   Description: (Optional) Located on the Collector at [install path]\VMware\VCM\CollectorData.
What to do next
Connect the remote machine to the network to ensure that VCM completes the installation process. See "Connect VCM Remote Client Machines to the Network" on page 232.

Install the VCM Remote Client Using Windows Remote Commands

You use the Windows remote commands to deploy the VCM Remote client to multiple machines in your environment. The VCM Agent must be installed on the target machines.
bInstallCert = 1 'If the value is 1, the Enterprise Certificate is installed. If the value is set to 0, the installation of the certificate is skipped and it is assumed that the certificate is already present. The Remote Client will NOT function until the Enterprise Certificate is installed as specified in Step 2
sCertFile = "EnterpriseCert" 'The filename of your enterprise certificate (.pem file) as identified in Step 2
sVirDir = "VCMRemote/EcmRemoteHttp.
Sub CheckVars()
    If sCollName = "" Then
        WScript.Quit
    Else
        sCollName = Trim(sCollName)
    End If
    If sVirDir = "" Then
        sVirDir = "vcmremote/ecmremotehttp.asp"
    Else
        sVirDir = Trim(sVirDir)
    End If
    If sInstallDir = "" Then
        sInstallDir = "c:\vcm remote client"
    Else
        sInstallDir = Trim(sInstallDir)
    End If
    If sAddRemove <> 0 And sAddRemove <> 1 Then sAddRemove = 1 'Set whether or not VCM Remote appears in the Add/Remove programs list.
   d. Click Next.
7. On the Files page, move the CM Remote Client.msi file and the .pem file to the list on the right, and click Next.
8. On the Important page, review the summary and click Finish.
   VCM saves the command and adds it to the Windows Remote Commands list.
9. In the Windows Remote Commands data grid, select your VCM Remote installation remote command and click Run.
10.
Option    Description
- To view the installed Remote client version, click Administration and select Machines Manager > Licensed Machines > Licensed Windows Machines. The Remote Client Version appears in the data grid.
- To view the status of remote collection jobs, click Administration and select Job Manager > History > VCM Remote.
16 Tracking Unmanaged Hardware and Software Asset Data

VCM management extensions for assets integrates and manages hardware and software asset data that is not gathered through the automated managed machine collection processes of VCM.
- Hardware: VCM for assets stores supplemental information (data that is not automatically collected) about physical and virtual machines that are managed by VCM.
Changing the order of the VCM for assets data field list changes the order of columns when you view asset data in the VCM Console.
6. "Refresh Dynamic Asset Data Fields" on page 239
   You can force VCM for assets to refresh the values in all fields that are configured to populate dynamically.

Review Available Asset Data Fields

VCM for assets is populated with a short list of data fields to get you started.
4. Click Add.
5. Type a name and description for the new asset data field and click Next.
   The name is the column heading that appears when users view the data in the VCM Console.
6. Specify properties about the new data.
   a. Select the way to populate the data.
      - Manually: type free-form text
      - Lookup: select from a fixed or query-based list of values
      - Dynamically: query from other data
   b. Select the data type.
6. Change the name or description for the data field and click Next.
   The name is the column heading that appears when users view the data in the VCM Console.
7. Click Next.
   You cannot change the data properties.
8. Click Next.
9. Select the roles that are allowed to edit the data.
   Only users assigned to these roles can edit the data using the VCM Console.
10. Review the settings and click Finish.

What to do next
Remove unwanted fields.
Procedure
1. Click Administration.
2. Select Settings > Asset Extensions Settings.
3. Select one of the following nodes.
   - Hardware Configuration Items > Other Devices
   - Hardware Configuration Items > VCM Devices
   - Software Configuration Items
   In the data grid, each row, in order, becomes a column in the asset data display in the VCM Console.
4. Click Column Order.
5. Select entries, use the arrow buttons to move rows up or down, and click Next.
6.
Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > VCM Devices.
3. In the data grid, select the VCM machine.
4. Click Edit Values.
5. Verify that the machine you want is in the Selected list and click Next.
   Use the arrow buttons to move entries to or from the Selected list.
6. Move the data fields that you want to edit into the Selected list and click Next.
Prerequisites
- Have an administrator configure the asset data fields that you need. See "Configure Asset Data Fields" on page 235.
- Log in to VCM with a role that has edit permission for asset configuration data.

Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > Other Devices.
3. Click Add.
4. Select or type the details that identify the device, such as its name and model, and click Next.
5.
Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > Other Devices.
3. In the data grid, select the asset.
4. Click Edit.
5. Change the details that identify the device, such as its name and model, and click Next.
6. Change the values for the asset data associated with the device and click Next.
   The fields can vary depending on how the administrator configured your data for other hardware devices.
7. Click Finish.
Configure Asset Data for Software

A user with a role that has permission to edit asset data can use VCM for assets to gather information about the software on machines that are discovered and managed by VCM.

Procedure
- "Add Software Assets" on page 243
  Manage your software assets by having VCM for assets detect what is installed on the physical and virtual machines in your environment.
- Software Inventory (Windows): Select a product from the software inventory (SI) list.
- Registry (Windows): Type or select a Windows Registry path, key, and value.
- File System - Known Files (Windows): Type or select a filename and version.
- Software Inventory - Packages (UNIX): Select a product from the SI list.
- Software Inventory - Utilities (UNIX): Select a product from the SI list.
Edit Asset Data for Software

Use VCM for assets to change your software asset records as your enterprise changes.

Prerequisites
Log in to VCM with a role that has edit permission for asset configuration data.

Procedure
1. Click Console.
2. Select Asset Extensions > Software Configuration Items.
3. In the data grid, select the software asset.
4. Click Edit.
5. Change the name or description and click Next.
6.
Procedure
1. Click Console.
2. Select Asset Extensions > Software Configuration Items.
3. In the data grid, select the software asset.
4. Click Edit Values.
5. Move the data fields that you want to edit into the Selected list and click Next.
   Use the arrow buttons to move entries to or from the Selected list.
6. Select or type the new values and click Next.
7. Review the new values and click Finish.
17 Managing Changes with Service Desk Integration

VCM Service Desk Integration tracks planned and unplanned changes to managed machines in your organization, and integrates change requests with your change management process. Service Desk Integration works by temporarily holding requested changes to managed machines while VCM integrates with your service desk application in order to pass the requests through your change management process or workflow.
Procedure
1. Click Console.
2. Select Service Desk.
3. Under the Service Desk node, select any subnode.
   For example, click By RFC to view the data according to request for change (RFC). Under the By RFC subnode, select an RFC to view the data for that item.
   Your subnodes and data views might differ from the defaults or from other organizations based on your requirements and specific implementation.

What to do next
Look at the status of change jobs.