VMware vRealize Configuration Manager Administration Guide
vRealize Configuration Manager 5.8

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com
© 2006–2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws.
Contents
About This Book
Getting Started with VCM
Understanding User Access
Running VCM as Administrator on the Collector
Supported Browsers
Log In to VCM
Getting Familiar with the Portal
General Information Bar
Toolbar
Navigation Sliders
Customizing VCM for your Environment
Installing and Getting Started with VCM Tools
Install the VCM Tools Only
VCM Import/Export and Content Wizard Tools
Run the Import/Export Tool
Run the Content Wizard to Access Additional Compliance Content
Run the Deployment Utility
P
vCloud Director Collection Results
Configure vCloud Director vApp Virtual Machines Collections
Network Address Translation and vCloud Director vApp Discovery Rules
Discover vCloud Director vApp Virtual Machines
Configure vShield Manager Collections
Configure ESX Service Console OS Collections
Configure the Collector as an Agent Proxy
Configure Virtual Machine Hosts
Copy Files to the ESX/ESXi Servers
Collect ESX Logs Data
Virtualization Collection Results
Guidelines in PowerShell Scripting for WCI
Challenges in PowerShell Scripting for WCI
PowerShell Script Signing Policies
Create an Example PowerShell Script for Scheduled Tasks
Windows Custom Information Change Management
Collecting Windows Custom Information
Create Your Own WCI PowerShell Collection Script
Verify that Your Custom PowerShell Script is Valid
Install PowerShell
Collect Windows Custom Information Data
Run the Script-Based Collection Filter
View Windows Custom Information Job Status
D
Deploying Patches with Automated Patch Assessment and Deployment
Configure VCM for Automatic Event-Driven Patch Assessment and Deployment
Generate a Patch Assessment Template
Run a Patch Assessment on Managed Machines
Add Exceptions for Patching Managed Machines
Configure the VCM Administration Settings
Generate a Patch Deployment Mapping
Configure VCM for Automatic Scheduled Patch Assessment and Deployment
How the Linux and UNIX Patch Staging Works
How t
Edit Asset Data for Other Hardware Devices
Edit Asset Data Values for Other Hardware Devices
Delete Other Hardware Devices
Configure Asset Data for Software
Add Software Assets
Add Multiple Similar Software Assets
Edit Asset Data for Software
Edit Asset Data Values for Software
Delete Software Data
Managing Changes with Service Desk Integration
Configure Service Desk Integration
View Service Desk Integration in the Console
View Service Desk Integration in Job Manager
Index
About This Book
The VCM Administration Guide describes the steps required to configure VCM to collect and manage data from your virtual and physical environment. Read this document and complete the associated procedures to prepare for a successful implementation of the components.
Technical Support and Education Resources
The following technical support resources are available to you. To access the current version of this book and other books, go to http://www.vmware.com/support/pubs.
Online and Telephone
To use online support to submit technical support requests, view your product and contract information, and register your products, go to http://www.vmware.com/support.
1 Getting Started with VCM
When you use VCM, you must understand user access and how to start VCM from any physical or virtual machine. You must also familiarize yourself with the VCM Web Console features.
This chapter includes the following topics:
Understanding User Access 11
Supported Browsers 12
Log In to VCM 12
Getting Familiar with the Portal 13
Customizing VCM for your Environment 16
Understanding User Access
User access determines who has access to VCM and with what roles.
- Remote command execution
- Change actions against target managed machines
- Change rollback
- Compliance enforcement
- Patch deployment
- Machine reboots
All VCM user accounts must have the following rights on the VCM Collector machine.
- Ability to log on locally to access IIS
- Read access to the System32 folder
- Write access to the CMFiles$\Exported_Reports folder to export reports
- If default permissions have been changed, read
Prerequisites
- Verify that the physical or virtual machines from which you are accessing VCM have a supported version of Internet Explorer installed. For supported platforms, see the VCM Installation Guide.
- Configure the Internet Explorer Pop-up Blocker settings to add your Collector to your list of allowed Web sites, or disable Pop-up Blocker.
General Information Bar
The general information bar displays the VCM Collector’s active SQL Server name, your VCM user name and active Role, and the following buttons.
- Log Out: Exits the Web Console. The Web Console closes and the VCM Logon screen appears.
- About: Displays information about how to contact VMware Technical Support and version information for VCM and all of its components.
Navigation Sliders
The navigation sliders on the left side of the Web Console include the items listed and described in the following table. The individual items that you see in VCM vary depending on the components that you have licensed.
- Active Directory and AD objects are visible based on your role.
- Patching options are available based on your role.
- Administration is visible only to users who have Administrative rights to VCM as part of their VCM role.
Slider: Action
Active Directory:
- View, export, or print enterprise-wide, summary information for Active Directory objects.
- Review alert notifications for the selected AD location.
- Review Active Directory-related changes that occurred from one collection to the next.
- View collected information about Active Directory objects such as Users, Groups, Contacts, Computers, Printers, Shares, and Organizational Units.
Create a machine group structure that matches the organization of the machines in your environment. With these machine groups, you can manage specific machines in your environment, such as all SQL Servers in a particular location. You can apply specific changes or create roles and rules for those machines independently from other machines in your environment. This approach ensures that you can restrict access to critical machines to the appropriate users with rights to VCM.
2 Installing and Getting Started with VCM Tools
VCM Installation Manager installs several VCM components and tools on the Collector machine during the installation.
This chapter includes the following topics:
Install the VCM Tools Only 19
VCM Import/Export and Content Wizard Tools 20
Run the Deployment Utility 21
Package Studio 21
Foundation Checker 22
Install the VCM Tools Only
You can install the VCM tools on a non-Collector Windows machine.
c. To install a subset of tools, clear the Tools check box and select only the individual tools to install.
4. Click Next.
5. Complete the remaining instructions and click Next.
6. On the Installation Complete page, click Finish.
7. On the Installation Manager page, click Exit.
VCM Import/Export and Content Wizard Tools
Use the Import/Export Tool and the Content Wizard Tool to move or update VCM business objects.
Run the Content Wizard to Access Additional Compliance Content
Use the Content Wizard to import additional VMware content such as VCM Compliance Content Packages. These packages are not available in VCM until you download and import them. Check the VCM Compliance Content Packages to determine if you need to import them.
Prerequisites
Install the Content Wizard. See "Installing and Getting Started with VCM Tools" on page 19.
Procedure
1.
Foundation Checker
Use the Foundation Checker tool to verify that a Windows machine designated as a VCM Collector meets all of the prerequisites necessary to install VCM. Installation Manager uses VCM Foundation Checker to check a machine’s viability for a successful VCM deployment.
3 Configuring VMware Cloud Infrastructure
VCM collects information from your instances of vCenter Server, vCloud Director, and vShield Manager so that you can then use the information to manage and maintain your virtual environment. The collected data appears in the Console under the Virtual Environments node. The information is organized in logical groupings based on the information sources, including vCenter Server, vCloud Director, and vShield Manager.
Figure 3–1. Virtual Environments Configuration Diagram (diagram labels: Managing Agents, Virtual Environments)
The Managing Agent machines must have the 5.5 Agent or later installed. They must also be configured to manage the secure communication between the vCenter Server, vCloud Director, and vShield Manager instances and the Collector.
Managing Instances of vCloud Director and vApp Virtual Machines
You collect data from vCloud Director instances about their configurations and the resources they manage, and to identify and manage the vApp virtual machine guest operating systems. To fully manage the guest machines, you install the VCM Agent on the virtual machines and manage their operating system.
Linux data type and ESX log data from the ESX service console operating system.
9. "Configure the vSphere Client VCM Plug-In" on page 57
The vSphere Client VCM Plug-In provides contextual access to VCM change, compliance, and management functions. It also provides direct access to collected vCenter Server, virtual machine host, and virtual machine guest data.
Prerequisites
Verify that the Windows machine that you designated as the Managing Agent is licensed and that it has the VCM Agent 5.6 or later installed. See "Configure Windows Machines" on page 89.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. Select the target machines and click Collect on the VCM toolbar.
4. Select Machine Data and click OK.
5.
What to do next
- If your Collector is not configured to use HTTPS, set the HTTPS bypass. See "Configure HTTPS Bypass Setting for Virtual Environments" on page 28.
- Identify the Windows machines as Managing Agents. See "Enable Managing Agent Machines for Virtual Environments" on page 28.
What to do next
- To maintain secure communication, you need the SSL certificates from your instances of vCenter Server, vCloud Director, and vShield Manager. See "Obtain the SSL Certificate Thumbprint" on page 29.
- Configure the collections from your instances of vCenter Server, vCloud Director, and vShield Manager.
  - See "Configure vCenter Server Data Collections" on page 29.
  - See "Configure vCloud Director Collections" on page 38.
Procedure
1. "Add vCenter Server Instances" on page 30
Add the vCenter Server instances to VCM so that you can license and collect vCenter Server data using the Managing Agent.
2. "Configure the vCenter Server Settings" on page 31
Configure the Managing Agent, communication, and vCenter Server access options so that VCM can collect host and guest data from the vCenter Server instances.
3.
The machine information is added to the list.
7. (Optional) Add other vCenter Server instances as needed.
8. When all your vCenter Server instances are added to the list, click Next.
9. On the Information page, review the summary and click Finish.
What to do next
- Configure the vCenter Server settings. See "Configure the vCenter Server Settings" on page 31.
- Manage the Windows operating systems on which vCenter Server instances are running.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vCenter Server instances and click Next.
Option: Description
Managing Agent: Select the Windows machine to manage communication between the Collector and the vCenter Server instances. This Windows machine must have the 5.5 Agent or later installed. You can use the Collector as your managing agent.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCenter Server instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vCenter Server instances from which you are collecting and click Next.
6.
1. Creating a new Python subclass of the VciFilter class enables the auto-connection to work.
2. Incorporate custom collection logic by implementing the runDataCollection method in the new subclass.
3. For more information, refer to the canned filter code "Principles and Roles - Python". This filter is self-explanatory.
Useful information about the data that is being collected
1.
Configure vCenter Server Scheduled Collections
Configure VCM to regularly collect vCenter Server data from your vCenter Server machine groups to ensure that you are using current results when you are viewing the data and when running reports or compliance. This action is not required, but scheduling your collections improves your configuration management efficiency.
Procedure
1.
Procedure
1. Click Administration.
2. Select Job Manager > Scheduled.
3. Click Add.
4. Select Collection and click Next.
5. Type a job name and description and click Next. For example, vCenter Server Collections.
6. Select Default filter set and click Next.
7. Select your vCenter Server machine group and click Next. For example, vCenter Server Instances.
8. Configure when the collection job runs and click Next.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines > Licensed Virtual Environments.
3. Select the vCenter Servers and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vCenter Servers from which you are collecting and click Next.
6. On the Data Types page, select Virtualization > vCenter Guests and click Next.
7.
What to do next
- For Windows operating system guest machines on which you installed the Agent, collect from the Windows virtual machines. See "Collect Windows Data" on page 95. If you did not install the Agent, see "Install the VCM Windows Agent on Your Windows Machines" on page 93.
- For Linux or UNIX operating system guest machines, you must install the Agent. See "Configure Collections from Linux, UNIX, and Mac OS X Machines" on page 122.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Click Add Machines.
4. On the Add Machines page, select Basic: Name, Domain, Type, Automatically license machines, and click Next.
5. On the Manually Add Machines - Basic page, configure these options to identify the instances of vCloud Director.
Option: Description
Machine: Name of the vCloud Director instance.
Domain: Domain to which the vCloud Director instance belongs.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCloud Director instances and click Configure Settings.
4. On the Virtual Environment page, verify that the vCloud Director instances appear in the lower pane and click Next.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vCloud Director instances and click Next.
Prerequisites
Configure the vCloud Director settings. See "Configure the vCloud Director Settings" on page 39.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vCloud Director instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5.
Option: Description
Reports: Run a configured vCloud Director report. Click Reports and select Machine Group Reports > Virtual Environments > vCloud Director Managed VMs. The report includes the vCloud Director Instance, Organization, Organization virtual datacenter, vApp Name, the VC Machine Name, and the related networking data.
Create reports based on collected vCloud Director objects. Click Reports and select Virtual Object Reports.
vCloud Director 1.0 and 1.5 support a variety of vApp network configurations. VCM supports these scenarios.
- VCM is located in the vApp with the virtual machines that it is managing.
- The vApp has a direct connection to the org network.
- The vApp has a direct connection to the external network.
- The vApp has a one-to-one IP address NAT connection to the organization network with direct connection to the external network.
In a NAT mapped network environment, your best practice is to install the Agent on the vApp template machines. You must manually install the Agent with the HTTP mode enabled, but you must not collect data from these template machines. Collecting from the template machines generates machine-specific information that will cause the virtual machines created from the template to run incomplete collections.
Option: Description
Machine Name Format: Select the format used to display the virtual machine name. You can select the vCenter name for the virtual machine or select a combination of names for the virtual machine that includes the vApp that contains the virtual machine, the vCloud Director organization, and the vCloud Director instance. With these formats, you can easily sort, group, and display the data in VCM. The composite name is limited to 128 characters.
Option: Description
Use a proxy server: Select Yes if you use a proxy server for communication between the Collector and the Agents on the virtual Windows machines. Select No if you do not use a proxy server or if you are managing Linux or UNIX machines.
Option: Description
vDC Name Filter: To run the query against a virtual datacenter in a vCloud Director instance, type the name of the virtual datacenter. SQL wildcard expressions are allowed. Discovers all virtual machines in the virtual datacenter.
vApp Name Filter: To run the query against a vApp, type the name of the vApp.
VM Name Filter: To run the query to add a specific virtual machine, type the name of the machine. SQL wildcard expressions are allowed.
Configure vShield Manager Collections
Configure collections from your vShield Manager instances so that you can run reports on the collected data.
Prerequisites
- Configure your Managing Agent machines. See "Configure Managing Agent Machines for Virtual Environment Management" on page 26.
- To maintain secure communication, you need the SSL certificates from your instances of vShield Manager. See "Obtain the SSL Certificate Thumbprint" on page 29.
Option: Description
Machine: Name of the instance of vShield Manager.
Domain: Domain to which the instance of vShield Manager belongs.
Type: Domain type.
Machine Type: Select vShield.
6. Click Add. The machine information is added to the list.
7. (Optional) Add other instances of vShield Manager as needed.
8. When all your instances of vShield Manager are added to the list, click Next.
9. On the Information page, review the summary and click Finish.
5. On the Managing Agent and Communication Settings page, configure the settings that are applied to all selected vShield Manager instances and click Next.
Option: Description
Managing Agent: Select the Windows machine to manage communication between the Collector and the vShield Manager instances. This Windows machine must have the 5.5 Agent or later installed. You can use the Collector as your managing agent.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Virtual Environments.
3. Select the vShield Manager instances and click Collect on the VCM toolbar.
4. On the Collection Type page, select Machine Data and click OK.
5. On the Machines page, verify that the Selected list includes all the vShield Manager instances from which you are collecting and click Next.
6.
1. "Configure the Collector as an Agent Proxy" on page 52
The Agent Proxy machine is a Windows machine configured to communicate with ESX and ESXi servers and to remotely collect data from those servers. The Collector automatically meets the Agent Proxy requirements. You license the Collector and then collect the Machines data type.
2.
4. License the Collector.
a. Select Machines Manager > Available Machines.
b. Select the Collector in the data grid and click License.
c. On the Machines page of the Available Machines License wizard, verify that the Collector machine name appears in the Selected list and click Next.
d. Review the Product License Details page and click Next.
e. Review the Important page and click Finish.
f.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed ESX/ESXi Hosts.
3. Select the ESX host and click Configure Settings.
4. Add the machines to be configured to the lower grid and click Next. The selected machines will use the same Agent Proxy and the same SSH and Web Services settings.
5. Configure the settings on the Agent Proxy and Communication Setting page.
What to do next
Copy the SSH public key file, the csiprep.py file, and the csiprep.config file to the target ESX machines. See "Copy Files to the ESX/ESXi Servers" on page 55.
Copy Files to the ESX/ESXi Servers
To import target machine information and copy the required files from VCM, you use the UNIX/ESX/vSphere Deployment Utility on your Agent Proxy machines.
8. (Optional) Configure the default server location. The following settings are automatically configured to the default server locations. If you need to change the paths, click the ellipsis button.
- SSH Public Key file (ESX 3.x only)
- Log Files Location
- csiprep.py File (ESX 3.x only)
- csiprep.config File (ESX 3.x only)
9. (Optional) Configure the VCM user name and password.
Virtualization Collection Results
You have several options for reviewing and using ESX Logs data in VCM. The data used is only as current as the last collection, and the amount of time it takes for the data to display is based on the volume or complexity of the data requested.
Option: Description
Console: View ESX logs. Click Console and select Virtual Environments > ESX Logs.
Prerequisites
- Verify that you are using VMware vCenter 4 Server.
- Verify that the VMware vSphere Client is installed.
- Verify that VMware Tools is installed on the virtual machines.
Procedure
1. On the VCM Collector, browse to [path]\VMware\VCM\Tools\vSphere Client VCM Plugin\bin and double-click VCVPInstaller.exe.
2. In the VCVP Plug-in Registration dialog box, configure the following options.
Prerequisites
Verify that the vSphere Client VCM Plug-In is registered. See "Register the vSphere Client VCM Plug-In" on page 57.
Procedure
1. Select Administration > Settings > Integrated Products > VMware > vSphere Client VCM Plug-In.
2. Select the setting that you want to configure and click Edit Settings.
3. On the Settings Wizard page for each setting, configure the options.
4 Running Compliance for the VMware Cloud Infrastructure
Compliance templates evaluate the virtual environment object data to determine if the objects meet the criteria in the rules. If the property values on an object do not meet the criteria, and if there is no exception defined, then the object is flagged as noncompliant. When an object is noncompliant, the template results provide the details of the settings or configurations that do not match the rules.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Prerequisites
Collect virtual environments data. See "Configure Virtual Environments Collections" on page 25.
Procedure
1. "Create Virtual Environment Compliance Rule Groups" on page 62
Rule groups contain compliance rules and filters.
What to do next
Add a rule to the rule group. See "Create and Test Virtual Environment Compliance Rules" on page 63.
Create and Test Virtual Environment Compliance Rules
You create rules that define the ideal values that objects should have to be considered compliant. The data types correspond to the collected virtual environments data that is displayed in the Console.
Create and Test Virtual Environment Compliance Filters
You can create filters that limit the objects on which the templates run to only the objects that meet the filter criteria. If filters are not defined, the rules are run against all objects in the selected virtual objects group. The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
The example used in this procedure is whether VMware Tools is running on guest virtual machines on all vCenter Server instances, but excluding vCenter_Dev.
Prerequisites
- Create a rule group. See "Create Virtual Environment Compliance Rule Groups" on page 62.
- Create a rule. See "Create and Test Virtual Environment Compliance Rules" on page 63.
- Create compliance filters. See "Create and Test Virtual Environment Compliance Filters" on page 64.
Prerequisites
Create a rule group. See "Create and Test Virtual Environment Compliance Rules" on page 63.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Templates.
3. Click Add.
4. Type the Name and Description in the text boxes and click Next. For example, Tools Running Not vCenter_Dev and a description.
5. Move the rule group, for this example, Guest Tools Running, to the list on the right and click Next.
6.
What to do next
- If you find results that you want to temporarily make compliant or noncompliant, create an exception. See "Create Virtual Environment Compliance Exceptions" on page 70.
- Evaluate the results and resolve any issues on the noncompliant objects.
Create Virtual Environment Compliance Exceptions
To temporarily or permanently override the specific template results, use exceptions rather than explicitly resolving noncompliant results.
8. To define the exception values, modify, delete, or add to the properties, operators, and values for the selected results. In this example, you are specifying RHEL_60_ProdDev as the exception.
a. Click Add.
b. In the properties drop-down menu, select Object.
c. Select = as the rule operator.
d. Click the ellipsis button, select RHEL_60_ProdDev in the property values dialog box, and click OK.
9. Click Finish.
What to do next
- Run the template.
For a list of enforceable data types, see one of the following lists:
- Enforceable Compliance Windows Data Types and Properties
- Enforceable Compliance UNIX Data Types and Properties
- Enforceable Compliance Virtual Environment Data Types and Properties
If the rule is configured for automatic enforcement, VCM changes the noncompliant setting to the compliant value on the affected machine or object after the compliance assessment runs.
Procedure
1. Click Compliance.
2. Select Virtual Environments Compliance > Templates > {template name}.
3. In the Status column, identify the rule results that are noncompliant.
4. Identify the affected physical or virtual machines or virtual objects, and determine the expected value of the property. For example, click and drag the Status column heading and the Rule column heading to the filter.
To create an exception in this example, a virtual machine, RHEL_60_ProdDev, is approved to be excluded from the noncompliant results because you never require VMware Tools to be running on this machine.
Prerequisites
Create a template. See "Create Virtual Environment Compliance Templates" on page 65.
Procedure
1. Click Compliance.
2. Select Virtual Environment Compliance > Templates > template name.
3.
Prerequisites
Create at least one virtual environments compliance template. See "Create and Run Virtual Environment Compliance Templates" on page 61.
Procedure
1. "Create Virtual Environment Compliance Alert Rules" on page 72
Alert rules are the conditions you define that determine when an alert is generated. Virtual environment alert rules are based on virtual environment compliance templates.
2.
Prerequisites
- Verify that you have virtual environment alert rules. See "Create Virtual Environment Compliance Alert Rules" on page 72.
- Review the automated response options, which you configure in this procedure, in the online Help.
Procedure
1. Click Administration.
2. Select Alerts > Virtual Environments Configurations.
3.
Procedure
1. Click Administration.
2. Select Job Manager > Scheduled.
3. Click Add.
4. Select Compliance and click Next.
5. Type a name and description in the text boxes and click Next.
6. Select the virtual environment template and click Next.
7. Select the virtual objects against which to run the template assessment and click Next.
8. Configure frequency, time of day, and duration for the job and click Finish.
9.
5 Configuring vCenter Operations Manager Integration Integration of VCM with vRealize Operations Manager reports VCM configuration change events and standard compliance results in vRealize Operations Manager.
vRealize Configuration Manager Administration Guide Procedure 1. In VCM, click Administration. 2. Select Settings > Integrated Products > VMware > vRealize Operations Manager > Change Events. 3. Configure VCM to report a UNIX data type, such as UNIX Patch Assessment, to vRealize Operations Manager. a. Select UNIX Patch Assessment - Report to vRealize Operations Manager, and click Edit Setting. b. Click Yes to report the data. c. Click Next and click Finish. 4.
Prerequisites n Ensure that the VCM adapter is registered with the correct user account in vRealize Operations Manager. See "VCM Registration in vRealize Operations Manager for Integration" on page 75. n Verify that VCM is configured to collect data from the same vCenter Server instances that vRealize Operations Manager manages. See "Configure vCenter Server Data Collections" on page 29.
Prerequisites n Use the Content Wizard tool to download compliance templates created by VMware, for example, the vSphere Hardening Guides and other standards. The Content Wizard is available from the Start menu on the Collector machine. n Create compliance templates that are specific to your environment to include in the mappings. The template names should not include the | character.
Option Description Roll Up Type Select the method used to calculate how the score for the templates in a mapping is determined. Scores are always between 0 and 100. A score of 0 indicates that all the rules are noncompliant. A score of 100 indicates that all the rules are compliant. Select Group Context n Simple Percentage: Percentage of the template results that are compliant.
vRealize Configuration Manager Administration Guide Procedure 1. Click Compliance. 2. Select vRealize Operations Manager Badge Mapping > Mappings. 3. Select a mapping and click Run. 4. Click OK. All templates included in the mapping are run and the score calculated. The template results are in the individual template results data grid and the score is available in the vRealize Operations Manager Compliance Rollup dashboard.
Configuring vCenter Operations Manager Integration Procedure 1. Click Administration. 2. Select Job Manager > Scheduled and click Add. 3. Select vRealize Operations Manager Compliance Badge Mapping Run and click Next. 4. Type a name and description and click Next. 5. Select one mapping and click Next. 6. Use the scheduling options to schedule when the mapping runs. Schedule the job to run at the frequency at which you want refreshed results to be available to pull into vRealize Operations Manager.
vRealize Configuration Manager Administration Guide What to do next Resolve the noncompliant results. See "Resolve Noncompliant Virtual Environments Template Results" on page 68. Scoring Badges for vRealize Operations Manager Standards Compliance Badge scores are values that appear in a vRealize Operations Manager Compliance badge, and which also contribute to the dashboard values for the Risk badge.
Configuring vCenter Operations Manager Integration Compliance mappings should include templates that evaluate your environment in a way that helps to identify performance issues. For example, you have an object setting that should be addressed if it is found to be noncompliant from the configuration standard, but it does not require immediate attention. n VCM Only scores are available only in VCM. The VCM Only mapping scores are not pulled into vRealize Operations Manager.
Table: severity-weighted scoring example (column headings: Severity, Severity Weight, Compliant Results, Weighting Calculations, Total Weighted Compliant Results, Noncompliant Results, Weighting Calculations, Weighted Noncompliant Results; of the row values only the totals 27 and 32 survived extraction). Simple Rule Percentage is the percentage of compliance rules in the templates that passed as compliant. If any of the results are noncompliant, the rule is noncompliant. This option does not weight the rules based on severity.
Configuring vCenter Operations Manager Integration Use the Standards Compliance badge settings to select the level of detail at which to roll up the scores, and the midpoint and magnitude used to adjust the scores that are reported in vRealize Operations Manager. Table 5–5.
Detail Level   Score   Midpoint   Magnitude   Calculation                          Adjusted Score
               70      50         10          70-50=20; 20*10%=2; 70+2=72          72
               100     50         10          100-50=50; 50*10%=5; 100+5=105       100
(The 105 result is reported as 100 because scores are always between 0 and 100.) Table 5–7.
Auditing Security Changes in Your Environment 6 The VCM Auditing capability tracks all changes in the security aspects of VCM. Security-related events are written to the Windows Event Log, which is stored on the Collector, and is independent of the VCM application. The format of the event log prohibits any modifications to the recorded entries, which makes it a secure and tamper-proof auditing record of changes in security.
Procedure 1. To view the VCM Auditing settings, click Administration. 2. Select Settings > General Settings > Auditing. 3. To change an auditing setting, highlight a setting and click Edit Setting. When you change an auditing setting, the VCM Auditing data grid displays the user’s name in the Last Modified By column. What to do next For details about the Auditing settings and the Windows Event Log, see the online help.
7 Configuring Windows Machines To manage your virtual and physical Windows machines, you must verify domains and accounts, discover and license those machines, install the VCM Agent, and collect Windows data from those machines. You can also collect Windows Custom Information.
vRealize Configuration Manager Administration Guide Procedure 1. Verify Available Domains Allow VCM access to each domain so that the VCM Collector can interact with the Windows machines in your environment. 2. Check the Network Authority Verify that at least one domain account with administrator privileges is available to act as a network authority account for VCM. 3.
Configuring Windows Machines What to do next Verify that a network authority account is available and create other necessary domain accounts. See "Check the Network Authority" on page 91. Check the Network Authority Verify that at least one domain account with administrator privileges is available to act as a network authority account for VCM.
vRealize Configuration Manager Administration Guide Discover Windows Machines In your network, identify the Windows machines that you are managing with VCM. To discover the available Windows machines, VCM uses general discovery rules to identify many Windows machines or uses specific discovery rules to identify particular Windows machines. The time required to perform an initial discovery depends on the size and composition of your network.
Configuring Windows Machines The number of discovered Windows, UNIX, or Linux machines might exceed the number of your available licenses. If that happens, the number available goes negative and appears in red to indicate that you do not have enough licenses. For servers and workstations, exceeding the limit on your license key produces warnings but does not restrict VCM operation. License key counts that are over the limit are recorded and maintained for auditing purposes.
vRealize Configuration Manager Administration Guide Locking the VCM Agent on VCM managed machines is typically done in environments that have multiple VCM Collectors, to help prevent these Agents from being unintentionally upgraded or removed. The VCM Agent on the VCM Collector is locked, because it is installed as part of the VCM installation and is required for VCM Collector operations. The version of the VCM Agent on the Collector must also match the version of VCM installed.
Configuring Windows Machines Option Description Install using a proxy server For Windows Proxies and Windows Agents only. If the target machine is separated from the Collector by a proxy server, this option instructs the installation process to check for available proxy servers. Lock the machine after installation Ensures that VCM will not uninstall the Agent or replace it with a different version. Reinstall Agent Overwrites an installed Agent. 6.
vRealize Configuration Manager Administration Guide A delta collection includes only the differences between the data on the target machine and the data stored in the VCM database. If you need a full collection, you can specify that VCM collect all data again. A full collection can take a significant amount of time depending on the number of VCM managed Windows machines from which you are collecting.
Configuring Windows Machines After the initial discovery is finished, perform a weekly discovery to update the list of available Windows machines. To schedule a VCM discovery job, click Administration, select Job Manager > Scheduled, and follow the wizard. Option Description Console Displays dashboards and reports based on collected data. Use the Console to view data that is relevant to day-to-day operations, troubleshooting, and analysis.
Figure 7–1. Windows Custom Information Collection Process To extend the data collected by VCM from managed Windows machines using other VCM data types, collect Windows Custom Information. The example used to get you started collecting WCI data is for PowerShell. Follow the same basic procedures to configure and run Python scripts. Configure the prerequisites and create and validate your script.
Configuring Windows Machines Prerequisites n Write your own PowerShell script to return data in a VCM compatible, element-normal XML format, or obtain PowerShell scripts from VMware Professional Services or another source. See "Using PowerShell Scripts for WCI Collections" on page 99. n Understand the script signing policies if you use PowerShell 2.0. See "PowerShell Script Signing Policies" on page 103. n Set the PowerShell execution policy on the VCM managed machine.
vRealize Configuration Manager Administration Guide Guidelines in PowerShell Scripting for WCI When you develop custom PowerShell scripts to collect the Windows Custom Information (WCI) data type from VCM managed Windows machines, follow these guidelines. n Make XML element names unique at the same level. For example, you can specify two child nodes that are not siblings. n Make attributes unique at the same level. n Use unique XML element names to generate valid VCM XML.
The split method of PowerShell strings in the $schtasks script separates the columns of the $schtasks rows into separate values in arrays. n The column names row provides the names to use for attributes. n The corresponding data from the scheduled task rows provides the values to use for these attributes. The top-level element name is an arbitrary name that you apply to distinguish the results of this script from other results.
vRealize Configuration Manager Administration Guide Column Names Include Spaces Running the schtasks command without any options displays a column name of Next Run Time. Because this name includes spaces, you cannot use it as an attribute name in an XML document. Running the schtasks command verbosely generates other column names that include spaces. Although you cannot use these invalid names as attribute names, you can preserve the names by using VCM encoding standards.
Configuring Windows Machines To preserve the user-friendly name, use the task name as the element name for the task rows. When you create a collection filter that uses your script, you must select the incremental duplicate handling option so that the collection process includes an incremental entry in the list of entries where the same task name appears multiple times. For example, in a sample test environment, many Windows machines had more than one task named GoogleUpdateTaskMachineCore.
vRealize Configuration Manager Administration Guide n In-line: The default WCI filter uses an in-line script to collect basic information about the PowerShell version, .NET version, and execution policy settings. The in-line option requires a collection script that is represented as a single line of PowerShell code. Because the filter runs an in-line script on the PowerShell command line, instead of using a file, the execution policy does not apply.
Configuring Windows Machines The schtasks command returns basic information about scheduled tasks. The data returned by schtasks includes multiple rows. PowerShell structures the $schtasks variable in an array. For example, $schtasks[0] represents the first row. To view the result set, use $schtasks[n], which displays the following status: n $schtasks[0] is blank. n $schtasks[1] contains column names. n $schtasks[2] is the first row of task data.
    function ToCMBase64String([string]$input_string) {
        # prefix the Base64 of the UTF-16 bytes so that VCM can decode the original name
        return [string]("cmbase64-" + [System.Convert]::ToBase64String([System.Text.Encoding]::UNICODE.GetBytes($input_string)))
    }
            { $hostcol = $j++ }
            else {
                if (([string]$cols[$j]).toupper() -eq "TASKNAME") { $namecol = $j++ }
                else { $j++ }
            }
        }
        #save first column name, to check for repeated column rows
        $firstcol = $cols[0]
        #encode each column name
        for ($j=0;$j -lt $cols.count;$j++) { $cols[$j] = [string](ToCMBase64String($cols[$j])) }
        #loop through each row
        #start at $k+1, because the first row may be blank, and the first populated row is column names
        for ($i=$k+1;$i -lt $schtasks.
            if ($task[0] -ne $firstcol) {
                #if we did not find a TaskName column, just tag each row as Task-n
                if ($namecol -gt -1) { $clTasks += "<" + [string](ToCMBase64String($task[$namecol])) + ">" }
                else { $clTasks += ("") }
                for ($j=0;$j -lt $task.
                } #end row loop
            }
        $clTasks += ("")
        write-host $clTasks
5. After you generate your PowerShell script, perform the following steps: n Build a collection filter in VCM. n Paste the content of your script into the collection filter. n Collect data using the script-based collection filter. To view the collected WCI data in VCM, click Console and select Windows Operating System > Custom Information > List View.
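The following is an added, self-contained example (not the guide's own script) of the same column-to-attribute approach described above: a constructed schtasks-style row set is turned into element-normal XML, column names that are not valid XML attribute names (such as Next Run Time) are preserved with the cmbase64 encoding, repeated column-name rows are skipped, and the task name is used as the element name. The CSV-style input, the Split(',') parsing and the root element name SchTasksExample are assumptions of this example.

```powershell
function ToCMBase64String([string]$input_string) {
    # VCM encoding convention from the guide: "cmbase64-" + Base64 of the UTF-16 bytes
    return "cmbase64-" + [System.Convert]::ToBase64String(
        [System.Text.Encoding]::Unicode.GetBytes($input_string))
}

function ConvertTo-AttributeName([string]$name) {
    # Names that are already valid XML names pass through unchanged; names with
    # spaces or other characters XML forbids are preserved with the cmbase64 encoding.
    if ($name -match '^[A-Za-z_][A-Za-z0-9_.-]*$') { return $name }
    return ToCMBase64String $name
}

function ConvertTo-WciXml([string[]]$rows, [string]$rootName) {
    # $rows mirrors $schtasks: an optional blank line, a column-name row, task rows.
    $k = 0
    while ($k -lt $rows.Count -and $rows[$k].Trim().Length -eq 0) { $k++ }
    if ($k -ge $rows.Count) { return "<$rootName></$rootName>" }

    # Column-name row: locate the TaskName column and remember the first column
    # name so repeated header rows (one per task folder) can be recognised.
    $cols = @($rows[$k].Split(',') | ForEach-Object { $_.Trim('"') })
    $firstCol = $cols[0]
    $nameCol = -1
    for ($j = 0; $j -lt $cols.Count; $j++) {
        if ($cols[$j].ToUpper() -eq 'TASKNAME') { $nameCol = $j }
    }
    $attrNames = @($cols | ForEach-Object { ConvertTo-AttributeName $_ })

    $clTasks = "<$rootName>"
    for ($i = $k + 1; $i -lt $rows.Count; $i++) {
        if ($rows[$i].Trim().Length -eq 0) { continue }
        $task = @($rows[$i].Split(',') | ForEach-Object { $_.Trim('"') })
        if ($task[0] -eq $firstCol) { continue }   # repeated column-name row
        # Element name: the encoded task name, or Task-n when there is no TaskName
        # column. Duplicate task names are emitted as-is; the collection filter's
        # incremental duplicate handling option distinguishes them in VCM.
        if ($nameCol -ge 0) { $elem = ToCMBase64String $task[$nameCol] } else { $elem = "Task-$i" }
        $clTasks += "<$elem"
        for ($j = 0; $j -lt $task.Count -and $j -lt $attrNames.Count; $j++) {
            # escape the value so quotes and angle brackets in task data cannot break the XML
            $value = [System.Security.SecurityElement]::Escape($task[$j])
            $clTasks += " $($attrNames[$j])=`"$value`""
        }
        $clTasks += "></$elem>"
    }
    $clTasks += "</$rootName>"
    return $clTasks
}

# Constructed sample rows in "schtasks /fo csv" style; not output from a real host.
$sampleRows = @(
    '',
    '"TaskName","Next Run Time","Status"',
    '"GoogleUpdateTaskMachineCore","3/1/2015 9:00:00 AM","Ready"',
    '"GoogleUpdateTaskMachineCore","3/1/2015 10:00:00 AM","Ready"',
    '"TaskName","Next Run Time","Status"',
    '"NightlyBackup","3/2/2015 1:00:00 AM","Running"'
)

Write-Host (ConvertTo-WciXml $sampleRows 'SchTasksExample')
```

Run the script as a .ps1 file first; the single write-host line it produces is what goes into the collection filter.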
vRealize Configuration Manager Administration Guide Collecting Windows Custom Information To collect Windows Custom Information (WCI) using script-based filters, you create and verify your custom PowerShell scripts, install PowerShell on the VCM managed machines, and use VCM to collect the WCI data. VCM supports PowerShell and Python to create WCI collections. These procedures use PowerShell as the example. Procedure 1.
Configuring Windows Machines WCI internally stores data in a hierarchy, so your collection script must provide the complete data structure in the standard tree view. The root element in the XML result data set becomes a top-level root element in the WCI data type node. Child elements appear in the same locations in VCM as the locations they populate in the XML document returned by the script. Prerequisites n Understand how to write and run PowerShell scripts.
vRealize Configuration Manager Administration Guide What to do next Install PowerShell on your VCM managed machines. See "Install PowerShell" on page 112. Install PowerShell Verify that PowerShell 2.0 is installed on each VCM managed Windows machine used to collect Windows Custom Information (WCI). PowerShell 2.0 is supported on all platforms that support PowerShell 1.0. n PowerShell is installed by default on Windows Server 2008 R2, 2012, and 2012 R2 and Windows 7, 8, and 8.1 machines.
Configuring Windows Machines CAUTION Do not limit collections to deltas when you select a data type in the Collect wizard. If you limit collections to deltas, VCM purges all existing WCI data from the managed machine's master file and from the VCM database, and replaces the WCI data with newly collected data. You must select the option in the Collect wizard so that VCM does not purge WCI data during collections. Prerequisites See "Prerequisites to Collect Windows Custom Information" on page 98.
vRealize Configuration Manager Administration Guide Procedure 1. On your VCM Collector, click Collect. 2. On the Collection Type page, select Machine Data and click OK. 3. On the Machines page, select the managed machines from which to collect WCI data and click Next. 4. Click Select Data types to collect from these machines and click Next. VCM runs a default collection filter for the data type you select. 5. Select Do not limit collection to deltas and click Next.
Configuring Windows Machines Procedure 1. On your VCM Collector, click Administration. 2. Select Job Manager > History > Instant Collections > Past 24 Hours. 3. In the Instant Collections pane, select a collection job that includes WCI data. 4. In the Job History Machine Detail pane, select View Details. A single row appears for each WCI filter that ran in the collection job. Information about the WCI script and the script results parsing appears in the row. 5.
vRealize Configuration Manager Administration Guide Procedure 1. On your Collector, click Console. 2. Select Windows > Operating System > Custom Information. 3. Select a view of the collected WCI data. Option Description Tree View Standard Tree hierarchy view based on the data structure in your PowerShell script. Tree View Consolidated Tree hierarchy that displays data across multiple elements simultaneously with the data consolidated from one level of the tree.
Configuring Windows Machines Troubleshooting Custom PowerShell Scripts If you encounter problems when you run custom PowerShell scripts, run the script as a .ps1 file and correct any errors before you use the script with a VCM collection filter. Prerequisites n Verify that your script runs in PowerShell. See "Verify that Your Custom PowerShell Script is Valid" on page 111. n Understand the PowerShell script signing policies. See "PowerShell Script Signing Policies" on page 103. Procedure 1.
Configuring Linux, UNIX, and Mac OS X Machines 8 To manage machines running Linux, UNIX, and Mac OS X operating systems, you must license the machines, install the VCM Agent on the machines, and begin collecting data. The Agent manages the communication between the VCM Collector and the Linux, UNIX, and Mac OS X machines. You can use VCM to install the Agent on the target machines, or you can install the Agent using a manual process. For the manual Agent installation process, see the online Help.
vRealize Configuration Manager Administration Guide Figure 8–1. Linux, UNIX, and Mac OS X Managed Machines Diagram Installation Delegates for Linux, UNIX, and Mac OS X Agent Installations The Installation Delegate machines run a supported Windows operating system and must have the 5.5 Agent or later installed. They must also be configured to manage the secure communication between the target Linux, UNIX, or Mac OS X machines and the Collector.
Linux, UNIX, or Mac OS X Installation Credentials The installation credentials required to install the VCM Agent on Linux, UNIX, or Mac OS X machines must have sufficient privileges to copy the Agent files to the target machines and run the installation process. You have several options for providing the credentials, including during the installation process at a job or object level, or configuring the credentials as administrative parameters.
1. Installation wizard Object level credentials 2. Installation wizard Job level credentials 3. Administrative parameter Machine context credentials 4. Administrative parameter Machine Group context credentials 5. Administrative parameter Domain context credentials 6. Administrative parameter SRF Action Script Global context credentials Credential Processing Scenarios The following scenarios further demonstrate how the credentials are processed.
Configuring Linux, UNIX, and Mac OS X Machines 5. "Install the VCM Agent on Linux, UNIX, and Mac OS X Operating Systems" on page 127 To enable communication between the Collector and the managed machines, install the VCM Agent on Linux, UNIX, or Mac OS X machines. 6. "Collect Linux, UNIX, and Mac OS X Data" on page 134 To begin managing the machine on which you installed the VCM Agent, you must perform an initial collection, which adds the data to VCM.
vRealize Configuration Manager Administration Guide Prerequisites Verify that the Installation Delegate machine is licensed and that it has the VCM Agent 5.6 or later installed. See "Configure Windows Machines" on page 89. Procedure 1. Click Administration. 2. Select Machines Manager > Licensed Machines > Licensed Windows Machines. 3. Select the target machines and click Collect on the VCM toolbar. 4. Select Machine Data and click OK. 5.
Configuring Linux, UNIX, and Mac OS X Machines Enable Installation Delegate Machines for Linux Agent Installation Installation Delegate machines must be enabled to perform the necessary communication between the VCM Collector and your target Linux, UNIX, and Mac OS X machines. Prerequisites Ensure that the Installation Delegate machines are trusted machines. See "Set the Trust Status for Linux Agent Installation Delegate Machines" on page 124. Procedure 1. Click Administration. 2.
vRealize Configuration Manager Administration Guide When you use VCM to install the Agent, the installation process uses SSH to copy the Agent files from the Installation Delegate machine to the target machines using ordinary user credentials, and then installs the Agent as root user. Sensitive administration passwords are stored using the Local Data Protection Service API.
Configuring Linux, UNIX, and Mac OS X Machines Procedure 1. Click Administration. 2. Select Machines Manager > Licensed UNIX Machines. 3. Click Add Machines. 4. Select Basic, select Automatically license machines, and click Next. 5. Add the Linux, UNIX, or Mac OS X machines to the list. a. Configure machine information. Option Action Machine Type the name of the machine. You can use NetBIOS or Fully-Qualified Domain Name (FQDN) notation for the name.
On the Collector, the Agent files are located in \VMware\VCM\Installer\Packages. If you use the Collector as your managing Agent, the Agent files are copied to \VMware\VCM\Installer\Content\CMAgent.{version}.{Linux, Solaris, AIX, HP-UX, or Darwin (Mac OS X)}. If you use another Windows machine as an Installation Delegate, the Agent files are copied to \WINDOWS\CMAgent\CMAgent{Linux, Solaris, AIX, HPUX, or Darwin}.
Configuring Linux, UNIX, and Mac OS X Machines Procedure 1. Click Administration. 2. Select Machines Manager > Licensed Machines > Licensed UNIX Machines. 3. Select one or more target machines and click Install. 4. Add or remove target machines from the lower list and click Next. 5. If you must change a default parameter value, add one or more optional parameters to the lower list and click Next. The options, which are configured on the following wizard pages, apply to all the selected target machines.
Agent Installation Parameters for Linux, UNIX, or Mac OS X Machines The installation parameters are variables that you modify as needed when you install the VCM Agent on Linux, UNIX, or Mac OS X target machines. Installation Options with Default Values Description CSI_AGENT_RUN_OPTION You can install the Agent as a daemon process or install it to be run by inetd/xinetd/launchd.
Installation Options with Default Values Description CSI_USER_PRIMARY_GROUP=csi_acct Keep the default value. Group name to use when you create a new user as the user’s primary group. This group is for low security access. Most inspections are executed with the lowest possible privileges using this group while also preventing access by way of this group to the high security group privileges. CSI_CREATE_USER_PRIMARY_GROUP=Y Keep the default value.
vRealize Configuration Manager Administration Guide Installation Options with Default Values Description CSI_CERTIFICATE_PATH= Specifies the path to Collector Certificates. The certificates specified at this path are copied to the Agent. If your Collector Certificates are stored in an accessible location on this machine, you use this option to put the certificates in the Agent location.
Installation Options with Default Values Description CSI_LOCALE= Keep the locale configuration option unspecified in the csi.config file when installing the Agent. If you configure the value, it supersedes the data encoding locale on the target operating system. The locale, which should be a UTF-8 locale, affects the internal data conversions on non-ASCII data performed by VCM, but the setting does not affect how the collected data is displayed in VCM.
vRealize Configuration Manager Administration Guide Installation Options with Default Values Description scripts use the previous precedence rules to evaluate and generate a default value that is displayed during the installation of the Agent. If you select a non-UTF-8 locale, the Agent installation uses the locale, but the process logs and displays a warning.
Configuring Linux, UNIX, and Mac OS X Machines What to do next n Review the collected data from the managed machines. See "Linux, UNIX, and Mac OS X Collection Results" on page 135. n (Optional) Schedule regular data collections from managed machines. See "Configure Scheduled Linux, UNIX, and Mac OS X Collections" on page 135. Linux, UNIX, and Mac OS X Collection Results Collected Linux, UNIX, and Mac OS X data appears in the VCM data grids and is available for several management actions.
vRealize Configuration Manager Administration Guide This action is not required, but scheduling your collections improves your configuration management efficiency. Prerequisites Verify that your Linux, UNIX, and Mac OS X machines are managed machines. See "Configure Collections from Linux, UNIX, and Mac OS X Machines" on page 122. Procedure 1.
Configuring Linux, UNIX, and Mac OS X Machines 12. To add more than one operating system to your filter, select or for the Connect the conditions below with option. 13. Click Add, configure the filter, and click Next. a. In the data property drop-down list, select OS Name. b. In the operator drop-down list, select like. c. In the property value text box, type or select the operating systems. You can use % as a wild card.
vRealize Configuration Manager Administration Guide Procedure 1. Click Administration. 2. Select Job Manager > Scheduled. 3. Click Add. 4. Select Collection and click Next. 5. Type a job name and description and click Next. For example, Dynamic Linux Collection. 6. Select Default filter set and click Next. 7. Select your Linux machine group and click Next. For example, Dynamic Linux Group. 8. Configure when the collection job runs and click Next. For example, every four hours starting today. 9.
Configuring Linux, UNIX, and Mac OS X Machines Action Description To extract data from Linux and UNIX shell scripts and return the data to VCM, use the Sh parser. The Sh parser extracts data such as environment variables, exported variables, and umask settings from Linux and UNIX shell scripts. n Environmental Variables: The Sh parser extracts settings of environmental variables in the form of variable=value, and handles multiple variables on a line (such as variable1=value1; variable2=value2).
vRealize Configuration Manager Administration Guide Parser Directives When you create, edit, or clone a custom information type in VCM, you can select from a list of built-in templates. For example, if you have a file that conforms to the structure of the krb5.conf template, you enter an identification expression to identify the file, and select the krb5.conf template. Then, to populate the parser directive code pane, you select an existing template.
Configuring Linux, UNIX, and Mac OS X Machines Parser Directive Type Parser Directive Mandatory FILTER (Optional) Specifies a filter command used to process the file before the general parser parses the file. LINEENDCOMMENTSTRING (Optional) Sets the regular expression used to identify comments at the end of data lines. You can specify multiple regular expressions separated by the / character. You encode white space as “[[:blank:]]”. OFS Sets the output field separator.
Parser Directive Type Parser Directive Description The INI parser (key/value data) handles all types of Windows-style configuration files, key/value files, and some files that contain blocks of data. The key/value files can use any delimiter, including white space. The delimiter is a regular expression. Any value other than the delimiter is allowed in the value and data blocks. INI Parser Directives Mandatory ALLOWBLOCKS Advanced directive.
Configuring Linux, UNIX, and Mac OS X Machines Parser Directive Type Parser Directive Mandatory STANDALONEPAT Advanced directive. In most cases, use the INITYPE directive instead. The Sh parser extracts data such as environment variables, exported variables, and umask settings from Linux and UNIX shell scripts. Sh Parser EXPR Specifies the list of regular expressions used to extract specific strings from a shell script. Each regular expression is separated by the / character.
vRealize Configuration Manager Administration Guide Parser Directive Type Parser Directive Mandatory FIELDSONFIRSTLINE Yes Controls whether the first line of the data contains the PLIST value. When the value is 1, the first line of the input data (either command output or a configuration file) that contains data is used to set the names of the columns. FS Yes Sets the field separator. PLIST Yes Identifies the column names. Multiple columns are separated by the / character.
Configuring Linux, UNIX, and Mac OS X Machines Parser Directive Type Parser Directive Mandatory Description The Well Formed Formulae (WFF) parser handles well formed formulae, such as XML, but can be defined to handle any well-structured document. WFF Parser AELEMENT Name for the element that wraps attributes. ATTRRS Separates records in an attribute value. CDATARS Separates records in a CDATA section. CLOSEREGEX Regular expression that recognizes a CLOSE.
vRealize Configuration Manager Administration Guide Prerequisites n Understand parser types and how they work. n Determine which files to have VCM monitor and parse. n Determine which parser is required to parse the configuration file types. Procedure 1. Create a custom information type to identify the information for VCM to parse in the file. a. Select Administration, click Settings > UNIX > Custom Information Types, and click Add. b. Type a name and meaningful description. c.
Configuring Linux, UNIX, and Mac OS X Machines 2. Create a collection filter for Linux and UNIX custom information so that VCM can locate the file that the CIT represents. a. Select Administration, click Collection Filters > Filters, and click Add Filter. b. Type a name and meaningful description. c. On the Data Type page, select UNIX/Linux and click Custom Information. d. On the Path page, provide the path information.
vRealize Configuration Manager Administration Guide and click Next. g. Click View Selected Filter Details to confirm the type, path, and depth, and click Finish. h. To view the collected data, select Console and click UNIX > Operating System > Custom Information. 4. Create a compliance rule to have VCM report on compliance based on the content of the file on the managed Linux and UNIX machines. a. Select Compliance, expand Machine Group Compliance, and click Rule Groups. b.
- Template Name and Description: Type a name and a meaningful description for the compliance template.
- Rule Groups: Select the compliance rule that you created, and click the arrow to move the compliance rule to the Selected pane.
- Template Options: Select the results for VCM to return. To have VCM return only the compliance results that do not conform to the conditions in your compliance rule, select Return non-compliant results only.
Actions
You can perform the following actions.
- Add: Create a new information type.
- Edit: Edit the selected information type, except for those that are locked.
- Delete: Delete the selected information type, except for those that are locked.
- Clone: Create a copy of the selected information type to modify for your own use.
- Enable: Enable the selected information type to match against files on the managed Linux and UNIX machines.
Linux and UNIX CITs reported from delta collections to the change log: .rhosts_.shosts, pam, pamd, passwd, php.ini, profile, ptrc, RcConfigNetconf, RcConfigSnmp, resolv.
Linux and UNIX CITs not reported from delta collections to the change log: btmp_files, sendmail, sudoers, vmx_files, wtmpx_files, xinetd, zones_config_xml, zones_index
Mac OS X CITs
- Identification Expression: A regular expression that identifies the file.
- Directives: Description of the parser method.
- Created By: Indicates who created the custom information type.
- Creation Date: Indicates when the user created the custom information type.
- Last Modified By: Indicates the last user who modified the custom information type.
- Last Modified Date: Indicates when the user last modified the custom information type.
- Parser Directive: Configures the parser directives for the file.
- Property Name: Typically matches a name in the file, but in other cases the property name is an accepted name for a property designation in the file. The accepted name is usually derived from a man page. For example, a passwd file consists of tabular entries that resemble va1:va2:va3, but each position also has an accepted name, such as gid.
- Property Value: Value associated with the property.
3. Define the path and an optional file name to include or exclude, using a maximum of 440 characters, which is a limit of SQL Server.
- Include: VCM collects the specified directory path.
- Exclude: VCM does not collect the specified directory path. When you select this option, you must also have an Include collection filter to use with this collection filter.
9 Patching Managed Machines
VCM patch assessment, deployment, and verification ensures continuous security in your environment through proactive compliance of your IT infrastructure. VCM ensures that your managed machines have the latest security patches and other software installed.
Deploying patches to Linux, UNIX, or Windows managed machines requires the use of a patch assessment template. After you patch Linux, UNIX, or Windows managed machines, VCM runs a delta collection on the patching data for the managed machines to ensure that the next assessment provides the correct patch status. VCM retains the Linux and UNIX patching change actions in the change log. These actions are available in VCM Compliance and VCM Reports.
- You must manage your own patch repository. A temporary expansion of the patches occurs in the /tmp directory. For single-user mode, patches are extracted to /var/tmp. If you do not use the machine group mapping to define an alternate location for the patches, VCM uses the default location of /tmp.
- Store the Linux and UNIX patches in a location that is available locally to the VCM managed machine, such as an NFS mount or a local hard drive.
If you encounter problems during automatic or manual patch deployment, see the VCM Troubleshooting Guide.
Requirements to Patch Solaris Machines in Single-User Mode
VCM can deploy patches to Solaris machines in single-user mode (run level 1). In this mode, only the system administrator uses the managed machine, and minimal system services are running, such as logins.
Procedure
1. Store the patches in a local location on the target managed machine. You can extract the patches in this location, if desired. On Solaris machines, do not use the location of /tmp, because reboots initiated by the patches clear the content in this directory.
2. Verify that adequate disk space exists on the managed machines for VCM to extract the patches.
- For Linux and UNIX machines other than Solaris, verify that adequate space exists in /tmp.
Figure 9–1. Manually Patching Managed Machines with VCM
To manually patch Linux and UNIX machines, you can use a Red Hat Linux 6, 64-bit patching repository machine with the Software Content Repository (SCR) Tool installed. You configure the communication protocols on the patching repository machine, download and configure the Software Content Repository (SCR) Tool, and download the patches.
Getting Started with VCM Manual Patching
You can use VCM to manually assess the patching state of Linux, UNIX, and Windows managed machines, and manually deploy patches to those machines.
- "Getting Started with VCM Manual Patching for Linux and UNIX Managed Machines" on page 163
- "Getting Started with VCM Manual Patching for Windows Managed Machines" on page 170
To configure your environment for automated patching with VCM 5.
What to do next
Run patch status reports on Linux, UNIX, and Windows managed machines. See "Running Patching Reports" on page 200.
Configuring the Patching Repository for Manual Patching
To manually patch Linux and UNIX machines, you can use a Red Hat Linux 6, 64-bit patching repository machine with the Software Content Repository (SCR) Tool installed.
Procedure
1. Click Patching.
2. Select Linux or UNIX platform > Bulletins > By Bulletin.
3. Click Check for Update, select an update option, and click Next. VCM locates the bulletins and copies them to your local file system.
What to do next
Identify the patch bulletins collection criteria. See "Create Linux and UNIX Patch Assessment Filters" on page 165.
Linux and UNIX patch assessments require you to collect new patch status data from managed machines. These patch assessments operate differently from VCM patch assessments on Windows managed machines, which run on previously collected data. If you did not collect machine data, the patch assessment results might not appear and the managed machine might not be available for deployment, which would result in a patch-machine mismatch status.
8. To view the patch assessment results, click Linux or UNIX platform and click Assessment Results > All Bulletins.
What to do next
Review the results of the patch assessment and obtain the required patches. See "Review Patch Assessment Results" on page 167.
Review Patch Assessment Results
You can view the results of the patch assessment of Linux and UNIX managed machines.
- Incorrect MD5: MD5 hash generated from the patch signature (PLS) file, which contains the content and signature, does not match the expected value on the Linux or UNIX managed machine. Be aware that MD5 is NOT validated against the vendor MD5 hash data.
- Patch: Patch status of the managed machine cannot be determined.
IMPORTANT If a failure occurs at any time during the patch deployment job, the System Administrator must check the status of the system, resolve any issues, then reassess the managed machines. In a job chain, a failure in any step of the job breaks the job chain, which causes all subsequent job steps to not run.
Prerequisites
- Verify that your Linux and UNIX managed machines and operating systems are supported for patch deployment. See the VCM Installation Guide.
a. Select Stage patches manually, and set the time and date for patch staging.
b. Select whether to have VCM deploy the patches to target managed machines immediately or later, and set the time and date for patch deployment.
10. Set the reboot schedule options and click Next.
a. Select whether to reboot the managed machine after VCM installs the patches.
b. If you have VCM reboot the machine, set the reboot message and delay.
11.
3. "View Windows Bulletin Details" on page 172
You can view detailed information about Windows patch bulletins, including technical details, recommendations, and whether a reboot of the managed machine is required.
4. "Collect Data from Windows Machines by Using the VCM Patching Filter Sets" on page 173
To obtain the current patch status of Windows managed machines, collect patch data from those machines.
Download Patches for Windows Patch Deployment
You can download patches for deployment to Windows managed machines based on the bulletins included in a patch assessment template. When you download patches, VCM first determines whether the patches exist on the VCM Collector, then checks the download Web site. If VCM finds the patches, you can download them.
What to do next
Use filter sets to collect data from Windows managed machines. See "Collect Data from Windows Machines by Using the VCM Patching Filter Sets" on page 173.
Collect Data from Windows Machines by Using the VCM Patching Filter Sets
To obtain the current patch status of Windows managed machines, collect patch data from those machines. VCM requires that you collect current information about the File System, Hotfixes, Registry, and Services Windows data types.
Procedure
1. Click Patching and select Windows > Bulletins > By Bulletin.
2. Select a bulletin.
3. Click Details, read the technical details for the affected products and vendor recommendations, and read the deployment summary to identify any issues that might interfere with the distribution of the bulletin.
4. Click On the Web to link to vendor information about the bulletin.
5. Review all of the bulletins to include in the assessment template.
6.
The Not Patched column displays machines that require a patch or a reboot for an applied patch. From the Summary view, you can navigate to the affected managed machines.
What to do next
Deploy patches. See "Deploy Patches to Windows Machines" on page 175.
Deploy Patches to Windows Machines
You can deploy patches to Windows machines that are managed by VCM. These machines appear in the Licensed Machines node in VCM Administration Machines Manager.
11. Click Next again to either schedule the deploy job or to instruct VCM to run the job immediately.
12. On the Reboot Options page, select to not reboot the machine and click Next.
13. On the confirmation page, click Finish to deploy the patch. When the deployment finishes, VCM runs a delta collection of the Patching Security Bulletins filter set to update the assessment information.
14.
Figure 9–2. Automatic Patching of Linux and UNIX Managed Machines with VCM
Prerequisites
Understand the patch assessment and deployment actions, and perform the prerequisite tasks. See "Prerequisite Tasks and Requirements" on page 158.
Procedure
1.
To ensure that Linux, UNIX, and Windows managed machines always include the latest patches, you can have VCM deploy patches to the managed machines when certain events occur in your environment. After you perform the initial configuration for the automatic deployment, no intervention is required to deploy patches to managed machines.
5.
Procedure
1. Download and install the latest version of Java and the Oracle Java Cryptography Extension (JCE), which is used for Software Content Repository (SCR) Tool password encryption.
2. Install the latest VCM Linux Agent on the patching repository machine. See the VCM online help.
3. Install and configure the service that supports the desired communication method used by the managed machines.
4. Configure the communication protocol.
Prerequisites
Verify that you can access the VCM documentation page at https://www.vmware.com/support/pubs/vcm_pubs.html.
Procedure
1. On the VCM documentation page, click Current Product Download.
2. On the Download VMware vRealize Configuration Manager Web site, click Drivers & Tools.
3. Expand VMware vRealize Configuration Manager Tools.
4. For your VCM version, click Go to Downloads.
5.
Procedure
1. On the patching repository machine, download the runtime properties files tarball from the same Web site where you downloaded the SCR Tool tarball or zip file.
2. Extract the contents of the runtime properties tarball into the appropriate /conf directory that you established when you installed the SCR Tool. The properties files must be named as follows:
- AIX-rt.properties
- CENTOS-rt.properties
- HPUX-rt.properties
- MAC-rt.properties
- ORACLELINUX-rt.
Prerequisites
- When you set up a patching repository machine and alternate location machines, you must ensure that users have proper permissions and protocols configured to read patches from the patching repository machine and write patches to the alternate location machines. See "Configuring Protocols to Stage and Deploy Linux and UNIX Patches" on page 179.
Figure 9–3. Staging Linux and UNIX Patches on VCM Managed Machines
To simplify the configuration for how Linux and UNIX managed machines obtain and extract patches during patch staging and deployment, you map machine groups and network locations. To stage and deploy the patches to target managed machines, you select a patching repository or an alternate location machine. See the VCM online help.
- Verify that the machine groups to be used for Linux and UNIX patching are defined in VCM, and add any new machine groups for VCM to patch specific groups of managed machines. See the VCM online help.
- (Optional) If your VCM Collector is not configured to use HTTPS, before you add a patch staging configuration you must allow the Collector to bypass the HTTPS setting. Select Administration > Settings > General Setting > Collector.
Procedure
1. On the VCM Collector, to set the repository status for the patching repository machine, click Administration and click Certificates.
2. If the patching repository status is set for a different patching repository machine, disable the patching repository status to stop using that machine as the patching repository.
a. In the Certificates data grid, click the existing Red Hat Linux machine that has the Patching Repository Status enabled.
b. Click Patching Repository.
c.
Procedure
1. In VCM, click Administration.
2. Click Settings > General Settings > Patching > UNIX > Patch Staging.
3. Click Add.
4. Type a unique name for the patching repository, type a description, and click Next.
5. Select the staging method for the Linux and UNIX managed machines to obtain the patch files for deployment, and click Next.
8. (Optional) If you selected Obtain patches from an Alternate Location, you must provide the path and connection information to copy the patches from the alternate location machine to the target managed machines.
a. (Optional) If necessary, change the path where the patches reside. VCM populates this path from the previous screen to match it to the patching repository file structure.
b.
Procedure
1. Click Administration and select Settings > General Settings > Patching > Machine Group Mapping.
2. Select a machine group and click Edit.
3. Select a deployment type.
- Standard Deployment: VCM deploys the Linux and UNIX patches from a standard predefined patch directory, such as /tmp, on the target managed machines. The standard path for deployment is defined in UNIX Additional Settings.
The base path directory contains directories for the SCR Tool binary files, configuration files, and logs.
Prerequisites
Configure the machine group mapping for VCM to use to patch the target managed machines. See "Configure the Machine Group Mapping to Use the Patch Staging Configuration" on page 187.
Procedure
1. In VCM, click Administration.
2. Select Settings > General Settings > Patching > UNIX > Additional Settings.
3.
You can also use VCM's automatic event-driven and scheduled patching for managed Windows machines. For a list of supported machines for VCM patching, see the VCM Installation Guide. To configure VCM for automatic, event-driven patch deployment, see "Configure VCM for Automatic Event-Driven Patch Assessment and Deployment" on page 190.
Procedure
1. "Generate a Patch Assessment Template" on page 191
To configure VCM for automatic, event-driven patch deployment, you must generate a patch assessment template to use with the automatic patch deployment mapping.
2. "Run a Patch Assessment on Managed Machines" on page 192
You must run the patch assessment template to collect patch status data from the managed machines.
3.
Procedure
1. To generate a static or dynamic patch assessment template and include the relevant patch bulletins, click Patching and select All UNIX/Linux Platforms > Assessment Templates.
2. Click Add to add a patch assessment template.
a. To add a static patch assessment template, add available patch bulletins to the template.
b. To add a dynamic patch assessment template, define a filter with one or more filter rules.
Procedure
1. To add patching exceptions for VCM to apply during the automatic deployment of patches to a group of managed machines, click Patching.
2. Select All UNIX/Linux Platforms > Exceptions.
3. Click Add and name the patching exception.
4. Select the machine group to which the patching exception applies.
5. Set the patching exception override options and expiration date.
6. Add one or more rules for the patch exception.
Procedure
1. To modify the automatic patching settings, click Administration.
2. Click Settings > General Settings > Patching > UNIX > Additional Settings.
3. According to your patch assessment and deployment strategy, click Edit Setting for each of the automatic patch deployment settings, then modify and save the setting.
What to do next
- Generate a patch deployment mapping. See "Generate a Patch Deployment Mapping" on page 195.
- (Optional) You can schedule an automatic patch deployment. If you schedule VCM to run an automatic patch deployment later, and you collect patch data or schedule the patch data collection after you create the automatic deployment but before the scheduled time to run it, VCM begins the automatic patch deployment at the scheduled time.
What to do next
- After VCM triggers a patch assessment, view the patch assessment results. See the VCM online help.
- (Optional) You can schedule an automatic patch deployment. If you schedule VCM to run an automatic patch deployment later, and you collect patch data or schedule the patch data collection after you create the automatic deployment but before the scheduled time to run it, VCM begins the automatic patch deployment at the scheduled time.
How the Linux and UNIX Patch Staging Works
As a patch administrator, you can stage patches on target Linux and UNIX managed machines for VCM to deploy. With patch staging, the patches are available in a directory on the target managed machines in preparation for deployment. Target managed machines copy the patches from either the patching repository machine or an alternate location machine.
Related Topics
- For steps to stage Linux and UNIX patches for deployment, see "Configuring VCM to Work with the Patching Repository and Alternate Locations" on page 182 and "Configure How Managed Machines Stage Patches for Deployment" on page 185.
- For a description of events that VCM uses to trigger an automatic patch deployment, see "Configure VCM for Automatic Event-Driven Patch Assessment and Deployment" on page 190.
The patch assessment and deployment process for Linux and UNIX does not use remote commands. If you deploy a patch using a user-created remote command, the patch is not assessed until you run another assessment. When VCM deploys patches to managed machines, a job is created for each machine. When a reboot of the managed machine is required, VCM creates a deployment job and a reboot job for the machine. The deployment occurs either immediately or when scheduled.
Running Patching Reports
VCM uses trends, details, template summaries, bulletins, affected software products, and patch deployment history to generate patch status reports for Linux, UNIX, and Windows managed machines. With real-time patch assessment reports, you can generate SQL reports for managed machines that are assessed against bulletins and affected software products.
10 Running and Enforcing Compliance
Compliance compares your virtual or physical machines running Linux, UNIX, Mac OS X, or Windows operating systems against configuration standards that you download, or that you create, to determine if the machines meet the standards. The results of the compliance run notify you which machines' configuration settings meet the standards and which ones do not.
To assist you with managing your environment, you can download compliance templates from the VMware Center for Policy and Compliance. The available templates include, for example, SOX, HIPAA, PCI DSS, and VMware vSphere hardening and other regulatory compliance templates.
Download and Import Compliance Content
You can use the Content Wizard Tool to download and install selected compliance templates directly to the VCM database.
You can create your own compliance templates or modify templates that you downloaded from the Center for Policy and Compliance.
Prerequisites
- Collect data from your virtual and physical machines for the data types against which your compliance templates and filter sets run. See "Collect Linux, UNIX, and Mac OS X Data" on page 134 and "Collect Windows Data" on page 95.
The collection filter set that is selected is used when calculating data age for the rules in the compliance templates. The filter set must collect the same data types that are included in the rules in the rule group. If the filter set does not collect the same data types, no data age is calculated. This procedure demonstrates how to check whether your Linux machines, except those running 64-bit operating systems, have at least a 5GB hard drive capacity.
Procedure
1. Click Compliance.
2. Select Machine Group Compliance > Rule Groups > rule group name > Rules.
3. Click Add.
4. Type the name and description in the text boxes and click Next. For example, Linux and UNIX Disk Cap > 5 GB.
5. Expand Linux, select Disk Info - Hard Drive, and click Next.
6. Select Basic and click Next.
7. Click Add and configure the rules with the ideal values.
a. In the properties drop-down menu, select Total Capacity (MB).
b.
Procedure
1. Click Compliance.
2. Select Machine Group > Rule Groups > rule group name > Filters.
3. Click Add.
4. Type the name and description in the text boxes and click Next. For example, Architecture not x86_64.
5. Expand Linux, select Machines - General, and click Next. The collected data for this data type includes machine architecture.
6. Select Basic and click Next.
7.
Procedure
1. Click Compliance.
2. Select Machine Group Compliance > Rule Groups. Capacity 5GB - Linux and UNIX is the example in this procedure.
3. Select your new rule group and click Preview.
4. Select Do not apply machine filters to preview and click OK. When you test a rule, test first without the filter to ensure that the rule returns the expected results.
5. Review the data in the Non-compliant results window to verify that your rule is behaving as expected.
6.
Procedure
1. Click Compliance.
2. Select Machine Group Compliance > Templates.
3. Click Add.
4. Type the name and description in the text boxes and click Next. For example, Disk Cap > 5 GB not 64bit.
5. Move the rule group to the list on the right and click Next. For example, Capacity 5GB - Linux and UNIX.
6. Select Return both compliant and non-compliant and click Next.
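The rule group, machine filter, preview and template built over the preceding procedures, evaluated against constructed collected data as an added example (not VCM code): the data layout, operator set and result format are assumptions, and the 5 GB threshold is expressed as 5120 MB on the assumption of binary units.

```python
# Added example, not VCM code: a small evaluator for the rule group, machine filter
# and template built in the procedures above, run over constructed collected data.
# The data layout, operator set and result format are assumptions of this example.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Machine = Dict[str, Any]  # one row of constructed "collected data" per machine

OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "=": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    "<=": lambda a, b: a <= b,
}


@dataclass(frozen=True)
class Condition:
    """A property/operator/value triple, used both for rules and for machine filters."""
    prop: str
    op: str
    value: Any

    def holds(self, machine: Machine) -> bool:
        if self.prop not in machine:
            return False  # no collected data for the property is never treated as a pass
        return OPERATORS[self.op](machine[self.prop], self.value)


@dataclass(frozen=True)
class RuleGroup:
    name: str
    rules: Dict[str, Condition]    # rule name -> ideal-value condition
    filters: Dict[str, Condition]  # filter name -> machines the rules apply to


@dataclass(frozen=True)
class Template:
    name: str
    rule_group: RuleGroup
    noncompliant_only: bool = False  # "Return non-compliant results only"


def run_template(template: Template, machines: List[Machine],
                 apply_filters: bool = True) -> List[Dict[str, Any]]:
    """Evaluate every rule of the template's rule group on every in-scope machine.

    apply_filters=False mirrors "Do not apply machine filters to preview": the
    rules then run on all machines, which is how a new rule is tested first.
    """
    group = template.rule_group
    results: List[Dict[str, Any]] = []
    for machine in machines:
        if apply_filters and not all(f.holds(machine) for f in group.filters.values()):
            continue  # machine filters narrow the scope of the rule group
        for rule_name, condition in group.rules.items():
            compliant = condition.holds(machine)
            if template.noncompliant_only and compliant:
                continue
            results.append({"machine": machine["name"], "rule": rule_name,
                            "compliant": compliant})
    return results


def noncompliant_machines(template: Template, machines: List[Machine],
                          apply_filters: bool = True) -> List[str]:
    """Names of machines with at least one non-compliant result."""
    seen: List[str] = []
    for result in run_template(template, machines, apply_filters):
        if not result["compliant"] and result["machine"] not in seen:
            seen.append(result["machine"])
    return seen


GB_IN_MB = 1024  # assumption: binary units, so "5 GB" is 5120 MB, not 5000 MB

CAPACITY_GROUP = RuleGroup(
    name="Capacity 5GB - Linux and UNIX",
    rules={"Linux and UNIX Disk Cap > 5 GB":
           Condition("total_capacity_mb", ">", 5 * GB_IN_MB)},
    filters={"Architecture not x86_64": Condition("architecture", "!=", "x86_64")},
)
# "Return both compliant and non-compliant" is the default here.
DISK_TEMPLATE = Template("Disk Cap > 5 GB not 64bit", CAPACITY_GROUP)

# Constructed collected data (Machines - General and Disk Info - Hard Drive, flattened).
MACHINES: List[Machine] = [
    {"name": "lx01", "architecture": "i686", "total_capacity_mb": 8192},
    {"name": "lx02", "architecture": "i686", "total_capacity_mb": 4096},
    {"name": "lx03", "architecture": "x86_64", "total_capacity_mb": 2048},
    {"name": "lx04", "architecture": "i686", "total_capacity_mb": 5000},  # below 5 GB
]

if __name__ == "__main__":
    for result in run_template(DISK_TEMPLATE, MACHINES):
        print(result)
    print("preview without filters:",
          noncompliant_machines(DISK_TEMPLATE, MACHINES, apply_filters=False))
```

Note that lx04 reports 5000 MB and still fails the rule, because the ideal value entered against Total Capacity (MB) must be the MB equivalent of 5 GB; the preview without filters also surfaces the x86_64 machine lx03 that the filter later removes from scope.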
What to do next
- Evaluate the results and resolve any issues on the noncompliant objects. See "Resolve Noncompliant Compliance Template Results" on page 209.
- If you find results that you want to temporarily make compliant or noncompliant, create an exception. See "Create Machine Group Compliance Exceptions" on page 211.
Resolve Noncompliant Compliance Template Results
The results for the compliance templates indicate whether the rules were compliant or noncompliant.
For this example, you are working with a Windows or Linux machine, either a physical machine or a virtual machine. This example assumes that you are not auto-enforcing the noncompliant results during the compliance run.
Procedure
1. Click Compliance.
2. Select the compliance template. For example, Machine Groups Compliance > Templates > {template name}.
3.
6. Select the machines or objects that you identified as noncompliant, and click the applicable action button on the data grid. For example, select the virtual machine snapshots that are older than the compliance date and click Delete Snapshot.
7. Follow the prompts to configure the options, select Run action now, and click Finish. After enforcing compliance, VCM performs another data collection.
6. Select the machine group to which you are applying the exception and click Next. For this example, select All UNIX Machines.
7. Select the override options and the expiration date.
a. Select Override non-compliant results to compliant.
b. Select No Expiration.
c. Click Next.
8. To define the exception values, modify, delete, or add to the properties, operators, and values for the selected results.
Procedure
1. Click Administration.
2. Select Alerts > Rules.
3. Click Add.
4. Type the alert name and description in the text boxes and click Next.
5. Select Compliance Results Data and click Next.
6. Select a compliance template and click Next.
7. Review the configured actions and click Finish.
What to do next
Create a virtual environments configuration that includes this rule. See "Create Machine Group Compliance Alert Configurations" on page 213.
Schedule Machine Group Compliance Template Runs
You can schedule a regular run of your machine group compliance templates to ensure that the collected data is regularly assessed for adherence to the defined compliance rules. Compliance templates are run against collected data, so you should also schedule collections for the data types and machine groups that you are assessing.
- Common Platform Enumeration (CPE). Standard identifiers and a dictionary for platform and product naming
- Extensible Configuration Checklist Description Format (XCCDF). A standard for specifying checklists and reporting results
- Common Vulnerability Scoring System (CVSS).
Procedure
1. Copy the bundle ZIP file to the following folder: \\machine-name\CMFiles$\SCAP\Import
2. Click Compliance.
3. Select SCAP Compliance > Benchmarks.
4. Click Import.
5. Highlight the bundle, and click the right arrow to select it for import.
6. Click Next.
7. Review your selections and click Finish.
Run an SCAP Assessment
Run an SCAP assessment that compares your managed machine configuration against a profile in a standard SCAP benchmark.
Procedure
1. Click Compliance.
2. Select SCAP Compliance > Benchmarks > benchmark name > profile name.
3. In the data grid, find the row for the machine for which you generated an assessment.
4. In the row, click the ellipsis button for the result format that you generated. The following format options are available on the data grid: OVAL HTML, OVAL XML, XCCDF HTML, XCCDF XML.
5.
11 Configuring Active Directory Environments
VCM for Active Directory collects Active Directory objects across domains and forests, and displays them through a single console. The information is consolidated and organized under the Active Directory slider, allowing you to view your Active Directory structure, troubleshoot issues, detect change, and ensure compliance. You can filter, sort, and group Active Directory data to pinpoint the specific area of interest.
5. "License Domain Controllers" on page 222
To manage domain controllers, you must license them in VCM.
6. "Install the VCM Windows Agent on Your Domain Controllers" on page 223
Install the VCM Windows Agent on each domain controller so that you can collect data and manage the virtual or physical machines.
7.
Procedure
1. Click Administration.
2. Select Settings > Network Authority > Available Accounts.
3. To add a new domain account, click Add.
4. Type the domain name, user name, and password, and click Next.
5. Click Finish to add the account.
What to do next
Assign the network authority account to the domain so that VCM can access the domain controllers in the domain. See "Assign Network Authority Accounts" on page 221.
NOTE You can use the Discovered Machines Import Tool (DMIT), which imports machines discovered by the Network Mapper (Nmap), to import many physical and virtual machines at one time into the VCM database. Download DMIT from the VMware Web site.
Prerequisites
Assign a Network Authority Account that VCM can use for access. See "Assign Network Authority Accounts" on page 221.
Procedure
1. Click Administration.
2. Select Machines Manager > Discovery Rules.
3.
Procedure
1. Click Administration.
2. Select Machines Manager > Available Machines.
3. Select the domain controllers to license.
4. Click License.
5. Verify that the domain controllers to license appear in the Selected list. Use the arrows to move the domain controllers.
6. Click Next to view your Product License Details. The licensed domain controller count increases by the number of licensed machines.
7. Click Next.
Procedure
1. Click Administration.
2. Select Machines Manager > Licensed Machines > Licensed Windows Machines.
3. In the data grid, select one or more domain controllers on which to install the Agent and click Install.
4. On the Machines page, verify that the target machines appear in the Selected list and click Next.
5. On the Install Options page, select the default installation options and click Next.
6.
Procedure
1. On the VCM toolbar, click Collect.
2. On the Collection Type page, select and click OK.
3. On the Machines page, select the domain controllers from which to collect data and click Next. To move all visible domain controllers to the selection window, use the double arrow.
4. Select the Do not limit collection to deltas check box. This option ensures that a full collection occurs during the initial setup of VCM for Active Directory.
5.
Install VCM for Active Directory on the Domain Controllers
To use VCM to collect Active Directory data from your environment, install VCM for Active Directory on your domain controllers. VCM for Active Directory can operate with only a single domain controller configured with VCM for Active Directory; that domain controller then serves as both the forest data source (FDS) and the replication data source (RDS).
Procedure
1. Click Administration.
2. Select Machines Manager > Additional Components > VCM for Active Directory.
3. Click Determine Forest.
4. Move the domain controllers on which to determine the forest to the lower pane. Determine the forest for all available domain controllers.
5. Click Next.
6. Click Finish.

What to do next
Run the domain controller setup action and identify your FDS and RDS. See "Run the Domain Controller Setup Action" on page 227.
- Active Directory schema collection
- Active Directory specifier collection
- Active Directory structure collection

The information obtained from the third collection identifies the organizational unit (OU) structure that supports the use of VCM for Active Directory. To view the information, click Administration, and select Machines Manager > Additional Components > VCM for Active Directory.

What to do next
Collect Active Directory data.
Option                            Description
Active Directory Dashboard        Provides summary and day-to-day information about your Active Directory environment in a graphical format.
                                  - To view the dashboard, click Active Directory and select Dashboards > Managed Objects. Several Active Directory Dashboards are available.
Active Directory Object Summary   Provides summary information about your Active Directory environment in a textual format.
12 Configuring Remote Machines

The VCM Remote client is the communication and management mechanism that you use to manage mobile Windows machines as they connect to and disconnect from the network. For Windows machines that are not continuously connected to the network, the VCM Remote client listens for network events indicating that it has access to the VCM Remote-related components on the VCM Internet Information Services (IIS) server.
Using Certificates With VCM Remote
The use of certificates with VCM Remote ensures secure communication between VCM and the VCM Remote client when they are communicating outside your internal network. The communication between the Collector and the VCM Remote client is secured using Transport Layer Security (TLS) certificates. You can use the VCM certificate or you can use an existing Enterprise certificate.
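The guide states the requirement (Collector-to-client traffic is protected by TLS certificates) but not how a client-side TLS configuration is checked. The following Python block is an added example, not VCM code: it builds a client TLS context that trusts only a caller-supplied CA bundle (such as an exported enterprise CA certificate) and audits any client context against a minimum policy. The policy itself (TLS 1.2 floor, hostname verification, mandatory server certificate validation) is an assumption made for this example, as is the `ca_pem_path` argument; neither comes from the guide.

```python
import ssl

# Minimum policy for the Collector <-> VCM Remote client channel.
# Assumption made for this example (not stated in the guide): TLS 1.2 floor,
# hostname verification on, and server certificate validation required.
MIN_TLS = ssl.TLSVersion.TLSv1_2


def build_remote_client_context(ca_pem_path=None):
    """Return a client SSLContext that trusts only the given CA bundle.

    ca_pem_path: path to a CA certificate file in PEM format (for example an
    exported enterprise CA). It is a caller-supplied value, not a VCM file
    name. None falls back to the platform trust store.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = MIN_TLS
    ctx.check_hostname = True             # server name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED   # an unauthenticated server is rejected
    if ca_pem_path is not None:
        ctx.load_verify_locations(cafile=ca_pem_path)
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx):
    """Return the policy violations of a client SSLContext (empty list when compliant)."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is disabled: a valid certificate for any host is accepted")
    if ctx.minimum_version < MIN_TLS:
        findings.append("minimum_version permits TLS versions older than 1.2")
    return findings


def weak_context():
    """A deliberately weakened context, constructed here only to show what the audit flags."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE   # disables server authentication entirely
    return ctx


if __name__ == "__main__":
    print("hardened:", audit_context(build_remote_client_context()) or "no findings")
    print("weak    :", audit_context(weak_context()))
```

Running `audit_context` against the context a client actually uses is a cheap pre-deployment check: the two findings the weak context produces (no certificate validation, no hostname check) are exactly the settings that turn a TLS channel outside the internal network into one any intermediary can impersonate.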
Procedure
1. "Create Custom Collection Filter Sets" on page 233
   You create custom collection filter sets for Dial-up, Broadband, or LAN connections to efficiently manage mobile machines using the VCM Remote client. To optimize results, create a different filter set for each connection type.
2. "Specify Custom Filter Sets in the VCM Remote Settings" on page 234
   VCM Remote supports three connection types: broadband, dial-up, and LAN.
What to do next
- Repeat the procedure for all the connection types for which you configure filter sets.
- Assign the filter sets to the appropriate VCM Remote settings. See "Specify Custom Filter Sets in the VCM Remote Settings" on page 234.

Specify Custom Filter Sets in the VCM Remote Settings
VCM Remote supports three connection types: broadband, dial-up, and LAN.
Procedure
1. Click Administration.
2. Select Settings > General Settings > VCM Remote.
3. On the VCM Remote Settings data grid, select each setting separately and click Edit Settings.

Option                                                                       Configuration
Should Remote automatically install an Agent to the client (if required)?    Click Yes. Allows VCM to install the Agent when contacted by the VCM Remote client the first time.
Should Remote automatically upgrade an Agent to the                          Click Yes.
1. "Install the VCM Remote Client Manually" on page 236
   The manual installation of the VCM Remote client is a wizard-based process that you use when you have direct access to the target machines. This process is a useful way to install the client if you are creating an image to install on other machines.
2.
5. On the VCM Remote Client Information page, configure the options and click Next.

Option                   Description
Collector Machine Name   Name of the Windows machine on which the VCM Collector and Microsoft IIS are installed.
Path to ASP Page         Path for the IIS default VCM Remote Web site. The path must match the virtual directory name as it appears in the Collector's IIS. The default value is VCMRemote.
6.
Procedure
1. On the target machine, create a folder and copy the files from the Collector to the target folder.

File                                Description
CM Remote Client.msi                Located on the Collector at [install path]\VMware\VCM\AgentFiles.
CM_Enterprise_Certificate_xxx.pem   (Optional) Located on the Collector at [install path]\VMware\VCM\CollectorData.
Option                     Description
/l*v [path\]filename.log   Error messages are added to the log file in the specified path. If the path is not specified, the log file is saved in the directory from which msiexec.exe was run.

What to do next
Connect the remote machine to the network to ensure that VCM completes the installation process.
Dim sCollName, sInstallDir, sVirDir, sAddRemove, sCertFile, bInstallCert

Sub DoWork()
    Set WshShell = CreateObject("WScript.Shell")
    sCollName = "YourCollectorName"   ' Name of your VCM Collector machine in quotes
    bInstallCert = 1                  ' If the value is 1, the Enterprise Certificate is installed.
                                      ' If the value is set to 0, the installation of the certificate is
                                      ' skipped and it is assumed that the certificate is already present.
        AppToRun = AppToRun & "SKIP_CERTIFICATE_FILE=1"
    End If
    EcmScriptRuntime.CmdExecute Chr(34) & AppToRun & Chr(34), 10000
End Sub

Sub CheckVars()
    If sCollName = "" Then
        WScript.Quit
    Else
        sCollName = Trim(sCollName)
    End If
    If sVirDir = "" Then
        sVirDir = "vcmremote/ecmremotehttp.asp"
    Else
        sVirDir = Trim(sVirDir)
    End If
    If sInstallDir = "" Then
        sInstallDir = "c:\vcm remote client"
    Else
        sInstallDir = Trim(sInstallDir)
    End If
    If sAddRemove <> 0 And sAddRemove <> 1 Then sAddRemove =
    sAddRemove = Trim(sAddRemove)
End Sub

   c. Select the Certain file(s) are required to be on the target machine for this remote command check box.
   d. Click Next.
7. On the Files page, move the CM Remote Client.msi file and the .pem file to the list on the right, and click Next.
8. On the Important page, review the summary and click Finish. VCM saves the command and adds it to the Windows Remote Commands list.
9.
VCM Remote Collection Results
The VCM Remote client-specific data is limited to administrative details. All other data collected from the remote machine appears in VCM as Windows machine data. See "Windows Collection Results" on page 96. The displayed data is only as current as the last time you collected from the remote machines.

Option           Description
Administration   View administrative details about the VCM Remote client.
13 Tracking Unmanaged Hardware and Software Asset Data

The VCM management extensions for assets integrate and manage hardware and software asset data that is not gathered through the automated managed machine collection processes of VCM.
- Hardware: VCM for assets stores supplemental information (data that is not automatically collected) about physical and virtual machines that are managed by VCM.
Changing the order of the VCM for assets data field list changes the order of columns when you view asset data in the VCM Console.
6. "Refresh Dynamic Asset Data Fields" on page 249
   You can force VCM for assets to refresh the values in all fields that are configured to populate dynamically.

Review Available Asset Data Fields
VCM for assets is populated with a short list of data fields to get you started.
4. Click Add.
5. Type a name and description for the new asset data field and click Next. The name is the column heading that appears when users view the data in the VCM Console.
6. Specify properties about the new data.
   a. Select the way to populate the data.
      - Manually: type free-form text
      - Lookup: select from a fixed or query-based list of values
      - Dynamically: query from other data
   b. Select the data type.
5. Click Edit.
6. Change the name or description for the data field and click Next. The name is the column heading that appears when users view the data in the VCM Console.
7. Click Next. You cannot change the data properties.
8. Click Next.
9. Select the roles that are allowed to edit the data. Only users assigned to these roles can edit the data using the VCM Console.
10. Review the settings and click Finish.

What to do next
Remove unwanted fields.
Prerequisites
- Log in to VCM using an account with the Administrator role.
- Identify the asset data that you want to store about your hardware or software.

Procedure
1. Click Administration.
2. Select Settings > Asset Extensions Settings.
3. Select one of the following nodes.
Configure Asset Data Values for VCM Machines
Although the asset data for machines that are managed by VCM is collected, you can customize some data through VCM for assets.

Prerequisites
Log in to VCM with a role that has edit permission for asset configuration data.

Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > VCM Devices.
3. In the data grid, select the VCM machine.
4. Click Edit Values.
5.
Add Other Hardware Devices
Use VCM for assets to keep track of your non-VCM managed hardware by adding information about the hardware devices directly to VCM.

Prerequisites
- Have an administrator configure the asset data fields that you need. See "Configure Asset Data Fields" on page 245.
- Log in to VCM with a role that has edit permission for asset configuration data.

Procedure
1. Click Console.
2.
Prerequisites
Log in to VCM with a role that has edit permission for asset configuration data.

Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > Other Devices.
3. In the data grid, select the asset.
4. Click Edit.
5. Change the details that identify the device, such as its name and model, and click Next.
6. Change the values for the asset data associated with the device and click Next.
Procedure
1. Click Console.
2. Select Asset Extensions > Hardware Configuration Items > Other Devices.
3. In the data grid, select the asset.
4. Click Delete.
5. Click OK.

Configure Asset Data for Software
A user with a role that has permission to edit asset data can use VCM for assets to gather information about the software on machines that are discovered and managed by VCM.

Procedure
1.
Procedure
1. Click Console.
2. Select Asset Extensions > Software Configuration Items.
3. Click Add Software.
4. Type a name and description and click Next.
5. Select the data type that VCM for assets will look for to detect the installed software and click Next. The options take you to custom wizard pages where you type or select what VCM for assets will look for in the database.
6. Change the data type that VCM for assets will look for to detect the installed software and click Next. The options take you to custom wizard pages where you type or select what VCM for assets will look for in the database.
   - Software Inventory (Windows): Select a product from the software inventory (SI) list.
   - Registry (Windows): Type or select a Windows Registry path, key, and value.
Edit Asset Data Values for Software
You can change the details about a specific copy of software when the long-term information, such as the application name or version, is going to remain the same.

Prerequisites
Log in to VCM with a role that has edit permission for asset configuration data.

Procedure
1. Click Console.
2. Select Asset Extensions > Software Configuration Items.
3. In the data grid, select the software asset.
4. Click Edit Values.
5.
14 Managing Changes with Service Desk Integration

VCM Service Desk Integration tracks planned and unplanned changes to managed machines in your organization, and integrates change requests with your change management process. Service Desk Integration works by temporarily holding requested changes to managed machines while VCM integrates with your service desk application in order to pass the requests through your change management process or workflow.
Procedure
1. Click Console.
2. Select Service Desk.
3. Under the Service Desk node, select any subnode. For example, click By RFC to view the data according to request for change (RFC). Under the By RFC subnode, select an RFC to view the data for that item. Your subnodes and data views might differ from the defaults or from those of other organizations, based on your requirements and specific implementation.

What to do next
Look at the status of change jobs.
Index

A about this book 9 access by user 11 compliance content 21 active directory collection results 228 configuration 225 data collection 228 getting started 219 install 226 run determine forest action 226 run domain controller setup action 227 adding asset data field 246 hardware asset data 251 Linux machines 126 Mac OS X machines 126 multiple hardware asset data 251 multiple software asset data 254 service desk integration 257 software asset data 253 UNIX machines 126 vCenter Server 30 vCloud Director
bulletin details manual patching for Windows 172 bulletin updates manual patching for Linux and UNIX 164 manual patching for Windows 171 bulletins dynamic membership 191 C certificates remote client 232 change log custom information types 152-154 change management WCI 109 checking network authority account 91, 220 collect domain controllers 224 ESX logs 51, 56 ESX service console operating system 51 hosts, virtual machine 53 installation delegate 123 Lin
asset data field 245 event-driven patch assessment 190 event-driven patch deployment 190 hardware data 250 machine group mapping 187 managed machines patch staging 185 patching administration settings 193 patching repository 164, 178 protocols for patch staging 179 scheduled patch assess and deploy 196 software data 253 VCM with alternate locations 182-183 VCM with patching repository 182-183 vSphere Client Plug-in 58 console service desk integration 257 content compliance 21 content for compliance w
ESX logs collect 51, 56 event-driven patch deployment 189 assessment template 191 exploring Remote collection results 243 exporting SCAP assessment 217 F filter for WCI collections 113 filter sets remote 233 remove client 233 forest active directory 219 run determine forest action 226 foundation checker 19 installation 22 G getting started active directory 219 assets 245 auditing 87 launching 12 logging on 12 manual patch deployment for Linux and UNIX 1
logs ESX 57 M Mac OS X add machines 126 agent installation 119 collect data 134 collecting schedule 137 scheduled collection 135 collection results 135 custom information types 149 installing agent 127 machine group, create 136 Mac OS X agent enable installation 125 machine group mapping 183 configuring for patching 187 machine groups compliance 201 alerts 212 alerts, add 212 alerts, configure 213 download content 202 filters 205 resolve noncompliant results 209 resolve noncompliant results, enforce
how it works 197 Linux and UNIX 197 patches SCR Tool 179 patching 192 administrator privileges 158 AIX machines 161 alternate location 159 applicability of patches for deployment 194 assessment and deployment 157 assessment templates 162 assessments for Windows 173 bulletin details for Windows 172 bulletins dynamic membership 191 collections for Windows assessments 173 configuring event-driven assessments 190 configuring event-driven deployment 190 config
requirements for patching 158 results collection, active directory 228 ESX logs 57 SCAP 216 vCloud Director 41 virtualization 57 vShield Manager 51 reviewing asset data field 246 run compliance vCenter Server 66 vCloud Director 66 virtual objects 66 running determine forest action 226 domain controller setup 227 patching reports 200 runtime properties files for patching 180 S SCAP assessment 215-217 benchmark 215 exporting assessment 217 importing benchmark 215 overview 214 results 216 schedule coll
collect 32 compliance exceptions 67, 70, 211 compliance filters 64 compliance rule groups 62 compliance rules 63 compliance templates 61, 65 data collections 29 run compliance 66 vCenter Server virtual machines collect 36 vCloud Director add 38 collect 38, 40 collection results 41 compliance exceptions 67, 70, 211 compliance filters 64 compliance rule groups 62 compliance rules 63 compliance templates 61, 65 run compliance 66, 208 settings 39 vApp collect