VMware VCM 5.3 - TRANSPORT LAYER SECURITY IMPLEMENTATION Installation Guide Page 62

Authorized Certificates in the Trust Chain
Agents maintain a store of trusted certificates used for authenticating Collectors. When a Collector sends
its certificate to the Agent during the TLS handshake, the Agent verifies the trust chain from the Collector
certificate back to a trust root, such as the Enterprise certificate.
VCM 5.5 extends the trust process to require that at least one of the certificates in the chain be marked as
authorized to communicate with the Agent. If there are no authorized certificates in the trust chain, the
TLS handshake fails even if the chain is otherwise valid.
This feature prevents multiple Collectors that share the same issuing root certificate from automatically
being able to communicate with each other’s Agents. By requiring an authorized certificate somewhere in
the chain, an administrator can configure which Collectors have access to which Agents. If you want all
Collectors to have access to each other's Agents, authorize the shared root certificate.
By default, the Enterprise certificate is authorized during the standard Agent installation from the
Collector. If you choose to add certificates to the Agent certificate store manually, make sure that at least
one of the certificates in the chain is authorized.
• UNIX. At least one of the certificates added to the Agent certificate store using CSI_ManageCertificateStore must be inserted using the -z option to mark the certificate as authorized. See "CSI_ManageCertificateStore Options" on page 76.
• Windows. Create Agent Registry entries in HKEY_LOCAL_MACHINE\SOFTWARE\Configuresoft\CSI\5.0\Listener\Authorized for manually imported certificates. See "Mark a Certificate as Authorized on Windows" on page 69.
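The following is an added example, not VMware's code, that models the Agent-side check described above: ordinary chain validation back to a trusted root, plus the VCM 5.5 requirement that at least one certificate in the chain is marked authorized. The certificate names and fingerprints are constructed for illustration, and certificates are reduced to subject/issuer/fingerprint records rather than real X.509 objects.

```python
# Added example (not VMware's code): models the VCM 5.5 Agent-side trust check.
# Certificates are simplified to (subject, issuer, fingerprint) records; the
# names and fingerprints below are constructed for illustration.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    fingerprint: str  # constructed stand-in for a certificate thumbprint

def chain_is_valid(chain, trusted_roots):
    """Simplified path validation: each cert must be issued by the next one in
    the chain, and the last cert must be a self-issued, trusted root."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and root.fingerprint in trusted_roots

def agent_accepts_collector(chain, trusted_roots, authorized):
    """VCM 5.5 rule: a valid chain is not enough; at least one certificate in
    the chain must also be in the authorized set (the -z option on UNIX, the
    Listener\\Authorized registry key on Windows)."""
    if not chain_is_valid(chain, trusted_roots):
        return False
    return any(c.fingerprint in authorized for c in chain)

# Constructed sample PKI: one Enterprise root issuing two Collector certificates.
ENTERPRISE = Cert("CN=Enterprise CA", "CN=Enterprise CA", "aa11")
COLLECTOR_A = Cert("CN=collector-a", "CN=Enterprise CA", "bb22")
COLLECTOR_B = Cert("CN=collector-b", "CN=Enterprise CA", "cc33")
TRUSTED = {ENTERPRISE.fingerprint}

def scenario(authorized):
    """Which Collectors this Agent accepts for a given authorized set."""
    return {
        "collector-a": agent_accepts_collector([COLLECTOR_A, ENTERPRISE], TRUSTED, authorized),
        "collector-b": agent_accepts_collector([COLLECTOR_B, ENTERPRISE], TRUSTED, authorized),
    }

if __name__ == "__main__":
    # Nothing authorized: the handshake fails even though both chains are valid.
    print(scenario(set()))
    # Only Collector A authorized: B shares the same root but is still rejected.
    print(scenario({COLLECTOR_A.fingerprint}))
    # Authorizing the shared root lets every Collector under it reach the Agent.
    print(scenario({ENTERPRISE.fingerprint}))
```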
Agent Certificates
Agent certificates are used in mutual authentication. A copy of the Agent's certificate is stored in the
Collector database and is viewable in the Certificates data grid in VCM. The Agent's private key must not
exist anywhere but on the Agent machine. The following sections provide additional detail about the
Agent certificate process.
Mutual Authentication by Default
In prior releases, VCM supported server authentication by default. Starting in VCM Version 5.5, new
Collector-Agent communication employs mutual authentication by default.
If you have existing Agents that were set up manually for mutual authentication, and that take advantage
of existing Enterprise certificates and trust chains, you do not need to change their configuration to use
them with a 5.5 Collector. Furthermore, older Agents that authenticated using server authentication can
continue to do so with a 5.5 Collector. New version 5.5 Agents, however, configure themselves to
mutually authenticate with 5.5 Collectors.
Version 5.5 Agents on DCOM communication still use server authentication, but they follow the new
process for generating their own certificate and private key pair. The certificate and private key pair allow
for the following practices:
• Data to be encrypted as explained in "Encryption Between Collector and Agent" on page 63.
• The protocol to be switched to HTTP for mutual authentication.
You can view the managed machine communication security level and protocol by selecting
Administration, and clicking Machines Manager > Licensed Machines > Licensed Windows or UNIX
Machines.
VCM Security Guide    62    VMware, Inc.