Solution Guide
Federation Software-Defined Data Center Security Management Solution Guide
EMC Solutions
Abstract
This Solution Guide provides information about features and configuration options that are available for configuring secure system operations for a Federation Software-Defined Data Center. This document explains why, when, and how to use these security features.
Copyright © 2014 EMC Corporation. All rights reserved. Published in the USA. Published October 2014
EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.
THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.
EMC2, EMC, Avamar, Data Domain, Data Protection Advisor, Enginuity, PowerPath/VE, RecoverPoint, Solutions Enabler, Symmetrix VMAX, Syncplicity, Unisphere, ViPR, EMC ViPR SRM, VNX, and the EMC logo are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners.
Contents
Chapter 1: Executive Summary
Document purpose
Audience
Cloud security challenges
EMC and VMware product security approach
Technology solution
Key components
Terminology
Federation Software-Defined Data Center security documentation
Chapter 2: Software-Defined Data Center Overview
Overview
Automation and self-service provisioning
Multitenancy and secure separation
Workload-optimized storage
Elasticity and service assurance
Monitoring and resource management
Metering and chargeback
Modular add-on components
Data protection services
Disaster recovery
Public cloud services
EMC and VMware integration
Storage services
Orchestration
Operational management and monitoring
Metering
Summary
Chapter 3: Public Key Infrastructure
Overview
Subordinate (or issuing) CA
subjectAltName attributes in certificates
Enterprise PKI solution integration
Summary
Chapter 4: Converged Authentication
Overview
Security and authentication
Microsoft Active Directory—SSL certificates for LDAPS
Windows authentication and service accounts
Active Directory integration
VMware vCenter Log Insight
VMware vCenter Operations Manager and Active Directory users
VMware vCloud Automation Center: Tenant identity stores
VMware vSphere ESXi host integration with Active Directory
EMC Avamar integration
EMC DPA Active Directory support
EMC Unisphere authentication
EMC ViPR authentication
VMware vCenter SSO
TACACS+ authentication integration
Summary
Chapter 5: Centralized Log Management
Overview
vCenter Log Insight remote syslog architecture
Centralized logging integration
Content packs for vCenter Log Insight
Configuring alerts
Summary
Chapter 6: Network Security
Overview
Supporting infrastructure services
Network environment for data protection
Automation and provisioning
NSX for vSphere
Introduction
Distributed logical router
Distributed firewall
NSX Edge
Logical load balancer
N-Tier application considerations
Traditional three-tier architecture
Two-tier applications
Use case 1: Micro-segmentation with N-Tier virtual applications
Configure pre-provisioned multimachine blueprint
Verify pre-provisioned deployment
Use case 2: Micro-segmentation with converged N-Tier virtual applications
Summary
Chapter 7: Configuration Management
Overview
vCenter host profiles
vSphere Update Manager
vCenter Configuration Manager
Use case 1: Configure a custom compliance standard
Custom compliance rules
Custom compliance template
Use case 2: Apply exceptions to compliance templates
Summary
Chapter 8: Multitenancy
Overview
Secure separation
Network segmentation
Tenant authentication
Role-based access control
Solution infrastructure
Summary
Chapter 9: Conclusion
Figures
Figure 1. Federation Software-Defined Data Center key components
Figure 2. Federation Software-Defined Data Center features and functionality
Figure 3. Self-service provisioning through the vCAC portal
Figure 4. EMC ViPR Analytics with VMware vCenter Operations Manager
Figure 5. ITBM Suite overview dashboard for software-defined data center
Figure 6. EMC ViPR integration points with VMware components
Figure 7. PKI hierarchy for the Federation Software-Defined Data Center solution stack
Figure 8. Authentication relationships between the solution components
Figure 9. Log Insight authentication with Active Directory
Figure 10. Create a new group
Figure 11. Active Directory authentication providers
Figure 12. Active Directory role assignments
Figure 13. Centralized logging of software-defined data center components with vCenter Log Insight
Figure 14. Searching for security events with vCenter Log Insight
Figure 15. Log Insight client-server architecture
Figure 16. Log Insight distributed architecture
Figure 17. Sample vCenter Log Insight dashboard for vCenter Server
Figure 18. Customized software-defined data center security dashboard using multiple content packs
Figure 19. Custom Log Insight dashboard
Figure 20. Example of a Log Insight alert configured to send a notification to vC Ops
Figure 21. Examples of security alerts installed in Log Insight
Figure 22. Search logs for cloud management platform directly from vC Ops
Figure 23. vCenter Log Insight filtering logs for the management cluster components
Figure 24. EMC software-defined data center environment
Figure 25. Physical topology of the network
Figure 26. Logical topology with the cluster pod and functional networks
Figure 27. ESXi host networking vSwitch configuration
Figure 28. VLAN configuration of the cloud management vDS uplinks
Figure 29. VLAN configuration of the production vDS uplinks
Figure 30. Port group and VLAN configuration of the cloud management vDS
Figure 31. Production vDS port groups showing Edge connectivity and VXLAN port
Figure 33. Traditional three-tiered security architecture
Figure 34. Example of two-tiered application secured with micro-segmentation
Figure 35. Three-tiered application implemented with micro-segmentation
Figure 36. Networking & Security web client view of the security groups
Figure 37. View of the web, application, and database tier security policies
Figure 38. Web server security policy applied to the Web Servers security group
Figure 39. Multimachine blueprint showing single-machine components
Figure 40. Blueprint network and security group configuration
Figure 41. NSX service composer security groups membership view for the database-tier
Figure 42. Example of converged three-tiered application secured with micro-segmentation
Figure 43. View of some of the available host profile configuration parameters
Figure 44. View of host compliance status with host profile
Figure 45. Compliance view of the clusters attached to the Resource Pods host profile
Figure 46. Examples of baselines configured in vSphere Update Manager
Figure 47. Example of patch inclusion criteria for a vSphere Update Manager baseline
Figure 48. EMC PowerPath/VE extension added to vSphere Update Manager custom baseline
Figure 49. Components of the baseline group
Figure 50. View of compliance state for the Core Pod
Figure 51. Selection view of the vSphere Update Manager Remediation wizard
Figure 52. Cluster remediation options presented in the Remediation wizard
Figure 53. View of the VCM compliance dashboards showing vSphere Hardening compliance
Figure 54. vC Ops dashboard displaying Risk badge score
Figure 55. vC Ops dashboard displaying compliance status summary
Figure 56. Risk dashboard showing compliance status in environment
Figure 57. VCM custom rule creation view
Figure 58. Creating a custom compliance rule
Figure 66. Graphical summary of the Custom Compliance Template results
Figure 67. Navigating to the Compliance Exception wizard
Figure 68. Exception rules for Http Datastore on vCenter Server
Figure 69. Exception rules for the managed object browser on vCenter server
Figure 70. Federation Software-Defined Data Center network architecture
Tables
Table 1. Terminology
Table 2. Product security guides
Table 3. Certificates and keystore types for vCloud Suite 5.5 deployment
Chapter 1: Executive Summary
This chapter presents the following topics:
Document purpose
Audience
Cloud security challenges
EMC and VMware product security approach
Technology solution
Terminology
Federation Software-Defined Data Center security documentation
Document purpose
The EMC Federation of companies (EMC, VMware, Pivotal, and RSA) works together to research, develop, and validate leading-edge solutions that deliver superior, integrated solution stacks.
This Solution Guide provides information about features and configuration options that are available for configuring secure system operations in an on-premises implementation of this cloud solution. It explains why, when, and how to use these security features.
The Federation Software-Defined Data Center: Foundation Infrastructure Reference Architecture and this Security Management Solution Guide describe the reference architecture and implemented security that all the Federation Software-Defined Data Center add-on solutions build on.
Audience
This document is part of the solution documentation set and is intended for security architects, practitioners, and administrators responsible for the overall configuration and operation of the Federation Software-Defined Data Center. Readers should be familiar with VMware® vCloud® Suite, storage technologies, and general IT functions and requirements, and how they fit into a software-defined data center architecture. Table 2 on page 20 lists publications that are related to the features and functionality described in this document. A basic understanding of these features is important to understanding Federation Software-Defined Data Center security.
Cloud security challenges
While many organizations have successfully introduced virtualization as a core technology within their data center, end users and business units within customer organizations have not experienced many of the benefits of cloud computing, such as increased agility, mobility, and control. Many organizations are now under pressure to provide secure and compliant cloud services to address this need. As a result, IT departments need to create cost-effective alternatives to public cloud services—alternatives that do not compromise enterprise security and features such as data protection, disaster recovery, and guaranteed service levels.
Potential security threats must be addressed for organizations to maintain or improve their security posture while enabling the business to continue to operate. In a cloud environment, these threats must be addressed at both the underlying infrastructure and virtualized workload levels. The cloud infrastructure can be protected with restricted administration-level access, integration into authentication, logging, and monitoring systems, and system hardening in case of attack. As virtualized applications are typically exposed to an internal or external user base, they remain the primary threat vector.
Web application vulnerabilities, OS configuration errors, and missing patches are still possibilities with virtualized workloads. Cloud security technologies allow protection against these vulnerabilities while offering enhanced containerization of workloads that can limit the potential exposure of a successful attack and keep an attacker from infiltrating other systems in the environment. Challenges addressed are:
Lack of trust in cloud technology
Disjointed authentication mechanisms
Lack of coordinated event tracking
Inconsistently applied configurations
Difficulty in maintaining client or business unit multitenancy
Difficulty in enforcing separation within a demilitarized zone (DMZ) and private network zones
The Federation Software-Defined Data Center implements a variety of security features to control user and network access, monitor system access and use, and support the transmission of encrypted data. The security features related to the Federation Software-Defined Data Center are implemented on the EMC and VMware solution components and include the following:
Public key infrastructure integration
Converged authentication
EMC and VMware product security approach
An increasingly interconnected world has created growth opportunities that are now accelerating with the rise of software-defined data centers. Organizations can now deploy information infrastructures more quickly and run them with greater efficiency, control, and choice. These advances foster business agility and connectivity, but they have also created pervasive dependencies among computing components that make problems and vulnerabilities difficult to contain.
Complex, interconnected electronic systems inevitably have software bugs and vulnerabilities. Even a “perfect” product can develop problems through linkages to flawed partner products or to subsequent changes in the technology environment that create new exposures.
EMC and VMware meet these product security challenges by applying industry best practices, as well as a flexible and standardized approach to prioritizing security throughout the product lifecycle, from inception through sustainment. Trusted IT requires that EMC products are developed so that the risks of vulnerabilities are minimized, and flaws that surface are assessed and resolved as quickly as possible. This end-to-end process is designed to protect customers and to provide what customers need to help protect themselves.
The Federation believes industry collaboration is invaluable for product security. Every company has something to teach and much to learn. Industry collaboration on product security has enabled EMC to help shape and quickly adopt best practices that raise everyone’s level of trust in technology. EMC is committed to comprehensive product security programs that are built-in, transparent, and trustworthy.
For more information on the EMC product security approach, refer to http://www.emc.com/security.
Technology solution
This Federation Software-Defined Data Center solution integrates the best of EMC and VMware products and services and empowers IT organizations to accelerate implementation and adoption of a software-defined data center, while still enabling customer choice for the compute and networking infrastructures within the data center. The solution caters to customers who want to preserve their investment and make better use of their existing infrastructure and to those who want to build out new infrastructures dedicated to a software-defined data center.
environments remain secure, no longer dependent on hardware procurement or provisioning.
The traditional firewalling of North-South directed network traffic can easily be extended to enforce restrictions on East-West traffic as well, allowing true micro-segmentation of applications, application sub-tiers (web, middleware, and database), and application environments (development, test/QA, and production). Newly provisioned virtual machines can inherit security postures based on their role. Host-based security controls can run as hypervisor kernel-level processes, allowing virtual machines to consume these services without requiring additional software to be installed in every guest virtual machine.
This solution takes advantage of the strong integration between EMC technologies and the VMware® vCloud Suite. The solution, developed by EMC and VMware product and services teams, includes EMC scalable storage arrays, integrated EMC and VMware monitoring, VMware software-defined networking and security, and data protection suites to provide the foundation for enabling cloud services within the customer environment.
Key components
This section describes the key components of the solution, as shown in Figure 1.
Figure 1. Federation Software-Defined Data Center key components
Data center virtualization and cloud management
VMware vCloud Automation Center
VMware vCloud Automation Center™ (vCAC) enables customized, self-service provisioning and lifecycle management of cloud services that comply with established business policies. vCAC provides a secure portal where authorized administrators, developers, and business users can request new IT services and
VMware vSphere ESXi and VMware vCenter Server
VMware vSphere ESXi™ is a virtualization platform for building cloud infrastructures. vSphere enables you to run your business-critical applications to meet your most demanding service level agreements (SLAs) at the lowest total cost of ownership (TCO). vSphere combines this virtualization platform with the award-winning management capabilities of VMware vCenter™ Server. This solution gives you operational insight into the virtual environment for improved availability, performance, and capacity utilization.
VMware vCenter Orchestrator
VMware vCenter Orchestrator™ (vCO) is an IT process automation engine that helps automate the cloud and integrates the vCloud Suite with the rest of your management systems. vCO enables administrators and architects to develop complex automation tasks within the workflow designer. The vCO library of pre-built activities, workflows, and plug-ins helps accelerate the customization of vCAC standard capabilities.
VMware NSX for vSphere
VMware NSX™ for vSphere is the next generation of software-defined network virtualization. Features include distributed logical routing, distributed firewalling, logical load balancing, and support for routing protocols such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), and Open Shortest Path First (OSPF). Where workloads on different subnets share the same host, the distributed logical router (DLR) optimizes traffic flows by routing locally. This enables substantial performance improvements in throughput, with distributed logical routing and firewalling providing line-rate performance distributed across many hosts instead of being limited to a single virtual machine or physical host. NSX also introduces Service Composer, which integrates with third-party security services.
VMware vCenter Configuration Manager
VMware vCenter Configuration Manager automates configuration and compliance management across your virtual, physical, and cloud environments, assessing them for operational and security compliance. It automates critical configuration and compliance management tasks, and supports configuration management across virtual and physical servers, VMware infrastructure, and multiple operating systems. In addition, vCenter Configuration Manager integrates with vSphere to deliver the fundamental capabilities that support VMware infrastructure hardening, including deep configuration data collection, change tracking, and compliance assessment. Visibility into your compliance posture is provided through access to compliance toolkits that cover a broad range of standards, including security best practices, vendor-hardening guidelines, and regulatory mandates.
workflows to enable optimal resource utilization, operational efficiency, and enforcement of configuration standards.
VMware vCenter Log Insight
VMware vCenter Log Insight™ delivers automated log management through log aggregation, analytics, and search. With an integrated cloud operations management approach, it provides the operational intelligence and enterprise-wide visibility needed to proactively enable service levels and operational efficiency in dynamic software-defined data center environments.
VMware IT Business Management Suite
VMware IT Business Management (ITBM) Suite™ provides transparency and control over the cost and quality of IT services. By providing a business context to the services that IT offers, ITBM helps IT organizations move from a technology orientation to a service-broker orientation, delivering a portfolio of IT services that aligns with the needs of business stakeholders.
EMC storage services
EMC ViPR
EMC ViPR® is a lightweight, software-only solution that transforms existing storage into a simple, extensible, and open platform. ViPR extends current storage investments to meet new cloud-scale workloads, and enables simple data and application migration out of public clouds and back under the control of IT (or vice versa). ViPR gives IT departments the ability to deliver on-premises, fully automated storage services at price points that are at or below public cloud providers.
EMC VNX and EMC Symmetrix VMAX
EMC VNX® and EMC Symmetrix® VMAX® are powerful, trusted, and smart storage array platforms that provide the highest level of performance, availability, and intelligence in the software-defined data center. VNX and VMAX storage systems offer a broad array of functionality and tools, such as Fully Automated Storage Tiering for Virtual Pools (FAST™ VP), enabling multiple storage service levels to support ViPR-driven storage-as-a-service offerings in the software-defined data center environment.
EMC ViPR SRM
EMC ViPR SRM, storage resource management software, provides comprehensive monitoring, reporting, and analysis for heterogeneous block, file, and virtualized storage environments. It enables you to visualize application-to-storage dependencies, monitor and analyze configurations and capacity growth, and optimize your environment to improve return on investment.
Terminology
Table 1 lists the terminology used in the guide.
Table 1. Terminology
ACL: Access control list
AD: Active Directory
AIA: Authority Information Access
API: Application programming interface
Avamar MCCLI: Avamar Management Console Command Line Interface
BGP: Border Gateway Protocol
CA: Certification authority
CBT: Changed Block Tracking
CDP: CRL Distribution Point
CNAME: A canonical name record in DNS used to resolve an alias to an actual hostname
CRL: Certificate Revocation List that contains a list of serial numbers of revoked certificates
CSR: Certificate Signing Request
DHCP: Dynamic Host Configuration Protocol
DFW: NSX distributed firewall
DLR: NSX distributed logical router
FQDN: Fully qualified domain name
HSM: Hardware security module
IaaS: Infrastructure as a service
IIS: Internet Information Services
IS-IS: Intermediate System to Intermediate System
LAG: Link aggregation that bundles multiple physical Ethernet links between two or more devices into a single logical link
PKI: Public key infrastructure
PVLAN: Private virtual LAN
SAML: Security Assertion Markup Language is an open standard for exchanging authentication and authorization between an identity provider and a service provider
SSL: Secure Sockets Layer, now superseded by Transport Layer Security (TLS), which offers better security
STP: Spanning Tree Protocol
TLS: Transport Layer Security
TACACS: Terminal Access Controller Access Control System
vCAC blueprint: A blueprint is a specification for a virtual, cloud, or physical machine and is published as a catalog item in the vCAC service catalog
vCAC business group: A set of users, often corresponding to a line of business, department, or other organizational unit, that can be associated with a set of catalog services and infrastructure resources
vCAC fabric group: A collection of virtualization compute resources and cloud endpoints that is managed by one or more vCAC fabric administrators
vDS: Virtual distributed switch
VLAN: Virtual local area network
VRF: Virtual routing and forwarding
VSI: Virtual Storage Integrator
Federation Software-Defined Data Center security documentation
This solution has been secured where appropriate by implementing the recommendations in the product security guides from EMC and VMware listed in Table 2.
Table 2. Product security guides
EMC Product Security white paper (Part Number H13230): This white paper describes how EMC embeds security in the company’s product development, deployment, and maintenance practices, as well as in its supply chain.
EMC VNX Series Security Configuration Guide for VNX (P/N 300-015-128 REV. 02): This document provides information about features and configuration options that are available for configuring secure system operation and storage processing. It explains why, when, and how to use these security features.
EMC Symmetrix Security Configuration Guide REV 02: This guide helps you to securely deploy, use, and maintain Solutions Enabler version 7.6 and Unisphere for VMAX version 1.6.
EMC ViPR Version 2.0.0 Security Configuration Guide (P/N 302-001-011 REV. 01): This guide provides an overview of security configuration settings available in EMC ViPR, secure deployment and usage settings, and secure maintenance and physical security controls needed to ensure secure operation of EMC ViPR.
EMC Avamar 7.0 Product Security Guide (P/N 300-015-223 REV 03): EMC Avamar is backup and recovery software with integrated data deduplication technology. This Product Security Guide provides an overview of the settings and security provisions that are available in Avamar to ensure secure operation of the product.
EMC Avamar 7.0 Extended Retention Security Guide (P/N 300-015-244 REV 01): This document describes how to configure security features for the EMC Avamar extended retention feature.
EMC Data Domain Version 5.5 Product Security Guide (302-000-415 REV 01): This document describes the key security features of EMC Data Domain systems and provides the procedures required to ensure data protection and appropriate access control.
vSphere 5.5 Security Hardening Guide: This guide covers hardening the following components of vSphere: virtual machines; ESXi hosts; virtual network; vCenter Server and its database and clients (common vCenter and Windows-specific guidance is here); vCenter Web Client; vCenter SSO Server; vCenter Virtual Appliance (VCSA) specific guidance; vCenter Update Manager.
VMware vCenter Log Insight Security Guide: This guide provides a reference to the security features of Log Insight.
VMware vShield Installation and Upgrade Guide: This guide describes how to install and configure the VMware vShield system by using the vShield Manager user interface, the vSphere Client plug-in, and the command line interface (CLI). The information includes step-by-step configuration instructions and suggested best practices.
VMware NSX Network Virtualization Design Guide: This guide provides an overview of VMware’s NSX network virtualization platform.
VMware NSX 6 Documentation Center: This VMware NSX 6 documentation center provides information about installing, configuring, and using NSX.
Hardened Appliance Operations Guide: This guide addresses the site-specific technical requirements required to meet Security Technical Implementation Guides (STIGs).
Chapter 2: Software-Defined Data Center Overview
This chapter presents the following topics:
Overview
Automation and self-service provisioning
Multitenancy and secure separation
Workload-optimized storage
Elasticity and service assurance
Monitoring and resource management
Metering and chargeback
Modular add-on components
Public cloud services
EMC and VMware integration
Summary
Overview
The Federation Software-Defined Data Center solution enables a well-run software-defined data center by bringing new functionality to IT organizations, developers, end users, and line-of-business owners. In addition to delivering baseline infrastructure as a service (IaaS), built on the software-defined data center (SDDC) architecture, the Federation Software-Defined Data Center also delivers feature-rich capabilities to expand from IaaS to business-enabling IT as a service (ITaaS).
Backup as a service (BaaS) and disaster recovery as a service (DRaaS) are now policies that can be enabled with just a few clicks. End users and developers can quickly gain access to a marketplace of application resources from Microsoft, Oracle, SAP, EMC Syncplicity, and Pivotal, and they can add third-party packages as needed. All these resources can be deployed on private cloud or public cloud services from EMC-powered cloud service providers, including VMware vCloud Air.
This solution includes the following features and functionality, as shown in Figure 2.
Automation and self-service provisioning
Multitenancy and secure separation
Workload-optimized storage
Elasticity and service assurance
Monitoring and resource management
Metering and chargeback
Figure 2. Federation Software-Defined Data Center features and functionality
Automation and self-service provisioning
This solution provides self-service provisioning of automated cloud services to both end users and infrastructure-level administrators. It uses VMware vCloud Automation Center (vCAC), integrated with EMC ViPR and VMware NSX, to provide the compute, storage, network, and security virtualization platforms for the SDDC. These platforms enable you to rapidly deploy and provision business-relevant cloud services across your software-defined data center and physical infrastructure.
Cloud users can request and manage their applications and compute resources within established operational policies; this can reduce IT service delivery times from days or weeks to minutes. Features include:
Cross-cloud storefront: Acts as a service governor that provisions workloads based on business and IT policies
Role-based self-service portal: Delivers a user-appropriate catalog of IT services
Resource reservations: Enable resources to be allocated for use by a specific group and ensure those resources are inaccessible to other groups
Service levels: Define the amount and type of resources a specific service can receive either during the initial provisioning or as part of any configuration
Build specifications: Contain the automation policies that specify the process for building or reconfiguring compute resources
In this solution, vCAC provides lines of business with the ability to rapidly deploy and provision applications and services to the cloud platform as and when their needs demand. vCAC provides the ability to take a shared infrastructure and divide it into logical units and capacities that can be assigned to different business units. Using role-based entitlements, business users can choose from their own self-service catalog of custom-defined services and blueprints. Each user’s catalog presents only the virtual machines, applications, and service blueprints they are entitled to, based on their assigned role within the business.
Service blueprints enable cloud infrastructure administrators to add services created by EMC that take advantage of ViPR for automated storage services, and Avamar® and Data Domain® for data protection services.
Virtual machine and application blueprints can be single machine or multimachine, covering both bare metal server deployments and virtual machine deployments. Multitier enterprise applications requiring multiple components (application, database, and web) and service levels can be deployed easily from predefined blueprints.
Figure 3 shows the Federation Software-Defined Data Center self-service portal in VMware vCAC.
virtual machines, and generation of backup reports, all from the vCAC self-service portal.
As part of the vCAC provisioning process, NSX virtual routing can be used to provide an on-demand deployment model for creating custom networks, which support NSX edge routers and logical switches. This enables a custom configuration to be built as part of a multimachine provisioning process.
This solution is built to work with new and existing infrastructures. It supports the differing requirements of an enterprise’s many business units, and integrates with a wide variety of existing IT systems and best practices.
Multitenancy and secure separation
Multitenancy requirements in a cloud environment can range from shared, open resources to completely isolated resources, secure from any access. This solution provides the ability to enforce physical and virtual separation for multitenancy, offering different levels of security to meet business, security policy, and/or regulatory compliance requirements. This separation can encompass network, compute, and storage resources, to ensure appropriate security and performance for each tenant.
The solution supports secure multitenancy through vCAC role-based access control (RBAC), enabling vCAC roles to be mapped to Active Directory groups. vCAC uses existing authentication and business groupings. The self-service portal shows only specific views, functions, and operations based on the role within the business. Physical resource separation can be achieved in vCAC to isolate tenant resources or to isolate and contain compute resources for licensing purposes, for example, Oracle. Virtual resource separation can be achieved between and within resource groups, depending on the level of separation required.
Virtualized compute resources within the software-defined data center are objects inherited from the vSphere endpoint, most commonly representing VMware vSphere ESXi hosts, host clusters, or resource pools. Compute resources can be configured at the vSphere layer to ensure physical and logical separation of resources between functional environments such as Production or Test and Development (Test/Dev). Valid concerns exist around information leakage and “nosy neighbors” on a shared network infrastructure. Consumers of the provisioned resources need to operate in an isolated environment and benefit from infrastructure standardization. To address these concerns, this solution has been designed for multitenancy. We approached this from a defense-in-depth perspective, which is demonstrated through:
Implementing virtual local area networks (VLANs) to enable isolation at Layer 2 in the cloud management platform and where the solution intersects with the physical network
Using VXLAN overlay networks to segment tenant and business group traffic flows
Integrating with firewalls functioning at the hypervisor level to protect virtualized applications and enabling security policy enforcement in a consistent fashion throughout the solution
Deploying provider and business group edge firewalls to protect the business group and tenant perimeters
Security
This solution enables customers to enhance security by establishing a hardened security baseline across the hardware and software stacks that support their Federation Software-Defined Data Center infrastructure. The solution helps to reduce concerns around the complexities of the underlying infrastructure by demonstrating how to tightly integrate an as-a-service solution stack with public key infrastructure (PKI) and a common authentication directory to provide centralized administration and tighter control over security.
The solution addresses the challenges of securing authentication and configuration management to aid compliance with industry and regulatory standards through:
Securing the infrastructure by integrating with a PKI to provide authenticity, non-repudiation, and confidentiality
Converging the various authentication sources into a single directory to enable a centralized point of administration and policy enforcement
Using configuration management tools to generate infrastructure reports for audit and compliance purposes
VMware NSX for vSphere
NSX for vSphere can be used in the Federation Software-Defined Data Center to enable a rich networking and security feature set. Enhanced networking and security features in NSX include:
NSX logical routing and firewalls: Provide line-rate performance distributed across many hosts instead of being limited to a single virtual machine or physical host.
Distributed logical routers: Contain East-West traffic and North-South traffic within the hypervisor where workloads reside on the same host.
Logical load balancer: Enables load sharing across a pool of virtual machines with configurable health-check monitoring and application-specific rules for
dynamic workloads and shifting environments to be automatically assigned appropriate security policies.
Workload-optimized storage
This solution enables customers to take advantage of the proven benefits of EMC storage in a software-defined data center environment. Using EMC ViPR storage services and the capabilities of VNX and VMAX, this solution provides software-defined storage-policy-based management of block- and file-based virtual storage. With a scalable storage architecture that uses the latest flash and tiering technologies, VNX and VMAX storage arrays enable customers to meet any workload requirements with maximum efficiency and performance in the most cost-effective way. With ViPR, the storage configuration is abstracted and presented as a single storage control point, enabling cloud administrators to access all heterogeneous storage resources within a data center as if they were a single large array.
Storage administrators are able to maintain control of their storage resources and policies, while the cloud administrator is able to automatically provision storage resources into the cloud infrastructure.
Elasticity and service assurance
This solution uses a combination of tools to provide the intelligence and visibility required to proactively ensure service levels in virtual and cloud environments. Using vCAC and tools provided by the Federation, administrators and end users can dynamically add resources as needed, based on their performance requirements. Infrastructure administrators can add storage, compute, and network resources to their resource pools, while end users can expand the resources of their own virtual machines to achieve the service levels they expect for their application workloads. Cloud users can select from a range of service levels of compute, storage, and data protection for their applications to achieve the most efficient use of the resources within their software-defined data center environment.
Monitoring and resource management
This solution features automated monitoring capabilities that provide IT administrators with a comprehensive view of the cloud environment to enable smart decision making for resource provisioning and allocation. These capabilities are based on a combination of vC Ops dashboards, alerts, and analytics, using extensive additional storage detail provided by EMC analytics adapters for ViPR, VNX, and VMAX.
performance problems. Installing the EMC ViPR Analytics adapter on vC Ops enables full end-to-end visibility of the entire infrastructure, from virtual machine to LUN and every point in between.
The ViPR Analytics and EMC Storage Analytics (ESA) packs are presented through the vC Ops custom interface. This enables administrators to quickly recognize the health of EMC ViPR virtual arrays and physical EMC VMAX and VNX block and file arrays using customized EMC dashboards for vC Ops, such as the EMC ViPR dashboard shown in Figure 4.
Figure 4. EMC ViPR Analytics with VMware vCenter Operations Manager
Capacity analytics in vC Ops identify over-provisioned resources so they can be right-sized for the most efficient use of virtualized resources. What-if scenarios eliminate the need for spreadsheets, scripts, and rules of thumb.
EMC ViPR SRM offers comprehensive monitoring and reporting for this software-defined data center solution that helps IT visualize, analyze, and optimize their software-defined storage infrastructure. Cloud administrators can use ViPR SRM to understand and manage the impact that storage has on their applications and view their storage topologies in their software-defined data center from application to
dashboards and user-defined fields specifically for those EMC products, which enable administrators to conduct problem analysis and analytics on the storage array and backup infrastructure.
Metering and chargeback
The solution uses ITBM Suite to provide cloud administrators with metering and cost information across all business groups in the enterprise. ITBM indicates the cost of a virtual machine and blueprints based on business units and application groups across the software-defined data center environment.
VMware ITBM Standard Edition uses its own reference database, which has been preloaded with industry-standard and vendor-specific data to generate the base cost of virtual CPU (vCPU), RAM, and storage values. These prices, which default to cost of CPU, RAM, and storage, are automatically consumed by vCAC, where the cloud administrator can change them as appropriate. This eliminates the need to manually configure cost profiles in vCAC and assign them to compute resources.
ITBM is integrated into the vCAC portal for the cloud administrator and presents a dashboard overview of the software-defined data center infrastructure, as shown in Figure 5.
Figure 5. ITBM Suite overview dashboard for software-defined data center
ITBM is also integrated with VMware vCenter and can import existing resource hierarchies, folder structures, and vCenter tags to associate software-defined data center resource usage with business units, departments, and projects.
Modular add-on components
Data protection services
Using vCenter Orchestrator workflows customized by the Federation, administrators can quickly and easily set up multitier data protection policies and enable users to select an appropriate policy when provisioning their virtual machines. The backup infrastructure takes advantage of Avamar and Data Domain features such as deduplication, compression, and VMware integration.
Avamar provides scalable backup and restore capabilities with integrated data deduplication, which reduces total disk storage by up to 50 times and enables cost-effective, long-term retention on Avamar Data Store servers. Avamar can alternatively use a Data Domain appliance as the backup target.
Using the vCAC application program interface (API) and extensibility toolkits, this solution implements custom functionality to provide Avamar-based, image-level backup services for applications and file systems within a single organization or multiorganization software-defined data center environment.
With this solution, enterprise administrators can offer IaaS with EMC backup to end users who want a flexible, on-demand, automated backup infrastructure without having to purchase, configure, or maintain it.
The Federation Software-Defined Data Center enables cloud administrators to select disaster recovery (DR) protection for their applications and virtual machines when deploying from the vCAC self-service catalog. EMC ViPR automatically places these systems on storage that is protected remotely by EMC RecoverPoint. VMware vCenter Site Recovery Manager, through tight integration with the EMC RecoverPoint Storage Replication Adapter (SRA), can automate the recovery of all virtual storage and virtual machines at a recovery or failover site.
Public cloud services
This Federation Software-Defined Data Center solution enables IT organizations to broker public cloud services. This solution has been validated with VMware vCloud Air as a public cloud option that can be accessed directly from the solution's self-service portal by administrators and users. End users can provision virtual machines, while IT administrators can use VMware vCloud Connector to perform virtual machine migration (offline) from the on-premises component of their software-defined data center to vCloud Air.
EMC and VMware integration
This Federation Software-Defined Data Center solution contains many integration points between EMC and VMware products. This section highlights some of the key integration points and how they fit into the overall solution.
Storage services
Some of the integration points between VMware components and EMC ViPR are shown in Figure 6.
Figure 6. EMC ViPR integration points with VMware components
While being managed by ViPR, VNX and VMAX storage arrays both support VMware vSphere® Storage APIs – Array Integration (VAAI), which offloads virtual machine operation to the array to optimize server performance.
The ViPR Storage Provider integrates ViPR with VMware vSphere Storage APIs – Storage Awareness (VASA). This enables vCenter administrators to view the storage capabilities of ViPR provisioned storage and manage association of these file systems and volumes or LUNs with their ViPR virtual pools. This service runs on the ViPR appliance and a connection is configured in vCenter for communications.
All VMware vSphere ESXi servers in this solution run EMC PowerPath/VE for automatic path management and load balancing in the SAN. EMC PowerPath/VE automates failover and recovery and optimizes load balancing of data paths in virtual environments to ensure availability, performance, and the ability to scale out mission-critical applications.
The ViPR plug-in for VMware vCenter Orchestrator (vCO) provides an orchestration interface to the EMC ViPR software platform. The EMC ViPR plug-in has pre-packaged workflows used through the vCO client and other clients that support vCO integration. The pre-packaged workflows contain sets for common ViPR operations and sets of building block workflows intended for detailed ViPR operations. The EMC ViPR plug-in is installed in the vCO configuration interface.
Operational management and monitoring
The EMC ViPR Analytics pack for vC Ops provides advanced metrics for virtual resources at the EMC ViPR virtual array and virtual pool level. The ESA adapter for EMC VNX and VMAX provides preconfigured dashboards for VMware vC Ops users to view storage metrics and topologies of the individual storage components beneath EMC ViPR.
EMC also provides storage and data protection content packs for use with VMware vCenter Log Insight. EMC content packs for Avamar, VNX, and VMAX provide dashboards and user-defined fields specifically for those EMC products that enable administrators to conduct problem analysis.
EMC ViPR Storage Provider plays a key role in this solution in identifying the capabilities of the storage presented to ESXi servers managed by vCenter. A storage profile is created in vCenter for each class, or tier, of storage presented by ViPR. These storage profiles are used by VMware ITBM to classify and charge for each tier of storage presented and consumed in vCAC.
Summary
This solution enables enterprise customers to build an enterprise-class, scalable, multitenant platform for complete management of their compute service lifecycle. It provides on-demand access and control of compute resources and security while enabling enterprise customers to maximize asset use. Specifically, this solution integrates all of the key functionality that customers demand, and provides a framework and foundation for adding other services.
This solution supports a VMware vCloud Suite stack with EMC storage and data protection services, providing customers with the flexibility to deliver cloud-based services with the functionality to which they are accustomed.
Chapter 3 Public Key Infrastructure
This chapter presents the following topics:
Overview ... 36
Enterprise PKI architecture ... 37
Enterprise PKI solution integration ... 39
Summary ... 44
Overview
Integrating a PKI infrastructure in a multitenant software-defined data center environment ensures that all the components that use or rely on X.509 certificates and technology are trusted. By default, components are installed or factory shipped with self-signed X.509 certificates that are untrusted, because you cannot verify the authenticity of who issued or signed them. In such an environment, an attacker could impersonate a device or application to perform man-in-the-middle attacks or harvest administrative credentials for subsequent use in compromising other systems on the network. The impact of such an attack is more serious because of the privileges usually given to systems administrators to fulfill their duties. Certain regulated industries and governments require the use of trusted certificates only.
Integration with a trusted PKI addresses this problem by establishing a chain of trust from the trusted X.509 certificate installed on the device or application and through the issuing certification authority (CA) to the root CA. In addition, it provides a means to validate this trust by publishing Authority Information Access (AIA) and Certificate Revocation Lists (CRLs).
This chapter provides an overview of integrating the Federation Software-Defined Data Center solution stack and supporting infrastructure into an enterprise PKI hierarchy. This does not cover PKI policies, registration authorities (RAs), validation authorities (VAs), or other components typically used in the PKI. Design considerations for these components should be taken into account when implementing PKI with your organization and are outside the scope of this guide.
The private keys used by the CAs should be safeguarded. Use network-based hardware security modules (HSMs) in a virtualized environment to store the CAs’ private keys in a secure manner with tamper protection. HSMs can also provide offloading of certain cryptographic processing for symmetric or asymmetric needs where performance and speed are a requirement.
Note: Transport Layer Security (TLS) is a standard for a cryptographic protocol that is closely related to Secure Sockets Layer (SSL). Both use X.509 certificates and asymmetric authentication between the client and server to exchange the symmetric key used to encrypt the communication session between the endpoints. TLS has supplanted SSL as the protocol used to provide security for client-server encryption as it offers significantly improved security. Throughout this guide there may be references to SSL; however, TLS-compatible configurations and certificates have been implemented.
Enterprise PKI architecture
Figure 7 shows the hierarchal relationship of the PKI environment with the root self-signed certificate, the issuing CA certificate, and the end-entity-issued certificates. Figure 7 also shows the trust relationship between the end-entity certificates used in this solution and the end user.
Figure 7. PKI hierarchy for the Federation Software-Defined Data Center solution stack
All issuing CA and end-entity certificates contain the Authority Information Access (AIA) extension, which contains URLs pointing to where the root and subordinate CA certificates in the certificate chain are located. The issuing CA and end-entity certificates also contain the CRL Distribution Point (CDP) extension, which contains URLs pointing to the location of the CRL for the CAs. The end-entity certificates were issued by the subordinate CA and requested with a subject alternative name (subjectAltName, also abbreviated to SAN) that consists of a fully qualified domain name (FQDN), hostname, and IP address.
Root certificate authority
In this solution, we installed the root CA (ESG lab root certificate authority) on a dedicated Microsoft Windows 2012 Server standalone virtual machine.
For this environment, the validity period for both the certificates and CRL issued by the root CA was set to five years. After the periods were set, we configured the location of a copy of the root CA certificate and CDPs for the root CA. Because the root CA is typically offline, it is important that the AIAs and CRLs are available on systems other than the root CA, and the root certificate is configured with the location of the AIA and CDPs. In this solution, these are published on the issuing CA. After you have configured the root CA, back it up using the certificate services CA backup utility. This enables you to create a backup of the root CA’s private key, CA certificate, certificate database, and certificate database log.
Also, it is important that you install the root CA certificate on the system-wide certificate stores on all systems in this environment.
Subordinate (or issuing) CA
As a prerequisite to starting the subordinate CA configuration, the root CA certificate must be installed on the system-wide certificate store on the Microsoft Windows Server that is used as the subordinate CA. After the root CA certificate is installed, and after joining the domain, the necessary Active Directory Certificate Services and Internet Information Services (IIS) roles can be installed. Because we joined the server to the Active Directory domain, we can deploy this subordinate CA as an enterprise-type installation that enables integration with Active Directory and the auto-enrollment of clients. After the subordinate CA certificate signing request (CSR) is submitted to the root CA and issued, install it on the subordinate CA and start the CA service.
The certificate and CRL for the root CA are published to Active Directory and to a folder on the server that is web accessible. We configured the subordinate CA AIA and CDP extensions to use the same locations for the subordinate CA certificate and CRLs.
subjectAltName attributes in certificates
In production environments, it is common for systems to be managed and accessed using the system IP address, hostname, or FQDN. However, when PKI is introduced, this behavior can result in certificate validation errors that can cause integration to fail.
You can issue a certificate that contains one or more Subject Alternative Name attributes (subjectAltName), in addition to the subject name (also known as the common name). However, this is not enabled by default in Active Directory Certificate Services.
Enterprise PKI solution integration
Part of hardening the infrastructure is to replace the self-signed X.509 certificates with valid signed certificates from a trusted CA. Some organizations may choose to use an external entity for this.
In this solution, we configured an internal CA using a hierarchical structure, as shown in Figure 7. This shows the CA architecture with the root at the top level, which is either offline or air-gapped. Subordinate CAs are tiered in the Active Directory forest. The PKI used in this solution is based on the deployment of the Active Directory Certificate Services. Follow best practices when designing your organization’s PKI infrastructure and take additional security measures to ensure protection of the private keys in use by the CAs.
Note: Hardware security modules (HSMs) can provide increased randomness and private key protection, but were not used in this solution.
Microsoft Active Directory—LDAP over SSL certificates
Lightweight Directory Access Protocol (LDAP) is the protocol by which many applications submit authentication or authorization requests. LDAP introduces a significant security risk because credentials (username and password) are passed over the network unencrypted. This can quickly lead to credentials becoming compromised.
We can significantly strengthen the security of these authentication and authorization communications by encrypting the entire LDAP session with SSL, known as LDAP over SSL or LDAPS. By default, Active Directory is not configured to support LDAPS, so certain steps must be taken to integrate Active Directory with a trusted PKI and enable LDAPS.
The Active Directory LDAP over SSL (LDAPS) certificate is issued by the subordinate CA and requested on each participating domain controller using the Certificates snap-in added to the Microsoft Management Console (MMC). The certificate is installed in the domain controller certificate store and is used by Active Directory Domain Services to apply to LDAP communications to secure authentication and authorization requests.
VMware vCenter Log Insight
To update the trusted CA certificate stores for vCenter Log Insight, add the trusted CA chain to both the OpenSSL certificate store and Java CA certificate (cacerts) keystore. When you have established trust with the root and issuing CAs, you can generate the private key and CSR using OpenSSL and combine the resulting signed certificate with the private key and convert it to a PEM-formatted certificate. Install it through the https://vcenter-log-insight_fqdn/admin/ssl/ web interface.
VMware vCenter Orchestrator
vCO has two elements that use signed certificates by default. Replace the self-signed certificates used for both the vCO server engine and the vCO management web server to protect the applications communications with other components and the web management interface.
vCO Server certificate
In preparation, import the root and issuing CA certificates using the vCO Certificates Manager tool in the vCO client. The CSR can be generated using the Server Certificate UI of the vCO Configurator and submitted to the issuing CA. The resulting signed certificate is then imported using the Server Certificate UI.
vCO web server certificate
Replacing the vCO web server self-signed certificate protects the management interface. In preparation, import the root and issuing CA certificates to the jssecacerts keystore using the vCO-installed Java keytool utility. The Java keytool utility is then used to regenerate the “dunes” private key and CSR that can be submitted to the issuing CA. The resulting signed certificate is imported to the jssecacerts keystore.
VMware vCenter Operations Manager
To establish the certificate validation chain, add the trusted CA chain to both the OpenSSL certificate store and Java cacerts keystore. Then generate a private key and CSR using OpenSSL that can be submitted to the issuing CA. The resulting signed certificate is combined with the private key and converted to a PEM-formatted certificate that is then installed through the https://vcops_fqdn/admin web interface.
VMware vCenter Single Sign-On
The certificate requirements of vSphere 5.5 differ significantly from vSphere 5.0 because of the introduction of vCenter Single Sign-On (SSO) as a mandatory prerequisite to installing VMware vCenter Server. vCenter SSO provides an authentication interface called Security Token Service (STS) that enables administrators or applications to authenticate with a defined security domain or identity source such as Active Directory or OpenLDAP. If successful, the credentials are exchanged for a SAML 2.0 token that is then used to interact with the various vSphere platform applications. During the interaction between components, the client verifies the authenticity of the certificate presented during the TLS handshake phase, before encryption, which protects against “man-in-the-middle” attacks. Each VMware SSO-enabled component registers with SSO using the client end-entity certificate and requires a unique certificate, as detailed in Table 3. The exceptions are
Table 3. Certificates and keystore types for vCloud Suite 5.5 deployment
Component                    Keystore   Private key   Full certificate chain
vCenter Single Sign-On       N/A        Y             Y
vCenter Inventory Service    N/A        Y             Y
vCenter Server               N/A        Y             Y
vCenter Log Browser          N/A        Y             Y
vCenter Log Insight          N/A        Y             N
vCenter Operations Manager   N/A        Y             N
vCenter Orchestrator         N/A        Y             Y
vSphere Web Client           N/A        Y             Y
vSphere Update Manager       N/A        Y             Y
vSphere ESXi                 N/A        Y             Y
In this context, what distinguishes a vSphere component certificate is the subject Organizational Unit (OU) value. This is important because vCenter SSO looks exclusively at this attribute to determine if the vSphere service is already registered or not. The subject Distinguished Name (DN) value is stored in the SSO database as the primary key for each certificate, rather than the hash, thumbprint, or any other attribute. This is important where multiple vCenter services are deployed, as recommended, in a single virtual machine. In this case, the common name and other attributes may be identical, leading to the possibility of the same subject DN being used across services. Ensure that the new SSL certificate for each vSphere component has a unique subject DN encoded within the certificate. You can achieve this by specifying an additional attribute such as a unique OU for each certificate request.
Note: Having a unique OU is one way to achieve a unique subject DN, but other attributes can be used. A unique OU is not mandatory as it is only part of the subject DN. For more details on identifying the constituent components of a subject DN, refer to Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280).
To address some of these complexities, VMware released the vCenter Certificate Automation Tool 5.5. It can automatically generate the certificate-signing requests, update or replace existing certificates, and establish trust between the VMware components, but it does not handle the replacement of ESXi certificates or have certificate requests signed or renewed by a trusted CA.
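The two-tier hierarchy with its AIA and CDP extensions and subjectAltName values (FQDN, hostname, and IP address) described under Enterprise PKI architecture, the untrusted self-signed default described in the chapter overview, and the unique-subject-DN requirement for vCenter SSO described above, worked through in code. This is an added example and not code from this guide, from VMware, or from EMC: it builds an in-memory root CA, issuing CA, and end-entity certificates with Go's standard crypto/x509 package, then performs the validation a client performs during the TLS handshake. The CA common names follow the lab in this guide; the AIA and CDP URLs, the host vcenter.esg.lab, the address 10.0.0.21, and the OU values are constructed for the example and are not taken from the guide.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed lab URLs for the AIA and CDP locations served from the issuing CA (not from the guide).
const (
	AIAURL = "http://pki.esg.lab/certs/issuing-ca.crt"
	CDPURL = "http://pki.esg.lab/crl/issuing-ca.crl"
)

// CA pairs a certificate with the private key that signs under it.
type CA struct{ Cert *x509.Certificate; Key *ecdsa.PrivateKey }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// sign generates a P-256 key for tmpl and has parent sign it; a nil parent means self-signed.
func sign(tmpl *x509.Certificate, parent *CA) *CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl.SerialNumber = must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64)))
	tmpl.NotBefore = time.Now().Add(-time.Minute)
	issuerCert, issuerKey := tmpl, key
	if parent != nil {
		issuerCert, issuerKey = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey))
	return &CA{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// BuildHierarchy creates the offline self-signed root (five-year validity, as in the guide) and
// the issuing CA, whose AIA and CDP extensions point at material published off the root.
func BuildHierarchy() (root, issuing *CA) {
	ca := func(cn string) *x509.Certificate {
		return &x509.Certificate{
			Subject:               pkix.Name{CommonName: cn, Organization: []string{"ESG lab"}},
			NotAfter:              time.Now().AddDate(5, 0, 0),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root = sign(ca("ESG lab root certificate authority"), nil)
	t := ca("ESG lab issuing CA")
	t.IssuingCertificateURL, t.CRLDistributionPoints = []string{AIAURL}, []string{CDPURL}
	return root, sign(t, root)
}

// IssueServerCert issues an end-entity certificate whose subjectAltName carries FQDN, short
// hostname and IP, so validation succeeds however the system is addressed; ou keeps the
// subject DN unique per vSphere component. A nil issuing CA yields the factory-style
// self-signed certificate an appliance ships with (no chain to a trusted root).
func IssueServerCert(issuing *CA, fqdn, host string, ip net.IP, ou string) *x509.Certificate {
	t := &x509.Certificate{
		Subject:     pkix.Name{CommonName: fqdn, Organization: []string{"ESG lab"}, OrganizationalUnit: []string{ou}},
		NotAfter:    time.Now().AddDate(2, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:    []string{fqdn, host},
		IPAddresses: []net.IP{ip},
	}
	if issuing == nil {
		return sign(t, nil).Cert
	}
	t.IssuingCertificateURL, t.CRLDistributionPoints = []string{AIAURL}, []string{CDPURL}
	return sign(t, issuing).Cert
}

// Verify does what a TLS client does: chain leaf -> issuing -> root against the installed root
// and match the name (FQDN, hostname or IP) the client connected with.
func Verify(leaf, issuing, root *x509.Certificate, name string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inter.AddCert(issuing)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: name})
	return err
}

// SubjectDN is the value vCenter SSO stores as the key for a registered service.
func SubjectDN(c *x509.Certificate) string { return c.Subject.String() }

func main() {
	root, issuing := BuildHierarchy()
	ip := net.ParseIP("10.0.0.21") // constructed lab address
	vc := IssueServerCert(issuing, "vcenter.esg.lab", "vcenter", ip, "vCenterServer")
	fmt.Println("by IP ->", Verify(vc, issuing.Cert, root.Cert, "10.0.0.21"))
	fmt.Println("self-signed ->", Verify(IssueServerCert(nil, "vcenter.esg.lab", "vcenter", ip, "default"), issuing.Cert, root.Cert, "vcenter.esg.lab"))
	fmt.Println("subject DN:", SubjectDN(vc))
}
```

Run as written, the same end-entity certificate validates by FQDN, short hostname, and IP address, and the factory-style self-signed certificate fails with an unknown-authority error against the lab root. Two certificates for services on the same host that share a common name but differ in OU give distinct subject DNs, which is the property SSO relies on; with identical OUs the DNs collide. The AIA and CDP URLs are only embedded here; fetching the issuer certificate and checking the CRL is the client's revocation configuration, and a client that lacks the issuing CA certificate cannot build the chain even with the root installed.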
VMware vCloud Automation Center
Identity appliance
Ideally, the self-signed certificate should be replaced immediately after the appliance is deployed and before SSO is instantiated or solutions registered. SSO uses the configured SSL certificate to establish trust with the subsequent registration of solution components. Performing this as a first step avoids potential issues and re-registration.
Generate the private key and CSR on a system with OpenSSL installed. Combine the resulting signed PEM-formatted certificate with the issuing and root CA certificates and import it through the appliance web UI with the PEM-formatted private key.
vCAC appliance
Generate the private key and CSR on a system with OpenSSL installed. Combine the resulting signed PEM-formatted certificate with the issuing and root CA certificates and import it through the appliance web UI with the PEM-formatted private key.
Infrastructure as a service (IaaS)
VMware recommends using a domain certificate for vCAC that can be requested using the IIS management console, and the request is then submitted to the issuing CA. You can also generate a CSR from the IIS management console if you want to include subjectAltName attributes. When the certificate is issued, use the IIS management console to install it and configure the binding on port 443 to use the trusted certificate. This is repeated on all vCAC components using IIS. When the certificate is replaced, re-register the IaaS endpoints to vCAC.
VMware NSX for vSphere
Generate a private key and CSR using OpenSSL that can be submitted to the issuing CA. The resulting signed certificate is combined with the private key and CA chain and converted to a PKCS#12 keystore. The keystore is then imported using the SSL Certificates configuration page through the Manage Appliance Settings UI in NSX Manager.
VMware vSphere ESXi
Generate a PEM-formatted private key and CSR for each ESXi host on a system with OpenSSL installed. Place the host in maintenance mode and transfer the private key and signed PEM-formatted certificate. Reboot the ESXi host for the new certificate to take effect.
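The OpenSSL steps that the vCAC, NSX and ESXi sections above share (a PEM private key and CSR carrying subjectAltName entries, the signed certificate combined with the issuing and root CA certificates, and a PKCS#12 keystore for NSX Manager), as an added example that is not from the EMC guide or from any VMware tool. The host names, the IP address 192.0.2.10, the organization name, the keystore password and the two-tier lab CA that signs the request here (`make_lab_ca`) are all constructed for the example; in a real deployment the CSR is submitted to the enterprise issuing CA instead.

```shell
#!/bin/sh
# Added example (not from the EMC guide): key + CSR with SAN entries, signature
# by a constructed lab CA, PEM bundle and PKCS#12 keystore. All names,
# addresses and passwords below are constructed for the example.
set -eu

# 1. Private key and CSR. $1 = work dir, $2 = common name,
#    $3 = SAN list in OpenSSL syntax, e.g. "DNS:host.example.com,DNS:host,IP:192.0.2.10".
make_key_and_csr() {
    dir=$1; cn=$2; san=$3
    mkdir -p "$dir"
    cat > "$dir/server.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
req_extensions = v3_req
[ dn ]
CN = $cn
O = Example Org
[ v3_req ]
subjectAltName = $san
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/server.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
}

# Constructed two-tier lab CA (root -> issuing) so the example runs offline.
# In production this step is replaced by submitting server.csr to the enterprise issuing CA.
make_lab_ca() {
    dir=$1
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[ dn ]
CN = Lab Root CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -config "$dir/ca.cnf" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$dir/ca.cnf" \
        -subj "/CN=Lab Issuing CA" -keyout "$dir/issuing.key" -out "$dir/issuing.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$dir/issuing.csr" -CA "$dir/root.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -extfile "$dir/ca.cnf" -extensions v3_ca \
        -out "$dir/issuing.pem" 2>/dev/null
}

# 2. Sign the server CSR, carrying the SAN/keyUsage/EKU extensions from server.cnf
#    (a CA that ignores requested extensions would otherwise drop the SAN list).
sign_with_lab_ca() {
    dir=$1
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" -CA "$dir/issuing.pem" \
        -CAkey "$dir/issuing.key" -CAcreateserial -extfile "$dir/server.cnf" \
        -extensions v3_req -out "$dir/server.pem" 2>/dev/null
}

# 3. Deliverables: server-chain.pem (server + issuing + root, uploaded with
#    server.key through the appliance web UI) and server.p12 (for NSX Manager).
build_bundle() {
    dir=$1
    cat "$dir/issuing.pem" "$dir/root.pem" > "$dir/ca-chain.pem"
    cat "$dir/server.pem" "$dir/ca-chain.pem" > "$dir/server-chain.pem"
    openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.pem" \
        -certfile "$dir/ca-chain.pem" -name server -passout pass:changeit \
        -out "$dir/server.p12"
}

# Checks worth running before uploading anything.
verify_chain() {      # exit 0 only if server.pem chains to root.pem via issuing.pem
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/issuing.pem" "$1/server.pem" >/dev/null
}
csr_has_san() {       # $2 as printed by openssl, e.g. "DNS:host" or "IP Address:192.0.2.10"
    openssl req -in "$1/server.csr" -noout -text | grep -q "$2"
}
key_matches_cert() {  # the public key in the certificate must match the private key
    [ "$(openssl x509 -in "$1/server.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server.key" -pubout)" ]
}
```

Run the functions in order (`make_key_and_csr`, then the CA step, `sign_with_lab_ca`, `build_bundle`) and keep the three checks: a CSR whose SAN list was silently dropped by the CA, or a certificate that does not match the key on the appliance, are the two most common reasons a replacement "succeeds" in the UI but fails in the browser. Note that OpenSSL 3 writes PKCS#12 files with AES and PBKDF2 by default; an older Java-based appliance that rejects the keystore can usually read one produced with the `-legacy` option of `openssl pkcs12` instead.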
Before you can create a certificate-signing request, you must delete the default tomcat alias from the keystore and generate a new key with the server-specific data. When this is done, and the CSR is created and submitted to the issuing CA, import the root CA, issuing CA, and trusted certificates into the keystore using the root, intermediate, and tomcat aliases respectively. Restart the ems and dtlt services for the changes to take effect.
EMC Data Protection Advisor
The Data Protection Advisor (DPA) application server provides a management web interface that uses a self-signed digital certificate for identification and encryption. To use a certificate that is signed by your own CA, create a certificate-signing request using the DPA-installed Java keytool utility and submit it to the issuing CA. You must also install the root and issuing chain certificates to the Java cacerts keystore. When it is issued, import the signed Base64-encoded X.509 certificate into the cacerts keystore and restart the application server.
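The keytool sequence that the tomcat-keystore paragraph and the DPA section above describe (delete the default tomcat alias, generate a new key with the server data, create the CSR, then import the root, issuing and server certificates under the root, intermediate and tomcat aliases, and load the CA chain into a trust store such as cacerts), as an added example that is not from the EMC guide or from the DPA product. It signs the CSR with a constructed lab CA built with `keytool -gencert` so it runs offline; the keystore file names, the password `changeit`, the host name and the organization are assumptions, and the product's own keystore path and password should be used in practice.

```shell
#!/bin/sh
# Added example (not from the EMC guide): keytool workflow against a constructed
# lab CA (root -> issuing). File names, password and host names are assumptions.
set -eu
PASS=changeit

# Constructed lab CA in ca.jks. In production the CSR goes to the enterprise issuing CA.
make_keytool_lab_ca() {
    dir=$1
    keytool -genkeypair -keystore "$dir/ca.jks" -storepass "$PASS" -keypass "$PASS" \
        -alias labroot -dname "CN=Lab Root CA" -keyalg RSA -keysize 2048 -validity 365 -ext bc:c
    keytool -genkeypair -keystore "$dir/ca.jks" -storepass "$PASS" -keypass "$PASS" \
        -alias labissuing -dname "CN=Lab Issuing CA" -keyalg RSA -keysize 2048 -validity 365
    keytool -certreq -keystore "$dir/ca.jks" -storepass "$PASS" -alias labissuing \
        -file "$dir/issuing.csr"
    keytool -gencert -keystore "$dir/ca.jks" -storepass "$PASS" -alias labroot \
        -infile "$dir/issuing.csr" -outfile "$dir/issuing.cer" -rfc -validity 365 -ext bc:c
    keytool -importcert -keystore "$dir/ca.jks" -storepass "$PASS" -alias labissuing \
        -file "$dir/issuing.cer" -noprompt
    keytool -exportcert -keystore "$dir/ca.jks" -storepass "$PASS" -alias labroot \
        -file "$dir/root.cer" -rfc
}

# The steps from the guide. $1 = work dir, $2 = server FQDN.
prepare_tomcat_keystore() {
    dir=$1; fqdn=$2; ks=$dir/keystore.jks
    # Stand-in for the product keystore with its default self-signed 'tomcat' entry.
    keytool -genkeypair -keystore "$ks" -storepass "$PASS" -keypass "$PASS" -alias tomcat \
        -dname "CN=localhost" -keyalg RSA -keysize 2048 -validity 365
    # Delete the default tomcat alias ...
    keytool -delete -keystore "$ks" -storepass "$PASS" -alias tomcat
    # ... generate a new key with the server-specific data ...
    keytool -genkeypair -keystore "$ks" -storepass "$PASS" -keypass "$PASS" -alias tomcat \
        -dname "CN=$fqdn, O=Example Org" -keyalg RSA -keysize 2048 -validity 365
    # ... and create the CSR that is submitted to the issuing CA.
    keytool -certreq -keystore "$ks" -storepass "$PASS" -alias tomcat -file "$dir/server.csr"
}

# Lab CA signs the CSR (stand-in for the enterprise CA); SAN and EKU are set by the CA.
sign_with_keytool_lab_ca() {
    dir=$1; fqdn=$2
    keytool -gencert -keystore "$dir/ca.jks" -storepass "$PASS" -alias labissuing \
        -infile "$dir/server.csr" -outfile "$dir/server.cer" -rfc -validity 365 \
        -ext "san=dns:$fqdn" -ext eku=serverAuth
}

# Import the CA chain under the root and intermediate aliases. Pointed at the JRE
# cacerts file, the same function covers the DPA trust-store step.
import_ca_chain() {   # $1 = keystore, $2 = dir holding root.cer and issuing.cer
    keytool -importcert -keystore "$1" -storepass "$PASS" -alias root \
        -file "$2/root.cer" -noprompt
    keytool -importcert -keystore "$1" -storepass "$PASS" -alias intermediate \
        -file "$2/issuing.cer" -noprompt
}

# Import the signed certificate as the reply for the tomcat key entry; keytool
# validates it against the CA certificates already in the keystore.
import_server_reply() {   # $1 = keystore, $2 = dir holding server.cer
    keytool -importcert -keystore "$1" -storepass "$PASS" -alias tomcat \
        -file "$2/server.cer" -noprompt
}

# Check: the tomcat entry must now carry a 3-certificate chain (server, issuing, root).
tomcat_chain_length() {
    keytool -list -v -keystore "$1" -storepass "$PASS" -alias tomcat \
        | sed -n 's/^Certificate chain length: *//p'
}
```

The order matters: import the root and intermediate certificates before the server reply, otherwise keytool cannot build the chain and either refuses the reply or, with `-noprompt`, installs an incomplete one. For the DPA trust store, run `import_ca_chain` against the JRE's cacerts file (the JDK ships it with the well-known default password `changeit`), then restart the application server as the guide describes.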
EMC Unisphere
Unisphere for VMAX
EMC Solutions Enabler must be deployed in your environment to manage an EMC VMAX array. In addition, to encrypt the management traffic, replace the default SSL certificate that is installed when Solutions Enabler is deployed.
For this solution, we installed Unisphere for VMAX on the same system on which Solutions Enabler was installed. This can be installed on a separate system and connected to the SYMAPI interface of Solutions Enabler over the network using SSL connections.
Notes:
The common name must contain storsrvd, followed by a space and the FQDN, as detailed in the EMC Solutions Enabler Version 7.5 Security Configuration Guide. We have also supplemented this with Subject Alternative Name values for the FQDN, short name, and IP address.
Additional security features can be set based on your governing rules or regulations for security compliance. For more information, refer to the Client/Server security settings section in the EMC Solutions Enabler Version 7.5 Installation Guide.
VNX Unisphere—Storage processor
The configuration must meet a number of conditions for this process to work correctly:
Common name (domain name) must be the storage processor hostname, not FQDN.
Common name (alias) must be blank.
Both the common name (domain name) and common name (IPv4) must be populated.