A customer recently asked me “How do I replace the ‘external’ SSL certificate of vCenter but still use VMCA in default mode?” Ever curious, I asked “Why?”. His security team required that any “externally” facing management web pages needed to have a custom certificate that chained up to the corporate PKI. But behind that, they were totally cool with using VMCA in default mode (with the self-generated root certificate) for things like ESXi servers and solution users.
Category Archives: Security
It’s time to release the vSphere 6.0 Hardening Guide! As I mentioned back in April, there are a lot of changes that have been made. In talking with customers and auditors in detail for the past year, the conclusion was reached that the Hardening Guide was
- Difficult to understand
- Contained a mix of:
  - Operational Guidance - How you use the product in your environment
  - Programmatic Guidance - What settings should be applied OR audited
Basically, it was NOT easy to implement. And if security is too difficult to implement, people will either not do it or will do it poorly.
If you’ve ever tried to watch a product demo video, or tried to use it to show a product to someone else, often times you find yourself trying to pause the video at the exact right moment, and then having to scrub backwards or forwards because you missed the timing. At VMware we’ve created an alternative way of showing demos, which we call Product Walkthroughs. These are web-based demos that let you walk through a scenario screen-by-screen, at your own pace. Each screen has annotations to explain what’s going on and markups that highlight important parts of the screen, both of which can be turned off if you want a clean view.
Although we have created Product Walkthroughs for numerous products and solutions, the ones I want to focus on are for vSphere 6 and vSphere with Operations Management. Both of these provide a great way to learn about these products and their features at your own pace, as well as to show how something works to your colleagues (or bosses). The one on vSphere 6 highlights the features in this major new release, with sections on:
- vSphere FT (now with ability to protect VMs with up to 4 vCPUs)
- new vMotion capabilities: cross vSwitch, cross vCenter Server, and Long Distance
- Content Library
- vSphere HA VM component protection
The vSphere with Operations Management product walkthrough provides an in-depth look at all the features of its two major components, vSphere and vRealize Operations, including
- Performance and Health Monitoring
- Understanding, Analyzing and Forecasting Capacity
- Resource Management and Optimization
- Security and Compliance
So, check them out and let us know what you think!
Not yet on vSphere 6? Join us for a webcast to learn why you should be. Starting June 2nd, 2015 and recurring every other Tuesday at 9AM, join the vSphere product experts to learn what’s new and exciting about vSphere 6! A different topic will be covered each session and time will be allocated at the end of each webcast for Q&A.
Please always check the latest schedule each week as topics may change and sessions may be added or removed.
Recently I was asked by the vBrownbag community to present on vSphere 6 security. vBrownbag is a community-led podcast series that features online webinars covering various Virtualization and VMware Certification topics, all led by members of the community. It’s an outstanding resource if you are looking to achieve certification or are just in the mood to learn. Read on to see how this webinar went and view it for yourself.
I’m happy to announce that the vSphere 6 Hardening Guide Public Beta 1 is now available.
The guide is being provided as an Excel spreadsheet. I’m also making a PDF doc available for easier viewing. In addition, I've also included an Excel spreadsheet of the guidelines that have moved out of the guide and into documentation. THIS IS INCOMPLETE. We are still working on some of that content. (That's why this is a beta!)
Please read the blog post on the changes that have happened to the guide. There are LOTS of changes, and the blog post explains them.
In vSphere 6.0 we now have a new concept called Exception Users. The intent of Exception Users is that they are not general admin users. I would consider them more of a “Service Account” type of access.
As a matter of fact, just the other day I got an email from someone internal at VMware that brought up a great use case for Exception Users. They were talking to a customer that wanted to access ESXi via a PowerCLI cmdlet (Get-VMHostAccount) to list out the local accounts on an ESXi server as part of their normal security reporting.
But they also wanted to enable Lockdown Mode and were finding it difficult to comply with both things. In vSphere 6.0 this is now much easier to address. Let’s get started.
Lockdown Mode has been around in various forms for many releases. The behaviors have changed a few times since 5.1 with varying levels of usability success. For vSphere 6.0 we are trying to address some of these issues. Personally, what I’d love to see is every customer running 6.0 run at a minimum the “Normal” Lockdown Mode.
With vSphere 6.0 the vCenter Virtual Server Appliance (VCSA) now has a component called the Platform Services Controller (PSC). The PSC handles things like SSO and the License Server and ships with its own Certificate Authority called the VMware Certificate Authority (VMCA). In this blog post we’ll quickly go over some of the modes of VMCA operation and how to download and install the VMCA root certificate into your browser.