Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/Performance Management - Remote Monitor for Virtual Machine Description, User's Guide and Reference


2.5.1 For VMware

When the virtual environment to be monitored is VMware, you can use SSL#1 to encrypt communications between PFM - RM for Virtual Machine and the virtual environment. To use SSL for communication with a virtual environment, you need to set up VMware with a trusted certificate.

This subsection describes the procedure for installing a trusted certificate. Note that this procedure must be performed for each monitoring target. If the host name of a monitoring target is changed, you must issue a new certificate and re-install it.

#1

The SSL communication protocol that is used is determined by the Internet Options settings of the user account set for HostUserID in the instance environment settings.

To change the settings, log in to the PFM - RM for Virtual Machine host by using the user account set for HostUserID in the instance environment settings. In the Internet Options dialog box, click the Advanced tab, and then change the settings in the Security category. If you do not use SSL 3.0, clear Use SSL 3.0 and select Use TLS 1.0, Use TLS 1.1, and Use TLS 1.2 in the Security category.

Important note

If you choose to operate with the default certificate of VMware ESX 4.0 or later, which is not signed by a CA, the following precautions need to be taken. Make sure that your environment is appropriate, given these precautions. You cannot use the default certificate of VMware ESX 4.0 or later as a trusted certificate, so you do not need procedures (1) through (3) described below.

  • For an environment that cannot communicate with the Windows Update site

    The Update Root Certificates function works for communications that use a certificate. When the Update Root Certificates function verifies the certificate, the function does so by downloading the latest information from the Windows Update site. When the Update Root Certificates function is enabled, if the environment does not allow the host that runs PFM - RM for Virtual Machine to communicate with the Windows Update site, verifying the certificate might take a long time. In this case, modify the network environment so that the Update Root Certificates function can run normally, or change the Windows settings (the security policy settings of the OS) so that the Update Root Certificates function does not communicate with the Windows Update site.

    If certificate verification takes too much time, the KAVL20014-W warning message is output to the common message log and the monitoring cannot be performed.

  • Ignore the KAVL20205-W warning message that is output to the common message log

    A certificate that is not signed by a CA is not a valid certificate and, therefore, the KAVL20205-W warning message is output to the common message log. Make sure that the message can be safely ignored for normal operation.

  • Operation using a certificate that cannot be trusted

    The default certificate of VMware is determined to be a certificate that cannot be trusted by certificate verification. Make sure that a certificate that cannot be trusted does not cause problems that affect operation.

(1) Updating the certificate for VMware ESX

In VMware ESX 4.0 or later, the certificate created by default is not signed by a CA. Replace the default certificate with a CA-signed certificate, by referring to the appropriate VMware documentation (indicated below).

In VMware ESX 3.5, the certificate created by default is signed by a CA. Therefore, you do not need to perform the above operation.

In VMware ESX 4.0:
  • VMware vSphere 4.0 Technical Note

    Replacing vCenter Server Certificates

In VMware ESX 4.1:
  • VMware vSphere 4.1 Technical Note

    Replacing vCenter Server Certificates

In VMware ESX 5:
  • vSphere Security on the vSphere 5 Documentation Center webpage

    Replace a Default Host Certificate with a CA-Signed Certificate

Note:

The documentation names listed above might be changed without prior notice. For the latest information, contact the VMware support center.

(2) How to obtain the certificate

If the version of VMware ESX is 4.0 or later, obtain a CA certificate as described in (1) above.

If the version of VMware ESX is 3.5, obtain a certificate by using the procedure described below.

This subsection explains how to use Internet Explorer 7 to obtain a certificate.

The same procedure can be used with Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, or Internet Explorer 11.

  1. From Internet Explorer 7, access https://vmhost.

    For vmhost, enter the host name of the monitored host. This explanation uses vmhost as an example.

    [Figure]

  2. Click the SSL certificate icon displayed to the right of the address bar.

    The Website Identification pull-down menu is displayed.

    [Figure]

  3. Click View certificates.

    The Certificate dialog box opens.

    [Figure]

  4. Choose the Details tab and click Copy to File.

    The Certificate Export Wizard dialog box opens.

    [Figure]

  5. Click Next.

    [Figure]

  6. Select DER encoded binary X.509 (.CER), and then click Next.

    [Figure]

  7. In the File name text box, enter the file name under which to save the certificate, and then click Next.

    Here, C:\VM_Host.cer is entered as an example.

    [Figure]

  8. Click Finish.

    [Figure]

  9. Click OK.

(3) Importing the default certificate for VMware

After you have prepared a CA certificate for VMware as described in (2) above, import the certificate onto the PFM-VM host. To import the certificate:

  1. In Windows, choose Start and then Run.

    The Run dialog box opens.

    [Figure]

  2. In the Run dialog box, enter mmc and click OK.

    Management Console starts.

    [Figure]

  3. In Console1, choose File and then Add/Remove Snap-in.

    The Add/Remove Snap-in dialog box opens.

    [Figure]

  4. Click Add.

    The Add Standalone Snap-in dialog box opens.

    [Figure]

  5. From Available Standalone Snap-ins, choose Certificates and then click Add.

    The Certificates snap-in dialog box opens.

    [Figure]

  6. Choose Computer account and then click Next.

    The Select Computer dialog box opens.

    [Figure]

  7. Choose Local computer and click Finish.

    [Figure]

  8. In the Add Standalone Snap-in dialog box, click Close.

    [Figure]

  9. In the Add/Remove Snap-in dialog box, click OK.

    [Figure]

  10. In Console1, choose Console Root from the left pane and then Certificates (Local computer).

    [Figure]

  11. In the right pane of Console1, right-click Trusted Root Certification Authorities, and then choose All Tasks and then Import.

    The Certificate Import Wizard dialog box opens.

    [Figure]

  12. Click Next.

    [Figure]

  13. In the File name text box, enter the file name under which the certificate was saved, and then click Next.

    [Figure]

  14. Choose Place all certificates in the following store, and then click Next.

    [Figure]

  15. Click Finish.

    [Figure]

  16. Click OK.

    Important note

    If a problem occurs due to a certificate that has been installed as described in the above procedure, check whether the obtained certificate is valid. Whether the certificate is valid can be determined from the following items:

    • Validity period

    • The host it is issued to (whether the same host name as the name of the host that runs VMware is set)

    If there is a problem with the certificate, re-create a certificate on the VMware side, and then re-install the certificate by using the procedure described above. For details about how to create a certificate, see the VMware documentation.
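The two validity items listed in the important note above can be checked before the certificate is placed in Trusted Root Certification Authorities. The following PowerShell script is an added example, not part of the original manual or of JP1/PFM; the function name Test-VMHostCertificate is hypothetical, and C:\VM_Host.cer and vmhost are the example values used in procedure (2).

```powershell
# Added example: pre-import checks for the certificate exported in procedure (2).
# Test-VMHostCertificate is a hypothetical helper name, not a JP1/PFM command.
function Test-VMHostCertificate {
    param(
        [Parameter(Mandatory)] [string] $Path,      # exported DER-encoded .cer file
        [Parameter(Mandatory)] [string] $HostName   # host name of the monitoring target
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file
    $now  = Get-Date

    # Names the certificate is issued to: the subject's simple name (CN) and
    # the DNS name .NET reports (first DNS entry of the Subject Alternative
    # Name extension, or the CN when that extension is absent).
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]
    $names = @(
        $cert.GetNameInfo($nameType::SimpleName, $false)
        $cert.GetNameInfo($nameType::DnsName, $false)
    ) | Where-Object { $_ } | Select-Object -Unique

    [pscustomobject]@{
        Subject     = $cert.Subject
        Issuer      = $cert.Issuer
        Thumbprint  = $cert.Thumbprint
        NotBefore   = $cert.NotBefore
        NotAfter    = $cert.NotAfter
        # Validity period: the current time must fall inside it.
        InValidity  = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        # Issued-to check: -contains compares strings case-insensitively.
        NameMatches = (@($names) -contains $HostName)
        # Subject equal to issuer means the certificate is not CA-signed,
        # as with the default certificate of VMware ESX 4.0 or later.
        SelfIssued  = ($cert.Subject -eq $cert.Issuer)
    }
}

$result = Test-VMHostCertificate -Path 'C:\VM_Host.cer' -HostName 'vmhost'
$result | Format-List

if (-not ($result.InValidity -and $result.NameMatches)) {
    Write-Warning 'Certificate is expired, not yet valid, or issued to another host name. Re-create it on the VMware side before importing.'
}
if ($result.SelfIssued) {
    Write-Warning 'Certificate is not signed by a CA. See procedure (1).'
}
```

Record the Thumbprint value and compare it with the certificate shown on the VMware host itself, so that the file being trusted is confirmed to be the one the host actually presents.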