vFabric AppInsight Security Reference


vFabric AppInsight 5.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001059-00

You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/

The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: docfeedback@vmware.com

Copyright 2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

2 VMware, Inc.

Contents

1 AppInsight Security 5
2 vFabric AppInsight Security Reference 7
    Protecting Security-Relevant Configuration Files 7
    Required Open Ports for AppInsight 10
    vFabric AppInsight Log Files 11
Index 13


1 AppInsight Security

VMware vFabric AppInsight Security provides a concise reference to the security features of vFabric AppInsight:

- Configuration options and settings that have security implications.
- Resources that must be protected, such as security-relevant configuration files and passwords, and the recommended access controls for secure operation.
- Location of log files and their purpose.
- External interfaces, ports, and services that must be open or enabled for the correct operation of VMware AppInsight.

This information is intended for IT decision makers, architects, administrators, and others who must familiarize themselves with the security components of vFabric AppInsight.


2 vFabric AppInsight Security Reference

When you are configuring a secure AppInsight environment, you can change settings and make adjustments in several areas to protect your systems.

Protecting Security-Relevant Configuration Files on page 7
    You can make security changes in AppInsight server and code agent configuration files to control access to security operations. You can also upgrade the encryption algorithm.

Required Open Ports for AppInsight on page 10
    You must have the following open ports for the AppInsight server virtual machine and the network probe.

vFabric AppInsight Log Files on page 11
    AppInsight software creates log files that record the installation and operation of its components.

Protecting Security-Relevant Configuration Files

You can make security changes in AppInsight server and code agent configuration files to control access to security operations. You can also upgrade the encryption algorithm.

Upgrading Encryption Algorithms on page 7
    It is good practice to use the strongest algorithms to protect your data. You can use this procedure to update the algorithms for the AppInsight server and network probe.

Changing Code Agent Security Settings on page 8
    Use this procedure to make changes to security settings such as passwords and access control for security operations related to the code agent.

Changing AppInsight Security Settings on page 9
    Use this procedure to make changes to security settings such as passwords and access control for security operations related to AppInsight.

Upgrading Encryption Algorithms

It is good practice to use the strongest algorithms to protect your data. You can use this procedure to update the algorithms for the AppInsight server and network probe.

You reference the algorithm in the AppInsight server and the network probe, then create a key in the server.

Procedure

1. In the console, open conmanage.py.
2. Type stop_appinsight to stop the AppInsight server, then quit to exit the configuration manager.
3. At the command prompt, type cd /etc/openvpn to open the OpenVPN directory.
4. Open the appropriate configuration file.

       Command          Description
       vi server.conf   Open the AppInsight server configuration file.
       vi client.conf   Open the network probe configuration file.

5. Add the following properties to the file.

       Property   Value
       cipher     AES-128-CBC
       auth       SHA512

6. In AppInsight server, locate dh1024.pem and change it to dh2048.pem. For example, dh /usr/share/openvpn/easy-rsa/2.0/keys/dh1024.pem changes to dh /usr/share/openvpn/easy-rsa/2.0/keys/dh2048.pem.
7. Save the file and exit.
8. In AppInsight server, register the key for the algorithm.
   a. Type cd /usr/share/openvpn/easy-rsa/2.0.
   b. Type . vars to source the easy-rsa variables.
   c. Type export KEY_SIZE=2048.
   d. Type ./build-dh.
   e. Verify that the key file /usr/share/openvpn/easy-rsa/2.0/keys/dh2048.pem is created.
9. Type service openvpn restart to restart the service.
10. Open conmanage.py.
11. Type stop_appinsight to stop the AppInsight server, then quit to exit the configuration manager.

Changing Code Agent Security Settings

Use this procedure to make changes to security settings such as passwords and access control for security operations related to the code agent. You make changes in the insight.properties file.

Prerequisites

You must have application owner user privileges with read/write permissions for the file.

Procedure

1. Open the console and access the configuration directory.

       Operating System   Command
       Unix/Linux         cd server install path/insight/conf
       Windows            cd server install path\insight\conf

2. Change the owner.

       Operating System   Command
       Unix/Linux         chown owner user[:group] insight.properties
       Windows            icacls insight.properties /setowner owner user

3. For Linux or Unix users, type chmod 600 insight.properties to set owner-only permissions.
4. For Windows users, type icacls insight.properties /inheritance:d to revoke any inherited permissions.
5. For Windows users, type icacls insight.properties /remove:g user name to revoke all permissions granted to another user with access to this file. You can type icacls insight.properties to view a list of all users who have permissions on this file.

Changing AppInsight Security Settings

Use this procedure to make changes to security settings such as passwords and access control for security operations related to AppInsight. You make changes in the files listed in AppInsight Virtual Appliance Files that Store Passwords, on page 10.

Prerequisites

You must have application owner user privileges with read/write permissions for the file.

Procedure

1. Open the console and type cd server install path/insight/file.name to access the configuration directory.
2. Type chown owner user[:group] file.name to change the owner.
3. Type chmod 600 file.name to set owner-only permissions.

Example: Changing Permissions in rabbitmq.config

This example increases security by changing the owner and permissions in rabbitmq.config. (The first command changes into the directory that holds the file; cd cannot be applied to the file itself.)

    cd /etc/rabbitmq
    chown rabbitmq rabbitmq.config
    chmod 600 rabbitmq.config
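The procedures above change one file at a time. As an added example that is not part of the VMware document, the POSIX shell script below audits every file listed in Tables 2-1 to 2-3 on page 10 against the owner and permission the tables require and reports each deviation; it assumes GNU stat, as found on the Linux-based appliance.

```shell
#!/bin/sh
# Added example (not part of the VMware document): audit the owner and mode
# that Tables 2-1 to 2-3 require for AppInsight files holding clear-text
# passwords. Assumes GNU coreutils stat, as on the Linux-based appliance.

# "path owner mode" triples, copied from Tables 2-1, 2-2 and 2-3.
APPINSIGHT_SECRET_FILES='
/etc/rabbitmq/rabbitmq.config rabbitmq 600
/opt/vmware/apm/conf/am-amqp-configuration.properties root 600
/opt/vmware/appinsight/metric-store/conf/metric-inserter.properties root 600
/var/setup-conductor/cfg/amqp.cxml root 600
/opt/vmware/apm/conf/am-db.properties root 600
/opt/vmware/appinsight/metric-store/conf/metric-store-persister.properties root 600
/opt/vmware/apm/conf/am-common-ssl.properties root 600
'

# check_file_perms PATH OWNER MODE: 0 = compliant, 1 = owner or mode
# deviates, 2 = PATH does not exist. Mode must match exactly (e.g. 600).
check_file_perms() {
    path=$1 want_owner=$2 want_mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING  $path"
        return 2
    fi
    have_owner=$(stat -c '%U' "$path")
    have_mode=$(stat -c '%a' "$path")
    if [ "$have_owner" = "$want_owner" ] && [ "$have_mode" = "$want_mode" ]; then
        echo "OK       $path ($have_owner $have_mode)"
        return 0
    fi
    echo "DEVIATES $path (is $have_owner $have_mode, want $want_owner $want_mode)"
    return 1
}

# audit_appinsight_files: check every table entry; returns 0 only if all
# comply. A here-document (not a pipe) keeps the loop in this shell so rc survives.
audit_appinsight_files() {
    rc=0
    while read -r path owner mode; do
        [ -n "$path" ] || continue
        check_file_perms "$path" "$owner" "$mode" || rc=1
    done <<EOF
$APPINSIGHT_SECRET_FILES
EOF
    return $rc
}

# Run the audit when invoked with --run; exits non-zero on any deviation.
if [ "${1:-}" = "--run" ]; then
    audit_appinsight_files
    exit $?
fi
```

A missing file is reported separately from a permission deviation, because on this appliance an absent password file usually means the component is not installed rather than misconfigured.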

AppInsight Virtual Appliance Files that Store Passwords

To maximize security, VMware recommends that the following owner and permission settings are applied.

RabbitMQ

For RabbitMQ, change the following owner and permission settings.

Table 2-1. RabbitMQ Files that Store Passwords in Clear Text

    Filename                                                              Required Owner   Required Permission
    /etc/rabbitmq/rabbitmq.config                                         rabbitmq         600
    /opt/vmware/apm/conf/am-amqp-configuration.properties                 root             600
    /opt/vmware/appinsight/metric-store/conf/metric-inserter.properties   root             600
    /var/setup-conductor/cfg/amqp.cxml                                    root             600

Postgres

For Postgres, change the following owner and permission settings.

Table 2-2. Postgres Files that Store Passwords in Clear Text

    Filename                                                                      Required Owner   Required Permission
    /opt/vmware/apm/conf/am-db.properties                                         root             600
    /opt/vmware/appinsight/metric-store/conf/metric-store-persister.properties   root             600

Truststore

For Truststore, change the following owner and permission settings.

Table 2-3. Truststore Files that Store Passwords in Clear Text

    Filename                                          Required Owner   Required Permission
    /opt/vmware/apm/conf/am-common-ssl.properties     root             600

Required Open Ports for AppInsight

You must have the following open ports for the AppInsight server virtual machine and the network probe.

Table 2-4. Open Ports Requirement for AppInsight

    Name                Port Number   Protocol   Usage
    DNS                 53            UDP        DNS
    NTP                 123           UDP        Time Server
    OpenVPN             1194          UDP, TCP   OpenVPN
    HTTP                80            TCP        HTTP
    ATM_TC_SERVER_SSL   8443          TCP        tcserver SSL Connector
    RABBIT              5671          TCP        RabbitMQ
    INSIGHT             21234         TCP        Code Agent

vFabric AppInsight Log Files

AppInsight software creates log files that record the installation and operation of its components.

NOTE AppInsight log files are intended for use by VMware Support.

Table 2-5. vFabric AppInsight Log Files

    AppInsight Component            File Path
    AppInsight metrics server       /opt/vmware/appinsight/metric-store/metric-store-tcserver-instance/logs
    AppInsight application server   /opt/vmware/apm/tcserver-instance/logs
    Code Agent                      /opt/vmware/apm/insight-dashboard/logs
    RabbitMQ                        /var/log/rabbitmq
    Conductor                       /var/conductor/log


Index

A
algorithms, updating 7
appinsight, security settings 9

C
change security settings 7
code agent, security settings 8
config files, protecting security 7

F
files that store clear text passwords 10

L
log files 11

O
open ports requirements 10

P
passwords
    Postgres 10
    RabbitMQ 10
    stored in clear text 10
    Truststore 10
ports 10

S
security settings
    appinsight 9
    code agent 8
