HP Integrity Virtual Machines Manager Version 4.0 Getting Started Guide > Chapter 2 Installing VM Manager

Setting Security Credentials


To display the full range of data about each virtual machine in VM Manager, you must have WBEM-recognized credentials for each virtual machine. A user name and password are required to collect resource utilization and other data, such as the status of the installed operating system. This data is available only from a WBEM provider on the VM Host or virtual machine. The WBEM providers are the tools used to gather data about the virtual machine and the VM Host. The user interface uses this information to show various kinds of system status.

You can set credentials by specifying a default user name and password combination for any or all virtual machines. You can also override the default user name or password on a case-by-case basis.

NOTE:
  • For a given virtual machine, if no user name or password is specified, the default is used.

  • If a password is specified but a user name is not, the default user name is used with the password override. This allows a system administrator to use the same user name but different passwords for each virtual machine.

When running VM Manager through VSE Management Software under HP SIM, HP SIM is responsible for managing the credentials needed for using WBEM providers on the VM Host and on virtual machines. When running VM Manager under HP SMH, HP SMH manages credentials and access for the VM Host on which HP SMH is running; credentials for each virtual machine are managed by VM Manager.

The method for setting WBEM credentials depends on whether you are using HP SIM or HP SMH.

Setting WBEM Credentials in HP SIM

Any virtual machines that are not managed nodes do not have any credentials available, and VM Manager cannot contact them. These machines are displayed, but some of the information that can be gathered from the managed nodes is not displayed for non-managed nodes.

You can set credentials in HP SIM for a global configuration across multiple systems by selecting Options->Protocol Settings->Global Protocol Settings...; for a single managed node, set credentials by selecting Options->Protocol Settings->System Protocol Settings.... VM Manager requires that the proper WBEM credentials (a valid user name and password) be set in those option pages. Without WBEM, the Virtualization Manager and HP Capacity Advisor functionality will not be available; only HP Global Workload Manager (gWLM) is functional.

With HP SIM, you can set the credentials when you first launch HP SIM after installation by using the HP SIM First Time Wizard. For information about setting credentials, see the HP VSE Management Software Version 4.1 Installation and Update Guide for HP-UX.

Setting WBEM Credentials in HP SMH

You must set WBEM credentials for virtual machines in HP SMH. This allows VM Manager to collect utilization data and operating system information on the virtual machine. Stored credentials are specific to the user logged in to HP SMH. Two users who are logged in with different user names do not share credentials.

When you log in to SMH without having already set the WBEM credentials and saved them in the file system, the Set WBEM Credentials for Virtual Machines page is displayed. When you create a new virtual machine, you must add credentials for that virtual machine by selecting Modify->WBEM Credentials... from the VM Manager menu bar, which displays the same page. Figure 2-1 shows an example of the Set WBEM Credentials for Virtual Machines page.

Figure 2-1 HP SMH: Set WBEM Credentials Page

On this page, you can set one user name and password combination for all virtual machines, or you can set them individually for one or more virtual machines. If you set the credentials for some but not all of the individual systems, VM Manager does not collect utilization data and operating system information for the excluded systems.

You can also save the user name and password entries in obscured format in the file system. This allows you to use the same setting each time you enter VM Manager through HP SMH. To save these entries, select the Save user name and password settings in the file system check box, and then click OK. This information is obfuscated before being stored.

If you do not want to provide this security information for the current session, click Cancel. VM Manager continues without collecting this data. If you do not want to provide this additional data for subsequent uses of VM Manager, and you do not want to be prompted for it on each entry into VM Manager, make sure all entries on the page are blank, select the check box to save the credentials to file, and click OK. Empty credentials are stored, and this prevents the WBEM credentials page from being displayed on subsequent entries into VM Manager.

If you require the additional security provided by certificate validation, you can turn on SSL certificate validation by checking the Require trusted certificates check box. If this box is checked, you must store the valid certificates for the virtual machines in a keystore on the VM Host to indicate that connections to those virtual machines are trusted; otherwise, some information is not displayed by VM Manager. For example, if a certificate is missing, utilization meters are labeled No Data. For more information about trusted certificates and how to store them in a keystore on the VM Host, see “Trusted Certificates”.

You can use the basic features of the HP SMH version of VM Manager without exposing user credentials or configuration data on the local network. In this case, you see a subset of the potential information that the VM Manager can display. To have all data displayed, the following steps are required.

NOTE: Displaying all the information about the virtual machines' configuration exposes the credentials of a connecting user.

  1. Create a nonlogin, nonprivileged account on each virtual machine to which VM Manager might connect and whose credentials can be intercepted on the network. Although these credentials are restricted to nonlogin capabilities, they can also be used to gain access to other data or actions available using WBEM and other nonlogin services, including those from additional providers that are registered on the system.

  2. Optional, for additional security: If local policy is to avoid exposure of any account credentials on your network, or if you do not want to expose the virtual machine configuration data, then configure an SSH or IPSec tunnel from the VM Host system to each virtual machine for port 5989 (HP WBEM Services).

The following types of information require credentials for each virtual machine for which information is to be gathered:

  • Operating System: If the required credentials are not set for a virtual machine, VM Manager cannot contact the machine. VM Manager displays the expected operating system (if the operating system was set during configuration of the virtual machine, or if the guest operating system on the virtual machine has been booted). If the credentials are set and the virtual machine is running with the proper provider, VM Manager displays the operating system and version number.

  • Utilization: If the required credentials are not set for a virtual machine, the utilization meters for virtual machine-specific items are dimmed. (Meters specific to a virtual machine are located on such VM Manager pages as the VM Host Virtual Machines tab, the VM Properties Network and VM Properties Storage tabs, and the VM Properties General tab. For more information about these tabs, see Chapter 3.) Meters for the VM Host and host resources are still available if the VM Host's WBEM Utilization provider is running.

    The data is a 5-minute average that is calculated and updated on 5-minute boundaries.

    When a utilization meter is dimmed, a label next to the meter indicates the probable cause. These labels and status indicators are described in “Utilization Meter Status/Error Information”.

    Virtual LAN interface I/O utilization on the VM Properties Network tab: For a virtual machine with invalid credentials, either the No Perm. or No Data label appears next to the meter. The page still displays whatever information is available from the VM Host, such as the status and the bus, device, and function numbers for a virtual LAN interface. For a virtual machine with valid credentials, VM Manager displays I/O utilization data for each virtual LAN interface and for VM aggregated LAN interfaces.

    Virtual storage device I/O utilization on the VM Properties Storage tab: For a virtual machine with invalid credentials, either the No Perm. or No Data label appears next to the meter. The page still displays whatever information is available from the VM Host, such as the virtual device type and the bus, device, and target numbers for the virtual storage device. For a virtual machine with valid credentials, VM Manager displays I/O utilization data for each virtual storage device and for VM aggregated storage interfaces.

  • Virtual LAN (VLAN) interface name and status on the Network tab: This status is displayed for a virtual machine with valid credentials. With invalid credentials, the LAN status and utilization are reported as unknown, although the page might still display whatever information is available, for example, the bus, dev, or fcn number for the VLAN interface.

To change the WBEM credentials settings for virtual machines, return to the Set WBEM Credentials for Virtual Machines page by selecting Modify->WBEM Credentials.... You do not need to select a virtual machine before setting credentials.

IMPORTANT: After you enter the data, save it by clicking OK. Otherwise, the data is cleared when the session ends.

Trusted Certificates

If you require the additional security provided by certificate validation, you can turn on SSL certificate validation by selecting the Require trusted certificates check box on the VM Manager Set WBEM Credentials for Virtual Machines page. With this setting turned on, the client Certificate Trust Store must include the server certificates from the virtual machines; otherwise, VM Manager cannot obtain certain information from the virtual machines. If your environment does not require the additional security provided by certificate validation, you can leave certificate validation turned off.

To enable SSL certificate validation in VM Manager, you must export the server certificates from the WBEM services providers on the virtual machines, and import those certificates into the keystore on the VM Host where VM Manager is running. This keystore is shared between Partition Manager and VM Manager. Certificates in this keystore are trusted by both Partition Manager and VM Manager.

To get the certificate file from the WBEM services provider, follow these steps:

  1. Locate the WBEM services provider certificate file (cert.pem) on the virtual machine to which you want to connect. To find the correct file, open the WBEM services provider configuration file, which can be found in the following locations:

    • For Windows:

      %PEGASUS_HOME%\cimserver_current.conf

    • For HP-UX:

      $PEGASUS_HOME/cimserver_current.conf

      (The default value for PEGASUS_HOME on HP-UX is /var/opt/wbem.)

    The location of the server certificate file is configured by the sslCertificateFilePath setting. If this value is not set in the configuration file, the default values are as follows:

    • For Windows:

      %PEGASUS_HOME%\server.pem

    • For HP-UX:

      /etc/opt/hp/sslshare/cert.pem

  2. Copy the certificate file (cert.pem or server.pem) to the VM Host where VM Manager is running.

    NOTE: Copy the certificate file to a temporary directory (not to the sslshare directory) on the VM Host. Do not overwrite the existing cert.pem or server.pem file in the sslshare directory on the VM Host.

  3. To import the certificate file, enter the following command on the VM Host:

    $JAVA_HOME/bin/keytool -import -alias server_hostname \
    -file cert.pem \
    -keystore /etc/opt/hp/sslshare/parmgr.keystore
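
The three steps above can be scripted so that a certificate altered during the copy in step 2 is never trusted. The following is an added example, not part of the HP guide: it reads sslCertificateFilePath with the documented default as fallback, and imports the copied file only when its SHA-256 fingerprint matches the one read on the virtual machine. The function names, the name=value layout of cimserver_current.conf, the availability of openssl, and the host name and /tmp path in the usage comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the HP guide. Assumptions: cimserver_current.conf
# holds name=value lines, and openssl is installed where this runs.
# Function names are hypothetical.

# Print the certificate path set by sslCertificateFilePath in the given
# configuration file, or the supplied default when the setting is absent.
wbem_cert_path() {
    conf=$1
    default=$2
    value=$(sed -n 's/^[[:space:]]*sslCertificateFilePath[[:space:]]*=[[:space:]]*//p' \
                "$conf" 2>/dev/null | sed 's/[[:space:]]*$//' | tail -n 1)
    printf '%s\n' "${value:-$default}"
}

# Reduce "SHA256 Fingerprint=AB:CD:..." or "ab:cd:..." to bare uppercase hex
# so that fingerprints taken on two systems compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'abcdef' 'ABCDEF'
}

# Import a copied certificate into the shared keystore only if its SHA-256
# fingerprint matches the one read on the virtual machine itself.
import_vm_cert() {
    cert=$1
    alias_name=$2
    expected=$3
    keystore=${4:-/etc/opt/hp/sslshare/parmgr.keystore}
    actual=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 2
    if [ "$(normalize_fp "$actual")" != "$(normalize_fp "$expected")" ]; then
        echo "fingerprint mismatch for $alias_name: certificate not imported" >&2
        return 1
    fi
    "$JAVA_HOME/bin/keytool" -import -alias "$alias_name" \
        -file "$cert" -keystore "$keystore"
}

# On the HP-UX virtual machine:
#   cert=$(wbem_cert_path /var/opt/wbem/cimserver_current.conf /etc/opt/hp/sslshare/cert.pem)
#   openssl x509 -in "$cert" -noout -fingerprint -sha256
# On the VM Host, after copying the file to a temporary directory:
#   import_vm_cert /tmp/vm1/cert.pem vm1.example.com "<fingerprint read on the VM>"
```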

Discovering Data When Setting New WBEM Credentials

When you set new WBEM credentials from the VM Manager Modify menu and click OK, the page to which you return is updated using the new credentials. However, especially when VM Manager must retrieve data from a large number of virtual machines, some of the data might not yet be updated when the page displays in full (instead, the old data is still displayed). With the exception of data displayed by utilization meters, the new data (such as the virtual machine guest OS version) is not seen until the page refreshes again. The utilization meters update immediately after VM Manager retrieves the utilization data; refreshing the page is not required for updating that data.

© 2006–2009 Hewlett-Packard Development Company, L.P.