Book Image

VMware vCloud Security

Book Image

VMware vCloud Security

Overview of this book

Security is a major concern, in particular now that everything is moving to the cloud. A private cloud is a cloud computing platform built on your own hardware and software. The alternative is to deploy the services you need on a public cloud infrastructure provided by an external supplier such as Amazon Web Services, Rackspace Cloud, or HP Public Cloud. While a public cloud can afford greater flexibility, a private cloud gives you the advantage of greater control over the entire stack. "VMware vCloud Security" focuses on some critical security risks, such as the application level firewall and firewall zone, virus and malware attacks on cloud virtual machines, and data security compliance on any VMware vCloud-based private cloud. Security administrators sometimes deploy its components incorrectly, or sometimes cannot see the broader picture and where the vCloud security products fit in. This book is focused on solving those problems using VMware vCloud and the vCloud Networking and Security product suite, which includes vCloud Networking and Security App, vShield Endpoint, and vCloud Networking and Security Data Security. Ensuring the security and compliance of any applications, especially those that are business critical, is a crucial step in your journey to the cloud. You will be introduced to security roles in VMware vCloud Director, integration of LDAP Servers with vCloud, and security hardening of vCloud Director. We'll then walk through a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. We'll create access control policies based on logical constructs such as VMware vCenter Server containers and VMware vCloud Networking and Security security groups but not just physical constructs, such as IP addresses. You'll learn about the architecture of EPSEC and how to implement it. Finally, we will understand how to define data security policies, run scans, and analyze results.
Table of Contents (13 chapters)
VMware vCloud Security
About the Author
About the Reviewers

vCloud Director installation prerequisites

Even before you start the installation of the vCloud, you should remember that this is a complex system and thus requires proper planning for the installation. If you choose the correct steps and choices, you can save a lot of time during the installation.

For installing vCloud Director, there are lots of prerequisites that have to be in place before you can proceed further. Let us look at those:

  • vCenter Server for the resource cluster should set HA, DRS, and Storage DRS.

  • vCenter Server should trust their ESXi hosts.

  • Use proper vSphere licenses. If you use vSphere Distributed Switch, the Enterprise Plus license is necessary. If not, you need to use the Enterprise license for DRS. For the private or public cloud, the Enterprise Plus license is a must to provide cloud-level scaling.

  • vCloud Networking and Security Manager needs to be installed before installing vCloud. The vCloud Networking and Security Manager can be downloaded as an OVF appliance and can be easily deployed as a VM in your management network. The vCloud Networking and Security Manager manages the vCloud Networking and Security Edge appliances and Virtual Extensible LAN (VXLAN) (software-defined Layer 2 networking) for providing redundancy and isolation of the network inside your cluster. In other components, vShield also provides the Endpoint and Data Security components for your VMs. vCloud Networking and Security Manager should be properly licensed. A basic license for the vCloud Networking and Security is included with vCloud Director 5.1, but it does not include advanced features. If you would like to know more, take a look at this article:

  • VMware strongly recommends that vCenter Server 5.1 and ESXi 5.1 be used with vCloud Director 5.1. Although earlier versions are supported, some features are not available if these earlier versions are used.

  • Check the supported operating system for the vCloud Director cell. vCloud Director Server requires Linux OS. Red Hat Enterprise Linux 5 (64 bit), update 4, 5, or 6 is supported. In addition, Red Hat Enterprise Linux 6 (64 bit), update 1 or 2 is supported.

  • The minimum hardware requirement for a vCloud Director cell requires 950 MB free on disk and 1 GB of memory (RAM). For better performance, 2 GB of RAM is recommended as with 1 GB RAM, it sometimes becomes irresponsive.

  • The minimum Java version required for the cell is Java Runtime Environment (JRE) 1.6.0 update 10 or later. Only the 32-bit version is supported.

  • vCloud Director requires Adobe Flash Player version.

  • The database that will be used by vCloud Director must be created before installing the first vCloud Director cell.

  • Before configuring vCloud Director, you must install security certificates.

  • You must use the JRE keytool command to create your certificate requests.

  • Transfer Server Storage is used as a temporary storage for uploads and downloads. It must be mounted at $VCLOUD_HOME/data/transfer.

  • On the internal networks, only a few ports should be open for vCloud Director servers. See the VMware knowledge base article 1030816 at

For more information, please see the VMware vCloud Director 5.1 Documentation Center at

Preparing for installation

vCloud Director uses both Microsoft SQL Server and Oracle Database. In this section, we will consider SQL Server only. VMware suggests that a database server configured with 16 GB of memory, 100 GB of storage, and four CPUs should be adequate for most vCloud Director clusters.

SQL Server databases have specific configuration requirements when you use them with vCloud Director. Install and configure a database instance, and create the vCloud Director database user account before you install vCloud Director.

The vCloud Director database performance is an important factor in the overall vCloud Director performance and scalability. vCloud Director uses the SQL Server tempdb file when storing large result sets, sorting data, and managing data that is being concurrently read and modified. This file can grow significantly when vCloud Director experiences a heavy concurrent load. It is a good practice to create the tempdb file on a dedicated volume that has fast read/write performance. To do so, follow the given steps:

  1. Create the master instance.

    • The following script creates the database and log files, specifying the proper collation sequence:

      USE [master]
      (NAME = N'vcloud', FILENAME = N'C:\vcloud.mdf', SIZE =
      100MB, FILEGROWTH = 10%)
      LOG ON
      (NAME = N'vcdb_log', FILENAME = N'C:\vcloud.ldf', SIZE =
      1MB, FILEGROWTH = 10%)
      COLLATE Latin1_General_CS_AS
    • The values shown for SIZE are suggestions. You might need to use larger values.

  2. Set the transaction isolation level.

    • The following script sets the database isolation level to READ_COMMITTED_SNAPSHOT:

      USE [vcloud]
  3. Create the vCloud Director database user account.

    • The following script creates the database username vcloud with the password vcloudpas:

      USE [vcloud]
      CREATE LOGIN [vcloud] WITH PASSWORD = 'vcloudpass',
      DEFAULT_DATABASE =[vcloud],
      CREATE USER [vcloud] for LOGIN [vcloud]
  4. Assign permissions to the vCloud Director database user account.

    • The following script assigns the db_owner role to the database user created in step 3:

      USE [vcloud]
      sp_addrolemember [db_owner], [vcloud]

Installing vCloud Director

The vCloud Director installer verifies that the target server meets all the platform prerequisites and installs the vCloud Director software on it. The vCloud Director software is distributed as a digitally signed Linux-executable file named vmware-vcloud-director-5.1.0-nnnnnn.bin, where nnnnnn represents a build number. You should first upload this bin file to the vCloud Director VM. Let's get started:

  1. Log in to the target server using SSH as the root user.

  2. Change the folder where you have uploaded the bin file with the following command:

    # cd <Path>
  3. Enable the installation file for execution as this installation file requires permission to execute:

    # chmod u + x installation-file
  4. Run the installation file:

    # ./vmware-vcloud-director-5.1.0-810718.bin
  5. After the software is installed, the installer prompts you to run the configuration script, which configures the server's network and database connections.

  6. For the question Would you like to run the script now (y/n)?, answer n. We will first need to create the SSL certificates for vCloud Director 5.1.

At this time, we need to create the SSL/TLSv1 certificates. Cloud computing has become one of the hottest technologies today. It is being used by service providers and enterprises alike. As more and more people have been accessing cloud services via the Internet or within their corporate environments, traffic passing through the cloud has multiplied. Along with this growth and proliferation have come heightened security risks and resulting attacks to the information being shared. Security has become a paramount concern, because authenticity, confidentiality, and integrity of the information are vital and must be guaranteed.

Network security leverages numerous techniques to aid in the protection of transmitted information. Traditionally, it relies on the principles of cryptology to provide the foundation of security. This involves the conversion of information into an incomprehensible form factor that is usable only to selected recipients capable of transforming the information back into a usable form. Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) are cryptographic protocols commonly used today to aid in network security.

Complex infrastructures such as cloud computing involve multiple connections between various hosts and external communication channels. The use of TLSv1/SSL certificates is an important tool to encrypt those connections to provide data privacy.

TLSv1/SSL certificates also provide for two-way authentication. This enables a host to validate that it is connected to the intended recipient. This decreases the ability of an imposter to intercept the information transmitted.

vCloud Director requires SSL to secure communications between clients and servers. Before you install and configure a vCloud Director Server group, you must create two certificates for each member of the group and import the certificates into the host keystores. This certificate installation requires that you create a Java keystore file using the keytool utility for certificate installation. The resulting keystore file will contain two SSL certificates along with the necessary certificates.

Each vCloud Director Server that you intend to use in a vCloud Director cluster requires two SSL certificates we just mentioned, one for each of its IP addresses. Self-signed certificates can provide a convenient way to configure SSL for vCloud Director in environments where trust concerns are minimal.


Each vCloud Director Server requires two SSL certificates, one for each of its IP addresses, in a Java keystore file. The vCloud Director installer places a copy of a keytool in /opt/vmware/vcloud-director/jre/bin/keytool.

The console proxy and the HTTP alias use the same hierarchy of certificates. Because this one keystore file contains both certificates, you can use this single file wherever it is needed after it has been created.


Because this file contains private keys and is protected by a single password, it is strongly recommended that you do not keep copies of this file in unsecured locations. You should maintain a copy of a keystore file only where absolutely needed.


Before beginning the procedures, the following prerequisites must be fulfilled:

  • Obtain the IP addresses for the vCloud Director Server and the fully qualified domain name (FQDN) for each. The configured IP addresses on the vCloud Director host can be identified through the use of the ifconfig –a command. The FQDN for the IP addresses can be displayed using the nslookup_<ip address> command, where <ip address> equates to a configured IP address.

    Note the FQDN names for each IP address because this name will be used for the HTTP server and console proxy service SSL certificates. Noting the IP addresses will assist in the installation of the SSL certificate.

  • Access the keytool utility. This utility is installed with vCloud Director by default. It is possible to use the keytool utility on another computer that has the Java Runtime Environment (JRE) version 6 or later installed, and then import the created Java keystore file onto your vCloud Director Server.

This assumes you are using the keytool installed on your vCloud Director Server as in the following example:

  1. Create an untrusted certificate for the HTTP service:

     # /opt/vmware/vcloud-director/jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass vmware123 -genkey -keyalg RSA -alias http
  2. Create an untrusted certificate for the proxy service console:

    # /opt/vmware/vcloud-director/jre/bin/keytool -keystore certificates.ks -storetype JCEKS -storepass vmware123 -genkey -keyalg RSA -alias consoleproxy
  3. At this time, we can go back and configure vCloud Director. To run the configuration script, we now need to run the following script:

    # /opt/vmware/vcloud-director/bin/configure

    The required information is as follows:

    HTTP service IP Address: 
    Remote Console Proxy IP Address: 
    Java Keystore path: 
    Java Keystore password:
  4. Now you will be asked to configure the Syslog server. Specify the IP address and press Enter.

  5. Enter 2 for a Microsoft SQL Server database type.

    The required database information is as follows:

    Database host:
    Database Port:
    Database Name:
    Database Instance:
    Database Username:
    Database Password:

It will connect to the database through JDBC and database script will run.

Once the scripts have been completed, you will be presented with the link to the vCloud Director cell. You will also be asked to start the vCloud Director service; answer Y to start the service, and the vCloud Director service will be started.

vCloud Director setup

Once you have completed with the vCloud Director configuration, you can use the vCloud Director Web Console to complete the initial provisioning of your cloud. However, before you use the vCloud Director Web Console, you have to go through the setup wizard. The setup wizard gathers the information that the Web Console requires before it can start. Thus, once the wizard is finished, the web console starts and displays the login screen. The vCloud Director Web Console provides a set of tools for provisioning and managing a cloud environment. It includes a quickstart feature as well that guides you through steps such as attaching vCloud Director to vCenter and creating an organization.

Open a web browser and connect to https://<FQDN>/cloud. (This is the web IP address.)

Follow the prompts to complete the setup:

  1. Accept the terms of the license agreement.

  2. Enter the license key.

  3. Enter the administrative account username, password, full name, and e-mail address.

  4. Specify the system name and the installation ID. A vCloud Director installation ID is used to ensure the network addressing uniqueness and network traffic separation between distinct vCloud Director instances that happen to utilize the same Layer 2 network.


    The installation ID permeates the vCloud Director system seeding the network identity of various components as mentioned in the preceding steps. For example, the MAC addresses that vCloud Director assigns VM NICs will have IID embedded. vCloud Director Network Isolation also uses this.

  5. At this time, you will get a login prompt. Log in to this vCloud Director using the system admin credentials just created.

  6. You will see the first screen asking you to attach a vCenter Server as shown in the following screenshot:

  7. Click on Attach a vCenter.

    • You will be presented with the following screen where you have to input the vCenter Server information:

  8. Specify the vCenter connection information and click on Next.

  9. You will be presented with the following screen where you have to put the vCloud Networking and Security Manager information:

  10. Specify the vCloud Networking and Security Manager server connection information and click on Next.

  11. On the final screen, click on Finish.

  12. Once you add the vCenter Server, you can see it under the Manage & Monitor tab.

  13. Go to the Manage & Monitor tab and under the vSphere Resources section, click on vCenters. You will see a similar screen as follows:


As a prerequisite, vCenter Server has to be registered with your vCloud Networking and Security Manager. If not, you will see an error, vShield Manager is not registered with the VC <VC Name>. Perform VC registration in vShield Manager and retry. Open the vCloud Networking and Security Manager URL in a supported browser.

If you get this error, follow the given steps to register your vCenter Server with the vCloud Networking and Security Manager:

  1. Log in to the cloud as the administrator. This should have been done as part of the initial configuration.

  2. In the main Settings and Reports section, find the vCenter Server section, and you will see there is no vCenter Server registered with the vCloud Networking and Security Manager.

  3. Click on the Edit button.

  4. Specify the vCenter Server information and its credentials.

  5. Click on OK.

  6. Click on Yes on the security warning.

  7. vCenter Server should now be configured.