ESX Configuration Guide
4Enter the <readTimeoutMs> value in milliseconds.
For example, to set the Read Timeout to 20 seconds, enter the following command.
<readTimeoutMs>20000</readTimeoutMs>
5Enter the <handshakeTimeoutMs> value in milliseconds.
For example, to set the Handshake Timeout to 20 seconds, enter the following command.
<handshakeTimeoutMs>20000</handshakeTimeoutMs>
6Save your changes and close the file.
7Enter the following command to restart the vmware-hostd process. service mgmt-vmware restart
Example: Configuration File
The following section from the file /etc/vmware/hostd/config.xml shows where to enter the SSL timeout settings.
<vmacore>
...
<http>
<readTimeoutMs>20000</readTimeoutMs>
</http>
...
<ssl>
...
<handshakeTimeoutMs>20000</handshakeTimeoutMs>
...
</ssl>
</vmacore>
Modifying ESX Web Proxy Settings
When you modify Web proxy settings, you have several encryption and user security guidelines to consider.
NOTE Restart the vmware-hostd process after making any changes to host directories or authentication mechanisms by entering the command service mgmt-vmware restart.
nDo not set up certificates using pass phrases. ESX does not support pass phrases, also known as encrypted keys. If you set up a pass phrase, ESX processes cannot start correctly.
nYou can configure the Web proxy so that it searches for certificates in a location other than the default location. This capability proves useful for companies that prefer to centralize their certificates on a single machine so that multiple hosts can use the certificates.
CAUTION If certificates are not stored locally on the host—for example, if they are stored on an NFS share —the host cannot access those certificates if ESX loses network connectivity. As a result, a client connecting to the host cannot successfully participate in a secure SSL handshake with the host.
nTo support encryption for user names, passwords, and packets, SSL is enabled by default for vSphere Web Access and vSphere Web services SDK connections. To configure these connections so that they do not encrypt transmissions, disable SSL for your vSphere Web Access connection or vSphere Web Services SDK connection by switching the connection from HTTPS to HTTP.
186 |
VMware, Inc. |
Chapter 13 Authentication and User Management
Consider disabling SSL only if you created a fully trusted environment for these clients, where firewalls are in place and transmissions to and from the host are fully isolated. Disabling SSL can improve performance, because you avoid the overhead required to perform encryption.
nTo protect against misuse of ESX services, such as the internal Web server that hosts vSphere Web Access, most internal ESX services are accessible only through port 443, the port used for HTTPS transmission. Port 443 acts as a reverse proxy for ESX. You can see a list of services on ESX through an HTTP welcome page, but you cannot directly access these services without proper authorization.
You can change this configuration so that individual services are directly accessible through HTTP connections. Do not make this change unless you are using ESX in a fully trusted environment.
nWhen you upgrade vCenter Server and vSphere Web Access, the certificate remains in place. If you remove vCenter Server and vSphere Web Access, the certificate directory is not removed from the service console.
Configure the Web Proxy to Search for Certificates in Nondefault Locations
You can configure the Web proxy so that it searches for certificates in a location other than the default location. This is useful for companies that centralize their certificates on a single machine so that multiple hosts can use the certificates.
Procedure
1 Log in to the service console and acquire root privileges.
2Change to the /etc/vmware/hostd/ directory.
3Use a text editor to open the proxy.xml file and find the following XML segment.
<ssl>
<!-- The server private key file --> <privateKey>/etc/vmware/ssl/rui.key</privateKey> <!-- The server side certificate file --> <certificate>/etc/vmware/ssl/rui.crt</certificate> </ssl>
4Replace /etc/vmware/ssl/rui.key with the absolute path to the private key file that you received from your trusted certificate authority.
This path can be on the ESX host or on a centralized machine on which you store certificates and keys for your company.
NOTE Leave the <privateKey> and </privateKey> XML tags in place.
5Replace /etc/vmware/ssl/rui.crt with the absolute path to the certificate file that you received from your trusted certificate authority.
CAUTION Do not delete the original rui.key and rui.crt files. The ESX host uses these files.
6Save your changes and close the file.
7Enter the following command to restart the vmware-hostd process. service mgmt-vmware restart
VMware, Inc. |
187 |
ESX Configuration Guide
Change Security Settings for a Web Proxy Service
You can change the security configuration so that individual services are directly accessible through HTTP connections.
Procedure
1 Log in to the service console and acquire root privileges. 2 Change to the /etc/vmware/hostd/directory.
3Use a text editor to open the proxy.xml file.
The contents of the file typically appears as follows.
<ConfigRoot>
<EndpointList> <_length>10</_length>
<_type>vim.ProxyService.EndpointSpec[]</_type> <e id="0"> <_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpsWithRedirect</accessMode> <port>8309</port> <serverNamespace>/</serverNamespace>
</e>
<e id="1"> <_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpAndHttps</accessMode> <port>8309</port> <serverNamespace>/client/clients.xml</serverNamespace> </e>
<e id="2"> <_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpAndHttps</accessMode> <port>12001</port> <serverNamespace>/ha-nfc</serverNamespace>
</e>
<e id="3"> <_type>vim.ProxyService.NamedPipeServiceSpec</_type> <accessMode>httpsWithRedirect</accessMode> <pipeName>/var/run/vmware/proxy-mob</pipeName> <serverNamespace>/mob</serverNamespace>
</e>
<e id="4"> <_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpAndHttps</accessMode> <port>12000</port> <serverNamespace>/nfc</serverNamespace>
</e>
<e id="5"> <_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpsWithRedirect</accessMode> <port>8307</port> <serverNamespace>/sdk</serverNamespace>
</e>
<e id="6"> <_type>vim.ProxyService.NamedPipeTunnelSpec</_type>
188 |
VMware, Inc. |
Chapter 13 Authentication and User Management
<accessMode>httpOnly</accessMode> <pipeName>/var/run/vmware/proxy-sdk-tunnel</pipeName> <serverNamespace>/sdkTunnel</serverNamespace>
</e>
<e id="7"> <_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpsWithRedirect</accessMode> <port>8308</port> <serverNamespace>/ui</serverNamespace>
</e>
<e id="8"> <_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpsOnly</accessMode> <port>8089</port> <serverNamespace>/vpxa</serverNamespace>
</e>
<e id="9"> <_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpsWithRedirect</accessMode> <port>8889</port> <serverNamespace>/wsman</serverNamespace>
</e>
</EndpointList>
</ConfigRoot>
4Change the security settings as required.
For example, you might want to modify entries for services that use HTTPS to add the option of HTTP access.
ne id is an ID number for the server ID XML tag. ID numbers must be unique within the HTTP area.
n_type is the name of the service you are moving.
naccessmode is the forms of communication the service permits. Acceptable values include: n httpOnly – The service is accessible only over plain-text HTTP connections.
n httpsOnly – The service is accessible only over HTTPS connections.
n httpsWithRedirect – The service is accessible only over HTTPS connections. Requests over HTTP are redirected to the appropriate HTTPS URL.
n httpAndHttps – The service is accessible both over HTTP and HTTPS connections.
nport is the port number assigned to the service. You can assign a different port number to the service.
nserverNamespace is the namespace for the server that provides this service, for example /sdk or /mob. 5 Save your changes and close the file.
6 Enter the following command to restart the vmware-hostd process:
service mgmt-vmware restart
VMware, Inc. |
189 |
ESX Configuration Guide
Example: Setting Up vSphere Web Access to Communicate Through an Insecure Port
vSphere Web Access normally communicates with an ESX host through a secure port (HTTPS, 443). If you are in a fully trusted environment, you might decide that you can almost permit an insecure port (for example, HTTP, 80). To do so, change the accessMode attribute for the Web server in proxy.xml file. In the following result, the access mode is changed from httpsWithRedirect to httpAndHttps.
<_type>vim.ProxyService.LocalServiceSpec</_type> <accessMode>httpAndHttps</accessMode> <port>8080</port> <serverNamespace>/ui</serverNamespace>
190 |
VMware, Inc. |