Integration with VMWare VSphere/ESXi
Background on VSphere/ESXi
VMWare's VSphere is a software suite that runs on top of a host OS like Windows or Unixes (AIX or Linux), installed on baremetal (direct server hardware).
It contains:
ESXi (VMWare Hypervisor) is the virtualization software that is part of the VSphere software suite
VCenter Server, a VM managing interface (in AIX appliances it's installed as a VM on the ESXi hypervisor, but it can also be hosted elsewhere)
It is usually deployed in large environments with many ESXi hosts and virtual machines that require advanced enterprise features, instead of using the CLI commands available on ESXi to manage VMs.
It offers tools like vMotion, VMware High Availability, VMware Update Manager, VMware Distributed Resource Scheduler (DRS) etc., all designed to automate working with VMs for failover, maintenance and security.
VCenter Client, formerly an application that ran on a VM or baremetal operating system and allowed administrators to interact with VCenter Server, by default on port 902; this was replaced by a web UI that runs on the VSphere Server itself (v6.5, released in 2016), by default on port 443.
The agtvsphere and agtesxi connectors use this port to integrate with the VCenter's WSGI API.

Since ESXi and VCenter are guest platforms, they can be configured to read their accounts from an LDAP directory (AD when the host OS is Windows), and as such, they don't have "their own" accounts. If an account source directory is not configured, they import accounts from the system they're running on.
Connector availability for integration with Bravura Security Fabric
Connector Pack includes the following connectors:
agtesxi.exe can be used to manage local accounts that are native to the VMWare ESXi server. It can list, verify and reset passwords on these native accounts (regardless of where the server is configured to list them from). This connector is useful because there's no need to have different system templates for the account-source systems (AIX, Linux, etc).
Do not target ESXi servers directly with agtssh, agtlinux or any other connector; use only agtesxi.
agtvsphere.exe can be used in:
Bravura Privilege to list VMs and act as a source of managed systems (not managed accounts)
Bravura Identity to manage permissions to Vsphere Roles
Accounts imported into vCenter from AD/LDAP can be listed directly by this connector
Roles created in vCenter are listed as groups
Users and roles can be added/removed as members of roles to grant and remove permissions
Integration suggestions
In most cases, Active Directory is the enterprise computer registrar, for servers and workstations, so using the virtualization software to list computers should not be required.
If VSphere is the only way to auto discover some systems in a specific solution, keep in mind:
VSphere/VCenter accounts are imported from external directories (e.g. LDAP/AD)
The accounts listed from these targets should not be managed for Bravura Privilege.
To change passwords on these accounts you must target the source directory/server and manage the accounts there.
The VSphere target allows for password resets on its accounts, but that operation doesn't actually do anything, so do not use the Manage with Bravura Privilege option on the target Administrator credential settings.
It is not possible to create accounts on ESXi with Bravura Identity, because it would double the work and cause failures and race conditions; accounts must be created on the host/source operating system.
Both VSphere agents use the VSphere client to make the actual connection.
That means that most connectivity issues can be fixed by matching the Vim25Service.dll library our agents use to the VSphere version.
Similarly, SSL connection issues due to protocol mismatch (e.g. TLS 1.1 vs TLS 1.2) can be fixed by upgrading that DLL to one that allows the protocol enforced by the VSphere web servers.
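Before swapping the DLL, it helps to confirm which TLS versions the VSphere web server actually accepts on port 443. The PowerShell function below is an added example, not part of the Connector Pack or the original page; the function name Test-VSphereTlsProtocol and the host name vcenter.example.com are assumptions for illustration.

```powershell
# Added example: reports which TLS versions a VSphere/ESXi web endpoint negotiates.
# Test-VSphereTlsProtocol and vcenter.example.com are hypothetical names.
function Test-VSphereTlsProtocol {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 443,          # web UI / API port named on this page
        [int] $TimeoutMs = 5000
    )

    foreach ($name in 'Tls', 'Tls11', 'Tls12') {
        $protocol = [System.Security.Authentication.SslProtocols] $name
        $client   = New-Object System.Net.Sockets.TcpClient
        $accepted = $false
        $detail   = ''
        try {
            # Bounded TCP connect so a filtered port does not hang the probe
            if (-not $client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) {
                throw 'TCP connect timed out'
            }
            # Certificate validation is bypassed on purpose: the probe sends no
            # credentials and only tests protocol negotiation. Do not reuse this
            # callback in code that authenticates to the server.
            $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $stream = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
            try {
                # Offer exactly one protocol version per attempt
                $stream.AuthenticateAsClient($Server, $null, $protocol, $false)
                $accepted = $true
                $detail   = "negotiated $($stream.SslProtocol)"
            } finally {
                $stream.Dispose()
            }
        } catch {
            # Handshake or connect failure: keep the root cause for the report
            $detail = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Protocol = $name; Accepted = $accepted; Detail = $detail }
    }
}

# Usage (placeholder host): run from the server where the connectors are installed
# Test-VSphereTlsProtocol -Server 'vcenter.example.com' | Format-Table -AutoSize
```

A protocol reported as rejected may also be disabled in the probing machine's own Windows SCHANNEL settings, so run the check from the server that hosts the connectors to see what the agents themselves will experience.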