VMware Application Proxy v1.0.0.1 Guide vRealize Operations Manager 6.7


You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

[email protected]

Copyright © 2018 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com


Contents

The VMware Application Proxy Guide

1 Introduction
    Introduction to VMware Application Proxy

2 Deploy VMware Application Proxy
    Supported Platforms
    Sizing Reference Data
    Deploy VMware Application Proxy
    Supported Versions of vSphere
    Supported Application Services
    Configuring HTTP/HTTPS Proxy Server in VMware Application Proxy

3 Upgrade
    Upgrade an Existing Installation

4 Post Installation
    Configure Network Time Protocol Settings

5 Troubleshooting your Deployment
    Troubleshoot Incorrect Plugin Activation Status
    Troubleshoot Incorrect Collection Status and Data Receiving Issue
    Troubleshoot Agent Installation and Metric Collection Issues
    Agent Status Messages
    Troubleshoot Wavefront Dashboard Metrics Display
    Download Support Bundles

6 Security Reference
    VMware Application Proxy Security Information


The VMware Application Proxy Guide

The VMware Application Proxy Guide describes the steps to deploy VMware Application Proxy from VMware vSphere.

Intended Audience

The information in this guide is intended for VMware vSphere administrators and vRealize Operations Manager administrators and operations engineers.

VMware Technical Publications Glossary

VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.


1 Introduction

Introduction to VMware Application Proxy

VMware Application Proxy enables virtual infrastructure administrators and application administrators to discover applications running in provisioned guest operating systems at scale and to collect run-time metrics of the operating system and application for monitoring and troubleshooting the respective entities. The monitoring and troubleshooting workflows are enabled from vRealize Operations Manager, which includes the configuration of the Wavefront account as well as life cycle management of the agents on the virtual machines.

VMware Application Proxy is delivered as a standalone Photon OS OVA file. You must deploy the OVA file using a vSphere client. The OVA is available for download from vRealize Operations Manager after you log in.


2 Deploy VMware Application Proxy

This chapter includes the following topics:

- Supported Platforms
- Sizing Reference Data
- Deploy VMware Application Proxy
- Supported Versions of vSphere
- Supported Application Services
- Configuring HTTP/HTTPS Proxy Server in VMware Application Proxy

Supported Platforms

VMware Application Proxy supports monitoring for the following platforms and app combinations with API support.

Platforms supported by VMware Application Proxy

Platform  Version                       Architecture  Application
RedHat    7.x                           64-bit        OS Metrics and all supported applications for VMware Application Proxy
CentOS    7.x                           64-bit        OS Metrics and all supported applications for VMware Application Proxy
Windows   2008 R2, 2012, 2012 R2, 2016  64-bit        OS Metrics and all supported applications for VMware Application Proxy
OEL       7.x                           64-bit        OS Metrics and all supported applications for VMware Application Proxy


Sizing Reference Data

The sizing reference data helps you select a deployment configuration during the deployment of the OVA file. The sizing reference data is based on testing for small and medium node sizes.

Node Size        Small  Medium
vCPU             4      8
Memory (GB)      8      16
Disk Space (GB)  40     40
Swap (GB)        8      8
No of VMs        500    1500

Deploy VMware Application Proxy

Use a vSphere client to deploy VMware Application Proxy. You can deploy the VMware Application Proxy OVA template from a URL or from a file.

Prerequisites

You must have the URL to the VMware Application Proxy OVA template before you proceed. Alternately, you can download the VMware Application Proxy OVA file after you log in to vRealize Operations Manager. Navigate to the Application Monitoring with VMware Wavefront page from the Quick Start page and click the download link in step 2.

For critical time sourcing, use the Network Time Protocol (NTP). You must ensure time synchronization between the endpoint VMs, vCenter Server, ESX Hosts and vRealize Operations Manager.

Procedure

1 Right-click any inventory object that is a valid parent object of a virtual machine, such as a datacenter, folder, cluster, resource pool, or host, and select Deploy OVF Template.

The Deploy OVF Template wizard opens.

2 Select Deploy OVF Template.

The Deploy OVF Template wizard opens.

3 On the Deploy OVF template page do one of the following and click Next:

- If you have a URL to the OVA template which is located on the Internet, type the URL in the URL field. Supported URL sources are HTTP and HTTPS.

- If you have downloaded the VMware Application Proxy OVA file, click Local file and browse to the location of the file and select it.


4 On the Select a name and folder page, enter a unique name for the virtual machine or vApp, select a deployment location, and click Next.

The default name for the virtual machine is the same as the name of the selected OVF or OVA template. If you change the default name, choose a name that is unique within each vCenter Server virtual machine folder.

The default deployment location for the virtual machine is the inventory object where you started the wizard.

5 On the Select a resource page, select a resource where to run the deployed VM template, and click Next.

6 On the Review details page, verify the OVF or OVA template details and click Next.

Option         Description
Product        VMware Application Proxy.
Version        Version number of the VMware Application Proxy.
Vendor         VMware.
Publisher      Publisher of the OVF or OVA template, if a certificate included in the OVF or OVA template file specifies a publisher.
Download size  Size of the OVF or OVA file.
Size on disk   Size on disk after you deploy the OVF or OVA template.

7 On the Accept license agreements page, click Accept and then Next.

8 In the Select configuration page, select the size of the deployment.

9 On the Select storage page, define where and how to store the files for the deployed OVF or OVA template.

a Select a VM Storage Policy.

This option is available only if storage policies are enabled on the destination resource.

b (Optional) Enable the Show datastores from Storage DRS clusters check box to choose individual datastores from Storage DRS clusters for the initial placement of the virtual machine.

c Select a datastore to store the deployed OVF or OVA template.

The configuration file and virtual disk files are stored on the datastore. Select a datastore large enough to accommodate the virtual machine or vApp and all associated virtual disk files.

10 On the Select networks page, select a source network and map it to a destination network. Click Next. The source network must have a static FQDN name or static DNS.

The Source Network column lists all networks that are defined in the OVF or OVA template.


11 In the Customize template page, provide inputs to configure the VMware Application Proxy deployment.

Configuration              Description
API Admin User's Password  Enter a password for the VMware Application Proxy API admin. The username [email protected]. This password should be used when configuring this Application Proxy in vRealize Operations Manager.
Networking Properties      Verify the networking properties.

12 On the Ready to complete page, review the page and click Finish.

13 After the OVA deployment is complete, you can log in to the virtual appliance from vCenter Server. Right-click the virtual appliance that you installed. Click Open Console. Use the following credentials to log in:

Log In Details  Value
Username        root
Password        vmware

14 Change the root user password.

15 Start the sshd service to access the virtual machine through ssh.

What to do next

n Perform the post-installation tasks.

n Log in to vRealize Operations Manager and configure the agents to connect to Wavefront.


Supported Versions of vSphere

VMware Application Proxy supports vSphere versions 6.5 and above. The VMs where you install the agents must be deployed in any of these versions of vSphere.

Supported vSphere Versions

- vSphere 6.5
- vSphere 6.5U1
- vSphere 6.5U2
- vSphere 6.7

VMware Tools from version 10.1.0 to 10.2.5 is supported.


Supported Application Services

VMware Application Proxy supports 18 application services in Wavefront. You must configure the mandatory properties when you activate an application service in vRealize Operations Manager. After you configure the properties, VMware Application Proxy starts collecting data.

Apache HTTPD

Name                     Mandatory?  Comment
Status Page URL          Yes         http://localhost/server-status?auto
User name                No          User name for Apache HTTPD service. Example: root
Password                 No          Password
SSL CA                   No          Path to the SSL CA file on the Endpoint
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.

Apache Solr

Name                     Mandatory?  Comment
Server URL               Yes         http://localhost:8983

Consul

None

Elastic Search

Name                     Mandatory?  Comment
Server URL               Yes         http://localhost:9200
SSL CA                   No          Path to the SSL CA file on the Endpoint.
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.


JBoss

Name                     Mandatory?  Comment
Base URL                 Yes         http://localhost:8080
Installed Path           Yes         The path on the Endpoint where JBoss is installed.
SSL CA                   No          Path to the SSL CA file on the Endpoint.
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.

MongoDB

Name                     Mandatory?  Comment
Port                     Yes         The port where MongoDB is running. Example: 27017
Hostname                 No          Optional hostname for the MongoDB Service.
Username                 No          User name for MongoDB. Example: Root
Password                 No          Password
SSL CA                   No          Path to the SSL CA file on the Endpoint.
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.

MS SQL

Name                     Mandatory?  Comment
Port                     Yes         The port where MongoDB is running. Example: 27017
Hostname                 No          Optional hostname for the MongoDB Service.
Username                 No          User name for MongoDB. Example: Root
Password                 No          Password
SSL CA                   No          Path to the SSL CA file on the Endpoint.


SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.

MS Exchange

None

MS IIS

None

MySQL

Name                     Mandatory?  Comment
Port                     Yes         The port where MySQL is running. Example: 3306
User name                Yes         User name for MySQL service. Example: Root
Password                 Yes         Password
SSL CA                   No          Path to the SSL CA file on the Endpoint
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Hostname                 No          Optional hostname for the MySQL Service
Databases                No          Comma separated list of databases to monitor. Each of the database names to be monitored must be enclosed in single quotes and the databases themselves should be comma separated. For example: 'database1','database2','database3'
TLS Connection           No          Allowed values are true, false, skip-verify

Nginx

Name                     Mandatory?  Comment
Status Page URL          Yes         http://localhost/nginx_status
SSL CA                   No          Path to the SSL CA file on the Endpoint.


SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.

Pivotal Server

Name                     Mandatory?  Comment
Base URL                 Yes         http://localhost:8080
Installed Path           Yes         The path on the Endpoint where Pivotal server is installed.
SSL CA                   No          Path to the SSL CA file on the Endpoint.
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.

Postgres

Name                     Mandatory?  Comment
Port                     Yes         The port where PostgreSQL is running. Example: 5432
User name                Yes         User name for PostgreSQL service. Example: Root
Password                 Yes         Password
SSL Connection           No          Allowed values are disable, verify-ca, verify-full.
SSL CA                   No          Path to the SSL CA file on the Endpoint
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: true/false.
Hostname                 No          Optional hostname for the PostgreSQL Service.
Default Database         No          The database for initiating connection with the server


Databases                No          Comma separated list of databases to monitor. Each of the database names to be monitored must be enclosed in single quotes and the databases themselves should be comma separated, for example: 'database1','database2','database3'
Ignored Databases        No          Comma separated list of databases that need not be monitored. Each of the database names to be excluded from monitoring needs to be enclosed in single quotes and the databases themselves should be comma separated, for example: 'database1','database2','database3'

Riak

Name                     Mandatory?  Comment
Server URL               Yes         http://localhost:8098

RabbitMQ

Name                     Mandatory?  Comment
Management Plugin URL    Yes         http://localhost:15672
User name                No          User name for RabbitMQ. Example: Guest
Password                 No          Password
SSL CA                   No          Path to the SSL CA file on the Endpoint.
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.
Nodes                    No          Each of the RabbitMQ data collection nodes should be in single quotes and the nodes themselves should be comma separated. The list of nodes needs to be enclosed in square brackets. For example: ['rabbit@node1','rabbit@node2',.....]


Tomcat

Name                     Mandatory?  Comment
Base URL                 Yes         http://localhost:8080
Installed Path           Yes         The path on the Endpoint where Tomcat is installed.
SSL CA                   No          Path to the SSL CA file on the Endpoint.
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.

Varnish

Name                     Mandatory?  Comment
Varnishstat Binary Path  Yes         /usr/bin/varnishstat

Weblogic

Name                     Mandatory?  Comment
Base URL                 Yes         http://localhost:7001
Installed Path           Yes         The path on the Endpoint where WebLogic is installed.
User name                Yes         User name for WebLogic. Example: admin
Password                 Yes         Password
SSL CA                   No          Path to the SSL CA file on the Endpoint.
SSL Certificate          No          Path to the SSL Certificate file on the Endpoint.
SSL Key                  No          Path to the SSL Key file on the Endpoint.
Skip SSL Verification    No          Use SSL but skip chain & host verification. Expected: True/False.

Pre-Requirements for Application Services

For the Telegraf agent to collect metrics for some of the application services, you must make modifications in the endpoint VMs. After you make these modifications, the agent will start collecting metrics. You must SSH to the virtual machine where you have deployed the agent and modify the configuration files.


Postgres

In the configuration file available in /var/lib/pgsql/data/pg_hba.conf, change the value of local all postgres peer to local all postgres md5 and restart the service with the following command:

sudo service postgresql restart

Apache HTTPD

Modify the conf file available in /etc/httpd/conf.modules.d/status.conf and enable mod_status so that the HTTPD plugin of the agent can collect metrics.

<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
    </Location>
    ExtendedStatus On
</IfModule>

If the conf file is not available, you must create one. Restart the HTTPD service after modifying the conf file with the following command:

systemctl restart httpd

Nginx

Add the following lines to the conf file available in /etc/nginx/nginx.conf:

http {
    server {
        location /status {
            stub_status on;
            access_log off;
            allow all;
        }
    }
}

Restart the Nginx service with the following command:

systemctl restart nginx
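Added example, not part of the VMware guide: neither the Apache HTTPD block nor the Nginx block above restricts access by itself (the Nginx one says allow all), although the Status Page URLs listed for both services point at localhost. The script below flags status locations that carry no restriction of their own; the function names, the sample configs and the loopback-only variants (allow 127.0.0.1; deny all; and Require local) are constructed for illustration and assume the agent polls from the same host.

```shell
#!/bin/sh
# Added example: flag web-server status endpoints that carry no access restriction.
# Each audit function reads a config on stdin and prints "<path> OPEN" or
# "<path> RESTRICTED" for every status location it finds. Only directives inside
# the block are examined; rules inherited from enclosing contexts are not.

# nginx: a stub_status location is OPEN if it has "allow all" or lacks "deny all".
audit_nginx_status() {
    awk '
    { sub(/#.*/, ""); t = $0; sub(/^[ \t]+/, "", t) }      # drop comments, indent
    !inloc && t ~ /^location[ \t]/ {
        sub(/[{].*/, "", t); n = split(t, f); path = f[n]   # last word before brace
        inloc = 1; depth = 0; seen = 0; stub = 0; allowall = 0; denyall = 0
    }
    inloc {
        if ($0 ~ /stub_status/)           stub = 1
        if ($0 ~ /allow[ \t]+all[ \t]*;/) allowall = 1
        if ($0 ~ /deny[ \t]+all[ \t]*;/)  denyall = 1
        opens = gsub(/[{]/, "{"); closes = gsub(/[}]/, "}")
        if (opens) seen = 1
        depth += opens - closes
        if (seen && depth <= 0) {                           # location block closed
            if (stub) print path, ((allowall || !denyall) ? "OPEN" : "RESTRICTED")
            inloc = 0
        }
    }'
}

# Apache 2.4: a <Location> with "SetHandler server-status" is OPEN if it has no
# Require directive of its own or says "Require all granted".
audit_apache_status() {
    awk '
    /^[ \t]*#/ { next }                                     # skip comment lines
    { line = tolower($0); sub(/^[ \t]+/, "", line) }
    line ~ /^<location[ \t]/ {
        path = $2; sub(/>.*/, "", path); gsub(/"/, "", path)
        inloc = 1; handler = 0; granted = 0; limited = 0
        next
    }
    inloc && line ~ /^sethandler[ \t]+server-status/ { handler = 1 }
    inloc && line ~ /^require[ \t]+all[ \t]+granted/ { granted = 1 }
    inloc && line ~ /^require[ \t]/ && line !~ /^require[ \t]+all[ \t]+granted/ { limited = 1 }
    inloc && line ~ /^<\/location>/ {
        if (handler) print path, ((granted || !limited) ? "OPEN" : "RESTRICTED")
        inloc = 0
    }'
}

# Constructed samples: the two blocks as printed in the guide ...
nginx_guide() { cat <<'EOF'
http {
    server {
        location /status {
            stub_status on;
            access_log off;
            allow all;
        }
    }
}
EOF
}
apache_guide() { cat <<'EOF'
<IfModule mod_status.c>
    <Location /server-status>
        SetHandler server-status
    </Location>
    ExtendedStatus On
</IfModule>
EOF
}
# ... and loopback-only variants (assumption: the agent polls from the same host).
nginx_local()  { nginx_guide  | sed 's/allow all;/allow 127.0.0.1; deny all;/'; }
apache_local() { apache_guide | awk '{ print } /SetHandler/ { print "        Require local" }'; }

# Stand-alone run over the constructed samples.
echo "nginx  (guide): $(nginx_guide  | audit_nginx_status)"
echo "nginx  (local): $(nginx_local  | audit_nginx_status)"
echo "apache (guide): $(apache_guide | audit_apache_status)"
echo "apache (local): $(apache_local | audit_apache_status)"
```

To audit a real endpoint, feed the live file to the matching function, for example audit_nginx_status < /etc/nginx/nginx.conf.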


Configuring HTTP/HTTPS Proxy Server in VMware Application Proxy

VMware Application Proxy requires a working Internet connection to connect to Wavefront to send OS and application metrics.

If a direct Internet connection is not available, a working HTTP/HTTPS proxy must be available through which VMware Application Proxy can connect to the Internet. VMware Application Proxy uses pure HTTPS connections to connect to Wavefront. As a result, the HTTP/HTTPS proxy must be configured to support HTTPS connections. HTTPS ensures that the connection between VMware Application Proxy and the Wavefront server is fully encrypted and prevents man-in-the-middle attacks.

There are two ways in which the HTTP/HTTPS proxy servers handle HTTPS connections.

- Pass-thru Mode. In this mode, the HTTP/HTTPS proxy server forwards the HTTPS requests directly to the web server and does not attempt to inspect the content transferred between the client and the server. The SSL connection is established directly between the client and the server.

- Intercept Mode. In this mode, the HTTP/HTTPS proxy server acts as a man-in-the-middle and establishes two different SSL connections: one between the client and the HTTP/HTTPS proxy, and the other between the HTTP/HTTPS proxy and the web server. The client therefore does not have a direct SSL connection to the web server; it identifies this as a man-in-the-middle attack and terminates the connection. In this mode, the HTTP/HTTPS proxy server's CA certificate must be added to the trusted certification authorities of the client so that it accepts the SSL connection with the HTTP/HTTPS proxy server.

Procedure

1 Add the HTTP/HTTPS proxy details in /ucp/config/config.properties and in /ucp/wavefront-proxy/config/wavefront.conf.

a proxyHost. The IP or FQDN of the HTTP/HTTPS proxy server.

b proxyPort. The port of the HTTP/HTTPS proxy server.

c proxyUser. The user name. If the HTTP/HTTPS proxy server needs authentication, you can provide the user name.

d proxyPassword. The password. If the HTTP/HTTPS proxy server needs authentication, you can provide the password.

Note For authentication, if the proxy server requires a user name and password, do not use Basic Authentication as the authentication method. Basic Authentication is not supported because the password is transmitted in clear text over the network and is not secure.


2 Add the HTTP/HTTPS proxy server's CA certificate to the VMware Application Proxy's trust store.

a Export the CA certificate from the HTTP/HTTPS proxy server. You can refer to the HTTP/HTTPS proxy server's documentation for information about how to export the CA certificate.

b Copy the exported CA certificate to the VMware Application Proxy.

c To import the CA certificate into the trust store of VMware Application Proxy, run the following command:

keytool -import -alias charles -keystore /usr/java/jre-vmware/lib/security/cacerts -file PATH_TO_CERT

Enter the password when prompted. The password is changeit.

3 Restart the VMware Application Proxy API server and the Wavefront proxy components.

a docker restart ucp-apis

b docker restart wavefront-proxy

The Wavefront proxy components do not run if you have not configured Wavefront details in vRealize Operations Manager. In such a scenario, you do not have to restart the Wavefront proxy components.


3 Upgrade

Upgrade an Existing Installation

You must upgrade an existing installation of VMware Application Proxy to ensure enhanced compatibility with vRealize Operations Manager and Wavefront. You must log in to your existing VMware Application Proxy VAMI portal to perform the upgrade.

Prerequisites

You must have VMware Application Proxy 1.0 installed. You must have the root credentials to log in to the VAMI portal before you perform the upgrade.

Procedure

1 Log in to VAMI using the root credentials. The URL to log in to VAMI is:

https://<IP>:5480

2 Click the Update tab.

3 Click the Status tab, click Check Updates under Actions.

4 Click Install Updates.

5 After the updates have installed, click Reboot in the System tab.

VMware Application Proxy is successfully installed. You can check the version number in the Update tab under Status in VAMI.

What to do next

- Re-install the agents that you have previously installed. For details, see Install an Agent in the vRealize Operations Manager documentation.

n Start the sshd service to access the virtual machine through ssh.

n Perform the post-installation tasks.


4 Post Installation

Configure Network Time Protocol Settings

You must set up accurate timekeeping as part of the VMware Application Proxy deployment. If the time settings between VMware Application Proxy and vRealize Operations Manager are not synchronized, you will face agent installation and metric collection issues. Ensure time synchronization between the endpoint VMs, vCenter Server, ESX Hosts and vRealize Operations Manager using the Network Time Protocol (NTP).

Procedure

1 Log in to the VMware Application Proxy VM and modify the ntp.conf file available in /etc/ntp.conf by adding a line in the following format:

server time.vmware.com

Note Replace time.vmware.com with a suitable time server setting. You can use the FQDN or IP of the time server.

2 Enter the following command to start the NTP daemon:

systemctl start ntpd

3 Enter the following command to enable the NTP daemon:

systemctl enable ntpd

4 Run the following command to verify if NTP is configured correctly:

ntpstat


If NTP is synchronized correctly, you will see a message similar to the following:

synchronised to NTP server (10.113.60.176) at stratum 3

time correct to within 50 ms

polling server every 64 s
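Added example, not part of the VMware guide: the check from step 4 as a scripted verdict, so that the same tolerance can be applied on the proxy VM and on the endpoints. The function name, the 1000 ms default tolerance and the unsynchronised sample are assumptions; the synchronised sample is the output shown above.

```shell
#!/bin/sh
# Added example: turn ntpstat output into a pass/fail verdict with a tolerance.
# usage: ntpstat | ntp_sync_check [MAX_MS]    (MAX_MS default 1000 is an assumption)
# Prints a one-line verdict and returns 0 = synchronised within MAX_MS,
# 1 = unsynchronised or error bound too large, 2 = output not recognised.
ntp_sync_check() {
    awk -v max="${1:-1000}" '
    /^synchronised to /  { synced = 1 }
    /^unsynchronised/    { unsynced = 1 }
    /time correct to within/ {               # e.g. "time correct to within 50 ms"
        for (i = 1; i < NF; i++)
            if ($i == "within") { bound = $(i + 1) + 0; have = 1 }
    }
    END {
        if (unsynced)         { print "FAIL unsynchronised"; exit 1 }
        if (!synced || !have) { print "UNKNOWN"; exit 2 }
        if (bound > max)      { print "FAIL bound " bound " ms > " max " ms"; exit 1 }
        print "OK " bound " ms"
    }'
}

# Constructed samples: the synchronised output shown in the guide, and the shape
# ntpstat prints while the daemon has not yet selected a time source.
ntpstat_synced() {
    printf '%s\n' 'synchronised to NTP server (10.113.60.176) at stratum 3' \
        '   time correct to within 50 ms' '   polling server every 64 s'
}
ntpstat_unsynced() {
    printf '%s\n' 'unsynchronised' '  time server re-starting' \
        '   polling server every 8 s'
}

# Stand-alone run over the constructed samples.
ntpstat_synced   | ntp_sync_check 100
ntpstat_unsynced | ntp_sync_check 100 || true
```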


5 Troubleshooting your Deployment

This chapter includes the following topics:

- Troubleshoot Incorrect Plugin Activation Status
- Troubleshoot Incorrect Collection Status and Data Receiving Issue
- Troubleshoot Agent Installation and Metric Collection Issues
- Agent Status Messages
- Troubleshoot Wavefront Dashboard Metrics Display
- Download Support Bundles

Troubleshoot Incorrect Plugin Activation Status

The plugin activation status shows green even when the plugin activation has failed in the endpoint VMs.

Problem

After you have installed an agent in a VM, you can view the status of agent installation from the Agent Status column in the Agent Management tab. Sometimes even if the status of the agent is green, the agent does not collect metrics.

Cause

The agent status does not display the metric collection status correctly.

Solution

1 Check the log files to see if the agent activation is successful. The log file is in the following location: /data1/ucpapis/ucpapi.log

2 If the agent activation is successful, but the agent is not collecting metrics, deactivate the agent and activate it again.

3 Check the logs once again. The agent should start collecting metrics.


Troubleshoot Incorrect Collection Status and Data Receiving Issue

The collection state and the collection status of the VMware Application Proxy Adapter instance show Collecting and Data Receiving even if the objects are not receiving data from the adapter instance.

Problem

The status of the VMware Application Proxy adapter in vRealize Operations Manager displays the message, Objects are not receiving data from adapter instance. But the collection state and the collection status of the VMware Application Proxy Adapter instance show Collecting and Data Receiving.

To check the status of the VMware Application Proxy adapter, go to Environment > Inventory in the Environment Overview page. Filter on VAP and click the adapter name. View the messages in the Alerts tab of the object summary page.

Cause

This issue occurs when the ucp-dataplane-emqttserver container in the VMware Application Proxy VM stops running.

Solution

1 Log in to the VM using an SSH client such as PuTTY.

2 Run the following command to check if the ucp-dataplane-emqttserver container is running:

docker ps -a | grep ucp-dataplane-emqttserver

3 Look for the status of the container in the output that the command displays. The status will be in the following format:

Exited some X hours/minutes/seconds ago

4 Run the following command to restart the ucp-dataplane-emqttserver container:

docker start ucp-dataplane-emqttserver

5 Repeat step 2 to check if the ucp-dataplane-emqttserver container is running.

Troubleshoot Agent Installation and Metric Collection Issues

If the time settings between VMware Application Proxy and vRealize Operations Manager are not synchronized, you will face agent installation and metric collection issues. Eventually, you may not see any metrics in the Wavefront dashboards.


Problem

You may notice the following issues in vRealize Operations Manager and Wavefront:

n You cannot add VMware Application Proxy to vRealize Operations Manager

n You cannot install an agent in the Windows and Linux target VMs

n You cannot see the monitored metrics in Wavefront

Cause

Time synchronization is a prerequisite of the TLS/SSO communication between client and server.

If vRealize Operations Manager and VMware Application Proxy are not time synchronized, the test connection fails while configuring VMware Application Proxy in the Application Monitoring with VMware Wavefront page in vRealize Operations Manager.

If the Windows and Linux target VMs are not time synchronized with vRealize Operations Manager, communication between VMware Application Proxy and agents will break after installing the agents. Hence monitored metrics will not be sent to Wavefront.

Solution

1 Check the vRealize Operations Manager support bundle in the following path: COLLECTOR/adapters/APPOSUCPAdapter/ for errors.

2 Check the VMware Application Proxy support bundle, ucpapi.log, for errors.

3 Ensure time synchronization between VMware Application Proxy, vRealize Operations Manager and the Windows and Linux target VMs.
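One way to carry out step 3 from a single machine, as an added example that is not part of the VMware guide: compare the local clock with the Date header each HTTPS endpoint returns. It assumes curl and GNU date are available, that the hosts answer HTTPS requests with a Date header, and a 60-second tolerance (MAX_SKEW) chosen for this example; the host URL you pass in is your own.

```shell
#!/bin/sh
# Added example: measure clock skew against a host from its HTTP Date header.
# Assumes GNU date (for -d) and curl; MAX_SKEW is an assumed tolerance.
MAX_SKEW=${MAX_SKEW:-60}

# header_epoch: read raw HTTP response headers on stdin and print the Date
# header as epoch seconds. Strips the CR that ends every HTTP header line.
header_epoch() {
    hdr=$(tr -d '\r' | awk 'tolower($1) == "date:" { sub(/^[^:]*:[ \t]*/, ""); print; exit }')
    [ -n "$hdr" ] || return 1
    date -u -d "$hdr" +%s
}

# skew_seconds REMOTE_EPOCH LOCAL_EPOCH: print the absolute difference.
skew_seconds() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then d=$(( 0 - d )); fi
    echo "$d"
}

# check_skew URL: returns 0 if within MAX_SKEW, 1 if not, 2 if no Date header.
# -k skips certificate validation on purpose: only the Date header is read,
# and a skewed clock can itself make validation fail.
check_skew() {
    remote=$(curl -skI --max-time 10 "$1" | header_epoch) || return 2
    skew=$(skew_seconds "$remote" "$(date -u +%s)")
    echo "$1 skew=${skew}s"
    [ "$skew" -le "$MAX_SKEW" ]
}

# Live use, with your own host name:
#   check_skew "https://<VMware Application Proxy hostname>:5480"
```

Run it from each side (vRealize Operations Manager node, appliance, Linux target VM) so that every pair of clocks is compared.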

Agent Status Messages

After you have configured the VMware Application Proxy and mapped it to a vCenter Server, you can manage the agents on the VMs from the Agent Management tab in the Application Monitoring with VMware Wavefront page in vRealize Operations Manager. You can view the last operation status of the agents from the Last Operation Status Column in the data grid.

Last Operation Status Column

| Message in the UI | Message Details |
| --- | --- |
| No Operation | No operation was performed on this VM |
| Install in Progress | Agent install is in progress on the VM |
| Install Failed | Agent install has failed on the VM |
| Uninstall in Progress | Agent uninstall is in progress on the VM |
| Uninstall Failed | Agent uninstall has failed on the VM |
| Start in Progress | Agent start is in progress |
| Start Failed | Agent start has failed |
| Stop in Progress | Agent stop is in progress |
| Stop Failed | Agent stop has failed |
| Uninstall Success | Agent uninstall was a success |
| Install Success | Agent install was a success |
| Start Success | Agent start was a success |
| Stop Success | Agent stop was a success |

Troubleshoot Wavefront Dashboard Metrics Display

You cannot view metrics for any of the application plugins in Wavefront.

Problem

Metrics do not flow into the Wavefront dashboard for any application plugin. Stop and restart the agent to resolve this issue.

Solution

1 Log in to vRealize Operations Manager.

2 To stop the agent, go to Home, and then from the left pane select Application Monitoring (Wavefront). From the right pane, select the Agent Management tab.

3 Select the VM in which the agent that you need to stop is deployed.

4 From the Manage Agent drop-down menu, select Stop. Click OK in the confirmation dialog box.

5 View the status of the agent in the Agent Status and Last Operation Status columns.

6 After you have successfully stopped the agent, you must restart it. From the Manage Agent drop-down menu, select Start. Click OK in the confirmation dialog box.

Download Support Bundles

Download the support bundles from the virtual machines where you deployed VMware Application Proxy. Support bundles are required to troubleshoot any problem related to VMware Application Proxy.

Procedure

1 Access the VAMI page by entering https://<VMware Application Proxy hostname>:5480

2 Log in with root credentials.

3 Click the Support Bundle tab. Click the Generate Logs for VA button.

VMware Application Proxy creates the support bundles which you can download.


6 Security Reference

VMware Application Proxy Security Information

The operation of VMware Application Proxy depends on certain services, ports, and external interfaces. Ensure that you secure them. VMware Application Proxy virtual appliance uses Photon OS by VMware v1.0 as the guest operating system.

VMware Application Proxy Services

You must secure the following components of VMware Application Proxy:

| Component | Description |
| --- | --- |
| WavefrontProxy | Proxy service to communicate with Wavefront. |
| Forwarder | Forwards the intended data from VMware Application Proxy to Wavefront. |
| Data Plane (Emqtt) | The data plane used to exchange metrics and VMware Application Proxy specific infra messages. |
| Ucpapi | Runs the REST micro-services on top of the Xenon platform. |
| Control-plane | Runs saltstack and is used to control actions like triggering the bootstrap on endpoints. |
| Nginx | Runs the nginx service that is used to download options and support bundles. |
| Virtual Appliance (Deployed as an OVF) | This is the OVF that is deployed as a virtual appliance. It comprises six containers running the WavefrontProxy, Forwarder, Data Plane (Emqtt), Ucpapi, Control-plane and Nginx components. The operating system is Photon 1.0. |
| Endpoint | Refers to one of the client machines that connects to VMware Application Proxy to send data to Wavefront. The client machines can run the operating systems supported by VMware Application Proxy. |

Communication Ports

VMware Application Proxy uses several communication ports:

| Component | Port |
| --- | --- |
| WavefrontProxy | All ports are blocked |
| Forwarder | All ports are blocked |
| Data Plane (Emqtt) | 8883 (TCP/SSL) |
| Ucpapi | 9000 (HTTPS) |
| Control-plane | 4505 (TCP/SSL), 4506 (TCP/SSL) |
| Nginx | 8999 (HTTPS) |
| Virtual Appliance (Deployed as an OVF) | NA |
| Endpoint | NA |
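The port table can serve as an allow-list when auditing the appliance. The following added example (not part of the VMware guide) reads `ss -H -tln` output and reports any TCP listener outside the documented set; it assumes `ss` is available on the appliance and adds 22 (SSH) and 5480 (VAMI), which the guide mentions elsewhere, to the expected ports.

```shell
#!/bin/sh
# Added example: flag TCP listeners that are not in the guide's port table.
# EXPECTED holds the documented ports plus 22 (SSH) and 5480 (VAMI), both
# mentioned elsewhere in the guide.
EXPECTED="22 4505 4506 5480 8883 8999 9000"

# unexpected_listeners: read `ss -H -tln` output on stdin and print each
# listening port that is not in EXPECTED, one per line, sorted and unique.
# Loopback-only listeners are skipped; they are not reachable from the network.
unexpected_listeners() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 == "LISTEN" {
            addr = $4                          # Local Address:Port column
            port = addr
            sub(/^.*:/, "", port)              # keep what follows the last colon
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host ~ /^127\./ || host == "[::1]" || host == "::1") next
            if (!(port in ok)) print port
        }' | sort -n -u
}

# Live use on the appliance:
#   ss -H -tln | unexpected_listeners
```

An empty result means every network-reachable listener matches the table; any port printed needs an owner and a reason.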

Third Party Services

Enable the following third party services for the VMware Application Proxy components:

| Component | Service |
| --- | --- |
| Virtual Appliance (Deployed as an OVF) | Docker |
| | Cron |
| | Vami |
| | Nginx, Forwarder, Data Plane (Emqtt), Salt-master, Nginx (core component services) |
| | SSH (to login to the virtual appliance) |
| Endpoint | Ensure time-correction (Endpoints and VMware Application Proxy virtual appliance are in time-sync) |
| | Virtual Machines managed under vCenter |
| | rpc |

Location of Configuration Files

Configuration files used by the VMware Application Proxy services are available in the following locations:

| Component | Path |
| --- | --- |
| WavefrontProxy | /ucp/WavefrontProxy-proxy/config/WavefrontProxy.conf |
| | /ucp/config/config.properties |
| Forwarder | /ucp/forwarder/config/config.properties |
| | /ucp/config/config.properties |
| Data Plane (Emqtt) | /etc/Data Plane (Emqtt)d/emq.conf |
| Ucpapi | /ucp/config/config.properties |
| Control-plane | /var/srv/salt/telegraf-conf/telegraf.Data Plane (Emqtt).windows.conf |
| | /var/srv/salt/telegraf-conf/telegraf.Data Plane (Emqtt).conf |
| | /var/srv/salt/collectd-conf/collectd.conf |
| Nginx | /etc/nginx/nginx.conf |
| Virtual Appliance (Deployed as an OVF) | /ucp/config/config-secrets.properties (Applicable to Virtual Appliances) |
| Endpoint | NA |

Default Passwords

The VMware Application Proxy virtual appliance uses root user account as the service user. No other user is created. The default root password is vmware. The root password must be changed at first login to the VMware Application Proxy console. SSH is disabled until the default root password is changed.

The root password must meet the following requirements:

- Must be at least 8 characters long

- Must contain at least one uppercase letter, one lowercase letter, one digit, and one special character

- Must not repeat the same character four times

VMware Application Proxy Configuration Files

Some configuration files contain settings that affect the security of VMware Application Proxy.

| Component | Path |
| --- | --- |
| WavefrontProxy | /data1/WavefrontProxy-proxy/WavefrontProxy.log |
| Forwarder | /data1/ucp-forwarder/forwarder.log |
| Data Plane (Emqtt) | /data1/ucp-Data Plane (Emqtt)-logs/error.log |
| | /data1/ucp-Data Plane (Emqtt)-logs/crash.log |
| Ucpapi | /data1/ucpapis/ucpapi.log |
| Control-plane | /data1/ucp-salt/master |
| | /data1/ucp-salt/api |
| Nginx | /data1/ucp-nginx/access.log |
| Virtual Appliance (Deployed as an OVF) | /ucp/support-bundle/Logs |
| Endpoint | /tmp/vmware-root/VMware-UCP_Bootstrap_Scriptsvmware102/uaf_bootstrap.log |

VMware Application Proxy User Accounts

The following components do not have any user account created at the time of installation:

- WavefrontProxy

- Forwarder

- Data Plane (Emqtt)

- Ucpapi

- Control-plane

- Nginx

The following accounts are created when you install VMware Application Proxy:

| Component | User Account Created At Install | Privileges Assigned |
| --- | --- | --- |
| Virtual Appliance (Deployed as an OVF) | The default root password is vmware. The root password must be changed at first login to the VMware Application Proxy console | The root user has superuser privileges |
| Endpoint | NA | On Windows: LAU (UAC) should be disabled |
| | | On Linux: Non-admin users can use password-less sudo |

Security Updates and Patches

For the following components, use vami-upgrade for patching and upgrading:

- WavefrontProxy

- Forwarder

- Data Plane (Emqtt)

- Ucpapi

- Control-plane

- Nginx

- Virtual Appliance (Deployed as an OVF)

For the endpoints, use the rpm install method for patching and upgrading.

Third-Party Components

VMware Application Proxy uses the following third-party components:

| Component | Third-Party Components |
| --- | --- |
| Virtual Appliance (Deployed as an OVF) | Openssl |
| | Python-2.7.13 |
| | JRE 1.8 |
| Endpoint | Python 2.7.5 |
| | Salt-minion |
| | Telegraf |
| | vCenter services |


Public Key, Certificate, and Keystore

The public key, the certificate, and the keystore of VMware Application Proxy are located in the virtual appliance.

| Component | Location |
| --- | --- |
| Forwarder | /ucp/ssl/UCP-Forwarder/ca.cert.pem |
| | /ucp/ssl/UCP-Forwarder/UCP-Forwarder.cert.pem |
| | /ucp/ssl/UCP-Forwarder/UCP-Forwarder.key |
| Data Plane (Emqtt) | Certificates and keys are stored in pem files. |
| | /ucp/ssl/emqtt/ca.cert.pem |
| | /ucp/ssl/emqtt/emqtt.cert.pem |
| | /ucp/ssl/emqtt/emqtt.key.pem |
| Ucpapi | The following certificates and keys are stored in keydb: |
| | /ucp/ssl/ucpapi/ca.cert.pem |
| | /ucp/ssl/ucpapi/ucpapi.cert.pem |
| | /ucp/ssl/ucpapi/ucpapi.key |
| Nginx | /ucp/ssl/nginx/ca.cert.pem |
| | /ucp/ssl/nginx/nginx.cert.pem |
| | /ucp/ssl/nginx/nginx.key |
| Endpoint | /opt/vmware/ucp/certkeys/ca.pem |
| | /opt/vmware/ucp/certkeys/cert.pem |
| | /opt/vmware/ucp/certkeys/key.pem |
| | /etc/salt/pki/minion/minion.pem |
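The key files in this table are worth a periodic permission check. The following added example (not part of the VMware guide) reports any listed key file that is missing or readable by group or others; treating the `.key`, `key.pem` and `minion.pem` entries as private keys and expecting owner-only modes are assumptions of this example, and it relies on GNU `stat`.

```shell
#!/bin/sh
# Added example: report private-key files readable by group or others.
# Paths are key files listed in the guide; the owner-only expectation is an
# assumption of this example, not a requirement stated by the guide.
APPLIANCE_KEYS="/ucp/ssl/UCP-Forwarder/UCP-Forwarder.key
/ucp/ssl/emqtt/emqtt.key.pem
/ucp/ssl/ucpapi/ucpapi.key
/ucp/ssl/nginx/nginx.key"
ENDPOINT_KEYS="/opt/vmware/ucp/certkeys/key.pem
/etc/salt/pki/minion/minion.pem"

# audit_keys ROOT: read key paths on stdin (one per line) and check each one
# under ROOT (pass "" for the live filesystem). Prints "LOOSE <mode> <path>"
# or "MISSING <path>" and returns 1 if anything was reported.
audit_keys() {
    root=$1
    bad=0
    while IFS= read -r p; do
        [ -n "$p" ] || continue
        f="$root$p"
        if [ ! -e "$f" ]; then
            echo "MISSING $p"; bad=1; continue
        fi
        mode=$(stat -L -c '%a' "$f")     # octal mode of the target, e.g. 640
        # Modes ending in 00 grant nothing to group or others.
        case "$mode" in
            *00|0) ;;
            *) echo "LOOSE $mode $p"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Live use on the appliance:
#   printf '%s\n' "$APPLIANCE_KEYS" | audit_keys ""
```

On an endpoint, feed `ENDPOINT_KEYS` to the same function.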

Open Source Licenses

The open source license files are located on the VMware Application Proxy virtual appliance. Details of the open source components and licenses are available in /ucp/open_source_licenses.txt file.
