If you do not have Internet access or direct connectivity to the AppDefense Manager, you can install the AppDefense Host Module manually. Download the VIBs from the AppDefense Manager or from the VMware Downloads page, then install the host module manually on the ESXi host. Once the VIB is installed, it enables the host to enforce guest integrity and inspect guest behavior.

Prerequisites

Configuration variables for the ESXi host are set.

Procedure

  1. Download the zip file containing the latest host module VIBs.
    • If you have access to AppDefense Service (SaaS), follow these steps.
      1. Log in to the AppDefense Manager, and click the settings icon.
      2. Click Downloads, and then click the Host Module tab.
      3. Download the zip file containing the latest host module VIB to any location.
    • You can also download the host module zip from the VMware Downloads page at https://my.vmware.com/web/vmware/downloads.

      AppDefense is listed under Datacenter & Cloud Infrastructure > VMware vSphere > Platinum or under Networking & Security.

  2. Copy the zip file to the target ESXi host.
  3. Log in to the ESXi host.
  4. Install the host module using the following command.

    esxcli software vib install -d <path-to-zip>

    The host module starts automatically after it is installed.
  5. Use the /etc/init.d/glxhostuwd status command to verify that the host module is running.
  6. Use the ESXi command line to set up the host configuration variables (glxHostId, glxAppIP, and glxAppPort).
    AppDefense uses ESXi advanced configuration variables to pass configuration settings to the AppDefense Host Module.
    Note: Enable Secure Shell (SSH) and ESXi Shell for the ESXi hosts from the vCenter Server.
    1. Setting glxHostId:
      • Log in to the ESXi host by SSH as the root user.
      • Set the AppDefense Host Identifier (the host's MoRef ID in vCenter Server) using the esxcfg-advcfg /UserVars/glxHostId -s <host-id> command. AppDefense uses the Host Identifier when sending host heartbeat messages.
      • Find the MOID value in the vCenter Server Operations Manager Dashboard at https://<vcenter-ip>/vod/index.html?page=hosts. vCenter Server uses the MOID to identify the host (for example, “host-10”).
      • Replace <host-id> with the MOID of the current host from the vCenter Server.
    2. Setting glxAppIP:
      • Set the IP address of the AppDefense Appliance using the esxcfg-advcfg /UserVars/glxAppIP -s <ip-address> command, replacing <ip-address> with the appliance's IP address.

        If you do not know the IP address of the appliance, you can get it through vCenter Server.

    3. Setting glxAppPort:
      • Set the AppDefense Appliance port number using the esxcfg-advcfg /UserVars/glxAppPort -s 443 command.

        The port number is configurable, but it must be set to 443.

    4. After the appliance is ready, you can perform the following steps to get the public certificate of the appliance (glxAppCert).
      1. To get the public certificate of the appliance, run the openssl s_client -connect <Appliance IP>:443 | openssl x509 -text command. The certificate is printed at the end of the output.
      2. Copy the certificate printed at the bottom, from the "-----BEGIN CERTIFICATE-----" line through the "-----END CERTIFICATE-----" line.
      3. Put the certificate on a single line: remove every newline character and write the two characters \n in its place, including the newline after the -----BEGIN CERTIFICATE----- line and the one before the -----END CERTIFICATE----- line.
      4. Because a command of more than 1024 characters cannot be entered directly at the command prompt, create a bash script (.sh file).
      5. In the script, set the certificate value on the host in the glxAppCert variable using the esxcfg-advcfg /UserVars/glxAppCert -s "<Appliance Public Certificate>" command.
      6. Run the script.
      The public certificate of the appliance is now stored on the host.
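The commands of step 6 gathered into one script, as an added example that is not VMware's own code: it sets glxHostId, glxAppIP and glxAppPort, fetches the appliance certificate, flattens it to the \n form described above, stores it in glxAppCert from inside the script (so the 1024-character prompt limit does not apply), and reads the values back. It is written in POSIX sh so that it runs in the ESXi shell. The script name, the argument order, the host-<number> check on the MOID and the fingerprint printout are this example's own additions, and it uses plain openssl x509 (which prints only the PEM block) where the page uses openssl x509 -text.

```shell
#!/bin/sh
# Added example, not VMware's own script: configure the AppDefense host module
# variables (step 6 of the procedure) on an ESXi host. POSIX sh, no bash needed.
# Usage on the host (name and argument order chosen for this example):
#   sh set-appdefense-vars.sh <host-moid> <appliance-ip> [port]

# Accept only identifiers of the host-<number> form that vCenter Server uses
# for HostSystem MoRefs (the page's example is host-10).
check_moid() {
    printf '%s' "$1" | grep -Eq '^host-[0-9]+$'
}

# Flatten a PEM certificate to one line: keep only the BEGIN..END block (so the
# output of "openssl x509 -text" is accepted as well) and write the two
# characters \n wherever a line break was, which is the form glxAppCert expects.
flatten_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
      | awk 'BEGIN { ORS = "" } NR > 1 { print "\\n" } { print }'
}

# Fetch the appliance's TLS certificate in PEM form. Redirecting stdin from
# /dev/null ends the s_client session once the handshake has completed.
fetch_appliance_cert() {
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | openssl x509
}

# Set the three plain variables with the page's esxcfg-advcfg commands.
set_host_vars() {
    check_moid "$1" || { echo "invalid host MOID: $1" >&2; return 1; }
    esxcfg-advcfg /UserVars/glxHostId -s "$1"
    esxcfg-advcfg /UserVars/glxAppIP -s "$2"
    esxcfg-advcfg /UserVars/glxAppPort -s "$3"
}

# Read every variable back, as the Results section does.
show_host_vars() {
    for v in glxHostId glxAppIP glxAppPort glxAppCert; do
        esxcfg-advcfg "/UserVars/$v" -g
    done
}

main() {
    moid=$1; app_ip=$2; app_port=${3:-443}
    set_host_vars "$moid" "$app_ip" "$app_port" || return 1
    pem=$(fetch_appliance_cert "$app_ip" "$app_port")
    [ -n "$pem" ] || { echo "no certificate received from $app_ip:$app_port" >&2; return 1; }
    # The certificate fetched over the network is what the host will store as the
    # appliance's identity; print its fingerprint so it can be checked against a
    # value obtained out of band before relying on it.
    printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256
    cert=$(printf '%s\n' "$pem" | flatten_pem)
    # Issued from a script, so the 1024-character prompt limit is not a concern.
    esxcfg-advcfg /UserVars/glxAppCert -s "$cert"
    show_host_vars
}

# Only act when run on an ESXi host (esxcfg-advcfg present) with arguments.
if command -v esxcfg-advcfg >/dev/null 2>&1 && [ $# -ge 2 ]; then
    main "$@"
fi
```

Run it on the host after the VIB is installed, for example `sh set-appdefense-vars.sh host-10 <appliance-ip>`. Because flatten_pem keeps only the BEGIN/END block, it also accepts a certificate pasted from the page's `openssl x509 -text` output. The SHA-256 fingerprint it prints is worth comparing with a value obtained out of band, since the stored certificate is what the host will associate with the appliance from then on.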

Results

You can verify that the values are configured correctly using the following commands:

esxcfg-advcfg /UserVars/glxHostId -g
#(Output example: Value of glxHostId is host-10)

esxcfg-advcfg /UserVars/glxAppIP -g
#(Output example: Value of glxAppIP is 192.168.201.67)

esxcfg-advcfg /UserVars/glxAppPort -g
#(Output example: Value of glxAppPort is 443)