The operation of vRealize Application Remote Collector depends on certain services, ports, and external interfaces. Ensure that you secure them. The vRealize Application Remote Collector virtual appliance uses Photon OS 1.0 by VMware as the guest operating system.

vRealize Application Remote Collector Services

You must secure the following components of vRealize Application Remote Collector:

Component | Description
Data Plane (Emqtt) | The data plane used to exchange metrics and vRealize Application Remote Collector specific infrastructure messages.
Ucpapi | Runs the REST micro-services on top of the Xenon platform.
Control-plane | Runs SaltStack and is used to control actions such as triggering the bootstrap on endpoints.
Nginx | Runs the nginx service that is used to download options and support bundles.
Virtual Appliance (Deployed as an OVF) | The OVF that is deployed as a virtual appliance. It comprises six containers running the Data Plane (Emqtt), Ucpapi, Control-plane, and Nginx components. The operating system is Photon 1.0.
Endpoint | One of the client machines that connects to vRealize Application Remote Collector.

Communication Ports

vRealize Application Remote Collector uses several communication ports:

Component | Port
Data Plane (Emqtt) | 8883 (TCP/SSL)
Ucpapi | 9000 (HTTPS)
Control-plane | 4505 (TCP/SSL), 4506 (TCP/SSL)
Nginx | 8999 (HTTPS)
Virtual Appliance (Deployed as an OVF) | NA
Endpoint | NA
VMware Appliance Management Interface (VAMI) | 5480

Communication Path Ports

From | To | Ports
vRealize Operations Manager | vRealize Application Remote Collector | 9000, 8883
Endpoint VM | vRealize Application Remote Collector | 8999, 4505, 4506, 8883
Browser Access | VMware Appliance Management Interface (VAMI) | 5480
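As an added example (not from the VMware documentation), the following POSIX shell helper compares the TCP ports an appliance is actually listening on with the port table above, so that an undocumented listener stands out during a hardening review. The ss output it parses is a constructed sample, and the port 22 entry is an assumption based on the SSH service listed later on this page.

```shell
#!/bin/sh
# Added audit helper (not part of the VMware documentation): compares the TCP
# ports the appliance is listening on against the documented port table.

# Documented ports: Emqtt 8883, Ucpapi 9000, Salt 4505/4506, Nginx 8999,
# VAMI 5480, plus 22 for the SSH service listed under third-party services
# (assumption: SSH has been enabled after the root password change).
EXPECTED_PORTS="22 8883 9000 4505 4506 8999 5480"

# audit_listeners: reads `ss -ltn`-style output on stdin, prints every
# listening port that is not in EXPECTED_PORTS, and returns 1 if any were found.
audit_listeners() {
    unexpected=0
    # Column 4 is Local Address:Port; the port is the text after the last colon,
    # which also handles the "*:4505" and "[::]:4506" forms. Header is skipped.
    for port in $(awk 'NR > 1 { n = split($4, a, ":"); print a[n] }' | sort -un); do
        found=0
        for e in $EXPECTED_PORTS; do
            if [ "$port" = "$e" ]; then found=1; break; fi
        done
        if [ "$found" -eq 0 ]; then
            echo "unexpected listener on TCP port $port"
            unexpected=1
        fi
    done
    return "$unexpected"
}

# Constructed sample in the layout of `ss -ltn`; not captured from a real
# appliance. The last row is a deliberately undocumented listener.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      128    0.0.0.0:8883      0.0.0.0:*
LISTEN 0      128    0.0.0.0:9000      0.0.0.0:*
LISTEN 0      128    *:4505            *:*
LISTEN 0      128    [::]:4506         [::]:*
LISTEN 0      128    0.0.0.0:8999      0.0.0.0:*
LISTEN 0      128    0.0.0.0:5480      0.0.0.0:*
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*'

# On the appliance itself, run: ss -ltn | audit_listeners
printf '%s\n' "$SAMPLE_SS" | audit_listeners || echo "audit: review the listeners above"
```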

Third-Party Services

Enable the following third-party services for the vRealize Application Remote Collector components:

Component | Service
Virtual Appliance (Deployed as an OVF)
  • Docker
  • Cron
  • VAMI
  • Nginx, Data Plane (Emqtt), Salt-master (core component services)
  • SSH (to log in to the virtual appliance)
Endpoint
  • Time synchronization (the endpoints and the vRealize Application Remote Collector virtual appliance must be in time sync)
  • Virtual machines managed under vCenter
  • rpc

Location of Configuration Files

Configuration files used by the vRealize Application Remote Collector services are available in the following locations:

Component | Path
Data Plane (Emqtt) | /opt/vmware/share/htdocs/ucp/temp/Confs/emqtt/emq.conf
Ucpapi
  • /ucp/config/config.properties
  • /ucp/config/endpoint_config.properties
Control-plane
  • /ucp/salt/srv/salt/telegraf-conf/telegraf.emqtt.windows.conf
  • /ucp/salt/srv/salt/telegraf-conf/telegraf.emqtt.conf
Nginx | /etc/nginx/nginx.conf
Virtual Appliance (Deployed as an OVF) | /ucp/config/config-secrets.properties (applicable to virtual appliances)
Endpoint | /opt/vmware/ucp/salt-minion/etc/salt/grains

Default Passwords

The vRealize Application Remote Collector virtual appliance uses the root user account as the service user. No other user is created. The default root password is vmware. The root password must be changed at first login to the vRealize Application Remote Collector console. SSH is disabled until the default root password is changed.

The root password must meet the following requirements:
  • Must be at least 8 characters long
  • Must contain at least one uppercase letter, one lowercase letter, one digit, and one special character
  • Must not repeat the same character four times
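An added example, not part of the VMware documentation: a POSIX shell check of a candidate root password against the rules above, for use before the password is set. Reading the repeat rule as four identical characters in a row is an assumption (the page does not define it), and the candidate passwords are constructed.

```shell
#!/bin/sh
# Added helper (not part of the VMware documentation) that checks a candidate
# root password against the documented policy. The password is read from stdin
# so it does not appear in the process list.

# check_root_password: reads one line from stdin, prints each rule that fails,
# and returns 0 only when every rule passes.
check_root_password() {
    IFS= read -r pw
    failed=0
    if [ "${#pw}" -lt 8 ]; then
        echo "fail: fewer than 8 characters"; failed=1
    fi
    # POSIX character classes avoid locale surprises with ranges like [A-Z].
    for rule in 'uppercase letter:[[:upper:]]' 'lowercase letter:[[:lower:]]' \
                'digit:[[:digit:]]' 'special character:[^[:alnum:]]'; do
        name=${rule%%:*}
        pattern=${rule#*:}
        if ! printf '%s' "$pw" | grep -q -e "$pattern"; then
            echo "fail: no $name"; failed=1
        fi
    done
    # "Must not repeat the same character four times" is read here as four
    # identical characters in a row (assumption: the page does not define it).
    if printf '%s' "$pw" | grep -q -e '\(.\)\1\1\1'; then
        echo "fail: a character is repeated four times"; failed=1
    fi
    return "$failed"
}

# Constructed candidates; "vmware" is the documented default and must fail.
for candidate in 'vmware' 'Photon-0S!' 'Aaaa1111!'; do
    echo "checking $candidate"
    if printf '%s\n' "$candidate" | check_root_password; then echo "  ok"; fi
done
```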

vRealize Application Remote Collector Log and Configuration Files

Some configuration files contain settings that affect the security of vRealize Application Remote Collector. The log files for each component are in the following locations:

Component | Path
Data Plane (Emqtt)
  • /data1/ucp-emqtt-logs/error <#>.log
  • /data1/ucp-emqtt-logs/crash <#>.log
Ucpapi | /data1/ucpapis/ucpapi.log
Control-plane
  • /data1/ucp-salt/master
  • /data1/ucp-salt/api
Nginx | /data1/ucp-nginx/access.log
Virtual Appliance (Deployed as an OVF) | /ucp/support-bundle/Logs
Endpoint
  • /tmp/vmware-root/VMwareUCP_Bootstrap_Scriptsvmware*/uaf_bootstrap.log
  • /tmp/*/VMware-UCP_Bootstrap_Scripts*/
  • /tmp/vmware-root/VMware-UCP_Bootstrap_Scriptsvmware*/uaf_bootstrap.log
  • C:\Windows\Temp\VMware-UCP_Bootstrap_Scriptsvmware*/uaf_bootstrap.log

vRealize Application Remote Collector User Accounts

The following components do not have any user account created at the time of installation:
  • Data Plane (Emqtt)
  • Ucpapi
  • Control-plane
  • Nginx

The following accounts are created when you install vRealize Application Remote Collector:

Component | User Account Created At Install | Privileges Assigned
Virtual Appliance (Deployed as an OVF) | The default root password is vmware. The root password must be changed at first login to the vRealize Application Remote Collector console. | The root user has superuser privileges.
Endpoint | NA | On Windows: LAU (UAC) should be disabled. On Linux: non-admin users can use password-less sudo.

Security Updates and Patches

For the following components, use vami-upgrade for patching and upgrading:

  • Data Plane (Emqtt)
  • Ucpapi
  • Control-plane
  • Nginx
  • Virtual Appliance (Deployed as an OVF)

For the endpoints, use the rpm install method for patching and upgrading.

Third-Party Components

vRealize Application Remote Collector uses the following third-party components:

Component | Third-Party Components
Virtual Appliance (Deployed as an OVF)
  • Openssl
  • Python-2.7.13
  • JRE 1.8
Endpoint
  • Python 2.7.15
  • Salt-minion
  • Telegraf
  • vCenter services

Public Key, Certificate, and Keystore

The public key, the certificate, and the keystore of vRealize Application Remote Collector are located in the virtual appliance.

Component | Location
Data Plane (Emqtt) | Certificates and keys are stored in PEM files:
  • /ucp/ssl/emqtt/ca.cert.pem
  • /ucp/ssl/emqtt/emqtt.cert.pem
  • /ucp/ssl/emqtt/emqtt.key.pem
Ucpapi | The following certificates and keys are stored in keydb:
  • /ucp/ssl/ucpapi/ca.cert.pem
  • /ucp/ssl/ucpapi/ucpapi.cert.pem
  • /ucp/ssl/ucpapi/ucpapi.key
Nginx
  • /ucp/ssl/nginx/ca.cert.pem
  • /ucp/ssl/nginx/nginx.cert.pem
  • /ucp/ssl/nginx/nginx.key
Endpoint
  • /opt/vmware/ucp/certkeys/ca.pem
  • /opt/vmware/ucp/certkeys/cert.pem
  • /opt/vmware/ucp/certkeys/key.pem
  • /etc/salt/pki/minion/minion.pem

Open Source Licenses

The open source license files are located on the vRealize Application Remote Collector virtual appliance. Details of the open source components and licenses are available in the /ucp/open_source_licenses.txt file.