VMware

VMware vRealize Configuration Manager Release Notes

VMware vRealize Configuration Manager 5.7.3 | 9 December 2014 | Build 211

Last Document Update: 9 December 2014

Check frequently for additions and updates to these release notes.

What's in the Release Notes

The release notes cover the following topics:

What's New

vRealize Configuration Manager 5.7.3 provides several new features and resolves multiple product issues.

  • VCM Collector installation on Windows Server 2012 or on Windows Server 2012 R2 operating systems, and support for Microsoft SQL Server 2012 SP2

    You can now install VCM Collector on Windows Server 2012 or on Windows Server 2012 R2 operating systems on each machine for 2-tier and 3-tier VCM installation. VCM now also supports its database on Microsoft SQL Server 2012 SP2 version.

  • VCM Windows Agent and VCM Linux Agent are now Federal Information Processing Standards (FIPS) 140-2 Compliant

    To enhance the security, VCM agents on Windows, Linux, and Unix are now FIPS 140-2 compliant. By default, the FIPS mode is not enabled on the agents. Perform the following procedures to enable FIPS on Windows or Linux.

    To enable FIPS mode on the Windows Agent, perform the following procedure.

    1. Navigate to the registry path HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Configuresoft\CSI\5.0\Common\Settings.
      Note: Create a key Settings if it is not already present.
    2. Create a DWORD EnableFips under the key Settings, and enter the value 1 if you want to enable FIPS and 0 if you want to disable FIPS.
      Note: Create key Settings if it is not already present.
    3. To verify if FIPS is enabled or not, enable Info logging check box by navigating to Administration > Settings > Windows > Agent - General > Edit Setting and then initiate a request from the VCM collector.
    4. After the request is finished and if FIPS is enabled, you can see the message Turning FIPS mode on for the script only for vCenter Server, vCloud Director, and vShield Manager inspections and SRF actions on Windows because these inspections or actions use FIPS enabled Python, and all other inspections and actions use normal Windows calls, which are by default FIPS compliant.

    To enable FIPS mode on the Linux Agent, perform the following procedure.

    1. Add the <value>...<value> entry as follows to the Settings area of the <installation_path>/opt/CMAgent/CSIRegistry file, and save the file:
      ···
      <name>Settings</name>
      ···
      <value>
      <name>EnableFips</name>
      <type>1</type>
      <data>true</data>
      </value>
      ···
    2. To verify that FIPS mode is enabled on the Agent, initiate a request from the VCM Collector to the managed machine where the Agent is installed.
    3. When the request is completed, confirm whether the Agent DBE file includes the following warning message: FIPS mode on.

  • Additional Managed Machines Platform Support

    VCM 5.7.3 adds support for the following platforms. VCM can perform collection, patching, compliance, reporting, machine filters for these platforms.

    • Red Hat Enterprise Linux (RHEL) 7
    • CentOS 7
    • Oracle Enterprise Linux (OEL) 7
    • SUSE Linux Enterprise 11 Service Pack 3

  • Support of new Software Content Repository (SCR) Tool 6.1 on RHEL 7 Server (64-bit)

    If you need to patch your RHEL 7 target machines, then you must have a new SCR Tool 6.1 on RHEL 7 Server (64-bit). However, VCM continues to support SCR Tool on RHEL 6 Server (64-bit) for patching earlier platforms. For more information see, Software Content Repository Tool 6.1 Guide at http://www.vmware.com/support/pubs/vcm_pubs.html.

  • Patching Enhancements

    The following enhancements have been made to the patching feature.

    • An option to exclude superseded bulletins is available while creating Dynamic Templates.
    • An option to include latest superseding bulletins is available while creating Dynamic Templates.
    • A filter condition is added while creating Windows Dynamic Templates to filter the bulletins on the property Reboot Required. This property is available while editing the template as well.
    • The Dynamic Template is refreshed whenever new content is downloaded or if the dynamic template is edited.

  • Upgraded JRE to 1.7u65

    JRE has been upgraded to 1.7u65.

  • Option to hide SID and event lookup jobs from Running Jobs Window

    An option to hide SID and event lookup jobs, namely, Hide the SIDLookup, EventLookup and EventCategoryLookup, from the Running Jobs window has been added as configuration settings.

  • Rebranded vCenter Configuration Manager to vRealize Configuration Manager

    vCenter Configuration Manager has been rebranded to vRealize Configuration Manager. Also, VCM will integrate and support vCenter Operations Manager and vRealize Operations Manager in the same manner.

  • Other Enhancements

    • Under VE Compliance rules, Bus Adapter is now listed under "iSCSI" and "Others" instead of " " and "Non iSCSI".
    • Host Detail column is provided for each job in the Jobs Running page.
    • You can now create the collection filters by using logical operators (AND, OR). vCenter Server collections triggered by using the logical operators might minimize the size of the data that is generated by an agent.
      An example of host collection filter:
      HostName like '10.25%'
      OR HostName like '10.112%'
      The data is collected from all the hosts with names starting with 10.25% and 10.112%.

Updated Documentation

In this release, new features are documented in the VCM online help, the Software Content Repository Tool 6.1 Guide, and these release notes.

The new Software Content Repository Tool 6.1 Guide includes support for CentOS 7, Red Hat Enterprise Linux (RHEL) 7, Oracle Enterprise Linux (OEL) 7, and SUSE Linux Enterprise 11 Service Pack 3 platforms including new properties file.

You can access the Software Content Repository Tool 6.1 Guide and the VCM 5.7.3 online help on the VMware Web site at http://www.vmware.com/support/pubs/vcm_pubs.html.

Upgrades to This Release

To upgrade your version of VCM to the current version, you must be running VCM 5.4.0 or later. To migrate your environment to the current version of VCM, you must be running VCM 5.3, EMC Ionix SCM 5.0 or later, or Configuresoft ECM 4.11.1 or later.

  • Upgrades
    An upgrade installs the new version of VCM on the 64-bit Windows machines in single-tier, two-tier, or three-tier installation configurations.

    In this release, the upgrade process verifies your VCM certificates and gives you the option to select or generate new certificates. You must select or generate new certificates if the current certificates are expired.

  • Migrations
    A migration to VCM 5.7.3 requires that you install VCM in a 64-bit environment and migrate your 32-bit database to the 64-bit database. Before you perform the migration, update your environment to include the Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 operating system; SQL Server 2008 R2 or SQL Server 2012, SQL Server 2012 SP2, and SQL Server Reporting Services, and then migrate your existing VCM, SCM, or ECM data to the 64-bit environment.

For more information about upgrading an existing instance of VCM, see the VCM Advanced Installation Guide on the VMware Web site at http://www.vmware.com/support/pubs/vcm_pubs.html.

Open Source Components for vRealize Configuration Manager

The copyright statements and licenses applicable to the open source software components distributed in vRealize Configuration Manager 5.7.3 are available at Download VMware vRealize Configuration Manager, on the Open Source tab. You can also download the source files for any GPL, LGPL, or other similar licenses that require the source code or modifications to source code to be made available for the most recent generally available release of vSphere.

Internationalization

The VCM 5.7.3 release addresses and resolves internationalization defects that affected how VCM processes and displays non-ASCII characters and various date formats.

Resolved Issues

The following issues are resolved in the VCM 5.7.3 release.

  • VCM installation or upgrade from VCM 5.7.1 or later fails if the Agent certificate already exists on the VCM Collector
    When you install a VCM Collector 5.7.2, or upgrade from VCM 5.7.1, when you click Select button in the Select Certificate window to select the Enterprise Certificate, if the Agent certificate already exists on the Collector, the installation stops responding. Although you might see the available certificates listed in this window the first time you attempt to run the installation or upgrade, if you view the Select Certificate window again, the certificates do not appear, and the installation stops responding.

    This issue is resolved in this release.

  • vCenter Server specific data filters appear in Windows instead of Virtualization
    When you create a new Collection filter, all the vCenter Server specific data filters appear in Windows instead of Virtualization.
  • This issue is resolved in this release.

  • Unable to change CA signed certificates after installation
    An exception SmartIfICsiColCertificateFunctions->UpdateCertificates() failed HRESULT 0x80004005 = Unspecified error; is displayed when you attempt to change the CA signed certificates after installation. Now, for Linux Agents, a common name in Enterprise Certificate is not mandatory for mutual authentication.
  • This issue is resolved in this release.

  • Organizational Unit name does appear correctly in Active Directory slider after renaming
    If you rename the Organizational Unit, the new name does not appear under ellipsis for discovery rules. The list displays the old name.
  • This issue is resolved in this release.

  • Templates that are present in vCenter Server are categorized as Guest VMs in the VCM console
    The templates that are present in vCenter Server are displayed as Guest VMs in the VCM console. Because these templates are displayed as Guest VMs in the VCM console, any attempt to create a snapshot fails because you cannot take a snapshot of a template.
  • This issue is resolved in this release.

  • Unable to change User Properties
    If you attempt to change the User Properties by navigating to Console > UNIX > Security > Users > Information, the job fails and an error message ERROR: No module named SRFActionMain is displayed.
  • This issue is resolved in this release.

  • Scheduled jobs do not display the next scheduled dates correctly
    If you create new scheduled jobs, the Next Scheduled (Collector) and Next Scheduled (Local) do not display the correct date. Also, you are not notified when the job runs the next time around.
  • This issue is resolved in this release.

  • Editing administrator role removes service accounts from ecm_sysdat_login_roles
    If you edit the administrator role and add another user to the role by navigating to Admin > User Manager > VCM Access > Roles > Admin Row > Edit > Add a user, the SQL agent service account is removed from ecm_sysdat_login_roles. As a result, auto assessments fail.
  • This issue is resolved in this release.

  • vSphere data classes and associated actions are delegated to the managing agent instead of vCenter Server
    If you perform SRF Action on vCenter Server, which is configured by using managing agent, all the SRF Action is routed to managing agent instead of vCenter Server.
  • This issue is resolved in this release.

  • VCM 5.7.3 installation, or an upgrade from VCM 5.7.1 or 5.7.2 HTTPS to VCM 5.7.3 HTTP, cannot run a remote command to upgrade the UNIX Agent
    During VCM 5.7.3 installation of the Web console and SSRS with HTTPS, or during upgrade of VCM 5.7.2 or 5.7.2 HTTPS installation to a VCM 5.7.2 HTTP installation, the installation process cannot run the remote command to upgrade the UNIX Agent.

    After you add Linux and UNIX machines and license them, when you select a Linux or UNIX machine, and click Remote Command on the main toolbar, and click UNIX Agent Upgrade on the Remote Commands Folder page in the Run Remote Command wizard, the remote command fails because an unwanted port is appended to the host name in the remote command file path when the Web console and SSRS are installed in HTTPS mode.

  • This issue is resolved in this release.

  • Machine details are not displayed properly when the discovery job is running
    While the discovery job is running, if you attempt to examine machine detail No detail available for this job message is displayed. The same message is displayed if you attempt to view details after the job is finished.
  • This issue is resolved in this release.

  • Some port group properties do not display the port group name
    Some of the properties defined for a port group in a host profile appear in VCM without the port group name.
  • This issue is resolved in this release.

  • Active Directory collections fail on Windows Server 2012 R2 domain controllers
    If you attempt to perform Active Directory collection on Windows Server 2012 R2 domain controllers, the collection operation fails.
  • This issue is resolved in this release.

  • Machine Group Mapping page does not list users properly and displays error when machine name filter is used
    Machine Group Mapping page does not list all the machines. The error Object reference not set to an instance of an object appears on the Machine Group Mapping page when machine name filter is used.
  • This issue is resolved in this release.

  • Listener service does not start after agent upgrade
    After upgrading an agent by using VCM Web console, the listener service does not start. Additionally, the name is not updated.
  • This issue is resolved in this release.

  • Deploy Patches wizard selects 5x copies of each patch for each machine and the remote command job does not clear from the Job Manager
    After you select patches to be deployed from the Machines & Patches section of the Deploy Patches wizard, VCM displays 5x copies of the same patch for each machine selected. If you continue, the job fails and the remote command job does not clear from the Job Manager. If you manually remove the 4x copies of the patch, the patch deployment is successful.
  • This issue is resolved in this release.

  • Old compliance contents is displayed in Scheduled Jobs
    The old compliance template is displayed under Scheduled Jobs even after all the contents are removed from the filter sets, dashboards, and rule groups.
  • This issue is resolved in this release.

  • Settings for Advanced Console Access does not function properly
    When setting up Access Rules, the customized settings does not function properly. After you configure the customized settings, the settings are reverted if you navigate back to the settings.
  • This issue is resolved in this release.

  • VCM does not use SSL v3 protocol for communication purpose with the external entities, such as vCloud Director or vShield Manager.

Performance

The following performance related issues are fixed in VCM 5.7.3.

  • The Scheduled Job wizard stops responding for a long time on the Parameters section for Virtual Object Compliance Results Object Group Details and Trends Details Reports. Sometimes the job window causes VCM to stop responding and can only be closed by stopping Internet Explorer from the Task Manager.

  • When you attempt to add or edit compliance exceptions, or edit scheduled jobs, the VCM user interface stops responding.

  • In large-scale environments, Virtual Environment Dashboards take more than 20 minutes to display the Host summary.

  • VCM takes a long time to display results and sort views in Change Management.

  • vCenter Server compliance assessment job takes more than two days to run. As a result vCenter Server Port Group Security Policy rule compliance takes more than two days to run.

  • NTFS file permissions for HIPAA rules groups are slow and take hours to complete or they stop responding.

  • Badge Rollup collections and All Patches assessments are slow, causing VCM user interface to become unresponsive.

Reports

The following reports related issues are fixed in VCM 5.7.3.

  • Compliance results in exportable PDF format has overlap of characters.

  • VCM stops responding when you attempt to schedule or select compliance report.

  • Full data collection result does not have any information under IP Address column.

  • Unix assessment reports display incorrect values when user defined permanent and temporary patching exceptions are enabled.

  • Machine accounts added or removed for the past 30 days display No data is available at this time if the rules become outdated or are written in a wrong manner.

  • Some parts of Virtual Environments Compliance template listing layout in scheduled report goes into the second page.

Patching

The following patching issue is fixed in VCM 5.7.3.

  • Inconsistent behavior is observed for Unix patch assessment when selecting different machine groups.

Known Issues

The following issues are known to occur in the VCM 5.7.3 release. Known issues not previously documented are marked with the * symbol.

  • Errors appear in DBE file while opening the Settings registry key*
    When you start an Unix agent installation from VCM or launch vCloud Director, vCenter Server, or vShield Manager collections from VCM, an error Error while opening the registry key - Settings is displayed in the DBE file. This error does not have any impact on the functionality.
    Workaround: Create the registry key Settings under HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Configuresoft\CSI\5.0\Common\Settings and create a DWORD EnableFips under this key. This also helps in performing operations in FIPS mode.

  • Collections from vCloud Director with vCenter Single Sign-On fail because VCM cannot authenticate the user*
    When VCM collects data from a vCloud Director instance that is configured with vCenter Server Single Sign On, the collection fails, because VCM requires the user name to be in the form username@SYSTEM or username@<OrganizationName>.
    If you navigate to Administration > Machines manager > Licensed Machines > Licensed Virtual Environments, click Configure Settings, and provide the user credentials of the SSO user, the collection fails because VCM cannot authenticate the user.
    Workaround: None.

  • Manage Guests option under Console > Virtual Environments > vCenter > Guests > Summary creates duplicate machines of same guest name if the guest is already managed*
    Manage Guests option on any guest machine under Console > Virtual Environments > vCenter > Guests > Summary is allowed multiple times. This causes the duplicate guest machines to be created if the guest is already managed.
    Workaround: None.

  • Double-byte characters are not recognized while adding accounts with double-byte full name and description in a high ASCII environment. High ASCII characters are not recognized while adding accounts with high ASCII full name and description in a double-byte environment*
    In a double-byte environment, when you create user accounts having full name and description in high ASCII characters, the high ASCII characters are not recognized. Similarly, in a high ASCII environment, if the accounts are created in double-byte characters, then the double-byte characters are not recognized.
    Workaround: None.

  • Unable to deploy patches from imported templates*
    After you create an imported template with appropriate patching format, if you click Deploy to deploy the patches, the operation fails and the warning message There are no assessment items to deploy. The deployment is applicable to a machine licensed for Unix patching and with a patch status of 'Not patched'. The wizard will be closed is displayed.
    Workaround: None.

  • Check boxes do not work on Report data page while creating an Active Directory Report in Internet Explorer 10 or 11*
    Some checkboxes cannot be selected or do not appear in the Report data page while creating Active Directory Reports in Internet Explorer 10 or 11.
    Workaround: Click Back and return to the Data Type wizard. The check boxes appears correctly.

  • Patch deployment fails for some Linux managed machines, such as CentOS and OEL, when SELinux is enabled on the managed machine*
    VCM installs the Linux Agent in inetd or xinetd mode by default. When SELinux is enabled on the managed machine, and the Linux Agent on the managed machine is running in inetd mode, patch deployment fails and VCM displays an error similar to the following error: install: %pre scriptlet failed (2), skipping <PACKAGE>. For more information, see KB 2079311
    Workaround: Redeploy the Linux Agent to the managed machine in daemon mode.

  • IIS might use SSL v3 protocol for communication purpose*
    IIS is used to access VCM user interface and IIS might use SSL v3 protocol for communication purpose. You need to disable SSL v3 communication in Windows Server.
    Workaround: To disable SSL v3 in Windows Server, see 3009008 article.

  • Unable to import Microsoft SQL Reporting Service Report*
    You cannot import Microsoft SQL Reporting Service Report when you log in to VCM with a domain user that is added into VCM by a domain user with VCM administrator role. The error message Unable to save one or more reports is displayed.
    Workaround: None.

  • Collector is set as a patching repository after upgrade*
    If you upgrade from VCM 5.4, 5.4.1, 5.5, 5.5.1, or 5.6 to 5.7.2 version, collector is set as a patching repository.
    Workaround: Perform the following procedure to disable collector as patching repository.

    1. Log in to VCM.
    2. Navigate to Administration > Certificates.
    3. Select the Collector machine.
    4. Click Patching Repository.
    5. Select Disable – do not allow the selected machines(s) to be used as patch repository.
  • Software Content Repository (SCR) 6.1.6 fails to download the patches if more than one channels value are specified in properties file*
    For SCR 6.1.6, if you specify more than one channels value in the properties file, SCR fails to download the patches. For example, if you define channels=orae5,orae6, SCR 6.1.6 downloads only for orae6 and fails to download for orae5. This behavior applies to RHEL, OEL, and CentOS platforms.
    Workaround: Define separate properties file for each of the channels. For example:
    properties file name: oracle5.properties
    Channels=orae5
    properties file name: oracle6.properties
    Channels=orae6
    properties file name: oracle7.properties
    Channels=orae7

  • Incorrect registry path for AreResultsSaved in VCM 5.7 troubleshooting guide*
    Incorrect registry path HKEY_LOCAL_MACHINE\Software\Configuresoft\ECM\4.0\Collector for AreResultsSaved is mentioned in the VCM 5.7 troubleshooting guide.
    Workaround: The correct registry path is HKEY_LOCAL_MACHINE\Software\WOW6432Node\Configuresoft\ECM\4.0\Collector.

  • VCM installation in an LDAP and NIS+ environment fails to obtain the primary Group ID from /etc/passwd
    When you install VCM in an environment that includes LDAP and the NIS+ directory service, and you create a user account and group in NIS+, include the proper UIDs and GIDs in the csi.config file, and set the flags to create the user and group to N (No), when you run the VCM installation, the /ECMu/1.0/package.py script cannot obtain the primary GID from /etc/passwd, because the GID does not exist. As a result, VCM fails to set the group permissions on $CSI_ROOT_DIRECTORY/ECMu/1.0/bin/RunLow, and the installation fails.
    Workaround: None

  • You cannot set Network Authority to the CMDelegate account when the protocol of a Windows machine is unknown
    When you use VCM Remote before an Agent is installed on the managed machine, or when you use an earlier version of VCM Remote, then manually install an HTTP Agent, the protocol setting is empty in Administration > Machines Manager > Licensed Machines > Licensed Windows Machines, and does not change when you run the Change Protocol action. You cannot set the Network Authority to the CMDelegate account, because the Network Authority requires HTTP as the protocol.
    Workaround: Wait 2 to 5 minutes for VCM Remote to update the protocol to HTTP in the user interface, then set the Network authority to the CMDelegate account.

  • VCM does not update the list of snapshots after you delete a snapshot
    After you collect data from a vCenter Server instance that includes multiple hosts, guests, and snapshots, when you navigate to Console > Virtual Environments > vCenter > Guests > Snapshot, select one or more snapshots, and click Delete Snapshot, when you view the list of snapshots in Console > Virtual Environments > vCenter > Guests > Snapshot, VCM does not update the list of snapshots, even though the snapshots are deleted. This behavior also occurs if you use the Virtual Environment Compliance remediation action to delete a snapshot.
    Workaround: Collect the vCenter Server Guests data from the managed machines, and view the updated list of snapshots.

  • Patch deployment fails for some Linux and UNIX managed machines, such as CentOS and OEL, when SELinux is enabled on the managed machine
    VCM installs the Linux Agent with inetd or xinetd by default. When SELinux is enabled on the managed machine, and the Linux Agent on the managed machine is running in inetd mode, patch deployment fails and VCM displays an error similar to the following:

    error: install: %pre scriptlet failed (2), skipping <PACKAGE>

    For example, when deployment of an RPM fails, VCM displays an error message such as:

    error: install: %pre scriptlet failed (2), skipping nfs-utils-1:1.2.3-15.el6_2.1

    When a Linux or UNIX managed machine has the Linux Agent installed with inetd, and has SELinux enabled, Package Manager on the managed machine cannot access a patch repository machine. If the managed machine must access a patch repository machine when Package Manager installs a package, such as an RPM, SELinux does not entitle Package Manager to proceed with the installation, because the Package Manager process runs in the Linux Agent and inherits the inetd context from the Linux Agent.
    Workaround: Redeploy the Linux Agent to the managed machine in daemon mode.

  • McAfee Solidifier blocks the VCM installation
    When you attempt to install VCM on a machine that has McAfee Solidifier installed, the installation fails.
    Workaround: To install VCM on a machine that has McAfee Solidifier installed, either put McAfee Solidifier in update mode, add an exception rule in McAfee Solidifier, or disable McAfee Solidifier until VCM is installed, and then enable it again.

  • VCM Collector is not trusted as a Managing Agent after upgrade from VCM 5.4
    On a VCM Collector that has VCM 5.4 installed and data collected from managed machines, when you upgrade the Collector to VCM 5.7.3, neither the Trust status or the Managing Agent status are enabled for the Collector machine.
    Workaround: After you upgrade the Collector to VCM 5.7.3, restart the Collector service, then navigate to Administration > Settings > Certificates on the Collector, and verify that the Trust status and Managing Agent status are enabled for the Collector.

  • VCM Installation Manager should set the principal account in a split installation or VCM upgrade
    In a two-tier or three-tier split installation that is not using a Built-in account, or for a VCM upgrade, VCM Installation Manager should set the principal account for the VCM Collector to the Collector Service account, or to an existing domain and user account, so that WebSubmit can function and VCM can handle scheduled activities.
    Workaround: To manually set the principal account for the VCM Collector, in VCM click Admin > Settings > General Settings > Collector, edit the Collector default principal setting, and specify a domain name and user account name. The user account must already be available in Administration > User Manager > VCM Logins.

  • VCM displays incorrect results for a virtual environment conditional compliance rule on vCenter Server advanced configuration settings if you use the greater than (>) operator or the greater than or equal to (>=) operator in the conditional rule properties for the compliance check
    When you create a conditional compliance rule for vCenter Server advanced configuration settings, if you use the > or >= operator in the conditional properties for the compliance check in the rule, and specify a number that is greater than or equal to the existing value, after you run the respective compliance template, and the value found is less than the expected value, VCM displays the result as compliant instead of noncompliant.
    Workaround: None