A security scan turned up two user accounts created by vCM install -
CSI_COMM_PROXY_USR
ECMSRSUser
We are being requested to have these accounts comply with password policy but my concern is that this would break vCM. Can anyone confirm this?
jddias,
You can delete the CSI_COMM_PROXY_USR account. I have replaced it successfully with a domain account. Here are the steps I go through to make my domain account work. Note, this is for a stand-alone Agent Proxy machine, you'll need to adjust accordingly if you are doing this on your collector:
This will take care of your CSI_COMM_PROXY_USR account.
The ECMSRSUser account is a different story. This account is hard coded in VCM. I found this documented in the release notes for both 5.3 & 5.4. Here's the link for the 5.3 release notes: http://www.vmware.com/support/vcm/doc/vcm_53_release_notes.html. Just search for ECMSRSUser on that page. This hard coded account is still used in 5.4.1, but, it's not in the release notes any longer.
In our case, we have a security policy against local accounts on servers, so, this causes us an issue. I worked with support on this when this account was first added to VCM. While it's not supported, you can delete this account. You just need to make sure to add appropriate permissions into SSRS on your collector into the ECM Reports folder. You can use a domain group, authenticated users, or domain accounts, whichever works for your environment. You'll need to grant content manager permissions. This solution "works" for us. Note, you will get security events anytime a SRS page is access from within VCM, as VCM will still try to use the ECMSRSUser account, but, as long as the SSRS permissions are in place, everything still works. I have not fully validated this continues to work with 5.4.1, so, make sure to test this. I did find the ECMSRSUser account must exist if if you want to use the Import/Export gui tool to export reports (the command line ecmie.exe tool doesn't have this dependency).
I have submitted an enhancement request to resolve this. It can only help if others do the same . We should be given the option to specify domain accounts for both of these at install times. At the very minimum, the password for the ECMSRSUser account should not be hard coded.
I hope this this helps.
jddias,
You can delete the CSI_COMM_PROXY_USR account. I have replaced it successfully with a domain account. Here are the steps I go through to make my domain account work. Note, this is for a stand-alone Agent Proxy machine, you'll need to adjust accordingly if you are doing this on your collector:
This will take care of your CSI_COMM_PROXY_USR account.
The ECMSRSUser account is a different story. This account is hard coded in VCM. I found this documented in the release notes for both 5.3 & 5.4. Here's the link for the 5.3 release notes: http://www.vmware.com/support/vcm/doc/vcm_53_release_notes.html. Just search for ECMSRSUser on that page. This hard coded account is still used in 5.4.1, but, it's not in the release notes any longer.
In our case, we have a security policy against local accounts on servers, so, this causes us an issue. I worked with support on this when this account was first added to VCM. While it's not supported, you can delete this account. You just need to make sure to add appropriate permissions into SSRS on your collector into the ECM Reports folder. You can use a domain group, authenticated users, or domain accounts, whichever works for your environment. You'll need to grant content manager permissions. This solution "works" for us. Note, you will get security events anytime a SRS page is access from within VCM, as VCM will still try to use the ECMSRSUser account, but, as long as the SSRS permissions are in place, everything still works. I have not fully validated this continues to work with 5.4.1, so, make sure to test this. I did find the ECMSRSUser account must exist if if you want to use the Import/Export gui tool to export reports (the command line ecmie.exe tool doesn't have this dependency).
I have submitted an enhancement request to resolve this. It can only help if others do the same . We should be given the option to specify domain accounts for both of these at install times. At the very minimum, the password for the ECMSRSUser account should not be hard coded.
I hope this this helps.
HI Jddis ,
Welcome to vmware fourm.,
yes you can modify for that please follow below steps if need more please get back to us
😎 Activate the agent from the UI
Yours, Abbie