PrepAway - Latest Free Exam Questions & Answers

Which two statements are correct regarding vSphere certificates?

Which two statements are correct regarding vSphere certificates? (Choose two.)


A. ESXi host upgrades do not preserve the SSL certificate and reissue one from the VMware Certificate Authority (VMCA).

B. ESXi host upgrades preserve the existing SSL certificate.

C. ESXi hosts have assigned SSL certificates from the VMware Certificate Authority (VMCA) during install.

D. ESXi hosts have self-signed SSL certificates by default.


22 Comments on “Which two statements are correct regarding vSphere certificates?”

    1. DM says:

      No, B & C are correct in version 6 and up when using vSphere:

      “In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host and each vCenter Server service with a certificate that is signed by VMCA by default.”

      https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-779A011D-B2DD-49BE-B0B9-6D73ECF99864.html

      https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-3AF7757E-A30E-4EEC-8A41-28DA72102520.html




    1. Filosk says:

      ESXi Provisioning and VMCA

      When you boot an ESXi host from installation media, the host initially has an autogenerated certificate. When the host is added to the vCenter Server system, it is provisioned with a certificate that is signed by VMCA as the root CA.

      If you read carefully in your link above, you will find this paragraph. The standalone ESXi installation is done outside the vCenter and therefore it cannot be assigned a certificate from VMCA. So the ESXi hosts don’t get a VMCA certificate during install, only after they are added.




  1. Jibber says:

    Answer C says they are given VMCA certificates at install time. This is incorrect; they have self-signed until they are “provisioned”, aka added to vCenter. It says so in all of the linked articles.

    Therefore I go with B & D.




  2. andy75 says:

    Bertie, ESXi is part of the vSphere suite, so your point is irrelevant. This is not a question about semantics. ‘C’ cannot be correct because during the ESX install and as long as an ESX host is not added to vCenter via “Add Host”, it cannot get an SSL cert from VMCA. As such, the correct answers are B and D.




  3. John G says:

    D

    https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-32AD28E1-53C3-48E6-96A9-FD9E4015D0B2.html

    When you boot an ESXi host from installation media, the host initially has an autogenerated certificate. When the host is added to the vCenter Server system, it is provisioned with a certificate that is signed by VMCA as the root CA.

    A

    https://pubs.vmware.com/vsphere-60/index.jsp#com.vmware.vsphere.security.doc/GUID-5D8D20A1-F79B-49DA-BC90-73FF9AC2ADA0.html

    If you upgrade an ESXi host to ESXi 6.0 or later, the upgrade process replaces self-signed certificates with VMCA-signed certificates. The process retains custom certificates even if those certificates are expired or invalid.




  4. Mental says:

    B, D are correct

    Check wording of answer C, not the same as in the wording of the VMware vSphere 6.0 Documentation Center.
    In vSphere 6.0 and later, the VMware Certificate Authority (VMCA) provisions each ESXi host and each vCenter Server service with a certificate that is signed by VMCA by default – It does not state on install!!!!!!!!!!!!!!!




  5. Said says:

    B, C are correct according to below link..
    https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-3AF7757E-A30E-4EEC-8A41-28DA72102520.html

    “ESXi certificates are provisioned when the host is first added to vCenter Server and when the host reconnects.”

    BUT !!!!
    B, D are correct according to below link..
    http://pubs.vmware.com/vsphere-65/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-32AD28E1-53C3-48E6-96A9-FD9E4015D0B2.html

    “Provisioning happens when the host is added to vCenter Server explicitly or as part of installation or upgrade to ESXi 6.0 or later”

    Which one to believe :).




    1. duede dueudueudee says:

      What is the source for this? According to VMware’s documentation, it would be B and D. Well, or A and D, depending on what kind of cert was on the host in the first place.

      I hate these questions sometimes. 😛




  6. SPFC says:

    D must be correct. If you are installing the first ESXi server in the environment, where would it get the certificate from? Or if you have a couple of hosts but no vcenter in place?

    Without having access to a VMCA, there is no way an ESXi server can obtain a certificate from it.

    Now, in regards to A and B, both answers are correct as well. If you upgrade a host from 5.x versions to 6.x, the certificate would be replaced by one generated on the VMCA. If the upgrade is from 6.0 to 6.5, then the SSL would be the same.




  7. Edna says:

    2017-7-25 New 2V0-621D Exam Questions:
    QUESTION 31
    Which group in the vsphere.local domain will have administrator privileges for the VMware Certificate Authority (VMCA)?

    A. SolutionUsers
    B. CAAdmins
    C. DCAAdmins
    D. SystemConfiguration.Administrators

    Answer: B
    Explanation:
    Members of the CAAdmins group have administrator privileges for VMCA. Adding members to these groups is not usually recommended.
    Reference: https://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-87DA2F34-DCC9-4DAB-8900-1BA35837D07E.html

    QUESTION 32
    Which Platform Service Controller Password Policy determines the number of days a password can exist before the user must change it?

    A. Maximum Lifetime
    B. Password Age
    C. Maximum Days
    D. Password Lifetime

    Answer: A
    Explanation:
    You can configure the following parameters for password policy:
    Description - Password policy description. Required.
    Maximum lifetime - Maximum number of days that a password can exist before it has to be changed.
    Restrict re-use - Number of the user’s previous passwords that cannot be set again.
    Maximum length - Maximum number of characters that are allowed in the password.
    Minimum length - Minimum number of characters required in the password.
    Character requirements - Minimum number of different character types required in the password.
    Identical adjacent characters - Maximum number of identical adjacent characters allowed in the password.
    Reference: http://www.vladan.fr/vcp6-dcv-objective-1-3-enable-sso-and-active-directory-integration/

    QUESTION 33
    An administrator is configuring the clock tolerance for the Single Sign-On token configuration policy and wants to define the time skew tolerance between a client and the domain controller clock.
    Which time measurement is used for the value?

    A. Milliseconds
    B. Seconds
    C. Minutes
    D. Hours

    Answer: A
    Explanation:
    The time skew tolerance between a client and the domain controller clock is measured in milliseconds.

    QUESTION 34
    Which VMware Single Sign-On component issues Security Assertion Markup Language (SAML) tokens?

    A. VMware Security Token Service
    B. Administration Server
    C. VMware Directory Service
    D. Identity Management Service

    Answer: A
    Explanation:
    The security token service issues Security Assertion Markup Language (SAML) tokens. These security tokens pass information about a system user between an identity provider and a web service. This service enables a user who has logged on through vCenter Single Sign-On to use multiple web-service delivered applications without authenticating to each one.
    Reference: https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.upgrade.doc%2FGUID-90C1E3DC-4397-4BF0-808E-DF3802E56BC6.html

    QUESTION 35
    Which two are valid Identity Sources when configuring vCenter Single Sign-On? (Choose two.)

    A. Radius
    B. NIS
    C. OpenLDAP
    D. LocalOS

    Answer: CD
    Explanation:
    Active Directory (Integrated Windows Authentication)
    Use this option for native Active Directory implementations. The machine on which the vCenter Single Sign-On service is running must be in an Active Directory domain if you want to use this option. See Active Directory Identity Source Settings.
    Active Directory as an LDAP Server
    This option is available for backward compatibility. It requires that you specify the domain controller and other information. See Active Directory LDAP Server and OpenLDAP Server Identity Source Settings.
    OpenLDAP
    Use this option for an OpenLDAP identity source. See Active Directory LDAP Server and OpenLDAP Server Identity Source Settings.
    LocalOS
    Use this option to add the local operating system as an identity source. You are prompted only for the name of the local operating system. If you select this option, all users on the specified machine are visible to vCenter Single Sign-On, even if those users are not part of another domain.
    Reference: http://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.security.doc%2FGUID-B23B1360-8838-4FF2-B074-71643C4CB040.html

    QUESTION 36
    An administrator needs to create an Integrated Windows Authentication (IWA) Identity Source on a newly deployed vCenter Server Appliance (VCSA).
    Which two actions will accomplish this? (Choose two.)

    A. Use a Service Principal Name (SPN) to configure the Identity Source.
    B. Use a Domain administrator to configure the Identity Source.
    C. Join the VCSA to Active Directory and configure the Identity Source with a Machine Account.
    D. Create a computer account in Active Directory for the VCSA and configure the Identity Source.

    Answer: AC
    Explanation:
    Using a machine account when configuring an Active Directory identity source for vCenter Server requires that the Windows system be joined to the domain. If the system is not joined to the domain, SSO cannot leverage the machine account to create the identity source and perform its function as the secure token service user.
    To resolve this issue in VCVA 5.5, use only the Use SPN option.
    Reference:
    http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2058919

    QUESTION 37
    An administrator wants to reduce the memory overhead for a 3D graphics enabled virtual machine (VM).
    What advanced feature can be added to the VM configuration file to reduce memory overhead?

    A. vga.vgaOnly=TRUE
    B. vga.svgaEnable=FALSE
    C. svgaEnabled=FALSE
    D. svgaDisable=TRUE

    Answer: A
    Reference: http://pubs.vmware.com/vsphere-60/index.jsp?topic=%2Fcom.vmware.vsphere.vm_admin.doc%2FGUID-FAB0E2C3-3474-461D-99BC-549F7E21FE85.html

    QUESTION 38
    An administrator is building a large virtual machine that will require as many vCPUs as the host can support.
    An ESXi 6.x host has these specifications:
    – Six 32-core Intel Xeon Processors
    – 256 GB of Memory
    – 512 GB Local disk space using VMFS5
    What is the maximum number of virtual CPUs that the virtual machine can be allocated?

    A. 64
    B. 128
    C. 192
    D. 256

    Answer: B
    Reference:
    http://www.intel.com/content/dam/www/public/us/en/documents/white-papers/virtualization-xeon-core-count-impacts-performance-paper.pdf

    QUESTION 39
    Which two features are available for virtual machines configured with DirectPath I/O? (Choose two.)

    A. Fault Tolerance
    B. Suspend and Resume
    C. Virtual Symmetric Multi-Processing (vSMP)
    D. Virtual Non-Uniform Memory Access (vNUMA)

    Answer: CD
    Explanation:
    VMs configured with DirectPath I/O have vSMP and vNUMA.

    QUESTION 40
    An administrator is creating a new Content Library. It will subscribe to another remote Content Library without authentication enabled.
    What information from the published library will they need in order to complete the subscription?

    A. Subscription URL
    B. A security password from the publishing Content Library
    C. Publisher’s Items.json file
    D. Username from the publishing Content Library

    Answer: A
    Explanation:
    Subscription URL from the published library is needed to complete the subscription.

    More new questions: https://drive.google.com/drive/folders/0B75b5xYLjSSNN0M4cTJyOXZySk0?usp=sharing




  8. Sadie Cosby says:

    Hello, wrote exam 2V0-622D yesterday and finally passed! Failed the first time…
    Got some new questions but not difficult, so no need to worry!
    It took me 2 months to prepare for it, did many practice questions, used braindump2go 97Q&As PDF and VCE, read all VMware exam details, collected many history questions…

    Thank God, I finally passed successfully!

    I think braindump2go has many good study materials, maybe you guys can also have a look and try to use:
    https://www.braindump2go.com/2v0-622d.html




  9. bcl says:

    A and D

    ESXi host upgrades do NOT preserve the SSL certificate.
    ESXi hosts have self-signed SSL certificates by default (after install), but get an SSL certificate from VMCA when added to a vCenter.




