2V0-621 VMware Certified Professional 6 – Data Center Virtualization
What are two sample roles that are provided with vCenter Server by default? (Choose two.)
A. Virtual machine User
B. Network Consumer
C. Content Library Administrator
D. Storage Administrator
Correct Answer: AB
Which three services can be enabled/disabled in the Security Profile for an ESXi host? (Choose three.)
A. CIM Server
B. Single Sign-On
C. Direct Console UI
D. Syslog Server
E. vSphere Web Access
Correct Answer: ACD
An administrator would like to use the VMware Certificate Authority (VMCA) as an Intermediate Certificate Authority (CA). The first two steps performed
Replace the Root Certificate
Replace Machine Certificates (Intermediate CA)
Which two steps would need to be performed next? (Choose two.)
A. Replace Solution User Certificates (Intermediate CA)
B. Replace the VMware Directory Service Certificate (Intermediate CA)
C. Replace the VMware Directory Service Certificate
D. Replace Solution User Certificates
Correct Answer: AC
Use VMCA as an Intermediate Certificate Authority
You can replace the VMCA root certificate with a third-party CA-signed certificate that includes VMCA in the certificate chain. Going forward, all certificates that VMCA generates include the full chain. You can replace existing certificates with newly generated certificates. This approach combines the security of a third-party CA-signed certificate with the convenience of automated certificate management.
1 Replace the Root Certificate (Intermediate CA)
The first step in replacing the VMCA certificates with custom certificates is generating a CSR and adding the certificate that is returned to VMCA as a
2 Replace Machine SSL Certificates (Intermediate CA)
After you have received the signed certificate from the CA and made it the VMCA root certificate, you can replace all machine SSL certificates.
3 Replace Solution User Certificates (Intermediate CA)
After you replace the machine SSL certificates, you can replace the solution user certificates.
4 Replace the VMware Directory Service Certificate
If you decide to use a new VMCA root certificate, and you unpublish the VMCA root certificate that was used when you provisioned your environment, you must replace the machine SSL certificates, solution user certificates, and certificates for some internal services.
5 Replace the VMware Directory Service Certificate in Mixed Mode Environments
During upgrade, your environment might temporarily include both vCenter Single Sign-On version 5.5 and vCenter Single Sign-On version 6.0. In that case, you have to perform additional steps to replace the VMware Directory Service SSL certificate if you replace the SSL certificate of the node on which the vCenter Single Sign-On service is running.
Which three options are available for ESXi Certificate Replacement? (Choose three.)
A. VMware Certificate Authority mode
B. Custom Certificate Authority mode
C. Thumbprint mode
D. Hybrid Deployment
E. VMware Certificate Endpoint Authority Mode
Correct Answer: ABC
ESXi Certificate Replacement
For ESXi hosts, you can change certificate provisioning behavior from the vSphere Web Client.
Lockdown Mode has been enabled on an ESXi 6.x host and users are restricted from logging into the Direct Console User Interface (DCUI).
Which two statements are true given this configuration? (Choose two.)
A. A user granted administrative privileges in the Exception User list can log in.
B. A user defined in the DCUI.Access without administrative privileges can log in.
C. A user defined in the ESXi Admins domain group can log in.
D. A user set to the vCenter Administrator role can log in.
Correct Answer: AB
In normal lockdown mode the DCUI service is not stopped. If the connection to the vCenter Server is lost and access through the vSphere Web Client is no longer available, privileged accounts can log in to the ESXi host’s Direct Console Interface and exit lockdown mode. Only these accounts can access the Direct Console User Interface:
Accounts in the Exception User list for lockdown mode who have administrative privileges on the host. The Exception Users list is meant for service accounts that perform very specific tasks. Adding ESXi administrators to this list defeats the purpose of lockdown mode.
Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.