The vCenter Server appliance handles the authentication between Site Recovery Manager and vCenter Server at the vCenter Single Sign-On level.
All communications between Site Recovery Manager and vCenter Server instances take place over transport layer security (TLS) connections.
Service Account Authentication
Site Recovery Manager uses service account authentication to establish a secure communication to remote services, such as the vCenter Server. A service account is a security principal that the Site Recovery Manager configuration service generates. The service account authenticates with a token or a user name and a password.
The service account is for internal use by Site Recovery Manager, vCenter Server, and vCenter Single Sign-On.
During operation, Site Recovery Manager establishes authenticated communication channels to remote services by using token-based authentication to acquire a holder-of-key SAML token from vCenter Single Sign-On. Site Recovery Manager sends this token in a cryptographically signed request to the remote service. The remote service validates the token and establishes the identity of the service account.
Service Accounts and Site Recovery Manager Site Pairing
When you pair Site Recovery Manager instances across vCenter Single Sign-On sites that do not use Enhanced Linked Mode, Site Recovery Manager creates an additional service account for the remote site at each site. This service account for the remote site allows the Site Recovery Manager Server at the remote site to authenticate to services on the local site.
When you pair Site Recovery Manager instances in a vCenter Single Sign-On environment with Enhanced Linked Mode, Site Recovery Manager at the remote site uses the same service account to authenticate to services on the local site.
Site Recovery Manager SSL/TLS Server Endpoint Certificates
Site Recovery Manager requires an SSL/TLS certificate for use as the endpoint certificate for all TLS connections established to Site Recovery Manager. The Site Recovery Manager server endpoint certificate is separate and distinct from the certificate that is used by Site Recovery Manager to obtain holder-of-key SAML token with the service account.
For information about the Site Recovery Manager SSL/TLS endpoint certificate, see Creating SSL/TLS Server Endpoint Certificates for Site Recovery Manager.
