The management of users and their credentials is important to the security of any system. Because all authentication to and within the vCloud Director system is by username and password, it is critical to follow best practices for managing users and their passwords.
This topic aims to define the capabilities and limitations of managing users and passwords in vCloud Director and provides recommendations on how to securely manage and use them given those constraints.
Limitations of Local User Accounts
While vCloud Director provides a self-contained identity provider for user accounts, which are created and maintained in the vCloud Director database. While not inherently vulnerable in a system configured with limited network access to the database (see Management Network Configuration), these accounts do not provide the kinds of password management features demanded by certain industries (such as the PCI Data Security Standard). To discourage brute-force attacks, local accounts should be subject to password re-try limits and account lockout rules.
Service providers should carefully weigh the benefits and risks of continuing to use local accounts for system administrators, and should carefully control which source IP addresses can authenticate to an organization's cloud URL if local system administrator accounts are configured. We strongly recommend eliminating, or at least limiting, the use of this identity provider for system administrator accounts.
- Create one or more accounts for your system administrators in the vSphere SSO service (a SAML IDP) or LDAP.
- Import those accounts account into the System organization.
- Run the cell management tool manage-config command to reconfigure the system so that no local system administrator accounts are required and no system administrator with a local account can authenticate to the system.
./cell-management-tool manage-config -n local.sysadmin.disabled -v trueNote that this does not disable local accounts for other organizations.Note: In a system that has no local system administrator accounts, cell management tool commands that require you to specify system administrator credentials must use the
-i --pidoption instead, supplying the cell's process ID in pid. See the Cell Management Tool Reference in the vCloud Director Administrator's Guide.
- You can undo this change with a similar cell management tool command line, which re-enables access for system administrators who have local accounts.
./cell-management-tool manage-config -n local.sysadmin.disabled -v false
Most LDAP, OAUTH, and SAML IDPs provide capabilities or integrate with systems to handle the situation where a user has forgotten their password. These are outside the scope of this document. The vCloud Director cell management tool includes a recover-password command that can be used to recover a lost system administrator password. There is no capability native to vCloud Director to handle this situation for other local users. It is recommended that all local account passwords be safely stored in a manner approved by your IT security department. Some organizations lock passwords in a vault. Others use commercially or freely available password storage programs. This document does not recommend a particular method.
The strength of IDP users' passwords is dependent on the controls provided by that IDP and/or the tools used to manage users within the directory. For example, if connecting vCloud Director to Active Directory, the typical Active Directory password length, complexity, and history controls associated with Microsoft Active Directory are enforced by the directory itself. Other IDPs tend to support similar capabilities. The details of password strength controls are directory specific and aren't covered here in more detail.
vCloud Director requires local users to have passwords of at least six characters in length. That requirement is not configurable, and no other password complexity or history controls are available. It is recommended that any users, especially system and organization administrators, take great care in choosing their passwords to protect against brute force attacks (see account lockout issues below).
User Password Protection
The credentials of users managed by an IDP are never stored in the vCloud Director database. They are transmitted using the method chosen by the IDP. See Configuring Identity Providers for more information about securing this information channel.
Local users' passwords are salted and hashed before storage in the vCloud Director database. The plain text password cannot be recovered from the database. Local users are authenticated by hashing the presented password and comparing it to the contents of their password field in the database.
In addition to credentials for local users, the vCloud Director database stores passwords for connected vCenter servers and NSX managers. Changes to those passwords are not automatically updated in the system. You will need to manually change them using the vCloud Director configuration script (for the vCloud Director database password) or the Web UI for the vCenter and NSX.
vCloud Director also maintains passwords for accessing the private keys associated with its TLS/SSL certificates as well as the passwords to the vCloud Director database, vCenter servers, and NSX manager servers as mentioned above. These passwords are encrypted using a unique key per vCloud Director installation and stored in the $VCLOUD_HOME/etc/global.properties file. As mentioned in Protecting Sensitive Files After Installation, carefully protect any backups that contain that file.