Much of this guide is concerned with protecting vCloud Director itself, but overall system security also requires securing the infrastructure on which vCloud Director depends, including vSphere, NSX, the cell Linux platform, and the vCloud Director database.

Applying current security patches to each of these infrastructure components before installation is a key step, and ongoing monitoring to keep these components at a current patch level is also crucial.

Securing Your VMware Infrastructure

Securing vSphere and NSX is a critical first step in securing vCloud Director. Administrators should review the checklists guides available on and also consult the more detailed security information available in the following documents:
vSphere security: vSphere Security.
NSX security: Securing VMware NSX for vSphere.

Securing Your Cell Platforms

vCloud Director cells run on a Linux-based operating system as an unprivileged user (vcloud.vcloud) created during installation. The list of supported cell platform operating systems is included in the vCloud Director Release Notes. Securing the cell platform, whether it is physical or virtual, is a key part of securing vCloud Director.

Standard security hardening procedures should be applied to the cell platform, including disabling unnecessary network services, removing unnecessary packages, restricting remote root access, and enforcing strong password policies. Try to use a centralized authentication service such as Kerberos. Consider installation of monitoring and intrusion detection tools.

It is possible to install additional applications and provision additional users on the cell OS instance, but it is recommended that you do not do this. Widening access to the cell OS may decrease security.

Protecting Sensitive Files After Installation

During installation, vCloud Director writes installation data, including passwords, to files in the local file system of the cell Linux host. These files, and, both found under $VCLOUD_HOME/etc, contain sensitive information that you must reuse when you add more servers to a server group. The file contains responses provided by the administrator when running the configuration script. That file contains an encrypted version of the vCloud Director database password and system keystore passwords. Unauthorized access to that file could give an attacker access to the vCloud Director database with the same permissions as the database user specified in the configuration script. The file also contains encrypted credentials that should not be made accessible to anyone but a cell administrator.

At creation, the and files are protected by access controls on the $VCLOUD_HOME/etc folder and the files themselves. Do not change the permissions on the files or folder as it may either give too much access, reducing security, or restrict access too much, stopping the vCloud Director software from working. In order for the access controls to properly work, physical and logical access to the vCloud Director servers must be strictly limited to those with a need to log in and only with the minimal levels of access required. This involves limiting the use of the root account through sudo and other best practices that are outside the scope of this document. Moreover, any backups of the servers must be strictly protected and encrypted, with the keys managed separately from the backups themselves.

For more details, see Protecting and Reusing the Response File in the vCloud Director Installation and Upgrade Guide.
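
One way to notice when the owners or permissions under $VCLOUD_HOME/etc have been changed, shown as an added example that is not part of the original guide or of any VMware tooling: record owner, group and mode for everything in the folder right after installation, then compare later. It assumes GNU find and stat on the cell host; the function names and the location of the baseline file are hypothetical.

```shell
#!/bin/sh
# Added example: detect ownership/permission drift under $VCLOUD_HOME/etc.
# Assumes GNU find/stat (Linux cell). Keep the baseline file root-only or off-host.

# perm_snapshot DIR: print "owner:group:mode path" for DIR and its contents.
perm_snapshot() {
    find "$1" -exec stat -c '%U:%G:%a %n' {} + | LC_ALL=C sort -k2
}

# perm_drift DIR BASELINE: report entries that differ from BASELINE.
# Returns 0 when nothing changed, 1 on drift, 2 on internal error.
perm_drift() {
    current=$(mktemp) || return 2
    perm_snapshot "$1" > "$current"
    report=$(awk '
        # First field is the metadata; the rest of the line is the path.
        { meta = $1; path = substr($0, length($1) + 2) }
        NR == FNR { base[path] = meta; next }
        !(path in base) { print "NEW " path " " meta; next }
        base[path] != meta {
            print "CHANGED " path " was " base[path] " now " meta
        }
        { seen[path] = 1 }
        END {
            for (p in base)
                if (!(p in seen)) print "MISSING " p " was " base[p]
        }
    ' "$2" "$current")
    rm -f "$current"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Usage (baseline path is a hypothetical example):
#   sh audit.sh snapshot "$VCLOUD_HOME/etc" > /root/vcd-etc.baseline
#   sh audit.sh verify   "$VCLOUD_HOME/etc" /root/vcd-etc.baseline
case "${1:-}" in
    snapshot) perm_snapshot "$2" ;;
    verify)   perm_drift "$2" "$3" ;;
esac
```

Because the guide warns against both loosening and tightening these permissions, the check reports any difference rather than only wider access.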

Administrative Credentials

Ensure that any credentials used for administrative access to the cell, vSphere, the vCloud Director database, external firewalls, and other devices follow standards for adequate password complexity. Consider an expiration and rotation policy for passwords wherever possible. Please be aware, however, that an expired or changed database, vSphere, or NSX password will make part or all of the cloud infrastructure nonfunctional until vCloud Director is updated with the new passwords.

It is important from a "defense in depth" perspective to vary the administrative passwords for the different servers in the vCloud Director environment, including the vCloud Director cells, the vCloud Director DB, vSphere servers, and NSX manager. This is so that if one set of credentials is compromised (for example, through a disgruntled employee leaving the organization), other systems are not automatically compromised across the rest of the infrastructure.

For more information about account and credential management for administrators and tenants, see User Account Management.