Information Security and Access Control Design for vRealize Suite Lifecycle Manager

You protect the vRealize Suite Lifecycle Manager deployment by configuring authentication and secure communication with the other components in the SDDC. You dedicate a service account to the communication between vRealize Suite Lifecycle Manager and vCenter Server.

You use a custom role in vSphere with permissions to perform life cycle operations on vRealize Suite components in the SDDC. A dedicated service account is assigned a custom role for communication between vRealize Suite Lifecycle Manager and the vCenter Server instances in the environment.

Identity Management

Users can authenticate to vRealize Suite Lifecycle Manager by using local administrator accounts or by using Workspace ONE Access

vRealize Suite Lifecycle Manager performs local authentication only for the default administrator account,vcfadmin@local. To ensure accountability on user access, you enable authentication with Workspace ONE Access. You can grant both users and groups access to vRealize Suite Lifecycle Manager to perform tasks and initiate orchestrated operations, such as deployment and upgrade of vRealize Suite components and content. See Workspace ONE Access Design.

Table 1. Design Decisions on Identity Management for vRealize Suite Lifecycle Manager
Decision ID	Design Decision	Design Justification	Design Implication
VCF-VRS-vRSLCM-SEC-001	Enable integration between vRealize Suite Lifecycle Manager and your corporate identity source by using the clustered Workspace ONE Access instance.	Enables authentication to vRealize Suite Lifecycle Manager by using your corporate identity source. Enables authorization through the assignment of organization and cloud services roles to enterprise users and groups defined in your corporate identity source.	You must deploy and configure Workspace ONE Access to establish the integration between vRealize Suite Lifecycle Manager and your corporate identity sources.
VCF-VRS-vRSLCM-SEC-002	Create corresponding security groups in your corporate directory services for vRealize Suite Lifecycle Manager roles: VCF Content Release Manager Content Developer	Streamlines the management of vRealize Suite Lifecycle Manager roles for users.	You must create the security groups outside of the SDDC stack. You must set the desired directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period .

Service Accounts

Configure a service account for communication between vRealize Suite Lifecycle Manager and vCenter Server endpoint instances. You assign a service account with only the minimum set of permissions to perform inventory data collection and life cycle management operations for the instances defined in the data center.

Table 2. Design Decisions on Service Accounts for vRealize Suite Lifecycle Manager
Decision ID	Design Decision	Design Justification	Design Implication
VCF-VRS-vRSLCM-SEC-003	Define a custom vCenter Server role for vRealize Suite Lifecycle Manager that has the minimum privileges required to support the deployment and upgrade of vRealize Suite products.	vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of vRealize Suite products. SDDC Manager automates the creation of the custom role.	You must maintain the permissions required by the custom role.
VCF-VRS-vRSLCM-SEC-004	Create a service account in vCenter Server for application-to-application communication from vRealize Suite Lifecycle Manager to vSphere. Assign global permissions using the custom role.	Provides the following access control features: vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of required permissions. You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.	You must maintain the life cycle and availability of the service account outside of SDDC manager password rotation.

Password Management

To ensure continued access to the vRealize Suite Lifecycle Manager appliance, you must rotate the appliance root password on or before 365 days after deployment.

Table 3. Design Decisions on Password Management for vRealize Suite Lifecycle Manager
Decision ID	Design Decision	Design Justification	Design Implication
VCF-VRS-vRSLCM-SEC-005	Rotate the root password on or before 365 days after deployment by using SDDC Manager.	The password for the root user account expires 365 days after the initial deployment.	You must manage the password rotation schedule for the root user account in accordance with your organization policies and regulatory standards, as applicable.

Certificate Management

Access to all vRealize Suite Lifecycle Manager endpoint interfaces requires an SSL connection. By default, vRealize Suite Lifecycle Manager uses a self-signed certificate for the appliance. To provide secure access to the vRealize Suite Lifecycle Manager and between SDDC endpoints, replace the default self-signed certificate with a CA-signed certificate.

Table 4. Design Decisions on Certificate Management for vRealize Suite Lifecycle Manager
Decision ID	Design Decision	Design Justification	Design Implication
VCF-VRS-vRSLCM-SEC-006	Use SDDC Manager to replace the default self-signed certificate of vRealize Suite Lifecycle Manager with a CA-signed certificate.	Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for vRealize Suite Lifecycle Manager, and cross-product, is encrypted.	Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time as certificates requests are generated and delivered.
VCF-VRS-vRSLCM-SEC-007	Use a SHA-2 or higher algorithm when signing certificates.	The SHA-1 algorithm is considered less secure and has been deprecated.	Not all certificate authorities support SHA-2.