You design authentication access, controls, and certificate management for the NSX-T Data Center instance in the management domain in VMware Cloud Foundation according to industry standards and the requirements of your organization.
Identity Management
Users can authenticate to NSX Manager from several sources. Role-based access control is not available with local user accounts.
Local user accounts
Active Directory by using LDAP
Active Directory by using Workspace ONE Access
Principal identity
For more information on identity and access management, see Identity and Access Management for VMware Cloud Foundation.
Password Management and Account Lockout Behavior for NSX Local Manager and NSX Edge Nodes
Set passwords for the NSX-T Data Center components according to the requirements of your organization for security and compliance. Changing the passwords for the NSX-T Data Center components periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities.
For more information on password management and account lockout behavior, see Identity and Access Management for VMware Cloud Foundation.
Password Management and Account Lockout Behavior for NSX Global Manager
The version of SDDC Manager in this design does not support password rotation for the NSX Global Manager appliances. All password change operations must be done manually.
For more information on password management and account lockout behavior, see Identity and Access Management for VMware Cloud Foundation.
Certificate Management
Access to all NSX Manager interfaces must use an Secure Sockets Layer (SSL) connection. By default, NSX Manager uses a self-signed SSL certificate. This certificate is not trusted by end-user devices or Web browsers.
As a best practice, replace self-signed certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA).
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-MGMT-NSX-SEC-001 |
Replace the default self-signed certificate of the NSX Manager instance for the management domain with a certificate that is signed by a third-party certificate authority. |
Ensures that the communication between administrators and NSX Manager is encrypted by using a trusted certificate. |
Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificates requests. |
VCF-MGMT-NSX-SEC-002 |
Use a SHA-2 algorithm or stronger when signing certificates. |
The SHA-1 algorithm is considered less secure and has been deprecated. |
Not all certificate authorities support SHA-2. |
Certificate Management for Multiple VMware Cloud Foundation Instances
The version of SDDC Manager in this design does not support certificate replacement for NSX Global Manager appliances. When the certificate of the NSX Local Manager cluster is replaced, you must update the thumbprint of the new certificate on the connected NSX Global Manager.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-MGMT-NSX-SEC-FED-001 |
Replace the default self-signed certificate of the NSX Global Manager instance for the management domain with a certificate that is signed by a third- party certificate authority. |
Ensures that the communication between administrators and the NSX Global Manager instance is encrypted by using a trusted certificate. |
Replacing the default certificates with trusted CA- signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificates requests. |
VCF-MGMT-NSX-SEC-FED-002 |
Establish an operational practice to capture and update the thumbprint of the NSX Local Manager certificate on NSX Global Manager every time the certificate is updated by using SDDC Manager. |
Ensures secured connectivity between the NSX Manager instances. Each certificate has its own unique thumbprint. NSX Global Manager stores the unique thumbprint of the NSX Local Manager instances for enhanced security. If an authentication failure between NSX Global Manager and NSX Local Manager occurs, objects that are created from NSX Global Manager will not be propagated on to the SDN. |
The administrator must establish and follow an operational practice by using a runbook or automated process to ensure that the thumbprint up-to-date. |