You perform the procedure on all vCenter Server instances to configure password policies, lockout policies, alarms, proxy, login banners, LDAP, and other configurations.
Procedure
- In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting
Value
URL
https://management-domain-vcenter-server-fqdn/ui
User name
- Configure the password policies.
- From the Home menu of the vSphere Client, click Administration.
- Under Single Sign-On, click Configuration.
- On the Local accounts tab, under Password policy, click Edit.
- In the Edit password policies dialog box, configure the settings and click Save.
Configuration ID
Setting
Value
VMW-VC-00421
Maximum lifetime
60
VMW-VC-00410
Minimum Length
15
- Configure the lockout policies.
- On the Local accounts tab, under Lockout policy, click Edit.
- In the Edit lockout policies dialog box, configure the settings and click Save.
Configuration ID
Setting
Value
VMW-VC-00436
Maximum number of failed login attempts
3
VMW-VC-00434
Time interval between failures
900 seconds
VMW-VC-00435
Unlock time
0 seconds
VMW-VC-01219
Configure an alert for the appropriate personnel about SSO account actions- In the Hosts and clusters inventory, select the vCenter Server that manages the ESXi host you configure.
- Click the Configure tab, select Alarm definitions under Security.
- Click Add.
The New alarm definition wizard opens.
- On the Name and targets page, enter the settings and click Next.
Setting
Value
Alarm name
SSO account actions - com.vmware.sso.PrincipalManagement
Target type
vCenter Server
- On the Alarm rule 1 page, under If, enter com.vmware.sso.PrincipalManagement as a trigger and press Enter.
- Configure the remaining settings for the alarm, click Next, and follow the prompts to finish the wizard.
Setting
Value
Trigger the alarm and
Show as warning
Send email notifications
Off
Send SNMP traps
On
Run script
Off
VMW-VC-00418
Configure a proxy for the download of the public Hardware Compatibility List.- In the Hosts and Clusters inventory, select the vCenter Server that you configure.
- Click the Configure tab and under vSAN, click Internet connectivity.
- On the Internet connectivity page, click Edit.
- Select the Configure the proxy server if your system uses one check box.
- Enter the proxy server details and click Apply.
VMW-VC-01236
Remove the privilege to use the virtual machine console for the standard virtual machine user role.- On the Home page of the vSphere Client, click Administration , and click Roles.
- From the Roles provider drop-down menu, select the vCenter Server that you configure.
- Select the Virtual machine user (sample) role and click Edit role action.
- In the Edit role dialog box, select the Virtual machine group and under Interaction, deselect the Console interaction check box.
- Click Next and click Finish.
VMW-VC-01209
Configure a login message.- From the Home menu of the vSphere Client, click Administration.
- Navigate to Single sing-on > Configuration.
- Click the Login message tab and click Edit.
- Activate the Show login message toggle.
- In the Login message text box, enter the login message.
- Activate the Consent checkbox toggle.
- In the Details of login message text box, enter the site-specific banner text and click Save.
VMW-VC-01212
Configure Mutual CHAP for vSAN iSCSI targets.- In the Hosts and Clusters inventory, select the vSAN-enabled cluster.
- Click the Configure tab and under vSAN, click Services.
- In the vSAN iSCSI target service tile, click Enable.
- Activate the service from the toggle switch.
- From the Authentication drop-down menu, select Mutual CHAP
- Configure the incoming and outgoing users and secrets appropriately and click Apply.
- Set SDDC deployment details on the vCenter Server instances.
- In the Global inventory lists inventory, click vCenter Servers.
- Click the vCenter Server object and click the Configure tab in the central pane.
- Under Settings, click Advanced settings and click Edit settings.
- In the Edit advanced vCenter Server settings dialog box, enter the settings and click Add.
Setting
Value
Name
config.SDDC.Deployed.ComplianceKit
Value
VCF-NIST-800-53
VMW-VC-00422
vCenter Server must terminate vSphere Client sessions after 10 minutes of inactivity.- From the Home menu of the vSphere Client, click Administration.
- Under Deployment, click Client configuration.
- Click Edit, for Session timeout , enter 10 minutes, and click Save.