Information Security Design for vCenter Server for a Virtual Infrastructure Workload Domain

You design authentication access, controls, and certificate management for the VI workload domain vCenter Server according to industry standards and the requirements of your organization.

Identity Management

Users can log in to vCenter Server only if they are in a domain that was added as a vCenter Single Sign-On identity source or using local accounts that are defined in the local Single Sign-On domain. vCenter Single Sign-On administrator users can add identity sources, or change the settings for identity sources that they added. An identity source can be a native Active Directory (Integrated Windows Authentication) domain or an OpenLDAP directory service. For backward compatibility, Active Directory as an LDAP server is also available.

For more information on identity and access management, see Identity and Access Management for VMware Cloud Foundation.

Password Management and Account Lockout Behavior

vCenter Server enforces password requirements for access to the vCenter Server Management Interface. By default, you must include at least six characters, which should not be any of your previous five passwords. Account locking is supported for access to the vCenter Server Management Interface. By default passwords are set to expire after 90 days.

VMware Cloud Foundation applies the default password policy for vCenter Server. For more information on configuring a password policy and account lockout behavior according to security best practices, see Identity and Access Management for VMware Cloud Foundation.

Certificate Management

Access to all vCenter Server interfaces must be over an SSL connection. By default, vCenter Server uses a self-signed certificate for the appliance which is signed by the VMware Certificate Authority (VMCA). To provide secure access to the vCenter Server appliance, replace the default VMCA-signed certificate with a CA-signed certificate.

Table 1. Design Decisions on Certificate Management for a VI Workload Domain vCenter Server
Decision ID	Design Decision	Design Justification	Design Implication
VCF-WLD-VCS-SEC-001	Replace the default VMCA-signed certificate of the appliance of the VI workload domain vCenter Server with a CA-signed certificate.	Ensures that the communication to the externally facing Web user interface and API to vCenter Server, and between vCenter Server and other management components is encrypted.	Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificates requests.
VCF-WLD-VCS-SEC-002	Use a SHA-2 algorithm or higher when signing certificates.	The SHA-1 algorithm is considered less secure and has been deprecated.	Not all certificate authorities support SHA-2.
VCF-WLD-VCS-SEC-003	Perform SSL certificate life cycle management for vCenter Server by using SDDC Manager.	SDDC Manager provides automated SSL certificate life cycle management rather than requiring a series of manual steps to be performed.	None.