You design authentication access, controls, and certificate management for the NSX-T Data Center instance in a VI workload domain in VMware Cloud Foundation according to industry standards and the requirements of your organization.
Identity Management
Users can authenticate to NSX Manager from several sources. Role-based access control is not available with local user accounts.
Local user accounts
Active Directory by using LDAP
Active Directory by using Workspace ONE Access
Principal identity
For more information about identity and access management, see Identity and Access Management for VMware Cloud Foundation.
Password Management and Account Lockout Behavior for NSX Manager and NSX Edge Nodes
Set passwords for the NSX-T Data Center components according to the requirements of your organization for security and compliance. Changing the passwords for the NSX-T Data Center components periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities.
VMware Cloud Foundation applies the default password policy for NSX-T Data Center. For more information about password management and account lockout behavior according to security best practices, see Identity and Access Management for VMware Cloud Foundation.
Password Management and Account Lockout Behavior for NSX Global Manager
The version of SDDC Manager in this design does not support password rotation for the NSX Global Manager appliances. All password change operations must be done manually.
For more information about password management and account lockout behavior according to security best practices, see Identity and Access Management for VMware Cloud Foundation.
Certificate Management
Access to all NSX Manager interfaces must use a Secure Sockets Layer (SSL) connection. By default, NSX Manager uses a self-signed SSL certificate. This certificate is not trusted by end-user devices or Web browsers.
As a best practice, replace self-signed certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA).
Decision ID |
Design Decision |
Design Implication |
Design Justification |
---|---|---|---|
VCF-WLD-NSX-SEC-001 |
Replace the default self-signed certificate of the NSX Manager instance for the VI workload domain with a certificate that is signed by a third-party certificate authority. |
Ensures that the communication between NSX-T Data Center administrators and the NSX Manager instance is encrypted by using a trusted certificate. |
Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificates requests. |
VCF-WLD-NSX-SEC-002 |
Use a SHA-2 algorithm or stronger when signing certificates. |
The SHA-1 algorithm is considered less secure and has been deprecated. |
Not all certificate authorities support SHA-2. |
Certificate Management for Multiple VMware Cloud Foundation Instances
The version of SDDC Manager in this design does not support certificate replacement for NSX Global Manager appliances. When the certificate of the NSX Local Manager cluster is replaced, you must update the thumbprint of the new certificate on the connected NSX Global Manager.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-WLD-NSX-SEC-FED-001 |
Replace the default self- signed certificate of the NSX Global Manager instance for the VI workload domain with a certificate that is signed by a third- party certificate authority. |
Ensures that the communication between NSX-T Data Center administrators and the NSX Global Manager instance is encrypted by using a trusted certificate. |
Replacing the default certificates with trusted CA- signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificates requests. |
VCF-WLD-NSX-SEC-FED-002 |
Establish an operations practice to capture and update on the NSX Global Manager the thumbprint of the NSX Local Manager certificate every time the certificate is updated by using SDDC Manager. |
Ensures secured connectivity between the NSX Manager instances. Each certificate has its own unique thumbprint. The NSX Global Manager stores the unique thumbprint of the NSX Local Manager instances for enhanced security. If an authentication failure between the NSX Global Manager and NSX Local Manager occurs, objects that are created from the NSX Global Manager will not be propagated to the SDN. |
The administrator must establish and follow an operational practice by using a runbook or automated process to ensure that the thumbprint up-to-date. |