You protect the vRealize Suite Lifecycle Manager deployment by configuring authentication and secure communication with the other components in the SDDC. You dedicate a service account to the communication between vRealize Suite Lifecycle Manager and vCenter Server.
You use a custom role in vSphere with permissions to perform life cycle operations on vRealize Suite components in the SDDC. A dedicated service account is assigned a custom role for communication between vRealize Suite Lifecycle Manager and the vCenter Server instances in the environment.
Identity Management
Users can authenticate to vRealize Suite Lifecycle Manager by using local administrator accounts or by using Workspace ONE Access
vRealize Suite Lifecycle Manager performs local authentication only for the default administrator account,vcfadmin@local. To ensure accountability on user access, you enable authentication with Workspace ONE Access. You can grant both users and groups access to vRealize Suite Lifecycle Manager to perform tasks and initiate orchestrated operations, such as deployment and upgrade of vRealize Suite components and content. See Workspace ONE Access Design.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-001 |
Enable integration between vRealize Suite Lifecycle Manager and your corporate identity source by using the Workspace ONE Access instance. |
|
You must deploy and configure Workspace ONE Access to establish the integration between vRealize Suite Lifecycle Manager and your corporate identity sources. |
VCF-VRS-vRSLCM-SEC-002 |
Create corresponding security groups in your corporate directory services for vRealize Suite Lifecycle Manager roles:
|
Streamlines the management of vRealize Suite Lifecycle Manager roles for users. |
|
Service Accounts
Configure a service account for communication between vRealize Suite Lifecycle Manager and vCenter Server endpoint instances. You assign a service account with only the minimum set of permissions to perform inventory data collection and life cycle management operations for the instances defined in the data center.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-003 |
Define a custom vCenter Server role for vRealize Suite Lifecycle Manager that has the minimum privileges required to support the deployment and upgrade of vRealize Suite products. |
vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of vRealize Suite products. SDDC Manager automates the creation of the custom role. |
You must maintain the permissions required by the custom role. |
VCF-VRS-vRSLCM-SEC-004 |
Create a service account in vCenter Server for application-to-application communication from vRealize Suite Lifecycle Manager to vSphere. Assign global permissions using the custom role. |
|
|
Password Management
To ensure continued access to the vRealize Suite Lifecycle Manager appliance, you must rotate the appliance root password on or before 365 days after deployment.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-005 |
Rotate the root password on or before 365 days after deployment by using SDDC Manager. |
The password for the root user account expires 365 days after the initial deployment. |
You must manage the password rotation schedule for the root user account in accordance with your organization policies and regulatory standards, as applicable. |
Certificate Management
Access to all vRealize Suite Lifecycle Manager endpoint interfaces requires an SSL connection. By default, vRealize Suite Lifecycle Manager uses an appliance certificate signed by VMware Certificate Authority (VMCA). To provide secure access to the vRealize Suite Lifecycle Manager and between SDDC endpoints, replace the default VMCA-signed certificate with a CA-signed certificate.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
VCF-VRS-vRSLCM-SEC-006 |
Use SDDC Manager to replace the default VMCA-signed certificate of vRealize Suite Lifecycle Manager with a CA-signed certificate. |
Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for vRealize Suite Lifecycle Manager, and cross-product, is encrypted. |
Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time as certificates requests are generated and delivered. |
VCF-VRS-vRSLCM-SEC-007 |
Use a SHA-2 or higher algorithm when signing certificates. |
The SHA-1 algorithm is considered less secure and has been deprecated. |
Not all certificate authorities support SHA-2. |