Use this list of requirements and recommendations for reference related to the management of access controls, certificates and accounts in a VMware Cloud Foundation environment.
For full design details, see Information Security Design for VMware Cloud Foundation.
Recommendation ID |
Design Recommendation |
Justification |
Implication |
---|---|---|---|
VCF-ACTMGT-REQD-SEC-001 |
Enable scheduled password rotation in SDDC Manager for all accounts supporting scheduled rotation. |
|
You must retrieve new passwords by using the API if you must use accounts interactively. |
VCF-ACTMGT-REQD-SEC-003 |
Establish operational practice to rotate passwords using SDDC Manager on components that do not support scheduled rotation in SDDC Manager. |
Rotates passwords and automatically remediates SDDC Manager databases for those user accounts. |
None. |
VCF-ACTMGT-REQD-SEC-003 |
Establish operational practice to manually rotate passwords on components that cannot be rotated by SDDC Manager. |
Maintains password policies across components not handled by SDDC Manager password management. |
None. |
Recommendation ID |
Design Recommendation |
Justification |
Implication |
---|---|---|---|
VCF-SDDC-RCMD-SEC-001 |
Replace the default VMCA-signed certificate on all management virtual appliances with a certificate that is signed by an internal certificate authority. |
Ensures that the communication to all management components is secure. |
Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests. |
VCF-SDDC-RCMD-SEC-002 |
Use a SHA-2 algorithm or higher for signed certificates. |
The SHA-1 algorithm is considered less secure and has been deprecated. |
Not all certificate authorities support SHA-2 or higher. |
VCF-SDDC-RCMD-SEC-003 |
Perform SSL certificate life cycle management for all management appliances by using SDDC Manager. |
SDDC Manager supports automated SSL certificate lifecycle management rather than requiring a series of manual steps. |
Certificate management for NSX Global Manager instances must be done manually. |