Information Security Design for VMware Cloud Foundation

You design management of access controls, certificates and accounts for VMware Cloud Foundation according to the requirements of your organization.

Access Management for VMware Cloud Foundation

You design access management for VMware Cloud Foundation according to industry standards and the requirements of your organization.


Component	Access Method	Additional Information
SDDC Manager	UI API SSH	SSH is active by default. root user access is deactivated.
NSX Local Manager	UI API SSH	SSH is deactivated by default.
NSX Edges	API SSH	SSH is deactivated by default.
NSX Global Manager	UI API SSH	SSH setting is defined during deployment.
vCenter Server	UI API SSH VAMI	SSH is active by default.
ESXi	Direct Console User Interface (DCUI) ESXi Shell SSH VMware Host Client	SSH and ESXi shell are deactivated by default.
VMware Aria Suite Lifecycle	UI API SSH	SSH is active by default.
Workspace ONE Access	UI API SSH	SSH is active by default.

Account Management Design for VMware Cloud Foundation

You design account management for VMware Cloud Foundation according to industry standards and the requirements of your organization.

Password Management Methods

SDDC Manager manages the life cycle of passwords for the components that are part of the VMware Cloud Foundation instance. Multiple methods for managing password life cycle are supported.

Table 1. Password Management Methods in VMware Cloud Foundation
Method	Description
Rotate	Update one or more accounts with an auto-generated password
Update	Update password for a single account with a manually entered password
Remediate	Reconcile a single account with a password that has been set manually at the component.
Schedule	Schedule auto-rotation for one or more selected accounts.
Manual	Update a password manually directly in the component.

Account and Password Management

VMware Cloud Foundation comprises multiple types of interactive, local, and service accounts. Each account has different attributes and can be managed in the following ways:

For more information on password complexity, account lockout or integration with additional Identity Providers, refer to the Identity and Access Management for VMware Cloud Foundation.

Table 2. Account and Password Management in VMware Cloud Foundation
Component	User Account	Password Management	Additional Information
SDDC Manager	admin@local	Manual by using the SDDC Manager API Default Expiry: Never	Local appliance account API access (break-glass account)
	vcf	Manual by using the OS Default Expiry: 365 days	Local appliance account OS level access
	root	Manual by using the OS Default Expiry: 90 days	Local appliance account OS level access
	backup	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 365 days	Local appliance account OS level access
	[email protected]	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	vCenter Single Sign-On account. Application and API access. Additional VMware Cloud FoundationAdmin account required to perform manual password rotation.
NSX Local Manager	admin	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	Local appliance account OS level, API, and application access
	root	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	Local appliance account OS level access
	audit	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	Local appliance account OS level access Read-only application level access
NSX Edges	admin	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	Local appliance account OS level, API, and application access
	root	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	Local appliance account OS level access
	audit	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	Local appliance account OS level access Read-only application level access
NSX Global Manager	admin	Manual by using the NSX Global Manager UI or API Default Expiry: 90 days	Local appliance account OS level, API, and application access
	root	Manual by using each NSX Global Manager appliance Default Expiry: 90 days	Local appliance account OS level access
	audit	Manual by using the NSX Global Manager UI or API Default Expiry: 90 days	Local appliance account OS level access Read-only application level access
vCenter Server	root	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	Local appliance account OS level access VAMI access
	[email protected]	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 90 days	vCenter Single Sign-On account. Application and API access. Relevant to isolated workload domain
	svc-`sddc-manager-hostname`-`vcenter-server-hostname`@vsphere.local	System managed. Automatically rotated every 30 days by default Default Expiry: None	Service account between SDDC Manager and vCenter Server
	svc-`nsx-manager-hostname`-`vcenter-server-hostname`@vsphere.local	System managed. Automatically rotated every 30 days by default Default Expiry: None	Service account between NSX Manager and vCenter Server
	svc-`vrslcm-hostname`-`vcenter-server-hostname`@vsphere.local	System managed Automatically rotated every 30 days by default Default Expiry: None	Service account between VMware Aria Suite Lifecycle and vCenter Server
ESXi	root	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 99999 (never)	Manual
ESXi	svc-vcf-`esxi-hostname`	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 99999 (never)	Service account between SDDC Manager and the ESXi host
VMware Aria Suite Lifecycle	vcfadmin@local	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: Never	API and application access
VMware Aria Suite Lifecycle	root	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 365 days	Local appliance account OS level access
Workspace ONE Access	root	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: 60 days	Local appliance account OS level access
	sshuser	Managed by VMware Aria Suite Lifecycle Default Expiry: 60 days	Local appliance account OS level access
	admin (port 8443)	Managed by VMware Aria Suite Lifecycle	System Admin
	Admin (port 443)	Rotate, update,remediate or schedule by using the SDDC Manager UI or API Default Expiry: Never	Default application administrator
	configadmin	You must use both Workspace ONE Access and VMware Aria Suite Lifecycle to manage the password rotation schedule of the configadmin user. Default Expiry: Never	Application configuration administrator

Account Management Design Recommendations

In your account management design, you can apply certain best practices.

Table 3. Design Requirements for Account and Password Management for VMware Cloud Foundation
Recommendation ID	Design Recommendation	Justification	Implication
VCF-ACTMGT-REQD-SEC-001	Enable scheduled password rotation in SDDC Manager for all accounts supporting scheduled rotation.	Increases the security posture of your SDDC. Simplifies password management across your SDDC management components.	You must retrieve new passwords by using the API if you must use accounts interactively.
VCF-ACTMGT-REQD-SEC-003	Establish operational practice to rotate passwords using SDDC Manager on components that do not support scheduled rotation in SDDC Manager.	Rotates passwords and automatically remediates SDDC Manager databases for those user accounts.	None.
VCF-ACTMGT-REQD-SEC-003	Establish operational practice to manually rotate passwords on components that cannot be rotated by SDDC Manager.	Maintains password policies across components not handled by SDDC Manager password management.	None.

Certificate Management for VMware Cloud Foundation

You design certificate management for VMware Cloud Foundation according to industry standards and the requirements of your organization.

Access to all management component interfaces must be over a Secure Socket Layer (SSL) connection. During deployment, each component is assigned a certificate from a default signing CA. To provide secure access to each component, replace the default certificate with a trusted enterprise CA-signed certificate.

Table 4. Certificate Management in VMware Cloud Foundation
Component	Default Signing CA	Life cycle for Enterprise CA-Signed Certificates
SDDC Manager	Management domain VMCA	Using SDDC Manager
NSX Local Manager	Management domain VMCA	Using SDDC Manager
NSX Edges	Not applicable	Not applicable
NSX Global Manager	Self Signed	Manual
vCenter Server	Local workload domain VMCA	Using SDDC Manager
ESXi	Local workload domain VMCA	Manual*
VMware Aria Suite Lifecycle	Management domain VMCA	Using SDDC Manager

Note:

* To use enterprise CA-Signed certificates with ESXi, the initial deployment of VMware Cloud Foundation must be done using the API providing the Trusted Root certificate.

Table 5. Certificate Management Design Recommendations for VMware Cloud Foundation
Recommendation ID	Design Recommendation	Justification	Implication
VCF-SDDC-RCMD-SEC-001	Replace the default VMCA or signed certificates on all management virtual appliances with a certificate that is signed by an internal certificate authority.	Ensures that the communication to all management components is secure.	Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests.
VCF-SDDC-RCMD-SEC-002	Use a SHA-2 algorithm or higher for signed certificates.	The SHA-1 algorithm is considered less secure and has been deprecated.	Not all certificate authorities support SHA-2 or higher.
VCF-SDDC-RCMD-SEC-003	Perform SSL certificate life cycle management for all management appliances by using SDDC Manager.	SDDC Manager supports automated SSL certificate lifecycle management rather than requiring a series of manual steps.	Certificate management for NSX Global Manager instances must be done manually.