VCF-ACTMGT-REQD-SEC-001

Enable scheduled password rotation in SDDC Manager for all accounts supporting scheduled rotation.

• Increases the security posture of your SDDC.

• Simplifies password management across your SDDC management components.

You must retrieve new passwords by using the API if you must use accounts interactively.

VCF-ACTMGT-REQD-SEC-003

Establish operational practice to rotate passwords using SDDC Manager on components that do not support scheduled rotation in SDDC Manager.

Rotates passwords and automatically remediates SDDC Manager databases for those user accounts.

None.

VCF-ACTMGT-REQD-SEC-003

Establish operational practice to manually rotate passwords on components that cannot be rotated by SDDC Manager.

Maintains password policies across components not handled by SDDC Manager password management.

None.

VCF-SDDC-RCMD-SEC-001

Replace the default VMCA or signed certificates on all management virtual appliances with a certificate that is signed by an internal certificate authority.

Ensures that the communication to all management components is secure.

Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests.

VCF-SDDC-RCMD-SEC-002

Use a SHA-2 algorithm or higher for signed certificates.

The SHA-1 algorithm is considered less secure and has been deprecated.

Not all certificate authorities support SHA-2 or higher.

VCF-SDDC-RCMD-SEC-003

Perform SSL certificate life cycle management for all management appliances by using SDDC Manager or SDDC Manager Plugin in vCenter.

SDDC Manager supports automated SSL certificate lifecycle management rather than requiring a series of manual steps.

Certificate management for NSX Global Manager instances must be done manually.