Use this list of requirements and recommendations for reference related to the management of access controls, certificates and accounts in a VMware Cloud Foundation environment.

For full design details, see Information Security Design for VMware Cloud Foundation.

Table 1. Design Requirements for Account and Password Management for VMware Cloud Foundation

| Recommendation ID | Design Recommendation | Justification | Implication |
|---|---|---|---|
| VCF-ACTMGT-REQD-SEC-001 | Enable scheduled password rotation in SDDC Manager for all accounts supporting scheduled rotation. | Increases the security posture of your SDDC. Simplifies password management across your SDDC management components. | You must retrieve new passwords by using the API if you must use accounts interactively. |
| VCF-ACTMGT-REQD-SEC-003 | Establish operational practice to rotate passwords using SDDC Manager on components that do not support scheduled rotation in SDDC Manager. | Rotates passwords and automatically remediates SDDC Manager databases for those user accounts. | None. |
| VCF-ACTMGT-REQD-SEC-003 | Establish operational practice to manually rotate passwords on components that cannot be rotated by SDDC Manager. | Maintains password policies across components not handled by SDDC Manager password management. | None. |

Table 2. Certificate Management Design Recommendations for VMware Cloud Foundation

| Recommendation ID | Design Recommendation | Justification | Implication |
|---|---|---|---|
| VCF-SDDC-RCMD-SEC-001 | Replace the default VMCA-signed or self-signed certificates on all management virtual appliances with a certificate that is signed by an internal certificate authority. | Ensures that the communication to all management components is secure. | Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests. |
| VCF-SDDC-RCMD-SEC-002 | Use a SHA-2 algorithm or higher for signed certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2 or higher. |
| VCF-SDDC-RCMD-SEC-003 | Perform SSL certificate life cycle management for all management appliances by using SDDC Manager or the SDDC Manager Plugin in vCenter. | SDDC Manager supports automated SSL certificate life cycle management rather than requiring a series of manual steps. | Certificate management for NSX Global Manager instances must be done manually. |
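The following added example (not VMware code or part of this design guide) audits a DER-encoded X.509 certificate against recommendation VCF-SDDC-RCMD-SEC-002 by reading its outer signatureAlgorithm OID with a minimal DER walker and flagging SHA-1 signatures; `sample_certificate` builds a constructed, certificate-shaped DER blob for offline testing and is not a real certificate.

```python
"""Added example (not VMware code): check that a DER-encoded X.509 certificate is
signed with SHA-2 or stronger (VCF-SDDC-RCMD-SEC-002). Only the signatureAlgorithm OID is parsed."""

# Signature-algorithm OIDs -> (name, satisfies the SHA-2-or-higher rule)
SIG_ALGS = {
    "1.2.840.113549.1.1.5":  ("sha1WithRSAEncryption", False),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", True),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", True),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", True),
    "1.2.840.10045.4.1":     ("ecdsa-with-SHA1", False),
    "1.2.840.10045.4.3.2":   ("ecdsa-with-SHA256", True),
    "1.2.840.10045.4.3.3":   ("ecdsa-with-SHA384", True),
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos -> (tag, value bytes, next pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n, pos = ln & 0x7F, pos + (ln & 0x7F)
        ln = int.from_bytes(buf[pos - n:pos], "big")
    return tag, buf[pos:pos + ln], pos + ln

def _decode_oid(raw):
    """Convert OID content octets to dotted notation (base-128 arcs)."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value)); value = 0
    return ".".join(arcs)

def signature_algorithm(der):
    """Return (dotted OID, name, compliant) for a DER Certificate SEQUENCE."""
    _, cert, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE
    _, _, pos = _tlv(cert, 0)                       # skip tbsCertificate
    _, alg_id, _ = _tlv(cert, pos)                  # signatureAlgorithm
    tag, oid_raw, _ = _tlv(alg_id, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OID")
    oid = _decode_oid(oid_raw)
    name, ok = SIG_ALGS.get(oid, ("unknown " + oid, False))
    return oid, name, ok

def _der(tag, payload):
    """Tiny DER encoder used only to build the constructed sample below."""
    n = len(payload)
    lb = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload

def sample_certificate(oid_content):
    """Constructed Certificate-shaped DER (dummy tbs, given sig OID, dummy sig)."""
    tbs = _der(0x30, b"\xa0\x03\x02\x01\x02" + b"\x00" * 200)  # long-form length
    alg = _der(0x30, _der(0x06, oid_content) + b"\x05\x00")    # OID + NULL params
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 32))
```

On a real appliance certificate, pass the DER bytes (base64-decoded PEM body) to `signature_algorithm`; a `False` third element means the certificate does not meet the SHA-2 recommendation.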