You design management of access controls, certificates and accounts for VMware Cloud Foundation according to the requirements of your organization.
Access Management for VMware Cloud Foundation
You design access management for VMware Cloud Foundation according to industry standards and the requirements of your organization.
| Component | Access Method | Additional Information |
|---|---|---|
| SDDC Manager | | SSH is active by default. root user access is not permitted. |
| NSX Local Manager | | SSH is deactivated by default. |
| NSX Edges | | SSH is deactivated by default. |
| NSX Global Manager | | SSH setting is defined during deployment. |
| vCenter Server | | SSH is active by default. |
| ESXi | | SSH and ESXi shell are deactivated by default. |
| VMware Aria Suite Lifecycle | | SSH is active by default. |
| Workspace ONE Access | | SSH is active by default. |
Account Management Design for VMware Cloud Foundation
You design account management for VMware Cloud Foundation according to industry standards and the requirements of your organization.
Password Management Methods
SDDC Manager manages the life cycle of passwords for the components that are part of the VMware Cloud Foundation instance. Multiple methods for managing password life cycle are supported.
| Method | Description |
|---|---|
| Rotate | Update one or more accounts with an auto-generated password. |
| Update | Update the password for a single account with a manually entered password. |
| Remediate | Reconcile a single account with a password that has been set manually at the component. |
| Schedule | Schedule auto-rotation for one or more selected accounts. |
| Manual | Update a password manually, directly in the component. |
Account and Password Management
VMware Cloud Foundation comprises multiple types of interactive, local, and service accounts. Each account has different attributes and can be managed in the following ways:
For more information on password complexity, account lockout, or integration with additional identity providers, refer to Identity and Access Management for VMware Cloud Foundation.
| Component | User Account | Password Management | Additional Information |
|---|---|---|---|
| SDDC Manager | admin@local | | |
| | vcf | | |
| | root | | |
| | backup | | |
| NSX Local Manager | admin | | |
| | root | | |
| | audit | | |
| NSX Edges | admin | | |
| | root | | |
| | audit | | |
| NSX Global Manager | admin | | |
| | root | | |
| | audit | | |
| vCenter Server | root | | |
| | svc-sddc-manager-hostname-vcenter-server-hostname@vsphere.local | | Service account between SDDC Manager and vCenter Server |
| | svc-nsx-manager-hostname-vcenter-server-hostname@vsphere.local | | Service account between NSX Manager and vCenter Server |
| | svc-vrslcm-hostname-vcenter-server-hostname@vsphere.local | | Service account between VMware Aria Suite Lifecycle and vCenter Server |
| ESXi | root | | Manual |
| | svc-vcf-esxi-hostname | | Service account between SDDC Manager and the ESXi host |
| VMware Aria Suite Lifecycle | vcfadmin@local | | API and application access |
| | root | | |
| Workspace ONE Access | root | | |
| | sshuser | | |
| | admin (port 8443) | Managed by VMware Aria Suite Lifecycle | System Admin |
| | Admin (port 443) | | Default application administrator |
| | configadmin | | Application configuration administrator |
Account Management Design Recommendations
In your account management design, you can apply certain best practices.
| Recommendation ID | Design Recommendation | Justification | Implication |
|---|---|---|---|
| VCF-ACTMGT-REQD-SEC-001 | Enable scheduled password rotation in SDDC Manager for all accounts that support scheduled rotation. | | You must retrieve new passwords by using the API if you must use accounts interactively. |
| VCF-ACTMGT-REQD-SEC-003 | Establish an operational practice to rotate passwords by using SDDC Manager on components that do not support scheduled rotation in SDDC Manager. | Rotates passwords and automatically remediates the SDDC Manager databases for those user accounts. | None. |
| VCF-ACTMGT-REQD-SEC-003 | Establish an operational practice to manually rotate passwords on components whose passwords cannot be rotated by SDDC Manager. | Maintains password policies across components not handled by SDDC Manager password management. | None. |
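As an added example that is not part of this design guide, the following Python helpers map the Rotate method and the API-based password retrieval called for by VCF-ACTMGT-REQD-SEC-001 onto the SDDC Manager REST API. The endpoint paths (POST /v1/tokens, GET /v1/credentials, PATCH /v1/credentials) come from the public SDDC Manager API reference; the autoRotatePolicy field name is an assumption to verify in the API explorer of your release, and the host name and sample response are constructed.

```python
# Added example (not from the VMware design guide). Endpoint paths and JSON
# field names follow the public SDDC Manager API reference as recalled here;
# 'autoRotatePolicy' in particular is an assumption to verify against the API
# explorer of your release. Host name and sample data are constructed.
import json
import ssl
import urllib.request

SDDC_MANAGER = "sddc-manager.example.local"  # constructed placeholder

def rotate_spec(resource_name, resource_type, username, credential_type="SSH"):
    """PATCH /v1/credentials body for the Rotate method: SDDC Manager generates
    the new password itself, so the request carries no password."""
    return {"operationType": "ROTATE",
            "elements": [{"resourceName": resource_name,
                          "resourceType": resource_type,
                          "credentials": [{"credentialType": credential_type,
                                           "username": username}]}]}

def find_unscheduled(credentials):
    """From a GET /v1/credentials response, list (resource, username) pairs with
    no enabled auto-rotate policy, i.e. accounts that still need the manual or
    operational rotation practice from the recommendations above."""
    return [(c["resource"]["resourceName"], c["username"])
            for c in credentials.get("elements", [])
            if not (c.get("autoRotatePolicy") or {}).get("enableAutoRotatePolicy")]

def call(method, path, token=None, body=None, ca_file=None):
    """One HTTPS call. token comes from POST /v1/tokens; ca_file is the bundle
    of the CA that signed the SDDC Manager certificate, so a default or
    mismatched appliance certificate fails the call instead of being trusted."""
    req = urllib.request.Request(
        f"https://{SDDC_MANAGER}{path}", method=method,
        data=json.dumps(body).encode() if body is not None else None,
        headers={"Content-Type": "application/json", "Accept": "application/json"})
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.loads(resp.read() or b"{}")

# Constructed sample of a GET /v1/credentials response: one account scheduled, one not.
SAMPLE_CREDENTIALS = {"elements": [
    {"username": "root", "credentialType": "SSH",
     "resource": {"resourceName": "esxi01.example.local", "resourceType": "ESXI"},
     "autoRotatePolicy": {"frequencyInDays": 30, "enableAutoRotatePolicy": True}},
    {"username": "admin", "credentialType": "API",
     "resource": {"resourceName": "nsx-gm01.example.local", "resourceType": "NSXT_MANAGER"}}]}
```

A typical sequence is `token = call("POST", "/v1/tokens", body={"username": ..., "password": ...})["accessToken"]`, then `find_unscheduled(call("GET", "/v1/credentials", token))` to list the accounts the operational practice must cover, and `call("PATCH", "/v1/credentials", token, rotate_spec(...))` to trigger a rotation.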
Certificate Management for VMware Cloud Foundation
You design certificate management for VMware Cloud Foundation according to industry standards and the requirements of your organization.
Access to all management component interfaces must be over a Secure Sockets Layer (SSL) connection. During deployment, each component is assigned a certificate from a default signing CA. To provide secure access to each component, replace the default certificate with a trusted enterprise CA-signed certificate.
| Component | Default Signing CA | Life Cycle for Enterprise CA-Signed Certificates |
|---|---|---|
| SDDC Manager | Management domain VMCA | |
| NSX Local Manager | Management domain VMCA | |
| NSX Edges | Not applicable | Not applicable |
| NSX Global Manager | Self-signed | Manual |
| vCenter Server | Local workload domain VMCA | |
| ESXi | Local workload domain VMCA | Manual* |
| VMware Aria Suite Lifecycle | Management domain VMCA | |

* To use enterprise CA-signed certificates with ESXi, the initial deployment of VMware Cloud Foundation must be performed by using the API and providing the trusted root certificate.
| Recommendation ID | Design Recommendation | Justification | Implication |
|---|---|---|---|
| VCF-SDDC-RCMD-SEC-001 | Replace the default VMCA-signed or self-signed certificates on all management virtual appliances with a certificate that is signed by an internal certificate authority. | Ensures that the communication to all management components is secure. | Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests. |
| VCF-SDDC-RCMD-SEC-002 | Use a SHA-2 algorithm or higher for signed certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2 or higher. |
| VCF-SDDC-RCMD-SEC-003 | Perform SSL certificate life cycle management for all management appliances by using SDDC Manager or the SDDC Manager plug-in in vCenter. | SDDC Manager supports automated SSL certificate life cycle management rather than requiring a series of manual steps. | Certificate management for NSX Global Manager instances must be done manually. |