You design management of access controls, certificates and accounts for VMware Cloud Foundation according to the requirements of your organization.

Access Management for VMware Cloud Foundation

You design access management for VMware Cloud Foundation according to industry standards and the requirements of your organization.

Component

Access Method

Additional Information

SDDC Manager

  • UI

  • API

  • SSH

SSH is active by default. root user access is not permitted.

NSX Local Manager

  • UI

  • API

  • SSH

SSH is deactivated by default.

NSX Edges

  • API

  • SSH

SSH is deactivated by default.

NSX Global Manager

  • UI

  • API

  • SSH

SSH setting is defined during deployment.

vCenter Server

  • UI

  • API

  • SSH

  • VAMI

SSH is active by default.

ESXi

  • Direct Console User Interface (DCUI)

  • ESXi Shell

  • SSH

  • VMware Host Client

SSH and ESXi shell are deactivated by default.

VMware Aria Suite Lifecycle

  • UI

  • API

  • SSH

SSH is active by default.

Workspace ONE Access

  • UI

  • API

  • SSH

SSH is active by default.

Account Management Design for VMware Cloud Foundation

You design account management for VMware Cloud Foundation according to industry standards and the requirements of your organization.

Password Management Methods

SDDC Manager manages the life cycle of passwords for the components that are part of the VMware Cloud Foundation instance. Multiple methods for managing password life cycle are supported.

Table 1. Password Management Methods in VMware Cloud Foundation

Method

Description

Rotate

Update one or more accounts with an auto-generated password

Update

Update password for a single account with a manually entered password

Remediate

Reconcile a single account with a password that has been set manually at the component.

Schedule

Schedule auto-rotation for one or more selected accounts.

Manual

Update a password manually directly in the component.

Account and Password Management

VMware Cloud Foundation comprises multiple types of interactive, local, and service accounts. Each account has different attributes and can be managed in the following ways:

For more information on password complexity, account lockout or integration with additional Identity Providers, refer to the Identity and Access Management for VMware Cloud Foundation.

Table 2. Account and Password Management in VMware Cloud Foundation

Component

User Account

Password Management

Additional Information

SDDC Manager

admin@local

  • Manual by using the SDDC Manager API

  • Default Expiry: Never

  • Local appliance account

  • API access (break-glass account)

vcf

  • Manual by using the OS

  • Default Expiry: 365 days

  • Local appliance account

  • OS level access

root

  • Manual by using the OS

  • Default Expiry: 90 days

  • Local appliance account

  • OS level access

backup

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 365 days

  • Local appliance account

  • OS level access

[email protected]

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 90 days

  • vCenter Single Sign-On account.

  • Application and API access.

  • Additional VMware Cloud FoundationAdmin account required to perform manual password rotation.

NSX Local Manager

admin

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level, API, and application access

root

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level access

audit

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level access

  • Read-only application level access

NSX Edges

admin

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter, or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level, API, and application access

root

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level access

audit

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level access

  • Read-only application level access

NSX Global Manager

admin

  • Manual by using the NSX Global Manager UI or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level, API, and application access

root

  • Manual by using each NSX Global Manager appliance

  • Default Expiry: 90 days

  • Local appliance account

  • OS level access

audit

  • Manual by using the NSX Global Manager UI or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level access

  • Read-only application level access

vCenter Server

root

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 90 days

  • Local appliance account

  • OS level access

  • VAMI access

[email protected]

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 90 days

  • vCenter Single Sign-On account.

  • Application and API access.

  • Relevant to isolated workload domain

svc-sddc-manager-hostname-vcenter-server-hostname@vsphere.local
  • System managed.

  • Automatically rotated every 30 days by default

  • Default Expiry: None

Service account between SDDC Manager and vCenter Server

svc-nsx-manager-hostname-vcenter-server-hostname@vsphere.local

  • System managed.

  • Automatically rotated every 30 days by default

  • Default Expiry: None

Service account between NSX Manager and vCenter Server

svc-vrslcm-hostname-vcenter-server-hostname@vsphere.local

  • System managed

  • Automatically rotated every 30 days by default

  • Default Expiry: None

Service account between VMware Aria Suite Lifecycle and vCenter Server

ESXi

root

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 99999 (never)

Manual

svc-vcf-esxi-hostname

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 99999 (never)

Service account between SDDC Manager and the ESXi host

VMware Aria Suite Lifecycle

vcfadmin@local

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: Never

API and application access

root

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 365 days

  • Local appliance account

  • OS level access

Workspace ONE Access

root

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter or API

  • Default Expiry: 60 days

  • Local appliance account

  • OS level access

sshuser

  • Managed by VMware Aria Suite Lifecycle

  • Default Expiry: 60 days

  • Local appliance account

  • OS level access

admin (port 8443)

Managed by VMware Aria Suite Lifecycle

System Admin

Admin (port 443)

  • Rotate, update,remediate or schedule by using the SDDC Manager UI, SDDC Manager Plugin in vCenter, or API

  • Default Expiry: Never

Default application administrator

configadmin

  • You must use both Workspace ONE Access and VMware Aria Suite Lifecycle to manage the password rotation schedule of the configadmin user.

  • Default Expiry: Never

Application configuration administrator

Account Management Design Recommendations

In your account management design, you can apply certain best practices.

Table 3. Design Requirements for Account and Password Management for VMware Cloud Foundation

Recommendation ID

Design Recommendation

Justification

Implication

VCF-ACTMGT-REQD-SEC-001

Enable scheduled password rotation in SDDC Manager for all accounts supporting scheduled rotation.

  • Increases the security posture of your SDDC.

  • Simplifies password management across your SDDC management components.

You must retrieve new passwords by using the API if you must use accounts interactively.

VCF-ACTMGT-REQD-SEC-003

Establish operational practice to rotate passwords using SDDC Manager on components that do not support scheduled rotation in SDDC Manager.

Rotates passwords and automatically remediates SDDC Manager databases for those user accounts.

None.

VCF-ACTMGT-REQD-SEC-003

Establish operational practice to manually rotate passwords on components that cannot be rotated by SDDC Manager.

Maintains password policies across components not handled by SDDC Manager password management.

None.

Certificate Management for VMware Cloud Foundation

You design certificate management for VMware Cloud Foundation according to industry standards and the requirements of your organization.

Access to all management component interfaces must be over a Secure Socket Layer (SSL) connection. During deployment, each component is assigned a certificate from a default signing CA. To provide secure access to each component, replace the default certificate with a trusted enterprise CA-signed certificate.

Table 4. Certificate Management in VMware Cloud Foundation

Component

Default Signing CA

Life cycle for Enterprise CA-Signed Certificates

SDDC Manager

Management domain VMCA

  • SDDC Manager

  • SDDC Manager Plug-in in vCenter

NSX Local Manager

Management domain VMCA

  • SDDC Manager

  • SDDC Manager Plug-in in vCenter

NSX Edges

Not applicable

Not applicable

NSX Global Manager

Self Signed

Manual

vCenter Server

Local workload domain VMCA

  • SDDC Manager

  • SDDC Manager Plug-in in vCenter

ESXi

Local workload domain VMCA

Manual*

VMware Aria Suite Lifecycle

Management domain VMCA

  • SDDC Manager

  • SDDC Manager Plug-in in vCenter

Note:

* To use enterprise CA-Signed certificates with ESXi, the initial deployment of VMware Cloud Foundation must be done using the API providing the Trusted Root certificate.

Table 5. Certificate Management Design Recommendations for VMware Cloud Foundation

Recommendation ID

Design Recommendation

Justification

Implication

VCF-SDDC-RCMD-SEC-001

Replace the default VMCA or signed certificates on all management virtual appliances with a certificate that is signed by an internal certificate authority.

Ensures that the communication to all management components is secure.

Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests.

VCF-SDDC-RCMD-SEC-002

Use a SHA-2 algorithm or higher for signed certificates.

The SHA-1 algorithm is considered less secure and has been deprecated.

Not all certificate authorities support SHA-2 or higher.

VCF-SDDC-RCMD-SEC-003

Perform SSL certificate life cycle management for all management appliances by using SDDC Manager or SDDC Manager Plugin in vCenter.

SDDC Manager supports automated SSL certificate lifecycle management rather than requiring a series of manual steps.

Certificate management for NSX Global Manager instances must be done manually.