You design authentication, access controls, and certificate management for vSphere with Tanzu according to industry standards and the requirements of your organization.
vSphere with Tanzu Authentication and Access Control
You integrate vSphere with Tanzu with vCenter Single Sign-On for authentication. You can use the configured identity sources for vCenter Single Sign-On, such as Active Directory, in the Supervisor. You can assign permissions to users on a given Supervisor object, such as a Namespace.
You must configure vCenter Server to be able to use Active Directory as an identity source. The in-depth design and configuration guidance for Active Directory over LDAP as an identity provider for vCenter Server is part of the Identity and Access Management for VMware Cloud Foundation validated solution (see VMware Cloud Foundation Validated Solutions). It is not mandatory to implement the entire solution, but you must complete the minimum applicable design and implementation sections for vCenter Server.
Decision ID | Design Decision | Design Justification | Design Implication
---|---|---|---
DRI-TZU-SEC-001 | Create a security group in Active Directory for DevOps administrators. Add users who need edit permissions within a namespace to the group and grant Can Edit permissions to the namespace for that group. If you require different permissions per namespace, create additional groups. | Necessary for auditable role-based access control within the Supervisor and Tanzu Kubernetes clusters. | You must define and manage security groups, group membership, and security controls in Active Directory.
DRI-TZU-SEC-002 | Create a security group in Active Directory for DevOps administrators. Add users who need read-only permissions in a namespace to the group, and grant Can View permissions to the namespace for that group. If you require different permissions per namespace, create additional groups. | Necessary for auditable role-based access control within the Supervisor and Tanzu Kubernetes clusters. | You must define and manage security groups, group membership, and security controls in Active Directory.
Certificate Management
By default, vSphere with Tanzu uses a self-signed Secure Sockets Layer (SSL) certificate. This certificate is not trusted by end-user devices or Web browsers.
As a best practice, replace self-signed certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA).
Decision ID | Design Decision | Design Justification | Design Implication
---|---|---|---
DRI-TZU-SEC-003 | Replace the default self-signed certificate for the Supervisor management interface with a PEM-encoded, CA-signed certificate. | Ensures that the communication between administrators and the Supervisor management interface is encrypted by using a trusted certificate. | Replacing and managing certificates is an operational overhead as it must be done outside of SDDC Manager certificate automation.
DRI-TZU-SEC-004 | Use a SHA-2 or higher algorithm when signing certificates. | The SHA-1 algorithm is considered less secure and has been deprecated. | Not all certificate authorities support SHA-2.
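As an added check, not part of the VMware Cloud Foundation documentation or any VMware tooling, the following POSIX shell script uses the openssl command-line tool to verify that a PEM certificate meets DRI-TZU-SEC-003 (CA-signed, not self-signed) and DRI-TZU-SEC-004 (SHA-2 signature) before it is installed on the Supervisor management interface. The hostname supervisor.example.test and the throwaway lab CA are constructed sample material, not values from the design.

```shell
#!/bin/sh
# Added check for DRI-TZU-SEC-003/004: is a PEM certificate CA-signed (not self-signed)
# and signed with a SHA-2 family digest? Requires the openssl command-line tool.
set -u

# 0 = SHA-2 signature, 1 = weaker digest (e.g. sha1WithRSAEncryption), 2 = not PEM-encoded.
check_sha2_signature() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" || return 2
  alg=$(openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}')
  case "$alg" in
    sha256*|sha384*|sha512*|ecdsa-with-SHA256|ecdsa-with-SHA384|ecdsa-with-SHA512) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when the issuer differs from the subject, i.e. the certificate was not self-signed.
check_not_self_signed() {
  subject=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  [ -n "$subject" ] && [ "$subject" != "$issuer" ]
}

# Prints a verdict per design decision; returns 1 if either check fails.
check_cert() {
  rc=0
  if check_sha2_signature "$1"; then echo "$1: SHA-2 signature OK (DRI-TZU-SEC-004)"
  else echo "$1: FAIL signature algorithm not SHA-2 or not PEM (DRI-TZU-SEC-004)"; rc=1; fi
  if check_not_self_signed "$1"; then echo "$1: CA-signed OK (DRI-TZU-SEC-003)"
  else echo "$1: FAIL self-signed certificate (DRI-TZU-SEC-003)"; rc=1; fi
  return $rc
}

# Constructed sample material for a lab, not Supervisor certificates: one self-signed
# certificate (the default state) and one issued by a throwaway CA (the target state).
make_sample_certs() {
  d="$1"; cn="/CN=supervisor.example.test"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "$cn" \
    -keyout "$d/self.key" -out "$d/self.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=Lab Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$cn" \
    -keyout "$d/sup.key" -out "$d/sup.csr" 2>/dev/null
  openssl x509 -req -in "$d/sup.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -sha256 -days 1 -out "$d/sup.pem" 2>/dev/null
}

tmp=$(mktemp -d) && make_sample_certs "$tmp"
check_cert "$tmp/self.pem" || :   # expected to fail DRI-TZU-SEC-003
check_cert "$tmp/sup.pem"         # expected to pass both
rm -rf "$tmp"
```

Run it against the PEM file you intend to install with `check_cert /path/to/supervisor.pem`; a certificate that fails either check should not be installed.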