Information security and access design details the design decisions covering authentication and access controls for SDDC Manager in VMware Cloud Foundation.

Authentication to the SDDC Manager user interface uses the vCenter Single Sign-On authentication service. During VMware Cloud Foundation bring-up, SDDC Manager is configured to use the identity provider of the management domain vCenter Server, whether built-in or federated. For example, once vCenter Single Sign-On is configured to use Active Directory over LDAP as an identity source, SDDC Manager inherits that identity source configuration from the management domain vCenter Server instance, and users and groups from the identity source can then be assigned to roles in SDDC Manager.

In addition, SDDC Manager has the following local accounts:

  • A local administrative account (admin@local) for accessing the SDDC Manager API when the management domain vCenter Server is unavailable.

  • A local account (backup) used for the default backup configuration.

For more information, see the User and Group Management documentation for VMware Cloud Foundation.

Active Directory Integration for SDDC Manager

SDDC Manager delegates permissions through roles. A role grants a predefined set of permissions covering a typical set of tasks that a class of users performs.

This solution provides design and implementation guidance on mapping the SDDC Manager built-in roles to Microsoft Active Directory security groups.

In this solution, the following SDDC Manager built-in roles are used, based on the target personas.
Table 1. Default SDDC Manager Roles and Example Security Group Assignments

Role | Description
Admins | A role with privileges to administer all SDDC Manager functionality through the UI and API.
Operators | A role with privileges to all SDDC Manager functionality through the UI and API, except user management, password management, and backup configuration settings.
Viewers | A role with read-only privileges to view the SDDC Manager configuration, except user management and password management.

Table 2. Design Decisions on Active Directory Integration for SDDC Manager

IAM-SDDC-SEC-001
Design Decision: Assign the Admin role in SDDC Manager to an Active Directory security group.
Design Justification: Assigning the Admin role to an Active Directory security group simplifies the management of user access with administrative rights to SDDC Manager; membership is maintained in Active Directory rather than per user in SDDC Manager.
Design Implication:
  • An Active Directory security group must be created before assigning the role.
  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-SDDC-SEC-002
Design Decision: Assign the Operator role in SDDC Manager to an Active Directory security group.
Design Justification: Assigning the Operator role to an Active Directory security group simplifies the management of user access with operator rights to SDDC Manager.
Design Implication:
  • An Active Directory security group must be created before assigning the role.
  • You must maintain the life cycle and availability of the security group in Active Directory.

IAM-SDDC-SEC-003
Design Decision: Assign the Viewer role in SDDC Manager to an Active Directory security group.
Design Justification: Assigning the Viewer role to an Active Directory security group lets you grant read-only rights in SDDC Manager to users through group membership.
Design Implication:
  • An Active Directory security group must be created before assigning the role.
  • You must maintain the life cycle and availability of the security group in Active Directory.

Password Policies for SDDC Manager

Within SDDC Manager, you can enforce password policies for access through the virtual appliance console and SSH. You configure these policies through the pluggable authentication modules (PAM) of the appliance operating system. The policies apply only to the local operating system accounts of the appliance; users who sign in through vCenter Single Sign-On or Active Directory are governed by the password policy of their identity source, not by the appliance PAM configuration.

Password Expiration Policy for SDDC Manager

You manage the password expiration policy per user account. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 3. Default Password Expiration Policy for SDDC Manager

Setting | Default | Description | Notes
maxdays | 90 | Maximum number of days between password changes | VMware Cloud Foundation 4.5 and later
maxdays | 365 | Maximum number of days between password changes | VMware Cloud Foundation 4.4 and earlier
mindays | 0 | Minimum number of days between password changes | -
warndays | 7 | Number of days of warning before a password expires | -

Password Complexity Policy for SDDC Manager

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 4. Default Password Complexity Policy for SDDC Manager

Setting | Default | Description
dcredit | -1 | Digit credit. A negative value is a requirement: -1 means the password must contain at least one digit. A positive value instead awards length credit for up to that many digits.
ucredit | -1 | Uppercase credit; -1 requires at least one uppercase character.
lcredit | -1 | Lowercase credit; -1 requires at least one lowercase character.
ocredit | -1 | Other-character (symbol) credit; -1 requires at least one symbol.
minlen | 8 | Minimum password length (number of characters, after any credits are applied)
minclass | 4 | Minimum number of character classes that must be used (uppercase, lowercase, digits, other)
difok | 4 | Minimum number of characters that must differ from the old password
retry | 3 | Maximum number of attempts the user is given to enter an acceptable new password before an error is returned
maxsequence | 0 | Maximum length of a monotonic character sequence such as 1234 or abcd; 0 disables the check
remember | 5 | Number of previous passwords the system remembers and rejects if reused

Account Lockout Policy for SDDC Manager

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 5. Default Account Lockout Policy for SDDC Manager

Setting | Default | Description
deny | 3 | Number of consecutive authentication failures before the account is locked
unlock_time | 86400 | Time in seconds that a locked account remains locked (24 hours)
root_unlock_time | 300 | Time in seconds that the root account remains locked (5 minutes)
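The following shell script is an added example, not VMware code, that audits the complexity settings of Table 4 and the lockout settings of Table 5 against an appliance's PAM configuration. It assumes the stack uses pam_pwquality, pam_pwhistory and pam_tally2 (the module names, and the sample file contents, are constructed for the example; a given Photon OS release may load pam_cracklib or pam_faillock instead, so check the real /etc/pam.d/system-password and /etc/pam.d/system-auth on your appliance and adjust the EXPECTED_* lists to your policy).

```shell
#!/bin/sh
# Added example (not VMware code): audit PAM password-complexity and
# account-lockout settings of an SDDC Manager-style appliance against the
# documented defaults.  Module names and sample files are assumptions.

# Constructed sample of /etc/pam.d/system-password that matches the defaults.
SAMPLE_SYSTEM_PASSWORD='# constructed sample, not a real appliance file
password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
password required  pam_pwhistory.so remember=5 retry=3 enforce_for_root
password required  pam_unix.so sha512 shadow use_authtok'

# Constructed sample of /etc/pam.d/system-auth with a weakened lockout policy.
SAMPLE_SYSTEM_AUTH='# constructed sample, not a real appliance file
auth required pam_tally2.so deny=10 unlock_time=60 root_unlock_time=300 onerr=fail audit
auth required pam_unix.so'

# Expected values as MODULE:KEY=VALUE.  Credit semantics: a negative
# dcredit/ucredit/lcredit/ocredit is a requirement (-1 = at least one such
# character); a positive value only awards length credit.
EXPECTED_PASSWORD='pam_pwquality.so:dcredit=-1 pam_pwquality.so:ucredit=-1
pam_pwquality.so:lcredit=-1 pam_pwquality.so:ocredit=-1 pam_pwquality.so:minlen=8
pam_pwquality.so:minclass=4 pam_pwquality.so:difok=4 pam_pwquality.so:retry=3
pam_pwquality.so:maxsequence=0 pam_pwhistory.so:remember=5'
EXPECTED_AUTH='pam_tally2.so:deny=3 pam_tally2.so:unlock_time=86400 pam_tally2.so:root_unlock_time=300'

# pam_opt MODULE KEY   (PAM config on stdin)
# Prints the value of KEY from the first non-comment line that loads MODULE
# and carries KEY=VALUE.  Prints nothing if the option is absent, in which
# case the module's compiled-in default applies; the audit treats that as drift.
pam_opt() {
    awk -v mod="$1" -v key="$2" '
        /^[[:space:]]*#/ { next }
        index($0, mod) {
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == key && kv[2] != "") { print kv[2]; exit }
            }
        }'
}

# audit_file EXPECTED   (PAM config on stdin)
# Prints OK/DRIFT per expected setting and returns the number of deviations.
audit_file() {
    conf=$(cat)
    bad=0
    for spec in $1; do
        mod=${spec%%:*}; rest=${spec#*:}
        key=${rest%%=*};  want=${rest#*=}
        got=$(printf '%s\n' "$conf" | pam_opt "$mod" "$key")
        if [ "$got" = "$want" ]; then
            echo "OK    $mod $key=$got"
        else
            echo "DRIFT $mod $key=${got:-<unset>} (expected $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Run against the constructed samples.  On a live appliance (as root) use:
#   audit_file "$EXPECTED_PASSWORD" < /etc/pam.d/system-password
#   audit_file "$EXPECTED_AUTH"     < /etc/pam.d/system-auth
echo "== system-password"; printf '%s\n' "$SAMPLE_SYSTEM_PASSWORD" | audit_file "$EXPECTED_PASSWORD" || true
echo "== system-auth";     printf '%s\n' "$SAMPLE_SYSTEM_AUTH"     | audit_file "$EXPECTED_AUTH"     || true
```

The constructed system-auth sample reports two DRIFT lines (deny raised to 10, unlock_time lowered to 60 seconds), which is exactly the kind of silent weakening that a periodic run of this check on the appliance would catch. An option missing from the file is reported as drift rather than assumed to match, because the module default then applies and may differ from the documented value.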

Table 6. Design Decisions on Password Policies for SDDC Manager

IAM-SDDC-SEC-004
Design Decision: Configure the password expiration policy for the SDDC Manager appliance.
Design Justification:
  • You configure the password expiration policy for the SDDC Manager appliance to align with the requirements of your organization, which might be based on industry compliance standards.
  • The password expiration policy applies only to the following accounts of the SDDC Manager appliance:
    • root account
    • vcf account
    • backup account
Design Implication: You must manage the password expiration policy on the SDDC Manager appliance by using the virtual appliance console.

IAM-SDDC-SEC-005
Design Decision: Configure the password complexity policy for the SDDC Manager appliance.
Design Justification:
  • You configure the password complexity policy for SDDC Manager to align with the requirements of your organization, which might be based on industry compliance standards.
  • The policy applies only to the local SDDC Manager appliance users.
Design Implication: You must manage the password complexity policy on the SDDC Manager appliance by using the virtual appliance console.

IAM-SDDC-SEC-006
Design Decision: Configure the account lockout policy for the SDDC Manager appliance.
Design Justification:
  • You configure the account lockout policy for SDDC Manager to align with the requirements of your organization, which might be based on industry compliance standards.
  • The policy applies only to the local SDDC Manager appliance users.
Design Implication: You must manage the account lockout policy on the SDDC Manager appliance by using the virtual appliance console.

SDDC Manager Password Management

Changing passwords periodically, or when certain events occur such as an administrator leaving your organization, improves the security posture of the system. You cannot update the passwords of the SDDC Manager appliance operating system accounts (root, vcf, and backup) through the SDDC Manager user interface or API; you update them from the appliance shell. The admin@local API account is the exception: its password is changed through the API. The procedure for updating an SDDC Manager password therefore depends on the account.

For more information, see the Password Management documentation for VMware Cloud Foundation.

Table 7. Design Decisions on Password Management for SDDC Manager

IAM-SDDC-SEC-007
Design Decision: Change the SDDC Manager virtual appliance root, vcf, and backup account passwords on a recurring or event-initiated schedule by using the appliance shell.
Design Justification:
  • The passwords for the root, vcf, and backup accounts of the SDDC Manager virtual appliance expire according to the password expiration settings of each account.
  • You cannot update the SDDC Manager virtual appliance account passwords through the SDDC Manager user interface or API.
Design Implication:
  • You must change the passwords of the virtual appliance root, vcf, and backup accounts by using the SDDC Manager virtual appliance console.
  • You must monitor the password expiration of these accounts.

IAM-SDDC-SEC-008
Design Decision: Change the SDDC Manager local administrative admin@local account password on a recurring or event-initiated schedule by using the API.
Design Justification: The password for the SDDC Manager local administrative admin@local account does not expire, so no expiration mechanism forces a rotation.
Design Implication:
  • You must routinely change the admin@local account password by using the API.
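The expiration settings of Table 3 are per-account fields in /etc/shadow (the file that chage edits), and IAM-SDDC-SEC-007 requires that expiry of the root, vcf and backup passwords be monitored. The following shell script is an added example, not VMware code, that reads shadow-format lines and reports each of those accounts as OK, WARN, EXPIRED, POLICY or NEVER. The shadow lines, the reference day and the 90-day policy value (the Table 3 default for VMware Cloud Foundation 4.5 and later) are constructed for the example.

```shell
#!/bin/sh
# Added example (not VMware code): report password-expiration state of the
# SDDC Manager appliance local accounts (root, vcf, backup) from /etc/shadow.
# Sample lines and the reference date are constructed.

# Constructed /etc/shadow-style lines (hashes replaced with a placeholder).
# Fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# lastchg is the day of the last password change, in days since 1970-01-01.
SAMPLE_SHADOW='root:$6$placeholder:19700:0:90:7:::
vcf:$6$placeholder:19625:0:90:7:::
backup:$6$placeholder:19400:0:365:7:::
daemon:*:19000:0:99999:7:::'

# Fixed reference "today" (days since epoch) so the output is reproducible.
TODAY=19710

# expiry_report TODAY POLICY_MAXDAYS   (shadow content on stdin)
# For root, vcf and backup prints the days until the password must change and
# a status: EXPIRED, WARN (inside the warndays window), POLICY (maxdays longer
# than the policy allows), NEVER (no maximum set) or OK.
# Returns the number of accounts whose status is not OK.
expiry_report() {
    awk -F: -v today="$1" -v policy_max="$2" '
        $1 == "root" || $1 == "vcf" || $1 == "backup" {
            lastchg = $3 + 0; maxd = $5; warnd = $6 + 0
            status = "OK"; left = "n/a"
            if (maxd == "" || maxd + 0 >= 99999) {
                status = "NEVER"
            } else {
                left = lastchg + maxd - today
                if (left < 0)                       status = "EXPIRED"
                else if (left <= warnd)             status = "WARN"
                else if (maxd + 0 > policy_max + 0) status = "POLICY"
            }
            if (status != "OK") bad++
            printf "%-8s days_left=%-5s maxdays=%-6s %s\n", $1, left, maxd, status
        }
        END { exit bad + 0 }'
}

# Remediation for a POLICY finding (run as root on the appliance), using the
# Table 3 defaults:  chage -M 90 -m 0 -W 7 backup
# Live run:  expiry_report "$(( $(date +%s) / 86400 ))" 90 < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | expiry_report "$TODAY" 90 || echo "accounts needing attention: $?"
```

Against the constructed data, root is OK (80 days left), vcf is WARN (5 days left, inside the 7-day warning window) and backup is POLICY (365-day maximum against a 90-day policy), so the exit status is 2. A NEVER result means a maximum was never set for the account, which is the state a freshly created local account can be left in and which the policy of Table 3 is meant to prevent; the script exits non-zero for it so that a scheduled run can alert.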