You can log in to NSX Manager using a local user account, a user account managed by VMware Identity Manager (vIDM), or a user account managed by a directory service such as Active Directory over LDAP or OpenLDAP. Starting in NSX 4.1.2, you can use VMware vCenter server as an external identity provider by connecting NSX to Workspace ONE Access Broker using VMware Cloud Foundation SDDC Manager. You can also assign roles to user accounts managed by vIDM, OpenID Connect, or a directory service to implement role-based access control.
NSX Manager recognizes only system-generated session identifiers and invalidates session identifiers upon administrator logout or other session termination. Upon successful login, the NSX Manager uses a random number generator to create a random session ID and stores that ID in memory. When clients make requests to the NSX Manager, it only allows clients to authenticate if the session ID they present matches one of the IDs generated by the server. When any user logs out of NSX Manager, the session identifier is immediately destroyed and cannot be reused.
Access to NSX Manager via UI, API and CLI is subject to authentication and authorization. In addition, such access will generate audit logs. This logging is enabled by default and cannot be disabled. Auditing of sessions is initiated at system startup. Audit log messages include the text audit="true" in the structured data part of the log message.
Local user passwords on NSX appliances are secured using the default Linux/PAM libraries, which store the hashed and salted representation in /etc/shadow. NSX Manager uses the SHA512 cryptographic hash algorithm to hash the local user passwords. During authentication, the password entered by the user is obfuscated. Other passwords are encrypted using a random key that is stored in the local file system. For more details, see the VMware Security Hardening Guides, or review the SHA512 Ubuntu man pages and the Internet FAQ titled "Understanding /etc/shadow file format on Linux."