VMware Tanzu Application Service Compliance

It is a deployer responsibility to define all cryptographic key management policies and procedures. Tanzu Application Service (TAS for VMs) satisfies all implied technical control requirements. For all VMware Tanzu Application Service releases, all certificates and keys in the environment can be rotated by the deployer, including the “non-configurable” certificates in VMware Tanzu Operations Manager. Procedures exist explaining how to rotate keys for Tanzu Operations Manager and IPsec.

Rotation of the Cloud Controller mysql database key is supported in releases after v2.2.

More information on cryptographic key management is available on the following pages:

• IPsec credential management
• Tanzu Operations Manager credential management
• CredHub in TAS for VMs
• CredHub in Operations Manager

Control Description

The organization establishes and manages cryptographic keys for required cryptography employed within the information system in accordance with [Assignment: organization-defined requirements for key generation, distribution, storage, access, and destruction].

Supplemental Guidance

Cryptographic key management and establishment can be performed using manual procedures or automated mechanisms with supporting manual procedures. Organizations define key management requirements in accordance with applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance, specifying appropriate options, levels, and parameters. Organizations manage trust stores to ensure that only approved trust anchors are in such trust stores. This includes certificates with visibility external to organizational information systems and certificates related to the internal operations of systems.