Protect the vRealize Log Insight deployment by providing centralized role-based authentication and secure communication with the other components in the Software-Defined Data Center (SDDC).

Authentication

Enable role-based access control in vRealize Log Insight by using the existing rainpole.local Active Directory domain.

Table 1. Design Decisions about Authorization and Authentication Management for vRealize Log Insight

Decision ID: SDDC-OPS-LOG-013
Design Decision: Use Active Directory for authentication.
Design Justification: Provides fine-grained role- and privilege-based access for administrator and operator roles, with account life cycle, password policy, and lockout handled centrally in the directory.
Design Implication: All vRealize Log Insight nodes must be able to reach the Active Directory domain controllers.

Decision ID: SDDC-OPS-LOG-014
Design Decision: Configure a service account svc-vrli on vCenter Server for application-to-application communication from vRealize Log Insight to vSphere.
Design Justification: Provides the following access control features:
  • vRealize Log Insight accesses vSphere with the minimum set of permissions required to collect vCenter Server events, tasks, and alarms and to configure ESXi hosts for syslog forwarding.
  • If the account is compromised, the attacker's access to vSphere is limited to that minimum set of permissions.
  • Improves accountability when tracing request-response interactions between the components of the SDDC, because requests from vRealize Log Insight are attributable to a dedicated identity rather than to a shared administrator account.
Design Implication: You must maintain the service account's life cycle (creation, password rotation, disablement) outside of the SDDC stack to ensure its availability.

Decision ID: SDDC-OPS-LOG-015
Design Decision: Use global permissions when you assign the role to the svc-vrli service account in vCenter Server.
Design Justification:
  • Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vCenter Single Sign-On domain, instead of creating a separate inventory permission on each vCenter Server.
  • Provides a consistent authorization layer.
Design Implication: All vCenter Server instances must be in the same vCenter Single Sign-On domain, because global permissions are replicated only within one Single Sign-On domain.

Decision ID: SDDC-OPS-LOG-016
Design Decision: Configure a service account svc-vrli-vrops on vRealize Operations Manager for application-to-application communication from vRealize Log Insight for a two-way launch in context.
Design Justification: Provides the following access control features:
  • vRealize Log Insight and vRealize Operations Manager access each other with the minimum set of required permissions.
  • If the account is compromised, the attacker's access to the destination application is limited to that minimum set of permissions.
  • Improves accountability when tracing request-response interactions between the components of the SDDC, because each request is attributable to a dedicated identity.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.
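The following PowerCLI script is an added example, not part of the VMware Validated Design text, that implements SDDC-OPS-LOG-014: it creates the least-privilege vCenter Server role for svc-vrli and, on every later run, removes any privilege that has been added to the role since, so the "minimum set of permissions" does not drift upward. The vCenter FQDN, the role name, and the privilege list are assumptions made for this example (the listed host configuration privileges are the ones this example takes to be required for ESXi syslog configuration; the read-only System.* privileges that every role carries are enough for collecting events, tasks, and alarms). Verify the list against the vRealize Log Insight documentation for your version before using it.

```powershell
# Added example (not part of the VMware Validated Design text): build and
# reconcile the least-privilege vCenter role for svc-vrli with PowerCLI.
# Assumptions: vCenter FQDN, role name and privilege list are placeholders.

param(
    [string]$VCenter  = 'vc01.rainpole.local',   # assumption
    [string]$RoleName = 'vRLI-Collector'          # assumption
)

Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server $VCenter | Out-Null

# Privileges this example assumes vRealize Log Insight needs on ESXi hosts to
# set the syslog target and open the outbound syslog firewall rule.
$required = @(
    'Host.Config.AdvancedConfig',   # Host > Configuration > Advanced settings (Syslog.global.logHost)
    'Host.Config.Settings',         # Host > Configuration > Change settings
    'Host.Config.NetService',       # Host > Configuration > Security profile and firewall
    'Host.Config.Network'           # Host > Configuration > Network configuration
)

# System.* privileges are implicit in every role and are ignored when comparing.
$implicit = @('System.Anonymous', 'System.Read', 'System.View')

$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $required)
}

# Reconcile the role: add what is missing, remove anything beyond the minimum.
$current = @((Get-VIPrivilege -Role $role).Id | Where-Object { $_ -notin $implicit })
$missing = @($required | Where-Object { $_ -notin $current })
$extra   = @($current  | Where-Object { $_ -notin $required })

if ($missing.Count -gt 0) {
    Set-VIRole -Role $role -AddPrivilege (Get-VIPrivilege -Id $missing) | Out-Null
}
if ($extra.Count -gt 0) {
    Set-VIRole -Role $role -RemovePrivilege (Get-VIPrivilege -Id $extra) | Out-Null
}

[pscustomobject]@{
    Role    = $RoleName
    Added   = ($missing -join ',')
    Removed = ($extra   -join ',')
}

# SDDC-OPS-LOG-015: grant this role to RAINPOLE\svc-vrli as a global permission
# (vSphere Client: Administration > Access Control > Global Permissions).
# PowerCLI has no cmdlet for global permissions; do not substitute
# New-VIPermission on the root folder, which creates an inventory permission on
# this vCenter Server only and is not replicated to the other instances.

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run the script from a pipeline or scheduled job so that the Removed column becomes an alert: a non-empty value means somebody widened the service account's role after deployment.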

Encryption

Replace default self-signed certificates with a CA-signed certificate to provide secure access to the vRealize Log Insight Web user interface.

Table 2. Design Decision about CA-Signed Certificates for vRealize Log Insight

Decision ID: SDDC-OPS-LOG-017
Design Decision: Replace the default self-signed certificate with a CA-signed certificate.
Design Justification: A CA-signed certificate lets browsers and integrating SDDC components verify the identity of the externally facing Web UI, so that TLS sessions are established without trust warnings. A self-signed certificate also encrypts the session but cannot be validated against a trusted chain, which trains users to click through certificate errors and leaves the endpoint open to impersonation.
Design Implication: The administrator must have access to a Public Key Infrastructure (PKI) to acquire certificates, and the issuing CA must be trusted by the clients and components that connect to the Web UI. The certificate must carry the load balancer FQDN and the node names as Subject Alternative Names, and it must be renewed before it expires.
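The script below is an added example, not part of the VMware Validated Design text, for checking SDDC-OPS-LOG-017 from a client after the certificate has been replaced: it opens a TLS connection to the vRealize Log Insight Web UI, captures the certificate actually presented, and reports whether it is self-signed (subject equals issuer), whether it chains to a root trusted by the client, and whether the FQDN users type appears in its Subject Alternative Names. The FQDN is an assumption; the DnsNameList property is the one PowerShell adds to X509Certificate2 objects.

```powershell
# Added example (not part of the VMware Validated Design text): verify that the
# vRealize Log Insight Web UI presents a CA-signed, trusted, correctly named
# certificate. Assumption: the FQDN below is a placeholder for the ILB/cluster name.

param(
    [string]$VrliFqdn = 'vrli01.rainpole.local',   # assumption
    [int]$Port = 443
)

$remoteCert = $null
$tcp = New-Object System.Net.Sockets.TcpClient($VrliFqdn, $Port)
$ssl = $null
try {
    # Accept the certificate in the callback so the handshake completes; the
    # checks are performed explicitly below and reported instead of thrown.
    $acceptAll = { param($sender, $cert, $chain, $errors) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($VrliFqdn)
    $remoteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

# Chain validation against this client's trust store (the PKI root must be installed).
# Revocation checking is disabled here because it depends on CRL/OCSP reachability;
# enable it where the distribution points are reachable from the client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($remoteCert)

# Self-signed certificates have identical subject and issuer.
$selfSigned = ($remoteCert.Subject -eq $remoteCert.Issuer)

# X509Chain does not check the host name; compare the FQDN with the SAN entries.
$dnsNames  = @($remoteCert.DnsNameList | ForEach-Object { $_.Unicode })
$nameMatch = $dnsNames -contains $VrliFqdn

[pscustomobject]@{
    Subject      = $remoteCert.Subject
    Issuer       = $remoteCert.Issuer
    NotAfter     = $remoteCert.NotAfter
    SelfSigned   = $selfSigned
    ChainTrusted = $chainOk
    ChainStatus  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
    SANs         = ($dnsNames -join ',')
    NameInSAN    = $nameMatch
    Pass         = ((-not $selfSigned) -and $chainOk -and $nameMatch)
}
```

Run it against the load balancer FQDN and against each node name: all three of SelfSigned, ChainTrusted, and NameInSAN must be correct on every address, otherwise some clients will still see certificate warnings after the replacement. A ChainStatus of UntrustedRoot on a CA-signed certificate usually means the client, not the appliance, is missing the PKI root.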