You use a service account for the authentication and authorization of vRealize Orchestrator to vCenter Server when orchestrating and creating virtual objects in the SDDC. You also establish secure communication with vCenter Server by using CA-signed certificates.

Authentication and Authorization

Table 1. Design Decisions on Authorization and Authentication Management for vRealize Orchestrator

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| SDDC-CMP-VRO-006 | Configure a service account svc-vro in vCenter Server for application-to-application communication from vRealize Orchestrator with vSphere. | Introduces improved accountability in tracking request-response interactions between the components of the SDDC. | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability. |
| SDDC-CMP-VRO-007 | Use local permissions when you create the svc-vro service account in vCenter Server. | Ensures that only the Compute vCenter Server instances are valid and accessible endpoints from vRealize Orchestrator. | If you deploy more Compute vCenter Server instances, you must assign the service account local permissions in each additional vCenter Server so that it is a viable endpoint in vRealize Orchestrator. |
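The following PowerCLI script is an added example and is not part of the VMware design page or its tooling. It applies decisions SDDC-CMP-VRO-006 and SDDC-CMP-VRO-007 to each Compute vCenter Server: it creates a local role (scoped to that vCenter Server only, not a global permission) and assigns it to the svc-vro account at the inventory root, repeating the step for every Compute vCenter Server so each one remains a valid endpoint. The hostnames, the role name and the privilege list are placeholders chosen for this example; the real privilege set must be derived from the workflows vRealize Orchestrator is expected to run, and the account is assumed to already exist in the vsphere.local domain.

```powershell
# Added example (not from the VMware design page): assign local, per-vCenter permissions
# to the svc-vro service account on each Compute vCenter Server with PowerCLI.
# Assumptions: svc-vro exists in the vsphere.local SSO domain; the vCenter hostnames,
# role name and privilege list below are placeholders for this example.

$ComputeVCenters = @('comp01-vc.example.local', 'comp02-vc.example.local')  # placeholders
$ServiceAccount  = 'vsphere.local\svc-vro'
$RoleName        = 'vRO-Orchestration'                                      # assumed name
$Privileges      = @(   # assumed minimal set; adjust to the workflows actually in use
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'Datastore.AllocateSpace',
    'Resource.AssignVMToPool',
    'Network.Assign'
)
$Credential = Get-Credential -Message 'Administrator credential for the Compute vCenter Servers'

foreach ($vc in $ComputeVCenters) {
    $server = Connect-VIServer -Server $vc -Credential $Credential
    try {
        # Create the role only if it does not exist yet. A role created this way lives in
        # this vCenter Server only, which is what "local permissions" in the design means.
        $role = Get-VIRole -Server $server -Name $RoleName -ErrorAction SilentlyContinue
        if (-not $role) {
            $privObjects = Get-VIPrivilege -Server $server -Id $Privileges
            $role = New-VIRole -Server $server -Name $RoleName -Privilege $privObjects
        }

        # Assign the permission at the root folder with propagation, so every inventory
        # object in this vCenter Server is reachable without using a global permission.
        $root = Get-Folder -Server $server -NoRecursion
        $existing = Get-VIPermission -Server $server -Entity $root -Principal $ServiceAccount -ErrorAction SilentlyContinue
        if (-not $existing) {
            New-VIPermission -Server $server -Entity $root -Principal $ServiceAccount -Role $role -Propagate:$true | Out-Null
        }
        Write-Host "Local permission for $ServiceAccount with role $RoleName is set on $vc"
    }
    finally {
        Disconnect-VIServer -Server $server -Confirm:$false
    }
}
```

Because the permission is created separately in each Compute vCenter Server, adding a new Compute vCenter Server later means adding its hostname to the list and running the script again; this is the operational cost that the design implication of SDDC-CMP-VRO-007 describes.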

Encryption

The vRealize Orchestrator configuration interface uses a secure connection to communicate with vCenter Server, relational database management systems (RDBMS), LDAP, vCenter Single Sign-On, and other servers. You can import the required SSL certificate from a URL or file. You can import the vCenter Server SSL certificate from the SSL Trust Manager tab in the vRealize Orchestrator configuration interface.
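Before importing a vCenter Server certificate into the SSL Trust Manager, an operator typically wants to confirm that the endpoint presents a CA-signed certificate rather than the default self-signed one. The following script is an added example, not part of the VMware design page: it retrieves the certificate from a vCenter Server endpoint with .NET, then reports its subject, issuer, expiry, whether it is self-signed, whether it chains to a CA trusted by the machine running the script, and its SHA-256 fingerprint for comparison with the value shown in the configuration interface. The hostname is a placeholder.

```powershell
# Added example (not from the VMware design page): inspect the certificate a vCenter Server
# presents before importing it into the vRealize Orchestrator SSL Trust Manager.
# Assumption: the hostname below is a placeholder for a Compute vCenter Server.

function Get-EndpointCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake only so the object can be retrieved
        # for inspection; the trust decision is made explicitly below with X509Chain.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $client.Close()
    }
}

function Test-CertificateIsCASigned {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # A self-signed certificate has the same distinguished name as subject and issuer.
    $selfSigned = $Certificate.Subject -eq $Certificate.Issuer
    # Build the chain against the local trust store to see whether the issuing CA is trusted.
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    # SHA-256 over the DER encoding, formatted like the fingerprint shown in most UIs.
    $sha256 = [System.Security.Cryptography.SHA256]::Create().ComputeHash($Certificate.RawData)
    [pscustomobject]@{
        Subject      = $Certificate.Subject
        Issuer       = $Certificate.Issuer
        NotAfter     = $Certificate.NotAfter
        SelfSigned   = $selfSigned
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Sha256       = ($sha256 | ForEach-Object { $_.ToString('X2') }) -join ':'
    }
}

$cert   = Get-EndpointCertificate -HostName 'comp01-vc.example.local'   # placeholder hostname
$result = Test-CertificateIsCASigned -Certificate $cert
$result | Format-List
if ($result.SelfSigned -or -not $result.ChainTrusted) {
    Write-Warning 'Certificate is self-signed or does not chain to a trusted CA; replace it with a CA-signed certificate before importing it into SSL Trust Manager.'
}
```

Compare the reported SHA-256 fingerprint with the one displayed when you import the certificate from the URL in the SSL Trust Manager tab; a mismatch means the configuration interface reached a different endpoint or certificate than the one you inspected.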

Table 2. Design Decisions on Using CA-Signed Certificates in vRealize Orchestrator

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| SDDC-CMP-VRO-008 | Use the vRealize Automation appliance certificate. | Simplifies the configuration of the embedded vRealize Orchestrator instance. | None. |