Protect the vRealize Log Insight deployment by providing centralized role-based authentication and secure communication with the other components in the SDDC.

Authentication

Enable role-based access control in vRealize Log Insight by using the existing rainpole.local Active Directory domain.

Table 1. Design Decisions on Authorization and Authentication Management in vRealize Log Insight

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| ROBO-OPS-LOG-010 | Use Active Directory for authentication. | Provides fine-grained role- and privilege-based access for administrator and operator roles. | You must provide access to the Active Directory from all Log Insight nodes. |
| ROBO-OPS-LOG-011 | Configure a service account svc-vrli-vsphere on ROBO vCenter Server for application-to-application communication from vRealize Log Insight to vSphere. | Provides the following access control features: (1) vRealize Log Insight accesses vSphere with the minimum set of permissions required to collect vCenter Server events, tasks, and alarms and to configure ESXi hosts for syslog forwarding. (2) If the account is compromised, access to the destination application remains restricted to that minimum set. (3) You can introduce improved accountability in tracking request-response interactions between the components of the SDDC. | You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability. |
| ROBO-OPS-LOG-012 | Use global permissions when you create the svc-vrli-vsphere service account in ROBO vCenter Server. | (1) Simplifies and standardizes the deployment of the service account across all vCenter Servers in the same vSphere domain. (2) Provides a consistent authorization layer. | None. |

Encryption

Replace default self-signed certificates with a CA-signed certificate to provide secure access to the vRealize Log Insight Web user interface.

Table 2. Design Decision on CA-Signed Certificates for vRealize Log Insight

| Decision ID | Design Decision | Design Justification | Design Implication |
|---|---|---|---|
| ROBO-OPS-LOG-013 | Replace the default self-signed certificates with a CA-signed certificate. | Configuring a CA-signed certificate ensures that all communication to the externally facing Web UI is encrypted. | The administrator must have access to a Public Key Infrastructure (PKI) to acquire certificates. |