You protect the vRealize Suite Lifecycle Manager deployment by configuring the authentication and secure communication with the other components in the SDDC. You dedicate a service account to the communication between vRealize Suite Lifecycle Manager and vCenter Server.

You use a custom role in vSphere that carries only the permissions needed to perform lifecycle operations on vRealize Suite components in the SDDC. This custom role is assigned to the dedicated service account that vRealize Suite Lifecycle Manager uses to communicate with each vCenter Server instance in the environment.

Encryption

Access to all vRealize Suite Lifecycle Manager endpoint interfaces requires an SSL/TLS connection. By default, vRealize Suite Lifecycle Manager uses a self-signed certificate for the appliance. To provide secure access to vRealize Suite Lifecycle Manager and to secure communication between SDDC endpoints, replace the default self-signed certificate with a CA-signed certificate.

Authentication and Authorization

Configure a service account for communication between vRealize Suite Lifecycle Manager and vCenter Server endpoint instances. You define a service account with only the minimum set of permissions to perform inventory data collection and lifecycle management operations for the instances defined in the data center.

Table 1. Design Decisions on Authentication and Authorization in vRealize Suite Lifecycle Manager

ID: ROBO-OPS-LCM-008

Design Decision: Assign permissions for the vRealize Suite Lifecycle Manager service account svc-vrslcm-vsphere in vCenter Server using the custom role at the cluster level to the cluster in each ROBO.

Design Justification: vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of VMware vRealize Suite products in the ROBO.

Design Implication: You must maintain the assignment of the service account and the custom role at a cluster level instead of using global permissions.
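The following PowerCLI script is an added example, not part of the original design guide, of how design decision ROBO-OPS-LCM-008 can be applied: it creates the custom role, assigns it to the svc-vrslcm-vsphere account on each ROBO cluster (with propagation) instead of as a global permission, and then lists the resulting permissions so you can verify that none is scoped above the cluster. The vCenter Server hostname, domain prefix, role name, cluster names and the privilege list are assumptions; the privilege IDs are real vSphere privilege IDs but are a placeholder, not the documented minimum set.

```powershell
# Added example (not from the original design guide). Requires VMware.PowerCLI
# and a vCenter Server login that can manage roles and permissions.
Import-Module VMware.PowerCLI

$vCenter   = 'vcenter01.example.local'              # assumed hostname
$principal = 'EXAMPLE\svc-vrslcm-vsphere'           # assumed domain prefix
$roleName  = 'vRSLCM to vSphere Integration'        # assumed role name
$clusters  = @('robo01-cluster01', 'robo02-cluster01')  # assumed ROBO clusters

Connect-VIServer -Server $vCenter | Out-Null

# Placeholder privilege IDs: real vSphere privileges, but NOT the authoritative
# minimum set. Replace with the set documented for vRealize Suite Lifecycle Manager.
$privilegeIds = @(
  'Datastore.AllocateSpace',
  'Network.Assign',
  'Resource.AssignVMToPool',
  'VApp.Import',
  'VirtualMachine.Config.AddNewDisk',
  'VirtualMachine.Inventory.Create',
  'VirtualMachine.Interact.PowerOn'
)

# Create the custom role only if it does not already exist, so the script is re-runnable.
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
  $privileges = Get-VIPrivilege -Id $privilegeIds
  $role = New-VIRole -Name $roleName -Privilege $privileges
}

# Assign the role at the cluster level in each ROBO, propagating to child objects
# (hosts, resource pools, VMs) beneath that cluster only. No global permission is created.
foreach ($clusterName in $clusters) {
  $cluster = Get-Cluster -Name $clusterName
  New-VIPermission -Entity $cluster -Principal $principal -Role $role -Propagate:$true | Out-Null
}

# Verification: every permission held by the service account should be scoped to a
# cluster object. Any entry whose Entity is a datacenter or the root folder indicates
# an over-broad assignment that violates the design decision.
Get-VIPermission -Principal $principal |
  Select-Object Entity, Role, Propagate |
  Format-Table -AutoSize

Disconnect-VIServer -Server $vCenter -Confirm:$false
```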