For orchestrating and creating virtual objects in the SDDC, you use a service account for authentication and authorization of vRealize Automation to vCenter Server and vRealize Operations Manager.

Authentication and Authorization

Users can authenticate to vRealize Automation in the following ways:

  • Import users or user groups from an LDAP database. Users can use their LDAP credentials to log in to vRealize Automation.
  • Create local user accounts in vRealize Operations Manager. vRealize Automation performs local authentication using account information stored in its global database.

vRealize Automation also authenticates to the following systems:

  • Compute vCenter Server and NSX for workload provisioning
  • vRealize Operations Manager for workload reclamation

Table 1. Design Decisions on Authorization and Authentication Management for vRealize Automation

Decision ID: CSDDC-CMP-012
Design Decision: Join vRealize Automation IaaS VMs to Active Directory.
Design Justification: Active Directory access is a hard requirement for vRealize Automation.
Design Implication: Active Directory access must be provided using dedicated service accounts.

Decision ID: CSDDC-CMP-013
Design Decision: Configure a service account svc-vra in vCenter Server and NSX for application-to-application communication from vRealize Automation with vSphere and NSX.
Design Justification: Provides the following access control features:
  • The proxy agents in vRealize Automation access vSphere and NSX with the minimum set of permissions that are required to collect metrics about vSphere inventory objects.
  • In the event of a compromised account, the accessibility in the destination application remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Decision ID: CSDDC-CMP-014
Design Decision: Use local permissions when you create the svc-vra service account in vCenter Server.
Design Justification: Supports future expansion to a dual-region environment.
Design Implication: If you deploy more vCenter Server instances, you must ensure that the service account has been assigned local permissions in each vCenter Server so that this vCenter Server is a valid endpoint in vRealize Automation.

Decision ID: CSDDC-CMP-015
Design Decision: Configure a service account svc-vra-vrops on vRealize Operations Manager for application-to-application communication from vRealize Automation for collecting health and resource metrics for tenant workload reclamation.
Design Justification: Provides the following access control features:
  • vRealize Automation accesses vRealize Operations Manager with the minimum set of permissions that are required for collecting metrics to determine the workloads that are potential candidates for reclamation.
  • In the event of a compromised account, the accessibility in the destination application remains restricted.
  • You can introduce improved accountability in tracking request-response interactions between the components of the SDDC.
Design Implication: You must maintain the service account's life cycle outside of the SDDC stack to ensure its availability.

Encryption

Access to all vRealize Automation Web applications requires an SSL connection. By default, vRealize Automation uses a self-signed certificate. To provide secure access to the vRealize Automation user interfaces and between the IaaS components interacting with each other by using Web applications, replace the default self-signed certificates with a CA-signed certificate.

Table 2. Design Decision on Using CA-Signed Certificates in vRealize Automation

Decision ID: CSDDC-CMP-016
Design Decision: Replace the default self-signed certificates with a CA-signed certificate.
Design Justification: Ensures that all communication to the externally facing Web UI and between the IaaS components is encrypted.
Design Implication: You must contact a certificate authority.
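The check that verifies CSDDC-CMP-016 has been carried out is whether an endpoint certificate is self-signed (issuer equals subject and the signature verifies under its own key). The following Go program is an added example, not part of the VMware design; it builds both cases in memory using constructed host and CA names, so that the same isSelfSigned function can later be pointed at a certificate fetched from a vRealize Automation endpoint.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// isSelfSigned reports whether cert was issued by itself: the issuer name equals the
// subject and the signature verifies under the certificate's own public key.
func isSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawSubject, cert.RawIssuer) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue builds a minimal certificate for cn (key usage omitted); parent == nil makes it self-signed with its own key.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent, signerKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo builds, in memory, a default-style self-signed certificate and a CA-signed
// replacement for the same constructed host name, and returns isSelfSigned for each.
func Demo() (defaultSelfSigned, replacementSelfSigned bool) {
	ca, caKey := issue("Example Enterprise CA", 1, true, nil, nil) // constructed CA name
	defaultCert, _ := issue("vra.example.com", 2, false, nil, nil)  // constructed host name
	replacement, _ := issue("vra.example.com", 3, false, ca, caKey)
	return isSelfSigned(defaultCert), isSelfSigned(replacement) // (true, false)
}
```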