You protect the vRealize Suite Lifecycle Manager deployment by configuring the authentication and secure communication with the other components in the SDDC. You dedicate a service account to the communication between vRealize Suite Lifecycle Manager and vCenter Server.
You use a custom role in vSphere with permissions to perform lifecycle operations on vRealize Suite components in the SDDC. A dedicated service account is assigned a custom role for communication between vRealize Suite Lifecycle Manager and the vCenter Server instances in the environment.
Encryption
Access to all vRealize Suite Lifecycle Manager endpoint interfaces requires an SSL connection. By default, vRealize Suite Lifecycle Manager uses a self-signed certificate for the appliance. To provide secure access to the vRealize Suite Lifecycle Manager and between SDDC endpoints, replace the default self-signed certificate with a CA-signed certificate.
ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
SDDC-OPS-LCM-018 | Replace the default self-signed certificate of the virtual appliance of vRealize Suite Lifecycle Manager with a CA-signed certificate. | Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for vRealize Suite Lifecycle Manager, and cross-product communication, is encrypted. | Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered. |
Authentication and Authorization
Users can authenticate to vRealize Suite Lifecycle Manager in the following ways:
- Local Administrator Account
- VMware Identity Manager
vRealize Suite Lifecycle Manager performs local authentication for the default administrator account only. You can also enable primary authentication by using VMware Identity Manager to ensure accountability for user access. You can grant both users and groups access to vRealize Suite Lifecycle Manager to perform tasks and initiate orchestrated operations, such as deployment and upgrade of vRealize Suite components and content.
Configure a service account for communication between vRealize Suite Lifecycle Manager and vCenter Server endpoint instances. You define a service account with only the minimum set of permissions to perform inventory data collection and lifecycle management operations for the instances defined in the data center.
ID | Design Decision | Design Justification | Design Implication |
---|---|---|---|
SDDC-OPS-LCM-019 | Use local authentication for vRealize Suite Lifecycle Manager. | vRealize Suite Lifecycle Manager supports only local authentication or authentication by using VMware Identity Manager. | Although vRealize Suite Lifecycle Manager supports the use of VMware Identity Manager as an authentication source and access control, it is not used in this design. |
SDDC-OPS-LCM-020 | Define a custom vCenter Server role for vRealize Suite Lifecycle Manager that has the minimum privileges required to support the deployment and upgrade of vRealize Suite products in the design. | vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of vRealize Suite products in the design. | You must maintain the permissions required by the custom role. |
SDDC-OPS-LCM-021 | Configure a service account svc-vrslcm-vsphere in vCenter Server for application-to-application communication from vRealize Suite Lifecycle Manager to vSphere. | Provides the following access control features: | You must maintain the lifecycle and availability of the service account outside of the SDDC stack. |
SDDC-OPS-LCM-022 | Assign permissions for the vRealize Suite Lifecycle Manager service account svc-vrslcm-vsphere in vCenter Server using the custom role at the cluster level to the management cluster in the management domain for each region. | vRealize Suite Lifecycle Manager accesses vSphere with the minimum set of permissions that are required to support the deployment and upgrade of VMware vRealize Suite products in the design. | You must maintain the assignment of the service account and the custom role at a cluster level for each management cluster instead of using global permissions. |
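As an added example that is not part of the design text, the following PowerCLI script implements decisions SDDC-OPS-LCM-020 to SDDC-OPS-LCM-022: it creates a custom role, assigns it to svc-vrslcm-vsphere at the management cluster level instead of globally, and then audits every permission the account holds so that a stray root-level or Administrator grant is visible. The privilege list, role name, domain, cluster names and vCenter Server FQDN are assumptions; the real minimum privilege set comes from the product documentation for the deployed vRealize Suite Lifecycle Manager version.

```powershell
# Added example (not from the VMware Validated Design text): creates the custom
# vCenter Server role for vRealize Suite Lifecycle Manager, assigns it to the
# service account svc-vrslcm-vsphere on each management cluster (not globally),
# and audits that the account holds no other permission. Requires VMware PowerCLI.
# ASSUMPTIONS: privilege list is illustrative; role name, domain, cluster names
# and vCenter Server FQDN are placeholders to adapt to the design.

$RoleName     = 'vRSLCM-Lifecycle'                    # assumed role name
$Principal    = 'RAINPOLE\svc-vrslcm-vsphere'         # assumed domain; account from the design
$MgmtClusters = @('sfo01-m01-cl01', 'lax01-m01-cl01') # assumed management cluster names

# Illustrative privileges for OVF deployment of appliances; take the real list
# from the product documentation for the vRSLCM version in use.
$Privileges = @(
    'Datastore.AllocateSpace',
    'Network.Assign',
    'Resource.AssignVMToPool',
    'VirtualMachine.Inventory.Create',
    'VirtualMachine.Config.AddNewDisk',
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'vApp.Import'
)

Connect-VIServer -Server 'sfo01m01vc01.rainpole.local' | Out-Null  # assumed FQDN

# Create the custom role only if it does not exist yet (idempotent).
$role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $RoleName -Privilege (Get-VIPrivilege -Id $Privileges)
}

# Assign the service account with the custom role at the management cluster
# level (SDDC-OPS-LCM-022) rather than as a global permission.
foreach ($clusterName in $MgmtClusters) {
    $cluster = Get-Cluster -Name $clusterName
    New-VIPermission -Entity $cluster -Principal $Principal -Role $role -Propagate:$true | Out-Null
}

# Audit: list every permission held by the service account and flag any grant
# that is not the custom role on a management cluster (e.g. Administrator at root).
Get-VIPermission -Principal $Principal | ForEach-Object {
    [pscustomobject]@{
        Entity    = $_.Entity.Name
        Role      = $_.Role
        Propagate = $_.Propagate
        Compliant = ($_.Role -eq $RoleName) -and ($MgmtClusters -contains $_.Entity.Name)
    }
} | Format-Table -AutoSize
```

Run the audit section on its own after each upgrade or role change to confirm that the account still holds only the cluster-level assignment required by the design.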