You design authentication, access controls, and certificate management for the NSX-T Data Center instance in the workload domain according to industry standards and the requirements of your organization.

Identity Management

Users can authenticate to NSX-T Manager from any of the following sources. Note that you cannot assign roles to local user accounts, so role-based access control requires one of the directory-backed sources.

  • Local user accounts

  • Active Directory by using LDAP

  • Active Directory by using Workspace ONE Access

  • Principal identity

Table 1. Design Decisions on Identity Management in NSX-T Data Center

Decision ID: VCF-WLD-VI-SDN-055
Design Decision: Limit the use of local accounts.
Design Justification:
  • Local accounts are shared rather than user-specific, so actions cannot be fully audited back to an individual person.
  • Local accounts do not provide full role-based access control capabilities.
Design Implication: You must use Active Directory for user accounts.

Decision ID: VCF-WLD-VI-SDN-056
Design Decision: Enable NSX-T Manager integration with your corporate identity source by using the region-specific Workspace ONE Access instance.
Design Justification:
  • Provides integration with Active Directory for role-based access control. You can introduce authorization policies by assigning NSX-T roles to enterprise users and groups defined in your corporate identity source.
  • Simplifies deployment by consolidating the Active Directory integration for the SDDC in a single component, Workspace ONE Access.
Design Implication: You must have the region-specific Workspace ONE Access instance deployed before configuring role-based access in NSX-T Manager.

Decision ID: VCF-WLD-VI-SDN-057
Design Decision: Use Active Directory groups to grant privileges to roles in NSX-T Data Center.
Design Justification:
  • Centralizes role-based access control by mapping roles in NSX-T Data Center to Active Directory groups.
  • Simplifies user management.
Design Implication:
  • You must create the role configuration outside of the SDDC stack.
  • You must set an appropriate directory synchronization interval in Workspace ONE Access so that group membership changes, including removals, propagate to NSX-T Manager within the time your security and recoverability SLAs allow.

Decision ID: VCF-WLD-VI-SDN-058
Design Decision: Create an NSX-T Enterprise Admin group rainpole.io\ug-nsx-enterprise-admins in Active Directory and map it to the Enterprise Administrator role in NSX-T Data Center.
Design Justification: Provides full administrator access to the NSX-T Manager user interface and API.
Design Implication: You must maintain the life cycle and availability of the Active Directory group outside of the SDDC stack.

Decision ID: VCF-WLD-VI-SDN-059
Design Decision: Create an NSX-T Auditor group rainpole.io\ug-nsx-auditors in Active Directory and map it to the Auditor role in NSX-T Data Center.
Design Justification: Provides read-only access to NSX-T Data Center.
Design Implication: You must maintain the life cycle and availability of the Active Directory group outside of the SDDC stack.

Decision ID: VCF-WLD-VI-SDN-060
Design Decision: Create more Active Directory groups and map them to roles in NSX-T Data Center according to the business and security requirements of your organization.
Design Justification: Each organization has its own internal business processes. You evaluate the role separation needs in your business and implement the mapping from individual user accounts to Active Directory groups and from those groups to roles in NSX-T Data Center.
Design Implication: You must maintain the life cycle and availability of the Active Directory groups outside of the SDDC stack.

Decision ID: VCF-WLD-VI-SDN-061
Design Decision: Grant administrators access to both the NSX-T Manager user interface and its RESTful API endpoint.
Design Justification: Administrators interact with NSX-T Data Center by using both its user interface and its API.
Design Implication: None.

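The following script audits a set of NSX-T role bindings against decisions VCF-WLD-VI-SDN-055 through 059 above: no local accounts beyond the built-in admin and audit users, no roles bound directly to individual remote users, groups sourced from Workspace ONE Access, and the two named rainpole.io groups mapped to their roles. It is an added example, not code from the VMware design guide. It assumes the response shape of GET /api/v1/aaa/role-bindings (a "results" list whose items carry "name", "type", "identity_source_type" and a "roles" list of objects with a "role" key) and the role identifiers enterprise_admin and auditor; the sample bindings are constructed to include three violations.

```python
"""Audit NSX-T role bindings against the identity-management design decisions.

Added example, not from the VMware design guide. The response shape and the
identity_source_type values ("VIDM" for Workspace ONE Access, "LDAP" for a
direct LDAP source) are assumptions; the sample data is constructed.
"""

# Groups the design (VCF-WLD-VI-SDN-058/059) expects to hold each role.
EXPECTED_GROUP_ROLES = {
    "rainpole.io\\ug-nsx-enterprise-admins": "enterprise_admin",
    "rainpole.io\\ug-nsx-auditors": "auditor",
}

# Built-in local accounts that NSX-T always carries; any other local account,
# or a role bound to an individual remote user, violates SDN-055 / SDN-057.
BUILTIN_LOCAL_USERS = {"admin", "audit"}

# Constructed sample of what a GET of the role bindings might return.
SAMPLE_BINDINGS = {
    "results": [
        {"name": "admin", "type": "local_user",
         "roles": [{"role": "enterprise_admin"}]},
        {"name": "audit", "type": "local_user",
         "roles": [{"role": "auditor"}]},
        {"name": "rainpole.io\\ug-nsx-enterprise-admins", "type": "remote_group",
         "identity_source_type": "VIDM", "roles": [{"role": "enterprise_admin"}]},
        {"name": "rainpole.io\\ug-nsx-auditors", "type": "remote_group",
         "identity_source_type": "VIDM", "roles": [{"role": "auditor"}]},
        # Violations: a direct user binding, an extra local admin account, and
        # an Enterprise Admin group from a direct LDAP source.
        {"name": "jdoe@rainpole.io", "type": "remote_user",
         "identity_source_type": "VIDM", "roles": [{"role": "network_engineer"}]},
        {"name": "svc-automation", "type": "local_user",
         "roles": [{"role": "enterprise_admin"}]},
        {"name": "rainpole.io\\ug-nsx-legacy-admins", "type": "remote_group",
         "identity_source_type": "LDAP", "roles": [{"role": "enterprise_admin"}]},
    ]
}


def audit_role_bindings(bindings):
    """Return a list of findings; an empty list means the bindings match the design.

    Principal identities (type "principal_identity") are certificate-based
    service accounts and are deliberately left out of this check.
    """
    findings = []
    roles_by_group = {}
    for binding in bindings.get("results", []):
        name = binding.get("name", "")
        btype = binding.get("type")
        roles = {entry["role"] for entry in binding.get("roles", [])}
        if btype == "local_user" and name not in BUILTIN_LOCAL_USERS:
            findings.append(
                f"SDN-055: non-built-in local account '{name}' holds {sorted(roles)}")
        elif btype == "remote_user":
            findings.append(
                f"SDN-057: '{name}' is bound directly; grant roles through an AD group instead")
        elif btype == "remote_group":
            roles_by_group[name] = roles
            source = binding.get("identity_source_type")
            if source != "VIDM":
                findings.append(
                    f"SDN-056: group '{name}' comes from {source}, not Workspace ONE Access")
            if "enterprise_admin" in roles and name not in EXPECTED_GROUP_ROLES:
                findings.append(f"SDN-058: unexpected Enterprise Admin group '{name}'")
    # The designed groups must exist and carry exactly the role assigned to them.
    for group, role in EXPECTED_GROUP_ROLES.items():
        if role not in roles_by_group.get(group, set()):
            findings.append(f"SDN-058/059: group '{group}' is not mapped to role '{role}'")
    return findings


if __name__ == "__main__":
    for finding in audit_role_bindings(SAMPLE_BINDINGS):
        print(finding)
```

Run it against the JSON that NSX-T Manager returns for the role-bindings call; the three constructed violations produce four findings (the legacy group trips both the identity-source and the unexpected-Enterprise-Admin checks), and an empty binding list reports both designed groups as missing.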
Table 2. Design Decisions on Password Management and Account Lockout for NSX-T Data Center

Decision ID: VCF-WLD-VI-SDN-062
Design Decision: Configure the passwords for CLI access to NSX-T Manager for the root, admin, and audit users, and the account lockout behavior for the CLI, according to the security and compliance standard of your organization.
Design Justification: Aligns with the standard across your organization.
Design Implication: You must run console commands on the NSX-T Manager appliances.

Decision ID: VCF-WLD-VI-SDN-063
Design Decision: Configure the passwords for access to the NSX-T Edge nodes for the root, admin, and audit users, and the account lockout behavior for the CLI, according to the security and compliance standard of your organization.
Design Justification: Aligns with the standard across your organization.
Design Implication: You must run console commands on the NSX-T Edge appliances.

Decision ID: VCF-WLD-VI-SDN-064
Design Decision: Configure the passwords for access to the NSX-T Manager user interface and RESTful API for the admin and audit users, and the account lockout behavior for the user interface and API, according to the security and compliance standard of your organization.
Design Justification: Aligns with the standard across your organization.
Design Implication: You must run console commands on the NSX-T Manager appliances.
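The three decisions above leave the concrete password and lockout values to your organization's standard; what a practitioner then needs is a way to check each appliance against that standard and produce the corrected settings. The script below is an added example, not code from the VMware design guide. It assumes the property names of the NSX-T Manager node authentication policy resource (GET/PUT /api/v1/node/aaa/auth-policy: minimum_password_length, the api_* and cli_* lockout settings, with periods in seconds) and that a value of 0 for a failure limit or lockout period disables lockout; the baseline values and the weak sample policy are constructed.

```python
"""Compare an NSX-T Manager authentication policy with an organization baseline.

Added example, not from the VMware design guide. Property names follow the
assumed shape of /api/v1/node/aaa/auth-policy; the baseline is hypothetical.
"""

# Hypothetical organization baseline; substitute the values from your standard.
BASELINE = {
    "minimum_password_length": 15,
    "api_max_auth_failures": 5,
    "api_failed_auth_lockout_period": 900,
    "api_failed_auth_reset_period": 900,
    "cli_max_auth_failures": 5,
    "cli_failed_auth_lockout_period": 900,
}

# Direction of "stronger" for each property: a password must be at least this
# long and lockout/reset windows at least this long, while the number of
# failures allowed before lockout must be at most this many.
MINIMUMS = {"minimum_password_length", "api_failed_auth_lockout_period",
            "api_failed_auth_reset_period", "cli_failed_auth_lockout_period"}
MAXIMUMS = {"api_max_auth_failures", "cli_max_auth_failures"}

# Constructed sample: a node whose API lockout was disabled "temporarily" for
# an automation client and whose CLI lockout window was shortened.
WEAK_POLICY = {
    "minimum_password_length": 8,
    "api_max_auth_failures": 0,             # assumed: 0 means never lock out
    "api_failed_auth_lockout_period": 0,    # assumed: 0 means never lock out
    "api_failed_auth_reset_period": 900,
    "cli_max_auth_failures": 5,
    "cli_failed_auth_lockout_period": 60,
}


def check_auth_policy(policy, baseline=BASELINE):
    """Return {property: (current, required)} for every setting weaker than the baseline.

    A missing property is reported with current=None so that it is not
    silently treated as compliant.
    """
    drift = {}
    for key, required in baseline.items():
        current = policy.get(key)
        if current is None:
            drift[key] = (None, required)
            continue
        if key in MAXIMUMS:
            # Zero disables lockout entirely, which is weaker than any limit.
            weak = current == 0 or current > required
        else:
            # Zero also disables a lockout period, and 0 < required catches it.
            weak = current < required
        if weak:
            drift[key] = (current, required)
    return drift


def remediation_payload(policy, baseline=BASELINE):
    """Build the body to PUT back so that every drifted setting meets the baseline.

    Settings that are already at or above the baseline are left unchanged, so
    a site that chose stricter values than the baseline keeps them.
    """
    fixed = dict(policy)
    for key, (_, required) in check_auth_policy(policy, baseline).items():
        fixed[key] = required
    return fixed


if __name__ == "__main__":
    for key, (current, required) in check_auth_policy(WEAK_POLICY).items():
        print(f"{key}: {current} (required {required})")
    print(remediation_payload(WEAK_POLICY))
```

The same check applies to the NSX-T Edge nodes (VCF-WLD-VI-SDN-063), since each appliance carries its own authentication policy; the point of separating MINIMUMS from MAXIMUMS is that a naive "value differs from baseline" comparison would flag a site that deliberately chose a longer lockout window as non-compliant, while missing a zero that switches lockout off.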

Certificate Management

Access to all NSX-T Manager interfaces must use an encrypted connection over Transport Layer Security (TLS), still commonly referred to as SSL. By default, NSX-T Manager uses a self-signed certificate. This certificate is not trusted by end-user devices or Web browsers, so clients cannot distinguish the genuine NSX-T Manager from an impostor that presents its own self-signed certificate.

As a best practice, replace self-signed certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA).

Table 3. Design Decisions on Certificate Management in NSX-T Manager

Decision ID: VCF-WLD-VI-SDN-065
Design Decision: Replace the default self-signed certificate of the NSX-T Manager instance for the workload domain with a certificate that is signed by a third-party or enterprise certificate authority.
Design Justification: Ensures that NSX-T administrators and integrating systems can verify that they are connecting to the genuine NSX-T Manager instance, instead of being trained to click through certificate warnings. The self-signed certificate already encrypts the session; what it lacks is a trust chain.
Design Implication: Replacing the default certificates with CA-signed certificates might increase the deployment preparation time because you must generate and submit certificate signing requests.

Decision ID: VCF-WLD-VI-SDN-066
Design Decision: Use a SHA-2 algorithm or stronger when signing certificates.
Design Justification: SHA-1 is vulnerable to practical collision attacks and has been deprecated for certificate signatures by browsers and certificate authorities.
Design Implication: Legacy certificate authorities or clients might not support SHA-2.

Decision ID: VCF-WLD-VI-SDN-067
Design Decision: Use SDDC Manager for NSX-T Manager certificate life cycle management.
Design Justification: Ensures consistent life cycle management across management components in the SDDC.
Design Implication: None.