You design authentication, access control, and certificate management for the NSX-T Data Center instance in the management domain according to industry standards and the requirements of your organization.

Identity Management

Users can authenticate to NSX-T Manager from several sources:

  • Local user accounts

  • Active Directory by using LDAP

  • Active Directory by using Workspace ONE Access

  • Principal identity

Role-based access control is not available with local user accounts.

Table 1. Design Decisions on Identity Management in NSX-T Data Center

SDDC-MGMT-VI-SDN-108

Design Decision: Limit the use of local accounts.

Design Justification:

  • Local accounts are not user specific and do not offer complete auditing from solutions back to users.

  • Local accounts do not provide full role-based access control capabilities.

Design Implication: You must use Active Directory for user accounts.

SDDC-MGMT-VI-SDN-109

Design Decision: Enable NSX-T Manager integration with your corporate identity source by using the region-specific Workspace ONE Access instance.

Design Justification:

  • Provides integration with Active Directory for role-based access control. You can introduce authorization policies by assigning organization and cloud services roles to enterprise users and groups defined in your corporate identity source.

  • Simplifies deployment by consolidating the Active Directory integration for the SDDC in a single component, that is, Workspace ONE Access.

Design Implication: You must have the region-specific Workspace ONE Access instance deployed before configuring role-based access in NSX-T Manager.

SDDC-MGMT-VI-SDN-110

Design Decision: Use Active Directory groups to grant privileges to roles in NSX-T Data Center.

Design Justification:

  • Centralizes role-based access control by mapping roles in NSX-T Data Center to Active Directory groups.

  • Simplifies user management.

Design Implication:

  • You must create the role configuration outside of the SDDC stack.

  • You must set the appropriate directory synchronization interval in Workspace ONE Access to ensure that changes are available within a reasonable period.

SDDC-MGMT-VI-SDN-111

Design Decision: Create an NSX-T Enterprise Admin group rainpole.io\ug-nsx-enterprise-admins in Active Directory and map it to the Enterprise Administrator role in NSX-T Data Center.

Design Justification: Provides administrator access to the NSX-T Manager user interface.

Design Implication: You must maintain the life cycle and availability of the Active Directory group outside of the SDDC stack.

SDDC-MGMT-VI-SDN-112

Design Decision: Create an NSX-T Auditor group rainpole.io\ug-nsx-auditors in Active Directory and map it to the Auditor role in NSX-T Data Center.

Design Justification: Provides read-only access to NSX-T Data Center.

Design Implication: You must maintain the life cycle and availability of the Active Directory group outside of the SDDC stack.

SDDC-MGMT-VI-SDN-113

Design Decision: Create additional Active Directory groups and map them to roles in NSX-T Data Center according to the business and security requirements of your organization.

Design Justification: Each organization has its own internal business processes. You evaluate the needs for role separation in your business and implement the mapping from individual user accounts to Active Directory groups and roles in NSX-T Data Center.

Design Implication: You must maintain the life cycle and availability of the Active Directory groups outside of the SDDC stack.

SDDC-MGMT-VI-SDN-114

Design Decision: Restrict end-user access to both the NSX-T Manager user interface and its RESTful API endpoint.

Design Justification: The workloads in the management domain are not end-user workloads.

Design Implication: End users have access only to endpoint components.
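The group-to-role mapping in decisions SDDC-MGMT-VI-SDN-110 through SDDC-MGMT-VI-SDN-113 is easy to let drift once individual users start being bound directly. The following Python is an added example, not code from this design or from VMware: it reconciles the desired Active Directory group mapping against what NSX-T Manager reports. It assumes the shape of the GET /api/v1/aaa/role-bindings response (fields name, type, identity_source_type, roles[].role), the NSX-T role identifiers enterprise_admin and auditor, and the identity source type VIDM for Workspace ONE Access; verify each against the API reference for your NSX-T version. The sample bindings are constructed, not captured from a real system.

```python
"""Plan NSX-T role-binding changes from the AD-group-to-role design.

Added example; not code from the VMware design or from NSX-T. Assumes the
GET /api/v1/aaa/role-bindings response shape (name, type,
identity_source_type, roles[].role), the role identifiers enterprise_admin
and auditor, and identity_source_type VIDM for Workspace ONE Access.
"""
from typing import Dict, List

# Desired mapping from the design decisions: AD group -> NSX-T role.
DESIRED_GROUP_ROLES: Dict[str, str] = {
    r"rainpole.io\ug-nsx-enterprise-admins": "enterprise_admin",
    r"rainpole.io\ug-nsx-auditors": "auditor",
}

# Constructed sample of the "results" array of GET /api/v1/aaa/role-bindings.
SAMPLE_BINDINGS: List[dict] = [
    {"id": "b1", "name": "admin", "type": "local_user",
     "roles": [{"role": "enterprise_admin"}]},
    {"id": "b2", "name": "audit", "type": "local_user",
     "roles": [{"role": "auditor"}]},
    {"id": "b3", "name": r"rainpole.io\ug-nsx-enterprise-admins",
     "type": "remote_group", "identity_source_type": "VIDM",
     "roles": [{"role": "enterprise_admin"}]},
    # Drift: a user bound directly, bypassing the AD-group model (SDN-110/113).
    {"id": "b4", "name": r"rainpole.io\jdoe", "type": "remote_user",
     "identity_source_type": "VIDM", "roles": [{"role": "enterprise_admin"}]},
]


def role_binding_body(group: str, role: str) -> dict:
    """POST body for /api/v1/aaa/role-bindings that maps an AD group to a
    role through the Workspace ONE Access (VIDM) identity source."""
    return {
        "name": group,
        "type": "remote_group",
        "identity_source_type": "VIDM",
        "roles": [{"role": role}],
    }


def plan_role_bindings(current: List[dict], desired: Dict[str, str]) -> dict:
    """Compare current bindings with the design and return what to change.

    create:       POST bodies for desired groups that have no binding yet
    fix:          existing group bindings whose roles differ from the design
    direct_users: remote_user bindings, which the design says to avoid
    """
    by_group = {b["name"]: b for b in current if b.get("type") == "remote_group"}
    create, fix, direct_users = [], [], []
    for group, role in desired.items():
        existing = by_group.get(group)
        if existing is None:
            create.append(role_binding_body(group, role))
            continue
        current_roles = sorted(r["role"] for r in existing.get("roles", []))
        if current_roles != [role]:
            fix.append({"id": existing["id"], "name": group,
                        "current_roles": current_roles, "desired_roles": [role]})
    for b in current:
        if b.get("type") == "remote_user":
            direct_users.append({"id": b["id"], "name": b["name"],
                                 "roles": [r["role"] for r in b.get("roles", [])]})
    return {"create": create, "fix": fix, "direct_users": direct_users}


if __name__ == "__main__":
    import json
    print(json.dumps(plan_role_bindings(SAMPLE_BINDINGS, DESIRED_GROUP_ROLES), indent=2))
```

Run against the real listing, the plan tells you which POST calls are still missing, which group bindings were edited by hand, and which users were granted roles directly instead of through a group. The built-in local admin and audit users keep their fixed roles and are deliberately not flagged; the design limits their use rather than removing them.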

Password Management and Account Lockout Behavior for NSX-T Manager and NSX-T Edge Nodes

By default, passwords must contain at least eight characters and expire after 90 days. You configure the lockout behavior for the NSX-T command line interface (CLI) separately from the lockout behavior for the NSX-T Manager user interface and RESTful API.

Table 2. Design Decisions on Password Management and Account Lockout for NSX-T Data Center

SDDC-MGMT-VI-SDN-115

Design Decision: Configure the passwords for CLI access to NSX-T Manager for the root, admin, and audit users, and the account lockout behavior for the CLI, according to the industry standard for security and compliance of your organization.

Design Justification: Aligns with the industry standard across your organization.

Design Implication: You must run console commands on the NSX-T Manager appliances. For example, you set the CLI lockout behavior by running commands such as set auth-policy cli lockout-period <lockout-period> and set auth-policy cli max-auth-failures <auth-failures>.

SDDC-MGMT-VI-SDN-116

Design Decision: Configure the passwords for access to the NSX-T Edge nodes for the root, admin, and audit users, and the account lockout behavior for the CLI, according to the industry standard for security and compliance of your organization.

Design Justification: Aligns with the industry standard across your organization.

Design Implication: You must run console commands on the NSX-T Edge appliances.

SDDC-MGMT-VI-SDN-117

Design Decision: Configure the passwords for access to the NSX-T Manager user interface and RESTful API for the root, admin, and audit users, and the account lockout behavior for the user interface and RESTful API, according to the industry standard for security and compliance of your organization.

Design Justification: Aligns with the industry standard across your organization.

Design Implication: You must run console commands on the NSX-T Manager appliances.

Password Management and Account Lockout Behavior for NSX-T Global Manager

The version of SDDC Manager in this design does not support password rotation for the NSX-T Global Manager appliances. All password change operations must be done manually.

Table 3. Design Decisions on Password Management and Account Lockout for NSX-T Global Manager

SDDC-MGMT-VI-SDN-118

Design Decision: For a dual-region SDDC, add the NSX-T Global Manager to the lockout_immune_addresses list on all NSX-T Local Manager instances it is connected to.

Design Justification: If repeated authentication failures on the NSX-T Local Manager occur, such as password mismatch after a password change, the NSX-T Local Manager denies requests from that IP address for a period of time even after the administrator provides the correct password. Adding the NSX-T Global Manager to the lockout_immune_addresses list on an NSX-T Local Manager minimizes disruption in communication caused by a password mismatch or update.

Design Implication: You must call the NSX-T Manager API to add the IP address of the NSX-T Global Manager on the NSX-T Local Manager.

SDDC-MGMT-VI-SDN-119

Design Decision: For a dual-region SDDC, establish an operations practice to capture and update the admin password on the NSX-T Global Manager appliance every time you rotate the admin password on the NSX-T Local Manager appliance.

Design Justification: Because the NSX-T Global Manager communicates with the NSX-T Local Manager by using the admin account, keeping the password in sync ensures connectivity between the NSX-T Global Manager and the connected NSX-T Local Manager instances. If an authentication failure between the NSX-T Global Manager and the NSX-T Local Manager occurs, objects that are created from the NSX-T Global Manager are not propagated to the SDN.

Design Implication: The administrator must establish and follow an operational practice by using a runbook or automated process to ensure that the admin password is updated.
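Decisions SDDC-MGMT-VI-SDN-115 and SDDC-MGMT-VI-SDN-117 leave the actual lockout values to your organizational standard, and SDDC-MGMT-VI-SDN-118 requires an API call whose body is the whole authentication policy. The following Python is an added example, not code from this design or from VMware, that serves both: it compares the policy an NSX-T Manager returns against a baseline, emits the CLI commands that correct each drifted setting, and builds the PUT body that adds the Global Manager to lockout_immune_addresses. It assumes the field names of GET/PUT /api/v1/node/aaa/auth-policy and the NSX-T CLI set auth-policy commands for the API side (lockout-period, max-auth-failures, lockout-reset-period) in addition to the two CLI-side commands named in Table 2; verify both against your NSX-T version. The baseline values and the sample policy are constructed.

```python
"""Check NSX-T auth-policy settings against a baseline and build remediation.

Added example; not code from the VMware design or from NSX-T. Assumes the
field names of GET/PUT /api/v1/node/aaa/auth-policy and the NSX-T CLI
"set auth-policy ..." commands listed in CLI_FOR_FIELD.
"""
import ipaddress
from typing import Dict, List, Tuple

# Organizational baseline (constructed values; replace with your standard).
# "min": current must be at least the value; "max": current must be at most it.
BASELINE: Dict[str, Tuple[int, str]] = {
    "minimum_password_length": (12, "min"),
    "cli_max_auth_failures": (5, "max"),
    "cli_failed_auth_lockout_period": (900, "min"),
    "api_max_auth_failures": (5, "max"),
    "api_failed_auth_lockout_period": (900, "min"),
    "api_failed_auth_reset_period": (900, "min"),
}

# NSX-T CLI command that sets each field; run on every NSX-T Manager node.
CLI_FOR_FIELD: Dict[str, str] = {
    "minimum_password_length": "set auth-policy minimum-password-length {}",
    "cli_max_auth_failures": "set auth-policy cli max-auth-failures {}",
    "cli_failed_auth_lockout_period": "set auth-policy cli lockout-period {}",
    "api_max_auth_failures": "set auth-policy api max-auth-failures {}",
    "api_failed_auth_lockout_period": "set auth-policy api lockout-period {}",
    "api_failed_auth_reset_period": "set auth-policy api lockout-reset-period {}",
}

# Constructed sample of a GET /api/v1/node/aaa/auth-policy response.
SAMPLE_POLICY: dict = {
    "minimum_password_length": 8,
    "cli_max_auth_failures": 10,
    "cli_failed_auth_lockout_period": 900,
    "api_max_auth_failures": 5,
    "api_failed_auth_lockout_period": 300,
    "api_failed_auth_reset_period": 900,
    "lockout_immune_addresses": [],
}


def find_drift(policy: dict, baseline=BASELINE) -> List[Tuple[str, object, int]]:
    """Return (field, current, required) for each setting weaker than baseline."""
    drift = []
    for field, (required, mode) in baseline.items():
        current = policy.get(field)
        weaker = (current is None
                  or (mode == "min" and current < required)
                  or (mode == "max" and current > required))
        if weaker:
            drift.append((field, current, required))
    return drift


def remediation_commands(drift: List[Tuple[str, object, int]]) -> List[str]:
    """NSX-T CLI commands that bring each drifted setting to the baseline."""
    return [CLI_FOR_FIELD[field].format(required) for field, _, required in drift]


def with_immune_address(policy: dict, address: str) -> dict:
    """Copy of the full policy with address added to lockout_immune_addresses.

    The result is the body for PUT /api/v1/node/aaa/auth-policy on each
    NSX-T Local Manager (decision SDN-118). The PUT replaces the whole object,
    so every other field is carried over unchanged. Malformed addresses raise
    ValueError, and the call is idempotent so a runbook can repeat it safely.
    """
    ip = str(ipaddress.ip_address(address))
    updated = dict(policy)
    immune = list(policy.get("lockout_immune_addresses", []))
    if ip not in immune:
        immune.append(ip)
    updated["lockout_immune_addresses"] = immune
    return updated


if __name__ == "__main__":
    for cmd in remediation_commands(find_drift(SAMPLE_POLICY)):
        print(cmd)
    print(with_immune_address(SAMPLE_POLICY, "172.16.11.77"))
```

Two points worth keeping in the runbook. The lockout counters are per manager node, so the CLI commands have to be run on every node of the cluster, not just the one you happen to be logged in to. And an address in lockout_immune_addresses is exempt from brute-force lockout entirely, so the list should contain only the Global Manager, never a jump host or an administrator workstation.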

Certificate Management

Access to all NSX-T Manager interfaces must use a Transport Layer Security (TLS, commonly still called SSL) connection. By default, NSX-T Manager uses a self-signed certificate, which is not trusted by end-user devices or web browsers.

As a best practice, replace self-signed certificates with certificates that are signed by a third-party or enterprise Certificate Authority (CA).

Table 4. Design Decisions on Certificate Management in NSX-T Manager

SDDC-MGMT-VI-SDN-120

Design Decision: Replace the default self-signed certificate of the NSX-T Manager instance for the management domain with a certificate that is signed by a third-party certificate authority.

Design Justification: Ensures that the communication between NSX-T administrators and the NSX-T Manager instance is encrypted by using a trusted certificate.

Design Implication: Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests.

SDDC-MGMT-VI-SDN-121

Design Decision: Use a SHA-2 algorithm or stronger when signing certificates.

Design Justification: The SHA-1 algorithm is considered less secure and has been deprecated.

Design Implication: Not all certificate authorities support SHA-2.

Certificate Management in a Multi-Region SDDC

The version of SDDC Manager in this design does not support certificate replacement for NSX-T Global Manager appliances. When the certificate of the NSX-T Local Manager cluster is replaced, you must update the thumbprint of the new certificate on the connected NSX-T Global Manager.

Table 5. Design Decisions on Certificate Management in NSX-T Global Manager

SDDC-MGMT-VI-SDN-122

Design Decision: For a dual-region SDDC, replace the default self-signed certificate of the NSX-T Global Manager instance for the management domain with a certificate that is signed by a third-party certificate authority.

Design Justification: Ensures that the communication between NSX-T administrators and the NSX-T Global Manager instance is encrypted by using a trusted certificate.

Design Implication: Replacing the default certificates with trusted CA-signed certificates from a certificate authority might increase the deployment preparation time because you must generate and submit certificate requests.

SDDC-MGMT-VI-SDN-123

Design Decision: For a dual-region SDDC, establish an operations practice to capture and update on the NSX-T Global Manager the thumbprint of the NSX-T Local Manager certificate every time the certificate is updated by using SDDC Manager.

Design Justification: Ensures secured connectivity between the NSX-T Manager instances. Each certificate has its own unique thumbprint, and the NSX-T Global Manager stores the thumbprint of each NSX-T Local Manager instance so that it can verify the peer it connects to. If an authentication failure between the NSX-T Global Manager and the NSX-T Local Manager occurs, objects that are created from the NSX-T Global Manager are not propagated to the SDN.

Design Implication: The administrator must establish and follow an operational practice by using a runbook or automated process to ensure that the thumbprint is up to date.
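The runbook behind SDDC-MGMT-VI-SDN-123 needs one reliable step: take the certificate that SDDC Manager just installed on the Local Manager, compute its thumbprint in the form the Global Manager expects, and compare it with the value the Global Manager currently holds. The following Python is an added example, not code from this design or from VMware. It assumes the stored thumbprint is the SHA-256 hash of the Local Manager's DER-encoded API certificate, printed in the colon-separated form that openssl x509 -noout -fingerprint -sha256 produces; because NSX-T CLI output and copy-pasted values vary in case and punctuation, the comparison normalizes both sides. The PEM input is a constructed placeholder whose base64 payload is arbitrary bytes, not a real certificate, so the example runs offline.

```python
"""Compute and compare the SHA-256 thumbprint of an NSX-T Local Manager certificate.

Added example; not code from the VMware design or from NSX-T. Assumes the
Global Manager stores the SHA-256 hash of the Local Manager's DER certificate
(same value as 'openssl x509 -noout -fingerprint -sha256').
"""
import base64
import hashlib
import re
from typing import List

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _pem_block(payload: bytes) -> str:
    """Wrap arbitrary bytes as a PEM CERTIFICATE block (for the constructed sample)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(payload).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed placeholder chain, leaf first then issuing CA, as SDDC Manager
# installs it. The payloads are not real certificates.
SAMPLE_PEM_CHAIN = (_pem_block(b"constructed-leaf-certificate-bytes")
                    + _pem_block(b"constructed-issuing-ca-bytes"))


def pem_to_der(pem: str) -> List[bytes]:
    """Return the DER bytes of every certificate in a PEM file, in file order."""
    blocks = _PEM_BLOCK.findall(pem)
    if not blocks:
        raise ValueError("no CERTIFICATE blocks found in PEM input")
    return [base64.b64decode(re.sub(r"\s+", "", b)) for b in blocks]


def sha256_thumbprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint of a DER certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_thumbprint(value: str) -> str:
    """Accept 'SHA256 Fingerprint=ab:cd:...', 'ab:cd:...' or bare hex and
    return the canonical colon-separated uppercase form."""
    hex_only = re.sub(r"[^0-9a-fA-F]", "", value.split("=")[-1]).upper()
    if len(hex_only) != 64:
        raise ValueError("expected a 64-hex-digit SHA-256 thumbprint")
    return ":".join(hex_only[i:i + 2] for i in range(0, 64, 2))


def leaf_thumbprint(pem_chain: str) -> str:
    """Thumbprint of the first (leaf) certificate in the chain, which is the
    value the Global Manager must hold for the Local Manager cluster."""
    return sha256_thumbprint(pem_to_der(pem_chain)[0])


def needs_update(pem_chain: str, stored_on_gm: str) -> bool:
    """True when the thumbprint stored on the Global Manager no longer matches
    the certificate now installed on the Local Manager."""
    return leaf_thumbprint(pem_chain) != normalize_thumbprint(stored_on_gm)


if __name__ == "__main__":
    print(leaf_thumbprint(SAMPLE_PEM_CHAIN))
```

Only the leaf is hashed: a chain file also carries the issuing CA, and hashing the whole file, or the wrong block, yields a thumbprint the Global Manager will reject. Run the comparison as the last step of the SDDC Manager certificate rotation and before the next Global Manager change, so a mismatch is caught while the old value is still known.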