As a security best practice, you must secure the vRealize Operations console and manage Secure Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure transmission channels.
What to read next
Activating FIPS 140-2 FIPS 140-2 accreditation validates that an encryption solution meets a specific set of requirements designed to protect the cryptographic module from being cracked, altered, or otherwise tampered with. When FIPS 140-2 mode is activated, any secure communication to or from vRealize Operations 8.4 and above uses cryptographic algorithms or protocols that are allowed by the United States Federal Information Processing Standards (FIPS). FIPS mode turns on the cipher suites that comply with FIPS 140-2. Security related libraries that are shipped with vRealize Operations 8.4 and above are FIPS 140-2 certified. However, the FIPS 140-2 mode is not activated by default. FIPS 140-2 mode can be activated if there is a security compliance requirement to use FIPS certified cryptographic algorithms with the FIPS mode activated.
Secure the vRealize Operations Console After you install vRealize Operations , you must log in for the first time and secure the console of each node in the cluster.
Change the Root Password You can change the root password for any vRealize Operations primary or data node at any time by using the console.
Managing Secure Shell, Administrative Accounts, and Console Access For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is deactivated by default on the hardened appliance.
Set Boot Loader Authentication To provide an appropriate level of security, configure boot loader authentication on your VMware virtual appliances. If the system boot loader requires no authentication, users with console access to the system might be able to alter the system boot configuration or boot the system to single user or maintenance mode, which can result in denial of service or unauthorized system access.
Monitor Minimal Necessary User Accounts You must monitor existing user accounts and ensure that any unnecessary user accounts are removed.
Monitor Minimal Necessary Groups You must monitor existing groups and members to ensure that any unnecessary groups or group access is removed.
Resetting the vRealize Operations Manager Administrator Password As a security best practice, you can reset the vRealize Operations admin password for vApp installations.
Configure NTP on vRealize Operations For critical time sourcing, deactivate host time synchronization and use the Network Time Protocol (NTP) on VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP server must be an authoritative time server or at least synchronized with an authoritative time server.
Deactivate the TCP Timestamp Response on Linux Use the TCP timestamp response to approximate the remote host's uptime and aid in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP time stamps.
TLS for Data in Transit As a security best practice, ensure that the system is deployed with secure transmission channels.
Activating TLS on Localhost Connections By default, the localhost connections to the PostgreSQL database do not use TLS. To activate TLS, you have to either generate a self-signed certificate with OpenSSL or provide your own certificate.
Application Resources That Must be Protected As a security best practice, ensure that the application resources are protected.
Apache Configuration
Deactivate Configuration Modes As a best practice, when you install, configure, or maintain vRealize Operations , you can modify the configuration or settings to activate troubleshooting and debugging of your installation.
Managing Nonessential Software Components To minimize security risks, remove or configure nonessential software from your vRealize Operations Manager host machines.
Additional Secure Configuration Activities Block unnecessary ports on your host server that are not required.