As a security best practice, you must secure the vRealize Operations console and manage Secure Shell (SSH), administrative accounts, and console access. Ensure that your system is deployed with secure transmission channels.
Enabling FIPS 140-2
FIPS 140-2 accreditation validates that an encryption solution meets a specific set of requirements designed to protect the cryptographic module from being cracked, altered, or otherwise tampered with. When FIPS 140-2 mode is enabled, any secure communication to or from vRealize Operations 8.4 and above uses only the cryptographic algorithms and protocols allowed by the United States Federal Information Processing Standards (FIPS). FIPS mode turns on the cipher suites that comply with FIPS 140-2. The security-related libraries shipped with vRealize Operations 8.4 and above are FIPS 140-2 certified; however, FIPS 140-2 mode is not enabled by default. It can be enabled when a security compliance requirement calls for FIPS-certified cryptographic algorithms.

Secure the vRealize Operations Console
After you install vRealize Operations, you must log in for the first time and secure the console of each node in the cluster.

Change the Root Password
You can change the root password for any vRealize Operations primary or data node at any time by using the console.

Managing Secure Shell, Administrative Accounts, and Console Access
For remote connections, all hardened appliances include the Secure Shell (SSH) protocol. SSH is disabled by default on the hardened appliance.

Set Boot Loader Authentication
To provide an appropriate level of security, configure boot loader authentication on your VMware virtual appliances. If the system boot loader requires no authentication, users with console access to the system might be able to alter the system boot configuration or boot the system into single-user or maintenance mode, which can result in denial of service or unauthorized system access.

Monitor Minimal Necessary User Accounts
You must monitor existing user accounts and ensure that any unnecessary user accounts are removed.

Monitor Minimal Necessary Groups
You must monitor existing groups and their members to ensure that any unnecessary groups or group access is removed.
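As an added example of the account and group review described in the two sections above (this is not VMware's code or part of the vRealize Operations product), the following POSIX shell audit flags login-capable accounts and populated groups that are missing from an allowlist, plus any account other than root that carries UID 0. The allowlists and the sample passwd and group files are constructed assumptions for a stand-alone run.

```shell
#!/bin/sh
# Added example (not VMware's code): audit a passwd file and a group file for
# accounts and group memberships that are not on an expected allowlist.
# The names in ALLOWED_* and the sample files below are assumptions.

# Accounts that are expected to keep an interactive login shell.
ALLOWED_USERS="root admin"
# Groups that are expected to have any members at all.
ALLOWED_GROUPS="root wheel admin"

# Print accounts that can log in interactively but are not allowlisted,
# and any account other than root that has UID 0 (root-equivalent).
# Usage: unexpected_accounts <passwd-file> "<space-separated allowlist>"
unexpected_accounts() {
    awk -F: -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # shell is not nologin/false and the account is not allowlisted
        $7 !~ /(nologin|false)$/ && !($1 in ok) { print $1 ": interactive shell " $7 }
        # UID 0 grants root privileges regardless of the account name
        $3 == 0 && $1 != "root" { print $1 ": uid 0" }
    ' "$1"
}

# Print groups that have members but are not allowlisted.
# Usage: unexpected_groups <group-file> "<space-separated allowlist>"
unexpected_groups() {
    awk -F: -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $4 != "" && !($1 in ok) { print $1 ": members " $4 }
    ' "$1"
}

# Constructed sample files (not taken from a real appliance).
TMP=$(mktemp -d)
cat > "$TMP/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
postgres:x:26:26::/var/lib/pgsql:/sbin/nologin
toor:x:0:0::/root:/bin/bash
legacyops:x:1001:1001::/home/legacyops:/bin/bash
EOF
cat > "$TMP/group" <<'EOF'
root:x:0:
wheel:x:10:admin
docker:x:999:legacyops
EOF
unexpected_accounts "$TMP/passwd" "$ALLOWED_USERS"
unexpected_groups "$TMP/group" "$ALLOWED_GROUPS"
```

On a real node, point the two functions at /etc/passwd and /etc/group and keep the allowlists under change control so that a new finding means an account or group that was not approved.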
Resetting the vRealize Operations Manager Administrator Password
As a security best practice, you can reset the vRealize Operations admin password for vApp installations.

Configure NTP on VMware Appliances
For critical time sourcing, disable host time synchronization and use the Network Time Protocol (NTP) on VMware appliances. You must configure a trusted remote NTP server for time synchronization. The NTP server must be an authoritative time server or at least synchronized with an authoritative time server.

Disable the TCP Timestamp Response on Linux
An attacker can use the TCP timestamp response to approximate the remote host's uptime and aid in further attacks. Additionally, some operating systems can be fingerprinted based on the behavior of their TCP time stamps.

TLS for Data in Transit
As a security best practice, ensure that the system is deployed with secure transmission channels.

Enabling TLS on Localhost Connections
By default, localhost connections to the PostgreSQL database do not use TLS. To enable TLS, you must either generate a self-signed certificate with OpenSSL or provide your own certificate.

Application Resources That Must Be Protected
As a security best practice, ensure that the application resources are protected.

Apache Configuration

Disable Configuration Modes
As a best practice, when you install, configure, or maintain vRealize Operations, you can modify the configuration or settings to enable troubleshooting and debugging of your installation.

Managing Nonessential Software Components
To minimize security risks, remove or configure nonessential software on your vRealize Operations Manager host machines.

Additional Secure Configuration Activities
Block any ports on your host server that are not required.