Identity and Access Management for VMware Cloud Foundation PDF
Summary
This document provides a guide on Identity and Access Management for VMware Cloud Foundation, focusing on using Active Directory as an identity provider. It details the design, implementation and operation of this approach. The guide also touches upon password management and security policies.
Full Transcript
Identity and Access Management for VMware Cloud Foundation
Modified on 23 JULY 2024
VMware Cloud Foundation services

You can find the most up-to-date technical documentation on the VMware by Broadcom website at: https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2023-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

Contents

- About Identity and Access Management for VMware Cloud Foundation 6
- 1 Design Objectives of Identity and Access Management for VMware Cloud Foundation 16
- 2 Detailed Design of Identity and Access Management for VMware Cloud Foundation 18
  - Logical Design of Identity and Access Management for VMware Cloud Foundation 18
  - Information Security and Access of Identity and Access Management for VMware Cloud Foundation 20
    - Information Security and Access for ESXi for Identity and Access Management for VMware Cloud Foundation 22
    - Information Security and Access for vCenter Server for Identity and Access Management for VMware Cloud Foundation 28
    - Information Security and Access for NSX for Identity and Access Management for VMware Cloud Foundation 42
    - Information Security and Access for SDDC Manager for Identity and Access Management for VMware Cloud Foundation 51
- 3 Planning and Preparation of Identity and Access Management for VMware Cloud Foundation 58
- 4 Implementation of Identity and Access Management for VMware Cloud Foundation 59
  - Automated PowerShell Implementation of Identity and Access Management 60
  - User Interface Implementation of Identity and Access Management 63
    - Configure vCenter Server for Identity and Access Management for VMware Cloud Foundation 64
      - Obtain the Active Directory Root Certificate for Identity and Access Management for VMware Cloud Foundation 64
      - Add Active Directory as Identity Provider to the Management vCenter Server for Identity and Access Management for VMware Cloud Foundation 64
      - Assign vCenter Server Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation 65
      - Assign vCenter Single Sign-On Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation 66
    - Configure SDDC Manager for Identity and Access Management for VMware Cloud Foundation 66
      - Assign SDDC Manager Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation 67
    - Configure NSX Manager for Identity and Access Management for VMware Cloud Foundation 67
      - Configure an LDAP Identity Source in NSX Manager for Identity and Access Management for VMware Cloud Foundation 68
      - Assign NSX Manager Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation 69
      - Configure Service Account Privileges for NSX for Identity and Access Management for VMware Cloud Foundation 69
- 5 Operational Guidance for Identity and Access Management for VMware Cloud Foundation 74
  - Personas in Identity and Access Management for VMware Cloud Foundation 75
  - Operational Verification of Identity and Access Management for VMware Cloud Foundation 75
    - Operational Verification of vCenter Server for Identity and Access Management for VMware Cloud Foundation 76
      - Verify the Authentication to vCenter Server by Using a Local System Account for Identity and Access Management for VMware Cloud Foundation 76
      - Verify Authentication to vCenter Server by Using an Active Directory User Account for Identity and Access Management for VMware Cloud Foundation 77
    - Operational Verification of SDDC Manager for Identity and Access Management for VMware Cloud Foundation 78
      - Verify Authentication in SDDC Manager by Using a Local System Account for Identity and Access Management for VMware Cloud Foundation 79
      - Verify Authentication to SDDC Manager by Using an Active Directory User Account for Identity and Access Management for VMware Cloud Foundation 79
    - Operational Verification of NSX for Identity and Access Management for VMware Cloud Foundation 80
      - Verify the Authentication to NSX by Using a Local System Account for Identity and Access Management for VMware Cloud Foundation 81
      - Verify the Connection of NSX with Active Directory for Identity and Access Management for VMware Cloud Foundation 81
      - Verify Authentication to NSX by Using an Active Directory User Account for Identity and Access Management for VMware Cloud Foundation 82
  - Certificate Management for Identity and Access Management for VMware Cloud Foundation 83
    - Establish Trust with Active Directory for Identity and Access Management for VMware Cloud Foundation 83
      - Establish Trust with Active Directory as Identity Provider in NSX for Identity and Access Management for VMware Cloud Foundation 84
      - Establish Trust with Active Directory as Identity Provider in the Management vCenter Server Instance for Identity and Access Management for VMware Cloud Foundation 85
  - Password Management for Identity and Access Management for VMware Cloud Foundation 85
    - Configuring Password Expiration for Identity and Access Management for VMware Cloud Foundation 87
    - Configuring Password Complexity Policies for Identity and Access Management for VMware Cloud Foundation 88
    - Configuring Account Lockout Policies for Identity and Access Management for VMware Cloud Foundation 88
    - Password Rotation and Remediation for Identity and Access Management for VMware Cloud Foundation 89
      - Schedule Password Rotation for VMware Cloud Foundation Products 91
      - Update the Local User Password Using the Virtual Appliance Console for Identity and Access Management for VMware Cloud Foundation 92
      - Rotate an Account Password Using SDDC Manager for Identity and Access Management for VMware Cloud Foundation 92
      - Reconfigure vCenter Server Integration with Active Directory for Identity and Access Management for VMware Cloud Foundation 93
      - Reconfigure NSX Integration with Active Directory for Identity and Access Management for VMware Cloud Foundation 94
      - Password Remediation for Identity and Access Management for VMware Cloud Foundation 94
    - Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation 95
      - Create a Password Policy Configuration File in PowerShell for Identity and Access Management for VMware Cloud Foundation 96
      - Generate a Password Policy Configuration Drift Report with PowerShell for Identity and Access Management for VMware Cloud Foundation 96
      - Configure Product Password Policies with PowerShell for Identity and Access Management for VMware Cloud Foundation 97
  - Authentication Transition for Identity and Access Management for VMware Cloud Foundation 97
    - Remove Active Directory Group Assignments for Workspace ONE Access in NSX Manager for Identity and Access Management for VMware Cloud Foundation 98
    - Remove Standalone Workspace ONE Access Integration with NSX Manager for Identity and Access Management for VMware Cloud Foundation 99
- 6 Appendix: Design Decisions on Identity and Access Management for VMware Cloud Foundation 101
- 7 Appendix: Default Password Policy Settings for Identity and Access Management for VMware Cloud Foundation 121

About Identity and Access Management for VMware Cloud Foundation

The Identity and Access Management for VMware Cloud Foundation validated solution provides detailed design, implementation, configuration, and operation guidance on the use of Active Directory as an identity provider and authentication source, and on the use of role-based access control (RBAC) in VMware Cloud Foundation™ SDDC Manager™, VMware vCenter® Server, VMware ESXi™, and VMware NSX™.
This document also provides guidance on password management, password policies, and account lockout policies where applicable for the components of the solution.

A VMware by Broadcom validated solution is a well-architected and validated implementation, built and tested by VMware to help customers deliver common business use cases. VMware validated solutions are operational, cost-effective, reliable, and secure. Each solution contains a detailed design, implementation, and operational guidance.

Automation for This Design in VMware Cloud Foundation

VMware Cloud Foundation® SDDC Manager automates the implementation tasks for some design decisions. For the rest of the design decisions, as noted in the design implications, you must perform the implementation steps manually.

To provide a fast and efficient path to automating the Identity and Access Management for VMware Cloud Foundation implementation, this document provides Microsoft PowerShell cmdlets using an open-source module as code-based alternatives to completing certain procedures in each SDDC component's user interface. For additional information, see PowerShell Module for VMware Validated Solutions.

Intended Audience

The Identity and Access Management for VMware Cloud Foundation documentation is intended for cloud architects and administrators who are familiar with and want to use VMware software and a role-based access control solution using a central identity provider for VMware Cloud Foundation.

Support Matrix

The Identity and Access Management for VMware Cloud Foundation validated solution is compatible with certain versions of the VMware products that are used for implementing the solution. Some of the solution-added products are in the End of General Support (EOGS) lifecycle phase. For more information on product version interoperability and lifecycle phase, see VMware Product Interoperability Matrix.

Table 1-1. Software Components in Identity and Access Management for VMware Cloud Foundation

VMware Cloud Foundation 5.2.1
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 5.2.1 Release Notes.
- Solution-added products: None

VMware Cloud Foundation 5.2.0
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 5.2.0 Release Notes.
- Solution-added products: None

VMware Cloud Foundation 5.1.1
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 5.1.1 Release Notes.
- Solution-added products: None

VMware Cloud Foundation 5.1.0
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 5.1.0 Release Notes.
- Solution-added products: None

Table 1-2. End of General Support Software Components in Identity and Access Management for VMware Cloud Foundation

VMware Cloud Foundation 5.0
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 5.0 Release Notes. VMware Aria Suite Lifecycle 8.10.0 (EOGS)
- Solution-added products: None

VMware Cloud Foundation 4.5.2
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.5.2 Release Notes. VMware Aria Suite Lifecycle 8.10.0 (EOGS)
- Solution-added products: None

VMware Cloud Foundation 4.5.1
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.5.1 Release Notes. vRealize Suite Lifecycle Manager 8.8.2 (EOGS)
- Solution-added products: None

VMware Cloud Foundation 4.5.0
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.5.0 Release Notes. vRealize Suite Lifecycle Manager 8.8.2 (EOGS)
- Solution-added products: Workspace ONE Access 3.3.7

VMware Cloud Foundation 4.4.1
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.4.1 Release Notes. vRealize Suite Lifecycle Manager 8.6.2 (EOGS)
- Solution-added products: Workspace ONE Access 3.3.7

VMware Cloud Foundation 4.4.0
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.4.0 Release Notes. vRealize Suite Lifecycle Manager 8.6.2 (EOGS)
- Solution-added products: Workspace ONE Access 3.3.7

VMware Cloud Foundation 4.3.1
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.3.1 Release Notes.
- Solution-added products: Workspace ONE Access 3.3.5 (EOGS)

VMware Cloud Foundation 4.3.0
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.3.0 Release Notes.
- Solution-added products: Workspace ONE Access 3.3.5 (EOGS)

VMware Cloud Foundation 4.2.1
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.2.1 Release Notes.
- Solution-added products: Workspace ONE Access 3.3.4 (EOGS)

VMware Cloud Foundation 4.2.0
- Products part of VMware Cloud Foundation: See VMware Cloud Foundation 4.2.0 Release Notes.
- Solution-added products: Workspace ONE Access 3.3.4 (EOGS)

Note: The software component versions in this table are in the End of General Support (EOGS) phase and are no longer generally supported by VMware. At the time of initial release and during the General Support phase, the software component versions in this solution are actively implemented, tested, and validated by VMware and VMware partners. See VMware Lifecycle Policies.

Before You Apply This Guidance

To design and implement the Identity and Access Management for VMware Cloud Foundation validated solution, your environment must have a certain configuration.

Table 1-3. Supported VMware Cloud Foundation Deployment

Management domain
- Deployment: Automated deployment using VMware Cloud Builder™
- Details: See the following VMware Cloud Foundation documentation:
  - For information on designing the management domain, see VMware Cloud Foundation Design Guide.
  - For information on deploying the management domain, see Getting Started with VMware Cloud Foundation and VMware Cloud Foundation Deployment Guide.
  - For information on operating the management domain, see VMware Cloud Foundation Administration Guide and VMware Cloud Foundation Operations Guide.

(Optional) One or more virtual infrastructure workload domains
- Deployment: Automated deployment using SDDC Manager.
- Details: See the following VMware Cloud Foundation documentation:
  - For information on designing a VI workload domain, see VMware Cloud Foundation Design Guide.
  - For information on deploying the VI workload domains, see Getting Started with VMware Cloud Foundation and VMware Cloud Foundation Administration Guide.
  - For information on operating the VI workload domain, see VMware Cloud Foundation Operations Guide.

Overview of Identity and Access Management for VMware Cloud Foundation

By applying the Identity and Access Management for VMware Cloud Foundation validated solution, you implement centralized RBAC for the management components of VMware Cloud Foundation, and configure password policies according to security best practices.

Table 1-4. Implementation Overview of Identity and Access Management for VMware Cloud Foundation

Stage 1. Plan and prepare the VMware Cloud Foundation environment
- Work with the technology team of your organization on configuring the physical servers, network, and storage in the data center. Collect the environment details and write them down in the VMware Cloud Foundation Planning and Preparation Workbook.

Stage 2. Activate role-based access control on vCenter Server and SDDC Manager
1. Connect the management domain vCenter Server to Active Directory.
2. Grant the required roles and permissions to Active Directory security groups and service accounts.
3. Configure password rotation and lockout policy for the local and service accounts where applicable.

Stage 3. Activate role-based access control on NSX
1. Connect each workload domain NSX Manager to Active Directory.
2. Grant the required roles and permissions to Active Directory security groups and service accounts.
3. Configure password rotation and lockout policy for local and service accounts where applicable.
4. Reconfigure the integration between NSX and vSphere to limit the privileges and scope of access of the NSX service accounts in vCenter Single Sign-On.

Frequently Asked Questions

For additional questions, see VMware Validated Solutions Frequently Asked Questions.

Update History

The Identity and Access Management for VMware Cloud Foundation validated solution is updated when necessary.

09 OCT 2024
- This validated solution now supports VMware Cloud Foundation 5.2.1.
- The PowerValidatedSolutions PowerShell module is now version 2.12.0.
- The VMware.PowerCLI PowerShell module is now version 13.3.0.
- The ImportExcel PowerShell module is now version 7.8.9.

23 JUL 2024
- This validated solution now supports VMware Cloud Foundation 5.2.0.
- This validated solution now uses the PowerValidatedSolutions PowerShell module to obtain the Microsoft CA root certificate. See Obtain the Active Directory Root Certificate for Identity and Access Management for VMware Cloud Foundation.
- The PowerValidatedSolutions PowerShell module is now version 2.11.0.

28 MAY 2024
- This validated solution now provides a single procedure for PowerShell automation. See Automated PowerShell Implementation of Identity and Access Management.
- The PowerValidatedSolutions PowerShell module is now version 2.10.0.

26 MAR 2024
- This validated solution now supports VMware Cloud Foundation 5.1.1.
- The PowerValidatedSolutions PowerShell module is now version 2.9.0.
- The VMware.PowerCLI PowerShell module is now version 13.2.1.
30 JAN 2024
- This validated solution now updates the design, the implementation, and the operational guidance for the use of Active Directory over LDAP instead of Workspace ONE Access as the authentication provider in NSX. See the following:
  - Note: If you previously deployed this validated solution using Workspace ONE Access for authentication, to reconfigure the authentication provider, see Authentication Transition for Identity and Access Management for VMware Cloud Foundation.
  - Information Security and Access of Identity and Access Management for VMware Cloud Foundation
  - Configure NSX Manager for Identity and Access Management for VMware Cloud Foundation
  - Operational Verification of NSX for Identity and Access Management for VMware Cloud Foundation
- The PowerValidatedSolutions PowerShell module is now version 2.8.0.

07 NOV 2023
- This validated solution now supports VMware Cloud Foundation 5.1.0, providing support for password rotation for the NSX Manager audit account. See Information Security and Access for NSX for Identity and Access Management for VMware Cloud Foundation.
- This validated solution now provides guidance on using the VMware.CloudFoundation.PasswordManagement PowerShell module for performing password management. See the following updated sections:
  - Password Management for Identity and Access Management for VMware Cloud Foundation
  - Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation
- The PowerValidatedSolutions PowerShell module is now version 2.7.0.
- The PowerVCF PowerShell module is now version 2.4.0.
- The following solution-added product names are changing:
  - VMware vRealize Log Insight is now VMware Aria Operations for Logs
  - VMware vRealize Operations is now VMware Aria Operations
  For more information on the VMware Aria rebranding, see Multi-Cloud Management and VMware Aria.

29 AUG 2023
- This validated solution now includes Chapter 7 Appendix: Default Password Policy Settings for Identity and Access Management for VMware Cloud Foundation for quick reference.
- This validated solution now supports VMware Cloud Foundation 4.5.2.
- The VMware.PowerCLI PowerShell module is now version 13.1.0.
- The ImportExcel PowerShell module is now version 7.8.5.
- The PowerValidatedSolutions PowerShell module is now version 2.6.0.

25 JUL 2023
- The PowerValidatedSolutions PowerShell module is now version 2.5.0.

27 JUN 2023
- This validated solution now supports VMware Cloud Foundation 5.0.
- The PowerValidatedSolutions PowerShell module is now version 2.4.0.

30 MAY 2023
- This validated solution now supports VMware Cloud Foundation 4.5.1 and Workspace ONE Access 3.3.7.
- The PowerValidatedSolutions PowerShell module is now version 2.3.0.

25 APR 2023
- This validated solution now updates the password policy configuration guidance, providing a new VMware.CloudFoundation.PasswordManagement PowerShell module. See Password Management for Identity and Access Management for VMware Cloud Foundation.
- The VMware.PowerCLI PowerShell module is now version 13.0.0.
- The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.9.
- The ImportExcel PowerShell module is now version 7.8.4.
- The PowerVCF PowerShell module is now version 2.3.0.
- The PowerValidatedSolutions PowerShell module is now version 2.2.0.

28 MAR 2023
- The PowerValidatedSolutions PowerShell module is now version 2.1.0.

28 FEB 2023
- The PowerValidatedSolutions PowerShell module is now version 2.0.1.

31 JAN 2023
- This validated solution now updates the password policy management design. See Information Security and Access of Identity and Access Management for VMware Cloud Foundation.
- This validated solution now provides guidance on password policy management by product for the following procedures:
  - Configuring Password Expiration for Identity and Access Management for VMware Cloud Foundation
  - Configuring Password Complexity Policies for Identity and Access Management for VMware Cloud Foundation
  - Configuring Account Lockout Policies for Identity and Access Management for VMware Cloud Foundation
  - Password Rotation and Remediation for Identity and Access Management for VMware Cloud Foundation
- The PowerValidatedSolutions PowerShell module is now version 2.0.0, adding support for the following procedure:
  - Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation

29 NOV 2022
- The VMware.PowerCLI PowerShell module is now version 12.7.0.
- The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.8.
- The PowerValidatedSolutions PowerShell module is now version 1.10.0.

25 OCT 2022
- This validated solution now supports VMware Cloud Foundation 4.5.0.
- The PowerValidatedSolutions PowerShell module is now version 1.9.0.

27 SEPT 2022
- This validated solution now provides guidance on automated password policy management for specific SDDC components. See Password Policy Configuration with PowerShell for Identity and Access Management for VMware Cloud Foundation.
- The PowerValidatedSolutions PowerShell module is now version 1.8.0.

31 MAY 2022
- This validated solution now supports VMware Cloud Foundation 4.4.1.
- The PowerVCF PowerShell module is now version 2.2.0.
- The PowerValidatedSolutions PowerShell module is now version 1.7.0.

28 APR 2022
- The PowerValidatedSolutions PowerShell module is now version 1.6.0.

29 MAR 2022
- The PowerValidatedSolutions PowerShell module is now version 1.5.0.
- Removing the procedure Configure the vRealize Log Insight Agent on the Standalone Workspace ONE Access Appliance.

22 FEB 2022
- This validated solution now supports VMware Cloud Foundation 4.4.0.
- This validated solution now requires installation of the ImportExcel PowerShell module.
- The PowerValidatedSolutions PowerShell module is now version 1.4.0.
- The VMware.PowerCLI PowerShell module is now version 12.4.1.

25 JAN 2022
- The VMware.vSphere.SsoAdmin PowerShell module is now version 1.3.7.
- The PowerValidatedSolutions PowerShell module is now version 1.3.0, adding support for the following implementation procedure:
  - Assign NSX Manager Roles to Active Directory Groups for Identity and Access Management for VMware Cloud Foundation

30 NOV 2021
- The PowerValidatedSolutions PowerShell module is now version 1.2.0.
- The PowerVCF PowerShell module is now version 2.1.7.

26 OCT 2021
- The PowerValidatedSolutions PowerShell module is now version 1.1.0, adding support for the Reconfigure the vSphere Role and Permissions Scope for NSX Service Accounts for Identity and Access Management for VMware Cloud Foundation implementation procedure.

05 OCT 2021
- Added support:
  - VMware Cloud Foundation 4.3.1 is now supported.
  - VxRail is now supported.

24 AUG 2021
- Initial release.

1 Design Objectives of Identity and Access Management for VMware Cloud Foundation

The Identity and Access Management for VMware Cloud Foundation validated solution has objectives to deliver prescriptive content about the solution so that it is fast to deploy and is suitable for use in production environments.

Main objective
- Provide role-based access control for VMware Cloud Foundation infrastructure components through an organization's directory services as the authentication source.

VMware Cloud Foundation architecture
- vSAN ReadyNodes support
  - Consolidated
  - Standard
- Dell VxRail Nodes
  - Consolidated
  - Standard

Workload domain type support
- Management Workload domain
- VI Workload domain

Scope of implementation
- Configuration of role-based access control for VMware Cloud Foundation components:
  - ESXi
  - vCenter Server
  - NSX
  - SDDC Manager

Scope of guidance
- Deployment and initial configuration of identity and access management components for management and VI workload domains.
- Operational guidance for the identity and access management components, such as operational and post-maintenance validation.
- Solution interoperability with solution components, such as monitoring and alerting, logging, and life cycle management.

Cloud type
- Private cloud

Availability
- 99%

Authentication, authorization, and access control
- Use of Microsoft Active Directory over LDAP as the identity provider.
- Use of security groups and roles for least-privilege access control.
- Use of service accounts and least-privilege access control for solution integration.
- Support for other external identity providers is not included in this solution.

Certificate signing
- Certificates are signed by a certificate authority (CA) that consists of root and intermediate certificate authority layers.

2 Detailed Design of Identity and Access Management for VMware Cloud Foundation

The design considers the components of the Identity and Access Management for VMware Cloud Foundation validated solution. It includes numbered design decisions, and the justification and implications of each decision.

- Logical Design of Identity and Access Management for VMware Cloud Foundation: The logical design provides a high-level overview of the Identity and Access Management for VMware Cloud Foundation solution design.
n Information Security and Access of Identity and Access Management for VMware Cloud Foundation Information security and access design details the design decisions covering authentication and access controls for ESXi, vCenter Server, NSX, and SDDC Manager. Logical Design of Identity and Access Management for VMware Cloud Foundation The logical design provides a high-level overview of the Identity and Access Management for VMware Cloud Foundation solution design. Figure 2-1. Logical Design of Identity and Access Management for VMware Cloud Foundation Microsoft Active LDAP over SSL Directory LDAP over SSL vCenter Single Sign-On Management Domain VI Workload Domain Enhanced Linked NSX Manager vCenter Server vCenter Server Mode SDDC Manager VMware by Broadcom 18 Identity and Access Management for VMware Cloud Foundation vCenter Server By default, the vCenter Single Sign-On built-in identity provider uses an embedded vsphere.local domain and supports local accounts. The vCenter Server instances in a VMware Cloud Foundation system are joined to the built-in identity provider and are required to participate in an enhanced linked-mode configuration. Additional VMware Cloud Foundation instances may be joined to the same vCenter Single Sign-On identity provider during bring-up or brought online with a dedicated identity provider. vSphere configuration limits apply to linked vCenter Server instances: n The number of linked vCenter Servers n The number of hosts in linked vCenter Servers n The number of powered-on virtual machines in linked vCenter Servers n The number of registered virtual machines in linked vCenter Servers See VMware Configuration Maximums. The vCenter Single Sign-On built-in identity provider can be configured to use Microsoft Active Directory as its identity source using LDAP over SSL (LDAPS). The configuration is applicable to all vCenter Server instances configured in enhanced linked mode. 
Active Directory security groups and/or users can be assigned to default or custom roles in vSphere with the scope of provisioned and managed permissions.

ESXi

This solution does not require ESXi hosts in a VMware Cloud Foundation system to join Active Directory. SDDC Manager manages the commissioning, configuration, and life cycle of the ESXi hosts. If supplemental storage uses NFS version 4.1 with Kerberos authentication, you must join each ESXi host to an Active Directory domain. To ensure the default security group is not used, the default esxAdminsGroup group on each ESXi host can be configured to use a custom Active Directory security group.

NSX

To provide identity management services to NSX, NSX Manager instances in a VMware Cloud Foundation system are configured to use Microsoft Active Directory as their identity source using LDAP over SSL (LDAPS). Active Directory security groups and/or users can be assigned to default or custom roles in NSX.

SDDC Manager

SDDC Manager inherits the identity provider configuration from all vCenter Server instances in enhanced linked-mode. Active Directory security groups and/or users can be assigned to default roles in SDDC Manager.

Information Security and Access of Identity and Access Management for VMware Cloud Foundation

Information security and access design details the design decisions covering authentication and access controls for ESXi, vCenter Server, NSX, and SDDC Manager.

Table 2-1. Design Decisions on Information Security

IAM-VCF-SEC-001
  Design Decision: Limit the use of local accounts for both interactive or API access and solution integration.
  Design Justification: Local accounts are not specific to a user identity and do not offer complete auditing from an endpoint back to the user identity.
  Design Implication: You must define and manage service accounts, security groups, group membership, and security controls in Active Directory.

IAM-VCF-SEC-002
  Design Decision: Limit the scope and privileges for accounts used for both interactive or API access and solution integration.
  Design Justification: The principle of least privilege is a critical aspect of access management and must be part of a comprehensive defense-in-depth security strategy.
  Design Implication: You must define and manage custom roles and security controls to limit the scope and privileges used for interactive access or solution integration.

IAM-VCF-SEC-003
  Design Decision: Assign Active Directory user accounts to security groups following your organization's access policies.
  Design Justification: Allows Active Directory security groups to be assigned to roles in SDDC components for streamlined management of access and administrative privileges.
  Design Implication: You must define and manage security groups, group membership, and security controls in Active Directory.

IAM-VCF-SEC-004
  Design Decision: Assign Active Directory security groups to default or custom roles, as applicable, for interactive or API access to solution components based on your organization's business and security requirements:
  - SDDC Manager
  - ESXi (as applicable)
  - vCenter Servers
  - NSX Managers
  Design Justification:
  - Using Active Directory security group membership provides greater flexibility in granting access to roles across solution components.
  - Ensuring that users log in with a unique Active Directory user account provides greater visibility for auditing.
  - Evaluate the needs for additional role separation in your organization and implement mapping from Active Directory users to Active Directory security groups and default or custom roles.
  - The principle of least privilege is only one aspect of access management and must be part of a comprehensive defense-in-depth security strategy aligned with organization personas.
  Design Implication:
  - You must manage privileges assigned to custom roles.
  - You must manage the assignment and scope of custom roles based on the business and security requirements.
  - Additional Active Directory security groups must be created before assigning roles.
  - You must maintain the life cycle and availability of Active Directory security groups outside of the SDDC stack.

What to read next
- Information Security and Access for ESXi for Identity and Access Management for VMware Cloud Foundation
  Information security and access details the design decisions covering authentication and access controls for ESXi in VMware Cloud Foundation.
- Information Security and Access for vCenter Server for Identity and Access Management for VMware Cloud Foundation
  Information security and access design details the design decisions covering authentication and access controls for vCenter Server in VMware Cloud Foundation.
- Information Security and Access for NSX for Identity and Access Management for VMware Cloud Foundation
  Information security and access design details the design decisions covering authentication and access controls for NSX in VMware Cloud Foundation.
- Information Security and Access for SDDC Manager for Identity and Access Management for VMware Cloud Foundation
  Information security and access design details the design decisions covering authentication and access controls for SDDC Manager in VMware Cloud Foundation.

Information Security and Access for ESXi for Identity and Access Management for VMware Cloud Foundation

Information security and access details the design decisions covering authentication and access controls for ESXi in VMware Cloud Foundation.

By default, you can log in to an ESXi host using only the root account.
Direct access to an ESXi host is available and is most commonly used for troubleshooting purposes. You can access an ESXi host using one of the following methods.

Direct Console User Interface (DCUI)
  A text-based interface on the ESXi host console. Provides basic administrative controls and troubleshooting options.
ESXi Shell
  A local Linux-style shell accessed by using Alt+F1 on the ESXi host console.
Secure Shell (SSH)
  Remote command-line access to the ESXi Shell using SSH.
Host Client
  An HTML5-based client for managing ESXi hosts individually. You use the Host Client for emergency management when vCenter Server is temporarily unavailable.
vSphere Client
  An HTML5-based client included with vCenter Server. The vSphere Client is the primary interface for connecting to and managing vCenter Server instances.

Active Directory Integration for ESXi Hosts

Generally, it is not required to join ESXi hosts in a VMware Cloud Foundation system to Active Directory. SDDC Manager manages the commissioning, configuration, and life cycle of the ESXi hosts. In the event that direct access to an ESXi host is required, the Cloud Administrator can obtain the root or SERVICE account credentials to troubleshoot any issues with the ESXi host. However, there are circumstances when you must add Active Directory as the identity provider by joining each ESXi host to an Active Directory domain.

VMware Cloud Foundation supports the use of NFS version 4.1 as supplemental storage. With NFS version 4.1, ESXi supports the RPCSEC_GSS Kerberos authentication service. It allows the built-in NFS 4.1 client for ESXi to prove its identity to an NFS server before mounting an NFS share. Kerberos security uses cryptography to work across an insecure network connection.
To use Kerberos authentication, each ESXi host that mounts an NFS 4.1 datastore must join the required Active Directory domain, and the NFS Kerberos credentials must be set on each host. The ESXi implementation of Kerberos for NFS 4.1 provides two security models, krb5 and krb5i, that offer different levels of security.
- Kerberos for authentication only (krb5) supports identity verification.
- Kerberos for authentication and data integrity (krb5i), in addition to identity verification, provides data integrity services.

When you use Kerberos authentication, the following considerations apply:
- You must add Active Directory as the authentication system by joining each ESXi host to an Active Directory domain.
- You must specify the Active Directory credentials to provide access to NFS version 4.1 Kerberos datastores. A single set of credentials is used to access all Kerberos datastores mounted on an ESXi host.
- You must use the same Active Directory credentials for all ESXi hosts that access the shared datastore.
- You cannot use two security mechanisms, AUTH_SYS and Kerberos, for the same NFS version 4.1 datastore shared by multiple hosts.

When an ESXi host is added to an Active Directory domain to support NFS version 4.1 with Kerberos authentication, you must configure the administrative access by defining a non-default Active Directory security group for privileged access to the ESXi host. Thus, you ensure that only the designated Active Directory security group membership has administrative access to the ESXi host.

Table 2-2. Design Considerations on the Integration of ESXi Hosts with Active Directory

Design Consideration: If NFS version 4.1 with Kerberos authentication is used for supplemental storage, add Active Directory as the authentication service by joining each ESXi host to the Active Directory domain.
  Justification: Ensures greater visibility for auditing by enforcing that users log in with user accounts in the Active Directory domain.
  Implications:
  - Adding ESXi hosts to the domain adds administrative overhead, which can be automated.
  - You must manage the placement of the computer object for each ESXi host in the Active Directory domain.
  - You must maintain the access, life cycle, and availability for the associated Active Directory objects outside of the SDDC stack.

Design Consideration: If NFS version 4.1 with Kerberos authentication is used for supplemental storage, change the default esxAdminsGroup configuration on each ESXi host to use a custom Active Directory security group in the Active Directory domain.
  Justification:
  - Changing the Active Directory security group removes the use of a default security group membership.
  - Using an Active Directory security group name allows you to use a designated security group across management and workload domains, if required.
  Implications:
  - An Active Directory security group must be created in advance of changing the assignment.
  - You must maintain the life cycle and availability of an Active Directory security group outside of the SDDC stack.
  - You must make changes to the ESXi hosts' advanced settings.

Design Consideration: If NFS version 4.1 with Kerberos authentication is used for supplemental storage, use an Active Directory user account with the minimum privileges to join an ESXi host to the Active Directory domain.
  Justification: ESXi hosts are joined to the Active Directory domain using an account with the minimum set of required directory permissions:
  - Account Operators group
  - Join Computers to Domain delegation
  Implications:
  - You must maintain the life cycle and availability of the service account in your directory services.
  - If the computer objects in Active Directory are not created in advance, you must ensure that the user account has permissions to create objects in the default or the target organizational unit.

Password Policies for ESXi Hosts

For an ESXi host, you can enforce password policies for access to the DCUI, the ESXi Shell, SSH, or the Host Client. You can configure these password policies by using the advanced system settings for each ESXi host. The password policies apply only to local user accounts.

Password Expiration Policy for ESXi Hosts

You manage the password expiration policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can modify the configuration settings on each ESXi host to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 2-3. Default Password Expiration Policy for ESXi Hosts

Security.PasswordMaxDays
  Default: 99999 (never)
  Description: Maximum number of days before password expiration

Password Complexity Policy for ESXi Hosts

You manage the password complexity policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 2-4. Default Password Complexity Policy for ESXi Hosts

Security.PasswordQualityControl
  Default: retry=3 min=disabled,disabled,disabled,7,7
  Description:
  - Maximum number of retries
  - Required character classes
  - Minimum password length (characters)
Security.PasswordHistory
  Default: 0
  Description: Maximum number of passwords that the system remembers

For more detailed information, see the ESXi Passwords and Account Lockout documentation for VMware vSphere.

Account Lockout Policy for ESXi Hosts

ESXi account lockout is supported for SSH and API. If a user attempts to log in with incorrect local account credentials using SSH or API, the account is locked after the configured number of failures. The DCUI and the ESXi Shell do not support account lockout. You manage the account lockout policy on a per-host basis by using the advanced system settings in the vSphere Client or the Host Client. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 2-5. Default Account Lockout Policy for ESXi Hosts

Security.AccountLockFailures
  Default: 5
  Description: Maximum number of authentication failures before the account is locked
Security.AccountUnlockTime
  Default: 900
  Description: Amount of time in seconds that the account remains locked

For more detailed information, see the ESXi Passwords and Account Lockout documentation for VMware vSphere.

Design Decisions on Password Policies for ESXi Hosts

Table 2-6. Design Decisions on Password Policies for ESXi Hosts

IAM-ESXI-SEC-001
  Design Decision: Configure the password expiration policy for each ESXi host.
  Design Justification:
  - You configure the password expiration for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.
  - The password expiration policy is applicable to the following default accounts for a commissioned ESXi host: the root account and the SERVICE account.
  - The policy is applicable only to the local ESXi host users.
  Design Implication: You must manage the local user password expiration policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

IAM-ESXI-SEC-002
  Design Decision: Configure the password complexity policy for each ESXi host.
  Design Justification:
  - You configure the password complexity policy for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.
  - The password complexity policy is applicable only to the local ESXi host users.
  Design Implication: You must manage the local user password complexity policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

IAM-ESXI-SEC-003
  Design Decision: Configure the account lockout policy for each ESXi host.
  Design Justification:
  - You configure the account lockout policy for ESXi hosts to align with the requirements of your organization, which might be based on industry compliance standards.
  - The policy is applicable only to the local ESXi host users.
  Design Implication: You must manage the local user account lockout policy on each ESXi host by using the advanced system settings in the vSphere Client or the Host Client.

ESXi Host Password Management

SDDC Manager provides the ability to perform life cycle management for the local accounts used by each ESXi host. Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system. SDDC Manager provides the ability to rotate, update, and remediate most of these component passwords.
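The three policies above are enforced per host through the Security.* advanced settings, so drift is easy to miss across a domain. The following PowerShell is an added example, not code from the VMware guide: it parses the pam_passwdqc-style Security.PasswordQualityControl value and checks a host's five settings against a baseline. The setting names and VMware defaults come from Tables 2-3 to 2-5; the baseline values, the host names, and the PowerCLI collection loop (Get-VMHost, Get-AdvancedSetting) are assumptions you adapt to your environment.

```powershell
# Added example, not from the VMware guide: audit the ESXi local-account password
# and lockout advanced settings against a baseline. Setting names and the VMware
# defaults are taken from the guide; the baseline values below are assumptions.

# Parse a pam_passwdqc-style Security.PasswordQualityControl string such as
# "retry=3 min=disabled,disabled,disabled,7,7". The five min= positions are the
# minimum lengths for passwords built from one class, two classes, a passphrase,
# three classes, and four classes; "disabled" forbids that kind of password.
function ConvertFrom-EsxiPasswordQualityControl {
    param([Parameter(Mandatory)][string]$Value)
    $labels = 'OneClass', 'TwoClasses', 'Passphrase', 'ThreeClasses', 'FourClasses'
    $retry = $null
    $minLengths = @{}
    foreach ($token in ($Value -split '\s+')) {
        $name, $spec = $token -split '=', 2
        switch ($name) {
            'retry' { $retry = [int]$spec }
            'min' {
                $parts = $spec -split ','
                for ($i = 0; $i -lt $labels.Count; $i++) {
                    # $null stands for "disabled" so later comparisons stay int-to-int.
                    $minLengths[$labels[$i]] = if ($parts[$i] -eq 'disabled') { $null } else { [int]$parts[$i] }
                }
            }
        }
    }
    [pscustomobject]@{ Retry = $retry; MinLengths = $minLengths }
}

# Compare one host's Security.* settings (name -> value, as strings) with a baseline
# and return one finding per deviation. The baseline defaults are illustrative.
function Test-EsxiPasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][hashtable]$Settings,
        [int]$MaxPasswordDays   = 90,    # local passwords must expire within 90 days
        [int]$MinPasswordLength = 15,    # 3- and 4-class passwords need 15+ characters
        [int]$PasswordHistory   = 5,     # remember at least the last 5 passwords
        [int]$MaxLockFailures   = 5,     # lock after at most 5 failures (guide default)
        [int]$MinUnlockSeconds  = 900    # stay locked at least 900 s (guide default)
    )
    $findings = @()
    $maxDays = [int]$Settings['Security.PasswordMaxDays']
    if ($maxDays -gt $MaxPasswordDays) {
        $findings += "Security.PasswordMaxDays=$maxDays exceeds $MaxPasswordDays (99999 means passwords never expire)"
    }
    $qc = ConvertFrom-EsxiPasswordQualityControl -Value $Settings['Security.PasswordQualityControl']
    foreach ($kind in 'OneClass', 'TwoClasses', 'Passphrase') {
        if ($null -ne $qc.MinLengths[$kind]) { $findings += "Security.PasswordQualityControl permits $kind passwords" }
    }
    foreach ($kind in 'ThreeClasses', 'FourClasses') {
        $min = $qc.MinLengths[$kind]
        if ($null -eq $min -or $min -lt $MinPasswordLength) {
            $findings += "Security.PasswordQualityControl minimum for $kind is '$min', baseline is $MinPasswordLength"
        }
    }
    if ([int]$Settings['Security.PasswordHistory'] -lt $PasswordHistory) {
        $findings += "Security.PasswordHistory=$($Settings['Security.PasswordHistory']) is below $PasswordHistory"
    }
    $lockFailures = [int]$Settings['Security.AccountLockFailures']
    if ($lockFailures -eq 0 -or $lockFailures -gt $MaxLockFailures) {
        $findings += "Security.AccountLockFailures=$lockFailures is 0 (lockout disabled) or above $MaxLockFailures"
    }
    if ([int]$Settings['Security.AccountUnlockTime'] -lt $MinUnlockSeconds) {
        $findings += "Security.AccountUnlockTime=$($Settings['Security.AccountUnlockTime']) is below $MinUnlockSeconds"
    }
    [pscustomobject]@{ HostName = $HostName; Compliant = ($findings.Count -eq 0); Findings = $findings }
}

# Constructed sample: a host still on the VMware defaults from Tables 2-3 to 2-5.
$defaultSettings = @{
    'Security.PasswordMaxDays'        = '99999'
    'Security.PasswordQualityControl' = 'retry=3 min=disabled,disabled,disabled,7,7'
    'Security.PasswordHistory'        = '0'
    'Security.AccountLockFailures'    = '5'
    'Security.AccountUnlockTime'      = '900'
}
Test-EsxiPasswordPolicy -HostName 'esx01.example.local' -Settings $defaultSettings | Format-List

# Live collection with VMware PowerCLI after Connect-VIServer (assumed available):
# $names = 'Security.PasswordMaxDays', 'Security.PasswordQualityControl',
#          'Security.PasswordHistory', 'Security.AccountLockFailures', 'Security.AccountUnlockTime'
# foreach ($vmhost in Get-VMHost) {
#     $settings = @{}
#     foreach ($s in Get-AdvancedSetting -Entity $vmhost -Name $names) { $settings[$s.Name] = [string]$s.Value }
#     Test-EsxiPasswordPolicy -HostName $vmhost.Name -Settings $settings
# }
```

On the VMware defaults the sample host reports four findings (expiration never, two minimum-length shortfalls, no password history) and the lockout settings pass.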
Unlike password rotation, which generates a randomized password, a password update allows you to provide the desired password for the selected account. For more information, see the Password Management documentation for VMware Cloud Foundation.

You can activate or deactivate normal lockdown mode on an ESXi host to increase the security of the hosts. To activate or deactivate normal lockdown mode, you must perform the operation through the vSphere Client.

SDDC Manager creates service accounts that can be used to access the ESXi hosts over SSH. The service accounts are added to the Exception Users list during the bring-up process or host commissioning workflow. You can rotate the passwords for the service accounts using the password management functionality in SDDC Manager. For more information, see the Host Management documentation for VMware Cloud Foundation.

Table 2-7. Design Decisions on Password Management for ESXi Hosts

IAM-ESXI-SEC-004
  Design Decision: Change the root user password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager.
  Design Justification:
  - The password for the ESXi host's root user does not expire based on the default password expiration policy.
  - SDDC Manager manages each ESXi host in the system. The ESXi root user password must be known and managed by SDDC Manager.
  Design Implication:
  - You must manage the password update or password rotation for the root account by using SDDC Manager.
  - An automated password rotation schedule cannot be activated for ESXi hosts in SDDC Manager.

IAM-ESXI-SEC-005
  Design Decision: Rotate the SERVICE account password for each ESXi host on a recurring or event-initiated schedule by using SDDC Manager.
  Design Justification:
  - SDDC Manager creates a SERVICE account on each ESXi host to provide access to the ESXi host over SSH in the context of an exception user in normal lockdown mode.
  - The password for the ESXi host's SERVICE account does not expire based on the default password expiration policy.
  - SDDC Manager manages each ESXi host in the system. The ESXi root user password must be known and managed by SDDC Manager.
  Design Implication:
  - You must manage the password rotation for the SERVICE account by using SDDC Manager.
  - An automated password rotation schedule cannot be activated for ESXi hosts in SDDC Manager.

Information Security and Access for vCenter Server for Identity and Access Management for VMware Cloud Foundation

Information security and access design details the design decisions covering authentication and access controls for vCenter Server in VMware Cloud Foundation.

You can log in to a vCenter Server instance based on the configuration of vCenter Single Sign-On. vCenter Single Sign-On allows vSphere components to communicate with each other through a secure token mechanism.

vCenter Single Sign-On uses the following services.
- Authentication of users through the vCenter Server built-in identity provider or external identity provider federation.
- Authentication of solution users through certificates.
- Security Token Service (STS).
- SSL for secure traffic.

vCenter Server includes a built-in identity provider. By default, the vCenter Server built-in identity provider uses an embedded vsphere.local domain and supports local accounts. You can configure the vCenter Server built-in identity provider to use Microsoft Active Directory as its identity source using LDAP(S), or to use OpenLDAP. These configurations allow you to log in to vCenter Server using Active Directory user accounts assigned to vCenter Server roles. You can also configure vCenter Server to use an external identity provider. Using federated authentication, you replace vCenter Server as the identity provider with an external identity provider. The configuration of an external identity provider is not in scope of this solution.
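The LDAPS identity source described here depends on a CA-signed server-authentication certificate on each domain controller, and the design decisions that follow note that the identity source must be removed and reconfigured whenever that certificate is replaced. The following PowerShell is an added example, not code from the VMware guide: it connects to a domain controller's LDAPS port, reports the certificate's expiry, issuer, Server Authentication EKU and SAN match, and checks whether the machine running it trusts the issuing chain. The domain controller name and the 30-day warning threshold are assumptions.

```powershell
# Added example, not from the VMware guide: report on the certificate a domain
# controller presents on the LDAPS port, so that expiry or replacement can be
# planned together with the vCenter Server identity source reconfiguration.
function Get-LdapsCertificateReport {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [int]$Port = 636,
        [int]$WarnDays = 30   # assumption: flag certificates expiring within 30 days
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
    $ssl = $null
    try {
        # Accept whatever is presented during the handshake; trust is evaluated
        # separately below so that an untrusted certificate is still reported.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Does this machine trust the issuing CA chain? Build() is $false on any chain error.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Server Authentication EKU (1.3.6.1.5.5.7.3.1) and a SAN entry matching the
        # name vCenter Server will connect to, via PowerShell's adapted X509 properties.
        $serverAuth = $cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
        $nameMatch  = $cert.DnsNameList.Unicode -contains $DomainController
        $daysLeft   = [int]($cert.NotAfter - (Get-Date)).TotalDays

        if (-not $trusted -or -not $serverAuth -or -not $nameMatch) {
            $action = 'Fix the certificate before configuring the LDAPS identity source'
        } elseif ($daysLeft -le $WarnDays) {
            $action = 'Renew soon and plan to reconfigure the vCenter Server identity source'
        } else {
            $action = 'None'
        }

        [pscustomobject]@{
            DomainController = $DomainController
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            Thumbprint       = $cert.Thumbprint
            NotAfter         = $cert.NotAfter
            DaysRemaining    = $daysLeft
            ServerAuthEku    = $serverAuth
            NameMatches      = $nameMatch
            ChainTrusted     = $trusted
            ChainStatus      = $(if ($trusted) { 'OK' } else { $chainStatus })
            Action           = $action
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Constructed placeholder host name; replace with a domain controller in your forest.
Get-LdapsCertificateReport -DomainController 'dc01.example.local' | Format-List
```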
Active Directory Integration for vCenter Server

This solution provides design and implementation guidance on configuring the vCenter Server built-in identity provider to use Microsoft Active Directory over LDAP.

Table 2-8. Design Decisions on the Identity Provider for vCenter Server

IAM-VCS-SEC-001
  Design Decision: Configure the vCenter Server instances to use Active Directory over LDAP with SSL (LDAPS) as the identity source.
  Design Justification:
  - Provides the ability for vCenter Server to connect to an Active Directory using LDAP.
  - Ensures that LDAP traffic between a vCenter Server instance and the Active Directory is encrypted. Microsoft recommends a hardened configuration for LDAP channel binding and LDAP signing on Active Directory domain controllers. For more information, see Microsoft Security Advisory ADV190023.
  Design Implication:
  - In a multi-domain forest, where the vCenter Server instance connects to a child domain, Active Directory security groups must have global scope. Therefore, members added to the Active Directory global security group and user accounts for solution integration must reside within the same Active Directory domain.
  - If multiple VMware Cloud Foundation instances are deployed to separate Active Directory domains (for example, child domains in a multi-domain forest), the instances cannot be in enhanced linked-mode.
  - A certificate is required to establish trust for the Active Directory LDAPS endpoints. You must obtain a CA-signed certificate that can be used for server authentication.
  - You must remove and reconfigure the integration between the identity provider and vCenter Server when replacing the certificates used by Active Directory over LDAP with SSL.
IAM-VCS-SEC-002
  Design Decision: Use an Active Directory user account with minimum read-only access to the Base DN for users and groups to serve as the service account for the Active Directory bind.
  Design Justification: Provides the following access control features:
  - Each vCenter Server instance connects to the Active Directory domain with the minimum permissions to bind and query the directory.
  - Improves the visibility in tracking request-response interactions between the vCenter Server instances and Active Directory.
  Design Implication: You must manage the password life cycle of this Active Directory user account.

vCenter Server provides precise control over authorization by using permissions and roles. Each object in the vCenter Server object hierarchy has associated permissions. When you assign permissions to an object in the vCenter Server object hierarchy, you specify the privileges and access for each user or group on that object.

You can assign privileges only to authenticated users or groups of authenticated users. Users are authenticated through vCenter Single Sign-On. Users and groups must be defined in the identity source that vCenter Single Sign-On uses. Define users and groups using the tools in your identity source, for example, Active Directory.

To specify the privileges for users or groups, you use roles, which are sets of privileges. Roles allow you to assign permissions on an object based on a typical set of tasks that users perform. Default roles, such as Administrator, are predefined in vCenter Server and cannot be changed. Other roles, such as Resource Pool Administrator, are predefined sample roles. vCenter Server offers predefined roles, which combine frequently used privilege sets.
You can create custom roles either from scratch or by cloning and modifying sample roles. vSphere supports several models with control for determining whether a user is allowed to perform a task. A user's role on an object or the user's global permission determines whether that user is allowed to perform other tasks in vSphere. For more information, see the vSphere Permissions and User Management Tasks documentation for VMware vSphere.

Table 2-9. Design Decisions on Identity and Access Management for vCenter Server

IAM-VCS-SEC-003
  Design Decision: Assign the default Administrator role in vCenter Server to an Active Directory security group.
  Design Justification: By assigning the Administrator role to an Active Directory security group, you can simplify and manage user access with administrative rights in vCenter Server based on your organization's personas.
  Design Implication:
  - An Active Directory security group must be created before assigning a role.
  - You must maintain the life cycle and availability of the security group in Active Directory.

IAM-VCS-SEC-004
  Design Decision: Assign vCenter Server global permissions for the Active Directory security groups assigned the Administrator role.
  Design Justification: By assigning the global permissions to an Active Directory security group with the Administrator role, you can manage user access with administrative rights across all management and workload domain vCenter Server instances which participate in enhanced linked-mode and use the same identity provider.
  Design Implication: None.

IAM-VCS-SEC-005
  Design Decision: Assign the default Read-Only role in vCenter Server to an Active Directory security group.
  Design Justification: By assigning the Read-Only role to an Active Directory security group, you can simplify and manage user access with read-only rights in vCenter Server based on your organization's personas.
  Design Implication:
  - An Active Directory security group must be created before assigning a role.
  - You must maintain the life cycle and availability of the security group in Active Directory.

IAM-VCS-SEC-006
  Design Decision: Assign vCenter Server global permissions for the Active Directory security groups assigned the Read-Only role.
  Design Justification: By assigning global permissions to an Active Directory security group with the Read-Only role, you can manage user access with read-only privileges across all management and workload domain vCenter Server instances which participate in enhanced linked-mode and use the same identity provider.
  Design Implication: None.

IAM-VCS-SEC-007
  Design Decision: Add an Active Directory security group as a member of the
  Design Justification: By adding an Active Directory security group as a member of the
  Design Implication:
  - An Active Directory security group must be cre