
Enterprise Hybrid Cloud Security Management

Version 4.1.2

February 2018

H16335.2

Solution Guide

Abstract

This solution guide provides information about the features and configuration options available for securing system operations for a hybrid cloud. The guide explains why, when, and how to use these security features.

Copyright © 2018 Dell Inc. or its subsidiaries. All rights reserved.

Published February 2018

Dell believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

THE INFORMATION IN THIS PUBLICATION IS PROVIDED "AS-IS." DELL MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. USE, COPYING, AND DISTRIBUTION OF ANY DELL SOFTWARE DESCRIBED IN THIS PUBLICATION REQUIRES AN APPLICABLE SOFTWARE LICENSE.

Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be the property of their respective owners. Published in the USA.

Dell EMC, Hopkinton, Massachusetts 01748-9103, 1-508-435-1000. In North America 1-866-464-7381. www.DellEMC.com

CONTENTS

Chapter 1: Executive Summary
• Solution overview
• Key benefits of Enterprise Hybrid Cloud
• Document purpose
• Audience
• Essential reading
• Terminology
• We value your feedback

Chapter 2: Public Key Infrastructure
• Public key infrastructure overview
• Enterprise PKI architecture
• Enterprise PKI solution integration
  • Active Directory—LDAP over SSL/TLS certificates
  • VMware vCenter Platform Services Controller
  • Dell EMC Avamar

Chapter 3: Converged Authentication
• Security and authentication
  • Active Directory Domain Services
  • IWA and Microsoft SQL Server service accounts
• Active Directory integration
  • VMware vRealize Automation: Tenant identity stores
• VMware Platform Services Controller
  • VMware vRealize Automation
• TACACS+ authentication integration
• VMware Identity Manager

Chapter 4: Centralized Log Management
• Log management overview
• VMware vRealize Log Insight remote syslog architecture
• Centralized logging integration
• Content packs for VMware vRealize Log Insight
• Configuring alerts

Chapter 5: Network Security
• Network Security overview
• Solution architecture
  • Physical connectivity
  • Logical network topology
  • Overlay networks with VXLAN
  • Supporting infrastructure services
  • Network environment for data protection
  • Automation and provisioning
• VMware NSX for vSphere
  • NSX Distributed Logical Router
  • NSX Distributed Firewall
  • NSX Flow Monitoring
  • NSX Logical Load Balancer
  • NSX Service Composer
  • Security groups, policies, and tags
• VMware NSX for vSphere extensibility with Palo Alto Networks firewalls
• VMware NSX firewall policy creation
  • Multiple firewall rule criteria
  • Dynamic rules
• N-tier application considerations
  • Traditional three-tier architecture
  • Two-tier applications
• Cross-vCenter NSX
  • Universal network objects
  • Universal controller cluster
  • Universal firewall rules
  • Universal security objects
• Micro-segmentation use cases
  • Use case 1: On-demand with security tags
  • Use case 2: N-tier virtual applications
  • Use case 3: Converged N-tier virtual applications
  • Use case 4: App Isolation for component machines

Chapter 6: Configuration Management
• Configuration management overview
• VMware vCenter Server host profiles
• VMware vSphere Update Manager
  • Baselines
  • Baseline groups
  • Audit compliance
• VMware vRealize Configuration Manager
  • Configuration compliance
  • Risk badge and compliance scores
  • Operational compliance
• Use case 1: Configuring a custom compliance standard
• Use case 2: Applying exceptions to compliance templates

Chapter 7: Multitenancy
• Multitenancy overview
• Secure separation
  • Network segmentation
  • Tenant and enterprise Edge routers
  • Tenant authentication
• Role-based access control
  • vRealize Automation groups and roles
  • Entitlements

Chapter 8: Data Security
• Data security overview
• CloudLink SecureVM
  • Platform support
• Policy-based management
  • Defining authorized IP addresses for virtual machines
  • Changing the global policy for virtual machine start up
  • Encrypting virtual machine volumes
  • Decrypting virtual machine volumes
  • Changing the volume encryption policy for a Windows virtual machine
• Integration with the service catalog

Chapter 9: Certificate Update Procedures for EHC Components
• Enterprise Hybrid Cloud certificate update overview
  • EHC Trusted PKI Hierarchy
  • EHC SSL component trust dependency
  • Overview of certificate update procedures
• Updating vCenter Platform Service Controller
  • Replacing PSC Machine SSL certificates
  • Replacing PSC Solution User SSL certificates
• Updating VMware vCenter Server certificates
  • Replacing vCenter Server Machine SSL certificates
  • Replacing vCenter Server Solution User SSL certificates
  • Updating additional components after vCenter Server updates
• Updating Automation Pod Platform Services Controller
• Updating SRM certificates
• Updating NSX certificates
• Updating ViPR certificates
• Updating the vRealize Automation Appliance
• Updating vRealize Automation Web IaaS certificates
• Updating vRealize Automation Manager IaaS certificates
• Updating the active vRealize Automation Application Services certificate
• Updating vRealize Orchestrator certificates
• Updating vRealize Operations certificates
• Updating vRealize Business certificates
• Updating Log Insight certificates
• Updating Avamar certificates
  • Enabling encrypted server authentication
  • Updating the Avamar Proxy certificate
• Updating RecoverPoint for Virtual Machines certificates
• Updating CloudLink certificates
• Updating ESXi certificates
• Updating the Data Protection Advisor (DPA) certificate
• Updating VAMI appliance certificates
• Running EHC validation workflows

Chapter 10: Password Management
• Password management overview
• Service accounts
  • Changing the RecoverPoint for Virtual Machines Shadow Copy user service account
  • Removing a shadow user
• SQL Server service accounts
  • Changing the svc_iaas account and password
  • Changing the svc_sqlsvr account password
  • Changing the svc_sqlvragent account password
  • Changing the svc_vcenter account password
  • Changing the svc_vum account password
  • Changing the svc_srm account password
  • Changing the svc_vro account password
• Active Directory bind service accounts
  • Changing the adbind_vra account password
  • Changing the adbind_vro account password
  • Changing the adbind_vrops account password
  • Changing the adbind_vipr account password
  • Changing the adbind_logi account password
  • Changing the adbind_dpa account password
  • Changing the adbind_sso account password
  • Changing the adbind_rp4vm account password
• Enterprise Hybrid Cloud application accounts
  • Changing the app_vrb_vcenter account password
  • Changing the app_nsx_vcenter account password
  • Changing the app_logi_vcenter account password
  • Changing the app_vro_vcenter account password
  • Changing the app_vrops_vcenter account password
  • Changing the app_vrops_vra account password
  • Changing the app_vipr_vcenter account password
  • Changing the app_avamar_vcenter account password
  • Changing the app_avamar_soap account password
  • Changing the app_nsx_sso account password
  • Changing the app_vro_sso account password
  • Changing the app_logi_vrops account password
  • Changing the app_vro_vipr account password
  • Changing the app_vra_nsx account password
  • Changing the app_vra_vro account password
  • Changing the app_vro_iaas account password
  • Changing the app_vipr_vplex account password
  • Changing the app_vipr_rpa account password
  • Changing the app_vro_dpa account password
  • Changing the app_vro_srm account password
  • Changing the app_vro_sql account password
  • Changing the app_vro_nsx account password
  • Changing the app_vro_rest account password
  • Changing the app_vro_rp4vm account password
  • Changing the app_srm_vcenter account password
  • Changing the app_vum_vcenter account password
  • Changing the app_vrpa_vcenter account password
• Enterprise Hybrid Cloud adapter accounts
  • Changing the adp_vrops_vcenter account password
  • Changing the adp_vrops_vipr account password
• EHC interactive user accounts
  • Changing the ehc_sysadmin account password
  • Changing the ehc_tenant_admin account password
• Enterprise Hybrid Cloud local accounts
  • Changing the dd4avamar/av0xddboost account password
  • Changing the app_vipr_rp account password
  • Changing the app_srm_rp account password
  • Changing the app_vrb_vrops account password
  • Changing the configurationAdmin account password
  • Changing the tenantAdmin account password
• Dell EMC ViPR physical resources
  • Changing the Cisco MDS account password
  • Changing the Brocade account password
  • Changing the Vblock compute system account password
  • Changing the storage provider account password
  • Changing the VNX account password
  • Changing the EMC XtremIO account password
  • Changing the EMC VPLEX account password
  • Changing the RecoverPoint password

Chapter 11: References
• Enterprise Hybrid Cloud documentation
• Enterprise Hybrid Cloud security documentation
• Other documentation
• VMware Knowledge Base

Appendix A: Enterprise Hybrid Cloud Security Data
• Security data

CHAPTER 1

Executive Summary

This chapter presents the following topics:

• Solution overview
• Key benefits of Enterprise Hybrid Cloud
• Document purpose
• Audience
• Essential reading
• Terminology
• We value your feedback

Solution overview

Many organizations are looking for ways to drive more business value, redefine their business models, and build an enhanced customer experience in an increasingly digital world. IT must deliver enterprise IT services and applications with greater speed and agility, while reducing costs and minimizing risks.

A hybrid cloud helps organizations innovate rapidly while still delivering enterprise-grade performance, resiliency, and security. Enterprise Hybrid Cloud 4.1.2 delivers this by combining the control, reliability, and confidence of a private cloud with the simplicity, flexibility, and cost efficiency of public clouds to transform delivery of IT services. Enterprise Hybrid Cloud delivers automated infrastructure services for traditional enterprise applications across private and public clouds with greater speed, scalability, and agility, while reducing costs and minimizing risks. Workflows and application blueprints transform what was once manual into automated, on-demand infrastructure provisioning, with management insights and cost transparency. A self-service catalog empowers business users to procure traditional enterprise applications and IT services on demand, with service levels that align with workload and cost objectives. Built-in security and data protection allow you to run your hybrid cloud with confidence.

Enterprise Hybrid Cloud 4.1.2 is the foundation for infrastructure as a service (IaaS). Enterprise Hybrid Cloud is designed to deliver IaaS to meet your specific business needs with add-on options for data protection, virtual machine encryption, applications, application-lifecycle automation for continuous delivery, ecosystem extensions, and more. IT can start delivering value to the business two times faster with Enterprise Hybrid Cloud when compared to building your own IaaS solution.

Key benefits of Enterprise Hybrid Cloud

The key benefits of Enterprise Hybrid Cloud are agility, simplicity, and security.

• Agility—Transform your IT organization through automated delivery of IaaS with on-demand access to traditional enterprise applications and IT services.

• Simplicity—Pre-engineered, validated, and tested, Enterprise Hybrid Cloud is the foundation for IaaS with add-on options to meet your specific business needs. It integrates best-of-class technologies, professional services, and single contact support into an easy-to-consume engineered solution.

• Security—Enterprise Hybrid Cloud 4.1.2 ensures that applications and business data are protected with options for virtual machine encryption, secure network isolation, segmentation, and enhanced network security to minimize risk.

Document purpose

This solution guide provides information about the features and configuration options that are available for securing system operations in an on-premises implementation of Enterprise Hybrid Cloud 4.1.2. It explains why, when, and how to use these security features.

This guide does not address public key infrastructure (PKI) policies, registration authorities (RAs), validation authorities (VAs), or other components that are typically used in the PKI. Design considerations for these components are outside the scope of this solution guide.

Audience

This solution is intended for security architects, practitioners, and administrators responsible for the overall configuration and operation of the solution. Readers should be familiar with the VMware vRealize Suite, storage technologies, hybrid cloud infrastructure, and general IT functions.

Essential reading

Read these documents for more information about various aspects of Enterprise Hybrid Cloud.

• Enterprise Hybrid Cloud 4.1.2 Reference Architecture Guide
• Enterprise Hybrid Cloud 4.1.2 Concepts and Architecture Guide
• Enterprise Hybrid Cloud 4.1.2 Administration Guide
• Enterprise Hybrid Cloud 4.1.2 Infrastructure and Operations Management Guide

Terminology

Learn about the terminology used in this guide.

Term: Definition

CA: Certificate Authority

CRL: Certificate Revocation List—Contains a list of serial numbers for revoked certificates

DFW: VMware NSX Distributed Firewall

DLR: VMware NSX Distributed Logical Router

ESR: VMware NSX Edge Services Router

IIS MMC: Internet Information Services Microsoft Management Console

LI: An abbreviation for vRealize Log Insight used in diagrams in this solution guide

PSC: An abbreviation for Platform Services Controller

SAN: Subject Alternative Name

SSL: Secure Socket Layer

STS: Security Token Service—A VMware vCenter Single Sign-On (SSO) authentication interface

vRCM: An abbreviation for VMware vRealize Configuration Manager used in diagrams and code samples in this solution guide

vRO: An abbreviation for VMware vRealize Orchestrator used in diagrams and code samples in this solution guide

vRA: An abbreviation for VMware vRealize Automation used in diagrams and code samples in this solution guide

vRB: An abbreviation for vRealize Business used in diagrams and code samples in this solution guide

vR Ops: An abbreviation for VMware vRealize Operations Manager used in diagrams and code samples in this solution guide

vRealize Automation blueprint: A specification for a virtual, cloud, or physical machine that is published as a catalog item in the vRealize Automation service catalog

vRealize Automation business group: A set of users, often corresponding to a line of business, department, or other organizational unit (OU), that can be associated with a set of catalog services and infrastructure resources

vRealize Automation fabric group: A collection of virtualization compute resources and cloud endpoints that is managed by one or more vRealize Automation fabric administrators

vIDM: An abbreviation for VMware Identity Manager used in diagrams in this solution guide. vIDM is a service that extends on-premises directory infrastructure to provide a seamless SSO experience to web, mobile, SaaS, and legacy applications that may be consumed as a service or downloaded and installed on-premises. vIDM integrates with AirWatch Enterprise Mobility Management to enable industry-first, seamless SSO to native mobile apps. vIDM is packaged with an enterprise app store, SAML identity provider (IDP), application usage analytics, conditional access policy engine, and more.

We value your feedback

Dell EMC and the authors of this document welcome your feedback on the solution and the solution documentation.

Contact Solution Feedback with your comments.

Authors: Jon Dupre, Sarang Chalikwar, Robert Porter, Donna Renfro


CHAPTER 2

Public Key Infrastructure

This chapter provides an overview of integrating the Enterprise Hybrid Cloud platform stack and supporting infrastructure into an enterprise PKI hierarchy and includes the following topics:

• Public key infrastructure overview
• Enterprise PKI architecture
• Enterprise PKI solution integration

Public key infrastructure overview

The solution stack required to deliver hybrid cloud services must provide simple centralized management to securely manage services and enforce policies. You can integrate an Enterprise Hybrid Cloud platform stack with an enterprise public key infrastructure (PKI) to ensure authenticity, strengthen authentication, and encrypt administrative communications.

A significant challenge in securing any environment is ensuring the authenticity of the interfaces to which users and administrators submit their credentials and the confidentiality of related network communications. Enterprise Hybrid Cloud uses PKI integration to implement trusted certificates that enable administrators to secure data in transit, verify the authenticity of management endpoints, protect against man-in-the-middle attacks, and so on.

Always follow best practices when designing your organization's PKI infrastructure and take additional security measures to safeguard the private keys used by the CAs. In a virtualized environment, use network-based hardware security modules (HSMs) to store the CA private keys in a secure manner with tamper protection. HSMs can also offload cryptographic processing for symmetric or asymmetric needs where performance and speed are a requirement.

Note: Enterprise Hybrid Cloud implements Transport Layer Security (TLS)-compatible configurations and certificates. All references to Secure Sockets Layer (SSL) in this solution guide imply TLS compatibility.

Enterprise PKI architecture

Integrating a PKI into a multitenant hybrid cloud environment ensures that all the components that use or rely on X.509 v3 certificates and technology are trusted.

By default, components are installed or factory-shipped with self-signed X.509 v3 certificates that are untrusted, because you cannot verify the authenticity of who issued or signed them. In such an environment, an attacker could impersonate a device or application to perform man-in-the-middle attacks or to harvest administrative credentials for subsequent use in compromising other systems on the network. The impact of such an attack is serious because of the privileges that are usually given to systems administrators to fulfill their duties. Certain regulated industries and governments require the use of trusted certificates only.

Integration with a trusted PKI addresses this problem by establishing a chain of trust: from the trusted X.509 v3 certificate received from the issuing certification authority (CA) and installed on the device or application, through to the root CA. In addition, the PKI provides a means to validate this trust by publishing Authority Information Access (AIA) locations and Certificate Revocation Lists (CRLs).

The PKI used in the solution is based on the deployment of Microsoft Active Directory Certificate Services. Part of hardening the enterprise hybrid cloud infrastructure is to replace the self-signed X.509 v3 certificates with valid signed certificates from a trusted CA. Note that some organizations may choose to use an external entity for this.

The following figure shows an example for which we configured an internal CA using a hierarchical structure with the root CA at the top level; the root CA can be either offline or air-gapped. Note that an air-gapped root CA is removed from the network, and AIA and CRL updates are transferred manually. Subordinate CAs are tiered in the Active Directory forest.

This figure shows the hierarchical architecture of the PKI environment with the root self-signed certificate, the issuing CA certificate, and the end-entity certificates. The architecture also shows the trust relationship between the end-entity certificates and the end user.

Figure 1 PKI hierarchy for Enterprise Hybrid Cloud platform

The end-entity certificate and CA certificate contain CRL distribution points. Dell EMC strongly recommends that the CRL distribution point be accessible from the Enterprise Hybrid Cloud environment. Otherwise, the customer needs to manually import the CRL periodically.

The subordinate CA usually issues the end-entity certificates. The end-entity certificate subject should contain the fully qualified domain name (FQDN) as the Common Name (CN), and optionally, an IP address as part of the Subject Alternative Name (SAN).

In production environments, systems are commonly managed and accessed using the system IP address, hostname, or FQDN. When PKI is introduced, this behavior can result in certificate validation errors that can cause the integration to fail. To resolve this problem, you can issue a certificate that contains a SAN with one or more items of subject information. In distributed or highly available environments, load balancers must be configured with multiple FQDNs and IP addresses. This requires use of the subjectAltName extension in certificates.

When designing a PKI, it is important to consider the security implications of enabling the subjectAltName extension. Your security policy may require certain controls and processes to be put in place that are beyond the scope of this solution guide. The Microsoft TechNet Library topic How to Request a Certificate with a Custom Subject Alternative Name describes security best practices for enabling subject alternative names in certificates.

Note

For security reasons, avoid using wildcard certificates and sharing private keys on different VMs.


Enterprise PKI solution integration

This section lists Enterprise Hybrid Cloud components that you should integrate into your enterprise PKI hierarchy and describes some advanced security features that use PKI for authentication.

The following solution components can be integrated into a PKI:

• VMware vRealize Log Insight
• VMware vRealize Orchestrator
• VMware vRealize Operations Manager
• VMware vRealize Automation (certificates)
• VMware vRealize Business for Cloud (certificates)
• VMware vSphere ESXi
• VMware vCenter Server
• VMware Platform Services Controller
• VMware Site Recovery Manager
• VMware NSX for vSphere
• Dell EMC Avamar™
• Dell EMC Data Protection Advisor™
• Dell EMC Data Domain™
• Dell EMC RecoverPoint™ for VMs
• Dell EMC Unisphere™
• Dell EMC ViPR™
• CloudLink SecureVM modular add-on for virtual machine encryption

Active Directory: LDAP over SSL/TLS certificates

You can significantly strengthen the security of authentication and authorization communications by encrypting the entire Lightweight Directory Access Protocol (LDAP) session with SSL/TLS, known as LDAP over SSL or LDAPS.

LDAP is the protocol by which many applications submit authentication or authorization requests. LDAP introduces a significant security risk because usernames and authorization requests are passed over the network unencrypted. This can quickly lead to credentials becoming compromised.

By default, Active Directory is not configured to support LDAPS, so certain steps must be taken to enable integration of Active Directory Domain Services (ADDS) with a trusted PKI to enable LDAPS. For more information, see the Microsoft TechNet article LDAP over SSL (LDAPS) Certificate.

The LDAPS certificate is issued by the subordinate CA and requested on each participating domain controller using the Certificates snap-in in the Microsoft Management Console (MMC). The certificate is installed in the domain controller certificate store and is applied by ADDS to LDAP communications to secure authentication and authorization requests through TLS encryption.


VMware vCenter Platform Services Controller

Learn about the services available from VMware vCenter Platform Services Controller (PSC).

In addition to providing SSO, VMware Platform Services Controller (PSC) for vSphere 6.x includes the following platform services:

• Licensing Service
• Certificate Authority (VMCA)
• Certificate Store (VECS)
• Lookup Service for Component Registrations

Note

While designed to streamline certificate management in vSphere, VMCA does not yet possess the feature-rich capabilities of an enterprise-grade PKI. Therefore, we recommend that you integrate vCenter services directly with your enterprise PKI using the "custom" mode, as defined in VMware Certificate Authority overview, and using VMCA Root Certificates in a browser.

The PSC includes a Security Token Service (STS) that enables administrators or applications to authenticate within a defined security domain or identity source such as Active Directory or OpenLDAP. After successful authentication, the PSC SSO STS exchanges the authentication credentials for a Security Assertion Markup Language (SAML) 2.0 token. The client uses this token to interact with the various vSphere platform applications.

During interaction between components, the client verifies the authenticity of the certificate that is presented during the TLS handshake phase. The verification protects against man-in-the-middle attacks.

Each PSC SSO-enabled component registers with SSO using the client end-entity certificate and requires a unique certificate. vRealize Automation Application Services and VMware vRealize Business for Cloud integrate with SSO through vRealize Automation.

The subject Distinguished Name (DN) value is stored in the SSO database as the primary key for each certificate, rather than the hash, thumbprint, or any other attribute. This is important where multiple vCenter Server services are deployed in a single virtual machine, as recommended by VMware. In this case, the Common Name (CN) and other attributes might be identical, which can lead to the same subject DN being used across services. To ensure that the new TLS certificate for each vCenter service has a unique subject DN encoded within the certificate, specify an additional attribute, such as a unique Organizational Unit (OU), for each certificate request.

Note

A unique OU ensures a unique subject DN; however, you can use other attributes, too. A unique OU is not mandatory because it is only part of the subject DN. For more information about identifying the constituent components of a subject DN, see Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
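As an added example (not code from this guide, from VMware, or from Dell EMC), the following Python pre-flight check parses the subject DNs planned for a set of vCenter service certificate requests, normalizes them the way a directory compares them, and reports the services whose subjects would collide in the SSO database. It also applies the fix described above by inserting a per-service OU after the CN. The service names and DNs are constructed sample data, and the RDN normalization is a simplification of full RFC 4518 string preparation.

```python
import re

# Split on commas that are not escaped with a backslash (RFC 4514 string DN syntax).
_RDN_SPLIT = re.compile(r"(?<!\\),")


def parse_dn(dn: str) -> tuple:
    """Parse an RFC 4514 string DN into a normalized tuple of (type, value) pairs.
    Attribute types are compared case-insensitively; values are trimmed and
    lower-cased, which is a simplification of RFC 4518 string preparation."""
    rdns = []
    for rdn in _RDN_SPLIT.split(dn):
        attr_type, sep, value = rdn.partition("=")
        if not sep or not attr_type.strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        rdns.append((attr_type.strip().upper(), value.strip().lower()))
    return tuple(rdns)


def find_duplicate_subjects(requests: dict) -> list:
    """Group service names whose planned subject DNs normalize to the same value.
    Returns a sorted list of sorted groups; an empty list means every subject DN
    is unique and can serve as a primary key in the SSO database."""
    by_dn = {}
    for service, dn in requests.items():
        by_dn.setdefault(parse_dn(dn), []).append(service)
    return sorted(sorted(group) for group in by_dn.values() if len(group) > 1)


def with_unique_ou(requests: dict) -> dict:
    """Insert OU=<service name> directly after the CN of each request so that the
    subject DN of every service differs, keeping the original strings otherwise."""
    fixed = {}
    for service, dn in requests.items():
        out = []
        for part in (p.strip() for p in _RDN_SPLIT.split(dn)):
            out.append(part)
            if part.split("=", 1)[0].strip().upper() == "CN":
                out.append(f"OU={service}")
        fixed[service] = ", ".join(out)
    return fixed


# Constructed example: three vCenter services on one VM, all requested with the same
# subject (one of them differs only in letter case, which a directory ignores).
SAME_SUBJECT_REQUESTS = {
    "vpxd": "CN=vcenter01.example.com, O=Example Corp, C=US",
    "vsphere-client": "cn=vcenter01.example.com, o=Example Corp, c=US",
    "inventoryservice": "CN=vcenter01.example.com, O=Example Corp, C=US",
}

if __name__ == "__main__":
    print("colliding subjects:", find_duplicate_subjects(SAME_SUBJECT_REQUESTS))
    fixed = with_unique_ou(SAME_SUBJECT_REQUESTS)
    print("after adding OU:", find_duplicate_subjects(fixed))
```

Run the check against the request set before submitting anything to the issuing CA; the grouping tells you exactly which services need the extra attribute.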

Because of the changes in vSphere 6, the vCenter Certificate Automation Tool 5.5 is no longer needed to address the complexities of PSC SSO PKI requirements. VMware has simplified certificate management through the VMware Endpoint Certificate Store (VECS). The VECS serves as a local (client-side) repository for certificates, private keys, and other certificate information that can be stored in a keystore. VECS must be used to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS. See Manually reviewing certificates in VMware Endpoint Certificate Store for vSphere 6.0 (2111411) for more information about managing certificates in VECS.

Dell EMC Avamar

Avamar clients and Avamar servers use TLS certificates and PKI for authentication and optional data-in-flight encryption. Avamar supports the X.509 v3 standard for formatting digital certificates.

Certificate acceptance workflow

Avamar uses a specific workflow when a client validates a server certificate and when a server validates a client certificate. Avamar obtains the FQDN and compares it to the CN field of the certificate. Avamar also checks for an IP address match in the list of IP addresses in the SAN field of the certificate. If there is no match (including wildcards), then the certificate is rejected and the connection terminated.
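The following Python code is an added illustration of the acceptance workflow described above, not Avamar's own code: it compares the peer FQDN with the certificate CN, then the peer IP address with the SAN IP list, honours a single-label wildcard, and rejects anything else. It goes slightly beyond the text by also consulting SAN DNS names, which is how most TLS clients validate names. The PeerCertificate structure and the sample certificates are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCertificate:
    """Constructed stand-in for the certificate fields the workflow inspects
    (hypothetical structure, not Avamar's data model)."""
    common_name: str
    san_ip_addresses: list = field(default_factory=list)
    san_dns_names: list = field(default_factory=list)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive name comparison. A single leading '*.' is honoured as a
    wildcard covering exactly one label, so *.example.com matches node1.example.com
    but neither a.node1.example.com nor example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and pattern.count("*") == 1:
        suffix = pattern[1:]  # ".example.com"
        return (
            hostname.endswith(suffix)
            and len(hostname) > len(suffix)
            and hostname.count(".") == pattern.count(".")
        )
    return False


def accept_certificate(cert: PeerCertificate, peer_fqdn: str, peer_ip: str = None):
    """Apply the acceptance workflow and return (accepted, reason).
    A rejection means the connection is terminated."""
    if hostname_matches(cert.common_name, peer_fqdn):
        return True, f"CN matches {peer_fqdn}"
    if peer_ip is not None:
        try:
            addr = ipaddress.ip_address(peer_ip)
        except ValueError:
            return False, f"peer IP {peer_ip!r} is not a valid address"
        if any(ipaddress.ip_address(ip) == addr for ip in cert.san_ip_addresses):
            return True, f"SAN IP address matches {addr}"
    # Beyond the guide's text: SAN dNSName entries, checked with the same name rules.
    for name in cert.san_dns_names:
        if hostname_matches(name, peer_fqdn):
            return True, f"SAN DNS name {name} matches {peer_fqdn}"
    return False, "no CN or SAN entry matches; certificate rejected"


# Constructed sample certificates.
SERVER_CERT = PeerCertificate("avamar01.example.com", san_ip_addresses=["10.0.0.5"])
WILDCARD_CERT = PeerCertificate("*.example.com")

if __name__ == "__main__":
    print(accept_certificate(SERVER_CERT, "avamar01.example.com"))
    print(accept_certificate(SERVER_CERT, "other.example.com", "10.0.0.5"))
    print(accept_certificate(WILDCARD_CERT, "a.node1.example.com"))
```

The wildcard rule is deliberately narrow: one label only, never the bare parent domain, which limits what a wildcard certificate can be presented for and lines up with the note below that recommends avoiding them.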

One-way authentication

With one-way authentication, the Avamar client requests authentication from the Avamar server, and the server sends the certificate to the client. The client then validates the certificate using the certificate acceptance workflow. One-way authentication is also called server-to-client authentication.

Two-way authentication

When two-way authentication, also referred to as mutual authentication, is enabled, the Avamar server provides authentication to the Avamar client and the Avamar client provides authentication to the Avamar server:

• The Avamar client requests authentication from the Avamar server, and the server sends the certificate to the client. The client then validates the certificate, using the certificate acceptance workflow.

• The Avamar server requests authentication from the Avamar client, and the client sends the certificate to the server. The server then validates the certificate, using the certificate acceptance workflow.

Usually, one-way authentication provides sufficient security. To provide an extra level of security, set up two-way authentication. Both configurations support data-in-flight encryption.


CHAPTER 3

Converged Authentication

The infrastructure solutions stack required to deliver hybrid cloud services must provide an easy means of centralized management, so that the services can be securely managed and policies enforced. You can achieve integration with a common directory to support LDAPS, Kerberos, vIDM, and TACACS+ authentication services, streamline administration and policy enforcement, and provide tighter control over administrative and end-user authentication. This chapter presents the following topics:

• Security and authentication .............. 20
• Active Directory integration .............. 22
• VMware Platform Services Controller .............. 23
• TACACS+ authentication integration .............. 24
• VMware Identity Manager .............. 24


Security and authentication

Significant challenges in securing any environment include managing different local authentication mechanisms and differing account and password policies.

To address these challenges, Enterprise Hybrid Cloud uses Active Directory as a centralized identity management system for VMware and Dell EMC components. The solution also uses Kerberos, LDAPS, and Terminal Access Controller Access Control System Plus (TACACS+) authentication protocols to integrate each solution component with Active Directory and ensure that all authentication and authorization communications are encrypted.

Active Directory provides a single point of control for account management and policy enforcement. The following figure shows the hierarchy of authentication communication paths used in Enterprise Hybrid Cloud.

Figure 2 Authentication relationships between the solution components


Active Directory Domain Services

Many of the systems and services that comprise an Enterprise Hybrid Cloud do not natively integrate with Active Directory but do support LDAPS integration when domain controllers are configured to enable such support. Active Directory exclusively uses a server authentication certificate in the ADDS certificate store for LDAPS connections.

Before you implement LDAPS, ensure that you consider the following important details:

• Automatic certificate enrollment (auto-enrollment) cannot be used with certificates in the ADDS personal certificate store

• Current command-line tools do not allow certificate management of the ADDS personal certificate store

• Certificates must be imported into the store and not moved through the certificates console

Installation of the server authentication certificate in the ADDS certificate store is only required on a server that has multiple certificates for server authentication in the local computer certificates store. If possible, the best solution is to have only one certificate in the local computer personal certificate store.

IWA and Microsoft SQL Server service accounts

In a production environment, it is a security best practice to use service accounts to track and control applications and to mitigate the impact of a potential systems compromise.

The Integrated Windows Authentication (IWA) feature in Microsoft SQL Server provides better security than SQL Server authentication by taking advantage of Active Directory user security and account mechanisms. Enterprise Hybrid Cloud uses IWA for the SQL Server databases and service accounts for vCenter Server, vRealize Automation IaaS, and VMware vSphere Update Manager.

Integrated Windows Authentication

When an application connects through an Active Directory user account, SQL Server validates the account name and password using the Active Directory principal token in the operating system. This means that Active Directory confirms the user identity. SQL Server does not request the password and does not perform the identity validation.

Integrated Windows Authentication uses the Kerberos secure authentication protocol and provides a centralized mechanism for account management, including password policy enforcement, account lockout, and password expiration. Integrated Windows Authentication offers additional password policies that are not available for SQL Server logins.

Microsoft SQL Server service accounts

Microsoft recommends isolating each SQL Server service under a separate, low-rights Active Directory or local user account. By using the principle of least privilege (POLP), this reduces the risk that one compromised service could be used to compromise other services.

During installation of SQL Server, you can configure the service account for each service. You can later use SQL Server Configuration Manager to manage or replace the accounts.

The hierarchy of accounts (from least privileged to most privileged) is:


1. Domain user (non-administrative)

2. Local user (non-administrative)

3. Network service account

4. Local system account

5. Local user (administrative)

6. Domain user (administrative)

Account types 1 and 2 are preferred because they best encompass the principle of least privilege. Account type 3 is a shared account, and any applications or services running under this account would potentially have access to each other's data. Local system is a built-in account with very high privileges; it has extensive privileges on the local system and acts as the persona of the computer on the network. Account types 5 and 6 are less secure because they grant too many unneeded privileges. Enterprise Hybrid Cloud uses domain user (non-administrative) accounts.

Active Directory integration

The solution components listed here can be directly integrated with Active Directory.

• VMware vRealize Log Insight
• VMware vRealize Operations Manager
• VMware vRealize Automation: Tenant identity stores
• VMware vSphere ESXi hypervisor
• Dell EMC VMAX™
• Dell EMC Unity™ Hybrid Flash Array
• Dell EMC VNX™
• Dell EMC ScaleIO™
• Dell EMC VPLEX™
• Avamar
• Data Protection Advisor
• ViPR
• CloudLink SecureVM modular add-on for virtual machine encryption

We used Active Directory groups mapped to corresponding roles in each of these components. Membership of the Active Directory groups confers the rights associated with the roles to administrative and end users.

Note

VPLEX does not currently support the mapping of roles to either Active Directory or LDAP directory-based groups.

VMware vRealize Automation: Tenant identity stores

Enable LDAPS for higher security.

Enterprise Hybrid Cloud uses an Active Directory identity store to enable tenant integration with Active Directory. By default, authentication and authorization occur over LDAP. To enable LDAPS, import the CA chain into the Java cacerts keystore on the vRealize Automation virtual appliance. Use the ldaps:// protocol designator when specifying the identity store's Active Directory URL.


Note

The protocol designator can be specified only when adding the identity store. To change from using ldap:// to ldaps://, delete the identity store and re-create it with the correct designator.
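As an added example (not part of this guide or of vRealize Automation), this Python check inspects an identity-store Active Directory URL before the store is created, which is the only point at which the designator can be chosen. It flags the ldap:// designator, an IP-literal host that will not match the FQDN in the domain controller's LDAPS certificate unless that IP is in the SAN, and the cleartext port combined with ldaps://. The host names in the usage are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

CLEARTEXT_LDAP_PORT = 389


def check_identity_store_url(url: str):
    """Assess the Active Directory URL planned for an identity store.
    Returns (ok, findings). A scheme finding can only be fixed by creating the
    store again with ldaps://, because the designator cannot be edited in place."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []

    if scheme == "ldap":
        findings.append("ldap:// carries binds and queries in cleartext; re-create the store with ldaps://")
    elif scheme != "ldaps":
        findings.append(f"unexpected scheme {parts.scheme!r}; expected ldaps://")

    host = parts.hostname or ""
    if not host:
        findings.append("no host in URL")
    else:
        try:
            ipaddress.ip_address(host)
            findings.append("host is an IP literal; the domain controller certificate names its FQDN "
                            "in the CN, so validation fails unless the IP is in the SAN")
        except ValueError:
            if "." not in host:
                findings.append(f"host {host!r} is not fully qualified; use the FQDN that matches the certificate")

    try:
        port = parts.port
    except ValueError:
        port = None
        findings.append("port is not numeric")
    if scheme == "ldaps" and port == CLEARTEXT_LDAP_PORT:
        findings.append("ldaps:// with port 389 targets the cleartext listener; use 636 "
                        "(or 3269 for the global catalog over TLS)")

    return scheme == "ldaps" and not findings, findings


if __name__ == "__main__":
    # Constructed host names, not from a real deployment.
    for candidate in ("ldap://dc01.example.com:389", "ldaps://10.0.0.10", "ldaps://dc01.example.com:636"):
        print(candidate, check_identity_store_url(candidate))
```

Because the keystore import described above must also be in place, a passing URL is necessary but not sufficient: the appliance still needs the CA chain in cacerts to accept the domain controller certificate.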

VMware Platform Services Controller

VMware Platform Services Controller (PSC) is an authentication broker and security token exchange solution that interacts with the enterprise identity store (Active Directory or OpenLDAP) on behalf of registered solutions to authenticate users.

• The VMware vCenter Server can be directly integrated with the PSC.

• The VMware NSX for vSphere can be indirectly integrated with Active Directory through PSC SSO.

Dell EMC recommends using the PSC installed on Windows because it provides greater visibility, ease of management, and the ability to use a single namespace throughout the Enterprise Hybrid Cloud Automation Pod. The PSC also simplifies deployments at scale, and a dedicated PSC providing SSO services in the Automation Pod is mandatory for implementation of a disaster recovery architecture where a multi-site PSC architecture is required.

VMware vRealize Automation

Learn about the differences between the default tenant and non-default tenants.

Default tenant

The PSC provides SSO capability for vRealize Automation users. The native Active Directory identity store type:

• Uses Kerberos to authenticate with Active Directory

• Does not require a search base DN, making it easier to find the correct Active Directory store

• Can be used only with the default tenant

When you have configured the default tenant's identity store, you can add tenant administrators and infrastructure administrators. We recommend using Active Directory groups to assign these roles to vRealize Automation administrative users.

Tenant administrators are responsible for configuring tenant-specific branding, and for managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant. IaaS administrators are responsible for configuring infrastructure source endpoints in IaaS, appointing fabric administrators, and monitoring IaaS logs.

Non-default tenant

vRealize Automation 7.1 allows the definition of multiple tenants, and each tenant must be associated with at least one identity store. While identity stores can be OpenLDAP or Active Directory, Enterprise Hybrid Cloud uses Active Directory.

Optionally, you can configure the domain alias with a value that allows users to log in by using userid@domain-alias as a username instead of userid@identity-store-domain. This value must be unique across all identity stores.

Tenant and infrastructure administrators must be configured for each tenant that is configured in vRealize Automation. We used Active Directory groups to assign these roles to hybrid cloud tenant administrative users.


TACACS+ authentication integration

TACACS+ provides an increased level of security through authentication, authorization, and accounting services and is a publicly documented TCP/IP protocol. TACACS+ encrypts credentials that are passed from the client device to the TACACS+ system and can be configured to use Active Directory as its authentication directory to enable centralized authentication.

VMware Identity Manager

In vRealize Automation version 7, authentication is drastically simplified and improved with the integration of VMware Identity Manager. VMware Identity Manager is no longer a separate identity appliance in the deployment topology. This means that customers no longer have to worry about issues encountered with maintaining, upgrading, and being dependent on a separate identity virtual appliance. vRealize Automation and VMware Identity Manager use the same database instance, which reduces deployment complexity and allows database scale solutions to work for both systems in lockstep.

VMware Identity Manager supports different authentication methods, such as username/password, Kerberos, SAML authentication, smart card / certificate, RSA SecurID, RADIUS, and so on.


CHAPTER 4

Centralized Log Management

VMware vRealize Log Insight provides administrators with a single point of visibility into the environment and with alert notifications through email or vRealize Operations Manager. Where an organization already has a Security Information and Event Management (SIEM) system in place, Log Insight can act as an aggregator to forward events to the SIEM, providing the security team with a single integration point for the entire solution. This chapter presents the following topics:

• Log management overview .............. 26
• VMware vRealize Log Insight remote syslog architecture .............. 27
• Centralized logging integration .............. 29
• Content packs for VMware vRealize Log Insight .............. 31
• Configuring alerts .............. 32


Log management overview

Many key solution resources continuously record operational and security-related events to a local log. When a security incident occurs, log files can help you track down the root cause. Without log file consolidation, investigating the root cause can be laborious and time-consuming. Running a reliable and secure data center is a continual process of planning, delivering, and operating. Without a consolidated view of your infrastructure's system log data, your data center is incomplete and at risk. The risks include:

• Lack of central and holistic visibility into security-related events

• Inability to easily correlate events that would indicate a security breach

• Log files being overwritten, causing you to lose log entries that are critical for security, compliance, and troubleshooting

• Increased downtime for applications and servers, because more time is needed to locate and search system log files when problems occur

• Security risks such as malicious attacks or unauthorized logins occurring without your knowledge

• Loss of historical system logs, leaving you unprepared to report local authentications or maintain compliance

Consolidated system logging is a critical data center feature that is commonly not implemented because of its complexity. Many IT organizations rely solely on data center monitoring tools, which, while useful, mostly focus on raw metrics (such as CPU utilization, memory consumption, and storage I/O) and completely ignore log files and security events. When system log files are ignored, valuable security information is overlooked.

Every component in Enterprise Hybrid Cloud, and every virtual machine, including operating system and applications, generates numerous log messages per day. Troubleshooting and finding root causes for issues in the environment is challenging unless the logs can be aggregated and queried.

To address these challenges, Enterprise Hybrid Cloud uses VMware vRealize Log Insight to deliver real-time log management and analysis, with machine learning-based Intelligent Grouping and high-speed interactive search. vRealize Log Insight is a powerful security tool that consolidates logs across the entire Enterprise Hybrid Cloud and enables administrators to perform security auditing and compliance testing as well as log querying, aggregation, correlation, and retention.

vRealize Log Insight is tightly integrated with vCenter Server and ESXi and includes built-in knowledge and native support for vRealize Operations Manager. Alerts are configured to notify security administrators by email or through the vRealize Operations Manager dashboards.

The following figure shows how vRealize Log Insight integrates with the components of Enterprise Hybrid Cloud for centralized logging.


Figure 3 Centralized logging of hybrid cloud components with vRealize Log Insight

Each component is configured to forward log messages to vRealize Log Insight using remote syslog. vRealize Log Insight then enables you to search for security events across all the consolidated data. For example, to search for logins across the infrastructure, you can search across all the components that make up Enterprise Hybrid Cloud, and view the results in a chart, as shown in the following figure. In addition, you can create and save your own custom queries and custom security dashboard.

Figure 4 Searching for security events with vRealize Log Insight

VMware vRealize Log Insight remote syslog architecture

For smaller instances of this platform, every device for which you want to collect events is configured to send events directly to one or more vRealize Log Insight instances, as shown in the following figure.


Figure 5 vRealize Log Insight client/server architecture

This client/server architecture is suited to environments that:

• Are greenfield, with no syslog operations to date

• Use automation or configuration management

• Have fewer than 750 devices sending remote syslog data

For larger instances of this platform, you can implement a distributed vRealize Log Insight deployment, with a master node and up to five worker nodes deployed in a cluster configuration, as shown in the following figure. With this configuration, if any node goes down, the load balancer can redirect traffic to the remaining nodes.

Note

A worker node stores forwarded syslog events and processes queries against the log data it stores on behalf of the master node.


Figure 6 Master node-worker node relationship

For information on sizing vRealize Log Insight for this platform, see the Enterprise Hybrid Cloud 4.1.2 Reference Architecture Guide.

Centralized logging integration

Many syslog implementations only support the User Datagram Protocol (UDP). vRealize Log Insight can receive syslog-formatted events over the UDP, TCP, and TLS protocols. In high volume environments, TCP provides a significant performance improvement over UDP. TCP supports more events over fewer connections and, because TCP is a lossless protocol, it minimizes message loss. TLS ensures that event details are transmitted over the network in a confidential manner.

vRealize Log Insight consolidates and archives all log data in Enterprise Hybrid Cloud and creates a historical record that enables:

• Storage of events in sufficient detail and with accuracy

• Retention of audit logs for a determined period consistent with the enterprise security policy

• Identification of security incidents and policy violations as they occur

• Auditing and forensic analysis

• Establishment of baselines that can be used to detect future anomalous behavior

When data has been collected, you can use vRealize Log Insight to perform ad-hoc searches across all the event data. The following figure shows an example of a successful-logins-by-source query.


Figure 7 Example vRealize Log Insight dashboard for vCenter Server

You can save queries you perform often as Favorites and use them to create charts, dashboard widgets, and alerts. In large environments with numerous log messages, you can use runtime field extraction with vRealize Log Insight to instantly locate and extract the most important data fields using regular expressions.
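The successful-logins-by-source query in the figure above and the runtime field extraction described here both come down to named regular-expression groups applied at query time. The following Python is an added example, not Log Insight code: it applies the same idea to a handful of constructed syslog lines modelled on ESXi hostd authentication messages (the hostnames, addresses and event numbers are made up) and aggregates the extracted fields the way a dashboard widget would.

```python
"""Regex field extraction and aggregation over syslog events.

Added illustration of runtime field extraction; not vRealize Log Insight code.
"""
import re
from collections import Counter

# Constructed sample events approximating ESXi hostd authentication messages
# as received over syslog: timestamp, hostname, process, message.
SAMPLE_LINES = [
    "2018-02-12T09:14:02.113Z esx01.lab.local Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 4121 : User root@10.10.20.5 logged in as VMware-client/6.5.0",
    "2018-02-12T09:14:09.517Z esx01.lab.local Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 4122 : User svc-backup@10.10.30.7 logged in as pyvmomi Python/3.6",
    "2018-02-12T09:15:44.002Z esx02.lab.local Hostd: [Originator@6876 sub=Default] "
    "Rejected password for user root from 10.10.99.42",
    "2018-02-12T09:15:45.310Z esx02.lab.local Hostd: [Originator@6876 sub=Default] "
    "Rejected password for user root from 10.10.99.42",
    "2018-02-12T09:16:01.900Z esx01.lab.local Hostd: [Originator@6876 sub=Vimsvc.ha-eventmgr] "
    "Event 4130 : User root@10.10.20.5 logged in as VMware-client/6.5.0",
    # A non-authentication line, to show that unrelated events are skipped.
    "2018-02-12T09:16:30.001Z esx01.lab.local vmkernel: cpu3:66108)NetPort: 1580: disabled port 0x2000006",
]

# Syslog header: timestamp, hostname, then the application name before ':'.
HEADER_RE = re.compile(r"^(?P<timestamp>\S+) (?P<hostname>\S+) (?P<appname>[^:\s]+):")
# Named groups play the role of extracted fields in Log Insight.
LOGIN_RE = re.compile(r"User (?P<user>[^@\s]+)@(?P<source>\S+) logged in")
REJECT_RE = re.compile(r"Rejected password for user (?P<user>\S+) from (?P<source>\S+)")


def parse_event(line):
    """Return header fields plus user, source and outcome, or None when the
    line is not an authentication event."""
    header = HEADER_RE.match(line)
    if not header:
        return None
    event = header.groupdict()
    match = LOGIN_RE.search(line)
    if match:
        event.update(match.groupdict(), outcome="success")
        return event
    match = REJECT_RE.search(line)
    if match:
        event.update(match.groupdict(), outcome="failure")
        return event
    return None


def extract_field(lines, pattern, field):
    """Runtime field extraction: pull one named group out of every line that
    matches the pattern, in log order."""
    regex = re.compile(pattern)
    return [m.group(field) for m in map(regex.search, lines) if m]


def logins_by_source(lines, outcome):
    """Count authentication events with the given outcome per source address."""
    events = (e for e in map(parse_event, lines) if e is not None)
    return Counter(e["source"] for e in events if e["outcome"] == outcome)


def successful_logins_by_source(lines):
    return logins_by_source(lines, "success")


def failed_logins_by_source(lines):
    return logins_by_source(lines, "failure")


if __name__ == "__main__":
    print("successful logins by source:", dict(successful_logins_by_source(SAMPLE_LINES)))
    print("failed logins by source:   ", dict(failed_logins_by_source(SAMPLE_LINES)))
    print("users seen logging in:     ", extract_field(SAMPLE_LINES, r"User (?P<user>[^@\s]+)@", "user"))
```

The two failures from 10.10.99.42 against esx02 are exactly the kind of result that would feed the authentication-failure widget on the custom dashboards shown later in this chapter.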

Configure the following components of the hybrid cloud management platform to forward their application logs to vRealize Log Insight:

• ViPR

• VMAX

• VNX

• Avamar

• Data Protection Advisor

• VMware vSphere ESXi hosts

• VMware vRealize Automation

• VMware vRealize Application Services

• VMware vRealize Operations Manager

• VMware vRealize Configuration Manager

• VMware vRealize Business for Cloud

• VMware NSX for vSphere Manager

• VMware vRealize Orchestrator

• VMware vCenter Server

• VMware vRealize Log Insight

• All physical compute, fabric, and network devices

Content packs for VMware vRealize Log Insight

Analysis of forwarded events can be enhanced using pre-packaged VMware, Dell EMC, partner, and community-provided content packs, which are available on the VMware Solution Exchange.

Content packs are read-only plug-ins to vRealize Log Insight that provide predefined knowledge about specific types of events, such as log messages. A content pack provides knowledge about a specific set of events in a format that is easily understood by security administrators, monitoring teams, and auditors. Each content pack is delivered as a file, and can be imported through the vRealize Log Insight web UI.

The following content packs are available for components of Enterprise Hybrid Cloud:

• Avamar content pack

• VMAX content pack

• VNX content pack

• vRealize Automation 7.3 content pack for vRealize Log Insight

• vRealize Operations Manager content pack for vRealize Log Insight

• VMware vSphere content pack (bundled with vRealize Log Insight)

• Additional content packs for Microsoft Windows, Microsoft Active Directory, and other partner solutions

The content packs for Avamar, VNX, and VMAX provide dashboards and user-defined fields specifically for those products. They enable administrators to analyze problems on their VNX and VMAX arrays or backup infrastructure. Many of these content packs include dashboards with security-related charts and widgets that provide at-a-glance visibility into security-related events.

Custom dashboards and widgets can be manually created for components for which content packs do not exist. Each widget provided by a content pack can be cloned and added to a personalized dashboard that contains only the views required by the user.

The following figure shows an example of a customized vRealize Log Insight dashboard that presents Avamar backup failures, vCenter and Windows authentication failures, and ESXi host firewall changes. This dashboard was created using widgets cloned from the content packs installed for Enterprise Hybrid Cloud.


Figure 8 Custom vRealize Log Insight dashboard

The following figure shows another customized dashboard created from multiple content packs.

Figure 9 Custom vRealize Log Insight security dashboard

Configuring alerts

Enterprise Hybrid Cloud uses vRealize Operations Manager to monitor the cloud management platform, compute resources, and tenant workloads used in production.

vRealize Log Insight integration with vRealize Operations Manager enables you to raise alerts for vRealize Log Insight queries and send notifications to Operations Manager based on a configurable threshold, as shown in the following figure.
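A threshold alert of the kind shown in the figure fires when a saved query matches more than N events within a time window. The following Python is an added example, not Log Insight code, that implements that logic over constructed failed-login events (addresses and times are made up) so the effect of the threshold and window choices can be seen: a fast burst from one source trips a five-minute window, while a slow guessing campaign spread over half an hour only shows up once the window is widened.

```python
"""Sliding-window threshold alerting over authentication failures.

Added illustration of threshold-based alerting; not vRealize Log Insight code.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed failed-login events as (timestamp, source address). They are
# deliberately out of order to show that the detector sorts before windowing.
FAILED_LOGINS = [
    ("2018-02-12T09:15:44", "10.10.99.42"),
    ("2018-02-12T09:15:45", "10.10.99.42"),
    ("2018-02-12T09:15:47", "10.10.99.42"),
    ("2018-02-12T09:16:10", "10.10.20.5"),   # a single typo by an administrator
    ("2018-02-12T09:15:50", "10.10.99.42"),
    ("2018-02-12T09:15:52", "10.10.99.42"),
    ("2018-02-12T09:40:00", "10.10.30.7"),   # slow guessing: one failure every 7 minutes
    ("2018-02-12T09:47:00", "10.10.30.7"),
    ("2018-02-12T09:54:00", "10.10.30.7"),
    ("2018-02-12T10:01:00", "10.10.30.7"),
    ("2018-02-12T10:08:00", "10.10.30.7"),
]


def threshold_alerts(events, threshold=5, window_seconds=300):
    """Return one notification per source each time `threshold` events from
    that source fall inside a span of `window_seconds`.

    After a notification the source's window is cleared, so a sustained
    attack produces one alert per burst rather than one per event.
    """
    window = timedelta(seconds=window_seconds)
    parsed = sorted((datetime.fromisoformat(ts), src) for ts, src in events)
    recent = defaultdict(deque)     # source -> timestamps inside the window
    alerts = []
    for ts, src in parsed:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:   # evict timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "source": src,
                "count": len(q),
                "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for seconds in (300, 3600):
        print(f"threshold 5 in {seconds}s:")
        for alert in threshold_alerts(FAILED_LOGINS, threshold=5, window_seconds=seconds):
            print("  ", alert)
```

The slow source 10.10.30.7 never appears with a five-minute window and is reported only with the one-hour window, which is why a single threshold alert should be paired with a longer-window variant or a baseline dashboard rather than relied on alone.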


Figure 10 vRealize Log Insight alert configured to send a notification to vRealize Operations Manager

You can also configure predefined alerts to be installed when content packs are imported to vRealize Log Insight. The following figure shows an example of a number of security-related alerts imported by the Microsoft Active Directory content pack.

Figure 11 Examples of security alerts installed in vRealize Log Insight

In addition, the integration between vRealize Log Insight and vRealize Operations Manager enables a Launch in context menu in the vRealize Operations Manager dashboard. You can use this menu to launch a vRealize Log Insight interactive analytics dashboard that displays events related to the selected vRealize Operations Manager object.

The example in the following figure uses the integration between Log Insight and vRealize Operations Manager: the Actions menu in vRealize Operations Manager triggers a search of all relevant Log Insight information on the selected item.

Figure 12 Search logs for the cloud management platform directly from vRealize Operations Manager

The launch-in-context functionality filters the logs with a hostname equals constraint for each selected host, so that only events matching those hosts are displayed, as highlighted in the following figure.


Figure 13 vRealize Log Insight filtering logs for the management cluster components

For more information about vRealize Operations Manager and the role it plays in Enterprise Hybrid Cloud, see the Enterprise Hybrid Cloud 4.1.2 Reference Architecture Guide and the Enterprise Hybrid Cloud 4.1.2 Concepts and Architecture Guide.


CHAPTER 5

Network Security

Learn about the network architecture of Enterprise Hybrid Cloud, the design considerations for the network environment, and recommended security best practices. This chapter presents the following topics:

• Network Security overview (page 38)

• Solution architecture (page 38)

• VMware NSX for vSphere (page 44)

• VMware NSX for vSphere extensibility with Palo Alto Networks firewalls (page 46)

• VMware NSX firewall policy creation (page 47)

• N-tier application considerations (page 48)

• Cross-vCenter NSX (page 50)

• Micro-segmentation use cases (page 52)


Network Security overview

Use this chapter as a reference to begin the networking and security planning and design process for your hybrid cloud and to set the stage for a successful implementation.

This chapter discusses the security aspects of Enterprise Hybrid Cloud networking, introduces VMware NSX for vSphere, and demonstrates the value of NSX network and security integration in Enterprise Hybrid Cloud. Focusing on the network infrastructure and deployment options, the chapter describes the key elements for creating a secure service offering and the processes required to implement and secure the network infrastructure. In addition, it includes common use cases for providing connectivity and security to dynamically provisioned application workloads.

Solution architecture

Enterprise Hybrid Cloud requires architecture that:

• Is resilient to failure

• Provides distributed deployment with high availability

• Provides optimal throughput for workloads

• Ensures multitenancy and secure separation

The following figure shows a logical representation of the hybrid cloud environment and highlights the management, network, and tenant compute pods and clusters.


Figure 14 Enterprise Hybrid Cloud environment

Physical connectivity

When designing the physical architecture, our main considerations were high availability, performance, and scalability.

As shown in the example network topology, each layer of the physical architecture is fault-tolerant, with physically redundant connectivity throughout. The loss of any one infrastructure component or link does not result in loss of service to the tenant; if the architecture is scaled appropriately, the loss of a component or link does not affect service performance.

The following figure also shows the connectivity between the physical storage, network, and converged fabric components deployed in Enterprise Hybrid Cloud.


Figure 15 Physical topology of the network

Virtual link aggregation

The network design uses IEEE 802.1AX virtual link aggregation (vLAG) trunks to provide seamless operation in the event of a hardware or link failure by enabling fault tolerance and high-speed links between the distribution, access, and converged layers.

Note

Link aggregation (LAG) is variously known across vendors' implementations as virtual port channels, split multi-link trunks, multi-chassis trunking, or multi-switch link aggregation.

vLAG trunks bundle multiple physical Ethernet links between two or more devices into a single logical link. If a physical link or switch fails, the traffic is automatically redistributed over the remaining physical links. Because multiple physical links are considered a single logical link in a vLAG trunk, physical link failures do not result in loops. If the status of a member link changes, vLAG prevents a service-interrupting spanning-tree recalculation and resulting convergence.

vLAG trunks also load balance traffic across all available links by using a load-balancing algorithm to determine the physical port used. This provides an aggregate bandwidth equal to the sum of the bandwidth across all the physical links.

Configuring vLAG

For vLAG trunks to function, cross-connect one or more physical links between the distribution and access switches, and between the access and converged layer switches, as shown in Figure 15 on page 40. vLAG trunks are dedicated to carrying the virtual local area networks (VLANs) and corresponding data. Typically, you should ensure that the 10 GbE ports used are in dedicated mode to avoid oversubscription issues and potential packet loss.

Depending on the vendor, a separate link that is not a member of the vLAG trunk might be required between each switch pair to synchronize state and prevent any packet duplication. This control link can be a Layer 2 or Layer 3 link between the switches. While the link typically does not carry regular network traffic, it is critical to the fault-tolerant operation of the design. The control link does not have to be configured as a LAG, but the LAG configuration provides fault tolerance. You can optionally configure the control link to sit in its own virtual routing and forwarding (VRF) table to enable reuse of the same control-link IP addresses on every pair of devices.

Physical network connectivity to the compute layer is provided over a converged network and Fibre Channel fabric to the fabric extenders on the compute blade chassis. Each link is capable of 10 Gb/s, which enables four 10 GbE network interfaces to be presented to each ESXi host.

Logical network topology

The logical network topology for Enterprise Hybrid Cloud is designed to address the requirements of multitenancy and secure separation of the tenant resources. The topology is also designed to align with security best practices from vendors such as VMware that segment networks according to purpose or traffic type. For example, configuring an isolated network segment for VMware vSphere vMotion traffic between ESXi hosts helps prevent attacks in which the transfer of guest memory, which is unencrypted unless encrypted vMotion (vSphere 6.5 and later) is enabled, is intercepted by an attacker and reconstructed to gain access to potentially sensitive data.

The following figure shows the logical topology of the solution's physical and virtual networks. We used VLANs to provide segmentation of the networks at Layer 2 in the cloud management pod (Automation Pod), because that environment is likely to be static and is an extension of existing management networks.

We configured the trunks on the physical network infrastructure to allow access by only the VLANs and private VLANs (PVLANs) required for operations within the hybrid cloud environment. This best practice helps to conserve valuable resources such as Spanning Tree Protocol (STP) logical interfaces. Each switch supports a limited number of STP logical interfaces, and this number can be depleted before the VLAN limit is reached, especially in a multitenant environment. Pruning also limits the Layer 2 reach of a compromised host or misconfigured port to the VLANs it actually requires. Therefore, pruning and carrying only the necessary VLANs can be of critical importance.


Figure 16 Logical topology with clusters, pods, and functional networks

We created a cloud management vSphere Distributed Switch (vDS) spanning the Automation Pod and Network Edge Infrastructure (NEI) Pod. We created a separate resource vDS spanning the Workload Pods. By doing so, we created a logical and physical boundary segmenting the management and tenant workload traffic flows and enabling a more focused approach to performance and security monitoring. Both vDSs were spanned to the NEI Pod to establish connectivity with the physical core.

Implementing a separate vDS for Workload Pods enables you to limit administrative access to the cloud management vDS, which has comparatively few networks compared with possibly thousands of dynamic tenant networks. This configuration also makes it easier to establish a baseline for management traffic and identify flows that fall outside expected characteristics. A number of port groups are defined within the cloud management vDS to provide Edge connectivity for services such as backup and Active Directory.

We configured the resource vDS with a single port group for Edge connectivity. The remaining port groups on this vDS were created by NSX when the hosts were prepared for network virtualization. The VMware Virtual Extensible LAN (VXLAN) network segments (also called logical switches) were configured by the administrator through the Network and Security view in the vSphere Web Client.

Overlay networks with VXLAN

VXLAN is an overlay technology for network virtualization that provides network abstraction, elasticity, and scaling across the data center.

VXLAN provides an architecture for scaling your applications across clusters and pods without any physical network reconfiguration. With VXLAN, physical switches do not need to be reconfigured when a VXLAN network is created. Instead, VXLAN virtual wires or networks can be deployed over a single transit VLAN or multiple transit VLANs. The decoupling of virtual networks from physical networks provides great flexibility and agility without affecting or requiring changes to the physical network. This enables rapid and dynamic provisioning of new networks at a theoretical scale of millions of VXLAN networks.

The fact that VXLAN overlays can be used to dynamically segment network traffic is of importance to the security posture of enterprise workloads. The scalability limitations of VLANs are no longer an impediment to segmenting mission-critical applications and creating as many trust zones as necessary.

The VXLAN port groups all share the same VLAN. This is one of the key benefits of implementing VXLAN. You can use one VLAN as the physical transport for VXLAN overlay networks. This reduces the required configuration of the ESXi host and top of rack (TOR) physical switches to a single VLAN and enables the virtual VXLAN networks to scale to 6,500 (assuming static port groups) per vDS.

Supporting infrastructure services

To support infrastructure operations, Dell EMC recommends configuring networking on each ESXi host throughout the environment to enable connectivity to the backup and vMotion networks.

Configure a VMkernel interface for NFS and vMotion on each ESXi host and create a port group for the Avamar proxy virtual machines on the cloud management vDS to complete the network connectivity.

Network environment for data protection

The high levels of deduplication and compression provided by the Avamar system contribute to minimal data being sent across the LAN. However, as a best practice design for performance, availability, and security, use a dedicated network for the backup infrastructure, separate from the production networks, within which the Avamar server nodes and proxy virtual servers reside.

All Avamar proxy servers should be configured with an isolated PVLAN ID, with the result that they can communicate only with the Avamar server nodes and not with any other system on the backup network. The backup infrastructure resources are further protected by the isolation of the backup network from other Layer 3 networks. By separating production and backup data on the networks, an attacker who gains control of a virtual machine cannot compromise additional systems by using the backup network. Where communications must be allowed to enable the solution to function correctly, a firewall mediates the access attempt and permits the connection if authorized, for example, for management of the Avamar system by backup administrators, and for control communications with Data Protection Advisor, vRealize Automation, vRealize Operations Manager, and vCenter Server instances.

In Enterprise Hybrid Cloud, access between the production network and the backup network is permitted only through a firewall policy that restricts access to the Avamar management and control planes to authorized administrators and orchestration processes.

Automation and provisioning

With improvements in server virtualization, network configuration has become a chokepoint of the provisioning process when new applications are being deployed. VXLAN overlay networks greatly simplify the configuration of physical networking equipment, while increasing the scale and speed of deploying new networks and logical switches.

A virtual application can be deployed in minutes. Planning, designing, and configuring the network and security elements to support the application often can take days or weeks. Using the automation capabilities of vRealize Automation, NSX can significantly reduce the time required for the provisioning, update, and removal processes. Multiple networks and a router, a firewall, and a load balancer can be deployed dynamically with the virtual machine components of a blueprint. This capability enables the delivery of an application stack and supporting services to production users within minutes, including all the necessary network and security services.

VMware NSX for vSphere

VMware NSX offers additional functionality and improved performance.

The additional functionality includes distributed logical routing, distributed virtual firewalling, logical load balancing, and support for routing protocols such as Border Gateway Protocol (BGP), Intermediate System to Intermediate System (IS-IS), and Open Shortest Path First (OSPF). NSX also provides substantial performance improvements in throughput, with logical routing and firewalling providing line-rate performance distributed across many hosts instead of being limited to a single virtual machine or physical host.

NSX Distributed Logical Router

The NSX Distributed Logical Router (DLR) performs all east-west workload traffic routing at the hypervisor level.

DLR ensures that as long as the workloads are on the same host, even if they are on different subnets, the traffic does not leave that host. If the workloads are on separate hosts, the traffic takes the optimal path directly from one host to the other, again without having to take a hairpin route through a virtual appliance or physical router in the data center core. This offers optimal traffic flows and significant performance gains.


NSX Distributed Firewall

The NSX Distributed Firewall (DFW), which is implemented as a hypervisor kernel module, eliminates the need to route traffic through virtual or external physical firewalls for inspection.

Traffic is analyzed by the hypervisor when it leaves the source virtual machine's virtual network interface card (vNIC) and before it enters the vNIC of the destination virtual machine. It is this enforcement at the vNIC level that enables east-west virtual machine separation. For more information, see N-tier application considerations.

Because NSX is integrated with vCenter Server, it can use the vCenter inventory and filter on more than just source and destination IP addresses or ports. Rules can be applied to virtual machines, security groups, clusters, and data centers. Security groups can also have dynamic membership, which enables rules to be applied based on virtual machine attributes such as guest operating system, virtual machine name, or security tags. Because inspection is performed at the hypervisor level, traffic does not have to be steered through and analyzed by another device or virtual machine on the network.

NSX Flow Monitoring

NSX Flow Monitoring provides a detailed view of historical and real-time traffic flows.

These flows can be shown in aggregate, by service, or by virtual machine. The data can be used for troubleshooting performance issues, firewall misconfigurations, or rogue traffic on the network.

NSX Logical Load Balancer

The NSX Logical Load Balancer (LLB) enables load sharing across a pool of virtual machines.

It provides intelligent application monitoring, so that if a virtual machine in the pool stops responding, it is automatically taken out of the pool and no traffic is sent to it until it becomes responsive again. The load balancer can either be deployed as a service on an Edge appliance that acts as the network gateway, or in "one-arm" mode, where it has a single interface on the network and is not the gateway. It can support throughput of up to 9 Gb/s and 130,000 connections per second. The load balancer can also be deployed in High Availability (HA) mode.

NSX Service Composer

Inside NSX, the Service Composer is a built-in tool that defines a new model for consuming network and security services; it enables you to provision and assign firewall policies and security services to applications in real time in a cloud data center. Security policies are assigned to groups of virtual machines, and the policy is automatically applied to new virtual machines as they are added to the group.

NSX Service Composer integrates with third-party security services. These services can identify virtual machines on the network that are infected with malware or with known vulnerabilities and place them into a quarantine security group that restricts the virtual machines until the issue is resolved.


Security groups, policies, and tags

Security groups

A security group is a collection of assets or grouping objects from the vSphere inventory. The grouping feature enables you to create custom containers to which you can assign resources such as virtual machines and network adapters for distributed firewall protection. After a group is defined, you can add the group as source or destination to a firewall rule for protection.

The dynamic mapping capability of security groups allows you to define the criteria that an object must meet for it to be added to a security group you are creating. This enables you to include virtual machines in a security group by defining a filter criterion that can be selected from a range of attributes. For example, you might include a criterion to add all virtual machines that run a specific operating system such as Microsoft Windows Server 2003.

Security policies

A security policy is a set of endpoint, firewall, and network introspection services that can be applied to a security group. During vRealize Automation data collection, the security policies that have been defined in NSX appear in the Security tab. From there, the tenant administrator or business group manager can assign security policies to selected component machines. For example, you could apply a web security policy to a web component.

Security tags

Security tags are additional, customizable criteria that you can use to create security policies. Tags can be manually created and assigned to virtual machines, or they can be added to virtual machines dynamically. Certain third-party software programs that integrate with NSX can also consume and update these tags. For example, an anti-virus application could label a virtual machine with the tag ANTI_VIRUS.VirusFound.threat=high. This tag could then be included in a firewall rule that automatically blocks all traffic to or from the tagged virtual machine.

VMware NSX for vSphere extensibility with Palo Alto Networks firewalls

Because NSX for vSphere is a networking option with Enterprise Hybrid Cloud, you can use the integration developed by VMware and Palo Alto Networks to expand your cloud capabilities. Integrating VMware NSX and Palo Alto Networks VM-Series firewalls with Enterprise Hybrid Cloud extends the protections offered by NSX for vSphere to your physical data center.

With the integrated VMware and Palo Alto Networks solution, you can access an advanced security feature set that:

• Protects north-south and east-west traffic and offers software-defined networking with VMware NSX and the Palo Alto Networks VM-Series

• Maintains dynamic context-based policies across:

  ◦ NSX security groups

  ◦ Palo Alto Networks dynamic address groups

• Simplifies meeting security and compliance mandates by protecting against known and unknown threats, including exploits, viruses, spyware, malware, and advanced persistent threats (APTs):

  ◦ Reduces the attack surface with application whitelisting

  ◦ Blocks known threats using an integrated Intrusion Prevention System (IPS)

  ◦ Blocks unknown threats by using Palo Alto Networks WildFire

• Centralizes management and automation:

  ◦ Common firewall management with Palo Alto Networks Panorama

  ◦ Automated deployment with NSX and Panorama

For information on how to integrate the VM-Series from Palo Alto Networks with NSX for vSphere, see the Next Generation Security with VMware NSX and Palo Alto Networks VM-Series technical white paper on the VMware.com website.

VMware NSX firewall policy creation

Multiple firewall rule criteria

The traditional model of firewall rule creation is based on network traffic sources and destinations defined using the IP addresses of relevant hosts (and virtual machines), groups of IP addresses, or the subnets containing groups of IP addresses. This model can require a significant amount of preparation and administration when IP addresses change.

NSX goes beyond this model by providing multiple additional options for defining firewall rule sources and destinations. Because NSX can understand virtual machine attributes, you can create rules based on criteria such as virtual machine names, virtual machine operating systems, and descriptive tags. These non-IP based rules simplify the creation, organization, and maintenance of rules, and they yield a smaller, simpler rule set.

Here are some examples of rules you can create with NSX:

• The source of the network traffic is defined as all virtual machines where the guest OS is Windows, and the destination is a local patching/update server

• Virtual machines whose name contains the term application-server can be reached only from virtual machines whose name contains the term web-server

• Criteria are combined using the AND or OR condition. For example, the guest OS must be Windows AND the virtual machine name must contain the term application-server

This method of rule creation directly supports the micro-segmentation model described in N-tier application considerations on page 48.

Dynamic rules

The NSX model of rule creation is inherently dynamic, supporting the rapid elasticity that is a main benefit of embracing the hybrid cloud.

As virtual machines that match the rule criteria are added, they automatically inherit the correct security policies. When virtual machines are removed, you do not need to edit the security policy.

With the first rule example described in Multiple firewall rule criteria on page 47, any virtual machines created where Windows is the guest OS automatically match the rule and can reach the patch server; no update of the policy is required to enable that network communication. With the second example, the groups of web server and application server virtual machines can be dynamically scaled up and down as capacity needs dictate, and the correct network communications are inherited automatically.

Network Security

VMware NSX firewall policy creation 47


With NSX, any virtual machine can also be manually included or excluded with a rule that also has defined virtual machine criteria.
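The following Python model is an added illustration of the behaviour described in this section; it is not code from this guide or from VMware, and it does not use the NSX API. It computes a security group's members from virtual machine attributes (name, guest OS, security tag) joined with AND or OR, honours manual include and exclude entries, and shows that adding a virtual machine that matches the criteria changes the membership without any change to the rule. All VM names, tags and group names are constructed sample data.

```python
"""Model of NSX-style non-IP firewall rule criteria and dynamic membership.

Constructed illustration, not NSX code or its API. A security group's members
are derived from VM attributes combined with AND/OR, plus manual
include/exclude lists; re-evaluating after inventory changes shows why the
rule itself never needs editing. VM names and tags are sample data.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    guest_os: str
    tags: frozenset = frozenset()


@dataclass(frozen=True)
class Criterion:
    attribute: str   # "name", "guest_os" or "tag"
    op: str          # "contains" or "equals"
    value: str

    def matches(self, vm):
        if self.attribute == "tag":
            return self.value in vm.tags
        actual = getattr(vm, self.attribute).lower()
        value = self.value.lower()
        return value in actual if self.op == "contains" else actual == value


@dataclass
class SecurityGroup:
    name: str
    criteria: list = field(default_factory=list)   # list of Criterion
    combine: str = "AND"                            # how criteria are joined
    include: set = field(default_factory=set)       # VM names always members
    exclude: set = field(default_factory=set)       # VM names never members

    def members(self, inventory):
        """Names of the VMs in the inventory that currently belong to the group."""
        result = set()
        for vm in inventory:
            if vm.name in self.exclude:
                continue
            hits = [c.matches(vm) for c in self.criteria]
            dynamic = bool(hits) and (all(hits) if self.combine == "AND" else any(hits))
            if vm.name in self.include or dynamic:
                result.add(vm.name)
        return result


def sample_inventory():
    """Constructed inventory; the names follow the examples in the text."""
    return [
        VM("web-server-01", "Ubuntu Linux"),
        VM("application-server-01", "Windows Server 2016"),
        VM("application-server-02", "Ubuntu Linux"),
        VM("db-server-01", "Red Hat Linux"),
        VM("legacy-app-01", "Ubuntu Linux"),
        VM("patch-01", "Windows Server 2016", frozenset({"patch-server"})),
    ]


def sample_groups():
    """Groups modelled on the three rule examples in the text (assumed names)."""
    return {
        # first example: every VM whose guest OS is Windows, and the patch server
        "windows-vms": SecurityGroup("windows-vms",
                                     [Criterion("guest_os", "contains", "Windows")]),
        "patch-servers": SecurityGroup("patch-servers",
                                       [Criterion("tag", "equals", "patch-server")]),
        # second example: tiers identified by name, with one manual include and
        # one manual exclude to show the override described in the text
        "web-servers": SecurityGroup("web-servers",
                                     [Criterion("name", "contains", "web-server")]),
        "application-servers": SecurityGroup(
            "application-servers",
            [Criterion("name", "contains", "application-server")],
            include={"legacy-app-01"}, exclude={"application-server-02"}),
        # third example: guest OS is Windows AND name contains application-server
        "windows-app-servers": SecurityGroup(
            "windows-app-servers",
            [Criterion("guest_os", "contains", "Windows"),
             Criterion("name", "contains", "application-server")],
            combine="AND"),
    }


def membership(groups, inventory):
    """Evaluate every group against the current inventory."""
    return {name: sorted(group.members(inventory)) for name, group in groups.items()}
```

Calling `membership()` once, appending a new Windows application server to the inventory, and calling it again shows the new machine appearing in both `windows-vms` and `windows-app-servers` while the group definitions are untouched.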

N-tier application considerations

Traditional three-tier architecture

N-tier architecture is a technique used by software developers to split components of an application to allow greater flexibility and modularity. A three-tier architecture typically consists of a presentation layer, a logic layer, and a storage layer. This architecture is commonly used for web applications, with web servers in the presentation layer, application and middleware components in the logic layer, and databases in the storage layer.

Security practitioners have adopted the three-tier model for best practices, because it fits well with the principle of least privilege. Granular security controls can be applied to allow only the minimum required network traffic through to each tier. For the web application example, best practices allow end-user traffic to reach the web servers only, using only required services such as HTTP/HTTPS. Network traffic to the application servers is similarly restricted to traffic from the web servers on specific ports. Traffic to the database servers is allowed only from the application servers to the ports used by the database servers. In a typical physical data center, these restrictions are achieved through Layer 3 separation of the tiers. This requires a different subnet for each tier and firewalls between the tiers that allow only the required traffic through, as shown in the following figure.

Figure 17 Traditional three-tier security architecture

The three-tier model is easily configured with NSX. However, because NSX firewall rules are enforced at the vNICs of each virtual machine, NSX provides increased flexibility for segmenting virtual machines. With NSX, web servers, application servers, and database servers can sit next to each other within a flat Layer 2 subnet, yet still have granular rules segmenting them from each other. This model can simplify the network organization of applications by, for example, providing a single class C subnet for each application.

Another benefit of this NSX model is the ability to achieve full application containerization. In the physical world, often all web servers in a demilitarized zone (DMZ) can see and talk to each other, even if they are not part of the same application. This is also true of application servers in a protected zone, and of database servers, which are often placed into an internal core network for licensing reasons (exposing the rest of the internal core network if a database server is compromised from the outside). With NSX, all tiers of an application can be fully containerized to ensure that if an application is compromised by an attacker at any tier, the attacker cannot pivot beyond the application to attack other applications or hosts within the same network zone.

Two-tier applications

While the three-tier application model is prevalent, some applications are designed to be split into only two tiers. These applications generally combine the presentation and logic layers, while keeping the database tier separate. This model is becoming more common in applications developed using frameworks such as Ruby on Rails and certain Python frameworks. In other cases, a web server might only be used for specific capabilities, such as SSO, because using a separate server or virtual machine would be wasteful.

Frequently, an enterprise security team forces an application into a three-tier architecture, often artificially creating a public-facing tier in a DMZ with a reverse proxy for web applications. This implementation can become a source of contention between the security team, who is trying to ensure the best possible protection of the data, and the development team, who is trying to deliver an application as inexpensively and efficiently as possible. Many two-tiered applications do not easily lend themselves to being forced to a three-tiered implementation. Inflating an application to three tiers, and using the web tier as a proxy for all traffic through to an application tier, does not offer significantly better security. However, applying extra controls in the web proxy tier can help improve security further; for example, installing the ModSecurity application on top of Apache for additional web traffic inspection.

In a physical data center where multiple applications are present across network tiers, and databases might be contained in an internal or private zone, the extra protection provided by a three-tier architecture is justified. In the cloud, however, the ability of NSX to containerize applications and limit potential exposure in the event of a compromised application reduces the need to artificially inflate two-tier applications to three tiers. While certain applications with sensitive data might still require the extra protection of the three-tier model, NSX enables many applications to be run in two tiers as originally designed, without many of the risks associated with bridging network zones. Often the operational issues introduced by the increased complexity of the three-tier model far outweigh the enhanced security posture.

The following figure shows an example of a two-tiered security architecture applied to a virtual application.


Figure 18 Two-tiered application secured with micro-segmentation

Cross-vCenter NSX

Enterprise Hybrid Cloud permits the use of cross-vCenter NSX and universal objects in all Site Recovery Manager-based disaster recovery protection services.

This feature allows multiple NSX managers to be joined in a primary/secondary relationship, as described in the Enterprise Hybrid Cloud 4.1.4 Concepts and Architecture Guide.

These cross-vCenter network and security components are referred to as "universal" and can only be managed on the primary manager. Non-universal network and security objects are referred to as standard or local objects and must be managed from their associated NSX manager. Replication of universal objects takes place from the primary NSX manager to the secondary managers so that each manager has the configuration details for all universal objects. This allows a secondary NSX manager to be promoted if the primary NSX manager fails.

The universal distributed logical router (UDLR) and the universal logical switch (ULS) are used to span networks and east-west routing across vCenters. There is a single primary NSX manager and a single universal controller cluster in a federated NSX environment, so the placement and protection of these components must be considered carefully. The primary NSX manager will be connected to one of the cloud vCenters in Enterprise Hybrid Cloud. The universal controller cluster can only be deployed to clusters that are part of that cloud vCenter. When considering the placement of the primary NSX manager and the universal controller cluster, if Enterprise Hybrid Cloud uses VPLEX to support continuous availability single site protection, ensure that the primary NSX manager and the universal controller cluster are VPLEX protected.

When cross-vCenter NSX is used within an Enterprise Hybrid Cloud environment, vRealize Automation has some limitations when deploying and managing workloads in Enterprise Hybrid Cloud. These limitations are noted in the following section.

Universal network objects

The UDLR and the ULS span networks and east-west routing across vCenters. UDLRs offer centralized administration and a routing configuration that can be customized at the universal logical router, cluster, or host level. ULSs allow Layer 2 networks to span multiple sites.

When you create a universal logical router, choose whether to enable local egress, as this cannot be changed after creation. Local egress allows you to control what routes are provided to ESXi hosts based on an identifier, the locale ID.

Note

When you create a logical switch in a universal transport zone, you create a universal logical switch. This switch is available on all clusters in the universal transport zone. The universal transport zone can include clusters in any vCenter in the cross-vCenter NSX environment.

Universal controller cluster

Each cross-vCenter NSX environment has one universal controller cluster associated with the primary NSX Manager. Secondary NSX Managers do not have a controller cluster.

Universal firewall rules

The distributed firewall in a cross-vCenter NSX environment allows centralized management of rules that apply to all vCenter Servers in your environment.

From the primary NSX Manager, you can create a distributed firewall rule section that is marked for universal synchronization. You can create one universal Layer 2 rule section and one universal Layer 3 rule section. These sections and their rules are synchronized to all secondary NSX Managers. Rules in other sections remain local to the NSX Manager.

Universal security objects

Universal network and security objects can be created only from the primary NSX Manager.

Universal security groups can contain only universal IP sets, universal MAC sets, and universal security groups. Membership is defined by included objects only. You cannot use dynamic membership or excluded objects.

Universal security groups cannot be created from Service Composer. Security groups created from Service Composer are local to that NSX Manager.

Note

Because of these limitations and the version of vRealize Automation used in this version of Enterprise Hybrid Cloud, use of universal security objects is not supported.


Micro-segmentation use cases

Micro-segmentation is a security technology that breaks the data center into logical elements and manages them with high-level security policies. This section describes sample use cases for enabling micro-segmentation.

The three-tier application use cases show both traditional and converged N-tier architectures, with micro-segmentation implemented to enhance the security posture. NSX and vRealize Automation enable flexible creation and deployment of workload resources, while providing richer functionality and improved performance over traditional solutions.

Use case 1: On-demand with security tags

In a cloud environment, application workloads are provisioned, moved, and repurposed on demand.

With NSX Service Composer (available only in NSX for vSphere), security can be easily organized by dissociating the assets you want to protect from the policies that define how you want to protect them. NSX security groups define which assets to protect; NSX security policies define how the assets are protected. You map a security policy to a security group to apply the security policy criteria to members of the security group.

The following figure shows the relationship between a security group and a security policy.

Figure 19 Security group-security policy relationship

This use case shows how to use NSX security tags to configure dynamic membership for a security group and define IF/THEN workflows across security services. By defining a security tag and mapping it to a security group, any virtual machines with that tag are immediately and automatically added to the security group.

For example, IF a user selects a Finance application, THEN the application virtual machines are automatically added to the Finance security group, in real time. The workflow for implementing this example is as follows:

1. The security administrator predefines a security group (Finance) and a security policy (Finance Policy) with dynamic membership based on a security tag (Finance), as shown in the following figure.


Figure 20 Security Admin persona defines the Finance Policy

2. The cloud administrator creates a multimachine blueprint and sets the Finance tag for one of the component blueprints (Finance App), as shown in the following figure. The cloud administrator needs no knowledge of security groups or security policies.

Figure 21 Cloud Admin persona configures the Finance tag on the blueprint

3. In the service catalog, an end user requests the Finance App application, as shown in the following figure. The application is attached to the multimachine template.

Figure 22 Cloud consumer requests the protected Finance App

4. The application virtual machines are deployed. The virtual machine based on the Finance App blueprint is dynamically assigned to the Finance security group, as shown in the following figure. As a member of the Finance security group, the virtual machine automatically inherits the security policies that are mapped to that security group.


Figure 23 Security tag relationship with security groups

Use case 2: N-tier virtual applications

A three-tier application can be used to show the network and security provisioning capabilities of NSX when integrated with vRealize Automation.

The web tier, serving web pages to users, is external-facing and load-balanced. Each web server communicates with the application server, and the application server in turn writes to and retrieves data from the database server.

The virtual machines are assigned to their respective security groups by the vRealize Automation blueprint. The security groups are associated with security policies (firewall rules) that are enforced by the NSX DFWs. The deployed virtual machines in each tier inherit their specific security policy based on their security group membership. This ensures that applications are protected from the moment of deployment.

The following figure shows an example of a three-tiered application implemented with micro-segmentation.

Figure 24 Three-tiered application implemented with micro-segmentation


NSX security groups and security policies

In this example, we used Service Composer to create three security groups, one for each application tier: Web Servers, Application Servers, and Database Servers.

We created the following security policies (firewall rules) for the security groups:

• The web-tier policy allows external connectivity on ports 80 and 443 to virtual machines in the Web Servers security group.

• The application-tier policy allows connectivity from the virtual machines in the Web Servers security group to the virtual machines in the Application Servers security group.

• The database-tier policy allows connectivity from the virtual machines in the Application Servers security group to the database virtual machines in the Database Servers security group.

We applied the security policies to their respective security groups. For example, we applied the Web Server Security Policy to the Web Servers security group, as shown in the following figure.

Figure 25 Web Server Security Policy applied to Web Servers security group

The completed security policies allow:

• The virtual machines in the web-tier security group to be accessed over the HTTP and HTTPS protocols

• The web-tier virtual machines to communicate with the application-tier virtual machines

• The application-tier virtual machines to store and retrieve data from the database tier

The NSX firewall is a stateful firewall, so when a connection is allowed and a communication session established, the response communication path is also allowed. All other inbound or outbound traffic is denied by the block rules at the end of the rule set. Like a traditional firewall, rules are applied sequentially from top to bottom.

Pre-provisioned multimachine blueprint

For the use case, we created three single-machine blueprints, one for each component of the three-tier application (web, application, and database), and combined them in a pre-provisioned multimachine blueprint, as shown in the following figure.


Figure 26 Pre-provisioned multimachine blueprint

We edited each component blueprint and mapped the network adapter to the corresponding security groups, as shown in the following figure.

In this example, there is only one network adapter.

Figure 27 Blueprint network and security group configuration

We then published the blueprint and added it to the service catalog. From there, users can select the blueprint to provision new application virtual machines. Based on the blueprint, vRealize Automation clones the virtual machines and attaches them to their respective logical switch network segments. It also adds the provisioned virtual machines to the security groups.

For this use case, we did not assign any members to the groups and we did not configure any dynamic criteria for assigning members to the group. vRealize Automation automatically assigns the virtual machines, when provisioned, to the security groups specified in the blueprint.

Use case 3: Converged N-tier virtual applications

Micro-segmentation enables significantly greater control and security in your network. Often, micro-segmentation removes the need for a network segment per tier; therefore you can implement a converged architecture, as shown in the following figure.


Figure 28 Converged three-tiered application secured with micro-segmentation

You can use the process described in use case 2 to define the security groups and policies for the converged infrastructure. In fact, you can use the same groups and policies. The only difference in the multimachine blueprint configuration is that you assign the same network profile to the component machine network adapters. As a result, the three tiers are provisioned to the same network segment.

Use case 4: App Isolation for component machines

vRealize Automation App Isolation uses the logical firewall to prevent all inbound and outbound traffic to component workloads in a multimachine blueprint. When App Isolation is enabled for a multimachine blueprint, the component machines in the blueprint can communicate with each other but cannot connect outside the firewall, as shown in the following figure.

Figure 29 Perimeter security enabled by App Isolation

When a multimachine service is provisioned with App Isolation, vRealize Automation creates a security group corresponding to the multimachine service and assigns the component machines as members of that security group. The NSX security policy called vRealize Automation App Isolation Policy is created and applied to the security group. The firewall rules are defined in the security policy to allow only internal traffic.

The vRealize Automation App Isolation Policy has a lower precedence than other security policies in NSX. For example, if a multimachine service contains a web component machine and an App component machine, and the web component machine hosts a web service, then the service must allow inbound traffic on ports 80 and 443. In this case, create a web-tier security policy in NSX with firewall rules defined to allow incoming traffic to these ports, and apply the security policy on the web component of the multimachine blueprint. If the web component machine needs access to the App component machine using a load balancer on ports 8080 and 8443, the security policy must also include firewall rules to allow outbound traffic to these ports.

Application Isolation provides an optional first level of security. When enabled, all inbound and outbound application access is blocked, while traffic between the application's component machines is permitted. Component-level security policies are applied at a higher precedence to permit selected traffic.
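The Python model below is an added illustration covering both the three-tier rule set of use case 2 and the App Isolation precedence described here; it is not code from this guide or from VMware and does not use the NSX API. It walks rule sections top to bottom, applies the first matching rule, falls through to the default block rule, admits reply traffic of an allowed session (the stateful behaviour described under use case 2), and places the App Isolation section at lower precedence than the component-level policies. Security group names, VM names, the App Isolation group name, and the database port 3306 are assumptions; the web and load-balancer ports are the ones the text gives.

```python
"""Model of NSX distributed firewall rule evaluation with App Isolation.

Constructed illustration, not NSX code or its API. Sections are evaluated in
order, first match wins, an implicit block rule ends the rule set, reply
traffic of an allowed session is admitted, and the App Isolation section sits
at lower precedence than component-level policies. Names and the database
port 3306 are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class Flow:
    src: str          # VM name, or "external" for traffic from outside the cloud
    dst: str
    dport: int        # destination port
    sport: int = 0    # source port; set on reply packets, 0 = ephemeral


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                      # security group name or ANY
    dst: str
    ports: Optional[frozenset]    # allowed destination ports, None = any port
    action: str                   # "allow" or "block"


class DistributedFirewall:
    def __init__(self, groups):
        self.groups = groups        # security group name -> set of VM names
        self.sections = []          # [(section name, [Rule])] in precedence order
        self.sessions = set()       # (client, server, dport) of allowed sessions

    def add_section(self, name, rules):
        self.sections.append((name, list(rules)))

    def _in_group(self, vm, group):
        return group == ANY or vm in self.groups.get(group, set())

    def evaluate(self, flow):
        """Return (action, matched rule) for a flow, updating session state."""
        # Stateful: a reply to an established session needs no explicit rule.
        if (flow.dst, flow.src, flow.sport) in self.sessions:
            return "allow", "established session"
        for section, rules in self.sections:
            for rule in rules:
                if (self._in_group(flow.src, rule.src)
                        and self._in_group(flow.dst, rule.dst)
                        and (rule.ports is None or flow.dport in rule.ports)):
                    if rule.action == "allow":
                        self.sessions.add((flow.src, flow.dst, flow.dport))
                    return rule.action, f"{section}/{rule.name}"
        return "block", "default block rule"   # the block rules at the end


def build_firewall(app_isolation=True, isolation_first=False):
    """Three-tier policies plus the App Isolation section (constructed data)."""
    groups = {
        "web-servers": {"web-01", "web-02"},
        "app-servers": {"app-01"},
        "db-servers": {"db-01"},
        # group vRealize Automation would create for the multimachine service
        "finance-app": {"web-01", "web-02", "app-01", "db-01"},
    }
    fw = DistributedFirewall(groups)
    component_sections = [
        ("web-tier", [Rule("https-in", ANY, "web-servers", frozenset({80, 443}), "allow")]),
        ("app-tier", [Rule("web-to-app", "web-servers", "app-servers",
                           frozenset({8080, 8443}), "allow")]),
        ("db-tier", [Rule("app-to-db", "app-servers", "db-servers",
                          frozenset({3306}), "allow")]),   # port is an assumption
    ]
    isolation = ("app-isolation", [
        Rule("intra-app", "finance-app", "finance-app", None, "allow"),
        Rule("block-outbound", "finance-app", ANY, None, "block"),
        Rule("block-inbound", ANY, "finance-app", None, "block"),
    ])
    order = list(component_sections)
    if app_isolation:
        # Normal placement: lower precedence, i.e. after the component policies.
        order = [isolation] + order if isolation_first else order + [isolation]
    for name, rules in order:
        fw.add_section(name, rules)
    return fw
```

Evaluating `Flow("external", "web-01", 443)` against `build_firewall()` is allowed by the web-tier section, while the same flow against `build_firewall(isolation_first=True)` is blocked by the isolation section, which is why the text places the App Isolation policy at lower precedence.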


CHAPTER 6

Configuration Management

Configuration management is a vital element of implementing secure systems consistently and in accordance with your security policies. It comprises a collection of steps focused on establishing a configuration baseline to maintain the integrity of Enterprise Hybrid Cloud and the resources it supports. This chapter presents the following topics:

• Configuration management overview (page 60)

• VMware vCenter Server host profiles (page 60)

• VMware vSphere Update Manager (page 63)

• VMware vRealize Configuration Manager (page 68)

• Use case 1: Configuring a custom compliance standard (page 71)

• Use case 2: Applying exceptions to compliance templates (page 73)


Configuration management overview

Learn about the native configuration management and compliance capabilities of Enterprise Hybrid Cloud. Configuration consistency can be achieved through the implementation of vCenter host profiles, patch management using vSphere Update Manager, and configuration compliance using vRealize Configuration Manager.

Enterprise Hybrid Cloud Security Management applies the recommendations in the vSphere 6.5 Security Configuration Guide as well as security configuration recommendations from Dell EMC and other vendors. Integrating security guidance from multiple sources requires coordination. Dell EMC engineering has developed processes to manage this integration and provide a secure, seamless experience for Enterprise Hybrid Cloud customers. The tools that underpin these processes ensure that the relevant security configurations are in effect to assure adherence with electronic governance, risk, and compliance (eGRC) requirements and with your organization's internal IT and security standards.

Many organizations' IT and security groups face a significant challenge in gaining visibility into configuration management and compliance in their environments. To address this challenge, Enterprise Hybrid Cloud uses a number of native capabilities, including:

• vCenter host profiles ensure that a baseline is applied consistently across all ESXi hosts, and enable many vSphere hardening guidelines to be centrally applied. They also provide a means to perform ad-hoc scans for host compliance with a profile and display alerts within the vSphere Web Client.

• vSphere Update Manager enables patch management across virtual appliances and ESXi hosts and provides a means to install and update third-party software on ESXi hosts. With Update Manager, you can establish a baseline and ensure audit compliance.

• vRealize Configuration Manager extends the capabilities of vCenter host profiles and vSphere Update Manager to provide inventory and asset management, scheduled configuration and compliance scans, reports, and integration with vRealize Operations Manager. In addition, vRealize Configuration Manager enables configuration management of Windows and Linux guest OS patches, and can audit the entire virtualized environment against many industry or regulatory frameworks and standards.

VMware vCenter Server host profiles

vCenter Server host profiles ensure that a consistent configuration is applied across all ESXi hosts when Enterprise Hybrid Cloud is initially deployed and as it is scaled out to meet future capacity requirements.

Specifically, host profiles:

• Ensure consistency for compliance

• Reduce the deployment time for new hosts

• Apply the same configuration changes to multiple hosts

To apply the same configuration settings to a group of ESXi hosts, you can create or import a host profile. The host profile is associated with a single reference host. A new or updated profile is established through the reference host, and propagated to the other hosts in the environment through the host compliance tool.

When events occur that require storage, network, or security configuration changes on multiple hosts in a cluster (firmware upgrades, for example), you can edit the host profile and apply it across the cluster for consistent configuration updates. In addition, you can exclude from the host profile any host configuration values that must be unique across your environment.

The following figure shows some of the parameters that can be configured in a host profile.

Figure 30 Host profile configuration parameters

When the host profile has been created and configured, you can attach it to one or more vSphere hosts or clusters. The configuration of each host is then compared against the host profile and any deviations are reported. For example, the following figure shows a non-compliant status for one of the hosts in one of the clusters in the test environment.


Figure 31 Host compliance status with the host profile

The additional host profiles shown in the following figure correspond to other clusters in the test environment that have different vDS configurations and show that you can have multiple host profiles according to your configuration requirements.


Figure 32 Compliance view of the clusters attached to the Resources Pods host profile

Note

You can associate ESXi hosts and clusters with a single host profile only.

You can configure new hosts that are added to vCenter Server by applying the host profile. This configuration management feature enables you to create a profile once, and then use it for rapid configuration of multiple vSphere hosts. This feature also eliminates the need to set up specialized scripts or to manually configure hosts.

You can create scheduled tasks that routinely check host compliance against a host profile, email the results, and log a vCenter Server event. You can view the compliance status in the vSphere Web Client by selecting the host profile and selecting Monitor, as shown in the previous figure. When compliance checks return a non-compliant status, a vCenter error event is generated and can be tracked in vRealize Operations Manager.
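As an added illustration of the host profile workflow described in this section (not code from this guide or from VMware, and not the vSphere API), the following Python model extracts a profile from a reference host, excludes the values that must stay unique per host, compares each attached host against the profile, and reports the deviations that the compliance view would flag. The host names and settings are constructed sample data, loosely modelled on common ESXi hardening settings.

```python
"""Model of vCenter host profile compliance checking.

Constructed illustration, not vSphere code or its API. A profile is taken
from a reference host; host-unique settings (hostname and management IP
here) are excluded; every attached host is compared with the profile and its
deviations are listed. Host names and settings are constructed sample data.
"""


def extract_profile(reference_host, exclude=()):
    """Build a host profile from a reference host, dropping host-unique keys."""
    return {k: v for k, v in reference_host.items() if k not in exclude}


def check_compliance(profile, host):
    """Return [(setting, expected, actual), ...]; an empty list means compliant."""
    deviations = []
    for setting, expected in profile.items():
        actual = host.get(setting, "<missing>")
        if actual != expected:
            deviations.append((setting, expected, actual))
    return deviations


def compliance_report(profile, hosts):
    """Map each host name to its status, as the Monitor view does per host."""
    return {name: ("Compliant" if not check_compliance(profile, cfg) else "Non-compliant")
            for name, cfg in hosts.items()}


def remediate(profile, host):
    """Return the host configuration with the profile applied.

    Host-unique values are untouched because they are not part of the profile.
    """
    fixed = dict(host)
    fixed.update(profile)
    return fixed


# Constructed sample cluster: esx01 is the reference host, esx03 has drifted.
HOST_UNIQUE = ("hostname", "mgmt_ip")
HOSTS = {
    "esx01": {"hostname": "esx01", "mgmt_ip": "10.0.0.11", "ssh_enabled": False,
              "ntp_servers": ("ntp1.example.test", "ntp2.example.test"),
              "account_lock_failures": 5, "vswitch_promiscuous": "reject"},
    "esx02": {"hostname": "esx02", "mgmt_ip": "10.0.0.12", "ssh_enabled": False,
              "ntp_servers": ("ntp1.example.test", "ntp2.example.test"),
              "account_lock_failures": 5, "vswitch_promiscuous": "reject"},
    "esx03": {"hostname": "esx03", "mgmt_ip": "10.0.0.13", "ssh_enabled": True,
              "ntp_servers": ("ntp1.example.test",),
              "account_lock_failures": 5, "vswitch_promiscuous": "reject"},
}
PROFILE = extract_profile(HOSTS["esx01"], exclude=HOST_UNIQUE)
```

`compliance_report(PROFILE, HOSTS)` marks esx03 as non-compliant because SSH is enabled and one NTP server is missing; `remediate()` applies the profile without touching the hostname or management IP, which is the point of excluding host-unique values from the profile.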

VMware vSphere Update Manager

Certain security compliance standards require that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed.

The Payment Card Industry Data Security Standard (PCI DSS) is one such standard. Patch management is a core requirement of these standards. Organizations that are unable to patch systems effectively and efficiently are susceptible to compromises that are easily preventable. Consider patch management carefully in the context of security, because it is important in establishing and maintaining a solid security baseline.

Enterprise Hybrid Cloud uses VMware vSphere Update Manager to address patch management and keep vSphere hosts and virtual appliances up to date. Update Manager automates patch management and eliminates manual tracking and patching of vSphere hosts and virtual appliances.


vSphere Update Manager includes these core features:

• A compliance dashboard to provide visibility into the patch and upgrade status of hosts and virtual appliances, for compliance to static or dynamic baselines

• Stage and schedule patching for remote sites and scheduled maintenance windows

• Deployment of patches that are downloaded directly from a vendor website, including drivers, Common Information Models (CIMs), and other updates from hardware vendors for vSphere hosts

Patching can lead to compatibility errors that require remediation. Update Manager can eliminate the most common patching problems before they occur, ensuring that the time you save in batch processing automation is not wasted later in performing rollbacks.

The benefits of vSphere Update Manager include:

• Storing snapshots for a user-defined period so that administrators can roll back the virtual machine if required

• Securely patching offline virtual machines without exposing them to the network, reducing the risk of non-compliant virtual machines

• Ensuring the current version of a patch is applied with automatic notification services

Baselines

vSphere Update Manager compares the state of vSphere hosts with baselines, and can then stage and apply patches to enforce compliance. Dynamic baselines update dynamically as vendors release additional patches. Fixed baselines are statically defined and are used for upgrades. Extension baselines are statically defined.

The following figure shows examples of configured baselines.


Figure 33 Examples of baselines configured in vSphere Update Manager

A good example of a dynamic baseline is the Critical Host Patches baseline that is included with vSphere Update Manager. We configured the inclusion criteria for this baseline to include any patch of severity Critical, from any vendor and for any product, as shown in the following figure.


Figure 34 Example of patch inclusion criteria for an Update Manager baseline

The inclusion criteria are granular; you can include or exclude individual patches, giving you the flexibility to define a custom baseline specific to your environment. In addition, you can include non-VMware extensions such as Dell EMC PowerPath™/VE extensions in a custom baseline, as shown in the following figure.

Figure 35 PowerPath/VE extension added to a custom Update Manager baseline

Custom baselines enable you to deploy non-VMware extensions to all your ESXi hosts and ensure that consistent revision control is maintained throughout your environment.

Baseline groups

Baselines can be grouped and included in a baseline group, as shown in the following figure.


Figure 36 Components of the EHC Hosts baseline group

Baseline groups are useful for applying multiple baselines to virtual appliances, hosts, clusters, or data center objects, and are especially useful when you audit compliance, because the compliance status can be viewed across the group of baselines instead of individually for each baseline.

Audit compliance

The vSphere Update Manager Host Compliance view in the vSphere Web Client provides a quick overview of your compliance status. For example, if 50 percent of the hosts in the selected group are out of compliance, the affected baseline group and individual baselines are flagged as non-compliant, and the type of update is also flagged on the affected host.

To rectify this situation, click Remediate to start the Remediation wizard. From there, the baseline can be applied to the affected assets.

You can schedule the remediation for a later time and date. This is useful when you are restricted to a maintenance window and want to combine a scheduled remediation with the staging feature to ensure you meet your maintenance window requirements.

The Remediation wizard also enables you to select host remediation options, including the virtual machine power state and the disabling of any removable media mounted to virtual machines on the hosts to be remediated.


The Enable parallel remediation option significantly reduces the remediation time by running remediation tasks in parallel on clusters with two or more hosts and according to the resources in demand on the cluster at remediation time. When remediating a vSphere cluster with DRS enabled, all workloads remain available throughout the remediation process.

VMware vRealize Configuration Manager

The security status of each cloud system changes dynamically. These changes might be caused by a cloud administrator operation introducing risk into the environment, cloud components that are susceptible to a vulnerability, or an external environment change such as a new attack method. It is important to continuously monitor the security status of Enterprise Hybrid Cloud, mitigate or remediate the potential risks, and keep the system compliant to a security baseline.

In Enterprise Hybrid Cloud, we integrated VMware vRealize Configuration Manager to build a configuration compliance audit and management system.

Configuration compliance

vRealize Configuration Manager provides a unified dashboard for managing configuration compliance. It integrates with vSphere for configuration data collection, providing the means to audit the vSphere infrastructure and its dependent components, flag exceptions to policy, and perform remediation.

Preset rules and templates are available that enable you to begin monitoring system compliance to various standards, as shown in the following figure:

• Regulatory standards—for example, Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley Act (GLBA), Federal Information Security Management Act (FISMA)

• Industry standards—for example, PCI DSS

• Microsoft standards

Figure 37 vRealize Configuration Manager compliance dashboards showing vSphere hardening compliance

Examples of elements that can be tracked for compliance are:

• Hypervisor configuration through vCenter Server host profiles

• Hypervisor and virtual appliance patch management through vSphere Update Manager baselines

• Linux and Windows guest OS configuration

• Regulatory and industry standards through default compliance toolkits

Configuration compliance can be maintained against internal standards, security best practices, vendor hardening guidelines, and regulatory mandates such as:

• Security best practices developed by the Defense Information Systems Agency (DISA STIGs), the National Institute of Standards and Technology (NIST), the Center for Internet Security (CIS), and many more

• Hardening guidelines from VMware and Microsoft

• Regulatory mandates such as SOX, the PCI standard, HIPAA, and FISMA

You can also use vRealize Configuration Manager to assess compliance with your own internal IT standard to drive best practices in your environment.

Risk badge and compliance scores

The integration between vRealize Operations Manager and vRealize Configuration Manager includes using compliance template results from Configuration Manager to contribute to the Risk badge score in vRealize Operations Manager, as shown in the following figure.

Figure 38 vRealize Operations Manager dashboard displaying Risk badge score

The compliance templates are included in badge mappings that are run in Configuration Manager against objects in vCenter Server instances that are managed by both Configuration Manager and vRealize Operations Manager. These objects include virtual machines, host systems, clusters, vCenter Server instances, and datastores. The compliance mapping results determine the compliance score. Expanding the Why is Risk option shown in this figure displays the compliance status summary shown in the following figure.

Figure 39 vRealize Operations Manager dashboard showing compliance status summary

vRealize Operations Manager pulls the compliance scores into the formulas used to calculate the Risk badge scores. When you review the standards compliance in vRealize Operations Manager, you can browse back to Configuration Manager to view the detailed results and identify any configuration changes made to bring a non-compliant object back into compliance.

Operational compliance

Operational compliance views enable you to proactively enforce configuration standards, detect configuration drift early, and automatically remediate against IT policy violations. You can also harden the infrastructure for security and regulatory requirements. Preparing for and responding to an audit is no longer an intimidating and time-consuming process because, with automated reporting, you can pinpoint critical areas with ease. Compliance views are tightly integrated with the operations dashboard for comprehensive visibility into the health, risk, and efficiency of the infrastructure and applications, as shown in the following figure.


Figure 40 Risk dashboard showing compliance status in the environment

Use case 1: Configuring a custom compliance standard

This use case shows how to configure a custom compliance standard.

Configuring a custom compliance standard includes creating compliance rules, rule groups, and templates. Compliance templates consist of one or more rule groups, each of which contains one or more rules and filters. When you run compliance, you are running templates.

Compliance rules compare your virtual or physical machines (running Linux, UNIX, Mac OS X, or Windows) against configuration standards that you import or create, to determine if the machines meet the standards. The results of the compliance run identify which machines comply with or are in violation of the standards. In some cases, you can enforce certain settings on the machines that are not in compliance, initiating the changes from vRealize Configuration Manager.

For this use case, we created a rule group that checks whether VMware Tools is running in guest virtual machines that are included in the inventory of the two hybrid cloud vCenter Server instances. We then created a compliance template and added the rule group to it. Follow these steps:

1. In the vRealize Configuration Manager console, create a rule group.

2. Add a compliance rule to the rule group with the following attributes, as shown in the following figure.

   • Rule type: Conditional

   • IF criterion: Tools Version Status <> 'guestToolsNotInstalled'
     This excludes virtual machines that do not have VMware Tools installed.

   • THEN criterion: Tools Running Status = 'guestToolsRunning'
     This checks whether VMware Tools is running.

   • Severity: Moderate

Figure 41 Rule criteria for detecting the running state of VMware Tools

3. Add a filter to the rule group to exclude guests that are not in the inventory of one or other of the two hybrid cloud vCenter Server instances. This filter has the following attributes, as shown in the following figure.

   • Data type: Basic

   • Conditions:
     vCenter = 'EPCIP-VC01'
     vCenter = 'EPCMP-VC01'

Figure 42 Filter criteria for detecting the running state of hybrid cloud vCenter Server instances

4. Create a compliance template and add the rule group to it.

5. Run the template to view the compliance data results and verify the configuration. The following figure shows a results summary view.


Figure 43 Summary of the custom compliance template results

Use case 2: Applying exceptions to compliance templates

This use case shows how to create compliance exceptions where a business need exists.

To override specific template results, you can use exceptions rather than explicitly resolving non-compliant results. The exceptions are applied against the compliance template results and indicate that a specific result is compliant or non-compliant although it does not match the rule requirements. Examples of where exceptions may be necessary include:

• Avamar image-level backup and restore. Avamar uses the http feature in vCenter Server to back up or restore virtual machines; this feature is called http datastore.

• Cloud Foundry requires that the Managed Object Browser (MOB) is enabled on the vCenter Server system or deployments of Cloud Foundry fail.

Disabling the http Datastore Browser and MOB features in accordance with vSphere hardening guidelines would break critical functionality. Exceptions are used so that results are not skewed. The template to which you want to apply an exception must exist. For more information, see the VMware Security Hardening Guides for vSphere 6.x.
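The rule semantics of use case 1 (a Conditional rule whose IF criterion excludes guests without VMware Tools, a Basic filter on the two vCenter Server names) and the exception handling of use case 2, worked as an added Python model; this is not vRealize Configuration Manager code. The inventory records, the exception justification and the use of the criterion names as dictionary keys are constructed for the example.

```python
"""Added example (not vRealize Configuration Manager code): the rule semantics
of use case 1 and the exceptions of use case 2 over a constructed inventory."""
import operator
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
# Comparison operators as written in the rule criteria ("=" and "<>")
OPS: Dict[str, Callable[[str, str], bool]] = {"=": operator.eq, "<>": operator.ne}

@dataclass
class ConditionalRule:
    """IF <criterion> THEN <criterion>: machines failing IF are not assessed."""
    name: str
    if_attr: str
    if_op: str
    if_value: str
    then_attr: str
    then_op: str
    then_value: str
    severity: str = "Moderate"

    def evaluate(self, machine: dict) -> str:
        # IF false (for example, Tools not installed): the rule does not apply
        if not OPS[self.if_op](machine.get(self.if_attr, ""), self.if_value):
            return "not-applicable"
        passed = OPS[self.then_op](machine.get(self.then_attr, ""), self.then_value)
        return "compliant" if passed else "non-compliant"

@dataclass
class RuleGroup:
    """One or more rules plus a Basic filter (attribute/value pairs, ORed)."""
    name: str
    rules: List[ConditionalRule]
    filters: List[Tuple[str, str]] = field(default_factory=list)

    def in_scope(self, machine: dict) -> bool:
        return not self.filters or any(machine.get(a) == v for a, v in self.filters)

@dataclass
class Result:
    machine: str
    rule: str
    status: str
    severity: str
    exception: Optional[str] = None  # justification when an exception applies

def run_template(rule_groups: List[RuleGroup], inventory: List[dict]) -> List[Result]:
    """Running a template means running each of its rule groups over the inventory."""
    results: List[Result] = []
    for group in rule_groups:
        for machine in inventory:
            if not group.in_scope(machine):
                continue  # excluded by the group's filter
            for rule in group.rules:
                status = rule.evaluate(machine)
                if status != "not-applicable":
                    results.append(Result(machine["name"], rule.name, status, rule.severity))
    return results

def apply_exceptions(results: List[Result],
                     exceptions: Dict[Tuple[str, str], Tuple[str, str]]) -> List[Result]:
    """Override specific (machine, rule) results and record the justification;
    the rule itself is unchanged, so the template totals are not skewed."""
    for r in results:
        override = exceptions.get((r.machine, r.rule))
        if override:
            r.status, r.exception = override
    return results

def summarize(results: List[Result]) -> Dict[str, int]:
    summary = {"compliant": 0, "non-compliant": 0, "excepted": 0}
    for r in results:
        summary[r.status] += 1
        summary["excepted"] += bool(r.exception)
    return summary

def vm(name: str, vcenter: str, version_status: str, running_status: str) -> dict:
    """Constructed inventory record; attribute names mirror the rule criteria."""
    return {"name": name, "vCenter": vcenter, "Tools Version Status": version_status,
            "Tools Running Status": running_status}

INVENTORY = [
    vm("web01", "EPCIP-VC01", "guestToolsCurrent", "guestToolsRunning"),
    vm("db01", "EPCMP-VC01", "guestToolsNeedUpgrade", "guestToolsNotRunning"),
    vm("bare01", "EPCIP-VC01", "guestToolsNotInstalled", "guestToolsNotRunning"),  # IF excludes
    vm("lab01", "LAB-VC99", "guestToolsCurrent", "guestToolsNotRunning"),  # filter excludes
    vm("legacy01", "EPCMP-VC01", "guestToolsCurrent", "guestToolsNotRunning"),  # excepted below
]
TOOLS_RUNNING = ConditionalRule("VMware Tools running",
                                "Tools Version Status", "<>", "guestToolsNotInstalled",
                                "Tools Running Status", "=", "guestToolsRunning", "Moderate")
TEMPLATE = [RuleGroup("EHC guest checks", [TOOLS_RUNNING],
                      filters=[("vCenter", "EPCIP-VC01"), ("vCenter", "EPCMP-VC01")])]
# Use case 2 style exception: a documented business need justifies the deviation
EXCEPTIONS = {("legacy01", "VMware Tools running"):
              ("compliant", "Vendor appliance, Tools unsupported; change record EXAMPLE-1")}

def run_with_exceptions() -> List[Result]:
    return apply_exceptions(run_template(TEMPLATE, INVENTORY), EXCEPTIONS)
```

Running the template alone reports two non-compliant guests (db01 and legacy01); with the exception applied, only db01 remains non-compliant and legacy01 carries its recorded justification.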


CHAPTER 7

Multitenancy

Learn how to segment the network infrastructure, storage, and authentication on a tenant-by-tenant basis and how the solution implements RBAC to separate functions and enforce the principle of least privilege. This chapter presents the following topics:

• Multitenancy overview ........ 76

• Secure separation ........ 76

• Role-based access control ........ 78


Multitenancy overview

This chapter introduces the mechanisms that Enterprise Hybrid Cloud uses to address multitenancy security.

Valid concerns exist around information leakage and unauthorized access on a shared infrastructure. Consumers of the provisioned resources need to operate in a dedicated environment while still benefitting from infrastructure standardization. To address concerns around shared infrastructure, Enterprise Hybrid Cloud was designed for enterprise multitenancy, with a "defense in depth" perspective that is proven through:

• Secure separation

• Network segmentation and separation

• Tenant authentication

• Role-based access control

• Solution infrastructure

• Entitlements

Secure separation

Learn about network segmentation, tenant and enterprise Edge routers, and tenant authentication.

Network segmentation

The network infrastructure for the solution is designed to address the requirements of multitenancy and secure separation of the tenant resources.

It is also designed to align with security best practices from vendors such as VMware for segmenting networks according to the purpose or traffic type. For example, configuring an isolated network segment for vMotion traffic between ESXi hosts helps prevent attacks where the unencrypted data transfer can be intercepted by an attacker and reconstructed to gain access to sensitive data.

We configured the trunks on the physical network infrastructure to carry only the VLANs and PVLANs required for operations within the hybrid cloud environment. The following figure shows the logical topology of the physical and virtual networks defined in Enterprise Hybrid Cloud. We used VLANs to provide segmentation of the networks at Layer 2 in the cloud management pod, because that environment is likely to be static and an extension of existing management networks.

Note

The architecture can be supplemented at the physical switch layer with PVLANs and VRF tables to provide segmentation at Layers 2 and 3. This approach is outside the scope of Enterprise Hybrid Cloud.


Figure 44 Enterprise Hybrid Cloud network architecture

Tenant and enterprise Edge routers

Use tenant and enterprise Edge routers to manage security policies from a single interface.

To enable connectivity between the physical network core and the tenant resources, we deployed an enterprise Edge router and a tenant Edge router in HA mode for each tenant.

We implemented an NSX ESR to act as a perimeter gateway for the Enterprise Hybrid Cloud tenants, and applied a perimeter security policy. Where more than one tenant was required, we isolated each tenant by implementing an NSX ESR per tenant. This enabled us to manage security policies for the entire Enterprise Hybrid Cloud environment from a single interface.

Note

An existing Layer 3 core can provide the function of the enterprise Edge router.

Tenant authentication

Tenants can use a common single directory with separation provided by dedicated OUs. However, where secure multitenant authentication is required, a much more robust solution is to use a dedicated directory for each tenant to provide authentication for the tenant application owners and consumers.

VMware vRealize Automation identity stores

Enterprise Hybrid Cloud uses a native Active Directory identity store for the default tenant in vRealize Automation. This identity store uses Kerberos authentication with Active Directory. Each newly created tenant must be associated with at least one Active Directory or OpenLDAP identity store. Configure each tenant identity store using one of the following options:

• In the same directory as other tenants

• In the same directory as other tenants, but using a dedicated OU per tenant

• In a separate and distinct directory

This configuration enables degrees of separation according to the risk profile of the business assets provisioned and managed by the solution and the organization's appetite for risk.

ViPR authentication providers

Enterprise Hybrid Cloud maps tenants to ViPR Projects. Each ViPR Project must be associated with an authentication provider. Authentication providers can be configured to use Active Directory or an LDAP directory. You can configure each authentication provider to use:

• The same directory for all projects

• A separate and distinct directory for each project

Each ViPR Project must be configured with an ACL that maps groups or users to the All (read/write) or Backup (read-only) ViPR Project roles.

Role-based access control

Learn about vRealize Automation groups and roles and how entitlements work.

vRealize Automation groups and roles

The integration of the solution components with Active Directory enables the mapping of each component's local roles to corresponding Active Directory groups for the purposes of administration, operation, and auditing.

While access to the solution infrastructure components is limited to IT and security administrators, end users use vRealize Automation as a self-service catalog and to manage their provisioned resources. User roles and responsibilities are defined and used in the structure of vRealize Automation. The administration of users and compute resources in vRealize Automation is managed through the vRealize Automation portal.

The vRealize Automation roles are:

• Tenant administrator—The tenant administrator is responsible for configuring tenant-specific branding and user management, including:

  ◦ Creating business groups and assigning the business group manager, support, and user roles to Active Directory or OpenLDAP users and groups

  ◦ Managing and configuring catalog services, entitlements, approval policies, and shared blueprints within the context of their tenant

  ◦ Tracking resource usage by all the tenant's users and initiating reclamation requests to decommission unused virtual machines

• Service architect—The service architect is responsible for authoring advanced services such as service blueprints, custom resources, and resource actions. The service architect can also perform catalog management functions.

• Application architect—The application architect is responsible for creating, modifying, and deleting applications in Application Services.


• System administrator—The system administrator ([email protected]) is responsible for:

  ◦ Tenant creation, system defaults, branding, and tenant Simple Mail Transfer Protocol (SMTP) relays

  ◦ Assigning the infrastructure administrator and tenant administrator roles to Active Directory users and groups

• Infrastructure administrator—The infrastructure administrator (IaaS Admin) is a system-wide role that is responsible for:

  ◦ Discovery and management of the compute, network, and storage resources used to provision workloads

  ◦ Defining the vRealize Automation endpoints that are required to discover and interact with the infrastructure resources in the physical, virtual, and public cloud environments

  ◦ Creating and configuring the fabric groups, assigning the fabric administrator role to Active Directory users and groups, and adding discovered compute resources to bring them under vRealize Automation control

• Fabric administrator—Fabric groups can be used to segregate the resources used by different organizational groups. Fabric administrators can manage cloud resources for their respective fabric groups, as defined by the IaaS administrator. Fabric group administrators are responsible for:

  ◦ Configuring resource reservations to be consumed by each business group

  ◦ Defining network, storage, compute, and cost profiles

  ◦ Defining approval groups and policies

• Business groups—Business group users are the consumers of the infrastructure provided to the business group by a fabric group administrator:

  ◦ The Business Group Manager role can perform some of the same functions as the tenant administrator, such as authoring new services, managing provisioned virtual machines, managing approval requests, and working on behalf of other users. However, the scope of their responsibility is limited to their respective business groups.

  ◦ The Support User role can provision and manage resources on behalf of other users, but cannot author new services.

  ◦ The User role is assigned to those users who request and manage resources made available to their business group. Users with the User role are the primary consumers of the vRealize Automation self-service portal, which they use to provision and manage their virtual machines.

  ◦ The deployment of machine blueprints might be subject to approval by the Business Group Manager. The Business Group Manager sets this approval policy per blueprint.

  ◦ Enterprise Hybrid Cloud also uses business groups to provision infrastructure services and corporate application platforms (for example, Microsoft SQL Servers, Exchange Servers, and Oracle Servers), and to provide access to service blueprints that automate repetitive administrator tasks. These resources and functions are typically used by administrators and application owners to meet their functional requirements.


Note

vRealize Automation is configured to use Active Directory (or OpenLDAP) as an identity source. Therefore, vRealize Automation roles are mapped to Active Directory groups that correspond to existing enterprise teams, as described in vRealize Automation Installation and Configuration. Additional user groups can be created in Active Directory and assigned to support the various roles in vRealize Automation.

Entitlements

Entitlements are a vRealize Automation construct, similar to access control lists (ACLs), designed to grant access to machine and service blueprints to specific business group users or groups.

In addition, entitlements are the implementation point for approval policies. vRealize Automation entitlements can be used to restrict certain users to a defined view of the service catalog, permitting them access only to the machine and service blueprints that they require to fulfill their function.


CHAPTER 8

Data Security

Learn how to use CloudLink SecureVM with Enterprise Hybrid Cloud to enhance protection of your most sensitive data. CloudLink SecureVM allows you to control, monitor, and secure your Windows and Linux virtual machines everywhere in your hybrid cloud. This chapter presents the following topics:

• Data security overview ........ 82

• CloudLink SecureVM ........ 82

• Policy-based management ........ 83

• Integration with the service catalog ........ 84


Data security overview

The protection of information assets, whether located in an on-premises or off-premises cloud, is of paramount concern to enterprises and their customers.

Many threats to the confidentiality and integrity of information could result in a reputational, financial, or human impact through the disclosure of commercially sensitive or personally identifiable information (PII) and other critical data. This chapter discusses how you can use CloudLink SecureVM with Enterprise Hybrid Cloud to enhance protection of your most sensitive data.

CloudLink SecureVM

Cloud computing offers undeniable benefits in relation to deployment flexibility and agility, scaling, and cost-effective resource utilization.

The strengths and benefits of cloud computing must be balanced against the loss of control and visibility in cloud deployments. CloudLink SecureVM provides organizations with the security controls necessary to run virtual machines in the cloud with confidence.

SecureVM enables encryption of the entire virtualized server or desktop running in the cloud, independent of the cloud service provider. Protection of the entire virtual machine enables organizations to define security policies to allow or disallow startup of a particular virtual machine, and to verify the integrity of the virtual machine. This provides complete protection against potentially malicious tampering. SecureVM ensures that only trusted and verified virtual machines have the ability to run and to access sensitive data residing in the cloud.

Platform support

SecureVM works in combination with native OS encryption technology such as Microsoft BitLocker, a proven and high-performance volume encryption solution that is widely implemented for physical machines.

SecureVM extends BitLocker functionality because BitLocker native authentication mechanisms are not supported in cloud environments. The SecureVM functionality of proven encryption key policy management enables BitLocker to be used for automated encryption of boot volumes in the cloud, while enabling enterprise administrators to control security policy and encryption keys. SecureVM also supports Linux native encryption, providing organizations with a single encryption management solution for multiple clouds and virtual machine operating systems.

SecureVM operates transparently to end users across virtually any private, public, hybrid, or multicloud environment. Fully integrated with leading hypervisor and cloud platforms, it is easy to deploy with almost limitless scalability. CloudLink provides control, flexible policy- and key-management options, and reporting and monitoring capabilities across different operating systems, virtual machines, and storage infrastructures.

CloudLink can unlock and use the native encryption of Windows and Linux operating systems.


Policy-based management

From CloudLink Center, you can define encryption policies and manage individual virtual machines on which SecureVM Agent is deployed.

For example, you can configure the IP addresses from which virtual machines can start automatically, or require interactive authorization to boot volumes, decrypt volumes, and block individual virtual machines from starting up automatically.

In addition to IP addresses, a number of other virtual machine attributes are verified by CloudLink Center, for example, the checksum of the pre-boot environment, which must match the previous known-good checksum to assure users that the software has not been tampered with while a virtual machine was not running. For information about deploying SecureVM Agent, see the CloudLink SecureVM Deployment Guide.

Defining authorized IP addresses for virtual machines

When a virtual machine starts up, CloudLink Center checks that certain conditions are met before allowing the startup to continue. One of the conditions that CloudLink Center checks is that the virtual machine IP address has been identified as authorized to CloudLink Center. You can view the current list of valid IP addresses in the Approved Networks list.

You can define IP addresses as authorized to CloudLink Center by:

• IP to specify a single IP address

• CIDR to specify a network of IP addresses using Classless Inter-Domain Routing

• IP Range to specify a range of consecutive IP addresses

Changing the global policy for virtual machine startup

When a virtual machine starts up, CloudLink Center checks if the virtual machine IP address has changed since the last startup process. By default, if the IP address has changed, startup is not allowed to continue automatically, and the virtual machine is assigned the Pending status. Manually approve the virtual machine startup, either using CloudLink Center or through the Enterprise Hybrid Cloud self-service interface.

In some circumstances, you might know that the IP addresses of virtual machines might change. For example, in some cloud environments, such as Microsoft Azure, the public IP address of a virtual machine might change when the machine shuts down and restarts. A new IP address is assigned from the same subnet as the previous address. To avoid having to manually confirm startups in these circumstances, you can change the global policy to approve automatically. You can also limit automatic approvals to virtual machines with a new IP address that is on the same subnet as the previous IP address. At any time, you can change the global policy back to the default condition. The global policy applies only to virtual machines with IP addresses identified as authorized.
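The startup conditions described in the two sections above (Approved Networks entries of the IP, CIDR and IP Range types, the pre-boot checksum comparison, and the three global policies for a changed address), worked as an added Python model; this is not CloudLink code. The status names, the Blocked outcome on a checksum mismatch, the Pending outcome for an unauthorized address, treating a first startup as an unchanged address, and the /24 size of the same-subnet test are assumptions made for the example.

```python
"""Added example modelling the CloudLink Center startup checks described in the
text; not CloudLink code. Outcomes for edge cases are assumptions (see comments)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Global policy for virtual machines whose IP address changed since the last startup
MANUAL = "manual"                        # default: assign Pending, wait for approval
AUTO = "auto"                            # approve automatically
AUTO_SAME_SUBNET = "auto-same-subnet"    # approve only if still on the previous subnet

@dataclass
class ApprovedNetwork:
    """One entry of the Approved Networks list: kind is 'IP', 'CIDR' or 'IP Range'."""
    kind: str
    value: str   # "10.10.20.5", "10.10.30.0/24" or "10.10.40.10-10.10.40.20"

    def contains(self, ip: ipaddress.IPv4Address) -> bool:
        if self.kind == "IP":
            return ip == ipaddress.ip_address(self.value)
        if self.kind == "CIDR":
            return ip in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "IP Range":
            low, high = (ipaddress.ip_address(p.strip()) for p in self.value.split("-"))
            return low <= ip <= high
        raise ValueError(f"unknown approved-network kind: {self.kind!r}")

@dataclass
class VmRecord:
    """What CloudLink Center remembers about a VM between startups (constructed)."""
    name: str
    last_ip: Optional[str]        # None before the first recorded startup (assumption)
    known_good_checksum: str      # checksum of the pre-boot environment

def startup_decision(vm: VmRecord, current_ip: str, preboot_checksum: str,
                     approved: List[ApprovedNetwork], policy: str = MANUAL,
                     subnet_prefix: int = 24) -> str:
    """Return 'Approved', 'Pending' (needs manual approval) or 'Blocked'."""
    ip = ipaddress.ip_address(current_ip)
    # 1. The pre-boot environment must match the previous known-good checksum.
    if preboot_checksum != vm.known_good_checksum:
        return "Blocked"          # assumption: a tampered pre-boot image never auto-starts
    # 2. The address must be in the Approved Networks list. The global policy
    #    applies only to authorized addresses, so anything else waits for a human.
    if not any(net.contains(ip) for net in approved):
        return "Pending"
    # 3. Unchanged address (or first startup): start automatically.
    if vm.last_ip is None or ip == ipaddress.ip_address(vm.last_ip):
        return "Approved"
    # 4. Changed address: the global policy decides.
    if policy == AUTO:
        return "Approved"
    if policy == AUTO_SAME_SUBNET:
        previous_subnet = ipaddress.ip_network(f"{vm.last_ip}/{subnet_prefix}", strict=False)
        return "Approved" if ip in previous_subnet else "Pending"
    return "Pending"              # MANUAL, the default policy

# Constructed Approved Networks list using all three entry types
APPROVED = [ApprovedNetwork("IP", "10.10.20.5"),
            ApprovedNetwork("CIDR", "10.10.30.0/24"),
            ApprovedNetwork("IP Range", "10.10.40.10-10.10.40.20")]
KNOWN_GOOD = "sha256:constructed-known-good-preboot"

if __name__ == "__main__":
    db01 = VmRecord("db01", "10.10.30.15", KNOWN_GOOD)
    for ip, policy in [("10.10.30.15", MANUAL), ("10.10.30.99", MANUAL),
                       ("10.10.30.99", AUTO_SAME_SUBNET), ("10.10.40.15", AUTO_SAME_SUBNET)]:
        print(db01.name, ip, policy, "->", startup_decision(db01, ip, KNOWN_GOOD, APPROVED, policy))
```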

Encrypting virtual machine volumes

For Windows and Linux virtual machines, you can encrypt the unencrypted boot partition. You can also encrypt Windows virtual machine data disks or Linux virtual machine mounted devices on an individual basis.

For example, when deploying SecureVM Agent to a Windows virtual machine, you might have applied a volume encryption policy that encrypted only the boot partition.

Data Security

Policy-based management 83

Page 84: Enterprise Hybrid Cloud - Data Storage, Converged, Cloud · PDF fileEnterprise Hybrid Cloud Security Management Version 4.1.2 December 2017 ... Supporting infrastructure services

After deployment, you can encrypt the virtual machine data disks individually. After initiating encryption, you can monitor progress on the virtual machine in the virtual machine console. You can also view progress in the virtual machine panel on the SecureVM tab of CloudLink Center.

Decrypting virtual machine volumes

You can decrypt a Windows or Linux virtual machine encrypted boot partition. You can also decrypt Windows virtual machine data disks or Linux virtual machine mounted devices on an individual basis.

For example, before removing a virtual machine that you no longer want to be under SecureVM control, decrypt the volumes if you want to continue using the virtual machine. Otherwise, the volumes remain encrypted and therefore inaccessible.

You can decrypt volumes (boot partition and data disks) from the Enterprise Hybrid Cloud self-service interface. After initiating decryption, monitor progress on the virtual machine console. You can also view progress in the virtual machine panel on the SecureVM tab of CloudLink Center.

Changing the volume encryption policy for a Windows virtual machine

You can change the volume encryption policy that you selected during SecureVM Agent deployment. For more information, see the CloudLink SecureVM Deployment Guide.

For example, if the volume encryption policy applied during SecureVM Agent deployment was Boot and Manual Data, only the boot partition is encrypted. No data disks are encrypted during deployment, and any data disks added after deployment must be manually encrypted while the initial policy is in effect. You can change to the All Data policy, so that data disks added to the virtual machine are automatically encrypted.

Changing the volume encryption policy does not affect the boot partition or any existing data disks. The new policy is applied only when data disks are added to the virtual machine.

Integration with the service catalog

CloudLink SecureVM encryption is integrated with the service catalog, allowing encryption of both new and existing workloads. A catalog blueprint can easily be created, cloned, or modified, whereby the CloudLink build profile is attached to create an encrypted catalog item. Day two operations are also available to apply encryption to an existing virtual machine or workload. Virtual disk encryption policies are applied programmatically based on workload location and requestor selection.


CHAPTER 9

Certificate Update Procedures for EHC Components

This chapter includes the tasks you must complete to update the security certificates for each Enterprise Hybrid Cloud component.

• Enterprise Hybrid Cloud certificate update overview, page 86

• Updating vCenter Platform Service Controller, page 92

• Updating VMware vCenter Server certificates, page 95

• Updating Automation Pod Platform Services Controller, page 101

• Updating SRM certificates, page 101

• Updating NSX certificates, page 104

• Updating ViPR certificates, page 105

• Updating the vRealize Automation Appliance, page 106

• Updating vRealize Automation Web IaaS certificates, page 108

• Updating vRealize Automation Manager IaaS certificates, page 110

• Updating the active vRealize Automation Application Services certificate, page 111

• Updating vRealize Orchestrator certificates, page 113

• Updating vRealize Operations certificates, page 114

• Updating vRealize Business certificates, page 114

• Updating Log Insight certificates, page 116

• Updating Avamar certificates, page 116

• Updating RecoverPoint for Virtual Machines certificates, page 118

• Updating CloudLink certificates, page 120

• Updating ESXi certificates, page 120

• Updating the Data Protection Advisor (DPA) certificate, page 122

• Updating VAMI appliance certificates, page 124

• Running EHC validation workflows, page 126

Certificate Update Procedures for EHC Components 85


Enterprise Hybrid Cloud certificate update overview

This chapter addresses certificate update procedures used by the EHC solution to integrate the required components.

In a production environment, Enterprise Hybrid Cloud security best practice is to use 2048-bit SSL leaf certificates to secure authentication and authorization between EHC v4.1.2 foundation components. These SSL certificates generally have a two- to three-year lifetime. When the lifetime expires, the leaf certificates must be replaced to prevent an Enterprise Hybrid Cloud administration and orchestration outage. The lifetime of any certificate can be investigated by opening the component certificate and reviewing the Valid from and Valid to dates under the General tab on the certificate.
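
Opening each component certificate by hand does not scale to the list of components in this chapter, and a certificate that expires unnoticed is exactly the outage the paragraph above warns about. The following script is an added example (not part of the guide, and not a Dell EMC or VMware tool) that fetches the leaf certificate each component presents over TLS, validates it against the customer CA chain, and reports the days remaining. The component FQDNs and ports in COMPONENTS, the CA_FILE path (the Base64 CA chain file this chapter later calls Root64.cer) and the 90-day warning threshold are assumptions. Only fetch_peer_cert() and scan() touch the network; the date parsing and classification are exercised offline on a constructed certificate dict.

```python
"""Report days remaining on the TLS leaf certificate of each EHC component.

Added example, not code from the guide or from any Dell EMC/VMware product.
Standard library only. Assumptions: the component FQDNs/ports in COMPONENTS,
the CA chain path in CA_FILE, and the WARN_DAYS renewal lead time.
"""
import socket
import ssl
import time
from typing import Dict, Optional, Tuple

# Hypothetical inventory; record the real FQDN and port of every component.
COMPONENTS: Dict[str, int] = {
    "psc01.ehc.example": 443,
    "vc01.ehc.example": 443,
    "vra-vip.ehc.example": 443,
    "vro-vip.ehc.example": 8283,
}
CA_FILE = "/tmp/ssl/Root64.cer"   # assumed location of the customer CA chain (PEM)
WARN_DAYS = 90                    # assumed renewal lead time


def parse_cert_time(value: str) -> int:
    """Convert a getpeercert() timestamp ('Feb  7 12:00:00 2021 GMT') to epoch seconds."""
    return ssl.cert_time_to_seconds(value)


def fetch_peer_cert(host: str, port: int, ca_file: str = CA_FILE, timeout: float = 5.0) -> Dict:
    """Fetch the peer certificate, verified against ca_file, as getpeercert()'s dict.

    Verification is kept on deliberately: an expired or untrusted leaf fails
    the handshake with SSLCertVerificationError, which scan() reports as such.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_remaining(cert: Dict, now: Optional[float] = None) -> float:
    """Days from now until the certificate's notAfter (negative once expired)."""
    now = time.time() if now is None else now
    return (parse_cert_time(cert["notAfter"]) - now) / 86400.0


def classify(cert: Dict, now: Optional[float] = None, warn_days: int = WARN_DAYS) -> str:
    """'expired', 'renew' (inside the warning window) or 'ok'."""
    days = days_remaining(cert, now)
    if days <= 0:
        return "expired"
    if days <= warn_days:
        return "renew"
    return "ok"


def scan(components: Dict[str, int] = COMPONENTS, ca_file: str = CA_FILE,
         now: Optional[float] = None, warn_days: int = WARN_DAYS) -> Dict[str, Tuple[str, str]]:
    """Return {host: (status, detail)} for every component without raising per host."""
    report: Dict[str, Tuple[str, str]] = {}
    for host, port in components.items():
        try:
            cert = fetch_peer_cert(host, port, ca_file)
            report[host] = (classify(cert, now, warn_days),
                            f"{days_remaining(cert, now):.1f} days left")
        except ssl.SSLCertVerificationError as exc:
            # Chain validation failed: expired leaf, wrong CA, or a CA itself expired.
            report[host] = ("untrusted-or-expired", exc.verify_message or str(exc))
        except OSError as exc:
            report[host] = ("unreachable", str(exc))
    return report


if __name__ == "__main__":
    for host, (status, detail) in scan().items():
        print(f"{host:28} {status:22} {detail}")
```

Run it before the maintenance window to confirm which components actually need replacement, and again after the end-to-end procedure: a component that still reports renew or expired was missed. A failure reported as untrusted-or-expired against the customer CA chain is also how an expired root or subordinate CA shows up, which this chapter notes must be fixed by the customer security organization before any leaf certificate can be replaced.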

Note

Enterprise Hybrid Cloud implements Transport Layer Security (TLS)-compatible configurations and certificates. All references to Secure Sockets Layer (SSL) in this chapter imply TLS compatibility.

EHC Trusted PKI Hierarchy

In a customer environment, the EHC v4.1.2 foundation components have leaf certificates applied. The leaf certificates are at the end of an implicit chain of trust defined by the customer security organization.

The chain of trust is defined as:

1. Root CA

2. Subordinate CA (one or more layers of subordinates)

3. Leaf Certificate


Figure 45 SSL certificate chain of trust

Note

If the root CA or subordinate CA are due to expire, the customer security organization must replace them before you can replace the EHC leaf certificate. This process goes beyond the scope of this document.


EHC SSL component trust dependency

Understand the SSL certificate interdependency among the EHC components.

Figure 46 EHC SSL certificate interdependency

Overview of certificate update procedures

Ensure that you follow the update order, fulfill the prerequisites, and adhere to recommendations and best practices.

Certificate update recommendations

Adhere to certificate update and security recommendations.

Certificate security

When creating and signing certificates, Dell EMC recommends that you:

• Properly secure the private key associated with the root certificate.

• In a high-risk environment, use a secure enclave or an air-gapped network for signing operations and creating keys, CSRs, and other security-related artifacts. (An air-gapped network is completely physically, electrically, and electromagnetically isolated.)

• Use a hardware random-number generator (RNG) to efficiently and quickly generate random numbers with adequate characteristics for cryptographic use.

• For maximum security, use the OpenBSD operating system as the host for the OpenSSL key and certificate utilities. (OpenBSD ships LibreSSL, whose openssl command provides the same key-generation and CSR operations.)

Certificate revocation list

The certificate update process replaces active certificates that are due to expire, but the superseded certificates remain active within the Issued Certificates section on the CA. Dell EMC recommends that as a certificate is superseded, you mark each component certificate as revoked on the CA, which adds the certificate to the revoked certificates list on the CA server. Revocation takes effect only for relying parties that retrieve the CA's CRL (or query OCSP), so also publish the updated CRL to the distribution point named in the issued certificates.

Certificate replacement order

The EHC foundation component leaf certificate replacement procedure follows a specific sequence.

Update the certificates in this order:

1. vCenter PSC

2. vCenter Server

3. Site Recovery Manager

4. NSX

5. ViPR

6. vRealize Automation Appliance

7. vRealize Automation Web

8. vRealize Automation Manager

9. vRealize Automation Application Service

10. vRealize Orchestrator

11. vRealize Operations

12. vRealize Business

13. vRealize Log Insight

14. Avamar

Additional components that might be considered for leaf certificate replacement include:

• ESXi

• Data Domain

• DPA

• VMware Appliance Management Interface (VAMI)

For each component whose certificates are to be replaced, record the:

• FQDN

• IP address

• Required administrative username and password


Updating multisite configurations

You must follow a specific order when you update components in a multisite configuration.

Note

The following steps refer to a Standard dual site/dual vCenter topology.

1. On Site A, replace the Machine and Solution Users SSL certificates on PSC01 and VC01.

2. On Site B, replace the Machine and Solution Users SSL certificates on PSC02 and VC02.

3. On the Automation Pod, replace the Machine and Solution Users SSL certificates.

Dell EMC recommends that you replace the SSL certificates on the protected site SRM before replacing the SSL certificates on subsequent SRM recovery sites.

Note

Component leaf certificate expiration dates might be different on each site. Expiration dates depend on when the site was deployed as part of the customer EHC cloud platform. If only one site requires certificate replacement, treat it as a single-site certificate update.

Certificate update prerequisites

Prepare for the certificate update procedures.

• Ensure that you have the following tools and documents available:

  - EHC Buildscript

  - EHC Build Guide

  - NSX Administration Guide

• Plan a certificate update maintenance window.

When you update certificates, some EHC components require a restart, which directly affects the availability of EHC Orchestration and Administration. Dell EMC recommends that you complete the certificate replacement procedure as a single end-to-end consecutive process. The process will intermittently affect the availability of EHC Orchestration and Administration. Before you start the process, plan a suitable maintenance window with the customer to cover the end-to-end timeframe required to complete the entire EHC certificate replacement. More information about the interruption to EHC Orchestration and Automation is provided in the component sections.

VMware Certificate Manager tool

Use the VMware Certificate Manager tool to replace the required machine and solution user certificates in PSCs and vCenter Servers.

You use the Certificate Manager tool in each vCenter Server and on each PSC to replace certificates.

By default, the Certificate Manager tool is located under the /usr/lib/vmware-vmca/bin/certificate-manager path.

The Certificate Manager tool can:


• Help plan the required sequence to follow when you update your SSL certificates.

• Generate Certificate Signing Requests (CSRs) for each of the EHC v4.1.2 vSphere 6.x components that require an updated SSL certificate. When the CSR is created, each component's certificate files are stored in specific directories.

• Apply newly created certificates to each of the required EHC v4.1.2 vSphere 6.x components as outlined by the Certificate Manager tool.

Running EHC validation workflows

After the end-to-end SSL certificate procedure has been completed, run EHC vRealize Automation workflows to validate that EHC orchestration and automation is fully functional.

Run validation tests for vRealize Orchestrator, vCenter, ViPR, Avamar and DPA to ensure that each of these components is functioning correctly. Testing details are provided in the associated sections.

Procedure

1. Perform validation tests on vRealize Orchestrator:

a. Connect to the vRealize Orchestrator console: https://vro-vip.domain:8283.

b. Select EHC > Foundation > Validation > tests and run the following tests in the order listed:

• Pre-Test configuration elements

• TestAD

• TestCAFE

• TestVCAC

• TestVCenter

• TestViPR

• TestVRO

• VerifySiteAffinityBuildProfileAndCustomProperties

2. Validate that vCenter is functioning without issue by deploying a virtual machine from the vRealize Automation workflow:

a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.

b. Select Catalog > All Services > DeployVMwithBackupCatalogItem.

3. Validate the provision of cloud storage with ViPR:

a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.

b. Select Catalog > Provision Cloud Storage > Run Provision cloud storage.

4. Validate that Avamar backup and restore is functioning:

a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.

b. Select Catalog > Data Protection Services > Create Backup Service Level.


c. Select Catalog > Data Protection Services > Run Backup Service Level.

d. Select Catalog > Data Protection Services > On Demand Backup.

e. Select Catalog > Data Protection Services > On Demand Restore.

5. Validate that DPA is functioning:

a. Connect to vRealize Orchestrator: https://vro-vip.domain:8283.

b. Select EPC2 > EPC Data Protection > CalledByvCAC > GetBackupStatus.

Updating SSL Trust for SSO

When the SSL certificates are updated, update SSL Trust for SSO in vRealize Orchestrator by using Orchestrator Control Center.

Procedure

1. Connect to the vRealize Orchestrator Control Center (https://vRO-01.domain:8283/vco-controlcenter).

2. From Home > Manage, select Certificates.

3. From the Trusted Certificates tab, select Import and specify the URL/IP of the vCenter Server.

4. Click Import for the new certificate.

5. Confirm that the new certificate is populated in the Trusted SSL certificate list.

6. Delete the old certificate from the list.

7. On the secondary vRealize Orchestrator Configuration server (https://vRO-02.domain:8283/vco-controlcenter), repeat steps 2 to 6, so that the superseded certificate is removed from the trust list there as well.

Updating vCenter Platform Service Controller

Use the VMware Certificate Manager tool to replace the SSL certificates on each Platform Service Controller (PSC).

Before you replace the certificates, do the following:

• Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.

• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.

• Ensure that vRealize Automation workflows are not running.

The procedure to update certificates on the PSC includes:

• Replacing the Machine SSL certificate (see Replacing PSC Machine SSL certificates on page 93).

• Replacing the Solution Users certificate (see Replacing PSC Solution User SSL certificates on page 94).

• Updating the SSL Trust for SSO (see Updating SSL Trust for SSO on page 92).

After the PSC certificate replacement procedure is complete, replace the VMware vCenter Server certificate associated with this site (see Updating VMware vCenter Server certificates on page 95).


Note

Ensure that you replace site PSC and vCenter certificates before proceeding to another site.

Replacing PSC Machine SSL certificates

Replace the active Machine SSL certificates on a VMware PSC.

Procedure

1. Use SSH to log in to the PSC virtual machine.

2. Create a local /tmp/ssl/ directory.

3. Change directory (CD) to /usr/lib/vmware-vmca/bin/.

4. Run certificate-manager.

5. Select Option 1: Replace Machine SSL certificate with Custom Certificates and type a valid SSO user name and password for a user with vCenter privileges.

6. Select Generate certificate signing request and key for Machine SSL cert.

• Output destination directory: /tmp/ssl/.

• Output: machine_ssl.csr and machine_ssl.key

7. Generate a signed certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)

e. Download the Base64 certificate.

f. Rename the Base64 certificate to machine_ssl.cer.

g. Copy the machine_ssl.cer file to the /tmp/ssl/ directory on the PSC virtual machine (the directory that holds the CSR and key from step 6). The Base64 CA chain file, Root64.cer, must also be present on the PSC for the import in the next step.

8. In the Certificate Manager tool, select Option 1: Continue to import custom certs and keys.

a. Type the path to machine_ssl.cer.

b. Type the path to machine_ssl.key.

c. Type the path to Root64.cer.

d. Type Y.

All required PSC services are stopped and started.

Note

The script's output includes VMware system process checks that are not valid for this VMware component. Therefore, you might see service checks for components such as VSAN with a Don't update service message.


9. When the status is 100% Complete, restart the services on the associated vCenter Server to reflect the PSC updates.

a. Log in with SSH to the vCenter server virtual machine.

b. Run service-control --stop --all.

c. Run service-control --start --all.

10. Validate the PSC certificate:

a. Open your web browser and connect to the PSC web interface (https://psc<00>.domain/psc).

b. Log in as the SSO administrator (administrator@vsphere.local by default).

c. Select Certificate Management, log in with the administrator account, and then click Submit.

d. Verify that the certificate is present.

e. Verify that the validity dates have been updated for the certificate.

After you finish

Replace the Solution Users certificate (see Replacing PSC Solution User SSL certificates on page 94).

Replacing PSC Solution User SSL certificates

Replace the active Solution User SSL certificates on a VMware PSC.

Before you begin

Ensure that the Machine SSL certificate has been replaced.

Procedure

1. Use SSH to log in to the PSC virtual machine.

2. Change directory (CD) to /usr/lib/vmware-vmca/bin/.

3. Run certificate-manager.

4. Select Option 5: Replace Solution User certificate with Custom Certificates and type a valid SSO user name and password for a user with vCenter privileges.

5. Select Option 1: Generate certificate signing request and key for Solution User cert.

• Output destination directory: /tmp/ssl/.

• Output must be two different solution user CSRs and private keys:

  - machine

  - vsphere-webclient

6. Generate a signed certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)


e. Download the Base64 certificate.

f. Rename the Base64 certificate to match the applicable solution user (name.cer).

g. Copy the solution user certificates to the /tmp/ssl/ directory on the PSC virtual machine (the directory that holds the CSRs and keys from step 5).

7. In the Certificate Manager tool, select Option 1: Continue to import custom certs and keys.

a. Provide the path to machine.cer.

b. Provide the path to machine.key.

c. Provide the path to vsphere-webclient.cer.

d. Provide the path to vsphere-webclient.key.

e. Type the path to Root64.cer.

f. Type Y.

All required PSC services are stopped and started.

8. When the status is 100% Complete, restart the services on the associated vCenter Server to reflect the PSC updates.

a. Log in with SSH to the vCenter server virtual machine.

b. Run service-control --stop --all.

c. Run service-control --start --all.

9. Validate the PSC certificate:

a. Open your web browser and connect to the PSC web interface (https://psc<00>.domain/psc).

b. Log in as the SSO administrator (administrator@vsphere.local by default).

c. Select Certificate Management, log in with the administrator account, and then click Submit.

d. Verify that the certificate is present.

e. Verify that the validity dates have been updated for the certificate.

After you finish

• Update the SSL Trust for SSO in vRealize Orchestrator. See Updating SSL Trust for SSO on page 92.

• Replace the VMware vCenter Server certificate associated with this site. See Updating VMware vCenter Server certificates on page 95.

Updating VMware vCenter Server certificates

Use the VMware Certificate Manager tool to replace expiring SSL certificates on the VMware vCenter Server.

Before you replace the certificates, do the following:

• Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.

• Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.


• Ensure that vRealize Automation workflows are not running.

• Replace the certificates for the PSC that is associated with this site (see Updating vCenter Platform Service Controller on page 92).

Note

Complete the vCenter Server certificate replacement as soon as possible after the associated PSC appliance SSL certificate replacement.

The procedure to update certificates on the vCenter Server includes:

• Replacing the Machine SSL certificate (see Replacing vCenter Server Machine SSL certificates on page 96).

• Replacing the Solution Users certificate (see Replacing vCenter Server Solution User SSL certificates on page 97).

• Updating additional components (see Updating additional components after vCenter Server updates on page 99).

Replacing vCenter Server Machine SSL certificates

Replace the active Machine SSL certificates on a VMware vCenter Server appliance.

Before you begin

Ensure that the certificates for the PSC that is associated with this site have been replaced.

Procedure

1. Use SSH to log in to the vCenter Server virtual machine.

2. Create a local /tmp/ssl/ directory.

3. Change directory (CD) to /usr/lib/vmware-vmca/bin/.

4. Run certificate-manager.

5. Select Option 1: Replace Machine SSL certificate with Custom Certificates

a. Type a valid SSO user name and password for a user with vCenter privileges.

b. Type the IP address of the associated PSC appliance (valid infrastructure server IP).

6. Select Option 2 to start certificate replacement and respond to the prompts.

vSphere Certificate Manager prompts you for the following information:

• Password for administrator@vsphere.local (or your SSO administrator account)

• Valid Machine SSL custom certificate (.crt file)

• Valid Machine SSL custom key (.key file)

• Valid signing certificate for the custom machine SSL certificate (.crt file)

• IP address of the Platform Services Controller (if you are running the command on a management node in a multi-node deployment)

• (If prompted) output destination directory: /tmp/ssl/

• (If prompted) output: machine_ssl.csr and machine_ssl.key

7. Generate a signed certificate:


a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)

e. Download the Base64 certificate.

f. Rename the Base64 certificate to machine_ssl.cer.

g. Copy the machine_ssl.cer file to the /tmp/ssl/ directory on the vCenter Server virtual machine (the directory that holds the CSR and key). The Base64 CA chain file, Root64.cer, must also be present for the import in the next step.

8. In the Certificate Manager tool, select Option 1: Continue to import custom certs and keys.

a. Type the path to machine_ssl.cer.

b. Type the path to machine_ssl.key.

c. Type the path to Root64.cer.

d. Type Y.

All required vCenter Server services are stopped and started.

Note

The script's output includes VMware system process checks that are not valid for this VMware component. Therefore, you might see service checks for components such as VSAN with a Don't update service message.

9. Open your web browser to the following URLs and verify that the certificate is present:

• vCenter Server (https://vcs.domain.com:443)

• vSphere Web Client (https://vcs.domain.com:9443)

After you finish

Replace the Solution User SSL certificate (see Replacing vCenter Server Solution User SSL certificates on page 97).

Replacing vCenter Server Solution User SSL certificates

Replace the active Solution User SSL certificates on a vCenter Server.

Before you begin

Ensure that the Machine SSL certificate has been replaced (see Replacing vCenter Server Machine SSL certificates on page 96).

Procedure

1. Use SSH to log in to the vCenter Server virtual machine.

2. Change directory (CD) to /usr/lib/vmware-vmca/bin/.

3. Run certificate-manager.

4. Select Option 5: Replace Solution User SSL certificate with Custom Certificates:


a. Type a valid SSO user name and password for a user with vCenter privileges.

b. Type the IP address of the associated PSC appliance (valid infrastructure server IP).

5. Select Option 2 to start certificate replacement and respond to the prompts.

• Output destination directory: /tmp/ssl/

• Output is four different solution user CSRs and private keys:

  - machine

  - vsphere-webclient

  - vpxd

  - vpxd-extension

6. Generate a signed certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)

e. Download the Base64 certificate.

f. Rename the Base64 certificate to match the applicable solution user (name.cer).

g. Copy the four solution user certificates to the /tmp/ssl/ directory on the vCenter Server virtual machine (the directory that holds the CSRs and keys from step 5).

7. In the Certificate Manager tool, select Option 1: Continue to import custom certs and keys:

a. Type the path to machine.cer.

b. Type the path to machine.key.

c. Type the path to vsphere-webclient.cer.

d. Type the path to vsphere-webclient.key.

e. Type the path to vpxd.cer.

f. Type the path to vpxd.key.

g. Type the path to vpxd-extension.cer.

h. Type the path to vpxd-extension.key.

i. Type the path to Root64.cer.

j. Type Y.

All vCenter Server services are stopped and started.

8. Open your web browser to the following URLs and verify that the certificate is present:

• vCenter Server (https://vcs.domain.com:443)

• vSphere Web Client (https://vcs.domain.com:9443)


After you finish

Update additional components (see Updating additional components after vCenter Server updates on page 99).

Updating additional components after vCenter Server updates

When the vCenter Server active certificate replacement is complete, you must update some Enterprise Hybrid Cloud components with the new vCenter Server SSL certificate.

Procedure

1. vRealize Orchestrator.

See Updating SSL Trust for SSO on page 92.

2. NSX Manager.

See Reestablishing the lookup service connection on page 99.

3. vRealize Operations Manager.

See Reestablish the collection process on vRealize Operations Manager on page 99.

4. Avamar.

See Uploading vCenter SSL certificates to Avamar on page 100.

Reestablishing the lookup service connection

After you update the PSC and vCenter Server SSL certificates, reestablish the HTTPS connection from NSX Manager to vCenter Server and the lookup service.

Procedure

1. Connect to NSX Manager.

2. Go to Manage Appliance Settings > NSX Management Service > Lookup Service, and click Edit.

3. Type the PSC SSO administrator and password, and then click OK.

4. Compare the updated certificate thumbprint with the thumbprint of the new PSC certificate, and then accept it.

5. Go to vCenter Server and click Edit.

6. Type the vCenter password, compare the updated certificate thumbprint with the thumbprint of the new vCenter Server certificate, and accept it.

The vCenter Server shows a connected status.

Reestablish the collection process on vRealize Operations Manager

When vCenter Server SSL certificates are updated, the collection process on vRealize Operations Manager needs to be re-established.

Procedure

1. Connect to vRealize Operations Manager.

2. Go to Certificates and remove the expired or superseded vCenter certificates.

3. Go to Solutions and select VMware vSphere from the list of current solutions.

4. Select the Configure option.

5. In the solution window for vSphere, click Test Connection and then click OK to accept the new certificate thumbprint.


6. Click Save Settings, OK, and then Close.

7. Click Start Collecting to resume the vSphere collection process.

Uploading vCenter SSL certificates to Avamar

When the vCenter Server SSL certificates are updated, the newly applied vCenter SSL certificate must be manually uploaded to your Avamar servers.

This procedure requires the Avamar server MCS process to be stopped, which aborts any running or scheduled backup/restore operations. Dell EMC recommends that you perform this procedure during a period of low backup activity or during a planned maintenance window.

Note

If the Avamar server protects more than one vCenter, perform the procedure for all vCenter servers.

Procedure

1. SSH as admin to the Avamar utility node (multi-node version) or to the Avamar Server (single-node/AVE).

2. Copy rui.crt from the vCenter machine to the Avamar server:

l vCenter location: C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx\ssl\rui.crt

Note

The ProgramData directory is a hidden system directory.

l Avamar location: /tmp

3. To stop the MCS, type the dpnctl stop mcs command.

4. Switch user to root by typing su - and entering the root password.

5. To copy the MCS keystore to /tmp, type the cp /usr/local/avamar/lib/rmi_ssl_keystore /tmp/ command.

6. Add the vCenter certificate to the temporary MCS keystore by typing:

a. cd /tmp

b. $JAVA_HOME/bin/keytool -import -file rui.crt -alias alias -keystore rmi_ssl_keystore

where alias is a user-defined name for this certificate.

7. Type the keystore password. (The default is changeme.)

8. Type yes and press Enter to trust the certificate.

9. Back up the live MCS keystore by typing:

a. cd /usr/local/avamar/lib

b. cp rmi_ssl_keystore rmi_ssl_keystore.date

where date is today's date.

10. Copy the temporary MCS keystore to the live location by typing:

cp /tmp/rmi_ssl_keystore /usr/local/avamar/lib/


11. Exit the root subshell by typing exit.

12. To restart the MCS and scheduler:

a. Type dpnctl start mcs

b. Type dpnctl start sched

13. Validate Avamar, following the vRealize Automation workflow:

a. Go to Catalog > Data Protection Services > Create Backup Service Level.

b. Go to Catalog > Data Protection Services > Run Backup Service Level.

Updating Automation Pod Platform Services Controller

The vCenter Automation Pod Platform Services Controller (Auto-PSC) manages and controls access to the vRealize suite of applications. The Auto-PSC also provides authorization based on user privilege to allow various EHC workflows to run.

Before you begin

l Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.

l Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.

l Ensure that vRealize Automation workflows are not running.

The procedures for updating the Automation Pod PSC certificates are similar to the procedures for updating the PSC certificates. Use the VMware Certificate Manager tool to replace the SSL certificates on each PSC.

Procedure

1. Replace the Machine SSL certificate (see Replacing PSC Machine SSL certificates on page 93).

2. Replace the Solution Users SSL certificate (see Replacing PSC Solution User SSL certificates on page 94).

3. Update the SSL Trust for SSO in vRealize Automation:

a. Connect to the Master vRealize Automation VAMI Appliance.

b. Click vRA Settings > SSO.

c. Update the SSO Admin User and Password and click Save Settings.

d. Click OK for the new SSL thumbprint.

The SSO Info section now shows status = connected.

4. Update the SSL Trust for SSO in vRealize Orchestrator. See Updating SSL Trust for SSO on page 92.

Updating SRM certificates

Replace the current SRM SSL certificate.

Before you begin

l Ensure you have the correct SRM installer package that matches the SRM plug-in build number in vCenter.


l Make a note of the password for the EHC svc_srm service account.

l Arrange a maintenance window with the customer so that no Test Failover, Re-Protect, or Failover operations are running during this maintenance window.

l Follow this pre-check:

1. Connect to the vCenter Server web client.

2. Go to Site Recovery Manager.

3. Check the status of each recovery plan.

Note

Check for ongoing Test Failover, Re-Protect, or Failover operations from the SRM Console. If any of these tasks is pending or running, do not replace the certificate; wait for the task to complete.

If you are replacing certificates in a multisite environment, update the Protected Site first and then update the recovery sites. When you complete the SSL certificate replacement on each site SRM virtual machine, verify that the recovery plan status is showing as active and the destination site is accessible. For more information, see Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager.

Procedure

1. Connect to the virtual machine where you want to generate the certificate signing request (CSR) and Private Key. (The virtual machine must run OpenSSL.)

2. Create the C:\Certs\SRM output directory for new key files.

3. Create the srm.cfg configuration file, which is used to create the CSR.

Note

The SubjectAltName value includes a generic FQDN that covers both sites, as well as a per-site SRM FQDN.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:srm.domain, DNS:srm01.domain

[ req_distinguished_name ]
countryName = 2-digit_country_code
stateOrProvinceName = state/province
localityName = location
0.organizationName = company_name
organizationalUnitName = department_name
commonName = srm.domain

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true

[ req_attributes ]

4. Open the command prompt and browse to the directory where OpenSSL is installed.

5. To create the CSR and Private Key, run the following command:

openssl.exe req -new -nodes -out C:\Certs\SRM\srm.csr -keyout C:\Certs\SRM\srm-orig.key -config C:\Certs\SRM\srm.cfg

6. To convert the Private Key to RSA format, run the following command:

openssl.exe rsa -in c:\Certs\SRM\srm-orig.key -out c:\Certs\SRM\srm.key

7. Generate a CA-signed certificate from generated CSR:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)

e. Download the Base64 certificate.

f. Rename the Base64 certificate to match the applicable solution user (name.cer).

8. To convert the certificate file to encrypted p12 format, run the following command, where the variable values reflect the customer environment:

openssl.exe pkcs12 -export -in c:\Certs\SRM\srm.cer -inkey c:\Certs\SRM\srm.key -name "srmprotected" -passout pass:password -out c:\Certs\SRM\srm.p12

The password can be a maximum of 31 characters. For more information, see the VMware topic, SRM Install and Configure.

9. Copy the new certificate file (srm.p12) to the SRM virtual machine.

10. RDP to the SRM virtual machine with the svc_srm user account.

11. Execute the previously downloaded SRM installer and select Modify.

12. Provide SSO administrative credentials ([email protected]), click Next, and then click Next again on the vCenter Server page.

13. On the SRM page, type the Admin email address and host to be used for the installation and click Next.

14. On the Certificate Type page, select Use a PKCS#12 certificate file and click Next.

15. On the Certificate File page, go to the location of the srm.p12 file and type the password. Click Next and Next again on the External Database page.


16. On the SRM Service Account page, enter the password for the svc_srm account and click Next and then Finish.

17. Restart the local SRM service on the SRM virtual machine:

a. Open the services.msc console.

b. Restart the VMware vCenter Site Recovery Manager Server service.

18. To validate the SRM virtual machine:

a. Open the MMC console and add in the Certificates snap-in:

Service Account > Local Computer > VMware vCenter Site Recovery Manager Server

b. Expand the snap-in and select vmware-dr\Personal > Certificates.

The newly updated certificate is listed. Note the certificate CA and expiration date.

19. To validate vCenter:

a. Connect to vCenter Server web client.

b. Go to Site Recovery Manager.

c. Check status of each recovery plan.

After you finish

Update the SSL Trust for SSO (see Updating SSL Trust for SSO on page 92).

Updating NSX certificates

Replace the current SSL CA-signed certificate on NSX Manager.

Before you begin

Review information about SSL certification in the NSX Administration Guide.

Note

You must reboot NSX Manager when the certificate replacement is complete.

Procedure

1. Log in to the NSX Manager virtual appliance.

2. Select Manage Appliance Settings > SSL Certificates > Generate CSR.

3. Provide data for the following fields, and then click OK.

l Algorithm—Select RSA.

l Key Size—Select the key length used in the selected algorithm.

l Common Name—Type the IP address or fully qualified domain name (FQDN) of the NSX Manager. VMware recommends that you enter the FQDN.

l Remaining fields—Complete according to customer requirements.

4. Click Download CSR.

Using this method, the private key never leaves the NSX Manager.


5. Generate CA-signed certificates:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)

e. Download the DER encoded certificate. The default filename is certnew.cer.

f. Download the DER encoded certificate chain, and extract the Root and the appropriate subordinate certificates into the Root64.cer file.

6. Convert the certificate to PEM format:

a. Run the openssl x509 -inform der -in certnew.cer -out 4-nsx-signed.pem command.

b. Concatenate the Root and subordinate certificates in the 4-nsx-signed.pem file.

Additional root and subordinate certificates are placed below the existing leaf certificate in the 4-nsx-signed.pem file.

7. In the NSX Manager UI, click Import and select 4-nsx-signed.pem.

8. When the import is successful, the server certificate and all the CA certificates are listed on the SSL certificates page.

9. Click the settings icon in the top left and click Reboot Appliance.

10. To validate the new certificates, check the SSL certificate contents from the NSX Manager web page address bar. The SSL certificate Valid from field under the General tab indicates the period of time for which the new certificate is valid.

After you finish

Update the SSL Trust for SSO (see Updating SSL Trust for SSO on page 92).

Updating ViPR certificates

Replace the ViPR active SSL certificate.

Before you begin

An Enterprise Hybrid Cloud Buildscript is required for scripted creation of the CSR and download of the ViPR controller SSL certificate.

Use the Enterprise Hybrid Cloud buildscript to create and submit the component CSR and download the ViPR controller SSL certificate. Plan to restart ViPR Manager after the certificate replacement is complete.

Procedure

1. Run the Enterprise Hybrid Cloud Buildscript.

2. Select Option 4 ViPR Tasks.

3. Select Option 1 Create & Submit CSR & Download ViPR SSL Cert.

Updated SSL certificate component files are stored locally in C:\Certs\ViPR_Controller.


4. Connect to the ViPR Web UI at https://ViPR-FQDN.

5. Select Security > Keystore and upload the new private key and certificate chain file.

6. Click Save.

The ViPR controller restarts.

7. Validate the new certificate details and dates from the ViPR Web UI address bar, https://ViPR-FQDN.

After you finish

Update the SSL Trust for SSO. See Updating SSL Trust for SSO on page 92.

Updating the vRealize Automation Appliance

Update the existing SSL certificates on the vRealize Automation Appliance.

Before you begin

l Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.

l Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.

l Ensure that vRealize Automation workflows are not running.

l Confirm that up-to-date backups exist for the vRealize Automation Appliance virtual machines and the VMware vCloud Automation Center (VCAC) database.

l Connect to the Appliance Web UI, https://vra01.domain:5480/, and confirm that all valid services on each appliance are showing as Registered and none are showing as Failed. Resolve failed services before attempting certificate replacement.

Note

l Completing the process on the Master vRealize Automation appliance replicates the certificate to the secondary appliance.

l Replace only one vRealize Automation appliance component certificate at a time to ensure that environment trust is maintained.

Procedure

1. Prepare the environment using the Prepare the environment topic in VMware KB article 2090090.

2. Prepare the configuration file for the master appliance, vRA01.

For example (variables are specific to the customer environment):

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vra01, DNS:vra01.domain, DNS:vra02, DNS:domain, DNS:vra-vip, DNS:vra-vip.domain

[ req_distinguished_name ]
countryName = 2-digit_code
stateOrProvinceName = state/province
localityName = locality
0.organizationName = org_name
organizationalUnitName = unit
commonName = vra-vip.domain

3. Run the following commands to create a certificate signing request:

a. openssl req -new -nodes -out c:\certs\vra01\rui.csr -keyout c:\certs\vra01\rui-orig.key -config c:\certs\vra01\vra01.cfg

(Input: vra01.cfg. Output: rui.csr and rui-orig.key.)

b. openssl rsa -in c:\certs\vra01\rui-orig.key -out c:\certs\vra01\rui.key

(Converts rui-orig.key to rui.key.)

4. Generate certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)

e. Download the Base64 encoded certificate (default filename, certnew.cer).

f. Rename the downloaded signed certificate to rui.crt.

5. Generate the pfx and create the PEM files:

a. openssl pkcs12 -export -in C:\certs\vra01\rui.crt -inkey C:\certs\vra01\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vra01\rui.pfx

b. openssl pkcs12 -in c:\certs\vra01\rui.pfx -inkey c:\certs\vra01\rui.key -out c:\certs\vra01\rui.pem -nodes

6. From the Appliance Web UI https://vra01.domain:5480/ select vRA Settings > Host Settings.

7. Select SSL Configuration > Import and paste the contents of the relevant rui.key, rui.pem, and pass phrase.

8. Click Save Settings.

vRealize Automation Appliance services restart. The status is displayed in the Services tab.

Note

It could take 10 to 15 minutes for all services to restart and show as Registered.


9. Ignore the Sign the IaaS certificates section. This is completed later.

10. From the vRealize Automation Appliance portal, https://vra01.domain:5480, select vRA Settings > Host Settings and confirm that the certificate information is identical on the master and secondary vRealize Automation appliance certificates.

11. Connect to the vRealize Automation VIP https://vra-vip.domain and verify the new certificate status from the portal address bar and confirm that the certificate expiration date has been updated.
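The CSR, CA signing and PKCS#12 packaging steps of the SRM procedure (steps 3 to 8) and of the vRealize Automation appliance procedure above (steps 2 to 5), rehearsed offline as an added example that is not part of this guide: a throwaway test CA minted inside the script stands in for the customer CA web enrollment, srm.domain and srm01.domain are the guide's placeholder names, and the DN values and password are constructed placeholders. It also performs the checks the guide leaves to the installer: that the issued certificate chains to the CA, that both SAN names survived signing, and that the key inside the bundle matches the certificate.

```shell
#!/bin/sh
# Added example, not code from the EHC guide: rehearse CSR -> CA-signed cert -> PKCS#12
# offline. A throwaway test CA minted below stands in for the customer's CA web
# enrollment; srm.domain / srm01.domain are the guide's placeholder names.
set -u
WORK="${WORK:-$(mktemp -d)}"

# Request config as in the guide (DN values are constructed placeholders).
# The [ v3_ca ] section is used only to mint the stand-in CA further down.
write_cfg() {
  cat > "$WORK/srm.cfg" <<'EOF'
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:srm.domain, DNS:srm01.domain

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = MA
localityName = Hopkinton
0.organizationName = Example Co
organizationalUnitName = Cloud
commonName = srm.domain

[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
EOF
}

# Guide steps 5-6: CSR plus key, then the key re-exported with "openssl rsa".
make_csr() {
  openssl req -new -nodes -out "$WORK/srm.csr" -keyout "$WORK/srm-orig.key" \
    -config "$WORK/srm.cfg" 2>/dev/null &&
  openssl rsa -in "$WORK/srm-orig.key" -out "$WORK/srm.key" 2>/dev/null
}

# Stand-in for the CA web enrollment step (constructed test CA, not the customer CA).
# A CA template that ignores request extensions silently drops the SANs; applying
# v3_req here mirrors what a correctly built template does.
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
    -config "$WORK/srm.cfg" -extensions v3_ca \
    -keyout "$WORK/ca.key" -out "$WORK/Root64.cer" 2>/dev/null &&
  openssl x509 -req -in "$WORK/srm.csr" -CA "$WORK/Root64.cer" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -extfile "$WORK/srm.cfg" -extensions v3_req \
    -out "$WORK/srm.cer" 2>/dev/null
}

# Guide step 8 (SRM) / step 5 (vRA): bundle key, certificate and chain into PKCS#12.
# The password is a constructed placeholder; SRM accepts at most 31 characters.
make_p12() {
  openssl pkcs12 -export -in "$WORK/srm.cer" -inkey "$WORK/srm.key" \
    -certfile "$WORK/Root64.cer" -name srmprotected \
    -passout pass:Placeholder1 -out "$WORK/srm.p12" 2>/dev/null
}

# Pre-flight checks before the bundle goes near the SRM installer. Return codes:
# 1 = does not chain to the CA, 2 = a SAN name was lost, 3 = key/cert mismatch.
verify_bundle() {
  openssl verify -CAfile "$WORK/Root64.cer" "$WORK/srm.cer" >/dev/null 2>&1 || return 1
  sans=" $(openssl x509 -in "$WORK/srm.cer" -noout -text | grep -o 'DNS:[^, ]*' | tr '\n' ' ')"
  for n in srm.domain srm01.domain; do
    case "$sans" in *" DNS:$n "*) ;; *) return 2 ;; esac
  done
  cert_mod=$(openssl x509 -in "$WORK/srm.cer" -noout -modulus)
  key_mod=$(openssl pkcs12 -in "$WORK/srm.p12" -passin pass:Placeholder1 -nocerts -nodes \
              2>/dev/null | openssl rsa -noout -modulus 2>/dev/null)
  [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ] || return 3
}

run_all() { write_cfg && make_csr && sign_with_test_ca && make_p12 && verify_bundle; }

if run_all; then echo "bundle OK: $WORK/srm.p12"; else echo "bundle check failed (rc=$?)"; fi
```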

After you finish

l Update vRealize Business:

1. Connect to vRealize Business Web VAMI, https://vRBAppliance.domain:5480.

2. Under vRealize, type vRealize Automation VIP details.

3. Select Accept vRealize Automation certificate.

4. Click Register.

l Update the SSL Trust for SSO. See Updating SSL Trust for SSO on page 92.

Updating vRealize Automation Web IaaS certificates

Renew the Master and Secondary vRealize Automation Web IaaS certificates.

Before you begin

l Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.

l Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.

l Ensure that vRealize Automation workflows are not running.

l Perform a backup of the vRealize Automation Appliance virtual machines.

Update the Master vRealize Automation Web IaaS certificate, and then update the Secondary certificate.

Procedure

1. RDP to the Web server virtual machine.

2. Open IIS, select the web server Web01 and select Server Certificates > Create Certificate Request.

a. Under Distinguished Name Properties, provide values for the fields according to the customer environment. For Common Name, use web-vip.domain.

b. Under Service Provider properties, select 2048 bit RSA certificate.

c. Type a name for the file, select the location, and click Finish.

3. Generate a signed certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.


d. Use the following certificate template: VMware SSL

e. Additional attributes: Specify a SAN covering all Web DNS names.

For example, san:=web-vip&dns=web01&dns=web01.vlab.local&dns=web02&dns=web02.vlab.local

f. Download the Base64 certificate.

4. From the Master web virtual machine IIS, select Complete certificate request.

The new certificate is listed under Server Certificates.

5. Go to Default Web Site, right-click Edit Bindings and edit https port 443 to assign the new SSL certificate.

6. Select the IIS server and select Manage Server > Restart to restart the IIS service.

7. Connect to vRealize Automation https://vRA_Web01.domain to confirm that the certificate valid from date has been updated.

8. Update the secondary vRealize Automation Web IaaS certificate:

a. On Master Web01 IIS, right-click the valid server certificate and select Export as .pfx.

b. Set the password.

c. Copy the PFX file to the secondary Web02 virtual machine.

d. On Web02, select IIS > Server Certificates.

e. Select Import and import the PFX file from Web01.

The new certificate is listed under Server Certificates in IIS MMC.

f. Right-click Default Web Site, select Edit Bindings > https port 443 > Edit > Assign new SSL certificate, select the appropriate certificate, and click OK.

g. Restart the IIS service.

9. Validate that the certificate status and valid from dates have been updated on the following:

l vRA Web02 https://web02.domain.

l vRA Web VIP https://web-vip.domain.

10. Connect to vRealize Automation Appliance Management page, https://vra01.domain:5480/ to confirm that all services are showing as Registered.

If any services show as Failed, refer to Updating vRealize Automation Certificates for information about rebuilding the trust relationship between vRealize Automation components.

After you finish

Update the SSL Trust for SSO. See Updating SSL Trust for SSO on page 92.


Updating vRealize Automation Manager IaaS certificates

Renew expiring Master and Secondary vRealize Automation Manager IaaS certificates.

Before you begin

l Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.

l Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.

l Ensure that vRealize Automation workflows are not running.

l Perform a backup of the vRealize Automation Appliance virtual machines.

Update the Master vRealize Automation Manager IaaS certificate, and then update the Secondary certificate.

Procedure

1. RDP to the Manager server virtual machine.

2. Open IIS, select the web server Manager01 and select Server Certificates > Create Certificate Request.

l Common Name: manager-vip.domain

l Service Provider properties: 2048 bit RSA certificate.

3. Generate a signed certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: VMware SSL

e. Additional attributes: Specify a SAN covering all Manager DNS names.

For example, san:=manager-vip&dns=manager01&dns=manager01.vlab.local&dns=manager02&dns=manager02.vlab.local

f. Download the Base64 certificate.

4. From the Master manager virtual machine IIS, select Complete certificate request.

The new certificate is listed under Server Certificates.

5. Go to Default Web Site, right-click Edit Bindings and edit port 443 to assign the new SSL certificate.

6. Restart the IIS service.

7. Connect to vRealize Automation https://vRA_Web01.domain to confirm that the certificate valid from date has been updated.

8. Update the secondary vRealize Automation Manager IaaS certificate:

a. On Master Manager01 IIS, right-click the valid server certificate and select Export as .pfx.


b. Set the password.

c. Copy the PFX file to the secondary Manager02 virtual machine.

d. On Manager02, select IIS > Server Certificates.

e. Select Import and import the PFX file from Manager01.

The new certificate is listed under Server Certificates.

f. Go to Default Web Site, right-click and select Edit Bindings.

g. Edit https port 443 to assign the new SSL certificate.

h. Restart the IIS service.

9. Validate that the certificate status and valid from dates have been updated on the following:

l vRA Manager02 https://manager02.domain.

l vRA Manager VIP https://manager-vip.domain.

10. Connect to vRealize Automation Appliance Management page, https://vra01.domain:5480/ to confirm that all services are showing as Registered.

If any services show as Failed, refer to Updating vRealize Automation Certificates for information about rebuilding the trust relationship between vRealize Automation components.

Updating the active vRealize Automation Application Services certificate

Replace an expiring CA signed SSL certificate on the vRealize Automation Application Services (vRAAS) server.

Before you begin

l Set up a maintenance window with the customer. Postpone virtual machine provisioning during the maintenance window.

l Ensure that Enterprise Hybrid Cloud Automation and Orchestration are offline.

l Ensure that vRealize Automation workflows are not running.

l Perform a backup of the vRealize Automation Appliance virtual machines.

Note

If the customer vRAAS does not currently use CA signed certificates and the customer wants to start using CA signed certificates, complete the Update Server section of KB 2065009.

Procedure

1. Prepare the environment using the Prepare the environment topic in VMware KB article 2090090.

2. Prepare the configuration file for the Master Appliance, vRA01.

For example (variables are specific to the customer environment):

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vra01, DNS:vra01.domain, DNS:vra02, DNS:domain, DNS:vra-vip, DNS:vra-vip.domain

[ req_distinguished_name ]
countryName = 2-digit_code
stateOrProvinceName = state/province
localityName = locality
0.organizationName = org_name
organizationalUnitName = unit
commonName = vra-vip.domain

3. Run the following commands to create a certificate signing request:

a. openssl req -new -nodes -out c:\certs\vraas\rui.csr -keyout c:\certs\vraas\rui-orig.key -config c:\certs\vraas\vraas.cfg

(Input: vraas.cfg. Output: rui.csr and rui-orig.key.)

b. openssl rsa -in c:\certs\vraas\rui-orig.key -out c:\certs\vraas\rui.key

(Converts rui-orig.key to rui.key.)

4. Generate certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: VMware SSL

e. Download Base64 encoded certificate and save as rui.crt.

5. Combine the private key and certificate into one PKCS 12 file:

openssl pkcs12 -export -in C:\certs\vraas\rui.crt -inkey C:\certs\vraas\rui.key -passout pass:password -out C:\certs\vraas\rui.p12

6. Copy the generated rui.p12 to the vRAAS appliance (WinSCP the file to /tmp).

7. Use SSH to log in to the vRAAS appliance and change directory to /tmp.

8. Create the JKS keystore file required by the vRealize Application Services server by running the following command:

keytool -v -importkeystore -deststorepass 'password' -destkeystore appdui.jks -srckeystore /tmp/rui.p12 -srcstoretype PKCS12 -srcstorepass 'password' -destalias ssl -alias 1 -deststoretype JKS

9. Back up the active keystore appdui.jks in /home/darwin/keystore.

10. Copy the generated appdui.jks keystore file from /tmp to /home/darwin/keystore.


This overwrites the keystore file already in this directory.

11. Update file permissions on Keystore:

a. #chown darwin /home/darwin/keystore/appdui.jks

b. #chmod 400 /home/darwin/keystore/appdui.jks

12. Stop and restart the vRealize Application Services server:

a. Stop: #service vmware-darwin-tcserver stop

b. Restart: #service vmware-darwin-tcserver restart

Note

It could take 10 to 15 minutes for all services to restart and show as Registered.

13. Connect to vRealize Application Services server https://vRAAS.domain:8444/darwin to confirm that the certificate expiration date has been updated.

Results

Completing the process on the Master vRealize Automation appliance replicates the certificate to the secondary appliance.

Updating vRealize Orchestrator certificates

Replace expiring vRealize Orchestrator SSL certificates.

Before you begin

Plan for a restart of the vRealize Orchestrator hosts.

To reestablish trust between vRealize Orchestrator and each solution component it communicates with, SSL Trust for SSO must be updated in vRealize Orchestrator by using Orchestrator Control Center. Perform these steps on the first orchestrator node.

The following table lists the vRealize Orchestrator touchpoints for SSL.

EHC Component                              Example URL
ViPR                                       https://vipr.domain.local
vRealize Automation virtual appliance VIP  https://vra-vip.domain.local
vRealize Automation web server VIP         https://web-vip.domain.local
Cloud Center Server                        https://cloud-vc01.domain.local
Cloud Center SDK                           https://cloud-vc01.domain.local/sdk
NSX Manager                                https://nsx-mgr.domain.local
Data Protection Advisor (DPA)              https://dpa.domain.local:9002
SRM Primary Site                           https://srm01.domain.local:9086
SRM Recovery Site                          https://srm02.domain.local:9086

The EHCBuildGuideScript includes an option to generate and install the SSL certificate for vRealize Orchestrator automatically.


Procedure

1. Run EHCBuildGuideScript.ps1, select Option 6 vRealize Orchestrator Tasks, and then select option 1.

2. Follow the onscreen instructions.

The script:

l Creates and submits the CSR

l Downloads the vRealize Orchestrator certificates to the local store

l Imports the certificates directly on to each vRealize Orchestrator instance

l When the certificates have been applied, automatically reboots each vRealize Orchestrator host

3. To validate the new certificates, check the certificate settings from the vRealize Orchestrator control center (https://vRO.domain:8283/vco-controlcenter).

Updating vRealize Operations certificates

Replace expiring vRealize Operations SSL certificates.

Before you begin

For more information, see Configure a certificate for use with vRealize Operations Manager (2046591).

You can use the EHC Buildscript to create and submit the component CSR and download the vRealize Operations Manager SSL certificate.

Procedure

1. Log in to the vRealize Operations Admin console (https://vrops.domain/admin) as an administrator.

2. At the top right, click the SSL Certificate icon.

3. Click Install New Certificate and upload the chain.pem file.

4. Click Install to apply the new certificate.

The admin web page reloads with the new certificate.

5. Validate the new certificate from the browser's address bar (https://vrops.domain/admin), confirming that it shows the expected expiration date.

Updating vRealize Business certificates

Replace the vRealize Business for Cloud SSL certificate, change from a self-signed certificate to a Certifying Authority (CA) signed certificate, and import the certificate private key and the certificate issued by a CA.

Before you begin

l Back up the existing key store from /usr/local/tcserver/vfabric-tc-server-standard/sharedconf/ssl.keystore.

l Verify that your certificate matches the following requirements:

n Keysize: 2048

n Algorithm: RSA


n The host name given as the distinguished name in the certificate resolves and is reachable over the network.

Procedure

1. Log in to the vRealize Business for Cloud Web console, https://vRealize_Business_for_Cloud_IP_address:5480.

2. Unregister vRealize Business for Cloud from vRealize Automation or VMware Identity Manager.

3. Select Administration > SSL.

4. Under Choose Mode, select the certificate type. If you are using a PEM encoded certificate, select Import PEM encoded certificate.

Note

Using a self-signed certificate is not recommended for production environments.

The following actions are available:

l Generate a self-signed certificate—Type a common name for the certificate in the Common Name box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wildcard, such as *.mycompany.com. Do not accept a default value unless it matches the host name of the virtual appliance.

Type the following information in the appropriate boxes:

n Organization—Your organization or company name.

n Organizational Unit—Your department name or location.

n Country—Your two-letter ISO 3166 country code, such as US.

l Insert PEM encoded certificate:

n Copy the private key from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste it in the RSA Private Key box.

n Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate(s) (.pem) box.

n (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Passphrase box.

5. Click Replace Certificate.

6. Re-register vRealize Business for Cloud with vRealize Automation or VMware Identity Manager.

Note

If you are using VMware Identity Manager, restart the data collection services manually by running the monit start itbm-data-collector command.


Updating Log Insight certificates

Replace expiring Log Insight SSL certificates.

Before you begin

Plan for a brief restart of the Log Insight service.

For more information, see Install a Custom SSL Certificate by Using the vRealize Log Insight Web Interface.

You can use the EHC Buildscript to create and submit the component CSR and download the Log Insight SSL certificate.

Procedure

1. Connect to the Log Insight web portal (https://vRLI.domain).

2. Select Configuration > Administration > SSL Certificate.

3. Under Custom SSL Certificate, browse to and select the newly created chain.pem file, and then click Save.

4. When the file is uploaded, click Management > Cluster, select a cluster node, and then select Restart vRealize Log Insight.

The Log Insight service restarts. This command does not perform a full reboot of the appliance. For more information, see the VMware topic, Restart Process.

The updated SSL certificate components are stored locally in C:\Certs.

5. Validate the new certificates:

a. Check the SSL certificate fingerprint on the Log Insight web portal (https://vRLI.domain).

b. Open the SSL certificate and review the certificate and its updated validity period.

Updating Avamar certificates

Install certificates in the Avamar system by copying the certificates to the correct location on each node.

Before you begin

l Ensure that you have arranged a maintenance window with the customer, because this procedure requires that the Avamar server process (mcs) is stopped.

l Pause all scheduled or running backups until the process is complete.

l Ensure that OpenSSL is installed on the system that generates the CSR.

By default, Avamar is installed using self-signed certificates. This procedure replaces the self-signed Avamar certificates with CA-signed certificates.

Procedure

1. For each Avamar node that requires a certificate (the single-node server, or the utility node and each storage node of a multi-node server), generate a CA-signed certificate:

a. Run openssl req -new -newkey rsa:2048 -keyform PEM -keyout avamarFQDNkey.pem -nodes -outform PEM -out avamarFQDNreq.pem.


b. Provide the appropriate CSR information at the prompts.

c. Connect to CA_Web_Enrollment https://CA.domain/certsrv and submit an advanced certificate request using Base64.

d. Open the VMware SSL certificate template.

e. Paste the contents of avamarFQDNreq.pem into the encoded section.

f. Download the Base64 certificate.

g. Rename the CA signed certificate certnew.cer to cert.pem.

h. Rename the key file avamarFQDNkey.pem to key.pem.

2. Use SSH to log in:

l For a single-node server, log in to the server as admin.

l For a multi-node server, log in to the utility node as admin.

3. Type dpnctl stop gsan to stop the Avamar server.

4. Copy the certificate to the locations specified for the type of Avamar system:

l Single-node system:

n Copy the certificate to /data01/home/admin/cert.pem.

n Copy the certificate to /usr/local/avamar/etc/cert.pem.

l Multi-node system

n On each storage node, copy the certificate generated for that node to: /data01/home/admin/cert.pem.

n On the utility node, copy the certificate generated for that node to: /usr/local/avamar/etc/cert.pem.

5. Copy the key associated with the certificate to the locations specified for the type of Avamar system. The key is stored as key.pem alongside cert.pem; copying it over cert.pem would overwrite the certificate placed in step 4.

l Single-node system

n Copy the key to: /data01/home/admin/key.pem.

n Copy the key to: /usr/local/avamar/etc/key.pem.

l Multi-node system

n On each storage node, copy the key generated for that node to: /data01/home/admin/key.pem.

n On the utility node, copy the key generated for that node to: /usr/local/avamar/etc/key.pem.

6. Restart the Avamar server by typing dpnctl start gsan.

7. Type avmaint config verifypeer=yes --avamaronly to enable client authentication.

After you finish

If this is the first time the customer has applied CA signed certificates to their Avamar environment, proceed to Enabling encrypted server authentication on page 118.


Enabling encrypted server authentication

Configure Avamar to use a CA-signed certificate for encrypted communication if CA-signed certificates have been assigned to the Avamar environment for the first time.

Procedure

1. Use SSH to log in:

l Single node: log in to the server as admin.

l Multi-node: log in to the utility node as admin.

2. Open /usr/local/avamar/var/mc/server_data/prefs/mcserver.xml.

3. In mcserver.xml, locate the encrypt_server_authenticate preference and set its value to true.

4. Save and close the file.

5. Stop and restart the Avamar server.

Updating the Avamar Proxy certificate

Applying the root certificate of the CA to the Avamar proxy enables authentication of the Avamar server certificate for trusted communication between server and proxy. The Avamar proxy requires an update only if the Root CA certificate has been replaced and the Avamar server certificate has also been updated.

Before you begin

Ensure that you have arranged a suitable maintenance window with the customer, because a restart is required for each proxy. This process must be completed for each Avamar proxy.

Procedure

1. Connect to CA_Web_Enrollment https://CA.domain/certsrv.

2. Download the CA root certificate in Base64 format. (Root64.cer)

3. Rename the root certificate file to chain.pem.

4. Copy the chain.pem file to the Avamar proxy and place it in the directory /usr/local/avamar/etc/.

5. Reboot the Avamar proxy to re-establish encrypted communications between the Avamar server and the proxy.

Updating RecoverPoint for Virtual Machines certificatesUpdate expiring RecoverPoint for Virtual Machines certificates.

Before you begin

It is a best practice to configure vCenter Server to require a certificate. Once RecoverPoint has read the certificate, it does not need further access to the certificate location. The default certificate locations are:

Windows Server 2003: C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.crt

Windows Server 2008: C:\Users\All Users\Application Data\VMware\VMware VirtualCenter\SSL\rui.crt

Replacing vCenter Server Certificates in VMware vSphere 5.0, 5.5 and 6.0, available on the VMware website, provides more information about the location of the security certificate.

Procedure

1. In the vSphere Web Client home page, select RecoverPoint for VMs Management > Administration.

2. Use one of the following methods to access the vCenter Registration information:

l To manage the registration of all vCenter servers in a RecoverPoint for VMs system, select vCenter Servers > Registration, and use the Edit button to edit the vCenter settings. Use this option to:

n Edit the vCenter server information, upload a new vCenter certificate or delete an existing certificate.

n Propagate your changes to the specified vCenter server at the specified vRPA cluster using the Apply button.

n Propagate your changes to all vRPA clusters in your system using the Apply changes to all clusters button.

l To manage the registration of a vCenter server at a specific vRPA cluster, select vRPA Clusters > vCenter Servers, and then select a vRPA cluster.

n Click the Edit button to edit the registration details of an existing vCenter server at the selected vRPA cluster.

n Click the Add button to register a new vCenter server at the selected vRPA cluster.

3. In the Register vCenter Server dialog box, type the following information:

Setting            Description
vCenter Server IP  IP address of the vCenter Server. This is also the display name of the vCenter Server in RecoverPoint.
Port               Port number of the vCenter Server. Default = 443 (HTTPS).
Username           vCenter Server username.
Password           vCenter Server password.
Certificate        To specify a certificate, browse to and select the certificate file.

4. Click OK.

Results

The specified vCenter Server is registered at the specified vRPA clusters with the specified details.


Updating CloudLink certificates

Update expiring CloudLink certificates.

By default, CloudLink Center uses a self-signed certificate. When you connect to CloudLink Center, security warnings are displayed because self-signed certificates do not have the same level of trust as certificates issued and signed by a trusted certification authority (CA). Two options exist for providing a certificate that has been signed for CloudLink by a trusted CA:

l Generate a certificate signing request for a private key generated by CloudLink Center.

l Upload an externally generated certificate and private key. CloudLink supports two formats for externally generated keys and certificates:

n PEM (Privacy-Enhanced Mail) format—Certificates using this format are provided in files with the filename extension .pem. You must upload the private key file along with the certificate file.

n PKCS#12 format—Certificates using this format are provided in files with the filename extension .p12. Along with the certificate file, the CA provides you with a password that is required to access the contents of the .p12 file. The file contains both the certificate and the private key.

Procedure

1. Create the CSR and private key (CloudL.cfg holds the request settings, in the same form as the ESXi and VAMI OpenSSL configuration files in this chapter):

openssl.exe req -new -nodes -out c:\Certs\CloudL\CloudL.csr -keyout c:\Certs\CloudL\CloudL-orig.key -config c:\Certs\CloudL\CloudL.cfg

2. Convert the private key to RSA format:

openssl.exe rsa -in c:\Certs\CloudL\CloudL-orig.key -out c:\Certs\CloudL\CloudL.key

3. Submit CloudL.csr to the CA, save the Base64 certificate as c:\Certs\CloudL\CloudL.cer, and package the certificate and key as PKCS#12:

openssl.exe pkcs12 -export -in c:\Certs\CloudL\CloudL.cer -inkey c:\Certs\CloudL\CloudL.key -name "cloudlink" -passout pass:cloudlink -out c:\Certs\CloudL\cloudlink.p12

The value given to -passout is the password you enter when uploading the .p12 file. Because it is passed on the command line it is recorded in the command history, so use a throwaway value and delete the .p12 and .key files once the upload has succeeded.

4. Upload the p12 file from the Administration web page.

Updating ESXi certificates

Replace the active leaf certificate on a single ESXi vSphere host.

Before you begin

Before replacing the ESXi SSL certificate:

l For the customer EHC 4.1.2 environment, determine how many ESXi hosts require SSL certificate renewal.

l Ensure that vCenter Server has the CA root and subordinate certificate chain already in place (see Updating VMware vCenter Server certificates on page 95).

l Create the required certificates according to the following reference KB articles:

n Replacing default certificates with CA signed SSL certificates in vSphere 6.x(2111219)

n Configuring CA signed certificates for ESXi 6.0 hosts (2113926)


Procedure

1. Connect to the virtual machine on which you want to generate the CSR and the private key.

Note

The virtual machine must be running OpenSSL.

2. Create output directory C:\Certs\esx for the new key files.

3. Create the openssl.cfg configuration file, which is used to create the CSR.

Note

The value for subjectAltName includes the short name, the FQDN, and the IP address of the ESXi host. These values resolve inconsistent connection issues with the vSphere Web Client. The commonName must be the FQDN of the ESXi host, matching the DNS entry in subjectAltName.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:esxi, IP:x.x.x.x, DNS:esxi.domain

[ req_distinguished_name ]
countryName = two_letter_country_code
stateOrProvinceName = state/province
localityName = location
0.organizationName = company_name
organizationalUnitName = department_name
commonName = esxi.domain

4. Open a command prompt and browse to the directory where OpenSSL is installed.

5. Create the CSR and Private Key:

openssl.exe req -new -nodes -out C:\Certs\esx\rui.csr -keyout C:\Certs\esx\rui-orig.key -config C:\Certs\esx\openssl.cfg

6. Convert the Private Key to RSA format:

openssl.exe rsa -in c:\Certs\esx\rui-orig.key -out c:\Certs\esx\rui.key

7. Generate a signed certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.


c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: vSphere 6.x (VMware KB 2112009)

e. Download the Base64 certificate.

f. Rename the Base64 certificate to rui.crt.

8. Connect to vCenter Server and put the ESXi host in to Maintenance Mode.

9. SSH to the ESXi host console.

Note

Ensure SSH access is enabled to the host.

10. Back up the contents of the /etc/vmware/ssl directory, and then delete rui.crt and rui.key from the directory. The backup contains the host's old private key, so store it securely and remove it once the new certificate has been validated.

11. Copy the newly created rui.crt and rui.key files to /etc/vmware/ssl.

12. From the ESXi host console (DCUI), select Troubleshooting Options > Restart Management Agents and press F11 to confirm.

13. When the agents have restarted, take the host out of Maintenance Mode in vCenter Server.

14. Reboot the host.

15. Connect to the ESXi host (https://esx-hostname).

16. From the browser, determine the validity and status of the new certificate. Note the certificate thumbprint under the Details section of the certificate.

17. Open SQL Server Management Studio and connect to the vCenter database (VCDB).

18. Query the dbo.VPX_HOST table and confirm that the HOST_SSL_THUMBPRINT value for the host matches the thumbprint noted in step 16. If the values differ, vCenter is still holding the thumbprint of the old certificate; reconnecting the host in vCenter refreshes it.
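Steps 3 to 6 are repeated for every ESXi host in scope, and the same openssl req / openssl rsa pair appears in the CloudLink and Avamar procedures. The following script is an added example, not the EHCBuildGuideScript or a VMware tool: it renders the per-host openssl.cfg with the commonName equal to the FQDN and present in the subjectAltName, runs the two OpenSSL commands from the procedure, and checks that the resulting CSR actually carries the requested SAN entries before it is submitted to the CA. The host names, IP addresses, DN values and output directory are constructed examples, and openssl is assumed to be on PATH (set OPENSSL to the full path of openssl.exe otherwise).

```python
"""Per-host OpenSSL CSR configs and commands for ESXi certificate renewal.

Added example; not the EHCBuildGuideScript or any VMware tool. HOSTS, DN and
OUT_ROOT are constructed example values; OPENSSL is assumed to be on PATH.
"""
import os
import subprocess

OPENSSL = "openssl"                 # assumed: openssl / openssl.exe on PATH
OUT_ROOT = r"C:\Certs"              # follows the C:\Certs\esx convention used in the guide

DN = {                              # constructed example DN; replace with the customer's values
    "countryName": "IE",
    "stateOrProvinceName": "MUNSTER",
    "localityName": "CORK",
    "0.organizationName": "HOOLI",
    "organizationalUnitName": "HCE",
}

HOSTS = [                           # constructed example hosts
    {"short": "esx01", "fqdn": "esx01.domain.local", "ip": "10.0.0.11"},
    {"short": "esx02", "fqdn": "esx02.domain.local", "ip": "10.0.0.12"},
]

CFG_TEMPLATE = """[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = {san}

[ req_distinguished_name ]
{dn}
commonName = {cn}
"""

def san_value(host):
    """SAN in the order the guide uses: short name, IP address, FQDN."""
    return "DNS:%s, IP:%s, DNS:%s" % (host["short"], host["ip"], host["fqdn"])

def render_openssl_cfg(host, dn=DN):
    """openssl.cfg for one host; the CN is the FQDN, which also appears in the SAN."""
    if host["fqdn"].split(".")[0] != host["short"]:
        raise ValueError("short name %s is not the first label of %s" % (host["short"], host["fqdn"]))
    dn_lines = "\n".join("%s = %s" % kv for kv in dn.items())
    return CFG_TEMPLATE.format(san=san_value(host), dn=dn_lines, cn=host["fqdn"])

def csr_commands(host, out_root=OUT_ROOT):
    """The two openssl invocations from the guide (CSR + key, then PKCS#1 conversion) as argv lists."""
    d = os.path.join(out_root, host["short"])
    return [
        [OPENSSL, "req", "-new", "-nodes", "-out", os.path.join(d, "rui.csr"),
         "-keyout", os.path.join(d, "rui-orig.key"), "-config", os.path.join(d, "openssl.cfg")],
        [OPENSSL, "rsa", "-in", os.path.join(d, "rui-orig.key"), "-out", os.path.join(d, "rui.key")],
    ]

def csr_has_san(csr_text, host):
    """True if `openssl req -noout -text` output lists every SAN entry that was requested."""
    wanted = ["DNS:" + host["short"], "IP Address:" + host["ip"], "DNS:" + host["fqdn"]]
    return all(w in csr_text for w in wanted)

def generate(host, out_root=OUT_ROOT):
    """Write the config, run openssl, verify the CSR; returns the CSR path."""
    d = os.path.join(out_root, host["short"])
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, "openssl.cfg"), "w") as f:
        f.write(render_openssl_cfg(host))
    for cmd in csr_commands(host, out_root):
        subprocess.run(cmd, check=True)
    csr = os.path.join(d, "rui.csr")
    shown = subprocess.run([OPENSSL, "req", "-in", csr, "-noout", "-text"],
                           check=True, capture_output=True, text=True).stdout
    if not csr_has_san(shown, host):
        raise RuntimeError("CSR for %s is missing SAN entries" % host["fqdn"])
    return csr

if __name__ == "__main__":
    for h in HOSTS:
        print("CSR written:", generate(h))
```

The SAN check catches the most common cause of a rejected or mismatching ESXi certificate: an openssl.cfg whose req_extensions line is missing or whose subjectAltName was left at the values of a previous host.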

Updating the Data Protection Advisor (DPA) certificate

By default, DPA is installed using self-signed certificates. If the customer has previously replaced the self-signed DPA certificates, the CA signed certificates must be renewed.

Procedure

1. Connect to the remote desktop of the DPA virtual machine.

2. Create a copy of the following files:

l C:\Program Files\EMC\DPA\services\standalone\configuration\apollo.keystore

l C:\Program Files\EMC\DPA\services\standalone\configuration\standalone.xml

3. Generate a new alias and private key to a temporary keystore:

a. Open PowerShell and go to the following directory:

C:\Program Files\EMC\DPA\services\_jre\bin\


b. Run the following command:

./keytool -genkey -keyalg RSA -alias alias_name -keysize 2048 -keystore C:\new.keystore

c. Type the password for the new keystore.

d. For the What is your first and last name? prompt, type the FQDN of theDPA server. For example, dpa.domain.local.

e. Provide the requested information and type the signing key password.

4. Create a certificate signing request from the alias/temp keystore:

a. Open PowerShell and go to the directory C:\Program Files\EMC\DPA\services\_jre\bin\.

b. Run the following command:

./keytool -certreq -alias alias_name -keystore C:\new.keystore -file C:\dpa.csr

Use the same alias name as used in step 3b.

c. Type the previously set keystore password.

5. Generate a CA signed certificate:

a. Connect to CA Web-Enrollment: https://CA-Server_domain/certsrv.

b. Submit an advanced certificate request using Base64.

c. Paste the contents of the applicable CSR into the encoded section.

d. Use the following certificate template: VMware SSL

e. Download the Base64 certificate.

f. Rename the Base64 certificate to match the alias from step 3b (alias_name.cer).

g. Download the PKCS Base64 certificate chain.

h. Extract the root and subordinate certificates from the chain into a new file called Root64.cer.

i. Place alias_name.cer and Root64.cer on the DPA virtual machine.

6. Import the Root CA and subordinates (if applicable) in the new key store:

a. ./keytool -import -trustcacerts -alias root_alias_name -keystore C:\new.keystore -file C:\Root64.cer

Use a new alias name for the root (and for each subordinate, if imported separately).

b. Review the imported Root and subordinate certificates and answer yes to the Trust this certificate prompt.

7. Import the certificate for the server into the new keystore.

a. ./keytool -import -trustcacerts -alias alias_name -keystore C:\new.keystore -file C:\alias_name.cer

b. Type the previously set keystore password.

8. Import the new complete keystore:

a. Go to the C:\Program Files\EMC\DPA\services\bin\ directory.


b. Run the following command:

./dpa.bat app impcert -kf C:\new.keystore -al alias_name -pw alias_password

The apollo keystore now has the alias and certificates from the new keystore, but the certificates are associated with the alias from the temp keystore.

9. Modify the standalone.xml file to point to the new alias, so that when DPA reads the apollo keystore on startup it can find the certificates:

a. Open C:\Program Files\EMC\DPA\services\standalone\configuration\standalone.xml in a text editor.

b. Find the following line:

key-alias="${apollo.keystore.alias:apollokey}"

c. Change apollokey to the alias you used when you created the temp keystore.

10. Restart the DPA Application service.

11. Confirm that the certificate is active:

a. Open the DPA web UI at https://dpa.domain.

b. Review the active certificate contents to confirm new expiration dates.

c. Run the following vRealize Orchestrator workflow: EPC2 > EPC Data Protection > CalledByvCAC > GetBackupStatus.

After you finish

Update the SSL Trust for SSO. See Updating SSL Trust for SSO on page 92.

Updating VAMI appliance certificates

Replace the vRealize Automation Appliance VAMI SSL certificate.

The procedure to replace the vRealize Automation Appliance VAMI SSL certificate is similar to replacing the vRealize Automation Appliance certificate (see Updating the vRealize Automation Appliance on page 106).

Note

There is no interruption to service during this procedure.

Procedure

1. Prepare the environment as described in Signing vRA certificates using an internal Microsoft CA signing authority (2090090).

2. Create the configuration file for the appliance.

The following example uses vRA01. The variable values reflect the customer environment.

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vra01, DNS:vra01.domain

[ req_distinguished_name ]
countryName = IE
stateOrProvinceName = MUNSTER
localityName = CORK
0.organizationName = HOOLI
organizationalUnitName = HCE
commonName = vra01.domain

3. Run the following commands to create the certificate signing request:

l openssl req -new -nodes -out c:\certs\vra01\rui.csr -keyout c:\certs\vra01\rui-orig.key -config c:\certs\vra01\vra01.cfg

Input is vra01.cfg; output is rui.csr and rui-orig.key.

l openssl rsa -in c:\certs\vra01\rui-orig.key -out c:\certs\vra01\rui.key

This command converts rui-orig.key to rui.key (PKCS#1 RSA format).

4. Sign the certificates.

Note

Use the custom VMware SSL Certificate Template.

5. Run the following commands to generate the .pfx and create the .pem files:

l openssl pkcs12 -export -in C:\certs\vra01\rui.crt -inkey C:\certs\vra01\rui.key -certfile c:\certs\Root64.cer -name "rui" -passout pass:CREATEPASSWORD -out C:\certs\vra01\rui.pfx

l openssl pkcs12 -in c:\certs\vra01\rui.pfx -inkey c:\certs\vra01\rui.key -out c:\certs\vra01\rui.pem -nodes

6. SSH to the appliance.

7. Back up the current /opt/vmware/etc/lighttpd/server.pem certificate file.

8. Copy the contents of the new .pem file over the server.pem file on the appliance.

9. To restart the lighttpd service, run the service vami-lighttpd restart command.

10. Use HTTPS to connect to the appliance and confirm that the new certificate isin place.

11. Repeat this procedure for the secondary appliance in the HA pair.


Running EHC validation workflows

After the end-to-end SSL certificate procedure has been completed, run EHC vRealize Automation workflows to validate that EHC orchestration and automation is fully functional.

Run validation tests for vRealize Orchestrator, vCenter, ViPR, Avamar and DPA to ensure that each of these components is functioning correctly. Testing details are provided in the associated sections.

Procedure

1. Perform validation tests on vRealize Orchestrator:

a. Connect to the vRealize Orchestrator console: https://vro-vip.domain:8283.

b. Select EHC > Foundation > Validation > tests and run the following tests in the order listed:

l Pre-Test configuration elements

l TestAD

l TestCAFE

l TestVCAC

l TestVCenter

l TestViPR

l TestVRO

l VerifySiteAffinityBuildProfileAndCustomProperties

2. Validate that vCenter is functioning without issue by deploying a virtual machine from the vRealize Automation workflow:

a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.

b. Select Catalog > All Services > DeployVMwithBackupCatalogItem.

3. Validate the provision of cloud storage with ViPR:

a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.

b. Select Catalog > Provision Cloud Storage > Run Provision cloud storage.

4. Validate that Avamar backup and restore is functioning:

a. Connect to vRealize Automation: https://vra-vip.domain/vcac/org/ehcTenantName/.

b. Select Catalog > Data Protection Services > Create Backup Service Level.

c. Select Catalog > Data Protection Services > Run Backup Service Level.

d. Select Catalog > Data Protection Services > On Demand Backup.

e. Select Catalog > Data Protection Services > On Demand Restore.

5. Validate that DPA is functioning:


a. Connect to vRealize Orchestrator: https://vro-vip.domain:8283.

b. Select EPC2 > EPC Data Protection > CalledByvCAC > GetBackupStatus.


CHAPTER 10

Password Management

This chapter presents the following topics:

l Password management overview (page 130)
l Service accounts (page 130)
l SQL Server service accounts (page 138)
l Active Directory bind service accounts (page 144)
l Enterprise Hybrid Cloud application accounts (page 149)
l Enterprise Hybrid Cloud adapter accounts (page 162)
l EHC interactive user accounts (page 164)
l Enterprise Hybrid Cloud local accounts (page 166)
l Dell EMC ViPR physical resources (page 169)


Password management overview

In a production environment, using service accounts to track and control applications and to mitigate the impact of a potential systems compromise is a security best practice.

This chapter provides a comprehensive list of service accounts, the default names for the Active Directory groups, and the usernames required by Enterprise Hybrid Cloud. You may use your own naming schema for these groups if required, but you must have a comparable username for each of the roles. If you choose to use non-default names, ensure that you comprehensively document the mapping between your chosen names and the default names. This information is required to assist support in troubleshooting your environment if the need arises.

Local root or administrator accounts

The Enterprise Hybrid Cloud solution does not use root user accounts or passwords for any components. The reconfiguration or update of passwords for root user accounts is outside the scope of this document.

Supported versions

Password management applies to:

l Enterprise Hybrid Cloud 4.1

l Enterprise Hybrid Cloud 4.1.x

l VMware vSphere 6.0

l VMware vSphere 6.5

Service accounts

The following table lists the Enterprise Hybrid Cloud solution service accounts.

Account type   Account name       Group membership                      Description
Service        svc_iaas           SQL_Admins                            Service account for IaaS Services. Permissions are granted on the infrastructure-as-a-service (IaaS) SQL Server database. SQL Server admin privileges may be revoked after the IaaS installation process.
Service        svc_sqlsvr         Local Administrator on SQL Server VM  Service account for SQL Server Services.
Service        svc_sqlsvragent    Local Administrator on SQL Server VM  Service account for SQL Server Agent.
Service        svc_vcenter        VC_App_Logins_RW                      Service account for vCenter. Permissions are granted on the vCenter SQL Server database.

Service svc_vum VC_App_Logins_RW Service account forUpdate Manager.Permissions aregranted on thevSphere UpdateManager SQLServer database.

Service svc_srm VC_App_Logins_RW Service account forVMware SRM.Permissions aregranted on theSRM SQL Serverdatabase.

Service svc_vro Connects vRealizeOrchestrator toSQL Server(vRealizeOrchestrator HAonly). Permissionsare granted on thevRealizeOrchestrator SQLServer database.

AD Bind adbind_vra User account tobind vRealizeAutomation toActive Directory.

AD Bind adbind_vro User account tobind vRealizeOrchestrator toActive Directory.

AD Bind adbind_vrops User account tobind vRealizeOperations toActive Directory.

AD Bind adbind_vipr User account tobind ViPR to ActiveDirectory.

AD Bind adbind_logi User account tobind Log Insight toActive Directory.

AD Bind adbind_dpa User account tobind DataProtection Advisor

Password Management

Service accounts 131

Page 132: Enterprise Hybrid Cloud - Data Storage, Converged, Cloud · PDF fileEnterprise Hybrid Cloud Security Management Version 4.1.2 December 2017 ... Supporting infrastructure services

Account type Account name Group membership Description

(DPA) to ActiveDirectory.

AD Bind adbind_sso User account tobind SSO to ActiveDirectory.

AD Bind adbind_rp4vm User account tobind RecoverPointfor VirtualMachines to ActiveDirectory.

Application app_vrb_vcenter VC_App_Logins_RO User account toconnect vRealizeBusiness Standardto vCenter.

Application app_nsx_vcenter VC_App_Logins_RW User account toconnect NSX tovCenter.

Application app_logi_vcenter VC_App_Logins_RW User account toconnect Log Insightto vCenter.

Application app_vra_vcenter VC_App_Logins_RW User account toconnect vRealizeAutomation tovCenter.

Application app_vro_vcenter VC_App_Logins_RWVRO_Admins

User account toconnect vRealizeOrchestrator tovCenter.

Application app_vrops_vcenter VC_App_Logins_RW User account toconnect vRealizeOperations tovCenter.

Application app_vrops_vra EHC_IaaS_AdminsEHC_Tenant_Admins

User account forvRealize OperationsvRealizeAutomationmanagement pack.

Application app_vipr_vcenter VC_App_Logins_RW User account toconnect ViPR tovCenter.

Application app_avamar_vcenter VC_App_Logins_RW User account toconnect Avamar tovCenter.

Application app_avamar_soap Avamar_Admins User account forSOAP connectionsto Avamar.

Password Management

132 Enterprise Hybrid Cloud

Page 133: Enterprise Hybrid Cloud - Data Storage, Converged, Cloud · PDF fileEnterprise Hybrid Cloud Security Management Version 4.1.2 December 2017 ... Supporting infrastructure services

Account type Account name Group membership Description

Application app_nsx_sso User account toconnect NSX toSSO.

Application app_vro_sso VRO_Admins User account toconnect vRealizeOrchestrator toSSO.

Application app_logi_vrops VROPS_App_Logins_RW

User account toconnect Log Insightto vRealizeOperations.

Application app_vro_vipr VC_App_Logins_RWViPR_System_Monitors

User account toconnect the ViPRplug-in for vRealizeOrchestrator toViPR.

Application app_vra_nsx NSX_Ent_Admins User account forNSX endpointcredential invRealizeAutomation.

Application app_vra_vro VC_App_Logins_RWVRO_Admins

User account forboth vRealizeOrchestratorendpoint andvRealizeOrchestrator serverconfiguration invRealizeAutomation.

Application app_vro_iaas Local Administrator onIaaS VM

Domain account forEnterprise HybridCloud workflows toconnect to IaaS.Permissions aregranted on the IaaSSQL Serverdatabase.

Application app_vipr_vplex VPLEX_Admins User account toconnect ViPR toVPLEX.

Application app_vipr_rpa RP_Admins User account toconnect ViPR toRecoverPoint.

Application app_vro_dpa DPA_Users User account toconnect vRealizeOrchestrator toDPA.

Password Management

Service accounts 133

Page 134: Enterprise Hybrid Cloud - Data Storage, Converged, Cloud · PDF fileEnterprise Hybrid Cloud Security Management Version 4.1.2 December 2017 ... Supporting infrastructure services

Account type Account name Group membership Description

Application app_vro_srm SRM_Admins User account toconnect vRealizeOrchestrator toVMware SRM.

Application app_vro_sql SQL_App_Logins_RO User account toconnect vRealizeOrchestrator toSQL Server.

Application app_vro_nsx NSX_Ent_Admins User account toconnect vRealizeOrchestrator toNSX.

Application app_vro_rest VRO_Admins User account tocreate a vRealizeOrchestrator RESThost.

Application app_vro_rp4vm RP4VM_Admins User account toconnect vRealizeOrchestrator toRecoverPoint forVirtual Machines.

Application app_srm_vcenter VC_App_Logins_RW User account topair SRM sites.

Application app_vum_vcenter VC_App_Logins_RW User account toconnect vSphereUpdate Manager tovCenter.

Application app_vrpa_vcenter VC_App_Logins_RW User account toconnect vRPAs tovCenter.

Adapter adp_vrops_vcenter VC_App_Logins_RO User account to setup the ESA adapterfor vRealizeOperations.

Adapter adp_vrops_vipr ViPR_System_Monitors User account to setup ViPR adapter forvRealizeOperations.

Interactive ehc_sysadmin EHC_System_AdminsDPA_AdminsDPA_Users

Enterprise HybridCloud SuperUser.

Interactive ehc_fabric_admin EHC_Fabric_Admins vRealizeAutomation FabricAdministrator.

Interactive ehc_iaas_admin EHC_IaaS_Admins vRealizeAutomation IaaSAdministrator.

Password Management

134 Enterprise Hybrid Cloud

Page 135: Enterprise Hybrid Cloud - Data Storage, Converged, Cloud · PDF fileEnterprise Hybrid Cloud Security Management Version 4.1.2 December 2017 ... Supporting infrastructure services

Account type Account name Group membership Description

Interactive ehc_nsx_ent_admin NSX_Ent_AdminsVC_ReadOnly

NSX EnterpriseAdministrator.

Interactive ehc_storage_admin EHC_Storage_ServicesViPR_System_Monitors

StorageAdministrator.

Interactive ehc_backup_admin EHC_Backup_Services User executingbackup catalogitems from vRealizeAutomation.

Interactive ehc_config_admin EHC_Config_Services User withpermissions to theEnterprise HybridCloud configurationservices.

Interactive ehc_tenant_admin EHC_Tenant_Admins vRealizeAutomation TenantAdministrator.

Interactive ehc_app_admin EHC_App_Admins User withapplication andinfrastructureadministrator rolefor creatingblueprints.

Interactive ehc_vc_admin VC_Admins vCenterAdministrator.

Interactive ehc_vipr_admin ViPR_Admins ViPR Administrator.

Interactive ehc_vro_admin VRO_Admins vRealizeOrchestratorAdministrator.

Interactive ehc_logi_admin Log_insight_Admins Log InsightAdministrator.

Interactive ehc_vrops_admin VROPS_Admins vRealize OperationsAdministrator.

Interactive ehc_vsrm_admin ViPR_SRM_Admins ViPR SRMAdministrator.

Interactive ehc_dpa_admin DPA_Admins DPA Administrator.

Interactive ehc_avamar_admin Avamar_Admins AvamarAdministrator.

Interactive ehc_dd_admin DD_Admins Data DomainAdministrator.

Interactive ehc_sql_admin SQL_Admins SQL ServerAdministrator.

Interactive ehc_bg_admin Tenant_BG_Managers vRealizeAutomationBusiness GroupAdministrator.

Password Management

Service accounts 135

Page 136: Enterprise Hybrid Cloud - Data Storage, Converged, Cloud · PDF fileEnterprise Hybrid Cloud Security Management Version 4.1.2 December 2017 ... Supporting infrastructure services

Account type Account name Group membership Description

Interactive ehc_cloudlink_admin CloudLink_Admins CloudLink CenterAdministrator.

Interactive ehc_rp4vm_admin RP4VM_Admin RecoverPoint forVirtual MachinesAdministrator.

Local av0xddboost Local Data Domainuser account withDD Boost userprivileges, used byAvamar to connectto Data Domain.Create one of theseuser accounts forevery instance ofAvamar in theenvironment,replacing x with anappropriatenumeral.

Local app_vipr_rp Local RecoverPointadmin account toconnect ViPR toRecoverPoint.

Local app_srm_rp Local RecoverPointadmin account toconnect VMwareSRM toRecoverPoint.

Local replicate Local user onvRealizeAutomationappliances for usein the postgresdatabase. Createdduring postgresdatabase setup.

Local app_vrb_vrops Local user onvRealize Operationswith read only rolefor vRealizeBusinessconnection.

Local app_logi_vrops Local user onvRealize Operationswith read-only rolefor Log Insightconnection.

Local configurationAdmin Local vRealizeAutomation

Password Management

136 Enterprise Hybrid Cloud

Page 137: Enterprise Hybrid Cloud - Data Storage, Converged, Cloud · PDF fileEnterprise Hybrid Cloud Security Management Version 4.1.2 December 2017 ... Supporting infrastructure services

Account type Account name Group membership Description

account formanaging tenantconfiguration.

Local tenantAdmin Local vRealizeAutomationaccount formanaging tenants.

Changing the RecoverPoint for Virtual Machines Shadow Copy user service account

The RecoverPoint for Virtual Machines Shadow Copy user service account is a service account for RecoverPoint for Virtual Machines Shadow Copy services.

Before you begin

• Ensure that vRealize Automation has fewer than 100 services. Check the inactive services from vRealize Automation > Administration > Catalog Management > Services. If vRealize Automation has more than 100 services, reinitiation of the RecoverPoint for Virtual Machines module fails. Manually delete the oldest inactive Enterprise Hybrid Cloud services until there are fewer than 100 services.

• Rerun the RP4VM Initialize Main task with the new shadow user.

Enterprise Hybrid Cloud permits only one current shadow user. If you are changing the shadow user, change all deployments and VMs that the previous shadow user owned. If the original shadow user owns any deployments or VMs, RecoverPoint for Virtual Machines post-failover tasks fail for those deployments and VMs.

Note

When you run the initialize main configuration, all vRealize Automation catalog item icon brandings are overwritten. Re-apply them to complete the process of restoring the configuration back to the previous version.

Procedure

1. To provide the new shadow user with access to the business group, go to Administration > Users & Groups > Business Groups.

2. Highlight the row and select Edit.

3. Go to Members and add the user.

4. Click Finish.

5. Change the owner of the shadow VMs using vRealize Automation.

a. Select Items > Deployments.

b. In the Owned by menu, select the business group to show all the current deployments, including the shadow deployments named vm_nameshadowrandom_number.

c. Select the shadow deployments and select Actions > Change Owner.

This action sets the shadow deployment, and its VMs, to the owner you choose.


Removing a shadow user

If you no longer want the previous shadow user to have access to the business group, remove the user from the user role.

Note

This is an optional procedure.

Procedure

1. Go to Administration > Users & Groups > Business Groups.

2. Highlight the row and select Edit.

3. Go to Members.

4. Select the row of the shadow user that you want to remove from the user role.

5. Click the red X.

6. Click Finish.

SQL Server service accounts

The SQL Server service accounts are:

• svc_iaas

• svc_sqlsvr

• svc_sqlsvragent

• svc_vcenter

• svc_vum

• svc_srm

• svc_vro

Changing the svc_iaas account and password

The svc_iaas account and password are used for login as a service for a number of services on multiple vRealize Automation IaaS machine types.

The svc_iaas account is a service account for IaaS services. Permissions for this account are granted on an IaaS SQL Server database. SQL Server admin privileges can be revoked after the IaaS installation process. This service account applies to:

• vRealize Automation IaaS Manager servers

• vRealize Automation IaaS Web servers

• vRealize Automation IaaS DEM Worker servers

• vRealize Automation IaaS Agent servers


Note

Deployed instances of vRealize Automation that are configured for high availability (HA) or that are in a distributed mode enable the vRealize Automation portal for Enterprise Hybrid Cloud to remain accessible except during vRealize Automation Manager failover. As other services are restarted, brief delays in provisioning might occur.

Procedure

1. Change the password of svc_iaas in Active Directory.

2. Update the vRealize Automation services on each IaaS Manager server.

a. Log in to each manager node and open the Services MMC.

b. Update the login password in the service properties for each of the following services:

• VMware DEM-Orchestrator —manager71-01.vlab.local DEO (assuming the DEM Orchestrator was installed on the manager server according to the build guide).

• VMware vCloud Automation Center Management Agent

• VMware vCloud Automation Center Service

c. Restart the services.

3. Update the vRealize Automation services on each IaaS DEM Worker server.

a. Log in to each DEM worker node and open the Services MMC.

b. Update the login password in the service properties for each of the following services:

• VMware vCloud Automation Center Agent (vCenter endpoint name)

• VMware vCloud Automation Center Management Agent

c. Restart the services.

4. Update the vRealize Automation services on each IaaS Agent server.

a. Log in to each web node and open the Services MMC.

b. Update the login password in the service properties for each of the following services:

• VMware vCloud Automation Center Agent (vCenter endpoint name)

• VMware vCloud Automation Center Management Agent

5. Update the vRealize Automation services on each IaaS Web server.

a. Log in to each web node and open the Services MMC.

b. Update the login password in the service properties for the VMware vCloud Automation Center Management Agent service.

c. Restart the services.


Changing the svc_iaas password in the IIS configuration

Change the svc_iaas password in the IIS configuration of the IaaS Web Servers.

Procedure

1. Log in to the IaaS Web server Windows machine.

2. Launch the IIS Manager.

3. Go to Start > Administrative tool > Internet Information Service (IIS) Manager.

4. Select Auto-Web-XX in the left-most menu.

Note

Auto-Web-XX might be different in your environment.

5. Go to Content View > Applications Pools.

6. Configure the RepositoryAppPool, vACCAppPool, and WapiAppPool application pools:

a. Right-click the application pool and select Advanced Settings.

b. Scroll down to and select Identity, and click the ellipsis button (...) on the right.

c. Click Set, and then type the credentials, using the existing username with the new password.

7. Restart the IIS manager:

a. Open an elevated command prompt.

b. Type the following command:

iisreset

8. Repeat the preceding steps for each web server node.

9. Restart the vRealize Automation application.
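The svc_iaas procedure above and the IIS procedure that follows it are performed by hand on every IaaS node through the Services MMC and IIS Manager. The following PowerShell script is an added example and is not part of the Enterprise Hybrid Cloud guide or its tooling; it performs the same service logon and application pool identity updates from one administrative host. The node names, the DOMAIN prefix and the assumption that PowerShell remoting is enabled on each IaaS node are placeholders and assumptions; the three application pool names are the ones the IIS procedure lists. It discovers services by their logon account instead of relying on a fixed list, so a service that was not in the lists above still receives the new password rather than failing to start once Active Directory rejects the old one.

```powershell
# Added example, not part of the Enterprise Hybrid Cloud guide: rotate the logon
# password of every Windows service and IIS application pool that runs as svc_iaas
# on the vRealize Automation IaaS nodes, then restart them.
# Placeholders/assumptions: node names, the DOMAIN prefix, PowerShell remoting enabled.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]   $Account  = 'DOMAIN\svc_iaas',                                         # placeholder domain
    [string[]] $Nodes    = @('manager71-01', 'dem71-01', 'agent71-01', 'web71-01'),   # placeholder hosts
    [string[]] $WebNodes = @('web71-01'),                                             # placeholder host
    [string[]] $AppPools = @('RepositoryAppPool', 'vACCAppPool', 'WapiAppPool')       # from the guide
)

# Read the new password once, interactively; it is never written to disk or logged.
$cred  = Get-Credential -UserName $Account -Message 'New svc_iaas password'
$plain = $cred.GetNetworkCredential().Password
$sam   = $Account.Split('\')[-1]

foreach ($node in $Nodes) {
    if (-not $PSCmdlet.ShouldProcess($node, "Update services running as $Account")) { continue }
    Invoke-Command -ComputerName $node -ScriptBlock {
        $account = $using:Account; $plain = $using:plain; $sam = $using:sam
        # Discover services by logon account (DOMAIN\name or name@domain form) instead of
        # trusting a fixed list: a service missed here keeps the old password.
        $svcs = Get-CimInstance Win32_Service |
                Where-Object { $_.StartName -like "*\$sam" -or $_.StartName -like "$sam@*" }
        foreach ($svc in $svcs) {
            # Win32_Service.Change(): only StartName/StartPassword are supplied, so every
            # other service property is left untouched.
            $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
                     -Arguments @{ StartName = $account; StartPassword = $plain }
            if ($r.ReturnValue -ne 0) { throw "Change() failed for $($svc.Name): code $($r.ReturnValue)" }
            Restart-Service -Name $svc.Name -Force          # steps 2c, 3c and 5c of the guide
            [pscustomobject]@{ Node = $env:COMPUTERNAME; Service = $svc.Name; Restarted = $true }
        }
    }
}

foreach ($node in $WebNodes) {
    if (-not $PSCmdlet.ShouldProcess($node, 'Update IIS application pool identities')) { continue }
    Invoke-Command -ComputerName $node -ScriptBlock {
        $account = $using:Account; $plain = $using:plain
        Import-Module WebAdministration
        foreach ($pool in $using:AppPools) {
            # identitytype 3 = SpecificUser, the same setting as Advanced Settings > Identity.
            Set-ItemProperty "IIS:\AppPools\$pool" -Name processModel `
                -Value @{ userName = $account; password = $plain; identitytype = 3 }
        }
        iisreset | Out-Null                                 # step 7 of the IIS procedure
    }
}
```

Run it with -WhatIf first to list the nodes and services it would touch, and run it after the password has been changed in Active Directory (step 1 of the procedure), since each restarted service authenticates with the new secret immediately. Every discovered service is restarted, so the provisioning delays described in the Note above apply.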

Changing the svc_sqlsvr account password

The svc_sqlsvr account is the service account for the SQL Server service running on Windows virtual machines. Change the password that is used by the SQL Server (Database Engine) service by updating it in Active Directory.

This procedure applies to:

• auto-sql01

• cloud-sql01

• cloud-sql02

• Any others in customer environments that host Enterprise Hybrid Cloud databases

Note

There is no impact when you perform this procedure. The password takes effect immediately. A restart of SQL Server is not required.


Procedure

1. In SQL Server Configuration Manager, select SQL Server Services.

2. Right-click SQL Server, and then select Properties.

3. Select Log On.

4. Update the password in the Password field and the Confirm password field.

5. Repeat the preceding steps for each SQL Server service.

Changing the svc_sqlsvragent account password

The svc_sqlsvragent account is the service account for the SQL Server Agent service running on Windows virtual machines. Change the password that is used by the SQL Server (Database Engine) service by updating it in Active Directory.

This procedure applies to:

• auto-sql01

• cloud-sql01

• cloud-sql02

• Any others in customer environments that host Enterprise Hybrid Cloud databases

Note

There is no impact when you perform this procedure. The password takes effect immediately. A restart of SQL Server is not required.

Procedure

1. In the SQL Server Configuration Manager, select the SQL Server Agent service.

2. Update the password entry.

3. Repeat the preceding steps for each SQL Server service.

Changing the svc_vcenter account password

The svc_vcenter account is the Windows-based vCenter service account. The password is used by the vCenter Server services and for database connections to the SQL Server database. Permissions for this account are granted on a vCenter SQL Server database.

Note

This procedure is relevant for upgrades only from pre-4.1 instances of Enterprise Hybrid Cloud. All greenfield installations of Enterprise Hybrid Cloud 4.1 and 4.1.x use the appliance version, to which this procedure does not apply.

This procedure applies to:

• Core vCenter Server (where it exists and is deployed as part of Enterprise Hybrid Cloud)

• Cloud vCenter Server

• All vCenter Server instances that are managed by Enterprise Hybrid Cloud


Note

vCenter is offline for the duration of the services restart. You cannot provision new machines or other infrastructure services that are dependent on the affected vCenter Server.

Procedure

1. Change the password for svc_vcenter in Active Directory.

2. Log in to vCenter Server via RDP using the svc_vcenter account with the new password.

3. Open vCenter Server Services using Start > Run, and then type services.msc.

4. Stop vCenter Server services.

5. Open the VMware VirtualCenter Server properties.

6. On the Log On tab, update the password, confirm the change, and then click OK.

7. At a command prompt, go to the following path:

%SYSTEMDRIVE%\Program Files\VMware\vCenter Server\vpxd

8. Run vpxd.exe -p.

9. Open DSN for vCenter Server and click Next to save the password to DSN.

10. Start vCenter Server services.

Changing the svc_vum account password

The svc_vum account is the Update Manager service account. Permissions for this account are granted on the vSphere Update Manager SQL Server database.

Note

This applies only to Windows-based deployments of Update Manager.

This procedure applies to all vSphere Update Manager instances that are integrated with vCenter Server in Enterprise Hybrid Cloud.

Note

During this procedure, there is no operational impact to Enterprise Hybrid Cloud. However, the patch management and ESXi upgrade capability of vSphere Update Manager is interrupted.

Procedure

1. Update the password of the svc_vum service account in Active Directory.

2. Log in to the VMware vCenter Update Manager server and stop the vSphere Update Manager service.

3. Open Services, and change the password of the Log-On svc_vum account of the vCenter Update Manager service.

4. Run VMwareUpdateManagerUtility.exe as an administrator.

This file usually runs from C:\Program Files (x86)\VMware\Infrastructure\Update Manager\.


5. On the Database Setting tab, type the updated svc_vum password.

6. Re-register to vCenter Server with the updated credentials.

7. Restart the vCenter Update Manager service.

8. Repeat steps 2 through 7 for each vSphere Update Manager in the Enterprise Hybrid Cloud environment.

Changing the svc_srm account password

The svc_srm account is the service account for VMware Site Recovery Manager. Permissions for this account are granted on the Site Recovery Manager SQL Server database. Change the password for the svc_srm account by updating it in Active Directory.

This procedure applies to all Site Recovery Manager servers that Enterprise Hybrid Cloud manages.

Note

During this procedure, data protection functions to create or modify protection plans or groups and to protect or unprotect machines are not operational.

Procedure

1. Log in to the SRM Server via RDP using the svc_srm account.

2. Open services using Start > Run and type services.msc.

3. Stop the SRM services.

4. Open the VMware SRM properties.

5. On the Log On tab, update the svc_srm password and confirm. Click OK.

6. Start SRM services.

7. Repeat the preceding steps for every Site Recovery Manager server in the Enterprise Hybrid Cloud environment.

Changing PowerShell credentials

If Site Recovery Manager-based Enterprise Hybrid Cloud disaster recovery is implemented, change the PowerShell credentials object.

Procedure

1. Log in to each <SRM> Server via RDP using the svc_srm account.

2. Run a PowerShell window as an administrator, and follow these steps, replacing the username with the environment equivalent:

a. Start the powershell.exe process with the credentials DOMAIN\svc_srm.

b. Type the password for the service account and click OK.

A new instance of PowerShell opens.

3. Go to the C:\EHC folder and run the credentials.ps1 script.

4. When prompted, type the vRealize Orchestrator username and password for Site Recovery Manager to use for the network convergence scripts.

Changing the svc_vro account password

The svc_vro service account connects vRealize Orchestrator to SQL Server (vRealize Orchestrator HA only). Permissions for this account are granted on the vRealize Orchestrator SQL Server database. Change the password for the svc_vro account by updating it in Active Directory.

This procedure applies to all vRealize Orchestrator clusters in the Enterprise Hybrid Cloud environment.

Note

During this procedure, all Enterprise Hybrid Cloud service catalog items and blueprints that call vRealize Orchestrator workflows do not function.

Procedure

1. Browse to the Orchestrator Configuration interface of the vRealize Orchestrator node, for example, https://vro1.domain.local:8283/vco-controlcenter/.

2. Log in as root vmware, using the password configured during installation.

3. Under Database, click Configure Database, set the password parameter for the svc_vro user, and click Save Settings.

The vRealize Orchestrator server prompts you to restart the server. A restart is optional.

4. Export the configuration from the vRealize Orchestrator node:

a. On the home page, under Manage, click Export/Import Configuration.

b. Click the Export Configuration tab.

c. Save the configuration Zip file to a shared location.

5. Import the configuration to the vRealize Orchestrator node:

a. Browse to the Orchestrator Configuration interface of the vRealize Orchestrator node, for example, https://vro2.domain.local:8283/vco-controlcenter/.

b. On the home page, under Manage, click Export/Import Configuration.

c. Click the Import Configuration tab.

d. Browse to the saved configuration Zip file.

e. Wait until the configuration is successfully imported.

6. Repeat the preceding steps for all other vRealize Orchestrator clusters in the Enterprise Hybrid Cloud environment.

Active Directory bind service accounts

The Active Directory bind service accounts are:

• adbind_vra

• adbind_vro

• adbind_vrops

• adbind_vipr

• adbind_logi

• adbind_dpa

• adbind_sso

• adbind_rp4vm
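The overview of this chapter asks you to document the mapping between your own account names and the default ones, and the adbind procedures that follow each carry a Note that a bind account whose new password is not also entered in the consuming product fails once Active Directory password aging takes effect. The following PowerShell script is an added example and is not part of the Enterprise Hybrid Cloud guide or its tooling; it keeps that mapping in one place, reports the password age and computed expiry of every service and bind account listed in this chapter, and test-binds a rotated credential against a domain controller before you enter it in vRealize Automation, ViPR or the other products. It assumes a domain-joined host with the RSAT ActiveDirectory module; the domain controller name dc01.domain.local and the DOMAIN prefix are placeholders.

```powershell
# Added example, not part of the Enterprise Hybrid Cloud guide: audit the password
# age and expiry of the solution's service and bind accounts in Active Directory,
# and test-bind a rotated credential before it is entered into the consuming product.
# Assumptions: domain-joined host, RSAT ActiveDirectory module, placeholder DC name.
Import-Module ActiveDirectory

# Default name (from the guide's service-account table) -> name in use. If you use your
# own naming schema, record it here; this is the mapping the guide asks you to document.
$AccountMap = [ordered]@{
    'svc_iaas'        = 'svc_iaas';        'svc_sqlsvr'   = 'svc_sqlsvr'
    'svc_sqlsvragent' = 'svc_sqlsvragent'; 'svc_vcenter'  = 'svc_vcenter'
    'svc_vum'         = 'svc_vum';         'svc_srm'      = 'svc_srm';     'svc_vro' = 'svc_vro'
    'adbind_vra'      = 'adbind_vra';      'adbind_vro'   = 'adbind_vro'
    'adbind_vrops'    = 'adbind_vrops';    'adbind_vipr'  = 'adbind_vipr'
    'adbind_logi'     = 'adbind_logi';     'adbind_dpa'   = 'adbind_dpa'
    'adbind_sso'      = 'adbind_sso';      'adbind_rp4vm' = 'adbind_rp4vm'
}

function Get-EhcAccountPasswordStatus {
    # One row per role: when the password was last set, when the domain will expire it,
    # and a status that flags accounts a rotation run must not skip.
    param([System.Collections.IDictionary] $Map, [int] $WarnDays = 14)
    foreach ($role in $Map.Keys) {
        $sam = $Map[$role]
        $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" `
                 -Properties PasswordLastSet, PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
        if (-not $u) {
            [pscustomobject]@{ Role = $role; Account = $sam; PasswordLastSet = $null; Expires = $null; Status = 'MISSING' }
            continue
        }
        $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
        # Int64.MaxValue (or no value) means the domain does not age this password.
        $expires = if ($u.PasswordNeverExpires -or -not $raw -or $raw -ge [int64]::MaxValue) { $null }
                   else { [datetime]::FromFileTime($raw) }
        $status = if ($null -eq $expires)                           { 'NEVER-EXPIRES' }
                  elseif ($expires -lt (Get-Date))                  { 'EXPIRED' }
                  elseif ($expires -lt (Get-Date).AddDays($WarnDays)) { 'EXPIRING' }
                  else                                              { 'OK' }
        [pscustomobject]@{ Role = $role; Account = $sam; PasswordLastSet = $u.PasswordLastSet; Expires = $expires; Status = $status }
    }
}

function Test-LdapBind {
    # Simple LDAP bind with the supplied credential; reading NativeObject forces the bind,
    # so a wrong or not-yet-replicated password surfaces here and not in the product UI.
    param([string] $Server, [pscredential] $Credential)
    $de = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$Server", $Credential.UserName, $Credential.GetNetworkCredential().Password)
    try { $null = $de.NativeObject; $true } catch { $false } finally { $de.Dispose() }
}

# Usage: the expiry report, then a bind test for a freshly rotated adbind_vra password.
Get-EhcAccountPasswordStatus -Map $AccountMap -WarnDays 14 | Format-Table -AutoSize
$cred = Get-Credential -UserName 'DOMAIN\adbind_vra' -Message 'Rotated bind password'   # placeholder domain
if (-not (Test-LdapBind -Server 'dc01.domain.local' -Credential $cred)) {              # placeholder DC
    throw 'Bind failed; do not enter this password into the product until it authenticates.'
}
```

Accounts reported as EXPIRING are the ones whose consuming product must be updated before the domain policy locks them out; MISSING means a default name has no counterpart, which usually indicates a gap in the documented name mapping. Run the bind test against the same directory the product is configured to use, since a password change that has not yet replicated to that domain controller fails there and nowhere else.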

Changing the adbind_vra account password

Change the database password for the adbind_vra bind service account by updating it in Active Directory.

The adbind_vra account is a service account to bind VMware vRealize Automation to Active Directory. This account is used to configure the identity source on newly created vRealize Automation tenants and enumerate Active Directory user accounts and groups. It applies to the vRealize Automation tenants' directory configuration.

Note

Until the password has been changed, the previously synchronized accounts continue to work, but a new synchronization will not begin.

Procedure

1. Log in to the Enterprise Hybrid Cloud vRealize Automation tenant as a user with Tenant Administrator privileges.

2. Go to Administration > Directory Management > Directories, and select the directory name to be updated.

3. Under the Bind User Details, update Bind DN Password.

4. Click Test Connection to validate the change and click Save.

5. Click Sync Now.

6. Repeat the preceding steps for every vRealize Automation tenant and directory name that uses adbind_vra.

Changing the adbind_vro account password

Change the Active Directory bind password for the adbind_vro bind service account by updating it in Active Directory.

The adbind_vro account is a service account to bind VMware vRealize Automation to Active Directory. This account is used to configure the identity source on newly created vRealize Automation tenants and enumerate Active Directory user accounts and groups.

Note

This account was known as adbind_vco in previous releases of Enterprise Hybrid Cloud. Long-term customers may continue to use adbind_vro due to in-place upgrades.

It applies to the vRealize Orchestrator Active Directory plug-in.

Note

It is not known if Active Directory users can log in to the vRealize Automation portal during or after this procedure.

Procedure

1. Log in to the vRealize Orchestrator VIP or primary vRealize Orchestrator using the vRealize Orchestrator client as a user with vRealize Automation Tenant Administrator privileges, for example, ehc_tenant_admin.


2. Go to Inventory > Active Directory, right-click the LDAP server, and select Run Workflow.

3. Right-click and select Update.

4. Type the new password for the adbind_vro user.

5. Click Submit.

6. Repeat the preceding steps for each vRealize Orchestrator cluster in the Enterprise Hybrid Cloud environment.

Updating the Enterprise Hybrid Cloud Object Model

Update the Enterprise Hybrid Cloud object model to include the new adbind_vro account password.

Enterprise Hybrid Cloud uses an object model that provides the framework for storing and referencing metadata that is related to infrastructure and compute resources. All model data is stored in a Microsoft SQL Server database on the Automation Pod SQL Server instance, and can be referenced by all vRealize Orchestrator nodes. After you change the adbind_vro account password, update it in the EHC Object Model to maintain the connection between vRealize Orchestrator and Active Directory.

Procedure

1. Log in to the Enterprise Hybrid Cloud tenant portal as a user with vRealize Automation Tenant Administrator privileges that include entitlements to the EHC Connection Maintenance catalog item.

2. Go to Catalog > EHC Configuration and select Connection Maintenance.

3. Select ActiveDirectoryConnection and click Next.

4. Type the new password for the adbind_vro user.

5. Click Submit.

6. Repeat the preceding steps for each vRealize Orchestrator cluster in the Enterprise Hybrid Cloud environment.

Changing the adbind_vrops account password

Change the Active Directory bind password for the adbind_vrops bind service account by updating it in Active Directory.

The adbind_vrops account is a service account to bind VMware vRealize Operations to Active Directory. This account is used to enumerate Active Directory user accounts and groups. It applies to the vRealize Operations Active Directory configuration on the vRealize Operations admin interface.

Note

Active Directory users can connect during and after the adbind account password change. If the password is not changed within vRealize Operations, authentication fails if the prevailing Active Directory policy enforces password aging.

Procedure

1. Log in to the vRealize Operations UI, for example, https://vrops-FQDN/, using the admin account and password provided during installation.

2. Go to Administration > Authentication Sources and select the LDAP authentication source.


3. Click the pencil icon to edit the LDAP source, and type the updated password for the adbind_vrops Active Directory bind user account.

4. Click Test to validate the new settings, and click OK if the validation is successful.

Changing the adbind_vipr account password

Change the Active Directory bind password for the adbind_vipr bind service account by updating it in Active Directory.

The adbind_vipr account is a service account to bind Dell EMC ViPR to Active Directory. This account is used to configure the authentication provider on ViPR and enumerate Active Directory user accounts and groups. It applies to the ViPR authentication provider.

Note

Active Directory users can access ViPR during and after the adbind account password change. If the password is not changed within ViPR, authentication fails if the prevailing Active Directory policy enforces password aging.

Procedure

1. Log in to the ViPR UI/cluster, for example, https://vipr-cluster-ip/, with the Security Administrator role, for example, root.

2. Go to Security > Authentication Providers.

3. Click the existing Authentication Provider.

4. In the Password field, type the new password for the adbind_vipr user as configured in the Manager DN field.

5. Click Save.

Changing the adbind_logi account password

Change the Active Directory bind password for the adbind_logi bind service account by updating it in Active Directory.

The adbind_logi account is a service account to bind VMware Log Insight to Active Directory. This account is used to configure Log Insight to enumerate Active Directory user accounts and groups.

Note

Active Directory users can log in during and after the password change. If the password is not changed in Log Insight, authentication fails if the prevailing Active Directory policy enforces password aging.

Procedure

1. Verify that you are logged in to the vRealize Log Insight Web user interface, for example, https://log-insight-host, as a user with the Edit Admin permission, that is, admin.

2. Go to Configuration > Administration.

3. Under Configuration, click Authentication.

4. On the Authentication Configuration page, do the following:


a. Click the checkbox to edit the password.

b. In the Password field, type the new password for the adbind_logi user account and click Test Connection.

5. If the test is successful, click Save.

Changing the adbind_dpa account password

Change the Active Directory bind password for the adbind_dpa bind service account by updating it in Active Directory.

The adbind_dpa Active Directory bind service account is a service account to bind Data Protection Advisor to Active Directory. This account is used to configure Data Protection Advisor to enumerate Active Directory user accounts and groups.

Note

It is not known if Active Directory users can log in to the Log Insight portal during or after this procedure.

Procedure

1. Browse and connect to the DPA Server over HTTPS on port 9002, for example, https://dpaAppServer-FQDN:9002. Ensure that all pop-up blockers are disabled.

2. Type the username and password.

3. In the main DPA console's navigation pane, select Admin and then select Users & Security.

4. Select Manage External Authentication.

5. In the User Properties section, in the Password field, type the new password for the adbind_dpa user.

6. Click Validate.

7. Click Test User.

8. Click OK.

Changing the adbind_sso account password

Change the Active Directory bind password for the adbind_sso bind service account by updating it in Active Directory.

The adbind_sso account is a service account to bind VMware SSO to Active Directory. This account is used to configure the identity source to enumerate Active Directory user accounts and groups.

Note

Active Directory users can access vRealize Automation and vCenter during and after the adbind account password change. If the password is not changed within vRealize Automation and vCenter, authentication fails if the prevailing Active Directory policy enforces password aging.

Procedure

1. Using the vSphere Client, go to Administration > Single Sign-On > Configuration > Identity Sources.


2. Edit the Active Directory identity source.

3. Type the new password and click Test Connection to validate.

4. If the validation is successful, click OK.

5. Repeat steps 2 through 4 for each Active Directory type identity source that uses adbind_sso.

Changing the adbind_rp4vm account password

Change the Active Directory bind password for the adbind_rp4vm bind service account by updating it in Active Directory.

The adbind_rp4vm account is a service account to bind RecoverPoint for Virtual Machines to Active Directory.

Note

Active Directory users can log in to the RecoverPoint Appliance portal during or after this procedure.

Procedure

1. Log in to Unisphere for RecoverPoint using the security-admin user id and the password that is provided during installation.

2. Click Admin.

3. Click Users and Roles.

4. Go to Manage User Authentication.

5. Specify the new password for the adbind_rp4vm account.

6. To change additional account passwords, repeat the preceding steps for all Unisphere and RecoverPoint portal accounts.

Enterprise Hybrid Cloud application accounts

The Enterprise Hybrid Cloud application accounts are:

• app_vrb_vcenter
• app_nsx_vcenter
• app_logi_vcenter
• app_vro_vcenter
• app_vrops_vcenter
• app_vrops_vra
• app_vipr_vcenter
• app_avamar_vcenter
• app_avamar_soap
• app_nsx_sso
• app_vro_sso
• app_logi_vrops
• app_vro_vipr
• app_vra_nsx
• app_vra_vro
• app_vro_iaas
• app_vipr_vplex
• app_vipr_rpa
• app_vro_dpa
• app_vro_srm
• app_vro_sql
• app_vro_nsx
• app_vro_rest
• app_vro_rp4vm
• app_srm_vcenter
• app_vum_vcenter
• app_vrpa_vcenter

Changing the app_vrb_vcenter account password

Change the password for the app_vrb_vcenter EHC application account by updating it in Active Directory.

The app_vrb_vcenter EHC application account is a user account to connect vRealize Business Standard to vCenter. The account applies to the Enterprise Hybrid Cloud tenant portal.

Note

This procedure interrupts connectivity between vRealize Business Standard and vCenter.

Procedure

1. Log in to the vRealize Automation Enterprise Hybrid Cloud tenant portal as the Enterprise Hybrid Cloud tenant administrator.

2. Click the Administration tab.

3. Click Business Management.

4. Click the General link, which is selected by default.

5. Expand Manage Private Cloud Connections and click the icon under Manage vCenter Server Connections.

6. Edit the password for app_vrb_vcenter and click Save.

7. Repeat the preceding steps for all vRealize Automation Enterprise Hybrid Cloud tenant portals.

Changing the app_nsx_vcenter account password

Change the password for the app_nsx_vcenter EHC application account by updating it in Active Directory.

The app_nsx_vcenter EHC application account is a user account to connect NSX to vCenter. The account applies to NSX Manager and vCenter Registration.

Note

This procedure interrupts connectivity between NSX and vCenter.

Procedure

1. Browse to NSX Manager, for example, https://nsxmgrIP, and log in as an admin with the password provided during deployment.

2. Select Manage vCenter Registration.

3. Under vCenter Server click Edit.

4. In the Password field, type the new password for the app_nsx_vcenter account, and click OK.

5. Click Yes to accept the certificate if requested.

6. Log out of NSX Manager.


Changing the app_logi_vcenter account password

Change the password for the app_logi_vcenter EHC application account by updating it in Active Directory.

The app_logi_vcenter EHC application account is a user account to connect vRealize Automation to vCenter. The account applies to the Enterprise Hybrid Cloud tenant portal.

Note

This procedure interrupts connectivity between vRealize Automation and vCenter.

Procedure

1. Log in to the Enterprise Hybrid Cloud tenant portal with an account that has infrastructure administrator privileges, for example, ehc_iaas_admin/ehc_sysadmin.

2. Select the Infrastructure tab, click Endpoints, and then click Credentials.

3. On the page that is associated with the vra-vcenter credentials, click the Edit button at the top of the credentials list.

4. In the Password field, type the new password.

5. Click the green check mark icon to save the credential configuration.

6. Log out of vRealize Automation.

7. Repeat the preceding steps for each vCenter managed by Enterprise Hybrid Cloud.

Changing the app_vro_vcenter account password

Change the password for the app_vro_vcenter EHC application account by updating it in Active Directory.

The app_vro_vcenter EHC application account is a user account to connect vRealize Orchestrator to vCenter. The account applies to the vCenter plug-in for vRealize Orchestrator.

Note

This procedure interrupts vCenter plug-in instances that are configured in vRealize Orchestrator.

Procedure

1. Log in to vRealize Orchestrator.

2. Go to Library > vCenter > Configuration.

3. Update a vCenter Server instance, which can be used for the password update.

4. Repeat steps 2 and 3 on all instances of vRealize Orchestrator.


Changing the app_vrops_vcenter account password

Change the password for the app_vrops_vcenter EHC application account by updating it in Active Directory.

The app_vrops_vcenter EHC application account is a user account to connect vRealize Orchestrator to vCenter. The account applies to the VMware vRealize Operations Manager UI.

Note

This procedure interrupts connectivity between vRealize Operations and vCenter.

Procedure

1. Browse to the vRealize Operations Manager UI, for example, https://vrops-FQDN, and log in as admin, using the password provided during deployment.

2. Go to Administration > Solutions > VMware vSphere and click Configure.

3. Under Basic Settings, click the pencil icon to edit the vCenter Server credentials.

4. Update the password for the app_vrops_vcenter account.

5. Click OK.

6. Click Test Connection.

7. Click Save Settings, and then click Close.

8. Repeat steps 4 through 7 for all instances of vCenter.

9. Log out of the vRealize Operations Manager UI.

Changing the app_vrops_vra account password

Change the password for the app_vra_vcenter EHC application account by updating it in Active Directory.

The app_vra_vcenter EHC application account is a user account for the vRealize Automation management pack for vRealize Operations.

Note

There is no impact when you perform this procedure.

Procedure

1. Browse to the vRealize Operations Manager UI, for example, http://vrops-FQDN, and log in as an administrator.

2. Go to Administration > Solutions > VMware vRealize Automation Management Pack and click Configure.

3. Under Basic Settings, click the pencil icon to edit the credentials for the vRealize Automation Appliance URL.

4. Click OK.

5. Click Test Connection.

6. Log out of the vRealize Operations Manager UI.

7. Repeat the preceding steps for all instances.


Changing the app_vipr_vcenter account password

Change the password for the app_vipr_vcenter EHC application account by updating it in Active Directory.

The app_vipr_vcenter EHC application account is a user account to connect Dell EMC ViPR to VMware vCenter.

Note

This procedure interrupts connectivity between ViPR and vCenter.

Procedure

1. Browse to the ViPR UI, for example, https://vipr-cluster-fqdn/, and log in with root privileges.

2. Go to Physical Assets > VMware vCenters and click the vCenter entry.

3. In the Password field, type the new password for the app_vipr_vcenter account.

4. Click Save.

5. Repeat the preceding steps for all VMware vCenter instances that are managed by Enterprise Hybrid Cloud.

6. Log out of the ViPR UI.

7. Repeat the preceding steps for all ViPR UIs.

Changing the app_avamar_vcenter account password

Change the password for the app_avamar_vcenter EHC application account by updating it in Active Directory.

The app_avamar_vcenter EHC application account is a user account to connect Dell EMC Avamar to vCenter.

Note

This procedure interrupts connectivity between Avamar and vCenter.

Procedure

1. Launch Avamar Administrator and log in using the root account and the password that is provided during installation.

2. Go to Navigation > Administration.

3. Select the vCenter Domain, for example, vc01.domainName.local.

4. In the Inventory pane, scroll down to and select the vCenter Client, for example, vcs01.domain.local.

5. Right-click the vCenter Client and select Edit Client.

6. In the Root User panel, type the new password for the app_avamar_vcenter account.

7. Type the new password in the Verify Password field.

8. Click OK.

9. Repeat the preceding steps for all Enterprise Hybrid Cloud-managed vCenter instances that are integrated with Avamar.


Changing the app_avamar_soap account password

Change the password for the app_avamar_soap EHC application account by updating it in Active Directory.

The app_avamar_soap EHC application account is a user account for the SOAP connection to Avamar.

Note

There is no impact when you perform this procedure.

Procedure

1. Browse to the Enterprise Hybrid Cloud tenant portal, for example, [email protected], and log in as the system administrator with entitlements to the EHC Connection Maintenance catalog item.

2. Go to Catalog > EHC Configuration and select Connection Maintenance.

3. Select SOAP Connection and click Next.

4. Type the new password for the app_avamar_soap user.

5. Click Submit.

Changing the app_nsx_sso account password

Change the password for the app_nsx_sso EHC application account by updating it in Active Directory.

The app_nsx_sso EHC application account is a user account to connect VMware NSX to SSO. This account applies to VMware NSX Manager Appliances.

Note

Active Directory users and groups cannot log in to NSX. The SSO server authenticates the credentials, and if the role is assigned, NSX allows the login. In the case of groups to which this user belongs, it fetches group information from the SSO server and uses the information to determine the role that is assigned on NSX.

Procedure

1. Browse to NSX Manager, for example, https://nsxmgrIP, and log in as an administrator with the password provided during deployment.

2. Select Manage vCenter Registration.

3. Under Lookup Service URL, click Edit.

4. In the Password field, type the new password for the app_nsx_sso account, and click OK.

5. Log out of NSX Manager.

6. Repeat the preceding steps for all NSX Manager instances.

Changing the app_vro_sso account password

Change the password for the app_vro_sso EHC application account.

The app_vro_sso EHC application account is a user account to connect VMware vRealize Orchestrator to SSO. This account applies to VMware vRealize Orchestrator Appliances.


Note

Active Directory users cannot log in to the vRealize Orchestrator Client.

Procedure

1. Update the password for app_vro_sso in Active Directory.

Changing the app_logi_vrops account password

Change the password for the app_logi_vrops EHC application account by updating it in Active Directory.

The app_logi_vrops EHC application account is a user account to connect VMware Log Insight to VMware vRealize Operations. This account applies to vRealize Operations and Log Insight Appliances in an Enterprise Hybrid Cloud environment.

Note

The impact of this procedure includes:

• The vRealize Operations Manager feature "Launch in Context" no longer shows actions that are related to Log Insight.

• The vRealize Operations Manager no longer issues alerts that are triggered by Log Insight.

Procedure

1. Browse to the vRealize Log Insight web UI, for example, https://log-insight-host, and then log in as a user with the Edit Admin permissions, for example, admin.

2. Go to Configuration > Administration.

3. Under Integration, click vRealize Operations.

4. In the Password field, select the Update Password checkbox, and type the new password for the app_logi_vrops account.

5. Click Test Connection.

6. Click Save.

7. Repeat the preceding steps for all vRealize Log Insight instances.

Changing the app_vro_vipr account password

Change the password for the app_vro_vipr EHC application account by updating it in Active Directory.

The app_vro_vipr EHC application account is a user account to connect the ViPR vRealize Orchestrator plug-in to ViPR. The account applies to the Dell EMC ViPR plug-in for vRealize Orchestrator.

Note

During this procedure, Enterprise Hybrid Cloud STaaS workflows (datastore provisioning) fail to complete.

Procedure

1. Update the password in Active Directory.


2. Run the Configure Dell EMC ViPR and tenant workflow in the vRealize Orchestrator client.

Changing the app_vra_nsx account password

Change the password for the app_vra_nsx EHC application account by updating it in Active Directory.

The app_vra_nsx EHC application account is a user account for the NSX endpoint credential in vRealize Automation.

Note

Until the password change is complete, connectivity between vRealize Automation and NSX is unavailable.

Procedure

1. Browse to the Enterprise Hybrid Cloud tenant portal, for example, https://vra71-vip.vlab.local/vcac/org/ehc, and log in with an account that has infrastructure administrator privileges, for example, ehc_iaas_admin.

2. Select the Infrastructure tab, and click Endpoints, and then click Credentials.

3. On the left side of the page, click the pencil link that is associated with the vra-nsx credentials.

4. In the Password field, type the new password.

5. Click the green check mark icon to save the credentials configuration.

6. Log out of vRealize Automation.

7. Repeat the preceding steps for all vRealize Automation instances.

Changing the app_vra_vro account password

Change the password for the app_vra_vro EHC application account by updating it in Active Directory.

The app_vra_vro EHC application account is a user account to connect vRealize Automation to vCenter Orchestrator. This account applies to vRealize Automation infrastructure resource allocation for tenant clusters.

Note

During this procedure, completion of vCenter compute provisioning for tenant endpoints fails.

Procedure

1. Log in to the Enterprise Hybrid Cloud tenant portal with an account that has infrastructure administrator privileges, for example, ehc_iaas_admin or administrator.

2. Select the Infrastructure tab, click Endpoints, and then click Credentials.

3. On the left side of the page, click the pencil link that is associated with the vra-vro credentials.

4. In the Password field, type the new password for the app_vra_vro account.

5. Click the green check mark icon to save the credentials configuration.

6. Log out of the Enterprise Hybrid Cloud tenant portal.


7. Commit these changes:

a. SSH to the vRealize Automation appliance at, for example, http://vRA-FQDN:5480.

b. Restart the VMware vCloud Automation Center services with the service vcac-server restart command.

8. Repeat the preceding steps for all vRealize Automation instances.

Changing the app_vro_iaas account password

Change the password for the app_vro_iaas EHC application account by updating it in Active Directory.

The app_vro_iaas EHC application account is a domain account for Enterprise Hybrid Cloud workflows to connect to IaaS. Permissions for this account are granted on an IaaS SQL Server database. This account is also used in the Enterprise Hybrid Cloud tenant portal.

Note

Until the password change is complete, the connection between the Enterprise Hybrid Cloud tenant portal and the SQL Server database is disrupted.

Procedure

1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator with entitlements to the Enterprise Hybrid Cloud Connection Maintenance catalog item, for example, [email protected].

2. Go to Catalog > EHC Configuration and select Connection Maintenance.

3. Select IAASC, and then click Next.

4. Type the new password for the app_vro_iaas user.

5. Click Submit.

Changing the app_vipr_vplex account password

Change the password for the app_vipr_vplex EHC application account by updating it in Active Directory.

The app_vipr_vplex EHC application account is a user account to connect Dell EMC ViPR to Dell EMC VPLEX. This procedure applies to CA dual-site/single vCenter topologies.

Note

During this procedure, you are unable to provision new CA-protected storage.

Procedure

1. Browse to the Dell EMC ViPR UI and log in with root privileges.

2. Go to Physical Assets > Storage Providers, and click the VPLEX entry.

3. In the Password field, type the new password for the app_vipr_vplex account.

4. In the Confirm Password field, type the new password.

5. Click Save.

6. Select the VPLEX entry and run Rediscover.


7. Log out of the ViPR UI.

8. Repeat the preceding steps for all ViPR UIs.

Changing the app_vipr_rpa account password

Change the password for the app_vipr_rpa EHC application account by updating it in Active Directory.

The app_vipr_rpa EHC application account is a user account to connect Dell EMC ViPR to Dell EMC RecoverPoint. It applies to access credentials for Dell EMC RecoverPoint (disaster recovery only).

Note

During this procedure:

• Connectivity to EMC RecoverPoint is lost.

• The RP_Admins Active Directory group has admin privileges within RecoverPoint.

Procedure

1. Browse to the Dell EMC ViPR UI/cluster and log in with root privileges, for example, root.

2. Go to Physical Assets > Storage Providers and select the RecoverPoint entry.

3. In the Password field, type the new password for the app_vipr_rpa account.

4. In the Confirm Password field, type the new password.

5. Click Save.

6. Select the RecoverPoint entry and run Rediscover.

7. Repeat the preceding steps for all RecoverPoint entries.

8. Log out of the ViPR UI.

9. Repeat the preceding steps for all ViPR UI instances.

Changing the app_vro_dpa account password

Change the password for the app_vro_dpa EHC application account by updating it in Active Directory.

The app_vro_dpa EHC application account is a user account to connect VMware vRealize Orchestrator to Dell EMC Data Protection Advisor. This account is also used in the Enterprise Hybrid Cloud tenant portal.

Note

During this procedure, backup reports cannot be issued.

Procedure

1. Browse to the Enterprise Hybrid Cloud tenant portal, for example, [email protected], and log in as the system administrator with entitlements to the EHC Connection Maintenance catalog item.

2. Go to Catalog > EHC Configuration and select Connection Maintenance.

3. Select DPAConnection and click Next.

4. Type the new password for the app_vro_dpa user.


5. Click Submit.

6. Repeat the preceding steps for all Enterprise Hybrid Cloud tenant portals.

Changing the app_vro_srm account password

Change the password for the app_vro_srm EHC application account.

The app_vro_srm EHC application account is a user account to connect VMware vRealize Orchestrator to VMware Site Recovery Manager. This account applies to the VMware SRM plug-in for vRealize Orchestrator.

Note

During the procedure, disaster recovery failover or failback fails.

Procedure

1. Update the password for app_vro_srm in Active Directory.

Changing the app_vro_sql account password

Change the password for the app_vro_sql EHC application account by updating it in Active Directory.

Note

This procedure is applicable only for the Enterprise Hybrid Cloud SRM disaster recovery environment. For a non-Enterprise Hybrid Cloud SRM disaster recovery environment, log in to VMware vRealize Orchestrator and run the following workflow: EHC/Foundation/Initialization/Initialize EHC Foundation plug-in.

The app_vro_sql EHC application account is a user account to connect vRealize Orchestrator to SQL Server. This account is also used in the Enterprise Hybrid Cloud tenant portal.

Note

This account is used to connect to the SQL Server database from vRealize Orchestrator for Enterprise Hybrid Cloud object model changes. During this procedure, Enterprise Hybrid Cloud object model provisioning fails.

Procedure

1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator with entitlements to the EHC Connection Maintenance catalog item, for example, [email protected].

2. Go to Catalog > EHC Configuration, and then select Connection Maintenance.

3. Select SQLConnection, and click Next.

4. Type the new password for the app_vro_sql user.

5. Click Submit.


Changing the app_vro_nsx account password

Change the password for the app_vro_nsx EHC application account by updating it in Active Directory.

Note

This procedure is applicable only for Enterprise Hybrid Cloud SRM disaster recovery environments. For non-Enterprise Hybrid Cloud SRM disaster recovery environments, users must log in to vRealize Orchestrator and run the following workflow: EHC/Foundation/Initialization/Initialize EHC Foundation plug-in.

The app_vro_nsx EHC application account is a user account to connect VMware vRealize Orchestrator to NSX. This account is also used in the Enterprise Hybrid Cloud tenant portal. It applies to vRealize Automation network infrastructure resource allocation for tenant clusters.

Note

During this procedure, NSX network provisioning for tenant endpoints fails to complete.

Procedure

1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator with entitlements to the EHC Connection Maintenance catalog item, for example, [email protected].

2. Go to Catalog > EHC Configuration, and select Connection Maintenance.

3. Select NSXConnection, and click Next.

4. Type the new password for the app_vro_nsx user.

5. Click Submit.

Changing the app_vro_rest account password

Change the password for the app_vro_rest EHC application account by updating it in Active Directory.

The app_vro_rest EHC application account is a user account to create a VMware vRealize Orchestrator REST host. This account is also used in the Enterprise Hybrid Cloud tenant portal.

Note

Until the password change is complete, the connection between the Enterprise Hybrid Cloud tenant portal and vRealize Orchestrator is disrupted.

Procedure

1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator with entitlements to the EHC Connection Maintenance catalog item, for example, [email protected].

2. Go to Catalog > EHC Configuration, and select Connection Maintenance.

3. Select vROConnection, and then click Next.

4. Type the new password for the app_vro_rest user.


5. Click Submit.

Changing the app_vro_rp4vm account password

Change the password for the app_vro_rp4vm EHC application account by updating it in Active Directory.

The app_vro_rp4vm EHC application account is a user account to connect VMware vRealize Orchestrator to RecoverPoint for Virtual Machines.

Note

Until the password change is complete, the connection between RecoverPoint for Virtual Machines and vRealize Orchestrator is disrupted.

Procedure

1. Log in to VMware vRealize Orchestrator.

2. Click the workflow icon.

3. Open the Update vRPA Cluster Credential workflow by clicking EHC > Recovery Point for VMs > Configuration > Site Topology > Update vRPA Cluster.

4. Click Start workflow.

5. Type the username and new password.

Changing the app_srm_vcenter account password

Change the password for the app_srm_vcenter EHC application account by updating it in Active Directory.

The app_srm_vcenter EHC application account is a user account to pair vCenter Site Recovery Manager sites.

Note

Until the password change is complete, the connection between vCenter Site Recovery Manager and the hosted virtual machines is disrupted.

Procedure

1. Launch the vSphere Web Client on one of the sites, and select Site Recovery > Sites.

2. From the Objects tab, right-click one of the sites and select Reconfigure Pairing.

3. Click Next and then type the username and updated password.

4. Click Finish.

Changing the app_vum_vcenter account password

Change the password for the app_vum_vcenter EHC application account by updating it in Active Directory.

The app_vum_vcenter EHC application account is a user account to connect vSphere Update Manager to VMware vCenter. This account applies to VMware vCenter.


Note

Until the password change is complete, the connection between vCenter Site Recovery Manager and the hosted virtual machines is disrupted.

Procedure

1. Log in to the Update Manager VM as the update manager service account (svc_vum).

2. Change the password for the app_vum_vcenter account.

Changing the app_vrpa_vcenter account password

Change the password for the app_vrpa_vcenter EHC application account by updating it in Active Directory.

The app_vrpa_vcenter EHC application account is a user account to connect vRPAs to VMware vCenter. This account applies to RecoverPoint.

Note

Until the password change is complete, the connection between RecoverPoint and vCenter is interrupted.

Procedure

1. Log in to Unisphere for RecoverPoint.

2. Select RPA Clusters.

3. In the left panel, select vCenter Servers.

4. Select Registered vCenter Servers and then click Edit.

5. Specify a new password for app_vrpa_vcenter, and then click OK.

6. Repeat the preceding steps for all RPA clusters.

Enterprise Hybrid Cloud adapter accounts

The Enterprise Hybrid Cloud adapter accounts are:

• adp_vrops_vcenter

• adp_vrops_vipr

Changing the adp_vrops_vcenter account password

Change the password for the adp_vrops_vcenter account by updating it in Active Directory.

The adp_vrops_vcenter account is a user account to set up VMware vRealize Operations for the Dell EMC ESA adapter. It applies to the Dell EMC ESA adapter for VMware vRealize Operations connections to cloud vCenter Servers.

Note

This procedure impacts the ability to view health trees for the storage environment from the virtual environment.


Procedure

1. Browse to the vRealize Operations Manager UI, for example, http://vrops-FQDN, and log in with an account with administrator privileges, for example, admin, using the password provided during installation.

2. Go to Home > Administration > Solutions.

3. Select the Dell EMC adapter and click Configure.

4. Select the instance name for the cloud vCenter.

5. Under Instance Settings, click the pencil icon to edit the credentials.

6. In the Manage Credential window, type the new password for the adp_vrops_vcenter account.

7. Click Test Connection.

8. Click Save Settings.

9. Repeat steps 4 to 8 for all Cloud vCenter instances.

10. Click Close.

11. Repeat the preceding steps in all vRealize Operations Manager UIs.

Changing the adp_vrops_vipr account password

Change the password for the adp_vrops_vipr account by updating it in Active Directory.

The adp_vrops_vipr account is a user account to set up a vRealize Operations ViPRadapter. It applies to monitoring of Dell EMC ViPR from VMware vRealize Operations.

Note

This procedure impacts the ability to view ViPR-related dashboards within VMwarevRealize Operations.

Procedure

1. Browse to the vRealize Operation Manager UI, for example, http://vrops-FQDN, and log in with an account with administrator privileges, for example, admin, using the password provided during installation.

2. Go to Home > Administration > Solutions.

3. Select the Dell EMC adapter and click Configure.

4. Select the adapter instance name, for example, EHC ViPR Adapter.

5. On the Instance Setting tab, edit the credential.

6. Click Test Connection.

7. Click Save Settings.

8. Click Close.

9. Repeat the preceding steps in all vRealize Operation Manager UIs.


EHC interactive user accounts

Change a password in any of the following interactive user accounts by updating it in Active Directory.

Account | Description | Applies to | Impact
ehc_fabric_admin | User account for the vRealize Automation fabric administrator. | VMware vRealize Automation fabric administrator. | None
ehc_iass_admin | User account for the vRealize Automation IaaS administrator | VMware vRealize Automation IaaS administrator | None
ehc_nsx_ent_admin | User account for NSX enterprise administration | VMware NSX enterprise administrators use the account to log in to VMware vCenter to configure NSX | None
ehc_storage_admin | User account for storage administration | EHC Storage Services and ViPR System Monitor | None
ehc_backup_admin | User account for executing backup catalog items from vRealize Automation | Dell EMC Avamar administration, grid maintenance, catalog items, and Dell EMC Data Protection Advisor | Data protection backup and restore scenarios unable to complete; Avamar administration (grid maintenance and failovers)
ehc_config_admin | User account with entitlements to the Enterprise Hybrid Cloud configuration services. | Enterprise Hybrid Cloud day 2 operations, ability to run site maintenance, connection maintenance, hardware island maintenance, and so on | None
ehc_app_admin | User account with application and infrastructure administrator role for creating blueprints | vRealize Automation | None
ehc_vc_admin | User account for VMware vCenter administrator | vCenter | None
ehc_vipr_admin | User account for ViPR administrator | Dell EMC ViPR | None
ehc_vro_admin | User account for vRealize Orchestrator administrator | vRealize Orchestrator | None
ehc_logi_admin | User account for Log Insight administrator | VMware Log Insight | None
ehc_vrops_admin | User account for vRealize Operations administrator | VMware vRealize Operations | None
ehc_vsrm_admin | User account for ViPR SRM administrator | Dell EMC ViPR SRM | None


ehc_dpa_admin | User account for Data Protection Advisor administrator | Dell EMC Data Protection Advisor | None
ehc_avamar_admin | User account for Avamar administration | Dell EMC Avamar | None
ehc_dd_admin | User account for Data Domain administrator | Dell EMC Data Domain | None
ehc_sql_admin | User account for SQL Server administrator | Microsoft SQL Server | None
ehc_bg_admin | User account for vRealize Automation business group administrator | VMware vRealize Business | None
ehc_rp4vm_admin | User account for RecoverPoint for Virtual Machines administrator | Dell EMC RecoverPoint for Virtual Machines | None
ehc_cloudlink_admin | User account for CloudLink Center administrator | Dell EMC CloudLink | None

Changing the ehc_sysadmin account password

Change the password for the ehc_sysadmin account by updating it in Active Directory.

The ehc_sysadmin account is the Enterprise Hybrid Cloud super-user account. It is used during installation and upgrade of the Enterprise Hybrid Cloud solution, and also in the Enterprise Hybrid Cloud tenant portal.

Note

This procedure impacts cloud administration and RecoverPoint for Virtual Machines blueprint provisioning.

Procedure

1. Browse to the Enterprise Hybrid Cloud tenant portal, and log in as the system administrator with entitlements to the EHC Connection Maintenance catalog item, for example, [email protected].

2. Go to Catalog > EHC Configuration and select Connection Maintenance.

3. Select vRAConnection and click Next.

4. Type the new password for the ehc_sysadmin user.

5. Click Submit.

After you finish

For future Enterprise Hybrid Cloud upgrades, ensure that you type the new ehc_sysadmin password where requested during the installation of the Enterprise Hybrid Cloud main package.


Changing the ehc_tenant_admin account password

Change the password for the ehc_tenant_admin account by updating it in Active Directory.

The ehc_tenant_admin account is a user account for the VMware vRealize Automation tenant administrator.

Note

There is no impact when you perform this procedure.

Procedure

1. Log in to the Enterprise Hybrid Cloud tenant portal as the system administrator with entitlements to the EHC Connection Maintenance catalog item, for example, [email protected].

2. Go to Catalog > EHC Configuration and select Connection Maintenance.

3. Select SMTPConnection and click Next.

4. Type the new password for the ehc_sysadmin user.

5. Click Submit.

Enterprise Hybrid Cloud local accounts

The Enterprise Hybrid Cloud local accounts are:

• dd4avamar/av0xddboost

• app_vipr_rp

• app_srm_rp

• app_vrb_vrops

• configurationAdmin

• tenantAdmin

Changing the dd4avamar/av0xddboost account password

The dd4avamar/av0xddboost account is the local Data Domain user account with DD Boost user privileges.

Dell EMC Avamar uses the dd4avamar/av0xddboost account to connect to Data Domain. There must be one of these accounts for every instance of Avamar in the environment, with x replaced by a numeral. This account applies to Avamar.

Note

This procedure impacts:

• The connection between Data Domain and Avamar

• Backup/restore


Procedure

1. Browse to Data Domain, for example, http://data-domain-ip-addr/ddem/login, and log in using the sysadmin account and password provided during installation.

2. Go to Administration > Access and select Local users.

3. Select dd4avamar/av0xddboost, and click Change password.

This account is also used in Avamar administration.

4. Log in to the Avamar administrator client using the root account and thepassword specified during installation.

5. Click Server, and then select Data Domain.

6. Click Actions.

7. Under Account, type the current password and the new password.

Changing the app_vipr_rp account password

Change the password for the app_vipr_rp account by updating it in Active Directory.

The app_vipr_rp Enterprise Hybrid Cloud local account is the user account to connect Dell EMC ViPR to EMC RecoverPoint. The account applies to Dell EMC ViPR.

Note

This procedure:

• Impacts the ViPR UI

• Interrupts connectivity between ViPR and RecoverPoint.

Procedure

1. Browse to the ViPR UI /cluster (for example, https://vipr-cluster-fqdn), and log in with root privileges.

2. Go to Physical Assets > Data Protection Systems and select the RecoverPoint entry.

3. In the Password field, type the new password for the app_vipr_rp account.

4. Type the new password in the Confirm Password field.

5. Click Save.

6. Select the RecoverPoint entry and run Rediscover.

7. Log out of the ViPR UI.

Changing the app_srm_rp account password

Change the password for the app_srm_rp account by updating it in Active Directory.

The app_srm_rp Enterprise Hybrid Cloud local account is the RecoverPoint administrator account that is used to connect VMware SRM to RecoverPoint (Array Manager). This account is used by VMware SRM to connect to RecoverPoint and control storage failover.

Note

This procedure impacts connectivity for VMware SRM to RecoverPoint.


Procedure

1. Launch the vSphere Web Client, and select Site Recovery > Sites.

2. Select the first SRM site, and click Related Objects.

3. Under Array Based Replication, select and edit the Array Manager (ViPR SRA).

4. Click Next, and continue to complete the discovery process.

5. Repeat steps 2 through 4 for the second SRM site.

Changing the app_vrb_vrops account password

Change the password for the app_vrb_vrops account by updating it in Active Directory.

The app_vrb_vrops Enterprise Hybrid Cloud local account is the user account to connect VMware vRealize Business Standard to VMware vRealize Operations. This account applies to vRealize Business Standard.

This procedure interrupts the connectivity between vRealize Business Standard and vRealize Operations.

Procedure

1. Log in to vRealize Operations.

2. Go to Administration > Access Control.

3. Change the password for app_vrb_vrops.

Changing the configurationAdmin account password

The configurationAdmin account is the local vRealize Automation account for managing tenant configuration.

Note

This procedure impacts tenant configuration.

Procedure

1. Browse to the vRealize Automation console, https://vraappliance/vcac/, and log in with the default system administrator username and password.

2. Click the tenant name.

For example, for the default tenant, click vsphere.local.

3. On the Local users tab, select the configurationAdmin user.

4. Type the new password, and then click OK.

5. Repeat the preceding steps for all tenants.


Changing the tenantAdmin account password

The tenantAdmin account is the local vRealize Automation account for managing tenants.

Note

This procedure impacts tenant management.

Procedure

1. Browse to the vRealize Automation console, https://vraappliance/vcac/, and log in with the default system administrator username and password.

2. Click the tenant name.

For example, for the default tenant, click vsphere.local.

3. On the Local users tab, select the tenantAdmin user.

4. Type the new password, and then click OK.

5. Repeat the preceding steps for all tenants.

Dell EMC ViPR physical resources

The Dell EMC ViPR physical resources are:

• Fabric Manager

  – If the Enterprise Hybrid Cloud solution is on a VCE platform, then it uses Cisco MDS switches.

  – If this is a "bring-your-own" (BYO) Enterprise Hybrid Cloud instance, then Brocade switches may be used.

• Cisco MDS password in the ViPR UI

• Brocade password in the ViPR UI

• Dell EMC Vblock compute system password in the ViPR UI

• Storage provider password in the ViPR UI

• Dell EMC VNX password in the ViPR UI

• Dell EMC XtremIO password in the ViPR UI

• Dell EMC VPLEX password in the ViPR UI

• Dell EMC RecoverPoint password in the ViPR UI

Changing the Cisco MDS account password

Change the password for the Cisco MDS account in the ViPR UI.

Procedure

1. Log in to the ViPR UI as a system administrator.

2. Go to Physical Assets > Fabric Managers.

3. For each MDS switch, do the following:

a. Select the switch.


b. Type and confirm the new password.

c. Click Save.

4. If the ViPR software does not automatically begin a rediscovery of the MDS switches, then select the checkbox next to each MDS item and click Rediscover.

Changing the Brocade account password

Change the password for the Brocade account in the ViPR UI.

Procedure

1. Log in to the ViPR UI with system administrator privileges.

2. Go to Physical Assets > Fabric Managers.

3. Select SMI-S Host (CMCNE).

4. Type and confirm the new password.

5. Click Save.

6. If the ViPR software does not automatically begin a rediscovery of the SMI-S host, then select the checkbox next to the SMI-S host item and click Rediscover.

Changing the Vblock compute system account password

Change the password for the Vblock compute system account in the ViPR UI.

Dell EMC ViPR can manage the Cisco UCS through Vblock Compute Systems under ViPR Physical Assets.

Procedure

1. Log in to the ViPR UI with system administrator privileges.

2. Go to Physical Assets > Vblock compute systems.

3. Select the Vblock/UCS item.

4. Type and confirm the new password.

Keep the default settings for all other fields.

5. Click Save.

6. If the ViPR software does not automatically begin a rediscovery of the UCS, then select the UCS host item and click Rediscover.

Changing the storage provider account password

Change the password for the storage provider account in the ViPR UI.

Procedure

1. Log in to the ViPR Controller UI as a system administrator user.

2. Go to Physical Assets > Storage Provider, and then click Storage Provider.

3. Type and confirm the new password.

Keep the default settings for all other fields.

4. Click Save.


5. If the ViPR software does not automatically begin a rediscovery of the storage provider, then select the storage provider and click Rediscover.

Changing the VNX account password

Change the password for the VNX storage account in the ViPR UI.

Procedure

1. Log in to the ViPR Controller UI as a system administrator user.

2. Go to Physical Assets > Storage Provider, and then click the storage provider.

3. Type and confirm the new password.

Keep the default settings for all other fields.

4. Click Save.

5. If the ViPR software does not automatically begin a rediscovery of the storage provider, then select the storage provider and click Rediscover.

Changing the EMC XtremIO account password

Change the password for the XtremIO storage provider account in the ViPR UI.

Procedure

1. Log in to the ViPR UI as a system administrator user.

2. Go to Physical Assets > Storage Systems, and then click Storage Provider.

3. Type and confirm the new password.

Keep the default settings for all other fields.

4. Click Save.

5. If the ViPR software does not automatically begin a rediscovery of the storage provider, then select the storage provider and click Rediscover.

Changing the EMC VPLEX account password

Change the password for the EMC VPLEX account in ViPR UI by updating it in Active Directory.

Dell EMC ViPR software should use the app_vipr_vplex account to discover the Dell EMC VPLEX system. The account user should be a member of the VPLEX_Admins Active Directory group, which should be assigned admin privileges in VPLEX.

Procedure

1. Log in to the ViPR UI as a system administrator user.

2. Go to Physical Assets > Storage Providers, and then click VPLEX Storage Provider.

3. Type and confirm the new password.

Keep the default settings for all other fields.

4. Click Save.

5. If the ViPR software does not automatically begin a rediscovery of the VPLEX storage provider, then select the checkbox next to the VPLEX storage provider and click Rediscover.


Changing the RecoverPoint password

Change the password for the Dell EMC RecoverPoint account in the Dell EMC ViPR UI by updating it in Active Directory.

ViPR software must use the app_vipr_rpa account to discover the RecoverPoint Appliances. The account user must be a member of the RP_Admins Active Directory group, which must be assigned admin privileges in RecoverPoint.

Procedure

1. Log in to the ViPR UI with administrative privileges.

2. Go to Physical Assets > Data Protection Systems, and then click the RecoverPoint item to edit it.

3. Type and confirm the new password.

Keep the default settings for all other fields.

4. Click Save.

5. If the ViPR software does not automatically begin a rediscovery of the RecoverPoint system, then select the checkbox next to the RecoverPoint system and click Rediscover.


CHAPTER 11

References

This chapter presents the following topics:

• Enterprise Hybrid Cloud documentation ... 174

• Enterprise Hybrid Cloud security documentation ... 174

• Other documentation ... 177

• VMware Knowledge Base ... 178


Enterprise Hybrid Cloud documentation

The following documentation on EMC.com or Online Support provides additional and relevant information. Access to these documents depends on your login credentials. If you do not have access to a document, contact your Dell EMC representative.

• Enterprise Hybrid Cloud 4.1.2 Reference Architecture Guide

• Enterprise Hybrid Cloud 4.1.2 Concepts and Architecture Guide

• Enterprise Hybrid Cloud 4.1.2 Administration Guide

• Enterprise Hybrid Cloud 4.1.2 Infrastructure and Operations Management Guide

Enterprise Hybrid Cloud security documentation

Find Dell EMC and VMware documentation related to Enterprise Hybrid Cloud security, as well as hardening guides for Enterprise Hybrid Cloud components.

Enterprise Hybrid Cloud has been secured by implementing the recommendations in the following product security guides from Dell EMC and VMware.

Table 1 Dell EMC documentation

Publication | Description
Product Security: Enhancing the trustworthiness of EMC Solutions | Describes how Dell EMC embeds security in the company's product development, deployment, and maintenance practices, as well as in its supply chain.
Dell EMC Symmetrix Security Configuration Guide | Describes how to securely deploy, use, and maintain Solutions Enabler version 7.6 and Unisphere for VMAX version 1.6.
Dell EMC ViPR Controller Version 3.6 Security Configuration Guide | Provides an overview of security configuration settings available in ViPR, secure deployment and usage settings, and secure maintenance and physical security controls needed to ensure secure operation of ViPR.
Dell EMC Avamar Product Security Guide | Provides an overview of the settings and security provisions that are available in Avamar to ensure secure operation of the product.
Dell EMC Avamar 7.2 Extended Retention Security Guide | Describes how to configure security features for the Avamar Extended Retention feature.

Table 2 VMware documentation

Publication | Description
VMware Product Security: An Overview of VMware's Security Programs and Practices | Describes VMware's approach to security for virtualization software products and solutions.


VMware vSphere Security Management Guide | Provides information about securing your vSphere environment for VMware vCenter Server and VMware ESXi.
VMware NSX for vSphere Network Virtualization Design Guide | Provides an overview of the VMware NSX network virtualization platform.
VMware NSX for vSphere 6.2 Documentation Center | Provides information about installing, configuring, and using NSX.
VMware Hardened Virtual Appliance Operations Guide | Addresses the site-specific technical requirements to meet Security Technical Information Guides (STIG).
NSX Administration Guide |

All components that comprise the Enterprise Hybrid Cloud platform are listed in the following table, along with the associated security configuration guides, if applicable. This list is based on the products described in the Enterprise Hybrid Cloud EMC Simple Support Matrix (ESSM).

Table 3 Hardening guides

Component | Security Guide | Notes
VMAX | Dell EMC VMAX All Flash and VMAX3 Family Security Configuration Guide |
VNX | Dell EMC VNX Series Version VNX1, VNX2 Security Configuration Guide for VNX | Provides information about features and configuration options that are available for configuring secure system operation and storage processing. The guide explains why, when, and how to use these security features.
ScaleIO | Dell EMC ScaleIO Security Configuration Guide |
VPLEX | | Contact your EMC representative for access to this document.
Unity Hybrid Flash Array | Dell EMC Unity Family, Unity All Flash, Unity Hybrid, Unity VSA Version 4.2 Security Configuration Guide |
XtremIO | Dell EMC XtremIO Storage Array XIOS Versions 4.0.2, 4.0.4, 4.0.10, and 4.0.15; XMS Versions 4.2.0 and 4.2.1 Security Configuration Guide |


Connectrix Manager Converged Network Edition | | No additional guidance listed for this component.
PowerPath / VE | | No additional guidance listed for this component.
SE/SMI-S for VMAX | | No additional guidance listed for this component.
SE/SMI-S for VNX | | No additional guidance listed for this component.
ViPR | Dell EMC ViPR Controller Version 3.6 Security Configuration Guide |
ViPR SRM | Dell EMC ViPR SRM Version 3.5.1.0 Security Configuration Guide |
Avamar | Dell EMC Avamar Version 7.3 Product Security Guide |
Data Domain | Dell EMC Data Domain Security Guide | Describes the key security features of Data Domain systems and provides the procedures required to ensure data protection and appropriate access control.
Data Protection Advisor | Dell EMC Data Protection Advisor Security Configuration Guide |
Microsoft SQL Server 2012 SP2 | Microsoft SQL Server 2012 Security Best Practice Whitepaper - Microsoft |
Microsoft Windows Server 2012 R2 | | See the Microsoft Windows SCW.
VMware NSX for vSphere | VMware NSX Security Hardening Guide |
VMware vSphere ESX | VMware vSphere 6.5 Hardening Guide |
VMware vSphere vCenter for Windows | VMware vSphere 6.5 Hardening Guide |
VMware vSphere vCenter Server Appliance | VMware vSphere 6.5 Hardening Guide |
VMware vRealize Automation | VMware vRealize Automation Hardening Guide |
VMware vRealize Business for Cloud | | No additional guidance listed for this component.


VMware vRealize Configuration Manager | VMware vRealize Configuration Manager Security Guide | Describes how to harden vRealize Configuration Manager for secure use.
VMware vRealize Log Insight | VMware vRealize Log Insight Security Guide | Provides a reference to the security features of vRealize Log Insight.
VMware vRealize Operations Manager | VMware Secure Configuration vRealize Operations Manager |
VMware vRealize Orchestration Appliance | | No additional guidance listed for this component.
VMware Site Recovery Manager | VMware Site Recovery Manager 6.5 |
Dell EMC RecoverPoint for Virtual Machines | Dell EMC RecoverPoint for Virtual Machines Security Configuration Guide |
Python | | No additional guidance listed for this component.
CloudLink SecureVM | Cloudlink SecureVM 5.5 Security Configuration Guide |
Dell EMC VxBlock | | Contact your Dell EMC representative for access to this document.
Dell EMC VxRack Flex | | Contact your Dell EMC representative for access to this document.
Dell EMC VxRail | | Contact your Dell EMC representative for access to this document.

Other documentation

• VCE Foundation Upgrade from 3.1 to 3.5 Process

• VCE Foundation for EMC Enterprise Hybrid Cloud Addendum

• VMware vRealize Automation Installation and Configuration

• Next Generation Security with VMware NSX and Palo Alto Networks VM-Series

• CloudLink SecureVM Version 5.5 Deployment Guide for Enterprise

• Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (RFC 5280)

• How to Request a Certificate With a Custom Subject Alternative Name (Microsoft TechNet)


• LDAP over SSL (LDAPS) Certificate (Microsoft TechNet)

VMware Knowledge Base

The VMware Knowledge Base provides support for VMware products.

The following VMware Knowledge Base topics provide information about how to manage certificates:

• How to use vSphere 6.x Certificate Manager (2097936)

• Replacing a vSphere 6.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277)

• Replace Solution User Certificates with Custom Certificates

• How to replace the vSphere 6.0 Solution User certs with CA signed certs (2112278)

• Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x (2112009)

• Replacing default certificates with CA signed SSL certificates in vSphere 6.x (2111219)

• Certificate troubleshooting, supportability, and trust requirements for vRealize Automation (2106583)

• Signing vRA certificates using an internal Microsoft CA signing authority (2090090)

• Repairing or updating the trust between all components within vRealize Automation 6.x environment (2110207)

• Applying a CA Signed SSL Certificate to a VMware vRealize Application Services server (2065009)

• Configure a certificate for use with vRealize Operations Manager (2046591)

• Configuring CA signed certificates for ESXi 6 hosts (2113926)

• Implementing CA signed SSL certificates with vSphere 5.x (2034833)

• Creating certificate requests and certificates for vCenter Server 5.5 components (2061934)

• Set up Your System to Use Custom Certificates from the Platform Services Controller

• Configuring CA signed certificates for ESXi 6.0 hosts (2113926)

• Managing Certificates with vSphere Certificate Manager Utility

• Requirements When Using Custom SSL/TLS Certificates with Site Recovery Manager

• Updating vRealize Automation Certificates

• Change or Replace the SSL Certificate of vRealize Business for Cloud

• Install a Custom SSL Certificate (using the vRealize Log Insight Web Interface)


APPENDIX A

Enterprise Hybrid Cloud Security Data

The appendix presents the following topic:

• Security data ... 180


Security data

The tables in this chapter provide information on security data for Enterprise Hybrid Cloud.

Table 4 Application and management interface APIs

Product | API | Document | Part number or location
Data Protection Advisor | REST | Data Protection Advisor REST API Reference | P/N 302-003-608
ViPR | REST | ViPR Controller REST API Developer Guide | 302-000-496
VMware NSX-V | REST | NSX vSphere API Guide | EN-001545-06
VMware vRealize Orchestrator | REST | vSphere Web Services SDK Programming Guide | EN-002095-01
VMware Site Recovery Manager | REST | Site Recovery Manager API Developer's Guide | EN-001733-00
VMware SSO SDK | REST | vCenter Single Sign-On Programming Guide | EN-001413-00
VMware vRealize Orchestrator | REST | Using the vCenter Orchestrator REST API | VMware vSphere 6.5 Documentation Center
VMware vRealize Operations Manager | vSphere | VMware vSphere Management SDK | VMware vSphere 6.5 Documentation Center
VMware vRealize Automation | REST | Using Application Services REST APIs | EN-001652-00
VMware vRealize Automation | REST | Programming Guide | VMware Docs
VMware vRealize Log Insight | REST | VMware vRealize Log Insight Developer's Guide |
VMware ESXi | vSphere | VMware vSphere Management SDK | VMware vSphere 6.5 Documentation Center
VMware vSphere Web Services SDK | REST | Developer's Setup Guide | VMware Docs

Note

CloudLink SecureVM includes a comprehensive set of REST APIs. For documentation about these APIs, see About > REST Documentation in the CloudLink Center contents pane.

Table 5 Authentication mechanisms and integration

Enterprise Hybrid Cloud component | Active Directory | Exceptions
Avamar | Y | MCCLI
Data Domain | Y |
Data Protection Advisor | Y |
Storage Analytics | Y |
ViPR | Y |


ViPR Analytics | Y |
Microsoft SQL Server | Y |
Microsoft Windows Server | Y |
VMware vSphere ESXi | Y |
VMware vRealize Log Insight | Y |
VMware vCenter Server (for Windows) | Y |
VMware vRealize Operations Manager | Y |
VMware vRealize Automation Application Services | Y |

Table 6 Log capability matrix for vRealize Log Insight or similar solution (such as Q-Radar)

Enterprise Hybrid Cloud component | Format
Avamar | syslog/file
Data Domain | syslog/file
Data Protection Advisor | API/WinRM/file
Enterprise Hybrid Cloud modules | with vCenter vRealize Orchestrator
RecoverPoint | syslog/file
ViPR | syslog/file
ViPR SRA (for Windows) | API/WinRM/file
Microsoft SQL Server | API/WinRM/file
Microsoft Windows Server | API/WinRM/file
VMware vRealize Business for Cloud | syslog/file
VMware NSX-V | Syslog
VMware vCenter Server (for Windows) | API/WinRM/file
VMware Site Recovery Manager | API/WinRM/file
VMware vRealize Automation | syslog/file
VMware vRealize Log Insight | syslog/file
VMware vRealize Operations Manager | syslog/file
VMware vRealize Operations Manager Adapters | with vRealize Operations Manager
VMware vRealize Orchestrator | syslog/file
VMware vRealize Orchestrator Plugins | with vRealize Orchestrator
VMware vSphere ESXi | syslog/file


Table 7 Operating systems in use in Enterprise Hybrid Cloud CMP

System component                                    Operating system         OS type
Avamar Proxy                                        SLES 11 SP3              Bare metal
Avamar Server                                       SLES 11 SP3              Bare metal
Data Domain                                         DDOS 6.0.0.30            Bare metal
Data Protection Advisor                             Windows Server 2012 R2   Guest
ViPR                                                SLES 11 SP3              Appliance
Microsoft SQL Server                                Windows Server 2012 R2   Guest
VMware vCenter Server (for Windows)                 Windows Server 2012 R2   Guest
VMware vRealize Automation Application Services     SLES 11 SP3              Appliance
VMware vRealize Automation                          SLES 11 SP3              Appliance
VMware vRealize Business for Cloud                  SLES 11 SP2              Appliance
VMware vRealize Log Insight                         SLES 11 SP3              Appliance
VMware vRealize Operations Manager                  SLES 11 SP2              Appliance
VMware vRealize Orchestrator                        SLES 11 SP3              Appliance
VMware vSphere ESXi                                 ESXi 6.5U1               Bare metal

Table 8 Ports in use in Avamar Server

Application and services                            Protocol   Port                     Direction
ECHO                                                TCP/UDP    7                        Both
FTP                                                 TCP        21 (optional)            Inbound
SSH                                                 TCP        22                       Both
Telnet                                              TCP        23 (optional)            Inbound
EMC DD Boost/Port Mapper                            TCP        111                      Inbound
NTP                                                 TCP/UDP    123                      Both
LDAP                                                TCP        389                      Outbound
Client downloads/DTLT                               TCP        80 (optional) / 443      Inbound
CIFS (NetBIOS name service)                         UDP        137                      Inbound
CIFS (NetBIOS datagram service)                     UDP        138                      Inbound
CIFS (NetBIOS session service)                      TCP        139                      Inbound
CIFS (Microsoft-DS)                                 TCP        445                      Inbound
SNMP                                                TCP/UDP    161 (optional)           Inbound
EMC DD Boost/NFS                                    TCP        2049                     Inbound
Replication                                         TCP        2051 (optional)          Inbound
NFS (mountd)                                        TCP/UDP    2052                     Inbound


DDMC                                                TCP        3009 (optional)          Inbound
SMTP                                                TCP        25                       Outbound
SNMP (traps)                                        UDP        162 (optional)           Outbound
Syslog                                              UDP        514 (optional)           Outbound
Avamar Installer (TLS)                              TCP        8543                     Both
GSAN                                                TCP/UDP    19000-19500
GSAN                                                TCP/UDP    20000-20500
GSAN                                                TCP/UDP    25000-25500
GSAN                                                TCP/UDP    26000-26500
Avamar Server                                       TCP        27000                    Inbound
Avamar Server TLS                                   TCP        29000                    Inbound
avagent                                             TCP        28002
Secure Utility Node/Storage Node                    TCP        30001                    Both
Avamar System/Client                                TCP        30002                    Both
Secure Utility Node/Storage Node                    TCP        30003                    Both
Data Protection Advisor Agent                       TCP        3741                     Inbound
Data Protection Advisor Application Server          TCP        9002                     Inbound
Data Protection Advisor Datastore Server            TCP        9003                     Inbound
HTTP                                                TCP        9004                     Inbound
HTTPS                                               TCP        9002                     Inbound
MANAGEMENT_NATIVE                                   TCP        9999                     Inbound
MANAGEMENT_HTTP                                     TCP        9005                     Inbound
MESSAGING                                           TCP        5445                     Outbound
MESSAGING_THROUGHPUT                                TCP        5455                     Outbound
OSGI                                                TCP        8090                     Outbound
REMOTING                                            TCP        4447                     Outbound
TXN_RECOVERY                                        TCP        4712                     Outbound
TXN_STATUS                                          TCP        4713                     Outbound
HTTP                                                TCP        5445                     Inbound
HTTPS                                               TCP        7600                     Inbound
MANAGEMENT_NATIVE                                   TCP        57600                    Inbound
MANAGEMENT_HTTP                                     UDP        5445                     Inbound
MESSAGING                                           UDP        7500                     Outbound


MESSAGING_THROUGHPUT                                UDP        9876                     Outbound
OSGI                                                UDP        45700                    Outbound
REMOTING                                            UDP        45688                    Outbound
TXN_RECOVERY                                        UDP        45689                    Outbound

Note

The rows from Data Protection Advisor Agent to the end of Table 8 are Data Protection Advisor ports (agent 3741, application server 9002, datastore 9003, and the JBoss application-server services named MANAGEMENT_*, MESSAGING*, OSGI, REMOTING and TXN_*). Treat them as Data Protection Advisor firewall rules rather than as Avamar utility-node listeners; only the agent port applies to a node on which the Data Protection Advisor agent is installed.
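The port tables are only useful if the firewall rules and the live listeners on each node actually match them. The script below, an added example for this guide and not Dell EMC code, encodes a subset of Table 8 (Avamar Server) as data, parses constructed `ss -Hlntu` output, and reports three things a reviewer wants: listeners not in the matrix, optional clear-text services (FTP, Telnet, HTTP) that were left running, and required listeners that are missing. It then emits iptables allow-list rules for the required inbound ports only, restricted to a management CIDR. The names PORT_MATRIX, SAMPLE_SS, parse_ss, audit and iptables_rules, the 10.10.0.0/24 source range and the sample socket listing are all assumptions made for the example; the same PortRule structure can hold any of Tables 9 through 22.

```python
"""Check a node's listening sockets against a documented port matrix and
emit allow-list firewall rules for the required inbound services.
Added example for this guide, not Dell EMC code. PORT_MATRIX copies a subset
of Table 8 (Avamar Server); SAMPLE_SS is constructed `ss -Hlntu` output."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

Socket = Tuple[str, int]  # (protocol, port), e.g. ("tcp", 22)

@dataclass(frozen=True)
class PortRule:
    service: str
    proto: str        # "tcp" or "udp"
    port: int
    direction: str    # "Inbound", "Outbound" or "Both", as in the tables
    optional: bool = False

# Subset of Table 8. Entries the table marks "(optional)" get optional=True.
PORT_MATRIX: List[PortRule] = [
    PortRule("SSH", "tcp", 22, "Both"),
    PortRule("FTP", "tcp", 21, "Inbound", optional=True),
    PortRule("Telnet", "tcp", 23, "Inbound", optional=True),
    PortRule("EMC DD Boost/Port Mapper", "tcp", 111, "Inbound"),
    PortRule("NTP", "udp", 123, "Both"),
    PortRule("Client downloads/DTLT (HTTP)", "tcp", 80, "Inbound", optional=True),
    PortRule("Client downloads/DTLT (HTTPS)", "tcp", 443, "Inbound"),
    PortRule("EMC DD Boost/NFS", "tcp", 2049, "Inbound"),
    PortRule("Avamar Installer (TLS)", "tcp", 8543, "Both"),
    PortRule("Avamar Server", "tcp", 27000, "Inbound"),
    PortRule("Avamar Server TLS", "tcp", 29000, "Inbound"),
]

# Optional services that carry credentials or data in the clear. A hardened
# node should have them disabled, so a live listener on one is a finding.
PLAINTEXT_OPTIONAL: Set[Socket] = {("tcp", 21), ("tcp", 23), ("tcp", 80)}

# Constructed `ss -Hlntu` sample (Netid State Recv-Q Send-Q Local:Port Peer:Port):
# Telnet is left on, the port mapper is down, an unknown service listens on 31337.
SAMPLE_SS = """\
tcp   LISTEN 0 128 0.0.0.0:22      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:23      0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:2049    0.0.0.0:*
tcp   LISTEN 0 128 [::]:8543       [::]:*
tcp   LISTEN 0 128 *:27000         *:*
tcp   LISTEN 0 128 *:29000         *:*
udp   UNCONN 0 0   0.0.0.0:123     0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:31337   0.0.0.0:*
"""

def parse_ss(text: str) -> Set[Socket]:
    """Return the (proto, port) pairs a host listens on, from `ss -Hlntu` output."""
    listeners: Set[Socket] = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        port = fields[4].rsplit(":", 1)[1]   # handles 0.0.0.0:22, [::]:8543 and *:27000
        if port.isdigit():
            listeners.add((fields[0], int(port)))
    return listeners

def listening_side(rules: Iterable[PortRule]) -> Dict[Socket, PortRule]:
    """Rules for which this node is the listener (direction Inbound or Both)."""
    return {(r.proto, r.port): r for r in rules if r.direction in ("Inbound", "Both")}

def audit(listeners: Set[Socket], rules: Iterable[PortRule]) -> Dict[str, Set[Socket]]:
    """Compare live listeners with the matrix: undocumented = listening but not in
    the matrix; plaintext_enabled = optional clear-text service still running;
    missing = required listener absent (service down or bound elsewhere)."""
    expected = listening_side(rules)
    required = {sock for sock, rule in expected.items() if not rule.optional}
    return {
        "undocumented": listeners - set(expected),
        "plaintext_enabled": listeners & PLAINTEXT_OPTIONAL,
        "missing": required - listeners,
    }

def iptables_rules(rules: Iterable[PortRule], source_cidr: str) -> List[str]:
    """Allow only the required inbound ports, and only from the management CIDR.
    Optional services are deliberately omitted: opening one is a conscious change."""
    return [
        f"iptables -A INPUT -p {r.proto} --dport {r.port} -s {source_cidr} "
        f'-m comment --comment "{r.service}" -j ACCEPT'
        for r in listening_side(rules).values()
        if not r.optional
    ]

if __name__ == "__main__":
    for kind, sockets in audit(parse_ss(SAMPLE_SS), PORT_MATRIX).items():
        print(f"{kind:18s} {sorted(sockets)}")
    print("\n".join(iptables_rules(PORT_MATRIX, "10.10.0.0/24")))
```

On a real node, replace SAMPLE_SS with the output of `ss -Hlntu` and run the audit from a scheduled job or a compliance scanner; an "undocumented" hit is a change-control question, and a "plaintext_enabled" hit (Telnet here) should be closed by disabling the service, not just by filtering the port. Only the required rows reach the firewall rule set, so FTP, Telnet and HTTP stay closed unless someone adds them on purpose.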

Table 9 Ports in use in PowerPath/VE licensing appliance

Application and services                            Protocol   Port                     Direction
SSH                                                 TCP        22                       Both
NTP                                                 TCP/UDP    123                      Both
DNS                                                 UDP        53                       Outbound
License Reporting                                   TCP        443 or 8443              Inbound

Table 10 Ports in use in SMI-S Provider (ECOM)

Application and services                            Protocol   Port                     Direction
Solutions Enabler                                   TCP        2707                     Inbound
Event daemon                                        TCP        Dynamic                  Inbound
VNX                                                 TCP        443 or 2163              Inbound
SMI-S Provider                                      TCP        5988                     Inbound
SMI-S Provider (TLS)                                TCP        5989                     Inbound

Table 11 Ports in use in Unisphere for VMAX

Application and services                            Protocol   Port                     Direction
Storage management server                           TCP        80, 443, 2162, 2163      Inbound
Host agent                                          TCP        6389                     Outbound
SMTP                                                TCP        25, 465, or 587          Outbound
Storage processor agent                             TCP        6389                     Outbound
RemotelyAnywhere Host                               TCP        9519, 22                 Outbound
LDAP Server                                         TCP        389                      Outbound
LDAP over SSL/TLS Server                            TCP        636                      Outbound
iSNS Server                                         TCP        3205                     Outbound
VNX OE for Block (iSCSI)                            TCP        3260                     Inbound
Storage management server                           UDP        2162                     Outbound
Unisphere Storage System Initialization Utility     UDP        2163                     Outbound
NTP Server                                          UDP        123                      Both


SNMP traps                                          UDP        162                      Outbound
ESXi or vCenter Server                              TCP        443                      Outbound

Table 12 Ports in use in ViPR

Application and services                            Protocol   Port                     Direction
ECHO                                                UDP        7                        Inbound
SSH                                                 TCP        22                       Both
SMTP                                                TCP        25                       Outbound
NTP                                                 UDP        123                      Both
SNMP traps                                          UDP        162                      Outbound
HTTPS                                               TCP        443                      Both
Domain Controller (Kerberos)                        TCP/UDP    88                       Outbound
LDAP                                                TCP        389 (optional)           Outbound
Secure LDAP                                         TCP        636                      Outbound
Keystone (OpenStack auth provider)                  TCP        35357 (optional)         Outbound
IPsec (IKE)                                         UDP        500 (optional)           Both
ConnectEMC (FTPS)                                   TCP        990                      Outbound
Coordinator Service                                 TCP        5181, 2889               Both
Hitachi                                             TCP        2001 (optional)          Outbound
ZooKeeper peers                                     TCP        2888 (optional)          Both
Reverse Proxy – REST API                            TCP        4443                     Both
IPsec (NAT-T)                                       UDP        4500 (optional)          Both
CIM adapter for internal nodes                      UDP        5000 (optional)          Inbound
Windows WinRM (HTTP on 5985, HTTPS on 5986)         TCP        5985, 5986 (optional)    Both
SMI-S Provider                                      TCP        5988                     Outbound
SMI-S Provider (TLS)                                TCP        5989                     Outbound
ViPR Controller user interface                      TCP        6443                     Inbound
CIM adapter                                         TCP        7012                     Inbound
VDC to VDC communication                            TCP        7100                     Both
RecoverPoint API (TLS)                              TCP        7125                     Outbound
DB Service                                          TCP        7199, 7200 (optional)    Both
JMX Server                                          TCP        7299 (optional)          Both
Coordinator Service                                 TCP        7399, 7400 (optional)    Both


Authentication service                              TCP        7443                     Inbound
Isilon                                              TCP        8080 (optional)          Outbound
API service                                         TCP        8443                     Outbound
SA service                                          TCP        8444 (optional)          Outbound
Nginx                                               TCP        8543 (optional)          Both
Cinder – REST API                                   TCP        8776 (optional)          Both
VASA                                                TCP        9083                     Inbound
GEO DB Service                                      TCP        9160 (optional)          Both
sys service                                         TCP        9993                     Both
syssvc CLI download (unauthenticated)               TCP        9998                     Both
Controller Service                                  TCP        10099, 40201             Both

Table 13 Ports in use in Microsoft SQL Server

Application and services                                              Protocol   Port     Direction
SQL Server (default instance)                                         TCP        1433     Both
Dedicated Admin Connection                                            TCP        1434     Inbound
SQL Server Browser (named instance discovery)                         UDP        1434     Both
SQL Server Analysis Services (default instance)                       TCP        2383     Inbound
Connection request to a named instance of Analysis Services           TCP        2382     Both
(SQL Server Browser redirects to the instance's assigned port)
Transact-SQL debugger and SQL Server Integration Services (RPC)       TCP        135      Both

Table 14 Ports in use in VMware NSX Manager

Application and services                            Protocol   Port                     Direction
HTTPS                                               TCP        443                      Inbound
HTTP                                                TCP        80                       Inbound
Messaging                                           TCP        1234                     Inbound
Messaging                                           UDP        56711                    Outbound
SSH                                                 TCP        22                       Both
NTP                                                 TCP/UDP    123                      Both
Syslog                                              TCP/UDP    514 (optional)           Both

Table 15 Ports in use in VMware vRealize Operations Manager

Application and services                            Protocol   Port                     Direction
SSH                                                 TCP        22                       Both


HTTP                                                TCP        80                       Inbound
HTTPS                                               TCP        443                      Inbound

Table 16 Ports in use in VMware vRealize Orchestrator

Application and services                            Protocol   Port                       Direction
HTTP                                                TCP        8280                       Inbound
HTTPS                                               TCP        8281                       Inbound
Web configuration HTTPS access port                 TCP        8283                       Inbound
Messaging port                                      TCP        8286                       Inbound
Messaging port                                      TCP        8287                       Inbound
LDAP                                                TCP        389                        Outbound
LDAP over SSL/TLS                                   TCP        636                        Outbound
LDAP using Global Catalog                           TCP        3268 (LDAP), 3269 (LDAPS)  Outbound
Platform Services Controller                        TCP        443                        Outbound
SQL Server                                          TCP        1433                       Outbound
SMTP Server                                         TCP        25                         Outbound
vCenter Server API                                  TCP        443                        Outbound
Lookup port                                         TCP        8230                       Inbound
Command port                                        TCP        8240                       Inbound
Message port                                        TCP        8250                       Inbound
Data port                                           TCP        8244                       Inbound
Web configuration HTTP access port                  TCP        8282                       Inbound

Table 17 Ports in use in VMware vRealize Automation Application Services

Application and services                            Protocol   Port                     Direction
RPC                                                 TCP        111                      Inbound
Access to vRealize Automation console               TCP        443                      Inbound
VAMI                                                TCP        5480, 5488, 5489         Inbound
Internal vCenter Orchestrator                       TCP        8230, 8280, 8281         Inbound
SMTP                                                TCP/UDP    25, 587                  Outbound
DNS                                                 TCP/UDP    53                       Both


DHCP                                                TCP/UDP    67, 68, 546, 547         Outbound
Software updates                                    TCP        80                       Inbound
POP                                                 TCP/UDP    110, 995                 Outbound
IMAP                                                TCP/UDP    143, 993                 Outbound
NTP                                                 TCP/UDP    123                      Both
IaaS Manager Service over HTTPS                     TCP        443                      Inbound
PostgreSQL database                                 TCP/UDP    5433                     Outbound
SSO service over HTTPS                              TCP        443                      Outbound
vRealize Orchestrator instance                      TCP        8281                     Outbound
Manager Service                                     TCP        80                       Inbound
Proxy agents                                        TCP        80                       Inbound
Guest agents                                        TCP        80                       Inbound
Virtualization host                                 TCP        80                       Inbound
DEMs                                                TCP        443                      Inbound
vFabric RabbitMQ (AMQP over TLS)                    TCP        5671                     Inbound

Table 18 Ports in use in VMware vRealize Automation

Application and services                                  Protocol   Port                                            Direction
vRealize Automation Appliance                             TCP        443, 8444 (for the Remote Console capability)   Inbound
vRealize Automation Application Services                  TCP        8443                                            Inbound
SSH                                                       TCP        22                                              Inbound
VAMI                                                      TCP        5480                                            Inbound
Platform Services Controller                              TCP        443                                             Outbound
VMware vSphere ESXi (for the Remote Console capability)   TCP        902                                             Outbound
vSphere Endpoint                                          TCP        443                                             Outbound

Table 19 Ports in use in VMware vRealize Automation IaaS

Application and services                            Protocol   Port                     Direction
Manager Service                                     TCP        443                      Inbound
DNS                                                 TCP/UDP    53                       Outbound
NTP                                                 TCP/UDP    123                      Both
Manager Service                                     TCP        443                      Outbound


Website                                             TCP        443                      Outbound
Distributed Execution Managers                      TCP        443                      Outbound
Manager Service, Website                            TCP        1433                     Outbound
Manager Service (optional)                          TCP        80                       Outbound

Table 20 Ports in use in VMware vRealize Business for Cloud

Application and services                            Protocol   Port                     Direction
HTTPS (for VAMI)                                    TCP        5480                     Inbound
HTTPS                                               TCP        443                      Inbound
SSH                                                 TCP        22                       Inbound
vPostgres                                           TCP        5432                     Inbound

Table 21 Ports in use in VMware vRealize Log Insight

Application and services                            Protocol   Port                     Direction
SSH                                                 TCP        22                       Both
HTTP (optional)                                     TCP        80                       Inbound
HTTPS                                               TCP        443                      Inbound
Syslog                                              TCP        514                      Inbound
Syslog                                              UDP        514                      Inbound
Syslog-TLS                                          TCP        1514                     Inbound
Syslog                                              TCP        6514                     Outbound
vRealize Log Insight Ingestion API                  TCP        9000                     Inbound
Thrift RPC                                          TCP        16520 through 16580      Inbound
log4j Server                                        TCP        59778                    Inbound
Database Server                                     TCP        12543                    Inbound

Table 22 Ports in use in VMware vSphere vCenter

Application and services                            Protocol   Port                                           Direction
SSH                                                 TCP        22                                             Both
SMTP                                                TCP        25                                             Outbound
DNS                                                 UDP        53                                             Both
HTTP                                                TCP/UDP    80                                             Inbound
Kerberos                                            TCP/UDP    88                                             Outbound


NTP                                                 UDP        123                                            Both
LDAP                                                TCP        389 (optional)                                 Outbound
Secure LDAP                                         TCP        636 (optional)                                 Outbound
Web Access                                          TCP        443                                            Inbound
vSphere Syslog Collector                            TCP/UDP    514                                            Both
vCenter Server/VMware Infrastructure Client         TCP/UDP    902                                            Inbound
vSphere Syslog Collector TLS                        TCP/UDP    1514                                           Both
Control Interface RPC (SSO)                         TCP        2012                                           Both
RPC for VMCA                                        TCP        2014                                           Both
DNS Management                                      TCP        2015                                           Both
Authentication Framework Management                 TCP/UDP    2020                                           Both
Appliance Management Interface                      TCP        5480                                           Both
ESXi dump collector                                 UDP        6500                                           Inbound
Auto Deploy Service                                 TCP        6501                                           Outbound
Auto Deploy management                              TCP        6502                                           Inbound
Secure Token Service                                TCP        7444                                           Both
vSphere Update Manager                              TCP        8084, 9084, 9087 (not all necessarily used)    Inbound
vSphere Web Client                                  TCP        9443                                           Both
vCenter Server Appliance - AD                       TCP        135 (optional)                                 Outbound
SNMP                                                UDP        161 (optional)                                 Outbound
VMware Syslog collector                             TCP        8109 (optional)                                Outbound
Migration Assistant Port                            TCP        9123 (optional)                                Both
vService Manager                                    TCP        15007, 15008 (optional)                        Outbound
vSphere Replication                                 TCP        31031, 44046 (optional)                        Outbound
vCenter SSO LDAPS                                   TCP        11711, 11712 (optional)                        Outbound
