6.0.3
Table Of Contents
- vSphere Security
- Contents
- About vSphere Security
- Updated Information
- Security in the vSphere Environment
- vSphere Authentication with vCenter Single Sign-On
- Understanding vCenter Single Sign-On
- How vCenter Single Sign-On Protects Your Environment
- vCenter Single Sign-On Components
- How vCenter Single Sign-On Affects Installation
- How vCenter Single Sign-On Affects Upgrades
- Using vCenter Single Sign-On with vSphere
- Groups in the vsphere.local Domain
- vCenter Server Password Requirements and Lockout Behavior
- Configuring vCenter Single Sign-On Identity Sources
- Identity Sources for vCenter Server with vCenter Single Sign-On
- Set the Default Domain for vCenter Single Sign-On
- Add a vCenter Single Sign-On Identity Source
- Edit a vCenter Single Sign-On Identity Source
- Remove a vCenter Single Sign-On Identity Source
- Use vCenter Single Sign-On with Windows Session Authentication
- vCenter Server Two-Factor Authentication
- Using vCenter Single Sign-On as the Identity Provider for Another Service Provider
- Managing the Security Token Service (STS)
- Managing vCenter Single Sign-On Policies
- Managing vCenter Single Sign-On Users and Groups
- Add vCenter Single Sign-On Users
- Disable and Enable vCenter Single Sign-On Users
- Delete a vCenter Single Sign-On User
- Edit a vCenter Single Sign-On User
- Add a vCenter Single Sign-On Group
- Add Members to a vCenter Single Sign-On Group
- Remove Members from a vCenter Single Sign-On Group
- Delete vCenter Single Sign-On Solution Users
- Change Your vCenter Single Sign-On Password
- vCenter Single Sign-On Security Best Practices
- Troubleshooting vCenter Single Sign-On
- Understanding vCenter Single Sign-On
- vSphere Security Certificates
- Certificate Management Overview
- Managing Certificates with the Platform Services Controller Web Interface
- Explore Certificate Stores from the Platform Services Controller Web Interface
- Replace Certificates with New VMCA-Signed Certificates from the Platform Services Controller Web Interface
- Make VMCA an Intermediate Certificate Authority from the Platform Services Controller Web Interface
- Set up Your System to Use Custom Certificates from the Platform Services Controller
- Managing Certificates with the vSphere Certificate Manager Utility
- Revert Last Performed Operation by Republishing Old Certificates
- Reset All Certificates
- Regenerate a New VMCA Root Certificate and Replace All Certificates
- Make VMCA an Intermediate Certificate Authority (Certificate Manager)
- Generate Certificate Signing Requests with vSphere Certificate Manager (Intermediate CA)
- Replace VMCA Root Certificate with Custom Signing Certificate and Replace All Certificates
- Replace Machine SSL Certificate with VMCA Certificate (Intermediate CA)
- Replace Solution User Certificates with VMCA Certificates (Intermediate CA)
- Replace All Certificates with Custom Certificate (Certificate Manager)
- Manual Certificate Replacement
- Managing Certificates and Services with CLI Commands
- View vCenter Certificates with the vSphere Web Client
- Set the Threshold for vCenter Certificate Expiration Warnings
- vSphere Permissions and User Management Tasks
- Understanding Authorization in vSphere
- Understanding the vCenter Server Permission Model
- Hierarchical Inheritance of Permissions
- Multiple Permission Settings
- Managing Permissions for vCenter Components
- Global Permissions
- Using Roles to Assign Privileges
- Best Practices for Roles and Permissions
- Required Privileges for Common Tasks
- Securing ESXi Hosts
- Use Scripts to Manage Host Configuration Settings
- Configure ESXi Hosts with Host Profiles
- General ESXi Security Recommendations
- Certificate Management for ESXi Hosts
- Host Upgrades and Certificates
- ESXi Certificate Default Settings
- View Certificate Expiration Information for Multiple ESXi Hosts
- View Certificate Details for a Single ESXi Host
- Renew or Refresh ESXi Certificates
- Change Certificate Default Settings
- Understanding Certificate Mode Switches
- Change the Certificate Mode
- Replacing ESXi SSL Certificates and Keys
- Use Custom Certificates with Auto Deploy
- Restore ESXi Certificate and Key Files
- Customizing Hosts with the Security Profile
- ESXi Firewall Configuration
- Customizing ESXi Services from the Security Profile
- Enable or Disable a Service in the Security Profile
- Lockdown Mode
- Check the Acceptance Levels of Hosts and VIBs
- Assigning Permissions for ESXi
- Using Active Directory to Manage ESXi Users
- Using vSphere Authentication Proxy
- Configuring Smart Card Authentication for ESXi
- ESXi SSH Keys
- Using the ESXi Shell
- Modifying ESXi Web Proxy Settings
- vSphere Auto Deploy Security Considerations
- Managing ESXi Log Files
- Securing vCenter Server Systems
- vCenter Server Security Best Practices
- Verify Thumbprints for Legacy ESXi Hosts
- Verify that SSL Certificate Validation Over Network File Copy Is Enabled
- vCenter Server TCP and UDP Ports
- Control CIM-Based Hardware Monitoring Tool Access
- Securing Virtual Machines
- Limit Informational Messages from Virtual Machines to VMX Files
- Prevent Virtual Disk Shrinking
- Virtual Machine Security Best Practices
- General Virtual Machine Protection
- Use Templates to Deploy Virtual Machines
- Minimize Use of Virtual Machine Console
- Prevent Virtual Machines from Taking Over Resources
- Disable Unnecessary Functions Inside Virtual Machines
- Remove Unnecessary Hardware Devices
- Disable Unused Display Features
- Disable Unexposed Features
- Disable HGFS File Transfers
- Disable Copy and Paste Operations Between Guest Operating System and Remote Console
- Limiting Exposure of Sensitive Data Copied to the Clipboard
- Restrict Users from Running Commands Within a Virtual Machine
- Prevent a Virtual Machine User or Process from Disconnecting Devices
- Modify Guest Operating System Variable Memory Limit
- Prevent Guest Operating System Processes from Sending Configuration Messages to the Host
- Avoid Using Independent Nonpersistent Disks
- Securing vSphere Networking
- Introduction to vSphere Network Security
- Securing the Network with Firewalls
- Secure the Physical Switch
- Securing Standard Switch Ports With Security Policies
- Securing vSphere Standard Switches
- Secure vSphere Distributed Switches and Distributed Port Groups
- Securing Virtual Machines with VLANs
- Creating a Network DMZ on a Single ESXi Host
- Creating Multiple Networks Within a Single ESXi Host
- Internet Protocol Security
- Ensure Proper SNMP Configuration
- Use Virtual Switches with the vSphere Network Appliance API Only If Required
- vSphere Networking Security Best Practices
- Best Practices Involving Multiple vSphere Components
- Synchronizing Clocks on the vSphere Network
- Storage Security Best Practices
- Verify That Sending Host Performance Data to Guests is Disabled
- Setting Timeouts for the ESXi Shell and vSphere Web Client
- Defined Privileges
- Alarms Privileges
- Auto Deploy and Image Profile Privileges
- Certificates Privileges
- Content Library Privileges
- Datacenter Privileges
- Datastore Privileges
- Datastore Cluster Privileges
- Distributed Switch Privileges
- ESX Agent Manager Privileges
- Extension Privileges
- Folder Privileges
- Global Privileges
- Host CIM Privileges
- Host Configuration Privileges
- Host Inventory
- Host Local Operations Privileges
- Host vSphere Replication Privileges
- Host Profile Privileges
- Inventory Service Provider Privileges
- Inventory Service Tagging Privileges
- Network Privileges
- Performance Privileges
- Permissions Privileges
- Profile-driven Storage Privileges
- Resource Privileges
- Scheduled Task Privileges
- Sessions Privileges
- Storage Views Privileges
- Tasks Privileges
- Transfer Service Privileges
- VRM Policy Privileges
- Virtual Machine Configuration Privileges
- Virtual Machine Guest Operations Privileges
- Virtual Machine Interaction Privileges
- Virtual Machine Inventory Privileges
- Virtual Machine Provisioning Privileges
- Virtual Machine Service Configuration Privileges
- Virtual Machine Snapshot Management Privileges
- Virtual Machine vSphere Replication Privileges
- dvPort Group Privileges
- vApp Privileges
- vServices Privileges
- Index
2 Generate solution user certicates that are signed by the new VMCA root certicate for the machine
solution user on each Platform Services Controller and each management node and for each additional
solution user (vpxd, vpxd-extension, vsphere-webclient) on each management node.
N The --Name parameter has to be unique. Including the name of the solution user store, for
example vpxd or vpxd-extension makes it easy to see which certicate maps to which solution user.
a Run the following command on the Platform Services Controller node to generate a solution user
certicate for the machine solution user on that node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-
machine.crt --privkey=machine-key.priv --Name=machine
b Generate a certicate for the machine solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-
machine.crt --privkey=machine-key.priv --Name=machine --server=<psc-ip-or-fqdn>
c Generate a certicate for the vpxd solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vpxd.crt
--privkey=vpxd-key.priv --Name=vpxd --server=<psc-ip-or-fqdn>
d Generate a certicate for the vpxd-extensions solution user on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vpxd-
extension.crt --privkey=vpxd-extension-key.priv --Name=vpxd-extension --server=<psc-ip-
or-fqdn>
e Generate a certicate for the vsphere-webclient solution user on each management node by
running the following command.
C:\>"C:\Program Files\VMware\vCenter Server\vmcad\"certool --gencert --cert=new-vsphere-
webclient.crt --privkey=vsphere-webclient-key.priv --Name=vsphere-webclient --
server=<psc-ip-or-fqdn>
3 Replace the solution user certicates in VECS with the new solution user certicates.
N The --store and --alias parameters have to exactly match the default names for services.
a On the Platform Services Controller node, run the following command to replace the machine
solution user certicate:
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store
machine --alias machine
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store
machine --alias machine --cert new-machine.crt --key machine-key.priv
b Replace the machine solution user certicate on each management node:
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store
machine --alias machine
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store
machine --alias machine --cert new-machine-vc.crt --key machine-vc-key.priv
c Replace the vpxd solution user certicate on each management node.
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry delete --store vpxd --
alias vpxd
C:\>"C:\Program Files\VMware\vCenter Server\vmafdd\"vecs-cli entry create --store vpxd --
alias vpxd --cert new-vpxd.crt --key vpxd-key.priv
Chapter 3 vSphere Security Certificates
VMware, Inc. 99