vCloud Suite Architecture Overview and Use Cases 5.8
Securing vCenter Server Systems
Securing vCenter Server includes ensuring security of the host where vCenter Server is running, following
best practices for assigning privileges and roles, and verifying the integrity of the clients that connect to
vCenter Server.
Strictly control vCenter Server administrator privileges to increase security for the system, as follows:
- Full administrative rights to vCenter Server should be removed from the local Windows administrator account and granted to a special-purpose local vCenter Server administrator account. Grant full vSphere administrative rights only to those administrators who are required to have it. Do not grant this privilege to any group whose membership is not strictly controlled.
- Avoid allowing users to log in directly to the vCenter Server system. Allow only those users who have legitimate tasks to perform to log in to the system, and confirm that these events are audited.
- Install vCenter Server using a service account instead of a Windows account. Either a service account or a Windows account can be used to run vCenter Server. Using a service account allows you to enable Windows authentication for SQL Server, which provides more security. The service account must be an administrator on the local machine.
- Check for privilege reassignment when restarting vCenter Server. If the user or user group that is assigned the Administrator role on the root folder of the server cannot be verified as a valid user or group, the Administrator privileges are removed and assigned to the local Windows Administrators group.
Grant minimal privileges to the vCenter Server database user. The database user requires only certain
privileges specific to database access. In addition, some privileges are required only for installation and
upgrade. These can be removed after the product is installed or upgraded.
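The checks above (no Administrator role for the built-in local account, no Administrator role for a group whose membership is not controlled, and the root-folder fallback to the local Windows Administrators group after a restart) can be audited from a permission export. The following is an added example, not VMware code: the Permission record layout, the host and domain names, and the controlled-group list are all constructed assumptions; in a real environment the records would come from the vSphere API (AuthorizationManager.RetrieveAllPermissions) or from a PowerCLI Get-VIPermission export.

```python
"""Audit vCenter Server permissions against the least-privilege guidance.

Added example, not VMware code.  The record layout, the principal names
and the controlled-group list below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Permission:
    principal: str   # "DOMAIN\\name" or "HOST\\name" for local accounts
    is_group: bool
    role: str        # role name as shown in vCenter, e.g. "Administrator"
    entity: str      # inventory path; "/" is the root folder
    propagate: bool


# Groups whose membership is strictly controlled (assumption: maintained by
# the vSphere administrators, not derived from the export).
CONTROLLED_GROUPS = {"CORP\\vcenter-admins"}

# The local Windows Administrators group of the vCenter Server host.  vCenter
# falls back to granting this group Administrator on the root folder when the
# configured administrator cannot be validated at service start, so finding
# it there after a restart is the signal the text describes.
LOCAL_ADMINS_GROUP = "VCSRV01\\Administrators"   # constructed host name


def audit(perms, controlled_groups=CONTROLLED_GROUPS,
          local_admins=LOCAL_ADMINS_GROUP):
    """Return (finding, principal) pairs for Administrator grants that
    violate the guidance; an empty list means no violations were found."""
    findings = []
    for p in perms:
        if p.role != "Administrator":
            continue
        if p.entity == "/" and p.principal == local_admins:
            # Root-folder Administrator reassigned to the local group.
            findings.append(("root-admin-local-windows-group", p.principal))
        elif p.is_group and p.principal not in controlled_groups:
            # Administrator granted to a group nobody vets.
            findings.append(("admin-uncontrolled-group", p.principal))
        elif not p.is_group and p.principal.endswith("\\Administrator"):
            # Built-in local administrator account still holds full rights.
            findings.append(("admin-builtin-local-account", p.principal))
    return findings


# Constructed sample export: one clean dedicated account, one controlled
# group, and three grants that should be flagged.
SAMPLE_PERMISSIONS = [
    Permission("VCSRV01\\Administrators", True, "Administrator", "/", True),
    Permission("VCSRV01\\Administrator", False, "Administrator", "/", True),
    Permission("CORP\\vcenter-admins", True, "Administrator", "/", True),
    Permission("CORP\\Domain Users", True, "Administrator", "/DC1/vm", True),
    Permission("CORP\\svc-vcenter-admin", False, "Administrator", "/", True),
    Permission("CORP\\helpdesk", True, "ReadOnly", "/", True),
]


if __name__ == "__main__":
    for finding, principal in audit(SAMPLE_PERMISSIONS):
        print(f"{finding}: {principal}")
```

Run the script unchanged to see the three flagged grants; feed it a real export by building Permission records from the API or PowerCLI output. The ReadOnly grant and the dedicated service account pass, which is the intended end state.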
Encryption and Security Certificates
ESXi and vCenter Server support standard X.509 version 3 (X.509v3) certificates to encrypt session
information sent over Secure Sockets Layer (SSL) protocol connections between components. If SSL is
enabled, data is private, protected, and cannot be modified in transit without detection.
Certificate checking is enabled by default and SSL certificates are used to encrypt network traffic. However,
ESXi and vCenter Server use automatically generated certificates that are created as part of the installation
process and stored on the server system. These certificates are unique and make it possible to begin using
the server, but they are not verifiable and are not signed by a trusted, well-known certificate authority (CA).
These default certificates are vulnerable to possible man-in-the-middle attacks. To receive the full benefit of
certificate checking, particularly if encrypted remote connections are to be used externally, install new
certificates that are signed by a valid internal certificate authority or acquire a certificate from a trusted
security authority.
The SSL Certificate Automation Tool is a command-line utility that automates the Self- or CA-signed
certificate renewal process for vSphere 5.5. See VMware KB 2057340.
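A client that connects to vCenter Server or ESXi gets the benefit of certificate checking only if it validates the chain against the internal CA and rejects the auto-generated default certificate. The following added example, not VMware code and not the SSL Certificate Automation Tool, shows the two halves of that: a verifying client context for real connections, and a classifier that explains why a presented certificate should not be trusted. The certificate dicts are constructed in the layout that ssl.SSLSocket.getpeercert() returns so the script runs offline; the host names, CA name and function names are assumptions.

```python
"""Check a vCenter/ESXi server certificate before trusting the connection.

Added example, not VMware code.  The sample certificates are constructed
in the dict layout of ssl.SSLSocket.getpeercert(); the host and CA names
are assumptions.
"""
import ssl
from datetime import datetime, timezone


def _name(rdns):
    """Flatten getpeercert()'s nested ((('k', 'v'),), ...) name tuples."""
    return {k: v for rdn in rdns for k, v in rdn}


def hostname_matches(pattern, host):
    """Exact match, or a single leading wildcard label (RFC 6125 style)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def classify_certificate(cert, expected_host, now=None, trusted_issuer_cns=()):
    """Return the reasons this certificate should not be trusted.

    An empty list means it passed these checks.  This complements, and does
    not replace, chain validation done by make_verifying_context()."""
    now = now or datetime.now(timezone.utc)
    subject, issuer = _name(cert["subject"]), _name(cert["issuer"])
    problems = []
    if subject == issuer:
        # The auto-generated install certificate: not signed by any CA.
        problems.append("self-signed: issuer equals subject")
    elif trusted_issuer_cns and issuer.get("commonName") not in trusted_issuer_cns:
        problems.append("issuer %r is not an approved CA" % issuer.get("commonName"))
    if now.timestamp() > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired on " + cert["notAfter"])
    sans = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    names = sans or [subject.get("commonName", "")]
    if not any(hostname_matches(n, expected_host) for n in names):
        problems.append("no certificate name matches %s" % expected_host)
    return problems


def make_verifying_context(cafile=None):
    """Client context that enforces CA chain validation and hostname checks.

    cafile is the PEM bundle of the internal CA that signed the replacement
    certificates; None falls back to the operating system trust store."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


# Constructed: what an auto-generated install certificate looks like.
DEFAULT_CERT = {
    "subject": ((("commonName", "vcenter01.corp.example"),),),
    "issuer": ((("commonName", "vcenter01.corp.example"),),),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "vcenter01.corp.example"),),
}

# Constructed: a replacement certificate issued by an internal CA.
CA_SIGNED_CERT = {
    "subject": ((("commonName", "vcenter01.corp.example"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Internal CA"),)),
    "notBefore": "Jan  1 00:00:00 2014 GMT",
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "vcenter01.corp.example"),
                       ("DNS", "*.corp.example")),
}

if __name__ == "__main__":
    when = datetime(2015, 6, 1, tzinfo=timezone.utc)
    for label, cert in (("default", DEFAULT_CERT), ("ca-signed", CA_SIGNED_CERT)):
        issues = classify_certificate(cert, "vcenter01.corp.example", when,
                                      trusted_issuer_cns=("Example Corp Internal CA",))
        print(label, "->", issues or "trusted")
```

On a live system, wrap the socket with make_verifying_context(cafile="internal-ca.pem") and pass getpeercert() to classify_certificate for a readable explanation when the handshake is rejected; a context with check_hostname disabled or verify_mode set to CERT_NONE is exactly the client-side setting that makes the default certificates usable by a man-in-the-middle.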
vCenter Single Sign-On
vCenter Single Sign-On is a component of the management infrastructure that provides the capability to
manage the environment with Active Directory credentials.
In product versions earlier than vCenter Server 5.1, users who connected to vCenter Server were
authenticated by vCenter Server validating their credentials against an Active Directory domain or the list
of local operating system users. In vCenter Server 5.5, users authenticate through vCenter Single Sign-On.
Chapter 3 Deploying vCloud Suite
VMware, Inc. 39