VCAP6-DCV Deploy Objective 8.1

Objective 8.1 of VCAP6-Deploy exam covers following topics:

  • Add/Edit/Remove Users on an ESXi Host
  • Configure vCenter Roles and Permissions
  • Configure and Manage Active Directory Integration
  • Analyze Logs for Security-Related Messages
  • Enable and Configure an ESXi Pass-Phrase
  • Disable the Managed Object Browser (MOB) to reduce attack surface

We will have a look on these topics one by one

                                            Add/Edit/Remove Users on an ESXi Host

The default built-in accounts that are baked with a new Esxi installation are:

  • root user: Each Esxi host has a single root user with an admin role. This account can be used for local administration and used to connect to vCenter.
  • vpxuser: vCenter Server uses this account when interacting with the hosts. vCenter Server has Administrator privileges on the host that it manages. The vCenter Server administrator can perform most of the same tasks on the host as the root user, however, he cannot directly create, delete, or edit local users and groups for hosts.
Read More

Password Policy for vSphere 6.0 Hosts

A complex password is a firstmost requirement for any system that simply uses username/password (no RSA, 2Factor authentication kinda thing) for authentication. For a windows or unix/linux based systems, system administrators used to push complex password requirements via AD/LDAP.

A complex password ensures that system is least vulnerable to any unauthorized attempt to login to your system and vSphere is no different than any other system in this regard. 

With release of vSphere 6, VMware enahnced their password policy and enforced to use more complex passwords with Esxi hosts and SSO. Esxi host enforces password requirements for direct access from the DCUI, Esxi Shell, SSH and vSphere web Client.  

ESXi uses the pam_passwdqc.so plug-in to set the password policy/rules. ESXi doesn’t place any complexity restrictions on the root account’s password. However, non-root accounts will be subject to the default rules defined in pam_passwdqc.so.

In previous release of vSphere, Esxi host password complexity changes were made by editing the /etc/pam.d/passwdRead More

Customize SSH and Esxi Shell Settings for Increased Security

The ESXi Shell provides access to maintenance commands and other configuration options. Esxi shell and SSH comes in handy when there are certain tasks that can’t be done through the Web Client or other remote management tools. 

Enabling local and remote shell access on Esxi hosts

Login to vSphere Web Client and select an Esxi host and navigate to Manage > Settings > Security Profile Services and click Edit

We can enable/dsable below services and also can change their start up method:

  • Direct Console UI
  • ESXi Shell
  • SSH

Enabling SSH or local shell through the DCUI.

Go to the console of the host. Press F2 and enter esxi host credentials.

Select Troubleshooting Options and hit Enter on each service you want to enable/disable.

Configuring the Timeout For the ESXi Shell

By default the timeout setting for the ESXi shell is set to disabled. The shell timeout setting allows you to specify how long an inactive session is left open.Read More

Enable and Configure ESXi Host Lockdown Mode

To enhance the security measures in a virtualized environment, it is often advisable to limit direct access to Esxi hosts and this is when lockdown mode concept comes into picture. Lockdown mode is used on Esxi hosts in order to improve security of the hosts which are centrally managed by vCenter server.

When the lockdown mode is enabled, the host is managed using the vSphere Client connected to the managing vCenter Server, VMware PowerCLI, or VMware vSphere Command-Line Interface (vCLI). The only difference is that access is authenticated through the vCenter Server instead of using a local account on the ESXi host.

When the lockdown mode is enabled, access to the host through SSH is unavailable except to configured exception users.

Lockdown mode in vSphere 6.0

With vSphere 6.0, VMware introduced a couple of new concepts into lockdown mode as listed below

  • Normal Lockdown Mode
  • Strict Lockdown Mode
  • Exception Users

Lets understand about these concepts one by one.Read More

Configure SSL Timeouts on Esxi Host

To authenticate against vCenter SSO, solution users uses certificates to establish a secure connection. A solution user presents the certificate to vCenter SSO in 3 cases:

  • When solution user authenticates against sso for very first time.
  • After a reboot, and
  • After a timeout has elapsed.

The timeout value can be set from the Web Client. The default value for this is 2592000 seconds (30 days). To change the default value, login to vSphere Web Client and navigate to  Administration > Single Sign-On > Configuration > Policies > Token Policy.

On few blogs I read the following steps for configuring ssl timeouts. 

We can configure SSL timeouts for ESXi by editing a configuration file on the ESXi host.

Timeout periods can be set for 2 types of idle connections:

1: The Read Timeout setting applies to connections that have completed the SSL handshake process with port 443 of ESXi.

2: The Handshake Timeout setting applies to connections that have not completed the SSL handshake process on port 443 of ESXi.Read More

Enable/Disable certificate checking on Esxi Host

The data that travels between clients and ESXi hosts is encrypted to ensure that the transactions are private and authenticated. The SSL is used to create a secure connection between the clients, ESXi hosts, and/or the vCenter Server.  SSL uses TCP/IP and allows SSL-enabled ESXi hosts and/or vCenter Server to authenticate with SSL-enabled clients. 

When an ESXi host or vCenter Server is installed, the installation includes SSL certificates. These preinstalled, auto generated certificates are not from an official certificate authority (CA), but they can be used to establish an initial connection.

The vCenter Server uses an SSL certificate when adding ESXi hosts and to connect to managed ESXi hosts whose passwords are stored in the vCenter Server database. After an authenticated encrypted connection is established, a smaller session key is encrypted and exchanged using public and private key pairs.

This shared session key is then used to encrypt and decrypt the data between client and server.Read More

Refresh/Regenerate/Replace Esxi 6.0 SSL Certificates

To improve security in your virtualized environment, it is advisable to use the signed certificates because  ‘self-signed’ certificate will not be trusted by default in it’s communications with other systems. There are various ways to deploy signed certificates on your Esxi hosts and in this post we will look at available options.

Refreshing Esxi Certificates

If you have updated the certificate information and want to push those changes to certificate installed on Esxi host, the simplest method is to do a refresh certificate. Lets understand this by an example.

Suppose this is the current configuration of the vCenter certificate where country name is US and Org Unit is “VMware Engineering”

Now suppose you have updated the various configuration value for your vCenter certificate as shown below

Now if you select the Esxi host and navigate to Manage > Settings > Certificates, you will see it still contains the old information i.eRead More

Configure and manage VMware Endpoint Certificate Store

VMware Endpoint Certificate Store (VECS) serves as a local repository for certificates, private keys, and other certificate information that can be stored in a keystore. You can decide not to use VMCA as your certificate authority and certificate signer, but you must use VECS to store all vCenter certificates, keys, and so on. ESXi certificates are stored locally on each host and not in VECS.

VECS runs as part of the VMware Authentication Framework Daemon (VMAFD). VECS runs on every embedded deployment, Platform Services Controller node, and management node (vCenter) and holds the keystores that contain the certificates and keys.

VECS polls VMware Directory Service (vmdir) periodically for updates to the TRUSTED_ROOTS store. You can also explicitly manage certificates and keys in VECS using vecs-cli commands.

VECS Default Stores

1: Machine SSL Store (MACHINE_SSL_CERT)

This store is used by the reverse proxy service on every vSphere node. This store is also used by the VMware Directory Service (vmdir) on embedded deployments and on each Platform Services Controller node.Read More

Replacing vSphere 6.0 certificates using VMCA as a Subordinate CA

vSphere 6.0 brought many enhancements with it and one of the most significant among them was VMware Certificate Authority which is VMware’s own CA and it eases the pain of certificate management in vSphere 6.

VMCA is itself a fully functional CA and can be used to issue certificates to all vSphere 6 components (vCenter and ESXi hosts) in your environment. VMCA dont have any graphical interface like Microsoft CA and is totally command line driven.

VMCA is part of Platform services controller and there are various deployment model available for configuring VMCA including:

  • VMCA as Root CA
  • VMCA as Subordinate CA to an External Enterprise CA
  • External CA
  • Hybrid mode

Derek Seamen has explained about these deployment options in greater detail here

By default, the VMCA self-signs its own certificate which is used by vCenter server and Esxi hosts. If  your organization policy don’t allow using self-signed certs then you can replace the certs generated by VMCA and sending them to an enterprise CA for signing.Read More