VCAP-CMA Deploy – Objective 8.2

Disclaimer: These are my notes from studying for the 3V0-31.18 exam. If something doesn’t make sense, please feel free to reach out.

The main goal for this objective is the security of vRealize Automation.

Objective 8.2 – Secure a vRealize Automation deployment in accordance with the VMware hardening guide

References

This is very much about the appliance itself, so familiarity with Linux hardening, particularly around SSH, will be beneficial. Almost all of these changes are made on individual hosts, so they will need to be repeated on each host.

Very roughly, this can be split into:

  • Client Access
  • Data at rest
  • Data in transit
  • Misc

I’m just going to run through a brief overview of each section. For further detail have a read of the very comprehensive documentation.

Client Access

To secure access to the appliance, think along the lines of creating a separate user to log in to the appliance (VAMI, console and SSH) and disabling direct root access. Once logged in to a CLI you can su to root. Definitely only enable SSH when required. Also consider password policies and matching the local users' passwords to the corporate policy.

You may also want to consider changing the default timeouts for vRA. The default is set to 30 minutes.

Data at Rest

This covers securing access to the data held on local disk: the database and the application files. If you need access to the database for anything outside of the application, create another user account for this purpose rather than using the default postgres user. There is also a list of commands in the hardening guide to check that the application files are secure; they are by default, but running the checks should give you an idea if something has been tampered with.

Data in Transit

Securing the data while it is stored on disk is no good unless access to that data is also secure. You'll want to disable SSL v3.0, TLS v1.0 and v1.1 and configure the accepted cipher suites as per your corporate policies on all of the services below:

  • haproxy
  • lighttpd
  • vcac
  • vco
  • rabbitmq
  • IaaS Servers

You may also want to review the response headers for these services to ensure that no additional information is given away in this manner either.
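As an added example (not from the post or the VMware guide), here is a small Python audit of an HAProxy configuration for the protocol and cipher settings described above. The HAProxy directives it checks (ssl-default-bind-options, ssl-default-bind-ciphers and the per-bind no-sslv3/no-tlsv10/no-tlsv11 options) are real; the sample config text, certificate path and cipher list are constructed for illustration and are not the appliance's own settings.

```python
# Hypothetical audit helper, not vRA's or the hardening guide's own code. LEGACY maps each
# protocol the guide says to disable to the HAProxy bind option that disables it.
LEGACY = {"SSLv3": "no-sslv3", "TLSv1.0": "no-tlsv10", "TLSv1.1": "no-tlsv11"}
SECTIONS = ("global", "defaults", "frontend", "listen", "backend")

def parse_sections(cfg):
    """Return {section header: [non-comment lines]} in file order."""
    sections, current = {}, None
    for raw in cfg.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.split()[0] in SECTIONS:
            current, sections[line] = line, []
        elif current is not None:
            sections[current].append(line)
    return sections

def audit_haproxy(cfg):
    """Return a list of findings; an empty list means the config passes the checks."""
    sections = parse_sections(cfg)
    glob = sections.get("global", [])
    global_opts = [t for l in glob if l.startswith("ssl-default-bind-options") for t in l.split()[1:]]
    findings = []
    if not any(l.startswith("ssl-default-bind-ciphers") for l in glob):
        findings.append("global: no ssl-default-bind-ciphers, the OpenSSL default cipher list is in use")
    # Each TLS-terminating bind inherits the global options and may add its own (e.g. 'no-tlsv10').
    for name, lines in sections.items():
        for line in lines:
            tokens = line.split()
            if tokens[:1] != ["bind"] or "ssl" not in tokens:
                continue
            effective = global_opts + tokens[1:]
            for proto, opt in LEGACY.items():
                if opt not in effective:
                    findings.append(f"{name}: '{line}' still accepts {proto} (add {opt})")
    return findings

# Constructed sample configs: a weak 'before' and the hardened 'after'.
WEAK_CFG = """global
frontend vra_https
    bind *:443 ssl crt /etc/haproxy/conf.d/cert.pem
"""
HARDENED_CFG = """global
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
frontend vra_https
    bind *:443 ssl crt /etc/haproxy/conf.d/cert.pem
"""
```

Running `audit_haproxy(WEAK_CFG)` reports the missing cipher list plus one finding per legacy protocol for the bind line, while the hardened config returns no findings.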


2 thoughts on “VCAP-CMA Deploy – Objective 8.2”

  1. Thanks James.
    I am studying your notes for preparing the exam.

    Have you passed the exam yet? I have scheduled mine for the end of Nov… I guess the most difficult part could be vRO etc., at least it applied to me 😦

    1. Hi RL,
      If I’m honest it’s not scheduled yet, hopefully before the end of the year.
      The extensibility piece will definitely be the most difficult for me as it’s just not something I generally cover at work and there is no substitute for real world experience!

      Let me know how you get on!
      James
