Protect the vRealize Log Insight deployment by providing centralized, role-based authentication and by securing communication with the other components in the Software-Defined Data Center (SDDC).

Enable role-based access control in vRealize Log Insight by using the existing rainpole.local Active Directory domain, so that administrator and operator roles are mapped to Active Directory groups rather than to local accounts.

Authorization and Authentication Management Design Decisions

Each decision below is listed with its Decision ID, Design Decision, Design Justification and Design Implication.

SDDC-OPS-LOG-012
  Design Decision: Use Active Directory for authentication.
  Design Justification: Provides fine-grained, role- and privilege-based access for the administrator and operator roles, with group membership managed centrally in rainpole.local.
  Design Implication: All vRealize Log Insight nodes must be able to reach the Active Directory domain controllers.

SDDC-OPS-LOG-013
  Design Decision: Configure a service account svc-loginsight on vCenter Server for application-to-application communication from vRealize Log Insight to vSphere.
  Design Justification: Provides the following access control properties:
    - vRealize Log Insight accesses vSphere with the minimum set of privileges required to collect vCenter Server events, tasks and alarms and to configure ESXi hosts for syslog forwarding.
    - If the account is compromised, access to vSphere remains limited to that minimum set of privileges; an administrator's credentials are never stored in the Log Insight configuration.
    - Request-response interactions between SDDC components are attributable to a dedicated identity, which improves accountability in vCenter Server audit records.
  Design Implication: You must manage the service account's life cycle (password expiry and rotation) outside the SDDC stack so that the vSphere integration remains available.

SDDC-OPS-LOG-014
  Design Decision: Use global permissions when you create the svc-loginsight service account in vCenter Server.
  Design Justification: Simplifies and standardizes the deployment of the service account across all vCenter Server instances in the same vSphere domain, and provides a consistent authorization layer.
  Design Implication: All vCenter Server instances must be in the same vSphere domain.

SDDC-OPS-LOG-015
  Design Decision: Configure a service account svc-vrli-vrops on vRealize Operations Manager for application-to-application communication from vRealize Log Insight, supporting launch in context in both directions.
  Design Justification: Provides the following access control properties:
    - vRealize Log Insight and vRealize Operations Manager access each other with the minimum set of required permissions.
    - If the account is compromised, access to the destination application remains limited to that minimum set of permissions.
    - Request-response interactions between SDDC components are attributable to a dedicated identity, which improves accountability.
  Design Implication: You must manage the service account's life cycle (password expiry and rotation) outside the SDDC stack so that the integration remains available.

Replace the default self-signed certificates with a CA-signed certificate so that clients can verify the identity of the vRealize Log Insight Web user interface against a trusted certificate authority.

Custom Certificates Design Decision

The decision below is listed with its Decision ID, Design Decision, Design Justification and Design Implication.

SDDC-OPS-LOG-016
  Design Decision: Replace the default self-signed certificates with a CA-signed certificate.
  Design Justification: The default self-signed certificate already encrypts traffic to the externally facing Web UI, but clients cannot validate it, so users learn to click through certificate warnings and cannot distinguish the real appliance from an interposed one. A certificate issued by a CA that the clients trust lets browsers and integrated products verify the identity of the Web UI without warnings.
  Design Implication: The administrator must have access to a Public Key Infrastructure (PKI) to acquire certificates, and must repeat the replacement before the certificate expires.
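The following is an added example of how an administrator would carry out SDDC-OPS-LOG-016 and check the result before uploading it; it is not part of the original design document. It assumes a node FQDN of vrli01.rainpole.local, uses a throwaway CA (constructed here so the script runs offline) in place of the enterprise PKI, and assumes that Log Insight accepts a single PEM bundle of private key, server certificate and CA chain. The checks at the end are the ones worth running against any certificate handed back by a PKI: it must not be self-signed, it must chain to the CA you expect, it must carry the node's FQDN as a subject alternative name, and its public key must match the private key you generated.

```shell
#!/bin/sh
# Added example: issue and validate a CA-signed certificate for a
# vRealize Log Insight node. Not code from the VVD documentation.
# Assumptions: FQDN vrli01.rainpole.local; a constructed throwaway CA
# stands in for the enterprise PKI; Log Insight takes a key+cert+chain PEM.
set -eu

WORK="${WORK:-$(mktemp -d)}"
HOST="${VRLI_HOST:-vrli01.rainpole.local}"

# Constructed CA: only here so the example runs offline. In production the
# CSR goes to the enterprise PKI and ca.pem is that PKI's issuing chain.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
    -subj "/CN=Rainpole Issuing CA (constructed)" >/dev/null 2>&1
}

# The "before" state: a self-signed certificate like the appliance default.
make_default_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -keyout "$WORK/default.key" -out "$WORK/default.pem" \
    -subj "/CN=$HOST" >/dev/null 2>&1
}

# Private key stays on the node; only the CSR leaves for the PKI.
make_csr() {
  openssl genrsa -out "$WORK/$HOST.key" 2048 >/dev/null 2>&1
  openssl req -new -sha256 -key "$WORK/$HOST.key" -out "$WORK/$HOST.csr" \
    -subj "/CN=$HOST/O=Rainpole" >/dev/null 2>&1
}

# Sign the CSR. The SAN is what browsers actually match against the URL;
# serverAuth EKU and CA:FALSE keep the leaf usable only as a TLS server cert.
issue_cert() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' \
    "$HOST" > "$WORK/ext.cnf"
  openssl x509 -req -sha256 -days 365 -in "$WORK/$HOST.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -out "$WORK/$HOST.pem" >/dev/null 2>&1
}

# Returns 0 when subject equals issuer, i.e. the certificate is self-signed.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Returns 0 when the certificate chains to the expected CA and names the host.
verify_cert() {
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$HOST"
}

# Returns 0 when the certificate's public key matches the node's private key.
key_matches() {
  [ "$(openssl pkey -in "$WORK/$HOST.key" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$WORK/$HOST.pem" -pubkey -noout)" ]
}

# Assemble the upload bundle: private key, then leaf, then the CA chain.
make_bundle() {
  cat "$WORK/$HOST.key" "$WORK/$HOST.pem" "$WORK/ca.pem" > "$WORK/$HOST-bundle.pem"
  chmod 600 "$WORK/$HOST-bundle.pem"
}

build_all() {
  make_ca
  make_default_self_signed
  make_csr
  issue_cert
  make_bundle
  echo "bundle written to $WORK/$HOST-bundle.pem"
}

build_all
```

Run it as-is to see the flow end to end, or set VRLI_HOST and replace make_ca and issue_cert with a submission of $WORK/$HOST.csr to the real PKI; the three check functions work unchanged on whatever certificate comes back, with ca.pem replaced by the PKI's chain.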