vRealize Operations – Authentication

Out of the box, vROps 6.7 comes with a set of local admin accounts intended for initial product setup and cluster management/maintenance.

Screen Shot 2018-08-23 at 09.58.02

These accounts should not be used day to day (it is bad practice and leaves no per-user audit trail), so one of the first post-installation tasks should be to define the authentication mechanism that will be used.

Using the “Authentication Sources” option we can add a new authentication source.

Screen Shot 2018-08-23 at 10.00.22

Basic Directory Authentication

There are a few options to choose from, including direct Active Directory connectivity and OpenLDAP, both of which require the user to enter domain/directory credentials.

Screen Shot 2018-08-23 at 10.08.21

Advanced mode lets you provide additional search criteria such as the base DN, and specific host details to use for directory sync and lookup if required. In most cases “Basic” mode is sufficient.

Screen Shot 2018-08-23 at 10.07.13

Once a directory has been added and successfully synchronised it should look similar to this:

Screen Shot 2018-08-23 at 10.10.06

Using vCenter as SSO

The SSO SAML option allows us to forward authentication requests to vCenter SSO and leverage the directory configuration already in place there, rather than configuring it again within vROps. You can also choose to import groups that have been created in SSO.

Screen Shot 2018-08-23 at 10.17.54

The vCenter's SSL certificate must be trusted by vROps before this configuration can be committed; you will be prompted to accept it when you click either “Test” or “OK”. Check the thumbprint in the prompt against the certificate actually installed on vCenter rather than accepting it blindly, since this is the trust decision that stops vROps from forwarding logins to an impostor SSO endpoint.

Screen Shot 2018-08-23 at 10.20.08

Advanced Authentication

For advanced authentication methods (e.g. smartcard/certificate, RSA etc.) an additional component is required in the form of vIDM (VMware Identity Manager). One or more vIDM appliances will need to be deployed alongside vROps, or alternatively an existing vIDM instance can be used.

To use any of these additional authentication methods, vIDM first needs to be configured for the required directory, and then the appropriate authentication adapters enabled within vIDM. Once this has been done a “VMware Identity Manager” authentication source can be added to vROps.

In this example we are going to set up vIDM with an “Active Directory over LDAP” directory source (you could also use the integrated Windows authentication directory type if desired) and certificate-based authentication. You need to log in as a vIDM system administrator to perform this configuration.

Selecting “Identity & Access Management” followed by “Add Directory” takes you to the screen where the initial configuration can be performed. Note that the screenshots here are from vIDM version 2.9.2; however, the principle is the same for other versions. You can deploy multiple vIDM appliances behind a load balancer for a highly available solution, but that is beyond the scope of this article.

Screen Shot 2018-08-23 at 10.30.19

You can change the search attribute to userPrincipalName (UPN) if required. This is worth doing for certificate authentication, since the UPN is what a smartcard logon certificate carries in its Subject Alternative Name, and the synced attribute is what the certificate adapter later matches it against.

Screen Shot 2018-08-23 at 10.57.06

Once created, vIDM syncs the directory into its internal database based on the configuration supplied. It does NOT sync passwords; authentication is always handed off to the directory.

Screen Shot 2018-08-23 at 10.59.48

The next part of the puzzle is to tell vIDM which authentication adapters it can use. This is done by selecting the “Setup” button under “Identity & Access Management”.

Screen Shot 2018-08-23 at 11.01.36

Clicking on the worker hyperlink leads to the worker configuration page, where the authentication adapters can be enabled, disabled and configured.

Screen Shot 2018-08-23 at 11.03.57

Screen Shot 2018-08-23 at 11.04.55

The hyperlink for the required mechanism can be selected and then configured. The password adapter is configured by default out of the box. Here we have selected the certificate adapter, which requires the issuing root CA and intermediate CA certificates to be uploaded, as well as optional fields such as revocation (CRL/OCSP) URLs and the OID values of the certificate policies accepted. Treat revocation checking and the accepted policy OIDs as mandatory rather than optional: with neither configured, any certificate that chains to the uploaded CA, including a revoked one or one issued for some other purpose, is good enough to log on.
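What the certificate adapter actually does with a presented certificate, as an added example that is not part of the original article or of vIDM's own code: the Go program below mints a throwaway root to issuing CA to client chain in memory (constructed test data; the policy OID 1.3.6.1.4.1.99999.1.2, the CA names and the directory entry are assumptions), then validates the chain against the uploaded root and intermediate, requires an accepted certificate-policy OID, extracts the UPN from the Subject Alternative Name and resolves it against a synced directory keyed on userPrincipalName, the search attribute chosen earlier. Revocation checking is the one adapter step it does not simulate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// oidLogonPolicy is a hypothetical policy OID; the real value is whatever your issuing CA publishes.
var (
	oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
	oidCertPolicies   = asn1.ObjectIdentifier{2, 5, 29, 32}
	oidMicrosoftUPN   = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 311, 20, 2, 3}
	oidLogonPolicy    = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1, 2}
	ErrChain          = errors.New("chain validation failed")
	ErrPolicy         = errors.New("certificate carries no accepted policy OID")
	ErrNoUser         = errors.New("no synced directory user for UPN")
	// Constructed directory sync, UPN -> sAMAccountName. Attributes only: vIDM never syncs passwords.
	directory = map[string]string{"alice@corp.example": "alice"}
)

// otherName is the SAN GeneralName arm ([0] IMPLICIT) carrying a Microsoft UPN as [0] EXPLICIT UTF8String.
type otherName struct {
	TypeID asn1.ObjectIdentifier
	Value  string `asn1:"tag:0,explicit,utf8"`
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// upnOf returns the UPN otherName from the subjectAltName; dNSName, rfc822Name etc. are skipped.
func upnOf(cert *x509.Certificate) (string, error) {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAltName) {
			continue
		}
		var names []asn1.RawValue                // one GeneralName per element; its tag selects the arm
		must(asn1.Unmarshal(ext.Value, &names)) // structure already validated by ParseCertificate
		for _, gn := range names {
			var on otherName
			if _, err := asn1.UnmarshalWithParams(gn.FullBytes, &on, "tag:0"); err == nil && on.TypeID.Equal(oidMicrosoftUPN) {
				return on.Value, nil
			}
		}
	}
	return "", errors.New("no UPN in subjectAltName")
}

// authenticate mirrors the vIDM certificate adapter: chain the client certificate to the uploaded
// root/intermediate, require an accepted policy OID, then resolve the SAN UPN to a synced user.
// Revocation checking (CRL/OCSP) is the one adapter step not simulated here.
func authenticate(leaf *x509.Certificate, roots, inters *x509.CertPool, policy asn1.ObjectIdentifier) (string, error) {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("%w: %v", ErrChain, err)
	}
	if !slices.ContainsFunc(leaf.PolicyIdentifiers, policy.Equal) { // parsed from certificatePolicies
		return "", ErrPolicy
	}
	upn, err := upnOf(leaf)
	if err != nil {
		return "", err
	}
	if user, ok := directory[upn]; ok {
		return user, nil
	}
	return "", fmt.Errorf("%w: %s", ErrNoUser, upn)
}

// mint issues a certificate on a fresh P-256 key: a CA when ca is true, otherwise a client-auth
// certificate carrying exts. parent == nil means self-signed (a root).
func mint(serial int64, cn string, ca bool, exts []pkix.Extension, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, IsCA: ca, KeyUsage: x509.KeyUsageDigitalSignature, ExtraExtensions: exts}
	if ca {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, signer = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// clientExts builds the two extensions the adapter reads: the UPN SAN and certificatePolicies.
func clientExts(upn string, policy asn1.ObjectIdentifier) []pkix.Extension {
	gn := must(asn1.MarshalWithParams(otherName{oidMicrosoftUPN, upn}, "tag:0"))
	return []pkix.Extension{
		{Id: oidSubjectAltName, Value: must(asn1.Marshal([]asn1.RawValue{{FullBytes: gn}}))},
		{Id: oidCertPolicies, Value: must(asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{policy}}))},
	}
}

// buildPKI mints root -> issuing CA (the pair an admin would upload to the adapter) and returns
// the trust pools plus the issuing CA's certificate and key for minting client certificates.
func buildPKI() (roots, inters *x509.CertPool, caCert *x509.Certificate, caKey *ecdsa.PrivateKey) {
	rootCert, rootKey := mint(1, "Corp Root CA", true, nil, nil, nil)
	caCert, caKey = mint(2, "Corp Issuing CA", true, nil, rootCert, rootKey)
	roots, inters = x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootCert)
	inters.AddCert(caCert)
	return
}

func main() {
	roots, inters, caCert, caKey := buildPKI()
	rogueCert, rogueKey := mint(3, "Rogue CA", true, nil, nil, nil)
	genuine, _ := mint(10, "Alice", false, clientExts("alice@corp.example", oidLogonPolicy), caCert, caKey)
	rogue, _ := mint(11, "Alice", false, clientExts("alice@corp.example", oidLogonPolicy), rogueCert, rogueKey)
	for name, c := range map[string]*x509.Certificate{"genuine": genuine, "rogue CA": rogue} {
		user, err := authenticate(c, roots, inters, oidLogonPolicy)
		fmt.Printf("%-9s user=%q err=%v\n", name, user, err)
	}
}
```

Run it and the genuine certificate resolves to alice while the one issued by the rogue CA fails chain validation; the same authenticate function also refuses a certificate whose policies list lacks the accepted OID, or whose UPN has no synced directory user, which is why the accepted OIDs and the scope of the directory sync act as access controls in their own right.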

Screen Shot 2018-08-23 at 11.07.02

Once the adapter has been populated with the required data and submitted it will show as enabled in the list of all adapters.

Screen Shot 2018-08-23 at 11.11.38

Now the access policy for vIDM can be amended to require that certificate authentication is used for access.  This is done by modifying the “default_access_policy_set”.

Screen Shot 2018-08-23 at 11.13.58

Screen Shot 2018-08-23 at 11.14.49

The authentication method for the web browser should be amended by clicking on its hyperlink and changing the authentication mechanism to certificate. A fallback mechanism can be specified if required; if the user base is to be restricted to a single form of authentication, the fallback can be removed as shown below. Be aware that with no fallback, anyone without a valid certificate, administrators included, can no longer log in through this policy, so make sure an administrative route that does not depend on it remains available.

Screen Shot 2018-08-23 at 11.17.03

The policy should now show the following rules and can be saved. The remaining configuration can now be done from within vROps.

Screen Shot 2018-08-23 at 11.18.47

The authentication source type selected should be “VMware Identity Manager”, as shown below. The “Redirect FQDN/IP” field tells vIDM where to return the user once authentication has succeeded. This is normally the master node and may need updating if the master node becomes unavailable.

Screen Shot 2018-08-23 at 11.22.23

Screen Shot 2018-08-23 at 11.26.20

vIDM should now be showing as an authentication source within vROps, as shown below.

Screen Shot 2018-08-23 at 11.27.06

Users can now log into vROps via vIDM using the redirect button. The button takes the user to vIDM for authentication and returns them to vROps once they have successfully authenticated.

Screen Shot 2018-08-23 at 11.29.12

The user gets read-only access by default. Once users have logged in with their accounts for the first time they appear in the user tab, clearly marked as coming from vIDM. From this point a user can be added to a new vROps user group and assigned the specific access rights required.

Screen Shot 2018-08-23 at 11.33.13
