0% found this document useful (0 votes)

101 views

Nutanix Security Guide v6 - 6 - Compressed

This document provides guidance on security best practices and configurations for Nutanix including hardening instructions, virtual trusted platform module, authentication, encryption, network segmentation, firewalls, and log management.

Uploaded by

maikson

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

101 views

Nutanix Security Guide v6 - 6 - Compressed

Uploaded by

maikson

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 233

AOS Security 6.

Security Guide
April 4, 2023
Contents

Audience & Purpose....................................................................................................5

Nutanix Security Infrastructure.............................................................................. 6

SCMA Implementation.............................................................................................................................................6
RHEL 7 STIG Implementation in Nutanix Controller VM........................................................................... 6
Security Updates........................................................................................................................................................7
Nutanix Security Landscape................................................................................................................................. 7

Hardening Instructions (nCLI).................................................................................9

Hardening AHV...........................................................................................................................................................9
Hardening Controller VM...................................................................................................................................... 14
TCP Wrapper Integration..........................................................................................................................18
IP Set Based Firewall................................................................................................................................. 18
Common Criteria...................................................................................................................................................... 19

Securing AHV VMs with Virtual Trusted Platform Module (vTPM).........20

Considerations for Enabling vTPM in AHV VMs.........................................................................................20
Creating AHV VMs with vTPM (aCLI)............................................................................................................ 20
Enabling vTPM for Existing AHV VMs (aCLI)............................................................................................... 21

Security Management Using Prism Element (PE).........................................23

Configuring Authentication................................................................................................................................. 23
Assigning Role Permissions.................................................................................................................... 33
Certificate Revocation Checking.......................................................................................................... 36
Authentication Best Practices............................................................................................................................37
Emergency Local Account Usage........................................................................................................ 37
Modifying Default Passwords.................................................................................................................38
Controlling Cluster Access...................................................................................................................... 38
Setup Admin Session Timeout.............................................................................................................. 39
Password Retry Lockout......................................................................................................................... 40
Internationalization (i18n)........................................................................................................................40
User Management.................................................................................................................................................... 41
Creating a User Account.......................................................................................................................... 41
Deleting a User Account (Local)......................................................................................................... 50
Certificate Management.........................................................................................................................................51
Installing an SSL Certificate.....................................................................................................................51
Replacing a Certificate............................................................................................................................. 55
Exporting an SSL Certificate for Third-party Backup Applications........................................ 58
Controlling Cluster Access.................................................................................................................................. 59
Data-at-Rest Encryption...................................................................................................................................... 60
Data-at-Rest Encryption (SEDs)...........................................................................................................62
Data-at-Rest Encryption (Software Only).........................................................................................75
Switching from SED-EKM to Software-LKM.................................................................................... 89
Configuring Dual Encryption................................................................................................................. 90
Backing up Keys......................................................................................................................................... 90

ii
Importing Keys.............................................................................................................................................. 91
Securing Traffic Through Network Segmentation..................................................................................... 92
Traffic Types In a Segmented Network............................................................................................. 93
Segmented and Unsegmented Networks.........................................................................................94
Implementation Considerations.......................................................................................................... 100
Configuring the Network on an AHV Host.....................................................................................102
Network Segmentation for Traffic Types (Backplane, Management, and RDMA)...........104
Service-Specific Traffic Isolation......................................................................................................... 127
Configuring Backplane IP Pool............................................................................................................ 133
Enabling Backplane Network Segmentation on a Mixed Hypervisor Cluster.................... 134
Updating Backplane Portgroup........................................................................................................... 135
IP Address Customization for each CVM and Host.....................................................................136
Enabling Physical Backplane Segmentation on Hyper-V Using CLI..................................... 138
Network Segmentation during Cluster Expansion.......................................................................138
Network Segmentation–Related Changes During an AOS Upgrade.................................... 139
Firewall Requirements..........................................................................................................................................139
Log management...................................................................................................................................................139
Log Forwarding..........................................................................................................................................139
Documenting the Log Fingerprint.....................................................................................................140

Security Management Using Prism Central (PC)..........................................141

Configuring Authentication................................................................................................................................ 141
Adding An Authentication Directory (Prism Central)................................................................. 141
Adding a SAML-based Identity Provider......................................................................................... 148
Enabling and Configuring Client Authentication..........................................................................150
Certificate Revocation Checking......................................................................................................... 152
User Management..................................................................................................................................................153
Managing Local User Accounts........................................................................................................... 153
Deleting a Directory User Account....................................................................................................164
Controlling User Access (RBAC).........................................................................................................165
Installing an SSL Certificate.............................................................................................................................204
Controlling Remote (SSH) Access.................................................................................................................207
Security Policies using Flow............................................................................................................................ 208
Data-in-Transit Encryption................................................................................................................................208
Enabling Data-in-Transit Encryption................................................................................................ 208
Securing AHV VMs with Virtual Trusted Platform Module (vTPM)................................................... 210
Considerations for Enabling vTPM in AHV VMs (Prism Central)............................................210
Creating a VM with vTPM....................................................................................................................... 211
Enabling vTPM on an Existing VM..................................................................................................... 212
Removing vTPM from an Existing VM.............................................................................................. 213
Security Dashboard...............................................................................................................................................213
Security Widget (PC Main Dashboard)............................................................................................214
Security Dashboard Wizard.................................................................................................................. 215
Using the Security Dashboard............................................................................................................. 216
Managing Security Dashboard............................................................................................................. 219
Password Retry Lockout.....................................................................................................................................219

Security Management Using Identity and Access Management

(Prism Central)..................................................................................................... 220
Identity and Access Management Prerequisites and Considerations.............................................. 222
Enabling IAM...........................................................................................................................................................224
Configuring Authentication...............................................................................................................................225
Enabling and Configuring Client Authentication/CAC..............................................................226
Updating ADFS When Using SAML Authentication...................................................................228

iii
Adding a SAML-based Identity Provider........................................................................................ 228
Restoring Identity and Access Management Configuration Settings............................................... 231

Accessing a List of Open Source Software Running on a Cluster........ 232

Copyright.................................................................................................................... 233
AUDIENCE & PURPOSE
This Security Guide is intended for security-minded people responsible for architecting,
managing, and supporting infrastructures, especially those who want to address security
without adding more human resources or additional processes to their datacenters.
This guide offers an overview of the security development life cycle (SecDL) and host of
security features supported by Nutanix. It also demonstrates how Nutanix complies with
security regulations to streamline infrastructure security management. In addition to this, this
guide addresses the technical requirements that are site specific or compliance-standards (that
should be adhered), which are not enabled by default.

Note:
Hardening of the guest OS or any applications running on top of the Nutanix
infrastructure is beyond the scope of this guide. We recommend that you refer to the
documentation of the products that you have deployed in your Nutanix environment.

AOS Security | Audience & Purpose | 5

NUTANIX SECURITY INFRASTRUCTURE
Nutanix takes a holistic approach to security with a secure platform, extensive automation,
and a robust partner ecosystem. The Nutanix security development life cycle (SecDL)
integrates security into every step of product development, rather than applying it as an
afterthought. The SecDL is a foundational part of product design. The strong pervasive culture
and processes built around security harden the Enterprise Cloud Platform and eliminate zero-
day vulnerabilities. Efficient one-click operations and self-healing security models easily enable
automation to maintain security in an always-on hyperconverged solution.
Since traditional manual configuration and checks cannot keep up with the ever-growing list of
security requirements, Nutanix conforms to RHEL 7 Security Technical Implementation Guides
(STIGs) that use machine-readable code to automate compliance against rigorous common
standards. With Nutanix Security Configuration Management Automation (SCMA), you can
quickly and continually assess and remediate your platform to ensure that it meets or exceeds
all regulatory requirements.
Nutanix has standardized the security profile of the Controller VM to a security compliance
baseline that meets or exceeds the standard high-governance requirements.
The most commonly used references in United States to guide vendors to build products
according to the set of technical requirements are as follows.

• The National Institute of Standards and Technology Special Publications Security and
Privacy Controls for Federal Information Systems and Organizations (NIST 800.53)
• The US Department of Defense Information Systems Agency (DISA) Security Technical
Implementation Guides (STIG)

SCMA Implementation
The Nutanix platform and all products leverage the Security Configuration Management
Automation (SCMA) framework to ensure that services are constantly inspected for variance to
the security policy.
Nutanix has implemented security configuration management automation (SCMA) to check
multiple security entities for both Nutanix storage and AHV. Nutanix automatically reports log
inconsistencies and reverts them to the baseline.
With SCMA, you can schedule the STIG to run hourly, daily, weekly, or monthly. STIG has the
lowest system priority within the virtual storage controller, ensuring that security checks do not
interfere with platform performance.

Note: Only the SCMA schedule can be modified. The AIDE schedule is run on a fixed weekly
schedule. To change the SCMA schedule for AHV or the Controller VM, see Hardening
Instructions (nCLI) on page 9.

RHEL 7 STIG Implementation in Nutanix Controller VM

Nutanix leverages SaltStack and SCMA to self-heal any deviation from the security baseline
configuration of the operating system and hypervisor to remain in compliance. If any
component is found as non-compliant, then the component is set back to the supported
security settings without any intervention. To achieve this objective, Nutanix has implemented
the Controller VM to support STIG compliance with the RHEL 7 STIG as published by DISA.
The STIG rules are capable of securing the boot loader, packages, file system, booting and
service control, file ownership, authentication, kernel, and logging.

AOS Security | Nutanix Security Infrastructure | 6

Example: STIG rules for Authentication
Prohibit direct root login, lock system accounts other than root, enforce several password
maintenance details, cautiously configure SSH, enable screen-locking, configure user shell
defaults, and display warning banners.

Security Updates
Nutanix provides continuous fixes and updates to address threats and vulnerabilities. Nutanix
Security Advisories provide detailed information on the available security fixes and updates,
including the vulnerability description and affected product/version.
To see the list of security advisories or search for a specific advisory, log on to the Support
Portal and select Documentation, and then Security Advisories.

Nutanix Security Landscape

This topic provides highlights on Nutanix security landscape and its highlights. The following
table helps to identify the security features offered out-of-the-box in Nutanix infrastructure.

Topic Highlights

Authentication and Authorization

• Support for Authentication types and
directories
• Role Permissions
• Password Complexity Support with
standard Pluggable Authentication Module
(PAM) library

Network segmentation VLAN-based, data driven segmentation

Security Policy Management Implement security policies using
Microsegmentation.
Data security and integrity
• Cluster access control
• SSL certificate management
• Data-at-rest (DAR) encryption

Hardening Instructions
• Hardening AHV
• Hardening Controller VM
• TCP Wrapper Integration

Log monitoring and analysis

• Cluster-wide log shipping
• Documenting the log fingerprint
• See Pulse Health Monitoring in the Prism
Web Console Guide

Flow Networking See Flow Networking Guide

UEFI See UEFI Support for VMs in the AHV

Administration Guide

AOS Security | Nutanix Security Infrastructure | 7

Topic Highlights

Secure Boot See Secure Boot Support for VMs in the AHV
Administration Guide

Windows Credential Guard support See Windows Defender Credential Guard

Support in AHV in the AHV Administration
Guide

RBAC See Controlling User Access (RBAC)

AOS Security | Nutanix Security Infrastructure | 8

HARDENING INSTRUCTIONS (NCLI)
This chapter describes how to implement security hardening features for Nutanix AHV and
Controller VM.

Hardening AHV
You can use Nutanix Command Line Interface (nCLI) in order to customize the various
configuration settings related to AHV as described below.

AOS Security | Hardening Instructions (nCLI) | 9

Table 1: Configuration Settings to Harden the AHV

Description Command or Settings Output

Getting the cluster-wide Run the following command: Enable Aide : false
configuration of the SCMA nutanix@cvm$ ncli cluster get- Enable Core : false
policy. hypervisor-security-config Enable High Strength P... :
false
Enable Banner : false
Schedule : DAILY

Enabling the Advanced Run the following command: Enable Aide : true
Intrusion Detection nutanix@cvm$ ncli cluster Enable Core : false
Environment (AIDE) to run on edit-hypervisor-security- Enable High Strength P... :
a weekly basis. params enable-aide=true false
Enable Banner : false
Schedule : DAILY

Enabling the high-strength Run the following command: Enable Aide : true
password policies (minlen=15, nutanix@cvm$ ncli cluster Enable Core : false
difok=8, maxclassrepeat=4). edit-hypervisor-security- Enable High Strength P... :
params \ true
Enable Banner : false
enable-high-strength- Schedule : DAILY
password=true

Enabling the defense Run the following command: Enable Aide : true
knowledge consent banner of nutanix@cvm$ ncli cluster Enable Core : false
the US department. edit-hypervisor-security- Enable High Strength P... :
params enable-banner=true true
Enable Banner : true
Schedule : DAILY

Changing the default schedule Run the following command: Enable Aide : true
of running the SCMA. The nutanix@cvm$ ncli cluster Enable Core : false
schedule can be hourly, daily, edit-hypervisor-security- Enable High Strength P... :
weekly, and monthly. params schedule=hourly true
Enable Banner : true
Schedule : HOURLY

Enabling the settings so that Run the following command: Enable Aide : true
AHV can generate stack nutanix@cvm$ ncli cluster Enable Core : true
traces for any cluster issue. edit-hypervisor-security- Enable High Strength P... :
params enable-core=true true
Enable Banner : true
Schedule : HOURLY
Note: Nutanix
recommends that Core
should not be set to true
unless instructed by the
Nutanix support team.

Configuring security levels for Run the following command:

the nutanix user for ssh login nutanix@cvm$ ncli cluster
to the Nutanix Cluster. edit-cvm-security-params ssh-
security-level=limited

AOS Security | Hardening Instructions (nCLI) | 10

Description Command or Settings Output

Enabling locking of the Run the following command:

security configuration. nutanix@cvm$ ncli cluster
edit-cvm-security-params
enable-lock-status=true

Enabling iTLB Multihit Run the following command: Enable Aide : true
Mitigation (CVE-2018-12207) nutanix@cvm$ ncli cluster Enable Core
for all AHV nodes. edit-cvm-security-params : true
enable-itlb-multihit- Enable High
Note: mitigation=true Strength P... : true
Enable Banner
• This settings is : true
Schedule
disabled by default
: HOURLY
• Enabling this Enable iTLB
setting may have Multihit M... : true
performance
impact on the
running workloads

AOS Security | Hardening Instructions (nCLI) | 11

Description Command or Settings Output

When a high governance The settings should be as

official needs to run the follows:
hardened configuration. Enable Aide :
true
Enable Core
: false
Enable High Strength
P... : true
Enable Banner
: false
Enable SNMPv3 Only
: true
Schedule
: HOURLY
Enable Kernel
Mitigations : false
SSH Security Level
: LIMITED
Enable Lock Status
: true
Enable Kernel Core
: true

AOS Security | Hardening Instructions (nCLI) | 12

Description Command or Settings Output

When a federal official The settings should be as

needs to run the hardened follows:
configuration. Enable Aide :
true
Enable Core
: false
Enable High Strength
P... : true
Enable Banner
: true
Enable SNMPv3 Only
: true
Schedule
: HOURLY
Enable Kernel
Mitigations : false
SSH Security Level
: LIMITED
Enable Lock Status
: true
Enable Kernel Core
: true

Note: A banner file can

be modified to support
non-DoD customer
banners.

Backing up the DoD banner Run the following command

file. on the AHV host:
[root@AHV-host ~]# cp -a /
etc/puppet/modules/kvm/files/
issue.DoD \
/etc/puppet/modules/kvm/files/
issue.DoD.bak

Important: Any changes

in the banner file are
not preserved across
upgrades.

Modifying the DoD banner file. Run the following command

on the AHV host:
[root@AHV-host ~]# vi /etc/
puppet/modules/kvm/files/
issue.DoD

Note: Repeat all the

above steps on every
AHV in a cluster.

Important: Any changes

in the banner file are
not preserved across
upgrades.

AOS Security | Hardening Instructions (nCLI) | 13

Description Command or Settings Output

Setting the banner for all Run the following command:

nodes through nCLI. nutanix@cvm$ ncli cluster
edit-hypervisor-security-
params enable-banner=true

The following options are configured or customized to harden the AHV:

• Enable AIDE: Advanced Intrusion Detection Environment (AIDE) is a Linux utility that
monitors a given node. After you install the AIDE package, the system will generate a
database that contains all the files you selected in your configuration file by entering the
aide -–init command as a root user. You can move the database to a secure location in
a read-only media or on other machines. After you create the database, you can use the
aide -–check command for the system to check the integrity of the files and directories by
comparing the files and directories on your system with the snapshot in the database. In
case there are unexpected changes, a report gets generated, which you can review. If the
changes to existing files or files added are valid, you can use the aide --update command to
update the database with the new changes.
• Enable high strength password: You can run the command as shown in the table in this
section to enable high-strength password policies (minlen=15, difok=8, maxclassrepeat=4).

Note:

• minlen is the minimum required length for a password.

• difok is the minimum number of characters that must be different from the old
password.
• maxclassrepeat is the number of consecutive characters of same class that you
can use in a password.

• Enable Core: A core dump consists of the recorded state of the working memory of
a computer program at a specific time, generally when the program gets crashed or
terminated abnormally. Core dumps are used to assist in diagnosing or debugging errors in
computer programs. You can enable the core for troubleshooting purposes.
• Enable Banner: You can set a banner to display a specific message. For example, set a
banner to display a warning message that the system is available to authorized users only.

Hardening Controller VM
You can use Nutanix Command Line Interface (nCLI) in order to customize the various
configuration settings related to the Controller VM as described below.
For the complete list of cluster security parameters, see Edit the security params of a Cluster in
the Command Reference guide.

• Run the following command to support cluster-wide configuration of the SCMA policy.
nutanix@cvm$ ncli cluster get-cvm-security-config

The current cluster configuration is displayed.

Enable Aide : false
Enable Core : false
Enable High Strength P... : false
Enable Banner : false

AOS Security | Hardening Instructions (nCLI) | 14

Enable SNMPv3 Only : false
Schedule : DAILY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false

• Run the following command to schedule weekly execution of Advanced Intrusion Detection
Environment (AIDE).
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-aide=true

The following output is displayed.

Enable Aide : true
Enable Core : false
Enable High Strength P... : false
Enable Banner : false
Enable SNMPv3 Only : false
Schedule : DAILY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false

• Run the following command to enable the strong password policy.

nutanix@cvm$ ncli cluster edit-cvm-security-params enable-high-strength-password=true

The following output is displayed.

Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : false
Enable SNMPv3 Only : false
Schedule : DAILY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false

• Run the following command to enable the defense knowledge consent banner of the US
department.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-banner=true

The following output is displayed.

Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : false
Schedule : DAILY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false

AOS Security | Hardening Instructions (nCLI) | 15

• Run the following command to enable the settings to allow only SNMP version 3.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-snmpv3-only=true

The following output is displayed.

Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : DAILY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false

• Run the following command to change the default schedule of running the SCMA. The
schedule can be hourly, daily, weekly, and monthly.
nutanix@cvm$ ncli cluster edit-cvm-security-params schedule=hourly

The following output is displayed.

Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false

• Run the following command to enable the settings so that Controller VM can generate stack
traces for any cluster issue.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-core=true

The following output is displayed.

Note: Nutanix recommends that Core should not be set to true unless instructed by the
Nutanix support team.

• Run the following command to configure security levels for the nutanix user for ssh login to
the Nutanix Cluster.
nutanix@cvm$ ncli cluster edit-cvm-security-params ssh-security-level=limited

The following output is displayed.

Enable Aide : true
Enable Core : false

AOS Security | Hardening Instructions (nCLI) | 16

Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : LIMITED
Enable Lock Status : true
Enable Kernel Core : true

• Run the following command to enable to locking of the security configuration.

nutanix@cvm$ ncli cluster edit-cvm-security-params enable-lock-status=true

The following output is displayed.

Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : LIMITED
Enable Lock Status : true
Enable Kernel Core : true

Note: If set true, the configuration settings can not be edited by the user and a support call
will need to be made to unlock this configuration.

Scenario-Based Hardening

• When a high governance official needs to run the hardened configuration then the settings
should be as follows.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : false
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : LIMITED
Enable Lock Status : true
Enable Kernel Core : true

• When a federal official needs to run the hardened configuration then the settings should be
as follows.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : LIMITED
Enable Lock Status : true
Enable Kernel Core : true

AOS Security | Hardening Instructions (nCLI) | 17

DoD Banner Configuration

• Note: A banner file can be modified to support non-DoD customer banners.

• Run the following command to backup the DoD banner file.

nutanix@cvm$ sudo cp -a /srv/salt/security/CVM/sshd/DODbanner \
/srv/salt/security/CVM/sshd/DODbannerbak

• Run the following command to modify DoD banner file.

nutanix@cvm$ sudo vi /srv/salt/security/CVM/sshd/DODbanner

Note: Repeat all the above steps on every Controller VM in a cluster.

• Run the following command to backup the DoD banner file of the Prism Central VM.
nutanix@pcvm$ sudo cp -a /srv/salt/security/PC/sshd/DODbanner \
/srv/salt/security/PC/sshd/DODbannerbak

• Run the following command to modify DoD banner file of the Prism Central VM.
nutanix@pcvm$ sudo vi /srv/salt/security/PC/sshd/DODbanner

• Run the following command to set the banner for all nodes through nCLI.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-banner=true

TCP Wrapper Integration

Nutanix Controller VM uses the tcp_wrappers package to allow TCP supported daemons to
control the network subnets which can access the libwrapped daemons. By default, SCMA
controls the /etc/hosts.allow file in /srv/salt/security/CVM/network/hosts.allow and
contains a generic entry to allow access to NFS, secure shell, and SNMP.
sshd: ALL : ALLOW
rpcbind: ALL : ALLOW
snmpd: ALL : ALLOW
snmptrapd: ALL : ALLOW

Nutanix recommends that the above configuration is changed to include only the localhost
entries and the management network subnet for the restricted operations; this applies to both
production and high governance compliance environments. This ensures that all subnets used
to communicate with the CVMs are included in the /etc/hosts.allow file.

IP Set Based Firewall

The IP set-based firewall feature implements strict firewall rules for intra cluster communication.
This feature enables individual IP address filtering for intra cluster communication for various
internal services. Prism considers only individual Controller VM and hypervisor IP addresses as
trusted sources to receive RPC and API request from other CVMs in the same cluster.

Enabling IP Set Based Firewall

Before you begin

Ensure that there is no maintenance operation running in the Tasks page. For more information
on how to open Tasks page, see View Tasks Status topic in the Prism Web Console Guide.

AOS Security | Hardening Instructions (nCLI) | 18

About this task
To enable the IP set-based firewall feature across all nodes in a cluster, run the following
command:

Procedure

1. nutanix@pcvm$ allssh modify_firewall -w feature_set.ip_set_based_firewall_support=True

Note:
The modify_firewall command is case-sensitive.

2. nutanix@pcvm$ cluster restart_genesis

For the changes to take effect, restart the cluster.
You can run the modify_firewall command on individual nodes as well:
nutanix@pcvm$ modify_firewall -w feature_set.ip_set_based_firewall_support=True
nutanix@pcvm$ genesis restart

What to do next
To view the new firewall behavior, run the sudo iptables-save command.
When you run the modify_firewall command, Genesis changes the firewall behavior for few
ports. They are:

• In the base_config.json file, for ports listed under MGMT key the firewall behavior changes.
Sample:
-A MGMT -i eth0 -p tcp -m tcp --dport 9876 -m set --match-set ntnx-cvm-ips src -j ACCEPT

• In the config_with_backplane.json file, only when you enable backplane network

segmentation on the cluster, the firewall behavior changes for ports listed under
BACKPLANE key. Sample:
-A BACKPLANE -i eth2 -p tcp -m tcp --dport 9876 -m set --match-set ntnx-cvm-ips src -j
ACCEPT

However, the firewall behavior does not change for ports listed under the
MGMT_OPENFROMALL key.

Common Criteria
Common Criteria is an international security certification that is recognized by many countries
around the world. Nutanix AOS and AHV are Common Criteria certified by default and no
additional configuration is required to enable the Common Criteria mode. For more information,
see the Nutanix Trust website.

Note: Nutanix uses FIPS-validated cryptography by default.

AOS Security | Hardening Instructions (nCLI) | 19

SECURING AHV VMS WITH VIRTUAL
TRUSTED PLATFORM MODULE (VTPM)
Overview
A Trusted Platform Module (TPM) is used to manage cryptographic keys for security services
like encryption and hardware (and software) integrity protection. AHV vTPM is software-based
emulation of the TPM 2.0 specification that works as a virtual device.

Note: AHV vTPM does NOT require OR use a hardware TPM.

You can use the AHV vTPM feature to secure virtual machines running on AHV.

vTPM Use Cases

AHV vTPM provides virtualization-based security support for the following primary use cases.

• Support for storing cryptographic keys and certificates for Microsoft Windows BitLocker
• TPM protection for storing VBS encryption keys for Windows Defender Credential Guard
See Microsoft documentation for details on Microsoft Windows Defender Credential Guard and
Microsoft Windows BitLocker.

Tip: Windows 11 installation requires TPM 2.0, see Microsoft website for Windows 11 specs,
features, and computer requirements.

Considerations for Enabling vTPM in AHV VMs

Requirements
Supported Software Versions:

• AHV version 20220304.242 or above

• AOS version 6.5.1 or above
VM Requirements:

• You must enable UEFI on the VM on which you want to enable vTPM, see UEFI Support for
VM.
• You must enable Secure Boot (applicable if using Microsoft Windows BitLocker), see Secure
Boot Support for VMs.

Limitations

• All Secure Boot limitations apply to vTPM VM.

• Disaster recovery is not supported for vTPM VMs.

Creating AHV VMs with vTPM (aCLI)

About this task
You can create a virtual machine with the vTPM configuration enabled using the following aCLI
procedure.

AOS Security | Securing AHV VMs with Virtual Trusted Platform Module (vTPM) | 20
Procedure

1. Log on to any Controller VM in the cluster with SSH.

2. At the CVM prompt, type acli to enter the Acropolis CLI mode.

3. Create a VM with the required configuration using one of the following methods.

» Create a VM using Prism Element or Prism Central web console. If you choose to create
the VM using Prism Element or Prism Central, proceed to Step 4.

Note: For simplicity, it is recommended to use Prism Element or Prism Central web
console to create VMs, see Creating a VM.

» Create a VM using aCLI. You can enable vTPM at the time of creating a VM. To enable
vTPM during VM creation, do the following and proceed to step 5 (skip step 4).
Use the "vm.create" command with required arguments to create a VM. For details on VM
creation command ("vm.create") and supported arguments using aCLI, see "vm" in the
Command Reference Guide.
acli> vm.create <vm-name> machine_type=q35 uefi_boot=true secure_boot=true
virtual_tpm=true <argument(s)>

Replace <vm-name> with the name of the VM and <argument(s)> with one or more
arguments as needed for your VM.

4. Enable vTPM.
acli> vm.update <vm-name> virtual_tpm=true

In the above command, replace "<vm-name>" with name of the newly created VM.

5. Start the VM.

acli> vm.on <vm-name>

Replace <vm-name> with the name of the VM.

vTPM is enabled on the VM.

Enabling vTPM for Existing AHV VMs (aCLI)

About this task
You can update the settings of an existing virtual machine (that satisfies vTPM requirements) to
enable vTPM using the following aCLI procedure.

Procedure

1. Log on to any Controller VM in the cluster with SSH.

2. At the CVM prompt, type acli to enter the acropolis CLI mode.

3. Shut down the VM to enforce an update on the VM.

acli> vm.shutdown <vm-name>

Replace <vm-name> with the name of the VM.

4. Enable vTPM.
acli> vm.update <vm-name> virtual_tpm=true

Replace <vm-name> with the name of the VM.

AOS Security | Securing AHV VMs with Virtual Trusted Platform Module (vTPM) | 21
5. Start the VM.
acli> vm.on <vm-name>

Replace <vm-name> with the name of the VM.

vTPM is enabled on the VM.

AOS Security | Securing AHV VMs with Virtual Trusted Platform Module (vTPM) | 22
SECURITY MANAGEMENT USING PRISM
ELEMENT (PE)
Nutanix provides several mechanisms to maintain security in a cluster using Prism Element.

Configuring Authentication
About this task
Nutanix supports user authentication. To configure authentication types and directories and to
enable client authentication or to enable client authentication only, do the following:

Caution: The web console (and nCLI) does not allow the use of the not secure SSLv2 and SSLv3
ciphers. There is a possibility of an SSL Fallback situation in some browsers which denies access
to the web console. To eliminate this, disable (uncheck) SSLv2 and SSLv3 in any browser used
for access. However, TLS must be enabled (checked).

Procedure

1. Click the gear icon in the main menu and then select Authentication in the Settings page.
The Authentication Configuration window appears.

Note: The following steps combine three distinct procedures, enabling authentication (step
2), configuring one or more directories for LDAP/S authentication (steps 3-5), and enabling
client authentication (step 6). Perform the steps for the procedures you need. For example,
perform step 6 only if you intend to enforce client authentication.

2. To enable server authentication, click the Authentication Types tab and then check the box
for either Local or Directory Service (or both). After selecting the authentication types, click
the Save button.
The Local setting uses the local authentication provided by Nutanix (see User Management
on page 41). This method is employed when a user enters just a login name without
specifying a domain (for example, user1 instead of [email protected]). The Directory
Service setting validates user@domain entries and validates against the directory specified in

AOS Security | Security Management Using Prism Element (PE) | 23

the Directory List tab. Therefore, you need to configure an authentication directory if you
select Directory Service in this field.

Figure 1: Authentication Types Tab

Note: The Nutanix admin user can log on to the management interfaces, including the web
console, even if the Local authentication type is disabled.

3. To add an authentication directory, click the Directory List tab and then click the New
Directory option.
A set of fields is displayed. Do the following in the indicated fields:

a. Directory Type: Select one of the following from the pull-down list.

• Active Directory: Active Directory (AD) is a directory service implemented by

Microsoft for Windows domain networks.

Note:

• Users with the "User must change password at next logon" attribute
enabled will not be able to authenticate to the web console (or nCLI).
Ensure users with this attribute first login to a domain workstation and
change their password prior to accessing the web console. Also, if SSL is
enabled on the Active Directory server, make sure that Nutanix has access
to that port (open in firewall).
• An Active Directory user name or group name containing spaces is not
supported for Prism Element authentication.
• Active Directory domain created by using non-ASCII text may not be
supported. For more information about usage of ASCII or non-ASCII text
in Active Directory configuration, see the Internationalization (i18n) on
page 40 section.
• Use of the "Protected Users" group is currently unsupported for Prism
authentication. For more details on the "Protected Users" group, see
“Guidance about how to configure protected accounts” on Microsoft
documentation website.
• The Microsoft AD is LDAP v2 and LDAP v3 compliant.

AOS Security | Security Management Using Prism Element (PE) | 24

• The Microsoft AD servers supported are Windows Server 2012 R2,
Windows Server 2016, and Windows Server 2019.

• OpenLDAP: OpenLDAP is a free, open source directory service, which uses the
Lightweight Directory Access Protocol (LDAP), developed by the OpenLDAP
project. Nutanix currently supports the OpenLDAP 2.4 release running on CentOS
distributions only.
b. Name: Enter a directory name.
This is a name you choose to identify this entry; it need not be the name of an actual
directory.
c. Domain: Enter the domain name.
Enter the domain name in DNS format, for example, nutanix.com.

d. Directory URL: Enter the URL address to the directory.

The URL format is as follows for an LDAP entry: ldap://host:ldap_port_num. The host
value is either the IP address or fully qualified domain name. (In some environments, a
simple domain name is sufficient.) The default LDAP port number is 389. Nutanix also
supports LDAPS (port 636) and LDAP/S Global Catalog (ports 3268 and 3269). The
following are example configurations appropriate for each port option:

Note: LDAPS support does not require custom certificates or certificate trust import.

• Port 389 (LDAP). Use this port number (in the following URL form) when the
configuration is single domain, single forest, and not using SSL.
ldap://ad_server.mycompany.com:389

• Port 636 (LDAPS). Use this port number (in the following URL form) when the
configuration is single domain, single forest, and using SSL. This requires all Active
Directory Domain Controllers have properly installed SSL certificates.
ldaps://ad_server.mycompany.com:636

Note: The LDAP server SSL certificate must include a Subject Alternative Name
(SAN) that matches the URL provided during the LDAPS setup.

• Port 3268 (LDAP - GC). Use this port number when the configuration is multiple
domain, single forest, and not using SSL.
• Port 3269 (LDAPS - GC). Use this port number when the configuration is multiple
domain, single forest, and using SSL.

Note: When constructing your LDAP/S URL to use a Global Catalog server, ensure
that the Domain Control IP address or name being used is a global catalog server
within the domain being configured. If not, queries over 3268/3269 may fail.

Note: When querying the global catalog, the users sAMAccountName field must be
unique across the AD forest. If the sAMAccountName field is not unique across the
subdomains, authentication may fail intermittently or consistently.

Note: For the complete list of required ports, see Port Reference.

AOS Security | Security Management Using Prism Element (PE) | 25

e. (OpenLDAP only) Configure the following additional fields:
1. User Object Class: Enter the value that uniquely identifies the object class of a user.
2. User Search Base: Enter the base domain name in which the users are configured.
3. Username Attribute: Enter the attribute to uniquely identify a user.
4. Group Object Class: Enter the value that uniquely identifies the object class of a
group.
5. Group Search Base: Enter the base domain name in which the groups are configured.
6. Group Member Attribute: Enter the attribute that identifies users in a group.
7. Group Member Attribute Value: Enter the attribute that identifies the users provided
as value for Group Member Attribute.
f. Search Type. How to search your directory when authenticating. Choose Non Recursive
if you experience slow directory logon performance. For this option, ensure that users
listed in Role Mapping are listed flatly in the group (that is, not nested). Otherwise,
choose the default Recursive option.
g. Service Account Username: Enter the service account user name in the
[email protected] format that you want the web console to use to log in to the Active
Directory.
A service account is created to run only a particular service or application with the
credentials specified for the account. According to the requirement of the service or
application, the administrator can limit access to the service account.
A service account is under the Managed Service Accounts in the Active Directory server.
An application or service uses the service account to interact with the operating system.

AOS Security | Security Management Using Prism Element (PE) | 26

Enter your Active Directory service account credentials in this (username) and the
following (password) field.

Note: Be sure to update the service account credentials here whenever the service
account password changes or when a different service account is used.

h. Service Account Password: Enter the service account password.

i. When all the fields are correct, click the Save button (lower right).
This saves the configuration and redisplays the Authentication Configuration dialog box.
The configured directory now appears in the Directory List tab.
j. Repeat this step for each authentication directory you want to add.

Note:

• The Controller VMs need access to the Active Directory server, so open the
standard Active Directory ports to each Controller VM in the cluster (and the
virtual IP if one is configured).
• No permissions are granted to the directory users by default. To grant
permissions to the directory users, you must specify roles for the users in that
directory (see Assigning Role Permissions on page 33).
• Service account for both Active directory and openLDAP must have full read
permission on the directory service. Additionally, for successful Prism Element
authentication, the users must also have search or read privileges.

AOS Security | Security Management Using Prism Element (PE) | 27

Figure 2: Directory List Tab

4.
To edit a directory entry, click the Directory List tab and then click the pencil icon for
that entry.
After clicking the pencil icon, the Directory List fields reappear (see step 3). Enter the new
information in the appropriate fields and then click the Save button.

5. To delete a directory entry, click the Directory List tab and then click the X icon for that
entry.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK
button. The entry is removed from the list.

AOS Security | Security Management Using Prism Element (PE) | 28

6. To enable client authentication, do the following:

a. Click the Client tab.

b. Select the Configure Client Chain Certificate check box.
Client Chain Certificate is a list of certificates that includes all intermediate CA and root-
CA certificates.

Note: To authenticate on the PE with Client Chain Certificate the 'Subject name’ field must
be present. The subject name should match the userPrincipalName (UPN) in the AD. The
UPN is a username with domain address. For example [email protected].

Figure 3: Client Tab (1)

c. Click the Choose File button, browse to and select a client chain certificate to upload, and
then click the Open button to upload the certificate.

Note: Uploaded certificate files must be PEM encoded. The web console restarts after the
upload step.

AOS Security | Security Management Using Prism Element (PE) | 29

Figure 4: Client Tab (2)
d. To enable client authentication, click Enable Client Authentication.
e. To modify client authentication, do one of the following:

Note: The web console restarts when you change these settings.

• Click Enable Client Authentication to disable client authentication.

AOS Security | Security Management Using Prism Element (PE) | 30

Figure 5: Authentication Window: Client Tab (3)
Client authentication allows you to securely access the Prism by exchanging a digital
certificate. Prism will validate that the certificate is signed by your organization’s trusted
signing certificate.
Client authentication ensures that the Nutanix cluster gets a valid certificate from the user.
Normally, a one-way authentication process occurs where the server provides a certificate
so the user can verify the authenticity of the server (see Installing an SSL Certificate on
page 51). When client authentication is enabled, this becomes a two-way authentication
where the server also verifies the authenticity of the user. A user must provide a valid
certificate when accessing the console either by installing the certificate on their local
machine or by providing it through a smart card reader. Providing a valid certificate enables
user login from a client machine with the relevant user certificate without utilizing user name
and password. If the user is required to login from a client machine which does not have the
certificate installed, then authentication using user name and password is still available.

Note: The CA must be the same for both the client chain certificate and the certificate on the
local machine or smart card.

AOS Security | Security Management Using Prism Element (PE) | 31

7. To specify a service account that the web console can use to log in to Active Directory and
authenticate Common Access Card (CAC) users, select the Configure Service Account
check box, and then do the following in the indicated fields:

Figure 6: Common Access Card Authentication

a. Directory: Select the authentication directory that contains the CAC users that you want
to authenticate.
This list includes the directories that are configured on the Directory List tab.
b. Service Username: Enter the user name in the user [email protected] format that you want
the web console to use to log in to the Active Directory.
c. Service Password: Enter the password for the service user name.

AOS Security | Security Management Using Prism Element (PE) | 32

d. Click Enable CAC Authentication.

Note: Enabling CAC disables all other directory service and local user logons, only the
local admin user logon is permitted in this case.

Note: For federal customers only.

Note: The web console restarts after you change this setting.

The Common Access Card (CAC) is a smart card about the size of a credit card, which some
organizations use to access their systems. After you insert the CAC into the CAC reader
connected to your system, the software in the reader prompts you to enter a PIN. After you
enter a valid PIN, the software extracts your personal certificate that represents you and
forwards the certificate to the server using the HTTP protocol.
Nutanix Prism verifies the certificate as follows:

• Validates that the certificate has been signed by your organization’s trusted signing
certificate.
• Extracts the Electronic Data Interchange Personal Identifier (EDIPI) from the certificate
and uses the EDIPI to check the validity of an account within the Active Directory. The
security context from the EDIPI is used for your PRISM session.
• Prism Element supports both certificate authentication and basic authentication in order
to handle both Prism Element login using a certificate and allowing REST API to use
basic authentication. It is physically not possible for REST API to use CAC certificates.
With this behavior, if the certificate is present during Prism Element login, the certificate
authentication is used. However, if the certificate is not present, basic authentication is
enforced and used.

Note: Nutanix Prism does not support OpenLDAP as directory service for CAC.

If you map a Prism role to a CAC user and not to an Active Directory group or organizational
unit to which the user belongs, specify the EDIPI (User Principal Name, or UPN) of that
user in the role mapping. A user who presents a CAC with a valid certificate is mapped to
a role and taken directly to the web console home page. The web console login page is not
displayed.

Note: If you have logged on to Prism by using CAC authentication, to successfully log out of
Prism, close the browser after you click Log Out.

8. Click the Close button to close the Authentication Configuration dialog box.

Assigning Role Permissions

About this task

When user authentication is enabled for a directory service (see Configuring Authentication on
page 23), the directory users do not have any permissions by default. To grant permissions
to the directory users, you must specify roles for the users (with associated permissions) to
organizational units (OUs), groups, or individuals within a directory.
If you are using Active Directory, you must also assign roles to entities or users, especially
before upgrading from a previous AOS version.
To assign roles, do the following:

AOS Security | Security Management Using Prism Element (PE) | 33

Procedure

1. In the web console, click the gear icon in the main menu and then select Role Mapping in the
Settings page.
The Role Mapping window appears.

Figure 7: Role Mapping Window

AOS Security | Security Management Using Prism Element (PE) | 34

2. To create a role mapping, click the New Mapping button.
The Create Role Mapping window appears. Do the following in the indicated fields:

a. Directory: Select the target directory from the pull-down list.

Only directories previously defined when configuring authentication appear in this list.
If the desired directory does not appear, add that directory to the directory list (see
Configuring Authentication on page 23) and then return to this procedure.
b. LDAP Type: Select the desired LDAP entity type from the pull-down list.
The entity types are GROUP, USER, and OU.
c. Role: Select the user role from the pull-down list.
There are three roles from which to choose:

• Viewer: This role allows a user to view information only. It does not provide permission
to perform any administrative tasks.
• Cluster Admin: This role allows a user to view information and perform any
administrative task (but not create or modify user accounts).
• User Admin: This role allows the user to view information, perform any administrative
task, and create or modify user accounts.
d. Values: Enter the case-sensitive entity names (in a comma separated list with no spaces)
that should be assigned this role.
The values are the actual names of the organizational units (meaning it applies to all users
in those OUs), groups (all users in those groups), or users (each named user) assigned this
role. For example, entering value "admin-gp,support-gp" when the LDAP type is GROUP
and the role is Cluster Admin means all users in the admin-gp and support-gp groups
should be assigned the cluster administrator role.

Note:

• Do not include a domain in the value, for example enter just admin-gp, not
[email protected]. However, when users log into the web console, they
need to include the domain in their user name.
• The AD user UPN must be in the user@domain_name format.
• When an admin defines user role mapping using an AD with forest setup, the
admin can map to the user with the same name from any domain in the forest
setup. To avoid this case, set up the user-role mapping with AD that has a
specific domain setup.

e. When all the fields are correct, click Save.

This saves the configuration and redisplays the Role Mapping window. The new role map
now appears in the list.

Note: All users in an authorized service directory have full administrator permissions when
role mapping is not defined for that directory. However, after creating a role map, any

AOS Security | Security Management Using Prism Element (PE) | 35

users in that directory that are not explicitly granted permissions through the role mapping
are denied access (no permissions).

f. Repeat this step for each role map you want to add.
You can create a role map for each authorized directory. You can also create multiple
maps that apply to a single directory. When there are multiple maps for a directory, the
most specific rule for a user applies. For example, adding a GROUP map set to Cluster
Admin and a USER map set to Viewer for select users in that group means all users in
the group have administrator permission except those specified users who have viewing
permission only.

Figure 8: Create Role Mapping Window

3.
To edit a role map entry, click the pencil icon for that entry.
After clicking the pencil icon, the Edit Role Mapping window appears, which contains the
same fields as the Create Role Mapping window (see step 2). Enter the new information in
the appropriate fields and then click the Save button.

4. To delete a role map entry, click the "X" icon for that entry.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK
button. The entry is removed from the list.

5. Click the Close button to close the Role Mapping window.

Certificate Revocation Checking

Enabling Certificate Revocation Checking using Online Certificate Status Protocol (nCLI)

About this task

OCSP is the recommended method for checking certificate revocation in client authentication.
You can enable certificate revocation checking using the OSCP method through the command
line interface (nCLI).
To enable certificate revocation checking using OCSP for client authentication, do the following.

AOS Security | Security Management Using Prism Element (PE) | 36

Procedure

1. Set the OCSP responder URL.

ncli authconfig set-certificate-revocation set-ocsp-responder=<ocsp url><ocsp url> indicates
the location of the OCSP responder.

2. Verify if OCSP checking is enabled.

ncli authconfig get-client-authentication-config

The expected output if certificate revocation checking is enabled successfully is as follows.

Auth Config Status: true
File Name: ca.cert.pem
OCSP Responder URI: http://<ocsp-responder-url>

Enabling Certificate Revocation Checking using Certificate Revocation Lists (nCLI)

About this task

Note: OSCP is the recommended method for checking certificate revocation in client
authentication.

You can use the CRL certificate revocation checking method if required, as described in this
section.
To enable certificate revocation checking using CRL for client authentication, do the following.

Procedure
Specify all the CRLs that are required for certificate validation.
ncli authconfig set-certificate-revocation set-crl-uri=<uri 1>,<uri 2> set-crl-refresh-
interval=<refresh interval in seconds> set-crl-expiration-interval=<expiration interval in
seconds>

• The above command resets any previous OCSP or CRL configurations.

• The URIs must be percent-encoded and comma separated.
• The CRLs are updated periodically as specified by the crl-refresh-interval value. This
interval is common for the entire list of CRL distribution points. The default value for this is
86400 seconds (1 day).
• The periodically updated CRLs are cached in-memory for the duration specified by value
of set-crl-expiration-interval and expired after the duration, in case a particular CRL
distribution point is not reachable. This duration is configured for the entire list of CRL
distribution points. The default value for this is 604800 seconds (7 days).

Authentication Best Practices

The authentication best practices listed here are guidance to secure the Nutanix platform by
using the most common authentication security measures.

Emergency Local Account Usage

You must use the admin account as a local emergency account. The admin account ensures
that both the Prism Web Console and the Controller VM are available when the external
services such as Active Directory is unavailable.

AOS Security | Security Management Using Prism Element (PE) | 37

Note: Local emergency account usage does not support any external access mechanisms,
specifically for the external application authentication or external Rest API authentication.

For all the external authentication, you must configure the cluster to use an external IAM service
such as Active Directory. You must create service accounts on the IAM and the accounts
must have access grants to the cluster through Prism web console user account management
configuration for authentication.

Modifying Default Passwords

You must change the default Controller VM password for nutanix user account by adhering to
the password complexity requirements.

Procedure

1. SSH to the Controller VM.

2. Change the "nutanix" user account password.

nutanix@cvm$ passwd nutanix

3. Respond to the prompts and provide the current and new root password.
Changing password for nutanix.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.

Note:

• Changing the user account password on one of the Controller VMs is applied to
all Controller VMs in the cluster.
• Ensure that you preserve the modified nutanix user password, since the local
authentication (PAM) module requires the previous password of the nutanix user
to successfully start the password reset process.
• For the root account, both the console and SSH direct login is disabled.
• It is recommended to use the admin user as the administrative emergency
account.

Controlling Cluster Access

About this task

Nutanix supports the Cluster lockdown feature. This feature enables key-based SSH access to
the Controller VM and AHV on the Host (only for nutanix/admin users).
Enabling cluster lockdown mode ensures that password authentication is disabled and only the
keys you have provided can be used to access the cluster resources. Thus making the cluster
more secure.
You can create a key pair (or multiple key pairs) and add the public keys to enable key-based
SSH access. However, when site security requirements do not allow such access, you can
remove all public keys to prevent SSH access.
To control key-based SSH access to the cluster, do the following:

AOS Security | Security Management Using Prism Element (PE) | 38

Note: Use this procedure to lock down access to the Controller VM and hypervisor host. In
addition, it is possible to lock down access to the hypervisor.

Procedure

1. Click the gear icon in the main menu and then select Cluster Lockdown in the Settings page.
The Cluster Lockdown dialog box appears. Enabled public keys (if any) are listed in this
window.

Figure 9: Cluster Lockdown Window

2. To disable (or enable) remote login access, uncheck (check) the Enable Remote Login with
Password box.
Remote login access is enabled by default.

3. To add a new public key, click the New Public Key button and then do the following in the
displayed fields:

a. Name: Enter a key name.

b. Key: Enter (paste) the key value into the field.

Note: Prism supports the following key types.

• RSA
• ECDSA

a. Click the Save button (lower right) to save the key and return to the main Cluster
Lockdown window.
There are no public keys available by default, but you can add any number of public keys.

4. To delete a public key, click the X on the right of that key line.

Note: Deleting all the public keys and disabling remote login access locks down the cluster
from SSH access.

Setup Admin Session Timeout

By default, the users are logged out automatically after being idle for 15 minutes. You can
change the session timeout for users and configure to override the session timeout by following
the steps shown below.

AOS Security | Security Management Using Prism Element (PE) | 39

Procedure

1. Click the gear icon in the main menu and then select UI Settings in the Settings page.

2. Select the session timeout for the current user from the Session Timeout For Current User
drop-down list.

Figure 10: Session Timeout Settings

3. Select the appropriate option from the Session Timeout Override drop-down list to override
the session timeout.

Password Retry Lockout

For enhanced security, Prism Element locks out the admin account for a period of 15 minutes
after a default number of unsuccessful login attempts. Once the account is locked out, the
following message is displayed at the logon screen.
Account locked due to too many failed attempts
You can attempt entering the password after the 15 minutes lockout period, or contact Nutanix
Support in case you have forgotten your password.

Internationalization (i18n)
The following table lists all the supported and unsupported entities in UTF-8 encoding.

Table 2: Internationalization Support

Supported Entities Unsupported Entities

Cluster name Acropolis file server

Storage Container name Share path

Storage pool Internationalized domain names

VM name E-mail IDs

AOS Security | Security Management Using Prism Element (PE) | 40

Supported Entities Unsupported Entities

Snapshot name Hostnames

Volume group name Integers

Protection domain name Password fields

Remote site name Any Hardware related names ( for example,

vSwitch, iSCSCI initiator, vLAN name)

User management

Chart name

Caution: The creation of none of the above entities are supported on Hyper-V because of the DR
limitations.

Entities Support (ASCII or non-ASCII) for the Active Directory Server

• In the New Directory Configuration, Name field is supported in non-ASCII.

• In the New Directory Configuration, Domain field is not supported in non-ASCII.
• In Role mapping, Values field is supported in non-ASCII.
• User names and group names are supported in non-ASCII.

User Management
Nutanix user accounts can be created or updated as needed using the Prism web console.

• The web console allows you to add (see Creating a User Account on page 41), edit (see
Updating a User Account on page 44), or delete (see Deleting a User Account (Local) on
page 50) local user accounts at any time.
•
You can reset the local user account password using nCLI if you are locked out and cannot
login to the Prism Element or Prism Central web console ( see Resetting Password (CLI) on
page 49).
• You can also configure user accounts through Active Directory and LDAP (see Configuring
Authentication on page 23). Active Directory domain created by using non-ASCII text
may not be supported.

Note: In addition to the Nutanix user account, there are IPMI, Controller VM, and hypervisor host
users. Passwords for these accounts cannot be changed through the web console.

Creating a User Account

About this task

The admin user is created automatically when you get a Nutanix system, but you can add more
users as needed. Note that you cannot delete the admin user. To create a user, do the following:

Note: You can also configure user accounts through Active Directory (AD) and LDAP (see
Configuring Authentication on page 23).

AOS Security | Security Management Using Prism Element (PE) | 41

Procedure

1. Click the gear icon in the main menu and then select Local User Management in the Settings
page.
The User Management dialog box appears.

Figure 11: User Management Window

2. To add a user, click the New User button and do the following in the displayed fields:

a. Username: Enter a user name.

b. First Name: Enter a first name.
c. Last Name: Enter a last name.
d. Email: Enter a valid user email address.

Note: AOS uses the email address for client authentication and logging when the local
user performs user and cluster tasks in the web console.

e. Password: Enter a password (maximum of 255 characters).

A second field to verify that the password is not included, so be sure to enter the
password correctly in this field.
f. Language: Select the language setting for the user.
By default English is selected. You can select Simplified Chinese or Japanese. Depending
on the language that you select here, the cluster locale is be updated for the new user.
For example, if you select Simplified Chinese, the next time that the new user logs on to
the web console, the user interface is displayed in Simplified Chinese.
g. Roles: Assign a role to this user.

• Select the User Admin box to allow the user to view information, perform any
administrative task, and create or modify user accounts. (Checking this box
automatically selects the Cluster Admin box to indicate that this user has full
permissions. However, a user administrator has full permissions regardless of whether
the cluster administrator box is checked.)
• Select the Cluster Admin box to allow the user to view information and perform any
administrative task (but not create or modify user accounts).

AOS Security | Security Management Using Prism Element (PE) | 42

• Select the Backup Admin box to allow the user to perform backup-related
administrative tasks. This role does not have permission to perform cluster or user
tasks.

Note: Backup admin user is designed for Nutanix Mine integrations as of AOS version
5.19 and has minimal functionality in cluster management. This role has restricted access
to the Nutanix Mine cluster.

• Health, Analysis, and Tasks features are available in read-only mode.

• The File server and Data Protection options in the web console are not
available for this user.
• The following features are available for Backup Admin users with limited
functionality.

•
• Home - The user cannot a register a cluster with Prism Central. The
registration widget is disabled. Other read-only data is displayed and
available.
• Alerts - Alerts and events are displayed. However, the user cannot
resolve or acknowledge any alert or event. The user cannot configure
Alert Policy or Email configuration.
• Hardware - The user cannot expand the cluster or remove hosts from
the cluster. Read-only data is displayed and available.
• Network - Networking data or configuration is displayed but
configuration options are not available.
• Settings - The user can only upload a new image using the Settings
page.
• VM - The user cannot configure options like Create VM and Network
Configuration in the VM page. The following options are available for
the user in the VM page:

Unordered
Launch console
List bullet 5
Unordered
Power OnList bullet 5
Unordered
Power Off
List bullet 5

AOS Security | Security Management Using Prism Element (PE) | 43

• Leaving all the boxes unchecked allows the user to view information, but it does not
provide permission to perform cluster or user tasks.
h. When all the fields are correct, click Save.
This saves the configuration and the web console redisplays the dialog box with the new
user-administrative appearing in the list.

Figure 12: Create User Window

Updating a User Account

About this task

Update credentials and change the role for an existing user by using this procedure.

Note: To update your account credentials (that is, the user you are currently logged on as),
see Updating My Account on page 46. Changing the password for a different user is not
supported; you must log in as that user to change the password.

Procedure

1. Click the gear icon in the main menu and then select Local User Management in the Settings
page.
The User Management dialog box appears.

AOS Security | Security Management Using Prism Element (PE) | 44

2. Enable or disable the login access for a user by clicking the toggle text Yes (enabled) or No
(disabled) in the Enabled column.
A Yes value in the Enabled column means that the login is enabled; a No value in the
Enabled column means it is disabled.

Note: A user account is enabled (login access activated) by default.

3. To edit the user credentials, click the pencil icon for that user and update one or more of the
values in the displayed fields:

a. Username: The username is fixed when the account is created and cannot be changed.
b. First Name: Enter a different first name.
c. Last Name: Enter a different last name.
d. Email: Enter a different valid email address.

Note: AOS Prism uses the email address for client authentication and logging when the
local user performs user and cluster tasks in the web console.

e. Roles: Change the role assigned to this user.

AOS Security | Security Management Using Prism Element (PE) | 45

• Leaving all the boxes unchecked allows the user to view information, but it does not
provide permission to perform cluster or user-administrative administrative tasks.
f. Reset Password: Change the password of this user.
Enter the new password for Password and Confirm Password fields. Click the info icon to
view the password complexity requirements.
g. When all the fields are correct, click Save.
This saves the configuration and redisplays the dialog box with the new user appearing in
the list.

Figure 13: Update User Window

Updating My Account

About this task

To update your account credentials (that is, credentials for the user you are currently logged in
as), do the following:

AOS Security | Security Management Using Prism Element (PE) | 46

Procedure

1. To update your password, select Change Password from the user icon pull-down list in
the web console.
The Change Password dialog box appears. Do the following in the indicated fields:

a. Current Password: Enter the current password.

b. New Password: Enter a new password.
c. Confirm Password: Re-enter the new password.
d. When the fields are correct, click the Save button (lower right). This saves the new
password and closes the window.

Note: You can change the password for the "admin" account only once per day. Please
contact Nutanix support if you need to update the password multiple times in one day

Figure 14: Change Password Window

AOS Security | Security Management Using Prism Element (PE) | 47

2. To update other details of your account, select Update Profile from the user icon pull-down
list.
The Update Profile dialog box appears. Update (as desired) one or more of the following
fields:

a. First Name: Enter a different first name.

b. Last Name: Enter a different last name.
c. Email: Enter a different valid user email address.
d. Language: Select a language for your account.
e. API Key: Enter the key value to use a new API key.
f. Public Key: Click the Choose File button to upload a new public key file.
g. When all the fields are correct, click the Save button (lower right). This saves the changes
and closes the window.

Figure 15: Update Profile Window

AOS Security | Security Management Using Prism Element (PE) | 48

Resetting Password (CLI)
This procedure describes how to reset a local user's password on the Prism Element or the
Prism Central web consoles.

About this task

To reset the password using nCLI, do the following:

Note:
Only a user with admin privileges can reset a password for other users.

Procedure

1. Access the CVM via SSH.

2. Log in with the admin credentials.

3. Use the ncli user reset-password command and specify the username and password of the
user whose password is to be reset:
nutanix@cvm$ ncli user reset-password user-name=xxxxx password=yyyyy

• Replace user-name=xxxxx with the name of the user whose password is to be reset.
• Replace password=yyyyy with the new password.

What to do next
You can relaunch the Prism Element or the Prism Central web console and verify the new
password setting.

Exporting an SSL Certificate for Third-party Backup Applications

Nutanix allows you to export an SSL certificate for Prism Element on a Nutanix cluster and use
it with third-party backup applications.

Procedure

1. Log on to a Controller VM in the cluster using SSH.

2. Run the following command to obtain the virtual IP address of the cluster:
nutanix@cvm$ ncli cluster info

The current cluster configuration is displayed.

Cluster Id : 0001ab12-abcd-efgh-0123-012345678m89::123456
Cluster Uuid : 0001ab12-abcd-efgh-0123-012345678m89
Cluster Name : three
Cluster Version : 6.0
Cluster Full Version : el7.3-release-fraser-6.0-a0b1c2345d6789ie123456fg789h1212i34jk5lm6
External IP address : 10.10.10.10
Node Count : 3
Block Count : 1
. . . . .

Note: The external IP address in the output is the virtual IP address of the cluster.

AOS Security | Security Management Using Prism Element (PE) | 49

3. Run the following command to enter into the Python prompt:
nutanix@cvm$ python

The Python prompt appears.

4. Run the following command to import the SSL library.

$ import ssl

5. From the Python console, run the following command to print the SSL certificate.
$ print ssl.get_server_certificate(('virtual_IP_address',9440),
ssl_version=ssl.PROTOCOL_TLSv1_2)

Example: Refer to the following example where virtual_IP_address value is replaced by

10.10.10.10.
$ print ssl.get_server_certificate(('10.10.10.10', 9440), ssl_version=ssl.PROTOCOL_TLSv1_2)

The SSL certificate is displayed on the console.

Deleting a User Account (Local)

About this task

To delete an existing user, do the following:

AOS Security | Security Management Using Prism Element (PE) | 50

Procedure

1. Click the gear icon in the main menu and then select Local User Management in the Settings
page.
The User Management dialog box appears.

Figure 16: User Management Window

2. Click the X icon for that user. Note that you cannot delete the admin user.
A window prompt appears to verify the action; click the OK button. The user account is
removed and the user no longer appears in the list.

Certificate Management
This chapter describes how to install and replace an SSL certificate for configuration and use on
the Nutanix Controller VM.

Note: Nutanix recommends that you check for the validity of the certificate periodically, and
replace the certificate if it is invalid.

Installing an SSL Certificate

About this task

Nutanix supports SSL certificate-based authentication for console access. To install a self-
signed or custom SSL certificate, do the following:

Important: Ensure that SSL certificates are not password protected.

Note:

• Nutanix recommends that customers replace the default self-signed certificate with
a CA signed certificate.
• SSL certificate (self-signed or signed by CA) can only be installed cluster-wide from
Prism. SSL certificates can not be customized for individual Controller VM.

AOS Security | Security Management Using Prism Element (PE) | 51

Procedure

1. Click the gear icon in the main menu and then select SSL Certificate in the Settings page.
The SSL Certificate dialog box appears.

Figure 17: SSL Certificate Window

2. To replace (or install) a certificate, click the Replace Certificate button.

3. To create a new self-signed certificate, click the Regenerate Self Signed Certificate option
and then click the Apply button.
A dialog box appears to verify the action; click the OK button. This generates and applies a
new RSA 2048-bit self-signed certificate for the Prism user interface.

Figure 18: SSL Certificate Window: Regenerate

AOS Security | Security Management Using Prism Element (PE) | 52

4. To apply a custom certificate that you provide, do the following:

a. Click the Import Key and Certificate option and then click the Next button.

Figure 19: SSL Certificate Window: Import

b. Do the following in the indicated fields, and then click the Import Files button.

Note:

• All the three imported files for the custom certificate must be PEM encoded.
• Ensure that the private key does not have any extra data (or custom
attributes) before the beginning (-----BEGIN CERTIFICATE-----) or after the
end (-----END CERTIFICATE-----) of the private key block.
• See Recommended Key Configurations on page 55 to ensure proper set of
key types, sizes/curves, and signature algorithms.

• Private Key Type: Select the appropriate type for the signed certificate from the pull-
down list (RSA 4096 bit, RSA 2048 bit, EC DSA 256 bit, or EC DSA 384 bit).
• Private Key: Click the Browse button and select the private key associated with the
certificate to be imported.
• Public Certificate: Click the Browse button and select the signed public portion of the
server certificate corresponding to the private key.
• CA Certificate/Chain: Click the Browse button and select the certificate or chain of the
signing authority for the public certificate.

AOS Security | Security Management Using Prism Element (PE) | 53

Figure 20: SSL Certificate Window: Select Files

In order to meet the high security standards of NIST SP800-131a compliance, the
requirements of the RFC 6460 for NSA Suite B, and supply the optimal performance for
encryption, the certificate import process validates the correct signature algorithm is
used for a given key/cert pair. See Recommended Key Configurations on page 55 to
ensure proper set of key types, sizes/curves, and signature algorithms. The CA must sign
all public certificates with proper type, size/curve, and signature algorithm for the import
process to validate successfully.

Note: There is no specific requirement for the subject name of the certificates (subject
alternative names (SAN) or wildcard certificates are supported in Prism).

You can use the cat command to concatenate a list of CA certificates into a chain file.
$ cat signer.crt inter.crt root.crt > server.cert

Order is essential. The total chain should begin with the certificate of the signer and end
with the root CA certificate as the final entry.

Results
After generating or uploading the new certificate, the interface gateway restarts. If the
certificate and credentials are valid, the interface gateway uses the new certificate immediately,
which means your browser session (and all other open browser sessions) will be invalid until
you reload the page and accept the new certificate. If anything is wrong with the certificate
(such as a corrupted file or wrong certificate type), the new certificate is discarded, and the
system reverts back to the original default certificate provided by Nutanix.

Note: The system holds only one custom SSL certificate. If a new certificate is uploaded, it
replaces the existing certificate. The previous certificate is discarded.

AOS Security | Security Management Using Prism Element (PE) | 54

Recommended Key Configurations
This table provides the Nutanix recommended set of key types, sizes/curves, and signature
algorithms.

Key Type Size/Curve Signature Algorithm

RSA 4096 SHA-256, SHA-384 or SHA512
RSA 2048 SHA-256, SHA-384 or SHA512
EC DSA 256 prime256v1 ecdsa-with-sha256
EC DSA 384 secp384r1 ecdsa-with-sha384
EC DSA 521 secp521r1 ecdsa-with-sha512

Note:

• Client and CAC authentication only supports RSA 2048 bit certificate.
• RSA 4096 bit certificates might not work with certain AOS and Prism Central
releases. Please see the release notes for your AOS and Prism Central versions.
Specifying an RSA 4096 bit certificate might cause multiple cluster services to
restart frequently. To work around the issue, see KB 12775.
• Certificate import fails if you attempt to upload SHA-1 certificate (including root CA).

Replacing a Certificate
Nutanix simplifies the process of certificate replacement to support the need of Certificate
Authority (CA) based chains of trust. Nutanix recommends you to replace the default supplied
self-signed certificate with a CA signed certificate.

Procedure

1. Login to the Prism and click the gear icon.

2. Click SSL Certificate.

3. Select Replace Certificate to replace the certificate.

AOS Security | Security Management Using Prism Element (PE) | 55

4. Do one of the following.

» Select Regenerate self signed certificate to generate a new self-signed certificate.

Note:

• This automatically generates and applies a certificate.

» Select Import key and certificate to import the custom key and certificate.
The following files are required and should be PEM encoded to import the keys and
certificate.

• The private key associated with the certificate. The below section describes generating a
private key in detail.
• The signed public portion of the server certificate corresponding to the private key.
• The CA certificate or chain of the signing authority for the certificate.

Note:
You must obtain the Public Certificate and CA Certificate/Chain from the certificate
authority.

Figure 21: Importing Certificate

Generating an RSA 4096 and RSA 2048 private key

AOS Security | Security Management Using Prism Element (PE) | 56

Tip: You can run the OpenSSL commands for generating private key and CSR on a Linux
client with OpenSSL installed.

Note: Some OpenSSL command parameters might not be supported on older OpenSSL
versions and require OpenSSL version 1.1.1 or above to work.

• Run the following OpenSSL command to generate a RSA 4096 private key and the
Certificate Signing Request (CSR).
openssl req -out server.csr -new -newkey rsa:4096
-nodes -sha256 -keyout server.key

• Run the following OpenSSL command to generate an RSA 2048 private key and the
Certificate Signing Request (CSR).
openssl req -out server.csr -new -newkey rsa:2048
-nodes -sha256 -keyout server.key

After executing the openssl command, the system prompts you to provide more details
that will be incorporated into your certificate. The mandatory fields are - Country Name,
State or Province Name, and Organization Name. The optional fields are - Locality Name,
Organizational Unit Name, Email Address, and Challenge Password.
Nutanix recommends including a DNS name for all CVMs in the certificate using the Subject
Alternative Name (SAN) extension. This avoids SSL certificate errors when you access a
CVM by direct DNS instead of the shared cluster IP. This example shows how to include a
DNS name while generating an RSA 4096 private key:
openssl req -out server.csr -new -newkey rsa:4096 -sha256 -nodes
-addext "subjectAltName = DNS:example.com"
-keyout server.key

For a 3-node cluster you can provide DNS name for all three nodes in a single command. For
example:
openssl req -out server.csr -new -newkey rsa:4096 -sha256 -nodes
-addext "subjectAltName = DNS:example1.com,DNS:example2.com,DNS:example3.com"
-keyout server.key

If you have added a SAN (subjectAltName) extension to your certificate, then every time you
add or remove a node from the cluster, you must add the DNS name when you generate or
sign a new certificate.
Generating an EC DSA 256 and EC DSA 384 private key

• Run the following OpenSSL command to generate a EC DSA 256 private key and the
Certificate Signing Request (CSR).
openssl ecparam -out dsakey.pem -name prime256v1 –genkey
openssl req -out dsacert.csr -new -key dsakey.pem -nodes -sha256

• Run the following OpenSSL command to generate a EC DSA 384 private key and the
Certificate Signing Request (CSR).
openssl ecparam -out dsakey.pem -name secp384r1 –genkey
openssl req -out dsacert.csr -new -key dsakey.pem -nodes –sha384

AOS Security | Security Management Using Prism Element (PE) | 57

proper set of key types, sizes/curves, and signature algorithms. The CA must sign all public
certificates with proper type, size/curve, and signature algorithm for the import process to
validate successfully.

Note: There is no specific requirement for the subject name of the certificates (subject
alternative names (SAN) or wildcard certificates are supported in Prism).

You can use the cat command to concatenate a list of CA certificates into a chain file.$ cat
signer.crt inter.crt root.crt > server.cert

Order is essential. The total chain should begin with the certificate of the signer and end with
the root CA certificate as the final entry.

5. If the CA chain certificate provided by the certificate authority is not in a single file, then run
the following command to concatenate the list of CA certificates into a chain file.
cat signer.crt inter.crt root.crt > server.cert

Note: The chain should start with the certificate of the signer and ends with the root CA
certificate.

6. Browse and add the Private Key, Public Certificate, and CA Certificate/Chain.

7. Click Import Files.

What to do next
Prism restarts and you must login to use the application.

Exporting an SSL Certificate for Third-party Backup Applications

Nutanix allows you to export an SSL certificate for Prism Element on a Nutanix cluster and use
it with third-party backup applications.

Procedure

1. Log on to a Controller VM in the cluster using SSH.

2. Run the following command to obtain the virtual IP address of the cluster:
nutanix@cvm$ ncli cluster info

The current cluster configuration is displayed.

Note: The external IP address in the output is the virtual IP address of the cluster.

3. Run the following command to enter into the Python prompt:

nutanix@cvm$ python

The Python prompt appears.

AOS Security | Security Management Using Prism Element (PE) | 58

4. Run the following command to import the SSL library.
$ import ssl

5. From the Python console, run the following command to print the SSL certificate.
$ print ssl.get_server_certificate(('virtual_IP_address',9440),
ssl_version=ssl.PROTOCOL_TLSv1_2)

Example: Refer to the following example where virtual_IP_address value is replaced by

10.10.10.10.
$ print ssl.get_server_certificate(('10.10.10.10', 9440), ssl_version=ssl.PROTOCOL_TLSv1_2)

The SSL certificate is displayed on the console.

Controlling Cluster Access

About this task
Nutanix supports the Cluster lockdown feature. This feature enables key-based SSH access to
the Controller VM and AHV on the Host (only for nutanix/admin users).
Enabling cluster lockdown mode ensures that password authentication is disabled and only the
keys you have provided can be used to access the cluster resources. Thus making the cluster
more secure.
You can create a key pair (or multiple key pairs) and add the public keys to enable key-based
SSH access. However, when site security requirements do not allow such access, you can
remove all public keys to prevent SSH access.
To control key-based SSH access to the cluster, do the following:

Note: Use this procedure to lock down access to the Controller VM and hypervisor host. In
addition, it is possible to lock down access to the hypervisor.

AOS Security | Security Management Using Prism Element (PE) | 59

Procedure

1. Click the gear icon in the main menu and then select Cluster Lockdown in the Settings page.
The Cluster Lockdown dialog box appears. Enabled public keys (if any) are listed in this
window.

Figure 22: Cluster Lockdown Window

2. To disable (or enable) remote login access, uncheck (check) the Enable Remote Login with
Password box.
Remote login access is enabled by default.

3. To add a new public key, click the New Public Key button and then do the following in the
displayed fields:

a. Name: Enter a key name.

b. Key: Enter (paste) the key value into the field.

Note: Prism supports the following key types.

• RSA
• ECDSA

a. Click the Save button (lower right) to save the key and return to the main Cluster
Lockdown window.
There are no public keys available by default, but you can add any number of public keys.

4. To delete a public key, click the X on the right of that key line.

Note: Deleting all the public keys and disabling remote login access locks down the cluster
from SSH access.

Data-at-Rest Encryption
Nutanix provides an option to secure data while it is at rest using either self-encrypted drives or
software-only encryption and key-based access management (cluster's native or external KMS
for software-only encryption).

Encryption Methods
Nutanix provides you with the following options to secure your data.

• Self Encrypting Drives (SED) Encryption - You can use a combination of SEDs and an
external KMS to secure your data while it is at rest.

AOS Security | Security Management Using Prism Element (PE) | 60

• Software-only Encryption - Nutanix AOS uses the AES-256 encryption standard to encrypt
your data. Once enabled, software-only data-at-rest encryption cannot be disabled, thus
protecting against accidental data leaks due to human errors. Software-only encryption
supports both Nutanix Native Key Manager (local and remote) and External KMS to secure
your keys.
Note the following points regarding data-at-rest encryption.

• Encryption is supported for AHV, ESXi, and Hyper-V.

• For ESXi and Hyper-V, software-only encryption can be implemented at a cluster level or
container level. For AHV, encryption can be implemented at the cluster level only.
• Nutanix recommends using cluster-level encryption. With the cluster-level encryption,
the administrative overhead of selecting different containers for the data storage gets
eliminated.
• Encryption cannot be disabled once it is enabled at a cluster level or container level.
• Encryption can be implemented on an existing cluster with data that exists. If encryption is
enabled on an existing cluster (AHV, ESXi, or Hyper-V), the unencrypted data is transformed
into an encrypted format in a low priority background task that is designed not to interfere
with other workload running in the cluster.
• Data can be encrypted using either self-encrypted drives (SEDs) or software-only
encryption. You can change the encryption method from SEDs to software-only. You can
perform the following configurations.

• For ESXi and Hyper-V clusters, you can switch from SEDs and External Key Management
(EKM) combination to software-only encryption and EKM combination. First, you must
disable the encryption in the cluster where you want to change the encryption method.
Then, select the cluster and enable encryption to transform the unencrypted data into an
encrypted format in the background.
• For AHV, background encryption is supported.
• Once the task to encrypt a cluster begins, you cannot cancel the operation. Even if you stop
and restart the cluster, the system resumes the operation.
• In the case of mixed clusters with ESXi and AHV nodes, where the AHV nodes are used for
storage only, the encryption policies consider the cluster as an ESXi cluster. So, the cluster-
level and container-level encryption are available.
• You can use a combination of SED and non-SED drives in a cluster. After you encrypt a
cluster using the software-only encryption, all the drives are considered as unencrypted
drives. In case you switch from the SED encryption to the software-only encryption, you can
add SED or non-SED drives to the cluster.
• Data is not encrypted when it is replicated to another cluster. You must enable the
encryption for each cluster. Data is encrypted as a part of the write operation and decrypted
as a part of the read operation. During the replication process, the system reads, decrypts,
and then sends the data over to the other cluster. You can use a third-party network solution
if there a requirement to encrypt the data during the transmission to another cluster.
• Software-only encryption does not impact the data efficiency features such as deduplication,
compression, erasure coding, zero block suppression, and so on. The software encryption
is the last data transformation performed. For example, during the write operation,
compression is performed first, followed by encryption.

AOS Security | Security Management Using Prism Element (PE) | 61

Key Management
Nutanix supports a Native Key Management Server, also called Local Key Manager (LKM),
thus avoiding the dependency on an External Key Manager (EKM). Cluster localised Key
Management Service support requires a minimum of 3-node in a cluster and is supported only
for software-only encryption. So, 1-node and 2-node clusters can use either the Native KMS
(remote) option or an EKM. .
The following types of keys are used for encryption.

• Data Encryption Key (DEK) - A symmetric key, such as AES-256, that is used to encrypt the
data.
• Key Encryption Key (KEK) - This key is used to encrypt or decrypt the DEK.
Note the following points regarding the key management.

• Nutanix does not support the use of the Local Key Manager with a third party External Key
Manager.
• Dual encryption (both SED and software-only encryption) requires an EKM. For more
information, see Configuring Dual Encryption on page 90.
• You can switch from an EKM to LKM, and inversely. For more information, see Switching
between Native Key Manager and External Key Manager on page 86.
• Rekey of keys stored in the Native KMS is supported for the Leader Keys. For more
information, see Changing Key Encryption Keys (SEDs) on page 73 and Changing Key
Encryption Keys (Software Only) on page 87.
• You must back up the keys stored in the Native KMS. For more information, see Backing up
Keys on page 90.
• You must backup the encryption keys whenever you create a new container or remove an
existing container. Nutanix Cluster Check (NCC) checks the status of the backup and sends
an alert if you do not take a backup at the time of creating or removing a container.

Data-at-Rest Encryption (SEDs)

For customers who require enhanced data security, Nutanix provides a data-at-rest security
option using Self Encrypting Drives (SEDs) included in the Ultimate license.

Note: If you are running the AOS Pro License on G6 platforms and above, you can use SED
encryption by installing an add-on license.

Following features are supported:

• Data is encrypted on all drives at all times.

• Data is inaccessible in the event of drive or node theft.
• Data on a drive can be securely destroyed.
• A key authorization method allows password rotation at arbitrary times.
• Protection can be enabled or disabled at any time.
• No performance penalty is incurred despite encrypting all data.
• Re-key of the leader encryption key (MEK) at arbitrary times is supported.

AOS Security | Security Management Using Prism Element (PE) | 62

Note: If an SED cluster is present, then while executing the data-at-rest encryption, you will get
an option to either select data-at-rest encryption using SEDs or data-at-rest encryption using
AOS.

Figure 23: SED and AOS Options

Note: This solution provides enhanced security for data on a drive, but it does not secure data in
transit.

Data Encryption Model

To accomplish these goals, Nutanix implements a data security configuration that uses SEDs
with keys maintained through a separate key management device. Nutanix uses open standards
(TCG and KMIP protocols) and FIPS validated SED drives for interoperability and strong
security.

Figure 24: Cluster Protection Overview

This configuration involves the following workflow:

1. The security implementation begins by installing SEDs for all data drives in a cluster.
The drives are FIPS 140-2 validated and use FIPS 140-2 validated cryptographic modules.
Creating a new cluster that includes SEDs only is straightforward, but an existing cluster can
be converted to support data-at-rest encryption by replacing the existing drives with SEDs
(after migrating all the VMs/vDisks off of the cluster while the drives are being replaced).

Note: Contact Nutanix customer support for assistance before attempting to convert an
existing cluster. A non-protected cluster can contain both SED and standard drives, but
Nutanix does not support a mixed cluster when protection is enabled. All the disks in a
protected cluster must be SED drives.

AOS Security | Security Management Using Prism Element (PE) | 63

2. Data on the drives is always encrypted but read or write access to that data is open. By
default, the access to data on the drives is protected by the in-built manufacturer key.
However, when data protection for the cluster is enabled, the Controller VM must provide
the proper key to access data on a SED. The Controller VM communicates with the SEDs
through a Trusted Computing Group (TCG) Security Subsystem Class (SSC) Enterprise
protocol.
A symmetric data encryption key (DEK) such as AES 256 is applied to all data being written
to or read from the disk. The key is known only to the drive controller and never leaves the
physical subsystem, so there is no way to access the data directly from the drive.
Another key, known as a key encryption key (KEK), is used to encrypt/decrypt the DEK and
authenticate to the drive. (Some vendors call this the authentication key or PIN.)
Each drive has a separate KEK that is generated through the FIPS compliant random number
generator present in the drive controller. The KEK is 32 bytes long to resist brute force
attacks. The KEKs are sent to the key management server for secure storage and later
retrieval; they are not stored locally on the node (even though they are generated locally).
In addition to the above, the leader encryption key (MEK) is used to encrypt the KEKs.
Each node maintains a set of certificates and keys in order to establish a secure connection
with the external key management server.
3. Keys are stored in a key management server that is outside the cluster, and the Controller
VM communicates with the key management server using the Key Management
Interoperability Protocol (KMIP) to upload and retrieve drive keys.
Only one key management server device is required, but it is recommended that multiple
devices are employed so the key management server is not a potential single point of failure.
Configure the key manager server devices to work in clustered mode so they can be added
to the cluster configuration as a single entity that is resilient to a single failure.
4. When a node experiences a full power off and power on (and cluster protection is enabled),
the controller VM retrieves the drive keys from the key management server and uses them to
unlock the drives.
If the Controller VM cannot get the correct keys from the key management server, it cannot
access data on the drives.
If a drive is re-seated, it becomes locked.
If a drive is stolen, the data is inaccessible without the KEK (which cannot be obtained from
the drive). If a node is stolen, the key management server can revoke the node certificates to
ensure they cannot be used to access data on any of the drives.

Preparing for Data-at-Rest Encryption (External KMS for SEDs and Software Only)

About this task

Caution: DO NOT HOST A KEY MANAGEMENT SERVER VM ON THE ENCRYPTED CLUSTER

THAT IS USING IT!
Doing so could result in complete data loss if there is a problem with the VM while it is
hosted in that cluster.

If you are using an external KMS for encryption using AOS, preparation steps outside the
web console are required. The information in this section is applicable if you choose to use an
external KMS for configuring encryption.
You must install the license of the external key manager for all nodes in the cluster. See
Compatibility and Interoperability Matrix for a complete list of the supported key management

AOS Security | Security Management Using Prism Element (PE) | 64

servers. For instructions on how to configure a key management server, refer to the
documentation from the appropriate vendor.
The system accesses the EKM under the following conditions:

• Starting a cluster
• Regenerating a key (key regeneration occurs automatically every year by default)
• Adding or removing a node (only when Self Encrypting Drives is used for encryption)
• Switching between Native to EKM or EKM to Native
• Starting, and restarting a service (only if Software-based encryption is used)
• Upgrading AOS (only if Software-based encryption is used)
• NCC heartbeat check if EKM is alive

Procedure

1. Configure a key management server.

The key management server devices must be configured into the network so the cluster
has access to those devices. For redundant protection, it is recommended that you employ
at least two key management server devices, either in active-active cluster mode or stand-
alone.

Note: The key management server must support KMIP version 1.0 or later.

» SafeNet
Ensure that Security > High Security > Key Security > Disable Creation and Use of Global
Keys is checked.

» Vormetric
Set the appliance to compatibility mode. Suite B mode causes the SSL handshake to fail.

2. Generate a certificate signing request (CSR) for each node in the cluster.

• The Common Name field of the CSR is populated automatically with

unique_node_identifier.nutanix.com to identify the node associated with the certificate.

Tip: After generating the certificate from Prism, (if required) you can update the custom
common name (CN) setting by running the following command using nCLI.
ncli data-at-rest-encryption-certificate update-csr-information domain-
name=abcd.test.com

In the above command example, replace "abcd.test.com" with the actual domain
name.

• A UID field is populated with a value of Nutanix. This can be useful when configuring a
Nutanix group for access control within a key management server, since it is based on
fields within the client certificates.

Note: Some vendors when doing client certificate authentication expect the client username
to be a field in the CSR. While the CN and UID are pre-generated, many of the user populated
fields can be used instead if desired. If a node-unique field such as CN is chosen, users

AOS Security | Security Management Using Prism Element (PE) | 65

must be created on a per node basis for access control. If a cluster-unique field is chosen,
customers must create a user for each cluster.

3. Send the CSRs to a certificate authority (CA) and get them signed.

» Safenet
The SafeNet KeySecure key management server includes a local CA option to generate
signed certificates, or you can use other third-party vendors to create the signed
certificates.
To enable FIPS compliance, add user nutanix to the CA that signed the CSR. Under
Security > High Security > FIPS Compliance click Set FIPS Compliant.

Note: Some CAs strip the UID field when returning a signed certificate.

To comply with FIPS, Nutanix does not support the creation of global keys.
In the SafeNet KeySecure management console, go to Device > Key Server > Key Server >
KMIP Properties > Authentication Settings.
Then do the following:

• Set the Username Field in Client Certificate option to UID (User ID).
• Set the Client Certificate Authentication option to Used for SSL session and username.
If you do not perform these settings, the KMS creates global keys and fails to encrypt the
clusters or containers using the software only method.

4. Upload the signed SSL certificates (one for each node) and the certificate for the CA to the
cluster. These certificates are used to authenticate with the key management server.

5. Generate keys (KEKs) for the SED drives and upload those keys to the key management
server.

Configuring Data-at-Rest Encryption (SEDs)

Nutanix offers an option to use self-encrypting drives (SEDs) to store data in a cluster. When
SEDs are used, there are several configuration steps that must be performed to support data-
at-rest encryption in the cluster.

Before you begin

A separate key management server is required to store the keys outside of the cluster. Each
key management server device must be configured and addressable through the network. It
is recommended that multiple key manager server devices be configured to work in clustered
mode so they can be added to the cluster configuration as a single entity (see step 5) that is
resilient to a single failure.

About this task

To configure cluster encryption, do the following:

AOS Security | Security Management Using Prism Element (PE) | 66

Procedure

1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings
page.
The Data at Rest Encryption dialog box appears. Initially, encryption is not configured, and a
message to that effect appears.

Figure 25: Data at Rest Encryption Screen (initial)

2. Click the Create Configuration button.

Clicking the Continue Configuration button, configure it link, or Edit Config button does the
same thing, which is display the Data-at-Rest Encryption configuration page.

3. Select the Encryption Type as Drive-based Encryption. This option is displayed only when
SEDs are detected.

AOS Security | Security Management Using Prism Element (PE) | 67

4. In the Certificate Signing Request Information section, do the following:

Figure 26: Certificate Signing Request Section

a. Enter appropriate credentials for your organization in the Email, Organization,

Organizational Unit, Country Code, City, and State fields and then click the Save CSR Info
button.
The entered information is saved and is used when creating a certificate signing request
(CSR). To specify more than one Organization Unit name, enter a comma separated list.

Note: You can update this information until an SSL certificate for a node is uploaded to
the cluster, at which point the information cannot be changed (the fields become read
only) without first deleting the uploaded certificates.

b. Click the Download CSRs button, and then in the new screen click the Download CSRs
for all nodes to download a file with CSRs for all the nodes or click a Download link to
download a file with the CSR for that node.

Figure 27: Download CSRs Screen

c. Send the files with the CSRs to the desired certificate authority.
The certificate authority creates the signed certificates and returns them to you. Store the
returned SSL certificates and the CA certificate where you can retrieve them in step 6.

AOS Security | Security Management Using Prism Element (PE) | 68

• The certificates must be X.509 format. (DER, PKCS, and PFX formats are not
supported.)
• The certificate and the private key should be in separate files.

5. In the Key Management Server section, do the following:

Figure 28: Key Management Server Section

a. Click the Add New Key Management Server button.

b. In the Add a New Key Management Server screen, enter a name, IP address, and port
number for the key management server in the appropriate fields.
The port is where the key management server is configured to listen for the KMIP
protocol. The default port number is 5696. For the complete list of required ports, see
Port Reference.

» If you have configured multiple key management servers in cluster mode, click the Add
Address button to provide the addresses for each key management server device in
the cluster.
» If you have stand-alone key management servers, click the Save button. Repeat this
step (Add New Key Management Server button) for each key management server
device to add.

Note: If your key management servers are configured into a leader/follower (active/
passive) relationship and the architecture is such that the follower cannot accept write
requests, do not add the follower into this configuration. The system sends requests

AOS Security | Security Management Using Prism Element (PE) | 69

(read or write) to any configured key management server, so both read and write
access is needed for key management servers added here.

Note: To prevent potential configuration problems, always use the Add Address button
for key management servers configured into cluster mode. Only a stand-alone key
management server should be added as a new server.

Figure 29: Add Key Management Server Screen

c. To edit any settings, click the pencil icon for that entry in the key management server list
to redisplay the add page and then click the Save button after making the change. To
delete an entry, click the X icon.

6. In the Add a New Certificate Authority section, enter a name for the CA, click the Upload CA
Certificate button, and select the certificate for the CA used to sign your node certificates
(see step 4c). Repeat this step for all CAs that were used in the signing process.

Figure 30: Certificate Authority Section

7. Go to the Key Management Server section (see step 5) and do the following:

a. Click the Manage Certificates button for a key management server.

b. In the Manage Signed Certificates screen, upload the node certificates either by clicking
the Upload Files button to upload all the certificates in one step or by clicking the Upload
link (not shown in the figure) for each node individually.
c. Test that the certificates are correct either by clicking the Test all nodes button to test
the certificates for all nodes in one step or by clicking the Test CS (or Re-Test CS) link

AOS Security | Security Management Using Prism Element (PE) | 70

for each node individually. A status of Verified indicates the test was successful for that
node.

Note: Before removing a drive or node from an SED cluster, ensure that the testing is
successful and the status is Verified. Otherwise, the drive or node will be locked.

a. Repeat this step for each key management server.

Note: Before removing a drive or node from an SED cluster, ensure that the testing is
successful and the status is Verified. Otherwise, the drive or node will be locked.

Figure 31: Upload Signed Certificates Screen

AOS Security | Security Management Using Prism Element (PE) | 71

8. When the configuration is complete, click the Protect button on the opening page to enable
encryption protection for the cluster.
A clear key icon appears on the page.

Figure 32: Data-at-Rest Encryption Screen (unprotected)

The key turns gold when cluster encryption is enabled.

Note: If changes are made to the configuration after protection has been enabled, such as
adding a new key management server, you must rekey the disks for the modification to take
full effect (see Changing Key Encryption Keys (SEDs) on page 73).

Figure 33: Data-at-Rest Encryption Screen (protected)

Enabling/Disabling Encryption (SEDs)

Data on a self encrypting drive (SED) is always encrypted, but enabling/disabling data-at-
rest encryption for the cluster determines whether a separate (and secured) key is required to
access that data.

About this task

To enable or disable data-at-rest encryption after it has been configured for the cluster (see
Configuring Data-at-Rest Encryption (SEDs) on page 66), do the following:

Note: The key management server must be accessible to disable encryption.

AOS Security | Security Management Using Prism Element (PE) | 72

Procedure

1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings
page.

2. In the Cluster Encryption page, do one of the following:

» If cluster encryption is enabled currently, click the Unprotect button to disable it.
» If cluster encryption is disabled currently, click the Protect button to enable it.
Enabling cluster encryption enforces the use of secured keys to access data on the SEDs in
the cluster; disabling cluster encryption means the data can be accessed without providing a
key.

Changing Key Encryption Keys (SEDs)

The key encryption key (KEK) can be changed at any time. This can be useful as a periodic
password rotation security precaution or when a key management server or node becomes
compromised. If the key management server is compromised, only the KEK needs to be
changed, because the KEK is independent of the drive encryption key (DEK). There is no need
to re-encrypt any data, just to re-encrypt the DEK.

About this task

To change the KEKs for a cluster, do the following:

Procedure

1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings
page.

AOS Security | Security Management Using Prism Element (PE) | 73

2. In the Cluster Encryption page, select Manage Keys and click the Rekey All Disks button
under Hardware Encryption.
Rekeying a cluster under heavy workloads may result in higher-than-normal IO latency, and
some data may become temporarily unavailable. To continue with the rekey operation, click
Confirm Rekey.
This step resets the KEKs for all the self encrypting disks in the cluster.

Note:

• The Rekey All Disks button appears only when cluster protection is active.
• If the cluster is already protected and a new key management server is added,
you must press the Rekey All Disks button to use this new key management
server for storing secrets.

Figure 34: Cluster Encryption Screen

Destroying Data (SEDs)

Data on a self encrypting drive (SED) is always encrypted, and the data encryption key (DEK)
used to read the encrypted data is known only to the drive controller. All data on the drive can
effectively be destroyed (that is, become permanently unreadable) by having the controller
change the DEK. This is known as a crypto-erase.

About this task

To crypto-erase a SED, do the following:

Procedure

1. In the web console, go to the Hardware dashboard and select the Diagram tab.

AOS Security | Security Management Using Prism Element (PE) | 74

2. Select the target disk in the diagram (upper section of screen) and then click the Remove
Disk button (at the bottom right of the following diagram).
As part of the disk removal process, the DEK for that disk is automatically cycled on the
drive controller. The previous DEK is lost and all new disk reads are indecipherable. The key
encryption key (KEK) is unchanged, and the new DEK is protected using the current KEK.

Note: When a node is removed, all SEDs in that node are crypto-erased automatically as part
of the node removal process.

Figure 35: Removing a Disk

Data-at-Rest Encryption (Software Only)

For customers who require enhanced data security, Nutanix provides a software-only
encryption option for data-at-rest security (SEDs not required) included in the Ultimate license.

Note: On G6 platforms running the AOS Pro license, you can use software encryption by
installing an add-on license.

Software encryption using a local key manager (LKM) supports the following features:

• For AHV, the data can be encrypted on a cluster level. This is applicable to an empty cluster
or a cluster with existing data.
• For ESXi and Hyper-V, the data can be encrypted on a cluster or container level. The
cluster or container can be empty or contain existing data. Consider the following points for
container level encryption.

• Once you enable container level encryption, you can not change the encryption type to
cluster level encryption later.
• After the encryption is enabled, the administrator needs to enable encryption for every
new container.
• Data is encrypted at all times.
• Data is inaccessible in the event of drive or node theft.
• Data on a drive can be securely destroyed.
• Re-key of the leader encryption key at arbitrary times is supported.
• Cluster’s native KMS is supported.

AOS Security | Security Management Using Prism Element (PE) | 75

Note: In case of mixed hypervisors, only the following combinations are supported.

• ESXi and AHV

• Hyper-V and AHV

Note: This solution provides enhanced security for data on a drive, but it does not secure data in
transit.

Data Encryption Model

To accomplish the above mentioned goals, Nutanix implements a data security configuration
that uses AOS functionality along with the cluster’s native or an external key management
server. Nutanix uses open standards (KMIP protocols) for interoperability and strong security.

Figure 36: Cluster Protection Overview

This configuration involves the following workflow:

• For software encryption, data protection must be enabled for the cluster before any data is
encrypted. Also, the Controller VM must provide the proper key to access the data.
• A symmetric data encryption key (DEK) such as AES 256 is applied to all data being written
to or read from the disk. The key is known only to AOS, so there is no way to access the data
directly from the drive.
• In case of an external KMS:
Each node maintains a set of certificates and keys in order to establish a secure connection
with the key management server.
Only one key management server device is required, but it is recommended that multiple
devices are employed so the key management server is not a potential single point of failure.
Configure the key manager server devices to work in clustered mode so they can be added
to the cluster configuration as a single entity that is resilient to a single failure.

Configuring Data-at-Rest Encryption (Software Only)

Nutanix offers a software-only option to perform data-at-rest encryption in a cluster or
container.

AOS Security | Security Management Using Prism Element (PE) | 76

Before you begin

• Nutanix provides the option to choose the KMS type as the Native KMS (local), Native KMS
(remote), or External KMS.
• Cluster Localised Key Management Service (Native KMS (local)) requires a minimum of 3-
node cluster. 1-node and 2-node clusters are not supported.
• Software encryption using Native KMS is supported for remote office/branch office (ROBO)
deployments using the Native KMS (remote) KMS type.
• For external KMS, a separate key management server is required to store the keys outside
of the cluster. Each key management server device must be configured and addressable
through the network. It is recommended that multiple key manager server devices be
configured to work in clustered mode so they can be added to the cluster configuration as a
single entity that is resilient to a single failure.

Caution: DO NOT HOST A KEY MANAGEMENT SERVER VM ON THE ENCRYPTED CLUSTER

THAT IS USING IT!!
Doing so could result in complete data loss if there is a problem with the VM while it
is hosted in that cluster.

Note: You must install the license of the external key manager for all nodes in the cluster.
See Compatibility and Interoperability Matrix for a complete list of the supported key
management servers. For instructions on how to configure a key management server, refer to
the documentation from the appropriate vendor.

• This feature requires an Ultimate license, or as an Add-On to the PRO license (for the latest
generation of products). Ensure that you have procure the add-on license key to use the
data-at-rest encryption using AOS, contact Sales team to procure the license.
• Caution: For security, you can't disable software-only data-at-rest encryption once it is
enabled.

About this task

To configure cluster or container encryption, do the following:

AOS Security | Security Management Using Prism Element (PE) | 77

Procedure

1. Click the gear icon in the main menu and then select Data at Rest Encryption in the
Settings page.
The Data at Rest Encryption dialog box appears. Initially, encryption is not configured, and
a message to that effect appears.

Figure 37: Data at Rest Encryption Screen (initial)

2. Click the Create Configuration button.

Clicking the Continue Configuration button, configure it link, or Edit Config button does
the same thing, which is display the Data-at-Rest Encryption configuration page

AOS Security | Security Management Using Prism Element (PE) | 78

3. Select the Encryption Type as Encrypt the entire cluster or Encrypt storage containers.
Then click Save Encryption Type.

Caution: You can enable encryption for the entire cluster or just the container. However,
if you enable encryption on a container; and there are any encryption key issue like loss of
encryption key, you can encounter the following:

• The entire cluster data is affected, not just the encrypted container.
• All the user VMs of the cluster will not able to access the data.

The hardware option is displayed only when SEDs are detected. Else, software based
encryption type will be used by default.

Figure 38: Select encryption type

Note: For ESXi and Hyper-V, the data can be encrypted on a cluster or container level. The
cluster or container can be empty or contain existing data. Consider the following points for
container level encryption.

To enable encryption for every new storage container, do the following:

a. In the web console, select Storage from the pull-down main menu (upper left of screen)
and then select the Table and Storage Container tabs.
b. To enable encryption, select the target storage container and then click the Update link.
The Update Storage Container window appears.
c. In the Advanced Settings area, select the Enable check box to enable encryption for the
storage container you selected.

AOS Security | Security Management Using Prism Element (PE) | 79

Figure 39: Update storage container
d. Click Save to complete.

AOS Security | Security Management Using Prism Element (PE) | 80

4. Select the Key Management Service.
To keep the keys safe with the native KMS, select Native KMS (local) or Native KMS
(remote) and click Save KMS type. If you select this option, skip to step 9 to complete the
configuration.

Note:

• Cluster Localised Key Management Service (Native KMS (local)) requires a

minimum of 3-node cluster. 1-node and 2-node clusters are not supported.
• For enhanced security of ROBO environments (typically, 1 or 2 node clusters),
select the Native KMS (remote) for software based encryption of ROBO clusters
managed by Prism Central.

Note: This is option is available only if the cluster is registered to Prism Central.

For external KMS type, select the External KMS option and click Save KMS type. Continue
to step 5 for further configuration.

Figure 40: Select KMS Type

Note: You can switch between the KMS types at a later stage if the specific KMS
prerequisites are met, see Switching between Native Key Manager and External Key
Manager on page 86.

AOS Security | Security Management Using Prism Element (PE) | 81

5. In the Certificate Signing Request Information section, do the following:

Figure 41: Certificate Signing Request Section

a. Enter appropriate credentials for your organization in the Email, Organization,

Organizational Unit, Country Code, City, and State fields and then click the Save CSR
Info button.
The entered information is saved and is used when creating a certificate signing request
(CSR). To specify more than one Organization Unit name, enter a comma separated list.

Figure 42: Download CSRs Screen

c. Send the files with the CSRs to the desired certificate authority.
The certificate authority creates the signed certificates and returns them to you. Store
the returned SSL certificates and the CA certificate where you can retrieve them in step
5.

AOS Security | Security Management Using Prism Element (PE) | 82

• The certificates must be X.509 format. (DER, PKCS, and PFX formats are not
supported.)
• The certificate and the private key should be in separate files.

6. In the Key Management Server section, do the following:

Figure 43: Key Management Server Section

a. Click the Add New Key Management Server button.

» If you have configured multiple key management servers in cluster mode, click the
Add Address button to provide the addresses for each key management server
device in the cluster.
» If you have stand-alone key management servers, click the Save button. Repeat this
step (Add New Key Management Server button) for each key management server
device to add.

Note: If your key management servers are configured into a master/slave (active/
passive) relationship and the architecture is such that the follower cannot accept write
requests, do not add the follower into this configuration. The system sends requests

AOS Security | Security Management Using Prism Element (PE) | 83

(read or write) to any configured key management server, so both read and write
access is needed for key management servers added here.

Note: To prevent potential configuration problems, always use the Add Address
button for key management servers configured into cluster mode. Only a stand-alone
key management server should be added as a new server.

Figure 44: Add Key Management Server Screen

7. In the Add a New Certificate Authority section, enter a name for the CA, click the Upload
CA Certificate button, and select the certificate for the CA used to sign your node
certificates (see step 3c). Repeat this step for all CAs that were used in the signing process.

Figure 45: Certificate Authority Section

8. Go to the Key Management Server section (see step 4) and do the following:

a. Click the Manage Certificates button for a key management server.

b. In the Manage Signed Certificates screen, upload the node certificates either by clicking
the Upload Files button to upload all the certificates in one step or by clicking the
Upload link (not shown in the figure) for each node individually.
c. Test that the certificates are correct either by clicking the Test all nodes button to test
the certificates for all nodes in one step or by clicking the Test CS (or Re-Test CS) link

AOS Security | Security Management Using Prism Element (PE) | 84

for each node individually. A status of Verified indicates the test was successful for that
node.
d. Repeat this step for each key management server.

Note: Before removing a drive or node from an SED cluster, ensure that the testing is
successful and the status is Verified. Otherwise, the drive or node will be locked.

Figure 46: Upload Signed Certificates Screen

9. When the configuration is complete, click the Enable Encryption button.

Enable Encryption window is displayed.

Figure 47: Data-at-Rest Encryption Screen (unprotected)

Caution: To help ensure that your data is secure, you cannot disable software-only data-
at-rest encryption once it is enabled. Nutanix recommends regularly backing up your data,
encryption keys, and key management server.

10. Enter ENCRYPT.

11. Click Encrypt button.

The data-at-rest encryption is enabled. To view the status of the encrypted cluster or
container, go to Data at Rest Encryption in the Settings menu.
When you enable encryption, a low priority background task runs to encrypt all the
unencrypted data. This task is designed to take advantage of any available CPU space to
encrypt the unencrypted data within a reasonable time. If the system is occupied with other

AOS Security | Security Management Using Prism Element (PE) | 85

workloads, the background task consumes less CPU space. Depending on the amount of
data in the cluster, the background task can take 24 to 36 hours to complete.

Note: If changes are made to the configuration after protection has been enabled, such as
adding a new key management server, you must do the rekey operation for the modification
to take full effect. In case of EKM, rekey to change the KEKs stored in the EKM. In case
of LKM, rekey to change the leader key used by native key manager, see Changing Key
Encryption Keys (Software Only) on page 87) for details.

Note: Once the task to encrypt a cluster begins, you cannot cancel the operation. Even if
you stop and restart the cluster, the system resumes the operation.

Figure 48: Data-at-Rest Encryption Screen (protected)

Switching between Native Key Manager and External Key Manager

After Software Encryption has been established, Nutanix supports the ability to switch the
KMS type from the External Key Manager to the Native Key Manager or from the Native Key
Manager to an External Key Manager, without any down time.

Note:

• The Native KMS requires a minimum of 3-node cluster.

• For external KMS, a separate key management server is required to store the keys
outside of the cluster. Each key management server device must be configured and
addressable through the network. It is recommended that multiple key manager
server devices be configured to work in clustered mode so they can be added to the
cluster configuration as a single entity that is resilient to a single failure.

AOS Security | Security Management Using Prism Element (PE) | 86

• It is recommended that you backup and save the encryption keys with identifiable
names before and after changing the KMS type. For backing up keys, see Backing up
Keys on page 90.

To change the KMS type, change the KMS selection by editing the encryption configuration.
For details, see step 3 in Configuring Data-at-Rest Encryption (Software Only) on page 76
section.

Figure 49: Select KMS type

After you change the KMS type and save the configuration, the encryption keys are re-
generated on the selected KMS storage medium and data is re-encrypted with the new keys.
The old keys are destroyed.

Note: This operation completes in a few minutes, depending on the number of encrypted objects
and network speed.

Changing Key Encryption Keys (Software Only)

About this task

To change the KEKs for a cluster, do the following:

Procedure

1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings
page.

AOS Security | Security Management Using Prism Element (PE) | 87

2. In the Cluster Encryption page, select Manage Keys and click the Rekey button under
Software Encryption.

Note: The Rekey button appears only when cluster protection is active.

Note: If the cluster is already protected and a new key management server is added, you
must press the Rekey button to use this new key management server for storing secrets.

Figure 50: Cluster Encryption Screen

Note: The system automatically regenerates the leader key yearly.

Destroying Data (Software Only)

Data on the AOS cluster is always encrypted, and the data encryption key (DEK) used to read
the encrypted data is known only to the AOS. All data on the drive can effectively be destroyed
(that is, become permanently unreadable) by deleting the container or cluster. This is known as
a crypto-erase.

About this task

Note: To help ensure that your data is secure, you cannot disable software-only data-at-rest
encryption once it is enabled. Nutanix recommends regularly backing up your data, encryption
keys, and key management server.

To crypto-erase the container or cluster, do the following:

AOS Security | Security Management Using Prism Element (PE) | 88

Procedure

1. Delete the storage container or destroy the cluster.

• For information on how to delete a storage container, see Modifying a Storage Container
in the Prism Web Console Guide.
• For information on how to destroy a cluster, see Destroying a Cluster in the Acropolis
Advanced Administration Guide.

Note:
When you delete a storage container, the Curator scans and deletes the DEK and
KEK keys automatically.
When you destroy a cluster, then:

• the Native Key Manager (local) destroys the master key shares and the encrypted
DEKs/KEKs.

• the Native Key Manager (remote) retains the root key on the PC if the cluster is
still registered to a PC when it is destroyed. You must unregister a cluster from
the PC and then destroy the cluster to delete the root key.

• the External Key Manager deletes the encrypted DEKs. However, the KEKs remain
on the EKM. You must use an external key manager UI to delete the KEKs.

2. Delete the key backup files, if any.

Switching from SED-EKM to Software-LKM

This section describes the steps to switch from SED and External KMS combination to
software-only and LKM combination.

About this task

To switch from SED-EKM to Software-LKM, do the following.

Procedure

1. Perform the steps for the software-only encryption with External KMS. For more information,
see Configuring Data-at-Rest Encryption (Software Only) on page 76.
After the background task completes, all the data gets encrypted by the software. The time
taken to complete the task depends on the amount of data and foreground I/O operations in
the cluster.

2. Disable the SED encryption. Ensure that all the disks are unprotected.
For more information, see Enabling/Disabling Encryption (SEDs) on page 72.

3. Switch the key management server from the External KMS to Local Key Manager. For more
information, see Switching between Native Key Manager and External Key Manager on
page 86.

AOS Security | Security Management Using Prism Element (PE) | 89

Configuring Dual Encryption

About this task

Dual Encryption protects the data on the clusters using both SED and software-only
encryption. An external key manager is used to store the keys for dual encryption, the Native
KMS is not supported.
To configure dual encryption, do the following:

Procedure

1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings
page.

2. In the Cluster Encryption page, check to enable both Drive-based and Software-based
encryption.

3. Click Save Encryption Type.

Figure 51: Dual Encryption

4. Continue with the rest of the encryption configuration, see:

• Configuring Data-at-Rest Encryption (Software Only) on page 76

• Configuring Data-at-Rest Encryption (SEDs) on page 66

Backing up Keys

About this task

You can take a backup of encryption keys:

• when you enable Software-only Encryption for the first time

• after you regenerate the keys
Backing up encryption keys is critical in the very unlikely situation in which keys get corrupted.
You can download key backup file for a cluster on a PE or all clusters on a PC. To download key
backup file for all clusters, see Taking a Consolidated Backup of Keys (Prism Central).
To download the key backup file for a cluster, do the following:

Procedure

1. Log on to the Prism Element web console.

AOS Security | Security Management Using Prism Element (PE) | 90

2. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings
page.

3. In the Cluster Encryption page, select Manage Keys.

4. Enter and confirm the password.

5. Click the Download Key Backup button.

The backup file is saved in the default download location on your local machine.

Note: Ensure you move the backup key file to a safe location.

Taking a Consolidated Backup of Keys (Prism Central)

If you are using the Native KMS option with software encryption for your clusters, you can take
a consolidated backup of all the keys from Prism Central.

About this task

To take a consolidated backup of keys for software encryption-enabled clusters (Native KMS-
only), do the following:

Procedure

1. Log on to the Prism Central web console.

2. Click the hamburger icon, then select Clusters > List view.

3. Select a cluster, go to Actions, then select Manage & Backup Keys.

4. Download the backup keys:

a. In Password, enter your password.

b. In Confirm Password, reenter your password.
c. To change the encryption key, select the Rekey Encryption Key (KEK) box .
d. To download the backup key, click Backup Key.

Note: Ensure that you move the backup key file to a safe location.

Importing Keys
You can import the encryption keys from backup. You must note the specific commands in this
topic if you backed up your keys to an external key manager (EKM)

About this task

Note: Nutanix recommends that you contact Nutanix Support for this operation. Extended
cluster downtime might result if you perform this task incorrectly.

Procedure

1. Log on to any Controller VM in the cluster with SSH.

AOS Security | Security Management Using Prism Element (PE) | 91

2. Retrieve the encryption keys stored on the cluster and verify that all the keys you want to
retrieve are listed.
In this example, the password is Nutanix.123. date is the timestamp portion of the backup file
name.
mantle_recovery_util --backup_file_path=/home/nutanix/encryption_key_backup_date \
--password=Nutanix.123 --list_key_ids=true

3. Import the keys into the cluster.

mantle_recovery_util --backup_file_path=/home/nutanix/key_backup \
--password=Nutanix.123 --interactive_mode

4. If you are using an external key manager such as IBM Security Key Lifecycle Manager,
Gemalto Safenet, or Vormetric Data Security Manager, use the --store_kek_remotely option
to import the keys into the cluster.
In this example, date is the timestamp portion of the backup file name.
mantle_recovery_util --backup_file_path path/encryption_key_backup_date \
--password key_password --store_kek_remotely

Securing Traffic Through Network Segmentation

Network segmentation enhances security, resilience, and cluster performance by isolating a
subset of traffic to its own network.
You can achieve traffic isolation in one or more of the following ways:
Isolating Backplane Traffic by using VLANs (Logical Segmentation)
You can separate management traffic from storage replication (or backplane) traffic by
creating a separate network segment (LAN) for storage replication. For more information
about the types of traffic seen on the management plane and the backplane, see Traffic
Types In a Segmented Network on page 93.
To enable the CVMs in a cluster to communicate over these separated networks, the
CVMs are multihomed. Multihoming is facilitated by the addition of a virtual network
interface card (vNIC) to the Controller VM and placing the new interface on the
backplane network. Additionally, the hypervisor is assigned an interface on the backplane
network.
The traffic associated with the CVM interfaces and host interfaces on the backplane
network can be secured further by placing those interfaces on a separate VLAN.
In this type of segmentation, both network segments continue to use the same external
bridge and therefore use the same set of physical uplinks. For physical separation, see
Physically Isolating the Backplane Traffic on an AHV Cluster.
Isolating backplane traffic from management traffic requires minimal configuration
through the Prism web console. No manual host (hypervisor) configuration steps are
required.
For information about isolating backplane traffic, see Isolating the Backplane Traffic
Logically on an Existing Cluster (VLAN-Based Segmentation Only) on page 104.
Isolating Backplane Traffic Physically (Physical Segementation)
You can physically isolate the backplane traffic (intra cluster traffic) from the
management traffic (Prism, SSH, SNMP) in to a separate vNIC on the CVM and using
a dedicated virtual network that has its own physical NICs. This type of segmentation

AOS Security | Security Management Using Prism Element (PE) | 92

therefore offers true physical separation of the backplane traffic from the management
traffic.
You can use Prism to configure the vNIC on the CVM and configure the backplane traffic
to communicate over the dedicated virtual network. However, you must first manually
configure the virtual network on the hosts and associate it with the physical NICs that it
requires for true traffic isolation.
For more information about physically isolating backplane traffic, see Physically Isolating
the Backplane Traffic on an AHV Cluster.
Isolating service-specific traffic
You can also secure traffic associated with a service (for example, Nutanix Volumes) by
confining its traffic to a separate vNIC on the CVM and using a dedicated virtual network
that has its own physical NICs. This type of segmentation therefore offers true physical
separation for service-specific traffic.
You can use Prism to create the vNIC on the CVM and configure the service to
communicate over the dedicated virtual network. However, you must first manually
configure the virtual network on the hosts and associate it with the physical NICs that it
requires for true traffic isolation. You need one virtual network for each service you want
to isolate. For a list of the services whose traffic you can isolate in the current release, see
Cluster Services That Support Traffic Isolation on page 102.
For information about isolating service-specific traffic, see Isolating Service-Specific
Traffic on page 127.
Isolating Stargate-to-Stargate traffic over RDMA
Some Nutanix platforms support remote direct memory access (RDMA) for Stargate-to-
Stargate service communication. You can create a separate virtual network for RDMA-
enabled network interface cards. If a node has RDMA-enabled NICs, Foundation passes
the NICs through to the CVMs during imaging. The CVMs use only the first of the two
RDMA-enabled NICs for Stargate-to-Stargate communications. The virtual NIC on the
CVM is named rdma0. Foundation does not configure the RDMA LAN. After creating
a cluster, you need to enable RDMA by creating an RDMA LAN from the Prism web
console. For more information about RDMA support, see Remote Direct Memory Access
in the NX Series Hardware Administration Guide.
For information about isolating backplane traffic on an RDMA cluster, see Isolating the
Backplane Traffic on an Existing RDMA Cluster on page 110.

Traffic Types In a Segmented Network

The traffic entering and leaving a Nutanix cluster can be broadly classified into the following
types:
Backplane traffic
Backplane traffic is intra-cluster traffic that is necessary for the cluster to function, and
it comprises traffic between CVMs and traffic between CVMs and hosts for functions
such as storage RF replication, host management, high availability, and so on. This traffic
uses eth2 on the CVM. In AHV, VM live migration traffic is also backplane, and uses the
AHV backplane interface, VLAN, and virtual switch when configured. For nodes that
have RDMA-enabled NICs, the CVMs use a separate RDMA LAN for Stargate-to-Stargate
communications.
Management traffic
Management traffic is administrative traffic, or traffic associated with Prism and SSH
connections, remote logging, SNMP, and so on. The current implementation simplifies the
definition of management traffic to be any traffic that is not on the backplane network,

AOS Security | Security Management Using Prism Element (PE) | 93

and therefore also includes communications between user VMs and CVMs. This traffic
uses eth0 on the CVM.
Traffic on the management plane can be further isolated per service or feature. An
example of this type of traffic is the traffic that the cluster receives from external iSCSI
initiators (Nutanix Volumes iSCSI traffic). For a list of services supported in the current
release, see Cluster Services That Support Traffic Isolation on page 102.

Segmented and Unsegmented Networks

In the default unsegmented network in a Nutanix cluster (ESXi and AHV), the Controller VM has
two virtual network interfaces—eth0 and eth1.
Interface eth0 is connected to the default external virtual switch, which is in turn connected to
the external network through a bond or NIC team that contains the host physical uplinks.
Interface eth1 is connected to an internal network that enables the CVM to communicate with
the hypervisor.
In the below unsegmented network (see figure Unsegmented Network - ESXi Cluster,
and Unsegmented Network - AHV Cluster) all external CVM traffic, whether backplane or
management traffic, uses interface eth0. These interfaces are on the default VLAN on the
default virtual switch.

AOS Security | Security Management Using Prism Element (PE) | 94

Figure 52: Unsegmented Network- ESXi Cluster

This figure shows an unsegmented network AHV cluster.

In AHV, VM live migration traffic is also backplane, and uses the AHV backplane interface,
VLAN, and virtual switch when configured.

AOS Security | Security Management Using Prism Element (PE) | 95

Figure 53: Unsegmented Network- AHV Cluster

If you further isolate service-specific traffic, additional vNICs are created on the CVM. Each
service requiring isolation is assigned a dedicated virtual NIC on the CVM. The NICs are named
ntnx0, ntnx1, and so on. Each service-specific NIC is placed on a configurable existing or new
virtual network (vSwitch or bridge) and a VLAN and IP subnet are specified.

Network with Segmentation

In a segmented network, management traffic uses CVM interface eth0 and additional services
can be isolated to different VLANs or virtual switches. In backplane segmentation, the
backplane traffic uses interface eth2. The backplane network uses either the default VLAN or,
optionally, a separate VLAN that you specify when segmenting the network. In ESXi, you must
select a port group for the new vmkernel interface. In AHV this internal interface is created
automatically in the selected virtual switch. For physical separation of the backplane network,
create this new port group on a separate virtual switch in ESXi, or select the desired virtual
switch in the AHV GUI.

AOS Security | Security Management Using Prism Element (PE) | 96

If you want to isolate service-specific traffic such as Volumes or Disaster Recovery as well as
backplane traffic, then additional vNICs are needed on the CVM, but no new vmkernel adapters
or internal interfaces are required. AOS creates additional vNICs on the CVM. Each service that
requires isolation is assigned a dedicated vNIC on the CVM. The NICs are named ntnx0, ntnx1,
and so on. Each service-specific NIC is placed on a configurable existing or new virtual network
(vSwitch or bridge) and a VLAN and IP subnet are specified.
You can choose to perform backplane segmentation alone, with no other forms of
segmentation. You can also choose to use one or more types of service specific segmentation
with or without backplane segmentation. In all of these cases, you can choose to segment any
service to either the existing, or a new virtual switch for further physical traffic isolation. The
combination selected is driven by the security and networking requirements of the deployment.
In most cases, the default configuration with no segmentation of any kind is recommended due
to simplicity and ease of deployment.
The following figure shows an implementation scenario where the backplane and service
specific segmentation is configured with two vSwitches on ESXi hypervisors.

Figure 54: Backplane and Service Specific Segmentation Configured with two vSwitches
on an ESXi Cluster

Here are the CVM to ESXi hypervisor connection details:

• The eth0 vNIC on the CVM and vmk0 on the host are carrying management traffic and
connected to the hypervisor through the existing PGm (portgroup) on vSwitch0.

AOS Security | Security Management Using Prism Element (PE) | 97

• The eth2 vNIC on the CVM and vmk2 on the host are carrying backplane traffic and
connected to the hypervisor through a new user created PGb on the existing vSwitch.
• The ntnx0 vNIC on the CVM is carrying iSCSI traffic and connected to the hypervisor
through PGi on the vSwitch1. No new vmkernel adapter is required.
• The ntnx1 vNIC on the CVM is carrying DR traffic and connected to the hypervisor through
PGd on the vSwitch2. Here as well, there is no new vmkernel adapter required.
The following figure shows an implementation scenario where the backplane and service
specific segmentation is configured with two vSwitches on an AHV hypervisors.

Figure 55: Backplane and Service Specific Segmentation Configured with two vSwitches
on an AHV Cluster

Here are the CVM to AHV hypervisor connection details:

• The eth0 vNIC on the CVM is carrying management traffic and connected to the hypervisor
through the existing vnet0.
• Other vNICs such as eth2, ntnx0, and ntnx1 are connected to the hypervisor through the auto
created interfaces on either the existing or new vSwitch.

Note: In the above figure the interface name 'br0-bp' is read as 'br0-backplane'.

The following table describes the vNIC, port group (PG), VM kernel (vmk), virtual network
(vnet) and virtual switch connections for CVM and hypervisor in different implementation
scenarios. The tables capture information for ESXi and AHV hypervisors:

AOS Security | Security Management Using Prism Element (PE) | 98

Table 3:

Implementation vNICs on CVM Connected to ESXi Connected to AHV

Scenarios Hypervisor Hypervisor

Backplane eth0: vmk0 via existing Existing vnet0

Segmentation with 1 PGm on vSwitch
vSwitch DR, iSCSI,
andManagement
traffic

eth2: New vmk2 via PGb on Auto created

vSwitch0 interfaces on bridge
Backplane traffic br0
CVM vNIC via PGb on
vSwitch0

Backplane eth0: vmk0 via existing Existing vnet0

Segmentation with 2 PGm on vSwitch0
vSwitches Management traffic

eth2: New vmk2 via PGb on Auto created

new vSwitch interfaces on new
Backplane traffic virtual switch
CVM vNIC via PGb on
new vSwitch

Service Specific eth0: vmk0 via existing Existing vnet0

Segmentation for PGm on vSwitch0
Volumes with 1 DR, Backplane, and
vSwitch Management traffic

ntnx0: CVM vNIC via PGi on Auto created interface

vSwitch0 on existing br0
iSCSI (Volumes) traffic

Service Specific eth0: vmk0 via existing Existing vnet0

Segmentation for PGm on vSwitch0
Volumes with 2 DR, Backplane, and
vSwitches Management traffic

ntnx0: CVM vNIC via PGi on Auto created interface

new vSwitch on new virtual switch
iSCSI (Volumes) traffic

Service Specific eth0: vmk0 via existing Existing vnet0

Segmentation for DR PGm on vSwitch0
with 1 vSwitch iSCSI, Backplane, and
Management traffic

ntnx1: CVM vNIC via PGd on Auto created interface

vSwitch0 on existing br0
DR traffic

Service Specific eth0: vmk0 via existing Existing vnet0

Segmentation for DR PGm on vSwitch0
with 2 vSwitches iSCSI, Backplane, and
Management traffic

AOS Security | Security Management Using Prism Element (PE) | 99

Implementation vNICs on CVM Connected to ESXi Connected to AHV
Scenarios Hypervisor Hypervisor

ntnx1: CVM vNIC via PGd on Auto created interface

new vSwitch on new virtual switch
DR traffic

Backplane and Service eth0: vmk0 via existing Existing vnet0

Specific Segmentation PGm on vSwitch0
with 1 vSwitch Management traffic

eth2: New vmk2 via PGb on Auto created

vSwitch0 interfaces on br0
Backplane traffic
CVM vNIC via PGb on
vSwitch0

ntnx0: CVM vNIC via PGi on Auto created interface

vSwitch0 on br0
iSCSI traffic

ntnx1: CVM vNIC via PGd on Auto created interface

vSwitch0 on br0
DR traffic

Backplane and Service eth0: vmk0 via existing Existing vnet0

Specific Segmentation PGm on vSwitch0
with 2 vSwitches Management traffic

eth2: New vmk2 via PGb on Auto created

new vSwitch interfaces on new
Backplane traffic virtual switch
CVM vNIC via PGb on
new vSwitch

ntnx0: CVM vNIC via PGi on Auto created interface

vSwitch1 on new virtual switch
iSCSI traffic
No new user defined
vmkernel adapter is
required.

ntnx1: CVM vNIC via PGd on Auto created interface

vSwitch2. in new virtual switch
DR traffic
No new user defined
vmkernel adapter is
required.

Implementation Considerations

Supported Environment
Network segmentation is supported in the following environment:

AOS Security | Security Management Using Prism Element (PE) | 100

• The hypervisor must be one of the following:

• For network segmentation by traffic type (separating backplane traffic from management
traffic):

• AHV
• ESXi
• Hyper-V
• For service-specific traffic isolation:

• AHV
• ESXi
• For logical network segmentation, AOS version must be 5.5 or later. For physical
segmentation and service-specific traffic isolation, the AOS version must be 5.11 or later.
• RDMA requirements:

• Network segmentation is supported with RDMA for AHV and ESXi hypervisors only.
• For more information about RDMA, see Remote Direct Memory Access in the NX Series
Hardware Administration Guide.

Prerequisites

For Nutanix Volumes

Stargate does not monitor the health of a segmented network. If physical network
segmentation is configured, network failures or connectivity issues are not tolerated. To
overcome this issue, configure redundancy in the network. That is, use two or more uplinks in a
fault tolerant configuration, connected to two separate physical switches.

For Disaster Recovery

• Ensure that the VLAN and subnet that you plan to use for the network segment are routable.
• Make sure that you have a pool of IP addresses to specify when configuring segmentation.
For each cluster, you need n+1 IP addresses, where n is the number of nodes in the cluster.
The additional IP address is for the virtual IP address requirement.
• Enable network segmentation for disaster recovery at both sites (local and remote) before
configuring remote sites at those sites.

Limitations

For Nutanix Volumes

• If network segmentation is enabled for Volumes, volume group attachments are not
recovered during VM recovery.
• Nutanix service VMs such as Objects worker nodes continue to communicate with the CVM
eth0 interface when using Volumes for iSCSI traffic. Other external clients such as Files use
the new service-specific CVM interface.

AOS Security | Security Management Using Prism Element (PE) | 101

For Disaster Recovery
The system does not support configuring a Leap DR and DR service specific traffic isolation
together.

Cluster Services That Support Traffic Isolation

You can isolate traffic associated with the following services to its own virtual network:

• Management (The default network that cannot be moved from CVM eth0)
• Backplane
• RDMA
• Service Specific Disaster Recovery
• Service Specific Volumes

Configurations in Which Network Segmentation Is Not Supported

Network segmentation is not supported in the following configurations:

• Clusters on which the CVMs have a manually created eth2 interface.

• Clusters on which the eth2 interface on one or more CVMs have been assigned an IP address
manually. During an upgrade to an AOS release that supports network segmentation, an
eth2 interface is created on each CVM in the cluster. Even though the cluster does not use
these interfaces until you configure network segmentation, you must not manually configure
these interfaces in any way.

Caution:
Nutanix has deprecated support for manual multi-homed CVM network interfaces from
AOS version 5.15 and later. Such a manual configuration can lead to unexpected issues
on these releases. If you have configured an eth2 interface on the CVM manually, refer
to the KB-9479 and Nutanix Field Advisory #78 for details on how to remove the eth2
interface.

Troubleshooting Tips
This section provides information to assist troubleshooting of Network Segmentation
deployments.
The Failed to restart one or more services after Backplane was enabled error may occur
while enabling network segmentation. In such cases, the network segmentation task gets
completed, however, restarting one or more services fails to complete on time.
To ensure the necessary services starts on time, login to a CVM over SSH and run the following
command:
nutanix@CVM:~$ cluster start

Configuring the Network on an AHV Host

These steps describe how to configure host networking for physical and service-specific
network segmentation on an AHV host. These steps are prerequisites for physical and service-
specific network segmentation and you must perform these steps before you perform physical
or service-specific traffic isolation. If you are configuring networking on an ESXi host, perform
the equivalent steps by referring to the ESXi documentation. On ESXi, you create vSwitches
and port groups to achieve the same results.

AOS Security | Security Management Using Prism Element (PE) | 102

About this task
For information about the procedures to create, update and delete a virtual switch in Prism
Element Web Console, see Configuring a Virtual Network for Guest VMs in the Prism Web
Console Guide.

Note: The term unconfigured node in this procedure refers to a node that is not part of a cluster
and is being prepared for cluster expansion.

To configure host networking for physical and service-specific network segmentation, do the
following:

Note: If you are segmenting traffic on nodes that are already part of a cluster, perform the first
step. If you are segmenting traffic on an unconfigured node that is not part of a cluster, perform
the second step directly.

Procedure

1. If you are segmenting traffic on nodes that are already part of a cluster, do the following:

a. From the default virtual switch vs0, remove the uplinks that you want to add to the virtual
switch you created by updating the default virtual switch.
For information about updating the default virtual switch vs0 to remove the uplinks, see
Creating or Updating a Virtual Switch in the Prism Web Console Guide.
b. Create a virtual switch for the backplane traffic or service whose traffic you want to
isolate.
Add the uplinks to the new virtual switch.
For information about creating a new virtual switch, see Creating or Updating a Virtual
Switch in the Prism Web Console Guide.

2. If you are segmenting traffic on an unconfigured node (new host) that is not part of a
cluster, do the following:

a. Create a bridge for the backplane traffic or service whose traffic you want to isolate by
logging on to the new AHV host.
ovs-vsctl add-br br1

b. From the default bridge br0, log on to the host CVM and keep only eth0 and eth1 in br0.
manage_ovs --bridge_name br0 --interfaces eth0,eth1 --bond_name br0-up --bond_mode active-
backup update_uplinks

c. Log on to the host CVM and then add eth2 and eth3 to the uplink bond of br1.
manage_ovs --bridge_name br1 --interfaces eth2,eth3 --bond_name br1-up --bond_mode active-
backup update_uplinks

Note: If this step is not done correctly, a network loop can be created that causes a
network outage. Ensure that no other uplink interfaces exist on this bridge before adding
the new interfaces, and always add interfaces into a bond.

What to do next
Prism can configure a VLAN only on AHV hosts. Therefore, if the hypervisor is ESXi, in addition
to configuring the VLAN on the physical switch, make sure to configure the VLAN on the port
group.

AOS Security | Security Management Using Prism Element (PE) | 103

If you are performing physical network segmentation, see Physically Isolating the Backplane
Traffic on an Existing Cluster on page 117.
If you are performing service-specific traffic isolation, see Service-Specific Traffic Isolation on
page 127.

Network Segmentation for Traffic Types (Backplane, Management, and RDMA)

You can segment the network on a Nutanix cluster in the following ways:

• You can segment the network on an existing cluster by using the Prism web console.
• You can segment the network when creating a cluster by using Nutanix Foundation 3.11.2 or
higher versions.
The following topics describe network segmentation procedures for existing clusters and
changes during AOS upgrade and cluster expansion. For more information about segmenting
the network when creating a cluster, see the Field Installation Guide.

Isolating the Backplane Traffic Logically on an Existing Cluster (VLAN-Based Segmentation

Only)
You can segment the network on an existing cluster by using the Prism web console. You must
configure a separate VLAN for the backplane network to achieve logical segmentation. The
network segmentation process creates a separate network for backplane communications
on the existing default virtual switch. The process then places the eth2 interfaces (that the
process creates on the CVMs during upgrade) and the host interfaces on the newly created
network. This method allows you to achieve logical segmentation of traffic over the selected
VLAN. From the specified subnet, assign IP addresses to each new interface. You, therefore,
need two IP addresses per node. When you specify the VLAN ID, AHV places the newly created
interfaces on the specified VLAN.

Before you begin

If your cluster has RDMA-enabled NICs, follow the procedure in Isolating the Backplane Traffic
on an Existing RDMA Cluster on page 110.

• For ESXi clusters, it is mandatory to create and manage port groups that networking uses
for CVM and backplane networking. Therefore, ensure that you create port groups on the
default virtual switch vs0 for the ESXi hosts and CVMs.
Since backplane traffic segmentation is logical, it is based on the VLAN that is tagged for
the port groups. Therefore, while creating the port groups ensure that you tag the new port
groups created for the ESXi hosts and CVMs with the appropriate VLAN ID. Consult your
networking team to acquire the necessary VLANs for use with Nutanix nodes.
• For new backplane networks, you must specify a non-routable subnet. The interfaces on the
backplane network are automatically assigned IP addresses from this subnet, so reserve the
entire subnet for the backplane network segmentation. See the Configuring Backplane IP
Pool on page 133 topic to create an IP pool for backplane interfaces.

About this task

You need separate VLANs for Management network and Backplane network. For example,
configure VLAN 100 as Management network VLAN and VLAN 200 as Backplane network
VLAN on the Ethernet links that connect the Nutanix nodes to the physical switch.

Note: Nutanix does not control these VLAN IDs. Consult your networking team to acquire VLANs
for the Management and Backplane networks.

AOS Security | Security Management Using Prism Element (PE) | 104

To segment the network on an existing ESXi and Hyper-V clusters for a backplane LAN, do the
following:
To segment the network on an existing AHV cluster for a backplane LAN, follow the procedure
described in the Physically Isolating the Backplane Traffic on an AHV Cluster on page 117
topic.

Note:
In this method, for AHV nodes, logical segmentation (VLAN-based segmentation) is
done on the default bridge. The process creates the host backplane interface on the
Backplane Network port group on ESXi or br0-backplane (interface) on br0 bridge in
case of AHV. The eth2 interface on the CVM is on CVM Backplane Network by default.

Procedure

1. Log on to the Prism web console, click the gear icon in the top-right corner, and then click
Network Configuration in the Settings page.
The Network Configuration dialog box appears.

2. In the Network Configuration > Internal Interfaces > Backplane LAN row, click Configure.
The Create Interface dialog box appears.

3. In the Create Interface dialog box, provide the necessary information.

• In Subnet IP, specify a non-routable subnet.

Ensure that the subnet has sufficient IP addresses. The segmentation process requires
two IP addresses per node. Reconfiguring the backplane to increase the size of the subnet
involves cluster downtime, so you might also want to make sure that the subnet can
accommodate new nodes in the future.
• In Netmask, specify the netmask.
• If you want to assign the interfaces on the network to a VLAN, specify the VLAN ID in the
VLAN ID field.
Nutanix recommends that you use a VLAN. If you do not specify a VLAN ID, the default
VLAN on the virtual switch is used.

4. Click Verify and Save.

The network segmentation process creates the backplane network if the network settings
that you specified pass validation.

RDMA over Converged Ethernet (RoCE)

This section provides the information about RDMA, RDMA port pass-through mechanism, and
how to configure the RDMA network segmentation using Zero-Touch RoCE (ZTR) or Priority-
Based Flow Control (PFC) mechanism.

RDMA Overview
Remote Direct Memory Access (RDMA) enables you to directly transfer data between multiple
hosts without involving CPU, OS, or system cache. RDMA reduces the communication latency
and increases the bandwidth output for the data transfer. It directly uses the network adapters
for data transfer and never creates a data copy between network layers.
When RDMA is enabled, the CPU resources available for other applications running in the
cluster enhance the AOS data acceleration mechanism.

AOS Security | Security Management Using Prism Element (PE) | 105

RDMA Port Pass-through Mechanism
The following table describes the supported RDMA port pass-through mechanisms:

Table 4: RDMA Port Pass-through Mechanism

AOS release Hypervisor RDMA Port Pass-through

Mechanism

Prior to AOS 6.6 RDMA port pass-through can

• AHV be done during Foundation
• ESXi setup only. In this case, the
CVM reserves the entire
NIC for RDMA port pass-
through. The host cannot
use the empty NIC port for
other operations nor can it
change the selected port. If
the NIC or port fails, or any
connectivity issue occurs, the
I/O traffic falls back to the
TCP/IP connection mode.

AOS Security | Security Management Using Prism Element (PE) | 106

AOS release Hypervisor RDMA Port Pass-through
Mechanism
AOS 6.6 and above AHV RDMA port pass-through
can be done either during
Foundation setup or after the
cluster creation is completed.
The following behavior is
applicable for RDMA port
pass-through:

• If RDMA port pass-through

is done during Foundation
setup, the CVM reserves
the entire NIC for RDMA
port pass-through. In this
case, the host cannot use
the empty NIC port for
other operations nor can it
change the selected port.
• If RDMA port pass-
through is not done during
Foundation setup, the
system provides you an
option to reserve the port
for RDMA.

Note: Ensure the

port that you reserve
for RDMA is not
allocated to the
uplink vswitch of the
host. If the port that
you want to reserve
for RDMA is already
allocated for uplink
vswitch, the system
displays it as disabled
for selection and you
need to manually
remove it from the
vswitch.

ESXi RDMA port pass-through can

be done during Foundation
setup only. In this case, the
system doesn’t provide you
an option to change the
port for RDMA after cluster
creation.

For more information on how to enable RDMA port pass-through to the CVM during
Foundation, see Configuring Foundation VM by Using the Foundation GUI.

AOS Security | Security Management Using Prism Element (PE) | 107

Cluster Expansion Case
When a new node is added to increase the capacity of a cluster, the RDMA ports cannot be
changed after the cluster is created. In this case, the system checks if RDMA is enabled in the
cluster. If enabled, the system provisions the RDMA for the new node, and selects the first port
available in the NIC. To change the RDMA port, you need to disable the RDMA for the whole
cluster and reconfigure it with the new port selection.

ZTR Specifications
The ZTR is a deployment mechanism for RDMA setup in which the Mellanox NIC firmware
handles the entire configurations (card optimizations) without any user intervention or
dependency on the customized switch profiles or switch compatibility. ZTR reduces RDMA
deployment duration and does not require the support of PFC and End-to-end Congestion
Notification (ECN) settings.
ZTR functionality is supported with both ESXi and AHV hypervisors. For information about
how to enable ZTR for RDMA network segmentation, see Isolating the Backplane Traffic on an
Existing RDMA Cluster on page 110.
Nutanix recommends you use ZTR only if NVIDIA Mellanox Connect X-5 Ethernet Adapters
(Cx5 NICs) are available in your setup. For more information about the NICs compatibility for
ZTR feature, see NIC Compatibility Matrix for RDMA Features on page 108.

NIC Compatibility Matrix for RDMA Features

The following table provides the information about NIC compatibility with RDMA features;
RDMA Port Pass-through and ZTR, and the required workaround:

Table 5: NIC Compatibility Matrix for RDMA Features

NIC Available at Site RDMA Feature Compatibility Workaround

Information

Connect X-4 Ethernet ZTR Not supported None

Adapter (CX-4)
Nutanix recommends
you use ZTR only if
Cx5 NICs are available
in your setup.

RDMA port pass- RDMA port pass- Perform RDMA port

through through after cluster pass-through during
creation is not Foundation setup, and
supported. then upgrade to AOS
6.6 release.

AOS Security | Security Management Using Prism Element (PE) | 108

NIC Available at Site RDMA Feature Compatibility Workaround
Information

Connect X-5 Ethernet ZTR Supported None

Adapter (CX-5)
RDMA port pass- Supported None
through
The RDMA port pass-
through is supported
for both the following
scenarios:

• During Foundation
setup
• After cluster
creation in case of
AHV only.

Connect X-6 Ethernet ZTR Yet to be qualified None

Adapter (CX-6)
ZTR support is yet to
be qualified with Cx6
NICs. ZTR might or
might not work with
Connect X-6 Ethernet
adapters (Cx6 NICs)
in AOS 6.6 release.
Nutanix recommends
you to use ZTR only if
Cx5 NICs are available
in your setup.

RDMA port pass- Yet to be qualified Perform RDMA port

through pass-through during
RDMA port pass-
Foundation setup, and
through after cluster
then upgrade to AOS
creation is yet to be
6.6 release.
qualified with CX-6
NICs.

Important:

• A mix of the RDMA NIC family, for example NVIDIA Mellanox Connect X-4 Ethernet
Adapter (CX-4 NIC) and NVIDIA Mellanox Connect X-5 Ethernet Adapter (CX-5
NIC), on the same node is not supported. If you have CX-4 and CX-5 NICs or any
other combination on the same node, the system never allows you to enable RDMA
on the cluster.
• Mixing NIC cards across nodes in a cluster is supported. In this case, the oldest family
of cards dictates the feature supported for the cluster. For example, if any CX-4 NIC
is present, the system blocks the RDMA live port pass-through and ZTR functions,
and allows only RDMA RF2.

AOS Security | Security Management Using Prism Element (PE) | 109

Isolating the Backplane Traffic on an Existing RDMA Cluster

This section describes how to configure the RDMA network segmentation settings using either
PFC or ZTR from Prism Central.

About this task

The network segmentation process creates a separate network for RDMA communications on
the existing default virtual switch and places the rdma0 interface (created on the CVMs during
upgrade) and the host interfaces on the newly created network. From the specified subnet,
IP addresses are assigned to each new interface. Two IP addresses are therefore required per
node. If you specify the optional VLAN ID, the newly created interfaces are placed on the VLAN.
A separate VLAN is highly recommended for the RDMA network to achieve true segmentation.

Before you begin

Ensure that the following prerequisites are met before you proceed with RDMA network
segmentation:

• Specify a non-routable subnet. The interfaces on the backplane network are automatically
assigned IP addresses from the subnet. You reserve the entire subnet for the backplane
network alone.
• If you plan to specify a VLAN for the RDMA network, ensure that the VLAN is configured on
the physical switch ports to which the nodes are connected.
• Configure the switch interface as a trunk port.
• Observe the NICs compatibility information specified in NIC Compatibility Matrix for RDMA
Features on page 108 .
• Mixed configuration in a cluster is not supported where some nodes have RDMA port pass-
through or ZTR enabled while other nodes have it disabled. All nodes in the cluster need to
be uniformly configured with the RDMA functionality
The following prerequisites are applicable only for ZTR :

• NVIDIA Mellanox Connect X-5 Ethernet Adapters (Cx5 NICs) are available. For details, see
NIC Compatibility Matrix for RDMA Features on page 108.
• NICs on all nodes are running the same NIC firmware. Perform a NCC health check to verify
the minimum driver version recommended and supported by Mellanox NIC running on the
Nutanix platforms. For information about how to perform NCC Health check, see KB-4289
• AHV or ESXi hypervisor and AOS 6.6 or later (CVM 6.6) are deployed for the cluster. For
information about supported AHV or ESXi hypervisor versions, see KB-4289.

Procedure

To isolate the backplane traffic on an existing RDMA cluster, perform the following steps:

1. Log on to the Prism web console, click the gear icon in the top-right corner, and click
Network Configuration in the Settings page.
The Network Configuration dialog box displays.

2. Click the Internal Interfaces tab.

The Internal Interfaces tab displays.

Note: If the system detects that NVIDIA Mellanox Cx5 NIC is used, it provides you the option
to configure RDMA.

AOS Security | Security Management Using Prism Element (PE) | 110

3. Click Configure in the RDMA row, and set the following attributes in RDMA dialog box:

• Under Subnet IP , specify a non-routable Subnet IP.

• Under Netmask, specify a non-routable netmask.

Note: Ensure that the subnet size can accommodate cluster expansion in the future.

• Under VLAN, specify a VLAN ID for the RDMA LAN.

Note: VLAN ID is optional with ZTR but Nutanix recommends you to use it for true
network segmentation and enhanced security

• Select either the Use Zero Touch RoCE checkbox to enable ZTR or select the PFC value
configured on the physical switch port.

Note: When the Use Zero Touch RoCE checkbox is selected:

• The PFC field is disabled.

• The system automatically defines the RDMA port if RDMA port pass-through is
done during Foundation setup. You cannot change the RDMA port in this case.

AOS Security | Security Management Using Prism Element (PE) | 111

Figure 56: RDMA Network Segmentation: Pass-through done during
Foundation

AOS Security | Security Management Using Prism Element (PE) | 112

4. Click Verify and Save.
The selected RDMA network segmentation settings are saved.

Note: If the RDMA port pass-through is not done during Foundation setup and only AHV
hypervisor is deployed, the system prompts you to define the RDMA port.

Perform the following steps to define RDMA port:

a. Click Next and select the RDMA port in the Port Selection tab.

AOS Security | Security Management Using Prism Element (PE) | 113

Figure 57: RDMA Network Segmentation - No Pass-through done during Foundation

AOS Security | Security Management Using Prism Element (PE) | 114

b. Select the port to be reserved for RDMA on all the hosts.

AOS Security | Security Management Using Prism Element (PE) | 115

Figure 58: RDMA Port Selection

AOS Security | Security Management Using Prism Element (PE) | 116

c. Click Save.

Physically Isolating the Backplane Traffic on an Existing Cluster

By using the Prism web console, you can configure the eth2 interface on a separate virtual
switch if you wish to isolate the backplane traffic to a separate physical network.
If you do not configure as separate virtual switch, the backplane traffic uses another VLAN in
the default switch for VLAN-based traffic isolation.
A virtual switch is known as the following in different hypervisors.

Hypervisor Virtual Switch

AHV Virtual Switch

ESXi vSwitch

Hyper-V Hyper-V Virtual Switch

Network segmentation process creates a separate network for backplane communications on

the new virtual switch. The segmentation process places the CVM eth2 interfaces and the host
interfaces on the newly created network. Specify a subnet with a network mask and, optionally,
a VLAN ID. From the specified subnet or an IP Pool assign IP addresses to each new interface in
the new network. You require a minimum of two IP addresses per node.
If you specify the optional VLAN ID, the newly created interfaces are placed on VLAN.
Nutanix highly recommends a separate VLAN for the backplane network to achieve true
segmentation.

Requirements and Limitations

• Ensure that physical isolation of backplane traffic is supported by the AOS version deployed.
• Ensure that you configure the network (port groups or bridges) on the hosts and associate
the network with the required physical NICs before you enable physical isolation of the
backplane traffic.
For AHV, see Configuring the Network on an AHV Host on page 102. For ESXI and Hyper-
V, see VMware and Microsoft documentation respectively.
• Segmenting backplane traffic can involve up to two rolling reboots of the CVMs. The first
rolling reboot is done to move the backplane interface (eth2) of the CVM to the selected
port group, virtual switch or Hyper-V switch. This is done only for CVM(s) whose backplane
interface is not already connected to the selected port group, virtual switch or Hyper-
V switch. The second rolling reboot is done to migrate the cluster services to the newly
configured backplane interface.

Physically Isolating the Backplane Traffic on an AHV Cluster

Before you begin

On the AHV hosts, do the following:
1. From the default virtual switch vs0, remove the uplinks (physical NICs) that you want to add
to a new virtual switch you create for the backplane traffic in the next step.
2. Create a virtual switch for the backplane traffic.
Add the uplinks to the new bond when you create the new virtual switch.

AOS Security | Security Management Using Prism Element (PE) | 117

See Configuring the Network on an AHV Host on page 102 for instructions about how to
perform these tasks on a host.

Note: Before you perform the following procedure, ensure that the uplinks you added to the
virtual switch are in the UP state.

About this task

Perform the following procedure to physically segment the backplane traffic on an AHV cluster.

Procedure

1. Shut down all the guest VMs in the cluster from within the guest OS or use the Prism
Element web console.

2. Place all nodes of a cluster into the maintenance mode.

a. Use SSH to log on to a Controller VM in the cluster

b. Determine the IP address of the node you want to put into the maintenance mode:
nutanix@cvm$ acli host.list

Note the value of Hypervisor IP for the node you want to put in the maintenance mode.
c. Put the node into the maintenance mode:
nutanix@cvm$ acli host.enter_maintenance_mode hypervisor-IP-address [wait="{ true |
false }" ] [non_migratable_vm_action="{ acpi_shutdown | block }" ]

Note: Never put Controller VM and AHV hosts into maintenance mode on single-node
clusters. It is recommended to shutdown user VMs before proceeding with disruptive
changes.

Replace host-IP-address with either the IP address or host name of the AHV host you want
to shut down.
The following are optional parameters for running the acli host.enter_maintenance_mode
command:

• wait
• non_migratable_vm_action
Do not continue if the host has failed to enter the maintenance mode.
d. Verify if the host is in the maintenance mode:
nutanix@cvm$ acli host.get host-ip

In the output that is displayed, ensure that node_state equals to

EnteredMaintenanceMode and schedulable equals to False.

AOS Security | Security Management Using Prism Element (PE) | 118

3. Enable backplane network segmentation.

a. Log on to the Prism web console, click the gear icon in the top-right corner, and then click
Network Configuration in the Settings page.
b. On the Internal Interfaces tab, in the Backplane LAN row, click Configure.
c. In the Backplane LAN dialog box, do the following:

• In Subnet IP, specify a non-routable subnet that is different from the subnet used by
the AHV host and CVMs.
The AOS CVM default route uses the CVM eth0 interface, and there is no route on the
backplane interface. Therefore, Nutanix recommends only using a non-routable subnet
for the backplane network. To avoid split routing, do not use a routable subnet for the
backplane network.
Make sure that the backplane subnet has a sufficient number of IP addresses. Two IP
addresses are required per node. Reconfiguring the backplane to increase the size of
the subnet involves cluster downtime, so you might also want to make sure that the
subnet can accommodate new nodes in the future.
• In Netmask, specify the network mask.
• If you want to assign the interfaces on the network to a VLAN, specify the VLAN ID in
the VLAN ID field.
Nutanix strongly recommends configuring a separate VLAN. If you do not specify a
VLAN ID, AOS applies the untagged VLAN on the virtual switch.
• In the Virtual Switch list, select the virtual switch you created for the backplane traffic.
d. Click Verify and Save.
If the network settings you specified pass validation, the backplane network is created
and the CVMs perform a reboot in a rolling fashion (one at a time), after which the
services use the new backplane network. The progress of this operation can be tracked on
the Prism tasks page.

4. Log on to a CVM in the cluster with SSH and stop Acropolis cluster-wide:
nutanix@cvm$ allssh genesis stop acropolis

5. Restart Acropolis cluster-wide:

nutanix@cvm$ cluster start

6. Remove all nodes from the maintenance mode.

a. From any CVM in the cluster, run the following command to exit the AHV host from the
maintenance mode:
nutanix@cvm$ acli host.exit_maintenance_mode host-ip

Replace host-ip with the new IP address of the host.

This command migrates (live migration) all the VMs that were previously running on the
host back to the host.
b. Verify if the host has exited the maintenance mode:
nutanix@cvm$ acli host.get host-ip

In the output that is displayed, ensure that node_state equals to kAcropolisNormal or

AcropolisNormal and schedulable equals to True.

AOS Security | Security Management Using Prism Element (PE) | 119

7. Power on the guest VMs from the Prism Element web console.

Physically Isolating the Backplane Traffic on an ESXi Cluster

Before you begin

On the ESXi hosts, do the following:
1. Create a vSwitch for the backplane traffic.
2. From vSwitch0, remove the uplinks (physical NICs) that you want to add to the vSwitch you
created for the backplane traffic.
3. On the backplane vSwitch, create one port group for the CVM and another for the host.
Ensure that at least one uplink is present in the Active Adaptors list for each port group if
you have overridden the failover order.
See the ESXi documentation for instructions about how to perform these tasks.

Note: Before you perform the following procedure, ensure that the uplinks you added to the
vSwitch are in the UP state.

About this task

Perform the following procedure to physically segment the backplane traffic.

Procedure

1. Log on to the Prism web console, click the gear icon in the top-right corner, and then click
Network Configuration in the Settings page.

2. On the Internal Interfaces tab, in the Backplane LAN row, click Configure.

3. In the Backplane LAN dialog box, do the following:

a. In Subnet IP, specify a non-routable subnet.

If you do not specify a secure non-routable subnet, AHV uses the routable subnet on the
default gateway. AOS does not route packets from the backplane network. Therefore,
Nutanix recommends only using a secure non-routable subnet for the backplane network.
Do not use a routable subnet for this purpose.
Make sure that the subnet has a sufficient number of IP addresses. Two IP addresses
are required per node. Reconfiguring the backplane to increase the size of the subnet
involves cluster downtime, so you might also want to make sure that the subnet can
accommodate new nodes in the future.
b. In Netmask, specify the network mask.
c. If you want to assign the interfaces on the network to a VLAN, specify the VLAN ID in the
VLAN ID field.
Nutanix strongly recommends configuring a separate VLAN. If you do not specify a VLAN
ID, AOS applies the default VLAN on the virtual switch.
d. In the Host Port Group list, select the port group you created for the host.
e. In the CVM Port Group list, select the port group you created for the CVM.

Note:
Nutanix clusters support both vSphere Standard Switches and vSphere Distributed
Switches. However, you must mandatorily configure only one type of virtual
switches in one cluster. Configure all the backplane and management traffic in one

AOS Security | Security Management Using Prism Element (PE) | 120

cluster on either vSphere Standard Switches or vSphere Distributed Switches. Do
not mix Standard and Distributed vSwitches on a single cluster.

4. Click Verify and Save.

If the network settings you specified pass validation, the backplane network is created and
the CVMs perform a reboot in a rolling fashion (one at a time), after which the services use
the new backplane network. The progress of this operation can be tracked on the Prism
tasks page.

Physically Isolating the Backplane Traffic on a Hyper-V Cluster

Before you begin

On the Hyper-V hosts, do the following:
1. Create a Hyper-V Virtual Switch for the backplane traffic.
2. From the default External Switch, remove the uplinks (physical NICs) that you want to add
to the backplane Virtual Switch you created for the backplane traffic.
3. On the backplane Virtual Switch, create a subnet and, optionally, assign a VLAN.
See the Hyper-V documentation on the Microsoft portal for instructions about how to perform
these tasks.

Note: Before you perform the following procedure, ensure that the uplinks you added to the
backplane Virtual Switch are in the UP state.

About this task

Perform the following procedure to physically segment the backplane traffic.

Procedure

1. Log on to the Prism web console, click the gear icon in the top-right corner, and then click
Network Configuration in the Settings page.

2. On the Internal Interfaces tab, in the Backplane LAN row, click Configure.

3. In the Backplane LAN dialog box, do the following:

a. In Subnet IP, specify a non-routable subnet.

If you do not specify a secure non-routable subnet, AHV uses the routable subnet on the
default gateway. AOS does not route packets from the backplane network. Therefore,
Nutanix recommends only using a secure non-routable subnet for the backplane network.
Do not use a routable subnet for this purpose.
Make sure that the subnet has a sufficient number of IP addresses. Two IP addresses
are required per node. Reconfiguring the backplane to increase the size of the subnet
involves cluster downtime, so you might also want to make sure that the subnet can
accommodate new nodes in the future.
b. In Netmask, specify the network mask.
c. If you want to assign the interfaces on the network to a VLAN, specify the VLAN ID in the
VLAN ID field.
Nutanix strongly recommends configuring a separate VLAN. If you do not specify a VLAN
ID, AOS applies the default VLAN on the virtual switch.
d. In the Bridge list, select the Hyper-V switch you created for the backplane traffic.

AOS Security | Security Management Using Prism Element (PE) | 121

4. Click Verify and Save.
If the network settings you specified pass validation, the backplane network is created and
the CVMs perform a reboot in a rolling fashion (one at a time), after which the services use
the new backplane network. The progress of this operation can be tracked on the Prism
tasks page.

Note: Segmenting backplane traffic can involve up to two rolling reboots of the CVMs. The
first rolling reboot is done to move the backplane interface (eth2) of the CVM to the selected
port group or virtual switch. This is done only for CVM(s) whose backplane interface is not
already connected to the selected port group or bridge virtual switch. The second rolling
reboot is done to migrate the cluster services to the newly configured backplane interface.

Reconfiguring the Backplane Network

Backplane network reconfiguration is a CLI-driven procedure that you perform on any one of
the CVMs in the cluster. The change is propagated to the remaining CVMs.

About this task

Caution: At the end of this procedure, the cluster stops and restarts, even if only the VLAN is
changed, and therefore involves cluster downtime.

To reconfigure the cluster, do the following:

Procedure

1. Log on to any CVM in the cluster using SSH.

2. Reconfigure the backplane network.

nutanix@cvm$ backplane_ip_reconfig [--backplane_vlan=vlan-id] \
[--backplane_ip_pool=ip_pool_name]

Replace vlan-id with the new VLAN ID, and ip_pool_name with the newly created backplane IP
pool.
See Configuring Backplane IP Pool on page 133 to create a backplane IP pool.
For example, reconfigure the backplane network to use VLAN ID 10 and newly created
backplane IP pool.
nutanix@cvm$ backplane_ip_reconfig --backplane_vlan=10 \
--backplane_ip_pool=NewBackplanePool

Output similar to the following is displayed:

This operation will do a 'cluster stop', resulting in disruption of
cluster services. Do you still want to continue? (Type "yes" (without quotes)
to continue)
Type yes to confirm that you want to reconfigure the backplane network.

Caution: During the reconfiguration process, you might receive an error message similar to
the following.
Failed to reach a node.
You can safely ignore this error message and therefore do not stop the script manually.

Note: The backplane_ip_reconfig command is not supported on ESXi clusters with vSphere
Distributed Switches. To reconfigure the backplane network on a vSphere Distributed Switch
setup, disable the backplane network (see Disabling Network Segmentation on an ESXi
and Hyper-V Clusters on page 123) and enable again with a different subnet or VLAN.

AOS Security | Security Management Using Prism Element (PE) | 122

3. Type yes to confirm that you want to reconfigure the backplane network.
The reconfiguration procedure takes a few minutes and includes a cluster restart. If you type
anything other than yes, network reconfiguration is aborted.

4. After the process completes, verify that the backplane was reconfigured.

a. Verify that the IP addresses of the eth2 interfaces on the CVM are set correctly.
nutanix@cvm$ svmips -b

Output similar to the following is displayed:

172.30.25.1 172.30.25.3 172.30.25.5

b. Verify that the IP addresses of the backplane interfaces of the hosts are set correctly.
nutanix@cvm$ hostips -b

Output similar to the following is displayed:

172.30.25.2 172.30.25.4 172.30.25.6

The svmips and hostips commands, when used with the option b, display the IP addresses
assigned to the interfaces on the backplane.

Disabling Network Segmentation on an ESXi and Hyper-V Clusters

Backplane network reconfiguration is a CLI-driven procedure that you perform on any one of
the CVMs in the cluster. The change is propagated to the remaining CVMs.

About this task

Procedure

1. Log on to any CVM in the cluster using SSH.

2. Disable the backplane network.

• Use this CLI to disable network segmentation on an ESXi and Hyper-V cluster:
nutanix@cvm$ network_segmentation --backplane_network --disable

Output similar to the following appears:

Operation type : Disable
Network type : kBackplane
Params : {}
Please enter [Y/y] to confirm or any other key to cancel the operation

Type Y/y to confirm that you want to reconfigure the backplane network.
If you type Y/y, network segmentation is disabled and the cluster restarts in a rolling
manner, one CVM at a time. If you type anything other than Y/y, network segmentation is
not disabled.
This method does not involve cluster downtime.

AOS Security | Security Management Using Prism Element (PE) | 123

3. Verify that network segmentation was successfully disabled. You can verify this in one of
two ways:

» Verify that the backplane is disabled.

nutanix@cvm$ network_segment_status

Output similar to the following is displayed:

2017-11-23 06:18:23 INFO zookeeper_session.py:110 network_segment_status is
attempting to connect to Zookeeper
Network segmentation is disabled

» Verify that the commands to show the backplane IP addresses of the CVMs and hosts
list the management IP addresses (run the svmips and hostips commands once without
the b option and once with the b option, and then compare the IP addresses shown in the
output).

Important:
nutanix@cvm$ svmips
192.127.3.2 192.127.3.3 192.127.3.4
nutanix@cvm$ svmips -b
192.127.3.2 192.127.3.3 192.127.3.4
nutanix@cvm$ hostips
192.127.3.5 192.127.3.6 192.127.3.7
nutanix@cvm$ hostips -b
192.127.3.5 192.127.3.6 192.127.3.7

In the example above, the outputs of the svmips and hostips commands with and
without the b option are the same, indicating that the backplane network segmentation is
disabled.

Disabling Network Segmentation on an AHV Cluster

About this task

You perform backplane network reconfiguration procedure on any one of the CVMs in the
cluster. The change propagates to the remaining CVMs.

Procedure

1. Shut down all the guest VMs in the cluster from within the guest OS or use the Prism
Element web console.

AOS Security | Security Management Using Prism Element (PE) | 124

2. Place all nodes of a cluster into the maintenance mode.

a. Use SSH to log on to a Controller VM in the cluster

b. Determine the IP address of the node you want to put into the maintenance mode:
nutanix@cvm$ acli host.list

Note: Never put Controller VM and AHV hosts into maintenance mode on single-node
clusters. It is recommended to shutdown user VMs before proceeding with disruptive
changes.

Replace host-IP-address with either the IP address or host name of the AHV host you want
to shut down.
The following are optional parameters for running the acli host.enter_maintenance_mode
command:

• wait
• non_migratable_vm_action
Do not continue if the host has failed to enter the maintenance mode.
d. Verify if the host is in the maintenance mode:
nutanix@cvm$ acli host.get host-ip

In the output that is displayed, ensure that node_state equals to

EnteredMaintenanceMode and schedulable equals to False.

AOS Security | Security Management Using Prism Element (PE) | 125

3. Disable backplane network segmentation from the Prism Web Console.

a. Log on to the Prism web console, click the gear icon in the top-right corner, and then click
Network Configuration under the Settings.
b. In the Internal Interfaces tab, in the Backplane LAN row, click Disable.

Figure 59: Disable Network Configuration

c. Click Yes to disable Backplane LAN.
This involves a rolling reboot of CVMs to migrate the cluster services back to the external
interface.

4. Log on to a CVM in the cluster with SSH and stop Acropolis cluster-wide:
nutanix@cvm$ allssh genesis stop acropolis

5. Restart Acropolis cluster-wide:

nutanix@cvm$ cluster start

6. Remove all nodes from the maintenance mode.

a. From any CVM in the cluster, run the following command to exit the AHV host from the
maintenance mode:
nutanix@cvm$ acli host.exit_maintenance_mode host-ip

Replace host-ip with the new IP address of the host.

This command migrates (live migration) all the VMs that were previously running on the
host back to the host.
b. Verify if the host has exited the maintenance mode:
nutanix@cvm$ acli host.get host-ip

In the output that is displayed, ensure that node_state equals to kAcropolisNormal or

AcropolisNormal and schedulable equals to True.

7. Power on the guest VMs from the Prism Element web console.

AOS Security | Security Management Using Prism Element (PE) | 126

Service-Specific Traffic Isolation
Isolating the traffic associated with a specific service is a two-step process. The process is as
follows:

• Configure the networks and uplinks on each host manually. Prism only creates the VNIC that
the service requires, and it places that VNIC on the bridge or port group that you specify.
Therefore, you must manually create the bridge or /port group on each host and add the
required physical NICs as uplinks to that bridge or port group.
• Configure network segmentation for the service by using Prism. Create an extra VNIC for the
service, specify any additional parameters that are required (for example, IP address pools),
and the bridge or port group that you want to dedicate to the service.

Isolating Service-Specific Traffic

Before you begin

• Ensure to configure each host as described in Configuring the Network on an AHV Host on
page 102.
• Review Prerequisites on page 101.

About this task

To isolate a service to a separate virtual network, do the following:

Procedure

1. Log on to the Prism web console and click the gear icon at the top-right corner of the page.

2. In the left pane, click Network Configuration.

3. In the details pane, on the Internal Interfaces tab, click Create New Interface.
The Create New Interface dialog box is displayed.

AOS Security | Security Management Using Prism Element (PE) | 127

4. On the Interface Details tab, do the following:

a. Specify a descriptive name for the network segment.

b. (On AHV) Optionally, in VLAN ID, specify a VLAN ID.
Make sure that the VLAN ID is configured on the physical switch.
c. In Bridge (on AHV) or CVM Port Group (on ESXi), select the bridge or port group that
you created for the network segment.
d. To specify an IP address pool for the network segment, click Create New IP Pool, and
then, in the IP Pool dialog box, do the following:

• In Name, specify a name for the pool.

• In Netmask, specify the network mask for the pool.
• Click Add an IP Range, specify the start and end IP addresses in the IP Range dialog
box that is displayed.
• Use Add an IP Range to add as many IP address ranges as you need.

Note: Add at least n+1 IP addresses in an IP range considering n is the number of nodes
in the cluster.

• Click Save.
• Use Add an IP Pool to add more IP address pools. You can use only one IP address
pool at any given time.
• Select the IP address pool that you want to use, and then click Next.

Note: You can also use an existing unused IP address pool.

5. On the Feature Selection tab, do the following:

You cannot enable network segmentation for multiple services at the same time. Complete
the configuration for one service before you enable network segmentation for another
service.

a. Select the service whose traffic you want to isolate.

b. Configure the settings for the selected service.
The settings on this page depend on the service you select. For information about
service-specific settings, see Service-Specific Settings and Configurations on page 130.
c. Click Save.

6. In the Create Interface dialog box, click Save.

The CVMs are rebooted multiple times, one after another. This procedure might trigger
more tasks on the cluster. For example, if you configure network segmentation for disaster
recovery, the firewall rules are added on the CVM to allow traffic on the specified ports
through the new CVM interface and updated when a new recovery cluster is added or an
existing cluster is modified.

What to do next
See Service-Specific Settings and Configurations on page 130 for any additional tasks that are
required after you segment the network for a service.

AOS Security | Security Management Using Prism Element (PE) | 128

Modifying Network Segmentation Configured for a Service
To modify network segmentation configured for a service, you must first disable network
segmentation for that service and then create the network interface again for that service with
the new IP address pool and VLAN.

About this task

For example, if the interface of the service you want to modify is ntnx0, after the
reconfiguration, the same interface (ntnx0) is assigned to that service if that interface is not
assigned to any other service. If ntnx0 is assigned to another service, a new interface (for
example ntnx1) is created and assigned to that service.
Perform the following to reconfigure network segmentation configured for a service.

Procedure

1. Disable the network segmentation configured for a service by following the instructions in
Disabling Network Segmentation Configured for a Service on page 129.

2. Create the network again by following the instructions in Isolating Service-Specific Traffic on
page 127.

Disabling Network Segmentation Configured for a Service

To disable network segmentation configured for a service, you must disable the dedicated
VNIC. Disabling network segmentation frees up the name of the VNIC. Disabling network
segmentation frees up the vNIC’s name. The free name is reused in a subsequent network
segmentation configuration.

About this task

At the end of this procedure, the cluster performs a rolling restart. Disabling network
segmentation might also disrupt the functioning of the associated service. To restore normal
operations, you might have to perform other tasks immediately after the cluster has completed
the rolling restart. For information about the follow-up tasks, see Service-Specific Settings and
Configurations on page 130.
To disable the network segmentation configured for a service, do the following:

Procedure

1. Log on to the Prism web console and click the gear icon at the top-right corner of the page.

2. In the left pane, click Network Configuration.

3. On the Internal Interfaces tab, for the interface that you want to disable, click Disable.

Note: The defined IP address pool is available even after disabling the network segmentation.

Deleting a vNIC Configured for a Service

If you disable network segmentation for a service, the vNIC for that service is not deleted. AOS
reuses the vNIC if you enable network segmentation again. However, you can manually delete a
vNIC by logging into any CVM in the cluster with SSH.

Before you begin

Ensure that the following prerequisites are met before you delete the vNIC configured for a
Service:

AOS Security | Security Management Using Prism Element (PE) | 129

• Disable the network segmentation configured for a service by following the instructions in
Disabling Network Segmentation Configured for a Service on page 129.
• Observe the Limitation specified in Limitation for vNIC Hot-Unplugging topic in AHV Admin
Guide.
you

About this task

Perform the following to delete a vNIC.

Procedure

1. Log on to any CVM in the cluster with SSH.

2. Delete the vNIC.

nutanix@cvm$ network_segmentation --service_network --interface="interface-name" --delete

Replace interface-name with the name of the interface you want to delete. For example,
ntnx0.

Service-Specific Settings and Configurations

The following sections describe the settings required by the services that support network
segmentation.

Nutanix Volumes

Network segmentation for Volumes also requires you to migrate iSCSI client connections to the
new segmented network. If you no longer require segmentation for Volumes traffic, you must
also migrate connections back to eth0 after disabling the vNIC used for Volumes traffic.
You can create two different networks for Nutanix Volumes with different IP pools, VLANs, and
data services IP addresses. For example, you can create two iSCSI networks for production and
non-production traffic on the same Nutanix cluster.
Follow the instructions in Isolating Service-Specific Traffic on page 127 again to create the
second network for Volumes after you create the first network.

Table 6: Settings to be Specified When Configuring Traffic Isolation

Parameter or Setting Description

Virtual IP (Optional) Virtual IP address for the service. If
specified, the IP address must be picked from
the specified IP address pool. If not specified,
an IP address from the specified IP address
pool is selected for you.
Client Subnet The network (in CIDR notation) that hosts the
iSCSI clients. Required If the vNIC created for
the service on the CVM is not on the same
network as the clients.
Gateway Gateway to the subnetwork that hosts the
iSCSI clients. Required If you specify the client
subnet.

AOS Security | Security Management Using Prism Element (PE) | 130

Migrating iSCSI Connections to the Segmented Network

After you enable network segmentation for Volumes, you must manually migrate connections
from existing iSCSI clients to the newly segmented network.

Before you begin

Make sure that the task for enabling network segmentation for the service succeeds.

About this task

Note: Even though support is available to run iSCSI traffic on both the segmented and
management networks at the same time, Nutanix recommends that you move the iSCSI traffic for
guest VMs to the segmented network to achieve true isolation.

To migrate iSCSI connections to the segmented network, do the following:

Procedure

1. Log out from all the clients connected to iSCSI targets that are using CVM eth0 or the Data
Service IP address.

2. Optionally, remove all the discovery records for the Data Services IP address (DSIP) on eth0.

3. If the clients are allowlisted by their IP address, remove the client IP address that is on the
management network from the allowlist, and then add the client IP address on the new
network to the allowlist.
nutanix@cvm$ acli vg.detach_external vg_name initiator_network_id=old_vm_IP
nutanix@cvm$ acli vg.attach_external vg_name initiator_network_id=new_vm_IP

Replace vg_name with the name of the volume group and old_vm_IP and new_vm_IP with the old
and new client IP addresses, respectively.

4. Discover the virtual IP address specified for Volumes.

5. Connect to the iSCSI targets from the client.

Migrating Existing iSCSI Connections to the Management Network (Controller VM eth0)

About this task

To migrate existing iSCSI connections to eth0, do the following:

Procedure

1. Log out from all the clients connected to iSCSI targets using the CVM vNIC dedicated to
Volumes.

2. Remove all the discovery records for the DSIP on the new interface.

3. Discover the DSIP for eth0.

4. Connect the clients to the iSCSI targets.

Disaster Recovery with Protection Domains

The settings for configuring network segmentation for disaster recovery apply to all
Asynchronous, NearSync, and Metro Availability replication schedules. You can use disaster
recovery with Asynchronous, NearSync, and Metro Availability replications only if both the

AOS Security | Security Management Using Prism Element (PE) | 131

primary site and the recovery site is configured with Network Segmentation. Before enabling
or disabling the network segmentation on a host, disable all the disaster recovery replication
schedules running on that host.

Table 7: Settings to be Specified When Configuring Traffic Isolation

Parameter or Setting Description

Note: Virtual IP address is different from

the external IP address and the data
services IP address of the cluster.

Gateway Gateway to the subnetwork (subnet).

Remote Site Configuration

After configuring network segmentation for disaster recovery, configure remote sites at both
locations. You also need to reconfigure remote sites if you disable network segmentation.
For information about configuring remote sites, see Remote Site Configuration in the Data
Protection and Recovery with Prism Element Guide.

Segmenting a Stretched Layer 2 Network for Disaster Recovery

A stretched Layer 2 network configuration allows the source and remote metro clusters to be in
the same broadcast domain and communicate without a gateway.

About this task

You can enable network segmentation for disaster recovery on a stretched Layer 2 network
that does not have a gateway. A stretched Layer 2 network is usually configured across the
physically remote clusters such as a metro availability cluster deployment. A stretched Layer 2
network allows the source and remote clusters to be configured in the same broadcast domain
without the usual gateway.
See AOS Release Notes for minimum AOS version required to configure a stretched Layer 2
network.
To configure a network segment as a stretched L2 network, do the following.

AOS Security | Security Management Using Prism Element (PE) | 132

Procedure

• Run the following command:

nutanix@cvm$ network_segmentation --service_network --service_name=kDR --ip_pool=DR-ip-pool-
name --service_vlan=DR-vlan-id --desc_name=Description --host_physical_network=portgroup/
bridge --stretched_metro

Replace the following: (See Isolating Service-Specific Traffic on page 127 for the
information)

• DR-ip-pool-name with the name of the IP Pool created for the DR service or any existing
unused IP address pool.
• DR-vlan-id with the VLAN ID being used for the DR service.
• Description with a suitable description of this stretched L2 network segment.
• portgroup/bridge with the details of Bridge or CVM Port Group used for the DR service.
For more information about the network_segmentation command, see the Command
Reference guide.

Nutanix Disaster Recovery

The settings for configuring network segmentation for Nutanix Disaster Recovery apply to all
Asynchronous, NearSync, and Synchronous replication schedules. For detailed information
about network segmentation for Nutanix Disaster Recovery, see Network Segmentation in the
Nutanix Disaster Recovery Guide.

Table 8: Settings to be Specified When Configuring Traffic Isolation

Parameter or Setting Description

Note: Virtual IP address is different from

the external IP address and the data
services IP address of the cluster.

Gateway Gateway to the subnetwork.

Configuring Backplane IP Pool

This procedure shows how to create an IP pool for backplane interfaces using the new CLI.

About this task

Network Segmentation for backplane traffic previously required an entire subnet even if
a cluster has a small number of nodes. This resulted in inefficient use of IP addresses. The
backplane IP pool feature enables you to provide a small IP pool instead of an entire subnet.
You can create an IP address pool using the new network_segmentation ip_pool command.
The named IP pool includes one or more IP ranges. For example, an IP address from 172.16.1.100

AOS Security | Security Management Using Prism Element (PE) | 133

to 172.16.1.105 can be one IP range and 172.16.1.120 to 172.16.1.125 can be another IP range within
the same named IP pool and same IP subnet.
At present in the Prism interface, there is no option to create an IP address pool for backplane
segmentation. However, the Prism interface allows creating small IP address pools for service-
specific traffic such as Volumes and DR. You can use the new network_segmentation
ip_pool CLI to create IP address pools for Backplane, Volumes, and DR as well. You can also
manage (edit, delete, and update) IP address pools that are created for Backplane, Volumes
and DR using the new CLI.

Procedure

1. Log on to any CVM in the cluster using SSH

2. Create a new IP pool and define the IP ranges

nutanix@cvm$ network_segmentation --ip_pool_name=IP-Pool-name --ip_pool_netmask=netmask
--ip_ranges="[(‘First-IP-Address', ‘Last-IP-Address'), (‘First-IP-Address', ‘Last-IP-
Address')]"
ip_pool create

Replace:

• IP-Pool-name with a user defined IP pool name

• Netmask with a network mask in dotted decimal mask notation
• First-IP-Address with the first IP Address in the range
• Last-IP-Address with the last IP Address in the same range
For example:
nutanix@cvm$ network_segmentation --ip_pool_name=BackplanePool --
ip_pool_netmask=255.255.255.0
--ip_ranges="[('172.16.1.100', '172.16.1.105'), ('172.16.1.120', '172.16.1.125')]"
ip_pool create

3. Enable Network Segmentation for backplane using the new IP pool

nutanix@cvm$ network_segmentation --backplane_network --ip_pool=BackplanePool --
backplane_vlan=1234
--host_virtual_switch=vs1

Enabling Backplane Network Segmentation on a Mixed Hypervisor Cluster

This procedure shows how to enable Backplane Network Segmentation on a mixed hypervisor
cluster.

About this task

You can enable Backplane Network Segmentation on a mixed hypervisor cluster containing:

• ESXi and AHV storage only nodes.

• Hyper-V and AHV storage only nodes.

Procedure

1. Log on to any CVM in the cluster using SSH.

AOS Security | Security Management Using Prism Element (PE) | 134

2. Enable network segmentation for backplane traffic
On a cluster containing ESXi and AHV storage only nodes:
nutanix@cvm$ network_segmentation --backplane_network
--ip_pool=IP-pool-name
--backplane_vlan=VLAN-ID
[--esx_host_physical_network=ESXi-host-portgroup-name ]
[--esx_cvm_physical_network=ESXi-cvm-portgroup-name ]
[--ahv_host_physical_network=AHV-network-name ]

On a cluster containing Hyper-V and AHV storage only nodes:

nutanix@cvm$ network_segmentation --backplane_network
--ip_pool=IP-pool-name
--backplane_vlan=VLAN-ID
[--hyperv_host_physical_network=HyperV-host-network-name ]
[--ahv_host_physical_network=AHV-network-name ]

In the above command replace:

• IP-Pool-name with a user defined IP pool name

• VLAN-ID with a backplane VLAN ID
• ESXi-host-portgroup-name with the ESXi host network name
• ESXi-cvm-portgroup-name with the ESXi CVM network name
• AHV-network-name with the AHV storage only node bridge name
• HyperV-host-network-name with the Hyper-V switch name
For example, enable network segmentation on a mixed hypervisor containing ESXi and AHV
storage only nodes:
nutanix@cvm$ network_segmentation --backplane_network
--ip_pool=BackplanePool
--backplane_vlan=1234
--esx_host_physical_network=host-pg
--esx_cvm_physical_network=cvm-pg
--ahv_host_physical_network=br1

Updating Backplane Portgroup

You can update the backplane portgroups that are assigned to CVM and host nodes. Earlier,
to change a portgroup that is assigned to a CVM and host, you had to disable Network
Segmentation and re-enable with new portgroups.
This feature is only supported on a cluster running ESXi hypervisor.
Updating backplane portgroups helps you to:

• Move from one vSphere Standard Standard Switch (VSS) portgroup to another VSS
portgroup within the same virtual standard switch
• Move from one VSS portgroup to another VSS portgroup in a different Virtual Standard
Switch
• Move from a VSS portgroup to a vSphere Distributed Switch (VDS) portgroup
• Move from a VDS portgroup to a VSS

Note:

AOS Security | Security Management Using Prism Element (PE) | 135

For renaming existing VSS or VDS portgroups, you must manually perform the
rename operation from the vCenter application or use the ESXi CLI and run the update
operation with the new portgroup. This is to ensure the configuration stored in the
Nutanix internal database is up to date.

Limitations of Updating Backplane Portgroup

Consider the following limitations before updating backplane portgroups:

• This feature is not supported on clusters running on the AHV and Hyper-V hypervisors.
• This feature does not support updating any other configuration such as VLAN ID, and IP
address.

Note: This feature does not perform any network validation on the new portgroups. Hence the
user must ensure the portgroup settings are accurate before proceeding with the portgroup
update operation. If the settings are not accurate, the CVM on that node may not be able to
communicate with its peers and this results in a stuck rolling reboot.

Updating Backplane Portgroup

This procedure shows how to update backplane portgroups:

About this task

You can update the backplane portgroups that are assigned to CVM and host nodes

Procedure

1. Log on to any CVM in the cluster using SSH

2. Update the CVM and host portgroups

nutanix@cvm$ network_segmentation --backplane_network
--host_physical_network=new-host-portgroup-name
--cvm_physical_network=new-cvm-portgroup-name
--update

In the above command replace:

• new-host-portgroup-name with the new host portgroup name

• new-cvm-portgroup-name with the new CVM portgroup name
For example:
nutanix@cvm$ network_segmentation --backplane_network
--host_physical_network=new-bp-host-pgroup
--cvm_physical_network=new-bp-cvm-pgroup
--update

For creating a port group, see Creating Port Groups on the Distributed Switch in vSphere
Administration Guide for Acropolis.

IP Address Customization for each CVM and Host

This procedure shows how to create custom IP addresses for each CVM and host for network
segmentation.

About this task

AOS Security | Security Management Using Prism Element (PE) | 136

IP Address customization for each CVM and host feature enables you to allocate an IP
address manually to a CVM and host. This helps in maintaining similarity between external and
segmented IP addresses. This feature is supported while configuring backplane segmentation,
service specific traffic isolation for Volumes, and service specific traffic isolation for Disaster
Recovery.

Procedure

1. Create a JSON file with a mapping of IP Addresses

You must manually define the mapping of the CVM external IP address to the new
segmented IP address in a JSON file. The segmented IP addresses should belong to the
same IP address pool that is created from the Prism UI or the CLI command before starting
the Network Segmentation operation. You can create and save the JSON file in any CVM in
the cluster.
Here is the example of JSON file format:

• JSON file format for Backplane Segmentation:

{
"svmips": {
`cvm_external_ip1`: `cvm_backplane_ip1`,
`cvm_external_ip2`: `cvm_backplane_ip2`,
`cvm_external_ip3`: `cvm_backplane_ip3`
},
"hostips": {
`host_external_ip1`: `host_backplane_ip1`,
`host_external_ip2`: `host_backplane_ip2`,
`host_external_ip3`: `host_backplane_ip3`
}
}

For example:
{
"svmips": {
"10.47.240.141": "172.16.10.141",
"10.47.240.142": "172.16.10.142",
"10.47.240.143": "172.16.10.143"
},
"hostips": {
"10.47.240.137": "172.16.10.137",
"10.47.240.138": "172.16.10.138",
"10.47.240.139": "172.16.10.139"
}
}

• JSON file format for Service Segmentation:

{
"svmips": {
`cvm_external_ip1`: `cvm_service_ip1`,
`cvm_external_ip2`: `cvm_service_ip2`,
`cvm_external_ip3`: `cvm_service_ip3`
}
}

For example:
{
"svmips": {
"10.47.240.141": "10.47.6.141",

AOS Security | Security Management Using Prism Element (PE) | 137

"10.47.240.142": "10.47.6.142",
"10.47.240.143": "10.47.6.143"
}
}

2. Log on to the CVM in the cluster where the JSON file exists using SSH

3. Enable Service Specific Traffic Isolation for Volumes using the JSON file
nutanix@CVM:~$ network_segmentation --service_network
--ip_pool=pool1 --desc_name="Volumes Seg 1"
--service_name=kVolumes
--host_physical_network=dv-volumes-network-1
--service_vlan=151
--ip_map_filepath=/home/nutanix/ip_map.json

Enabling Physical Backplane Segmentation on Hyper-V Using CLI

This procedure shows how to enable physical backplane segmentation on a cluster containing
Hyper-V node using CLI.

About this task

Physical backplane segmentation support is now available on a cluster containing Hyper-V
nodes. Earlier, the support was available on AHV and ESXi nodes.

Procedure

1. Log on to any CVM in the cluster using SSH

2. Enable backplane segmentation on a Hyper-V node

nutanix@CVM:~$ network_segmentation --backplane_network
--ip_pool=IP-Pool-name
--backplane_vlan=VLAN-ID
--host_physical_network=hyperv_host_physical_network

In the above command replace:

• IP-Pool-name with a user defined IP pool name

• VLAN-ID with a backplane VLAN ID
• hyperv_host_physical_network with the Hyper-V switch name
For example:
nutanix@CVM:~$ network_segmentation --backplane_network
--ip_pool=BackplanePool
--backplane_vlan=1234
--host_physical_network=BackplaneSwitch

Network Segmentation during Cluster Expansion

When expanding a cluster:

• If you enable the backplane network segmentation, Prism allocates two IP addresses for
every new node from the backplane IP Pool.
• If you enable service-specific traffic isolation, Prism allocates one IP address for every new
node from the respective (Volumes or DR) IP pools.

AOS Security | Security Management Using Prism Element (PE) | 138

• If enough IP addresses are not available in the specified network, the Prism Element web
console displays a failure message in the tasks page. To add more IP ranges to the IP pool,
see Configuring Backplane IP Pool on page 133.
• If you cannot add more IPs to the IP pool, then reconfigure that specific network
segmentation. For more information about how to reconfigure the network, see
Reconfiguring the Backplane Network on page 122.
• The network settings on the physical switch to which the new nodes are connected must be
identical to the other nodes in the cluster. New nodes communicate with current nodes using
the same VLAN ID for segmented networks. Otherwise, the expand cluster task will fail in the
network validation stage.
• After fulfilling the earlier points, you can add nodes to the cluster. For instructions about how
to add nodes to your Nutanix cluster, see Expanding a Cluster in the Prism Web Console
Guide.

Network Segmentation–Related Changes During an AOS Upgrade

When you upgrade from an AOS version which does not support network segmentation to an
AOS version that does, the eth2 interface (used to segregate backplane traffic) is automatically
created on each CVM. However, the network remains unsegmented, and the cluster services on
the CVM continue to use eth0 until you configure network segmentation.
The vNICs ntnx0, ntnx1, and so on, are not created during an upgrade to a release that supports
service-specific traffic isolation. They are created when you configure traffic isolation for a
service.

Note:
Do not delete the eth2 interface that is created on the Controller VMs, even if you are
not using the network segmentation feature.

Firewall Requirements
Ports and Protocols describes detailed port information (like protocol, service description,
source, destination, and associated service) for Nutanix products and services. It includes port
and protocol information for 1-click upgrades and LCM updates.

Log management
This chapter describes how to configure cluster-wide setting for log-forwarding and
documenting the log fingerprint.

Log Forwarding
The Nutanix Controller VM provides a method for log integrity by using a cluster-wide setting
to forward all the logs to a central log host. Due to the appliance form factor of the Controller
VM, system and audit logs does not support local log retention periods as a significant increase
in log traffic can be used to orchestrate a distributed denial of service attack (DDoS).
Nutanix recommends deploying a central log host in the management enclave to adhere to any
compliance or internal policy requirement for log retention. In case of any system compromise,
a central log host serves as a defense mechanism to preserve log integrity.

Note: The audit in the Controller VM uses the audisp plugin by default to ship all the audit logs
to the rsyslog daemon (stored in /home/log/messages). Searching for audispd in the central log
host provides the entire content of the audit logs from the Controller VM. The audit daemon
is configured with a rules engine that adheres to the auditing requirements of the Operating

AOS Security | Security Management Using Prism Element (PE) | 139

System Security Requirements Guide (OS SRG), and is embedded as part of the Controller VM
STIG.

Use the nCLI to enable forwarding of system, audit, aide, and SCMA logs of all the Controller
nodes in a cluster at the required log level. For more information, see Send Logs to Remote
Syslog Server in the Acropolis Advanced Administration Guide

Documenting the Log Fingerprint

For forensic analysis, non-repudiation is established by verifying the fingerprint of the public
key for the log file entry.

Procedure

1. Login to the CVM.

2. Run the following command to document the fingerprint for each public key assigned to an
individual admin.
nutanix@cvm$ ssh-keygen -lf /<location of>/id_rsa.pub

The fingerprint is then compared to the SSH daemon log entries and forwarded to the
central log host (/home/log/secure in the Controller VM).

Note: After completion of the ssh public key inclusion in Prism and verification of
connectivity, disable the password authentication for all the Controller VMs and AHV hosts.
From the Prism main menu, de-select Cluster Lockdown configuration > Enable Remote
Login with password check box from the gear icon drop-down list.

AOS Security | Security Management Using Prism Element (PE) | 140

SECURITY MANAGEMENT USING PRISM
CENTRAL (PC)
Prism Central provides several mechanisms and features to enforce security of your multi-
cluster environment.
If you enable Identity and Access Management (IAM), see Security Management Using Identity
and Access Management (Prism Central) on page 220.

Configuring Authentication
Caution: Prism Central does not support the SSLv2 and SSLv3 ciphers. Therefore, you must
disable the SSLv2 and SSLv3 options in a browser before accessing Prism Central. This avoids
an SSL Fallback and access denial situations. However, you must enable TLS protocol in the
browser.

Prism Central supports these user authentication options:

• SAML authentication. Users can authenticate through a supported identity provider when
SAML support is enabled for Prism Central. The Security Assertion Markup Language (SAML)
is an open standard for exchanging authentication and authorization data between two
parties: an identity provider (IDP) and Prism Central as the service provider.
If you do not enable Nutanix Identity and Access Management (IAM) on Prism Central, ADFS
is the only supported IDP for Single Sign-on. If you enable IAM, additional IDPs are available.
For more information, see Security Management Using Identity and Access Management
(Prism Central) on page 220 and Updating ADFS When Using SAML Authentication on
page 228.
• Local user authentication. Users can authenticate if they have a local Prism Central account.
See the Nutanix Security Guide for these procedures.
• Active Directory authentication. Users can authenticate using their Active Directory (or
OpenLDAP) credentials when Active Directory support is enabled for Prism Central. See the
Nutanix Security Guide for these procedures.

Adding An Authentication Directory (Prism Central)

Before you begin

Caution: Prism Central does not allow the use of the (not secure) SSLv2 and SSLv3 ciphers. To
eliminate the possibility of an SSL Fallback situation and denied access to Prism Central, disable
(uncheck) SSLv2 and SSLv3 in any browser used for access. However, TLS must be enabled
(checked).

AOS Security | Security Management Using Prism Central (PC) | 141

Procedure

1. In the web console, click the gear icon in the main menu and then select Authentication in
the Settings page.
The Authentication Configuration window appears.

Figure 60: Authentication Configuration Window

2. To add an authentication directory, click the New Directory button.

A set of fields is displayed. Do the following in the indicated fields:

a. Directory Type: Select one of the following from the pull-down list.

• Active Directory: Active Directory (AD) is a directory service implemented by

Microsoft for Windows domain networks.

Note:

• Users with the "User must change password at next logon" attribute
enabled will not be able to authenticate to Prism Central. Ensure users
with this attribute first login to a domain workstation and change their
password prior to accessing Prism Central. Also, if SSL is enabled on the
Active Directory server, make sure that Nutanix has access to that port
(open in firewall).
• Use of the "Protected Users" group is currently unsupported for Prism
authentication. For more details on the "Protected Users" group, see
“Guidance about how to configure protected accounts” on Microsoft
documentation website.
• An Active Directory user name or group name containing spaces is not
supported for Prism Central authentication.
• The Microsoft AD is LDAP v2 and LDAP v3 compliant.
• The Microsoft AD servers supported are Windows Server 2012 R2,
Windows Server 2016, and Windows Server 2019.

AOS Security | Security Management Using Prism Central (PC) | 142

• OpenLDAP: OpenLDAP is a free, open source directory service, which uses the
Lightweight Directory Access Protocol (LDAP), developed by the OpenLDAP project.

Note: Prism Central uses a service account to query OpenLDAP directories for user
information and does not currently support certificate-based authentication with the
OpenLDAP directory.

b. Name: Enter a directory name.

This is a name you choose to identify this entry; it need not be the name of an actual
directory.
c. Domain: Enter the domain name.
Enter the domain name in DNS format, for example, nutanix.com.

d. Directory URL: Enter the URL address to the directory.

Note: LDAPS support does not require custom certificates or certificate trust import.

• Port 389 (LDAP). Use this port number (in the following URL form) when the
configuration is single domain, single forest, and not using SSL.
ldap://ad_server.mycompany.com:389

Note:

• When constructing your LDAP/S URL to use a Global Catalog server,

ensure that the Domain Control IP address or name being used is a global

AOS Security | Security Management Using Prism Central (PC) | 143

catalog server within the domain being configured. If not, queries over
3268/3269 may fail.
• Cross-forest trust between multiple AD forests is not supported.

For the complete list of required ports, see Port Reference.

e. [OpenLDAP only] Configure the following additional fields:

Note:
The value for the following variables depend on your OpenLDAP configuration.

• User Object Class: Enter the value that uniquely identifies the object class of a user.
• User Search Base: Enter the base domain name in which the users are configured.
• Username Attribute: Enter the attribute to uniquely identify a user.
• Group Object Class: Enter the value that uniquely identifies the object class of a
group.
• Group Search Base: Enter the base domain name in which the groups are configured.
• Group Member Attribute: Enter the attribute that identifies users in a group.
• Group Member Attribute Value: Enter the attribute that identifies the users provided
as value for Group Member Attribute.
Here are some of the possible options for the fields:

• User Object Class: user | person | inetOrgPerson | organizationalPerson |

posixAccount
• User Search Base: ou=<organizational unit>, dc=<domain>
• Username Attribute: uid
• Group Object Class: posixGroup | groupOfNames
• Group Search Base: ou=<organizational unit>, dc=<domain>
• Group Member Attribute: member | memberUid
• Group Member Attribute Value: uid
f. Search Type. How to search your directory when authenticating. Choose Non Recursive
if you experience slow directory logon performance. For this option, ensure that users

AOS Security | Security Management Using Prism Central (PC) | 144

listed in Role Mapping are listed flatly in the group (that is, not nested). Otherwise,
choose the default Recursive option.
g. Service Account Username: Depending upon the Directory type you select in step 2.a,
the service account user name format as follows:

• For Active Directory, enter the service account user name in the [email protected]
format.
• For OpenLDAP, enter the service account user name in the following Distinguished
Name (DN) format:
cn=username, dc=company, dc=com

A service account is created to run only a particular service or application with the
credentials specified for the account. According to the requirement of the service or
application, the administrator can limit access to the service account.
A service account is under the Managed Service Accounts in the Active Directory and
openLDAP server. An application or service uses the service account to interact with

AOS Security | Security Management Using Prism Central (PC) | 145

the operating system. Enter your Active Directory and openLDAP service account
credentials in this (username) and the following (password) field.

Note: Be sure to update the service account credentials here whenever the service
account password changes or when a different service account is used.

h. Service Account Password: Enter the service account password.

Note:

• No permissions are granted to the directory users by default. To grant

permissions to the directory users, you must specify roles for the users in that
directory (see Configuring Role Mapping on page 191).
• Service account for both Active directory and openLDAP must have full read
permission on the directory service.

AOS Security | Security Management Using Prism Central (PC) | 146

Figure 61: Directory List Fields

3. To edit a directory entry, click the pencil icon for that entry.
After clicking the pencil icon, the relevant fields reappear. Enter the new information in the
appropriate fields and then click the Save button.

4. To delete a directory entry, click the X icon for that entry.

After clicking the X icon, a window prompt appears to verify the delete action; click the OK
button. The entry is removed from the list.

AOS Security | Security Management Using Prism Central (PC) | 147

Adding a SAML-based Identity Provider

Before you begin

• An identity provider (typically a server or other computer) is the system that provides
authentication through a SAML request. There are various implementations that can provide
authentication services in line with the SAML standard.
• You can specify other tested standard-compliant IDPs in addition to ADFS. See the
Prism Central release notes topic Identity and Access Management Software Support for
specific support requirements and also Security Management Using Identity and Access
Management (Prism Central) on page 220.
IAM allows only one identity provider at a time, so if you already configured one, the + New
IDP link does not appear.
• You must configure the identity provider to return the NameID attribute in SAML response.
Prism Central uses the NameID attribute for role mapping.

Procedure

1. In the web console, click the gear icon in the main menu and then select Authentication in
the Settings page.

2. To add a SAML-based identity provider, click the + New IDP link.

A set of fields is displayed. Do the following in the indicated fields:

a. Configuration name: Enter a name for the identity provider. This name appears in the
logon authentication screen.
b. Group Attribute Name (Optional): Optionally, enter the group attribute name such as
groups. Ensure that this name matches the group attribute name provided in the IDP
configuration.
c. Group Attribute Delimiter (Optional): Optionally, enter a delimiter that needs to be used
when multiple groups are selected for the Group attribute.
d. Import Metadata: Click this option to upload a metadata file that contains the identity
provider information.
Identity providers typically provide an XML file on their website that includes metadata
about that identity provider, which you can download from that site and then upload to
Prism Central. Click + Import Metadata to open a search window on your local system

AOS Security | Security Management Using Prism Central (PC) | 148

and then select the target XML file that you downloaded previously. Click the Save button
to save the configuration.

Figure 62: Identity Provider Fields (metadata configuration)

This step completes configuring an identity provider in Prism Central, but you must also
configure the callback URL for Prism Central on the identity provider. To configure the
callback URL, click the Download Metadata link just below the Identity Providers table to
download an XML file that describes Prism Central and then upload this metadata file to the
identity provider.

3. To edit an identity provider entry, click the pencil icon for that entry.
After clicking the pencil icon, the relevant fields reappear. Enter the new information in the
appropriate fields and then click the Save button.

4. To delete an identity provider entry, click the X icon for that entry.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK
button. The entry is removed from the list.

AOS Security | Security Management Using Prism Central (PC) | 149

Enabling and Configuring Client Authentication

Procedure

1. In the web console, click the gear icon in the main menu and then select Authentication in
the Settings page.

2. Click the Client tab, then do the following steps.

a. Select the Configure Client Chain Certificate check box.

The Client Chain Certificate is a list of certificates that includes all intermediate CA and
root-CA certificates.
b. Click the Choose File button, browse to and select a client chain certificate to upload, and
then click the Open button to upload the certificate.

Note:

• Client and CAC authentication only supports RSA 2048 bit certificate.
• Uploaded certificate files must be PEM encoded. The web console restarts
after the upload step.

c. To enable client authentication, click Enable Client Authentication.

d. To modify client authentication, do one of the following:

Note: The web console restarts when you change these settings.

• Click Enable Client Authentication to disable client authentication.

• Click Remove to delete the current certificate. (This also disables client authentication.)
• To enable OCSP or CRL based certificate revocation checking, see Certificate
Revocation Checking on page 36.
Client authentication allows you to securely access the Prism by exchanging a digital
certificate. Prism will validate that the certificate is signed by your organization’s trusted
signing certificate.
Client authentication ensures that the Nutanix cluster gets a valid certificate from the user.
Normally, a one-way authentication process occurs where the server provides a certificate
so the user can verify the authenticity of the server (see Installing an SSL Certificate on
page 204). When client authentication is enabled, this becomes a two-way authentication
where the server also verifies the authenticity of the user. A user must provide a valid
certificate when accessing the console either by installing the certificate on the local
machine or by providing it through a smart card reader.

Note: The CA must be the same for both the client chain certificate and the certificate on the
local machine or smart card.

AOS Security | Security Management Using Prism Central (PC) | 150

3. To specify a service account that the Prism Central web console can use to log in to Active
Directory and authenticate Common Access Card (CAC) users, select the Configure Service
Account check box, and then do the following in the indicated fields:

Note: Enabling CAC disables all other directory service and local user logons, only the
local admin user logon is permitted in this case.

Note: For federal customers only.

Note: The Prism Central console restarts after you change this setting.

• Validates that the certificate has been signed by your organization’s trusted signing
certificate.
• Extracts the Electronic Data Interchange Personal Identifier (EDIPI) from the certificate
and uses the EDIPI to check the validity of an account within the Active Directory. The
security context from the EDIPI is used for your PRISM session.
• Prism Central supports both certificate authentication and basic authentication in order
to handle both Prism Central login using a certificate and allowing REST API to use
basic authentication. It is physically not possible for REST API to use CAC certificates.
With this behavior, if the certificate is present during Prism Central login, the certificate
authentication is used. However, if the certificate is not present, basic authentication is
enforced and used.

Note: Nutanix Prism does not support OpenLDAP as directory service for CAC.

If you map a Prism Central role to a CAC user and not to an Active Directory group or
organizational unit to which the user belongs, specify the EDIPI (User Principal Name, or
UPN) of that user in the role mapping. A user who presents a CAC with a valid certificate is
mapped to a role and taken directly to the web console home page. The web console login
page is not displayed.

Note: If you have logged on to Prism Central by using CAC authentication, to successfully log
out of Prism Central, close the browser after you click Log Out.

AOS Security | Security Management Using Prism Central (PC) | 151

Certificate Revocation Checking

Enabling Certificate Revocation Checking using Online Certificate Status Protocol (nCLI)

About this task

Procedure

1. Set the OCSP responder URL.

ncli authconfig set-certificate-revocation set-ocsp-responder=<ocsp url><ocsp url> indicates
the location of the OCSP responder.

2. Verify if OCSP checking is enabled.

ncli authconfig get-client-authentication-config

The expected output if certificate revocation checking is enabled successfully is as follows.

Auth Config Status: true
File Name: ca.cert.pem
OCSP Responder URI: http://<ocsp-responder-url>

Enabling Certificate Revocation Checking using Certificate Revocation Lists (nCLI)

About this task

Note: OSCP is the recommended method for checking certificate revocation in client
authentication.

You can use the CRL certificate revocation checking method if required, as described in this
section.
To enable certificate revocation checking using CRL for client authentication, do the following.

• The above command resets any previous OCSP or CRL configurations.

AOS Security | Security Management Using Prism Central (PC) | 152

User Management
Managing Local User Accounts

About this task

The Prism Central admin user is created automatically, but you can add more (locally defined)
users as needed. To add, update, or delete a user account, do the following:

Note:

• To add user accounts through Active Directory, see Configuring Authentication. If

you enable the Prism Self Service feature, an Active Directory is assigned as part of
that process.
• Changing the Prism Central admin user password does not impact registration (re-
registering clusters is not required).

Procedure

• Click the gear icon in the main menu and then select Local User Management in the Settings
page.
The Local User Management dialog box appears.

Figure 63: User Management Window

AOS Security | Security Management Using Prism Central (PC) | 153

• To add a user account, click the New User button and do the following in the displayed
fields:

a. Username: Enter a user name.

b. First Name: Enter a first name.
c. Last Name: Enter a last name.
d. Email: Enter a valid user email address.
e. Password: Enter a password (maximum of 255 characters).

Note: A second field to verify the password is not included, so be sure to enter the
password correctly in this field.

f. Language: Select the language setting for the user.

English is selected by default. You have an option to select Simplified Chinese or
Japanese. If you select either of these, the cluster locale is updated for the new user. For

AOS Security | Security Management Using Prism Central (PC) | 154

example, if you select Simplified Chinese, the user interface is displayed in Simplified
Chinese when the new user logs in.
g. Roles: Assign a role to this user.
There are three options:

• Checking the User Admin box allows the user to view information, perform any
administrative task, and create or modify user accounts.
• Checking the Prism Central Admin (formerly "Cluster Admin") box allows the user
to view information and perform any administrative task, but it does not provide
permission to manage (create or modify) other user accounts.
• Leaving both boxes unchecked allows the user to view information, but it does
not provide permission to perform any administrative tasks or manage other user
accounts.
h. When all the fields are correct, click the Save button (lower right).
This saves the configuration and redisplays the dialog box with the new user appearing in
the list.

AOS Security | Security Management Using Prism Central (PC) | 155

Figure 64: Create User Window

Editing, Disabling, or Deleting a Local User Account

About this task

To update, disable, or delete a local user account, do the following:

AOS Security | Security Management Using Prism Central (PC) | 156

Procedure

1. To modify a user account, click the pencil icon for that user and update one or more of the
values as desired in the Update User window.

Figure 65: Update User Window

2. To disable login access for a user account, click the Yes value in the Enabled field for that
user; to enable the account, click the No value.
A Yes value means the login is enabled; a No value means it is disabled. A user account is
enabled (login access activated) by default.

3. To delete a user account, click the X icon for that user.

A window prompt appears to verify the action; click the OK button. The user account is
removed and the user no longer appears in the list.

AOS Security | Security Management Using Prism Central (PC) | 157

Updating My Account

About this task

To update your account credentials (that is, credentials for the user you are currently logged in
as), do the following:

AOS Security | Security Management Using Prism Central (PC) | 158

Procedure

1. To update your password, select Change Password from the user icon pull-down list of the
main menu.
The Change Password dialog box appears. Do the following in the indicated fields:

a. Current Password: Enter the current password.

Note: Password complexity requirements might appear above the fields; if they do, your new
password must comply with these rules.

AOS Security | Security Management Using Prism Central (PC) | 159

Figure 66: Change Password Window
AOS Security | Security Management Using Prism Central (PC) | 160
2. To update other details of your account, select Update Profile from the user icon pull-down
list.
The Update Profile dialog box appears. Do the following in the indicated fields for any
parameters you want to change:

a. First Name: Enter a different first name.

b. Last Name: Enter a different last name.
c. Email Address: Enter a different valid user email address.
d. Language: Select a different language for your account from the pull-down list.
e. API Key: Enter a new API key.

Note: Your keys can be managed from the API Keys page on the Nutanix support portal
(see Licensing). Your connection will be secure without the optional public key (following

AOS Security | Security Management Using Prism Central (PC) | 161

field), and the public key option is provided in the event that your default public key
expires.

f. Public Key: Click the Choose File button to upload a new public key file.
g. When all the fields are correct, click the Save button (lower right). This saves the changes
and closes the window.

AOS Security | Security Management Using Prism Central (PC) | 162

AOS Security | Security Management Using Prism Central (PC) | 163
Resetting Password (CLI)
This procedure describes how to reset a local user's password on the Prism Element or the
Prism Central web consoles.

About this task

To reset the password using nCLI, do the following:

Note:
Only a user with admin privileges can reset a password for other users.

Procedure

1. Access the CVM via SSH.

2. Log in with the admin credentials.

3. Use the ncli user reset-password command and specify the username and password of the
user whose password is to be reset:
nutanix@cvm$ ncli user reset-password user-name=xxxxx password=yyyyy

• Replace user-name=xxxxx with the name of the user whose password is to be reset.
• Replace password=yyyyy with the new password.

What to do next
You can relaunch the Prism Element or the Prism Central web console and verify the new
password setting.

Deleting a Directory User Account

About this task

To delete a directory-authenticated user, do the following:

Procedure

1. Click the Hamburger icon, and go to Administration > Projects

The Project page appears. This page lists all existing projects.

2. Select the project that the user is associated with and go to Actions > Update Projects
The Edit Projects page appears.

3. Go to Users, Groups, Roles tab.

AOS Security | Security Management Using Prism Central (PC) | 164

4. Click the X icon to delete the user.

Figure 68: Edit Project Window

5. Click Save
Prism deletes the user account and also removes the user from any associated projects.
Repeat the same steps if the user is associated with multiple projects.

Controlling User Access (RBAC)

Prism Central supports role-based access control (RBAC) that you can configure to provide
customized access permissions for users based on their assigned roles. The roles dashboard
allows you to view information about all defined roles and the users and groups assigned to
those roles.

• Prism Central includes a set of predefined roles (see Built-in Role Management on
page 166).
• You can also define additional custom roles (see Custom Role Management on page 166).
• Configuring authentication confers default user permissions that vary depending on the
type of authentication (full permissions from a directory service or no permissions from an
identity provider). You can configure role maps to customize these user permissions (see
Configuring Role Mapping on page 191).

AOS Security | Security Management Using Prism Central (PC) | 165

• You can refine access permissions even further by assigning roles to individual users or
groups that apply to a specified set of entities (see Assigning a Role on page 200).

Note: Please note that the entities are treated as separate instances. For example, if you want
to grant a user or a group the permission to manage cluster and images, an administrator
must add both of these entities to the list of assignments.

• With RBAC, user roles do not depend on the project membership. You can use RBAC and
log in to Prism Central even without a project membership.

Note: Defining custom roles and assigning roles are supported on AHV only.

Built-in Role Management

The following built-in roles are defined by default. You can see a more detailed list of
permissions for any of the built-in roles through the details view for that role (see Displaying
Role Permissions on page 202). The Project Admin, Developer, Consumer, and Operator roles
are available when assigning roles in a project.

Role Privileges

Super Admin Full administrator privileges

Prism Admin Full administrator privileges except for creating or modifying
the user accounts
Prism Viewer View-only privileges
Self-Service Admin Manages all cloud-oriented resources and services

Note: This is the only cloud administration role available.

Project Admin Manages cloud objects (roles, VMs, Apps, Marketplace)

belonging to a project

Note: You can specify a role for a user when you assign
a user to a project, so individual users or groups can have
different roles in the same project.

Developer Develops, troubleshoots, and tests applications in a project

Consumer Accesses the applications and blueprints in a project
Operator Accesses the applications in a project
VPC Admin Manages VPCs and related entities. Agnostic of the physical
network/infrastructure. VPC admin of a Nutanix deployment.

Note: Previously, the Super Admin role was called User Admin, the Prism Admin role was called
Prism Central Admin and Cluster Admin, and the Prism Viewer was called Viewer.

Custom Role Management

If the built-in roles are not sufficient for your needs, you can create one or more custom roles
(AHV only).

AOS Security | Security Management Using Prism Central (PC) | 166

Creating a Custom Role

About this task

To create a custom role, do the following:

Procedure

1. Go to the roles dashboard (select Administration > Roles in the pull-down menu) and click
the Create Role button.
The Roles page appears. See Custom Role Permissions on page 170 for a list of the
permissions available for each custom role option.

AOS Security | Security Management Using Prism Central (PC) | 167

2. In the Roles page, do the following in the indicated fields:

a. Role Name: Enter a name for the new role.

b. Description (optional): Enter a description of the role.

Note: All entity types are listed by default, but you can display just a subset by entering a
string in the Filter Entities search field.

Figure 69: Filter Entities

c. Select an entity you want to add to this role and provide desired access permissions from
the available options. The access permissions vary depending on the selected entity.
For example, for the VM entity, click the radio button for the desired VM permissions:

• No Access
• View Access
• Basic Access
• Edit Access
• Set Custom Permissions
If you select Set Custom Permissions, click the Change link to display the Custom VM
Permissions window, check all the permissions you want to enable, and then click the

AOS Security | Security Management Using Prism Central (PC) | 168

Save button. Optionally, check the Allow VM Creation box to allow this role to create
VMs.

Figure 70: Custom VM Permissions Window

3. Click Save to create the role. The page closes and the new role appears in the Roles view list.

AOS Security | Security Management Using Prism Central (PC) | 169

Modifying a Custom Role

About this task

Perform the following procedure to modify or delete a custom role.

Procedure

1. Go to the roles dashboard and select (check the box for) the desired role from the list.

2. Do one of the following:

» To modify the role, select Update Role from the Actions pull-down list. The Roles page for
that role appears. Update the field values as desired and then click Save. See Creating a
Custom Role on page 167 for field descriptions.
» To delete the role, select Delete from the Action pull-down list. A confirmation message is
displayed. Click OK to delete and remove the role from the list.

Custom Role Permissions

A selection of permission options are available when creating a custom role.

The following table lists the permissions you can grant when creating or modifying a custom
role. When you select an option for an entity, the permissions listed for that option are granted.
If you select Set custom permissions, a complete list of available permissions for that entity
appears. Select the desired permissions from that list.

Entity Option Permissions

App (application) No Access (none)

Basic Access Abort App Runlog, Access Console VM,
Action Run App, Clone VM, Create AWS VM,
Create Image, Create VM, Delete AWS VM,
Delete VM, Download App Runlog, Update
AWS VM, Update VM, View App, View AWS
VM, View VM
Set Custom Abort App Runlog, Access Console VM,
Permissions (select Action Run App, Clone VM, Create App,
from list) Create AWS VM, Create Image, Create VM,
Delete App, Delete AWS VM, Delete VM,
Download App Runlog, Update App, Update
AWS VM, Update VM, View App, View AWS
VM, View VM
VM Recovery Point No Access (none)
View Only View VM Recovery Point
Full Access Delete VM Recovery Point, Restore VM
Recovery Point, Snapshot VM, Update VM
Recovery Point, View VM Recovery Point,
Allow VM Recovery Point creation
Set Custom Delete VM Recovery Point, Restore VM
Permissions (Change) Recovery Point, Snapshot VM, Update VM
Recovery Point, View VM Recovery Point

AOS Security | Security Management Using Prism Central (PC) | 170

Entity Option Permissions

Note:
You can assign permissions for the VM Recovery Point entity
to users or user groups in the following two ways.

• Manually assign permission for each VM where the

recovery point is created.
• Assign permission using Categories in the Role Assignment
workflow.

Tip: When a recovery point is created, it is associated with

the same category as the VM.

VM No Access (none)
View Access Access Console VM, View VM
Basic Access Access Console VM, Update VM Power State,
View VM
Edit Access Access Console VM, Update VM, View Subnet,
View VM
Full Access Access Console VM, Clone VM, Create VM,
Delete VM, Export VM, Update VM, Update
VM Boot Config, Update VM CPU, Update VM
Categories, Update VM Description, Update
VM Disk List, Update VM GPU List, Update
VM Memory, Update VM NIC List, Update VM
Owner, Update VM Power State, Update VM
Project, View Cluster, View Subnet, View VM.
Set Custom Access Console VM, Clone VM, Create
Permissions (select VM, Delete VM, Update VM, Update VM
from list) Boot Config, Update VM CPU, Update VM
Categories, Update VM Disk List, Update VM
GPU List, Update VM Memory, Update VM NIC
List, Update VM Owner, Update VM Power
State, Update VM Project, View Cluster, View
Subnet, View VM.

Granular permissions (applicable if IAM is

enabled, see Granular Role-Based Access
Control (RBAC) on page 194) for details.
Allow VM Power Off, Allow VM Power
On, Allow VM Reboot, Allow VM Reset,
Expand VM Disk Size, Mount VM CDROM,
Unmount VM CDROM, Update VM Memory
Overcommit, Update VM NGT Config, Update
VM Power State Mechanism

Allow VM creation (n/a)

(additional option)
Blueprint No Access (none)

AOS Security | Security Management Using Prism Central (PC) | 171

Entity Option Permissions
View Access View Account, View AWS AZ, View AWS
Elastic IP, View AWS Image, View AWS Key
Pair, View AWS Machine Type, View AWS
Region, View AWS Role, View AWS Security
Group, View AWS Subnet, View AWS Volume
Type, View AWS VPC, View Blueprint, View
Cluster, View Image, View Project, View
Subnet
Basic Access Access Console VM, Clone VM, Create
App,Create Image, Create VM, Delete VM,
Launch Blueprint, Update VM, View Account,
View App, View AWS AZ, View AWS Elastic
IP, View AWS Image, View AWS Key Pair,
View AWS Machine Type, View AWS Region,
View AWS Role, View AWS Security Group,
View AWS Subnet, View AWS Volume Type,
View AWS VPC, View Blueprint, View Cluster,
View Image, View Project, View Subnet, View
VM
Full Access Access Console VM, Clone Blueprint, Clone
VM, Create App, Create Blueprint, Create
Image, Create VM, Delete Blueprint, Delete
VM, Download Blueprint, Export Blueprint,
Import Blueprint, Launch Blueprint, Render
Blueprint, Update Blueprint, Update VM,
Upload Blueprint, View Account, View App,
View AWS AZ, View AWS Elastic IP, View
AWS Image, View AWS Key Pair, View AWS
Machine Type, View AWS Region, View AWS
Role, View AWS Security Group, View AWS
Subnet, View AWS Volume Type, View AWS
VPC, View Blueprint, View Cluster, View
Image, View Project, View Subnet, View VM
Set Custom Access Console VM, Clone VM, Create App,
Permissions (select Create Blueprint, Create Image, Create VM,
from list) Delete Blueprint, Delete VM, Download
Blueprint, Export Blueprint, Import Blueprint,
Launch Blueprint, Render Blueprint, Update
Blueprint, Update VM, Upload Blueprint, View
Account, View App, View AWS AZ, View
AWS Elastic IP, View AWS Image, View AWS
Key Pair, View AWS Machine Type, View
AWS Region, View AWS Role, View AWS
Security Group, View AWS Subnet, View AWS
Volume Type, View AWS VPC, View Blueprint,
View Cluster, View Image, View Project, View
Subnet, View VM
Marketplace Item No Access (none)
View marketplace and View Marketplace Item
published blueprints

AOS Security | Security Management Using Prism Central (PC) | 172

Entity Option Permissions
View marketplace and Update Marketplace Item, View Marketplace
publish new blueprints Item
Full Access Config Marketplace Item, Create Marketplace
Item, Delete Marketplace Item, Render
Marketplace Item, Update Marketplace Item,
View Marketplace Item
Set Custom Config Marketplace Item, Create Marketplace
Permissions (select Item, Delete Marketplace Item, Render
from list) Marketplace Item, Update Marketplace Item,
View Marketplace Item
Report No Access (none)
View Only Notify Report Instance, View Common Report
Config, View Report Config, View Report
Instance
Full Access Create Common Report Config, Create
Report Config, Create Report Instance,
Delete Common Report Config, Delete
Report Config, Delete Report Instance, Notify
Report Instance, Run Report Config, Share
Report Config, Share Report Instance, Update
Common Report Config, Update Report
Config, View Common Report Config, View
Report Config, View Report Instance, View
User, View User Group
Cluster No Access (none)
View Access View Cluster
Update Access Update Cluster
Full Access Update Cluster, View Cluster
Subnet No Access (none)
View Access View Subnet, View Virtual Switch
Image No Access (none)
View Only View Image
Set Custom Copy Image Remote, Create Image, Delete
Permissions (select Image, Migrate Image, Update Image, View
from list) Image
OVA No Access (none)
View Access View OVA
Full Access View OVA, Create OVA, Update OVA and
Delete OVA
Set custom View OVA, Create OVA, Update OVA and
permissions Change Delete OVA
Recovery Plan No Access (none)
View Access View recovery plan

AOS Security | Security Management Using Prism Central (PC) | 173

Entity Option Permissions
Test Execution Access View recovery plan, Validate recovery plan,
Test recovery plan, Clean up test entities
Full Execution Access View recovery plan, Validate recovery plan,
Test recovery plan, Clean up test entities,
Planned failover, Unplanned failover
Set custom View recovery plan, Validate recovery plan,
permissions Change Test recovery plan, Clean up test entities,
Planned failover, Unplanned failover
Object Store No Access (none)
View Access View Object Store
Full Access View Object Store, Create Object Store,
Update Object Store and Delete Object Store
Set custom View Object Store, Create Object Store,
permissions Change Update Object Store and Delete Object Store
Analysis Session No Access (none)
View Only View Analysis Session
Full Access Create Analysis Session, Delete Analysis
Session, Share Analysis Session, Update
Analysis Session, View Analysis Session, View
User and View User Group

Note: Enable CMSP to use this feature.

Dashboard No Access (none)

View Only View Dashboard
Full Access Create Dashboard, Delete Dashboard,
Share Dashboard, Update Dashboard, View
Dashboard, View User and View User Group

Note: Enable CMSP to use this feature.

Capacity Scenario No Access (none)

View Only View Capacity Scenario
Full Access Create Whatif, Delete Whatif, Share Whatif,
Update Whatif, View Whatif, View User and
View User Group

Note: Enable CMSP to use this feature.

The following table describe the permissions.

Note: By default, assigning certain permissions to a user role might implicitly assign more
permissions to that role. However, the implicitly assigned permissions will not be displayed in the
details page for that role. These permissions are displayed only if you manually assign them to
that role.

AOS Security | Security Management Using Prism Central (PC) | 174

Permission Description Assigned Implicilty By

Create App Allows to create an

application.
Delete App Allows to delete an
application.
View App Allows to view an application.
Action Run App Allows to run action on an
application.
Download App Runlog Allows to download an
application runlog.
Abort App Runlog Allows to abort an application
runlog.
Access Console VM Allows to access the console
of a virtual machine.
Create VM Allows to create a virtual
machine.
View VM Allows to view a virtual
machine.
Clone VM Allows to clone a virtual
machine.
Delete VM Allows to delete a virtual
machine.
Export VM Allows to export a virtual
machine
Snapshot VM Allows to snapshot a virtual
machine.
View VM Recovery Point Allows to view a
vm_recovery_point.
Update VM Recovery Point Allows to update a
vm_recovery_point.
Delete VM Recovery Point Allows to delete a
vm_recovery_point.
Restore VM Recovery Point Allows to restore a
vm_recovery_point.
Update VM Allows to update a virtual
machine.
Update VM Boot Config Allows to update a virtual Update VM
machine's boot configuration.
Update VM CPU Allows to update a virtual Update VM
machine's CPU configuration.
Update VM Categories Allows to update a virtual Update VM
machine's categories.
Update VM Description Allows to update a virtual Update VM
machine's description.

AOS Security | Security Management Using Prism Central (PC) | 175

Permission Description Assigned Implicilty By
Update VM GPU List Allows to update a virtual Update VM
machine's GPUs.
Update VM NIC List Allows to update a virtual Update VM
machine's NICs.
Update VM Owner Allows to update a virtual Update VM
machine's owner.
Update VM Project Allows to update a virtual Update VM
machine's project.
Update VM NGT Config Allows updates to a virtual Update VM
machine's Nutanix Guest Tools
configuration.
Update VM Power State Allows updates to a virtual Update VM
machine's power state.
Update VM Disk List Allows to update a virtual Update VM
machine's disks.
Update VM Memory Allows to update a virtual Update VM
machine's memory
configuration.
Update VM Power State Allows updates to a virtual Update VM or Update VM
Mechanism machine's power state Power State
mechanism.
Allow VM Power Off Allows power off and Update VM or Update VM
shutdown operations on a Power State
virtual machine.
Allow VM Power On Allows power on operation on Update VM or Update VM
a virtual machine. Power State
Allow VM Reboot Allows reboot operation on a Update VM or Update VM
virtual machine. Power State
Expand VM Disk Size Allows to expand a virtual Update VM or Update VM
machine's disk size. Disk List
Mount VM CDROM Allows to mount an ISO to Update VM or Update VM
virtual machine's CDROM. Disk List
Unmount VM CDROM Allows to unmount ISO from Update VM or Update VM
virtual machine's CDROM. Disk List
Update VM Memory Allows to update a virtual Update VM or Update VM
Overcommit machine's memory Memory
overcommit configuration.
Allow VM Reset Allows reset (hard reboot) Update VM, Update VM
operation on a virtual Power State, or Allow VM
machine. Reboot
View Cluster Allows to view a cluster.
Update Cluster Allows to update a cluster.
Create Image Allows to create an image.
View Image Allows to view a image.

AOS Security | Security Management Using Prism Central (PC) | 176

Permission Description Assigned Implicilty By
Copy Image Remote Allows to copy an image from
local PC to remote PC.
Delete Image Allows to delete an image.
Migrate Image Allows to migrate an image
from PE to PC.
Update Image Allows to update a image.
Create Image Placement Allows to create an image
Policy placement policy.
View Image Placement Policy Allows to view an image
placement policy.
Delete Image Placement Allows to delete an image
Policy placement policy.
Update Image Placement Allows to update an image
Policy placement policy.
Create AWS VM Allows to create an AWS
virtual machine.
View AWS VM Allows to view an AWS virtual
machine.
Update AWS VM Allows to update an AWS
virtual machine.
Delete AWS VM Allows to delete an AWS
virtual machine.
View AWS AZ Allows to view AWS
Availability Zones.
View AWS Elastic IP Allows to view an AWS Elastic
IP.
View AWS Image Allows to view an AWS image.
View AWS Key Pair Allows to view AWS keypairs.
View AWS Machine Type Allows to view AWS machine
types.
View AWS Region Allows to view AWS regions.
View AWS Role Allows to view AWS roles.
View AWS Security Group Allows to view an AWS
security group.
View AWS Subnet Allows to view an AWS
subnet.
View AWS Volume Type Allows to view AWS volume
types.
View AWS VPC Allows to view an AWS VPC.
Create Subnet Allows to create a subnet.
View Subnet Allows to view a subnet.

AOS Security | Security Management Using Prism Central (PC) | 177

Permission Description Assigned Implicilty By
Update Subnet Allows to update a subnet.
Delete Subnet Allows to delete a subnet.
Create Blueprint Allows to create the blueprint
of an application.
View Blueprint Allows to view the blueprint of
an application.
Launch Blueprint Allows to launch the blueprint
of an application.
Clone Blueprint Allows to clone the blueprint
of an application.
Delete Blueprint Allows to delete the blueprint
of an application.
Download Blueprint Allows to download the
blueprint of an application.
Export Blueprint Allows to export the blueprint
of an application.
Import Blueprint Allows to import the blueprint
of an application.
Render Blueprint Allows to render the blueprint
of an application.
Update Blueprint Allows to update the blueprint
of an application.
Upload Blueprint Allows to upload the blueprint
of an application.
Create OVA Allows to create an OVA.
View OVA Allows to view an OVA.
Update OVA Allows to update an OVA.
Delete OVA Allows to delete an OVA.
Create Marketplace Item Allows to create a
marketplace item.
View Marketplace Item Allows to view a marketplace
item.
Update Marketplace Item Allows to update a
marketplace item.
Config Marketplace Item Allows to configure a
marketplace item.
Render Marketplace Item Allows to render a
marketplace item.
Delete Marketplace Item Allows to delete a
marketplace item.
Create Report Config Allows to create a
report_config.

AOS Security | Security Management Using Prism Central (PC) | 178

Permission Description Assigned Implicilty By
View Report Config Allows to view a
report_config.
Run Report Config Allows to run a report_config.
Share Report Config Allows to share a
report_config.
Update Report Config Allows to update a
report_config.
Delete Report Config Allows to delete a
report_config.
Create Common Report Allows to create a common
Config report_config.
View Common Report Config Allows to view a common
report_config.
Update Common Report Allows to update a common
Config report_config.
Delete Common Report Allows to delete a common
Config report_config.
Create Report Instance Allows to create a
report_instance.
View Report Instance Allows to view a
report_instance.
Notify Report Instance Allows to notify a
report_instance.
Notify Report Instance Allows to notify a
report_instance.
Share Report Instance Allows to share a
report_instance.
Delete Report Instance Allows to delete a
report_instance.
View Account Allows to view an account.
View Project Allows to view a project.
View User Allows to view a user.
View User Group Allows to view a user group.
View Name Category Allows to view a category's
name.
View Value Category Allows to view a category's
value.
View Virtual Switch Allows to view a virtual switch.

The following table describe the permissions.

Note: By default, assigning certain permissions to a user role might implicitly assign more
permissions to that role. However, the implicitly assigned permissions will not be displayed in the

AOS Security | Security Management Using Prism Central (PC) | 179

details page for that role. These permissions are displayed only if you manually assign them to
that role.

Permission Description Assigned Implicilty By

Create App Allows to create an

AOS Security | Security Management Using Prism Central (PC) | 180

Permission Description Assigned Implicilty By
Update VM Description Allows to update a virtual Update VM
machine's description.
Update VM GPU List Allows to update a virtual Update VM
machine's GPUs.
Update VM NIC List Allows to update a virtual Update VM
machine's NICs.
Update VM Owner Allows to update a virtual Update VM
machine's owner.
Update VM Project Allows to update a virtual Update VM
machine's project.
Update VM NGT Config Allows updates to a virtual Update VM
machine's Nutanix Guest Tools
configuration.
Update VM Power State Allows updates to a virtual Update VM
machine's power state.
Update VM Disk List Allows to update a virtual Update VM
machine's disks.
Update VM Memory Allows to update a virtual Update VM
machine's memory
configuration.
Update VM Power State Allows updates to a virtual Update VM or Update VM
Mechanism machine's power state Power State
mechanism.
Allow VM Power Off Allows power off and Update VM or Update VM
shutdown operations on a Power State
virtual machine.
Allow VM Power On Allows power on operation on Update VM or Update VM
a virtual machine. Power State
Allow VM Reboot Allows reboot operation on a Update VM or Update VM
virtual machine. Power State
Expand VM Disk Size Allows to expand a virtual Update VM or Update VM
machine's disk size. Disk List
Mount VM CDROM Allows to mount an ISO to Update VM or Update VM
virtual machine's CDROM. Disk List
Unmount VM CDROM Allows to unmount ISO from Update VM or Update VM
virtual machine's CDROM. Disk List
Update VM Memory Allows to update a virtual Update VM or Update VM
Overcommit machine's memory Memory
overcommit configuration.
Allow VM Reset Allows reset (hard reboot) Update VM, Update VM
operation on a virtual Power State, or Allow VM
machine. Reboot
View Cluster Allows to view a cluster.
Update Cluster Allows to update a cluster.

AOS Security | Security Management Using Prism Central (PC) | 181

Permission Description Assigned Implicilty By
Create Image Allows to create an image.
View Image Allows to view a image.
Copy Image Remote Allows to copy an image from
local PC to remote PC.
Delete Image Allows to delete an image.
Migrate Image Allows to migrate an image
from PE to PC.
Update Image Allows to update a image.
Create Image Placement Allows to create an image
Policy placement policy.
View Image Placement Policy Allows to view an image
placement policy.
Delete Image Placement Allows to delete an image
Policy placement policy.
Update Image Placement Allows to update an image
Policy placement policy.
Create AWS VM Allows to create an AWS
virtual machine.
View AWS VM Allows to view an AWS virtual
machine.
Update AWS VM Allows to update an AWS
virtual machine.
Delete AWS VM Allows to delete an AWS
virtual machine.
View AWS AZ Allows to view AWS
Availability Zones.
View AWS Elastic IP Allows to view an AWS Elastic
IP.
View AWS Image Allows to view an AWS image.
View AWS Key Pair Allows to view AWS keypairs.
View AWS Machine Type Allows to view AWS machine
types.
View AWS Region Allows to view AWS regions.
View AWS Role Allows to view AWS roles.
View AWS Security Group Allows to view an AWS
security group.
View AWS Subnet Allows to view an AWS
subnet.
View AWS Volume Type Allows to view AWS volume
types.
View AWS VPC Allows to view an AWS VPC.

AOS Security | Security Management Using Prism Central (PC) | 182

Permission Description Assigned Implicilty By
Create Subnet Allows to create a subnet.
View Subnet Allows to view a subnet.
Update Subnet Allows to update a subnet.
Delete Subnet Allows to delete a subnet.
Create Blueprint Allows to create the blueprint
of an application.
View Blueprint Allows to view the blueprint of
an application.
Launch Blueprint Allows to launch the blueprint
of an application.
Clone Blueprint Allows to clone the blueprint
of an application.
Delete Blueprint Allows to delete the blueprint
of an application.
Download Blueprint Allows to download the
blueprint of an application.
Export Blueprint Allows to export the blueprint
of an application.
Import Blueprint Allows to import the blueprint
of an application.
Render Blueprint Allows to render the blueprint
of an application.
Update Blueprint Allows to update the blueprint
of an application.
Upload Blueprint Allows to upload the blueprint
of an application.
Create OVA Allows to create an OVA.
View OVA Allows to view an OVA.
Update OVA Allows to update an OVA.
Delete OVA Allows to delete an OVA.
Create Marketplace Item Allows to create a
marketplace item.
View Marketplace Item Allows to view a marketplace
item.
Update Marketplace Item Allows to update a
marketplace item.
Config Marketplace Item Allows to configure a
marketplace item.
Render Marketplace Item Allows to render a
marketplace item.
Delete Marketplace Item Allows to delete a
marketplace item.

AOS Security | Security Management Using Prism Central (PC) | 183

Permission Description Assigned Implicilty By
Create Report Config Allows to create a
report_config.
View Report Config Allows to view a
report_config.
Run Report Config Allows to run a report_config.
Share Report Config Allows to share a
report_config.
Update Report Config Allows to update a
report_config.
Delete Report Config Allows to delete a
report_config.
Create Common Report Allows to create a common
Config report_config.
View Common Report Config Allows to view a common
report_config.
Update Common Report Allows to update a common
Config report_config.
Delete Common Report Allows to delete a common
Config report_config.
Create Report Instance Allows to create a
report_instance.
View Report Instance Allows to view a
report_instance.
Notify Report Instance Allows to notify a
report_instance.
Notify Report Instance Allows to notify a
report_instance.
Share Report Instance Allows to share a
report_instance.
Delete Report Instance Allows to delete a
report_instance.
View Account Allows to view an account.
View Project Allows to view a project.
View User Allows to view a user.
View User Group Allows to view a user group.
View Name Category Allows to view a category's
name.
View Value Category Allows to view a category's
value.
View Virtual Switch Allows to view a virtual switch.

The following table describe the permissions.

AOS Security | Security Management Using Prism Central (PC) | 184

Permission Description Assigned Implicilty By

Create App Allows to create an

AOS Security | Security Management Using Prism Central (PC) | 185

Permission Description Assigned Implicilty By
Update VM Categories Allows to update a virtual Update VM
machine's categories.
Update VM Description Allows to update a virtual Update VM
machine's description.
Update VM GPU List Allows to update a virtual Update VM
machine's GPUs.
Update VM NIC List Allows to update a virtual Update VM
machine's NICs.
Update VM Owner Allows to update a virtual Update VM
machine's owner.
Update VM Project Allows to update a virtual Update VM
machine's project.
Update VM NGT Config Allows updates to a virtual Update VM
machine's Nutanix Guest Tools
configuration.
Update VM Power State Allows updates to a virtual Update VM
machine's power state.
Update VM Disk List Allows to update a virtual Update VM
machine's disks.
Update VM Memory Allows to update a virtual Update VM
machine's memory
configuration.
Update VM Power State Allows updates to a virtual Update VM or Update VM
Mechanism machine's power state Power State
mechanism.
Allow VM Power Off Allows power off and Update VM or Update VM
shutdown operations on a Power State
virtual machine.
Allow VM Power On Allows power on operation on Update VM or Update VM
a virtual machine. Power State
Allow VM Reboot Allows reboot operation on a Update VM or Update VM
virtual machine. Power State
Expand VM Disk Size Allows to expand a virtual Update VM or Update VM
machine's disk size. Disk List
Mount VM CDROM Allows to mount an ISO to Update VM or Update VM
virtual machine's CDROM. Disk List
Unmount VM CDROM Allows to unmount ISO from Update VM or Update VM
virtual machine's CDROM. Disk List
Update VM Memory Allows to update a virtual Update VM or Update VM
Overcommit machine's memory Memory
overcommit configuration.
Allow VM Reset Allows reset (hard reboot) Update VM, Update VM
operation on a virtual Power State, or Allow VM
machine. Reboot

AOS Security | Security Management Using Prism Central (PC) | 186

Permission Description Assigned Implicilty By
View Cluster Allows to view a cluster.
Update Cluster Allows to update a cluster.
Create Image Allows to create an image.
View Image Allows to view a image.
Copy Image Remote Allows to copy an image from
local PC to remote PC.
Delete Image Allows to delete an image.
Migrate Image Allows to migrate an image
from PE to PC.
Update Image Allows to update a image.
Create Image Placement Allows to create an image
Policy placement policy.
View Image Placement Policy Allows to view an image
placement policy.
Delete Image Placement Allows to delete an image
Policy placement policy.
Update Image Placement Allows to update an image
Policy placement policy.
Create AWS VM Allows to create an AWS
virtual machine.
View AWS VM Allows to view an AWS virtual
machine.
Update AWS VM Allows to update an AWS
virtual machine.
Delete AWS VM Allows to delete an AWS
virtual machine.
View AWS AZ Allows to view AWS
Availability Zones.
View AWS Elastic IP Allows to view an AWS Elastic
IP.
View AWS Image Allows to view an AWS image.
View AWS Key Pair Allows to view AWS keypairs.
View AWS Machine Type Allows to view AWS machine
types.
View AWS Region Allows to view AWS regions.
View AWS Role Allows to view AWS roles.
View AWS Security Group Allows to view an AWS
security group.
View AWS Subnet Allows to view an AWS
subnet.

AOS Security | Security Management Using Prism Central (PC) | 187

Permission Description Assigned Implicilty By
View AWS Volume Type Allows to view AWS volume
types.
View AWS VPC Allows to view an AWS VPC.
Create Subnet Allows to create a subnet.
View Subnet Allows to view a subnet.
Update Subnet Allows to update a subnet.
Delete Subnet Allows to delete a subnet.
Create Blueprint Allows to create the blueprint
of an application.
View Blueprint Allows to view the blueprint of
an application.
Launch Blueprint Allows to launch the blueprint
of an application.
Clone Blueprint Allows to clone the blueprint
of an application.
Delete Blueprint Allows to delete the blueprint
of an application.
Download Blueprint Allows to download the
blueprint of an application.
Export Blueprint Allows to export the blueprint
of an application.
Import Blueprint Allows to import the blueprint
of an application.
Render Blueprint Allows to render the blueprint
of an application.
Update Blueprint Allows to update the blueprint
of an application.
Upload Blueprint Allows to upload the blueprint
of an application.
Create OVA Allows to create an OVA.
View OVA Allows to view an OVA.
Update OVA Allows to update an OVA.
Delete OVA Allows to delete an OVA.
Create Marketplace Item Allows to create a
marketplace item.
View Marketplace Item Allows to view a marketplace
item.
Update Marketplace Item Allows to update a
marketplace item.
Config Marketplace Item Allows to configure a
marketplace item.

AOS Security | Security Management Using Prism Central (PC) | 188

Permission Description Assigned Implicilty By
Render Marketplace Item Allows to render a
marketplace item.
Delete Marketplace Item Allows to delete a
marketplace item.
Create Report Config Allows to create a
report_config.
View Report Config Allows to view a
report_config.
Run Report Config Allows to run a report_config.
Share Report Config Allows to share a
report_config.
Update Report Config Allows to update a
report_config.
Delete Report Config Allows to delete a
report_config.
Create Common Report Allows to create a common
Config report_config.
View Common Report Config Allows to view a common
report_config.
Update Common Report Allows to update a common
Config report_config.
Delete Common Report Allows to delete a common
Config report_config.
Create Report Instance Allows to create a
report_instance.
View Report Instance Allows to view a
report_instance.
Notify Report Instance Allows to notify a
report_instance.
Notify Report Instance Allows to notify a
report_instance.
Share Report Instance Allows to share a
report_instance.
Delete Report Instance Allows to delete a
report_instance.
View Account Allows to view an account.
View Project Allows to view a project.
View User Allows to view a user.
View User Group Allows to view a user group.
View Name Category Allows to view a category's
name.

AOS Security | Security Management Using Prism Central (PC) | 189

Permission Description Assigned Implicilty By
View Value Category Allows to view a category's
value.
View Virtual Switch Allows to view a virtual switch.

Granting Restore Permission to Project User

About this task

By default, only a self service admin or a cluster admin can view and restore the recovery
points. However, a self service admin or cluster admin can grant permission to the project user
to restore the VM from a recovery point.
To grant restore Permission to a project user, do the following:

Procedure

1. Log on to Prism Central with cluster admin or self service admin credentials.

2. Go to the roles dashboard (select Administration > Roles in the pull-down menu) and do one
of the following:

• Click the Create Role button.

• Select an existing role of a project user and then select Duplicate from the Actions drop-
down menu. To modify the duplicate role, select Update Role from the Actions pull-down
list.

3. The Roles page for that role appears. In the Roles page, do the following in the indicated
fields:

a. Role Name: Enter a name for the new role.

b. Description (optional): Enter a description of the role.
c. Expand VM Recovery Point and do one of the following:

• Select Full Access and then select Allow VM recovery point creation.
• Click Change next to Set Custom Permissions to customize the permissions. Enable
Restore VM Recovery Point permission. This permission also grants the permission to
view the VM created from the restore process.
d. Click Save to add the role. The page closes and the new role appears in the Roles view
list.

4. In the Roles view, select the newly created role and click Manage Assignment to assign the
user to this role.

5. In the Add New dialog, do the following:

• Under Select Users or User Groups or OUs, enter the target user name. The search box
displays the matched records. Select the required listing from the records.
• Under Entities, select VM Recovery Point, select Individual Entry from the drop-down list,
and then select All VM Recovery Points.
• Click Save to finish.

AOS Security | Security Management Using Prism Central (PC) | 190

Configuring Role Mapping

About this task

After user authentication is configured (see Configuring Authentication on page 141), the
users or the authorized directories are not assigned the permissions by default. The required
permissions must be explicitly assigned to users, authorized directories, or organizational units
using role mapping.
You can refine the authentication process by assigning a role with associated permissions to
users, groups, and organizational units. This procedure allows you to map and assign users to
the predefined roles in Prism Central such as, User Admin, Cluster Admin, and Viewer. To assign
roles, do the following:

Procedure

1. Click the gear icon in the main menu and then select Role Mapping from the Settings page.
The Role Mapping window appears.

Figure 71: Role Mapping Window

AOS Security | Security Management Using Prism Central (PC) | 191

2. To create a role mapping, click the New Mapping button.
The Create Role Mapping window appears. Enter the required information in the following
fields.

Figure 72: Create Role Mapping Window

3. Directory or Provider: Select the target directory or identity provider from the pull-down list.
Only directories and identity providers previously configured in the authentication settings
are available. If the desired directory or provider does not appear in the list, add that
directory or provider, and then return to this procedure.

4. Type: Select the desired LDAP entity type from the pull-down list.
This field appears only if you have selected a directory from the Directory or Provider pull-
down list. The following entity types are available:

• User: A named user. For example, dev_user_1.

• Group: A group of users. For example, dev_grp1, dev_grp2, sr_dev_1, and staff_dev_1.
• OU: organizational units with one or more users, groups, and even other organizational
units. For example, all_dev, consists of user dev_user_1 and groups dev_grp1, dev_grp2,
sr_dev_1, and staff_dev_1.

AOS Security | Security Management Using Prism Central (PC) | 192

5. Role: Select a user role from the pull-down list.
You can choose one of the following roles:

• Viewer: Allows users with view-only access to the information and hence cannot perform
any administrative tasks.
• Cluster Admin (Formerly Prism Central Admin): Allows users to view and perform all
administrative tasks except creating or modifying user accounts.
• User Admin: Allows users to view information, perform administrative tasks, and to create
and modify user accounts.

6. Values: Enter the entity names. The entity names are assigned with the respective roles that
you have selected.
The entity names are case sensitive. If you need to provide more than one entity name, then
the entity names should be separated by a comma (,) without any spaces in between them.
LDAP-based authentication

• For AD
Enter the actual names used by the organizational units (it applies to all users and groups
in those OUs), groups (all users in those groups), or users (each named user) used in
LDAP in the Values field.
For example, entering sr_dev_1,staff_dev_1 in the Values field when the LDAP type is
Group and the role is Cluster Admin, implies that all users in the sr_dev_1 and staff_dev_1
groups are assigned the administrative role for the cluster.
Do not include the domain name in the value. For example, enter all_dev, and not
all_dev@<domain_name>. However, when users log in to Cluster Admin, include the domain
along with the username.
User: Enter the sAMAccountName or userPrincipalName in the values field.
Group: Enter common name (cn) or name.
OU: Enter name.
• For OpenLDAP
User: Use the username attribute (that was configured while adding the directory) value.
Group: Use the group name attribute (cn) value.
OU: Use the OU attribute (ou) value.
SAML-based authentication:
You must configure the NameID attribute in the identity provider. You can enter the NameID
returned in the SAML response in the Values field.
For SAML, only User type is supported. Other types such as, Group and OU, are not
supported.
If you enable Identity and Access Management, see Security Management Using Identity and
Access Management (Prism Central) on page 220

AOS Security | Security Management Using Prism Central (PC) | 193

7. Click Save.
The role mapping configurations are saved, and the new role is listed in the Role Mapping
window.
You can create a role map for each authorized directory. You can also create multiple role
maps that apply to a single directory. When there are multiple maps for a directory, the most
specific rule for a user applies.
For example, adding a Group map set to Cluster Admin and a User map set to Viewer for a
few specific users in that group means all users in the group have administrator permission
except those few specific users who have only viewing permission.

8. To edit a role map entry, click the pencil icon for that entry.
After clicking the pencil icon, the Edit Role Mapping window appears which is similar to the
Create Role Mapping window. Edit the required information in the required fields and click
the Save button to update the changes.

9. To delete a role map entry, click the X icon for that entry and click the OK button to confirm
the role map entry deletion.
The role map entry is removed from the list.

Granular Role-Based Access Control (RBAC)

Granular Role-Based Access Control (RBAC) allows you to assign fine-grained VM operation
permissions to users based on your specific requirements. This feature enables you to create
custom roles with finer permission entities like "Allow VM Power On" or "Allow VM Power Off"
as compared to the broader permissions categories like "Update VM".
The procedure to configure Granular RBAC to users is similar to the procedure outlined in
Creating a Custom Role on page 167. For the complete list of available permissions, see
Custom Role Permissions on page 170.

Note:

• Granular RBAC is supported for VMs running on an AHV cluster.

• Ensure that IAM is enabled, see Enabling IAM on page 224 for details.
• You must be running Prism Central version pc.2021.9 and AOS version 6.0.1 or above.

Cluster Role-Based Access Control (RBAC)

Cluster role-based access control (RBAC) feature enables a super-admin user to provide Prism
Admin and Prism Viewer roles access to one or more clusters registered with Prism Central. A
user with Prism Central admin or viewer role is able to view and act on the entities like VM, host,
container, VM recovery points, and recovery plans from the allowed clusters.
Cluster RBAC is currently supported on an on-prem Prism Central instance hosted in a Prism
Element cluster running AHV or ESXi. After you enable the Micro Services Infrastructure feature
on Prism Central, the Cluster RBAC feature is then automatically enabled.
This feature supports clusters that are hosted on AHV and VMware ESXi.

Note: The Prism Central supports assigning up to 15 clusters to any user or user group.

AOS Security | Security Management Using Prism Central (PC) | 194

Configuring Cluster RBAC

About this task

To configure Cluster RBAC in Prism Central for users or user groups, do the following.

Procedure

1. Log on to Prism Central as an admin user or any user with super admin access.

2. Configure active directory settings.

Note: You can skip this step if an active directory is already configured.

Go to Prism Central Settings > Authentication, click + New Directory and add your preferred
active directory.

3. Click the hamburger menu and go to Administration > Roles.

The page displays system defined and custom roles.

4. Select Prism Admin or Prism Viewer role, then click Actions > Manage Assignment.

5. Click Add New to add a new user or user groups or OU (IDP users or user groups) to this
role.

Figure 73: Role Assignment

You will add users or user groups and assign clusters to the new role in the upcoming steps.

AOS Security | Security Management Using Prism Central (PC) | 195

6. In the Select Users or User Groups or OUs field, do the following:

a. Select the configured AD or IDP from the drop-down.

The drop-down displays a list of available types of user or user group such as Local User,
AD based user or user groups, or SAML based user or user groups. Select Organizational
Units or OU for AD or directories that use SAML based IDP for authentication.

Figure 74: User, User Group or OU selection

b. Search and add the users or groups in the Search User field.
Typing few letters in the search field displays a list of users from which you can select,
and you can add multiple user names in this field.

AOS Security | Security Management Using Prism Central (PC) | 196

7. In the Select Clusters field, you can provide cluster access to AD users or User Groups using
the Individual entity option (one or more registered clusters) or ALL Clusters option.

Figure 75: Select Clusters

8. Click Save.
AD or IDP users or User Groups can log on and access Prism Central as a Prism Admin
or Prism Viewer, and view or act on the entities like VM, host, and container from the
configured clusters.

Cluster RBAC for Volume Group

Cluster role-based access control (RBAC) for Volume Group feature enables a super-admin
user to provide Prism Admin and Prism Viewer roles access to one or more clusters registered
with Prism Central. A user with Prism Admin role can view and update the entities like volume
groups, virtual disks, and storage containers from the allowed clusters. However, a user with
Prism Viewer role can only view the entities.
Cluster RBAC is currently supported on an on-prem Prism Central instance hosted in a Prism
Element cluster running AHV. After you enable the Micro Services Infrastructure feature on
Prism Central, the Cluster RBAC feature is then automatically enabled.
Cluster RBAC for Volume Group feature is supported on AHV and ESXi clusters.

Note: Prism Central supports Cluster RBAC for VG feature from PC.2022.6 release.

Table 9: List of Permissions for Prism Admin and Prism Viewer Roles

Role Privileges

Prism Admin Full administrator privileges except for

creating or modifying the user accounts

Prism Viewer View-only privileges

AOS Security | Security Management Using Prism Central (PC) | 197

Configuring Cluster RBAC for Volume Group

About this task

To configure Cluster RBAC for Volume Group in Prism Central for users or user groups, do the
following.

Procedure

1. Log on to Prism Central as an admin user or any user with super admin access.

2. Configure Active Directory settings.

Note: You can skip this step if an Active Directory is already configured.

Go to Prism Central Settings > Authentication, click + New Directory and add your preferred
Active Directory.

3. Click the hamburger menu and go to Administration > Roles.

The page displays system defined and custom roles.

4. Select Prism Admin or Prism Viewer role, then click Actions > Manage Assignment.

Figure 76: Prism Central Roles

For illustration purpose, the Prism Admin role is selected in this step.

AOS Security | Security Management Using Prism Central (PC) | 198

5. Click Add New to add a new user or user groups to this role.

Figure 77: Role Assignment

You will add users or user groups and assign clusters to the Prism Admin or Prism Viewer
role in the upcoming steps.

6. In the Select Users or Groups field, do the following:

a. Select the configured active directory (AD) from the drop-down.

b. Search and add the users or user groups.
To search a user or user group, start typing few letters and the system will automatically
suggest the names.

7. In the Select Clusters field, you can provide cluster access to AD users or User Groups using
the Individual entity option (one or more registered clusters) or ALL Clusters option.

Figure 78: Select Clusters

AOS Security | Security Management Using Prism Central (PC) | 199

8. Click Save.
AD users or User Groups can log on and access Prism Central as a Prism Admin or Prism
Viewer. They can view or act on the available entities in the configured clusters such as
volume groups, virtual disks, and storage containers.

Assigning a Role

About this task

In addition to configuring basic role maps (see Configuring Role Mapping on page 191), you
can configure more precise role assignments (AHV only). To assign a role to selected users or
groups that applies just to a specified set of entities, do the following:

Procedure

1. Log on to Prism Central as "admin" user or any user with "super admin" access.

2. Configure Active Directory settings.

Note: You can skip this step if an active directory is already configured.

Go to Prism Central Settings > Authentication, click + New Directory and add your preferred
active directory.

3. Click the hamburger menu and go to Administration > Roles.

The page displays system defined and custom roles.

4. Select the desired role in the roles dashboard, then click Actions > Manage Assignment.

5. Click Add New to add Active Directory based users or user groups, or IDP users or user
groups (or OUs) to this role.

Figure 79: Role Assignment

You are adding users or user groups and assigning entities to the new role in the next steps.

AOS Security | Security Management Using Prism Central (PC) | 200

6. In the Select Users or User Groups or OUs field, do the following:

a. Select the configured AD or IDP from the drop-down.

Figure 80: User, User Group or OU selection

7. In the Select Entities field, you can provide access to various entities. The list of available
entities depends on the role selected in Step 4.

This table lists the available entities for each role:

Table 10: Available Entities for a Role

Role Entities

Consumer AHV VM, Image, Image Placement Policy,

OVA, Subnets: VLAN

Developer AHV VM, Cluster, Image, Image Placement

Policy, OVA, Subnets:VLAN

Operator AHV VM, Subnets:VLAN

Prism Admin Individual entity (one or more clusters), All

Clusters

AOS Security | Security Management Using Prism Central (PC) | 201

Role Entities

Prism Viewer Individual entity (one or more clusters), All

Clusters

Custom role (User defined role) Individual entity, In Category (only AHV VMs)

This table shows the description of each entity:

Table 11: Description of Entities

Entity Description

AHV VM Allows you to manage VMs including create

and edit permission

Image Allows you to access and manage image

details

Image Placement Policy Allows you to access and manage image

placement policy details

OVA Allows you to view and manage OVA details

Subnets: VLAN Allows you to view subnet details

Cluster Allows you to view and manage details of

assigned clusters (AHV and ESXi clusters)

All Clusters Allows you to view and manage details of all

clusters

VM Recovery Points Allows you to perform recovery operations

with recovery points.

Recovery Plan (Single PC only) Allows you to view, validate, and test recovery
plans. Also allows you to clean up VMs
created after recovery plan test.

Individual entity Allows you to view and manage individual

entities such as AHV VM, Clusters, and
Subnets:VLAN

8. Repeat Step 5 and Step 6 for any combination of users/entities you want to define.

Note: To allow users to create certain entities like a VM, you may also need to grant them
access to related entities like clusters, networks, and images that the VM requires.

9. Click Save.

Displaying Role Permissions

About this task

Do the following to display the privileges associated with a role.

AOS Security | Security Management Using Prism Central (PC) | 202

Procedure

1. Go to the roles dashboard and select the desired role from the list.
For example, if you click the Consumer role, the details page for that role appears, and you
can view all the privileges associated with the Consumer role.

Figure 81: Role Summary Tab

2. Click the Users tab to display the users that are assigned this role.

Figure 82: Role Users Tab

AOS Security | Security Management Using Prism Central (PC) | 203

3. Click the User Groups tab to display the groups that are assigned this role.

4. Click the Role Assignment tab to display the user/entity pairs assigned this role (see
Assigning a Role on page 200).

Installing an SSL Certificate

About this task
Prism Central supports SSL certificate-based authentication for console access. To install a self-
signed or custom SSL certificate, do the following:

Important: Ensure that SSL certificates are not password protected.

Note: Nutanix recommends that you replace the default self-signed certificate with a CA signed
certificate.

Procedure

1. Click the gear icon in the main menu and then select SSL Certificate in the Settings page.

2. To replace (or install) a certificate, click the Replace Certificate button.

3. To create a new self-signed certificate, click the Replace Certificate option and then click the
Apply button.
A dialog box appears to verify the action; click the OK button. This generates and applies a
new RSA 2048-bit self-signed certificate for Prism Central.

Figure 83: SSL Certificate Window: Regenerate

AOS Security | Security Management Using Prism Central (PC) | 204

4. To apply a custom certificate that you provide, do the following:

a. Click the Import Key and Certificate option and then click the Next button.

Figure 84: SSL Certificate Window: Import

b. Do the following in the indicated fields, and then click the Import Files button.

Note:

• All the three imported files for the custom certificate must be PEM encoded.
• Ensure that the private key does not have any extra data (or custom
attributes) before the beginning (-----BEGIN CERTIFICATE-----) or after the
end (-----END CERTIFICATE-----) of the private key block.
• See Recommended Key Configurations on page 55 to ensure proper set of key
types, sizes/curves, and signature algorithms.

AOS Security | Security Management Using Prism Central (PC) | 205

Figure 85: Importing Certificate

In order to meet the high security standards of NIST SP800-131a compliance, the
requirements of the RFC 6460 for NSA Suite B, and supply the optimal performance
for encryption, the certificate import process validates the correct signature algorithm
is used for a given key/cert pair. See Recommended Key Configurations on page 55 to
ensure proper set of key types, sizes/curves, and signature algorithms. The CA must sign
all public certificates with proper type, size/curve, and signature algorithm for the import
process to validate successfully.

Note: There is no specific requirement for the subject name of the certificates (subject
alternative names (SAN) or wildcard certificates are supported in Prism).

You can use the cat command to concatenate a list of CA certificates into a chain file.
$ cat signer.crt inter.crt root.crt > server.cert

Order is essential. The total chain should begin with the certificate of the signer and end
with the root CA certificate as the final entry.

AOS Security | Security Management Using Prism Central (PC) | 206

Note: The system holds only one custom SSL certificate. If a new certificate is uploaded, it
replaces the existing certificate. The previous certificate is discarded.

Controlling Remote (SSH) Access

About this task
Nutanix supports key-based SSH access to Prism Central. Enabling key-based SSH access
ensures that password authentication is disabled and only the keys you have provided can be
used to access the Prism Central (only for nutanix/admin users). Thus making the Prism Central
more secure.
You can create a key pair (or multiple key pairs) and add the public keys to enable key-based
SSH access. However, when site security requirements do not allow such access, you can
remove all public keys to prevent SSH access.
To control key-based SSH access to Prism Central, do the following:

Procedure

1. Click the gear icon in the main menu and then select Cluster Lockdown in the Settings page.
The Cluster Lockdown dialog box appears. Enabled public keys (if any) are listed in this
window.

Figure 86: Cluster Lockdown Window

2. To disable (or enable) remote login access, uncheck (check) the Enable Remote Login with
Password box.
Remote login access is enabled by default.

AOS Security | Security Management Using Prism Central (PC) | 207

3. To add a new public key, click the New Public Key button and then do the following in the
displayed fields:

a. Name: Enter a key name.

b. Key: Enter (paste) the key value into the field.
c. Click the Save button (lower right) to save the key and return to the main Cluster
Lockdown window.
There are no public keys available by default, but you can add any number of public keys.

4. To delete a public key, click the X on the right of that key line.

Note: Deleting all the public keys and disabling remote login access locks down the cluster
from SSH access.

Security Policies using Flow

Nutanix Flow includes a policy-driven security framework that inspects traffic within the data
center. For more information, see the Flow Microsegmentation Guide.

Data-in-Transit Encryption
Data-in-Transit Encryption allows you to encrypt service level traffic between the cluster nodes.
Data-in-Transit Encryption, along with Data-at-Rest Encryption on page 60, protects the entire
life cycle of data and is an essential countermeasure for unauthorized access of critical data.
To enable Data-in-Transit Encryption, see Enabling Data-in-Transit Encryption on page 208.

Note:

• Data-in-Transit Encryption can have an impact on I/O latency and CPU performance.
• Intra-cluster traffic encryption is supported only for the Stargate service.
• RDMA traffic encryption is not supported.
• When a Controller VM goes down, the traffic from guest VM to remote Controller
VM is not encrypted.
• Traffic between guest VMs connected to Volume Groups is not encrypted when the
target disk is on a remote Controller VM.

Enabling Data-in-Transit Encryption

About this task

Data-in-Transit Encryption allows you to encrypt service level traffic between the cluster nodes.
To enable Data-in-Transit Encryption, do the following.

Before you begin

1. Ensure that the cluster is running AOS version 6.1.1 and Prism Central version pc.2022.4.
2. Ensure that you allow port 2009, which is used for Data-in-Transit Encryption.

Procedure

1. Log on to the Prism Central and click the gear icon.

AOS Security | Security Management Using Prism Central (PC) | 208

2. Go to Hardware > Clusters > Actions and select Enable Data-In-Transit Encryption.
The following confirmation dialog box is displayed.

Figure 87: Enable Data-in-Transit Encryption

3. Click Enable to confirm.

What to do next
You can disable Data-in-Transit Encryption after you have enabled it. To disable Data-in-Transit
Encryption, see Disabling Data-in-Transit Encryption on page 209.

Disabling Data-in-Transit Encryption

About this task

You can disable Data-in-Transit Encryption after you have enabled it. To disable Data-in-Transit
Encryption, do the following.

Procedure

1. Log on to the Prism Central and click the gear icon.

AOS Security | Security Management Using Prism Central (PC) | 209

2. Go to Hardware > Clusters > Actions and select Disable Data-In-Transit Encryption.
The following confirmation dialog box is displayed.

Figure 88: Disable Data-in-Transit Encryption

3. Click Disable to confirm.

Securing AHV VMs with Virtual Trusted Platform Module (vTPM)

Overview
A Trusted Platform Module (TPM) is used to manage cryptographic keys for security services
like encryption and hardware (and software) integrity protection. AHV vTPM is software-based
emulation of the TPM 2.0 specification that works as a virtual device.

Note: AHV vTPM does NOT require OR use a hardware TPM.

You can use the AHV vTPM feature to secure virtual machines running on AHV.

vTPM Use Cases

AHV vTPM provides virtualization-based security support for the following primary use cases.

Tip: Windows 11 installation requires TPM 2.0, see Microsoft website for Windows 11 specs,
features, and computer requirements.

Considerations for Enabling vTPM in AHV VMs (Prism Central)

Requirements
Supported Software Versions:

• Prism Central version pc.2022.9 or above

• AHV version 20220304.242 or above

AOS Security | Security Management Using Prism Central (PC) | 210

• AOS version 6.5.1 or above
VM Requirements:

Limitations

• All Secure Boot limitations apply to vTPM VM.

• Disaster recovery is not supported for vTPM VMs.

Creating a VM with vTPM

About this task

You can create a virtual machine with the vTPM configuration enabled using the following
procedure.

Procedure

1. Go to the List tab of the VMs dashboard (see VM Summary View) and click the Create VM
button.
The Create VM wizard appears. Follow the instructions in the Creating a VM topic for details
on the Create VM wizard.

2. At the Shield VM Security Settings, click the Attach vTPM check box to enable vTPM for the
selected VM.

Note: Shield VM Security Settings is available only if you have enabled UEFI BIOS Mode for
Boot Configuration.

Figure 89: Attach vTPM

3. Click Next at the subsequent VM setting tabs and then click Save.

What to do next
You can now start the VM to verify if the vTPM configuration is applied on the VM.

AOS Security | Security Management Using Prism Central (PC) | 211

Enabling vTPM on an Existing VM

About this task

You can update the settings of an existing virtual machine to enable vTPM using the following
procedure.

Procedure

1. You can choose to manage or update an existing VM configuration using any of the
following methods, see Managing a VM (AHV) for details.

• Select the target VM in the List tab of the VMs dashboard (see VMs Summary View) and
choose the required action from the Actions menu.
• Right-click on the target VM in the List tab of the VMs dashboard and select the required
action from the drop-down list.
• Go to the details page of a selected VM (see VM Details View) and select the desired
action.

2. VM must be powered off before you can update the Shield VM Security Settings
configuration. To power off the VM, select More and then Power Off.

3. To modify the VM configuration, select Update.

4. Go to Shield VM Security Settings and click the Attach vTPM check box to enable vTPM for
the selected VM.

Note:

• Shield VM Security Settings is available only if you have enabled UEFI BIOS Mode
for Boot Configuration
• Shield VM settings cannot be selected when the VM is running. Shut down the VM
to update these settings.

Figure 90: Attach vTPM

5. Click Next at the subsequent VM setting tabs and then click Save.

What to do next
You can now start the VM to verify if the vTPM configuration is applied on the VM.

AOS Security | Security Management Using Prism Central (PC) | 212

Removing vTPM from an Existing VM

About this task

You can update the settings of an existing virtual machine to remove the previously enabled
vTPM setting using the following procedure.

Procedure

1. You can choose to manage or update an existing VM configuration using any of the
following methods, see Managing a VM (AHV) for details.

2. VM must be shut down before you can update the Shield VM Security Settings
configuration. To shut down the VM, select More and then Power Off.

3. To modify the VM configuration, select Update.

4. Go to Shield VM Security Settings and click (to uncheck) the Attach vTPM check box to
disable vTPM for the selected VM.

Warning: Disabling vTPM may severely affect VM functionality or result in data loss. For
example, if Microsoft Windows BitLocker key is stored in vTPM, then you will require the
recovery key to unlock the encrypted disk.

Note: Shield VM settings cannot be selected when the VM is running. Shut down the VM to
update these settings.

5. Click Next at the subsequent VM setting tabs and then click Save.

Security Dashboard
This topic provides an overview of the Security Dashboard.

Overview
The Security Dashboard provides dynamic summary of the security posture across all
registered clusters. The Security Dashboard allows you to view the most critical security
parameters like cluster-based issue summary, STIG policy compliance, security hardening, and
identified vulnerabilities. The security dashboard is divided into multiple widgets to represent
different security focus areas.
You can customize the security dashboard based on your preference. See Managing Security
Dashboard on page 219 to customize the security dashboard. A sample view of the Security
Dashboard with the default widgets is displayed in the figure.

AOS Security | Security Management Using Prism Central (PC) | 213

Requirements
Ensure that meet the following requirements to use Security Dashboard.

• Enable Microservices infrastructure on Prism Central, see Enabling Microservices

Infrastructure in the Prism Central Guide.
• Ensure that your cluster is running on AOS version 6.6 or later and Prism Central version
2022.9 or later.
• Ensure that your cluster has internet connectivity. Security Dashboard is not available on
dark sites.

Security Widget (PC Main Dashboard)

This topic provides the information on the Security information tile or widget available in the
Prism Central Main Dashboard.
The Security widget displays the total number of security issues in your clusters. The
issue count is also available based on categories like security hardening, STIG issues, and
vulnerabilities. Click View All Issuesto go to the Security Dashboard that contains detailed
information on the security posture of all registered clusters.

AOS Security | Security Management Using Prism Central (PC) | 214

Figure 91: Security Dashboard Widget

Security Dashboard Wizard

The Security Dashboard wizard allows you to take a guided tour and navigate through the
various tasks and workflows in the Security Dashboard.
The Security Wizard is automatically presented as a dialog-box when you access the dashboard
feature for the first time. Click Start Tour to begin the dashboard walkthrough.
Optionally, click Skip for Now to go the dashboard directly. To access this tour later, click the
help menu icon ("?"), expand New in Prism Central, and select Security Dashboard.

AOS Security | Security Management Using Prism Central (PC) | 215

Figure 92: Security Dashboard Wizard

Using the Security Dashboard

Security Dashboard is a customizable and dynamic console to monitor the security posture of
your Nutanix infrastructure in a single view.

Accessing the Security Dashboard

You can view the security dashboard in Prism Central using any of the following methods.

• Go to Prism Central Main Dashboard > Security widget and click View All Issues.

AOS Security | Security Management Using Prism Central (PC) | 216

• Click the hamburger icon, go to Network & Security > Security Dashboard.

Tip: The Security Dashboard Wizard is automatically presented as a pop-up when you access
the dashboard feature for the first time. Click Start Tour to begin the dashboard walkthrough.
Optionally, click Skip for Now to go the dashboard directly.

Navigating the Security Dashboard

The security dashboard displays the following four information tiles (widgets) by default.

• Summary on page 217

• STIG Policy on page 217
• Security Hardening on page 218
• Vulnerabilities on page 218

Tip: You can change the view of the security dashboard based on the following options.

• All clusters
• Individual cluster
• Selection of clusters
The View selection menu on the top-right corner of the dashboard allows you to switch
between the different views. The values displayed in the widgets are dynamically
updated based your selection.

Summary
The Summary widget allows you to view your open security issues or focus on the clusters
that have the most number of security issues. You can click the Summary pie graph to view the
following information.

• Total number of issues in the clusters

• Number of issues in the clusters categorized based on the following issue categories:

• Security Hardening
• STIG Issues
• Vulnerabilities

Tip: The Security Dashboard refreshes once daily. Updating the STIG check based vulnerabilities
information requires a manual refresh. You can initiate a manual refresh by clicking the refresh
icon at the bottom of the widget. Manual refresh process takes some approximately 20 minutes
to 2 hours to complete and depends on the number of clusters in your environment.

STIG Policy
STIG helps detect deviation from the security baseline configuration of the operating system
and hypervisor to remain in compliance. Nutanix has implemented the Controller VM and Prism
Central VM to support STIG compliance with the RHEL 8 STIG as published by DISA. For more
information, see DISA STIG Guidance Reference.

AOS Security | Security Management Using Prism Central (PC) | 217

The STIG Policy widget provides an accurate snapshot of policy violations or deviations
(resulting in failure) from the baseline STIG policy. This widget displays the STIG policy
compliance status according to controls and resources.

Note: The STIG checks are run only on the node running primary Prism Element.

Status by Controls (Unique) Number of unique STIG controls that are not
met.

Status by Resources (Total) Total number of individual resources that

have failed a set of STIG controls.

Click View Failed Controls to view the list of STIG controls that are not met.

STIG Policy - Failed Controls

The STIG Policy -Failed Controls dialog box allows you to view STIG controls that do not meet
the required settings.

Security Hardening
The Security Hardening widget displays the status of security hardening controls applied on
your clusters. This widget also allows you to configure multiple security hardening controls
from the widget directly.
You can configure the following Security Hardening configurations from the security hardening
widget.

Hardening Parameter Description

High-Strength Password Enable high strength password for clusters.

Note: Ensure that you update the

Controller VM and AHV passwords after
enabling this setting, see Resetting
Password (CVM) and Changing Admin
User Password (AHV).

Advanced Intrusion Detection Environment Enable AIDE.

(AIDE)
Security Configuration Management Enable SCMA frequency for AHV hosts and
Automation (SCMA) Controller VM.

Note: Higher frequency SCMA scan can

decrease performance on the respective
cluster.

Cluster Lockdown Enable cluster lockdown mode.

Defense Consent Banner Enable defense consent banner for AHV hosts
and Controller VM.

Refer to the Nutanix Security Guide to enable other hardening settings using Prism or nCLI.

Vulnerabilities
The Vulnerabilities widget displays a list of vulnerabilities (or CVEs) associated with your
clusters based on the Acropolis Operating System versions.

AOS Security | Security Management Using Prism Central (PC) | 218

Click View All Vulnerabilities to view the list of all vulnerabilities and the recommended
upgrade path for mitigating the identified vulnerabilities.

Note: Not all the listed CVEs might be resolved when upgraded to a new release.

Managing Security Dashboard

About this task

To manage the security dashboard, do the following.

Procedure

1. Click the Manage Dashboard hyperlink available at the top-right corner of the Security
Dashboard.

2. Click Refresh Dashboard to refresh the security dashboard manually.

Note: Security Dashboard refreshes once daily. This process takes some time to complete.

3. View Security Dashboard Version.

Ensure that your Security Dashboard version is updated in Life Cycle Manager (LCM) to
ensure security details are correct for all your clusters.

Figure 93: Manage Security Dashboard

Password Retry Lockout

For enhanced security, Prism Central and Prim Element locks out the default 'admin' account
for a period of 15 minutes after five unsuccessful login attempts. Once the account is locked
out, the following message is displayed at the login screen.
Account locked due to too many failed attempts

You can attempt entering the password after the 15 minutes lockout period, or contact Nutanix
Support in case you have forgotten your password.

AOS Security | Security Management Using Prism Central (PC) | 219

SECURITY MANAGEMENT USING
IDENTITY AND ACCESS MANAGEMENT
(PRISM CENTRAL)
Administered from Prism Central, Identity and Access Management (IAM) is an authentication
and authorization feature that uses attribute-based access control (ABAC). This section
describes Prism Central IAM prerequisites and SAML-based standard-compliant identity
provider (IDP) configuration.
IAM is enabled by default. When Microservices Infrastructure (CMSP) is enabled (whether
by default or manually) on Prism Central, IAM is automatically enabled. See Microservices
Infrastructure.
You can configure a wider selection of identity providers, including Security Assertion Markup
Language (SAML) based identity providers. The Prism Central web console presents an
updated sign-on/authentication page.
The enable process migrates existing directory, identity provider, and user configurations,
including Common Access Card (CAC) client authentication configurations. If you want to
enable a client to authenticate by using certificates, you must also enable CAC authentication.
See Identity and Access Management Prerequisites and Considerations on page 222. See also
the Prism Central release notes topic Identity and Access Management Software Support for
specific support requirements.
The work flows for creating authentication configurations and providing user and role access
described in Configuring Authentication on page 141)Configuring Authentication topic in
Security Guide are the same whether IAM is enabled or not.

IAM Features
Highly Scalable Architecture
Based on the Kubernetes open source platform, IAM uses independent pods for
authentication (AuthN), authorization (AuthZ), and IAM data storage and replication.

• Each pod automatically scales independently of Prism Central when required. No user
intervention or control is required.
• When new features or functions are available, you can update IAM pods independently
of Prism Central updates through Life Cycle Manager (LCM).
• IAM uses a rolling upgrade method to help ensure zero downtime.
Secure by Design

• Mutual TLS authentication (mTLS) secures IAM component communication.

• The Micro Services infrastructure (CMSP) on Prism Central provisions certificates for
mTLS.
More SAML Identity Providers (IDP)
Without enabling CMSP/IAM on Prism Central, Active Directory Federation Services
(ADFS) is the only supported IDP for Single Sign-on. After you enable it, IAM supports
more IDPs. Nutanix has tested these IDPs when SAML IDP authentication is configured
for Prism Central.

• Active Directory Federation Services (ADFS)

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 220
• Azure Active Directory Federation Services (Azure ADFS)
• Okta
• PingOne
• Shibboleth
• Keycloak
Users can log on from the Prism Central web console only. IDP-initiated authentication
work flows are not supported. That is, logging on or signing on from an IDP web page or
site is not supported.
Updated Authentication Page
After enabling IAM, the Prism Central login page is updated depending on your
configuration. For example, if you have configured local user account and Active
Directory authentication, this default page appears for directory (AD) users as follows. To
log in as a local user, click the Log In with your Nutanix Local Account link.

Figure 94: Sample Default Prism Central IAM Logon Page, Active Directory And Local
User Authentication

In another example, if you have configured SAML authentication instances named Shibboleth
and AD2, Prism Central displays this page.

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 221
Figure 95: Sample Prism Central IAM Logon Page, Active Directory , Identity Provider, And
Local User Authentication

Note: After upgrade to pc.2022.9 if the Security Assertion Markup Language (SAML) IDP is
configured, you need to download the Prism Central metadata and re-configure the SAML IDP
to recognize Prism Central as the service provider. See Updating ADFS When Using SAML
Authentication on page 228 to create the required rules for ADFS.

Identity and Access Management Prerequisites and Considerations

Make sure you meet the requirements listed before you enable the microservices infrastructure,
which enables IAM.

IAM Prerequisites
For specific minimum software support and requirements for IAM, see the Prism Central release
notes.
For microservices infrastructure requirements, see Microservices Infrastructure.
Prism Central
See Microservices Infrastructure.
Prism Element Clusters
See Microservices Infrastructure.

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 222
IAM Considerations
First Log on after Upgrading to Prism Central Version
After you upgrade Prism Central to a minimum version of pc.2022.9, when you log in to
Prism Central for the first time using IAM, click Log in with your Nutanix Local Account
and log in using the default admin credentials.
After this first time login, for subsequent login you can use your Active Directory (AD)
user credentials.
Existing Authentication and Authorization Migrated When IAM is Enabled

• When you enable IAM by enabling CMSP, IAM migrates existing authentication and
authorization configurations, including Common Access Card client authentication
configurations.
If Security Assertion Markup Language (SAML) IDP is configured
Signed single logout (SAML SLO) is not supported. This limitation results in a error on the
SAML ADFS page when you logout of Prism Central
Upgrading Prism Central After Enabling CMSP
After you upgrade Prism Central, if Microservices Infrastructure (and IAM) was previously
enabled, both the services are enabled by default if the cluster meets all the requirements
as provided in Microservices Infrastructure. You must contact Nutanix Support for any
custom requirement.

Note: After upgrade to pc.2022.9 if the Security Assertion Markup Language (SAML) IDP
is configured, you need to download the Prism Central metadata and re-configure the
SAML IDP to recognize Prism Central as the service provider. See Updating ADFS When
Using SAML Authentication on page 228 to create the required rules for ADFS.

User Session Lifetime

• Each session has a maximum lifetime of 8 hours

• Session idle time is 15 minutes. After 15 minutes, a user or client is logged out and must
re-authenticate.
Client Authentication and Common Access Card (CAC) Support

• IAM supports deployments where CAC authentication and client authentication are
enabled on Prism Central. When IAM is enabled, if you want to enable a client to
authenticate by using certificates, you must also enable CAC authentication.

Note: IAM does not support client authentication if CAC authentication is not enabled.

• Ensure that port 9441 is open in your firewall if you are using CAC client
authentication.
Hypervisor Support

• You can deploy IAM on an on-premise Prism Central (PC) deployment hosted on
an AOS cluster running AHV or ESXi. Clusters running other hypervisors are not
supported.

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 223
Enabling IAM
Before you begin

• IAM on Prism Central is disabled by default. When Microservices Infrastructure is enabled

(whether by default or manually) on Prism Central, IAM is automatically enabled.
• See Microservices Infrastructure in the Prism Central Guide.
• See Identity and Access Management Prerequisites and Considerations on page 222
and also the Prism Central release notes topic Identity and Access Management Software
Support for specific support requirements.

Procedure

1. Ensure that Microservices Infrastructure is enabled (whether by default or manually) on

Prism Central as described in Microservices Infrastructure.

2. To view task status:

a. Open a web browser and log in to the Prism Central web console.
b. Go to the Activity > Tasks dashboard and find the IAM Migration & Bootstrap task.
The task takes up to 60 minutes to complete. Part of the task is migrating existing
authentication configurations.

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 224
3. After the enablement tasks are completed, including the IAM Migration & Bootstrap task, log
out of Prism Central. Wait at least 15 minutes before logging on to Prism Central.
The Prism Central web console shows a new log in page as shown below. This confirms that
IAM is enabled.

Note:
Depending on your existing authentication configuration, the log in page might look
different.

Also, you can go to Settings > Prism Central Management page to verify if Prism Central on
Microservices Infrastructure (CMSP) is enabled. CMSP and IAM enablement happen together.

Figure 96: Sample Prism Central IAM Logon Page

What to do next
Configure authentication and access. If you are implementing SAML authentication with Active
Directory Federated Services (ADFS), see Updating ADFS When Using SAML Authentication on
page 228.

Configuring Authentication
Caution: Prism Central does not support the SSLv2 and SSLv3 ciphers. Therefore, you must
disable the SSLv2 and SSLv3 options in a browser before accessing Prism Central. This disabling
avoids an SSL Fallback and access denial situations. However, you must enable TLS protocol in
the browser.

Prism Central supports user authentication with these authentication options:

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 225
• SAML authentication. Users can authenticate through a supported identity provider when
SAML support is enabled for Prism Central. The Security Assertion Markup Language (SAML)
is an open standard for exchanging authentication and authorization data between two
parties: an identity provider (IDP) and Prism Central as the service provider.
With IAM, in addition to ADFS, other IDPs are available. For more information, see Security
Management Using Identity and Access Management (Prism Central) on page 220 and
Updating ADFS When Using SAML Authentication on page 228.
• Local user authentication. Users can authenticate if they have a local Prism Central account.
For more information, see Managing Local User Accounts.
• Active Directory authentication. Users can authenticate using their Active Directory (or
OpenLDAP) credentials when Active Directory support is enabled for Prism Central.

Enabling and Configuring Client Authentication/CAC

Before you begin

• To enable a client to authenticate by using certificates, you must also enable CAC
authentication.
• Ensure that port 9441 is open in your firewall if you are using CAC client authentication. After
enabling CAC client authentication, your CAC logon redirects the browser to use port 9441.

Procedure

1. In the web console, click the gear icon in the main menu and then select Authentication in
the Settings page.

2. Click the Client tab, then do the following steps.

a. Select the Configure Client Chain Certificate check box.

b. Click the Choose File button, browse to and select a client chain certificate to upload, and
then click the Open button to upload the certificate.

Note: Uploaded certificate files must be PEM encoded. The web console restarts after the
upload step.

c. To enable client authentication, click Enable Client Authentication.

d. To modify client authentication, do one of the following:

Note: The web console restarts when you change these settings.

• Click Enable Client Authentication to disable client authentication.

• Click Remove to delete the current certificate. (This deletion also disables client
authentication.)
• To enable OCSP or CRL-based certificate revocation checking, see Certificate
Revocation Checking.
Client authentication allows you to securely access the Prism by exchanging a digital
certificate. Prism validates if the certificate is signed by the trusted signing certificate of your
organization.
Client authentication ensures that the Nutanix cluster gets a valid certificate from the user.
Normally, a one-way authentication process occurs where the server provides a certificate so

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 226
the user can verify the authenticity of the server. When client authentication is enabled, this
process becomes a two-way authentication where the server also verifies the authenticity
of the user. A user must provide a valid certificate when accessing the console either by
installing the certificate on the local machine, or by providing it through a smart card reader.

Note: The CA must be the same for both the client chain certificate and the certificate on the
local machine or smart card.

a. Directory: Select the authentication directory that contains the CAC users that you want
to authenticate.
This list includes the directories that are configured on the Directory List tab.
b. Service Username: Enter the user name in the user [email protected] format that you want
the web console to use to logon to the Active Directory.
c. Service Password: Enter the password for the service user name.
d. Click Enable CAC Authentication.

Note: For federal customers only.

Note: The Prism Central console restarts after you change this setting.

• Validates that the certificate has been signed by the trusted signing certificate of your
organization.
• Extracts the Electronic Data Interchange Personal Identifier (EDIPI) from the certificate
and uses the EDIPI to check the validity of an account within the Active Directory. The
security context from the EDIPI is used for your PRISM session.
• Prism Central supports both certificate authentication and basic authentication in order
to handle both Prism Central login using a certificate and allowing REST API to use
basic authentication. It is physically not possible for REST API to use CAC certificates.
With this behavior, if the certificate is present during Prism Central login, the certificate
authentication is used. However, if the certificate is not present, basic authentication is
enforced and used.
If you map a Prism Central role to a CAC user and not to an Active Directory group or
organizational unit to which the user belongs, specify the EDIPI (User Principal Name, or
UPN) of that user in the role mapping. A user who presents a CAC with a valid certificate is
mapped to a role and taken directly to the web console home page. The web console login
page is not displayed.

Note: If you have logged on to Prism Central by using CAC authentication, to successfully log
out of Prism Central, close the browser after you click Log Out.

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 227
Updating ADFS When Using SAML Authentication
With Nutanix IAM, to maintain compatibility with new and existing IDP/SAML authentication
configurations, update your Active Directory Federated Services (ADFS) configuration -
specifically the Prism Central Relying Party Trust settings. For these configurations, you are
using SAML as the open standard for exchanging authentication and authorization data
between ADFS as the identity provider (IDP) and Prism Central as the service provider. See the
Microsoft Active Directory Federation Services documentation for details.

About this task

In your ADFS Server configuration, update the Prism Central Relying Party Trust settings by
creating claim rules to send the selected LDAP attribute as the SAML NameID in email address
format. For example, map the User Principal Name to NameID in the SAML assertion claims.
As an example, this topic uses UPN as the LDAP attribute to map. You could also map the
email address attribute to NameID. See the Microsoft Active Directory Federation Services
documentation for details about creating a claims aware Relying Party Trust and claims rules.

Procedure

1. In the Relying Party Trust for Prism Central, configure a claims issuance policy with two rules.

a. One rule based on the Send LDAP Attributes as Claims template.

b. One rule based on the Transform an Incoming Claim template

2. For the rule using the Send LDAP Attributes as Claims template, select the LDAP Attribute
as User-Principal-Name and set Outgoing Claim Type to UPN.
For User group configuration using the Send LDAP Attributes as Claims template, select
the LDAP Attribute as Token-Groups - Unqualified-Names and set Outgoing Claim Type to
Group.

3. For the rule using the Transform an Incoming Claim template:

a. Set Incoming claim type to UPN.

b. Set the Outgoing claim type to Name ID.
c. Set the Outgoing name ID format to Email.
d. Select Pass through all claim values.

Adding a SAML-based Identity Provider

Before you begin

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 228
Procedure

1. In the web console, click the gear icon in the main menu and then select Authentication in
the Settings page.

2. To add a SAML-based identity provider, click the + New IDP link.

A set of fields is displayed. Do the following in the indicated fields:

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 229
and then select the target XML file that you downloaded previously. Click the Save button
to save the configuration.

Figure 97: Identity Provider Fields (metadata configuration)

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 230
Restoring Identity and Access Management Configuration Settings
Prism Central regularly backs up the Identity and Access Management (IAM) database, typically
every 15 minutes. This procedure describes how to restore a specific time-stamped IAM backup
instance.

About this task

You can restore authentication and authorization configuration settings available from the IAM
database. For example, use this procedure to restore your authentication and authorization
configuration to a previous state. You can choose an available time-stamped backup instance
when you run the shell script in this procedure, and your authentication and authorization
configuration is restored to the settings in the point-in-time backup.

Procedure

1. Log in to the Prism Central VM through an SSH session as the nutanix user.

2. Run the backup shell script restore_iamv2.sh

nutanix@pcvm$ sh /home/nutanix/cluster/bin/restore_iamv2.sh

The script displays a numbered list of available backups, including the backup file time-
stamp.
Enter the Backup No. from the backup list (default is 1):

3. Select a backup by number to start the restore process.

The script displays a series of messages indicating restore progress, similar to:
You Selected the Backup No 1
Stopping the IAM services
Waiting to stop all the IAM services and to start the restore process
Restore Process Started
Restore Process Completed
...
Restarting the IAM services
IAM Services Restarted Successfully

After the script runs successfully, the command shell prompt returns and your IAM
configuration is restored.

4. To validate that your settings have been restored, log on to the Prism Central web console
and go to Settings > Authentication and check the settings.

AOS Security | Security Management Using Identity and Access Management (Prism Central) | 231
ACCESSING A LIST OF OPEN SOURCE
SOFTWARE RUNNING ON A CLUSTER
As an admin user, you can access a text file that lists all of the open source software running on
a cluster.

About this task

Perform the following procedure to access a list of the open source software running on a
cluster.

Procedure

1. Log on to any Controller VM in the cluster as the admin user by using SSH.

2. Access the text file by using the following command.

less /usr/local/nutanix/license/blackduck_version_license.txt

AOS Security | Accessing a List of Open Source Software Running on a Cluster | 232
COPYRIGHT
Copyright 2023 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual
property laws. Nutanix and the Nutanix logo are registered trademarks of Nutanix, Inc. in the
United States and/or other jurisdictions. All other brand and product names mentioned herein
are for identification purposes only and may be trademarks of their respective holders.

AOS Security | Copyright | 233

Integrated Hospital Operations and Management Information System (iHOMIS)
No ratings yet
Integrated Hospital Operations and Management Information System (iHOMIS)
32 pages
NSX-T Data Center 3.2.3 Configuration - Maximums
100% (1)
NSX-T Data Center 3.2.3 Configuration - Maximums
19 pages
Vmware Validated Design 62 SDDC Architecture Design Vi Workload Domain
No ratings yet
Vmware Validated Design 62 SDDC Architecture Design Vi Workload Domain
166 pages
Matrices Notes by Trockers
No ratings yet
Matrices Notes by Trockers
48 pages
Vsphere Admin6 AOS v6 - 6
No ratings yet
Vsphere Admin6 AOS v6 - 6
107 pages
Advanced Admin AOS v6 - 6 - Compressed
No ratings yet
Advanced Admin AOS v6 - 6 - Compressed
87 pages
TN 2041 Nutanix Files
No ratings yet
TN 2041 Nutanix Files
66 pages
Nutanix Controller VM Security Operations Guide
No ratings yet
Nutanix Controller VM Security Operations Guide
15 pages
Nutanix Move v3 - 6
No ratings yet
Nutanix Move v3 - 6
159 pages
Nutanix Support Guide
No ratings yet
Nutanix Support Guide
29 pages
cr4 2x PDF
No ratings yet
cr4 2x PDF
2,092 pages
Customerfacing Portfolio Intro Deck
No ratings yet
Customerfacing Portfolio Intro Deck
29 pages
Nutanix-AHV-Installation-Step-By-Step-Screenshots-on-HP-Servers-1
No ratings yet
Nutanix-AHV-Installation-Step-By-Step-Screenshots-on-HP-Servers-1
10 pages
Nutanix-Files 1598838521771
No ratings yet
Nutanix-Files 1598838521771
47 pages
Nutanix Spec Sheet
No ratings yet
Nutanix Spec Sheet
9 pages
VI Systems Guide PDF
0% (1)
VI Systems Guide PDF
262 pages
Vsphere Administration Guide For Acropolis (Using Vsphere HTML 5 Client)
No ratings yet
Vsphere Administration Guide For Acropolis (Using Vsphere HTML 5 Client)
35 pages
Access To Free Nutanix NCP-MCI-5.20 Practice Exam Questions - FreeTestShare4
No ratings yet
Access To Free Nutanix NCP-MCI-5.20 Practice Exam Questions - FreeTestShare4
4 pages
NCP MCI Demo
No ratings yet
NCP MCI Demo
8 pages
Platform Administration Guide-NOS v3 5
No ratings yet
Platform Administration Guide-NOS v3 5
124 pages
Nutanix_Migration_Interview_Guide
No ratings yet
Nutanix_Migration_Interview_Guide
1 page
CCH with Nutanix Intersight Managed X-series Field Guide v1.0
No ratings yet
CCH with Nutanix Intersight Managed X-series Field Guide v1.0
141 pages
Prism Central and Prism Pro
No ratings yet
Prism Central and Prism Pro
43 pages
Nutanix - AHV Admin Guide v510
No ratings yet
Nutanix - AHV Admin Guide v510
72 pages
NUTANIX - Memory - Replacement-Platform - v4 - 7-NX1000 - NX3050 - NX3060 - NX6000 - NX8035G4 - NX9000
No ratings yet
NUTANIX - Memory - Replacement-Platform - v4 - 7-NX1000 - NX3050 - NX3060 - NX6000 - NX8035G4 - NX9000
32 pages
HCI Cluster Deployment - Predelivery Questionnaire
No ratings yet
HCI Cluster Deployment - Predelivery Questionnaire
42 pages
Nutanix - Advanced-Admin-AOS-v51
No ratings yet
Nutanix - Advanced-Admin-AOS-v51
63 pages
Nutanix ECA v6.5 Datasheet
No ratings yet
Nutanix ECA v6.5 Datasheet
5 pages
Nutanix
No ratings yet
Nutanix
43 pages
Veeam One 10 0 Multitenant Monitoring Reporting PDF
No ratings yet
Veeam One 10 0 Multitenant Monitoring Reporting PDF
32 pages
BP Nutanix Volumes
No ratings yet
BP Nutanix Volumes
49 pages
Nutanix - Command-Ref-AOS-v51
No ratings yet
Nutanix - Command-Ref-AOS-v51
276 pages
Pre-Flight IP Address Allocation Checklist Nutanix
No ratings yet
Pre-Flight IP Address Allocation Checklist Nutanix
4 pages
Vmware Site Recovery Technical Overview
No ratings yet
Vmware Site Recovery Technical Overview
26 pages
AHV Networking: Nutanix Best Practices
No ratings yet
AHV Networking: Nutanix Best Practices
50 pages
HCI Cluster Deployment - SoW Snippets
No ratings yet
HCI Cluster Deployment - SoW Snippets
2 pages
Nutanix On Hpe Proliant: Nutanix Best Practices Version 2.1 - February 2019 - Bp-2086
No ratings yet
Nutanix On Hpe Proliant: Nutanix Best Practices Version 2.1 - February 2019 - Bp-2086
22 pages
Dell EMC XC Nutanix FERNAOconnect2018
No ratings yet
Dell EMC XC Nutanix FERNAOconnect2018
35 pages
Zerto Virtual Replication Journal Overview Sizing and Best Practices
No ratings yet
Zerto Virtual Replication Journal Overview Sizing and Best Practices
18 pages
Tech Note-Nutanix-Clusters-On-Aws
100% (1)
Tech Note-Nutanix-Clusters-On-Aws
43 pages
Install and Configure Oneview: Objectives
100% (1)
Install and Configure Oneview: Objectives
21 pages
Nutanix Files
No ratings yet
Nutanix Files
64 pages
Single-Node and Two-Node Clusters FAQ
No ratings yet
Single-Node and Two-Node Clusters FAQ
13 pages
JD Nutanix L3
No ratings yet
JD Nutanix L3
2 pages
Lab - Nutanix Calm Workshop
No ratings yet
Lab - Nutanix Calm Workshop
69 pages
Zerto Virtual Replication VSphere Live DR Testing
No ratings yet
Zerto Virtual Replication VSphere Live DR Testing
32 pages
Mastering Vrealize Operations Manager - Sample Chapter
No ratings yet
Mastering Vrealize Operations Manager - Sample Chapter
27 pages
1.2 Vsphere-Vcenter-Server-701-Installation-Guide
No ratings yet
1.2 Vsphere-Vcenter-Server-701-Installation-Guide
89 pages
Boq
No ratings yet
Boq
4 pages
NCM-MCI-6.5
No ratings yet
NCM-MCI-6.5
9 pages
Vmware Vsan and Vxrail Buyer'S Guide and Reviews September 2019
No ratings yet
Vmware Vsan and Vxrail Buyer'S Guide and Reviews September 2019
13 pages
Nutanix Veeam Backup Replication Best Practices
No ratings yet
Nutanix Veeam Backup Replication Best Practices
29 pages
Vsphere Automation SDK 801 Programming Guide
No ratings yet
Vsphere Automation SDK 801 Programming Guide
286 pages
NCP Mci 6.5
No ratings yet
NCP Mci 6.5
4 pages
NSX For VSphere - A Foundation of The SDDC
No ratings yet
NSX For VSphere - A Foundation of The SDDC
234 pages
Beyondtrust Uvm Administration
No ratings yet
Beyondtrust Uvm Administration
47 pages
NSXT Install 24
No ratings yet
NSXT Install 24
226 pages
UCS Central Best Practices v2.2.3
100% (1)
UCS Central Best Practices v2.2.3
57 pages
Dell XC630-10 Nutanix On VMware ESXi Reference Architecture
No ratings yet
Dell XC630-10 Nutanix On VMware ESXi Reference Architecture
51 pages
Mastering Active Directory
From Everand
Mastering Active Directory
VICTOR P HENDERSON
No ratings yet
VMware Horizon View Essentials
From Everand
VMware Horizon View Essentials
Peter von Oven
No ratings yet
Implementing NetScaler VPX™ - Second Edition
From Everand
Implementing NetScaler VPX™ - Second Edition
Sandbu Marius
No ratings yet
Prism Element Data Protection Guide v6 - 5 - Compressed
No ratings yet
Prism Element Data Protection Guide v6 - 5 - Compressed
242 pages
Prism Central Guide Prism VPC - 2022 - 4 - Compressed
No ratings yet
Prism Central Guide Prism VPC - 2022 - 4 - Compressed
976 pages
System Specs NX3155GG8 - Compressed
No ratings yet
System Specs NX3155GG8 - Compressed
26 pages
Disaster Recovery DRaaS Guide VPC - 2022 - 9 - Compressed
No ratings yet
Disaster Recovery DRaaS Guide VPC - 2022 - 9 - Compressed
315 pages
Karbon-V2 4 Compressed
No ratings yet
Karbon-V2 4 Compressed
63 pages
Facial Emotion Detection in Low Light Conditions Using CNN
No ratings yet
Facial Emotion Detection in Low Light Conditions Using CNN
4 pages
ARBURG_ALS_680337_en_US
No ratings yet
ARBURG_ALS_680337_en_US
24 pages
Scan-to-SMB (Scan-to-Folder) : Copytech's Guide To Setting Up Scan-to-SMB (Scan-to-Folder) On Konica Minolta Mfds
No ratings yet
Scan-to-SMB (Scan-to-Folder) : Copytech's Guide To Setting Up Scan-to-SMB (Scan-to-Folder) On Konica Minolta Mfds
14 pages
Week 1&3 Python Programming
No ratings yet
Week 1&3 Python Programming
7 pages
Worksheet Classwork - Histograms and Frequency Tables
No ratings yet
Worksheet Classwork - Histograms and Frequency Tables
14 pages
Sports fantasy
No ratings yet
Sports fantasy
3 pages
Software Project Management
No ratings yet
Software Project Management
25 pages
19 - MASS
No ratings yet
19 - MASS
8 pages
UEC735
No ratings yet
UEC735
2 pages
Artificial Intelligence in Smart Tourism - A Conceptual Framework
No ratings yet
Artificial Intelligence in Smart Tourism - A Conceptual Framework
11 pages
Standard Operating Procedure
100% (1)
Standard Operating Procedure
15 pages
Internet: Vmware Vsphere Icm - Pod
No ratings yet
Internet: Vmware Vsphere Icm - Pod
1 page
Heidelberg Edge Perimetry - Brochure
No ratings yet
Heidelberg Edge Perimetry - Brochure
6 pages
Pig Vs Hive Big Data Analysis Showdown
No ratings yet
Pig Vs Hive Big Data Analysis Showdown
11 pages
Week 7
No ratings yet
Week 7
6 pages
Lab 10 - Programming With Transact-SQL
No ratings yet
Lab 10 - Programming With Transact-SQL
3 pages
EPI-DC-Competency-Framework
No ratings yet
EPI-DC-Competency-Framework
87 pages
Database Routing Multi Read-Write
No ratings yet
Database Routing Multi Read-Write
6 pages
BOC E Facility Form Dec 15 v9
No ratings yet
BOC E Facility Form Dec 15 v9
4 pages
Liebert Ups User Manual
No ratings yet
Liebert Ups User Manual
37 pages
Emc Unity Fast Technology Overview
No ratings yet
Emc Unity Fast Technology Overview
38 pages
Download Full Easy Computer Basics Windows 7 Edition Michael Miller PDF All Chapters
100% (14)
Download Full Easy Computer Basics Windows 7 Edition Michael Miller PDF All Chapters
60 pages
Web Programming Solved
100% (2)
Web Programming Solved
38 pages
Document 2820181.2 - Enterprise Manager 13.5 Cloud Control Upgrade Run Book
No ratings yet
Document 2820181.2 - Enterprise Manager 13.5 Cloud Control Upgrade Run Book
15 pages
aaaaabbbbbbhw1
No ratings yet
aaaaabbbbbbhw1
2 pages
IR Assignment Article Review 2023
No ratings yet
IR Assignment Article Review 2023
7 pages
(LiteBeam M5) - Main
No ratings yet
(LiteBeam M5) - Main
1 page
SAMPLE ICT BECE Questions and Answers
100% (1)
SAMPLE ICT BECE Questions and Answers
18 pages