Nutanix Security Guide v6 7
Nutanix Security Guide v6 7
Nutanix Security Guide v6 7
ii
Backing up Keys.............................................................................................................................87
Importing Keys................................................................................................................................88
Securing Traffic Through Network Segmentation..................................................................................... 89
Traffic Types In a Segmented Network......................................................................................... 90
Segmented and Unsegmented Networks.......................................................................................90
Implementation Considerations...................................................................................................... 96
Configuring the Network on an AHV Host..................................................................................... 98
Network Segmentation for Traffic Types (Backplane, Management, and RDMA)......................... 99
Service-Specific Traffic Isolation.................................................................................................. 127
Configuring Backplane IP Pool.................................................................................................... 135
Enabling Backplane Network Segmentation on a Mixed Hypervisor Cluster............................... 136
Updating Backplane Portgroup.....................................................................................................137
IP Address Customization for each CVM and Host.....................................................................138
Enabling Physical Backplane Segmentation on Hyper-V Using CLI............................................139
Network Segmentation during Cluster Expansion........................................................................140
Network Segmentation–Related Changes During an AOS Upgrade........................................... 140
Firewall Requirements.............................................................................................................................140
Log management.....................................................................................................................................140
Log Forwarding.............................................................................................................................141
Documenting the Log Fingerprint.................................................................................................141
iii
Identity and Access Management Prerequisites and Considerations.....................................................225
Configuring Authentication...................................................................................................................... 226
Enabling and Configuring Client Authentication/CAC.................................................................. 227
Updating ADFS When Using SAML Authentication..................................................................... 228
Adding a SAML-based Identity Provider...................................................................................... 229
Restoring Identity and Access Management Configuration Settings...................................................... 231
Copyright........................................................................................................233
AUDIENCE & PURPOSE
This Security Guide is intended for security-minded people responsible for architecting, managing, and supporting
infrastructures, especially those who want to address security without adding more human resources or additional
processes to their datacenters.
This guide offers an overview of the security development life cycle (SecDL) and host of security features supported
by Nutanix. It also demonstrates how Nutanix complies with security regulations to streamline infrastructure security
management. In addition to this, this guide addresses the technical requirements that are site specific or compliance-
standards (that should be adhered), which are not enabled by default.
Note:
Hardening of the guest OS or any applications running on top of the Nutanix infrastructure is beyond the
scope of this guide. We recommend that you refer to the documentation of the products that you have
deployed in your Nutanix environment.
• The National Institute of Standards and Technology Special Publications Security and Privacy Controls for
Federal Information Systems and Organizations (NIST 800.53)
• The US Department of Defense Information Systems Agency (DISA) Security Technical Implementation Guides
(STIG)
SCMA Implementation
The Nutanix platform and all products leverage the Security Configuration Management Automation (SCMA)
framework to ensure that services are constantly inspected for variance to the security policy.
Nutanix has implemented security configuration management automation (SCMA) to check multiple security
entities for both Nutanix storage and AHV. Nutanix automatically reports log inconsistencies and reverts them to the
baseline.
With SCMA, you can schedule the STIG to run hourly, daily, weekly, or monthly. STIG has the lowest system
priority within the virtual storage controller, ensuring that security checks do not interfere with platform performance.
Note: Only the SCMA schedule can be modified. The AIDE schedule is run on a fixed weekly schedule. To change the
SCMA schedule for AHV or the Controller VM, see Hardening Instructions (nCLI) on page 9.
Procedure
Security Updates
Nutanix provides continuous fixes and updates to address threats and vulnerabilities. Nutanix Security Advisories
provide detailed information on the available security fixes and updates, including the vulnerability description and
affected product/version.
To see the list of security advisories or search for a specific advisory, log on to the Support Portal and select
Documentation, and then Security Advisories.
Topic Highlights
Secure Boot See Secure Boot Support for VMs in the AHV
Administration Guide
Windows Credential Guard support See Windows Defender Credential Guard Support in
AHV in the AHV Administration Guide
Hardening AHV
You can use Nutanix Command Line Interface (nCLI) in order to customize the various configuration
settings related to AHV as described below.
Getting the cluster-wide Run the following command: Enable Aide : false
configuration of the SCMA policy. nutanix@cvm$ ncli cluster Enable Core : false
get-hypervisor-security- Enable High Strength P... :
config false
Enable Banner : false
Schedule : DAILY
Enabling the Advanced Intrusion Run the following command: Enable Aide : true
Detection Environment (AIDE) to nutanix@cvm$ ncli cluster Enable Core : false
run on a weekly basis. edit-hypervisor-security- Enable High Strength P... :
params enable-aide=true false
Enable Banner : false
Schedule : DAILY
Enabling the high-strength Run the following command: Enable Aide : true
password policies (minlen=15, nutanix@cvm$ ncli cluster Enable Core : false
difok=8, maxclassrepeat=4). edit-hypervisor-security- Enable High Strength P... :
params \ true
Enable Banner : false
enable-high-strength- Schedule : DAILY
password=true
Enabling the defense knowledge Run the following command: Enable Aide : true
consent banner of the US nutanix@cvm$ ncli cluster Enable Core : false
department. edit-hypervisor-security- Enable High Strength P... :
params enable-banner=true true
Enable Banner : true
Schedule : DAILY
Changing the default schedule of Run the following command: Enable Aide : true
running the SCMA. The schedule nutanix@cvm$ ncli cluster Enable Core : false
can be hourly, daily, weekly, and edit-hypervisor-security- Enable High Strength P... :
monthly. params schedule=hourly true
Enable Banner : true
Schedule : HOURLY
Enabling the settings so that AHV Run the following command: Enable Aide : true
can generate stack traces for any nutanix@cvm$ ncli cluster Enable Core : true
cluster issue. edit-hypervisor-security- Enable High Strength P... :
params enable-core=true true
Enable Banner : true
Note: Nutanix recommends Schedule : HOURLY
that Core should not be set to
true unless instructed by the
Nutanix support team.
Enabling iTLB Multihit Mitigation Run the following command: Enable Aide : true
(CVE-2018-12207) for all AHV nutanix@cvm$ ncli cluster Enable Core
nodes. edit-cvm-security-params : true
enable-itlb-multihit- Enable High
Note: mitigation=true Strength P... : true
Enable
• This settings is disabled Banner : true
by default Schedule
: HOURLY
• Enabling this setting Enable iTLB
may have performance Multihit M... : true
impact on the running
workloads
Enabling iTLB Multihit Mitigation Run the following command: Enable Aide : true
(CVE-2018-12207) for all AHV nutanix@cvm$ ncli cluster Enable Core
nodes. edit-cvm-security-params : true
enable-itlb-multihit- Enable High
Note: mitigation=true Strength P... : true
Enable
• This settings is disabled Banner : true
by default Schedule
: HOURLY
• Enabling this setting Enable iTLB
may have performance Multihit M... : true
impact on the running
workloads
Setting the banner for all nodes Run the following command:
through nCLI. nutanix@cvm$ ncli cluster
edit-hypervisor-security-
params enable-banner=true
• Enable AIDE: Advanced Intrusion Detection Environment (AIDE) is a Linux utility that monitors a given node.
After you enable AIDE in ncli, an executable file named aide gets copied to /etc/cron.weekly/ directory. When
the weekly cron job runs, the executable aide file generates aide database. You can move the aide database to a
secure location in a read-only media or on other machines. After aide database is created, you can use the aide
-–check command for the system to check the integrity of the files and directories by comparing the files and
directories on your system with the snapshot in the database. In case there are unexpected changes, a report gets
generated, which you can review. During AOS version upgrades and changes made to existing files or files added
are valid, then the aide database must be updated manually using the aide --update command.
• Enable high strength password: You can run the command as shown in the table in this section to enable
high-strength password policies (minlen=15, difok=8, maxclassrepeat=4).
Note:
• Enable Core: A core dump consists of the recorded state of the working memory of a computer program at a
specific time, generally when the program gets crashed or terminated abnormally. Core dumps are used to assist in
diagnosing or debugging errors in computer programs. You can enable the core for troubleshooting purposes.
• Enable Banner: You can set a banner to display a specific message. For example, set a banner to display a
warning message that the system is available to authorized users only.
Hardening Controller VM
You can use Nutanix Command Line Interface (nCLI) in order to customize the various configuration
settings related to the Controller VM as described below.
For the complete list of cluster security parameters, see Edit the security params of a Cluster in the Command
Reference guide.
• Run the following command to support cluster-wide configuration of the SCMA policy.
nutanix@cvm$ ncli cluster get-cvm-security-config
The current cluster configuration is displayed.
Enable Aide : false
Enable Core : false
Enable High Strength P... : false
Enable Banner : false
Enable SNMPv3 Only : false
Schedule : DAILY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
• Run the following command to schedule weekly execution of Advanced Intrusion Detection Environment (AIDE).
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-aide=true
The following output is displayed.
Enable Aide : true
Enable Core : false
Enable High Strength P... : false
Enable Banner : false
Enable SNMPv3 Only : false
Schedule : DAILY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false
• Run the following command to enable the defense knowledge consent banner of the US department.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-banner=true
The following output is displayed.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : false
Schedule : DAILY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false
• Run the following command to enable the settings to allow only SNMP version 3.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-snmpv3-only=true
The following output is displayed.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : DAILY
Enable Kernel Mitigations : false
• Run the following command to change the default schedule of running the SCMA. The schedule can be hourly,
daily, weekly, and monthly.
nutanix@cvm$ ncli cluster edit-cvm-security-params schedule=hourly
The following output is displayed.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : false
• Run the following command to enable the settings so that Controller VM can generate stack traces for any cluster
issue.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-core=true
The following output is displayed.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : DEFAULT
Enable Lock Status : false
Enable Kernel Core : true
Note: Nutanix recommends that Core should not be set to true unless instructed by the Nutanix support team.
• Run the following command to configure security levels for the nutanix user for ssh login to the Nutanix Cluster.
nutanix@cvm$ ncli cluster edit-cvm-security-params ssh-security-level=limited
The following output is displayed.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : LIMITED
Enable Lock Status : true
Enable Kernel Core : true
Note: If set true, the configuration settings can not be edited by the user and a support call will need to be made to
unlock this configuration.
Scenario-Based Hardening
• When a high governance official needs to run the hardened configuration then the settings should be as follows.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : false
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : LIMITED
Enable Lock Status : true
Enable Kernel Core : true
• When a federal official needs to run the hardened configuration then the settings should be as follows.
Enable Aide : true
Enable Core : false
Enable High Strength P... : true
Enable Banner : true
Enable SNMPv3 Only : true
Schedule : HOURLY
Enable Kernel Mitigations : false
SSH Security Level : LIMITED
Enable Lock Status : true
Enable Kernel Core : true
• Run the following command to modify DoD banner file of the Prism Central VM.
nutanix@pcvm$ sudo vi /srv/salt/security/PC/sshd/DODbanner
• Run the following command to set the banner for all nodes through nCLI.
nutanix@cvm$ ncli cluster edit-cvm-security-params enable-banner=true
Procedure
Note:
The modify_firewall command is case-sensitive.
What to do next
To view the new firewall behavior, run the sudo iptables-save command.
When you run the modify_firewall command, Genesis changes the firewall behavior for few ports. They are:
• In the base_config.json file, for ports listed under MGMT key the firewall behavior changes. Sample:
-A MGMT -i eth0 -p tcp -m tcp --dport 9876 -m set --match-set ntnx-cvm-ips src -j
ACCEPT
• In the config_with_backplane.json file, only when you enable backplane network segmentation on the
cluster, the firewall behavior changes for ports listed under BACKPLANE key. Sample:
-A BACKPLANE -i eth2 -p tcp -m tcp --dport 9876 -m set --match-set ntnx-cvm-ips src -
j ACCEPT
However, the firewall behavior does not change for ports listed under the MGMT_OPENFROMALL key.
Common Criteria
Common Criteria is an international security certification that is recognized by many countries around the world.
Nutanix AOS and AHV are Common Criteria certified by default and no additional configuration is required to
enable the Common Criteria mode. For more information, see the Nutanix Trust website.
Procedure
Note: OSCP is the recommended method for checking certificate revocation in client authentication.
You can use the CRL certificate revocation checking method if required, as described in this section.
To enable certificate revocation checking using CRL for client authentication, do the following.
Procedure
Specify all the CRLs that are required for certificate validation.
ncli authconfig set-certificate-revocation set-crl-uri=<uri 1>,<uri 2> set-crl-refresh-
interval=<refresh interval in seconds> set-crl-expiration-interval=<expiration interval
in seconds>
Configuring Authentication
About this task
Nutanix supports user authentication. To configure authentication types and directories and to enable client
authentication or to enable client authentication only, do the following:
Caution: The web console (and nCLI) does not allow the use of the not secure SSLv2 and SSLv3 ciphers. There is a
possibility of an SSL Fallback situation in some browsers which denies access to the web console. To eliminate this,
disable (uncheck) SSLv2 and SSLv3 in any browser used for access. However, TLS must be enabled (checked).
Procedure
1. Click the gear icon in the main menu and then select Authentication in the Settings page.
The Authentication Configuration window appears.
Note: The following steps combine three distinct procedures, enabling authentication (step 2), configuring one or
more directories for LDAP/S authentication (steps 3-5), and enabling client authentication (step 6). Perform the
steps for the procedures you need. For example, perform step 6 only if you intend to enforce client authentication.
2. To enable server authentication, click the Authentication Types tab and then check the box for either Local or
Directory Service (or both). After selecting the authentication types, click the Save button.
The Local setting uses the local authentication provided by Nutanix (see User Management on page 35).
This method is employed when a user enters just a login name without specifying a domain (for example, user1
instead of [email protected]). The Directory Service setting validates user@domain entries and validates
against the directory specified in the Directory List tab. Therefore, you need to configure an authentication
directory if you select Directory Service in this field.
Note: The Nutanix admin user can log on to the management interfaces, including the web console, even if the
Local authentication type is disabled.
a. Directory Type: Select one of the following from the pull-down list.
• Active Directory: Active Directory (AD) is a directory service implemented by Microsoft for Windows
domain networks.
Note:
• Users with the "User must change password at next logon" attribute enabled will not be able
to authenticate to the web console (or nCLI). Ensure users with this attribute first login to
a domain workstation and change their password prior to accessing the web console. Also,
if SSL is enabled on the Active Directory server, make sure that Nutanix has access to that
port (open in firewall).
• An Active Directory user name or group name containing spaces is not supported for Prism
Element authentication.
• Active Directory domain created by using non-ASCII text may not be supported. For more
information about usage of ASCII or non-ASCII text in Active Directory configuration, see
the Internationalization (i18n) on page 34 section.
• Use of the "Protected Users" group is currently unsupported for Prism authentication.
For more details on the "Protected Users" group, see “Guidance about how to configure
protected accounts” on Microsoft documentation website.
• The Microsoft AD is LDAP v2 and LDAP v3 compliant.
• The Microsoft AD servers supported are Windows Server 2012 R2, Windows Server 2016,
and Windows Server 2019.
• OpenLDAP: OpenLDAP is a free, open source directory service, which uses the Lightweight Directory
Access Protocol (LDAP), developed by the OpenLDAP project. Nutanix currently supports the
OpenLDAP 2.4 release running on CentOS distributions only.
b. Name: Enter a directory name.
This is a name you choose to identify this entry; it need not be the name of an actual directory.
c. Domain: Enter the domain name.
Enter the domain name in DNS format, for example, nutanix.com.
d. Directory URL: Enter the URL address to the directory.
The URL format is as follows for an LDAP entry: ldap://host:ldap_port_num. The host value is
either the IP address or fully qualified domain name. (In some environments, a simple domain name is
sufficient.) The default LDAP port number is 389. Nutanix also supports LDAPS (port 636) and LDAP/S
Note: LDAPS support does not require custom certificates or certificate trust import.
• Port 389 (LDAP). Use this port number (in the following URL form) when the configuration is single
domain, single forest, and not using SSL.
ldap://ad_server.mycompany.com:389
• Port 636 (LDAPS). Use this port number (in the following URL form) when the configuration is single
domain, single forest, and using SSL. This requires all Active Directory Domain Controllers have
properly installed SSL certificates.
ldaps://ad_server.mycompany.com:636
Note: The LDAP server SSL certificate must include a Subject Alternative Name (SAN) that matches the
URL provided during the LDAPS setup.
• Port 3268 (LDAP - GC). Use this port number when the configuration is multiple domain, single forest,
and not using SSL.
• Port 3269 (LDAPS - GC). Use this port number when the configuration is multiple domain, single forest,
and using SSL.
Note: When constructing your LDAP/S URL to use a Global Catalog server, ensure that the Domain
Control IP address or name being used is a global catalog server within the domain being configured. If
not, queries over 3268/3269 may fail.
Note: When querying the global catalog, the users sAMAccountName field must be unique across the
AD forest. If the sAMAccountName field is not unique across the subdomains, authentication may fail
intermittently or consistently.
Note: For the complete list of required ports, see Port Reference.
Note: Be sure to update the service account credentials here whenever the service account password changes
or when a different service account is used.
Note:
• The Controller VMs need access to the Active Directory server, so open the standard Active
Directory ports to each Controller VM in the cluster (and the virtual IP if one is configured).
• No permissions are granted to the directory users by default. To grant permissions to the directory
users, you must specify roles for the users in that directory (see Assigning Role Permissions on
page 29).
• Service account for both Active directory and openLDAP must have full read permission on the
directory service. Additionally, for successful Prism Element authentication, the users must also
have search or read privileges.
4.
To edit a directory entry, click the Directory List tab and then click the pencil icon for that entry.
After clicking the pencil icon, the Directory List fields reappear (see step 3). Enter the new information in the
appropriate fields and then click the Save button.
5. To delete a directory entry, click the Directory List tab and then click the X icon for that entry.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK button. The entry is
removed from the list.
Note: To authenticate on the PE with Client Chain Certificate the 'Subject name’ field must be present. The
subject name should match the userPrincipalName (UPN) in the AD. The UPN is a username with domain
address. For example [email protected].
Note: Uploaded certificate files must be PEM encoded. The web console restarts after the upload step.
Note: The web console restarts when you change these settings.
Note: The CA must be the same for both the client chain certificate and the certificate on the local machine or
smart card.
a. Directory: Select the authentication directory that contains the CAC users that you want to authenticate.
This list includes the directories that are configured on the Directory List tab.
b. Service Username: Enter the user name in the user [email protected] format that you want the web
console to use to log in to the Active Directory.
c. Service Password: Enter the password for the service user name.
Note: Enabling CAC disables all other directory service and local user logons, only the local admin user logon
is permitted in this case.
Note: The web console restarts after you change this setting.
The Common Access Card (CAC) is a smart card about the size of a credit card, which some organizations use to
access their systems. After you insert the CAC into the CAC reader connected to your system, the software in the
reader prompts you to enter a PIN. After you enter a valid PIN, the software extracts your personal certificate that
represents you and forwards the certificate to the server using the HTTP protocol.
Nutanix Prism verifies the certificate as follows:
• Validates that the certificate has been signed by your organization’s trusted signing certificate.
• Extracts the Electronic Data Interchange Personal Identifier (EDIPI) from the certificate and uses the EDIPI to
check the validity of an account within the Active Directory. The security context from the EDIPI is used for
your PRISM session.
• Prism Element supports both certificate authentication and basic authentication in order to handle both
Prism Element login using a certificate and allowing REST API to use basic authentication. It is physically
not possible for REST API to use CAC certificates. With this behavior, if the certificate is present during
Prism Element login, the certificate authentication is used. However, if the certificate is not present, basic
authentication is enforced and used.
Note: Nutanix Prism does not support OpenLDAP as directory service for CAC.
If you map a Prism role to a CAC user and not to an Active Directory group or organizational unit to which the
user belongs, specify the EDIPI (User Principal Name, or UPN) of that user in the role mapping. A user who
presents a CAC with a valid certificate is mapped to a role and taken directly to the web console home page. The
web console login page is not displayed.
Note: If you have logged on to Prism by using CAC authentication, to successfully log out of Prism, close the
browser after you click Log Out.
8. Click the Close button to close the Authentication Configuration dialog box.
Procedure
• Viewer: This role allows a user to view information only. It does not provide permission to perform any
administrative tasks.
• Cluster Admin: This role allows a user to view information and perform any administrative task (but not
create or modify user accounts).
• User Admin: This role allows the user to view information, perform any administrative task, and create or
modify user accounts.
Note: After updating to AOS 6.0 or later, users and user groups with Active Directory (AD) Backup Admin
role assigned cannot log in to Prism using their AD credentials or access v3 APIs. For more information, see
KB-14105 .
d. Values: Enter the case-sensitive entity names (in a comma separated list with no spaces) that should be
assigned this role.
The values are the actual names of the organizational units (meaning it applies to all users in those OUs),
groups (all users in those groups), or users (each named user) assigned this role. For example, entering value
Note:
• Do not include a domain in the value, for example enter just admin-gp, not admin-
[email protected]. However, when users log into the web console, they need to include the
domain in their user name.
• The AD user UPN must be in the user@domain_name format.
• When an admin defines user role mapping using an AD with forest setup, the admin can map to
the user with the same name from any domain in the forest setup. To avoid this case, set up the
user-role mapping with AD that has a specific domain setup.
Note: All users in an authorized service directory have full administrator permissions when role mapping is not
defined for that directory. However, after creating a role map, any users in that directory that are not explicitly
granted permissions through the role mapping are denied access (no permissions).
f. Repeat this step for each role map you want to add.
You can create a role map for each authorized directory. You can also create multiple maps that apply to a
single directory. When there are multiple maps for a directory, the most specific rule for a user applies. For
example, adding a GROUP map set to Cluster Admin and a USER map set to Viewer for select users in
that group means all users in the group have administrator permission except those specified users who have
viewing permission only.
5. To delete a role map entry, click the "X" icon for that entry.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK button. The entry is
removed from the list.
Note: Local emergency account usage does not support any external access mechanisms, specifically for the external
application authentication or external Rest API authentication.
For all the external authentication, you must configure the cluster to use an external IAM service such as Active
Directory. You must create service accounts on the IAM and the accounts must have access grants to the cluster
through Prism web console user account management configuration for authentication.
Procedure
3. Respond to the prompts and provide the current and new root password.
Changing password for nutanix.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
Note:
• Changing the user account password on one of the Controller VMs is applied to all Controller VMs
in the cluster.
• Ensure that you preserve the modified nutanix user password, since the local authentication (PAM)
module requires the previous password of the nutanix user to successfully start the password reset
process.
• For the root account, both the console and SSH direct login is disabled.
Note: Use this procedure to lock down access to the Controller VM and hypervisor host. In addition, it is possible to
lock down access to the hypervisor.
Procedure
1. Click the gear icon in the main menu and then select Cluster Lockdown in the Settings page.
The Cluster Lockdown dialog box appears. Enabled public keys (if any) are listed in this window.
2. To disable (or enable) remote login access, uncheck (check) the Enable Remote Login with Password box.
Remote login access is enabled by default.
3. To add a new public key, click the New Public Key button and then do the following in the displayed fields:
• RSA
• ECDSA
a. Click the Save button (lower right) to save the key and return to the main Cluster Lockdown window.
There are no public keys available by default, but you can add any number of public keys.
Note: Deleting all the public keys and disabling remote login access locks down the cluster from SSH access.
Procedure
1. Click the gear icon in the main menu and then select UI Settings in the Settings page.
2. Select the session timeout for the current user from the Session Timeout For Current User drop-down list.
3. Select the appropriate option from the Session Timeout Override drop-down list to override the session
timeout.
Internationalization (i18n)
The following table lists all the supported and unsupported entities in UTF-8 encoding.
User management
Chart name
Caution: The creation of none of the above entities are supported on Hyper-V because of the DR limitations.
User Management
Nutanix user accounts can be created or updated as needed using the Prism web console.
• The web console allows you to add (see Creating a User Account on page 35), edit (see Updating a User
Account on page 38), or delete (see Deleting a User Account (Local) on page 44) local user accounts at
any time.
•
You can reset the local user account password using nCLI if you are locked out and cannot login to the Prism
Element or Prism Central web console ( see Resetting Password (CLI) on page 43).
• You can also configure user accounts through Active Directory and LDAP (see Configuring Authentication on
page 20). Active Directory domain created by using non-ASCII text may not be supported.
Note: In addition to the Nutanix user account, there are IPMI, Controller VM, and hypervisor host users. Passwords for
these accounts cannot be changed through the web console.
Procedure
1. Click the gear icon in the main menu and then select Local User Management in the Settings page.
The User Management dialog box appears.
2. To add a user, click the New User button and do the following in the displayed fields:
Note: AOS uses the email address for client authentication and logging when the local user performs user and
cluster tasks in the web console.
• Select the User Admin box to allow the user to view information, perform any administrative task, and
create or modify user accounts. (Checking this box automatically selects the Cluster Admin box to
indicate that this user has full permissions. However, a user administrator has full permissions regardless of
whether the cluster administrator box is checked.)
• Select the Cluster Admin box to allow the user to view information and perform any administrative task
(but not create or modify user accounts).
Note: Backup admin user is designed for Nutanix Mine integrations as of AOS version 5.19 and has
minimal functionality in cluster management. This role has restricted access to the Nutanix Mine cluster.
•
• Home - The user cannot a register a cluster with Prism Central. The registration
widget is disabled. Other read-only data is displayed and available.
• Alerts - Alerts and events are displayed. However, the user cannot resolve or
acknowledge any alert or event. The user cannot configure Alert Policy or Email
configuration.
• Hardware - The user cannot expand the cluster or remove hosts from the cluster.
Read-only data is displayed and available.
• Network - Networking data or configuration is displayed but configuration options
are not available.
• Settings - The user can only upload a new image using the Settings page.
• VM - The user cannot configure options like Create VM and Network
Configuration in the VM page. The following options are available for the user in
the VM page:
Power List
Unordered On bullet 5
Unordered
Power List
Off bullet 5
Note: To update your account credentials (that is, the user you are currently logged on as), see Updating My
Account on page 40. Changing the password for a different user is not supported; you must log in as that user to
change the password.
Procedure
1. Click the gear icon in the main menu and then select Local User Management in the Settings page.
The User Management dialog box appears.
3. To edit the user credentials, click the pencil icon for that user and update one or more of the values in the
displayed fields:
a. Username: The username is fixed when the account is created and cannot be changed.
b. First Name: Enter a different first name.
c. Last Name: Enter a different last name.
d. Email: Enter a different valid email address.
Note: AOS Prism uses the email address for client authentication and logging when the local user performs
user and cluster tasks in the web console.
• Select the User Admin box to allow the user to view information, perform any administrative task, and
create or modify user accounts. (Checking this box automatically selects the Cluster Admin box to
indicate that this user has full permissions. However, a user administrator has full permissions regardless of
whether the cluster administrator box is checked.)
• Select the Cluster Admin box to allow the user to view information and perform any administrative task
(but not create or modify user accounts).
• Select the Backup Admin box to allow the user to perform backup-related administrative tasks. This role
does not have permission to perform cluster or user administrative tasks.
Note: By default, there is no password expiration day set for a local user account.
Updating My Account
1. To update your password, select Change Password from the user icon pull-down list in the web console.
The Change Password dialog box appears. Do the following in the indicated fields:
Note: You can change the password for the "admin" account only once per day. Please contact Nutanix support if
you need to update the password multiple times in one day
Note:
Only a user with admin privileges can reset a password for other users.
Procedure
3. Use the ncli user reset-password command and specify the username and password of the user whose password is
to be reset:
nutanix@cvm$ ncli user reset-password user-name=xxxxx password=yyyyy
• Replace user-name=xxxxx with the name of the user whose password is to be reset.
• Replace password=yyyyy with the new password.
What to do next
You can relaunch the Prism Element or the Prism Central web console and verify the new password setting.
Procedure
2. Run the following command to obtain the virtual IP address of the cluster:
nutanix@cvm$ ncli cluster info
The current cluster configuration is displayed.
Cluster Id : 0001ab12-abcd-efgh-0123-012345678m89::123456
Cluster Uuid : 0001ab12-abcd-efgh-0123-012345678m89
Cluster Name : three
Cluster Version : 6.0
Cluster Full Version : el7.3-release-fraser-6.0-
a0b1c2345d6789ie123456fg789h1212i34jk5lm6
External IP address : 10.10.10.10
Node Count : 3
Block Count : 1
. . . . .
Note: The external IP address in the output is the virtual IP address of the cluster.
5. From the Python console, run the following command to print the SSL certificate.
$ print ssl.get_server_certificate(('virtual_IP_address',9440),
ssl_version=ssl.PROTOCOL_TLSv1_2)
Example: Refer to the following example where virtual_IP_address value is replaced by 10.10.10.10.
$ print ssl.get_server_certificate(('10.10.10.10', 9440),
ssl_version=ssl.PROTOCOL_TLSv1_2)
The SSL certificate is displayed on the console.
-----BEGIN CERTIFICATE-----
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01
23456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123
456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345
6789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567
89ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789AB
CDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCD
EFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEF
GHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH
IJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ
KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL
MNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN
OPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP
QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQR
STUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRST
UVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUV
WXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWX
YZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZab
cdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcd
efghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef
ghij
-----END CERTIFICATE-----
1. Click the gear icon in the main menu and then select Local User Management in the Settings page.
The User Management dialog box appears.
2. Click the X icon for that user. Note that you cannot delete the admin user.
A window prompt appears to verify the action; click the OK button. The user account is removed and the user no
longer appears in the list.
Note:
• You can import only a cluster-wide SSL certificate in Prism web console. The SSL certificate cannot be
customized for an individual controller VM (CVM).
• Nutanix recommends that you check for the validity of the certificate periodically and replace the
certificate if it is invalid.
Procedure
1. Click the gear icon in the main menu and in the Settings page, select SSL Certificate.
The SSL Certificate dialog box appears.
» To regenerate Nutanix default self-signed certificate, select Regenerate Self Signed Certificate and then
click Apply.
A dialog box appears to verify the action; click OK. A new RSA 2048 bit self-signed certificate is generated
and applied for Prism web console.
» To import self-signed SSL certificate or CA signed certificate, select Import Key and Certificate and then
click Next.
• Private Key Type: Select the appropriate private key type for the self-signed certificate from the dropdown
list.
• Private Key: Click Choose file and select the private key.
• Public Certificate: Click Choose file and select the self-signed certificate corresponding to the private key.
• CA Certificate/Chain: Click Choose file select the self-signed certificate corresponding to the private key.
The following table lists certificate components and its corresponding file type to choose when SSL certificate
window prompts:
• Private Key Type: Select the appropriate private key type for the CA signed certificate from the dropdown
list.
• Private Key: Click Choose file and select the private key.
• Public Certificate: Click Choose file and select the CA signed public portion of the certificate
corresponding to the private key.
• CA Certificate/Chain: Click Choose file and select the certificate or chain of the signing authority for the
public certificate.
Note: To create a chain file from the list of CA certificates, see Generating a Certificate Signing
Request with Subject Alternative Name for submission to Certificate Authority (CA) on
page 52.
The following table lists certificate components and its corresponding file type to choose when SSL certificate
window prompts:
Results
After generating or importing the new certificate, the interface gateway restarts. If the certificate and credentials are
valid, the interface gateway uses the new certificate immediately, which means that your browser session (and all
other open browser sessions) is invalid until you reload the page and accept the new certificate. If anything is wrong
with the certificate (such as a corrupted file or wrong certificate type), the new certificate is discarded, and the system
reverts to the original default certificate provided by Nutanix.
Note: The system holds only one custom SSL certificate. If a new certificate is uploaded, it replaces the existing
certificate. The previous certificate is discarded.
Note:
• Client and CAC authentication only supports RSA 2048 bit certificate.
• RSA 4096 bit certificates might not work with certain AOS and Prism Central releases. Please see the
release notes for your AOS and Prism Central versions. Specifying an RSA 4096 bit certificate might
cause multiple cluster services to restart frequently. To work around the issue, see KB 12775.
• Certificate import fails if you attempt to upload SHA-1 certificate (including root CA).
1. Log in to any of the controller VMs (CVMs) with SSH using the management IP address of the CVM:
$ ssh admin@cvm_ip_address
2. To generate a private key with a bit length of your choice, run one of the following commands:
Important: While you are generating the private key, ensure that the private key is not password protected.
3. To generate the CSR of your choice, run one of the following commands:
For example, to generate a CSR for RSA 2048 private key using SHA-256 signature algorithm:
admin@cvm$ openssl req -new -nodes -key my_key_name.key -sha256 -out
my_csr_name.csr
For example, to generate a CSR for ECDSA 384 private key using SHA-384 signature algorithm:
admin@cvm$ openssl req -new -nodes -key my_key_name.pem -sha384 -out
my_csr_name.csr
4. Enter the information in the command output to incorporate into your certificate request:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
5. Create a configuration file named san.cnf that contains the following text:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.0 = example1.domain.com
DNS.1 = example2.domain.com
DNS.2 = example3.domain.com
DNS.3 = *.domain.com
IP.0 = x.x.x.x
[alt_names]
Specify your DNS and IP addresses. If you have a range of hosts, use wildcards (*) to match any subdomain of the
domain name.
Example:
admin@cvm$ openssl x509 -req -days 1460 -in my_csr_name.csr -signkey my_key_name.key
-out my_crt_name.crt -sha256 -extensions v3_req -extfile san.cnf
7. Copy my_key_name.key and my_crt_name.crt from the CVM to your local machine:
admin@cvm$ scp my_key_name.key my_crt_name.crt username@local-machine:/
local_file_path/
What to do next
After you successfully create a self-signed certificate with a private key, follow the procedure described
in Importing an SSL Certificate on page 45 to replace the default certificate with your self-signed SSL
certificate. The following table lists certificate components and its corresponding file type to choose when
SSL certificate window prompts:
Procedure
1. Log in to any of the controller VMs (CVMs) with SSH using the management IP address of the CVM:
$ ssh admin@cvm_ip_address
2. Create a configuration file named ssl.cnf that contains the following text:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, BU)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.0 = example1.domain.com
DNS.1 = example2.domain.com
DNS.2 = example3.domain.com
DNS.3 = *.domain.com
IP.0 = x.x.x.x
[alt_names]
Specify your DNS and IP addresses. If you have a range of hosts, use wildcards (*) to match any subdomain of
the domain name.
Important: While you are generating the private key, ensure that the private key is not password protected.
4. To generate the CSR of your choice, run one of the following commands:
For example, to generate a CSR for RSA 2048 private key using SHA-256 signature algorithm:
admin@cvm$ openssl req -new -nodes -key my_key_name.key -sha256 -out
my_csr_name.csr -config ssl.cnf
For example, to generate a CSR for ECDSA 384 private key using SHA-384 signature algorithm:
admin@cvm$ openssl req -new -nodes -key my_key_name.pem -sha384 -out
my_csr_name.csr -config ssl.cnf
5. Enter the information in the command output to incorporate into your certificate request:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []: US
State or Province Name (full name) []: CA
Locality Name (eg, city) []: San Jose
Organization Name (eg, company) []: Nutanix Inc
Organizational Unit Name (eg, BU) []:IT
6. Copy my_key_name.key and my_crt_name.crt from the CVM to your local machine:
nutanix@cvm$ scp my_key_name.key my_csr_name.csr username@local-machine:/
local_file_path/
9. Download all the certificate files received from CA to the local file directory.
10. (Optional) If the CA chain certificate provided by the certificate authority is not in a single file, run the
following command to concatenate the list of CA certificates into a chain file:
$ cat intermediateCAcert.crt rootCAcert.crt > ca_chain_certs.crt
Note:
• The chain must start with the certificate of the signer and ends with the root CA certificate.
• Ensure that the chain file only has the root and intermediate certificates. If your chain file has
public or private certificates, it will fail to import in Prism web console.
What to do next
Follow Importing an SSL Certificate on page 45 section to replace the default certificate with a CA
signed certificate. The following table lists certificate components and its corresponding file type to choose
when SSL certificate window prompts:
• Verify that the CA certificate chain uses SHA 256 as a signature algorithm:
admin@cvm$ openssl crl2pkcs7 -nocrl -certfile ca_chain_certs.crt | openssl pkcs7 -
print_certs -noout -text | grep -Ew '(Subject|Issuer|Signature Algorithm):' | grep -
C1 Issuer
• If the certificate is DER encoded, run the following command to convert the certificate from DER to PEM-
encoded ASCII format:
admin@cvm$ openssl x509 -in certDER.crt -inform der -outform pem -out cert.crt
Certificate format
Ensure that all the certificates do not have any extra data (or custom attributes) before the beginning (-----BEGIN
CERTIFICATE-----) or after the end (-----END CERTIFICATE-----) of the block.
2. Run the following command to obtain the virtual IP address of the cluster:
nutanix@cvm$ ncli cluster info
The current cluster configuration is displayed.
Cluster Id : 0001ab12-abcd-efgh-0123-012345678m89::123456
Cluster Uuid : 0001ab12-abcd-efgh-0123-012345678m89
Cluster Name : three
Cluster Version : 6.0
Cluster Full Version : el7.3-release-fraser-6.0-
a0b1c2345d6789ie123456fg789h1212i34jk5lm6
External IP address : 10.10.10.10
Node Count : 3
Block Count : 1
. . . . .
Note: The external IP address in the output is the virtual IP address of the cluster.
5. From the Python console, run the following command to print the SSL certificate.
$ print ssl.get_server_certificate(('virtual_IP_address',9440),
ssl_version=ssl.PROTOCOL_TLSv1_2)
Example: Refer to the following example where virtual_IP_address value is replaced by 10.10.10.10.
$ print ssl.get_server_certificate(('10.10.10.10', 9440),
ssl_version=ssl.PROTOCOL_TLSv1_2)
The SSL certificate is displayed on the console.
-----BEGIN CERTIFICATE-----
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01
23456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123
456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz012345
6789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz01234567
89ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789AB
CDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCD
EFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEF
GHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGH
IJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJ
KLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKL
MNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMN
OPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOP
QRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQR
STUVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRST
UVWXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUV
WXYZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWX
YZabcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZab
cdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcd
Note: Use this procedure to lock down access to the Controller VM and hypervisor host. In addition, it is possible to
lock down access to the hypervisor.
Procedure
1. Click the gear icon in the main menu and then select Cluster Lockdown in the Settings page.
The Cluster Lockdown dialog box appears. Enabled public keys (if any) are listed in this window.
2. To disable (or enable) remote login access, uncheck (check) the Enable Remote Login with Password box.
Remote login access is enabled by default.
3. To add a new public key, click the New Public Key button and then do the following in the displayed fields:
• RSA
• ECDSA
a. Click the Save button (lower right) to save the key and return to the main Cluster Lockdown window.
There are no public keys available by default, but you can add any number of public keys.
Note: Deleting all the public keys and disabling remote login access locks down the cluster from SSH access.
Data-at-Rest Encryption
Nutanix provides an option to secure data while it is at rest using either self-encrypted drives or software-
only encryption and key-based access management (cluster's native or external KMS for software-only
encryption).
Encryption Methods
Nutanix provides you with the following options to secure your data.
• Self Encrypting Drives (SED) Encryption - You can use a combination of SEDs and an external KMS to
secure your data while it is at rest.
• Software-only Encryption - Nutanix AOS uses the AES-256 encryption standard to encrypt your data. Once
enabled, software-only data-at-rest encryption cannot be disabled, thus protecting against accidental data leaks
due to human errors. Software-only encryption supports both Nutanix Native Key Manager (local and remote) and
External KMS to secure your keys.
Note the following points regarding data-at-rest encryption.
• For ESXi and Hyper-V, software-only encryption can be implemented at a cluster level or container level. For
AHV, encryption can be implemented at the cluster level only.
• Nutanix recommends using cluster-level encryption. With the cluster-level encryption, the administrative
overhead of selecting different containers for the data storage gets eliminated.
• Encryption cannot be disabled once it is enabled at a cluster level or container level.
• Encryption can be implemented on an existing cluster with data that exists. If encryption is enabled on an existing
cluster (AHV, ESXi, or Hyper-V), the unencrypted data is transformed into an encrypted format in a low priority
background task that is designed not to interfere with other workload running in the cluster.
• Data-at-rest encryption choices can be implemented at the entity level using storage policies in Prism Central.
Deployments can continue to have data-at-rest encryption capabilities scoped for the entire cluster. Storage policy
provides the additional option to control the encryption scope decisions at the entity (VM or VG) level. For more
information, see Storage Policies Based Encryption in the Prism Central Infrastructure Guide
• Data can be encrypted using either self-encrypted drives (SEDs) or software-only encryption. You can change the
encryption method from SEDs to software-only. You can perform the following configurations.
• For ESXi and Hyper-V clusters, you can switch from SEDs and External Key Management (EKM)
combination to software-only encryption and EKM combination. First, you must disable the encryption in the
cluster where you want to change the encryption method. Then, select the cluster and enable encryption to
transform the unencrypted data into an encrypted format in the background.
• For AHV, background encryption is supported.
• Once the task to encrypt a cluster begins, you cannot cancel the operation. Even if you stop and restart the cluster,
the system resumes the operation.
• In the case of mixed clusters with ESXi and AHV nodes, where the AHV nodes are used for storage only, the
encryption policies consider the cluster as an ESXi cluster. So, the cluster-level and container-level encryption are
available.
Note: Software-only encryption requires additional space if erasure coding (EC) is enabled on the cluster (or
container). The additional space requirement is temporary, and EC space savings are restored once the encryption
process is complete.
Enabling encryption on EC-enabled clusters involves completely decoding EC-encoded data and re-
encoding the data for EC. This process of decoding and re-encoding requires additional space on the
cluster. Encryption is initiated only if the aggregate of EC-based space saving and current space usage
is less than 85 percent of the cluster capacity. Additionally, the cluster continuously checks if the
aggregate space usage stays below 85 percent for the encryption to progress.
Key Management
Nutanix supports a Native Key Management Server, also called Local Key Manager (LKM), thus avoiding the
dependency on an External Key Manager (EKM). Cluster localised Key Management Service support requires a
minimum of 3-node in a cluster and is supported only for software-only encryption. So, 1-node and 2-node clusters
can use either the Native KMS (remote) option or an EKM. .
The following types of keys are used for encryption.
• Data Encryption Key (DEK) - A symmetric key, such as AES-256, that is used to encrypt the data.
• Key Encryption Key (KEK) - This key is used to encrypt or decrypt the DEK.
Note the following points regarding the key management.
• Nutanix does not support the use of the Local Key Manager with a third party External Key Manager.
• Dual encryption (both SED and software-only encryption) requires an EKM. For more information, see
Configuring Dual Encryption on page 86.
• You can switch from an EKM to LKM, and inversely. For more information, see Switching between Native
Key Manager and External Key Manager on page 83.
• Rekey of keys stored in the Native KMS is supported for the Leader Keys. For more information, see Changing
Key Encryption Keys (SEDs) on page 71 and Changing Key Encryption Keys (Software Only) on
page 84.
• You must back up the keys stored in the Native KMS. For more information, see Backing up Keys on
page 87.
• You must backup the encryption keys whenever you create a new container or remove an existing container.
Nutanix Cluster Check (NCC) checks the status of the backup and sends an alert if you do not take a backup at the
time of creating or removing a container.
Note: If you are running the AOS Pro License on G6 platforms and above, you can use SED encryption by installing
an add-on license.
Note: If an SED cluster is present, then while executing the data-at-rest encryption, you will get an option to either
select data-at-rest encryption using SEDs or data-at-rest encryption using AOS.
Note: This solution provides enhanced security for data on a drive, but it does not secure data in transit.
Note: Contact Nutanix customer support for assistance before attempting to convert an existing cluster. A non-
protected cluster can contain both SED and standard drives, but Nutanix does not support a mixed cluster when
protection is enabled. All the disks in a protected cluster must be SED drives.
2. Data on the drives is always encrypted but read or write access to that data is open. By default, the access
to data on the drives is protected by the in-built manufacturer key. However, when data protection for the
cluster is enabled, the Controller VM must provide the proper key to access data on a SED. The Controller VM
communicates with the SEDs through a Trusted Computing Group (TCG) Security Subsystem Class (SSC)
Enterprise protocol.
A symmetric data encryption key (DEK) such as AES 256 is applied to all data being written to or read from the
disk. The key is known only to the drive controller and never leaves the physical subsystem, so there is no way to
access the data directly from the drive.
Another key, known as a key encryption key (KEK), is used to encrypt/decrypt the DEK and authenticate to the
drive. (Some vendors call this the authentication key or PIN.)
Each drive has a separate KEK that is generated through the FIPS compliant random number generator present
in the drive controller. The KEK is 32 bytes long to resist brute force attacks. The KEKs are sent to the key
management server for secure storage and later retrieval; they are not stored locally on the node (even though they
are generated locally).
In addition to the above, the leader encryption key (MEK) is used to encrypt the KEKs.
Each node maintains a set of certificates and keys in order to establish a secure connection with the external key
management server.
3. Keys are stored in a key management server that is outside the cluster, and the Controller VM communicates with
the key management server using the Key Management Interoperability Protocol (KMIP) to upload and retrieve
drive keys.
Only one key management server device is required, but it is recommended that multiple devices are employed
so the key management server is not a potential single point of failure. Configure the key manager server devices
to work in clustered mode so they can be added to the cluster configuration as a single entity that is resilient to a
single failure.
Preparing for Data-at-Rest Encryption (External KMS for SEDs and Software Only)
Caution: DO NOT HOST A KEY MANAGEMENT SERVER VM ON THE ENCRYPTED CLUSTER THAT IS
USING IT!
Doing so could result in complete data loss if there is a problem with the VM while it is hosted in that
cluster.
If you are using an external KMS for encryption using AOS, preparation steps outside the web console are required.
The information in this section is applicable if you choose to use an external KMS for configuring encryption.
You must install the license of the external key manager for all nodes in the cluster. See Compatibility and
Interoperability Matrix for a complete list of the supported key management servers. For instructions on how to
configure a key management server, refer to the documentation from the appropriate vendor.
The system accesses the EKM under the following conditions:
• Starting a cluster
• Regenerating a key (key regeneration occurs automatically every year by default)
• Adding or removing a node (only when Self Encrypting Drives is used for encryption)
• Switching between Native to EKM or EKM to Native
• Starting, and restarting a service (only if Software-based encryption is used)
• Upgrading AOS (only if Software-based encryption is used)
• NCC heartbeat check if EKM is alive
Note: The key management server must support KMIP version 1.0 or later.
» SafeNet
Ensure that Security > High Security > Key Security > Disable Creation and Use of Global Keys
is checked.
» Vormetric
Set the appliance to compatibility mode. Suite B mode causes the SSL handshake to fail.
2. Generate a certificate signing request (CSR) for each node in the cluster.
Tip: After generating the certificate from Prism, (if required) you can update the custom common name (CN)
setting by running the following command using nCLI.
ncli data-at-rest-encryption-certificate update-csr-information domain-
name=abcd.test.com
In the above command example, replace "abcd.test.com" with the actual domain name.
• A UID field is populated with a value of Nutanix. This can be useful when configuring a Nutanix group for
access control within a key management server, since it is based on fields within the client certificates.
Note: Some vendors when doing client certificate authentication expect the client username to be a field in the
CSR. While the CN and UID are pre-generated, many of the user populated fields can be used instead if desired. If
a node-unique field such as CN is chosen, users must be created on a per node basis for access control. If a cluster-
unique field is chosen, customers must create a user for each cluster.
» Safenet
The SafeNet KeySecure key management server includes a local CA option to generate signed certificates, or
you can use other third-party vendors to create the signed certificates.
To enable FIPS compliance, add user nutanix to the CA that signed the CSR. Under Security > High
Security > FIPS Compliance click Set FIPS Compliant.
Note: Some CAs strip the UID field when returning a signed certificate.
To comply with FIPS, Nutanix does not support the creation of global keys.
In the SafeNet KeySecure management console, go to Device > Key Server > Key Server > KMIP
Properties > Authentication Settings.
Then do the following:
• Set the Username Field in Client Certificate option to UID (User ID).
• Set the Client Certificate Authentication option to Used for SSL session and username.
If you do not perform these settings, the KMS creates global keys and fails to encrypt the clusters or containers
using the software only method.
4. Upload the signed SSL certificates (one for each node) and the certificate for the CA to the cluster. These
certificates are used to authenticate with the key management server.
5. Generate keys (KEKs) for the SED drives and upload those keys to the key management server.
1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings page.
The Data at Rest Encryption dialog box appears. Initially, encryption is not configured, and a message to that
effect appears.
3. Select the Encryption Type as Drive-based Encryption. This option is displayed only when SEDs are detected.
a. Enter appropriate credentials for your organization in the Email, Organization, Organizational Unit,
Country Code, City, and State fields and then click the Save CSR Info button.
The entered information is saved and is used when creating a certificate signing request (CSR). To specify
more than one Organization Unit name, enter a comma separated list.
Note: You can update this information until an SSL certificate for a node is uploaded to the cluster, at which
point the information cannot be changed (the fields become read only) without first deleting the uploaded
certificates.
b. Click the Download CSRs button, and then in the new screen click the Download CSRs for all nodes
to download a file with CSRs for all the nodes or click a Download link to download a file with the CSR for
that node.
• The certificates must be X.509 format. (DER, PKCS, and PFX formats are not supported.)
» If you have configured multiple key management servers in cluster mode, click the Add Address button
to provide the addresses for each key management server device in the cluster.
» If you have stand-alone key management servers, click the Save button. Repeat this step (Add New Key
Management Server button) for each key management server device to add.
Note: If your key management servers are configured into a leader/follower (active/passive) relationship
and the architecture is such that the follower cannot accept write requests, do not add the follower into this
Note: To prevent potential configuration problems, always use the Add Address button for key
management servers configured into cluster mode. Only a stand-alone key management server should be
added as a new server.
6. In the Add a New Certificate Authority section, enter a name for the CA, click the Upload CA Certificate
button, and select the certificate for the CA used to sign your node certificates (see step 4c). Repeat this step for
all CAs that were used in the signing process.
Note: Before removing a drive or node from an SED cluster, ensure that the testing is successful and the status is
Verified. Otherwise, the drive or node will be locked.
Note: Before removing a drive or node from an SED cluster, ensure that the testing is successful and the status is
Verified. Otherwise, the drive or node will be locked.
Note: If changes are made to the configuration after protection has been enabled, such as adding a new key
management server, you must rekey the disks for the modification to take full effect (see Changing Key
Encryption Keys (SEDs) on page 71).
Procedure
1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings page.
» If cluster encryption is enabled currently, click the Unprotect button to disable it.
» If cluster encryption is disabled currently, click the Protect button to enable it.
Enabling cluster encryption enforces the use of secured keys to access data on the SEDs in the cluster; disabling
cluster encryption means the data can be accessed without providing a key.
Procedure
1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings page.
2. In the Cluster Encryption page, select Manage Keys and click the Rekey All Disks button under Hardware
Encryption.
Rekeying a cluster under heavy workloads may result in higher-than-normal IO latency, and some data may
become temporarily unavailable. To continue with the rekey operation, click Confirm Rekey.
This step resets the KEKs for all the self encrypting disks in the cluster.
Note:
• The Rekey All Disks button appears only when cluster protection is active.
• If the cluster is already protected and a new key management server is added, you must press the
Rekey All Disks button to use this new key management server for storing secrets.
Procedure
1. In the web console, go to the Hardware dashboard and select the Diagram tab.
2. Select the target disk in the diagram (upper section of screen) and then click the Remove Disk button (at the
bottom right of the following diagram).
As part of the disk removal process, the DEK for that disk is automatically cycled on the drive controller. The
previous DEK is lost and all new disk reads are indecipherable. The key encryption key (KEK) is unchanged, and
the new DEK is protected using the current KEK.
Note:
• When a node is removed, all SEDs in that node are crypto-erased automatically as part of the node
removal process.
• When you run the cluster destroy command to decommission your entire cluster, the command
automatically performs a crypto erase on the SED as the final step.
Note: On G6 platforms running the AOS Pro license, you can use software encryption by installing an add-on license.
Software encryption using a local key manager (LKM) supports the following features:
• For AHV, the data can be encrypted on a cluster level. This is applicable to an empty cluster or a cluster with
existing data.
• For ESXi and Hyper-V, the data can be encrypted on a cluster or container level. The cluster or container can be
empty or contain existing data. Consider the following points for container level encryption.
• Once you enable container level encryption, you can not change the encryption type to cluster level encryption
later.
• After the encryption is enabled, the administrator needs to enable encryption for every new container.
Note: In case of mixed hypervisors, only the following combinations are supported.
Note: This solution provides enhanced security for data on a drive, but it does not secure data in transit.
• For software encryption, data protection must be enabled for the cluster before any data is encrypted. Also, the
Controller VM must provide the proper key to access the data.
• A symmetric data encryption key (DEK) such as AES 256 is applied to all data being written to or read from the
disk. The key is known only to AOS, so there is no way to access the data directly from the drive.
• In case of an external KMS:
Each node maintains a set of certificates and keys in order to establish a secure connection with the key
management server.
Only one key management server device is required, but it is recommended that multiple devices are employed
so the key management server is not a potential single point of failure. Configure the key manager server devices
to work in clustered mode so they can be added to the cluster configuration as a single entity that is resilient to a
single failure.
• Nutanix provides the option to choose the KMS type as the Native KMS (local), Native KMS (remote), or
External KMS.
• Cluster Localised Key Management Service (Native KMS (local)) requires a minimum of 3-node cluster. 1-node
and 2-node clusters are not supported.
• Software encryption using Native KMS is supported for remote office/branch office (ROBO) deployments using
the Native KMS (remote) KMS type.
• For external KMS, a separate key management server is required to store the keys outside of the cluster. Each
key management server device must be configured and addressable through the network. It is recommended that
multiple key manager server devices be configured to work in clustered mode so they can be added to the cluster
configuration as a single entity that is resilient to a single failure.
Caution: DO NOT HOST A KEY MANAGEMENT SERVER VM ON THE ENCRYPTED CLUSTER THAT IS
USING IT!!
Doing so could result in complete data loss if there is a problem with the VM while it is hosted in that
cluster.
Note: You must install the license of the external key manager for all nodes in the cluster. See Compatibility
and Interoperability Matrix for a complete list of the supported key management servers. For instructions on
how to configure a key management server, refer to the documentation from the appropriate vendor.
• This feature requires an Ultimate license, or as an Add-On to the PRO license (for the latest generation of
products). Ensure that you have procure the add-on license key to use the data-at-rest encryption using AOS,
contact Sales team to procure the license.
• Caution: For security, you can't disable software-only data-at-rest encryption once it is enabled.
1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings page.
The Data at Rest Encryption dialog box appears. Initially, encryption is not configured, and a message to
that effect appears.
Caution: You can enable encryption for the entire cluster or just the container. However, if you enable
encryption on a container; and there are any encryption key issue like loss of encryption key, you can encounter
the following:
• The entire cluster data is affected, not just the encrypted container.
• All the user VMs of the cluster will not able to access the data.
The hardware option is displayed only when SEDs are detected. Else, software based encryption type will be
used by default.
Note: For ESXi and Hyper-V, the data can be encrypted on a cluster or container level. The cluster or container
can be empty or contain existing data. Consider the following points for container level encryption.
• Once you enable container level encryption, you can not change the encryption type to cluster level
encryption later.
• After the encryption is enabled, the administrator needs to enable encryption for every new
container.
a. In the web console, select Storage from the pull-down main menu (upper left of screen) and then select the
Table and Storage Container tabs.
b. To enable encryption, select the target storage container and then click the Update link.
The Update Storage Container window appears.
c. In the Advanced Settings area, select the Enable check box to enable encryption for the storage
container you selected.
Note:
• Cluster Localised Key Management Service (Native KMS (local)) requires a minimum of 3-node
cluster. 1-node and 2-node clusters are not supported.
• For enhanced security of ROBO environments (typically, 1 or 2 node clusters), select the Native
KMS (remote) for software based encryption of ROBO clusters managed by Prism Central.
Note: This is option is available only if the cluster is registered to Prism Central.
For external KMS type, select the External KMS option and click Save KMS type. Continue to step 5 for
further configuration.
Note: You can switch between the KMS types at a later stage if the specific KMS prerequisites are met, see
Switching between Native Key Manager and External Key Manager on page 83.
a. Enter appropriate credentials for your organization in the Email, Organization, Organizational Unit,
Country Code, City, and State fields and then click the Save CSR Info button.
The entered information is saved and is used when creating a certificate signing request (CSR). To specify
more than one Organization Unit name, enter a comma separated list.
Note: You can update this information until an SSL certificate for a node is uploaded to the cluster, at which
point the information cannot be changed (the fields become read only) without first deleting the uploaded
certificates.
b. Click the Download CSRs button, and then in the new screen click the Download CSRs for all nodes
to download a file with CSRs for all the nodes or click a Download link to download a file with the CSR
for that node.
• The certificates must be X.509 format. (DER, PKCS, and PFX formats are not supported.)
» If you have configured multiple key management servers in cluster mode, click the Add Address
button to provide the addresses for each key management server device in the cluster.
» If you have stand-alone key management servers, click the Save button. Repeat this step (Add New
Key Management Server button) for each key management server device to add.
Note: If your key management servers are configured into a master/slave (active/passive) relationship
and the architecture is such that the follower cannot accept write requests, do not add the follower into
Note: To prevent potential configuration problems, always use the Add Address button for key
management servers configured into cluster mode. Only a stand-alone key management server should be
added as a new server.
7. In the Add a New Certificate Authority section, enter a name for the CA, click the Upload CA Certificate
button, and select the certificate for the CA used to sign your node certificates (see step 3c). Repeat this step for
all CAs that were used in the signing process.
Note: Before removing a drive or node from an SED cluster, ensure that the testing is successful and the status is
Verified. Otherwise, the drive or node will be locked.
Caution: To help ensure that your data is secure, you cannot disable software-only data-at-rest encryption once it
is enabled. Nutanix recommends regularly backing up your data, encryption keys, and key management server.
Note: If changes are made to the configuration after protection has been enabled, such as adding a new key
management server, you must do the rekey operation for the modification to take full effect. In case of EKM,
rekey to change the KEKs stored in the EKM. In case of LKM, rekey to change the leader key used by native key
manager, see Changing Key Encryption Keys (Software Only) on page 84) for details.
Note: Once the task to encrypt a cluster begins, you cannot cancel the operation. Even if you stop and restart the
cluster, the system resumes the operation.
After Software Encryption has been established, Nutanix supports the ability to switch the KMS type from the
External Key Manager to the Native Key Manager or from the Native Key Manager to an External Key Manager,
without any down time.
Note:
To change the KMS type, change the KMS selection by editing the encryption configuration. For details, see step 4 in
Configuring Data-at-Rest Encryption (Software Only) on page 74 section.
Note: This operation completes in a few minutes, depending on the number of encrypted objects and network speed.
Procedure
1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings page.
Note: The Rekey button appears only when cluster protection is active.
Note: If the cluster is already protected and a new key management server is added, you must press the Rekey
button to use this new key management server for storing secrets.
Note: To help ensure that your data is secure, you cannot disable software-only data-at-rest encryption once it is
enabled. Nutanix recommends regularly backing up your data, encryption keys, and key management server.
• For information on how to delete a storage container, see Modifying a Storage Container in the Prism
Element Web Console Guide.
• For information on how to destroy a cluster, see Destroying a Cluster in the Acropolis Advanced
Administration Guide.
Note:
When you delete a storage container, the Curator scans and deletes the DEK and KEK keys
automatically.
When you destroy a cluster, then:
• the Native Key Manager (local) destroys the master key shares and the encrypted DEKs/KEKs.
• the Native Key Manager (remote) retains the root key on the PC if the cluster is still registered to a
PC when it is destroyed. You must unregister a cluster from the PC and then destroy the cluster to
delete the root key.
• the External Key Manager deletes the encrypted DEKs. However, the KEKs remain on the EKM.
You must use an external key manager UI to delete the KEKs.
Procedure
1. Perform the steps for the software-only encryption with External KMS. For more information, see Configuring
Data-at-Rest Encryption (Software Only) on page 74.
After the background task completes, all the data gets encrypted by the software. The time taken to complete the
task depends on the amount of data and foreground I/O operations in the cluster.
2. Disable the SED encryption. Ensure that all the disks are unprotected.
For more information, see Enabling/Disabling Encryption (SEDs) on page 70.
3. Switch the key management server from the External KMS to Local Key Manager. For more information, see
Switching between Native Key Manager and External Key Manager on page 83.
1. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings page.
2. In the Cluster Encryption page, check to enable both Drive-based and Software-based encryption.
Backing up Keys
Procedure
2. Click the gear icon in the main menu and then select Data at Rest Encryption in the Settings page.
Note: Ensure you move the backup key file to a safe location.
Tip: If vTPM is enabled, the downloaded key backup includes vTPM keys, in addition to the encryption keys.
Procedure
2. Click the hamburger icon, then select Clusters > List view.
Note: Ensure that you move the backup key file to a safe location.
Tip: If vTPM is enabled, the downloaded key backup includes vTPM keys, in addition to the encryption keys.
Importing Keys
You can import the encryption keys from backup. You must note the specific commands in this topic if you
backed up your keys to an external key manager (EKM)
Note: Nutanix recommends that you contact Nutanix Support for this operation. Extended cluster downtime might
result if you perform this task incorrectly.
Procedure
2. Retrieve the encryption keys stored on the cluster and verify that all the keys you want to retrieve are listed.
In this example, the password is Nutanix.123. date is the timestamp portion of the backup file name.
mantle_recovery_util --backup_file_path=/home/nutanix/encryption_key_backup_date \
--password=Nutanix.123 --list_key_ids=true
4. If you are using an external key manager such as IBM Security Key Lifecycle Manager, Gemalto Safenet, or
Vormetric Data Security Manager, use the --store_kek_remotely option to import the keys into the cluster.
In this example, date is the timestamp portion of the backup file name.
mantle_recovery_util --backup_file_path path/encryption_key_backup_date \
--password key_password --store_kek_remotely
Tip: The imported key backup includes vTPM keys (if vTPM is enabled during backup), in addition to the
encryption keys.
If you further isolate service-specific traffic, additional vNICs are created on the CVM. Each service requiring
isolation is assigned a dedicated virtual NIC on the CVM. The NICs are named ntnx0, ntnx1, and so on. Each service-
specific NIC is placed on a configurable existing or new virtual network (vSwitch or bridge) and a VLAN and IP
subnet are specified.
Figure 52: Backplane and Service Specific Segmentation Configured with two vSwitches on
an ESXi Cluster
• The eth0 vNIC on the CVM and vmk0 on the host are carrying management traffic and connected to the
hypervisor through the existing PGm (portgroup) on vSwitch0.
• The eth2 vNIC on the CVM and vmk2 on the host are carrying backplane traffic and connected to the hypervisor
through a new user created PGb on the existing vSwitch.
Figure 53: Backplane and Service Specific Segmentation Configured with two vSwitches on
an AHV Cluster
• The eth0 vNIC on the CVM is carrying management traffic and connected to the hypervisor through the existing
vnet0.
• Other vNICs such as eth2, ntnx0, and ntnx1 are connected to the hypervisor through the auto created interfaces on
either the existing or new vSwitch.
Note: In the above figure the interface name 'br0-bp' is read as 'br0-backplane'.
The following table describes the vNIC, port group (PG), VM kernel (vmk), virtual network (vnet) and virtual switch
connections for CVM and hypervisor in different implementation scenarios. The tables capture information for ESXi
and AHV hypervisors:
Backplane and Service eth0: vmk0 via existing PGm on Existing vnet0
Specific Segmentation vSwitch0
with 1 vSwitch Management traffic
Backplane and Service eth0: vmk0 via existing PGm on Existing vnet0
Specific Segmentation vSwitch0
with 2 vSwitches Management traffic
Implementation Considerations
Supported Environment
Network segmentation is supported in the following environment:
• For network segmentation by traffic type (separating backplane traffic from management traffic):
• AHV
• ESXi
• Hyper-V
• For service-specific traffic isolation:
• AHV
• ESXi
• For logical network segmentation, AOS version must be 5.5 or later. For physical segmentation and service-
specific traffic isolation, the AOS version must be 5.11 or later.
• RDMA requirements:
• Network segmentation is supported with RDMA for AHV and ESXi hypervisors only.
• For more information about RDMA, see Remote Direct Memory Access in the NX Series Hardware
Administration Guide.
Prerequisites
Disable proxy ARP within the Nutanix VLAN before configuring network segmentation.
• Ensure that the VLAN and subnet that you plan to use for the network segment are routable.
• Make sure that you have a pool of IP addresses to specify when configuring segmentation. For each cluster, you
need n+1 IP addresses, where n is the number of nodes in the cluster. The additional IP address is for the virtual
IP address requirement.
• Enable network segmentation for disaster recovery at both sites (local and remote) before configuring remote sites
at those sites.
Limitations
• If network segmentation is enabled for Volumes, volume group attachments are not recovered during VM
recovery.
• Nutanix service VMs such as Objects worker nodes continue to communicate with the CVM eth0 interface when
using Volumes for iSCSI traffic. Other external clients such as Files use the new service-specific CVM interface.
• Management (The default network that cannot be moved from CVM eth0)
• Backplane
• RDMA
• Service Specific Disaster Recovery
• Service Specific Volumes
Caution:
Nutanix has deprecated support for manual multi-homed CVM network interfaces from AOS version
5.15 and later. Such a manual configuration can lead to unexpected issues on these releases. If you have
configured an eth2 interface on the CVM manually, refer to the KB-9479 and Nutanix Field Advisory #78
for details on how to remove the eth2 interface.
Troubleshooting Tips
This section provides information to assist troubleshooting of Network Segmentation deployments.
The Failed to restart one or more services after Backplane was enabled error may occur while enabling network
segmentation. In such cases, the network segmentation task gets completed, however, restarting one or more services
fails to complete on time.
To ensure the necessary services starts on time, login to a CVM over SSH and run the following command:
nutanix@CVM:~$ cluster start
To configure host networking for physical and service-specific network segmentation, do the following:
Note: If you are segmenting traffic on nodes that are already part of a cluster, perform the first step. If you are
segmenting traffic on an unconfigured node that is not part of a cluster, perform the second step directly.
Procedure
1. If you are segmenting traffic on nodes that are already part of a cluster, do the following:
a. From the default virtual switch vs0, remove the uplinks that you want to add to the virtual switch you created
by updating the default virtual switch.
For information about updating the default virtual switch vs0 to remove the uplinks, see Creating or
Updating a Virtual Switch in the Prism Element Web Console Guide.
b. Create a virtual switch for the backplane traffic or service whose traffic you want to isolate.
Add the uplinks to the new virtual switch.
For information about creating a new virtual switch, see Creating or Updating a Virtual Switch in the Prism
Web Console Guide.
2. If you are segmenting traffic on an unconfigured node (new host) that is not part of a cluster, do the following:
a. Create a bridge for the backplane traffic or service whose traffic you want to isolate by logging on to the new
AHV host.
ovs-vsctl add-br br1
b. From the default bridge br0, log on to the host CVM and keep only eth0 and eth1 in br0.
manage_ovs --bridge_name br0 --interfaces eth0,eth1 --bond_name br0-up --bond_mode
active-backup update_uplinks
c. Log on to the host CVM and then add eth2 and eth3 to the uplink bond of br1.
Note: If this step is not done correctly, a network loop can be created that causes a network outage. Ensure that
no other uplink interfaces exist on this bridge before adding the new interfaces, and always add interfaces into a
bond.
What to do next
Prism can configure a VLAN only on AHV hosts. Therefore, if the hypervisor is ESXi, in addition to
configuring the VLAN on the physical switch, make sure to configure the VLAN on the port group.
If you are performing physical network segmentation, see Physically Isolating the Backplane Traffic on an
Existing Cluster on page 118.
If you are performing service-specific traffic isolation, see Service-Specific Traffic Isolation on page 127.
• You can segment the network on an existing cluster by using the Prism web console.
Isolating the Backplane Traffic Logically on an Existing Cluster (VLAN-Based Segmentation Only)
You can segment the network on an existing cluster by using the Prism web console. You must configure
a separate VLAN for the backplane network to achieve logical segmentation. The network segmentation
process creates a separate network for backplane communications on the existing default virtual switch.
The process then places the eth2 interfaces (that the process creates on the CVMs during upgrade) and
the host interfaces on the newly created network. This method allows you to achieve logical segmentation
of traffic over the selected VLAN. From the specified subnet, assign IP addresses to each new interface.
You, therefore, need two IP addresses per node. When you specify the VLAN ID, AHV places the newly
created interfaces on the specified VLAN.
• For ESXi clusters, it is mandatory to create and manage port groups that networking uses for CVM and backplane
networking. Therefore, ensure that you create port groups on the default virtual switch vs0 for the ESXi hosts and
CVMs.
Since backplane traffic segmentation is logical, it is based on the VLAN that is tagged for the port groups.
Therefore, while creating the port groups ensure that you tag the new port groups created for the ESXi hosts and
CVMs with the appropriate VLAN ID. Consult your networking team to acquire the necessary VLANs for use
with Nutanix nodes.
• For new backplane networks, you must specify a non-routable subnet. The interfaces on the backplane network
are automatically assigned IP addresses from this subnet, so reserve the entire subnet for the backplane network
segmentation. See the Configuring Backplane IP Pool on page 135 topic to create an IP pool for backplane
interfaces.
Note: Nutanix does not control these VLAN IDs. Consult your networking team to acquire VLANs for the
Management and Backplane networks.
To segment the network on an existing ESXi and Hyper-V clusters for a backplane LAN, do the following:
To segment the network on an existing AHV cluster for a backplane LAN, follow the procedure described in the
Physically Isolating the Backplane Traffic on an AHV Cluster on page 118 topic.
Note:
In this method, for AHV nodes, logical segmentation (VLAN-based segmentation) is done on the default
bridge. The process creates the host backplane interface (VMkernel) on the Backplane Network port
group on ESXi or br0-backplane (interface) on br0 bridge in case of AHV. The eth2 interface on the
CVM is on CVM Backplane Network by default.
You don't need to manually create the VMkernel adapter (vmk) for backplane segmentation since the
workflow takes care of creating it on the port group selected as the host port group or default Backplane
Network port group if none was selected.
1. Log on to the Prism web console, click the gear icon in the top-right corner, and then click Network
Configuration in the Settings page.
The Network Configuration dialog box appears.
2. In the Network Configuration > Internal Interfaces > Backplane LAN row, click Configure.
The Create Interface dialog box appears.
Note: For VLAN-based segmentation, Nutanix recommends you leave the Host Port Group and CVM Port
Group fields blank. Prism selects the default port group from vSwitch0 when you do not provide the Host
Port Group and CVM Port Group details.
RDMA Overview
Remote Direct Memory Access (RDMA) enables you to directly transfer data between multiple hosts without
involving CPU, OS, or system cache. RDMA reduces the communication latency and increases the bandwidth output
for the data transfer. It directly uses the network adapters for data transfer and never creates a data copy between
network layers.
When RDMA is enabled, the CPU resources available for other applications running in the cluster enhance the AOS
data acceleration mechanism.
For more information on how to enable RDMA port pass-through to the CVM during Foundation, see Configuring
Foundation VM by Using the Foundation GUI.
ZTR Specifications
The ZTR is a deployment mechanism for RDMA setup in which the Mellanox NIC firmware handles the entire
configurations (card optimizations) without any user intervention or dependency on the customized switch profiles or
switch compatibility. ZTR reduces RDMA deployment duration and does not require the support of PFC and End-to-
end Congestion Notification (ECN) settings.
ZTR functionality is supported with both ESXi and AHV hypervisors. For information about how to enable ZTR for
RDMA network segmentation, see Isolating the Backplane Traffic on an Existing RDMA Cluster on page 105.
Nutanix recommends you use ZTR only if NVIDIA Mellanox Connect X-5 Ethernet Adapters (Cx5 NICs) or
NVIDIA Mellanox Connect X-6 Ethernet Adapters (Cx6 NICs) are available in your setup. For more information
about the NICs compatibility for ZTR feature, see NIC Compatibility Matrix for RDMA Features on page 103.
The following table provides the information about NIC compatibility with RDMA features; RDMA Port Pass-
through and ZTR, and the required workaround:
• During Foundation
setup where CVM
reserves the entire NIC
for RDMA port pass-
through. In this case,
the host cannot use the
empty NIC port for
other operations nor can
it change the selected
port.
• After cluster creation in
case of AHV only.
• During Foundation
setup where CVM
reserves the entire NIC
for RDMA port pass-
through. In this case,
the host cannot use the
empty NIC port for
other operations nor can
it change the selected
port.
• After cluster creation in
case of AHV only.
Important:
• A mix of RDMA NIC families on the same node is not supported. For example, a combination of
NVIDIA Mellanox ConnectX-4 Ethernet Adapter (CX-4 NIC) and NVIDIA Mellanox ConnectX-5
Ethernet Adapter (CX-5 NIC) or a combination of CX-5 NICs with different speeds such as CX-5 10Gb
NIC and CX-5 25Gb NIC, on the same node is not supported. If you have any of these combination
types of RDMA NIC families on the same node, the system never allows you to enable RDMA on the
cluster.
This section describes how to configure the RDMA network segmentation settings using either PFC or ZTR
from Prism Central.
• Specify a non-routable subnet. The interfaces on the backplane network are automatically assigned IP addresses
from the subnet. You reserve the entire subnet for the backplane network alone.
• If you plan to specify a VLAN for the RDMA network, ensure that the VLAN is configured on the physical
switch ports to which the nodes are connected.
• Configure the switch interface as a trunk port.
• Observe the NICs compatibility information specified in NIC Compatibility Matrix for RDMA Features on
page 103 .
• Mixed configuration in a cluster is not supported where some nodes have RDMA port pass-through or ZTR
enabled while other nodes have it disabled. All nodes in the cluster need to be uniformly configured with the
RDMA functionality.
The following prerequisites are applicable only for ZTR :
• NVIDIA Mellanox Connect X-5 Ethernet Adapters (Cx5 NICs) or NVIDIA Mellanox Connect X-6 Ethernet
Adapters (Cx6 NICs) are available. For details, see NIC Compatibility Matrix for RDMA Features on
page 103.
• NICs on all nodes are running the same NIC firmware. Perform a NCC health check to verify the minimum driver
version recommended and supported by Mellanox NIC running on the Nutanix platforms. For information about
how to perform NCC Health check, see KB-4289
• AHV or ESXi hypervisor and AOS 6.6 or later (CVM 6.6) are deployed for the cluster. For information about
supported AHV or ESXi hypervisor versions, see KB-4289.
Procedure
To isolate the backplane traffic on an existing RDMA cluster, perform the following steps:
1. Log on to the Prism Element web console, click the gear icon in the top-right corner, and click Network
Configuration in the Settings page.
The Network Configuration dialog box displays.
Note: If the system detects that NVIDIA Mellanox Cx5 NIC or NVIDIA Mellanox Cx6 NIC is used, it provides
you the option to configure RDMA.
3. Click Configure in the RDMA row, and set the following attributes in RDMA dialog box:
Warning: The Configure option is disabled if any of the following conditions exist in your setup:
• All the nodes in the cluster do not contain at least two RDMA-enabled NIC cards.
• A mix of RDMA NIC families on the same node is present. For example, a combination of NVIDIA
Mellanox ConnectX-4 Ethernet Adapter (CX-4 NIC) and NVIDIA Mellanox ConnectX-5 Ethernet
Adapter (CX-5 NIC) or a combination of CX-5 NICs with different speeds such as CX-5 10Gb NIC
and CX-5 25Gb NIC, on the same node is present. If you have any of these combination types of
RDMA NIC families on the same node, the system never allows you to enable RDMA on the cluster.
Mixing NIC cards across nodes in a cluster is supported. In this case, the oldest family of cards
dictates the feature supported for the cluster. For example, if any CX-4 NIC is present, the system
Note: Ensure that the subnet size can accommodate cluster expansion in the future.
Note: VLAN ID is optional with ZTR but Nutanix recommends you to use it for true network segmentation
and enhanced security
• Select either the Use Zero Touch RoCE checkbox to enable ZTR or select the PFC value configured on the
physical switch port.
Note: If the RDMA port pass-through is not done during Foundation setup and only AHV hypervisor is deployed,
the system prompts you to define the RDMA port.
a. Click Next and select the RDMA port in the Port Selection tab.
• Enhances the I/O flow performance between AHV host and CVM. iSER bypasses both the AHV host and CVM
kernel spaces and enables you to achieve low latency in the I/O data transfer as the data is sent and received
between AHV host and CVM without the involvement of the TCP software stack. iSER enables you to achieve
a high bandwidth in the I/O data transfer as it removes the unwanted context switches and system calls between
AHV host and CVM.
• Saves platform resources due to less CPU utilization as an application can read remote memory without any
intervention of the remote processor.
The following figure shows how the I/O traffic flows between AHV host and CVM:
The following figure shows the detailed network architecture for iSER:
For iSER, CVM requires a minimum of 48 GiB vRAM. However, Nutanix recommends you set 64 GiB vRAM
for CVM for optimum performance. For more information, see Controller VM (CVM) Field Specifications in
Acropolis Advanced Admin Guide.
You can perform iSER NIC port pass-through either during Foundation setup or after the completion of cluster
creation using Prism Element.
The following behavior applies to iSER port pass-through:
• If you perform the iSER port pass-through during Foundation setup, the CVM reserves the whole NIC for both
iSER and RDMA data replication. The CVM reserves one port on the NIC for RDMA data replication and
configures the other port for iSER. For more information about Foundation setup, see Configuring Foundation
VM by Using the Foundation GUI in Field Installation Guide.
• If you perform the iSER port pass-through after cluster creation, the system allows you to configure iSER on one
of the unconnected NIC ports. You can use the other NIC port to configure RDMA if RDMA port-passthrough is
not done during Foundation setup.
Note: Ensure the port that you configure for iSER is not allocated to the uplink vswitch of the host. If the port
that you want to configure for iSER is already allocated for uplink vswitch, the system displays it as disabled for
selection and you need to remove it from the vswitch manually.
When a new node is added to increase the capacity of a cluster, the iSER ports cannot be changed after the cluster is
created. In this case, the system checks if iSER is enabled in the cluster. If enabled, the system provisions the iSER
for the new node and selects the first port available in the NIC. To change the iSER port, disable the iSER for the
whole cluster and reconfigure it with the new port selection.
The following table provides the information about NIC compatibility for iSER:
• During Foundation
setup where CVM
reserves the whole
NIC for both iSER and
RDMA data replication.
• After cluster creation
in case of AHV only,
where the system
provides you an option
to configure iSER on
one of the unconnected
NIC ports. You can
use the other NIC
port to configure
RDMA if RDMA port-
passthrough is not done
during Foundation
setup.
Important:
• A mix of RDMA NIC families on the same node is not supported. For example, a combination of
NVIDIA Mellanox ConnectX-4 Ethernet Adapter (CX-4 NIC) and NVIDIA Mellanox ConnectX-5
Ethernet Adapter (CX-5 NIC) or a combination of CX-5 NICs with different speeds such as CX-5 10Gb
NIC and CX-5 25Gb NIC, on the same node is not supported. If you have any of these combination
types of RDMA NIC families on the same node, you cannot enable RDMA data replication on the
cluster and cannot configure ports for iSER.
• Mixing NIC cards across nodes in a cluster is supported. In this case, the oldest family of cards dictates
the iSER port pass-through function. For example, if any CX-4 NIC is present, the system blocks the
iSER live port pass-through and allows only RDMA data replication.
iSER Limitations
This section describes how to configure the iSER port in an existing RDMA cluster.
Note: During AOS or AHV upgrade from previous versions, iSER gets automatically enabled and AHV and CVM
configures an internal IP address for iSER.
Procedure
1. Log on to the Prism web console, click the gear icon in the top-right corner, and click Network Configuration
in the Settings page.
The Network Configuration dialog box displays.
Note: If the system detects that NVIDIA Mellanox Cx5 NIC is used, it provides you the option to configure iSER.
Note: If only AHV is deployed and iSER port pass-through is not done during Foundation setup, the system allows
you to define the iSER port.
ESXi vSwitch
Network segmentation process creates a separate network for backplane communications on the new virtual switch.
The segmentation process places the CVM eth2 interfaces and the host interfaces on the newly created network.
Specify a subnet with a network mask and, optionally, a VLAN ID. From the specified subnet or an IP Pool assign IP
addresses to each new interface in the new network. You require a minimum of two IP addresses per node.
If you specify the optional VLAN ID, the newly created interfaces are placed on VLAN.
Nutanix highly recommends a separate VLAN for the backplane network to achieve true segmentation.
• Ensure that physical isolation of backplane traffic is supported by the AOS version deployed.
• Ensure that you configure the network (port groups or bridges) on the hosts and associate the network with the
required physical NICs before you enable physical isolation of the backplane traffic.
For AHV, see Configuring the Network on an AHV Host on page 98. For ESXI and Hyper-V, see VMware
and Microsoft documentation respectively.
• Segmenting backplane traffic can involve up to two rolling reboots of the CVMs. The first rolling reboot is done
to move the backplane interface (eth2) of the CVM to the selected port group, virtual switch or Hyper-V switch.
This is done only for CVM(s) whose backplane interface is not already connected to the selected port group,
virtual switch or Hyper-V switch. The second rolling reboot is done to migrate the cluster services to the newly
configured backplane interface.
Procedure
1. Shut down all the guest VMs in the cluster from within the guest OS or use the Prism Element web console.
Note: Never put Controller VM and AHV hosts into maintenance mode on single-node clusters. It is
recommended to shutdown user VMs before proceeding with disruptive changes.
Replace host-IP-address with either the IP address or host name of the AHV host you want to shut down.
The following are optional parameters for running the acli host.enter_maintenance_mode command:
• wait
• non_migratable_vm_action
Example.
nutanix@cvm$ acli host.enter_maintenance_mode 197.116.6.79
EnterMaintenanceMode: pending
EnterMaintenanceMode: complete
Do not continue if the host has failed to enter the maintenance mode.
d. Verify if the host is in the maintenance mode:
nutanix@cvm$ acli host.get host-ip
In the output that is displayed, ensure that node_state equals to EnteredMaintenanceMode and
schedulable equals to False.
Example.
nutanix@cvm$ acli host.get 197.116.6.79
197.116.6.79 {
cpu_usage_ppm: 192941
cvm_memory_size_bytes: 21474836480
cvm_num_vcpus: 8
cvm_num_vnics: 3
cvm_uuid: "e96dbef0-d425-4926-9fe8-4d10b1a69902"
host_overhead_bytes: 4957721854
logical_timestamp: 23
max_mem_ha_reserved_bytes: 0
mem_assigned_bytes: 0
mem_usage_bytes: 26654856446
a. Log on to the Prism web console, click the gear icon in the top-right corner, and then click Network
Configuration in the Settings page.
b. On the Internal Interfaces tab, in the Backplane LAN row, click Configure.
c. In the Backplane LAN dialog box, do the following:
• In Subnet IP, specify a non-routable subnet that is different from the subnet used by the AHV host and
CVMs.
The AOS CVM default route uses the CVM eth0 interface, and there is no route on the backplane interface.
Therefore, Nutanix recommends only using a non-routable subnet for the backplane network. To avoid
split routing, do not use a routable subnet for the backplane network.
Make sure that the backplane subnet has a sufficient number of IP addresses. Two IP addresses are required
per node. Reconfiguring the backplane to increase the size of the subnet involves cluster downtime, so you
might also want to make sure that the subnet can accommodate new nodes in the future.
• In Netmask, specify the network mask.
• If you want to assign the interfaces on the network to a VLAN, specify the VLAN ID in the VLAN ID
field.
Nutanix strongly recommends configuring a separate VLAN. If you do not specify a VLAN ID, AOS
applies the untagged VLAN on the virtual switch.
• In the Virtual Switch list, select the virtual switch you created for the backplane traffic.
d. Click Verify and Save.
If the network settings you specified pass validation, the backplane network is created and the CVMs perform
a reboot in a rolling fashion (one at a time), after which the services use the new backplane network. The
progress of this operation can be tracked on the Prism tasks page.
4. Log on to a CVM in the cluster with SSH and stop Acropolis cluster-wide:
nutanix@cvm$ allssh genesis stop acropolis
a. From any CVM in the cluster, run the following command to exit the AHV host from the maintenance mode:
nutanix@cvm$ acli host.exit_maintenance_mode host-ip
Replace host-ip with the IP address of the host.
Example.
nutanix@CVM$ acli host.exit_maintenance_mode 197.116.6.79
ExitMaintenanceMode: pending
7. Power on the guest VMs from the Prism Element web console.
Note: You don't need to manually create the VMkernel adapter for backplane segmentation since the workflow takes
care of creating it on the port group selected as the host port group.
See the ESXi documentation for instructions about how to perform these tasks.
Note: Before you perform the following procedure, ensure that the uplinks you added to the vSwitch are in the UP
state.
1. Log on to the Prism web console, click the gear icon in the top-right corner, and then click Network
Configuration in the Settings page.
2. On the Internal Interfaces tab, in the Backplane LAN row, click Configure.
a. In Subnet IP, specify a non-routable subnet that is different from the subnet used by the ESXi host and
CVMs.
The AOS CVM default route uses the CVM eth0 interface, and there is no route on the backplane interface.
Therefore, Nutanix recommends only using a non-routable subnet for the backplane network. To avoid split
routing, do not use a routable subnet for the backplane network.
Make sure that the subnet has a sufficient number of IP addresses. Two IP addresses are required per node.
Reconfiguring the backplane to increase the size of the subnet involves cluster downtime, so you might also
want to make sure that the subnet can accommodate new nodes in the future.
b. In Netmask, specify the network mask.
c. If you want to assign the interfaces on the network to a VLAN, specify the VLAN ID in the VLAN ID field.
Nutanix strongly recommends configuring a separate VLAN. If you do not specify a VLAN ID, AOS applies
the default VLAN on the virtual switch.
d. In the Host Port Group list, select the port group you created for the host.
A port group can be a standard vSwitch port group, a distributed vSwitch port group or a NSX segment
reflected as a distributed port group in the vCenter.
e. In the CVM Port Group list, select the port group you created for the CVM.
A port group can be a standard vSwitch port group, a distributed vSwitch port group or a NSX segment
reflected as distributed port group in the vCenter.
Note:
Nutanix clusters support both vSphere Standard Switches and vSphere Distributed Switches with either
normal portgroups or NSX segment backed portgroups. However, you must mandatorily configure only
one type of virtual switches in one cluster. Configure all the backplane and management traffic in one
cluster on either vSphere Standard Switches or vSphere Distributed Switches. Do not mix Standard and
Distributed vSwitches on a single cluster. Ensure to have the same port group type (normal or NSX
segment) on all nodes of the cluster.
Note: Before you perform the following procedure, ensure that the uplinks you added to the backplane Virtual Switch
are in the UP state.
Procedure
1. Log on to the Prism web console, click the gear icon in the top-right corner, and then click Network
Configuration in the Settings page.
2. On the Internal Interfaces tab, in the Backplane LAN row, click Configure.
a. In Subnet IP, specify a non-routable subnet that is different from the subnet used by the Hyper-V host and
CVMs.
The AOS CVM default route uses the CVM eth0 interface, and there is no route on the backplane interface.
Therefore, Nutanix recommends only using a non-routable subnet for the backplane network. To avoid split
routing, do not use a routable subnet for the backplane network.
Make sure that the subnet has a sufficient number of IP addresses. Two IP addresses are required per node.
Reconfiguring the backplane to increase the size of the subnet involves cluster downtime, so you might also
want to make sure that the subnet can accommodate new nodes in the future.
b. In Netmask, specify the network mask.
c. If you want to assign the interfaces on the network to a VLAN, specify the VLAN ID in the VLAN ID field.
Nutanix strongly recommends configuring a separate VLAN. If you do not specify a VLAN ID, AOS applies
the default VLAN on the virtual switch.
d. In the Bridge list, select the Hyper-V switch you created for the backplane traffic.
Note: Segmenting backplane traffic can involve up to two rolling reboots of the CVMs. The first rolling reboot
is done to move the backplane interface (eth2) of the CVM to the selected port group or virtual switch. This is
done only for CVM(s) whose backplane interface is not already connected to the selected port group or bridge
virtual switch. The second rolling reboot is done to migrate the cluster services to the newly configured backplane
interface.
Caution: At the end of this procedure, the cluster stops and restarts, even if only the VLAN is changed, and therefore
involves cluster downtime.
Caution: During the reconfiguration process, you might receive an error message similar to the following.
Failed to reach a node.
You can safely ignore this error message and therefore do not stop the script manually.
Note: The backplane_ip_reconfig command is not supported on ESXi clusters with vSphere Distributed
Switches. To reconfigure the backplane network on a vSphere Distributed Switch setup, disable the backplane
network (see Disabling Network Segmentation on an ESXi and Hyper-V Clusters on page 124)
and enable again with a different subnet or VLAN.
3. Type yes to confirm that you want to reconfigure the backplane network.
The reconfiguration procedure takes a few minutes and includes a cluster restart. If you type anything other than
yes, network reconfiguration is aborted.
4. After the process completes, verify that the backplane was reconfigured.
a. Verify that the IP addresses of the eth2 interfaces on the CVM are set correctly.
nutanix@cvm$ svmips -b
Output similar to the following is displayed:
172.30.25.1 172.30.25.3 172.30.25.5
b. Verify that the IP addresses of the backplane interfaces of the hosts are set correctly.
nutanix@cvm$ hostips -b
Output similar to the following is displayed:
172.30.25.2 172.30.25.4 172.30.25.6
The svmips and hostips commands, when used with the option b, display the IP addresses assigned to the
interfaces on the backplane.
Procedure
• Use this CLI to disable network segmentation on an ESXi and Hyper-V cluster:
nutanix@cvm$ network_segmentation --backplane_network --disable
Output similar to the following appears:
Operation type : Disable
Network type : kBackplane
Params : {}
Please enter [Y/y] to confirm or any other key to cancel the operation
Type Y or y to confirm that you want to reconfigure the backplane network.
If you type Y or y, network segmentation is disabled and the controller VMs (CVMs) restart in a rolling
manner, one CVM at a time. If you type anything other than Y or y, network segmentation is not disabled.
This method does not involve cluster downtime.
3. Verify that network segmentation was successfully disabled. You can verify this in one of two ways:
Important:
nutanix@cvm$ svmips
192.127.3.2 192.127.3.3 192.127.3.4
nutanix@cvm$ svmips -b
192.127.3.2 192.127.3.3 192.127.3.4
nutanix@cvm$ hostips
192.127.3.5 192.127.3.6 192.127.3.7
nutanix@cvm$ hostips -b
192.127.3.5 192.127.3.6 192.127.3.7
In the above example, the outputs of the svmips and hostips commands with and without the -b option are the
same, indicating that the backplane network segmentation is disabled.
1. Shut down all the guest VMs in the cluster from within the guest OS or use the Prism Element web console.
Note: Never put Controller VM and AHV hosts into maintenance mode on single-node clusters. It is
recommended to shutdown user VMs before proceeding with disruptive changes.
Replace host-IP-address with either the IP address or host name of the AHV host you want to shut down.
The following are optional parameters for running the acli host.enter_maintenance_mode command:
• wait
• non_migratable_vm_action
Do not continue if the host has failed to enter the maintenance mode.
d. Verify if the host is in the maintenance mode:
nutanix@cvm$ acli host.get host-ip
In the output that is displayed, ensure that node_state equals to EnteredMaintenanceMode and
schedulable equals to False.
a. Log on to the Prism web console, click the gear icon in the top-right corner, and then click Network
Configuration under the Settings.
b. In the Internal Interfaces tab, in the Backplane LAN row, click Disable.
4. Log on to a CVM in the cluster with SSH and stop Acropolis cluster-wide:
nutanix@cvm$ allssh genesis stop acropolis
a. From any CVM in the cluster, run the following command to exit the AHV host from the maintenance mode:
nutanix@cvm$ acli host.exit_maintenance_mode host-ip
Replace host-ip with the new IP address of the host.
This command migrates (live migration) all the VMs that were previously running on the host back to the host.
b. Verify if the host has exited the maintenance mode:
nutanix@cvm$ acli host.get host-ip
In the output that is displayed, ensure that node_state equals to kAcropolisNormal or AcropolisNormal
and schedulable equals to True.
7. Power on the guest VMs from the Prism Element web console.
• Ensure to configure each host as described in Configuring the Network on an AHV Host on page 98.
• Review Prerequisites on page 97.
Procedure
1. Log on to the Prism web console and click the gear icon at the top-right corner of the page.
3. In the details pane, on the Internal Interfaces tab, click Create New Interface.
The Create New Interface dialog box is displayed.
Note: Add at least n+1 IP addresses in an IP range considering n is the number of nodes in the cluster.
• Click Save.
• Use Add an IP Pool to add more IP address pools. You can use only one IP address pool at any given
time.
• Select the IP address pool that you want to use, and then click Next.
What to do next
See Service-Specific Settings and Configurations on page 131 for any additional tasks that are required
after you segment the network for a service.
Procedure
1. Disable the network segmentation configured for a service by following the instructions in Disabling Network
Segmentation Configured for a Service on page 130.
2. Create the network again by following the instructions in Isolating Service-Specific Traffic on page 128.
Procedure
1. Log on to the Prism web console and click the gear icon at the top-right corner of the page.
3. On the Internal Interfaces tab, for the interface that you want to disable, click Disable.
Note: The defined IP address pool is available even after disabling the network segmentation.
• Disable the network segmentation configured for a service by following the instructions in Disabling Network
Segmentation Configured for a Service on page 130.
• Observe the Limitation specified in Limitation for vNIC Hot-Unplugging topic in AHV Admin Guide.
you
Nutanix Volumes
Network segmentation for Volumes also requires you to migrate iSCSI client connections to the new
segmented network. If you no longer require segmentation for Volumes traffic, you must also migrate
connections back to eth0 after disabling the vNIC used for Volumes traffic.
You can create up to two different networks for Nutanix Volumes with different IP pools, VLANs, and data services
IP addresses. For example, you can create two iSCSI networks, one for production and one for non-production traffic,
on the same Nutanix cluster.
Follow the instructions in Isolating Service-Specific Traffic on page 128 again to create the second network for
Volumes after you create the first network.
Note:
You can specify only one client subnet while
configuring network segmentation for Volumes
in the Prism Element Web Console.
After you enable network segmentation for Volumes, you must manually migrate connections from existing
iSCSI clients to the newly segmented network.
Note: Even though support is available to run iSCSI traffic on both the segmented and management networks at the
same time, Nutanix recommends that you move the iSCSI traffic for guest VMs to the segmented network to achieve
true isolation.
Procedure
1. Log out from all the clients connected to iSCSI targets that are using CVM eth0 or the Data Service IP address.
2. Optionally, remove all the discovery records for the Data Services IP address (DSIP) on eth0.
3. If the clients are allowlisted by their IP address, remove the client IP address that is on the management network
from the allowlist, and then add the client IP address on the new network to the allowlist.
nutanix@cvm$ acli vg.detach_external vg_name initiator_network_id=old_vm_IP
nutanix@cvm$ acli vg.attach_external vg_name initiator_network_id=new_vm_IP
Replace vg_name with the name of the volume group and old_vm_IP and new_vm_IP with the old and new
client IP addresses, respectively.
Procedure
1. Log out from all the clients connected to iSCSI targets using the CVM vNIC dedicated to Volumes.
2. Remove all the discovery records for the DSIP on the new interface.
The settings for configuring network segmentation for disaster recovery apply to all Asynchronous,
NearSync, and Metro Availability replication schedules. You can use disaster recovery with Asynchronous,
NearSync, and Metro Availability replications only if both the primary site and the recovery site is
configured with Network Segmentation. Before enabling or disabling the network segmentation on a host,
disable all the disaster recovery replication schedules running on that host.
After configuring network segmentation for disaster recovery, configure remote sites at both locations. You also need
to reconfigure remote sites if you disable network segmentation.
For information about configuring remote sites, see Remote Site Configuration in the Data Protection and
Recovery with Prism Element Guide.
A stretched Layer 2 network configuration allows the source and remote metro clusters to be in the same
broadcast domain and communicate without a gateway.
Procedure
Replace the following: (See Isolating Service-Specific Traffic on page 128 for the information)
• DR-ip-pool-name with the name of the IP Pool created for the DR service or any existing unused IP
address pool.
• DR-vlan-id with the VLAN ID used for the DR service.
• portgroup with the details of the CVM Port Group used for the DR service in the ESXi hypervisor.
• virtual-switch with the details of the Virtual Switch used for the DR service in the AHV hypervisor.
This example shows how to configure network segment as a stretched L2 network on a cluster running ESXi
hypervisor:
nutanix@cvm$ network_segmentation --service_network --service_name=kDR --
ip_pool=DR_pool
--service_vlan=124 --desc_name="L2 Strech for ESXi" --
host_physical_network=portgroup0
--stretched_metro
For example, configure network segment as a stretched L2 network on a cluster running AHV hypervisor:
nutanix@cvm$ network_segmentation --service_network --service_name=kDR --
ip_pool=DR_pool
--service_vlan=124 --desc_name="L2 Strech for AHV" --host_virtual_switch=vs0
--stretched_metro
For more information about the network_segmentation command, see the Command Reference guide.
The settings for configuring network segmentation for Nutanix Disaster Recovery apply to all Asynchronous,
NearSync, and Synchronous replication schedules. For detailed information about network segmentation for Nutanix
Disaster Recovery, see Network Segmentation in the Nutanix Disaster Recovery Guide.
Procedure
Procedure
For example, enable network segmentation on a mixed hypervisor containing ESXi and AHV storage only nodes:
nutanix@cvm$ network_segmentation --backplane_network
--ip_pool=BackplanePool
--backplane_vlan=1234
--esx_host_physical_network=host-pg
--esx_cvm_physical_network=cvm-pg
• Move from one vSphere Standard Switch (VSS) portgroup to another VSS portgroup within the same virtual
standard switch
• Move from one VSS portgroup to another VSS portgroup in a different Virtual Standard Switch
• Move from a VSS portgroup to a vSphere Distributed Switch (VDS) portgroup
• Move from a VDS portgroup to a VSS
Note:
For renaming existing VSS or VDS portgroups, you must manually perform the rename operation from the
vCenter application or use the ESXi CLI and run the update operation with the new portgroup. This is to
ensure the configuration stored in the Nutanix internal database is up to date.
• This feature is not supported on clusters running on the AHV and Hyper-V hypervisors.
• This feature does not support updating any other configuration such as VLAN ID, and IP address.
Note: This feature does not perform any network validation on the new portgroups. Hence the user must ensure the
portgroup settings are accurate before proceeding with the portgroup update operation. If the settings are not accurate,
the CVM on that node may not be able to communicate with its peers and this results in a stuck rolling reboot.
Procedure
For example:
nutanix@cvm$ network_segmentation --backplane_network
--host_physical_network=new-bp-host-pgroup
--cvm_physical_network=new-bp-cvm-pgroup
--update
For creating a port group, see Creating Port Groups on the Distributed Switch in vSphere Administration
Guide for Acropolis.
IP Address customization for each CVM and host feature enables you to allocate an IP address manually to a CVM
and host. This helps in maintaining similarity between external and segmented IP addresses. This feature is supported
while configuring backplane segmentation, service specific traffic isolation for Volumes, and service specific traffic
isolation for Disaster Recovery.
Procedure
2. Log on to the CVM in the cluster where the JSON file exists using SSH
3. Enable Service Specific Traffic Isolation for Volumes using the JSON file
nutanix@CVM:~$ network_segmentation --service_network
--ip_pool=pool1 --desc_name="Volumes Seg 1"
--service_name=kVolumes
--host_physical_network=dv-volumes-network-1
--service_vlan=151
--ip_map_filepath=/home/nutanix/ip_map.json
Procedure
For example:
nutanix@CVM:~$ network_segmentation --backplane_network
--ip_pool=BackplanePool
--backplane_vlan=1234
--host_physical_network=BackplaneSwitch
• If you enable the backplane network segmentation, Prism allocates two IP addresses for every new node from the
backplane IP Pool.
• If you enable service-specific traffic isolation, Prism allocates one IP address for every new node from the
respective (Volumes or DR) IP pools.
• If enough IP addresses are not available in the specified network, the Prism Element web console displays a
failure message in the tasks page. To add more IP ranges to the IP pool, see Configuring Backplane IP Pool on
page 135.
• If you cannot add more IPs to the IP pool, then reconfigure that specific network segmentation. For more
information about how to reconfigure the network, see Reconfiguring the Backplane Network on page 123.
• The network settings on the physical switch to which the new nodes are connected must be identical to the
other nodes in the cluster. New nodes communicate with current nodes using the same VLAN ID for segmented
networks. Otherwise, the expand cluster task will fail in the network validation stage.
• After fulfilling the earlier points, you can add nodes to the cluster. For instructions about how to add nodes to your
Nutanix cluster, see Expanding a Cluster in the Prism Web Console Guide.
Note:
Do not delete the eth2 interface that is created on the Controller VMs, even if you are not using the network
segmentation feature.
Firewall Requirements
The Ports and Protocols describes detailed port information (like protocol, service description, source, destination,
and associated service) for Nutanix products and services. It includes port and protocol information for 1-click
upgrades and LCM updates.
Log management
This chapter describes how to configure cluster-wide setting for log-forwarding and documenting the log fingerprint.
Note: The audit in the Controller VM uses the audisp plugin by default to ship all the audit logs to the rsyslog
daemon (stored in /home/log/messages). Searching for audispd in the central log host provides the entire content
of the audit logs from the Controller VM. The audit daemon is configured with a rules engine that adheres to the
auditing requirements of the Operating System Security Requirements Guide (OS SRG), and is embedded as part of the
Controller VM STIG.
Use the nCLI to enable forwarding of system, audit, aide, and SCMA logs of all the Controller nodes in a cluster at
the required log level. For more information, see Send Logs to Remote Syslog Server in the Acropolis Advanced
Administration Guide
Procedure
2. Run the following command to document the fingerprint for each public key assigned to an individual admin.
nutanix@cvm$ ssh-keygen -lf /<location of>/id_rsa.pub
The fingerprint is then compared to the SSH daemon log entries and forwarded to the central log host (/home/log/
secure in the Controller VM).
Note: After completion of the ssh public key inclusion in Prism and verification of connectivity, disable the
password authentication for all the Controller VMs and AHV hosts. From the Prism main menu, de-select Cluster
Lockdown configuration > Enable Remote Login with password check box from the gear icon drop-
down list.
Configuring Authentication
Caution: Prism Central does not support the SSLv2 and SSLv3 ciphers. Therefore, you must disable the SSLv2 and
SSLv3 options in a browser before accessing Prism Central. This avoids an SSL Fallback and access denial situations.
However, you must enable TLS protocol in the browser.
• SAML authentication. Users can authenticate through a supported identity provider when SAML support is
enabled for Prism Central. The Security Assertion Markup Language (SAML) is an open standard for exchanging
authentication and authorization data between two parties: an identity provider (IDP) and Prism Central as the
service provider.
IAM allows additional IDPs for Single Sign-on.. For more information, see More SAML Identity Providers
(IDP) and Updating ADFS When Using SAML Authentication on page 228.
• Local user authentication. Users can authenticate if they have a local Prism Central account. See the Nutanix
Security Guide for these procedures.
• Active Directory authentication. Users can authenticate using their Active Directory (or OpenLDAP) credentials
when Active Directory support is enabled for Prism Central. See the Nutanix Security Guide for these
procedures.
Caution: Prism Central does not allow the use of the (not secure) SSLv2 and SSLv3 ciphers. To eliminate the
possibility of an SSL Fallback situation and denied access to Prism Central, disable (uncheck) SSLv2 and SSLv3 in any
browser used for access. However, TLS must be enabled (checked).
Procedure
a. Directory Type: Select one of the following from the pull-down list.
• Active Directory: Active Directory (AD) is a directory service implemented by Microsoft for Windows
domain networks.
Note:
• Users with the "User must change password at next logon" attribute enabled will not be
able to authenticate to Prism Central. Ensure users with this attribute first login to a domain
workstation and change their password prior to accessing Prism Central. Also, if SSL is
enabled on the Active Directory server, make sure that Nutanix has access to that port (open
in firewall).
• Use of the "Protected Users" group is currently unsupported for Prism authentication.
For more details on the "Protected Users" group, see “Guidance about how to configure
protected accounts” on Microsoft documentation website.
• An Active Directory user name or group name containing spaces is not supported for Prism
Central authentication.
• The Microsoft AD is LDAP v2 and LDAP v3 compliant.
• The Microsoft AD servers supported are Windows Server 2012 R2, Windows Server 2016,
and Windows Server 2019.
• OpenLDAP: OpenLDAP is a free, open source directory service, which uses the Lightweight Directory
Access Protocol (LDAP), developed by the OpenLDAP project.
Note: Prism Central uses a service account to query OpenLDAP directories for user information and does
not currently support certificate-based authentication with the OpenLDAP directory.
Note: LDAPS support does not require custom certificates or certificate trust import.
• Port 389 (LDAP). Use this port number (in the following URL form) when the configuration is single
domain, single forest, and not using SSL.
ldap://ad_server.mycompany.com:389
• Port 636 (LDAPS). Use this port number (in the following URL form) when the configuration is single
domain, single forest, and using SSL. This requires all Active Directory Domain Controllers have
properly installed SSL certificates.
ldaps://ad_server.mycompany.com:636
• Port 3268 (LDAP - GC). Use this port number when the configuration is multiple domain, single forest,
and not using SSL.
• Port 3269 (LDAPS - GC). Use this port number when the configuration is multiple domain, single forest,
and using SSL.
Note:
• When constructing your LDAP/S URL to use a Global Catalog server, ensure that the
Domain Control IP address or name being used is a global catalog server within the domain
being configured. If not, queries over 3268/3269 may fail.
• Cross-forest trust between multiple AD forests is not supported.
Note:
The value for the following variables depend on your OpenLDAP configuration.
• User Object Class: Enter the value that uniquely identifies the object class of a user.
• User Search Base: Enter the base domain name in which the users are configured.
• Username Attribute: Enter the attribute to uniquely identify a user.
• Group Object Class: Enter the value that uniquely identifies the object class of a group.
• Group Search Base: Enter the base domain name in which the groups are configured.
• Group Member Attribute: Enter the attribute that identifies users in a group.
• Group Member Attribute Value: Enter the attribute that identifies the users provided as value for
Group Member Attribute.
Here are some of the possible options for the fields:
• For Active Directory, enter the service account user name in the [email protected] format.
• For OpenLDAP, enter the service account user name in the following Distinguished Name (DN) format:
cn=username, dc=company, dc=com
A service account is created to run only a particular service or application with the credentials specified
for the account. According to the requirement of the service or application, the administrator can limit
access to the service account.
A service account is under the Managed Service Accounts in the Active Directory and openLDAP
server. An application or service uses the service account to interact with the operating system. Enter
Note: Be sure to update the service account credentials here whenever the service account password
changes or when a different service account is used.
Note:
• No permissions are granted to the directory users by default. To grant permissions to the directory
users, you must specify roles for the users in that directory (see Configuring Role Mapping on
page 186).
• Service account for both Active directory and openLDAP must have full read permission on the
directory service.
5. To edit a directory entry, click the pencil icon for that entry.
After clicking the pencil icon, the relevant fields reappear. Enter the new information in the appropriate fields and
then click the Save button.
• An identity provider (typically a server or other computer) is the system that provides authentication through a
SAML request. There are various implementations that can provide authentication services in line with the SAML
standard.
• You can specify other tested standard-compliant IDPs in addition to ADFS. See the Prism Central release
notes topic Identity and Access Management Software Support for specific support requirements and also
Security Management Using Identity and Access Management (Prism Central) on page 223.
IAM allows only one identity provider at a time, so if you already configured one, the + New IDP link does not
appear.
• You must configure the identity provider to return the NameID attribute in SAML response. Prism Central uses the
NameID attribute for role mapping.
Procedure
a. Configuration name: Enter a name for the identity provider. This name appears in the logon authentication
screen.
b. Group Attribute Name (Optional): Optionally, enter the group attribute name such as groups. Ensure
that this name matches the group attribute name provided in the IDP configuration.
c. Group Attribute Delimiter (Optional): Optionally, enter a delimiter that needs to be used when multiple
groups are selected for the Group attribute.
d. Import Metadata: Click this option to upload a metadata file that contains the identity provider information.
Identity providers typically provide an XML file on their website that includes metadata about that identity
provider, which you can download from that site and then upload to Prism Central. Click + Import Metadata
5. To edit an identity provider entry, click the pencil icon for that entry.
After clicking the pencil icon, the relevant fields reappear. Enter the new information in the appropriate fields and
then click the Save button.
6. To delete an identity provider entry, click the X icon for that entry.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK button. The entry is
removed from the list.
Procedure
Note:
• Client and CAC authentication only supports RSA 2048 bit certificate.
• Uploaded certificate files must be PEM encoded. The web console restarts after the upload step.
Note: The web console restarts when you change these settings.
Note: The CA must be the same for both the client chain certificate and the certificate on the local machine or
smart card.
a. Directory: Select the authentication directory that contains the CAC users that you want to authenticate.
This list includes the directories that are configured on the Directory List tab.
b. Service Username: Enter the user name in the user [email protected] format that you want the web
console to use to log in to the Active Directory.
c. Service Password: Enter the password for the service user name.
d. Click Enable CAC Authentication.
Note: Enabling CAC disables all other directory service and local user logons, only the local admin user logon
is permitted in this case.
Note: The Prism Central console restarts after you change this setting.
The Common Access Card (CAC) is a smart card about the size of a credit card, which some organizations use to
access their systems. After you insert the CAC into the CAC reader connected to your system, the software in the
reader prompts you to enter a PIN. After you enter a valid PIN, the software extracts your personal certificate that
represents you and forwards the certificate to the server using the HTTP protocol.
Nutanix Prism verifies the certificate as follows:
• Validates that the certificate has been signed by your organization’s trusted signing certificate.
• Extracts the Electronic Data Interchange Personal Identifier (EDIPI) from the certificate and uses the EDIPI to
check the validity of an account within the Active Directory. The security context from the EDIPI is used for
your PRISM session.
• Prism Central supports both certificate authentication and basic authentication in order to handle both
Prism Central login using a certificate and allowing REST API to use basic authentication. It is physically
not possible for REST API to use CAC certificates. With this behavior, if the certificate is present during
Prism Central login, the certificate authentication is used. However, if the certificate is not present, basic
authentication is enforced and used.
Note: Nutanix Prism does not support OpenLDAP as directory service for CAC.
If you map a Prism Central role to a CAC user and not to an Active Directory group or organizational unit to
which the user belongs, specify the EDIPI (User Principal Name, or UPN) of that user in the role mapping. A user
who presents a CAC with a valid certificate is mapped to a role and taken directly to the web console home page.
The web console login page is not displayed.
Note: If you have logged on to Prism Central by using CAC authentication, to successfully log out of Prism
Central, close the browser after you click Log Out.
User Management
Managing Local User Accounts
• To add user accounts through Active Directory, see Configuring Authentication. If you enable the
Prism Self Service feature, an Active Directory is assigned as part of that process.
• Changing the Prism Central admin user password does not impact registration (re-registering clusters is
not required).
Procedure
Note: A second field to verify the password is not included, so be sure to enter the password correctly in this
field.
• Checking the User Admin box allows the user to view information, perform any administrative task, and
create or modify user accounts.
• Checking the Prism Central Admin (formerly "Cluster Admin") box allows the user to view information
and perform any administrative task, but it does not provide permission to manage (create or modify) other
user accounts.
• Leaving both boxes unchecked allows the user to view information, but it does not provide permission to
perform any administrative tasks or manage other user accounts.
h. When all the fields are correct, click the Save button (lower right).
This saves the configuration and redisplays the dialog box with the new user appearing in the list.
1. To modify a user account, click the pencil icon for that user and update one or more of the values as desired in the
Update User window.
2. To disable login access for a user account, click the Yes value in the Enabled field for that user; to enable the
account, click the No value.
A Yes value means the login is enabled; a No value means it is disabled. A user account is enabled (login access
activated) by default.
Procedure
Note: Password complexity requirements might appear above the fields; if they do, your new password must
comply with these rules.
Note: By default, there is no password expiration day set for a local user account.
Note: Your keys can be managed from the API Keys page on the Nutanix support portal (see Licensing).
Your connection will be secure without the optional public key (following field), and the public key option is
provided in the event that your default public key expires.
f. Public Key: Click the Choose File button to upload a new public key file.
g. When all the fields are correct, click the Save button (lower right). This saves the changes and closes the
window.
Note:
Only a user with admin privileges can reset a password for other users.
Procedure
3. Use the ncli user reset-password command and specify the username and password of the user whose password is
to be reset:
nutanix@cvm$ ncli user reset-password user-name=xxxxx password=yyyyy
• Replace user-name=xxxxx with the name of the user whose password is to be reset.
• Replace password=yyyyy with the new password.
What to do next
You can relaunch the Prism Element or the Prism Central web console and verify the new password setting.
Procedure
4. Select the project that the user is associated with and go to Actions > Update Projects
The Edit Projects page appears.
7. Click Save
Prism deletes the user account and also removes the user from any associated projects.
Repeat the same steps if the user is associated with multiple projects.
• Prism Central includes a set of predefined roles (see Built-in Role Management on page 163).
• You can also define additional custom roles (see Custom Role Management on page 164).
• Configuring authentication confers default user permissions that vary depending on the type of authentication (full
permissions from a directory service or no permissions from an identity provider). You can configure role maps to
customize these user permissions (see Configuring Role Mapping on page 186).
Note: Please note that the entities are treated as separate instances. For example, if you want to grant a user or a
group the permission to manage cluster and images, an administrator must add both of these entities to the list of
assignments.
• With RBAC, user roles do not depend on the project membership. You can use RBAC and log in to Prism Central
even without a project membership.
• You can also use Granular RBAC to assign fine-grained VM operation permissions to users based on your
specific requirements. This feature enables you to create custom roles with finer permission entities like "Allow
VM Power On" or "Allow VM Power Off" as compared to the broader permissions categories like "Update VM".
Note:
Note: Defining custom roles and assigning roles are supported on AHV only.
Role Privileges
Project Admin Manages cloud objects (roles, VMs, Apps, Marketplace) belonging to
a project
Note: You can specify a role for a user when you assign a user to a
project, so individual users or groups can have different roles in the same
project.
Procedure
Note: You must enter a unique name for the custom role; built-in role names are not allowed (including some
Nutanix-internal role names).
Note: All entity types are listed by default, but you can display just a subset by entering a string in the Filter
Entities search field.
c. Select an entity you want to add to this role and provide desired access permissions from the available options.
The access permissions vary depending on the selected entity.
For example, for the VM entity, click the radio button for the desired VM permissions:
• No Access
• View Access
• Basic Access
• Edit Access
• Set Custom Permissions
If you select Set Custom Permissions, click the Change link to display the Custom VM Permissions
window, select all the permissions you want to enable, and then click Save. Optionally, check the Allow VM
Creation box to allow this role to create VMs.
5. Click Save to create the role. The page closes and the new role appears in the Roles view list.
» To modify the role, select Update Role from the Actions pull-down list. The Roles page for that
role appears. Update the field values as desired and then click Save. See Creating a Custom Role on
page 164 for field descriptions.
» To delete the role, select Delete from the Action pull-down list. A confirmation message is displayed. Click
OK to delete and remove the role from the list.
Note:
You can assign permissions for the VM Recovery Point entity to users or
user groups in the following two ways.
VM No Access (none)
View Access Access Console VM, View VM
Basic Access Access Console VM, Update VM Power State, View
VM
Edit Access Access Console VM, Update VM, View Overlay
Subnet, View Subnet, View VPC, View VM
Full Access Access Console VM, Allow VM Power Off, Allow
VM Power On, Allow VM Reboot, Allow VM Reset,
Allow VM Volume Group Connection, Clone VM,
Create VM, Delete VM, Expand VM Disk Size,
Export VM, Mount VM CDROM, Unmount VM
CDROM, Update VM, Update VM Boot Config,
Update VM CPU, Update VM Categories, Update
VM Description, Update VM Disk List, Update VM
GPU List, Update VM Memory, Update VM Memory
Overcommit, Update VM NGT Config, Update VM
NIC List, Update VM Name, Update VM Owner,
Update VM Power State, Update VM Power State
Mechanism, Update VM Project, View Cluster,
View Marketplace Item, View Overlay Subnet, View
Project, View Subnet, View VPC, View VM
Note: By default, assigning certain permissions to a user role might implicitly assign more permissions to that role.
However, the implicitly assigned permissions will not be displayed in the details page for that role. These permissions
are displayed only if you manually assign them to that role.
Procedure
5. The Roles page for that role appears. In the Roles page, do the following in the indicated fields:
• Select Full Access and then select Allow VM recovery point creation.
• Click Change next to Set Custom Permissions to customize the permissions. Enable Restore VM
Recovery Point permission. This permission also grants the permission to view the VM created from the
restore process.
d. Click Save to add the role. The page closes and the new role appears in the Roles view list.
6. In the Roles view, select the newly created role and click Manage Assignment to assign the user to this role.
• Under Select Users or User Groups or OUs, enter the target user name. The search box displays the
matched records. Select the required listing from the records.
• Under Entities, select VM Recovery Point, select Individual Entry from the drop-down list, and then
select All VM Recovery Points.
• Click Save to finish.
Procedure
5. Directory or Provider: Select the target directory or identity provider from the pull-down list.
Only directories and identity providers previously configured in the authentication settings are available. If the
desired directory or provider does not appear in the list, add that directory or provider, and then return to this
procedure.
6. Type: Select the desired LDAP entity type from the pull-down list.
This field appears only if you have selected a directory from the Directory or Provider pull-down list. The
following entity types are available:
• Viewer: Allows users with view-only access to the information and hence cannot perform any
administrative tasks.
• Cluster Admin (Formerly Prism Central Admin): Allows users to view and perform all administrative
tasks except creating or modifying user accounts.
• User Admin: Allows users to view information, perform administrative tasks, and to create and modify user
accounts.
8. Values: Enter the entity names. The entity names are assigned with the respective roles that you have selected.
The entity names are case sensitive. If you need to provide more than one entity name, then the entity names
should be separated by a comma (,) without any spaces in between them.
LDAP-based authentication
• For AD
Enter the actual names used by the organizational units (it applies to all users and groups in those OUs),
groups (all users in those groups), or users (each named user) used in LDAP in the Values field.
For example, entering sr_dev_1,staff_dev_1 in the Values field when the LDAP type is Group and the role is
Cluster Admin, implies that all users in the sr_dev_1 and staff_dev_1 groups are assigned the administrative
role for the cluster.
Do not include the domain name in the value. For example, enter all_dev, and not
all_dev@<domain_name>. However, when users log in to Cluster Admin, include the domain along with the
username.
User: Enter the sAMAccountName or userPrincipalName in the values field.
Group: Enter common name (cn) or name.
OU: Enter name.
• For OpenLDAP
User: Use the username attribute (that was configured while adding the directory) value.
Group: Use the group name attribute (cn) value.
OU: Use the OU attribute (ou) value.
SAML-based authentication:
You must configure the NameID attribute in the identity provider. You can enter the NameID returned in the
SAML response in the Values field.
For SAML, only User type is supported. Other types such as, Group and OU, are not supported.
If you enable Identity and Access Management, see Security Management Using Identity and Access
Management (Prism Central) on page 223
9. Click Save.
The role mapping configurations are saved, and the new role is listed in the Role Mapping window.
You can create a role map for each authorized directory. You can also create multiple role maps that apply to a
single directory. When there are multiple maps for a directory, the most specific rule for a user applies.
For example, adding a Group map set to Cluster Admin and a User map set to Viewer for a few specific users in
that group means all users in the group have administrator permission except those few specific users who have
only viewing permission.
11. To delete a role map entry, click the X icon for that entry and click the OK button to confirm the role map entry
deletion.
The role map entry is removed from the list.
Note: The Prism Central supports assigning up to 15 clusters to any user or user group.
Procedure
1. Log in to Prism Central as an administrator any user with super admin access.
Note: You can skip this step if an Active Directory is already configured.
Select Admin Center in the Application Switcher. Go to IAM > Settings > Authentication, click + New
Directory and add your preferred Active Directory.
5. Select Prism Admin or Prism Viewer role, then click Actions > Manage Assignment.
You will add users or user groups and assign clusters to the new role in the upcoming steps.
9. Click Save.
AD or IDP users or User Groups can log on and access Prism Central as a Prism Admin or Prism Viewer, and
view or act on the entities like VM, host, and container from the configured clusters.
Cluster Role-Based Access Control (RBAC) for Audits and Events allows a super-admin user to provide Prism
Admin and Prism Viewer roles access to one or more clusters registered with Prism Central. A user with Prism
Admin or Prism Viewer role can view all audits and events.
For more information on configuring cluster RBAC for audits and events, see Configuring Cluster RBAC for
Audits and Events on page 192.
Procedure
1. Log in to Prism Central as an administrator any user with super admin access.
Note: You can skip this step if an Active Directory is already configured.
Select Admin Center in the Application Switcher. Go to IAM > Settings > Authentication, click + New
Directory and add your preferred Active Directory.
5. Select Prism Admin or Prism Viewer role, then click Actions > Manage Assignment.
For illustration purpose, the Prism Admin role is selected in this step.
6. Click Add New to add a new user or user groups to this role.
You will add users or user groups and assign clusters to the Prism Admin or Prism Viewer role in the upcoming
steps.
8. In the Select Clusters field, you can provide cluster access to AD users or User Groups using the Individual
entity option (one or more registered clusters) or ALL Clusters option.
9. Click Save.
AD users or User Groups can log on and access Prism Central as a Prism Admin or Prism Viewer. They can view
or act on the available entities in the configured clusters such as audits, events, volume groups, virtual disks, and
storage containers.
Cluster role-based access control (RBAC) for Volume Group feature enables a super-admin user to provide Prism
Admin and Prism Viewer roles access to one or more clusters registered with Prism Central. A user with Prism
Admin role can view and update the entities like volume groups, virtual disks, and storage containers from the
allowed clusters. However, a user with Prism Viewer role can only view the entities.
Cluster RBAC is currently supported on an on-prem Prism Central instance hosted in a Prism Element cluster running
AHV. After you enable the Micro Services Infrastructure feature on Prism Central, the Cluster RBAC feature is then
automatically enabled.
Cluster RBAC for Volume Group feature is supported on AHV and ESXi clusters.
Note: Prism Central supports Cluster RBAC for VG feature from PC.2022.6 release.
Role Privileges
Procedure
1. Log in to Prism Central as an administrator any user with super admin access.
Note: You can skip this step if an Active Directory is already configured.
Select Admin Center in the Application Switcher. Go to IAM > Settings > Authentication, click + New
Directory and add your preferred Active Directory.
5. Select Prism Admin or Prism Viewer role, then click Actions > Manage Assignment.
For illustration purpose, the Prism Admin role is selected in this step.
You will add users or user groups and assign clusters to the Prism Admin or Prism Viewer role in the upcoming
steps.
8. In the Select Clusters field, you can provide cluster access to AD users or User Groups using the Individual
entity option (one or more registered clusters) or ALL Clusters option.
Assigning a Role
Procedure
1. Log in to Prism Central as an administrator any user with super admin access.
Note: You can skip this step if an Active Directory is already configured.
Select Admin Center in the Application Switcher. Go to IAM > Settings > Authentication, click + New
Directory and add your preferred Active Directory.
5. Select the desired role in the roles dashboard, then click Actions > Manage Assignment.
6. Click Add New to add Active Directory based users or user groups, or IDP users or user groups (or OUs) to this
role.
You are adding users or user groups and assigning entities to the new role in the next steps.
Note: Please note that the entities are treated as separate instances. For example, if you want to grant a user
or a group the permission to manage cluster and images, an administrator must add both of these entities to the
list of assignments.
8. In Entities selection, select the entities or groups of entities on which this role will be applied.
The selected entities can either be in a category, in a cluster, or an individual entity. The list of available entities
depends on the role selected in Step 5.
9. Repeat Step 5 and Step 6 for any combination of users/entities you want to define.
Note: To allow users to create certain entities like a VM, you may also need to grant them access to related
entities like clusters, networks, and images that the VM requires.
4. Click the Users tab to display the users that are assigned this role.
5. Click the User Groups tab to display the groups that are assigned this role.
6. Click the Role Assignment tab to display the user/entity pairs assigned this role (see Assigning a Role on
page 197).
Note:
• You can import only a cluster-wide SSL certificate in Prism Central. The SSL certificate cannot be
customized for an individual controller VM (CVM).
• Generating a Self-signed SSL Certificate with Subject Alternative Name on page 203
• Generating a Certificate Signing Request with Subject Alternative Name for submission to Certificate
Authority (CA) on page 206
Procedure
» To regenerate Nutanix default self-signed certificate, select Regenerate Self Signed Certificate and then
click Apply.
A dialog box appears to verify the action; click OK. A new RSA 2048 bit self-signed certificate is generated
and applied for Prism Central.
» To import self-signed SSL certificate or CA signed certificate, select Import Key and Certificate and then
click Next.
• Private Key Type: Select the appropriate private key type for the self-signed certificate from the dropdown
list.
• Private Key: Click Choose file and select the private key.
• Public Certificate: Click Choose file and select the self-signed certificate corresponding to the private key.
• CA Certificate/Chain: Click Choose file select the self-signed certificate corresponding to the private key.
The following table lists certificate components and its corresponding file type to choose when SSL certificate
window prompts:
• Private Key Type: Select the appropriate private key type for the CA signed certificate from the dropdown
list.
• Private Key: Click Choose file and select the private key.
• Public Certificate: Click Choose file and select the CA signed public portion of the certificate
corresponding to the private key.
• CA Certificate/Chain: Click Choose file and select the certificate or chain of the signing authority for the
public certificate.
Note: To create a chain file from the list of CA certificates, see Generating a Certificate Signing
Request with Subject Alternative Name for submission to Certificate Authority (CA) on
page 206.
The following table lists certificate components and its corresponding file type to choose when SSL certificate
window prompts:
Results
After generating or importing the new certificate, the interface gateway restarts. If the certificate and credentials are
valid, the interface gateway uses the new certificate immediately, which means that your browser session (and all
other open browser sessions) is invalid until you reload the page and accept the new certificate. If anything is wrong
with the certificate (such as a corrupted file or wrong certificate type), the new certificate is discarded, and the system
reverts to the original default certificate provided by Nutanix.
Note: The system holds only one custom SSL certificate. If a new certificate is uploaded, it replaces the existing
certificate. The previous certificate is discarded.
Procedure
1. Log in to any of the controller VMs (CVMs) with SSH using the management IP address of the CVM:
$ ssh admin@cvm_ip_address
Important: While you are generating the private key, ensure that the private key is not password protected.
3. To generate the CSR of your choice, run one of the following commands:
For example, to generate a CSR for RSA 2048 private key using SHA-256 signature algorithm:
admin@cvm$ openssl req -new -nodes -key my_key_name.key -sha256 -out
my_csr_name.csr
For example, to generate a CSR for ECDSA 384 private key using SHA-384 signature algorithm:
admin@cvm$ openssl req -new -nodes -key my_key_name.pem -sha384 -out
my_csr_name.csr
4. Enter the information in the command output to incorporate into your certificate request:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:US
State or Province Name (full name) []:CA
Locality Name (eg, city) []:San Jose
Organization Name (eg, company) []: Nutanix Inc
Organizational Unit Name (eg, section) []: IT
5. Create a configuration file named san.cnf that contains the following text:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
[v3_req]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.0 = example1.domain.com
DNS.1 = example2.domain.com
DNS.2 = example3.domain.com
DNS.3 = *.domain.com
IP.0 = x.x.x.x
[alt_names]
Specify your DNS and IP addresses. If you have a range of hosts, use wildcards (*) to match any subdomain of the
domain name.
Example:
admin@cvm$ openssl x509 -req -days 1460 -in my_csr_name.csr -signkey my_key_name.key
-out my_crt_name.crt -sha256 -extensions v3_req -extfile san.cnf
7. Copy my_key_name.key and my_crt_name.crt from the CVM to your local machine:
admin@cvm$ scp my_key_name.key my_crt_name.crt username@local-machine:/
local_file_path/
What to do next
After you successfully create a self-signed certificate with a private key, follow the procedure described
in Importing an SSL Certificate on page 200 to replace the default certificate with your self-signed SSL
certificate. The following table lists certificate components and its corresponding file type to choose when
SSL certificate window prompts:
Procedure
1. Log in to any of the controller VMs (CVMs) with SSH using the management IP address of the CVM:
$ ssh admin@cvm_ip_address
2. Create a configuration file named ssl.cnf that contains the following text:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
stateOrProvinceName = State or Province Name (full name)
localityName = Locality Name (eg, city)
organizationName = Organization Name (eg, company)
organizationalUnitName = Organizational Unit Name (eg, BU)
commonName = Common Name (e.g. server FQDN or YOUR name)
emailAddress = Email Address
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.0 = example1.domain.com
DNS.1 = example2.domain.com
DNS.2 = example3.domain.com
DNS.3 = *.domain.com
IP.0 = x.x.x.x
[alt_names]
Specify your DNS and IP addresses. If you have a range of hosts, use wildcards (*) to match any subdomain of
the domain name.
Important: While you are generating the private key, ensure that the private key is not password protected.
4. To generate the CSR of your choice, run one of the following commands:
For example, to generate a CSR for RSA 2048 private key using SHA-256 signature algorithm:
admin@cvm$ openssl req -new -nodes -key my_key_name.key -sha256 -out
my_csr_name.csr -config ssl.cnf
For example, to generate a CSR for ECDSA 384 private key using SHA-384 signature algorithm:
admin@cvm$ openssl req -new -nodes -key my_key_name.pem -sha384 -out
my_csr_name.csr -config ssl.cnf
5. Enter the information in the command output to incorporate into your certificate request:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []: US
State or Province Name (full name) []: CA
Locality Name (eg, city) []: San Jose
Organization Name (eg, company) []: Nutanix Inc
Organizational Unit Name (eg, BU) []:IT
6. Copy my_key_name.key and my_crt_name.crt from the CVM to your local machine:
nutanix@cvm$ scp my_key_name.key my_csr_name.csr username@local-machine:/
local_file_path/
9. Download all the certificate files received from CA to the local file directory.
10. (Optional) If the CA chain certificate provided by the certificate authority is not in a single file, run the
following command to concatenate the list of CA certificates into a chain file:
$ cat intermediateCAcert.crt rootCAcert.crt > ca_chain_certs.crt
Note:
• The chain must start with the certificate of the signer and ends with the root CA certificate.
• Ensure that the chain file only has the root and intermediate certificates. If your chain file has
public or private certificates, it will fail to import in Prism Central.
What to do next
Follow Importing an SSL Certificate on page 200 section to replace the default certificate with a CA
signed certificate. The following table lists certificate components and its corresponding file type to choose
when SSL certificate window prompts:
• Verify that the CA certificate chain uses SHA 256 as a signature algorithm:
admin@cvm$ openssl crl2pkcs7 -nocrl -certfile ca_chain_certs.crt | openssl pkcs7 -
print_certs -noout -text | grep -Ew '(Subject|Issuer|Signature Algorithm):' | grep -
C1 Issuer
• If the certificate is DER encoded, run the following command to convert the certificate from DER to PEM-
encoded ASCII format:
admin@cvm$ openssl x509 -in certDER.crt -inform der -outform pem -out cert.crt
Certificate format
Ensure that all the certificates do not have any extra data (or custom attributes) before the beginning (-----BEGIN
CERTIFICATE-----) or after the end (-----END CERTIFICATE-----) of the block.
• AES128-CTR
• AES192-CTR
• AES256-CTR
You can create a key pair (or multiple key pairs) and add the public keys to enable key-based SSH access. However,
when site security requirements do not allow such access, you can remove all public keys to prevent SSH access.
To control key-based SSH access to Prism Central, do the following:
Procedure
4. To disable (or enable) remote login access, uncheck (check) the Enable Remote Login with Password box.
Remote login access is enabled by default.
5. To add a new public key, click the New Public Key button and then do the following in the displayed fields:
6. To delete a public key, click the X on the right of that key line.
Note: Deleting all the public keys and disabling remote login access locks down the cluster from SSH access.
Data-in-Transit Encryption
Data-in-Transit Encryption allows you to encrypt service level traffic between the cluster nodes. Data-in-Transit
Encryption, along with Data-at-Rest Encryption on page 58, protects the entire life cycle of data and is an essential
countermeasure for unauthorized access of critical data.
To enable Data-in-Transit Encryption, see Enabling Data-in-Transit Encryption on page 211.
• Data-in-Transit Encryption can have an impact on I/O latency and CPU performance.
• Intra-cluster traffic encryption is supported only for the Stargate service.
• RDMA traffic encryption is not supported.
• When a Controller VM goes down, the traffic from guest VM to remote Controller VM is not encrypted.
• Traffic between guest VMs connected to Volume Groups is not encrypted when the target disk is on a
remote Controller VM.
Procedure
3. Go to Hardware > Clusters > Actions and select Enable Data-In-Transit Encryption.
The following confirmation dialog box is displayed.
Procedure
3. Go to Hardware > Clusters > Actions and select Disable Data-In-Transit Encryption.
The following confirmation dialog box is displayed.
You can use the AHV vTPM feature to secure virtual machines running on AHV.
• Support for storing cryptographic keys and certificates for Microsoft Windows BitLocker
Tip: Windows 11 installation requires TPM 2.0, see Microsoft website for Windows 11 specs, features, and computer
requirements.
Requirements
Supported Software Versions:
• You must enable UEFI on the VM on which you want to enable vTPM, see UEFI Support for VM.
• You must enable Secure Boot (applicable if using Microsoft Windows BitLocker), see Secure Boot Support for
VMs.
Limitations
Procedure
1. Go to the List tab of the VMs dashboard (see VM Summary View) and click the Create VM button.
The Create VM wizard appears. Follow the instructions in the Creating a VM topic for details on the Create
VM wizard.
Note: Shield VM Security Settings is available only if you have enabled UEFI BIOS Mode for Boot
Configuration.
3. Click Next at the subsequent VM setting tabs and then click Save.
What to do next
You can now start the VM to verify if the vTPM configuration is applied on the VM.
Procedure
1. You can choose to manage or update an existing VM configuration using any of the following methods, see
Managing a VM (AHV) for details.
• Select the target VM in the List tab of the VMs dashboard (see VMs Summary View) and choose the
required action from the Actions menu.
• Right-click on the target VM in the List tab of the VMs dashboard and select the required action from the
drop-down list.
• Go to the details page of a selected VM (see VM Details View) and select the desired action.
2. VM must be powered off before you can update the Shield VM Security Settings configuration. To power off
the VM, select More and then Power Off.
Note:
• Shield VM Security Settings is available only if you have enabled UEFI BIOS Mode for Boot
Configuration
• Shield VM settings cannot be selected when the VM is running. Shut down the VM to update these
settings.
5. Click Next at the subsequent VM setting tabs and then click Save.
What to do next
You can now start the VM to verify if the vTPM configuration is applied on the VM.
Procedure
1. You can choose to manage or update an existing VM configuration using any of the following methods, see
Managing a VM (AHV) for details.
• Select the target VM in the List tab of the VMs dashboard (see VMs Summary View) and choose the
required action from the Actions menu.
• Right-click on the target VM in the List tab of the VMs dashboard and select the required action from the
drop-down list.
• Go to the details page of a selected VM (see VM Details View) and select the desired action.
2. VM must be shut down before you can update the Shield VM Security Settings configuration. To shut down
the VM, select More and then Power Off.
Warning: Disabling vTPM may severely affect VM functionality or result in data loss. For example, if Microsoft
Windows BitLocker key is stored in vTPM, then you will require the recovery key to unlock the encrypted disk.
Note: Shield VM settings cannot be selected when the VM is running. Shut down the VM to update these settings.
5. Click Next at the subsequent VM setting tabs and then click Save.
Security Dashboard
This topic provides an overview of the Security Dashboard.
Overview
The Security Dashboard provides dynamic summary of the security posture across all registered clusters. The
Security Dashboard allows you to view the most critical security parameters like cluster-based issue summary, STIG
policy compliance, security hardening, and identified vulnerabilities. The security dashboard is divided into multiple
widgets to represent different security focus areas.
You can customize the security dashboard based on your preference. See Managing Security Dashboard on
page 221 to customize the security dashboard. A sample view of the Security Dashboard with the default widgets
is displayed in the figure.
Requirements
Ensure that meet the following requirements to use Security Dashboard.
• Enable Microservices infrastructure on Prism Central, see Enabling Microservices Infrastructure Manually in
the Prism Central Infrastructure Guide.
• Ensure that your cluster is running on AOS version 6.6 or later and Prism Central version 2022.9 or later.
Procedure
2. Open the drop-down menu on the upper left and select Administration > LCM.
4. From the list of softwares available for upgrade, select PC Core Services and click Upgrade.
Note:
• Manual upgrade of security dashboard (PC Core Services module) is applicable to the following
software versions:
• Go to Prism Central Main Dashboard > Security widget and click View All Issues.
Tip: The Security Dashboard Wizard is automatically presented as a pop-up when you access the dashboard
feature for the first time. Click Start Tour to begin the dashboard walkthrough. Optionally, click Skip for Now to
go the dashboard directly.
Tip: You can change the view of the security dashboard based on the following options.
• All clusters
• Individual cluster
• Selection of clusters
The View selection menu on the top-right corner of the dashboard allows you to switch between the
different views. The values displayed in the widgets are dynamically updated based your selection.
Summary
The Summary widget allows you to view your open security issues or focus on the clusters that have the most
number of security issues. You can click the Summary pie graph to view the following information.
• Security Hardening
• STIG Issues
• Vulnerabilities
Tip: The Security Dashboard refreshes once daily. Updating the STIG check based vulnerabilities information requires
a manual refresh. You can initiate a manual refresh by clicking the refresh icon at the bottom of the widget. Manual
refresh process takes some approximately 20 minutes to 2 hours to complete and depends on the number of clusters in
your environment.
STIG Policy
STIG helps detect deviation from the security baseline configuration of the operating system and hypervisor to remain
in compliance. Nutanix has implemented the Controller VM and Prism Central VM to support STIG compliance with
the RHEL 8 STIG as published by DISA. For more information, see DISA STIG Guidance Reference.
The STIG Policy widget provides an accurate snapshot of policy violations or deviations (resulting in failure)
from the baseline STIG policy. This widget displays the STIG policy compliance status according to controls and
resources.
Note: The STIG checks are run only on the node running primary Prism Element.
Status by Resources (Total) Total number of individual resources that have failed a
set of STIG controls.
Click View Failed Controls to view the list of STIG controls that are not met.
Security Hardening
The Security Hardening widget displays the status of security hardening controls applied on your clusters. This
widget also allows you to configure multiple security hardening controls from the widget directly.
You can configure the following Security Hardening configurations from the security hardening widget.
Security Configuration Management Automation Enable SCMA frequency for AHV hosts and Controller
(SCMA) VM.
Defense Consent Banner Enable defense consent banner for AHV hosts and
Controller VM.
Refer to the Nutanix Security Guide to enable other hardening settings using Prism or nCLI.
Vulnerabilities
The Vulnerabilities widget displays a list of vulnerabilities (or CVEs) associated with your clusters based on the
Acropolis Operating System versions.
Click View All Vulnerabilities to view the list of all vulnerabilities and the recommended upgrade path for
mitigating the identified vulnerabilities.
Note: Not all the listed CVEs might be resolved when upgraded to a new release.
1. Click the Manage Dashboard hyperlink available at the top-right corner of the Security Dashboard.
Note: Security Dashboard refreshes once daily. This process takes some time to complete.
IAM Features
Highly Scalable Architecture
Based on the Kubernetes open source platform, IAM uses independent pods for authentication (AuthN),
authorization (AuthZ), and IAM data storage and replication.
• Each pod automatically scales independently of Prism Central when required. No user intervention or
control is required.
• When new features or functions are available, you can update IAM pods independently of Prism Central
updates through Life Cycle Manager (LCM).
• IAM uses a rolling upgrade method to help ensure zero downtime.
Secure by Design
Note: IAM supports SAML-based authentication with Azure AD. LDAP-based authentication with Azure
AD is not supported.
• Okta
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 223
• PingOne
• Shibboleth
• Keycloak
Nutanix supports SAML 2.0 compliant IDPs.
Users can log on from the Prism Central web console only. IDP-initiated authentication work flows are not
supported. That is, logging on or signing on from an IDP web page or site is not supported.
Updated Authentication Page
The Prism Central login page is updated depending on your IAM configuration. For example, if you have
configured local user account and Active Directory authentication, this default page appears for directory
(AD) users as follows. To log in as a local user, click the Log In with your Nutanix Local Account link.
Figure 91: Sample Default Prism Central IAM Logon Page, Active Directory And Local User
Authentication
In another example, if you have configured SAML authentication instances named Shibboleth and AD2, Prism
Central displays this page.
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 224
Figure 92: Sample Prism Central IAM Logon Page, Active Directory , Identity Provider, And
Local User Authentication
Note: After upgrade to pc.2022.9 if the Security Assertion Markup Language (SAML) IDP is configured, you need
to download the Prism Central metadata and re-configure the SAML IDP to recognize Prism Central as the service
provider. See Updating ADFS When Using SAML Authentication on page 228 to create the required rules
for ADFS.
IAM Prerequisites
For specific minimum software support and requirements for IAM, see the Prism Central release notes.
For microservices infrastructure requirements, see Microservices Infrastructure.
Prism Central
See Microservices Infrastructure.
Prism Element Clusters
See Microservices Infrastructure.
IAM Considerations
First Log on after Upgrading to Prism Central Version
After you upgrade Prism Central to a minimum version of pc.2022.9, when you log in to Prism
Central for the first time using IAM, click Log in with your Nutanix Local Account and log in using
the default admin credentials.
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 225
After this first time login, for subsequent login you can use your Active Directory (AD) user credentials.
Existing Authentication and Authorization Migrated When IAM is Enabled
• IAM migrates existing authentication and authorization configurations, including Common Access Card
client authentication configurations.
If Security Assertion Markup Language (SAML) IDP is configured
Signed single logout (SAML SLO) is not supported. This limitation results in a error on the SAML
ADFS page when you logout of Prism Central
Upgrading Prism Central After Enabling CMSP
After you upgrade Prism Central, if Microservices Infrastructure (and IAM) was previously enabled,
both the services are enabled by default if the cluster meets all the requirements as provided in
Microservices Infrastructure. You must contact Nutanix Support for any custom requirement.
Note: After upgrade to pc.2022.9 if the Security Assertion Markup Language (SAML) IDP is configured,
you need to download the Prism Central metadata and re-configure the SAML IDP to recognize Prism Central
as the service provider. See Updating ADFS When Using SAML Authentication on page 228 to
create the required rules for ADFS.
• IAM supports deployments where CAC authentication and client authentication are enabled on Prism
Central. If you want to enable a client to authenticate by using certificates, you must also enable CAC
authentication.
Note: IAM does not support client authentication if CAC authentication is not enabled.
• Ensure that port 9441 is open in your firewall if you are using CAC client authentication.
Hypervisor Support
• IAM is enabled only on an on-premise Prism Central (PC) deployment hosted on an AOS cluster running
AHV or ESXi. Clusters running other hypervisors are not supported.
Configuring Authentication
Caution: Prism Central does not support the SSLv2 and SSLv3 ciphers. Therefore, you must disable the SSLv2 and
SSLv3 options in a browser before accessing Prism Central. This disabling avoids an SSL Fallback and access denial
situations. However, you must enable TLS protocol in the browser.
• SAML authentication. Users can authenticate through a supported identity provider when SAML support is
enabled for Prism Central. The Security Assertion Markup Language (SAML) is an open standard for exchanging
authentication and authorization data between two parties: an identity provider (IDP) and Prism Central as the
service provider.
With IAM, in addition to ADFS, other IDPs are available. For more information, see More SAML Identity
Providers (IDP) on page and Updating ADFS When Using SAML Authentication on page 228.
• Local user authentication. Users can authenticate if they have a local Prism Central account. For more
information, see Managing Local User Accounts.
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 226
• Active Directory authentication. Users can authenticate using their Active Directory (or OpenLDAP) credentials
when Active Directory support is enabled for Prism Central.
• To enable a client to authenticate by using certificates, you must also enable CAC authentication.
• Ensure that port 9441 is open in your firewall if you are using CAC client authentication. After enabling CAC
client authentication, your CAC logon redirects the browser to use port 9441.
Procedure
Note: Uploaded certificate files must be PEM encoded. The web console restarts after the upload step.
Note: The web console restarts when you change these settings.
Note: The CA must be the same for both the client chain certificate and the certificate on the local machine or
smart card.
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 227
5. To specify a service account that the Prism Central web console can use to log in to Active Directory and
authenticate Common Access Card (CAC) users, select the Configure Service Account check box. Then do
the following in the indicated fields:
a. Directory: Select the authentication directory that contains the CAC users that you want to authenticate.
This list includes the directories that are configured on the Directory List tab.
b. Service Username: Enter the user name in the user [email protected] format that you want the web
console to use to logon to the Active Directory.
c. Service Password: Enter the password for the service user name.
d. Click Enable CAC Authentication.
Note: The Prism Central console restarts after you change this setting.
The Common Access Card (CAC) is a smart card about the size of a credit card, which some organizations use to
access their systems. After you insert the CAC into the CAC reader connected to your system, the software in the
reader prompts you to enter a PIN. After you enter a valid PIN, the software extracts your personal certificate that
represents you and forwards the certificate to the server using the HTTP protocol.
Nutanix Prism verifies the certificate as follows:
• Validates that the certificate has been signed by the trusted signing certificate of your organization.
• Extracts the Electronic Data Interchange Personal Identifier (EDIPI) from the certificate and uses the EDIPI to
check the validity of an account within the Active Directory. The security context from the EDIPI is used for
your PRISM session.
• Prism Central supports both certificate authentication and basic authentication in order to handle both
Prism Central login using a certificate and allowing REST API to use basic authentication. It is physically
not possible for REST API to use CAC certificates. With this behavior, if the certificate is present during
Prism Central login, the certificate authentication is used. However, if the certificate is not present, basic
authentication is enforced and used.
If you map a Prism Central role to a CAC user and not to an Active Directory group or organizational unit to
which the user belongs, specify the EDIPI (User Principal Name, or UPN) of that user in the role mapping. A user
who presents a CAC with a valid certificate is mapped to a role and taken directly to the web console home page.
The web console login page is not displayed.
Note: If you have logged on to Prism Central by using CAC authentication, to successfully log out of Prism
Central, close the browser after you click Log Out.
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 228
As an example, this topic uses UPN as the LDAP attribute to map. You could also map the email address attribute to
NameID. See the Microsoft Active Directory Federation Services documentation for details about creating a claims
aware Relying Party Trust and claims rules.
Procedure
1. In the Relying Party Trust for Prism Central, configure a claims issuance policy with two rules.
2. For the rule using the Send LDAP Attributes as Claims template, select the LDAP Attribute as User-
Principal-Name and set Outgoing Claim Type to UPN.
For User group configuration using the Send LDAP Attributes as Claims template, select the LDAP
Attribute as Token-Groups - Unqualified-Names and set Outgoing Claim Type to Group.
• An identity provider (typically a server or other computer) is the system that provides authentication through a
SAML request. There are various implementations that can provide authentication services in line with the SAML
standard.
• You can specify other tested standard-compliant IDPs in addition to ADFS. See the Prism Central release
notes topic Identity and Access Management Software Support for specific support requirements and also
Security Management Using Identity and Access Management (Prism Central) on page 223.
IAM allows only one identity provider at a time, so if you already configured one, the + New IDP link does not
appear.
• You must configure the identity provider to return the NameID attribute in SAML response. Prism Central uses the
NameID attribute for role mapping.
Procedure
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 229
4. To add a SAML-based identity provider, click the + New IDP link.
A set of fields is displayed. Do the following in the indicated fields:
a. Configuration name: Enter a name for the identity provider. This name appears in the logon authentication
screen.
b. Group Attribute Name (Optional): Optionally, enter the group attribute name such as groups. Ensure
that this name matches the group attribute name provided in the IDP configuration.
c. Group Attribute Delimiter (Optional): Optionally, enter a delimiter that needs to be used when multiple
groups are selected for the Group attribute.
d. Import Metadata: Click this option to upload a metadata file that contains the identity provider information.
Identity providers typically provide an XML file on their website that includes metadata about that identity
provider, which you can download from that site and then upload to Prism Central. Click + Import Metadata
to open a search window on your local system and then select the target XML file that you downloaded
previously. Click the Save button to save the configuration.
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 230
link just below the Identity Providers table to download an XML file that describes Prism Central and then upload
this metadata file to the identity provider.
5. To edit an identity provider entry, click the pencil icon for that entry.
After clicking the pencil icon, the relevant fields reappear. Enter the new information in the appropriate fields and
then click the Save button.
6. To delete an identity provider entry, click the X icon for that entry.
After clicking the X icon, a window prompt appears to verify the delete action; click the OK button. The entry is
removed from the list.
Procedure
1. Log in to the Prism Central VM through an SSH session as the nutanix user.
4. To validate that your settings have been restored, log on to the Prism Central web console and go to Settings >
Authentication and check the settings.
AOS Security | Security Management Using Identity and Access Management (Prism Central) | 231
ACCESSING A LIST OF OPEN SOURCE
SOFTWARE RUNNING ON A CLUSTER
As an admin user, you can access a text file that lists all of the open source software running on a cluster.
Procedure
1. Log on to any Controller VM in the cluster as the admin user by using SSH.
AOS Security | Accessing a List of Open Source Software Running on a Cluster | 232
COPYRIGHT
Copyright 2023 Nutanix, Inc.
Nutanix, Inc.
1740 Technology Drive, Suite 150
San Jose, CA 95110
All rights reserved. This product is protected by U.S. and international copyright and intellectual property
laws. Nutanix and the Nutanix logo are registered trademarks of Nutanix, Inc. in the United States and/or other
jurisdictions. All other brand and product names mentioned herein are for identification purposes only and may be
trademarks of their respective holders.