Channel: VMware Communities : Unanswered Discussions - vCenter™ Server

Access Modes and Vulnerability Scanning


Hello vCenter Community,

I've got a few questions that with your answers may help me with our problems.  The first area deals with the different login methods to vCenter and hosts.  The second issue deals with vulnerability scanning.

 

1.  Login Modes:

When I built out our VMware suite I had to use each of the three different login GUIs below to make all configurations, and then you have Single Sign On.

 

Web Client

vSphere Client

vCenter Server Appliance Management Interface :5480

 

Our IA or Cyber Security team has locked me down to using only the Single Sign On method using Windows Credentials through the vSphere Client. 

I'm trying to configure a system account for Tenable SC "Security Center" so that we can scan the VCSA 6.7 and ESXi hosts, but we're running into problems.

 

RESOURCES:

Tenable Knowledge Article 000001403

Tenable Community

 

The specific information is this:

If you are trying to perform a compliance scan against both the ESXi hosts and vCenter:

---All of the above apply

-Your scan policy must have VMware vCenter SOAP API Settings defined along with an uploaded audit file

-Your vCenter server must be specified in the target list

-Your scan policy must have VMware SOAP API Settings defined along with an uploaded audit file

-Your ESXi host IPs must be specified in the target list

 

 

To perform a successful compliance scan against VMware systems, users must have the following:

1. Administrative credentials for VMware vCenter or ESXi. (Tenable has developed APIs for both ESXi (the interface available for free to manage VMs on ESX/ESXi), and vCenter (an add-on product available from VMware at some cost to manage one or more ESX/ESXi servers). This plugin can leverage either ESXi or vCenter credentials to do its job.)

2. Audit policy for VMware vCenter/ESXi Compliance Checks.

3. Plugin ID #64455 (VMware vCenter/ESXi Compliance Checks)

######

 

QUESTIONS:

1.  Can Admin accounts set up for Tenable scanning using the vSphere Client HTML5 GUI Single Sign-On complete the scans successfully or is another login method required?

2.  Are the Web Client and the "Management Interface :5480" login still required for managing configurations, or can everything be done now from HTML 5 only?

3.  Since my Admin account is now run through Windows Credentials, how do I get my rights back "given that IA still wants me to run systems"?

