Nutanix Security Hardening AOS 7.5, Part 3: IAM & Troubleshooting
Part 3 of our AOS 7.5 security series covers Identity and Access Management configuration and common troubleshooting scenarios.
Catch up: Part 1: CVM, PCVM & AHV Hardening | Part 2: Cluster Lockdown & Encryption
Identity and Access Management (IAM)
IAM in Prism Central provides granular RBAC with support for multiple identity providers.
Supported Identity Providers
- Microsoft Active Directory (AD)
- OpenLDAP
- SAML 2.0 Identity Providers (ADFS, Entra ID, Okta, PingOne, Shibboleth, Keycloak)
- Common Access Card (CAC) authentication
Configure Certificate Revocation Checking (OCSP)
Set the OCSP responder URL:
ncli authconfig set-certificate-revocation set-ocsp-responder=https://ocsp.example.com
Verify the configuration:
ncli authconfig get-client-authentication-config
Expected output:
Auth Config Status: true
File Name: ca.cert.pem
OCSP Responder URI: http://ocsp-responder-url
Configure CRL-Based Revocation Checking
ncli authconfig set-certificate-revocation \
set-crl-uri=http://crl1.example.com/crl.pem,http://crl2.example.com/crl.pem \
set-crl-refresh-interval=86400 \
set-crl-expiration-interval=604800
Reset Local User Password via nCLI
ncli user reset-password user-name=admin password=NewSecureP@ssw0rd!
Password requirements:
- Minimum 8 characters
- At least one lowercase letter
- At least one uppercase letter
- At least one digit
- At least one special character
- At least 4 characters different from old password
- Cannot be among last 5 passwords
- No more than 2 consecutive character occurrences
Troubleshooting
Verify Security Configuration
Check CVM security status across all nodes:
for i in $(hostips); do echo "=== $i ==="; ssh $i "ncli cluster get-cvm-security-config"; done
Check SCMA Status
View SCMA schedule and status:
ncli cluster get-cvm-security-config | grep -i schedule
Lock Status Issues
If security configuration is locked and changes are needed:
ncli cluster edit-cvm-security-params enable-lock-status=false
Note: Contact Nutanix Support to unlock if enabled.
CAC Authentication Issues
Ensure port 9441 is open in your firewall for CAC client authentication:
sudo iptables -L -n | grep 9441
Summary
This wraps up our 3-part Nutanix AOS 7.5 security hardening series. We covered STIG compliance and SCMA in Part 1, cluster lockdown and encryption in Part 2, and IAM with troubleshooting here in Part 3. Together, these configurations provide enterprise-grade security aligned with NIS2 and DORA compliance requirements. Regular STIG compliance reports and security audits will help maintain your security posture over time.


