Nutanix Security Hardening AOS 7.5, Part 3: IAM & Troubleshooting

Part 3 of our AOS 7.5 security series covers Identity and Access Management configuration and common troubleshooting scenarios.

Catch up: Part 1: CVM, PCVM & AHV Hardening | Part 2: Cluster Lockdown & Encryption

Identity and Access Management (IAM)

IAM in Prism Central provides granular RBAC with support for multiple identity providers.

Supported Identity Providers

  • Microsoft Active Directory (AD)
  • OpenLDAP
  • SAML 2.0 Identity Providers (ADFS, Entra ID, Okta, PingOne, Shibboleth, Keycloak)
  • Common Access Card (CAC) authentication

Configure Certificate Revocation Checking (OCSP)

Set the OCSP responder URL:

bash
ncli authconfig set-certificate-revocation set-ocsp-responder=https://ocsp.example.com

Verify the configuration:

bash
ncli authconfig get-client-authentication-config

Expected output:

output
Auth Config Status: true
File Name: ca.cert.pem
OCSP Responder URI: http://ocsp-responder-url

Configure CRL-Based Revocation Checking

bash
ncli authconfig set-certificate-revocation \
  set-crl-uri=http://crl1.example.com/crl.pem,http://crl2.example.com/crl.pem \
  set-crl-refresh-interval=86400 \
  set-crl-expiration-interval=604800

Reset Local User Password via nCLI

bash
ncli user reset-password user-name=admin password=NewSecureP@ssw0rd!

Password requirements:

  • Minimum 8 characters
  • At least one lowercase letter
  • At least one uppercase letter
  • At least one digit
  • At least one special character
  • At least 4 characters different from old password
  • Cannot be among last 5 passwords
  • No more than 2 consecutive character occurrences

Troubleshooting

Verify Security Configuration

Check CVM security status across all nodes:

bash
for i in $(hostips); do echo "=== $i ==="; ssh $i "ncli cluster get-cvm-security-config"; done

Check SCMA Status

View SCMA schedule and status:

bash
ncli cluster get-cvm-security-config | grep -i schedule

Lock Status Issues

If security configuration is locked and changes are needed:

bash
ncli cluster edit-cvm-security-params enable-lock-status=false

Note: Contact Nutanix Support to unlock if enabled.

CAC Authentication Issues

Ensure port 9441 is open in your firewall for CAC client authentication:

bash
sudo iptables -L -n | grep 9441

Summary

This wraps up our 3-part Nutanix AOS 7.5 security hardening series. We covered STIG compliance and SCMA in Part 1, cluster lockdown and encryption in Part 2, and IAM with troubleshooting here in Part 3. Together, these configurations provide enterprise-grade security aligned with NIS2 and DORA compliance requirements. Regular STIG compliance reports and security audits will help maintain your security posture over time.