Rotate Passwords
As a security measure, you can rotate passwords for the components in your VMware Cloud Foundation instance. The process of password rotation generates randomized passwords for the selected accounts. You can rotate passwords manually or set up auto-rotation for accounts managed by SDDC Manager.
- Verify that there are no currently failed workflows in SDDC Manager. To check for failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom of the page.
- Verify that no active workflows are running or are scheduled to run during the brief time period that the password rotation process is running. It is recommended that you schedule password rotation for a time when you expect to have no running workflows.
- Only a user with the ADMIN role can perform this task.
You can rotate passwords for the following accounts.
- VxRail Manager
- ESXi
  Auto-rotate is not supported for ESXi.
- vCenter Server
  By default, the vCenter Server root password expires after 90 days.
  Auto-rotate is automatically enabled for vCenter Server service accounts. It may take up to 24 hours to configure the service account auto-rotate policy for a newly deployed vCenter Server.
- vSphere Single-Sign On (PSC)
- NSX Edge nodes
- NSX Manager
- vRealize Suite Lifecycle Manager
- vRealize Log Insight
- vRealize Operations
- vRealize Automation
- Workspace ONE Access
  For Workspace ONE Access passwords, the password rotation method varies depending on the user account. See the table below for details.
- SDDC Manager backup user
Workspace ONE Access User Account | vRealize Suite Lifecycle Manager Locker Entry | Password Rotation Method | Password Rotation Scope |
---|---|---|---|
admin (443) | xint-wsa-admin | SDDC Manager Password Rotation | Application |
admin (8443) | xint-wsa-admin | vRealize Suite Lifecycle Manager Global Environment | Per node |
configadmin (443) | xint-wsa-configadmin | | Application |
sshuser | global-env-admin | vRealize Suite Lifecycle Manager Global Environment | Per node |
root (ssh) | xint-wsa-root | SDDC Manager Password Rotation | Per node |
The default password policy for rotated passwords requires:
- 20 characters in length
- At least one uppercase letter, a number, and one of the following special characters: ! @ # $ ^ *
- No more than two of the same characters consecutively
If you changed the vCenter Server password length using the vSphere Client or the ESXi password length using the VMware Host Client, rotating the password for those components from SDDC Manager generates a password that complies with the password length that you specified.
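The default policy above can be expressed as a checker, which is useful when auditing passwords that were set manually against the rules that rotated passwords follow. This is an added example, not SDDC Manager's own generator; it assumes lowercase letters are allowed, treats "20 characters in length" as an exact length, and the function names are hypothetical.

```python
import re
import secrets
import string

SPECIALS = "!@#$^*"      # special characters listed in the policy above
DEFAULT_LENGTH = 20      # default; a changed component length setting overrides it
# Assumption: lowercase letters are permitted (the page does not say).
ALPHABET = string.ascii_letters + string.digits + SPECIALS


def policy_violations(password, length=DEFAULT_LENGTH):
    """Return the policy rules the password breaks (empty list if compliant)."""
    problems = []
    if len(password) != length:
        problems.append(f"length is {len(password)}, expected {length}")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in password):
        problems.append("no number")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character from " + SPECIALS)
    # "No more than two of the same characters consecutively":
    # any character followed by two copies of itself is a violation.
    if re.search(r"(.)\1\1", password):
        problems.append("more than two identical characters in a row")
    return problems


def generate_password(length=DEFAULT_LENGTH):
    """Draw candidates from a CSPRNG and reject until one is compliant."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate, length):
            return candidate


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    for sample in ("Aq3!xT9#mLp2$Zk7^Bw5", "Aaaa3!xT9#mLp2$Zk7^B", "short1A!"):
        print(sample, "->", policy_violations(sample) or "compliant")
    print("generated:", generate_password())
```

Pass the component's configured length as the second argument when the vCenter Server or ESXi password length was changed from the default.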
To update the SDDC Manager root, super user, and API passwords, see Updating SDDC Manager Passwords.
- In the navigation pane, click.
- Click the tab for the component that includes the accounts for which you want to rotate a password. For example, ESXI.
- Select one or more accounts and click one of the following operations.
  - Rotate Now
  - Schedule Rotation
    You can set the password rotation interval (30 days, 60 days, or 90 days). You can also deactivate the schedule.
    The auto-rotate schedule is configured to run at midnight on the scheduled date. If auto-rotate cannot start because of a technical issue, it retries automatically every hour until the start of the next day. If a scheduled rotation is missed because of technical issues, the UI displays a global notification with the failed task status. You can also check the status of the scheduled rotation in the Tasks panel.
A message appears at the top of the page showing the progress of the operation. The Tasks panel also shows detailed status for the password rotation operation. To view sub-tasks, click the task name. As each of these tasks is run, the status is updated. If the task fails, you can click Retry.
Password rotation is complete when all sub-tasks are completed successfully.