Configuring Password Complexity Policies in VMware Cloud Foundation

A password complexity policy defines the minimum requirements for the definition of an account's password. The settings differ according to the account type and the component of the VMware Cloud Foundation instance.
Management Component: ESXi
Scope: Local user
Password Complexity Settings:
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum unique passwords before reuse

Management Component: vCenter Single Sign-On
Scope: vCenter Single Sign-On domain
Password Complexity Settings:
  • Minimum length
  • Maximum length
  • Minimum alphabetic characters
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Maximum consecutive identical characters
  • Minimum unique passwords before reuse

Management Component: vCenter Server
Scope: Local user
Password Complexity Settings:
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum unique passwords before reuse

Management Component: NSX Manager
Scope: Local user
Password Complexity Settings:
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum characters different from the old password

Management Component: NSX Edge
Scope: Local user
Password Complexity Settings:
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum characters different from the old password

Management Component: SDDC Manager
Scope: Local user
Password Complexity Settings:
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum characters different from the old password
  • Minimum unique passwords before reuse

Configure the Local User Password Complexity Policy for ESXi

Define the requirements for local user passwords for the ESXi hosts in VMware Cloud Foundation, including required password length, character class requirements, or allowing passphrases.

Setting                          Default Value
Security.PasswordHistory         0
Security.PasswordQualityControl  retry=3 min=disabled,disabled,disabled,7,7

For information about the format of the Security.PasswordQualityControl setting, see ESXi Passwords and Account Lockout in the vSphere Security documentation.

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the Hosts and clusters inventory, expand the management domain vCenter Server tree and expand the management domain data center.
  3. Expand the management domain cluster.
  4. Select the first ESXi host and click the Configure tab.
  5. In the System section, click Advanced system settings.
  6. On the Advanced system settings page, click Edit.
  7. In the key filter text box, enter Security.PasswordHistory and configure the setting according to the requirements of your organization.
  8. In the key filter text box, enter Security.PasswordQualityControl, enter values for the setting according to the requirements of your organization, and click OK.
  9. Repeat this procedure on all remaining hosts in the cluster.
  10. Repeat this procedure on all remaining clusters in the management domain.
  11. Repeat this procedure for all VI workload domains and their clusters.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $cluster = "sfo-m01-cl01"
    $policy = "retry=3 min=disabled,disabled,disabled,7,7"
    $history = "3"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-EsxiPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -policy $policy -history $history
  4. Repeat this procedure on all remaining clusters in the management domain.
  5. Repeat this procedure for all VI workload domains and their clusters.
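The value of Security.PasswordQualityControl is easier to reason about when you can test candidate passwords against it before rolling a policy out to every host. The following script is an added example, not VMware code and not part of the procedure above. It parses a "retry=N min=N0,N1,N2,N3,N4" string and reports whether a password passes. The field meanings it assumes follow the pam_passwdqc convention that the vSphere Security documentation describes for this setting: N0 applies to passwords built from one character class, N1 to two classes, N2 to passphrases, N3 to three classes and N4 to four classes, with "disabled" rejecting that category; a leading uppercase letter and a trailing digit do not count toward their class, and a passphrase needs at least three words. The function names, the two policy strings and the sample passwords are constructed for the example.

```shell
#!/bin/sh
# Added example, not VMware code: evaluate a candidate password against an ESXi
# Security.PasswordQualityControl value of the form "retry=N min=N0,N1,N2,N3,N4".
# Assumed field meanings (pam_passwdqc convention as described in the vSphere
# Security documentation):
#   N0 = one character class, N1 = two classes, N2 = passphrase,
#   N3 = three classes, N4 = four classes; "disabled" rejects that category.
# Classes are lowercase, uppercase, digits and other. A leading uppercase letter
# and a trailing digit do not count toward their class.
LC_ALL=C; export LC_ALL

# Print field $2 (0-based) of the min= list in policy string $1.
pqc_min_field() {
    printf '%s\n' "$1" | sed -n 's/.*min=\([^ ]*\).*/\1/p' | cut -d, -f"$(( $2 + 1 ))"
}

# Print the retry= value of policy string $1.
pqc_retry() {
    printf '%s\n' "$1" | sed -n 's/.*retry=\([0-9]*\).*/\1/p'
}

# Print how many character classes password $1 uses.
pqc_count_classes() {
    stripped=$(printf '%s\n' "$1" | sed -e 's/^[A-Z]//' -e 's/[0-9]$//')
    n=0
    printf '%s\n' "$stripped" | grep -q '[a-z]' && n=$((n + 1))
    printf '%s\n' "$stripped" | grep -q '[A-Z]' && n=$((n + 1))
    printf '%s\n' "$stripped" | grep -q '[0-9]' && n=$((n + 1))
    printf '%s\n' "$stripped" | grep -q '[^A-Za-z0-9]' && n=$((n + 1))
    echo "$n"
}

# Return 0 if password $2 satisfies policy $1, 1 otherwise; print the verdict.
pqc_check() {
    policy=$1
    pw=$2
    len=${#pw}
    classes=$(pqc_count_classes "$pw")
    case $classes in
        0|1) idx=0 ;;
        2)   idx=1 ;;
        3)   idx=3 ;;
        *)   idx=4 ;;
    esac
    limit=$(pqc_min_field "$policy" "$idx")
    if [ "$limit" != disabled ] && [ "$len" -ge "$limit" ]; then
        echo "accept: $classes-class password, length $len >= $limit"
        return 0
    fi
    # A passphrase of at least three words is judged by N2 instead.
    words=$(printf '%s\n' "$pw" | wc -w | tr -d ' ')
    if [ "$words" -ge 3 ]; then
        limit2=$(pqc_min_field "$policy" 2)
        if [ "$limit2" != disabled ] && [ "$len" -ge "$limit2" ]; then
            echo "accept: $words-word passphrase, length $len >= $limit2"
            return 0
        fi
        echo "reject: passphrase needs N2=$limit2, $classes-class password needs N$idx=$limit (length $len)"
        return 1
    fi
    if [ "$limit" = disabled ]; then
        echo "reject: $classes-class passwords are disabled by policy"
    else
        echo "reject: $classes-class password needs at least $limit characters, got $len"
    fi
    return 1
}

# Constructed policies: the documented default, and one that enables passphrases.
DEFAULT_POLICY="retry=3 min=disabled,disabled,disabled,7,7"
PASSPHRASE_POLICY="retry=3 min=disabled,disabled,16,7,7"

# Stand-alone demonstration with constructed sample passwords.
for candidate in 'Passw0rd!' 'password' 'pass1' 'correct horse battery staple'; do
    pqc_check "$DEFAULT_POLICY" "$candidate" || true
done
pqc_check "$PASSPHRASE_POLICY" 'correct horse battery staple' || true
```

Note how "pass1" is rejected under the default policy: the trailing digit does not count, so it is a one-class password and N0 is disabled. The passphrase only passes once N2 is set to a number.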

Configure the Password Complexity Policy for vCenter Single Sign-On

Define the password format requirements for the vCenter Single Sign-On built-in identity provider for VMware Cloud Foundation.

The password complexity policy applies only to user accounts in the vsphere.local domain of the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system accounts or to administrator@vsphere.local.

Setting                        Default Value
Restrict reuse                 5
Maximum length                 20
Minimum length                 8
Special characters             1
Alphabetic characters          2
Uppercase characters           1
Lowercase characters           1
Numeric characters             1
Identical adjacent characters  1

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. From the vSphere Client Menu, select Administration.
  3. In the Single Sign On section, click Configuration.
  4. On the Configuration page, click the Local accounts tab.
  5. In the Password policy section, click Edit.
  6. Modify the settings according to the requirements of your organization and click Save.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $minLength = "8"
    $maxLength = "20"
    $minAlphabetic = "2"
    $minLowercase = "1"
    $minUppercase = "1"
    $minNumerical = "1"
    $minSpecial = "1"
    $maxIdenticalAdjacent = "1"
    $history = "5"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-SsoPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -maxLength $maxLength -minAlphabetic $minAlphabetic -minLowercase $minLowercase -minUppercase $minUppercase -minNumeric $minNumerical -minSpecial $minSpecial -maxIdenticalAdjacent $maxIdenticalAdjacent -history $history

Configure the Local User Password Complexity Policy for vCenter Server

Define the password format requirements for the local users of the vCenter Server appliances in VMware Cloud Foundation, such as the root account.

Setting   Default Value  Description
minlen    6              Minimum password length
lcredit   -1             Maximum number of lowercase characters that will generate a credit
ucredit   -1             Maximum number of uppercase characters that will generate a credit
dcredit   -1             Maximum number of digits that will generate a credit
ocredit   -1             Maximum number of other characters that will generate a credit
difok     4              Minimum number of characters that must be different from the old password
remember  5              Maximum number of passwords the system remembers

UI Procedure

  1. Log in to the vCenter Server appliance for the management domain using SSH as root.
  2. Enable shell access.
    shell
  3. Back up the password requirements for the appliance by using the following command.
    cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
  4. Set these settings according to the requirements of your organization using the following commands.
    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
  5. Repeat this procedure on each VI workload domain vCenter Server.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $minLength = "6"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumeric = "-1"
    $minSpecial = "-1"
    $minUnique = "4"
    $history = "5"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-VcenterPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumeric -minSpecial $minSpecial -minUnique $minUnique -history $history
  4. Repeat this procedure for all VI workload domains.

Configure the Local User Password Complexity Policy for NSX Manager

Define the password format requirements for local users of the NSX Manager appliances in VMware Cloud Foundation.

Setting   Default Value  Description
minlen    15             Minimum password length. If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager.
lcredit   -1             Maximum number of lowercase characters that will generate a credit
ucredit   -1             Maximum number of uppercase characters that will generate a credit
dcredit   -1             Maximum number of digits that will generate a credit
ocredit   -1             Maximum number of other characters that will generate a credit
difok     0              Minimum number of characters that must be different from the old password
retry     3              Maximum number of retries

UI Procedure

  1. Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.
  2. Expand the VM folder containing the NSX Manager cluster for the management domain.
  3. Select the first node of the NSX Manager cluster and click Launch web console.
  4. Log in to the NSX Manager node as root.
  5. Back up the password requirements for the appliance using the following command.
    cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back
  6. Set these settings according to the requirements of your organization using the following commands.
    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
  7. Repeat this procedure on the remaining NSX Local Manager nodes for the management domain.
  8. Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
  9. Repeat this procedure on all NSX Global Manager nodes.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $minLength = "15"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumerical = "-1"
    $minSpecial = "-1"
    $minUnique = "0"
    $maxRetry = "3"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-NsxtManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry
  4. Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
  5. Configure the password complexity policies on all NSX Global Manager clusters manually in the appliance console of each node.

Configure the Local User Password Complexity Policy for NSX Edge

Define the password format requirements for local users on the NSX Edge appliance in VMware Cloud Foundation.

Setting   Default Value  Description
minlen    15             Minimum password length. If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager.
lcredit   -1             Maximum number of lowercase characters that will generate a credit
ucredit   -1             Maximum number of uppercase characters that will generate a credit
dcredit   -1             Maximum number of digits that will generate a credit
ocredit   -1             Maximum number of other characters that will generate a credit
difok     0              Minimum number of characters that must be different from the old password
retry     3              Maximum number of retries

UI Procedure

  1. If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
    1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
    2. In the VMs and templates inventory, expand the management domain vCenter Server tree and expand the management domain data center.
    3. Expand the VM folder containing the NSX Edge cluster for the management domain.
    4. Select the first node of the NSX Edge cluster and click Launch web console.
  2. If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
  3. Log in to the NSX Edge node as root.
  4. Back up the password requirements for the appliance using the following command.
    cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back
  5. Set these settings according to the requirements of your organization using the following commands.
    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
  6. Repeat this procedure on the remaining NSX Edge cluster nodes in the management domain.
  7. Repeat this procedure on all NSX Edge clusters in the VI workload domains.

PowerShell Procedure

You can use the PowerShell command for configuring the password complexity policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX-T Data Center documentation.
  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $minLength = "15"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumerical = "-1"
    $minSpecial = "-1"
    $minUnique = "0"
    $maxRetry = "3"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-NsxtEdgePasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry
  4. Repeat this procedure for all NSX Edge clusters in the VI workload domains.

Configure the Local User Password Complexity Policy for SDDC Manager

Define the password format requirements for local users of the SDDC Manager appliance.

Setting      Default Value  Description
minlen       8              Minimum password length
lcredit      -1             Maximum number of lowercase characters that will generate a credit
ucredit      -1             Maximum number of uppercase characters that will generate a credit
dcredit      -1             Maximum number of digits that will generate a credit
ocredit      -1             Maximum number of other characters that will generate a credit
minclass     4              Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other)
difok        4              Minimum number of characters that must be different from the old password
retry        3              Maximum number of retries
maxsequence  0              Maximum number of times a single character may be repeated
remember     5              Maximum number of passwords the system remembers

UI Procedure

  1. Log in to the SDDC Manager appliance using SSH as vcf.
  2. Change to the root user.
    su -
  3. Back up the password requirements using the following command.
    cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
  4. Set these settings according to the requirements of your organization using the following commands.
    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
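The sed edits in the vCenter Server, NSX Manager, NSX Edge and SDDC Manager procedures share one weakness: "sed -i s/key=.../" exits 0 whether or not it matched anything, so a mistyped path or a key that the file does not set leaves the policy unchanged without any error. The following helper is an added example, not VMware code and not part of any of the procedures; it wraps the same substitution with an integer check on the value, a refusal when the key is absent, the same timestamped backup the procedures take, and a read-back so the caller can verify the result. The function names are invented for the example, and the sample pam file it writes is constructed to mimic only the key=value layout of the lines the procedures edit; run it against a real appliance file only after confirming the key is present there.

```shell
#!/bin/sh
# Added example, not VMware code: checked replacement for the bare sed edits
# used in the appliance procedures. The sample file below is constructed and
# only resembles the key=value layout of the lines those procedures edit.
LC_ALL=C; export LC_ALL

# Print the current value of key $2 in file $1 (prints nothing if absent).
pam_get_option() {
    sed -n -E "s/.*[[:space:]]$2=(-?[0-9]+).*/\1/p" "$1" | head -n 1
}

# Copy file $1 to a timestamped .back file next to it, as the procedures do.
pam_backup() {
    cp -p "$1" "$1-$(date +%F_%H:%M:%S).back"
}

# Set key $2 to signed-integer value $3 in file $1.
# Returns 1 for a bad value or a missing key, 0 once the file carries the value.
pam_set_option() {
    file=$1; key=$2; value=$3
    case $value in
        ''|-|*[!0-9-]*|?*-*)
            echo "pam_set_option: $key needs an integer, got '$value'" >&2
            return 1 ;;
    esac
    if [ -z "$(pam_get_option "$file" "$key")" ]; then
        echo "pam_set_option: $key is not set in $file, nothing changed" >&2
        return 1
    fi
    # Same substitution shape as the procedures, anchored on the leading space
    # so that "credit" can never match inside "lcredit" or "ucredit".
    sed -i -E "s/([[:space:]])$key=-?[0-9]+/\1$key=$value/g" "$file"
    [ "$(pam_get_option "$file" "$key")" = "$value" ]
}

# Print every known key that file $1 sets, one key=value per line.
pam_show_policy() {
    for key in minlen lcredit ucredit dcredit ocredit minclass difok retry maxsequence remember; do
        value=$(pam_get_option "$1" "$key")
        [ -n "$value" ] && echo "$key=$value"
    done
    return 0
}

# Write the constructed sample file to path $1.
pam_write_sample() {
    printf '%s\n' \
        'password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 difok=4 retry=3' \
        'password required pam_unix.so sha512 shadow use_authtok remember=5' > "$1"
}

# Stand-alone demonstration in a temporary directory.
demo_dir=$(mktemp -d)
demo_file=$demo_dir/common-password
pam_write_sample "$demo_file"
pam_backup "$demo_file"
pam_set_option "$demo_file" minlen 15
pam_set_option "$demo_file" difok 4
# maxsequence is not in the sample file, so this call reports failure instead
# of silently succeeding the way a plain sed substitution would.
pam_set_option "$demo_file" maxsequence 0 || echo "demo: maxsequence was refused as expected"
pam_show_policy "$demo_file"
rm -rf "$demo_dir"
```

The final read-back in pam_set_option is the part worth keeping even if you prefer the one-line sed commands: after each edit, grep the key out of the file and compare it with the value you intended, rather than trusting the exit status of sed.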

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    # Replace with the name of your management domain
    $sddcDomainName = "sfo-m01"
    $rootPass = "VMw@re1!"
    $minLength = "6"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumerical = "-1"
    $minSpecial = "-1"
    $minUnique = "4"
    $minClass = "4"
    $maxSequence = "0"
    $history = "5"
    $maxRetry = "3"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-SddcManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -minClass $minClass -maxSequence $maxSequence -history $history -maxRetry $maxRetry