VMware Cloud Foundation 4.5

5.2 5.1 5.0 4.5
Deutsch Français Italiano 日本語 English

Configuring Password Expiration Policies in
VMware Cloud Foundation

A password expiration policy defines the period of time an account’s password can be used before the system enforces a password change. According to the management component of the
VMware Cloud Foundation
 instance, you define this policy at the global level or at a local user level.
Management Component
Password Expiration Settings
Scope
ESXi
Password expiration interval (days)
Local users
vCenter Single Sign-On
Password expiration interval (days)
Global
vCenter Server
  • Password expiration interval (days)
  • Password expiration reminder (days)
  • Expiry notification email address
  • Global
  • Local users
NSX Manager
Password expiration interval (days)
Local users
NSX Edge
Password expiration interval (days)
Local users
SDDC Manager
  • Password expiration interval (days)
  • Password expiration reminder (days)
Local users

Configure the Local User Password Expiration Policy for ESXi

Define the interval of time before the password of a local user on an ESXi host in
VMware Cloud Foundation
 expires and a change is enforced.
Setting
Default Value
Security.PasswordMaxDays
99999

Prerequisites

If you plan to reduce the expiration period of a local account's password, rotate the password of the account by using SDDC Manager. See Rotate Passwords.
The password expiration date is determined by adding the password expiration period to the date of the last password change. If the time since the last password change is greater than the new expiration period, the password expires immediately.

UI Procedure

  1. Log in to the management domain vCenter Server at
    https://<management_vcenter_server_fqdn>/ui
     by using an account with
    Administrator
     privileges.
  2. In the
    Hosts and clusters
     inventory, expand the management domain vCenter Server tree and expand the management domain data center.
  3. Expand the default management vSphere cluster.
  4. Select the first ESXi host and click the
    Configure
     tab.
  5. In the
    System
     section, click
    Advanced system settings
    .
  6. On the
    Advanced system settings
     page, click
    Edit
    .
  7. In the key filter text box, enter
    Security.PasswordMaxDays
    , enter a value for the setting according to the requirements of your organization, and click
    OK
    .
  8. Repeat this procedure on the remaining hosts in the cluster.
  9. Repeat this procedure on the remaining clusters in the management domain.
  10. Repeat this procedure on all clusters in the VI workload domains.

PowerShell Procedure

  1. Start the Windows PowerShell console.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"
$cluster = "sfo-m01-cl01"

$maxDays = "99999"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-EsxiPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -maxDays $maxDays
  4. Repeat this procedure for all remaining clusters in the management domain.
  5. Repeat this procedure for all VI workload domains and their clusters.

Configure the Password Expiration Policy for vCenter Single Sign-On

Define the interval of time before the password of a user account in the
vsphere.local
 domain in
VMware Cloud Foundation
 expires and a change is enforced.
The password expiration policy applies only to the user accounts in the
vsphere.local
 domain for the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system accounts and
administrator@vsphere.local
.
SDDC Manager creates dedicated service accounts within the vCenter Single Sign-On built-in identity provider. Changing the password expiration policy affects these service accounts too.
Setting
Default Value
Maximum lifetime
90

UI Procedure

  1. Log in to the management domain vCenter Server at
    https://<management_vcenter_server_fqdn>/ui
     by using an account with
    Administrator
     privileges.
  2. From the vSphere Client Menu, select
    Administration
    .
  3. In the
    Single sign on
     section, click
    Configuration
    .
  4. On the
    Configuration
     page, click the
    Local accounts
     tab.
  5. In the
    Password policy
     section, click
    Edit
  6. Enter a value for the
    Maximum lifetime
     setting according to the requirements of your organization and click
    Save
    .

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxDays = "90"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-SsoPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxDays $maxDays

Configure the Global Password Expiration Policy for vCenter Server

Define globally the interval of time before the passwords of the local user accounts on a vCenter Server appliance in
VMware Cloud Foundation
 expire and a change is enforced.
Setting
Default Value
Maximum number of days between password change
90
Minimum number of days between password change
0
Number of days of warning before password expires
7
You can configure the global password expiration policy for vCenter Server only by using the API.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxDays = "90"
$minDays = "0"
$warningDays = "7"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-VcenterPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxDays $maxDays -minDays $minDays -warnDays $warningDays
  4. Repeat this procedures for all VI workload domains.

Configure the root User Password Expiration Policy for vCenter Server

Define the interval of time before the password of the
root
 account of the vCenter Server appliances in
VMware Cloud Foundation
 expires and a change is enforced.
Setting
Default Value
Password validity (days)
90
Email for expiration warning
-
Number of days of warning before password expires
7

Prerequisites

Configure the target vCenter Server instance with an email send account under
Settings
General
 on the
Configure
 tab in the vSphere Client.

UI Procedure

  1. Log in to the vCenter Server Management Interface at
    https://<vcenter_server_fqdn>:5480
     as
    root
    .
  2. In the navigation pane, click
    Administration
    .
  3. In the
    Password expiration settings
     section, click
    Edit
    .
  4. Configure the settings according to the requirements of your organization and click
    Save
    .
  5. Log in to the vCenter Server appliance console using SSH as
    root
    .
  6. Enable shell access.
    shell
  7. Change the number of days of warning before password expires value using the following command.
    chage --warndays <your_value> root
  8. Repeat this procedure for all VI workload domains.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$email = "admin@rainpole.io"
$maxDays = "90"
$warningDays = "7"
  3. Perform the configuration by running the command in the PowerShell console. 
    Update-VcenterRootPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -email $email -maxDays $maxDays -warnDays $warningdays
  4. Repeat this procedure for all VI workload domains.

Configure the Local User Password Expiration Policy for NSX Manager

Configure the password expiration policy for NSX Manager local users in
VMware Cloud Foundation
. You configure the policy on a per-user basis for the built-in NSX accounts.
User
Setting
Default Value
root
Maximum number of days between password change
90
admin
Maximum number of days between password change
90
audit
Maximum number of days between password change
90
guestuser1
Maximum number of days between password change
90
guestuser2
Maximum number of days between password change
90

UI Procedure

  1. Log in to the management domain vCenter Server at
    https://<management_vcenter_server_fqdn>/ui
     by using an account with
    Administrator
     privileges.
  2. In the
    VMs and templates
     inventory, expand the management domain vCenter Server tree and expand the management domain data center.
  3. Expand the VM folder containing the NSX Manager cluster for the management domain.
  4. Select the first node of the NSX Manager cluster and click
    Launch web console
    .
  5. Log in to the NSX Manager node as
    admin
    .
  6. Change the maximum number of days between password change using the following command.
    set user root password-expiration <your_value>
    The change is replicated to the other nodes in the NSX Manager cluster.
  7. Repeat this procedure for the remaining local accounts.
  8. Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
  9. Repeat this procedure on all NSX Global Manager clusters.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxDays = "90"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-NsxtManagerPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxdays $maxDays
  4. Repeat this procedure for the NSX Local Manager clusters for all VI workload domains.
  5. Configure the password expiration policies on all NSX Global Manager clusters manually in the appliance console of the first node of each cluster.

Configure the Local User Password Expiration Policy for NSX Edge

Configure password expiration for NSX Edge local users in
VMware Cloud Foundation
. You configure it on a per-user basis for the built-in NSX accounts.
User
Setting
Default Value
root
Maximum number of days between password change
90
admin
Maximum number of days between password change
90
audit
Maximum number of days between password change
90
guestuser1
Maximum number of days between password change
90
guestuser2
Maximum number of days between password change
90

UI Procedure

  1. If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
    1. Log in to the management domain vCenter Server at
      https://<management_vcenter_server_fqdn>/ui
       by using an account with
      Administrator
       privileges.
    2. In the
      VMs and templates
       inventory, expand the management domain vCenter Server tree and expand the management domain data center.
    3. Expand the VM folder containing the NSX Edge cluster for the management domain.
    4. Select the first node of the NSX Edge cluster and click
      Launch web console
      .
  2. If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
  3. Log in to the NSX Edge node as
    admin
    .
  4. Change the maximum number of days between password change using the following command.
    set user root password-expiration <your_value>
  5. Repeat this procedure for the remaining local accounts.
  6. Repeat this procedure on the remaining NSX Edge nodes in the cluster of the management domain.
  7. Repeat this procedure on all NSX Edge clusters in the VI workload domains.

PowerShell Procedure

You can use the PowerShell command for configuring the password expiration policies only on the NSX Edge nodes in
VMware Cloud Foundation
 that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the
NSX-T Data Center documentation
.
  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxDays = "90"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-NsxtEdgePasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxdays $maxDays
  4. Repeat this procedure for all NSX Edge clusters in the VI workload domains.

Configure the Local User Password Expiration Policy for SDDC Manager

Configure password expiration for SDDC Manager on a per-user basis for local users.
User
Setting
Default Value
root
Maximum number of days between password change
90
Minimum number of days between password change
0
Number of days of warning before password expires
7
vcf
Maximum number of days between password change
90
Minimum number of days between password change
0
Number of days of warning before password expires
7
backup
Maximum number of days between password change
90
Minimum number of days between password change
0
Number of days of warning before password expires
7

UI Procedure

  1. Log in to the SDDC Manager appliance using SSH as
    vcf
    .
  2. Change to the
    root
     user.
    su -
  3. Change the maximum number of days between password change using the following command.
    chage --maxdays <your_value> root
  4. Change the minimum number of days between password change using the following command.
    chage --mindays <your_value> root
  5. Change the number of days of warning before password expires using the following command.
    chage --warndays <your_value> root
  6. Repeat this procedure for the remaining local accounts.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

# Replace with the name of your management domain
$sddcDomainName = "sfo-m01"

$vmName = "sfo-vcf01"
$guestuser = "root"
$guestPassword = "VMw@re1!”
$localUsers = @("root","vcf","backup")


$maxDays = "90"
$minDays = "0"
$warningDays = "7"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-LocalUserPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -vmName $vmName -guestUser $guestUser -guestPassword $guestPassword -localUser $localUsers -minDays $minDays -maxDays $maxDays -warnDays $warningDays

Content feedback and comments