Configure the Local User Password Complexity Policy for NSX Edge

Define the password format requirements for local users on the NSX Edge appliance in VMware Cloud Foundation.
Setting   Default Value   Description
minlen    15              Minimum password length.
                          If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager.
lcredit   -1              Maximum number of lowercase characters that will generate a credit
ucredit   -1              Maximum number of uppercase characters that will generate a credit
dcredit   -1              Maximum number of digits that will generate a credit
ocredit   -1              Maximum number of other characters that will generate a credit
difok     0               Minimum number of characters that must be different from the old password
retry     3               Maximum number of retries

UI Procedure

  1. If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
    1. Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
    2. In the VMs and templates inventory, navigate to and expand the VM folder containing the NSX Edge cluster for the workload domain.
    3. Select the first node of the NSX Edge cluster and click Launch web console.
  2. If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
  3. Log in to the NSX Edge node as root.
  4. Back up the password requirements for the appliance using the following command.
    cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back
  5. Verify that all settings for configuring password requirements for SDDC Manager users are added in the /etc/pam.d/common-password file.
    #
    # /etc/pam.d/common-password - password-related modules common to all services
    #
    # here are the per-package modules (the "Primary" block)
    password requisite pam_cracklib.so retry=3 minlen=12 difok=0 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
    password required pam_pwhistory.so use_authtok enforce_for_root remember=0
    password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
    # here's the fallback if no module succeeds
    password requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    password required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    # end of pam-auth-update config
  6. If some settings are missing in the /etc/pam.d/common-password file, add them manually.
  7. Set these settings according to the requirements of your organization using the following commands.
    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
  8. Repeat this procedure on the remaining NSX Edge cluster nodes in the workload domain.
  9. Repeat this procedure on all NSX Edge clusters in the remaining workload domains.
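To check the outcome of steps 5 to 7 on a node before moving to the next one, the following shell script is an added example and is not part of the VMware Cloud Foundation documentation or of NSX. It assumes the pam_cracklib line has the form shown in step 5, takes the file to audit as an argument instead of touching /etc/pam.d directly, and uses two constructed sample files; the helper names pam_opt and check_pam_policy are the example's own.

```shell
#!/bin/sh
# Added example (not from the VMware Cloud Foundation documentation): audit the
# pam_cracklib line of a PAM common-password file against the complexity
# baseline from the settings table above. Both sample files are constructed here.

# Print the value of one key=value option on the pam_cracklib line of file $1,
# or "unset" when the option is absent.
pam_opt() {
    file=$1
    key=$2
    line=$(grep -E '^password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so' "$file" | head -n 1)
    val=$(printf '%s\n' "$line" | tr -s '[:space:]' '\n' | grep -E "^${key}=" | head -n 1 | cut -d= -f2)
    if [ -z "$val" ]; then
        echo unset
    else
        echo "$val"
    fi
}

# Compare every setting of file $1 with the baseline. Prints one line per
# violation and returns 0 only when the file is compliant.
check_pam_policy() {
    f=$1
    rc=0
    v=$(pam_opt "$f" minlen)
    [ "$v" != unset ] && [ "$v" -ge 15 ] || { echo "minlen=$v (baseline: at least 15)"; rc=1; }
    # For pam_cracklib a negative *credit value is a required minimum count of that
    # character class; a positive value is only a length credit and requires nothing.
    for k in lcredit ucredit dcredit ocredit; do
        v=$(pam_opt "$f" "$k")
        [ "$v" != unset ] && [ "$v" -le -1 ] || { echo "$k=$v (baseline: -1)"; rc=1; }
    done
    v=$(pam_opt "$f" difok)
    [ "$v" != unset ] && [ "$v" -ge 0 ] || { echo "difok=$v (baseline: 0)"; rc=1; }
    v=$(pam_opt "$f" retry)
    [ "$v" != unset ] && [ "$v" -le 3 ] || { echo "retry=$v (baseline: at most 3)"; rc=1; }
    # Without enforce_for_root the module only warns when root sets a weak password.
    grep -qE '^password[[:space:]]+requisite[[:space:]]+pam_cracklib\.so.*enforce_for_root' "$f" \
        || { echo "enforce_for_root missing (policy not enforced for root)"; rc=1; }
    return $rc
}

# Constructed samples: one file matching the baseline, one showing the drift an
# audit should catch (shorter length, a positive credit, more retries, no root enforcement).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/compliant" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=15 difok=0 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password required pam_pwhistory.so use_authtok enforce_for_root remember=0
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
EOF
cat > "$tmp/weak" <<'EOF'
password requisite pam_cracklib.so retry=5 minlen=8 difok=0 lcredit=1 ucredit=-1 dcredit=-1 ocredit=-1
password required pam_pwhistory.so use_authtok remember=0
EOF

check_pam_policy "$tmp/compliant" && echo "compliant: OK"
check_pam_policy "$tmp/weak" || echo "weak: violations found"
```

On a node, run check_pam_policy against /etc/pam.d/common-password after the sed edits of step 7; a non-zero return or any printed line means the file still differs from the intended policy. The audit treats any *credit value above -1 as a violation because pam_cracklib only counts a positive value as a length credit, not as a requirement, and it checks enforce_for_root because without it the root password is exempt from the checks.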

PowerShell Procedure

You can use the PowerShell command for configuring the password complexity policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX documentation.
  1. Start PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    $minLength = "15"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumerical = "-1"
    $minSpecial = "-1"
    $minUnique = "0"
    $maxRetry = "3"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-NsxtEdgePasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry
  4. Repeat this procedure for all NSX Edge clusters in the remaining workload domains.