VCF Password Management

 

VMware Cloud Foundation provides the ability to manage passwords for logical and physical entities on all racks in your system. The process of password rotation generates randomized passwords for the selected accounts.

You can change passwords for the following entities:

  • ESXi
  • vCenter / PSC
  • NSX Manager
  • NSX Edges
  • Internal backup account
 
SDDC Manager Log In

Log in to SDDC Manager

Once the browser has launched follow these steps to log in.

  1. Open SDDC Manager FQDN using your browser
  2. In the User name box enter: administrator@vsphere.local
  3. In the Password box enter: PASSWORD
  4. Click the LOGIN button
 
Password Update

Once logged into the SDDC Manager interface:

  1. Click Security
  2. Click Password Management
  3. Check the box for the root account on host esxi-1.vcf.sddc.lab
  4. Click the three vertical dots for the user root on host esxi-1.vcf.sddc.lab
  5. Select UPDATE
 
Enter Updated Password

Once the Update Password dialog box is open, fill in the password you would like it changed to.

  1. Enter PASSOWRD as the password
  2. Click UPDATE

With the password update you will be prompted to update the Autofill in the browser.

1. Click the Not now button.

 
Monitor the Task

Monitor the progress of the task by opening the Tasks window in the lower left and

  1. Tasks link
  2. Clicking the REFRESH link.
 
Login to ESXi to Validate the Password Change

Once the page opens use the following credentials to validate the password change was successful.

  1. Fill in the values:
    • Username: root
    • Password: PASSWORD (or the password you supplied in the previous step when changing the root user password)
  2. Click the Log in button

A successful login shows that the password was updated for the root account on this host.

Log Out and Close Tab

  1. Click on root@esxi-1.vcf.sddc.lab
  2. Click Log out
 
Password Rotation

The other option is to rotate instead of update. We can test this by navigating back to the first tab for SDDC Manager

  1. Click Security
  2. Click Password Management
  3. Select the three vertical dots next to root for host esxi-1.vcf.sddc.lab
  4. Select Rotate Password

Rotate

  1. Click the ROTATE button again in the confirmation pop-up dialog box.

This will rotate the password to a randomly generated password that will be stored in the SDDC Manager database.

Validate the Password Rotation

There are two ways to look up the password once it has been rotated. You may either (1) SSH into the SDDC Manager and follow the admin guide and use the lookup_passwords command. This requires SSH access to the host or (2) Use the API to look up the credentials. We will do the latter in this exercise.

  1. Navigate to Developer Center
  2. Click the API Explorer tab
  3. Expand the Credentials API category
  4. Expand GET /v1/credentials
 
Execute Credentials API

  1. Enter the resourceName esxi-1.vcf.sddc.lab
  2. Click EXECUTE
 
Locate New Password

  1. Expand PageOfCredential
  2. Expand the second Credential(GUID)
  3. Confirm the username is root
  4. View and Copy(exclude the quotes) the password. Your password will be different than what is listed above.
 
Login to ESXi
 

Once the page opens use the following credentials to validate that the password change was successful

  1. Enter:
    • Username: root
    • Password: <password copied from previous step> (this is the password that is in your developer center)
  2. Clicking the Log In button allows us to see that the password rotation was successful.
 
Conclusion

Now have a good understanding of how you can leverage SDDC manager to update or rotate your passwords across all of the VCF components. This is critical feature to maintain secure access for your Workload Domains.

Related Posts

Scroll to Top