By default, VMware Cloud Foundation uses vCenter Single Sign-On as the identity provider, with the system domain as its identity source. You can add LDAP- and OpenLDAP-based Active Directory as an identity source for vCenter Single Sign-On, or you can configure Microsoft ADFS, Okta, or Microsoft Entra ID as an external identity provider for VMware Cloud Foundation instead of using the vCenter Single Sign-On built into vCenter Server.
After you have configured the identity provider or added an identity source, you can add users and groups to VMware Cloud Foundation to give them access to the SDDC Manager UI as well as to the vCenter Server and NSX Manager instances deployed in the system. Users can then log in and perform different tasks depending on their assigned role (administrator, operator, or viewer).
Note that SDDC Manager manages only the users and groups of the management domain's SSO domain. If you create a VI workload domain that is not joined to the management domain's SSO domain but has its own standalone SSO domain, you must manage the users and groups of that SSO domain through the VI workload domain's vCenter Server (vSphere Client).
I. Understanding component account types
Navigate to SDDC Manager UI -> Security -> Password Management, where you can view all the component accounts managed by SDDC Manager. These account types consist primarily of user accounts (USER), system accounts (SYSTEM), and service accounts (SERVICE). The SERVICE account type is created automatically by VMware Cloud Foundation and is used for interactions between product components, while the other account types are typically local to the product components themselves.
The account type of the ESXi component.
The account type of the vCenter Server component.
The account type of the NSX component.
The account type of the SDDC Manager component.
II. Retrieving component user passwords
Once the component accounts in the VCF environment are managed by SDDC Manager, you can retrieve their credentials through SDDC Manager. This matters, for example, after you update or rotate the component user passwords and later need to access a component directly for maintenance or troubleshooting. Connect to the SDDC Manager CLI over SSH as the vcf user and retrieve the component user passwords with the lookup_passwords command.
Run the command and select the component type to get the passwords of the corresponding component users.
Run the command, authenticating as the SSO administrator user, to retrieve the user passwords of the ESXi components directly.
lookup_passwords -u administrator@ -p Vcf520@password -e ESXI -n 1 -s 20
Run the command, authenticating as the SSO administrator user, to retrieve the root user password of the vCenter Server component directly.
lookup_passwords -u administrator@ -p Vcf520@password -e VCENTER -n 1 -s 20
Run the command, authenticating as the SSO administrator user, to retrieve the SSO user password of the vCenter Server component directly.
lookup_passwords -u administrator@ -p Vcf520@password -e PSC -n 1 -s 20
Run the command, authenticating as the SSO administrator user, to retrieve the user passwords of the NSX components directly.
lookup_passwords -u administrator@ -p Vcf520@password -e NSXT_MANAGER -n 1 -s 20
Run the command, authenticating as the SSO administrator user, to retrieve the backup user password of the SDDC Manager component directly.
lookup_passwords -u administrator@ -p Vcf520@password -e BACKUP -n 1 -s 20
III. Managing component user passwords
By default, the user passwords of the components in the VCF environment have an expiration date. You can use the SoS utility on SDDC Manager to run a password health check, as shown below.
vcf@vcf-mgmt01-sddc01 [ ~ ]$ sudo /opt/vmware/sddc-support/sos --password-health
Welcome to Supportability and Serviceability(SoS) utility!
Performing SoS operation for vcf-mgmt01 domain components
Health Check : /var/log/vmware/vcf/sddc-support/healthcheck-2024-12-07-11-10-45-128001
Health Check log : /var/log/vmware/vcf/sddc-support/healthcheck-2024-12-07-11-10-45-128001/
NOTE : The Health check operation was invoked without --skip-known-host-check, additional identity checks will be included for Connectivity Health, Password Health and Certificate Health Checks because of security reasons.
SDDC Manager :
+-------------------------+-----------+
| Stage | Status |
+-------------------------+-----------+
| Bringup | Completed |
| Management Domain State | Completed |
+-------------------------+-----------+
+--------------------+---------------+
| Component | Identity |
+--------------------+---------------+
| SDDC-Manager | 192.168.32.70 |
| Number of Servers | 4 |
+--------------------+---------------+
Password Expiry Status : GREEN
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
| SL# | Component | User | Last Changed Date | Expiry Date | Expires in Days | State |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
| 1 | ESXI : | svc-vcf-vcf-mgmt01-esxi01 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 2 | ESXI : | svc-vcf-vcf-mgmt01-esxi02 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 3 | ESXI : | svc-vcf-vcf-mgmt01-esxi03 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 4 | ESXI : | svc-vcf-vcf-mgmt01-esxi04 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 5 | NSX : | admin | Sep 26, 2024 | Dec 25, 2024 | 18 days | GREEN |
| | | root | Sep 26, 2024 | Dec 25, 2024 | 18 days | GREEN |
| | | audit | Sep 26, 2024 | Dec 25, 2024 | 18 days | GREEN |
| 6 | SDDC : | vcf | Nov 12, 2024 | Nov 12, 2025 | 340 days | GREEN |
| | | root | Nov 12, 2024 | Feb 10, 2025 | 65 days | GREEN |
| | | backup | Nov 12, 2024 | Nov 12, 2025 | 340 days | GREEN |
| 7 | vCenter : | root | Sep 26, 2024 | Dec 25, 2024 | 17 days | GREEN |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
Legend:
GREEN - No attention required, health status is NORMAL
YELLOW - May require attention, health status is WARNING
RED - Requires immediate attention, health status is CRITICAL
Health Check completed successfully for : [VCF-SUMMARY, PASSWORD-CHECK]
vcf@vcf-mgmt01-sddc01 [ ~ ]$
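The SoS table above is the one consolidated view of credential expiry in the environment, so it is worth turning it into a check that can be run on a schedule. The following is an added example and is not part of the SoS utility or of the original post: it parses the password-health table (the sample input is constructed to match the column layout shown above) and lists the credentials that expire within a chosen number of days. When run on SDDC Manager it invokes the sos command from the post; elsewhere it falls back to the constructed sample. The report threshold and the fallback behaviour are the example's own choices.

```python
"""Flag soon-to-expire credentials in `sos --password-health` output.

Added example, not VMware code. The table layout mirrors the SoS output
shown in the post; SAMPLE_OUTPUT is a constructed excerpt of that layout.
"""
import os
import re
import subprocess
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: same seven columns as the SoS table. Continuation
# rows (second user of the same component) leave SL# and Component blank.
SAMPLE_OUTPUT = """\
Password Expiry Status : GREEN
+-----+-----------+---------------------------+-------------------+--------------+-----------------+-------+
| SL# | Component | User                      | Last Changed Date | Expiry Date  | Expires in Days | State |
+-----+-----------+---------------------------+-------------------+--------------+-----------------+-------+
| 1   | ESXI :    | svc-vcf-vcf-mgmt01-esxi01 | Dec 02, 2024      | Never        | Never           | GREEN |
|     |           | root                      | Dec 02, 2024      | Never        | Never           | GREEN |
| 5   | NSX :     | admin                     | Sep 26, 2024      | Dec 25, 2024 | 18 days         | GREEN |
|     |           | root                      | Sep 26, 2024      | Dec 25, 2024 | 18 days         | GREEN |
| 6   | SDDC :    | vcf                       | Nov 12, 2024      | Nov 12, 2025 | 340 days        | GREEN |
|     |           | root                      | Nov 12, 2024      | Feb 10, 2025 | 65 days         | GREEN |
| 7   | vCenter : | root                      | Sep 26, 2024      | Dec 25, 2024 | 17 days         | GREEN |
+-----+-----------+---------------------------+-------------------+--------------+-----------------+-------+
Legend:
"""

SOS_PATH = "/opt/vmware/sddc-support/sos"   # path used in the post


@dataclass
class CredentialStatus:
    component: str
    user: str
    expiry_date: str
    expires_in_days: Optional[int]   # None when SoS reports "Never"
    state: str


def parse_password_health(text: str) -> List[CredentialStatus]:
    """Return one record per table row, carrying the component name across
    continuation rows whose Component cell is blank."""
    rows: List[CredentialStatus] = []
    component = ""
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                                  # border, prose or legend line
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 7 or cells[0] == "SL#":
            continue                                  # header row or unexpected layout
        _, comp, user, _, expiry, expires_in, state = cells
        if comp:
            component = comp.rstrip(" :")             # "NSX :" -> "NSX"
        match = re.match(r"(\d+) days?", expires_in)
        days = int(match.group(1)) if match else None  # "Never" -> None
        rows.append(CredentialStatus(component, user, expiry, days, state))
    return rows


def expiring_within(rows: List[CredentialStatus], days: int) -> List[CredentialStatus]:
    """Credentials with a finite expiry that falls within `days`."""
    return [r for r in rows if r.expires_in_days is not None and r.expires_in_days <= days]


if __name__ == "__main__":
    threshold = int(sys.argv[1]) if len(sys.argv) > 1 else 30
    if os.path.exists(SOS_PATH):
        text = subprocess.run(["sudo", SOS_PATH, "--password-health"],
                              capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_OUTPUT                          # offline fallback
    for r in expiring_within(parse_password_health(text), threshold):
        print(f"{r.component:8} {r.user:28} expires {r.expiry_date} ({r.expires_in_days} days)")
```

Run it with the number of days to look ahead as the only argument; the SDDC Manager root account in the post's first table (65 days) would be reported with a 90-day threshold but not with the default 30.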
SDDC Manager can manage component user passwords through several operations: Update password, Rotate password, Schedule rotation, and Remediate password. Update password means "manually" setting a password of your choice for a given user. Rotate password means "automatically" generating a random password for one, several, or all users; rotation can also be scheduled, for example every 30, 60, or 90 days, so that the component passwords are rotated automatically. Remediate password is for the case where a component's password has already expired: the administrator must first update the password manually in the component itself and then remediate the password through SDDC Manager so that the credential stored by SDDC Manager is synchronized with the new one.
Note that scheduled rotation is not supported for the user passwords of ESXi components.
Click "Update Password" to manually set a new password for the component user.
Complete the update.
Use the lookup_passwords command to view the updated password.
Click "Rotate Passwords" and the system automatically generates a random password and updates the component's password with it.
Check the updated password again with the lookup_passwords command.
Click "Scheduling Rotation" to set up an automatic rotation schedule for a component's passwords; the rotation runs at midnight on the scheduled date. Disabling rotation scheduling returns password rotation to manual.
Note that in the current VCF 5.2.1 version, the UI does not seem to show the scheduling settings once rotation scheduling has been set; it should be visible in the previous version, but it can still be viewed in other ways.
As you may notice from the "Password Management" list, the only user listed for the SDDC Manager component is the backup account; the vcf and root users are not listed. If you need to update the passwords of the vcf and root users, you must SSH to the SDDC Manager CLI and update them with the passwd command, as shown in the following figure.
What if the passwords of the vcf and root users have already expired? Log in to vCenter Server (vSphere Client), locate the SDDC Manager virtual machine, and open its Web Console.
Then log in locally with the expired password and use the passwd command to update the root password and the vcf user password.
In addition to the users described above, the SDDC Manager component also has a local account (admin@local). The local account is typically used to access the VMware Cloud Foundation API; for example, when vCenter Server is shut down or has failed and the SSO administrator user (administrator@) is unavailable, this local account can still perform API operations independently of the SSO user.
The local account can update its own password through the API. Navigate to the API Explorer, enter "admin" to filter the API categories, and use the PATCH /v1/users/local/admin operation to update the local account's password. When the status shows "204, No Content" after execution, the update was successful.
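The same update can be scripted instead of being driven through the API Explorer, which is useful precisely in the scenario the post describes, when SSO is unavailable. The following is an added example and not VMware code. Beyond what the post shows (PATCH /v1/users/local/admin answering 204 No Content), it assumes the token endpoint POST /v1/tokens with a username/password JSON body returning an accessToken, and the request body field names oldPassword and newPassword, both taken from the published VCF API reference; SDDC_MANAGER_FQDN is a placeholder for your own SDDC Manager host. Passwords are read with getpass rather than passed on the command line so they do not land in shell history.

```python
"""Update the admin@local password of SDDC Manager via the VCF API.

Added example, not VMware code. Assumed beyond the post: POST /v1/tokens
(username/password -> accessToken) and the oldPassword/newPassword body of
PATCH /v1/users/local/admin, per the VCF API reference. The post states that
a 204 No Content response means the update succeeded.
"""
import getpass
import json
import ssl
import sys
import urllib.error
import urllib.request
from typing import Tuple

SDDC_MANAGER_FQDN = "sddc-manager.example.local"   # placeholder, not the post's host
JSON_HEADERS = {"Content-Type": "application/json", "Accept": "application/json"}


def token_request(fqdn: str, username: str, password: str) -> Tuple[str, bytes]:
    """URL and body for the assumed token endpoint. admin@local authenticates
    against SDDC Manager itself, so this works while SSO is down."""
    body = json.dumps({"username": username, "password": password}).encode()
    return f"https://{fqdn}/v1/tokens", body


def password_update_request(fqdn: str, old: str, new: str) -> Tuple[str, bytes]:
    """URL and body for PATCH /v1/users/local/admin (field names assumed)."""
    body = json.dumps({"oldPassword": old, "newPassword": new}).encode()
    return f"https://{fqdn}/v1/users/local/admin", body


def interpret_patch_status(status: int) -> str:
    """Map the HTTP status of the PATCH to an operator-facing result."""
    if status == 204:
        return "updated"                      # the post: "204, No Content" means success
    if status in (401, 403):
        return "not authorized: check the current admin@local password or token"
    if status == 400:
        return "rejected: new password does not meet the password policy"
    return f"unexpected status {status}"


def _send(url: str, body: bytes, method: str, headers: dict, ctx: ssl.SSLContext) -> Tuple[int, bytes]:
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:     # 4xx/5xx still carry a status we want
        return err.code, err.read()


def update_local_admin_password(fqdn: str, old: str, new: str, ca_file: str = None) -> str:
    # Verify SDDC Manager's certificate; pass ca_file if it is signed by a private CA.
    ctx = ssl.create_default_context(cafile=ca_file)
    url, body = token_request(fqdn, "admin@local", old)
    status, data = _send(url, body, "POST", JSON_HEADERS, ctx)
    if status != 200:
        return f"token request failed with status {status}"
    token = json.loads(data)["accessToken"]    # assumed response field
    url, body = password_update_request(fqdn, old, new)
    headers = dict(JSON_HEADERS, Authorization=f"Bearer {token}")
    status, _ = _send(url, body, "PATCH", headers, ctx)
    return interpret_patch_status(status)


if __name__ == "__main__":
    fqdn = sys.argv[1] if len(sys.argv) > 1 else SDDC_MANAGER_FQDN
    current = getpass.getpass("Current admin@local password: ")
    new = getpass.getpass("New admin@local password: ")
    if new != getpass.getpass("Repeat new password: "):
        sys.exit("passwords do not match")
    print(update_local_admin_password(fqdn, current, new))
```

Because the token is obtained with the local account's own credentials, the script does not depend on vCenter Single Sign-On at all, which is the reason the post gives for keeping the admin@local password current.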
The default SSO administrator user of the vCenter Server component also has an expiration date, so you need to update this user's password as well; it appears as the "PSC" resource type in SDDC Manager.
When you try to update the SSO administrator user's password through SDDC Manager, a prompt reports that the PSC credentials cannot be rotated: because there is only one SSO administrator user (administrator@) by default, you must create an alternate SSO administrator user before the update can be performed.
Create an SSO administrator user (for example, vcfadmin@) by logging in to vCenter Server (vSphere Client), then add that user to SDDC Manager in the "Administrator" role, as shown below.
SDDC Manager has added another SSO administrator user.
Log in to SDDC Manager as the new SSO administrator user; the password of the other SSO administrator user can now be rotated successfully.
If the environment runs VMware Cloud Foundation version 5.2.1, you can also manage the component passwords through vCenter Server (vSphere Client).
Use the SoS utility to view the password status of the components again; the password expiration dates of all components have now been refreshed.
vcf@vcf-mgmt01-sddc01 [ ~ ]$ sudo /opt/vmware/sddc-support/sos --password-health
[sudo] password for vcf
Welcome to Supportability and Serviceability(SoS) utility!
Performing SoS operation for vcf-mgmt01 domain components
Health Check : /var/log/vmware/vcf/sddc-support/healthcheck-2024-12-07-12-29-31-149728
Health Check log : /var/log/vmware/vcf/sddc-support/healthcheck-2024-12-07-12-29-31-149728/
NOTE : The Health check operation was invoked without --skip-known-host-check, additional identity checks will be included for Connectivity Health, Password Health and Certificate Health Checks because of security reasons.
SDDC Manager :
+-------------------------+-----------+
| Stage | Status |
+-------------------------+-----------+
| Bringup | Completed |
| Management Domain State | Completed |
+-------------------------+-----------+
+--------------------+---------------+
| Component | Identity |
+--------------------+---------------+
| SDDC-Manager | 192.168.32.70 |
| Number of Servers | 4 |
+--------------------+---------------+
Password Expiry Status : GREEN
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
| SL# | Component | User | Last Changed Date | Expiry Date | Expires in Days | State |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
| 1 | ESXI : | svc-vcf-vcf-mgmt01-esxi01 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 2 | ESXI : | svc-vcf-vcf-mgmt01-esxi02 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 3 | ESXI : | svc-vcf-vcf-mgmt01-esxi03 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 4 | ESXI : | svc-vcf-vcf-mgmt01-esxi04 | Dec 02, 2024 | Never | Never | GREEN |
| | | root | Dec 02, 2024 | Never | Never | GREEN |
| 5 | NSX : | admin | Dec 07, 2024 | Mar 07, 2025 | 90 days | GREEN |
| | | root | Dec 07, 2024 | Mar 07, 2025 | 90 days | GREEN |
| | | audit | Dec 07, 2024 | Mar 07, 2025 | 90 days | GREEN |
| 6 | SDDC : | vcf | Dec 07, 2024 | Dec 07, 2025 | 365 days | GREEN |
| | | root | Dec 07, 2024 | Mar 07, 2025 | 90 days | GREEN |
| | | backup | Dec 07, 2024 | Dec 07, 2025 | 365 days | GREEN |
| 7 | vCenter : | root | Dec 07, 2024 | Mar 07, 2025 | 89 days | GREEN |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
Legend:
GREEN - No attention required, health status is NORMAL
YELLOW - May require attention, health status is WARNING
RED - Requires immediate attention, health status is CRITICAL
Health Check completed successfully for : [VCF-SUMMARY, PASSWORD-CHECK]
vcf@vcf-mgmt01-sddc01 [ ~ ]$