
[VMware VCF] Manage password policies for components in a VCF environment.

2024-12-12 20:58:04

You can use the "Password management" function in SDDC Manager to standardize the management of user passwords for components in a VCF environment, including updating, rotating, and remediating component passwords. You can also create scheduled password rotation tasks so that forgotten or otherwise expired passwords, and the component outages they cause, do not impact your business.

Use the SoS utility to check the user password status of components in the VCF environment, such as last modified date, expiration date, and time remaining to expiration, as shown below.

vcf@vcf-mgmt01-sddc01 [ ~ ]$ sudo /opt/vmware/sddc-support/sos --password-health
[sudo] password for vcf
Welcome to Supportability and Serviceability(SoS) utility!
Performing SoS operation for vcf-mgmt01 domain components
Health Check : /var/log/vmware/vcf/sddc-support/healthcheck-2024-12-07-12-29-31-149728
Health Check log : /var/log/vmware/vcf/sddc-support/healthcheck-2024-12-07-12-29-31-149728/
NOTE : The Health check operation was invoked without --skip-known-host-check, additional identity checks will be included for Connectivity Health, Password Health and Certificate Health Checks because of security reasons.

SDDC Manager :                                                                                 
+-------------------------+-----------+
|          Stage          |   Status  |
+-------------------------+-----------+
|         Bringup         | Completed |
| Management Domain State | Completed |
+-------------------------+-----------+
+--------------------+---------------+
|     Component      |    Identity   |
+--------------------+---------------+
|    SDDC-Manager    | 192.168.32.70 |
| Number of Servers  |       4       |
+--------------------+---------------+
Password Expiry Status : GREEN                                                                                 
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
| SL# |                Component                |            User           | Last Changed Date | Expiry Date  | Expires in Days | State |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+
|  1  |   ESXI :   | svc-vcf-vcf-mgmt01-esxi01 |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|     |                                         |            root           |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|  2  |   ESXI :   | svc-vcf-vcf-mgmt01-esxi02 |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|     |                                         |            root           |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|  3  |   ESXI :   | svc-vcf-vcf-mgmt01-esxi03 |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|     |                                         |            root           |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|  4  |   ESXI :   | svc-vcf-vcf-mgmt01-esxi04 |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|     |                                         |            root           |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|  5  |    NSX :    |           admin           |    Dec 07, 2024   | Mar 07, 2025 |     90 days     | GREEN |
|     |                                         |            root           |    Dec 07, 2024   | Mar 07, 2025 |     90 days     | GREEN |
|     |                                         |           audit           |    Dec 07, 2024   | Mar 07, 2025 |     90 days     | GREEN |
|  6  |   SDDC :   |            vcf            |    Dec 07, 2024   | Dec 07, 2025 |     365 days    | GREEN |
|     |                                         |            root           |    Dec 07, 2024   | Mar 07, 2025 |     90 days     | GREEN |
|     |                                         |           backup          |    Dec 07, 2024   | Dec 07, 2025 |     365 days    | GREEN |
|  7  | vCenter :  |            root           |    Dec 07, 2024   | Mar 07, 2025 |     89 days     | GREEN |
+-----+-----------------------------------------+---------------------------+-------------------+--------------+-----------------+-------+

Legend:

 GREEN - No attention required, health status is NORMAL
 YELLOW - May require attention, health status is WARNING
 RED - Requires immediate attention, health status is CRITICAL


Health Check completed successfully for : [VCF-SUMMARY, PASSWORD-CHECK]                                                                                
vcf@vcf-mgmt01-sddc01 [ ~ ]$

From the output above you get a good picture of the status of each component's user passwords, but you may be wondering whether the default "password policy" of these components can be adjusted: password expiration, password complexity, account lockout, and so on. The answer is yes. First, refer to the "Identity and Access Management for VMware Cloud Foundation" (Information Security and Access) product documentation to understand the default password policies of the components in a VCF environment.
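As an added example (not part of the original post and not code from the SoS utility), the following Python script parses a constructed excerpt of the `sos --password-health` table shown above, recomputes the days to expiry for a chosen date, and lists the credentials that need attention. The placeholder host names, and the YELLOW/RED thresholds of 30 and 7 days, are this example's assumptions; SoS itself only prints the states described in its legend.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed excerpt of an `sos --password-health` table. The page's own
# output omits the component host names, so the names here are placeholders.
SOS_SAMPLE = """\
Password Expiry Status : GREEN
+-----+------------------+-------+-------------------+--------------+-----------------+-------+
| SL# |    Component     | User  | Last Changed Date | Expiry Date  | Expires in Days | State |
+-----+------------------+-------+-------------------+--------------+-----------------+-------+
|  1  | ESXI : esxi01    | svc   |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|     |                  | root  |    Dec 02, 2024   |    Never     |      Never      | GREEN |
|  2  | NSX : nsx01      | admin |    Dec 07, 2024   | Mar 07, 2025 |     90 days     | GREEN |
|     |                  | audit |    Dec 07, 2024   | Mar 07, 2025 |     90 days     | GREEN |
|  3  | SDDC : sddc01    | vcf   |    Dec 07, 2024   | Dec 07, 2025 |     365 days    | GREEN |
|     |                  | root  |    Dec 07, 2024   | Mar 07, 2025 |     90 days     | GREEN |
|  4  | vCenter : vcsa01 | root  |    Dec 07, 2024   | Mar 07, 2025 |     89 days     | GREEN |
+-----+------------------+-------+-------------------+--------------+-----------------+-------+
"""


@dataclass
class PasswordEntry:
    component: str
    user: str
    last_changed: date
    expiry: Optional[date]      # None when the SoS output says "Never"


def _parse_date(text: str) -> Optional[date]:
    return None if text == "Never" else datetime.strptime(text, "%b %d, %Y").date()


def parse_password_health(text: str) -> list[PasswordEntry]:
    """Parse the table rows; a row with an empty Component cell continues the previous component."""
    entries, component = [], ""
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):        # skip +---+ separators and free text
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if cells[0] == "SL#":               # header row
            continue
        if cells[1]:
            component = cells[1]
        entries.append(PasswordEntry(component, cells[2], _parse_date(cells[3]), _parse_date(cells[4])))
    return entries


def days_remaining(entry: PasswordEntry, today: date) -> Optional[int]:
    return None if entry.expiry is None else (entry.expiry - today).days


def classify(days: Optional[int], warn_days: int = 30, critical_days: int = 7) -> str:
    """Map days-to-expiry onto the SoS legend colours. The thresholds are this
    example's assumption, not values taken from SoS."""
    if days is None:                        # never expires
        return "GREEN"
    if days <= critical_days:
        return "RED"
    return "YELLOW" if days <= warn_days else "GREEN"


def expiring_credentials(text: str, today: date, warn_days: int = 30) -> list[tuple[str, str, int, str]]:
    """Return (component, user, days_left, state) for every credential that is not GREEN."""
    out = []
    for e in parse_password_health(text):
        left = days_remaining(e, today)
        state = classify(left, warn_days=warn_days)
        if state != "GREEN":
            out.append((e.component, e.user, left, state))
    return out


if __name__ == "__main__":
    for row in expiring_credentials(SOS_SAMPLE, date(2025, 2, 20)):
        print("%-18s %-6s %4d days  %s" % row)
```

Running the script on the real SoS output (paste the table into `SOS_SAMPLE` or read it from the health-check log directory) gives a list that can be fed to a ticketing or alerting system well before the component itself turns YELLOW.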

 

I. Password expiration policy

Table columns: Component, Type, Parameter, Default, Description.

ESXi hosts, local user
  • Password expiration (days), default 99999 (never): Sets after how many days the password expires. You can manage password expiration policies on a per-host basis using the advanced system settings in the vSphere Client or Host Client. You can modify the configuration settings on each ESXi host to optimize settings and comply with your organization's policy and regulatory standards.

vCenter Server, security settings
  • Maximum (days), default 90: Sets the maximum password age in days, after which the password expires. You can manage password expiration policies on an instance-by-instance basis. You can modify the configuration settings on each vCenter Server instance to optimize settings and comply with your organization's policy and regulatory standards.
  • Minimum (days), default 0: Sets the minimum password age in days.
  • Warning (days), default 7: Sets how many days before expiration the warning is issued.

vCenter Server, local user
  • Password Expires, default Yes: Sets whether the root password expires.
  • Password validity, default 90: Sets after how many days the password expires.
  • Email for expiration warning, default - (not set): Sets the email address that receives the password expiration warning.
  • Warning (days), default 7: Sets how many days before expiration the warning is issued.

vCenter Server, Single Sign-On
  • Maximum lifetime, default 90: Sets after how many days the password expires. You can manage the vCenter Single Sign-On password expiration policy for each built-in identity provider domain. The password expiration policy applies only to user accounts in vCenter Single Sign-On built-in identity provider domains. This policy does not apply to local system accounts or to the domain's default administrator account (for example administrator@). You can modify the configuration settings for the vCenter Single Sign-On identity provider domain to optimize the settings and comply with your organization's policy and regulatory standards.

NSX + NSX Edge, local user
  • maxdays, default 90: Sets the maximum password age in days. You can manage NSX password expiration policies on a per-user basis by using the APIs for built-in NSX accounts on NSX Local Manager clusters and NSX Edge nodes. You can modify the configuration on each NSX Local Manager cluster and each NSX Edge node to optimize settings and comply with your organization's policy and regulatory standards.

SDDC Manager, local user
  • maxdays, default 90 (VMware Cloud Foundation 4.5 and higher): Sets the maximum password age in days. You can manage password expiration policies per user. You can modify a user's configuration to optimize settings and comply with your organization's policy and regulatory standards.
  • maxdays, default 365 (VMware Cloud Foundation 4.4 and higher): Sets the maximum password age in days.
  • mindays, default 0: Sets the minimum password age in days.
  • warndays, default 7: Sets how many days before expiration the warning is issued.

 

II. Password complexity policy

Table columns: Component, Type, Parameter, Default, Description.

ESXi hosts, local user
  • Complexity rule, default retry=3 min=disabled,disabled,disabled,7,7: retry=3 sets how many attempts are allowed when setting or updating a password; a value of 3 means a password that does not meet the requirements below may be retried 3 times. The min list sets the character-class and passphrase minimum-length requirements: passwords with one or two character classes are not allowed, nor are passphrases, because the first three entries are disabled; passwords using three or four character classes require 7 characters. A capital letter at the beginning of the password does not count towards the number of character classes used, and a number at the end of the password does not count either. You can manage password complexity policies on a per-host basis using the advanced system settings in the vSphere Client or Host Client. You can edit and modify the configuration to optimize the settings and comply with your organization's policy and regulatory standards.
  • Password history, default 0: Sets how many previously set passwords are remembered; a value of 0 means no limit.

vCenter Server, local user
  The local user password complexity policy is managed per instance through the /etc//system-password file. You can modify the configuration settings on each vCenter Server instance to optimize the settings and comply with your organization's policy and regulatory standards.
  • dcredit, default -1: Sets the number of numeric characters (for example 0, 1, 2) the password must contain; a value of -1 means at least one.
  • ucredit, default -1: Sets the number of uppercase letters (for example A, B, C) the password must contain; a value of -1 means at least one.
  • lcredit, default -1: Sets the number of lowercase letters (for example a, b, c) the password must contain; a value of -1 means at least one.
  • ocredit, default -1: Sets the number of other characters (for example !, @, #) the password must contain; a value of -1 means at least one.
  • minlen, default 6: Sets the minimum number of characters the password must have; a value of 6 means at least six characters.
  • difok, default 4: Sets how many characters of the new password must differ from the old one; a value of 4 means at least four characters must differ.
  • remember, default 5: Sets how many previously set passwords are remembered; a value of 5 means the new password must not match any of the previous 5.

vCenter Server, Single Sign-On
  You can manage the vCenter Single Sign-On password policy for each built-in identity provider domain. The password complexity policy applies only to user accounts in vCenter Single Sign-On built-in identity provider domains. It does not apply to local system accounts or to the built-in identity provider's default administrator account (for example administrator@).
  • Restrict reuse, default 5: Sets how many previously set passwords are remembered; a value of 5 means the new password must not match any of the previous 5.
  • Maximum length, default 20: Sets the maximum password length (number of characters).
  • Minimum length, default 8: Sets the minimum password length (number of characters).
  • Special characters, default 1: Sets the minimum number of special characters.
  • Alphabetic characters, default 2: Sets the minimum number of alphabetic characters.
  • Uppercase characters, default 1: Sets the minimum number of uppercase characters.
  • Lowercase characters, default 1: Sets the minimum number of lowercase characters.
  • Numeric characters, default 1: Sets the minimum number of numeric characters.
  • Identical adjacent characters, default 1: Sets the maximum number of identical adjacent characters.

NSX + NSX Edge, local user
  For the built-in NSX accounts on NSX Manager clusters and NSX Edge nodes, the password complexity policy is managed per node through the /etc//common-password file. You can modify the configuration on each NSX Manager node and each NSX Edge node to optimize settings and comply with your organization's policy and regulatory standards.
  • dcredit, default -1: Sets the number of numeric characters (for example 0, 1, 2) the password must contain; a value of -1 means at least one.
  • ucredit, default -1: Sets the number of uppercase letters (for example A, B, C) the password must contain; a value of -1 means at least one.
  • lcredit, default -1: Sets the number of lowercase letters (for example a, b, c) the password must contain; a value of -1 means at least one.
  • ocredit, default -1: Sets the number of other characters (for example !, @, #) the password must contain; a value of -1 means at least one.
  • minlen, default 15: Sets the minimum number of characters the password must have; a value of 15 means at least fifteen characters.
  • difok, default 0: Sets how many characters of the new password must differ from the old one; a value of 0 means no limit.
  • retry, default 3: Sets how many attempts are allowed when setting or updating a password; a value of 3 means a password that does not meet the requirements above may be retried 3 times.

SDDC Manager, local user
  The password complexity policy is managed through the /etc//system-password file. You can edit and modify the configuration to optimize settings and comply with your organization's policy and regulatory standards.
  • dcredit, default -1: Sets the number of numeric characters (for example 0, 1, 2) the password must contain; a value of -1 means at least one.
  • ucredit, default -1: Sets the number of uppercase letters (for example A, B, C) the password must contain; a value of -1 means at least one.
  • lcredit, default -1: Sets the number of lowercase letters (for example a, b, c) the password must contain; a value of -1 means at least one.
  • ocredit, default -1: Sets the number of other characters (for example !, @, #) the password must contain; a value of -1 means at least one.
  • minlen, default 8: Sets the minimum number of characters the password must have.
  • minclass, default 4: Sets the minimum number of character classes (uppercase, lowercase, numeric, and so on) that must be used in the password.
  • difok, default 4: Sets how many characters of the new password must differ from the old one; a value of 4 means at least four characters must differ.
  • retry, default 3: Sets how many attempts are allowed when setting or updating a password; a value of 3 means a password that does not meet the requirements above may be retried 3 times.
  • maxsequence, default 0: Sets the maximum number of times a single character of the password can be repeated; a value of 0 means no limit.
  • remember, default 5: Sets how many previously set passwords are remembered; a value of 5 means the new password must not match any of the previous 5.
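The credit, minlen, minclass, difok, maxsequence and remember settings in the table above follow pam_pwquality conventions, while the ESXi entry uses the "retry=… min=…" format. The following Python checker is an added illustration, not code from VMware or from this page: it evaluates a candidate password against both formats, using the SDDC Manager defaults listed above as the default policy. It assumes pam_pwquality's documented meaning for the credit values (a negative value is a required minimum, a positive value is a credit towards minlen) and for maxsequence (the longest monotonic run such as "1234"), and it approximates difok as the number of new-password characters that do not occur in the old password.

```python
from dataclasses import dataclass


@dataclass
class ComplexityPolicy:
    """pam_pwquality-style settings; defaults are the SDDC Manager values from the table."""
    minlen: int = 8
    dcredit: int = -1     # negative: at least that many digits; positive: credit towards minlen
    ucredit: int = -1
    lcredit: int = -1
    ocredit: int = -1
    minclass: int = 4
    difok: int = 4
    maxsequence: int = 0  # 0 disables the check
    remember: int = 5     # 0 disables the history check


# Character-class tests keyed by the credit parameter that governs them.
CLASSES = {
    "dcredit": str.isdigit,
    "ucredit": str.isupper,
    "lcredit": str.islower,
    "ocredit": lambda c: not c.isalnum(),
}


def longest_monotonic_run(s: str) -> int:
    """Length of the longest run like 'abcd' or '4321' (assumed maxsequence semantics)."""
    best, run, direction = (1 if s else 0), 1, 0
    for a, b in zip(s, s[1:]):
        step = ord(b) - ord(a)
        if step in (1, -1) and direction in (0, step):
            run, direction = run + 1, step
        elif step in (1, -1):
            run, direction = 2, step
        else:
            run, direction = 1, 0
        best = max(best, run)
    return best


def check_password(new: str, policy: ComplexityPolicy, old: str = "", history=()) -> list[str]:
    """Return the list of violated settings; an empty list means the password is acceptable."""
    problems = []
    counts = {name: sum(1 for c in new if test(c)) for name, test in CLASSES.items()}
    effective_len = len(new)
    for name, count in counts.items():
        credit = getattr(policy, name)
        if credit < 0 and count < -credit:
            problems.append(f"{name}: needs at least {-credit}, has {count}")
        elif credit > 0:
            effective_len += min(count, credit)    # positive credits lengthen the password
    if effective_len < policy.minlen:
        problems.append(f"minlen: effective length {effective_len} < {policy.minlen}")
    if sum(1 for n in counts.values() if n) < policy.minclass:
        problems.append(f"minclass: fewer than {policy.minclass} character classes")
    if old and policy.difok and sum(1 for c in new if c not in old) < policy.difok:
        problems.append(f"difok: fewer than {policy.difok} characters differ from the old password")
    if policy.maxsequence and longest_monotonic_run(new) > policy.maxsequence:
        problems.append(f"maxsequence: monotonic sequence longer than {policy.maxsequence}")
    if policy.remember and new in list(history)[-policy.remember:]:
        problems.append(f"remember: matches one of the last {policy.remember} passwords")
    return problems


def parse_esxi_policy(policy: str):
    """Split 'retry=3 min=disabled,disabled,disabled,7,7' into (retry, [min lengths or None])."""
    parts = dict(p.split("=", 1) for p in policy.split())
    mins = [None if v == "disabled" else int(v) for v in parts["min"].split(",")]
    return int(parts.get("retry", 0)), mins


def esxi_password_ok(password: str, policy: str = "retry=3 min=disabled,disabled,disabled,7,7") -> bool:
    """ESXi rule: the min list is [1 class, 2 classes, passphrase, 3 classes, 4 classes].
    A leading capital and a trailing digit do not count towards the classes used."""
    _, mins = parse_esxi_policy(policy)
    if " " in password:                       # words separated by spaces: the passphrase slot
        required = mins[2]
    else:
        body = password[1:] if password[:1].isupper() else password
        body = body[:-1] if body[-1:].isdigit() else body
        used = sum(1 for test in CLASSES.values() if any(test(c) for c in body))
        required = mins[{1: 0, 2: 1, 3: 3, 4: 4}[used]] if used else None
    return required is not None and len(password) >= required
```

`check_password("password", ComplexityPolicy())` reports four violations (dcredit, ucredit, ocredit and minclass), while `esxi_password_ok("Password1")` is false because, once the leading capital and trailing digit are discounted, only one character class remains.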

 

III. Account lockout policy

Table columns: Component, Type, Parameter, Default, Description.

ESXi hosts, local user
  • Maximum failed logins, default 5: Sets the maximum number of authentication failures before an account is locked. SSH and the API support ESXi account lockout: if a user tries to log in over SSH or the API with incorrect local account credentials, the account is locked. Account lockout is not supported by the DCUI and the ESXi Shell. You can use the advanced system settings in the vSphere Client or Host Client to manage account lockout policies on a per-host basis. You can edit and modify the configuration to optimize the settings and comply with your organization's policy and regulatory standards.
  • Lockout duration, default 900: Sets the amount of time (in seconds) the account remains locked.

vCenter Server, local user
  The local user account lockout policy is managed per instance through the /etc//system-auth file. You can modify the configuration settings on each vCenter Server instance to optimize the settings and comply with your organization's policy and regulatory standards.
  • deny, default 3: Sets the maximum number of authentication failures before an account is locked.
  • unlock_time, default 900: Sets the amount of time (in seconds) the account remains locked.
  • root_unlock_time, default 300: Sets the amount of time (in seconds) the root account remains locked.

vCenter Server, Single Sign-On
  You can manage vCenter Single Sign-On account lockout policies per built-in identity provider domain. You can edit and modify the configuration to optimize settings and comply with your organization's policy and regulatory standards.
  • Maximum number of failed login attempts, default 5: Sets the maximum number of authentication failures before an account is locked.
  • Time interval between failures, default 180: Sets the time window (in seconds) in which failed logins are counted; for example, 5 consecutive failures within 180 seconds lock the account.
  • Unlock time, default 900: Sets the amount of time (in seconds) that the root account remains locked. If it is set to 0, the administrator must explicitly unlock the account.

NSX + NSX Edge
  Account lockout is configured through authentication policies: per instance for NSX Local Manager clusters and per node for NSX Edge nodes. You can configure account lockout policies for the NSX Manager user interface and API, and for the command line interface (CLI), of NSX Local Manager clusters and NSX Edge nodes. You can modify the configuration on each NSX Local Manager cluster and each NSX Edge node to optimize the settings and comply with your organization's policy and regulatory standards.
  Local users (API)
  • max-auth-failures, default 5: Sets the maximum number of authentication failures before an account is locked.
  • lockout-reset-period, default 180: Sets the time window (in seconds) in which failed logins are counted; for example, 5 consecutive failures within 180 seconds lock the account.
  • lockout-period, default 900: Sets the amount of time (in seconds) the account remains locked.
  Local user (CLI)
  • max-auth-failures, default 5: Sets the maximum number of authentication failures before an account is locked.
  • lockout-period, default 900: Sets the amount of time (in seconds) the account remains locked.

SDDC Manager, local user
  The account lockout policy is managed through the /etc//system-auth file. You can edit and modify the configuration to optimize the settings and comply with your organization's policy and regulatory standards.
  • deny, default 3: Sets the maximum number of authentication failures before an account is locked.
  • unlock_time, default 86400: Sets the amount of time (in seconds) the account remains locked.
  • root_unlock_time, default 300: Sets the amount of time (in seconds) the root account remains locked.
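The lockout settings above (deny or max-auth-failures, the 180-second failure window, and an unlock time where 0 means an administrator must unlock the account) can be replayed against an authentication log to see when a given policy would lock an account and reject an otherwise valid login. The following Python simulator is an added example, not VMware's implementation: the event timeline is constructed, and the pam_faillock-like semantics (a failure older than the reset window no longer counts, a lock period of 0 requires an administrator unlock, the counter is cleared on success or when the lock expires) are this example's assumptions.

```python
import math
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class LockoutPolicy:
    max_failures: int = 5    # deny / max-auth-failures / maximum number of failed login attempts
    reset_period: int = 180  # lockout-reset-period / time interval between failures (0 = never expire)
    lock_period: int = 900   # unlock_time / lockout-period (0 = locked until an administrator unlocks)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of the failures that still count
    locked_until: Optional[float] = None           # math.inf means a manual unlock is required


class LockoutTracker:
    """Replays authentication outcomes against a lockout policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def is_locked(self, user: str, now: float) -> bool:
        st = self._state(user)
        if st.locked_until is None:
            return False
        if now < st.locked_until:
            return True
        st.locked_until = None          # lock period elapsed: clear the lock and the counter
        st.failures.clear()
        return False

    def attempt(self, user: str, now: float, credentials_ok: bool) -> str:
        """Return 'LOCKED' (attempt refused), 'OK' (success) or 'FAIL' (bad credentials)."""
        p, st = self.policy, self._state(user)
        if self.is_locked(user, now):
            return "LOCKED"
        if credentials_ok:
            st.failures.clear()
            return "OK"
        if p.reset_period > 0:          # only failures inside the window still count
            st.failures = [ts for ts in st.failures if now - ts < p.reset_period]
        st.failures.append(now)
        if len(st.failures) >= p.max_failures:
            st.locked_until = math.inf if p.lock_period == 0 else now + p.lock_period
        return "FAIL"

    def admin_unlock(self, user: str) -> None:
        self.accounts[user] = AccountState()


# Constructed authentication events: (seconds since start, user, credentials_ok).
SAMPLE_EVENTS = [
    (0, "admin", False), (12, "admin", False), (25, "admin", False),
    (40, "audit", False), (55, "audit", True),
    (61, "admin", False), (70, "admin", False), (95, "admin", True),
]


def replay(policy: LockoutPolicy, events) -> list[tuple[float, str, str]]:
    tracker = LockoutTracker(policy)
    return [(t, user, tracker.attempt(user, t, ok)) for t, user, ok in sorted(events)]


def locked_users(policy: LockoutPolicy, events) -> list[str]:
    """Users whose correct credentials were refused because the account was already locked."""
    return sorted({user for _, user, outcome in replay(policy, events) if outcome == "LOCKED"})


if __name__ == "__main__":
    for t, user, outcome in replay(LockoutPolicy(), SAMPLE_EVENTS):
        print(f"t={t:>4}s {user:<6} {outcome}")
```

With the default policy the constructed timeline locks `admin` at its fifth failure (t=70) and refuses the correct login at t=95; shortening `reset_period` to 30 seconds lets the early failures age out, so the same timeline never locks anyone. Replaying a real log this way is a quick way to predict the operational impact of tightening `deny` or `unlock_time` before changing the component.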

 

IV. Managing password strategies

After understanding the password policies of the components in a VCF environment, you may want to manage them because of compliance or security requirements. Refer to the following sections of the "VMware Cloud Foundation Operations Guide" in the product documentation, and then perform password policy management for the corresponding component as needed.

  • Configuring Password Expiration Policies in VMware Cloud Foundation
  • Configuring Password Complexity Policies in VMware Cloud Foundation
  • Configuring Account Lockout Policies in VMware Cloud Foundation

According to the documentation listed above, there are several ways to manage these password policies. The most basic way is to manually modify the parameters of each password policy on each component, adjusting the components one by one. This approach is too cumbersome for large environments with hundreds or thousands of hosts; the other approach in the documentation, configuring the policies with PowerShell commands, is more convenient. PowerShell configuration requires the following PowerShell modules:

  • PowerShell Module for VMware Cloud Foundation Password Management (PowerShell Gallery)
  • PowerShell Module for VMware Cloud Foundation Password Management (Github)

Following the documentation, use the commands below to install the VCF Password Management module. Before installing and using this module, refer to the article "Use PowerVCF to connect to and manage your VMware Cloud Foundation environment" to prepare the other runtime components this module depends on.

Install-Module -Name  -Scope CurrentUser
Get-Module -Name  -ListAvailable

View the command options supported by the module.

Get-Command -Module 

Verify that the environment meets the requirements for running the PowerShell module.

Test-VcfPasswordManagementPrereq

Use PowerVCF to connect to SDDC Manager.

Request-VCFToken -fqdn  -username administrator@ -password Vcf521@password

Use the following command to get the default password policy for all components of the specified VCF version, or output it directly as a JSON file.

Get-PasswordPolicyDefault -version '5.2.0.0'
Get-PasswordPolicyDefault -generateJson -jsonFile  -version '5.2.0.0'

Use the following commands to generate the password policy report for the components in the VCF environment.

  • All workload domains
Invoke-PasswordPolicyManager -sddcManagerFqdn  -sddcManagerUser administrator@ -sddcManagerPass Vcf521@password -sddcRootPass Vcf521@password -reportPath "D:\Reporting" -darkMode -allDomains
  • Specify the workload domain
Invoke-PasswordPolicyManager -sddcManagerFqdn  -sddcManagerUser administrator@ -sddcManagerPass Vcf521@password -sddcRootPass Vcf521@password -reportPath "D:\Reporting" -darkMode -workloadDomain vcf-mgmt01

Use the following commands to generate the password rotation report for the components in the VCF environment.

  • All workload domains
Invoke-PasswordRotationManager  -sddcManagerFqdn  -sddcManagerUser administrator@ -sddcManagerPass Vcf521@password -sddcRootPass Vcf521@password -reportPath "D:\Reporting" -darkMode -allDomains
  • Specify the workload domain
Invoke-PasswordRotationManager -sddcManagerFqdn  -sddcManagerUser administrator@ -sddcManagerPass Vcf521@password -sddcRootPass Vcf521@password -reportPath "D:\Reporting" -darkMode -workloadDomain vcf-mgmt01

Uniformly configure password policies for all components in the VCF environment based on JSON files and report files.

Start-PasswordPolicyConfig -sddcManagerFqdn  -sddcManagerUser administrator@ -sddcManagerPass Vcf521@password -sddcRootPass Vcf521@password -reportPath "D:\Reporting" -policyFile ""

Retrieve the password expiration policy for the local user of the specified VCF component.

Request-LocalUserPasswordExpiration -server  -user administrator@ -pass Vcf521@password -domain vcf-mgmt01 -product vcenterServer -vmName vcf-mgmt01-vcsa01 -guestUser root -guestPassword Vcf521@password -localUser "root"

Update the local user password expiration period (in days) for the specified VCF component.

Update-LocalUserPasswordExpiration -server  -user administrator@ -pass Vcf521@password -domain vcf-mgmt01 -vmName vcf-mgmt01-vcsa01 -guestUser root -guestPassword Vcf521@password -localUser "root","sshuser" -minDays 0 -maxDays 180 -warnDays 14

Retrieve the password expiration policy for the SDDC Manager component.

Request-SddcManagerPasswordExpiration -server  -user administrator@ -pass Vcf521@password  -rootPass Vcf521@password

Update the password expiration policy for the SDDC Manager component.

Update-SddcManagerPasswordExpiration -server  -user administrator@ -pass Vcf521@password  -rootPass Vcf521@password -minDays 0 -maxDays 400 -warnDays 14

Retrieve the password complexity policy for the ESXi component.

Request-EsxiPasswordComplexity -server  -user administrator@ -pass Vcf521@password -domain vcf-mgmt01 -cluster vcf-mgmt01-cluster01

Update the password complexity policy for ESXi components.

Update-EsxiPasswordComplexity -server  -user administrator@ -pass Vcf521@password -domain vcf-mgmt01 -cluster vcf-mgmt01-cluster01 -policy "retry=5 min=disabled,disabled,disabled,8,8" -history 3

Retrieve the account lockout policy for the ESXi component.

Request-EsxiAccountLockout -server  -user administrator@ -pass Vcf521@password -domain vcf-mgmt01 -cluster vcf-mgmt01-cluster01

Update the account lockout policy for ESXi components.

Update-EsxiAccountLockout -server  -user administrator@ -pass Vcf521@password -domain vcf-mgmt01 -cluster vcf-mgmt01-cluster01 -failures 3 -unlockInterval 600

Retrieve the password rotation settings for all components of a specified workload domain managed by SDDC Manager.

Request-PasswordRotationPolicy -server  -user administrator@ -pass Vcf521@password

Update the password rotation settings for vCenter Server components managed by SDDC Manager.

Update-PasswordRotationPolicy -server  -user administrator@ -pass Vcf521@password -domain vcf-mgmt01 -resource vcenterServer -resourceName  -credential SSH -credentialName root -autoRotate enabled -frequencyInDays 90