When you change the root password for a VMware Cloud Director appliance, you must also update the appliance certificate keystore to use the new password.
- Familiarize yourself with the keytool command. VMware Cloud Director places a copy of keytool at /opt/vmware/vcloud-director/jre/bin/keytool.
- If you are using wildcard certificates and you are storing them on the NFS shared transfer storage, to ensure that they are updated, follow the procedure described in Deploy the VMware Cloud Director Appliance with Signed Wildcard Certificates for HTTPS and Console Proxy Communication.
- Log in directly or by using an SSH client to the VMware Cloud Director appliance console as root.
- Run the passwd command and change the password for the root user.
passwd root
Note: If the root password is already expired, VMware Cloud Director prompts you to set it the first time when you log in to the VMware Cloud Director appliance console as root.
- Run the command to back up the existing certificates keystore file.
cp /opt/vmware/vcloud-director/certificates.ks /tmp/certificates.ks
- To generate a new certificates keystore, run the
keytool -importkeystore -srckeystore /opt/vmware/vcloud-director/certificates.ks -srcstoretype PKCS12 -srcstorepass old_root_password -destkeystore /opt/vmware/vcloud-director/certificates-new.ks -deststoretype PKCS12 -deststorepass new_root_password -destkeypass new_root_password
Note: Starting with VMware Cloud Director 10.2, the default certificate keystore type for the VMware Cloud Director appliance is PKCS12. If you are using a version of the appliance that was upgraded to version 10.2, use JCEKS as the
keytool -importkeystore -srckeystore /opt/vmware/vcloud-director/certificates.ks -srcstoretype JCEKS -srcstorepass old_root_password -destkeystore /opt/vmware/vcloud-director/certificates-new.ks -deststoretype JCEKS -deststorepass new_root_password -destkeypass new_root_password
- Run the command to replace the old certificates keystore file with the new one.
mv /opt/vmware/vcloud-director/certificates-new.ks /opt/vmware/vcloud-director/certificates.ks
- To verify the user and group ownership of the keystore file, run the
chown vcloud.vcloud /opt/vmware/vcloud-director/certificates.ks
- To use the keystore's new password, update the VMware Cloud Director server configuration:
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/certificates.ks --keystore-password new_root_password
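An added example, not part of VMware's procedure or tooling: shell helpers for the backup and replace steps above. backup_keystore makes the backup copy owner-only and byte-identical, and same_aliases compares two saved keytool -list outputs so that a keystore missing an entry is caught before the mv step. The function names and the listing files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not VMware tooling. All paths are supplied by the caller.

# backup_keystore SRC DEST
# Copy the keystore so that only the owner can read the copy, then confirm the
# copy is byte-identical. The keystore holds private keys, and a plain cp
# leaves the copy's mode to the source mode and the current umask.
backup_keystore() {
    [ -s "$1" ] || { echo "keystore missing or empty: $1" >&2; return 1; }
    ( umask 077 && cp "$1" "$2" ) || return 1
    chmod 600 "$2" || return 1    # also tightens a pre-existing, looser DEST
    cmp -s "$1" "$2"
}

# list_aliases
# Read `keytool -list` output on stdin and print the alias names, sorted.
# Entry lines have the form "alias, Mon D, YYYY, PrivateKeyEntry, ".
list_aliases() {
    sed -n 's/^\([^,]*\), .*Entry, *$/\1/p' | sort
}

# same_aliases OLD_LISTING NEW_LISTING
# Succeed only if both listings name the same non-empty set of aliases.
# Run it on listings of certificates.ks and certificates-new.ks before the mv
# step, so an incomplete import never replaces the live keystore.
same_aliases() {
    old=$(list_aliases < "$1") && new=$(list_aliases < "$2") || return 1
    [ -n "$old" ] && [ "$old" = "$new" ]
}

# The listings are saved output of:
#   keytool -list -keystore FILE -storetype PKCS12   (or JCEKS, as above)
```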
What to do next
Important: All appliances must share the same root password. Any newly deployed appliance must use the new root password.