When you change the root password for a VMware Cloud Director appliance, you must also update the appliance certificate private key to use the new password. The procedure for version 10.4 includes console proxy settings.

Starting with VMware Cloud Director 10.4, the console proxy uses the same IP address and port as the REST API. The console proxy and REST API use a single certificate.
Note: VMware Cloud Director 10.4.1 and later do not support the legacy implementation of the console proxy feature.

If you want change the root password of the VMware Cloud Director appliance 10.4.1 or later, see Change the Root Password of the VMware Cloud Director Appliance 10.4.1 or Later.

Procedure

  1. Log in directly or by using an SSH client to the VMware Cloud Director appliance console as root.
  2. Run the passwd command and change the password for the root user. 
    passwd root
    Note: If FIPS mode is enabled, the root password of the appliance must contain at least 14 characters.
    Note: If the root password is already expired, VMware Cloud Director prompts you to set it the first time when you log in to the VMware Cloud Director appliance console as root.
  3. Run the commands to back up the existing certificate files. 
    cp /opt/vmware/vcloud-director/etc/user.http.pem /tmp/user.http.pem
cp /opt/vmware/vcloud-director/etc/user.http.key /tmp/user.http.key
cp /opt/vmware/vcloud-director/etc/user.consoleproxy.pem /tmp/user.consoleproxy.pem
cp /opt/vmware/vcloud-director/etc/user.consoleproxy.key /tmp/user.consoleproxy.key
  4. To generate new private keys, run the following OpenSSL commands. 
    openssl pkcs8 -in /opt/vmware/vcloud-director/etc/user.http.key -out /opt/vmware/vcloud-director/etc/new.user.http.key -topk8 -passin pass:old_root_password -passout pass:new_root_password
openssl pkcs8 -in /opt/vmware/vcloud-director/etc/user.consoleproxy.key -out /opt/vmware/vcloud-director/etc/new.user.consoleproxy.key -topk8 -passin pass:old_root_password -passout pass:new_root_password
  5. Run the following commands to replace the old private key file with the new one. 
    mv /opt/vmware/vcloud-director/etc/new.user.http.key /opt/vmware/vcloud-director/etc/user.http.key
mv /opt/vmware/vcloud-director/etc/new.user.consoleproxy.key /opt/vmware/vcloud-director/etc/user.consoleproxy.key
  6. To verify the user and group ownership of the private key files, run the chown command. 
    chown vcloud.vcloud /opt/vmware/vcloud-director/etc/user.http.key
chown vcloud.vcloud /opt/vmware/vcloud-director/etc/user.consoleproxy.key
  7. To use the private key's new password, update the VMware Cloud Director server configuration. 
    /opt/vmware/vcloud-director/bin/cell-management-tool certificates -j --cert /opt/vmware/vcloud-director/etc/user.http.pem --key /opt/vmware/vcloud-director/etc/user.http.key --key-password new_root_password
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -p --cert /opt/vmware/vcloud-director/etc/user.consoleproxy.pem --key /opt/vmware/vcloud-director/etc/user.consoleproxy.key --key-password new_root_password

What to do next

Repeat this procedure on each appliance in the cluster.
Important: All appliances must share the same root password. Any newly deployed appliance must use the new root password.