On each rack in turn, you run the ./vrm-cli.sh rotate-all command in each rack's SDDC Manager virtual machine to rotate all of the passwords that are managed by SDDC Manager.

Before you begin

Verify the following prerequisites are met:

  • No failed workflows exist in the environment. Use the Workflows area of the System Status page to verify the environment has no workflows in a failure state.

  • No active workflows, such as creating or deleting workload domains, are running or are expected to run during the password rotation process. Schedule a window of time when you expect to have no running workflows before performing on-demand password rotation.

  • You have the root account credentials to log in to each rack's SDDC Manager VM. For details, see Credentials for Logging In To the SDDC Manager (vrm) Virtual Machine.

About this task

First run the ./vrm-cli.sh rotate-all command on the primary rack. After running it on the primary rack, run the ./vrm-cli.sh rotate-all command on the second rack, then on the third rack, and so on. For a description of which rack is the primary rack in the environment, see About the Primary Rack and the SDDC Manager Virtual IP Address.

Note:

Before running any vrm-cli.sh command, it is a best practice to stop both the vrm-watchdogserver and vrm-tcserver services in the SDDC Manager VM. However, if you omit explicitly stopping these services prior to running the ./vrm-cli.sh rotate-all command, the command will attempt to stop the services automatically before it starts the rotation process. Then, at the end of the rotation process, if the command has automatically stopped the services, it will attempt to restart the vrm-watchdogserver service, which also restarts the vrm-tcserver service.

Procedure

  1. For the primary rack, using the root account, connect and log in, for example by SSH, to the rack's SDDC Manager VM.
  2. Change to the /home/vrack/VMware/vRack directory.
  3. Save a copy of the /home/vrack/VMware/vRack/vrm.properties file to a secure location where you can access it later if necessary.
  4. Change to the /home/vrack/bin directory.
  5. Stop the vrm-watchdogserver and vrm-tcserver services.
    service vrm-watchdogserver stop
    service vrm-tcserver stop
    Note:

    Even though the ./vrm-cli.sh lookup-password command can run without stopping the services, it is a best practice to stop both services before running any vrm-cli.sh command.

  6. At the prompt, use the vrm-cli tool's lookup-password command to obtain the listing of the current account credentials so that you can compare it to the post-rotated listing.
    ./vrm-cli.sh lookup-password

    The output displays the account credentials and IP addresses for the physical and logical entities that are managed by the vrm-cli tool. The username and password for each account are displayed.

  7. Save the output to a secure location.
  8. Rotate this rack's passwords by typing the following command:
    ./vrm-cli.sh rotate-all

    This command changes the passwords of the physical and logical components on the rack. Because this first run is performed on the primary rack, this step also changes the passwords of entities used across the racks.

    Note:

    The rotate-all command does not change the IPMI passwords.

  9. To rotate the IPMI passwords, run the following command:
    ./vrm-cli.sh rotate-password-ipmi
  10. Obtain the listing of the updated account credentials and save a copy.
    ./vrm-cli.sh lookup-password
  11. Compare the output file you saved prior to rotation with the output file you saved now and verify that all passwords are changed.
  12. Restart the vrm-watchdogserver service, which also restarts the vrm-tcserver service.
    service vrm-watchdogserver start
  13. For the next physical rack, using the root account, connect and log in, for example by SSH, to the rack's SDDC Manager VM.
  14. Stop the vrm-watchdogserver and vrm-tcserver services:
    service vrm-watchdogserver stop
    service vrm-tcserver stop
  15. Change to the /home/vrack/VMware/vRack directory.
  16. Save a copy of the /home/vrack/VMware/vRack/vrm.properties file to a secure location where you can access it later if necessary.
  17. Change to the /home/vrack/bin directory.
  18. At the prompt, use the vrm-cli tool's lookup-password command to obtain the listing of the current account credentials.
    ./vrm-cli.sh lookup-password

    The output displays the account credentials and IP addresses for the physical and logical entities that are managed by the vrm-cli tool. The username and password for each account are displayed.

  19. Save the output to a secure location so that you can compare it to the post-rotated listing.
  20. Rotate this rack's passwords by typing the following command:
    ./vrm-cli.sh rotate-all

    This command changes the passwords of the physical and logical components local to this rack.

  21. To rotate the IPMI passwords, run the following command:
    ./vrm-cli.sh rotate-password-ipmi
  22. Obtain the listing of the updated account credentials and save a copy.
    ./vrm-cli.sh lookup-password
  23. Compare the output file you saved prior to rotation with the output file you saved now and verify that all passwords are changed.
  24. Restart the vrm-watchdogserver service, which also restarts the vrm-tcserver service.
    service vrm-watchdogserver start
  25. Repeat the steps to rotate the passwords for each physical rack in your installation.
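The per-rack steps above, collected into one script as an added example. This is not VMware's code and does not ship with SDDC Manager; it uses only the directories, services and vrm-cli.sh commands the procedure names. The backup directory under /root, the function names, and the assumed lookup-password output format (one account per line as four whitespace-separated columns: entity, IP address, username, password, with no whitespace inside passwords and an optional column-header line) are assumptions, not taken from the page. The compare_listings function automates the comparison in steps 11 and 23 without printing any password: it names only the accounts whose password is unchanged or missing in the post-rotation listing and returns non-zero if the rotation was incomplete, so the watchdog service is restarted either way but the operator still sees a failure.

```sh
#!/bin/sh
# Added example, not VMware's code: one rack's rotation as described on the page.
# Assumed (not from the page): BACKUP_DIR, and that lookup-password prints one
# account per line as "<entity> <ip> <username> <password>" (no spaces in passwords).

VRM_BIN=${VRM_BIN:-/home/vrack/bin}                                       # from the page
VRM_PROPS=${VRM_PROPS:-/home/vrack/VMware/vRack/vrm.properties}           # from the page
BACKUP_DIR=${BACKUP_DIR:-/root/password-rotation-$(date +%Y%m%d-%H%M%S)}  # assumed

# compare_listings BEFORE AFTER
# Lists accounts whose password is unchanged or missing after rotation, without
# printing any password. Exit status 0 = every account rotated, 1 = problems found.
compare_listings() {
    awk '
        # skip blank lines, comments and an assumed column-header line
        NF < 4 || $1 ~ /^#/ || tolower($4) == "password" { next }
        # the first file on the command line is the post-rotation listing
        FILENAME == ARGV[1] { post[$1 " " $2 " " $3] = $4; next }
        {
            key = $1 " " $2 " " $3
            if (!(key in post))       { print "MISSING   " key; bad++ }
            else if (post[key] == $4) { print "UNCHANGED " key; bad++ }
        }
        END { exit (bad > 0) }
    ' "$2" "$1"
}

# rotate_rack: steps 2 to 12 (or 14 to 24) for the rack this script runs on.
rotate_rack() {
    umask 077                                                        # listings hold live credentials
    mkdir -p "$BACKUP_DIR" || return 1
    cp "$VRM_PROPS" "$BACKUP_DIR/vrm.properties.bak" || return 1     # step 3
    service vrm-watchdogserver stop                                  # step 5
    service vrm-tcserver stop
    cd "$VRM_BIN" || return 1                                        # step 4
    ./vrm-cli.sh lookup-password > "$BACKUP_DIR/before.txt" || return 1   # steps 6-7
    ./vrm-cli.sh rotate-all                                          # step 8
    ./vrm-cli.sh rotate-password-ipmi                                # step 9, command as shown on the page
    ./vrm-cli.sh lookup-password > "$BACKUP_DIR/after.txt"           # step 10
    compare_listings "$BACKUP_DIR/before.txt" "$BACKUP_DIR/after.txt"  # step 11
    rc=$?
    service vrm-watchdogserver start                                 # step 12
    return $rc
}

# demo_compare: constructed sample listings (not real output) with one rotated,
# one unchanged and one missing account; returns 1 because rotation is incomplete.
demo_compare() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' 'Entity IP Username Password' \
        'esxi 192.0.2.1 root OldPass1' \
        'vcenter 192.0.2.10 administrator SamePass' \
        'nsx 192.0.2.20 admin OldPass3' > "$dir/before.txt"
    printf '%s\n' 'Entity IP Username Password' \
        'esxi 192.0.2.1 root NewPass1' \
        'vcenter 192.0.2.10 administrator SamePass' > "$dir/after.txt"
    compare_listings "$dir/before.txt" "$dir/after.txt"
    rc=$?
    rm -rf "$dir"
    return $rc
}

# Only rotate when asked explicitly; sourcing or running without arguments is safe.
if [ "${1:-}" = "rotate" ]; then
    rotate_rack
fi
```

Run it as ./rotate-rack.sh rotate in each rack's SDDC Manager VM, primary rack first, and treat a non-zero exit (or any UNCHANGED/MISSING line) as a failed rotation to investigate before moving to the next rack. Running demo_compare alone exercises the comparison on the constructed listings and prints the vcenter account as UNCHANGED and the nsx account as MISSING.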