To ensure security in your installation, you can rotate the passwords for the built-in accounts that are used by the installation's physical and logical entities using the vrm-cli tool. Rotating these passwords periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities occurring.
Many of the physical and logical entities in your Cloud Foundation installation have built-in accounts. Those accounts' passwords are managed by the SDDC Manager software's vrm-cli tool. At the end of the bring-up process on a physical rack, you are required to rotate the account passwords by logging in to that rack's SDDC Manager virtual machine, stopping the vrm-watchdogserver and vrm-tcserver services, and running the ./vrm-cli.sh rotate-all command. At any time, you can use the ./vrm-cli.sh lookup-password command to get a listing of the account names and current passwords for these built-in accounts.
The types of accounts for which the passwords are rotated using the vrm-cli tool are:
Accounts used for service consoles, for example the ESX root account
Single sign-on account
Default administrative user account used by virtual appliances
Cumulus Account used by switches running Cumulus Linux, for example, the management switches
Network-admin roles used by switches not running Cumulus Linux
Root accounts for the LCM and LCM Backup virtual machines
Service accounts, such as the backupuser account for the LCM Backup virtual machine
Internal database service accounts, such as the JDBC account
To rotate IPMI passwords, you run the ./vrm-cli.sh rotate-password-ipmi command.
The rotation process generates randomized passwords for the accounts.
Always modify these passwords using the vrm-cli tool. Do not manually modify the passwords for the accounts that are managed by the vrm-cli tool. Manually modifying these passwords outside of the vrm-cli tool breaks the SDDC Manager software's ability to manage the physical and logical entities.
When you rotate passwords on-demand in a steady-state installation, you must run the ./vrm-cli.sh rotate-all command in turn on each physical rack in the installation. When the command is run on the Cloud Foundation environment's primary rack, the passwords for entities local to that rack, such as the ESXi hosts and switches, are rotated as well as the entities that cross physical racks, such as the vRealize Operations Manager cluster nodes. After running the command on the primary rack, you run the command on the subsequent racks, which changes the passwords for entities local to that rack.
For a description of which rack in a Cloud Foundation installation is the primary rack, see About the Primary Rack and the SDDC Manager Virtual IP Address.
You run the vrm-cli.sh rotate-all command by logging in to a rack's SDDC Manager VM using the root account credentials. The
vrm-cli.sh script is located in the /home/vrack/bin directory. For information about the SDDC Manager VM's root account, see Credentials for Logging In To the SDDC Manager (vrm) Virtual Machine.
Before performing on-demand password rotation, ensure:
No failed workflows exist in your installation. Use the Workflows area of the System Status page to verify there are no workflows in a failure state.
No active workflows, such as creating or deleting workload domains, are running or are expected to run during the password rotation process. Before performing on-demand password rotation, schedule a window of time in which you expect no running workflows to occur.
The services vrm-watchdogserver and vrm-tcserver are stopped in the SDDC Manager virtual machine in which you are running the vrm-cli tool.