Password management CLI commands are located in /home/vrack/bin in the SDDC Manager virtual machine's file system. Only the root account can run these commands. To run a command, change to the /home/vrack/bin directory and type the command.

To get help on a specific command, use the following option.

command --help

For example, to get help on the lookup command, use the following command.

lookup-passwords --help

Lookup Commands

Use these commands to look up information about entities managed by SDDC Manager.

Table 1. Lookup Commands

| Command | Options | Description |
| --- | --- | --- |
| lookup-history | latest; timestamp yyyy-mm-dd.hh:mm:ss; -json | Manages and retrieves the password history recorded in Zookeeper. lookup-history latest lists the account information from the most recent history recorded in Zookeeper. lookup-history timestamp yyyy-mm-dd.hh:mm:ss lists the password-rotation history associated with the specified timestamp. |
| lookup-passwords | None | Retrieves and lists the account credentials for the built-in accounts that are managed and rotated by SDDC Manager. See also Look Up Account Credentials. |

Password Change, Set Up, and Generation Commands

Use these commands to change passwords to software-generated randomized passwords for the accounts that are managed by SDDC Manager, set up ESXi host passwords, and generate passwords that adhere to the SDDC Manager password policies.

Table 2. Password Change, Set Up, and Generation Commands

| Command | Options | Description |
| --- | --- | --- |
| rotate-passwords | None | Rotates passwords for all inventory items that are visible and safe to automatically rotate. |
| decrypt | encrypted-text | Decrypts the input text and prints the output to the command line. Used by SDDC Manager. Manual use of this command is not needed. |
| encrypt | plain-text | Encrypts the input text and prints the output to the command line. Used by SDDC Manager. Manual use of this command is not needed. |
| setup-esx-password | None | Creates a password workflow for setting an ESXi host password using the old password provided. Used by the host commissioning procedure. Manual use of this command is not needed. |

Password Workflow Commands

Use these commands for password workflows. Commands are listed alphabetically.

Table 3. Password Workflow Commands

| Command | Options | Description |
| --- | --- | --- |
| create-password-workflow | None | Creates specific password workflows. Used by SDDC Manager. Manual use of this command is not needed. To rotate passwords, use the rotate-passwords or setup-esx-password command. |
| delete-password-workflows | latest | Deletes a workflow. In general, it is a workflow that has failed and cannot otherwise be corrected so that it can resume and run to completion. The identifier of the workflow can be obtained in one of the following ways: for a failed workflow, use get-password-workflow latest; for an older, successful workflow, use list-password-workflows. |
| get-password | --ip xxx.xxx.xxx.xxx; username login | Retrieves a password for a device. get-password --ip xxx.xxx.xxx.xxx retrieves the password for the device with the specified IP address. |
| get-password-workflow | latest | Retrieves a specific password workflow instance by using its identifier. For example, get-password-workflow latest displays the latest (or current) workflow. |
| get-sso | -p; -u | Retrieves either the SSO username or password. This command works even when SDDC Manager is not running. get-sso -p retrieves the SSO password. get-sso -u retrieves the SSO username. |
| list-password-workflows | None | Lists all of the password workflows in the system. You can view a few summary attributes about each workflow, including its identifier and status, as well as an error message when applicable. |
| resume-password-workflows | --skip-failed-task | Resumes a failed workflow. You may run this command after you take corrective action based on a failed task during password rotation. resume-password-workflows --skip-failed-task skips a failed task and resumes the workflow. After a success message is displayed, run the monitor-password-workflow command to see the workflow progress. |
| monitor-password-workflow | None | Monitors the latest (or current) workflow, which is an asynchronous job running in the SDDC Manager. It polls the status of the workflow and reports percentage completed until the workflow finishes, at which time it reports its status. |
| vrm-rest | None | Private command containing implementation details of the CLI commands. Manual use of this command is not needed. |