As a security measure, you can rotate passwords for the logical and physical entities on all racks in your system. The process of password rotation generates randomized passwords for the selected accounts.

You can rotate passwords for the following entities.

  • ESXi
  • vCenter Server

    By default, the vCenter Server root password expires after 90 days.

  • PSC

    By default, the PSC password expires after 90 days.

  • NSX Manager
  • NSX Controllers (NSX for vSphere and NSX-T)
  • NSX Edge
  • NSX-T Manager
  • vRealize Log Insight
  • vRealize Operations
  • vRealize Automation
  • vRealize Suite Lifecycle Manager
  • SDDC Manager backup user
The default password policy for rotated passwords is:
  • 15 character in length
  • At least one uppercase letter, a number, and one of the following special characters: ! @ # $ ^ *
  • No more than two of the same characters consecutively

To update the SDDC Manager root, super user, and API passwords, see Updating SDDC Manager Passwords.

Prerequisites

  • Verify that there are no currently failed workflows in your VMware Cloud Foundation system. To check for failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom of the page.
  • Verify that no active workflows are running or are scheduled to run during the brief time period that the password rotation process is running. It is recommended that you schedule password rotation for a time when you expect to have no running workflows.
  • Configure the privileged user. For more information, see Configure Dual Authentication.

Procedure

  1. From the navigation pane, choose Administration > Security > Password Management > Locally Managed..

    The Password Management page displays a table with detailed information about all domains, including their component, credential type, FQDN, IP address, and user name. This table is dynamic. Each column can be sorted.

    You can click the filter icon next to the table header and filter the results by a string value. For example, click this icon next to User Name and enter admin to display only domains with that user name value.

  2. Select the component type for which you want to rotate passwords from the Component drop-down menu. For example, ESXI.
  3. Select one or more components and click Rotate.
  4. Enter the privileged username and the privileged password and click Rotate.
    A message appears at the top of the page showing the progress of the operation. The Tasks panel also shows detailed status for the password rotation operation. Click on the task name to view sub-tasks. As each of these tasks are run, the status is updated. If the task fails, you can click Retry.

Results

Password rotation is compete when all sub-tasks are completed successfully.