As a security measure, you can rotate passwords for the logical and physical accounts on all racks in your system. The process of password rotation generates randomized passwords for the selected accounts.

You can rotate passwords for the following accounts.

  • VxRail Manager
  • ESXi
  • vCenter Server

    By default, the vCenter Server root password expires after 90 days.

  • NSX-T Edge
  • NSX Manager
  • vRealize Suite Lifecycle Manager
  • SDDC Manager backup user
The default password policy for rotated passwords is:
  • 15 character in length
  • At least one uppercase letter, a number, and one of the following special characters: ! @ # $ ^ *
  • No more than two of the same characters consecutively

To update the SDDC Manager root, super user, and API passwords, see Updating SDDC Manager Passwords.


  • Verify that there are no currently failed workflows in your Cloud Foundation system. To check for failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom of the page.
  • Verify that no active workflows are running or are scheduled to run during the brief time period that the password rotation process is running. It is recommended that you schedule password rotation for a time when you expect to have no running workflows.
  • Only a user with the ADMIN role can perform this task.


  1. From the navigation pane, choose Administration > Security > Password Management > Locally Managed.

    The Password Management page displays a table with detailed information about all domains, including their account, credential type, FQDN, IP address, and user name. This table is dynamic. Each column can be sorted.

    You can click the filter icon next to the table header and filter the results by a string value. For example, click the icon next to User Name and enter admin to display only domains with that user name value.

  2. Select the account for which you want to rotate passwords from the Component drop-down menu. For example, ESXI.
  3. Select one or more accounts and click Rotate.
    A message appears at the top of the page showing the progress of the operation. The Tasks panel also shows detailed status for the password rotation operation. Click on the task name to view sub-tasks. As each of these tasks are run, the status is updated. If the task fails, you can click Retry.


Password rotation is complete when all sub-tasks are completed successfully.