Configuring password policies includes configuring password expiration, complexity, and account lockout policies according to the requirements of your organization, which might be based on industry compliance standards. In VMware Cloud Foundation, this activity is performed manually.

Password Policy Configuration and Password Management

VMware Cloud Foundation does not prescribe or automate the process of configuring a password policy across the system. However, your organization might have specific requirements defined either by the organization itself or through an industry compliance standard that prescribes the changes that you must make to the default policy configuration.

After you configure the password policy, you can use SDDC Manager to rotate or manually update the passwords of the management components in VMware Cloud Foundation by using automation. See Password Management in the VMware Cloud Foundation Administration Guide.

For information about password policy design including the details and justification for the configuration of password expiration, complexity and account lockout policies, see the Information Security and Access Control Design for VMware Cloud Foundation in the Identity and Access Management for VMware Cloud Foundation validated solution.

Table 1. Password Policies Support in the Management Components of VMware Cloud Foundation

| Password Policy | Support by Management Component |
|---|---|
| Password expiration | ESXi, vCenter Single Sign-On, vCenter Server, NSX Manager, NSX Edge, SDDC Manager |
| Password complexity | ESXi, vCenter Single Sign-On, vCenter Server, NSX Manager, NSX Edge, SDDC Manager |
| Account lockout | ESXi, vCenter Single Sign-On, vCenter Server, NSX Manager, NSX Edge, SDDC Manager |

Approaches to Password Policy Configuration

For initial configuration of the password policy in VMware Cloud Foundation, you usually configure all password policies on a management component and then proceed with the next one. You can also configure a specific property in a password policy across several management components.

Table 2. Password Policy Configuration by Management Component

Management Component

  • ESXi

  • vCenter Single Sign-On

  • vCenter Server

  • NSX Manager

  • NSX Edge

  • SDDC Manager

Prerequisites

Before you configure password policies, verify that your system fulfills the following prerequisites.

| Category | Prerequisite |
|---|---|
| Environment | Verify that your VMware Cloud Foundation instance is healthy and fully operational. |

If you want to use the infrastructure-as-code method to perform the password policy configuration procedures, verify that your system also fulfills the following prerequisites.

Table 3. System Requirements for Infrastructure-as-Code

CLI Method: PowerShell

Prerequisite:

  • Verify that your system has Microsoft PowerShell 5.1 installed. See Microsoft PowerShell.
  • Install the PowerValidatedSolutions PowerShell module together with the supporting modules from the PowerShell Gallery by running the following commands.
    Install-Module -Name VMware.PowerCLI -MinimumVersion 12.7.0
    Install-Module -Name VMware.vSphere.SsoAdmin -MinimumVersion 1.3.8
    Install-Module -Name ImportExcel -MinimumVersion 7.1.1
    Install-Module -Name PowerVCF -MinimumVersion 2.2.0
    Install-Module -Name PowerValidatedSolutions -MinimumVersion 2.0.0
  • Import the PowerValidatedSolutions and the PowerCLI PowerShell modules by running the following commands.
    Import-Module -Name VMware.PowerCLI -MinimumVersion 12.7.0
    Import-Module -Name PowerValidatedSolutions -MinimumVersion 2.0.0
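
To confirm that the PowerShell prerequisites above are met on the system you plan to run the configuration from, you can use a check such as the following. This is an added example, not part of the original page or of the PowerValidatedSolutions module; the function name Test-PasswordPolicyPrereq is hypothetical, and the module names and minimum versions are the ones listed above.

```powershell
# Added example: verify the PowerShell prerequisites listed on this page.
# Test-PasswordPolicyPrereq is a hypothetical helper name, not a VMware cmdlet.
function Test-PasswordPolicyPrereq {
    [CmdletBinding()]
    param(
        # Minimum versions taken from the Install-Module commands on this page.
        [hashtable]$Required = @{
            'VMware.PowerCLI'         = '12.7.0'
            'VMware.vSphere.SsoAdmin' = '1.3.8'
            'ImportExcel'             = '7.1.1'
            'PowerVCF'                = '2.2.0'
            'PowerValidatedSolutions' = '2.0.0'
        }
    )

    $results = @()

    # PowerShell itself: the page requires version 5.1.
    $ps = $PSVersionTable.PSVersion
    $results += [pscustomobject]@{
        Name      = 'PowerShell'
        Minimum   = '5.1'
        Installed = $ps.ToString()
        Ok        = ($ps.Major -gt 5) -or ($ps.Major -eq 5 -and $ps.Minor -ge 1)
    }

    foreach ($name in ($Required.Keys | Sort-Object)) {
        $min = [version]$Required[$name]
        # A module can be installed in several versions; evaluate the highest one.
        $found = Get-Module -ListAvailable -Name $name |
            Sort-Object -Property Version -Descending |
            Select-Object -First 1
        $results += [pscustomobject]@{
            Name      = $name
            Minimum   = $min.ToString()
            Installed = if ($found) { $found.Version.ToString() } else { $null }
            Ok        = [bool]($found -and $found.Version -ge $min)
        }
    }
    $results
}

# Report every prerequisite and warn if any is missing or too old.
$report = Test-PasswordPolicyPrereq
$report | Format-Table -AutoSize
if ($report.Ok -contains $false) {
    Write-Warning 'One or more prerequisites are missing or below the minimum version.'
}
```

A row with an empty Installed value means the module is not installed for the current user or system scope; a row with Ok set to False and a value in Installed means the installed version is below the listed minimum.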