A password complexity policy defines the minimum requirements for the definition of an account’s password. The settings are different according to the account type and component of the VMware Cloud Foundation instance.
| Management Component | Password Complexity Settings | Scope |
|---|---|---|
| ESXi | | Local user |
| vCenter Single Sign-On | | vCenter Single Sign-On domain |
| vCenter Server | | Local user |
| NSX Manager | | Local user |
| NSX Edge | | Local user |
| SDDC Manager | | Local user |
Prerequisites
Configure the Local User Password Complexity Policy for ESXi
Define the requirements for local user passwords for the ESXi hosts in VMware Cloud Foundation including required password length, character class requirements, or allowing passphrases.
| Setting | Default Value |
|---|---|
| Security.PasswordHistory | 0 |
| Security.PasswordQualityControl | retry=3 min=disabled,disabled,disabled,7,7 |
For information about the format of the Security.PasswordQualityControl settings, see ESXi Passwords and Account Lockout in the vSphere Security documentation.
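The following shell script is an added example and is not part of the VMware documentation or of any VMware tool. It models how the `min=N0,N1,N2,N3,N4` field of a Security.PasswordQualityControl string is applied by pam_passwdqc, the module behind the ESXi setting: the five positions are the minimum length for passwords built from one, two, (passphrase), three and four character classes, and `disabled` rejects that kind of password outright. Passphrase checking (the third position) is not modelled, the `retry=` part is ignored, and the candidate passwords are constructed for the demo.

```shell
#!/bin/sh
# Added example (not VMware code): model of pam_passwdqc's handling of the
# "min=N0,N1,N2,N3,N4" field in an ESXi Security.PasswordQualityControl string.
#   N0 = one character class, N1 = two classes, N2 = passphrase (not modelled),
#   N3 = three classes, N4 = four classes; "disabled" rejects that kind outright.
export LC_ALL=C

# esxi_policy_min POLICY -> prints the comma-separated min= field of POLICY
esxi_policy_min() {
    printf '%s\n' "$1" | sed -nE 's/.*min=([^[:space:]]+).*/\1/p'
}

# esxi_class_count PASSWORD -> number of character classes that count.
# passwdqc does not count a leading uppercase letter or a trailing digit,
# so "Password1" is treated as a one-class password.
esxi_class_count() {
    body=$1
    case $body in [A-Z]*) body=${body#?} ;; esac
    case $body in *[0-9]) body=${body%?} ;; esac
    classes=0
    case $body in *[a-z]*) classes=$((classes + 1)) ;; esac
    case $body in *[A-Z]*) classes=$((classes + 1)) ;; esac
    case $body in *[0-9]*) classes=$((classes + 1)) ;; esac
    case $body in *[!a-zA-Z0-9]*) classes=$((classes + 1)) ;; esac
    echo "$classes"
}

# esxi_pwquality_check POLICY PASSWORD -> exit 0 if accepted, 1 if rejected,
# 2 if the policy string has no min= field
esxi_pwquality_check() {
    policy=$1; pw=$2
    min=$(esxi_policy_min "$policy")
    if [ -z "$min" ]; then
        echo "error: policy has no min= field" >&2
        return 2
    fi
    # Split the five positions; n2 (passphrase minimum) is parsed but unused.
    n0=${min%%,*}; rest=${min#*,}
    n1=${rest%%,*}; rest=${rest#*,}
    n2=${rest%%,*}; rest=${rest#*,}
    n3=${rest%%,*}; n4=${rest#*,}
    classes=$(esxi_class_count "$pw")
    case $classes in
        0|1) req=$n0 ;;
        2)   req=$n1 ;;
        3)   req=$n3 ;;
        4)   req=$n4 ;;
    esac
    len=${#pw}
    if [ "$req" = disabled ]; then
        echo "reject: passwords with $classes character class(es) are disabled"
        return 1
    fi
    if [ "$len" -lt "$req" ]; then
        echo "reject: length $len is below the minimum of $req for $classes class(es)"
        return 1
    fi
    echo "accept: $classes class(es), length $len >= $req"
    return 0
}

# Constructed inputs: the page's default policy and three candidate passwords.
for candidate in 'Password1' 'Passw0rd!' 'aB3!xyz'; do
    esxi_pwquality_check 'retry=3 min=disabled,disabled,disabled,7,7' "$candidate" || true
done
```

With the default `disabled,disabled,disabled,7,7`, a password that relies on a capitalised first letter and a trailing digit for its character classes is counted as a one-class password and rejected, which is the behaviour to keep in mind when explaining the policy to users.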
UI Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the Hosts and clusters inventory, expand the management domain vCenter Server tree and expand the management domain data center.
- Expand the management domain cluster.
- Select the first ESXi host and click the Configure tab.
- In the System section, click Advanced system settings.
- On the Advanced system settings page, click Edit.
- In the key filter text box, enter Security.PasswordHistory and configure the setting according to the requirements of your organization.
- In the key filter text box, enter Security.PasswordQualityControl, enter values for the setting according to the requirements of your organization, and click OK.
- Repeat this procedure on all remaining hosts in the cluster.
- Repeat this procedure on all remaining clusters in the management domain.
- Repeat this procedure for all VI workload domains and their clusters.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$cluster = "sfo-m01-cl01"
$policy = "retry=3 min=disabled,disabled,disabled,7,7"
$history = "3"
- Perform the configuration by running the command in the PowerShell console.
Update-EsxiPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -policy $policy -history $history
- Repeat this procedure on all remaining clusters in the management domain.
- Repeat this procedure for all VI workload domains and their clusters.
Configure the Password Complexity Policy for vCenter Single Sign-On
Define the password format requirements for the vCenter Single Sign-On built-in identity provider for VMware Cloud Foundation.
The password complexity policy applies only to user accounts in the vsphere.local domain of the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system accounts and [email protected].
| Setting | Default Value |
|---|---|
| Restrict reuse | 5 |
| Maximum length | 20 |
| Minimum length | 8 |
| Special characters | 1 |
| Alphabetic characters | 2 |
| Uppercase characters | 1 |
| Lowercase characters | 1 |
| Numeric characters | 1 |
| Identical adjacent characters | 1 |
UI Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- From the vSphere Client Menu, select Administration.
- In the Single Sign On section, click Configuration.
- On the Configuration page, click the Local accounts tab.
- In the Password policy section, click Edit.
- Modify the settings according to the requirements of your organization and click Save.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$minLength = "8"
$maxLength = "20"
$minAlphabetic = "2"
$minLowercase = "1"
$minUppercase = "1"
$minNumerical = "1"
$minSpecial = "1"
$maxIdenticalAdjacent = "1"
$history = "5"
- Perform the configuration by running the command in the PowerShell console.
Update-SsoPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -maxLength $maxLength -minAlphabetic $minAlphabetic -minLowercase $minLowercase -minUppercase $minUppercase -minNumeric $minNumerical -minSpecial $minSpecial -maxIdenticalAdjacent $maxIdenticalAdjacent -history $history
Configure the Local User Password Complexity Policy for vCenter Server
Define the password format requirements for the local users of the vCenter Server appliances in VMware Cloud Foundation, such as the root account.
| Setting | Default Value | Description |
|---|---|---|
| minlen | 6 | Minimum password length |
| lcredit | -1 | Maximum number of lowercase characters that will generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that will generate a credit |
| dcredit | -1 | Maximum number of digits that will generate a credit |
| ocredit | -1 | Maximum number of other characters that will generate a credit |
| difok | 4 | Minimum number of characters that must be different from the old password |
| remember | 5 | Maximum number of passwords the system remembers |
UI Procedure
- Log in to the vCenter Server appliance for the management domain using SSH as root.
- Enable shell access.
shell
- Back up the password requirements for the appliance by using the following command.
cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
- Set these settings according to the requirements of your organization using the following commands.
sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
- Repeat this procedure on each VI workload domain vCenter Server.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$minLength = "6"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumeric = "-1"
$minSpecial = "-1"
$minUnique = "4"
$history = "5"
- Perform the configuration by running the command in the PowerShell console.
Update-VcenterPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumeric -minSpecial $minSpecial -minUnique $minUnique -history $history
- Repeat this procedure for all VI workload domains.
Configure the Local User Password Complexity Policy for NSX Manager
Define the password format requirements for local users of the NSX Manager appliances in VMware Cloud Foundation.
| Setting | Default Value | Description |
|---|---|---|
| minlen | 15 | Minimum password length. Note: If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager. |
| lcredit | -1 | Maximum number of lowercase characters that will generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that will generate a credit |
| dcredit | -1 | Maximum number of digits that will generate a credit |
| ocredit | -1 | Maximum number of other characters that will generate a credit |
| difok | 0 | Minimum number of characters that must be different from the old password |
| retry | 3 | Maximum number of retries |
UI Procedure
- Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as [email protected].
- Expand the VM folder containing the NSX Manager cluster for the management domain.
- Select the first node of the NSX Manager cluster and click Launch web console.
- Log in to the NSX Manager node as root.
- Back up the password requirements for the appliance using the following command.
cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back
- Set these settings according to the requirements of your organization using the following commands.
sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
- Repeat this procedure on the remaining NSX Local Manager nodes for the management domain.
- Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
- Repeat this procedure on all NSX Global Manager nodes.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$minLength = "15"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "0"
$maxRetry = "3"
- Perform the configuration by running the command in the PowerShell console.
Update-NsxtManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry
- Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
- Configure the password complexity policies on all NSX Global Manager clusters manually in the appliance console of each node.
Configure the Local User Password Complexity Policy for NSX Edge
Define the password format requirements for local users on the NSX Edge appliance in VMware Cloud Foundation.
| Setting | Default Value | Description |
|---|---|---|
| minlen | 15 | Minimum password length. Note: If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager. |
| lcredit | -1 | Maximum number of lowercase characters that will generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that will generate a credit |
| dcredit | -1 | Maximum number of digits that will generate a credit |
| ocredit | -1 | Maximum number of other characters that will generate a credit |
| difok | 0 | Minimum number of characters that must be different from the old password |
| retry | 3 | Maximum number of retries |
UI Procedure
- If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, expand the management domain vCenter Server tree and expand the management domain data center.
- Expand the VM folder containing the NSX Edge cluster for the management domain.
- Select the first node of the NSX Edge cluster and click Launch web console.
- If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
- Log in to the NSX Edge node as root.
- Back up the password requirements for the appliance using the following command.
cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back
- Set these settings according to the requirements of your organization using the following commands.
sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
- Repeat this procedure on the remaining NSX Edge cluster nodes in the management domain.
- Repeat this procedure on all NSX Edge clusters in the VI workload domains.
PowerShell Procedure
You can use the PowerShell command for configuring the password complexity policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX-T Data Center documentation.
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
$sddcDomainName = "sfo-m01"
$minLength = "15"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "0"
$maxRetry = "3"
- Perform the configuration by running the command in the PowerShell console.
Update-NsxtEdgePasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry
- Repeat this procedure for all NSX Edge clusters in the VI workload domains.
Configure the Local User Password Complexity Policy for SDDC Manager
Define the password format requirements for local users of the SDDC Manager appliance.
| Setting | Default Value | Description |
|---|---|---|
| minlen | 8 | Minimum password length |
| lcredit | -1 | Maximum number of lowercase characters that will generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that will generate a credit |
| dcredit | -1 | Maximum number of digits that will generate a credit |
| ocredit | -1 | Maximum number of other characters that will generate a credit |
| minclass | 4 | Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other) |
| difok | 4 | Minimum number of characters that must be different from the old password |
| retry | 3 | Maximum number of retries |
| maxsequence | 0 | Maximum number of times a single character may be repeated |
| remember | 5 | Maximum number of passwords the system remembers |
UI Procedure
- Log in to the SDDC Manager appliance using SSH as vcf.
- Change to the root user.
su -
- Back up the password requirements using the following command.
cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
- Set these settings according to the requirements of your organization using the following commands.
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
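The following helper is an added example and is not part of the VMware documentation or of SDDC Manager. It covers the `sed -i` edits in the vCenter Server, NSX Manager, NSX Edge and SDDC Manager procedures above, which silently change nothing when the option is missing from the PAM line (or edit several lines when it appears more than once). The helper checks that the option occurs exactly once, creates the same timestamped backup the procedures do, performs the edit and then verifies the new value is in place. The PAM line used in the demo is constructed from the vCenter Server defaults; on a real appliance the file path would be /etc/pam.d/system-password or /etc/pam.d/common-password as in the procedures.

```shell
#!/bin/sh
# Added example (not VMware code): guarded replacement for the blind
# "sed -i -E 's/key=.../key=<value>/'" edits used in the procedures.
export LC_ALL=C

# get_pam_option FILE KEY -> prints the numeric value of KEY=... in FILE (empty if absent)
get_pam_option() {
    grep -oE "(^|[[:space:]])$2=-?[0-9]+" "$1" | sed -E "s/.*$2=//"
}

# set_pam_option FILE KEY VALUE -> 0 on success, 1 if verification after the edit
# failed, 2 if a precondition (file present, integer value, key present once) fails
set_pam_option() {
    file=$1; key=$2; value=$3
    if [ ! -f "$file" ]; then
        echo "error: $file does not exist" >&2
        return 2
    fi
    if ! printf '%s' "$value" | grep -qE '^-?[0-9]+$'; then
        echo "error: value '$value' for $key is not an integer" >&2
        return 2
    fi
    occurrences=$(grep -oE "(^|[[:space:]])$key=-?[0-9]+" "$file" | wc -l | tr -d ' ')
    if [ "$occurrences" -ne 1 ]; then
        echo "error: expected exactly one $key= in $file, found $occurrences" >&2
        return 2
    fi
    # Same backup naming as the documented procedure.
    cp -p "$file" "$file-$(date +%F_%H:%M:%S).back"
    sed -i -E "s/(^|[[:space:]])$key=-?[0-9]+/\1$key=$value/" "$file"
    # Verify the edit actually took effect before reporting success.
    if [ "$(get_pam_option "$file" "$key")" != "$value" ]; then
        echo "error: $key=$value not present in $file after edit" >&2
        return 1
    fi
    return 0
}

# Demo on a constructed copy of a PAM line using the vCenter Server defaults
# from the table above (assumption: the real line uses the same key=value layout).
PAM_FILE=$(mktemp)
printf 'password requisite pam_cracklib.so minlen=6 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 difok=4 remember=5\n' > "$PAM_FILE"
echo "before: minlen=$(get_pam_option "$PAM_FILE" minlen)"
set_pam_option "$PAM_FILE" minlen 14
echo "after:  minlen=$(get_pam_option "$PAM_FILE" minlen)"
# minclass is not on this line, so the helper refuses instead of silently doing nothing.
set_pam_option "$PAM_FILE" minclass 4 || echo "minclass left unchanged: key not present"
rm -f "$PAM_FILE" "$PAM_FILE"-*.back
```

Because `cp -p` to a timestamped name overwrites an earlier backup made within the same second, run the edits one at a time or keep the first backup separately if several options are changed in one session.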
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "[email protected]"
$sddcManagerPass = "VMw@re1!"
# Replace with the name of your management domain
$sddcDomainName = "sfo-m01"
$rootPass = "VMw@re1!"
$minLength = "6"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "4"
$minClass = "4"
$maxSequence = "0"
$history = "5"
$maxRetry = "3"
- Perform the configuration by running the command in the PowerShell console.
Update-SddcManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -minClass $minClass -maxSequence $maxSequence -history $history -maxRetry $maxRetry