As a security measure, you can rotate passwords for the components in your VMware Cloud Foundation instance. The process of password rotation generates randomized passwords for the selected accounts. You can rotate passwords manually or set up auto-rotation for accounts managed by SDDC Manager.

You can rotate passwords for the following accounts.

  • ESXi
    Note: Auto-rotate is not suported for ESXi.
  • vCenter Server

    By default, the vCenter Server root password expires after 90 days.

    Note: Auto-rotate is automatically enabled for vCenter Server service accounts. It may take up to 24 hours to configure the service account auto-rotate policy for a newly deployed vCenter Server.
  • vSphere Single-Sign On (PSC)
  • NSX Edge nodes
  • NSX Manager
  • vRealize Suite Lifecycle Manager
  • vRealize Log Insight
  • vRealize Operations
  • vRealize Automation
  • Workspace ONE Access
    Note: For Workspace ONE Access passwords, the password rotation method varies depending on the user account. See the table below for details.
  • SDDC Manager backup user
Table 1. Password Rotation Details for Workspace ONE Access User Accounts

Workspace ONE Access User Account

vRealize Suite Lifecycle Manager Locker Entry

Password Rotation Method

Password Rotation Scope

admin (443)

xint-wsa-admin

SDDC Manager Password Rotation

Application

admin (8443)

xint-wsa-admin

vRealize Suite Lifecycle Manager Global Environment

Per node

configadmin (443)

xint-wsa-configadmin
  1. Reset the configadmin user password in Workspace ONE Access via the email reset link.
  2. Create a new credential object in vRealize Suite Lifecycle Manager Locker to match the new password.
  3. Update the credential object referenced by globalEnvironment in vRealize Suite Lifecycle Manager locker to the new credential object.

Application

sshuser

global-env-admin

vRealize Suite Lifecycle Manager Global Environment

Per node

root (ssh)

xint-wsa-root

SDDC Manager Password Rotation

Per node
The default password policy for rotated passwords requires:
  • 20 characters in length
  • At least one uppercase letter, a number, and one of the following special characters: ! @ # $ ^ *
  • No more than two of the same characters consecutively

If you changed the vCenter Server password length using the vSphere Client or the ESXi password length using the VMware Host Client, rotating the password for those components from SDDC Manager generates a password that complies with the password length that you specified.

To update the SDDC Manager root, super user, and API passwords, see Updating SDDC Manager Passwords.

Prerequisites

  • Verify that there are no currently failed workflows in SDDC Manager. To check for failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom of the page.
  • Verify that no active workflows are running or are scheduled to run during the brief time period that the password rotation process is running. It is recommended that you schedule password rotation for a time when you expect to have no running workflows.
  • Only a user with the ADMIN role can perform this task.

Procedure

  1. In the navigation pane, click Security > Password Management.
  2. Click the tab for the component that includes the accounts for which you want to rotate a password.
    Password Management options for ESXi accounts.
    For example, ESXI.
  3. Select one or more accounts and click one of the following operation.
    • Rotate Now
    • Schedule Rotation
      You can set the password rotation interval (30 days, 60 days, or 90 days). You can also deactivate the schedule.
      Note: Auto-rotate schedule is configured to run at midnight on the scheduled date. If auto-rotate could not start due to any technical issue, there is a provision to auto-retry every hour till start of the next day. In case schedule rotation is missed due to technical issues the UI displays a global notification with failed task status. The status of the schedule rotation can also be checked on the Tasks panel.
    A message appears at the top of the page showing the progress of the operation. The Tasks panel also shows detailed status for the password rotation operation. To view sub-tasks, click the task name. As each of these tasks is run, the status is updated. If the task fails, you can click Retry.

Results

Password rotation is complete when all sub-tasks are completed successfully.