A password complexity policy defines the minimum requirements for the definition of an account’s password. The settings are different according to the account type and component of the VMware Cloud Foundation instance.
| Management Component | Password Complexity Settings | Scope |
|---|---|---|
| ESXi |
|
Local user |
| vCenter Single Sign-On |
|
vCenter Single Sign-On domain |
| vCenter Server |
|
Local user |
| NSX Manager |
|
Local user |
| NSX Edge |
|
Local user |
| SDDC Manager |
|
Local user |
Prerequisites
Configure the Local User Password Complexity Policy for ESXi
Define the requirements for local user passwords for the ESXi hosts in VMware Cloud Foundation including required password length, character class requirements, or allowing passphrases.
| Setting |
Default Value |
|---|---|
| Security.PasswordHistory |
0 |
| Security.PasswordQualityControl |
retry=3 min=disabled,disabled,disabled,7,7 |
For information about the format of the Security.PasswordQualityControl settings, see ESXi Passwords and Account Lockout in the vSphere Security documentation.
UI Procedure
- Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
- In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.
Select the first ESXi host and click the Configure tab.
In the System section, click Advanced system settings.
On the Advanced system settings page, click Edit.
In the key filter text box, enter Security.PasswordHistory, configure the settings according to the requirements of your organization.
In the key filter text box, enter Security.PasswordQualityControl, enter values for the settings according to the requirements of your organization, and click OK.
Repeat this procedure on all remaining hosts in the cluster.
Repeat this procedure on all remaining clusters in the workload domain.
Repeat this procedure for all the other workload domains and their clusters.
PowerShell Procedure
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $cluster = "sfo-m01-cl01" $policy = "retry=3 min=disabled,disabled,disabled,7,7” $history = "3"
Perform the configuration by running the command in the PowerShell console.
Update-EsxiPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -policy $policy -history $history
Repeat this procedure on all remaining clusters in the
$sddcDomainNameworkload domain.Repeat this procedure for all clusters in the remaining workload domains.
Configure the Password Complexity Policy for vCenter Single Sign-On
Define the password format requirements for the vCenter Single Sign-On built-in identity provider for VMware Cloud Foundation.
The password complexity policy applies only to user accounts in the vsphere.local domain of the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system accounts and [email protected].
Setting |
Default Value |
|---|---|
Restrict reuse |
5 |
Maximum length |
20 |
Minimum length |
8 |
Special characters |
1 |
Alphabetic characters |
2 |
Uppercase characters |
1 |
Lowercase characters |
1 |
Numeric characters |
1 |
Identical adjacent characters |
1 |
UI Procedure
- Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
- From the vSphere Client Menu, select Administration.
In the Single Sign On section, click Configuration.
On the Configuration page, click the Local accounts tab.
In the Password policy section, click Edit.
Modify the settings according to the requirements of your organization and click Save.
PowerShell Procedure
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $minLength = "8" $maxLength = "20" $minAlphabetic = "2" $minLowercase = "1" $minUppercase = "1" $minNumerical = "1" $minSpecial = "1" $maxIdenticalAdjacent = "1" $history = "5"
Perform the configuration by running the command in the PowerShell console.
Update-SsoPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -maxLength $maxLength -minAlphabetic $minAlphabetic -minLowercase $minLowercase -minUppercase $minUppercase -minNumeric $minNumerical -minSpecial $minSpecial -maxIdenticalAdjacent $maxIdenticalAdjacent -history $history
Configure the Local User Password Complexity Policy for vCenter Server
Define the password format requirements for the local users of the vCenter Server appliances in VMware Cloud Foundation, such as the root account.
Setting |
Default Value |
Description |
|---|---|---|
minlen |
6 |
Minimum password length |
lcredit |
-1 |
Maximum number of lowercase characters that will generate a credit |
ucredit |
-1 |
Maximum number of uppercase characters that will generate a credit |
dcredit |
-1 |
Maximum number of digits that will generate a credit |
ocredit |
-1 |
Maximum number of other characters that will generate a credit |
difok |
4 |
Minimum number of characters that must be different from the old password |
remember |
5 |
Maximum number of passwords the system remembers |
UI Procedure
Log in to the vCenter Server appliance for a workload domain using SSH as root.
Enable shell access.
shell
- Back up the password requirements for the appliance by using the following command.
cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
-
Set these settings according to the requirements of your organization using the following commands.
sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-passwords sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
Repeat this procedure on the vCenter Server instance for the remaining workload domains.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $minLength = "6" $minLowercase = "-1" $minUppercase = "-1" $minNumeric = "-1" $minSpecial = "-1" $minUnique = "4" $history = "5"
- Perform the configuration by running the command in the PowerShell console.
Update-VcenterPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumeric -minSpecial $minSpecial -minUnique $minUnique -history $history
- Repeat this procedure for all VI workload domains.
Configure the Local User Password Complexity Policy for NSX Manager
Define the password format requirements for local users of the NSX Manager appliances in VMware Cloud Foundation.
Setting |
Default Value |
Description |
|---|---|---|
minlen |
12 |
Minimum password length
Note:
If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager. |
lcredit |
-1 |
Maximum number of lowercase characters that will generate a credit |
ucredit |
-1 |
Maximum number of uppercase characters that will generate a credit |
dcredit |
-1 |
Maximum number of digits that will generate a credit |
ocredit |
-1 |
Maximum number of other characters that will generate a credit |
difok |
0 |
Minimum number of characters that must be different from the old password |
| MAX_PASSWORD_LEN | 128 | Maximum Password Length |
| maxrepeat | 0 | Maximum number of consecutive characters allowed |
| maxsequence | 0 | Maximum number of times a single character may be repeated |
| remember | 0 | Maximum number of passwords the system remembers |
| hash_algorithm | sha512 | Hash algorithm |
UI Procedure
- Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as [email protected].
- Expand the VM folder containing the NSX Manager cluster for the management domain.
- Select the first node of the NSX Manager cluster and click Launch web console.
- Log in to the NSX Manager node as admin.
- Start changing the password complexity policy by running the set password-complexity command.
- In the prompt, set interactively the password complexity settings according to the requirements of your organization.
Minimum password length (leave empty to not change): <your_value> Maximum password length (leave empty to not change): <your_value> Lower characters (leave empty to not change): <your_value> Upper characters (leave empty to not change): <your_value> Numeric characters (leave empty to not change): <your_value> Special characters (leave empty to not change): <your_value> Minimum unique characters (leave empty to not change): <your_value> Allowed similar consecutives (leave empty to not change): <your_value> Allowed monotonic sequence (leave empty to not change): <your_value> Hash algorithm (leave empty to not change): <your_value> Password remembrance (leave empty to not change): <your_value>
- Repeat this procedure on the remaining NSX Local Manager nodes for the management domain.
- Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
- Repeat this procedure on all NSX Global Manager nodes.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $minLength = "12" $minLowercase = "-1" $minUppercase = "-1" $minNumerical = "-1" $minSpecial = "-1" $minUnique = "0" $maxLength = "128" $maxRepeats = "0" $maxSequence = "0" $history = "0" $hashAlgorithm = "sha512"
- Perform the configuration by running the command in the PowerShell console.
Update-NsxtManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxLength $maxLenth -maxRepeats $maxRepeats -maxSequence $maxSequence -history $history -hash_algorithm $hashAlgorithm
- Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
- Configure the password complexity policies on all NSX Global Manager clusters manually in the appliance console of each node.
Configure the Local User Password Complexity Policy for NSX Edge
Define the password format requirements for local users on the NSX Edge appliance in VMware Cloud Foundation.
Setting |
Default Value |
Description |
|---|---|---|
minlen |
15 |
Minimum password length
Note:
If your password policy requires setting the minimum password length to a value greater than 20, you cannot use password rotation in SDDC Manager. |
lcredit |
-1 |
Maximum number of lowercase characters that will generate a credit |
ucredit |
-1 |
Maximum number of uppercase characters that will generate a credit |
dcredit |
-1 |
Maximum number of digits that will generate a credit |
ocredit |
-1 |
Maximum number of other characters that will generate a credit |
difok |
0 |
Minimum number of characters that must be different from the old password |
retry |
3 |
Maximum number of retries |
UI Procedure
If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
- Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
In the VMs and templates inventory, navigate to and expand the VM folder containing the NSX Edge cluster for the workload domain.
Select the first node of the NSX Edge cluster and click Launch web console.
If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
Log in to the NSX Edge node as root.
Back up the password requirements for the appliance using the following command.
cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back
Set these settings according to the requirements of your organization using the following commands.
sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
Repeat this procedure on the remaining NSX Edge cluster nodes in the workload domain.
Repeat this procedure on all NSX Edge clusters in the remaining workload domains.
PowerShell Procedure
You can use the PowerShell command for configuring the password complexity policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX documentation.
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $minLength = "15" $minLowercase = "-1" $minUppercase = "-1" $minNumerical = "-1" $minSpecial = "-1" $minUnique = "0" $maxRetry = "3"
Perform the configuration by running the command in the PowerShell console.
Update-NsxtEdgePasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry
Repeat this procedure for all NSX Edge clusters in the remaining workload domains.
Configure the Local User Password Complexity Policy for SDDC Manager
Define the password format requirements for local users of the SDDC Manager appliance.
| Setting |
Default Value |
Description |
|---|---|---|
| minlen |
8 |
Minimum password length |
| lcredit |
-1 |
Maximum number of lowercase characters that will generate a credit |
| ucredit |
-1 |
Maximum number of uppercase characters that will generate a credit |
| dcredit |
-1 |
Maximum number of digits that will generate a credit |
| ocredit |
-1 |
Maximum number of other characters that will generate a credit |
| minclass |
4 |
Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other) |
| difok |
4 |
Minimum number of characters that must be different from the old password |
| retry |
3 |
Maximum number of retries |
| maxsequence |
0 |
Maximum number of times a single character may be repeated |
| remember |
5 |
Maximum number of passwords the system remembers |
UI Procedure
- Log in to the SDDC Manager appliance using SSH as vcf.
- Change to the root user.
su -
- Back the password requirement using the following command.
cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
Set these settings according to the requirements of your organization using the following commands.
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
PowerShell Procedure
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" # Replace with the name of your management domain $sddcDomainName = "sfo-m01" $rootPass = "VMw@re1!" $minLength = "6" $minLowercase = "-1" $minUppercase = "-1" $minNumerical = "-1" $minSpecial = "-1" $minUnique = "4" $minClass = "4" $maxSequence = "0" $history = "5" $maxRetry = "3"
Perform the configuration by running the command in the PowerShell console.
Update-SddcManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -minClass $minClass -maxSequence $maxSequence -history $history -maxRetry $maxRetry
