A password expiration policy defines the period of time an account’s password can be used before the system enforces a password change. According to the management component of the VMware Cloud Foundation instance, you define this policy at the global level or at a local user level.
Management Component |
Password Expiration Settings |
Scope |
---|---|---|
ESXi |
Password expiration interval (days) |
Local users |
vCenter Single Sign-On |
Password expiration interval (days) |
Global |
vCenter Server |
|
|
NSX Manager |
Password expiration interval (days) |
Local users |
NSX Edge |
Password expiration interval (days) |
Local users |
SDDC Manager |
|
Local users |
Prerequisites
Configure the Local User Password Expiration Policy for ESXi
Define the interval of time before the password of a local user on an ESXi host in VMware Cloud Foundation expires and a change is enforced.
Setting |
Default Value |
---|---|
Security.PasswordMaxDays |
99999 |
Prerequisites
If you plan to reduce the expiration period of a local account's password, rotate the password of the account by using SDDC Manager. See Rotate Passwords.
The password expiration date is determined by adding the password expiration period to the date of the last password change. If the time since the last password change is greater than the new expiration period, the password expires immediately.
UI Procedure
- Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
- In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.
Select the first ESXi host and click the Configure tab.
In the System section, click Advanced system settings.
On the Advanced system settings page, click Edit.
In the key filter text box, enter Security.PasswordMaxDays, enter a value for the setting according to the requirements of your organization, and click OK.
Repeat this procedure on the remaining hosts in the cluster.
-
Repeat this procedure on all remaining clusters in the workload domain.
-
Repeat this procedure for all clusters in the remaining workload domains.
PowerShell Procedure
Start the Windows PowerShell console.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $cluster = "sfo-m01-cl01" $maxDays = "99999"
Perform the configuration by running the command in the PowerShell console.
Update-EsxiPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -maxDays $maxDays
Repeat this procedure for all remaining clusters in the
$sddcDomainName
workload domain.Repeat this procedure for all clusters in the remaining workload domains.
Configure the Password Expiration Policy for vCenter Single Sign-On
Define the interval of time before the password of a user account in the vsphere.local domain in VMware Cloud Foundation expires and a change is enforced.
The password expiration policy applies only to the user accounts in the vsphere.local domain for the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system accounts and [email protected].
SDDC Manager creates dedicated service accounts within the vCenter Single Sign-On built-in identity provider. Changing the password expiration policy affects these service accounts too.
Setting |
Default Value |
---|---|
Maximum lifetime |
90 |
UI Procedure
- Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
- From the vSphere Client Menu, select Administration.
In the Single sign on section, click Configuration.
On the Configuration page, click the Local accounts tab.
In the Password policy section, click Edit
Enter a value for the Maximum lifetime setting according to the requirements of your organization and click Save.
PowerShell Procedure
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $maxDays = "90"
Perform the configuration by running the command in the PowerShell console.
Update-SsoPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxDays $maxDays
Configure the Global Password Expiration Policy for vCenter Server
Define globally the interval of time before the passwords of the local user accounts on a vCenter Server appliance in VMware Cloud Foundation expire and a change is enforced.
Setting |
Default Value |
---|---|
Maximum number of days between password change |
90 |
Minimum number of days between password change |
0 |
Number of days of warning before password expires |
7 |
You can configure the global password expiration policy for vCenter Server only by using the API.
PowerShell Procedure
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $maxDays = "90" $minDays = "0" $warningDays = "7"
Perform the configuration by running the command in the PowerShell console.
Update-VcenterPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxDays $maxDays -minDays $minDays -warnDays $warningDays
- Repeat this procedures for the remaining workload domains.
Configure the root User Password Expiration Policy for vCenter Server
Define the interval of time before the password of the root account of the vCenter Server appliances in VMware Cloud Foundation expires and a change is enforced.
Setting |
Default Value |
---|---|
Password validity (days) |
90 |
Email for expiration warning |
- |
Number of days of warning before password expires |
7 |
Prerequisites
Configure the target vCenter Server instance with a sending email account under General on the Configure tab in the vSphere Client.
UI Procedure
- Log in to the vCenter Server Management Interface at https://<vcenter_server_fqdn>:5480 as root.
In the navigation pane, click Administration.
In the Password expiration settings section, click Edit.
Configure the settings according to the requirements of your organization and click Save.
Log in to the vCenter Server appliance console using SSH as root.
Enable shell access.
shell
Change the number of days of warning before password expires value using the following command.
chage --warndays <your_value> root
Repeat this procedure for all remaining workload domains.
PowerShell Procedure
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $email = "[email protected]" $maxDays = "90" $warningDays = "7"
Perform the configuration by running the command in the PowerShell console.
Update-VcenterRootPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -email $email -maxDays $maxDays -warnDays $warningdays
- Repeat this procedure for all remaining workload domains.
Configure the Local User Password Expiration Policy for NSX Manager
Configure the password expiration policy for NSX Manager local users in VMware Cloud Foundation. You configure the policy on a per-user basis for the built-in NSX accounts.
User |
Setting |
Default Value |
---|---|---|
root |
Maximum number of days between password change |
90 |
admin |
Maximum number of days between password change |
90 |
audit |
Maximum number of days between password change |
90 |
guestuser1 |
Maximum number of days between password change |
90 |
guestuser2 |
Maximum number of days between password change |
90 |
UI Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, expand the management domain vCenter Server tree and expand the management domain data center.
Expand the VM folder containing the NSX Manager cluster for the management domain.
Select the first node of the NSX Manager cluster and click Launch web console.
Log in to the NSX Manager node as admin.
Change the maximum number of days between password change using the following command.
set user root password-expiration <your_value>
The change is replicated to the other nodes in the NSX Manager cluster.
Repeat this procedure for the remaining local accounts.
Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
Repeat this procedure on all NSX Global Manager clusters.
PowerShell Procedure
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $maxDays = "90"
Perform the configuration by running the command in the PowerShell console.
Update-NsxtManagerPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxdays $maxDays
Repeat this procedure for the NSX Local Manager clusters for all VI workload domains.
Configure the password expiration policies on all NSX Global Manager clusters manually in the appliance console of the first node of each cluster.
Configure the Local User Password Expiration Policy for NSX Edge
Configure password expiration for NSX Edge local users in VMware Cloud Foundation. You configure it on a per-user basis for the built-in NSX accounts.
User |
Setting |
Default Value |
---|---|---|
root |
Maximum number of days between password change |
90 |
admin |
Maximum number of days between password change |
90 |
audit |
Maximum number of days between password change |
90 |
guestuser1 |
Maximum number of days between password change |
90 |
guestuser2 |
Maximum number of days between password change |
90 |
UI Procedure
- If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.
- Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, navigate to and expand the VM folder containing the NSX Edge nodes for the workload domain.
-
Select the first node of the NSX Edge cluster and click Launch web console.
- If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.
Log in to the NSX Edge node as admin.
Change the maximum number of days between password change using the following command.
set user root password-expiration <your_value>
Repeat this procedure for the remaining local accounts.
Repeat this procedure on the remaining NSX Edge nodes in the cluster of the workload domain.
Repeat this procedure on all NSX Edge clusters in the remaining workload domains.
PowerShell Procedure
You can use the PowerShell command for configuring the password expiration policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX documentation.
Start Windows PowerShell.
Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" $sddcDomainName = "sfo-m01" $maxDays = "90"
Perform the configuration by running the command in the PowerShell console.
Update-NsxtEdgePasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxdays $maxDays
Repeat this procedure for all NSX Edge clusters in the remaining workload domains.
Configure the Local User Password Expiration Policy for SDDC Manager
Configure password expiration for SDDC Manager on a per-user basis for local users.
User |
Setting |
Default Value |
---|---|---|
root |
Maximum number of days between password change |
90 |
Minimum number of days between password change |
0 |
|
Number of days of warning before password expires |
7 |
|
vcf |
Maximum number of days between password change |
90 |
Minimum number of days between password change |
0 |
|
Number of days of warning before password expires |
7 |
|
backup |
Maximum number of days between password change |
90 |
Minimum number of days between password change |
0 |
|
Number of days of warning before password expires |
7 |
UI Procedure
- Log in to the SDDC Manager appliance using SSH as vcf.
- Change to the root user.
su -
- Change the maximum number of days between password change using the following command.
chage --maxdays <your_value> root
- Change the minimum number of days between password change using the following command.
chage --mindays <your_value> root
- Change the number of days of warning before password expires using the following command.
chage --warndays <your_value> root
- Repeat this procedure for the remaining local accounts.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code and run the commands in the PowerShell console.
$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" $sddcManagerUser = "[email protected]" $sddcManagerPass = "VMw@re1!" # Replace with the name of your management domain $sddcDomainName = "sfo-m01" $vmName = "sfo-vcf01" $guestuser = "root" $guestPassword = "VMw@re1!” $localUsers = @("root","vcf","backup") $maxDays = "90" $minDays = "0" $warningDays = "7"
- Perform the configuration by running the command in the PowerShell console.
Update-LocalUserPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -vmName $vmName -guestUser $guestUser -guestPassword $guestPassword -localUser $localUsers -minDays $minDays -maxDays $maxDays -warnDays $warningDays