For security reasons, you can change passwords for the accounts that are used by your SDDC Manager instance. Changing these passwords periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities.

Note: For information on password policy design, see Information Security and Access in the Identity and Access Management for VMware Cloud Foundation validated solution.

You entered passwords for your VMware Cloud Foundation system as part of the bring-up procedure. You can rotate and update some of these passwords using the password management functionality in the SDDC Manager UI, including:

  • Accounts used for service consoles, such as the ESXi root account.
  • The single sign-on administrator account(s).
    Note: SDDC Manager manages passwords for all SSO administrator accounts, even if you created isolated VI workload domains that use different SSO domains than the management domain.
  • The default administrative user account used by virtual appliances.
  • Service accounts that are automatically generated during bring-up, host commissioning, and workload creation.

    Service accounts have a limited set of privileges and are created for communication between products. Passwords for service accounts are randomly generated by SDDC Manager. You cannot manually set a password for service accounts. To update the credentials of service accounts, you can rotate the passwords.

To provide optimal security and proactively prevent any passwords from expiring, you must rotate passwords every 80 days.
Note: Do not change the passwords for system accounts and the administrator@vsphere.local account outside SDDC Manager. This can break your VMware Cloud Foundation system.

You can also use the VMware Cloud Foundation API to look up and manage credentials. In the SDDC Manager UI, click Developer Center > API Explorer and browse to the APIs for managing credentials.

Password Expiration Notifications

The SDDC Manager UI provides a banner notification for any passwords managed by VMware Cloud Foundation that are expiring within the next 14 days. For example:
Banner notification showing an alert about expiring passwords.
You can also click Security > Password Management in the navigation pane to view password expiration information. For example:
Password Management page showing passwords that are expiring within 14 days.
Note: Password expiration information is not available for vCenter Server SSO service accounts.
Expired passwords will display a status of Disconnected. For example:
An image showing expired passwords with a "Disconnected" status.
For an expired password, you must update the password outside of VMware Cloud Foundation and then remediate the password using the SDDC Manager UI or the VMware Cloud Foundation API. See Remediate Passwords.
Note: Password expiration information in the SDDC Manager UI is updated once a day. To get real-time information, use the VMware Cloud Foundation API.