As a security measure, you can rotate passwords for the components in your VMware Cloud Foundation instance. The process of password rotation generates randomized passwords for the selected accounts. You can rotate passwords manually or set up auto-rotation for accounts managed by SDDC Manager.

You can rotate passwords for the following accounts.

  • ESXi
    Note: Auto-rotate is not suported for ESXi.
  • vCenter Server

    By default, the vCenter Server root password expires after 90 days.

    Note: Auto-rotate is automatically enabled for vCenter Server service accounts. It may take up to 24 hours to configure the service account auto-rotate policy for a newly deployed vCenter Server.
  • vSphere Single-Sign On (PSC)
  • NSX Edge nodes
  • NSX Manager
  • VMware Aria Suite Lifecycle
  • VMware Aria Operations for Logs
  • VMware Aria Operations
  • VMware Aria Automation
  • Workspace ONE Access
    Note: For Workspace ONE Access passwords, the password rotation method varies depending on the user account. See the table below for details.
  • SDDC Manager backup user
Table 1. Password Rotation Details for Workspace ONE Access User Accounts

Workspace ONE Access User Account

VMware Aria Suite Lifecycle Locker Entry

Password Rotation Method

Password Rotation Scope

admin (443)


SDDC Manager Password Rotation


admin (8443)


VMware Aria Suite Lifecycle Global Environment

Per node

configadmin (443)


  1. Reset the configadmin user password in Workspace ONE Access via the email reset link.
  2. Create a new credential object in VMware Aria Suite Lifecycle Locker to match the new password.
  3. Update the credential object referenced by globalEnvironment in VMware Aria Suite Lifecycle locker to the new credential object.




VMware Aria Suite Lifecycle Global Environment

Per node

root (ssh)


SDDC Manager Password Rotation

Per node

The default password policy for rotated passwords requires:
  • 20 characters in length
  • At least one uppercase letter, a number, and one of the following special characters: ! @ # $ ^ *
  • No more than two of the same characters consecutively

If you changed the vCenter Server password length using the vSphere Client or the ESXi password length using the VMware Host Client, rotating the password for those components from SDDC Manager generates a password that complies with the password length that you specified.

To update the SDDC Manager root, super user, and API passwords, see Updating SDDC Manager Passwords.


  • Verify that there are no currently failed workflows in SDDC Manager. To check for failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom of the page.
  • Verify that no active workflows are running or are scheduled to run during the brief time period that the password rotation process is running. It is recommended that you schedule password rotation for a time when you expect to have no running workflows.
  • Only a user with the ADMIN role can perform this task.


  1. In the navigation pane, click Security > Password Management.
  2. Click the component that includes the accounts for which you want to rotate a password.
    Password Management options for ESXi accounts.
    For example, ESXI.
  3. Select one or more accounts and click one of the following operation.
    • Rotate Now
    • Schedule Rotation
      You can set the password rotation interval (30 days, 60 days, or 90 days). You can also deactivate the schedule.
      Note: Auto-rotate schedule is configured to run at midnight on the scheduled date. If auto-rotate could not start due to any technical issue, there is a provision to auto-retry every hour till start of the next day. In case schedule rotation is missed due to technical issues the UI displays a global notification with failed task status. The status of the schedule rotation can also be checked on the Tasks panel.
    A message appears at the top of the page showing the progress of the operation. The Tasks panel also shows detailed status for the password rotation operation. To view sub-tasks, click the task name. As each of these tasks is run, the status is updated. If the task fails, you can click Retry.


Password rotation is complete when all sub-tasks are completed successfully.