Password Policy Configuration for VMware Cloud Foundation

Configuring password policies includes the configuration of password expiration, complexity and account lockout policies according to the requirements of your organization which might be based on industry compliance standards. In VMware Cloud Foundation, this activity is performed manually.

Password Policy Configuration and Password Management

VMware Cloud Foundation does not prescribe or automate the process of configuring a password policy across the system. However, your organization might have specific requirements defined either by the organization itself or through an industry compliance standard that prescribes the changes that you must make to the default policy configuration.

After you configure the password policy, you can use SDDC Manager to rotate or manually update the passwords of the management components in VMware Cloud Foundation by using automation. See Password Management in VMware Cloud Foundation Administration Guide.

For information about password policy design including the details and justification for the configuration of password expiration, complexity and account lockout policies, see the Information Security and Access Control Design for VMware Cloud Foundation in the Identity and Access Management for VMware Cloud Foundation validated solution.

Table 1. Password Policies Support in the Management Components of VMware Cloud Foundation
Password Policy	Support by Management Component
Password expiration	ESXi vCenter Single Sign-On vCenter Server NSX Manager NSX Edge SDDC Manager
Password complexity	ESXi vCenter Single Sign-On vCenter Server NSX Manager NSX Edge SDDC Manager
Account lockout	ESXi vCenter Single Sign-On vCenter Server NSX Manager NSX Edge SDDC Manager

Manual and Automated Password Policy Configuration

To configure password policies in VMware Cloud Foundation, you can follow a step-by-step approach by using product user interface or an automated approach by running PowerShell commands that are available in the VMware.CloudFoundation.PasswordManagement module in PowerShell Gallery.

If you want to learn more details about, provide feedback, report an issue with automation, or contribute to the VMware.CloudFoundation.PasswordManagement module, go to the VMware.CloudFoundation.PasswordManagement open-source project in GitHub.

Approaches to Password Policy Configuration

For initial configuration of the password policy in VMware Cloud Foundation, you usually configure all password policies on a management component and then proceed with the next one. You can also configure a specific property in a password policy across several management components.

Table 2. Password Policy Configuration by Management Component
Management Component
ESXi	Configure the Local User Password Expiration Policy for ESXi Configure the Local User Password Complexity Policy for ESXi Configure the Local Account Lockout Policy for ESXi
vCenter Single Sign-on	Configure the Password Expiration Policy for vCenter Single Sign-On Configure the Password Complexity Policy for vCenter Single Sign-On Configure the Account Lockout Policy for vCenter Single Sign-On
vCenter Server	Password expiration policy Configure the Global Password Expiration Policy for vCenter Server Configure the root User Password Expiration Policy for vCenter Server Configure the Local User Password Complexity Policy for vCenter Server Configure the root User Account Lockout Policy for vCenter Server
NSX Manager	Configure the Local User Password Expiration Policy for NSX Manager Configure the Local User Password Complexity Policy for NSX Manager Configure the Local User Account Lockout Policy for NSX Manager
NSX Edge	Configure the Local User Password Expiration Policy for NSX Edge Configure the Local User Password Complexity Policy for NSX Edge Configure the Local User Account Lockout Policy for NSX Edge
SDDC Manager	Configure the Local User Password Expiration Policy for SDDC Manager Configure the Local User Password Complexity Policy for SDDC Manager Configure the Local User Account Lockout Policy for SDDC Manager

Prerequisites

To perform the configuration associated with password policy configuration, verify that your system fulfills the following prerequisites.


Category	Prerequisite
Environment	Verify that your VMware Cloud Foundation instance is healthy and fully operational.
Infrastructure-as-code	To use the infrastructure-as-code method for password policy configuration, verify that your system fulfills the prerequisites, described in the documentation of the VMware.CloudFoundation.PasswordManagement open-source project in GitHub.