Configuring password policies includes the configuration of password expiration, complexity and account lockout policies according to the requirements of your organization which might be based on industry compliance standards. In VMware Cloud Foundation, this activity is performed manually.

Password Policy Configuration and Password Management

VMware Cloud Foundation does not prescribe or automate the process of configuring a password policy across the system. However, your organization might have specific requirements defined either by the organization itself or through an industry compliance standard that prescribes the changes that you must make to the default policy configuration.

After you configure the password policy, you can use SDDC Manager to rotate or manually update the passwords of the management components in VMware Cloud Foundation by using automation. See Password Management in VMware Cloud Foundation Administration Guide.

For information about password policy design including the details and justification for the configuration of password expiration, complexity and account lockout policies, see the Information Security and Access Control Design for VMware Cloud Foundation in the Identity and Access Management for VMware Cloud Foundation validated solution.

Table 1. Password Policies Support in the Management Components of VMware Cloud Foundation

Password Policy

Support by Management Component

Password expiration

  • ESXi

  • vCenter Single Sign-On

  • vCenter Server

  • NSX Manager

  • NSX Edge

  • SDDC Manager

Password complexity

  • ESXi

  • vCenter Single Sign-On

  • vCenter Server

  • NSX Manager

  • NSX Edge

  • SDDC Manager

Account lockout

  • ESXi

  • vCenter Single Sign-On

  • vCenter Server

  • NSX Manager

  • NSX Edge

  • SDDC Manager

Manual and Automated Password Policy Configuration

To configure password policies in VMware Cloud Foundation, you can follow a step-by-step approach by using product user interface or an automated approach by running PowerShell commands that are available in the VMware.CloudFoundation.PasswordManagement module in PowerShell Gallery.

If you want to learn more details about, provide feedback, report an issue with automation, or contribute to the VMware.CloudFoundation.PasswordManagement module, go to the VMware.CloudFoundation.PasswordManagement open-source project in GitHub.

Approaches to Password Policy Configuration

For initial configuration of the password policy in VMware Cloud Foundation, you usually configure all password policies on a management component and then proceed with the next one. You can also configure a specific property in a password policy across several management components.

Table 2. Password Policy Configuration by Management Component

Management Component

ESXi

vCenter Single Sign-on

vCenter Server

NSX Manager

NSX Edge

SDDC Manager

Prerequisites

To perform the configuration associated with password policy configuration, verify that your system fulfills the following prerequisites.

Category

Prerequisite

Environment

  • Verify that your VMware Cloud Foundation instance is healthy and fully operational.
Infrastructure-as-code To use the infrastructure-as-code method for password policy configuration, verify that your system fulfills the prerequisites, described in the documentation of the VMware.CloudFoundation.PasswordManagement open-source project in GitHub.