For security reasons, you can change passwords for the accounts that are used by your SDDC Manager instance. Changing these passwords periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities.
You entered passwords for your VMware Cloud Foundation system as part of the bring-up procedure. You can rotate and update some of these passwords using the password management functionality in the SDDC Manager UI, including:
- Accounts used for service consoles, such as the ESXi root account.
- The root and mystic users of the VxRail Manager.
- The single sign-on administrator account(s).
Note: SDDC Manager manages passwords for all SSO administrator accounts, even if you created isolated VI workload domains that use different SSO domains than the management domain.
- The default administrative user account used by virtual appliances.
- Service accounts that are automatically generated during bring-up, host commissioning, and workload creation.
Service accounts have a limited set of privileges and are created for communication between products. Passwords for service accounts are randomly generated by SDDC Manager. You cannot manually set a password for service accounts. To update the credentials of service accounts, you can rotate the passwords.
You can also use the VMware Cloud Foundation API to look up and manage credentials. In the SDDC Manager UI, click and browse to the APIs for managing credentials.
Starting with VMware Cloud Foundation 5.2.1, you can also manage passwords using the vSphere Client.
Password Expiration Notifications
Expired passwords will display a status of Disconnected.
For an expired password, you must update the password outside of VMware Cloud Foundation and then remediate the password using the SDDC Manager UI or the VMware Cloud Foundation API. See Remediate Passwords.
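The following Python helper is an added example, not part of the VMware documentation: it builds the request body for a rotate, update, or remediate operation and enforces the rule stated above that service-account passwords can only be rotated. The PATCH /v1/credentials endpoint and the field names are assumptions based on the public VMware Cloud Foundation API, so confirm them in the API browser for your release; the host names, the service-account name, and any passwords are constructed.

```python
import copy

# Operation names as assumed from the public VCF API (PATCH /v1/credentials).
OPERATIONS = {"ROTATE", "UPDATE", "REMEDIATE"}

# Constructed sample shaped like entries of a credentials listing; not real data.
SAMPLE_CREDENTIALS = [
    {"username": "root", "credentialType": "SSH", "accountType": "USER",
     "resource": {"resourceName": "esxi-01.example.test", "resourceType": "ESXI"}},
    {"username": "svc-example-01", "credentialType": "SSO", "accountType": "SERVICE",
     "resource": {"resourceName": "vcenter-01.example.test", "resourceType": "VCENTER"}},
]


def build_request(cred, operation, new_password=None):
    """Return the request body for one credential, or raise ValueError."""
    if operation not in OPERATIONS:
        raise ValueError(f"unknown operation: {operation}")
    # Service-account passwords are generated by SDDC Manager and cannot be
    # set manually, so this helper only allows ROTATE for them.
    if cred["accountType"] == "SERVICE" and operation != "ROTATE":
        raise ValueError("service accounts can only be rotated")
    entry = {"credentialType": cred["credentialType"], "username": cred["username"]}
    if operation == "ROTATE":
        if new_password is not None:
            raise ValueError("ROTATE generates the password; do not supply one")
    else:
        if not new_password:
            raise ValueError(f"{operation} requires the new password")
        entry["password"] = new_password
    return {"operationType": operation,
            "elements": [{"resourceName": cred["resource"]["resourceName"],
                          "resourceType": cred["resource"]["resourceType"],
                          "credentials": [entry]}]}


def redact(body):
    """Copy of a request body that is safe to log: passwords are masked."""
    safe = copy.deepcopy(body)
    for element in safe["elements"]:
        for entry in element["credentials"]:
            if "password" in entry:
                entry["password"] = "***"
    return safe


if __name__ == "__main__":
    for cred in SAMPLE_CREDENTIALS:
        print(redact(build_request(cred, "ROTATE")))
```

Log only the output of redact(), never the raw body, because update and remediate requests carry the new password in clear text.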