For security reasons, you can change passwords for the accounts that are used by your SDDC Manager instance. Changing these passwords periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities.

Note: For information about password policy design including the details and justification for the configuration of password expiration, complexity, and account lockout policies, see the Information Security and Access Control Design for VMware Cloud Foundation in the Identity and Access Management for VMware Cloud Foundation validated solution. For step-by-step instructions on configuring password policies, see Password Policy Configuration in VMware Cloud Foundation Operations Guide

You entered passwords for your VMware Cloud Foundation system as part of the bring-up procedure. You can rotate and update some of these passwords using the password management functionality in the SDDC Manager UI, including:

  • Accounts used for service consoles, such as the ESXi root account.
  • The single sign-on administrator account(s).
    Note: SDDC Manager manages passwords for all SSO administrator accounts, even if you created isolated VI workload domains that use different SSO domains than the management domain.
  • The default administrative user account used by virtual appliances.
  • Service accounts that are automatically generated during bring-up, host commissioning, and workload creation.

    Service accounts have a limited set of privileges and are created for communication between products. Passwords for service accounts are randomly generated by SDDC Manager. You cannot manually set a password for service accounts. To update the credentials of service accounts, you can rotate the passwords.

To provide optimal security and proactively prevent any passwords from expiring, you must rotate passwords every 80 days.
Note: Do not change the passwords for system accounts and the [email protected] account outside SDDC Manager. This can break your VMware Cloud Foundation system.

You can also use the VMware Cloud Foundation API to look up and manage credentials. In the SDDC Manager UI, click Developer Center > API Explorer and browse to the APIs for managing credentials.

Starting with VMware Cloud Foundation 5.2.1, you can also manage passwords using the vSphere Client.

Password Expiration Notifications

The SDDC Manager UI provides a banner notification for any passwords managed by VMware Cloud Foundation that are expiring within the next 14 days. For example:
Banner notification showing an alert about expiring passwords.
You can also click Security > Password Management in the navigation pane to view password expiration information.
Note: Password expiration information is not available for vCenter Server SSO service accounts.
Expired passwords will display a status of Disconnected. For example:
An image showing expired passwords with a "Disconnected" status.
For an expired password, you must update the password outside of VMware Cloud Foundation and then remediate the password using the SDDC Manager UI or the VMware Cloud Foundation API. See Remediate Passwords.
Note: Password expiration information in the SDDC Manager UI is updated once a day. To get real-time information, use the VMware Cloud Foundation API.