As a security measure, you can rotate passwords for the components in your VMware Cloud Foundation instance. The process of password rotation generates randomized passwords for the selected accounts. You can rotate passwords manually or set up auto-rotation for accounts managed by SDDC Manager.
You can rotate passwords for the following accounts.
- ESXi
Note: Auto-rotate is not suported for ESXi.
- vCenter Server
By default, the vCenter Server root password expires after 90 days.
Note: Auto-rotate is automatically enabled for vCenter Server service accounts. It may take up to 24 hours to configure the service account auto-rotate policy for a newly deployed vCenter Server. - vSphere Single-Sign On (PSC)
- NSX Edge nodes
- NSX Manager
- VMware Avi Load Balancer (formerly known as NSX Advanced Load Balancer)
- VMware Aria Suite Lifecycle
- VMware Aria Operations for Logs
- VMware Aria Operations
- VMware Aria Automation
- Workspace ONE Access
Note: For Workspace ONE Access passwords, the password rotation method varies depending on the user account. See the table below for details.
- SDDC Manager backup user
Workspace ONE Access User Account |
VMware Aria Suite Lifecycle Locker Entry |
Password Rotation Method |
Password Rotation Scope |
---|---|---|---|
admin (443) |
xint-wsa-admin |
SDDC Manager Password Rotation |
Application |
admin (8443) |
xint-wsa-admin |
VMware Aria Suite Lifecycle Global Environment |
Per node |
configadmin (443) |
xint-wsa-configadmin |
|
Application |
sshuser |
global-env-admin |
VMware Aria Suite Lifecycle Global Environment |
Per node |
root (ssh) |
xint-wsa-root |
SDDC Manager Password Rotation |
Per node |
- 20 characters in length
- At least one uppercase letter, a number, and one of the following special characters: ! @ # $ ^ *
- No more than two of the same characters consecutively
If you changed the vCenter Server password length using the vSphere Client or the ESXi password length using the VMware Host Client, rotating the password for those components from SDDC Manager generates a password that complies with the password length that you specified.
To update the SDDC Manager root, super user, and API passwords, see Updating SDDC Manager Passwords.
Prerequisites
- Verify that there are no currently failed workflows in SDDC Manager. To check for failed workflows, click Dashboard in the navigation pane and expand the Tasks pane at the bottom of the page.
- Verify that no active workflows are running or are scheduled to run during the brief time period that the password rotation process is running. It is recommended that you schedule password rotation for a time when you expect to have no running workflows.
- Only a user with the ADMIN role can perform this task.