A password complexity policy defines the minimum requirements for an account's password. The settings differ according to the account type and the component of the VMware Cloud Foundation instance.

Password complexity settings by management component and scope:

ESXi (scope: local user)
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum unique passwords before reuse

vCenter Single Sign-On (scope: vCenter Single Sign-On domain)
  • Minimum length
  • Maximum length
  • Minimum alphabetic characters
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Maximum consecutive identical characters
  • Minimum unique passwords before reuse

vCenter Server (scope: local user)
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum unique passwords before reuse

NSX Manager (scope: local user)
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum characters different from the old password

NSX Edge (scope: local user)
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum characters different from the old password

SDDC Manager (scope: local user)
  • Minimum length
  • Minimum lowercase characters
  • Minimum uppercase characters
  • Minimum numeric characters
  • Minimum special characters
  • Minimum characters different from the old password
  • Minimum unique passwords before reuse

Prerequisites

See Password Policy Configuration Prerequisites.

Configure the Local User Password Complexity Policy for ESXi

Define the requirements for local user passwords for the ESXi hosts in VMware Cloud Foundation including required password length, character class requirements, or allowing passphrases.

Setting                          Default Value
Security.PasswordHistory         0
Security.PasswordQualityControl  retry=3 min=disabled,disabled,disabled,7,7

For information about the format of the Security.PasswordQualityControl settings, see ESXi Passwords and Account Lockout in the vSphere Security documentation.
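The following is an added example, not part of the VMware documentation, that decodes a Security.PasswordQualityControl value so an auditor can see what a given policy actually rejects. It assumes the pam_passwdqc field layout that ESXi uses for min= (N0 one character class, N1 two classes, N2 passphrase, N3 three classes, N4 four classes; "disabled" means never accepted) and uses the ESXi default from the table above as a constructed sample. The class counting is deliberately simplified, as noted in the code.

```shell
#!/bin/sh
# Added example, not VMware's code: decode an ESXi Security.PasswordQualityControl
# value (pam_passwdqc syntax) and test candidate passwords against it.
# Field layout of min=N0,N1,N2,N3,N4: N0 = one character class, N1 = two
# classes, N2 = passphrase, N3 = three classes, N4 = four classes;
# "disabled" means passwords of that kind are never accepted.

set -e

# Constructed sample: the ESXi default shown in the table above.
ESXI_DEFAULT_POLICY="retry=3 min=disabled,disabled,disabled,7,7"

# pq_field POLICY N -> the Nth comma-separated value of min= (1-based)
pq_field() {
  printf '%s\n' "$1" | sed -nE 's/.*min=([^[:space:]]+).*/\1/p' | cut -d, -f"$2"
}

# pq_retry POLICY -> number of attempts allowed when choosing a new password
pq_retry() {
  printf '%s\n' "$1" | sed -nE 's/.*retry=([0-9]+).*/\1/p'
}

# pq_min_for_classes POLICY CLASSES -> minimum length for a password built
# from CLASSES (1-4) character classes, or "disabled"
pq_min_for_classes() {
  case $2 in
    1) pq_field "$1" 1 ;;
    2) pq_field "$1" 2 ;;
    3) pq_field "$1" 4 ;;
    4) pq_field "$1" 5 ;;
    *) echo "classes must be 1-4" >&2; return 1 ;;
  esac
}

# pq_passphrase_min POLICY -> minimum length for a passphrase, or "disabled"
pq_passphrase_min() { pq_field "$1" 3; }

# count_classes PASSWORD -> how many of lower/upper/digit/other are present.
# Simplified: real pam_passwdqc does not count a leading uppercase letter or
# a trailing digit towards the class count; this helper ignores that rule.
count_classes() {
  n=0
  [ -n "$(printf '%s' "$1" | tr -cd '[:lower:]')" ] && n=$((n+1))
  [ -n "$(printf '%s' "$1" | tr -cd '[:upper:]')" ] && n=$((n+1))
  [ -n "$(printf '%s' "$1" | tr -cd '[:digit:]')" ] && n=$((n+1))
  [ -n "$(printf '%s' "$1" | tr -d '[:alnum:]')" ] && n=$((n+1))
  echo "$n"
}

# pq_check POLICY PASSWORD -> "ok" or the reason the policy rejects it
pq_check() {
  c=$(count_classes "$2")
  need=$(pq_min_for_classes "$1" "$c")
  len=${#2}
  if [ "$need" = disabled ]; then
    echo "rejected: passwords with $c character class(es) are disabled"
  elif [ "$len" -lt "$need" ]; then
    echo "rejected: $len chars, policy requires $need for $c class(es)"
  else
    echo ok
  fi
}

# Print the decoded default policy when the script is run directly.
i=1
while [ "$i" -le 4 ]; do
  echo "$i class(es): min length $(pq_min_for_classes "$ESXI_DEFAULT_POLICY" "$i")"
  i=$((i+1))
done
echo "passphrase: $(pq_passphrase_min "$ESXI_DEFAULT_POLICY")"
echo "retries: $(pq_retry "$ESXI_DEFAULT_POLICY")"
```

With the default value, the decoder shows that one- and two-class passwords and passphrases are disabled, while three- and four-class passwords need at least 7 characters; pass your own candidate policy string as the first argument to pq_check to confirm it rejects what you expect before rolling it out to the hosts.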

UI Procedure

  1. Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
  2. In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.
  3. Select the first ESXi host and click the Configure tab.

  4. In the System section, click Advanced system settings.

  5. On the Advanced system settings page, click Edit.

  6. In the key filter text box, enter Security.PasswordHistory and configure the setting according to the requirements of your organization.

  7. In the key filter text box, enter Security.PasswordQualityControl, enter values for the settings according to the requirements of your organization, and click OK.

  8. Repeat this procedure on all remaining hosts in the cluster.

  9. Repeat this procedure on all remaining clusters in the workload domain.

  10. Repeat this procedure for all the other workload domains and their clusters.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    $cluster = "sfo-m01-cl01"
    
    $policy = "retry=3 min=disabled,disabled,disabled,7,7"
    $history = "3"
    
  3. Perform the configuration by running the command in the PowerShell console.

    Update-EsxiPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -policy $policy -history $history
  4. Repeat this procedure on all remaining clusters in the $sddcDomainName workload domain.

  5. Repeat this procedure for all clusters in the remaining workload domains.

Configure the Password Complexity Policy for vCenter Single Sign-On

Define the password format requirements for the vCenter Single Sign-On built-in identity provider for VMware Cloud Foundation.

The password complexity policy applies only to user accounts in the vsphere.local domain of the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system accounts and [email protected].

Setting                        Default Value
Restrict reuse                 5
Maximum length                 20
Minimum length                 8
Special characters             1
Alphabetic characters          2
Uppercase characters           1
Lowercase characters           1
Numeric characters             1
Identical adjacent characters  1

UI Procedure

  1. Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
  2. From the vSphere Client Menu, select Administration.
  3. In the Single Sign On section, click Configuration.

  4. On the Configuration page, click the Local accounts tab.

  5. In the Password policy section, click Edit.

  6. Modify the settings according to the requirements of your organization and click Save.

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $minLength = "8"
    $maxLength = "20"
    $minAlphabetic = "2"
    $minLowercase = "1"
    $minUppercase = "1"
    $minNumerical = "1"
    $minSpecial = "1"
    $maxIdenticalAdjacent = "1"
    $history = "5"
    
  3. Perform the configuration by running the command in the PowerShell console.

    Update-SsoPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -maxLength $maxLength -minAlphabetic $minAlphabetic -minLowercase $minLowercase -minUppercase $minUppercase -minNumeric $minNumerical -minSpecial $minSpecial -maxIdenticalAdjacent $maxIdenticalAdjacent -history $history

Configure the Local User Password Complexity Policy for vCenter Server

Define the password format requirements for the local users of the vCenter Server appliances in VMware Cloud Foundation, such as the root account.

Setting   Default Value   Description
minlen    6               Minimum password length
lcredit   -1              Maximum number of lowercase characters that will generate a credit
ucredit   -1              Maximum number of uppercase characters that will generate a credit
dcredit   -1              Maximum number of digits that will generate a credit
ocredit   -1              Maximum number of other characters that will generate a credit
difok     4               Minimum number of characters that must be different from the old password
remember  5               Maximum number of passwords the system remembers

UI Procedure

  1. Log in to the vCenter Server appliance for a workload domain using SSH as root.

  2. Enable shell access.

    shell
  3. Back up the password requirements for the appliance by using the following command.
    cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
  4. Verify that all settings for configuring password requirements for vCenter Server local users are added in the /etc/pam.d/system-password file.

    # Begin /etc/pam.d/system-password
    
    # use sha512 hash for encryption, use shadow, and try to use any previously
    # defined authentication token (chosen password) set by any prior module
    password  requisite   pam_pwquality.so  dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
    password  required    pam_pwhistory.so  remember=5 retry=3 enforce_for_root use_authtok
    password  required    pam_unix.so       sha512 use_authtok shadow try_first_pass
    # End /etc/pam.d/system-password
  5. If some settings are missing in the /etc/pam.d/system-password file, add them manually.

  6. After all required settings are added in the /etc/pam.d/system-password file, set their values according to the requirements of your organization using the following commands.

    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
  7. Repeat this procedure on the vCenter Server instances for the remaining workload domains.

PowerShell Procedure

  1. Start Windows PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $minLength = "6"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumeric = "-1"
    $minSpecial = "-1"
    $minUnique = "4"
    $history = "5"
  3. Perform the configuration by running the command in the PowerShell console.
    Update-VcenterPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumeric -minSpecial $minSpecial -minUnique $minUnique -history $history
  4. Repeat this procedure for all VI workload domains.

Configure the Local User Password Complexity Policy for NSX Manager

Define the password format requirements for local users of the NSX Manager appliances in VMware Cloud Foundation.

Setting           Default Value   Description
minlen            12              Minimum password length
lcredit           -1              Maximum number of lowercase characters that will generate a credit
ucredit           -1              Maximum number of uppercase characters that will generate a credit
dcredit           -1              Maximum number of digits that will generate a credit
ocredit           -1              Maximum number of other characters that will generate a credit
difok             0               Minimum number of characters that must be different from the old password
MAX_PASSWORD_LEN  128             Maximum password length
maxrepeat         0               Maximum number of consecutive characters allowed
maxsequence       0               Maximum number of times a single character may be repeated
remember          0               Maximum number of passwords the system remembers
hash_algorithm    sha512          Hash algorithm

Note: If your password policy requires setting the minimum password length (minlen) to a value greater than 20, you cannot use password rotation in SDDC Manager.

UI Procedure

  1. Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as [email protected].
  2. Expand the VM folder containing the NSX Manager cluster for the management domain.
  3. Select the first node of the NSX Manager cluster and click Launch web console.
  4. Log in to the NSX Manager node as admin.
  5. Start changing the password complexity policy by running the set password-complexity command.
  6. At the prompts, interactively set the password complexity settings according to the requirements of your organization.
    Minimum password length (leave empty to not change): <your_value>
    Maximum password length (leave empty to not change): <your_value>
    Lower characters (leave empty to not change): <your_value>
    Upper characters (leave empty to not change): <your_value>
    Numeric characters (leave empty to not change): <your_value>
    Special characters (leave empty to not change): <your_value>
    Minimum unique characters (leave empty to not change): <your_value>
    Allowed similar consecutives (leave empty to not change): <your_value>
    Allowed monotonic sequence (leave empty to not change): <your_value>
    Hash algorithm (leave empty to not change): <your_value>
    Password remembrance (leave empty to not change): <your_value>
  7. Repeat this procedure on the remaining NSX Local Manager nodes for the management domain.
  8. Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
  9. Repeat this procedure on all NSX Global Manager nodes.

PowerShell Procedure

  1. Start PowerShell.
  2. Replace the values in the sample code and run the commands in the PowerShell console.
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $minLength = "12"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumerical = "-1"
    $minSpecial = "-1"
    $minUnique = "0"
    $maxLength = "128"
    $maxRepeats = "0"
    $maxSequence = "0"
    $history = "0"
    $hashAlgorithm = "sha512"
    
  3. Perform the configuration by running the command in the PowerShell console.
    Update-NsxtManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxLength $maxLength -maxRepeats $maxRepeats -maxSequence $maxSequence -history $history -hash_algorithm $hashAlgorithm
  4. Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.
  5. Configure the password complexity policies on all NSX Global Manager clusters manually in the appliance console of each node.

Configure the Local User Password Complexity Policy for NSX Edge

Define the password format requirements for local users on the NSX Edge appliance in VMware Cloud Foundation.

Setting   Default Value   Description
minlen    15              Minimum password length
lcredit   -1              Maximum number of lowercase characters that will generate a credit
ucredit   -1              Maximum number of uppercase characters that will generate a credit
dcredit   -1              Maximum number of digits that will generate a credit
ocredit   -1              Maximum number of other characters that will generate a credit
difok     0               Minimum number of characters that must be different from the old password
retry     3               Maximum number of retries

Note: If your password policy requires setting the minimum password length (minlen) to a value greater than 20, you cannot use password rotation in SDDC Manager.

UI Procedure

  1. If you are configuring an NSX Edge virtual appliance, open the appliance console by using the Web console in the vSphere Client.

    1. Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.
    2. In the VMs and templates inventory, navigate to and expand the VM folder containing the NSX Edge cluster for the workload domain.

    3. Select the first node of the NSX Edge cluster and click Launch web console.

  2. If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using an out-of-band management interface, such as iLO or iDRAC.

  3. Log in to the NSX Edge node as root.

  4. Back up the password requirements for the appliance using the following command.

    cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back
    
  5. Verify that all settings for configuring password requirements for SDDC Manager users are added in the /etc/pam.d/common-password file.

    #
    # /etc/pam.d/common-password - password-related modules common to all services
    #
    
    # here are the per-package modules (the "Primary" block)
    password requisite pam_cracklib.so retry=3 minlen=12 difok=0 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
    password required pam_pwhistory.so use_authtok enforce_for_root remember=0
    password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
    # here's the fallback if no module succeeds
    password requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    password required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    # end of pam-auth-update config
    
  6. If some settings are missing in the /etc/pam.d/common-password file, add them manually.

  7. Set these settings according to the requirements of your organization using the following commands.

    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
    sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
  8. Repeat this procedure on the remaining NSX Edge cluster nodes in the workload domain.

  9. Repeat this procedure on all NSX Edge clusters in the remaining workload domains.

PowerShell Procedure

You can use the PowerShell command for configuring the password complexity policies only on the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager. For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge appliances, configure the policies manually according to the NSX documentation.

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $sddcDomainName = "sfo-m01"
    
    $minLength = "15"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumerical = "-1"
    $minSpecial = "-1"
    $minUnique = "0"
    $maxRetry = "3"
  3. Perform the configuration by running the command in the PowerShell console.

    Update-NsxtEdgePasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry
  4. Repeat this procedure for all NSX Edge clusters in the remaining workload domains.

Configure the Local User Password Complexity Policy for SDDC Manager

Define the password format requirements for local users of the SDDC Manager appliance.

Setting      Default Value   Description
minlen       15              Minimum password length
lcredit      -1              Maximum number of lowercase characters that will generate a credit
ucredit      -1              Maximum number of uppercase characters that will generate a credit
dcredit      -1              Maximum number of digits that will generate a credit
ocredit      -1              Maximum number of other characters that will generate a credit
minclass     4               Minimum number of character types that must be used (that is, uppercase, lowercase, digits, other)
difok        4               Minimum number of characters that must be different from the old password
retry        3               Maximum number of retries
maxsequence  0               Maximum number of times a single character may be repeated
remember     5               Maximum number of passwords the system remembers

UI Procedure

  1. Log in to the SDDC Manager appliance using SSH as vcf.
  2. Change to the root user.
    su -
  3. Back up the password requirements using the following command.
    cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back
  4. Verify that all settings for configuring password requirements for SDDC Manager users are added in the /etc/pam.d/system-password file.

    # Begin /etc/pam.d/system-password
    
    password   required pam_pwhistory.so remember=5 retry=5 enforce_for_root use_authtok
    password   required pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=7 difok=4 minclass=4 maxsequence=0 enforce_for_root
    password   required pam_unix.so sha512 shadow use_authtok
    
    # End /etc/pam.d/system-password
    
  5. If some settings are missing in the /etc/pam.d/system-password file, add them manually.

  6. After all required settings are added in the /etc/pam.d/system-password file, set their values according to the requirements of your organization using the following commands.

    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
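The sed one-liners in the vCenter Server, NSX Edge and SDDC Manager procedures above only replace a key that is already present on some line of the file, and they match the key on whichever line carries it, so a key such as retry= that appears on both the pam_pwhistory and pam_pwquality (or pam_cracklib) lines can be changed on the wrong module. The following added example, which is not VMware's code, wraps the same sed approach in a helper that is scoped to the line loading the named module and that appends the key when it is missing (the case the "add them manually" steps leave to the operator). It runs against a constructed copy of the page's vCenter Server system-password file; on a real appliance you would point it at /etc/pam.d/system-password (or /etc/pam.d/common-password on NSX Edge) after taking the backup the procedure describes. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not VMware's code: set one option on a PAM password-stack
# module line, updating it in place or appending it when absent.

set -e

# Constructed sample modelled on the page's vCenter Server system-password
# file (minclass is deliberately absent to exercise the "append" branch).
make_sample() {
  f=$(mktemp)
  cat >"$f" <<'EOF'
# Begin /etc/pam.d/system-password
password  requisite   pam_pwquality.so  dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
password  required    pam_pwhistory.so  remember=5 retry=3 enforce_for_root use_authtok
password  required    pam_unix.so       sha512 use_authtok shadow try_first_pass
# End /etc/pam.d/system-password
EOF
  echo "$f"
}

# module_re MODULE -> ERE matching the "password" line that loads MODULE
# (the dot in ".so" is escaped so it matches literally)
module_re() {
  printf '^[[:space:]]*password[[:space:]].*%s' "$(printf '%s' "$1" | sed 's/\./\\./g')"
}

# get_pam_opt FILE MODULE KEY -> current value, or empty if the key is not set
get_pam_opt() {
  grep -E "$(module_re "$2")" "$1" | sed -nE "s/.*[[:space:]]$3=([^[:space:]]+).*/\1/p"
}

# set_pam_opt FILE MODULE KEY VALUE -> replace KEY=... on the MODULE line,
# or append KEY=VALUE to that line if the key is absent. Refuses to act if
# the module itself is not in the file, so a typo cannot silently no-op.
set_pam_opt() {
  file=$1
  key=$3
  val=$4
  re=$(module_re "$2")
  if ! grep -Eq "$re" "$file"; then
    echo "error: $2 is not loaded in $file; add the module line first" >&2
    return 1
  fi
  if [ -n "$(get_pam_opt "$file" "$2" "$key")" ]; then
    sed -i -E "/$re/ s/(^|[[:space:]])$key=[^[:space:]]+/\1$key=$val/" "$file"
  else
    sed -i -E "/$re/ s/\$/ $key=$val/" "$file"
  fi
}

# Demo on the constructed sample (real run: FILE=/etc/pam.d/system-password).
FILE=$(make_sample)
set_pam_opt "$FILE" pam_pwquality.so minlen 15
set_pam_opt "$FILE" pam_pwquality.so minclass 4
set_pam_opt "$FILE" pam_pwhistory.so retry 5
grep '^password' "$FILE"
rm -f "$FILE"
```

After a change, read the values back with get_pam_opt (or the page's own cat of the file) rather than trusting the sed exit status: sed returns 0 whether or not anything matched, which is exactly why the unscoped one-liners can leave a setting unchanged without any error.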

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands in the PowerShell console.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    # Replace with the name of your management domain
    $sddcDomainName = "sfo-m01"
    
    $rootPass = "VMw@re1!"
    $minLength = "15"
    $minLowercase = "-1"
    $minUppercase = "-1"
    $minNumerical = "-1"
    $minSpecial = "-1"
    $minUnique = "4"
    $minClass = "4"
    $maxSequence = "0"
    $history = "5"
    $maxRetry = "3"
    
  3. Perform the configuration by running the command in the PowerShell console.

    Update-SddcManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -minClass $minClass -maxSequence $maxSequence -history $history -maxRetry $maxRetry