Manage the passwords of the components deployed according to the design objectives and design guidance of the Cloud-Based Automation for VMware Cloud Foundation validated solution.
Password management activities include the configuration of password policies, such as password expiration, password complexity or account lockout, and password rotation and remediation.
Configure the Local User Password Expiration Policy of the Cloud Proxy and Cloud Extensibility Proxy Appliances for Cloud-Based Automation for VMware Cloud Foundation
For local users of the Cloud Proxy and Cloud Extensibility Proxy appliances, you configure the password expiration policy on a per-user basis.
User | Setting | Default Value
---|---|---
root | Maximum number of days between password change | 90
root | Minimum number of days between password change | 0
root | Number of days of warning before password expires | 7
Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Proxy virtual machines folder.
- Locate and select the Cloud Proxy appliance and, on the Summary page, click Launch Web Console.
- Log in to the Cloud Proxy appliance by using the root user.
- Change the value of the maximum number of days between password change by running the following command.
  chage --maxdays <your_value> root
- Change the value of the minimum number of days between password change by running the following command.
  chage --mindays <your_value> root
- Change the value of the number of days of warning before the password expires by running the following command.
  chage --warndays <your_value> root
- Verify the configuration of the desired values by running the following command.
  chage --list root
  If the Last password change date in the output is already more than the new maximum number of days in the past, the root password is expired immediately and you are forced to change it at the next login, so check that date before you lower the maximum.
- Repeat the procedure for the Cloud Extensibility Proxy appliance.
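The procedure above verifies the result by reading the chage --list output by eye. The following POSIX shell script is an added example, not part of the VMware documentation or of the appliances, that applies the policy values from the table with chage and checks the live listing mechanically, so a drift on either appliance fails loudly. It assumes a Linux appliance with the shadow-utils chage command (Photon OS on the proxies); apply_aging must run as root on the appliance, while parse_chage_list and check_aging can also be fed a saved listing.

```shell
#!/bin/sh
# Added example (not from the VMware documentation or the appliance): apply the
# root password aging policy from the table above with chage and verify it by
# parsing `chage --list`, rather than reading the listing by eye.
# Assumption: a Linux appliance (Photon OS on the proxies) with shadow-utils
# chage; apply_aging must run as root on the appliance itself.

POLICY_MAX=90   # maximum number of days between password changes
POLICY_MIN=0    # minimum number of days between password changes
POLICY_WARN=7   # number of days of warning before the password expires

# Read a `chage --list` listing on stdin and print "max min warn" on one line.
# chage separates label and value with a colon, so split on ": ".
parse_chage_list() {
    awk -F': *' '
        /^Maximum number of days between password change/    { max  = $2 }
        /^Minimum number of days between password change/    { min  = $2 }
        /^Number of days of warning before password expires/ { warn = $2 }
        END { print max, min, warn }'
}

# Read a listing on stdin; return 0 when it matches the policy, 1 otherwise,
# naming every field that deviates on stderr. String comparison keeps an
# empty field (option missing from the listing) from aborting the check.
check_aging() {
    set -- $(parse_chage_list)
    max=$1; min=$2; warn=$3
    status=0
    [ "$max" = "$POLICY_MAX" ]   || { echo "maxdays is '$max', expected $POLICY_MAX" >&2;   status=1; }
    [ "$min" = "$POLICY_MIN" ]   || { echo "mindays is '$min', expected $POLICY_MIN" >&2;   status=1; }
    [ "$warn" = "$POLICY_WARN" ] || { echo "warndays is '$warn', expected $POLICY_WARN" >&2; status=1; }
    return $status
}

# Apply the policy to one account in a single chage call and re-check it from
# the live listing. If the password is already older than POLICY_MAX days it
# expires immediately and the next login forces a change.
apply_aging() {
    user=$1
    chage --maxdays "$POLICY_MAX" --mindays "$POLICY_MIN" --warndays "$POLICY_WARN" "$user" || return 1
    chage --list "$user" | check_aging
}

# On the appliance, as root:  apply_aging root
```

Run the same script on the Cloud Proxy and the Cloud Extensibility Proxy appliance; a non-zero exit from apply_aging means the listing does not match the policy, and the stderr line names the field.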
Configure the Local User Password Complexity Policy for the Cloud Proxy and Cloud Extensibility Proxy Appliances for Cloud-Based Automation for VMware Cloud Foundation
The password complexity policy for local users of the Cloud Proxy and Cloud Extensibility Proxy appliances determines the password format requirements on the basis of an account-specific set of rules.
Setting | Default Value | Description
---|---|---
minlen | 8 | Minimum password length (characters)
lcredit | | Maximum number of lowercase characters that generate a credit
ucredit | | Maximum number of uppercase characters that generate a credit
dcredit | | Maximum number of digits that generate a credit
ocredit | | Maximum number of other characters that generate a credit
minclass | | Minimum number of character types that must be used (for example, uppercase, lowercase, digits, or special characters)
difok | | Minimum number of characters that must be different from the old password
retry | 3 | Maximum number of retries
maxsequence | | Maximum length of a monotonic character sequence (for example, abcd or 4321) allowed in the password; 0 disables the check
remember | 3 | Maximum number of passwords the system remembers
The Setting column gives the option name that the procedure edits in /etc/pam.d/system-password. For the four credit settings, a positive value is a credit that shortens the required length, whereas a negative value requires at least that many characters of the class; use the negative form when you want to mandate each character class. The option that limits how many times a single character may be repeated is maxrepeat, which this procedure does not change.
Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Proxy virtual machines folder.
- Locate and select the Cloud Proxy appliance and, on the Summary page, click Launch Web Console.
- Log in to the Cloud Proxy appliance by using the root user.
- Configure the settings according to the requirements of your organization by running the following commands. Each command replaces the current value of one option in /etc/pam.d/system-password; an option that is not already present on the line is not added, so confirm every option you set in the verification output.
  sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/minclass=[-]?[0-9]+/minclass=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/maxsequence=[-]?[0-9]+/maxsequence=<your_value>/g' /etc/pam.d/system-password
  sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
- Verify the configuration of the desired values by running the following command.
  cat /etc/pam.d/system-password
- Repeat the procedure for the Cloud Extensibility Proxy appliance.
Configure the Local User Account Lockout Policy for the Cloud Proxy and Cloud Extensibility Proxy Appliances for Cloud-Based Automation for VMware Cloud Foundation
To configure the account lockout policy for the local accounts of the Cloud Proxy and Cloud Extensibility Proxy appliances, decide on the following settings. The option name in parentheses is the one that the procedure edits in /etc/pam.d/system-auth.
Setting | Default Value
---|---
Maximum number of failed login attempts (deny) | 3
Unlock time for root (root_unlock_time) | 600 seconds
Unlock time for all other accounts (unlock_time) | 600 seconds
Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Proxy virtual machines folder.
- Locate and select the Cloud Proxy appliance and, on the Summary page, click Launch Web Console.
- Log in to the Cloud Proxy appliance by using the root user.
- Change the maximum number of failed attempts by running the following command.
  sed -i -E 's/deny=[-]?[0-9]+/deny=<your_value>/g' /etc/pam.d/system-auth
- Change the unlock time for the root account by running the following command.
  sed -i -E 's/root_unlock_time=[-]?[0-9]+/root_unlock_time=<your_value>/g' /etc/pam.d/system-auth
- Change the unlock time for all other accounts by running the following command. The leading space in the pattern keeps it from matching root_unlock_time, so the replacement must keep that space too; otherwise the option is fused with the token before it.
  sed -i -E 's/ unlock_time=[-]?[0-9]+/ unlock_time=<your_value>/g' /etc/pam.d/system-auth
- Verify the configuration of the desired values by running the following command. If an option does not appear in the output, the sed command found nothing to replace and the setting is unchanged.
  cat /etc/pam.d/system-auth
- Repeat the procedure for the Cloud Extensibility Proxy appliance.
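The password complexity and account lockout procedures above both rewrite PAM options with a bare sed -i, which changes nothing and reports nothing when the option is absent, and which fuses tokens if a space-anchored pattern drops the space from its replacement. The following POSIX shell script is an added example, not part of the VMware documentation or of the appliances, that edits an option only when it is present, keeps the matched delimiter, and re-reads the file to confirm the change. It assumes GNU or BusyBox sed and grep as found on Photon OS, uses the option names from the two procedures, and exercises the functions on constructed sample lines that are not copied from an appliance.

```shell
#!/bin/sh
# Added example (not from the VMware documentation or the appliance): change a
# PAM option in /etc/pam.d/system-password or /etc/pam.d/system-auth without
# two pitfalls of a bare `sed -i`: a pattern that matches nothing changes
# nothing silently, and a pattern anchored on a leading space (" unlock_time=")
# must put that space back, or the option fuses with the token before it.
# Assumptions: GNU or BusyBox sed/grep as on Photon OS; the option names are
# the ones used by the procedures above; the sample PAM lines in run_demo are
# constructed for illustration, not copied from an appliance.

# Print the current value of KEY in FILE, or fail if KEY is absent.
# The (^|[[:space:]]) guard stops "unlock_time" from matching "root_unlock_time".
get_pam_option() {
    file=$1; key=$2
    val=$(grep -E -o "(^|[[:space:]])$key=-?[0-9]+" "$file" | head -n 1 | sed -E "s/.*$key=//")
    [ -n "$val" ] || { echo "$key is not present in $file" >&2; return 1; }
    printf '%s\n' "$val"
}

# Replace the value of KEY in FILE. Refuses a non-integer VALUE (return 2) and a
# file that does not already carry KEY (return 1), keeps a one-time backup, and
# re-reads the file to confirm the change. \1 puts the matched delimiter back.
set_pam_option() {
    file=$1; key=$2; value=$3
    printf '%s\n' "$value" | grep -Eq '^-?[0-9]+$' ||
        { echo "value for $key must be an integer, got '$value'" >&2; return 2; }
    get_pam_option "$file" "$key" >/dev/null || return 1
    [ -f "$file.orig" ] || cp -p "$file" "$file.orig"
    sed -i -E "s/(^|[[:space:]])$key=-?[0-9]+/\1$key=$value/g" "$file"
    [ "$(get_pam_option "$file" "$key")" = "$value" ]
}

# Apply a tightened policy to constructed copies of the two files in a
# temporary directory and print the resulting values. Never touches /etc/pam.d.
run_demo() {
    dir=$(mktemp -d)
    cat > "$dir/system-password" <<'EOF'
password requisite pam_pwquality.so minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 minclass=4 difok=4 retry=3 maxsequence=0 enforce_for_root
password required pam_unix.so sha512 shadow use_authtok remember=3
EOF
    cat > "$dir/system-auth" <<'EOF'
auth required pam_faillock.so preauth silent deny=3 unlock_time=600 root_unlock_time=600
auth required pam_unix.so
EOF
    set_pam_option "$dir/system-password" minlen 12 &&
    set_pam_option "$dir/system-password" lcredit -2 &&
    set_pam_option "$dir/system-auth" deny 5 &&
    set_pam_option "$dir/system-auth" unlock_time 900 &&
    set_pam_option "$dir/system-auth" root_unlock_time 900 ||
        { rm -rf "$dir"; return 1; }
    printf 'minlen=%s lcredit=%s deny=%s unlock_time=%s root_unlock_time=%s\n' \
        "$(get_pam_option "$dir/system-password" minlen)" \
        "$(get_pam_option "$dir/system-password" lcredit)" \
        "$(get_pam_option "$dir/system-auth" deny)" \
        "$(get_pam_option "$dir/system-auth" unlock_time)" \
        "$(get_pam_option "$dir/system-auth" root_unlock_time)"
    rm -rf "$dir"
}

# On the appliance, as root:
#   set_pam_option /etc/pam.d/system-auth unlock_time 900
```

On the appliance, call set_pam_option once per option from the tables and treat any non-zero return as a finding; the .orig backup left beside the file is what you restore if a login test fails afterwards.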
Change the Root Account Password for the Cloud Proxy Appliance for Cloud-Based Automation for VMware Cloud Foundation
The root password of the Cloud Proxy appliance expires after 90 days by default. To ensure services are fully operational and you have full access to the appliance, reset the password before it expires.
Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Proxy virtual machines folder.
- Right-click the Cloud Proxy virtual machine, and select Open remote console.
- In the VMware Remote Console window, press Enter and log in as root.
- To change the root password, run the command.
  passwd root
Update the Root Account Password for the Cloud Extensibility Proxy Appliance for Cloud-Based Automation for VMware Cloud Foundation
The root password of the Cloud Extensibility Proxy appliance expires after 365 days by default. To ensure services are fully operational and you have full access to the appliance, reset the password before it expires.
Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Extensibility Proxy virtual machines folder.
- Right-click the Cloud Extensibility Proxy virtual machine, and select Open remote console.
- In the VMware Remote Console window, press Enter and log in as root.
- To change the root password, run the command.
  passwd root