Manage the passwords of the components deployed according to the design objectives and design guidance of the Cloud-Based Intelligent Operations for VMware Cloud Foundation validated solution.

Password management activities include the configuration of password policies, such as password expiration, password complexity or account lockout, and password rotation and remediation.

Configure the Local User Password Expiration Policy of the Cloud Proxy Appliance for Cloud-Based Intelligent Operations for VMware Cloud Foundation

For local users of the Cloud Proxy appliance, you configure the password expiration policy on a per-user basis.

When the password of the Cloud Proxy appliance expires, the agent life cycle management functionality continues to work, but the OVA upgrade on reboot cannot occur until the cloud administrator sets a new password.
Table 1. Password Expiration Policy Settings for Local Users for the Cloud Proxy Appliance

User   Setting                                             Default Value
root   Maximum number of days between password change      90
       Minimum number of days between password change      0
       Number of days of warning before password expires   7

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Proxy virtual machines folder.

  3. Locate and select the Cloud Proxy appliance and, on the Summary page, click Launch Web Console.

  4. Log in to the Cloud Proxy appliance by using the root user.

  5. Change the value of the maximum number of days between password change by running the following command.

    chage --maxdays <your_value> root
  6. Change the value of the minimum number of days between password change by running the following command.

    chage --mindays <your_value> root
  7. Change the value of the number of days of warning before the password expires by running the following command.

    chage --warndays <your_value> root
  8. Verify the configuration of the desired values by running the following command.

    chage --list root

Configure the Local User Password Complexity Policy for the Cloud Proxy Appliance for Cloud-Based Intelligent Operations for VMware Cloud Foundation

The password complexity policy for local users of the Cloud Proxy appliance determines the password format requirements on the basis of an account-specific set of rules.

Table 2. Password Complexity Policy for Local Users for the Cloud Proxy Appliance

Setting       Default Value   Description
minlen        8               Minimum password length (characters)
lcredit       -1              Maximum number of lowercase characters that generate a credit
ucredit       -1              Maximum number of uppercase characters that generate a credit
dcredit       -1              Maximum number of digits that generate a credit
ocredit       -1              Maximum number of other characters that generate a credit
minclass      4               Minimum number of character types that must be used (for example, uppercase, lowercase, digits, or special characters)
difok         4               Minimum number of characters that must be different from the old password
retry         3               Maximum number of retries
maxsequence   0               Maximum number of times a single character may be repeated
remember      3               Maximum number of passwords the system remembers

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Proxy virtual machines folder.

  3. Locate and select the Cloud Proxy appliance and, on the Summary page, click Launch Web Console.

  4. Log in to the Cloud Proxy appliance by using the root user.

  5. Configure the settings according to the requirements of your organization by running the following commands.

    sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/minclass=[-]?[0-9]+/minclass=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/maxsequence=[-]?[0-9]+/maxsequence=<your_value>/g' /etc/pam.d/system-password
    sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
  6. Verify the configuration of the desired values by running the following command.

    cat /etc/pam.d/system-password

Configure the Local User Account Lockout Policy for the Cloud Proxy Appliance for Cloud-Based Intelligent Operations for VMware Cloud Foundation

Before you configure the account lockout policy for the local accounts of the Cloud Proxy appliance, decide on the values for the following policy settings.

Table 3. Lockout Policy Settings for Local User Accounts for the Cloud Proxy Appliance

Setting                                    Default Value
Maximum number of failed login attempts    3
Unlock time for root                       600 seconds
Unlock time                                600 seconds

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Proxy virtual machines folder.

  3. Locate and select the Cloud Proxy appliance and, on the Summary page, click Launch Web Console.

  4. Log in to the Cloud Proxy appliance by using the root user.

  5. Change the maximum number of failed attempts by running the following command.

    sed -i -E 's/deny=[-]?[0-9]+/deny=<your_value>/g' /etc/pam.d/system-auth
  6. Change the unlock time for the root account by running the following command.

    sed -i -E 's/root_unlock_time=[-]?[0-9]+/root_unlock_time=<your_value>/g' /etc/pam.d/system-auth
  7. Change the unlock time for all other accounts by running the following command.

    sed -i -E 's/ unlock_time=[-]?[0-9]+/ unlock_time=<your_value>/g' /etc/pam.d/system-auth
  8. Verify the configuration of the desired values by running the following command.

    cat /etc/pam.d/system-auth
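The verification steps of the three procedures above (expiration with chage --list, complexity in /etc/pam.d/system-password, lockout in /etc/pam.d/system-auth) rely on reading the files by eye. The following POSIX shell functions are an added example, not part of the VMware documentation, that check the files against the values you chose; the sample file contents and the helper names (pam_value, pam_check, audit_complexity, chage_value) are constructed for this example.

```shell
# Added example, not from the VMware documentation: verify the three policies
# after editing. A sed pattern that does not match leaves the old value in
# place with exit status 0, and a replacement that drops the separating space
# glues two options together ("deny=3unlock_time=600"); both are caught here.
# Assumption: each option sits as KEY=VALUE on one line, as the sed edits require.

# Constructed sample of /etc/pam.d/system-password with the Table 2 defaults.
SAMPLE_PASSWORD='password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=4 difok=4 retry=3 maxsequence=0 remember=3 minlen=8
password required pam_unix.so sha512 use_authtok shadow try_first_pass'

# Constructed sample of /etc/pam.d/system-auth where the unlock_time edit
# lost its leading space, so unlock_time is no longer a separate option.
SAMPLE_AUTH_BAD='auth required pam_faillock.so preauth silent deny=3unlock_time=600 root_unlock_time=600'

# Constructed sample of "chage --list root" output with the Table 1 defaults.
SAMPLE_CHAGE='Last password change                               : Jan 01, 2024
Minimum number of days between password change     : 0
Maximum number of days between password change     : 90
Number of days of warning before password expires  : 7'

# pam_value TEXT KEY: print the value of KEY=VALUE when KEY is a whole option
# (preceded by whitespace); print nothing when it is absent or glued.
pam_value() {
    printf '%s\n' "$1" | sed 's/^/ /' | grep -oE "[[:space:]]$2=-?[0-9]+" \
        | head -n1 | sed 's/.*=//'
}

# pam_check TEXT KEY EXPECTED: 0 when KEY is present with EXPECTED, else 1.
pam_check() {
    actual=$(pam_value "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    printf 'MISMATCH %s: expected %s, found "%s"\n' "$2" "$3" "$actual" >&2
    return 1
}

# audit_complexity TEXT: check every Table 2 setting; return the mismatch count.
audit_complexity() {
    failures=0
    for kv in minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 \
              minclass=4 difok=4 retry=3 maxsequence=0 remember=3; do
        pam_check "$1" "${kv%%=*}" "${kv#*=}" || failures=$((failures + 1))
    done
    return "$failures"
}

# chage_value TEXT LABEL: print the value after the colon on the line containing LABEL.
chage_value() {
    printf '%s\n' "$1" | grep -F "$2" | head -n1 | sed -E 's/.*:[[:space:]]*//'
}
```

On the appliance, pass the real file contents instead of the samples, for example `audit_complexity "$(cat /etc/pam.d/system-password)"` and `chage_value "$(chage --list root)" "Maximum number of days"`.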

Change the Root Account Password for the Cloud Proxy Appliance for Cloud-Based Intelligent Operations for VMware Cloud Foundation

The root account password of the Cloud Proxy appliance expires after 90 days by default. To ensure that services are fully operational and you have full access to the appliance, reset the password before it expires.

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the Cloud Proxy virtual machines folder.

  3. Right-click the Cloud Proxy virtual machine and select Open remote console.

  4. In the VMware Remote Console window, press Enter and log in as root.

  5. To change the root password, run the following command.

    passwd root