Manage the passwords of the components deployed according to the design objectives and design guidance of the Cloud-Based Network Visibility for VMware Cloud Foundation validated solution.

Password management activities include configuring password policies (password expiration, password complexity, and account lockout) as well as password rotation and remediation.

Configure the Local User Password Expiration Policy for the VMware Aria Operations for Networks Data Collector Appliance for Cloud-Based Network Visibility for VMware Cloud Foundation

For local user accounts of the VMware Aria Operations for Networks Data Collector appliance, you configure the password expiration policy on a per-user basis.

Upon password expiry of the VMware Aria Operations for Networks Data Collector appliance, the life cycle management functionality of the agent continues to work, but the appliance cannot be upgraded on reboot before the cloud administrator sets a new password.

Table 1. Default Password Expiration Policy for VMware Aria Operations for Networks Data Collector Appliance

User         Setting    Default   Description
support      maxdays    99999     Maximum number of days between password change (by default, the password is set to never expire)
             mindays    0         Minimum number of days between password change
             warndays   7         Number of days of warning before a password expires
consoleuser  maxdays    99999     Maximum number of days between password change (by default, the password is set to never expire)
             mindays    0         Minimum number of days between password change
             warndays   7         Number of days of warning before a password expires

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks Data Collector virtual machine folder.
  3. Select the VMware Aria Operations for Networks Data Collector appliance and, on the Summary page, click Launch web console.
  4. Log in to the VMware Aria Operations for Networks Data Collector appliance by using the support user.
  5. Change the value of the maximum number of days between password changes.
    sudo chage --maxdays <max_days> support
  6. Change the value of the minimum number of days between password changes.
    sudo chage --mindays <min_days> support
  7. Change the value of the number of warning days before the password expiration.
    sudo chage --warndays <warn_days> support
  8. Verify the configuration.
    sudo chage --list support
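The procedure sets the policy for one account at a time and step 8 leaves the reader to eyeball the output. The following script is an added example (not part of the VMware documentation) that parses the output of chage --list and checks it against the maxdays/mindays/warndays values chosen in steps 5 to 7, for the support and consoleuser accounts of Table 1. The sample output embedded in the script is constructed to look like chage --list after a 90/1/7 policy has been applied; the live audit function runs sudo chage --list on the appliance and is not invoked automatically.

```shell
#!/bin/sh
# Added example: audit local-account password expiration against the policy
# chosen in the procedure. SAMPLE_CHAGE_OUTPUT is constructed (not captured
# from a real appliance) to mirror `sudo chage --list support` for a 90/1/7 policy.
SAMPLE_CHAGE_OUTPUT='Last password change                                    : Jan 10, 2024
Password expires                                        : Apr 09, 2024
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 1
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7'

# chage_field OUTPUT LABEL: print the value of the line that starts with LABEL.
# chage separates label and value with ": ", so split on that.
chage_field() {
    printf '%s\n' "$1" | awk -F': ' -v key="$2" '
        index($0, key) == 1 { sub(/[[:space:]]+$/, "", $2); print $2; exit }'
}

# check_expiry_policy OUTPUT MAXDAYS MINDAYS WARNDAYS
# Returns 0 when the captured chage --list output matches all three values.
check_expiry_policy() {
    out=$1 want_max=$2 want_min=$3 want_warn=$4
    max=$(chage_field "$out" "Maximum number of days between password change")
    min=$(chage_field "$out" "Minimum number of days between password change")
    warn=$(chage_field "$out" "Number of days of warning before password expires")
    if [ "$max" = "$want_max" ] && [ "$min" = "$want_min" ] && [ "$warn" = "$want_warn" ]; then
        return 0
    fi
    echo "expiry policy mismatch: maxdays=$max mindays=$min warndays=$warn" >&2
    return 1
}

# audit_expiry_policy MAXDAYS MINDAYS WARNDAYS
# Runs the check against the live accounts on the appliance (needs sudo).
# Returns 1 if any account deviates from the wanted policy.
audit_expiry_policy() {
    rc=0
    for user in support consoleuser; do
        if check_expiry_policy "$(sudo chage --list "$user")" "$1" "$2" "$3"; then
            echo "$user: OK"
        else
            echo "$user: policy deviates" >&2
            rc=1
        fi
    done
    return $rc
}

# Stand-alone demonstration on the constructed sample; on the appliance,
# call: audit_expiry_policy 90 1 7
check_expiry_policy "$SAMPLE_CHAGE_OUTPUT" 90 1 7 && echo "sample output matches the 90/1/7 policy"
```

The label strings are matched at the start of the line, so the check keeps working whether chage pads with spaces or tabs. A maxdays of 99999 (the Table 1 default) is reported as a mismatch as soon as any finite policy value is requested, which is the case the audit is meant to surface.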

Configure the Local User Password Complexity Policy for the VMware Aria Operations for Networks Data Collector Appliance for Cloud-Based Network Visibility for VMware Cloud Foundation

The password complexity policy for local user accounts of the VMware Aria Operations for Networks Data Collector appliance determines the password format requirements based on an account-specific set of rules.

Table 2. Default Password Complexity Policy for VMware Aria Operations for Networks Data Collector Appliance

Setting    Default   Description
dcredit    -1        Maximum number of digits that generate a credit
ucredit    -1        Maximum number of uppercase characters that generate a credit
lcredit    -1        Maximum number of lowercase characters that generate a credit
ocredit    -1        Maximum number of other characters that generate a credit
minlen     8         Minimum password length
difok      3         Minimum number of characters that must be different from the old password
retry      3         Maximum number of retries
remember   5         Maximum number of passwords the system remembers

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks Data Collector virtual machine folder.
  3. Select the VMware Aria Operations for Networks Data Collector appliance and, on the Summary page, click Launch web console.
  4. Log in to the VMware Aria Operations for Networks Data Collector appliance by using the support user.
  5. Configure the settings according to the requirements of your organization.
    sudo sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/common-password
  6. Verify the configuration.
    cat /etc/pam.d/common-password
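The in-place sed commands in step 5 silently do nothing when a key is not yet on the module line, and a typo in a pattern is only noticed when logins start failing. The following script is an added example (not the appliance's own tooling) that sets one Table 2 option at a time on a copy of /etc/pam.d/common-password: an existing key=value is replaced, a missing key is appended to the named module's line, and the edited copy is only swapped in when its line count is unchanged. The sample PAM file is constructed; it assumes the Table 2 defaults sit on a pam_cracklib.so line and remember on the pam_unix.so line, which the page does not show.

```shell
#!/bin/sh
# Added example: edit password-complexity options on a PAM file safely.
# make_sample_common_password FILE writes a constructed stand-in for
# /etc/pam.d/common-password (assumed layout, not the appliance's real file).
make_sample_common_password() {
    cat > "$1" <<'EOF'
# /etc/pam.d/common-password (constructed sample, not the appliance's file)
password  requisite                    pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password  [success=1 default=ignore]   pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
password  requisite                    pam_deny.so
password  required                     pam_permit.so
EOF
}

# pam_set_option FILE MODULE KEY VALUE
# Replaces KEY=VALUE where the key already exists on a password line, or
# appends it to MODULE's line when it is absent. The edit is made on a copy
# and only installed when the line count is unchanged, so a malformed pattern
# cannot leave a truncated PAM file behind (which would block every login).
pam_set_option() {
    file=$1 module=$2 key=$3 value=$4
    tmp="$file.tmp.$$"
    if grep -Eq "^password.*[[:space:]]$key=-?[0-9]+" "$file"; then
        sed -E "s/([[:space:]])$key=-?[0-9]+/\\1$key=$value/" "$file" > "$tmp"
    else
        sed -E "/^password[[:space:]].*[[:space:]]$module([[:space:]]|$)/s/$/ $key=$value/" "$file" > "$tmp"
    fi
    if [ "$(wc -l < "$tmp")" -eq "$(wc -l < "$file")" ]; then
        mv "$tmp" "$file"
    else
        rm -f "$tmp"
        echo "refusing to install edited $file: line count changed" >&2
        return 1
    fi
}

# pam_get_option FILE KEY: print the current value of KEY (empty when unset).
# This is the check to run instead of reading the whole file by eye.
pam_get_option() {
    sed -nE "s/^password.*[[:space:]]$2=(-?[0-9]+).*/\\1/p" "$1" | head -n 1
}

# Stand-alone demonstration on the constructed sample.
demo_file=$(mktemp)
make_sample_common_password "$demo_file"
pam_set_option "$demo_file" pam_cracklib.so minlen 14
pam_set_option "$demo_file" pam_cracklib.so minclass 4   # key not present yet: appended to the module line
echo "minlen is now $(pam_get_option "$demo_file" minlen), minclass $(pam_get_option "$demo_file" minclass)"
rm -f "$demo_file"
```

On the appliance the same functions would be pointed at /etc/pam.d/common-password under sudo. Note that the negative credit defaults in Table 2 act as minimums in pam_cracklib: dcredit=-1 requires at least one digit rather than granting a length credit for one, so raising the requirement means a more negative value, not a larger positive one.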

Configure the Local User Account Lockout Policy for the VMware Aria Operations for Networks Data Collector Appliance for Cloud-Based Network Visibility for VMware Cloud Foundation

The account lockout policy for the local user accounts of the VMware Aria Operations for Networks Data Collector appliance is controlled by the pam_tally2 settings in Table 3: the number of failed authentication attempts after which an account is locked, and the time for which the lock remains in place.

Table 3. Default Account Lockout Policy for VMware Aria Operations for Networks Data Collector Appliance

Setting       Default       Description
deny          Not Defined   Maximum number of authentication failures before the account is locked
unlock_time   Not Defined   Amount of time in seconds that the account remains locked

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks Data Collector virtual machine folder.
  3. Select the VMware Aria Operations for Networks Data Collector appliance and, on the Summary page, click Launch web console.
  4. Log in to the VMware Aria Operations for Networks Data Collector appliance by using the support user.
  5. Set the maximum number of failed attempts and the unlock time for the support and consoleuser accounts.
    sudo sed -i '17iauth    required                        pam_tally2.so onerr=fail deny=<your_value> unlock_time=<your_value> audit' /etc/pam.d/common-auth
  6. Verify the configuration.
    cat /etc/pam.d/common-auth
  7. Restart the SSH service for the new rules to take effect on the system.
    sudo systemctl restart sshd
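Step 5 inserts the pam_tally2 rule at line 17 of common-auth, which assumes a fixed file layout and adds a second rule each time the step is re-run. The following script is an added example (not from the VMware documentation) that applies the Table 3 settings in a way that is safe to repeat: the rule is inserted before the first auth line so that the failure counter runs ahead of pam_unix, or rewritten in place when a pam_tally2 line already exists, and two read-back functions verify the values and the ordering. The sample common-auth is constructed; the appliance's real file is not shown on the page.

```shell
#!/bin/sh
# Added example: idempotent pam_tally2 lockout rule for /etc/pam.d/common-auth.
# make_sample_common_auth FILE writes a constructed stand-in (assumed layout).
make_sample_common_auth() {
    cat > "$1" <<'EOF'
# /etc/pam.d/common-auth (constructed sample, not the appliance's file)
# here are the per-package modules (the "Primary" block)
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
}

# ensure_tally2_rule FILE DENY UNLOCK_TIME
# Writes exactly one pam_tally2 rule with the given deny/unlock_time values.
ensure_tally2_rule() {
    file=$1 deny=$2 unlock=$3
    rule="auth    required                        pam_tally2.so onerr=fail deny=$deny unlock_time=$unlock audit"
    tmp="$file.tmp.$$"
    if grep -q 'pam_tally2\.so' "$file"; then
        # already present: rewrite that line so the values follow the policy
        awk -v rule="$rule" '/pam_tally2\.so/ { print rule; next } { print }' "$file" > "$tmp"
    else
        # not present: the counter must be consulted before pam_unix, so insert
        # ahead of the first auth line instead of at a hard-coded line number
        awk -v rule="$rule" '!done && /^auth[[:space:]]/ { print rule; done = 1 } { print }' "$file" > "$tmp"
    fi
    mv "$tmp" "$file"
}

# tally2_setting FILE KEY: print the value of deny or unlock_time (empty if unset).
tally2_setting() {
    sed -nE "s/^auth.*pam_tally2\\.so.*[[:space:]]$2=([0-9]+).*/\\1/p" "$1" | head -n 1
}

# lockout_configured FILE: 0 when both deny and unlock_time are set on the rule.
lockout_configured() {
    if [ -n "$(tally2_setting "$1" deny)" ] && [ -n "$(tally2_setting "$1" unlock_time)" ]; then
        return 0
    fi
    return 1
}

# tally2_precedes_unix FILE: 0 when the lockout rule is evaluated before pam_unix.
tally2_precedes_unix() {
    awk '/pam_tally2\.so/ && !t { t = NR } /pam_unix\.so/ && !u { u = NR } END { exit !(t && u && t < u) }' "$1"
}

# Stand-alone demonstration on the constructed sample.
demo_file=$(mktemp)
make_sample_common_auth "$demo_file"
ensure_tally2_rule "$demo_file" 5 900
ensure_tally2_rule "$demo_file" 5 900      # second run leaves a single rule in place
echo "deny=$(tally2_setting "$demo_file" deny) unlock_time=$(tally2_setting "$demo_file" unlock_time)"
tally2_precedes_unix "$demo_file" && echo "lockout rule runs before pam_unix"
rm -f "$demo_file"
```

On the appliance the functions would be run under sudo against /etc/pam.d/common-auth, followed by the sshd restart in step 7. The module name follows the page; on PAM releases where pam_tally2 has been replaced by pam_faillock, the same insert-or-rewrite approach applies with that module's own option names.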

Change the Support Account Password for the VMware Aria Operations for Networks Data Collector Appliance for Cloud-Based Network Visibility for VMware Cloud Foundation

To ensure the VMware Aria Operations for Networks Data Collector appliance services are fully operational and you have full access to the appliance, reset the password for the support account.

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks Data Collector virtual machine folder.
  3. Select the VMware Aria Operations for Networks Data Collector appliance and, on the Summary page, click Launch web console.
  4. Log in to the VMware Aria Operations for Networks Data Collector appliance by using the support user.
  5. Change the password by running the following command.
    passwd support
  6. Enter the new password.