Password policies include password expiration policy, password complexity policy, and account lockout policy.

For the Intelligent Network Visibility for VMware Cloud Foundation validated solution, you configure the password policies for local VMware Aria Operations for Networks appliance users.
  • Password expiration policy defines the length of time a credential’s password is valid before the system forces a password change.

  • Password complexity policy defines the minimum requirements surrounding the definition of an account’s password.

  • Account lockout policy defines the behavior of the system when incorrect credentials are used for authenticating to the system.

Note:

You can follow a step-by-step approach by using the product user interface, or an automated approach by running PowerShell commands that are available in the open source PowerShell Module for VMware Cloud Foundation Password Management (VMware.CloudFoundation.PasswordManagement), available on the PowerShell Gallery.

You can initiate discussions, report bugs, suggest enhancements, and learn about contributing to the project on the GitHub repository.

Configure the Local User Password Expiration Policy for the VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

For local user accounts of VMware Aria Operations for Networks, you configure the password expiration policy on a per-user basis.

To maintain a standardized expiration policy, this procedure must be completed on each VMware Aria Operations for Networks platform and collector node.

Table 1. Default Password Expiration Policy for VMware Aria Operations for Networks

| User        | Setting  | Default | Description                                                                                          |
|-------------|----------|---------|------------------------------------------------------------------------------------------------------|
| support     | maxdays  | 99999   | Maximum number of days between password changes. (By default, the password is set to never expire.) |
| support     | mindays  | 0       | Minimum number of days between password changes.                                                     |
| support     | warndays | 7       | Number of days of warning before a password expires.                                                 |
| consoleuser | maxdays  | 99999   | Maximum number of days between password changes. (By default, the password is set to never expire.) |
| consoleuser | mindays  | 0       | Minimum number of days between password changes.                                                     |
| consoleuser | warndays | 7       | Number of days of warning before a password expires.                                                 |

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks virtual machine folder.
  3. Select the VMware Aria Operations for Networks platform node.
  4. On the Summary page, click Launch web console.
  5. Log in to VMware Aria Operations for Networks platform node as the support user.
  6. Change the value of the maximum number of days between password changes.
    sudo chage --maxdays <max_days> support
  7. Change the value of the minimum number of days between password changes.
    sudo chage --mindays <min_days> support
  8. Change the value of the number of warning days before the password expiration.
    sudo chage --warndays <warn_days> support
    
  9. Verify the configuration.
    sudo chage --list support
  10. Repeat this procedure for the consoleuser account.
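As an added example that is not part of the VMware procedure, this POSIX shell script audits the output of `sudo chage --list <user>` from Step 9 against a target expiration policy and flags the 99999 default, which means the password never expires. The target values (matching the PowerShell sample on this page) and the sample chage output are constructed assumptions.

```shell
#!/bin/sh
# Added example, not VMware's code: audit "chage --list" output against a target policy.
# Targets match the PowerShell sample values on this page; adjust them to your policy.
TARGET_MAXDAYS=90
TARGET_MINDAYS=0
TARGET_WARNDAYS=7

# chage_field TEXT PATTERN: print the value after ':' on the "chage --list" line matching PATTERN.
chage_field() {
    printf '%s\n' "$1" | awk -F':' -v pat="$2" '$1 ~ pat { gsub(/^ +| +$/, "", $2); print $2 }'
}

# audit_expiration USER CHAGE_OUTPUT: print findings; return 0 if compliant, 1 if not, 2 if unparsable.
audit_expiration() {
    user=$1; text=$2; rc=0
    maxdays=$(chage_field "$text" '^Maximum number of days')
    mindays=$(chage_field "$text" '^Minimum number of days')
    warndays=$(chage_field "$text" '^Number of days of warning')
    [ -n "$maxdays" ] && [ -n "$mindays" ] && [ -n "$warndays" ] ||
        { echo "$user: could not parse chage output"; return 2; }
    # 99999 is the appliance default and means the password never expires.
    if [ "$maxdays" -eq 99999 ]; then
        echo "$user: password never expires (maxdays=99999)"; rc=1
    elif [ "$maxdays" -gt "$TARGET_MAXDAYS" ]; then
        echo "$user: maxdays=$maxdays exceeds target $TARGET_MAXDAYS"; rc=1
    fi
    [ "$mindays" -ge "$TARGET_MINDAYS" ] || { echo "$user: mindays=$mindays below target $TARGET_MINDAYS"; rc=1; }
    [ "$warndays" -ge "$TARGET_WARNDAYS" ] || { echo "$user: warndays=$warndays below target $TARGET_WARNDAYS"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$user: compliant"
    return "$rc"
}

# Constructed sample in the format printed by "chage --list", showing the appliance defaults.
SAMPLE_DEFAULT='Last password change                                    : Jan 01, 2024
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7'

# The same account after "sudo chage --maxdays 90 support" from Step 6.
SAMPLE_HARDENED=$(printf '%s\n' "$SAMPLE_DEFAULT" | sed 's/: 99999$/: 90/')

audit_expiration support "$SAMPLE_DEFAULT" || echo "support: remediate with the chage commands above"
audit_expiration support "$SAMPLE_HARDENED"
```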

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"

    $maxDays = "90"
    $minDays = "0"
    $warnDays = "7"
  3. To get the current configuration, run the command.

    Request-AriaLocalUserPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrni
  4. To configure the local user password expiration policy, run the command.

    Update-AriaLocalUserPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrni -localUser support -maxDays $maxDays -minDays $minDays -warnDays $warnDays
    
    Update-AriaLocalUserPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrni -localUser consoleuser -maxDays $maxDays -minDays $minDays -warnDays $warnDays
  5. Run the command in Step 3 to get the updated configuration.

Configure the Local User Password Complexity Policy for the VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

The password complexity policy of the VMware Aria Operations for Networks platform and collector nodes determines the password format requirements. These are based on an account-specific set of rules.

This procedure must be completed for each VMware Aria Operations for Networks platform and collector node to maintain a standardized complexity policy.

Table 2. Default Password Complexity Policy for VMware Aria Operations for Networks

| Setting  | Default | Description                                                              |
|----------|---------|--------------------------------------------------------------------------|
| dcredit  | -1      | Minimum number of numerical characters required.                         |
| ucredit  | -1      | Minimum number of uppercase characters required.                         |
| lcredit  | -1      | Minimum number of lowercase characters required.                         |
| ocredit  | -1      | Minimum number of special characters required.                           |
| minlen   | 14      | Minimum total number of characters required.                             |
| difok    | 3       | Minimum number of unique characters different from the previous password. |
| retry    | 3       | Maximum number of retries allowed.                                       |
| remember | 5       | Maximum number of previous passwords remembered.                         |

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks virtual machine folder.
  3. Select the VMware Aria Operations for Networks platform node.
  4. On the Summary page, click Launch web console.
  5. Log in to VMware Aria Operations for Networks platform node as the support user.
  6. Configure the settings according to the requirements of your organization.
    sudo sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/common-password
  7. Verify the configuration.
    cat /etc/pam.d/common-password
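The Step 6 sed substitutions only rewrite a key that is already present in /etc/pam.d/common-password; if a key such as remember= is missing from the file, sed exits 0 and changes nothing. As an added example that is not VMware's code, this shell script wraps the same substitution in a function that verifies each key after editing and reports absent keys; the sample file content and the target values are constructed assumptions, so run it against a copy of the real file first.

```shell
#!/bin/sh
# Added example, not VMware's code: set one complexity key in a PAM file and verify the result.

# pam_param FILE KEY: print the current numeric value of KEY (for example the -1 of dcredit=-1).
pam_param() {
    grep -o -E "(^|[[:space:]])$2=-?[0-9]+" "$1" | head -n 1 | sed 's/.*=//'
}

# set_pam_param FILE KEY VALUE: apply the same substitution as Step 6, then confirm the file
# now carries KEY=VALUE. Returns 1 when KEY is absent, a case sed alone would not report.
set_pam_param() {
    file=$1; key=$2; value=$3
    if [ -z "$(pam_param "$file" "$key")" ]; then
        echo "$key: not present in $file; add it to the module line manually" >&2
        return 1
    fi
    sed -i -E "s/$key=[-]?[0-9]+/$key=$value/g" "$file"
    [ "$(pam_param "$file" "$key")" = "$value" ]
}

# apply_complexity FILE: set every Table 2 key. Targets are assumptions matching the
# PowerShell sample values on this page (minlen 15, difok 5, remember 10).
apply_complexity() {
    rc=0
    for kv in dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=15 difok=5 retry=3 remember=10; do
        set_pam_param "$1" "${kv%%=*}" "${kv#*=}" || rc=1
    done
    return "$rc"
}

# Constructed sample resembling a Debian-style common-password, not the appliance's real file.
make_sample() {
    cat > "$1" <<'EOF'
password requisite pam_pwquality.so retry=3 minlen=14 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
password requisite pam_deny.so
EOF
}

SAMPLE=$(mktemp)
make_sample "$SAMPLE"
apply_complexity "$SAMPLE" && echo "minlen=$(pam_param "$SAMPLE" minlen) remember=$(pam_param "$SAMPLE" remember)"
rm -f "$SAMPLE"
```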

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"

    $minNumerical = "1"
    $minUppercase = "1"
    $minLowercase = "1"
    $minSpecial = "1"
    $minLength = "15"
    $minUnique = "5"
    $maxRetry = "3"
    $history = "10"
    
  3. To get the current configuration, run the command.

    Request-AriaLocalUserPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrni
  4. To configure the local user password complexity policy, run the command.

    Update-AriaLocalUserPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrni -numerical $minNumerical -uppercase $minUppercase -lowercase $minLowercase -special $minSpecial -minLength $minLength -unique $minUnique -retry $maxRetry -history $history
  5. Run the command in Step 3 to get the updated configuration.

Configure the Local User Account Lockout Policy for the VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

To configure the VMware Aria Operations for Networks account lockout policy for local user accounts, configure these specific policy settings.

This procedure must be completed on each VMware Aria Operations for Networks platform and collector node to maintain a standardized account lockout policy.

Table 3. Default Account Lockout Policy for VMware Aria Operations for Networks Support and Consoleuser Accounts

| Setting     | Default     | Description                                                              |
|-------------|-------------|--------------------------------------------------------------------------|
| deny        | Not Defined | Maximum number of authentication failures before the account is locked.  |
| unlock_time | Not Defined | Amount of time in seconds that the account remains locked.               |

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks virtual machine folder.
  3. Select the VMware Aria Operations for Networks platform node.
  4. On the Summary page, click Launch web console.
  5. Log in to VMware Aria Operations for Networks platform node as the support user.
  6. Set the maximum number of failed attempts and the unlock time for all local accounts.
    sudo sed -i '/pam_deny.so/a auth    required pam_tally2.so onerr=fail deny=<your_value> unlock_time=<your_value>' /etc/pam.d/common-auth
    
  7. Verify the configuration.
    cat /etc/pam.d/common-auth
  8. Restart the SSH service for the new rules to take effect on the system.

    sudo systemctl restart sshd
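The Step 6 sed appends a new pam_tally2 line each time it runs, so a repeated run leaves duplicate rules in /etc/pam.d/common-auth. As an added example that is not VMware's code, this shell function adds the rule once, updates deny and unlock_time in place when a rule already exists, and verifies the result; the common-auth content and the values are constructed assumptions.

```shell
#!/bin/sh
# Added example, not VMware's code: idempotently configure pam_tally2 in a PAM auth file.

# tally2_param FILE KEY: print KEY's value from the pam_tally2 line, or nothing if unset.
tally2_param() {
    grep pam_tally2.so "$1" | grep -o -E "$2=[0-9]+" | head -n 1 | sed 's/.*=//'
}

# ensure_lockout FILE DENY UNLOCK_TIME: add or update the pam_tally2 rule, then verify that
# exactly one rule exists and carries the requested values.
ensure_lockout() {
    file=$1; deny=$2; unlock=$3
    if grep -q pam_tally2.so "$file"; then
        # Already present: rewrite the values rather than appending a second rule.
        sed -i -E "/pam_tally2\.so/ s/deny=[0-9]+/deny=$deny/; /pam_tally2\.so/ s/unlock_time=[0-9]+/unlock_time=$unlock/" "$file"
    else
        # Same insertion as Step 6: append the rule after the pam_deny.so line.
        sed -i "/pam_deny.so/a auth    required pam_tally2.so onerr=fail deny=$deny unlock_time=$unlock" "$file"
    fi
    # A file with several pam_deny.so lines would get several rules; the count check catches that.
    [ "$(grep -c pam_tally2.so "$file")" -eq 1 ] &&
    [ "$(tally2_param "$file" deny)" = "$deny" ] &&
    [ "$(tally2_param "$file" unlock_time)" = "$unlock" ]
}

# Constructed sample resembling a Debian-style common-auth, not the appliance's real file.
make_auth_sample() {
    cat > "$1" <<'EOF'
auth    [success=1 default=ignore]      pam_unix.so nullok
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
EOF
}

SAMPLE=$(mktemp)
make_auth_sample "$SAMPLE"
# Second call with new values must update, not duplicate, the rule.
ensure_lockout "$SAMPLE" 5 900 && ensure_lockout "$SAMPLE" 3 1800 &&
    echo "pam_tally2 rules: $(grep -c pam_tally2.so "$SAMPLE"), deny=$(tally2_param "$SAMPLE" deny)"
rm -f "$SAMPLE"
```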

PowerShell Procedure

  1. Start PowerShell.

  2. Replace the values in the sample code and run the commands.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "[email protected]"
    $sddcManagerPass = "VMw@re1!"
    
    $maxFailures = "5"
    $unlockInterval = "900"
  3. To get the current configuration, run the command.

    Request-AriaLocalUserAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrni
  4. To configure the local user account lockout policy, run the command.

    Update-AriaLocalUserPasswordAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrni -failures $maxFailures -unlockInterval $unlockInterval
  5. Run the command in Step 3 to get the updated configuration.

Manage Passwords for VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

Follow these procedures to change the VMware Aria Operations for Networks platform and collector node passwords.

Create Passwords for VMware Aria Operations for Networks in VMware Aria Suite Lifecycle for Intelligent Network Visibility for VMware Cloud Foundation

To manage the passwords for the VMware Aria Operations for Networks support and consoleuser local accounts in VMware Aria Suite Lifecycle, you must first add the passwords to VMware Aria Suite Lifecycle.

Procedure

  1. Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as vcfadmin@local.
  2. On the My services page, click Locker.
  3. In the navigation pane, click Passwords.
  4. On the Passwords page, click Add.
  5. On the Add Password page, configure the values and click Add.

Update Passwords for VMware Aria Operations for Networks in VMware Aria Suite Lifecycle for Intelligent Network Visibility for VMware Cloud Foundation

Update the VMware Aria Operations for Networks support and consoleuser local user passwords for each platform and collector node in VMware Aria Suite Lifecycle.

Procedure

  1. Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as vcfadmin@local.
  2. On the My services page, click Lifecycle operations.
  3. In the navigation pane, click Environments.
  4. Navigate to the card for the cross-instance environment where VMware Aria Operations for Networks is installed and select View details.

  5. Select the VMware Aria Operations for Networks node you want to update and click Change node password.
  6. On the Change node password dialog box, configure the settings and click Submit.
  7. On the Request details page, monitor the progress until all stages have a Completed status.

Update the Administrator Password for VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

Update the VMware Aria Operations for Networks Administrator password in the VMware Aria Operations for Networks UI.

Note:

Do not use the admin@local account to perform these steps.

Procedure

  1. Log in to the VMware Aria Operations for Networks at https://<aria_operations_for_networks_fqdn> with a user assigned to the Administrator role.

  2. In the left pane, navigate to Settings > Identity and access management.
  3. Click the User management tab, locate the Administrator user and click the Edit icon.
  4. In the Edit local user dialog box, click the Reset password checkbox, enter the password, and click Submit.