Manage the passwords of the components deployed according to the design objectives and design guidance of the Intelligent Network Visibility for VMware Cloud Foundation validated solution.

Password management activities include the configuration of password policies, such as password expiration, password complexity, account lockout, password rotation and remediation.

Configure the Local User Password Expiration Policy for the VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

For local user accounts of VMware Aria Operations for Networks, you configure the password expiration policy on a per-user basis.

To maintain a standardized expiration policy, this procedure must be completed on each VMware Aria Operations for Networks platform and collector node.

Table 1. Default Password Expiration Policy for VMware Aria Operations for Networks

| User | Setting | Default | Description |
|---|---|---|---|
| support | maxdays | 99999 | Maximum number of days between password changes. (By default, the password is set to never expire.) |
| support | mindays | 0 | Minimum number of days between password changes. |
| support | warndays | 7 | Number of days of warning before a password expires. |
| consoleuser | maxdays | 99999 | Maximum number of days between password changes. (By default, the password is set to never expire.) |
| consoleuser | mindays | 0 | Minimum number of days between password changes. |
| consoleuser | warndays | 7 | Number of days of warning before a password expires. |

Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks virtual machine folder.
  3. Select the VMware Aria Operations for Networks platform node.
  4. On the Summary page, click Launch web console.
  5. Log in to VMware Aria Operations for Networks platform node as the support user.
  6. Change the value of the maximum number of days between password changes.
    sudo chage --maxdays <max_days> support
  7. Change the value of the minimum number of days between password changes.
    sudo chage --mindays <min_days> support
  8. Change the value of the number of warning days before the password expiration.
    sudo chage --warndays <warn_days> support
    
  9. Verify the configuration.
    sudo chage --list support
  10. Repeat this procedure for the consoleuser account.

Configure the Local User Password Complexity Policy for the VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

The password complexity policy of the VMware Aria Operations for Networks platform and collector nodes determines the password format requirements. These are based on an account-specific set of rules.

This procedure must be completed for each VMware Aria Operations for Networks platform and collector node to maintain a standardized complexity policy.

Table 2. Default Password Complexity Policy for VMware Aria Operations for Networks

| Setting | Default | Description |
|---|---|---|
| dcredit | -1 | Maximum number of digits that generate a credit |
| ucredit | -1 | Maximum number of uppercase characters that generate a credit |
| lcredit | -1 | Maximum number of lowercase characters that generate a credit |
| ocredit | -1 | Maximum number of other characters that generate a credit |
| minlen | 8 | Minimum password length |
| difok | 3 | Minimum number of characters that must be different from the old password |
| retry | 3 | Maximum number of retries |
| remember | 5 | Maximum number of passwords the system remembers |

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks virtual machine folder.
  3. Select the VMware Aria Operations for Networks platform node.
  4. On the Summary page, click Launch web console.
  5. Log in to VMware Aria Operations for Networks platform node as the support user.
  6. Configure the settings according to the requirements of your organization.
    sudo sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password
    sudo sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/common-password
  7. Verify the configuration.
    cat /etc/pam.d/common-password
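As an added example that is not part of the VMware documentation, the script below applies the same sed substitution the procedure uses to a constructed copy of /etc/pam.d/common-password and then checks every Table 2 setting against the intended value, instead of relying on a visual read of the `cat` output. The sample file contents and the target values in POLICY are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the VMware documentation. Applies the Table 2
# settings to a constructed copy of /etc/pam.d/common-password with the same
# sed substitution the procedure uses, then verifies every value.
set -e
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PAMFILE="$WORKDIR/common-password"
# Constructed sample content holding the Table 2 defaults (not a real node's file).
cat > "$PAMFILE" <<'EOF'
password requisite pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 remember=5
password requisite pam_deny.so
password required pam_permit.so
EOF

# Target values, constructed for illustration; substitute your organization's requirements.
POLICY="dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=14 difok=5 retry=3 remember=10"

# set_pam_value FILE KEY VALUE: the procedure's substitution, without sudo, on FILE.
set_pam_value() {
    sed -i -E "s/$2=[-]?[0-9]+/$2=$3/g" "$1"
}

# get_pam_value FILE KEY: prints the value currently set for KEY (empty if absent).
get_pam_value() {
    sed -n -E "s/.*[[:space:]]$2=(-?[0-9]+).*/\1/p" "$1" | head -n 1
}

# apply_policy FILE: rewrite every KEY=VALUE pair listed in POLICY.
apply_policy() {
    for kv in $POLICY; do
        set_pam_value "$1" "${kv%%=*}" "${kv#*=}"
    done
}

# verify_policy FILE: print one line per setting; non-zero exit if any value differs.
verify_policy() {
    rc=0
    for kv in $POLICY; do
        key=${kv%%=*}; want=${kv#*=}; got=$(get_pam_value "$1" "$key")
        if [ "$got" = "$want" ]; then echo "OK   $key=$got"
        else echo "FAIL $key: expected $want, found '${got:-missing}'"; rc=1; fi
    done
    return $rc
}

apply_policy "$PAMFILE"
verify_policy "$PAMFILE"
```

On a node, run the same functions against /etc/pam.d/common-password with sudo and compare the verify output across all platform and collector nodes to confirm the policy is standardized.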

Configure the Local User Account Lockout Policy for the VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

To configure the VMware Aria Operations for Networks account lockout policy for local user accounts, configure these specific policy settings.

This procedure must be completed on each VMware Aria Operations for Networks platform and collector node to maintain a standardized account lockout policy.

Table 3. Default Account Lockout Policy for VMware Aria Operations for Networks Support and Consoleuser Accounts

| Setting | Default | Description |
|---|---|---|
| deny | Not Defined | Maximum number of authentication failures before the account is locked |
| unlock_time | Not Defined | Amount of time in seconds that the account remains locked |

Table 4. Default Account Lockout Policy for VMware Aria Operations for Networks Administrator Account

| Setting | Default | Description |
|---|---|---|
| deny | 5 | Maximum number of authentication failures before the account is locked |
| unlock_time | 15 | Amount of time in minutes that the account remains locked. Each subsequent failed login attempt adds an additional 15 minutes to the lockout duration, with a maximum of one day. |

UI Procedure

  1. Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
  2. In the VMs and templates inventory, expand the management domain vCenter Server and the VMware Aria Operations for Networks virtual machine folder.
  3. Select the VMware Aria Operations for Networks platform node.
  4. On the Summary page, click Launch web console.
  5. Log in to VMware Aria Operations for Networks platform node as the support user.
  6. Set the maximum number of failed attempts and the unlock time for all local accounts.
    sudo sed -i '/pam_deny.so/a auth    required pam_tally2.so onerr=fail deny=<your_value> unlock_time=<your_value>' /etc/pam.d/common-auth
    
  7. Verify the configuration.
    cat /etc/pam.d/common-auth
  8. Restart the SSH service for the new rules to take effect on the system.

    sudo systemctl restart sshd

Manage Passwords for VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

Follow these procedures to change the VMware Aria Operations for Networks platform and collector node passwords.

Create Passwords for VMware Aria Operations for Networks in VMware Aria Suite Lifecycle for Intelligent Network Visibility for VMware Cloud Foundation

To manage the passwords for the VMware Aria Operations for Networks support and consoleuser local accounts in VMware Aria Suite Lifecycle, you must first add the passwords to VMware Aria Suite Lifecycle.

Procedure

  1. Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as vcfadmin@local.
  2. On the My services page, click Locker.
  3. In the navigation pane, click Passwords.
  4. On the Passwords page, click Add.
  5. On the Add Password page, configure the values and click Add.

Update Passwords for VMware Aria Operations for Networks in VMware Aria Suite Lifecycle for Intelligent Network Visibility for VMware Cloud Foundation

Update the VMware Aria Operations for Networks support and consoleuser local user passwords for each platform and collector node in VMware Aria Suite Lifecycle.

Procedure

  1. Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as vcfadmin@local.
  2. On the My services page, click Lifecycle operations.
  3. In the navigation pane, click Environments.
  4. Navigate to the card for the cross-instance environment where VMware Aria Operations for Networks is installed and select View details.

  5. Select the VMware Aria Operations for Networks node you want to update and click Change node password.
  6. In the Change node password dialog box, configure the settings and click Submit.
  7. On the Request details page, monitor the progress until all stages have a Completed status.

Update the Administrator Password for VMware Aria Operations for Networks for Intelligent Network Visibility for VMware Cloud Foundation

Update the VMware Aria Operations for Networks Administrator password in the VMware Aria Operations for Networks UI.

Note:

Do not use the admin@local account to perform these steps.

Procedure

  1. Log in to the VMware Aria Operations for Networks at https://<aria_operations_for_networks_fqdn> with a user assigned to the Administrator role.

  2. In the left pane, navigate to Settings > Identity and access management.
  3. Click the User management tab, locate the Administrator user and click the Edit icon.
  4. In the Edit local user dialog box, click the Reset password checkbox, enter the password, and click Submit.