The password complexity policy for local users of the VMware Aria Operations appliances and the VMware Cloud Proxy appliances determines the password format requirements on the basis of an account-specific set of rules.

Table 1. Password Complexity for VMware Aria Operations

| Setting | Default | Description |
|---|---|---|
| dcredit | -1 | Minimum number of numerical characters required. |
| ucredit | -1 | Minimum number of uppercase characters required. |
| lcredit | -1 | Minimum number of lowercase characters required. |
| ocredit | -1 | Minimum number of special characters required. |
| minlen | 8 | Minimum total number of characters required. |
| minclass | 4 | Minimum number of character classes required (e.g., uppercase, lowercase, numerical, special). |
| difok | 8 | Minimum number of unique characters different from the previous password. |
| retry | 3 | Maximum number of retries allowed. |
| maxrepeat | 0 | Maximum number of sequential characters allowed. |
| remember | 5 | Maximum number of previous passwords remembered. |

UI Procedure

  1. Log in to the primary VMware Aria Operations node by using a Secure Shell (SSH) client at <aria_operations_primary_node_fqdn> as root.
  2. Back up the /etc/security/pwquality.conf file for the appliance.
    cp -p /etc/security/pwquality.conf /etc/security/pwquality.conf-`date +%F_%H:%M:%S`.back
  3. Configure the settings according to the requirements of your organization.
    sed -i -E 's/dcredit = [-]?[0-9]+$/dcredit = <your_value>/g' /etc/security/pwquality.conf
    sed -i -E 's/ucredit = [-]?[0-9]+$/ucredit = <your_value>/g' /etc/security/pwquality.conf
    sed -i -E 's/lcredit = [-]?[0-9]+$/lcredit = <your_value>/g' /etc/security/pwquality.conf
    sed -i -E 's/ocredit = [-]?[0-9]+$/ocredit = <your_value>/g' /etc/security/pwquality.conf
    sed -i -E 's/minlen = [-]?[0-9]+$/minlen = <your_value>/g' /etc/security/pwquality.conf
    sed -i -E 's/minclass = [-]?[0-9]+$/minclass = <your_value>/g' /etc/security/pwquality.conf
    sed -i -E 's/difok = [-]?[0-9]+$/difok = <your_value>/g' /etc/security/pwquality.conf
    sed -i 's/^\s*#*\s*maxrepeat\s*=\s*[0-9]\+/maxrepeat = <your_value>/g' /etc/security/pwquality.conf
    sed -i 's/^\s*#*\s*retry\s*=\s*[0-9]\+/retry = <your_value>/g' /etc/security/pwquality.conf
  4. Back up the /etc/security/pwhistory.conf file for the appliance.

    cp -p /etc/security/pwhistory.conf /etc/security/pwhistory.conf-`date +%F_%H:%M:%S`.back
  5. Enable password history enforcement for the root user and update the remember setting, using values that meet the requirements of your organization.

    sed -i 's/^# enforce_for_root/enforce_for_root/' /etc/security/pwhistory.conf
    sed -i -E 's/remember = [-]?[0-9]+$/remember = <your_value>/g' /etc/security/pwhistory.conf
  6. Verify the values.

    cat /etc/security/pwquality.conf
    cat /etc/security/pwhistory.conf
  7. Repeat the procedure for the remaining VMware Aria Operations appliances and the VMware Cloud Proxy appliances.
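
Step 6 only prints the two files, so a setting that is still commented out is easy to miss. The following added example (not part of the original procedure) reports the effective, uncommented value of each setting; the function names are illustrative and the expected values are assumed to be the Table 1 defaults, so replace them with your organization's values.

```shell
#!/bin/sh
# Added example: audit the effective values after the sed edits in steps 3 and 5.
# The credit-style sed patterns in step 3 do not remove a leading '#',
# so a commented-out line stays inactive even after its value is rewritten.

# effective_value FILE KEY: print the last active "KEY = value", if any
effective_value() {
    awk -F= -v key="$2" '
        /^[ \t]*#/ { next }   # commented lines are not in effect
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { v = $2; gsub(/[ \t]/, "", v); last = v; found = 1 }
        END { if (found) print last }' "$1"
}

# check_setting FILE KEY EXPECTED: return 0 when the effective value matches
check_setting() {
    actual=$(effective_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        printf 'OK    %s = %s\n' "$2" "$actual"
    else
        printf 'FAIL  %s: expected %s, found %s\n' "$2" "$3" "${actual:-<not set>}"
        return 1
    fi
}

# flag_enabled FILE FLAG: return 0 when a bare, uncommented FLAG line exists
flag_enabled() {
    grep -Eq "^[[:space:]]*$2[[:space:]]*\$" "$1"
}

# audit_policy PWQUALITY_CONF PWHISTORY_CONF: return 0 only if all checks pass
audit_policy() {
    rc=0
    # Assumed expected values: the Table 1 defaults
    for pair in dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=8 \
                minclass=4 difok=8 retry=3 maxrepeat=0; do
        check_setting "$1" "${pair%%=*}" "${pair#*=}" || rc=1
    done
    check_setting "$2" remember 5 || rc=1
    if flag_enabled "$2" enforce_for_root; then
        echo "OK    enforce_for_root is active"
    else
        echo "FAIL  enforce_for_root is commented out or missing"
        rc=1
    fi
    return "$rc"
}

# Usage: sh audit.sh /etc/security/pwquality.conf /etc/security/pwhistory.conf
if [ "$#" -eq 2 ]; then audit_policy "$1" "$2"; fi
```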

PowerShell Procedure

  1. Start PowerShell.
  2. Replace the values in the sample code and run the commands.

    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io" 
    $sddcManagerUser = "[email protected]" 
    $sddcManagerPass = "VMw@re1!" 
    
    $minNumerical = "1" 
    $minUppercase = "1" 
    $minLowercase = "1" 
    $minSpecial = "1" 
    $minLength = "15" 
    $minClass = "3" 
    $minUnique = "5" 
    $maxRetry = "3"
    $maxSequence = "1"
    $history = "10" 
  3. To get the current configuration, run the command.

    Request-AriaLocalUserPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrops
  4. To configure the local user password complexity policy, run the command.

    Update-AriaLocalUserPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -product vrops -numerical $minNumerical -uppercase $minUppercase -lowercase $minLowercase -special $minSpecial -minLength $minLength -unique $minUnique -class $minClass -retry $maxRetry -sequence $maxSequence -history $history
  5. Run the command in Step 3 to get the updated configuration.