Password Management Design for VMware Aria Operations for Intelligent Operations Management for VMware Cloud Foundation

To ensure continued access to the VMware Aria Operations cluster nodes and the VMware Cloud Proxy appliances, you must manage the life cycle of the accounts passwords for the VMware Aria Operations appliance and VMware Cloud Proxy appliances.

In VMware Cloud Foundation, SDDC Manager manages the life cycle of critical accounts used by and integrated within the system. SDDC Manager provides the ability to rotate, update, or remediate component passwords. Unlike the password rotation, which generates a randomized password, the password update allows you to provide the password that you want for the particular account.

If a password expires, you must reset the password in the component. After you reset the password, you must remediate the password. Password remediation updates the new password in the SDDC Manager database.

To resolve any errors that might have occurred during password rotation or updates, you must use password remediation. Password remediation synchronizes the password of the component account stored in VMware Aria Operations with the updated password.

Password Policies for VMware Aria Operations

Within VMware Aria Operations, you can enforce password polices for access through the virtual appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the virtual appliance. The password policies apply only to local user accounts.

Password Expiration Policy for VMware Aria Operations

You manage the password expiration policy on a per-user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 1. Default Password Expiration Policy for VMware Aria Operations
Local User	Setting	Default	Description
root	`maxdays`	`365`	Maximum number of days between password change
	`mindays`	`0`	Minimum number of days between password change
	`warndays`	`7`	Number of days of warning before a password expires

Password Complexity Policy for VMware Aria Operations

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 2. Password Complexity for VMware Aria Operations
Setting	Default Value	Description
`dcredit`	`-1`	Maximum number of digits that generate a credit
`ucredit`	`-1`	Maximum number of uppercase characters that generate a credit
`lcredit`	`-1`	Maximum number of lowercase characters that generate a credit
`ocredit`	`-1`	Maximum number of other characters that generate a credit
`minlen`	`8`	Minimum password length (number of characters)
`minclass`	`4`	Minimum number of character types that must be used (for example, uppercase, lowercase, digits, and so on)
`difok`	`4`	Minimum number of characters that must be different from the old password
`retry`	`3`	Maximum number of retries
`maxrepeat`	`0`	Maximum number of identical consecutive characters in the new password
`remember`	`5`	Maximum number of passwords the system remembers

Account Lockout Policy for VMware Aria Operations

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 3. Default Account Lockout Policy for VMware Aria Operations
Setting	Default	Description
`deny`	`3`	Maximum number of authentication failures before the account is locked
`unlock_time`	`0`	Amount of time in seconds that the account remains locked
`root_unlock_time`	`600`	Amount of time in seconds that the root account remains locked

Table 4. Design Decisions on Password Policies for VMware Aria Operations
Decision ID	Design Decision	Design Justification	Design Implication
IOM-VAOPS-SEC-010	Configure the password expiration policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance.	You configure the password expiration policy for the VMware Aria Operationsappliance and VMware Cloud Proxy appliances to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local VMware Aria Operations users.	You can manage the password expiration policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client.
IOM-VAOPS-SEC-011	Configure the password complexity policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance.	You configure the password complexity policy for VMware Aria Operations and VMware Cloud Proxy appliances to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local VMware Aria Operationsusers.	You can manage the password complexity policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client.
IOM-VAOPS-SEC-012	Configure the account lockout policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance.	You configure the account lockout policy for VMware Aria Operations and VMware Cloud Proxy appliances to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local VMware Aria Operations users.	You can manage the account lockout policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client.

VMware Aria Operations Password Management

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system.

For more information, see the Password Management documentation for VMware Cloud Foundation.

Table 5. Design Decision on Password Management for VMware Aria Operations
Decision ID	Design Decision	Design Justification	Design Implication
IOM-VAOPS-SEC-013	Change the VMware Aria Operations and VMware Cloud Proxy appliance root password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API.	By default, the password for the VMware Aria Operations and VMware Cloud Proxy appliance root account expires every 365 days. When VMware Aria Operations is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the root password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle.	By using SDDC Manager, you manage the password change or automated password rotation schedule for the VMware Aria Operations and VMware Cloud Proxy root account in accordance with your organizational policies and regulatory standards.
IOM-VAOPS-SEC-014	Change the VMware Aria Operations admin account password on a recurring or event-initiated schedule by using the SDDC Manager UI or API.	When VMware Aria Operations is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the admin password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle.	You must routinely perform the password change for the admin account by using the SDDC Manager UI or API.