To ensure continued access to the VMware Aria Operations cluster nodes and the VMware Cloud Proxy appliances, you must manage the life cycle of the accounts passwords for the VMware Aria Operations appliance and VMware Cloud Proxy appliances.
In VMware Cloud Foundation, SDDC Manager manages the life cycle of critical accounts used by and integrated within the system. SDDC Manager provides the ability to rotate, update, or remediate component passwords. Unlike the password rotation, which generates a randomized password, the password update allows you to provide the password that you want for the particular account.
If a password expires, you must reset the password in the component. After you reset the password, you must remediate the password. Password remediation updates the new password in the SDDC Manager database.
To resolve any errors that might have occurred during password rotation or updates, you must use password remediation. Password remediation synchronizes the password of the component account stored in VMware Aria Operations with the updated password.
Password Policies for VMware Aria Operations
Within VMware Aria Operations, you can enforce password polices for access through the virtual appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the virtual appliance. The password policies apply only to local user accounts.
Password Expiration Policy for VMware Aria Operations
Local User |
Setting |
Default |
Description |
---|---|---|---|
root |
|
365 |
Maximum number of days between password change |
|
0 |
Minimum number of days between password change |
|
|
7 |
Number of days of warning before a password expires |
Password Complexity Policy for VMware Aria Operations
Setting | Default |
Description |
---|---|---|
|
-1 |
Minimum number of numerical characters required. |
|
-1 |
Minimum number of uppercase characters required. |
|
-1 |
Minimum number of lowercase characters required. |
|
-1 |
Minimum number of special characters required. |
|
8 |
Minimum total number of characters required. |
|
4 |
Minimum number of character classes required (e.g., uppercase, lowercase, numerical, special.) |
|
8 |
Minimum number of unique characters different from the previous password. |
|
3 |
Maximum number of retries allowed. |
|
0 |
Maximum number of sequential characters allowed. |
|
5 |
Maximum number of previous passwords remembered. |
Account Lockout Policy for VMware Aria Operations
Setting |
Default |
Description |
---|---|---|
|
3 |
Maximum number of authentication failures before the account is locked. |
|
0 |
Amount of time in seconds that the account remains locked. |
|
600 |
Amount of time in seconds that the root account remains locked. |
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IOM-VAOPS-SEC-010 |
Configure the password expiration policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance. |
|
You can manage the password expiration policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client. |
IOM-VAOPS-SEC-011 |
Configure the password complexity policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance. |
|
You can manage the password complexity policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client. |
IOM-VAOPS-SEC-012 |
Configure the account lockout policy for the VMware Aria Operations appliance and VMware Cloud Proxy appliance. |
|
You can manage the account lockout policy on the VMware Aria Operations appliance and VMware Cloud Proxy appliance by using the virtual appliance console or a Secure Shell (SSH) client. |
VMware Aria Operations Password Management
Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system.
For more information, see the Password Management documentation for VMware Cloud Foundation.
Decision ID |
Design Decision |
Design Justification |
Design Implication |
---|---|---|---|
IOM-VAOPS-SEC-013 |
Change the VMware Aria Operations and VMware Cloud Proxy appliance root password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API. |
|
By using SDDC Manager, you manage the password change or automated password rotation schedule for the VMware Aria Operations and VMware Cloud Proxy root account in accordance with your organizational policies and regulatory standards. |
IOM-VAOPS-SEC-014 |
Change the VMware Aria Operations admin account password on a recurring or event-initiated schedule by using the SDDC Manager UI or API. |
When VMware Aria Operations is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the admin password is managed from the SDDC Manager user interface or API, not VMware Aria Suite Lifecycle. |
You must routinely perform the password change for the admin account by using the SDDC Manager UI or API. |