Password Management Design for Private Cloud Automation for VMware Cloud Foundation

To ensure continued access to the VMware Aria Automation cluster nodes, you must manage the life cycle of the account passwords for the VMware Aria Automation appliances.

In VMware Cloud Foundation, SDDC Manager manages the life cycle of critical accounts used by and integrated within the system. SDDC Manager provides the ability to rotate, update, or remediate component passwords. Unlike the password rotation, which generates a randomized password, the password update allows you to provide the password that you want for the particular account.

If a password expires, you must reset the password in the component. After you reset the password, you must remediate the password. Password remediation updates the new password in the SDDC Manager database.

To resolve any errors that might have occurred during password rotation or updates, you must use password remediation. Password remediation synchronizes the password of the component account stored in VMware Aria Automation with the updated password.

Password Policies for VMware Aria Automation

Within VMware Aria Automation, you can enforce password polices for access through the virtual appliance console and SSH. You can configure these password policies by using the pluggable authentication module (PAM) that is part of the operating system of the virtual appliance. The password policies apply only to local user accounts.

Password Expiration Policy for VMware Aria Automation

You manage the password expiration policy on a per-user basis. You can modify the configuration for a user to refine the settings and adhere to the policies and regulatory standards of your organization. The default configuration is shown in the following table.

Table 1. Default Password Expiration Policy for VMware Aria Automation
Local User	Setting	Default	Description
root	`maxdays`	`365`	Maximum number of days between password change
	`mindays`	`0`	Minimum number of days between password change
	`warndays`	`7`	Number of days of warning before a password expires

Password Complexity Policy for VMware Aria Automation

You manage the password complexity policy by using the /etc/pam.d/system-password file. You can edit the file and add or modify the configuration to refine the settings. The /etc/pam.d/system-password file does not contain default password complexity settings. You must configure the settings according to the following table, using your values to adhere to the policies of your organization and regulatory standards.

Table 2. Password Complexity Policy for VMware Aria Automation
Setting	Sample Value	Description
`dcredit`	`0`	Maximum number of digits that generate a credit
`ucredit`	`0`	Maximum number of uppercase characters that generate a credit
`lcredit`	`0`	Maximum number of lowercase characters that generate a credit
`ocredit`	`0`	Maximum number of other characters that generate a credit
`minlen`	`8`	Minimum password length (number of characters)
`minclass`	`0`	Minimum number of character types that must be used (for example, uppercase, lowercase, digits, and so on)
`difok`	`1`	Minimum number of characters that must be different from the old password
`retry`	`3`	Maximum number of retries
`maxrepeat`	`0`	Maximum number of times a single character can be repeated
`remember`	`10`	Maximum number of passwords the system remembers

Account Lockout Policy for VMware Aria Automation

You manage the account lockout policy by using the /etc/pam.d/system-auth file. You can edit and modify the configuration to refine the settings and adhere to the policies of your organization and regulatory standards. The default configuration is shown in the following table.

Table 3. Default Account Lockout Policy for VMware Aria Automation
Setting	Default	Description
`deny`	`3`	Maximum number of authentication failures before the account is locked
`unlock_time`	`600`	Amount of time in seconds that the account remains locked
`root_unlock_time`	`600`	Amount of time in seconds that the root account remains locked

Table 4. Design Decisions on Password Policies for VMware Aria Automation
Decision ID	Design Decision	Design Justification	Design Implication
PCA-VAA-SEC-016	Configure the password expiration policy for the VMware Aria Automation appliances.	You configure the password expiration policy for the VMware Aria Automationappliances to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local VMware Aria Automation users.	You can manage the password expiration policy on the VMware Aria Automation appliances by using the virtual appliance console or a Secure Shell (SSH) client.
PCA-VAA-SEC-017	Configure the password complexity policy for the VMware Aria Automation appliances.	You configure the password complexity policy for VMware Aria Automation appliances to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local VMware Aria Automationusers.	You can manage the password complexity policy on the VMware Aria Automation appliances by using the virtual appliance console or a Secure Shell (SSH) client.
PCA-VAA-SEC-018	Configure the account lockout policy for the VMware Aria Automation appliances.	You configure the account lockout policy for VMware Aria Automation appliances to align with the requirements of your organization which might be based on industry compliance standards. The policy is applicable only to the local VMware Aria Automation users.	You can manage the account lockout policy on the VMware Aria Automation appliances by using the virtual appliance console or a Secure Shell (SSH) client.

VMware Aria Automation Password Management

Changing the passwords periodically or when certain events occur, such as an administrator leaving your organization, increases the security posture and health of the system.

For information about the password management for VMware Cloud Foundation, see Password Management.

Table 5. Design Decisions on Password Management for VMware Aria Automation
Decision ID	Design Decision	Design Justification	Design Implication
PCA-VAA-SEC-019	Change the VMware Aria Automationroot password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API.	By default, the password for the VMware Aria Automationroot account expires every 365 days. When VMware Aria Automation is deployed into a VMware Cloud Foundation environment in VMware Aria Suite Lifecycle, the root password is managed from the SDDC Manager user interface or API, not from the vRealize Suite Lifecycle Manager.	By using SDDC Manager, you manage the password change or automate password rotation schedule for the VMware Aria Automationroot account in accordance with your organizational policies and regulatory standards.