As every good administrator knows, from a security point of view, rotating the passwords on all of your infrastructure components on a regular basis is mandatory. VMware Cloud Foundation (VCF) is no exception. VCF consists of many components, such as SDDC Manager, NSX Manager and vCenter Server(s), so changing the passwords of every component by hand would become a lengthy task. Luckily, there is a built-in tool in the SDDC Manager that changes the passwords on all VCF components at once. So, let’s have a look at how to rotate passwords on VCF.
As a best practice, rotating the passwords on VCF should be your day 2 operation right after the bring-up process.
Rotate passwords on VCF
According to the documentation, the passwords of the following accounts will be changed:
- Accounts used for service consoles (i.e. ESXi root account).
- Single sign-on administrator account.
- Default administrative user account used by virtual appliances.
- Cumulus account used by switches running Cumulus Linux (i.e. Management Switch).
- Network admin roles used by switches not running Cumulus Linux.
- Internal database service accounts (i.e. JDBC account).
- SDDC Manager Utility VM.
Note that the tool will NOT change the password of the SDDC Manager. This needs to be done manually. Also, to rotate passwords on VCF, the logged-in user must have Admin privileges.
- Log in to your SDDC Manager with your VCF admin account.
- Navigate to Dashboard -> Settings -> Password Rotation.
- Click Password Rotation button at the bottom of the page and wait for the results.
- Once completed successfully, the passwords are changed on all components listed in the results pane.
The passwords are hidden by default. In order to see them you have to SSH to the SDDC Manager and look them up.
- Once logged in on the SDDC Manager, type: /home/vrack/bin/lookup-passwords
- A list of all passwords will be displayed as depicted below.
If you are looking for one particular password, let’s say the one for the vCenter Server, you can pipe the output through grep to filter the results. For example:
# /home/vrack/bin/lookup-passwords | grep -B 1 -A 7 "vCenter"
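The grep above depends on every entry having the same number of lines around the match. As an added example (not part of the original post and not a VMware tool), the POSIX shell functions below filter lookup-passwords-style output by whole record instead: awk paragraph mode selects each blank-line-separated block whose Entity line matches, however many lines the block has. The record layout is an assumption, and the sample output is constructed for the example; adjust the field names to whatever your SDDC Manager actually prints.

```shell
#!/bin/sh
# Added example, not from the original post. Filters lookup-passwords
# style output by entity. The record layout is ASSUMED (one blank-line
# separated block per credential, fields as "Name: value"); the text in
# SAMPLE_OUTPUT is a CONSTRUCTED stand-in for the real command output.

# Constructed sample standing in for: /home/vrack/bin/lookup-passwords
SAMPLE_OUTPUT='Entity Type: ESXI
Entity Name: esxi-1.example.local
Credential Type: SSH
User Name: root
Password: EXAMPLE-esxi-pw

Entity Type: VCENTER
Entity Name: vcenter-1.example.local
Credential Type: SSO
User Name: administrator@vsphere.local
Password: EXAMPLE-vcenter-pw

Entity Type: NSX_MANAGER
Entity Name: nsx-1.example.local
Credential Type: API
User Name: admin
Password: EXAMPLE-nsx-pw'

# lookup_entry PATTERN
# Reads lookup-passwords output on stdin and prints every complete record
# whose "Entity ..." line contains PATTERN (case-insensitive). awk paragraph
# mode (RS="") treats each blank-line separated block as one record, so the
# match does not depend on a fixed -B/-A line window.
lookup_entry() {
    pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v pat="$pat" '
        BEGIN { RS = ""; FS = "\n"; ORS = "\n\n" }
        {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^Entity/ && index(tolower($i), pat)) { print; break }
        }
    '
}

# get_password PATTERN
# Prints only the Password field of the first matching record (empty output
# when nothing matches), which is what a script usually needs.
get_password() {
    lookup_entry "$1" | awk -F': ' '$1 == "Password" { print $2; exit }'
}

# Stand-alone usage with the constructed sample; on a real SDDC Manager you
# would pipe the tool itself:  /home/vrack/bin/lookup-passwords | lookup_entry vcenter
printf '%s\n' "$SAMPLE_OUTPUT" | lookup_entry vcenter
```

Both functions read from stdin, so the raw credential listing never has to be written to a file to be searched; a pipe from the real command is all that is needed.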
The last password that you should change at this point is the VCF administrator password that is used to log in to the SDDC Manager.