Holodeck: Password Management
Module 3: Password Management
Overview
Passwords are initially set in a Cloud Foundation system as part of the bring-up procedure. Following bring-up, admin staff will typically update these passwords using the password management functionality in VCF. Passwords are also typically updated periodically or when certain events occur, such as when an administrator leaves your organization, reducing the window in which a stale or compromised credential can be misused.
You can change or rotate passwords for the software components deployed by VMware Cloud Foundation. The process of password rotation generates randomized passwords for the selected accounts. You can change passwords for the following entities:
- ESXi
- vCenter Server
- NSX Manager
- NSX Edges
- vRealize Suite
This module consists of the following exercises:
- Using Password Update
- Using Password Rotate
- Using the Password API
Exercise 1: Using Password Update
Password Update is used to set specific user-defined passwords on accounts accessed directly by users.
[Step 1] Enable SSH on host esxi-1
- Open a new tab in the Chrome browser (if necessary)
- Click the Managed bookmarks folder in the bookmark bar then select Mgmt Domain – Mgmt vCenter
- Click Launch vSphere Client if necessary
- Log in as user: administrator@vsphere.local with the password: VMware123!
- Click Login
- In the Hosts and Clusters view, select mgmt-datacenter01 -> mgmt-cluster-01 -> esxi-1
- Select Configure -> Services
- Click the SSH radio button then START
- Monitor progress in the task pane
[Step 2] Change password on host esxi-1
- Click the SDDC Manager tab on the browser, or open a new tab
- Click Security
- Click Password Management
- Select the check box next to root user for esxi-01
- Click the three dots next to root, then choose UPDATE
- Change the password to Cloud4321!, then click UPDATE
- Monitor for completion in the task pane
- Open a PuTTY window and SSH to esxi-1.vcf.sddc.lab
- Click the Accept button to add the host key to the cache
- Log in as user root with the password Cloud4321!
- Successfully logging in validates the password change
Exercise 2: Using Password Rotate
Password rotation is typically used to update accounts used by SDDC Manager for automation operations. These are typically “service” type users.
[Step 1] Login to SDDC Manager
- Open a new tab in the Chrome browser (if necessary)
- Click the Managed bookmarks folder in the bookmark bar then select SDDC Manager
- Log in as user: administrator@vsphere.local with the password: VMware123!
- Click Login
[Step 2] Rotate password
- Select Security -> Passwords
- Select svc-vcf-esxi-1
- Click Rotate Now
- Confirm by clicking Rotate. This will rotate the password to a randomly generated password that will be stored in the SDDC Manager database.
- Monitor task in progress
Exercise 3: Password Lookup with SSH
[Step 1] Enable/Verify SSH on host esxi-1 (if necessary)
- Open a new tab in the Chrome browser (if necessary)
- Click the Managed bookmarks folder in the bookmark bar then select Mgmt Domain – Mgmt vCenter
- Log in as user: administrator@vsphere.local with the password: VMware123!
- Click Login
- In the Hosts and Clusters view, select mgmt-datacenter01 -> mgmt-cluster-01 -> esxi-1
- Select Configure
- Select System>Services
- Verify SSH is running. If not, click the radio button for SSH and then Start
[Step 2] Lookup password for esxi-1
- Open a PuTTY window
- Connect to sddc-manager.vcf.sddc.lab (or 10.0.0.4)
- Accept the PuTTY security warning
- Log in as user vcf with the password VMware123!
- Enter the command lookup_passwords
- Enter ESXi
- Press Enter for page number to bypass
- Press Enter for page size to accept default
- Enter the user name administrator@vsphere.local and the password VMware123!
- Review the results (scroll back up)
- Notice the password you set earlier
Exercise 4: Password lookup using API
[Step 1] Login to SDDC Manager
- Open a new tab in the Chrome browser (if necessary)
- Click the Managed bookmarks folder in the bookmark bar then select SDDC Manager
- Log in as user: administrator@vsphere.local with the password: VMware123!
- Click Login
[Step 2] Lookup password
- On the left navigation click Developer Center
- Click API Explorer
- Expand APIs for managing Credentials
- Expand GET /v1/credentials
- Type esxi-1.vcf.sddc.lab in the resourceName field
- Scroll to bottom and hit EXECUTE
- Click on PageOfCredentials
- Click on the Credential (GUID) lines to expand the User and Service account information (The order of user and service credentials may vary, so open both)
- User account example
- Service account example