VCF ON VXRAIL – NSX-T PASSWORD MANAGEMENT

By default, NSX-T local user passwords (NSX-T Manager: root and admin; NSX-T Edge: root, admin and audit) expire after 90 days. In a VCF on VxRail environment it is good practice to rotate these passwords every 80 days so that none of them is ever allowed to expire: once a password has expired, SDDC Manager can no longer log in to rotate it and the account has to be reset on the component itself (see section 2 below).

NSX-T Manager posts warnings once a password is within 30 days of expiring:

[Screenshots: NSX-T Manager <30 days password expiry notification; NSX Manager local accounts 'admin' and 'root'; NSX-T Edge user accounts expiry warning]
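Rather than waiting for the <30 day banner, the expiry state of every local account can be checked from the NSX-T node API. The script below is an added example written for this post; it is not VMware tooling and not part of the original article. It parses the JSON returned by GET /api/v1/node/users on a Manager or Edge node (password_change_frequency is the maximum password age in days, 0 meaning expiry is disabled; last_password_change is the number of days since the last change) and flags accounts that are expired, already inside NSX-T's 30-day warning window, or past the 80-day rotation point recommended above. The per-node payloads are constructed sample data, and the hostnames and user IDs are assumptions.

```python
"""Report NSX-T local-account password expiry against the 80-day rotation target.

Added example for this post, not VMware tooling. Input is the JSON that the NSX-T
node API returns from GET /api/v1/node/users.
"""
import base64
import json
import urllib.request
from typing import Dict, List, Optional

ROTATE_EVERY_DAYS = 80   # rotation cadence recommended for VCF on VxRail
WARN_DAYS = 30           # NSX-T starts posting expiry warnings below this

# Constructed sample payloads (not captured from a real deployment), one per node,
# in the shape of GET /api/v1/node/users. Hostnames and userids are assumptions.
SAMPLE_NODE_USERS: Dict[str, str] = {
    "nsx-mgr-01": json.dumps({"results": [
        {"userid": 0, "username": "root", "password_change_frequency": 90,
         "last_password_change": 85, "status": "ACTIVE"},
        {"userid": 10000, "username": "admin", "password_change_frequency": 90,
         "last_password_change": 12, "status": "ACTIVE"},
    ]}),
    "nsx-edge-01": json.dumps({"results": [
        {"userid": 0, "username": "root", "password_change_frequency": 0,
         "last_password_change": 400, "status": "ACTIVE"},
        {"userid": 10000, "username": "admin", "password_change_frequency": 90,
         "last_password_change": 95, "status": "PASSWORD_EXPIRED"},
        {"userid": 10002, "username": "audit", "password_change_frequency": 90,
         "last_password_change": 65, "status": "ACTIVE"},
    ]}),
}


def classify(user: dict) -> dict:
    """Turn one node-user record into a finding with a state."""
    max_age = user["password_change_frequency"]
    age = user["last_password_change"]
    remaining: Optional[int] = None
    if max_age == 0:
        # Expiry was disabled ('clear user <name> password-expiration'); report it,
        # because the account no longer forces any rotation.
        state = "NEVER_EXPIRES"
    else:
        remaining = max_age - age
        if remaining <= 0:
            state = "EXPIRED"       # SDDC Manager rotation will fail: reset on node, then Remediate
        elif age >= ROTATE_EVERY_DAYS:
            state = "ROTATE_NOW"    # past the 80-day cadence: rotate via SDDC Manager
        elif remaining < WARN_DAYS:
            state = "WARNING"       # NSX-T is already showing the <30 day banner
        else:
            state = "OK"
    return {"username": user["username"], "age_days": age, "max_age_days": max_age,
            "remaining_days": remaining, "state": state}


def check_nodes(node_payloads: Dict[str, str]) -> List[dict]:
    """Classify every local account on every node; payloads are raw JSON strings."""
    findings = []
    for node, payload in node_payloads.items():
        for user in json.loads(payload)["results"]:
            finding = classify(user)
            finding["node"] = node
            findings.append(finding)
    return findings


def needs_action(findings: List[dict]) -> List[dict]:
    """Everything that is not plain OK, worst first."""
    order = {"EXPIRED": 0, "ROTATE_NOW": 1, "WARNING": 2, "NEVER_EXPIRES": 3}
    return sorted((f for f in findings if f["state"] != "OK"),
                  key=lambda f: order[f["state"]])


def fetch_node_users(host: str, username: str, password: str) -> str:
    """Live variant (not called in this example): GET /api/v1/node/users with
    HTTP basic auth. The node's certificate must be trusted by the local CA store."""
    req = urllib.request.Request(f"https://{host}/api/v1/node/users")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    for f in needs_action(check_nodes(SAMPLE_NODE_USERS)):
        print(f"{f['node']:12} {f['username']:6} {f['state']:14} "
              f"age={f['age_days']}d max={f['max_age_days']}d remaining={f['remaining_days']}")
```

Run against live nodes by replacing the sample dictionary with fetch_node_users() output per Manager and Edge. The ordering in needs_action() mirrors the workflow in this post: expired accounts must be reset on the component and remediated first, accounts past 80 days are rotated through SDDC Manager, and accounts with expiry disabled are worth reviewing because the 90-day control no longer applies to them.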

There are several ways to manage the NSX-T local account passwords, but SDDC Manager should be the preferred one. SDDC Manager stores these credentials in its database and uses them in dependent workflows such as LCM, so a password changed anywhere else leaves that database stale and those workflows failing. If you do have to reset a password on the component itself (for example because it has already expired), you must then run the 'Remediate' workflow in SDDC Manager to update the SDDC database with the password you set natively on the component.

1. SDDC Manager

From the navigation pane, select Administration > Security > Password Management. Select NSX-T Manager/Edge from the drop down list and select the users you wish to update:

NSX-T Manager users: admin & root
NSX-T Edge users: root, admin & audit

If you selected the 'Rotate' option, SDDC Manager generates the new passwords itself. To view them, SSH to the SDDC Manager VM as the vcf user and run /usr/bin/lookup_passwords, which prints the stored credentials list. The output contains the passwords in clear text, so treat the session and any copy of it accordingly.

2. NSX-T VM Console

This method should only be used when the password(s) have already expired, since SDDC Manager can no longer log in to rotate them. Log in to the NSX-T Manager or Edge console and run: set user <username> password

You may also choose to set an expiration window (in days):

set user <username> password-expiration <number of days>

Or disable password expiration altogether (this removes the 90-day control for that account entirely, so record it if you do):

clear user <username> password-expiration

After updating the user password(s) natively on the NSX-T Manager/Edge console, run the SDDC Manager 'Remediate' workflow (Administration > Security > Password Management) so that the SDDC database holds the new password(s):
