By default NSX-T user passwords (NSX-T Manager: root & admin | NSX-T Edge: root, admin & audit) expire after 90 days. In a VCF On VxRail environment it is good practice to rotate passwords every 80 days to proactively prevent any passwords from expiring.
NSX-T Manager posts warnings once a password is <30 days from expiring:
While there are various ways to manage passwords for NSX-T user accounts, SDDC Manager should be the preferred method. The reason is that SDDC Manager stores these user passwords in a database, which is in turn used by associated SDDC workflows such as LCM. If for some reason (for example, the password has already expired) you need to reset the password on the component itself, you will then need to use the ‘Remediate’ workflow in SDDC Manager to update the SDDC database with the new password set natively on the component.
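The choice described above (rotate through SDDC Manager while the password is still valid; reset on the console and run ‘Remediate’ only once it has expired) can be expressed as a small triage over an account inventory. This is an added Python example, not part of the original post or of any VMware/Dell tooling: the Account record, the action labels and the sample dates are constructed for illustration, while the 90, 80 and 30 day values are the ones stated on this page.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

DEFAULT_EXPIRY_DAYS = 90   # NSX-T default stated on this page
ROTATE_AT_DAYS = 80        # rotation interval recommended on this page
WARN_REMAINING_DAYS = 30   # NSX-T Manager warns below this many days left

# Action labels, most urgent first (names are this example's own).
ACTIONS = ["RESET_ON_CONSOLE_THEN_REMEDIATE", "ROTATE_VIA_SDDC_MANAGER",
           "WARNING_WINDOW", "EXPIRATION_DISABLED", "OK"]

@dataclass
class Account:  # hypothetical inventory record, not an NSX-T or SDDC Manager type
    component: str
    username: str
    last_changed: date
    expiry_days: Optional[int] = DEFAULT_EXPIRY_DAYS  # None: expiration was cleared

def triage(acct: Account, today: date) -> Tuple[str, Optional[int]]:
    """Return (action, days_remaining) for one account."""
    if acct.expiry_days is None:
        return "EXPIRATION_DISABLED", None      # never expires: flag for review
    age = (today - acct.last_changed).days
    remaining = acct.expiry_days - age
    if remaining <= 0:                          # assumption: expired at day N
        return "RESET_ON_CONSOLE_THEN_REMEDIATE", remaining
    if age >= ROTATE_AT_DAYS:
        return "ROTATE_VIA_SDDC_MANAGER", remaining
    if remaining < WARN_REMAINING_DAYS:
        return "WARNING_WINDOW", remaining
    return "OK", remaining

def plan(accounts: List[Account], today: date):
    """Triage every account and sort the result by urgency."""
    rows = [(a.component, a.username) + triage(a, today) for a in accounts]
    return sorted(rows, key=lambda r: ACTIONS.index(r[2]))

# Constructed sample inventory: the five accounts this page names, made-up dates.
TODAY = date(2024, 6, 30)
INVENTORY = [
    Account("manager", "root", date(2024, 6, 1)),
    Account("manager", "admin", date(2024, 4, 20)),
    Account("edge", "root", date(2024, 4, 5)),
    Account("edge", "admin", date(2024, 3, 1)),
    Account("edge", "audit", date(2023, 1, 1), expiry_days=None),
]

if __name__ == "__main__":
    for row in plan(INVENTORY, TODAY):
        print(*row)
```

Accounts whose expiration has been cleared never reach the warning or rotation thresholds, so the example reports them separately for review.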
1. SDDC Manager
From the navigation pane, select Administration > Security > Password Management. Select NSX-T Manager/Edge from the drop-down list and select the users you wish to update:
If you selected the ‘Rotate’ option then you can view the newly generated passwords by connecting via SSH to the SDDC Manager VM using the vcf user account and obtain the account credentials list by typing the command
2. NSX-T VM Console
This method should only be used if the password(s) have already expired. To update the password, run the command:
set user <username> password
You may also choose to set an expiration time window:
set user <username> password-expiration <number of days>
Or disable password expiration altogether:
clear user <username> password-expiration
After updating the user password(s) natively on the NSX-T Manager/Edge console, execute the SDDC Manager ‘Remediate’ workflow to update the SDDC database with the new password(s):