Remediating passwords updated outside of VMware Aria Suite Lifecycle
Article ID: 302049

Products

VMware

Issue/Introduction

This article provides the steps to remediate a password that was updated outside of VMware Aria Suite Lifecycle. It is part of a group of articles about managing passwords using VMware Aria Suite Lifecycle: "Password management with VMware Aria Suite Lifecycle (vRealize Suite Lifecycle Manager) Locker".

The passwords managed by Locker may need to be updated outside of VMware Aria Suite Lifecycle for the following reasons:

In these situations, follow the steps described in this article to add the new password to Locker and to update the product environment information using Lifecycle Operations.

Note: When VMware Aria Suite Lifecycle is deployed in VCF mode, the passwords are managed by the SDDC Manager password rotation tool. If there are problems with the password rotation tool or with remediating passwords on SDDC Manager, file a Service Request with the VMware Cloud Foundation team.

The password remediation process involves two VMware Aria Suite Lifecycle applications, Locker and Lifecycle Operations:
  • Locker: stores the new password in the VMware Aria Suite Lifecycle database and shows whether the password is in use by a product.
  • Lifecycle Operations: provides the inventory sync. Because the stored password no longer matches, the sync request fails once for each credential that changed; each time it fails, select RETRY and choose the new Locker password.
The flow of actions required is the following:
[Diagram: flow of the remediation actions]
Note: The inventory sync (step 4 in the diagram) fails once per service account to be validated, multiplied by the number of nodes. In the case of a cluster, each failure is presented for a different node and user name combination.

Note: Some screenshots in this article are from vRealize Suite Lifecycle Manager 8.10, so the old branding is present.

Resolution

Prerequisites

  1. Validate that the password is valid in the respective appliance/UI.
  2. For root and sshuser (vIDM only), check whether there are failed login attempts.
  3. Validate that the password is not expired or about to expire.
  4. If required, reset the failed login attempt counter:
     pam_tally2 --user=root --reset
     pam_tally2 --user=sshuser --reset

Solution

  1. Run the following command to keep the SSH session to the appliance(s) active and to monitor failed login attempts. This helps if the password typed into Locker is wrong, because the failure shows up immediately:
     watch -n 1 "pam_tally2 --user=root"
  2. In VMware Aria Suite Lifecycle navigate to Locker > Passwords > Add.
  3. Add the password considering:
     1. Password Alias and Password are mandatory fields; for Datacenter passwords the User Name is also mandatory. Then click ADD.
     2. Password Description is optional.
  4. In this example, the new vIDM sshuser and root passwords are added. Locker shows them as not in use, because they have not yet been applied to a product through the Lifecycle Operations application.
  5. Navigate to Lifecycle Operations > Environment and click VIEW DETAILS for the product of interest.
  6. Trigger an inventory sync.
  7. Because the password was updated outside of VMware Aria Suite Lifecycle, the request fails. The number of failures is the number of nodes multiplied by the number of passwords being updated, for example:
     • On a vIDM cluster (3 nodes), if only the root password was updated, the inventory sync fails 3 times.
     • On a vIDM cluster, if the root and sshuser passwords were updated, the inventory sync fails 6 times.
     • On a single-node vIDM, if the sshuser and root passwords were updated, the inventory sync fails 2 times.
  8. Each time the request fails, note the user name and node reported in the error; each node and user name combination should fail only once.
  9. Click RETRY.
  10. Select the new Locker Password Alias and click SUBMIT.
  11. Repeat steps 9 and 10 until the expected number of failures from step 7 has been handled.
  12. The inventory sync completes.
  13. Results: the new Locker Password Alias is in use, and the product environment page shows the new Locker Password Alias.
  14. Check the appliance(s) for failed login attempts and reset the counter if required (repeat for sshuser on vIDM):
     pam_tally2 --user=root
     pam_tally2 --user=root --reset
  15. Delete the old password in Locker by selecting the vertical ellipsis in the last column of the Passwords table.
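The pre-check and reset of the failed-login counters from the prerequisites, the monitoring loop from step 1 and the expected failure count from step 7, as an added POSIX shell example. This script is not part of this KB article or of VMware's tooling. It assumes the appliance provides pam_tally2, as the article does; the faillock branch is an assumption for appliances whose PAM build no longer ships pam_tally2. The pam_tally2 output embedded in the script is constructed, not captured from a real appliance.

```shell
#!/bin/sh
# Added example (not from KB 302049): pre-check, reset and monitoring of the PAM
# failed-login counters for the accounts Locker validates over SSH (root, and
# sshuser on vIDM), plus the expected inventory-sync failure count from step 7.
# Assumption: the appliance provides pam_tally2, as the KB does. The faillock
# branch is an assumed fallback for PAM builds that no longer ship pam_tally2.

# Constructed sample of pam_tally2 output (not captured from a real appliance).
SAMPLE_TALLY_OUTPUT='Login           Failures Latest failure     From
root                3    03/21/24 12:00:00  10.10.10.5'

# Print the failure count for the single user listed in pam_tally2 output.
# Takes the raw output as $1 so it can be exercised without PAM present.
# The first line is the column header; the count is the second field of the
# first data row. Prints nothing when there is no data row.
tally_failures() {
    printf '%s\n' "$1" | awk 'NR > 1 && NF >= 2 { print $2; exit }'
}

# Inventory-sync failures to expect (KB step 7): one failure per node for each
# account whose password changed. 3-node vIDM cluster, root only -> 3;
# root and sshuser -> 6; single node, two accounts -> 2.
expected_sync_failures() {
    echo $(( $1 * $2 ))
}

# Current failure count for a real account, using whichever tool exists.
# Returns 1 (and prints nothing) when no PAM tally tool is available.
current_failures() {
    if command -v pam_tally2 >/dev/null 2>&1; then
        tally_failures "$(pam_tally2 --user="$1")"
    elif command -v faillock >/dev/null 2>&1; then
        # Assumed faillock layout: "user:" line, column header, one line per failure.
        faillock --user "$1" | awk 'NR > 2 && NF > 0 { n++ } END { print n + 0 }'
    else
        echo "no PAM tally tool found (pam_tally2/faillock)" >&2
        return 1
    fi
}

# Reset the counter for one account, but only when it is above zero, so the
# output keeps a record of which accounts had actually accumulated failures.
reset_if_failed() {
    user=$1
    count=$(current_failures "$user") || return 1
    if [ "${count:-0}" -gt 0 ]; then
        echo "$user: $count failed logins, resetting" >&2
        if command -v pam_tally2 >/dev/null 2>&1; then
            pam_tally2 --user="$user" --reset
        else
            faillock --user "$user" --reset
        fi
    else
        echo "$user: no failed logins" >&2
    fi
}

# Poll once per second while the Locker retries run (same purpose as the KB's
# watch -n 1 "pam_tally2 --user=root"), warning as soon as a failure appears.
monitor_failures() {
    while :; do
        count=$(current_failures "$1") || return 1
        [ "${count:-0}" -gt 0 ] && echo "WARNING: $1 has $count failed logins" >&2
        sleep 1
    done
}

# Usage:
#   sh pam_precheck.sh reset          reset counters for root and sshuser
#   sh pam_precheck.sh watch [user]   monitor an account (Ctrl-C to stop)
#   sh pam_precheck.sh demo           parse the constructed sample offline
case "${1:-}" in
    reset) for u in root sshuser; do reset_if_failed "$u"; done ;;
    watch) monitor_failures "${2:-root}" ;;
    demo)  echo "sample failure count: $(tally_failures "$SAMPLE_TALLY_OUTPUT")"
           echo "3-node cluster, root+sshuser: $(expected_sync_failures 3 2) sync failures" ;;
esac
```

Run `sh pam_precheck.sh reset` on every node before triggering the inventory sync, and `sh pam_precheck.sh watch root` in a second session while clicking RETRY, so a mistyped Locker password is noticed before the account locks. The reset is deliberately skipped when the counter is already zero; a counter that is non-zero before any Locker retry has happened points at something other than this procedure.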

Additional Information

Changing password KBs

Product                                                   User / Password               KB Link
--------------------------------------------------------  ----------------------------  -------------------
VMware Aria Automation, VMware Aria Automation Config,     root
VMware Aria Automation Orchestrator
VMware Aria Operations                                    root, admin                   KB 92255
VMware Aria Operations for Logs                           root, admin
VMware Aria Operations for Networks                       admin, support, console user
Aria Suite Lifecycle appliance                            root, admin@local             Step 5 on KB 92245
Workspace ONE Access                                      root, admin, admin (8443)