This article provides the steps to remediate a password that was updated outside of VMware Aria Suite Lifecycle. It is part of a group of articles about managing passwords using VMware Aria Suite Lifecycle: Password management with VMware Aria Suite Lifecycle (vRealize Suite Lifecycle Manager) Locker

The passwords managed by Locker may need to be updated outside of VMware Aria Suite Lifecycle for the following reasons:

• The active password is not available.
• The user has forgotten the password.
• The password stored in Locker is not valid.
  • To validate the password stored in Locker follow Validating what passwords are being used per VMware Aria Suite Product in VMware Aria Suite Lifecycle 

In these situations, it is required to follow the steps described in this article in order to add the new password on Locker and to update the Product Environment information using Lifecycle Operations. 

Note: On VCF mode VMware Aria Suite Lifecycle, the passwords are managed by the SDDC manager rotation tool. Therefore:

• It is suggested to follow the Rotate passwords – VMware Cloud Foundation Administration Guide. This document indicates what passwords are managed by SDDC manager.
• If the passwords managed by the SDDC password rotation tool were updated outside of SDDC or this article was followed, it is needed to remediate them following Remediate Passwords – VMware Cloud Foundation Administration Guide

In case of issues problems with the Password Rotation tool or remediating passwords on SDDC Manager, please file a Service Request with the VMware vCloud Foundation team.

The password remediation process the Locker and Lifecycle Operations Applications are involved.

• Locker: creates the password in VMware Aria Suite Lifecycle database and confirms if the password is being used.
• Lifecycle Operations: provides the option to sync the inventory, during the inventory sync the request will fail, each it fails is required to select RETRY and select the new password.

The flow of actions required is the following:

Note: Step 4. The number of failures will depend on the number of service accounts to be validated times the number of nodes. In the case of a cluster, the error will preset each time for a different password.

Note: Some screenshots of this article are from vRealize Suite Lifecycle Manager 8.10, therefore, the old branding will be present. 

Prerequisites

• For instructions on resetting the password following the respective product VMware documentation see below:
  • How do I reset the root password for VMware Aria Automation 
  • How to reset and unlock the local admin account in vRealize Log Insight (87642) 
  • How to Reset the Admin Password in VMware Aria Operations (2078313) 
  • How to Reset the Root Password in VMware Aria Operations (2001476) 
  • How to reset the root password in vRealize Log Insight (53649)
• Reset login failure attempts:​​

pam_tally2 –user=root --reset
pam_tally2 –user=sshuser --reset

 Solution

1. Validate the password is valid in respective the appliance/UI.
   
2. For root and sshuser (vIDM only) validate if there are login attempt failures.
3. Validate that the password is not expired or about to expire.

4. If required restart the number of login attempt failures.

   pam_tally2 -–user=root --reset
   pam_tally2 -–user=sshuser --reset

5. Run the following command to keep the SSH session active in the appliance(s) and monitor the login attempt failures, this will be helpful in case there is an error when the password in Locker is typed.

   watch -n 1 "pam_tally2 –user=root"

6. In VMware Aria Suite Lifecycle navigate to Locker > Passwords > Add.
7. Add the password considering:
   1. The Password Alias and Password are mandatories fields, for Datacenter passwords the User Name is mandatory, then click on ADD
   2. The Password Description is optional.
8. As an example, vIDM sshuser and root are added. The passwords are not in use, since they have not been applied to a Product using the Lifecycle Operations application.
9. Navigate to Lifecycle Operations > Environment, and click on VIEW DETAILS for the product of interest.
10. Trigger an inventory sync.
11. Since the password is updated outside of VMware Aria Suite Lifecycle the request will fail. The number of failures will depend on the number of nodes and number of passwords being updated, for example:

• On vIDM Cluster if only the root password was updated the inventory Sync will fail 3 times.
• On vIDM cluster if the root and sshuser passwords were updated the inventory sync will fail 6 times.
• On vIDM one node, if the sshuser and root passwords were updated the inventory sync will fail 2 times.

12. Each time it fails monitor the username and node that is failing, it should fail only one time per node-username:
13. Click on RETRY
14. Select the new Locker Password Alias, and then click on SUBMIT
15. Repeat steps 10 and 11 as required based on the expected number of failures as explained in step 10.
16. The inventory Sync will now complete. 
17. Results: the new Locker Password Alias should be in use, and the Product environment page should show the new Locker Password Alias.
18. Validate if there are login failure attempts in the appliance(s) and restart them if required

    pam_tally2 -–user=root
    pam_tally2 -–user=root --reset

19. Delete the old password in Locker, by selecting the vertical ellipsis ⋮ in the last column

Main article

• Password management with VMware Aria Suite Lifecycle (vRealize Suite Lifecycle Manager) Locker 

Child articles

• Viewing passwords stored in VMware Aria Suite Lifecycle (vRealize Suite Lifecycle Manager) Locker 

• ​​Validating what passwords are being used per VMware Aria Suite Product in VMware Aria Suite Lifecycle ​​

• Remediating passwords updated outside of VMware Aria Suite Lifecycle

• Resetting the root password in VMware Aria Suite Lifecycle (vRealize Suite Lifecycle Manager)

• Resetting the admin@local password in VMware Aria Suite Lifecycle (vRealize Suite Lifecycle Manager)

Changing password KBs