Removal of clear-text password from the VCF sddc-manager.vmx file
Article ID: 312175

Products

VMware Cloud Foundation

Issue/Introduction

This article describes how to remove the clear-text passwords from the sddc-manager.vmx file as a security hardening measure. If passwords are rotated regularly, the clear-text values listed in the file become obsolete; it is still good practice not to leave clear-text passwords anywhere on the file system.

Symptoms:
Deployment passwords might be listed in clear text inside the sddc-manager.vmx file.

Environment

VMware Cloud Foundation 2.0.x
VMware Cloud Foundation 4.4.1
VMware Cloud Foundation 3.0.x
VMware Cloud Foundation 4.0.x

Cause

When the SDDC Manager appliance is deployed, the initial passwords are passed to ovftool as OVF properties, and ovftool stores those properties in the appliance's vmx file (the guestinfo.ovfEnv entry).
The SDDC Manager does not need those passwords after the first boot of the appliance.

Resolution

Currently there is no resolution.

Workaround:

The passwords can be removed from the vmx file because they are no longer required after the first boot of the appliance. To do so, follow these steps:

  1. Shut down the SDDC Manager VM. The vmx file must not be edited while the VM is powered on.

  2. Via SSH, log in to one of the ESXi hosts in the Management Cluster that can access the datastore holding the SDDC Manager VM. A good candidate is the host on which SDDC Manager was running before it was shut down.
    Note: SSH might need to be enabled on the host first.

  3. Locate the sddc-manager.vmx file. It should be in a location like this:
    /vmfs/volumes/<vsan-datastore-name>/sddc-manager/sddc-manager.vmx

  4. Make a backup copy of the sddc-manager.vmx file:
    cp /vmfs/volumes/<vsan-datastore-name>/sddc-manager/sddc-manager.vmx /vmfs/volumes/<vsan-datastore-name>/sddc-manager/sddc-manager.vmx.bak

  5. Using vi, edit sddc-manager.vmx and remove the guestinfo.ovfEnv property. The vmx format escapes double quotes as |22 and newlines as |0A, so the whole property is one long line that looks similar to the following:

    guestinfo.ovfEnv = "<?xml version=|221.0|22 encoding=|22UTF-8|22?>|0A<Environment|0A
    ...
    |0A</Environment>|0A"

  6. Save the file and exit vi. Confirm that no line starting with guestinfo.ovfEnv remains in the file and that no other lines were changed.

  7. Power on the SDDC Manager VM again and confirm that it boots and is reachable.

  8. Once SDDC Manager is working normally, delete the backup copy (sddc-manager.vmx.bak): it still contains the same clear-text passwords that were just removed from the vmx file.

  9. Log out from the ESXi host and disable SSH again if it was enabled in step 2.
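The following script is an added example and is not part of the VMware article: it performs steps 4 to 6 above (backup, removal of the guestinfo.ovfEnv line, verification) in BusyBox-compatible sh so that the edit can be done without an interactive vi session. It assumes the SDDC Manager VM is already powered off and that it is run on the ESXi host; the datastore path is a placeholder, and the sample vmx written by make_sample_vmx is constructed for demonstration only and contains no real password.

```shell
#!/bin/sh
# Added example (not VMware's code). Run on the ESXi host with the VM powered off.
# Usage: strip_ovfenv /vmfs/volumes/<vsan-datastore-name>/sddc-manager/sddc-manager.vmx

# strip_ovfenv <vmx-file>
#   Copies <vmx-file> to <vmx-file>.bak, rewrites <vmx-file> without any line whose
#   key is guestinfo.ovfEnv (the OVF environment XML that carries the deployment
#   passwords), and verifies that exactly those lines, and nothing else, were dropped.
#   Return codes: 0 = removed or nothing to remove, 1 = verification failed, 2 = bad input.
strip_ovfenv() {
    vmx=$1
    [ -f "$vmx" ] || { echo "strip_ovfenv: $vmx not found" >&2; return 2; }

    key_re='^guestinfo\.ovfEnv[[:space:]]*='
    # grep -c exits non-zero when the count is 0; "|| true" keeps set -e callers happy.
    before=$(grep -c "$key_re" "$vmx" || true)
    if [ "$before" -eq 0 ]; then
        echo "strip_ovfenv: no guestinfo.ovfEnv in $vmx, nothing to do"
        return 0
    fi

    cp "$vmx" "$vmx.bak" || return 2
    total=$(wc -l < "$vmx")
    # Write the filtered copy to a temp file first, then replace atomically with mv.
    grep -v "$key_re" "$vmx" > "$vmx.tmp" || true
    mv "$vmx.tmp" "$vmx" || return 2

    # Verification: the key is gone, and the line count dropped by exactly the
    # number of ovfEnv lines found, so no other vmx entry was touched.
    after=$(grep -c "$key_re" "$vmx" || true)
    remaining=$(wc -l < "$vmx")
    if [ "$after" -ne 0 ] || [ $((total - remaining)) -ne "$before" ]; then
        echo "strip_ovfenv: verification failed, restore from $vmx.bak" >&2
        return 1
    fi
    echo "strip_ovfenv: removed $before guestinfo.ovfEnv line(s) from $vmx (backup: $vmx.bak)"
    return 0
}

# vmx_has_ovfenv <vmx-file>: succeeds if a guestinfo.ovfEnv line is still present.
# Use it as the final check before powering the VM back on.
vmx_has_ovfenv() {
    grep -q '^guestinfo\.ovfEnv[[:space:]]*=' "$1"
}

# make_sample_vmx <path>: writes a constructed, fake vmx for testing the script.
# The ovfEnv value uses the escaped form ESXi writes (|22 for ", |0A for newline);
# the property name and value inside it are placeholders, not real SDDC Manager keys.
make_sample_vmx() {
    cat > "$1" <<'EOF'
.encoding = "UTF-8"
config.version = "8"
virtualHW.version = "15"
displayName = "sddc-manager"
guestinfo.ovfEnv = "<?xml version=|221.0|22 encoding=|22UTF-8|22?>|0A<Environment>|0A<PropertySection>|0A<Property oe:key=|22example.password|22 oe:value=|22EXAMPLE-ONLY|22/>|0A</PropertySection>|0A</Environment>|0A"
ethernet0.present = "TRUE"
EOF
}

# When run directly with a path argument, process that file.
[ $# -gt 0 ] && strip_ovfenv "$1"
```

The function is idempotent: running it a second time finds no guestinfo.ovfEnv line and returns 0 without creating a new backup, so it cannot overwrite the .bak with an already-cleaned copy. Remember that the backup still holds the clear-text passwords and must be deleted once the VM has been verified to start normally.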