Steps to recover passwords in SDDC Manager using local accounts when all certificates are expired and VC is not accessible.
Article ID: 316096

Products

VMware Cloud Foundation VMware SDDC Manager

Issue/Introduction

  • These steps apply only when the local account has not yet been set up and the user cannot generate a token with the regular SSO credentials. For all other use cases, refer to the official VMware Cloud Foundation documentation.
  • There is no option to retrieve the SSO password when the vCenter certificates are expired or in similar situations.


Environment

VMware Cloud Foundation 4.x

VMware Cloud Foundation 5.x

Cause

Because the vCenter certificates are expired, lookup_password does not work: it fails internally while creating the token, so customers cannot use the public API to retrieve credentials.

Resolution

The following steps apply only when the local account has not yet been set up and the user cannot generate a token with the regular SSO credentials. For all other use cases, refer to the official VMware Cloud Foundation documentation.

  1. SSH to SDDC Manager with the vcf credentials, switch to the root account, and run the commands below
    mkdir -p /etc/security/local
    chown root:vcf_services /etc/security/local
    chmod 650 /etc/security/local
    echo -n "" > /etc/security/local/.localuserpasswd
    chown root:vcf_services /etc/security/local/.localuserpasswd
    chmod 660 /etc/security/local/.localuserpasswd
    
    # Set the password
    echo -n "ChangeP@ssw0rd" | openssl dgst -sha512 -binary | openssl enc -base64 | tr -d '\n' > /etc/security/local/.localuserpasswd
  2. Once the local account is set up, generate the token using the local account (use the same password as set in Step #1).
    TOKEN=$(curl -d '{"username" : "admin@local", "password" : "ChangeP@ssw0rd"}' -H "Content-Type: application/json" -X POST https://<sddc_fqdn>/v1/tokens -k | jq -r '.accessToken')

    Sample output

    root@sddc-manager [ ~ ]# TOKEN=$(curl -d '{"username" : "admin@local", "password" : "ChangeP@ssw0rd"}' -H "Content-Type: application/json" -X POST https://<Sddc_fqdn>/v1/tokens -k | jq -r '.accessToken')
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100  1834    0  1775  100    59   8414    279 --:--:-- --:--:-- --:--:--  8733


  3. Confirm that the token was generated

    echo $TOKEN
  4. Retrieve passwords

    # Straight quotes are required; -k is needed here as well because all certificates are expired
    curl -k https://sddc-manager.example.com/v1/credentials -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" | jq

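The same procedure, wrapped in shell functions as an added example (this is not the KB's own script and is not supplied by VMware). It reproduces the password-file handling from step 1 so it can be rehearsed on a scratch path before touching /etc/security/local, builds the token request body with the password escaped (a password containing a double quote would otherwise break the inline JSON in step 2), and keeps -k limited to this recovery session. The function names, the OWNER/GROUP parameters and the <sddc_fqdn> placeholder are assumptions; openssl, curl and jq are assumed to be present, as they are on SDDC Manager.

```shell
#!/bin/sh
# Added example, not from the KB. Exercises the KB's local-account steps as
# functions so the hashing and file handling can be checked on a scratch path
# (see write_local_password_file's owner/group parameters) before running
# them as root on a real SDDC Manager.
set -eu

# Hash a password exactly as the KB does: SHA-512 digest, base64, no newline.
# printf '%s' (like echo -n) avoids hashing a trailing newline.
hash_local_password() {
    printf '%s' "$1" | openssl dgst -sha512 -binary | openssl enc -base64 | tr -d '\n'
}

# Create the password file with the ownership and modes from step 1.
# Owner and group default to the KB's root:vcf_services; pass the current
# user and group to rehearse this unprivileged on a temporary directory.
write_local_password_file() {
    file="$1"; password="$2"
    owner="${3:-root}"; group="${4:-vcf_services}"
    dir=$(dirname "$file")
    mkdir -p "$dir"
    chown "$owner:$group" "$dir"
    chmod 650 "$dir"
    # Create the file empty first so its permissions are set before the hash lands in it.
    : > "$file"
    chown "$owner:$group" "$file"
    chmod 660 "$file"
    hash_local_password "$password" > "$file"
}

# Escape backslashes and double quotes so the password cannot break the JSON body.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Body for POST /v1/tokens (step 2), built from escaped values.
token_request_body() {
    printf '{"username":"%s","password":"%s"}' "$(json_escape "$1")" "$(json_escape "$2")"
}

# Obtain a bearer token from SDDC Manager. -k is required only because the
# certificates are expired; do not carry it over into normal operation.
get_token() {
    fqdn="$1"; password="$2"
    curl -sS -k -X POST "https://$fqdn/v1/tokens" \
        -H "Content-Type: application/json" \
        -d "$(token_request_body admin@local "$password")" | jq -r '.accessToken'
}

# Retrieve credentials (step 4) with straight quotes around every header.
get_credentials() {
    fqdn="$1"; token="$2"
    curl -sS -k "https://$fqdn/v1/credentials" \
        -H "Authorization: Bearer $token" \
        -H "Content-Type: application/json" | jq
}

# Usage on a real SDDC Manager (as root), with <sddc_fqdn> replaced:
#   write_local_password_file /etc/security/local/.localuserpasswd "$LOCAL_PW"
#   TOKEN=$(get_token <sddc_fqdn> "$LOCAL_PW")
#   get_credentials <sddc_fqdn> "$TOKEN"
```

Read the password into LOCAL_PW with `read -rs` rather than typing it on the command line, so it does not land in the shell history or appear in the process list while the hash is computed.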

Note: If the local account password needs to be changed once the environment is recovered (for instance, after the credentials have been fetched), follow the steps in the VMware Cloud Foundation documentation.