The sos --password-health in VMware Cloud Foundation is in RED status after setting the password expiration date for the root account on the vCenter & PSC to "Never Expired"

Article ID: 316921

Products

VMware Cloud Foundation

Issue/Introduction

Symptoms:
  • After setting the root password expiration date on the vCenter and PSCs to never expire, the /opt/vmware/sddc-support/sos --password-health command reports the Password Expiry Status as RED, and the State value for the vCenter and PSC root accounts shows "Failed to get details".
/opt/vmware/sddc-support/sos --password-health 
Password Expiry Status : RED

+-----+---------------------------------------------+------------+-------------------+--------------+-----------------+-----------------------+
| SL# |                  Component                  |    User    | Last Changed Date | Expiry Date  | Expires in Days |         State         |
+-----+---------------------------------------------+------------+-------------------+--------------+-----------------+-----------------------+
|  5  |          PSC : psc-1.vcf.corp.local         |    root    |    Jun 25, 2018   |    never     |        -        | Failed to get details |
|  6  |          PSC : psc-2.vcf.corp.local         |    root    |    Jun 07, 2018   | Sep 05, 2018 |     62 days     |         GREEN         |
|  7  |      vCenter : vcenter-1.vcf.corp.local     |    root    |    Jun 25, 2018   |    never     |        -        | Failed to get details |
+-----+---------------------------------------------+------------+-------------------+--------------+-----------------+-----------------------+
  • You see messages similar to the following in /var/tmp//healthcheck-<date>/sos.log on the SDDC Manager Controller VM:

2018-07-05T21:00:33.351Z [DEBUG commandutils.py::run_cmds_over_ssh::379::get_passsword_expirationThread0] server: 192.168.16.22 --- stderr:
2018-07-05T21:00:33.351Z [INFO util.py::get_passsword_expiration::2304::get_passsword_expirationThread0] Failed to get password expiration information for user root on : psc-1.vcf.corp.local
2018-07-05T21:00:33.351Z [ERROR util.py::get_passsword_expiration::2308::get_passsword_expirationThread0] 'never' is not in list
2018-07-05T21:00:33.352Z [ERROR util.py::get_passsword_expiration::2309::get_passsword_expirationThread0] Traceback (most recent call last):
  File "utils/util.py", line 2273, in get_passsword_expiration
ValueError: 'never' is not in list

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.


Environment

VMware Cloud Foundation 2.3.x

Resolution

This is a known issue affecting VMware Cloud Foundation 2.3.2. There is currently no resolution.

Workaround:
  • vCenter Single Sign-On passwords expire after 90 days by default. The vSphere Web Client reminds you when your password is about to expire.
  • For security reasons, VMware recommends changing the passwords for the built-in accounts that are used by your Cloud Foundation system. Changing these passwords periodically or when certain events occur, such as an administrator leaving your organization, reduces the likelihood of security vulnerabilities occurring.


Additional Information

Change the vCenter & PSC Single Sign-On password expiration policy from "Never Expired" to expire after a number of days of your choice. See Edit the vCenter Single Sign-On Password Policy.

Change the vCenter & PSC root password expiration policy from "Never Expired" to expire after a number of days of your choice:
  1. SSH to the target vCenter/PSC virtual appliance as the root user.
  2. Issue the shell command.
Note: If you are asked to reset the password, set it to the same one as returned by the /home/vrack/bin/lookup-passwords command on the SDDC Manager Controller VM.
  3. Use the chage -M command to change the password expiration policy, per the following example:
chage -M 90 root

Note: This example sets the password expiration to 90 days. Setting this value to 10000 is the same as setting it to never expire.
  4. Issue the chage -l root command to validate the change.
Note: You will see output similar to the following:

Last password change                                    : Jan 10, 2019
Password expires                                        : Apr 10, 2019
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
  5. Issue the following commands to restart the applmgmt service:
service-control --stop applmgmt
service-control --start applmgmt
  6. Issue the /opt/vmware/sddc-support/sos --password-health command to validate that there are no further issues.
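
To check the result of the steps above across several appliances, the following added example (not VMware's code and not part of the sos tool) parses `chage -l` output and treats `never` as a valid value instead of a parse failure. The state labels, the `warn_days` threshold and the sample text are assumptions made for this illustration.

```python
from datetime import date, datetime

# Constructed sample of `chage -l root` output, mirroring the example on this page.
SAMPLE_90 = """\
Last password change                                    : Jan 10, 2019
Password expires                                        : Apr 10, 2019
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
"""
# Constructed: the same account after `chage -M -1 root` (password aging disabled).
SAMPLE_NEVER = SAMPLE_90.replace("Apr 10, 2019", "never").replace(": 90", ": -1")


def parse_chage(text):
    """Map each `label : value` line of `chage -l` output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            fields[label.strip()] = value.strip()
    return fields


def password_state(text, today, warn_days=14):
    """Classify password aging; 'never' is reported, not treated as an error."""
    fields = parse_chage(text)
    expires = fields["Password expires"]
    max_days = int(fields["Maximum number of days between password change"])
    if expires == "never":
        return {"state": "NEVER_EXPIRES", "days_left": None, "max_days": max_days}
    days_left = (datetime.strptime(expires, "%b %d, %Y").date() - today).days
    if days_left < 0:
        state = "EXPIRED"
    elif days_left <= warn_days:
        state = "WARN"
    else:
        state = "OK"
    return {"state": state, "days_left": days_left, "max_days": max_days}


if __name__ == "__main__":
    for name, sample in (("90-day", SAMPLE_90), ("never", SAMPLE_NEVER)):
        print(name, password_state(sample, today=date(2019, 2, 7)))
```

Accounts reported as NEVER_EXPIRES are the ones to move to a finite maximum age with chage -M before re-running the health check.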

Change the Password of the Root User

Impact/Risks: