How to Reset the Root Password in VMware Aria Operations (formerly vRealize Operations)

Products

VMware Aria Suite

Issue/Introduction

This article provides steps to reset the Aria Operations (formerly known as vRealize Operations) root password.

If the root password for VMware Aria Operations is forgotten, login attempts with an incorrect password will result in a "Login Incorrect" or "Access Denied" error. This article provides the steps to securely reset the root password.
In Aria Operations, when you log in to the console of the virtual application for the first time, you are forced to set a root password.

Note: The default root password is blank. Simply press the enter key when prompted for the first time.

The Aria Operations console root password can be different than the admin account password that you set when configuring the Aria Operations Primary node.

Environment

VMware vRealize Operations 8.0.x

VMware vRealize Operations 8.1.x
VMware vRealize Operations 8.2.x
VMware vRealize Operations 8.3.x
VMware vRealize Operations 8.4.x
VMware vRealize Operations 8.6.x
VMware vRealize Operations 8.10.x
VMware Aria Operations 8.12.x

VMware Aria Operations 8.14.x

VMware Aria Operations 8.16.x

VMware Aria Operations 8.18.x

Resolution

Process to reset the root password in VMware Aria Operations:

To reset root password in VMware Aria Operations follow the steps below.

Log into the VMware Aria Operations admin UI as the local admin user.
Click Take Offline under Cluster Status.

Notes:

Wait for Cluster Status to show as Offline.
While only the target node needs to be taken offline, to avoid cluster issues it is recommended to take the entire cluster offline instead.

In the vSphere Client, open the console of the desired node.
With the console open, restart or power on the virtual machine.
When the GRUB loader menu appears, immediately press the e key to enter edit mode.

Notes:

Press the up and down arrow keys even if the option appears to already be selected. Otherwise, the machine continues to boot, and you have to start over.
The cursor appears at the end of a line of boot options near the bottom of the display.
If you cannot reach the boot menu before it disappears, enable Force BIOS setup in the Virtual Machine's Settings > VM Options > Boot Options and reboot.

6. Add a space at the end of the line containing elevator=noop, then type rw init=/bin/bash which adds another option to the line.

Press F10 to start virtual appliance in single-user mode.

Then from step 8 follow the steps based on the installed Aria Operations version:

VMware Aria Operations 8.0.x - 8.12.x	VMware Aria Operations 8.14.x - above
8. Type passwd root and follow the prompts to create a new root password Note: If the above command fails, try running sudo passwd root instead.	8. At the prompt type, after successful boot, run the following command to mount the root partition mount -o remount,rw /
9. To unlock the root account, open /etc/pam.d/system-auth in a text editor.	9. Type passwd root and follow the prompts to create a new root password.
10. Comment out the following line by adding a # in front of it: auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog Example: #auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog	10. To unlock the root account run the following command to unlock it /usr/sbin/faillock --user root --reset
11. Save and close the file.	11. Type umount / and press Enter.
12. Type sync and press Enter to flush the data to disk.	12. Type reboot -f and press Enter. Note: If the reboot command fails, restart the Virtual Machine through vSphere.
13. Type umount / and press Enter.
14. Type reboot -f and press Enter. Note: If the reboot command fails, restart the Virtual Machine through vSphere.
15. In the vSphere Client, reopen the console of the desired node and login using root.
16. Run the following command: pam_tally2 --user root --reset Note: This command may need to be run twice.
17. Open /etc/pam.d/system-auth in a text editor.
18. Uncomment the line from step 11 by removing the # in front of it. Example: auth required pam_tally2.so onerr=fail deny=3 unlock_time=900 root_unlock_time=900 file=/var/log/tallylog
19. Save and close the file.

After following above steps please bring the cluster back to Online status following below steps :

1. Log into the VMware Aria Operations admin UI as the local admin user.
2. Click Bring Online under Cluster Status.
Note: Wait for Cluster Status to show as Online.

Additional Information

Password Requirements:

At least 8 characters long
1 Uppercase
1 Lowercase
1 number
1 Special character from this list: !@#$%^&*+=

To check if the root account is locked, complete the following while in single user mode.
Note: Running the passwd command from the steps above will unlock the root account, so this step not required if passwd has already been run.

Type passwd -S root to determine if the root account is locked.

Note: If the account is not locked, you will see PS next to the username. If the account is locked, you will see LK next to the username.

Example:

Unlocked: root PS 01/24/2019 0 365 7 -1
Locked: root LK 01/24/2019 0 365 7 -1

For information on resetting the admin password, see How to Reset the Admin Password in Aria Operations.

VMware Cloud Foundation Installations

If the nodes are connected with SDDC Manager on VMware Cloud Foundation and the root password has been reset outside of SDDC Manager:

Operations nodes are disconnected in SDDC manager.
Password rotation, upgrade, or remediation could not previously be performed from the SDDC.
Password is now known and SSH access is possible.
Root account is not locked (because this KB was followed to reset the password).
Please use the guide to Remediate the password in SDDC Manager: Remediate Passwords