Rotating Users Password of Local NSX Manager

Article ID: 329720


Products

VMware Cloud on AWS

Issue/Introduction

VMware Cloud on AWS supports PCI DSS Compliant SDDCs. 

To enforce PCI DSS compliance for your SDDC, a shared responsibility model (VMware, Customer, AWS) is enforced. You are responsible for enforcing the following PCI compliance requirement:
  • Password requirement: 8.2.4 Change user passwords/passphrases at least once every 90 days.

A PCI DSS Compliant SDDC uses the Local NSX Manager UI instead of the Network and Security Tab in the VMC Console (vmc.vmware.com). Two accounts are provided to access the Local NSX Manager:
  • NSX Admin: cloud_admin
  • NSX Read Only: cloud_audit

Upon creation the password expiration value is set to the maximum (99999 days). You are responsible for rotating passwords for Local NSX Manager accounts at least once in 90 days.

Cause

Local NSX Manager UI does not provide a way for managing user passwords. Customers should use NSX REST API calls to accomplish the task of changing the password every 90 days.

Resolution

Local NSX Manager supports REST API. The following REST API call should be used to change the user password:

POST /api/v1/node/users?action=reset_own_password 

You can use a REST API client of your choice or curl command line utility to execute the required REST API call. This KB Article describes the use of curl only.

To change a user's password, use the following curl command, authenticating as the account whose password is being changed (cloud_admin or cloud_audit):

Note: The curl syntax provided is validated on Linux OS.

curl -k -H 'Content-Type:application/json' \
-u '<cloud_admin or cloud_audit>:<current password>' \
-X POST 'https://<NSX Manager FQDN>/api/v1/node/users?action=reset_own_password' -d '{
"password": "<new password>"
}'


You can find the Local NSX Manager FQDN in the VMC Console (vmc.vmware.com): SDDC > Settings tab > NSX Information section (available after you disable the Network & Security Tab).

The following password complexity requirements are enforced: 
  • Minimum 15 characters in length;
  • Minimum 1 uppercase character;
  • Minimum 1 lowercase character;
  • Minimum 1 numeric character;
  • Minimum 1 special character;
  • Minimum 5 unique characters.

You need to execute the same command separately for cloud_admin and cloud_audit. 

Note: VMC console does not update the password value after the password has been changed. VMC Console always shows the initial password.

You cannot change the password if you forget the current password, and a lost password cannot be recovered. To restore access, you need to contact VMware Support.
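The same rotation, scripted so that the new password is checked against the complexity rules above before the request is sent and both accounts are handled in one run. This is an added example written for this article, not VMware tooling; it assumes only the reset_own_password endpoint and basic authentication shown in the curl command, and the hostname in the usage line is a placeholder.

```python
"""Rotate the cloud_admin / cloud_audit passwords on a Local NSX Manager.

Added example (not VMware's code). It assumes the endpoint documented above:
POST /api/v1/node/users?action=reset_own_password, HTTP basic auth as the
account being changed, JSON body {"password": "<new>"}.
"""
import base64
import getpass
import json
import ssl
import string
import sys
import urllib.request

RESET_PATH = "/api/v1/node/users?action=reset_own_password"
ACCOUNTS = ("cloud_admin", "cloud_audit")


def policy_violations(password):
    """Return the complexity rules from the article that `password` fails (empty list = OK)."""
    problems = []
    if len(password) < 15:
        problems.append("minimum 15 characters")
    if not any(c.isupper() for c in password):
        problems.append("minimum 1 uppercase character")
    if not any(c.islower() for c in password):
        problems.append("minimum 1 lowercase character")
    if not any(c.isdigit() for c in password):
        problems.append("minimum 1 numeric character")
    if not any(c in string.punctuation for c in password):
        problems.append("minimum 1 special character")
    if len(set(password)) < 5:
        problems.append("minimum 5 unique characters")
    return problems


def build_reset_request(fqdn, user, current, new):
    """Assemble the same request the curl command sends, authenticated as `user`.

    Refuses to build a request for a new password that the policy would reject,
    so a bad value never reaches the manager (and never counts as a failed login).
    """
    if user not in ACCOUNTS:
        raise ValueError("unexpected account %r" % user)
    bad = policy_violations(new)
    if bad:
        raise ValueError("new password rejected by policy: " + ", ".join(bad))
    token = base64.b64encode(("%s:%s" % (user, current)).encode()).decode()
    body = json.dumps({"password": new}).encode()
    return urllib.request.Request(
        "https://%s%s" % (fqdn, RESET_PATH),
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Authorization": "Basic " + token},
    )


def rotate(fqdn, user, current, new, insecure=False):
    """Send the reset. insecure=True mirrors curl -k (skips certificate verification)."""
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = build_reset_request(fqdn, user, current, new)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    # Usage: python rotate_nsx_local_users.py <NSX Manager FQDN>  (hostname is a placeholder)
    manager = sys.argv[1]
    for account in ACCOUNTS:
        cur = getpass.getpass("%s current password: " % account)
        nxt = getpass.getpass("%s new password: " % account)
        print(account, rotate(manager, account, cur, nxt))
```

Passwords are read with getpass rather than taken from argv, so they do not show up in shell history or process listings the way the `-u 'user:password'` form does, and certificate verification stays on unless `insecure=True` is passed explicitly.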

For example:

The command below changes the password for the user cloud_admin from the current value ZUDt3cs!P+pDBu8 to the new value ayL!D6dUZvN*fY8 for the NSX Manager with the FQDN nsxmanager.sddc-12-12-112-238.vmwarevmc.com.

curl -k -H 'Content-Type:application/json' \
-u 'cloud_admin:ZUDt3cs!P+pDBu8' \
-X POST 'https://nsxmanager.sddc-12-12-112-238.vmwarevmc.com/api/v1/node/users?action=reset_own_password' -d '{
"password": "ayL!D6dUZvN*fY8"
}'


Note: Password values provided must NOT be used for your SDDC deployment and must be replaced with your own unique values.