Change content library password on vCenter via VCDB if lost or forgotten
search cancel

Change content library password on vCenter via VCDB if lost or forgotten

book

Article ID: 375982

calendar_today

Updated On:

Products

VMware vCenter Server VMware vCenter Server 7.0 VMware vCenter Server 8.0

Issue/Introduction

This article provides steps to change the content library password if you have lost or forgotten the existing password when authentication is enabled for a VCSA 7.x and later.

Symptoms:

Environment

VMware vCenter Server 7.0.x

VMware vCenter Server 8.0.x

Cause

In PostgreSQL, SCRAM-SHA-256 and MD5 are both used as password authentication mechanisms. They determine how passwords are stored and verified within the database.

1. MD5 in PostgreSQL:

  • Historical Context: MD5 was the default password hashing mechanism in PostgreSQL before version 10.
  • How it Works:
    • When a user sets a password, PostgreSQL hashes the password using MD5 and stores the hash in the database.
    • During authentication, the client's password is hashed using MD5 (with some additional processing) and compared with the stored hash. If they match, the user is authenticated.
  • Security Concerns:
    • MD5 is now considered weak and vulnerable to various attacks, such as brute force, collision, and precomputed rainbow tables.
    • MD5 does not use strong salting and iteration techniques, making it less secure against modern attacks.

2. SCRAM-SHA-256 in PostgreSQL:

  • Introduced in PostgreSQL 10: SCRAM-SHA-256 became the default password hashing mechanism starting from PostgreSQL version 10.
  • How it Works:
    • SCRAM-SHA-256 uses the SHA-256 hashing algorithm combined with a salt (a random value) and multiple iterations to hash the password.
    • The salt and number of iterations are stored alongside the hashed password in the database.
    • During authentication, the client computes the hash of the password using the provided salt and iterations, and the server verifies the result.
  • Security Benefits:
    • SCRAM-SHA-256 is much more secure than MD5 due to its use of stronger hashing (SHA-256), salting, and iteration.
    • It is designed to resist modern attacks like brute force and rainbow tables.

Is Decryption Possible?

Neither MD5 nor SCRAM-SHA-256 supports decryption in the traditional sense because they are hashing algorithms, not encryption algorithms. Hashing is a one-way function, meaning that the original input (the password) cannot be directly retrieved from the hash.

1. Decryption of MD5:

  • Not Possible: MD5 is a one-way hash function, meaning you cannot decrypt it to recover the original password.
  • Cracking Possible:
    • Due to MD5's vulnerabilities, an attacker could use brute force or rainbow tables to try and "crack" the hash. If the password is weak or common, the attacker may be able to find a matching hash and thus determine the password.
    • The process of cracking does not involve decryption but rather finding a password that produces the same MD5 hash.

2. Decryption of SCRAM-SHA-256:

  • Not Possible: SCRAM-SHA-256 is also a one-way hash function, and you cannot decrypt the hash to retrieve the original password.
  • Cracking Much Harder:
    • Due to its use of salting and multiple iterations, cracking SCRAM-SHA-256 is computationally expensive and infeasible for strong, complex passwords.
    • An attacker would need to guess the password and hash each guess using the same salt and iterations, which is extremely time-consuming and impractical for strong passwords.

Summary:

  • MD5 and SCRAM-SHA-256 are both password hashing mechanisms in PostgreSQL, with MD5 being older and less secure, and SCRAM-SHA-256 being newer and more secure.
  • Decryption is not possible for either MD5 or SCRAM-SHA-256, as they are hashing algorithms, not encryption algorithms.
  • Cracking is theoretically possible for both, but MD5 is much more vulnerable to such attacks, while SCRAM-SHA-256 provides robust security against them, especially when strong passwords are used.

 

Currently, in vCenter, there is no option to change or reset the content library password via the GUI.

However, you can retrieve the content library password from the vCenter database (VCDB), but it will be displayed in an encrypted format.

Here are the steps to view the encrypted content library password using psql queries:

  • Login to PostgreSQL: /opt/vmware/vpostgres/current/bin/psql -d VCDB -U postgres

  • Retrieve the Content Library ID by Name: SELECT id, name FROM cl_library WHERE name = 'Impactedlib';

  • View the Encrypted Publisher Library Password: SELECT publishpassword FROM cl_library WHERE id = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX';

  • View the Encrypted Subscriber Library Password: SELECT subscriptionpassword FROM cl_library WHERE id = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX';

  • Example publisher library:

To check the current PostgreSQL encryption method and version, run the following commands:

  • Check Password Encryption Method: /opt/vmware/vpostgres/current/bin/psql -U postgres -A -t -c "SHOW password_encryption;"
  • Check PostgreSQL Version: psql -V
  • Output:

Resolution

Steps to Change the Content Library Password via VCDB

Note: Please take proper snapshots/backups of the vCenter before proceed.

Create a Test Content Library:

  • In vCenter, create a new content library and enable authentication.
  • Enter a password for this test content library. This password will be the new password that you will use to replace the original content library password via VCDB.

 

Retrieve the Encrypted Password for the Test Content Library:

  • Use the following queries to get the encrypted password of the test content library and replace the original content library's encrypted password:

  • Get the ID of the Test Library:
    SELECT id, name FROM cl_library WHERE name = 'test';
                      id                  | name
    --------------------------------------+------
    XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX | test

  • Retrieve the Publisher Password for the Test Library (if it is a Publisher Library):
    SELECT publishpassword FROM cl_library WHERE id = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX';
                                                                                   publishpassword
    -----------------------------------------------------------------------------------------------------------------------------------------------------------------------------
     xxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

    (If you need to change the password for a subscriber library, use the subscriptionpassword column instead of publishpassword.)

  • Copy the Encrypted Password: Copy the encrypted password retrieved in the previous step to a notepad. This will be used to replace the original content library password.

  • Replace the Original Content Library Password:

    • Get the ID of the Original Content Library:  SELECT id, name FROM cl_library WHERE name = 'Impactedlib';
                        id                  |    name
      --------------------------------------+-------------
       XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX | Impactedlib

  • Update the Original Content Library Password:
    • Use the following query to replace the original content library password with the encrypted password from the test content library:  UPDATE cl_library 
      SET publishpassword = 'xxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxx-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      WHERE id = 'XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX';

  • Restart vCenter Services:

    • After updating the password, restart the vCenter services to apply the changes: service-control --stop --all && service-control --start --all

Powered by Wolken Software