Modifying/viewing the vCenter Server Appliance local account password policy.

Article ID: 383511

Products

VMware vCenter Server 7.0
VMware vCenter Server 8.0
VMware vCenter Server 6.0

Issue/Introduction

Instructions on how to change the local account password policy for vCenter Server using the GUI and REST API methods.

* Instructions on how to modify and query the current local account password policy using the REST API with curl from a bash shell. This method can be run on a remote machine to query/change the vCenter local account password policy.

* Instructions on how to modify and query the current local account password policy using DCLI on the vCenter Server bash shell. This method has to be run on the vCenter Server itself to query/change the vCenter local account password policy.

* Using the vCenter Server GUI to update the vCenter Server local user password policy.

Environment

vCenter Server Appliance 8x

vCenter Server Appliance 7x

vCenter Server Appliance 6x

Resolution

Using DCLI:

Note: Change [email protected] to a vCenter administrator account and PASSWORD to that account's password.

1. Log into the VCSA bash shell with SSH (or via console).


2. To query the current local account global password policy:

dcli com vmware appliance localaccounts policy get +username [email protected] +password PASSWORD

Example output:

warn_days: 67
max_days: 300
min_days: 100



3. To change the local account global password policy:

dcli com vmware appliance localaccounts policy set --max-days 333 --min-days 444 --warn-days 3 +username [email protected] +password PASSWORD


If the command was successful then it will return the command prompt with no output.



4. To list local users:

dcli com vmware appliance localaccounts list +username [email protected] +password PASSWORD



5. To query the password policy for a specific user:

dcli com vmware appliance localaccounts get --username test +username [email protected] +password PASSWORD

Change test to the name of the user you want to query.

Example output:

warn_days_before_password_expiration: 12
min_days_between_password_change: 34
roles:
   - superAdmin
password_expires_at: YYYY-MM-DDTHH:MM:SS.000Z
fullname: test
inactive_at:
last_password_change: YYYY-MM-DDTHH:MM:SS.000Z
email:
enabled: True
has_password: True
max_days_between_password_change: 1000


 

6. To change a specific user's password policy:

dcli com vmware appliance localaccounts update --username test --min-days-between-password-change 776 --max-days-between-password-change 67 --warn-days-before-password-expiration 67 +username [email protected] +password PASSWORD

Change the numbers to desired values.

Change test to the name of the user you want to update.


If the command was successful then it will return the command prompt with no output.

Other properties available when updating a local user:

  --days-after-password-expiration DAYS_AFTER_PASSWORD_EXPIRATION
                        Number of days after password expiration before the account will be locked (int)

  --email EMAIL         Email address of the local account (string)

  --enabled ENABLED     Flag indicating if the account is enabled (bool)

  --full-name FULL_NAME
                        Full name of the user (string)

  --inactive-after-password-expiration INACTIVE_AFTER_PASSWORD_EXPIRATION
                        Flag indicating if the account will be locked after password expiration (bool)

  --max-days-between-password-change MAX_DAYS_BETWEEN_PASSWORD_CHANGE
                        Maximum number of days between password change (int)

  --min-days-between-password-change MIN_DAYS_BETWEEN_PASSWORD_CHANGE
                        Minimum number of days between password change (int)

  --old-password [OLD_PASSWORD]
                        Old password of the user (required in case of the password change, not required if superAdmin user changes the password of the other user)
                        (secret string)

  --password [PASSWORD]
                        Password (secret string)

  --password-expires PASSWORD_EXPIRES
                        Flag indicating if the account password expires (bool)

  --password-expires-at PASSWORD_EXPIRES_AT
                        Date when the account's password will expire (string)

  --roles ROLES         User roles (optional list of string)

  --warn-days-before-password-expiration WARN_DAYS_BEFORE_PASSWORD_EXPIRATION
                        Number of days of warning before password expires (int)

  --username USERNAME   required: User login name (string)



7. To create a new local user:

dcli com vmware appliance localaccounts create --username test21 --roles operator --password "NEW_USER_PASSWORD" +username [email protected] +password PASSWORD

Change test21 to the name of the new local user to be created and NEW_USER_PASSWORD to the password for the new user.

Other properties available when creating a new local user:

  --days-after-password-expiration DAYS_AFTER_PASSWORD_EXPIRATION
                        Number of days after password expiration before the account will be locked (int)

  --email EMAIL         Email address of the local account (string)

  --enabled ENABLED     Flag indicating if the account is enabled (bool)

  --full-name FULL_NAME
                        Full name of the user (string)

  --inactive-after-password-expiration INACTIVE_AFTER_PASSWORD_EXPIRATION
                        Flag indicating if the account will be locked after password expiration (bool)

  --max-days-between-password-change MAX_DAYS_BETWEEN_PASSWORD_CHANGE
                        Maximum number of days between password change (int)

  --min-days-between-password-change MIN_DAYS_BETWEEN_PASSWORD_CHANGE
                        Minimum number of days between password change (int)

  --old-password [OLD_PASSWORD]
                        Old password of the user (required in case of the password change, not required if superAdmin user changes the password of the other user)
                        (secret string)

  --password [PASSWORD]
                        required: Password (secret string)

  --password-expires PASSWORD_EXPIRES
                        Flag indicating if the account password expires (bool)

  --password-expires-at PASSWORD_EXPIRES_AT
                        Date when the account's password will expire (string)

  --roles ROLES         User roles (list of string)

  --warn-days-before-password-expiration WARN_DAYS_BEFORE_PASSWORD_EXPIRATION
                        Number of days of warning before password expires (int)

  --username USERNAME   required: User login name (string)



8. To delete a local user:

dcli com vmware appliance localaccounts delete --username test21 +username [email protected] +password PASSWORD

Change test21 to the name of the local user to be deleted.





Using CURL:

NOTE: There is a script attached to this KB to automate this process. The script needs to be run on the vCenter Server.



1. Log into the VCSA bash shell with SSH (or via console). You can also run these commands remotely. Change "localhost" in the URLs to the FQDN/IP of your vCenter Server.

2. You will need to obtain a session ID:

curl -ks -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' --header 'vmware-use-header-authn: test' --header 'vmware-api-session-id: null' -u "[email protected]:PASSWORD_HERE" 'https://localhost/rest/com/vmware/cis/session' | cut -d : -f 2 | cut -d } -f 1 | sed 's/"//g'

NOTE: Change [email protected] to your SSO administrator name and PASSWORD_HERE to the SSO administrator password. You can also use a vCenter Server administrator account.

The output of this command will display the session ID. Take note of this, as it will be needed for subsequent commands. 

######db5575770c8223772#########    <<<< This is the session ID used for this example.

 

3. To query the current local account global password policy:

curl -ks -H "vmware-api-session-id:9f59e7db5575770c8223772363######" https://localhost/rest/appliance/local-accounts/global-policy | jq

Example output:

{
  "value": {
    "warn_days": 7,
    "max_days": 887,
    "min_days": 1
  }
}

4. To query the password policy for a specific user:

curl -ks -H "vmware-api-session-id:9f59e7db5575770c8223772363######"  https://localhost/rest/appliance/local-accounts/USERNAME | jq

Change USERNAME to the local account name you want to query. 

Example output:

{
  "value": {
    "warn_days_before_password_expiration": 6,
    "min_days_between_password_change": 1,
    "roles": [
      "operator"
    ],
    "password_expires_at": "YYYY-MM-DDTHH:MM:SS.000Z",
    "fullname": "test3",
    "last_password_change": "YYYY-MM-DDTHH:MM:SS.000Z",
    "enabled": true,
    "has_password": true,
    "max_days_between_password_change": 887
  }
}

5. To change the local account global password policy:

curl -X PUT -k -H "vmware-api-session-id:####7db5575770c8223772363######"  -H "Content-Type: application/json"  https://localhost/rest/appliance/local-accounts/global-policy -d '{ "policy": { "max_days": 300, "min_days": 100, "warn_days": 67 } }'

If the command was successful then it will return the command prompt with no output. 

Query the local account global password policy again to verify that it has been updated:

curl -ks -H "vmware-api-session-id:9f59e7db5575770c8223772#########" https://localhost/rest/appliance/local-accounts/global-policy | jq

 

6. To change a specific user's password policy:

curl -X PATCH -k -H "vmware-api-session-id:9f59e7db5575770c822377#########"  -H "Content-Type: application/json" https://localhost/rest/appliance/local-accounts/USERNAME -d '{"config":{"max_days_between_password_change":"1000", "min_days_between_password_change":"34",  "warn_days_before_password_expiration":"12"}}'


Change USERNAME to the local account name you want to change.

If the command was successful then it will return the command prompt with no output. 

This method can be used to change other local user properties such as password and roles:
Update Username Local Accounts | vSphere Automation API

The script attached to this KB will not change passwords or roles. It can only modify max_days, min_days and warn_days.

Additional Information

When using the curl method the session ID may expire. In this case you must generate a new session ID (step 2) and use it for the subsequent commands.

It is important to note that updating the local global password policy will not change the policy for existing local users. It will only change it for users created after the policy has been changed. 
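The script below is an added example and is not the KB's attached Local_Accounts.sh nor VMware code. It chains the curl steps above (obtain a session ID, read the global policy, read and PATCH a user) and addresses the caveat just stated: because a change to the global policy leaves existing local users untouched, the script reads the global max_days/min_days/warn_days values and applies them to each existing local user named on its command line (the user list itself can come from the DCLI "localaccounts list" step). The environment variables VC_HOST, VC_USER and VC_PASS are assumptions of this example, not something the KB defines; the endpoints and request bodies are the ones shown in the steps above.

```shell
#!/bin/bash
# Added example: not the KB's attached Local_Accounts.sh, and not VMware code.
# It chains the KB's curl steps (session ID, read global policy, PATCH a user)
# and applies the global max/min/warn values to the existing local users named
# on the command line, because changing the global policy does not touch them.
# Assumed environment (not from the KB): VC_HOST (FQDN/IP), VC_USER, VC_PASS.
set -euo pipefail

# Read one integer field out of a JSON document. The KB pipes responses to jq;
# sed is used here so the helper also works on hosts without jq.
json_int() {                 # json_int JSON KEY -> prints the integer, or nothing
  printf '%s\n' "$1" | sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p"
}

# Extract the session ID from the {"value":"..."} reply of the session endpoint.
session_id_from() {          # session_id_from JSON
  printf '%s\n' "$1" | sed -n 's/.*"value" *: *"\([^"]*\)".*/\1/p'
}

# Body for PATCH /rest/appliance/local-accounts/USERNAME (KB step 6), with the
# three values sent as JSON numbers.
user_policy_body() {         # user_policy_body MAX MIN WARN
  printf '{"config":{"max_days_between_password_change":%s,"min_days_between_password_change":%s,"warn_days_before_password_expiration":%s}}' "$1" "$2" "$3"
}

# Succeeds only when the user's three policy values equal the global ones.
user_matches_global() {      # user_matches_global USER_JSON GLOBAL_JSON
  [ "$(json_int "$1" max_days_between_password_change)" = "$(json_int "$2" max_days)" ] &&
  [ "$(json_int "$1" min_days_between_password_change)" = "$(json_int "$2" min_days)" ] &&
  [ "$(json_int "$1" warn_days_before_password_expiration)" = "$(json_int "$2" warn_days)" ]
}

vc_login() {                 # KB step 2; prints the session ID
  session_id_from "$(curl -ks -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' \
    -u "$VC_USER:$VC_PASS" "https://$VC_HOST/rest/com/vmware/cis/session")"
}

vc_get() {                   # vc_get SESSION_ID PATH (relative to /rest/appliance/)
  curl -ks -H "vmware-api-session-id:$1" "https://$VC_HOST/rest/appliance/$2"
}

main() {
  : "${VC_USER:?}" "${VC_PASS:?}"
  local sid global max min warn user json
  sid=$(vc_login)
  global=$(vc_get "$sid" local-accounts/global-policy)          # KB step 3
  max=$(json_int "$global" max_days)
  min=$(json_int "$global" min_days)
  warn=$(json_int "$global" warn_days)
  echo "global policy: max_days=$max min_days=$min warn_days=$warn"
  for user in "$@"; do
    json=$(vc_get "$sid" "local-accounts/$user")                # KB step 4
    if user_matches_global "$json" "$global"; then
      echo "$user: already matches the global policy"
      continue
    fi
    curl -ks -X PATCH -H "vmware-api-session-id:$sid" -H 'Content-Type: application/json' \
      "https://$VC_HOST/rest/appliance/local-accounts/$user" \
      -d "$(user_policy_body "$max" "$min" "$warn")"            # KB step 6
    echo "$user: updated to the global policy"
  done
}

# Only contact a vCenter when VC_HOST is set, so the helpers can be sourced
# or tested without network access.
if [ -n "${VC_HOST:-}" ]; then main "$@"; fi
```

Run it as `VC_HOST=vcenter.example.com VC_USER=... VC_PASS=... ./apply_policy.sh root test21` after checking the current values with the query commands above. The `-k` flag mirrors the KB's commands and skips TLS certificate validation; when running remotely, replacing it with `--cacert` and the vCenter CA certificate avoids sending the administrator credentials to an unverified endpoint.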

PowerCLI can also be used to query/modify local accounts, examples:
LocalAccounts APIs | vSphere Automation API

Attachments

Local_Accounts.sh