NSX Manager root password is expired and needs to be reset
search cancel

NSX Manager root password is expired and needs to be reset

book

Article ID: 408091

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

  • The root password for NSX manager appliance has expired.
    • Resetting root/admin password for Management Domains NSX Cluster.
    • Expired passwords for root and admin account for the Management Domains NSX.
    • Updating through SDDC isn't working as expected.
  • Direct SSH connections request a new password be set.

               

  • When trying to switch from admin to root shell the following message may appear.

nsx-mngr-01> st en
% Cannot enter the root shell if the root user's password has expired, invoke the following command to change root's password:
set user root password

Environment

VMware NSX 
VMware NSX-T Data Center

Cause

Password expiration (90 day by default) was introduced in NSX-T 2.4.0, because of security requirements.

By default, password expiration is configured for 90 days.
Since 2.4.0 Password Policy Enhancements: Enforces minimum password length of 12 characters for default passwords. Introduces ability to set password expiration times and generates alarms when password is about to expire.

For more details regarding password expiry please see (Modifying the Default Admin Password Expiration)

Resolution

  • The password for root can be set from the admin shell by using "set user <username> password [<password> [old-password <old-password>]" if the admin login is accessible and the root password is known.
  • If the admin login is unavailable but the root password is known, direct connection (SSH) to the manager as root will trigger a reset where password can be reset.
  • If the root password and admin password are unknown then to reset the root password of NSX manager, you need to follow the steps described in the document below, you can reset it by editing the GRUB boot menu after rebooting NSX manager appliance.
  • Root password expiry can also be changed from nsxcli via the below command. To have password expire to a maximum of 9999 days. Example below:
             nsx-mngr-01> set user root password-expiration
               <password-expiration> Number of days password valid after change (1 - 9999)
            nsx-mngr-01> set user root password-expiration 9999
  • To reset the password on one manager node and have that change synchronized globally to the remaining two managers in the cluster rather than performing the task manually on each node, follow the steps below:

    1. Log in to one NSX Manager node via SSH or Console as root.

    2. Enter your current password and then it prompts for new password, once completed the root password is changed successfully

    3. To replicate to other servers, stop the Management Plane API service: /etc/init.d/nsx-mp-api-server stop

    4. Global Sync Step: Create the trigger file to propagate the change: touch /var/vmware/nsx/reset_cluster_credentials

    5. Restart the API service: /etc/init.d/nsx-mp-api-server start

    6. Log into other 2 managers with root and with the same root password that is set on 1st manager


Note: Execute "start search resync all" on the master node with admin account to resync new password on all 3 manager nodes, in case the root password doesn't sync across other manager nodes. Refer KB 317192 

Additional Information

Reference doc: Resetting the passwords of an Appliance

Powered by Wolken Software