Resetting the vmware-system-user password for VCF Identity Broker
Article ID: 424323

Products

VCF Operations

Issue/Introduction

When the vmware-system-user password has been lost or forgotten and the current password cannot be retrieved from the VCF Fleet Manager appliance, the steps in this KB can be used to reset the password.

Environment

  • VCF Operations 9.0.x
  • VCF Identity Broker 9.0.x

Cause

This issue occurs when the vmware-system-user account on the VCF Identity Broker (vIDB) appliance is locked or the password is forgotten, causing a "Disconnected" status in VCF Operations Fleet Management.
Resetting the password at the OS level requires subsequent remediation in the UI to synchronize the VCF Fleet Manager database and Kubernetes secrets.

Resolution

Phase 1: OS-Level Password Reset

  1. Log in to the management domain vCenter Server and open a console to the VCF Identity Broker appliance.

  2. Restart the appliance. When the Photon OS splash screen appears, press 'e' to enter the GNU GRUB edit menu.

  3. Locate the line starting with linux and append the following to the end: rw init=/bin/bash

  4. Press F10 to boot into the bash shell.

  5. (Optional) Unlock the account if locked:
    faillock --user vmware-system-user --reset

  6. Reset the password:
    passwd vmware-system-user

  7. Set the password to never expire to prevent recurrence:
    chage -m 0 -M -1 vmware-system-user

  8. Restart the appliance:
    reboot -f

  9. Repeat steps 1-8 for all remaining Identity Broker nodes in the cluster.
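The following script is an added example, not part of this KB, that wraps steps 5-7 for the root shell reached in step 4 and then verifies the result by parsing the output of chage -l, so the reset is confirmed before rebooting. The sample chage listing inside it is constructed for illustration; the functions verify_no_expiry, reset_account and check_sample are names chosen here.

```shell
#!/bin/bash
# Added example, not the KB's own script. Wraps Phase 1 steps 5-7 for the
# vmware-system-user account and verifies the result by parsing "chage -l".
set -eu

ACCOUNT="vmware-system-user"

# Succeeds when a "chage -l" listing (read from stdin) shows no minimum
# password age and no expiry, i.e. the state "chage -m 0 -M -1" produces.
verify_no_expiry() {
    local line expires="" min_days=""
    while IFS= read -r line; do
        case "$line" in
            "Password expires"*)       expires="${line#*: }" ;;
            "Minimum number of days"*) min_days="${line#*: }" ;;
        esac
    done
    [ "$expires" = "never" ] && [ "$min_days" = "0" ]
}

# Apply the KB steps to one account. Requires root, which the
# init=/bin/bash shell provides; passwd prompts for the new password.
reset_account() {
    local user="${1:-$ACCOUNT}"
    if ! getent passwd "$user" >/dev/null; then
        echo "no such account: $user" >&2
        return 1
    fi
    faillock --user "$user" --reset   # step 5: clear failed-login lockout
    passwd "$user"                    # step 6: set the temporary password
    chage -m 0 -M -1 "$user"          # step 7: no minimum age, never expires
    if chage -l "$user" | verify_no_expiry; then
        echo "$user: password reset and expiry disabled"
    else
        echo "$user: expiry settings were not applied" >&2
        return 1
    fi
}

# Constructed "chage -l" listing matching the post-reset state, used to
# exercise the check without touching a real account.
SAMPLE_CHAGE_OK='Last password change : Jan 01, 2025
Password expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : -1'

# Dry run of the check on the constructed sample; returns 0 when it passes.
check_sample() {
    printf '%s\n' "$SAMPLE_CHAGE_OK" | verify_no_expiry
}
```

Source the file in the step 4 shell and run reset_account; step 8 (reboot -f) still follows separately.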

Phase 2: Fleet Management Remediation

  1. Log in to the VCF Operations UI.

  2. Navigate to Fleet Management > Passwords > VCF Management.

  3. Filter for VCF Identity Broker and select the affected appliance.

  4. Click Remediate Password.

  5. Enter the temporary password set in Phase 1 and click Submit.

  6. Repeat for all Identity Broker nodes.

Phase 3: Kubernetes Secret and Inventory Sync

  1. Navigate to Fleet Management > Lifecycle > Components.

  2. Click Manage next to the Identity Broker component.

  3. Click Trigger Inventory Sync and monitor for completion.

  4. To ensure the Kubernetes secrets (used during upgrades/patching) are updated:

    • Return to Fleet Management > Passwords > VCF Management.

    • Select the remediated account and perform an Update Password to rotate the password to a final, permanent value. This triggers the backend workflow to update the sftp-password-secret in the vmsp-platform namespace.