Configuring Password Expiration and Rotation in VMware Cloud Foundation (VCF) 9.x

Article ID: 435599

Products

VMware SDDC Manager / VCF Installer

Issue/Introduction

When managing a VMware Cloud Foundation (VCF) 9.x environment, customers may experience the following:

  • The inability to locate a "Never Expire" or "Disable Expiration" toggle within the SDDC Manager (Fleet) user interface.
  • Concerns regarding the "tombstoning" (permanent lockout or expiration) of critical user or service accounts.
  • A requirement to align infrastructure accounts with specific corporate security policies that discourage frequent rotation.

Environment

VCF 9.x

Cause

VCF 9.x is designed with a secure-by-default architectural posture. This framework enforces periodic password rotation for all managed core components to align with modern security standards.

  • The Password Management subsystem in SDDC Manager is the authoritative source for account lifecycles.
  • The internal schema does not support a null or zero (0) value for expiration timers.
  • "Never Expire" is not a supported architectural state for core SDDC components within the automated lifecycle management engine.

Resolution

To prevent account "tombstoning" and ensure operational continuity, VMware recommends using the Automatic Rotation feature rather than attempting to disable expiration.

1. Configure Automatic Rotation

Automating rotations ensures that credentials are refreshed before they can expire or become "tombstoned."

  1. Log in to the SDDC Manager UI.
  2. Navigate to Administration > Password Management.
  3. Select the Settings tab.
  4. Configure the Rotation Interval for the following core components:
    • vCenter Server (Root and Admin)
    • ESXi Hosts (Root)
    • NSX Manager (Root and Admin)
    • SDDC Manager (Root and Admin)

2. Manage Fleet Components

Certain Fleet Management components may currently sit outside the scope of the automated rotation engine:

  • Fleet Management
  • VCF Operations
  • VCF Operations for Logs
  • VCF Operations for Networks
  • VIDB

  • For these accounts, manual lifecycle management is required.
  • Users must adhere to the default security policies of the underlying appliances.

3. Manual CLI Configuration (Workaround)

If a "Never Expire" state is strictly required for specific local accounts (e.g., Audit or Admin) and cannot be managed via SDDC Manager:

  • Warning: Modifying account properties directly via the command line (CLI) on components such as NSX or vCenter may result in compliance drift during SDDC Manager inventory syncs or Lifecycle Management (LCM) operations.
  • Consult the specific product documentation for the chage or passwd command syntax applicable to the Photon OS-based appliances.
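The following audit helper is an added example, not part of this KB article or of any VMware product. It parses the output format that shadow-utils `chage -l <user>` produces on a Photon OS appliance and classifies each local account as rotating at the expected interval, drifted from that interval, or set to never expire, so that accounts which have diverged from the SDDC Manager rotation setting (or which are heading for expiration) can be identified before an inventory sync or LCM run flags them. The sample `chage -l` output, the function names `classify_aging` and `audit_user`, and the expected interval argument are all constructed for this example; the expected interval is assumed to be the value configured under Administration > Password Management > Settings.

```shell
#!/bin/sh
# Added audit helper (not from the KB): classify the password-aging state that
# `chage -l <user>` reports on a Photon OS appliance.
# Assumption: shadow-utils `chage` output format, as used by Photon OS.

# Constructed sample of `chage -l` output for an account with rotation enforced.
SAMPLE_ROTATING='Last password change                                    : Jan 10, 2025
Password expires                                        : Apr 10, 2025
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7'

# Constructed sample for an account whose expiration was disabled locally.
SAMPLE_NEVER='Last password change                                    : Jan 10, 2025
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7'

# classify_aging [expected_max_days]
# Reads `chage -l` text on stdin and prints exactly one line:
#   never-expire      expiration disabled ("Password expires: never" or max >= 99999)
#   drift:<max>       max days differs from the expected rotation interval
#   rotating:<max>    expiration enforced (at the expected interval, if one was given)
classify_aging() {
  awk -v expected="${1:-}" -F' *: *' '
    /^Password expires/        { exp_date = $2 }
    /^Maximum number of days/  { max_days = $2 }
    END {
      if (exp_date == "never" || max_days + 0 >= 99999) { print "never-expire"; exit }
      if (expected != "" && max_days + 0 != expected + 0) { print "drift:" max_days; exit }
      print "rotating:" max_days
    }'
}

# audit_user <user> [expected_max_days]
# Runs the real chage on this appliance (requires root) and classifies the result.
audit_user() {
  chage -l "$1" | classify_aging "${2:-}"
}

# Stand-alone demonstration against the constructed samples (no root needed).
printf 'rotating sample (expect 90): %s\n' "$(printf '%s\n' "$SAMPLE_ROTATING" | classify_aging 90)"
printf 'never sample    (expect 90): %s\n' "$(printf '%s\n' "$SAMPLE_NEVER" | classify_aging 90)"
printf 'rotating sample (expect 60): %s\n' "$(printf '%s\n' "$SAMPLE_ROTATING" | classify_aging 60)"
```

On an appliance, `audit_user audit 90` (run as root) reports whether the local `audit` account still matches a 90-day interval; a `never-expire` or `drift:` result is the local change the warning above describes, and is what an SDDC Manager inventory sync or LCM operation may subsequently flag.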

Additional Information