Configured Password Policy Is Not Being Enforced for the VCF Operations 9.1 Root Account

Article ID: 441344


Updated On:

Products

VCF Operations

Issue/Introduction

  • A new password policy was created with the password expiration period set to 'x' years and applied at the Fleet level.
  • The policy was successfully applied to all VCF components, and remediation completed with a “Compliant” status, including for VCF Operations.
  • However, upon navigating to the Passwords section under Fleet Management (VCF Operations ➔ Manage ➔ Fleet Management ➔ Passwords), the VCF Operations root account did not inherit the configured policy settings. The password expiration for the root account is still displayed as 3 months instead of the expected 'x' years configured in the password policy.

Environment

  • Fleet Lifecycle 9.1.x
  • VCF Operations 9.1.x

Cause

The VCF Operations root account does not follow the password expiry settings defined in the applied password policy. As a result, the root account password expiry remains unset (or retains its previous value) regardless of the policy configuration.

Resolution

This is a known limitation in VCF Operations 9.1. Broadcom Engineering is aware of the issue and is working on a fix for upcoming releases of VCF Operations.
To manually set the password expiry for the root account on a VCF Operations node, use the following workaround:
 
Steps:
  1. SSH into the VCF Operations node using the root account: 
    ssh root@<vcfops-node-hostname-or-ip>
  2. Execute the following command to set the password expiry for the root account. Replace 365 with the desired number of days: 
    sudo chage -M 365 root
  3. To verify the change was applied successfully: 
    chage -l root
Confirm that the "Maximum number of days between password change" field reflects the value set in step (2).
 
NOTE: Repeat the above steps on each VCF Operations node in the cluster.
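
Because the policy compliance status may not reflect the root account, the verification in step 3 can be scripted across all nodes. The following is an added example, not part of the original article or any Broadcom tooling; the script name, function names, EXPECTED_MAX_DAYS variable and the sample `chage -l` output are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: audit the root password max age on each VCF Operations node.
# EXPECTED_MAX_DAYS and all function names are assumptions for illustration.
EXPECTED_MAX_DAYS="${EXPECTED_MAX_DAYS:-365}"

# Constructed sample of `chage -l root` output (not captured from a real node).
SAMPLE_CHAGE_OUTPUT='Last password change                                : Jan 10, 2025
Password expires                                    : Apr 10, 2025
Minimum number of days between password change      : 0
Maximum number of days between password change      : 90
Number of days of warning before password expires   : 7'

# Read `chage -l` text on stdin; print the maximum-age value, fail if absent.
parse_max_days() {
  awk -F: '/^Maximum number of days between password change/ {
             gsub(/[[:space:]]/, "", $2); print $2; found = 1; exit }
           END { if (!found) exit 1 }'
}

# Compare the parsed value with the expected one: OK, MISMATCH or UNKNOWN.
classify() {
  if [ -z "$1" ]; then echo "UNKNOWN"; return 2; fi
  if [ "$1" = "$2" ]; then echo "OK"; return 0; fi
  echo "MISMATCH"; return 1
}

# Run the verification command from step 3 on one node and report the result.
audit_node() {
  out="$(ssh -o BatchMode=yes "root@$1" 'chage -l root' 2>/dev/null)" || out=""
  days="$(printf '%s\n' "$out" | parse_max_days)" || days=""
  status="$(classify "$days" "$EXPECTED_MAX_DAYS")"; code=$?
  printf '%s\tmax_days=%s\t%s\n' "$1" "${days:-?}" "$status"
  return "$code"
}

# Usage: EXPECTED_MAX_DAYS=365 ./audit_root_expiry.sh node1 node2 ...
main() {
  rc=0
  for node in "$@"; do audit_node "$node" || rc=1; done
  return "$rc"
}
main "$@"
```

The script exits non-zero if any node is unreachable or reports a value other than the expected one, so it can be run on a schedule to catch nodes where the workaround was missed.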

Additional Information

Risk / Impact:
  • Password expiry enforcement for the root account on VCF Operations nodes must be managed manually.
  • Compliance checks relying on the password policy applied via VCF Operations may report incorrect status for the root account.