Configuring CyberArk PAM for VMware ESXi and vCenter
Article ID: 443426


Products

VMware vSphere ESXi

Issue/Introduction

  • Administrators might want to implement Privileged Access Management (PAM) using CyberArk to manage and automatically rotate root passwords for VMware ESXi and vCenter Server.
  • Security hardening policies dictate that this credential management must occur without using persistent SSH sessions.
  • This article describes how to integrate PAM tools such as CyberArk with VMware ESXi. The CyberArk VMware ESX/i API Plugin connects directly to ESXi hosts via the vSphere API rather than over SSH.

Environment

VMware ESXi

Resolution

  • Configure the CyberArk Central Policy Manager (CPM) to use the dedicated CyberArk VMware ESX/i API Plugin. This ensures the platform connects directly to the ESXi hosts via the vSphere API rather than relying on SSH. Contact CyberArk if further assistance is required.
  • Assign the Administrator role to the dedicated CyberArk domain user account at the ESXi host level to ensure sufficient privileges for credential rotation.
  • If Normal or Strict Lockdown Mode is enabled on the target ESXi hosts, add the designated CyberArk service account to the host's Exception Users list. Without this exception, the host blocks the plugin's API access. Reference: CyberArk is unable to change ESXi local passwords after enabling lockdown mode
  • Execute a test of the password rotation workflows in a non-production environment to validate the plugin configuration before applying the policy to production infrastructure.
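The host-side prerequisites from the steps above (host-level Administrator role, Lockdown Mode exception) can be applied and verified with PowerCLI. The following script is an added example and is not from this article, CyberArk or VMware; the host name and the service account principal are placeholders, and it assumes PowerCLI is installed and the account running it already has administrative access to the host.

```powershell
# Added example (PowerCLI): prepare one ESXi host for the CyberArk VMware ESX/i API Plugin.
# Placeholders: replace the host name and the service-account principal with your own values.
param(
    [string]$ESXiHost    = 'esxi01.example.internal',   # placeholder host name
    [string]$ServiceAcct = 'EXAMPLE\svc-cyberark'       # placeholder domain service account
)

Import-Module VMware.VimAutomation.Core

# Interactive credential prompt; nothing is stored in the script.
$vi     = Connect-VIServer -Server $ESXiHost -Credential (Get-Credential -Message "Admin credential for $ESXiHost")
$vmhost = Get-VMHost -Name $ESXiHost -Server $vi

# Step 1: grant the Administrator role ('Admin' is the built-in role ID) at the host level.
$adminRole = Get-VIRole -Name 'Admin' -Server $vi
$existing  = Get-VIPermission -Entity $vmhost -Principal $ServiceAcct -Server $vi -ErrorAction SilentlyContinue
if (-not $existing) {
    New-VIPermission -Entity $vmhost -Principal $ServiceAcct -Role $adminRole -Propagate $true | Out-Null
}

# Step 2: if Normal or Strict Lockdown Mode is on, the account must be an Exception User,
# otherwise the host rejects the plugin's API calls.
$accessMgr = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager -Server $vi
$mode      = "$($accessMgr.LockdownMode)"   # lockdownDisabled | lockdownNormal | lockdownStrict
if ($mode -ne 'lockdownDisabled') {
    $exceptions = @($accessMgr.QueryLockdownExceptions())
    if ($exceptions -notcontains $ServiceAcct) {
        # UpdateLockdownExceptions replaces the entire list, so append to the current one.
        $accessMgr.UpdateLockdownExceptions($exceptions + $ServiceAcct)
    }
}

# Step 3: report the resulting state so the change can be reviewed before the rotation test.
[pscustomobject]@{
    Host            = $vmhost.Name
    LockdownMode    = $mode
    ExceptionUsers  = (@($accessMgr.QueryLockdownExceptions()) -join ', ')
    RoleForAccount  = (Get-VIPermission -Entity $vmhost -Principal $ServiceAcct -Server $vi).Role
}

Disconnect-VIServer -Server $vi -Confirm:$false
```

Run it against a non-production host first, as the last step above recommends, and confirm the reported role and exception list before the CPM rotation test.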

Note: vCenter Server maintains connectivity and manages ESXi hosts using the internal vpxuser service account. Rotating the local root password on the ESXi host via CyberArk will not disrupt vCenter Server to ESXi communication.

Additional Information

For further information regarding plugin deployment, consult the official CyberArk documentation: https://docs.cyberark.com/pam-self-hosted/latest/en/content/pasimp/psm_virtualization_vsphere_web.htm