Remediating passwords updated outside of VMware Aria Suite Lifecycle

Products

VMware Aria Suite

Issue/Introduction

This article provides the steps to remediate a password that was updated outside of VMware Aria Suite Lifecycle. It is part of a group of articles about managing passwords using VMware Aria Suite Lifecycle: Password management with VMware Aria Suite Lifecycle (vRealize Suite Lifecycle Manager) Locker

The passwords managed by Locker may need to be updated outside of VMware Aria Suite Lifecycle for the following reasons:

The active password is not available.
The user has forgotten the password.
The password stored in Locker is not valid.
- To validate the password stored in Locker follow Validating what passwords are being used per VMware Aria Suite Product in VMware Aria Suite Lifecycle

In these situations, it is required to follow the steps described in this article in order to add the new password on Locker and to update the Product Environment information using Lifecycle Operations.

Note: On VCF mode VMware Aria Suite Lifecycle, the passwords are managed by the SDDC manager rotation tool. Therefore:

It is suggested to follow the Rotate passwords – VMware Cloud Foundation Administration Guide. This document indicates what passwords are managed by SDDC manager.
If the passwords managed by the SDDC password rotation tool were updated outside of SDDC or this article was followed, it is needed to remediate them following Remediate Passwords – VMware Cloud Foundation Administration Guide

In case of issues problems with the Password Rotation tool or remediating passwords on SDDC Manager, please file a Service Request with the VMware vCloud Foundation team.

The password remediation process the Locker and Lifecycle Operations Applications are involved.

Locker: creates the password in VMware Aria Suite Lifecycle database and confirms if the password is being used.
Lifecycle Operations: provides the option to sync the inventory, during the inventory sync the request will fail, each it fails is required to select RETRY and select the new password.

The flow of actions required is the following:

Note: Step 4. The number of failures will depend on the number of service accounts to be validated times the number of nodes. In the case of a cluster, the error will preset each time for a different password.

Note: Some screenshots of this article are from vRealize Suite Lifecycle Manager 8.10, therefore, the old branding will be present.

Resolution

Prerequisites

For instructions on resetting the password following the respective product VMware documentation see below:
Reset login failure attempts:

pam_tally2 –user=root --reset
pam_tally2 –user=sshuser --reset

Solution

Validate the password is valid in respective the appliance/UI.
For root and sshuser (vIDM only) validate if there are login attempt failures.
Validate that the password is not expired or about to expire.

If required restart the number of login attempt failures.

pam_tally2 -–user=root --reset
pam_tally2 -–user=sshuser --reset

Run the following command to keep the SSH session active in the appliance(s) and monitor the login attempt failures, this will be helpful in case there is an error when the password in Locker is typed.
```
watch -n 1 "pam_tally2 –user=root"
```
In VMware Aria Suite Lifecycle navigate to Locker > Passwords > Add.
Add the password considering:
1. The Password Alias and Password are mandatories fields, for Datacenter passwords the User Name is mandatory, then click on ADD
2. The Password Description is optional.
As an example, vIDM sshuser and root are added. The passwords are not in use, since they have not been applied to a Product using the Lifecycle Operations application.
Navigate to Lifecycle Operations > Environment, and click on VIEW DETAILS for the product of interest.
Trigger an inventory sync.
Since the password is updated outside of VMware Aria Suite Lifecycle the request will fail. The number of failures will depend on the number of nodes and number of passwords being updated, for example:

On vIDM Cluster if only the root password was updated the inventory Sync will fail 3 times.
On vIDM cluster if the root and sshuser passwords were updated the inventory sync will fail 6 times.
On vIDM one node, if the sshuser and root passwords were updated the inventory sync will fail 2 times.

Each time it fails monitor the username and node that is failing, it should fail only one time per node-username:
Click on RETRY
Select the new Locker Password Alias, and then click on SUBMIT
Repeat steps 10 and 11 as required based on the expected number of failures as explained in step 10.
The inventory Sync will now complete
Results: the new Locker Password Alias should be in use, and the Product environment page should show the new Locker Password Alias.
Validate if there are login failure attempts in the appliance(s) and restart them if required
```
pam_tally2 -–user=root
pam_tally2 -–user=root --reset
```
Delete the old password in Locker, by selecting the vertical ellipsis ⋮ in the last column

Additional Information

Main article

Password management with VMware Aria Suite Lifecycle (vRealize Suite Lifecycle Manager) Locker

Child articles

Changing password KBs

Product	User / Password	KB Link
VMware Aria Automation VMware Aria Automation Config VMware Aria Automation Orchestrator	root	KB 92254
VMware Aria Operations	root admin	KB 92255
VMware Aria Operations for Logs	root admin	KB 92256
VMware Aria Operations for Networks	admin support console user	KB 92257
Aria Suite Lifecycle appliance	root admin@local	KB 92245
Workspace ONE Access	root admin admin (8443)	KB 92258