## Password Management Capabilities Passwords can be automatically rotated for supported accounts directly inside the SDDC Manager - Accounts that can be rotated - vCenter Server - root - service accounts - NSX Manager - NSX Edge - SDDC Manager - VMware Aria Suite Components - Manual password updates needed for - ESXi root - SDDC Manager root accounts - Password Expiration and Complexity Policies - Enforce global policy for expliration - policy for complexity - lockout - Default Settings can be configured via UI or Powershell ## How to Enable automatic Password rotation 1. login to SDDC Manager UI as Admin 2. go to `Security -> Password Management` 3. Select accounts for password rotation enablement - SDDC Manager now applies randomized passwords for the chosen accounts ## Update SDDC Manager Password manually 1. SSH into SDDC Manager using the vcf user 2. switch to root `su -` 3. update password `passwd root` ## Password Policy for Components - Configure password expiration, complexity and lockout policy for thje following components - ESXi - Local user policies inside the advanced settings - vCenter SSO - Update global expiration and complexity rules - NSX Manager and NSX Edge - Use CLI to set password policies - SDDC Manager - Configure using CLI ## Best Practices 1. Auto rotate passwords to comply with organizational security policies 2. Monitoring, can be done using the SDDC Manager 1. track password expirations 2. check for inconsistencies and complexity 3. Avoid Manual Changes 1. Changing passwords outsite of SDDC Manager can cause inconsistencies accross integrations 4. Backup Credentials 1. Use `lookup_passwords` in SDDC Manager to retrieve account credentials when needed ## 🔗Resources