vSphere 6.5 – vCSA Update Root Password Expiry

This post is applicable to customers using VMware vCenter Server Appliance 6.5.

Problem:

  1. You update your vCSA 6.5 instance to 6.5 U1a.
  2. After the update completes successfully, the root Password Expiry Policy is enabled with a 365-day period, even though it was previously disabled.
  3. This introduces operational risk to your environment: you could be locked out of the root account after a year has elapsed.

Update: VMware has informed me that this is a known issue to be corrected in a future update.

Solution:

  1. Log in to the vCSA VAMI on port 5480.
  2. Select the Administration object on the left and verify that the Password Expiration Settings policy is Enabled with a period of 365 days.
  3. Set the “Root Password Expires” to “No” and press Submit.
  4. Note: if you have an Information Security Policy that requires password expiry, then make sure the “Email for expiration warning” is configured with a monitored account.
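
A shell check for the condition described above, added here as an example and not part of the original post: it reads root's `/etc/shadow` entry and reports whether password ageing is on and how many days remain before lockout. It assumes the VAMI setting is reflected in the max-age field of that entry; the function name `root_expiry_status` and the sample entry are constructed.

```shell
#!/bin/sh
# Report root password ageing from a shadow(5) entry.
# On the appliance shell (as root), assuming the VAMI policy is stored there:
#   root_expiry_status "$(grep '^root:' /etc/shadow)"
# Fields: name:hash:lastchg:min:max:warn:inactive:expire
# lastchg is counted in days since 1970-01-01.

root_expiry_status() {
    entry=$1
    # Second argument overrides "today" (in days since epoch) for testing.
    today=${2:-$(( $(date +%s) / 86400 ))}
    printf '%s\n' "$entry" | awk -F: -v today="$today" '
    {
        lastchg = $3; max = $5; warn = $6
        # Empty, negative or 99999 max age: the password never expires.
        if (max == "" || max + 0 < 0 || max + 0 >= 99999) { print "DISABLED"; exit }
        # Empty lastchg disables ageing; 0 forces a change at next login.
        if (lastchg == "") { print "DISABLED"; exit }
        if (lastchg + 0 == 0) { print "EXPIRED must-change-at-login"; exit }
        left = lastchg + max - today
        if (left < 0)
            print "EXPIRED " (-left) " days ago"
        else if (warn != "" && left <= warn + 0)
            print "WARNING " left " days left (max " max ")"
        else
            print "ENABLED " left " days left (max " max ")"
    }'
}

# Constructed sample: password last changed on day 17400, 365-day policy.
root_expiry_status 'root:$6$constructed$hash:17400:0:365:7:::' 17500
```

Running it before and after an appliance update shows whether the update switched the policy from `DISABLED` to `ENABLED`.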

Background:

I noticed this after I updated from vCSA 6.5 U1 to U1a. I also verified this behaviour updating from vCSA 6.5 GA to U1a. I have not had time to check if every vCSA 6.5 update behaves this way.

2 thoughts on “vSphere 6.5 – vCSA Update Root Password Expiry”

  1. Hey there. Thank you for your post.

    FYI: I have seen this also with the 6.0 VCSA (various patch levels.) This appears to be a weird regression bug that VMware don’t seem to have closed.

  2. Pingback: vSphere 6.5 – vCSA Update Root Password Expiry after updating to 6.5 U1a – vBish
