One of the first post-deployment tasks after installing VMware Cloud Foundation (VCF) 9.1 is configuring a password policy to ensure compliance with your organization’s security standards.

While the password policy is successfully applied to most managed accounts, you may notice that the root accounts of the VCF Operations appliance and the VCF Proxy appliance do not follow the configured password expiration policy.
As a result, the expiration date shown in VCF Management remains unchanged, even though a password policy has been configured.
Symptoms
You may observe one or more of the following:
• A password policy is configured successfully in VCF Management.
• Compliance checks complete without errors.
• The root account of the VCF Operations appliance still shows an incorrect or outdated password expiration date.
• The same behavior occurs on the VCF Proxy appliance.
This can be confusing because the password policy appears to be configured correctly, but it is not enforced for these Linux root accounts.
Why Does This Happen?
The password policy configured in VCF does not automatically update the Linux root account password aging settings on the VCF Operations and Proxy appliances.
Instead, these appliances continue to rely on the Linux ‘chage’ configuration to determine when the root password expires.
VMware has documented this behavior and provided a straightforward workaround.
https://knowledge.broadcom.com/external/article/441344/configured-password-policy-is-not-being.html
Resolution
Before making any changes, enable SSH access on the VCF Operations appliance if it is currently disabled.
https://knowledge.broadcom.com/external/article/315976/enabling-ssh-access-in-aria-operations.html
Step 1 – Connect to the VCF Operations Appliance
SSH to the VCF Operations appliance using an administrative account.
ssh admin@<vcf-operations-appliance>
Step 2 – Verify the Current Password Expiration
Run:
sudo chage -l root
Step 3 – Configure the Password Expiration
Configure a 365-day password lifetime:
sudo chage -M 365 root
Step 4 – Verify the Change
Run:
chage -l root
Step 5 – Repeat for the VCF Proxy Appliance
Repeat the same commands on the VCF Proxy appliance, either through SSH (if enabled) or via the VMware console.
Wait for VCF to Update
Notes
The updated password expiration date is not reflected immediately in the VCF Management interface.
VCF periodically refreshes password information, so it may take 10–30 minutes (or longer depending on your environment) before the new expiration date appears.
• This change only affects the Linux root account.
• Verify the setting after appliance upgrades.
• Adjust the password lifetime (90, 180, 365 days, etc.) according to your security policy.
Conclusion
Although VCF 9.1 allows administrators to centrally configure password policies, the Linux root accounts on the VCF Operations and VCF Proxy appliances continue to rely on the local Linux password aging configuration.
Updating the password expiration with the chage command ensures that the root account complies with your organization’s password policy. Once VCF completes its next inventory synchronization, the correct expiration date is displayed in the VCF Management interface.

You must be logged in to post a comment.