
VMware Cloud Foundation

Operations Guide
23 JUL 2024
VMware Cloud Foundation 5.2
VMware Cloud Foundation Operations Guide

You can find the most up-to-date technical documentation on the VMware by Broadcom website at:

https://docs.vmware.com/

VMware by Broadcom
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

© Copyright 2021-2024 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, go to https://www.broadcom.com. All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.

VMware by Broadcom 2
Contents

About VMware Cloud Foundation Operations Guide 6

1 Best Practices for Operating VMware Cloud Foundation 9
Applying Security Policies 9
Monitoring and Alerting 10
Password Operations 11
License Operations 14
Certificate Operations 15
Replace Expired NSX Manager Certificates 18
Replace an Expired vCenter Server Certificate 20
Replace an Expired SDDC Manager Certificate 21
Backup Operations 22
Life Cycle Operations 25

2 Shutdown and Startup of VMware Cloud Foundation 27
Shutting Down VMware Cloud Foundation 27
Shut Down a Virtual Infrastructure Workload Domain 28
Shut Down the NSX Edge Nodes 29
Shut Down the NSX Manager Nodes 30
Shut Down the vSphere Cluster Services Virtual Machines 30
Shut Down vSAN and the ESXi Hosts in a Virtual Infrastructure Workload Domain 31
Shut Down vCenter Server for a Virtual Infrastructure Workload Domain 32
Shut Down a Virtual Infrastructure Workload Domain with vSphere with Tanzu 32
Find Out the Location of the vSphere with Tanzu Virtual Machines on the ESXi Hosts 33
Shut Down the vSphere Cluster Services Virtual Machines 34
Shut Down vCenter Server for a Virtual Infrastructure Workload Domain with vSphere with Tanzu 35
Shut Down the NSX Edge Nodes for vSphere with Tanzu 36
Shut Down the NSX Manager Nodes 36
Shut Down vSAN and the ESXi Hosts in a Virtual Infrastructure Workload Domain with vSphere with Tanzu 37
Shut Down the Management Domain 38
Shut Down the Clustered Workspace ONE Access Virtual Machines 39
Shut Down the VMware Aria Suite Lifecycle Virtual Machine 40
Shut Down the NSX Edge Nodes 40
Shut Down the NSX Manager Nodes 40
Shut Down the SDDC Manager Virtual Machine 41
Shut Down vSphere and vSAN for the Management Domain 41

Starting Up VMware Cloud Foundation 42
Start the Management Domain 43
Start the vSphere and vSAN Components for the Management Domain 44
Start the SDDC Manager Virtual Machine 45
Start the NSX Manager Virtual Machines 46
Start the NSX Edge Nodes 46
Start the VMware Aria Suite Lifecycle Virtual Machine 47
Start the Clustered Workspace ONE Access Virtual Machines 47
Start a Virtual Infrastructure Workload Domain 48
Start vCenter Server for a Virtual Infrastructure Workload Domain 49
Start the ESXi Hosts in a Virtual Infrastructure Workload Domain 49
Restart the vSAN Clusters in a Virtual Infrastructure Workload Domain 49
Start the vSphere Cluster Services 50
Start the NSX Manager Virtual Machines 51
Start the NSX Edge Nodes 52
Start a Virtual Infrastructure Workload Domain with vSphere with Tanzu 52
Start vSAN and ESXi Hosts in a Virtual Infrastructure Workload Domain with vSphere with Tanzu 53
Start vCenter Server for a Virtual Infrastructure Workload Domain with vSphere with Tanzu 55
Start the vSphere Cluster Services for a Virtual Infrastructure Workload Domain with vSphere with Tanzu 56
Start the NSX Manager Virtual Machines 57
Start the NSX Edge Nodes 57

3 Password Policy Configuration for VMware Cloud Foundation 58
Configuring Password Expiration Policies in VMware Cloud Foundation 61
Configure the Local User Password Expiration Policy for ESXi 62
Configure the Password Expiration Policy for vCenter Single Sign-On 63
Configure the Global Password Expiration Policy for vCenter Server 64
Configure the root User Password Expiration Policy for vCenter Server 65
Configure the Local User Password Expiration Policy for NSX Manager 66
Configure the Local User Password Expiration Policy for NSX Edge 67
Configure the Local User Password Expiration Policy for SDDC Manager 69
Configuring Password Complexity Policies in VMware Cloud Foundation 70
Configure the Local User Password Complexity Policy for ESXi 72
Configure the Password Complexity Policy for vCenter Single Sign-On 73
Configure the Local User Password Complexity Policy for vCenter Server 75
Configure the Local User Password Complexity Policy for NSX Manager 77
Configure the Local User Password Complexity Policy for NSX Edge 79
Configure the Local User Password Complexity Policy for SDDC Manager 81
Configuring Account Lockout Policies in VMware Cloud Foundation 83

Configure the Local Account Lockout Policy for ESXi 83
Configure the Account Lockout Policy for vCenter Single Sign-On 85
Configure the root User Account Lockout Policy for vCenter Server 86
Configure the Local User Account Lockout Policy for NSX Manager 87
Configure the Local User Account Lockout Policy for NSX Edge 89
Configure the Local User Account Lockout Policy for SDDC Manager 90

About VMware Cloud Foundation Operations Guide

The VMware Cloud Foundation Operations Guide provides best practices and step-by-step instructions for operating VMware Cloud Foundation™, including full-stack shutdown and startup, and for verifying that the state of VMware Cloud Foundation is intact after a maintenance operation.

This guide covers all software products and workload domain types that are supported by VMware Cloud Foundation, including VMware vSphere® with VMware Tanzu® and VMware Aria Suite Lifecycle™.

You can follow industry best practices when performing operations in a VMware Cloud
Foundation deployment. See Chapter 1 Best Practices for Operating VMware Cloud Foundation.

To maintain component integration and avoid operation faults, you follow the specified order
and steps to shut down and then start up the management components in VMware Cloud
Foundation. See Chapter 2 Shutdown and Startup of VMware Cloud Foundation.

To meet the security and compliance requirements of your organization for your VMware Cloud Foundation environment, including industry compliance standards, you manually configure the password policies of the individual management components in the environment. See Chapter 3 Password Policy Configuration for VMware Cloud Foundation.

Intended Audience

The information in VMware Cloud Foundation Operations Guide is intended for data center cloud administrators and operators who are familiar with:

- Concepts of virtualization and software-defined data centers (SDDCs)
- Networking and concepts such as uplinks, NICs, and IP networks
- Hardware components such as top-of-rack (ToR) switches, inter-rack switches, servers with direct attached storage, cables, and power supplies
- Methods for setting up physical racks in a data center
- Using VMware vSphere® to work with virtual machines.

PowerShell Modules for VMware Cloud Foundation Operations

As an alternative to step-by-step workflows in the product UI, you can perform VMware Cloud
Foundation operations in an automated infrastructure-as-code approach by using open-source
PowerShell modules from VMware.

Table 1-1. PowerShell Modules for VMware Cloud Foundation Operations

Operation type: Shutdown and startup of workload domains
PowerShell module or script: VMware.CloudFoundation.PowerManagement
More information: See the VMware.CloudFoundation.PowerManagement open-source project in GitHub.

Operation type: Password policy configuration of management components
PowerShell module or script: VMware.CloudFoundation.PasswordManagement
More information: See the VMware.CloudFoundation.PasswordManagement open-source project in GitHub.

Operation type: Additional certificate management
PowerShell module or script: VMware.CloudFoundation.CertificateManagement
More information: See the VMware.CloudFoundation.CertificateManagement open-source project in GitHub.

Operation type: PowerShell based interaction with the VMware Cloud Foundation API
PowerShell module or script: PowerVCF
More information: PowerVCF open-source project in GitHub

Operation type: Report-based health monitoring of VMware Cloud Foundation
PowerShell module or script: VMware.CloudFoundation.Reporting
More information: VMware.CloudFoundation.Reporting open-source project in GitHub

Operation type: Automation for VMware Validated Solutions
PowerShell module or script: PowerValidatedSolutions
More information: PowerValidatedSolutions open-source project in GitHub

Operation type: Automation for SDDC Manager bundle management
PowerShell module or script: PowerShell Script for VMware Cloud Foundation Bundle Management
More information: VMware Knowledge Base article 94760

Related VMware Cloud Foundation Publications

The VMware Cloud Foundation 5.2 Release Notes lists the software components, new features, compatibility, and known issues in VMware Cloud Foundation.

You can open these documents from the VMware Cloud Foundation Documentation main page:

- The VMware Cloud Foundation Planning and Preparation Workbook contains the environment specification of your VMware Cloud Foundation deployment. It also provides dynamic sizing guidance.
- The VMware Cloud Foundation Design Guides explain the design principles of and provide best practices for the management component configuration in a VMware Cloud Foundation environment.
- The VMware Cloud Foundation Deployment Guide is intended for data center cloud administrators who deploy a VMware Cloud Foundation system in their organization's data center.

- The VMware Cloud Foundation Administration Guide contains detailed information about how to administer and operate a VMware Cloud Foundation system in your data center.
- The VMware Cloud Foundation Lifecycle Management document describes how to manage the life cycle of a VMware Cloud Foundation environment.
- VMware Validated Solutions provide technical reference for designing and implementing add-on configurations on top of VMware Cloud Foundation that solve a business use case, such as central identity management, workload provisioning, vSphere with Tanzu configuration, and others.

Your VMware Cloud Foundation system includes a stack of VMware software products and
components. You can find the documentation for those software products at VMware Docs.

VMware Cloud Foundation Glossary

The VMware Cloud Foundation Glossary defines terms specific to VMware Cloud Foundation.

1 Best Practices for Operating VMware Cloud Foundation

For flawless and non-disruptive operations, such as password management, backup and restore,
certificate management, and license management, and for optimal performance of your VMware
Cloud Foundation environment, you can follow certain best practices based on industry expertise
and previous successful experiences.

Read the following topics next:

- Applying Security Policies
- Monitoring and Alerting
- Password Operations
- License Operations
- Certificate Operations
- Backup Operations
- Life Cycle Operations

Applying Security Policies

As part of your VMware Cloud Foundation environment deployment and operation, you include
security considerations according to risk assessment, legal requirements, industry best practices,
and the objectives of your organization.

Table 1-1. Example Security Considerations When Operating VMware Cloud Foundation

Area: Telemetry
More information: Join the Customer Experience Improvement Program ("CEIP") to share technical information with VMware about the use of VMware products by your organization. See Configure CEIP in the VMware Cloud Foundation Administration Guide.

Area: Passwords
- Password complexity
- Password expiration
- Account lockout
More information: See Chapter 3 Password Policy Configuration for VMware Cloud Foundation.

Area: Users and roles
- Implement role-based access control.
- Limit the use of local accounts for both interactive or API access, or for solution integration.
- Limit the scope and privileges for accounts used for both interactive or API access, or for solution integration.
- Assign Active Directory security groups to default or custom roles, as applicable, for interactive or API access to solution components based on your organization's business and security requirements.
More information: See Managing Users and Groups in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Area: Certificates
- Certificate authority
- Custom certificates
More information: See Managing Certificates in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.

Area: Backups
- Backup configuration
- Backup schedules
- Backup retention intervals
More information: See Backup and Restore of VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.


Monitoring and Alerting


Monitoring the underlying physical infrastructure, and the management and customer workloads
in VMware Cloud Foundation in real time helps you prevent outages and plan future hardware
needs.

Choose one or more monitoring solutions according to the setup of your environment.

Solution: Intelligent Operations Management for VMware Cloud Foundation
Description: Use VMware Aria Operations for proactive management of system failures by reviewing and acting on events and alerts. Information is collected in the form of structured data (metrics).

Solution: PowerShell Module for VMware Cloud Foundation Reporting
Description: Use the cmdlets in the VMware.CloudFoundation.Reporting PowerShell module to generate insights into the operational state of VMware Cloud Foundation. You can quickly access information from the PowerShell console and generate several types of reports in HTML format.

Solution: Health Reporting and Monitoring for VMware Cloud Foundation
Description: Generate reports in HTML format, and use custom dashboards, alerts, and notifications in VMware Aria Operations to monitor the health of your environment.

Solution: Intelligent Network Visibility for VMware Cloud Foundation
Description: Use VMware Aria Operations for Networks for network visibility and analytics to improve micro-segmentation security, minimize risk during application migration, optimize network performance, and manage and scale NSX and Kubernetes deployments.

Password Operations

Certain measures enhance the security setup of your VMware Cloud Foundation environment.

- Monitoring passwords ensures compliance, access control, and risk mitigation in your VMware Cloud Foundation environment.
- Password policies, including complexity, expiration, and account lockout, enforce secure practices.
- Password complexity requirements enhance password strength, expiration prompts regular updates, and account lockout prevents unauthorized access attempts.

Table 1-2. Best Practices for Password Operations in VMware Cloud Foundation

Operation: Set or update password policies.
When or how often:
- After management domain deployment.
- After VI workload domain deployment.
- After adding a vSphere cluster.
- After expanding a vSphere cluster.
- If the password policies of your organization are updated.
Description: Configure password policies of the management components of VMware Cloud Foundation manually for each component or in an automated way by using the VMware.CloudFoundation.PasswordManagement PowerShell module. See Chapter 3 Password Policy Configuration for VMware Cloud Foundation. For password policy configuration of products that are not part of the VMware Cloud Foundation automation, follow their product documentation.

Operation: Monitor account password expiration.
When or how often: Once a week or according to the policy of your organization.
Description: The SDDC Manager UI shows a notification for account passwords managed by SDDC Manager that are expiring in the next 14 days.

To monitor the account passwords managed by SDDC Manager by using custom dashboards, alerts, and notifications in VMware Aria Operations, use the open-source Python module for VMware Cloud Foundation health monitoring. See the Health Reporting and Monitoring for VMware Cloud Foundation validated solution.

To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module.

Operation: Enable account password auto-rotation (schedule rotation).
When or how often:
- After management domain deployment.
- After VI workload domain deployment.
Description: To enable password auto-rotation for an account in a management component, use the SDDC Manager UI. See Rotate Passwords in the VMware Cloud Foundation Administration Guide.

To automate enabling auto-rotation for an account, use the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.

You can integrate a third-party or custom utility that uses the VMware Cloud Foundation API for password rotation. See Credentials in the VMware Cloud Foundation API reference documentation.

Operation: Rotate or update an account password.
When or how often:
- Before the account password expires.
- Over a regular interval.
- Upon an event.
- When the policies of your organization are changed.
- When a privileged user is leaving the organization.
Description: The following options for password rotation exist:
- Rotate passwords for accounts in the components managed by SDDC Manager. SDDC Manager sets a randomly generated password according to the password complexity it supports. See Rotate Passwords in the VMware Cloud Foundation Administration Guide.
- Update the passwords of accounts in the SDDC Manager appliance and local account (API) passwords. See Updating SDDC Manager Passwords in the VMware Cloud Foundation Administration Guide.

To automate the rotation of account passwords, use the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.

To automate the rotation of account passwords by using PowerShell, use the Get-VCFCredential and Set-VCFCredential cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Operation: Remediate an account password.
When or how often: If a password has expired.
Description: To remediate a password, use the SDDC Manager UI. See Remediate Passwords in the VMware Cloud Foundation Administration Guide.

Caution: If you try to rotate an expired password, the task might fail. You must cancel or resolve and retry the failed password management tasks in the SDDC Manager UI.

You can automate password remediation by using the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.

To automate password remediation by using PowerShell, use the Get-VCFCredential and Set-VCFCredential cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Operation: Look up account credentials.
When or how often: If you must log in using an account managed by SDDC Manager.
Description: To look up account credentials manually, use the lookup_passwords command in the SDDC Manager appliance. See Look Up Account Credentials in the VMware Cloud Foundation Administration Guide.

You can automate password retrieval by using the VMware Cloud Foundation API. See Credentials in the VMware Cloud Foundation API reference documentation.

To automate credential retrieval by using PowerShell, use the Get-VCFCredential cmdlet in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Operation: Reset a password.
When or how often: If a lost account password cannot be retrieved from SDDC Manager or other secure storage.
Description: See the following documentation:
- Resetting SDDC Manager root Password
- Resetting vCenter Server Appliance root Password
- Resetting a vCenter Single Sign-On Passwords
- Resetting NSX Manager or NSX Edge Passwords
If the account password is managed by SDDC Manager, after the reset operation is complete, follow the guidelines for remediating passwords in this table.

Important: You cannot reset a lost ESXi root password. You must remove the ESXi host from the SDDC Manager inventory and reinstall ESXi.

Caution If a password management operation in SDDC Manager fails, you see a message on the
Security > Password Management page. Such a failed operation might have a lock that impacts
other operations in SDDC Manager. To release the lock, click Cancel in the message dialog box,
or resolve the issue and click Retry.
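To turn the weekly expiry check and the caution above into something a monitoring job can act on, here is an added Python example (not code from this guide or from VMware's modules) that triages managed account passwords by remaining lifetime and separates the ones that must be remediated (already expired) from the ones that can still be rotated. The record layout, FQDNs, user names and dates are constructed for the example; a real job would fill them from the VMware Cloud Foundation Credentials API or Get-VCFCredential.

```python
"""Triage SDDC Manager-managed account passwords by remaining lifetime.

Added example, not code from the VMware guide or the PowerVCF module. The record
layout and all sample values are constructed; fill them from the VCF Credentials
API or Get-VCFCredential in a real job.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# The guide states that SDDC Manager notifies about passwords expiring in the next 14 days.
WARNING_WINDOW_DAYS = 14


@dataclass(frozen=True)
class Credential:
    resource: str         # FQDN of the managed component
    username: str
    credential_type: str  # for example "SSH" or "API"
    rotated_on: date      # date of the last rotation or remediation
    max_age_days: int     # expiration policy configured on the component


def expires_on(cred: Credential) -> date:
    """Date on which the component's expiration policy invalidates the password."""
    return cred.rotated_on + timedelta(days=cred.max_age_days)


def required_action(cred: Credential, today: date) -> str:
    """Map a credential to the operation the guide prescribes.

    "remediate": already expired. Rotating an expired password may fail and leave
                 a lock on other password tasks, so use Remediate Passwords instead.
    "rotate":    expires within the warning window; rotate it before it expires.
    "ok":        outside the window, nothing to do this week.
    """
    remaining = (expires_on(cred) - today).days
    if remaining < 0:
        return "remediate"
    if remaining <= WARNING_WINDOW_DAYS:
        return "rotate"
    return "ok"


def parse_record(rec: dict) -> Credential:
    """Build a Credential from a JSON-like record (layout constructed for this example)."""
    return Credential(
        resource=rec["resource"],
        username=rec["username"],
        credential_type=rec["credentialType"],
        rotated_on=date.fromisoformat(rec["rotatedOn"]),
        max_age_days=int(rec["maxAgeDays"]),
    )


def triage(records, today: date) -> dict:
    """Group records by action; within each group the soonest expiry comes first."""
    groups = {"remediate": [], "rotate": [], "ok": []}
    for cred in sorted(map(parse_record, records), key=expires_on):
        groups[required_action(cred, today)].append(f"{cred.username}@{cred.resource}")
    return groups


# Constructed sample export: FQDNs follow the guide's example naming, dates are invented.
SAMPLE_RECORDS = [
    {"resource": "sddc-manager.vrack.vsphere.local", "username": "vcf",
     "credentialType": "SSH", "rotatedOn": "2024-05-01", "maxAgeDays": 90},
    {"resource": "nsx-wld-01.vrack.vsphere.local", "username": "admin",
     "credentialType": "API", "rotatedOn": "2024-03-01", "maxAgeDays": 90},
    {"resource": "esxi-1.vrack.vsphere.local", "username": "root",
     "credentialType": "SSH", "rotatedOn": "2024-07-01", "maxAgeDays": 90},
    {"resource": "vcenter-wld-01.vrack.vsphere.local", "username": "root",
     "credentialType": "SSH", "rotatedOn": "2024-07-09", "maxAgeDays": 14},
]


def sample_report(today_iso: str = "2024-07-23") -> dict:
    """Run the triage over the constructed sample as of the given day."""
    return triage(SAMPLE_RECORDS, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for action, names in sample_report().items():
        print(f"{action}: {', '.join(names) or '-'}")
```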

License Operations
When deploying management components, VMware Cloud Foundation requires access to valid
license keys. You add license keys to the SDDC Manager inventory so that they can be
consumed at deployment time, but they are not synchronized between SDDC Manager and the
underlying components.

Table 1-3. Best Practices for License Operations in VMware Cloud Foundation

Operation: Add licenses.
When or how often: Insufficient license capacity for expanding an environment.
Description: To add license keys manually, use the SDDC Manager UI. See Managing License Keys in the VMware Cloud Foundation Administration Guide.

You can automate adding license keys by using the VMware Cloud Foundation API. See License Keys in the VMware Cloud Foundation API reference documentation.

To automate adding license keys by using PowerShell, use the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Operation: Replace expired licenses.
When or how often: A license has expired or is expiring.
Description: You must update or delete the license key. You have the same management options as when adding licenses.

Operation: Replace existing licenses.
When or how often: You upgrade product licenses to a higher edition.
Description: You must update the license keys. You have the same management options as when adding licenses.

Operation: Monitor licenses.
When or how often: Once a week.
Description: The SDDC Manager UI shows an alert if a license is expiring in the next 30 days. SDDC Manager pulls license information from managed products to determine if they are using a license that is in the SDDC Manager inventory. The SDDC Manager UI shows license usage on the Administration > Licensing page.

Certificate Operations
By actively managing certificates in VMware Cloud Foundation, organizations can maintain
secure communication, establish trust, protect sensitive data, meet compliance requirements,
and respond effectively to certificate-related incidents or vulnerabilities.

Table 1-4. Best Practices for Certificate Operations in VMware Cloud Foundation

Operation: Replace self-signed certificates.
When or how often:
- After management domain deployment.
- After VI workload domain deployment by using SDDC Manager.
Description:
- To manage custom certificates for most management components, use the SDDC Manager UI. See Managing Certificates in the VMware Cloud Foundation Administration Guide.
- You can automate certificate management by using the VMware Cloud Foundation API. See Certificates in the VMware Cloud Foundation API reference documentation.
- To automate certificate management by using PowerShell, use the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.
You can upload custom certificates to ESXi hosts manually on each host or in an automated way by using the VMware.CloudFoundation.CertificateManagement PowerShell module. See #unique_10.

Note:
- If you have deployed the management domain on ESXi hosts with external certificates, use ESXi hosts with custom certificates for the whole environment.
- If you have switched to using ESXi hosts with external certificates in the management domain, all ESXi hosts in new workload domains must use external certificates.
- If you replaced the certificate for a VMware Cloud Foundation component outside of SDDC Manager, add the certificate to the SDDC Manager trust store. See Managing Certificates in the VMware Cloud Foundation Administration Guide.

Operation: Replace signed certificates from a trusted certificate authority.
When or how often:
- After management domain deployment.
- After VI workload domain deployment.
- The key length must be modified.
- A certificate has expired or its expiration date is close.
- The certificate authority or the private key has been compromised.
- A certificate has been revoked by the issuing certificate authority.
Description: Follow the same guidelines as when replacing self-signed certificates.

Operation: Identify expiring certificates.
When or how often: At least once a month.
Description: The SDDC Manager UI shows an alert if a certificate is expiring.

To monitor the expiring certificates managed by SDDC Manager by using custom dashboards, alerts, and notifications in VMware Aria Operations, use the open-source Python module for VMware Cloud Foundation health monitoring. See the Health Reporting and Monitoring for VMware Cloud Foundation validated solution.

To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module.

Operation: Replace expired certificates.
When or how often: The certificate of a management component that is managed by SDDC Manager has expired.
Description: For step-by-step information about replacing expired certificates managed by SDDC Manager, see below. For information about replacing expired certificates of management components not included in the SDDC Manager automation, see the relevant product documentation.

Order of Replacing Expired Certificates for a Workload Domain

If the certificates of multiple management components have expired, replace them in a certain order.

1 Replace Expired NSX Manager Certificates.

Skip installing CA-signed certificates for NSX Manager by using SDDC Manager.

2 Replace an Expired vCenter Server Certificate.

Skip installing a CA-signed certificate for vCenter Server by using SDDC Manager.

3 If you are replacing expired certificates in the management domain, Replace an Expired SDDC Manager Certificate.

4 After you have all temporary certificates ready to be replaced with CA-signed ones, use the SDDC Manager UI to replace the certificates for NSX Manager and vCenter Server with CA-signed ones.

Replace Expired NSX Manager Certificates

In VMware Cloud Foundation, you temporarily replace an expired SSL certificate of the NSX Manager cluster or an individual NSX Manager node for a workload domain with a self-signed certificate generated by NSX Manager. Then, you add the self-signed certificate to the SDDC Manager trust store.

1 Log in to the NSX Manager cluster at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.

Add a certificate exception to your Web browser if the certificate of the NSX Manager cluster
FQDN has expired.

2 Identify the expired certificates.

a In the navigation bar, click System.

b In the left pane, under Settings, click Certificates.

c On the Certificates tab, check the Validity column.

3 Generate self-signed certificates for the NSX Manager entities with expired certificates.

a On the Certificates tab, select Generate > Self Signed Certificate.

b Enter the CSR information and click Save.

Common Name: Enter the fully qualified domain name (FQDN) of the node. For example, nsx-wld-01.vrack.vsphere.local.

Name: Assign a name for the certificate. For example, nsx-wld-01.vrack.vsphere.local.

Organization Unit: Enter the department in your organization that is handling this certificate. For example, VMware Engineering.

Organization Name: Enter your organization name with applicable suffixes. For example, VMware.

Locality: Add the city in which your organization is located. For example, Palo Alto.

State: Add the state in which your organization is located. For example, California.

Country/Region: Add your organization location. For example, United States (US).

Algorithm: Set the encryption algorithm for your certificate. For example, RSA.

Key Size: Set the key bits size of the encryption algorithm. For example, 2048.

Service Certificate: To use the certificate with an NSX Manager appliance, toggle to No.

Number of days: Enter the validity of the certificate starting from today.

Description: Enter specific details to help you identify this certificate at a later date.

c Click Save.

d Repeat the steps for all remaining NSX Manager entities whose certificates have expired.

4 Apply the self-signed certificates to the NSX Manager entities.

a On the Certificates tab, locate and copy the ID of the certificate for the NSX Manager
entity.

b From a system that supports the curl command and has access to the NSX Manager
nodes, such as the vCenter Server or SDDC Manager appliance, run the following
command to install the self-signed certificate on the NSX Manager cluster or an NSX
Manager node.

You run the command on the cluster or on the individual node.

Use the certificate ID you copied from the NSX Manager UI.

NSX Manager entity with expired certificate: NSX Manager cluster
Certificate replacement command:

    curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<nsx_manager_cluster_fqdn>/api/v1/trust-management/certificates/<certificate-id>?action=apply_certificate&service_type=MGMT_CLUSTER'

NSX Manager entity with expired certificate: NSX Manager node
Certificate replacement command:

    curl -H 'Accept: application/json' -H 'Content-Type: application/json' --insecure -u 'admin:<nsx_admin_password>' -X POST 'https://<nsx_manager_node_fqdn>/api/v1/node/services/http?action=apply_certificate&certificate_id=<certificate_id>'

The curl command completes without an output message.

c Repeat the steps for all remaining NSX Manager nodes with expired certificates.

5 Add the self-signed NSX Manager certificates to the trust store of SDDC Manager.

a Log in to SDDC Manager at https://<sddc_manager_fqdn> as administrator@vsphere.local.

b In the navigation pane, click Inventory > Workload Domains.

c On the Workload Domains page, click the workload domain the NSX Manager cluster or
nodes are part of.

d On the workload domain summary page, click the Certificates tab.

You see a status message that the certificates of the NSX Manager nodes and cluster are
not trusted.

e For a self-signed certificate, click review in the status message, review the certificate
details and verify that the thumbprint matches the thumbprint of the self-signed
certificate for the node.

f After reviewing a self-signed certificate, click Trust Certificate.

g Review and mark as trusted the remaining self-signed NSX Manager certificates.

6 After all certificates for NSX Manager become active, install CA-signed certificates for all
FQDNs related to NSX Manager.

See Managing Certificates in the VMware Cloud Foundation Administration Guide.

7 (Optional) Remove the self-signed certificates from the trust store of SDDC Manager after
you replace them with a CA-signed one.

See Remove Old or Unused Certificates from SDDC Manager in the VMware Cloud
Foundation Administration Guide.

8 Remove the expired and self-signed certificates from NSX Manager after you have applied
CA-signed ones.
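The following PowerShell script is an added example and is not part of the VMware guide. It performs step 4 with the same two API calls as the curl commands above, applying the self-signed certificate to the cluster VIP and then to each node, and then checks what each endpoint actually serves by comparing SHA-256 fingerprints, which is the check you would otherwise do by eye in step 5. The FQDNs, the certificate ID and the placeholder password prompt are assumptions; it requires PowerShell 7 for -SkipCertificateCheck.

```powershell
# Added example, not from the VMware guide. Applies a self-signed NSX Manager
# certificate to the cluster VIP and to each node, then verifies that every
# endpoint serves it. All names below are placeholders (assumptions).

$ClusterFqdn   = 'nsx-cluster.example.com'                                      # assumption
$NodeFqdns     = 'nsx-a.example.com', 'nsx-b.example.com', 'nsx-c.example.com'  # assumption
$CertificateId = '00000000-0000-0000-0000-000000000000'                         # ID copied from the NSX UI
$Password      = Read-Host -AsSecureString -Prompt 'NSX admin password'        # keep it off the command line

$plain   = [System.Net.NetworkCredential]::new('', $Password).Password
$Headers = @{
    Accept         = 'application/json'
    'Content-Type' = 'application/json'
    Authorization  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("admin:$plain"))
}

function Invoke-NsxApi {
    param([string]$Fqdn, [string]$Path, [string]$Method = 'GET')
    # TLS validation is skipped only because the node still presents an expired or
    # self-signed certificate; the fingerprint comparison below closes that gap.
    Invoke-RestMethod -Uri "https://$Fqdn$Path" -Method $Method -Headers $Headers -SkipCertificateCheck
}

function Get-Sha256Fingerprint {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $hex = $Cert.GetCertHashString([System.Security.Cryptography.HashAlgorithmName]::SHA256)
    return ($hex -replace '(..)(?!$)', '$1:')   # AB:CD:... as shown in the NSX and SDDC Manager UIs
}

function Get-ServedCertificate {
    # Open a TLS session and return whatever certificate the endpoint presents,
    # accepting it unvalidated so that an expired certificate can still be inspected.
    param([string]$Fqdn, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($Fqdn, $Port)
    try {
        $trustAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $trustAll)
        $ssl.AuthenticateAsClient($Fqdn)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $tcp.Dispose()
    }
}

# 1. Read the certificate object back from NSX and compute the fingerprint we expect to see.
$nsxCert  = Invoke-NsxApi -Fqdn $ClusterFqdn -Path "/api/v1/trust-management/certificates/$CertificateId"
$firstPem = ($nsxCert.pem_encoded -split '-----END CERTIFICATE-----')[0]   # pem_encoded may carry a chain
$der      = [Convert]::FromBase64String(($firstPem -replace '-----BEGIN CERTIFICATE-----', '' -replace '\s', ''))
$expected = Get-Sha256Fingerprint ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der))
Write-Host "Expected SHA-256 fingerprint: $expected"

# 2. Apply to the cluster VIP, then to each node. Both calls return no body on success.
Invoke-NsxApi -Fqdn $ClusterFqdn -Method POST `
    -Path "/api/v1/trust-management/certificates/$CertificateId?action=apply_certificate&service_type=MGMT_CLUSTER" | Out-Null
foreach ($node in $NodeFqdns) {
    Invoke-NsxApi -Fqdn $node -Method POST `
        -Path "/api/v1/node/services/http?action=apply_certificate&certificate_id=$CertificateId" | Out-Null
}

# 3. Verify. The HTTP service restarts after the apply, so retry for up to two minutes per endpoint.
$failed = @()
foreach ($fqdn in (@($ClusterFqdn) + $NodeFqdns)) {
    $served = $null
    for ($attempt = 0; $attempt -lt 12 -and -not $served; $attempt++) {
        try { $served = Get-Sha256Fingerprint (Get-ServedCertificate -Fqdn $fqdn) } catch { Start-Sleep -Seconds 10 }
    }
    if ($served -eq $expected) { Write-Host "OK       $fqdn" }
    else { Write-Warning "MISMATCH $fqdn serves $served"; $failed += $fqdn }
}
if ($failed) { throw "Certificate not active on: $($failed -join ', ')" }
```

The fingerprint printed at the start is the one to compare against when SDDC Manager asks you to review the certificate in step 5; if an endpoint keeps reporting a mismatch after the retries, its HTTP service did not pick up the new certificate and the apply call for that node should be repeated.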

Replace an Expired vCenter Server Certificate


In VMware Cloud Foundation, you temporarily replace an expired certificate of a workload
domain vCenter Server with a VMCA-signed one by using the vSphere Certificate Manager utility.

1 Log in to vCenter Server as root by using a Secure Shell (SSH) client.

2 To switch to the Bash shell, run the shell command.

3 Start the vSphere Certificate Manager by running the following command.

/usr/lib/vmware-vmca/bin/certificate-manager

4 Select option 3, Replace Machine SSL certificate with VMCA Certificate.

5 Enter the administrator@vsphere.local credentials.

6 If you are replacing the vCenter Server certificate with a new VMCA-signed certificate for
the first time, enter the properties of the VMCA-signed certificate and confirm continuing the
operation.

n Two-letter country code

n Company name

n Organization name

n Organization unit


n State

n Locality

n IP address (optional)

n Email address

n Host name, that is, the fully qualified domain name of the vCenter Server machine on
which you want to replace the certificate. If the host name does not match the FQDN,
certificate replacement does not complete correctly and your workload domain might
end up in an unstable state.

n VMCA name, that is, the fully qualified domain name of the vCenter Server machine on
which the certificate configuration is running.

The VMCA-signed certificate properties are stored in the /usr/lib/vmware-vmca/share/config/certool.cfg file.

Wait until the operation is complete.

7 If you have previously generated a VMCA-signed certificate on this workload domain vCenter
Server and a certool.cfg file is available, do not reconfigure the certool.cfg file and
confirm continuing the operation.

Wait until the operation is complete.

8 Verify the status of the vCenter Server instance in SDDC Manager.

a Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the


Admin role.

b In the navigation pane, click Inventory > Workload Domains.

c On the Workload Domains page, click the workload domain that the vCenter Server
instance is part of.

d On the workload domain summary page, click the Certificates tab.

e Verify that the status of the vCenter Server certificate is active.

9 Install a CA-signed certificate for the vCenter Server instance in SDDC Manager.

See Managing Certificates in the VMware Cloud Foundation Administration Guide.

Replace an Expired SDDC Manager Certificate


You replace an expired SDDC Manager certificate by using SDDC Manager.

1 Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the Admin
role.

Because the certificate of SDDC Manager has expired, your Web browser blocks the
connection. Add a certificate exception after you verify that the presented certificate,
for example by its thumbprint, is the one that belongs to your SDDC Manager.

2 In the navigation pane, click Inventory > Workload Domains.


3 On the Workload Domains page, click the management domain.

4 On the workload domain summary page, click the Certificates tab.

5 Replace the SDDC Manager certificate.


See Managing Certificates in the VMware Cloud Foundation Administration Guide.

Backup Operations
Managing backups of the management components of VMware Cloud Foundation regularly
provides data protection, facilitates disaster recovery, enhances security and compliance, and
supports system updates.

Table 1-5. Best Practices for Backup Operations in VMware Cloud Foundation

Operation: Configure a location and a schedule of an external backup.
When or how often:
n After management domain deployment.
n After VI workload domain deployment.
Description: See the following information in the VMware Cloud Foundation Administration Guide:
n After you deploy the management domain of VMware Cloud Foundation, Reconfigure SFTP Backups for SDDC Manager and NSX Manager.
n After you deploy the management domain or a VI workload domain, Configure a Backup Schedule for vCenter Server.
For NSX Manager backups, see NSX Manager Backup Configuration.
You can automate the backup configuration of SDDC Manager and NSX Local Manager by using the VMware Cloud Foundation API. See Backup and Restore in the VMware Cloud Foundation API reference documentation.
To automate configuring the backup location and schedule of SDDC Manager and NSX Local Manager by using PowerShell, use the Get-VCFBackupConfiguration and Set-VCFBackupConfiguration cmdlets in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Operation: Configure NSX Manager backup retention.
When or how often:
n After management domain deployment.
n If the backup retention policy of your organization has changed.
Description: NSX does not support a native option to configure a backup retention policy. To manage retention of the backups with a script, see Remove Old Backups in the NSX Administration Guide.
The retention applies to the backup location configured in SDDC Manager. You configure the script only once per VMware Cloud Foundation environment. It then applies to all NSX Manager backups.

Operation: Run an on-demand backup.
When or how often:
n After a successful recovery operation.
n After resolving asynchronously reported errors in SDDC components.
n After resolving an incomplete workflow in SDDC Manager.
n After noting the failure of a scheduled backup of an SDDC component.
n Before performing a system upgrade.
Description: See Running On-Demand Backups.
You can automate an on-demand backup of SDDC Manager by using the VMware Cloud Foundation API. See Backup and Restore in the VMware Cloud Foundation API reference documentation.
To automate an on-demand backup of SDDC Manager by using PowerShell, use the Start-VCFBackup cmdlet in the open-source PowerShell Module for VMware Cloud Foundation. See PowerShell Module for VMware Cloud Foundation.

Operation: Verify backups.
When or how often: At least once a week.
Description: Manual workflows:
n On the Administration > Backup page in the SDDC Manager UI, check Last Backup Status.
n In the vCenter Server Management Interface at https://<vcenter-fqdn>:5480/, go to Backup and check Activity for the date of the last successful backup.
n In the NSX Manager UI, on the System tab, go to Backup & Restore and check Last Backup Status and Backup History.
To generate a point-in-time health report for your VMware Cloud Foundation environment, use the open-source PowerShell module for VMware Cloud Foundation health reporting. See Generating a Health Report in the documentation of the module. You can also use the following cmdlets:
n Request-SddcManagerBackupStatus
n Request-VcenterBackupStatus
n Request-NsxtManagerBackupStatus
NSX Manager Backup Configuration


Follow additional guidelines when managing NSX Manager backups in VMware Cloud Foundation.

n NSX does not offer an option to configure a backup retention policy. To manage retention of
the backups with a script, see Remove Old Backups in the NSX Administration Guide.

n NSX Global Managers are not managed by SDDC Manager. You must configure the backup
for the NSX Global Manager manually. See Configure Backups in the NSX Administration
Guide. To reuse the same backup retention policy, configure the backups to use the same
SFTP destination as in SDDC Manager.

n When the backup settings are configured in SDDC Manager, all NSX Local Managers are
configured to back up in a common location.

n When the backup settings are configured in SDDC Manager, the NSX Local Managers that
might be deployed when a workload domain is created are configured to back up data in the
location and with the schedule defined in SDDC Manager.

n In the NSX Manager UI, you see backups from different NSX Manager nodes in the Backup
History. This is expected.


n By default, SDDC Manager configures the NSX Local Managers to back up once every
hour. If you want to change the backup schedule or enable automatic backups when the
configuration changes, perform these steps:

a Log in to the NSX Local Manager cluster at https://<nsx_manager_cluster_fqdn>
with a user assigned the Enterprise Administrator role.

b On the System tab, click Backup & Restore and click Edit in Schedule section.

Note If an active backup task is in progress, this option is grayed-out.

c Modify the Frequency setting to match your backup schedule.

d Optional. Turn on Detect NSX configuration change and set the Update Interval to
check for configuration changes every hour.

e Click Save.

Running On-Demand Backups

Management component: SDDC Manager
1 Log in to SDDC Manager at https://<sddc_manager_fqdn> as administrator@vsphere.local.
2 In the navigation pane, click Administration > Backup and click Backup Now.
Wait until the task is complete.

Management component: vCenter Server
n For a full vCenter Server backup, see Manually Back Up vCenter Server in the VMware Cloud Foundation Administration Guide.
n A vCenter Server backup includes the configuration of the entire vCenter Server instance. To back up only the configuration of a vSphere Distributed Switch and its distributed port groups, you export a configuration file that includes the validated network configurations. If you want to recover only the vSphere Distributed Switch, you can import this configuration file into the vCenter Server instance. See Export the Configuration of the vSphere Distributed Switches in the VMware Cloud Foundation Administration Guide.

Management component: NSX Manager
1 Log in to the NSX Local Manager cluster at https://<nsx_manager_cluster_fqdn> with a user assigned the Enterprise Administrator role.
2 On the System tab, click Backup & Restore and click Start Backup.
Wait until the task is complete.
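The following PowerShell script is an added example and is not part of the VMware guide. It automates the NSX Manager on-demand backup above and the weekly "verify backups" check from Table 1-5: it starts a backup through the NSX API, waits for it to finish, checks that the newest successful cluster backup is recent, and reads the last vCenter Server backup job from the appliance API. The FQDNs, the 25-hour freshness threshold and the credentials prompts are assumptions. The endpoints (NSX: POST /api/v1/cluster/backups?action=backup_to_remote and GET /api/v1/cluster/backups/overview; vCenter Server: POST /api/session and GET /api/appliance/recovery/backup/job/details) are documented APIs, but the response field names used here should be checked against the API reference for your version. Requires PowerShell 7.

```powershell
# Added example, not from the VMware guide. Triggers an NSX Manager backup,
# waits for it, and checks NSX and vCenter Server backup freshness.
# Names, thresholds and response field names below are assumptions to verify.

$NsxClusterFqdn = 'nsx-cluster.example.com'   # assumption
$VcenterFqdn    = 'vc.example.com'            # assumption
$MaxAge         = [TimeSpan]::FromHours(25)   # assumption: newest good backup must be younger than this

function New-BasicAuthHeaders {
    param([string]$User, [securestring]$Password)
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    return @{
        Authorization  = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("${User}:$plain"))
        Accept         = 'application/json'
        'Content-Type' = 'application/json'
    }
}

$nsxHeaders = New-BasicAuthHeaders -User 'admin' -Password (Read-Host -AsSecureString -Prompt 'NSX admin password')
$nsx = "https://$NsxClusterFqdn"

# 1. Trigger the backup and remember when, so the new backup can be told apart from older ones.
$triggered = [DateTimeOffset]::UtcNow
Invoke-RestMethod -Uri "$nsx/api/v1/cluster/backups?action=backup_to_remote" -Method POST `
    -Headers $nsxHeaders -SkipCertificateCheck | Out-Null

# 2. Poll the backup overview until a cluster backup that ended after $triggered shows up, or time out.
function Get-NewestClusterBackup {
    $ov = Invoke-RestMethod -Uri "$nsx/api/v1/cluster/backups/overview" -Method GET -Headers $nsxHeaders -SkipCertificateCheck
    # assumption: cluster_backup_statuses entries carry backup_id, success, end_time (epoch ms)
    $ov.backup_operation_history.cluster_backup_statuses | Sort-Object end_time -Descending | Select-Object -First 1
}
$deadline = (Get-Date).AddMinutes(15)
do {
    Start-Sleep -Seconds 15
    $newest = Get-NewestClusterBackup
    $ended  = if ($newest) { [DateTimeOffset]::FromUnixTimeMilliseconds($newest.end_time) } else { $null }
} until (($ended -and $ended -gt $triggered) -or (Get-Date) -gt $deadline)

if (-not $ended -or $ended -le $triggered) { throw 'On-demand NSX backup did not complete within 15 minutes' }
if (-not $newest.success) { throw "NSX cluster backup failed: $($newest.error_code) $($newest.error_message)" }
Write-Host "NSX cluster backup $($newest.backup_id) succeeded at $ended"

# 3. Freshness check, usable on its own for the weekly verification.
if (([DateTimeOffset]::UtcNow - $ended) -gt $MaxAge) { Write-Warning "Newest NSX backup is older than $MaxAge" }

# 4. vCenter Server: open an appliance API session and find the newest backup job.
$vcHeaders = New-BasicAuthHeaders -User 'administrator@vsphere.local' `
    -Password (Read-Host -AsSecureString -Prompt 'vCenter Server SSO administrator password')
$token = Invoke-RestMethod -Uri "https://$VcenterFqdn/api/session" -Method POST -Headers $vcHeaders -SkipCertificateCheck
$jobs  = Invoke-RestMethod -Uri "https://$VcenterFqdn/api/appliance/recovery/backup/job/details" -Method GET `
    -Headers @{ 'vmware-api-session-id' = $token } -SkipCertificateCheck
# assumption: the response is an object keyed by job ID, each with status, start_time and end_time
$lastVc = $jobs.PSObject.Properties.Value | Sort-Object { [DateTime]$_.start_time } -Descending | Select-Object -First 1
if (-not $lastVc) {
    Write-Warning 'No vCenter Server backup jobs found'
} elseif ($lastVc.status -ne 'SUCCEEDED' -or ([DateTimeOffset]::UtcNow - [DateTimeOffset]$lastVc.end_time) -gt $MaxAge) {
    Write-Warning "Last vCenter Server backup: $($lastVc.status) at $($lastVc.end_time)"
} else {
    Write-Host "vCenter Server backup $($lastVc.status) at $($lastVc.end_time)"
}
```

Run it before an upgrade to get a fresh NSX backup and a clear go or no-go on vCenter Server backups at the same time; the SDDC Manager backup itself is covered by Start-VCFBackup from the PowerShell Module for VMware Cloud Foundation, which Table 1-5 already references.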

Life Cycle Operations


Updating to a later VMware Cloud Foundation version or applying a patch release brings fixes for
important security issues and new features to your environment. Efficient bundle management also
reduces the time and the number of errors during the upgrade process.


Table 1-6. Best Practices for Life Cycle Operations in VMware Cloud Foundation

Operation: Upgrade or update.
When or how often:
n The later version contains important issue fixes.
n The later version introduces a new feature that you want to explore.
n The version that you are running will be out of support soon.
Description: As a best practice, you run the latest software version to get the latest bug fixes and security patches or more features.
Before upgrading, check that all third-party integrations are compatible with the Bill of Materials (BoM) of the target version. For more information about upgrading VMware Cloud Foundation, see VMware Cloud Foundation Lifecycle Management.
You can use the following options for managing upgrade bundles:
n To manage upgrade bundles for VMware Cloud Foundation step-by-step, use the SDDC Manager UI. See Managing Installation and Upgrade Bundles in VMware Cloud Foundation in the VMware Cloud Foundation Administration Guide.
n You can automate upgrade bundle management by using the VMware Cloud Foundation API. See Bundles.
n To automate bundle management by using a PowerShell-based script, see VMware knowledge base article 94760.
n To delete bundles that are obsolete or that you do not need anymore, use the Bundle Cleanup Utility. See VMware knowledge base article 75050.

Operation: Apply patches.
When or how often:
n A VMware Security Advisory on a security vulnerability in the VMware Cloud Foundation version that you are using is published.
n An issue that has been reported to VMware Support is fixed and distributed as a patch release.
Description:
n To apply critical patches to specific products, such as NSX Manager, vCenter Server, or ESXi, independently of VMware Cloud Foundation releases, use the Async Patch Tool. See the Async Patch Tool documentation.
n The VMware Security Advisories (VMSA) document contains remediation for security vulnerabilities that are reported in VMware products. Sign up for updates from VMSA and review new or changed advisories for issues that could affect your environment.

2 Shutdown and Startup of VMware Cloud Foundation
Shutting down VMware Cloud Foundation, for example, during hardware or power maintenance,
and then starting it up must be done in a way that prevents data loss or appliance malfunction,
and supports collection of troubleshooting data.

You follow a strict order and steps for shutdown and startup of the VMware Cloud Foundation
management components.

Shutting Down and Starting Up VMware Cloud Foundation by Using PowerShell
Instead of the default step-by-step approach by using product user interface, you can shut down
the management domain or a VI workload domain in an automated way by running a PowerShell
script.

To shut down or start up the management domain or a VI workload domain, you run sample
PowerShell scripts that come with the VMware.CloudFoundation.PowerManagement module in
PowerShell Gallery. The scripts follow the order for manual shutdown and startup of VMware
Cloud Foundation. You can complete the workflow manually at any point. You can also run the
scripts multiple times.

To read the documentation, provide feedback, report an issue with automation, or contribute
to the VMware.CloudFoundation.PowerManagement module, go to the
VMware.CloudFoundation.PowerManagement open-source project in GitHub.

Read the following topics next:

n Shutting Down VMware Cloud Foundation

n Starting Up VMware Cloud Foundation

Shutting Down VMware Cloud Foundation


To avoid data loss and keep the SDDC components operational, you follow a specific order
when shutting down the management virtual machines in VMware Cloud Foundation.

You shut down the customer workloads and the management components for the VI workload
domains before you shut down the components for the management domain.


If the VMware NSX Manager cluster and VMware NSX Edge cluster are shared with other
VI workload domains, shut down the NSX Manager and NSX Edge clusters as part of the
shutdown of the first VI workload domain.

Prerequisites

n Verify that you have complete backups of all management components.

n Verify that the management virtual machines are not running on snapshots.

n If a vSphere Storage APIs for Data Protection (VADP) based backup solution is running on
the management clusters, verify that the solution is properly shut down by following the
vendor guidance.

n To reduce the startup time before you shut down the management virtual machines, migrate
the VMware vCenter Server instance for the management domain to the first VMware
ESXi host in the default management cluster in the management domain.

n Shut Down a Virtual Infrastructure Workload Domain


You shut down the components of a VI workload domain that runs virtualized workloads
in VMware Cloud Foundation in a specific order to keep components operational by
maintaining the necessary infrastructure, networking, and management services as long as
possible before shutdown.

n Shut Down a Virtual Infrastructure Workload Domain with vSphere with Tanzu
You shut down the components of a VI workload domain that runs containerized workloads
in VMware Cloud Foundation in a specific order to keep components operational by
maintaining the necessary infrastructure, networking, and management services as long as
possible before shutdown.

n Shut Down the Management Domain


You shut down the components of the management domain in VMware Cloud Foundation
in a specific order to keep components operational by maintaining the necessary
infrastructure, networking, and management services as long as possible before shutdown.

Shut Down a Virtual Infrastructure Workload Domain


You shut down the components of a VI workload domain that runs virtualized workloads in
VMware Cloud Foundation in a specific order to keep components operational by maintaining
the necessary infrastructure, networking, and management services as long as possible before
shutdown.

You shut down the management components for the VI workload domains before you shut down
the components for the management domain.


If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
follow this general order:

1 Shut down the customer workloads in all VI workload domains that share the VMware
NSX instance. Otherwise, all NSX networking services in the customer workloads will be
interrupted when you shut down NSX.

2 Shut down the VI workload domain that runs the shared NSX Edge nodes.

3 Shut down the other VI workload domains.

Shutdown Order for a VI Workload Domain


Table 2-1. Shutdown Order for a VI Workload Domain

Shutdown Order  SDDC Component
1  Virtualized customer workloads
2  Site Recovery Manager for the VI workload domain
3  vSphere Replication for the VI workload domain
4  NSX Edge nodes for the VI workload domain *
5  NSX Manager nodes for the VI workload domain *
6  vSphere Cluster Services virtual machines in the VI workload domain *
7  ESXi hosts and VMware vSAN in the VI workload domain *
8  vCenter Server for the VI workload domain *

* For information on the shutdown steps, see below.

Shut Down the NSX Edge Nodes


You begin shutting down the NSX infrastructure in the management domain or in a VI workload
domain in VMware Cloud Foundation by shutting down the NSX Edge nodes, which provide north-
south traffic connectivity between the physical data center networks and the NSX SDN networks.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at
https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of workload domain vCenter Server and
expand data center for the workload domain.

3 Right-click an NSX Edge virtual machine for the management domain or VI workload domain
and select Power > Shut down Guest OS.


4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Edge nodes for the domain.

Shut Down the NSX Manager Nodes


You continue shutting down the NSX infrastructure for the management domain or for a VI
workload domain by shutting down the three-node NSX Manager cluster by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the primary NSX Manager virtual machine and select Power > Shut down Guest
OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Manager virtual machines.

Shut Down the vSphere Cluster Services Virtual Machines


To shut down the vSphere Cluster Services (vCLS) virtual machines in a cluster in a VI workload
domain in VMware Cloud Foundation, you put the cluster in retreat mode. The retreat mode
triggers clean-up of the vCLS virtual machines.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Select the cluster on which vCLS must be shut down.

4 Copy the cluster domain ID domain-c(cluster_domain_id) from the URL of the browser.

When you navigate to a cluster in the vSphere client, the URL is similar to this one:

https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/
urn:vmomi:ClusterComputeResource:domain-c8:eef257af-fa50-455a-af7a-6899324fabe6/summary

You copy only domain-c8.


5 In the Host and Clusters inventory, select the vCenter Server instance and click the Configure
tab.

6 Under Advanced Settings, click the Edit Settings button.

7 Locate the config.vcls.clusters.domain-c(number).enabled property for the cluster
domain ID from Step 4 and set it to false.

If the property is not present, add it. Once added, the entry cannot be deleted from the
vSphere Client, but keeping it is not an issue: set it back to true to re-activate vCLS.

8 Click Save.

Results

The vCLS monitoring service initiates the clean-up of vCLS VMs. If vSphere DRS is activated for
the cluster, it stops working and you see an additional warning in the cluster summary. vSphere
DRS remains deactivated until vCLS is re-activated on this cluster.

Shut Down vSAN and the ESXi Hosts in a Virtual Infrastructure Workload
Domain
You use the vSAN shutdown cluster wizard in the vSphere Client to shut down gracefully the
vSAN clusters in a VI workload domain in VMware Cloud Foundation. The wizard shuts down the
vSAN storage and the ESXi hosts added to the cluster.

You perform this operation on all vSAN clusters in all VI workload domains.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 For a vSAN cluster, verify the vSAN health and resynchronization status.

a Select the cluster and click the Monitor tab.

b In the left pane, navigate to vSAN > Skyline health and verify the status of each vSAN
health check category.

c In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

4 If any member host is in lockdown mode, add the host's root account to the Exception Users
list so that you can log in to the host directly during shutdown and startup. Remove the
account from the list again after the startup is complete.

a Select the host in the inventory and click the Configure tab.

b In the left pane, select System > Security Profile.

c In the Lockdown Mode pane, click the Edit button.


d On the Exception Users page, enter root and click Add User.

e Click OK.

5 Shut down the vSAN cluster.

a In the inventory, right-click the vSAN cluster and select vSAN > Shutdown cluster.

b In the Shutdown Cluster wizard, verify that all pre-checks are green and click Next.

c Review the vCenter Server notice and click Next.

d Enter a reason for performing the shutdown, and click Shutdown.

6 Repeat Step 3 to Step 5 for other vSAN clusters in the workload domain.

Shut Down vCenter Server for a Virtual Infrastructure Workload Domain


To shut down the vCenter Server instance for a VI workload domain in VMware Cloud
Foundation, you use the vSphere Client.

Prerequisites

n Verify that all ESXi hosts in all clusters are stopped and are disconnected.

n Verify that a Perform cluster power off action task is not running in vCenter Server.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Shut down vCenter Server.

a Locate the vCenter Server virtual machine for the VI workload domain.

b Right-click the virtual machine and select Power > Shut down Guest OS.

c In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

Shut Down a Virtual Infrastructure Workload Domain with vSphere with Tanzu
You shut down the components of a VI workload domain that runs containerized workloads in
VMware Cloud Foundation in a specific order to keep components operational by maintaining
the necessary infrastructure, networking, and management services as long as possible before
shutdown.

You shut down the management components for the VI workload domains that run vSphere with
Tanzu and containers or that run virtualized workloads before you shut down the components for
the management domain.


If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
follow this general order:

1 Shut down the customer workloads in all VI workload domains that share the NSX instance.
Otherwise, all NSX networking services in the customer workloads will be interrupted when
you shut down NSX.

2 Shut down the VI workload domain that runs the shared NSX Edge nodes.

3 Shut down the other VI workload domains.

Shutdown Order for a VI Workload Domain with vSphere with Tanzu


Table 2-2. Shutdown Order for a VI Workload Domain with vSphere with Tanzu

Shutdown Order  SDDC Component
1  Containerized customer workloads
2  Find out the location of the vSphere with Tanzu virtual machines *
3  vSphere Cluster Services virtual machines in the VI workload domain *
4  vCenter Server for the VI workload domain *
5  Supervisor Cluster Control Plane virtual machines
6  Tanzu Kubernetes cluster control plane virtual machines
7  Tanzu Kubernetes cluster worker virtual machines
8  Harbor virtual machines
9  NSX Edge nodes in the VI workload domain *
10  NSX Manager nodes for the VI workload domain *
11  vSAN and ESXi hosts in the VI workload domain *

* For information on the shutdown steps, see below.

Find Out the Location of the vSphere with Tanzu Virtual Machines on the ESXi
Hosts
Before you begin shutting down a VI workload domain with vSphere with Tanzu, you get a
mapping between virtual machines in the workload domain and the ESXi hosts on which they
are deployed. You later use this mapping to log in to specific ESXi hosts and shut down specific
management virtual machines.

Procedure

1 Start PowerShell.


2 Connect to the VI workload domain vCenter Server by running the command.

Connect-VIServer -Server <workload_domain_vCenter_server_fqdn> -User administrator@vsphere.local -Password <vsphere_admin_password>

To keep the password out of the PowerShell history, you can pass -Credential (Get-Credential)
instead of -User and -Password.

3 Generate the virtual machine to host mapping in a C:\VMToHostMapping.csv file on the
Windows machine by running the command.

Get-VM | Select Name,VMHost | Export-Csv -Path C:\VMToHostMapping.csv -NoTypeInformation
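The following PowerShell script is an added example and is not part of the VMware guide. It builds the same mapping as the step above while the VI workload domain vCenter Server is still running and then, after that vCenter Server has been shut down, uses the mapping to shut down the vSphere with Tanzu virtual machines directly on each ESXi host in the order of Table 2-2 (Supervisor control plane, then Tanzu Kubernetes cluster control plane, then workers, then Harbor). Only the Supervisor control plane VM name prefix (SupervisorControlPlaneVM) is a vSphere default; the other name patterns depend on your cluster and namespace names and are assumptions, as are the FQDN and the CSV path. It requires VMware.PowerCLI, and hosts in lockdown mode reject the root login unless root is on their Exception Users list.

```powershell
# Added example, not from the VMware guide. Captures the VM-to-host mapping, then
# shuts down vSphere with Tanzu VMs host by host once vCenter Server is down.
# Names and patterns below are assumptions to adjust for your environment.

$WldVcFqdn = 'wld-vc.example.com'        # assumption: VI workload domain vCenter Server
$MapPath   = 'C:\VMToHostMapping.csv'

# Phase 1, vCenter Server still up: build the mapping. -Credential keeps the
# password out of the PowerShell history.
$vc = Connect-VIServer -Server $WldVcFqdn -Credential (Get-Credential -Message 'administrator@vsphere.local')
Get-VM -Server $vc | Select-Object Name, @{ N = 'VMHost'; E = { $_.VMHost.Name } } |
    Export-Csv -Path $MapPath -NoTypeInformation
Disconnect-VIServer -Server $vc -Confirm:$false

# Phase 2, vCenter Server down: shut down by name pattern, in Table 2-2 order, per host.
$ShutdownOrder = @(
    'SupervisorControlPlaneVM*',    # default Supervisor control plane VM name prefix
    '*-control-plane-*',            # assumption: Tanzu Kubernetes cluster control plane nodes
    '*-workers-*',                  # assumption: Tanzu Kubernetes cluster worker nodes
    '*harbor*'                      # assumption: Harbor
)
$EsxiCred = Get-Credential -Message 'ESXi root'
$map      = Import-Csv -Path $MapPath

function Stop-VMsOnHost {
    param([string]$HostName, [string[]]$VmNames, [pscredential]$Credential)
    # ESXi hosts usually present a self-signed certificate; if the connection is refused,
    # run Set-PowerCLIConfiguration -InvalidCertificateAction Ignore first.
    $esx = Connect-VIServer -Server $HostName -Credential $Credential
    try {
        $vms = @(Get-VM -Server $esx -Name $VmNames -ErrorAction SilentlyContinue | Where-Object PowerState -eq 'PoweredOn')
        foreach ($vm in $vms) {
            # Guest shutdown needs VMware Tools; fall back to a hard power-off only if it fails.
            try { $vm | Stop-VMGuest -Confirm:$false | Out-Null }
            catch { Write-Warning "Guest shutdown failed for $($vm.Name); powering off"; $vm | Stop-VM -Confirm:$false | Out-Null }
        }
        $deadline = (Get-Date).AddMinutes(5)
        while ((Get-VM -Server $esx -Name $VmNames -ErrorAction SilentlyContinue | Where-Object PowerState -eq 'PoweredOn') -and
               (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 10
        }
        Write-Host ("{0}: powered off {1}" -f $HostName, ($vms.Name -join ', '))
    } finally {
        Disconnect-VIServer -Server $esx -Confirm:$false
    }
}

foreach ($pattern in $ShutdownOrder) {
    $targets = $map | Where-Object { $_.Name -like $pattern }
    foreach ($group in ($targets | Group-Object -Property VMHost)) {
        Stop-VMsOnHost -HostName $group.Name -VmNames $group.Group.Name -Credential $EsxiCred
    }
}
```

Because each pattern is processed completely before the next one starts, the Supervisor control plane is down before any Tanzu Kubernetes cluster node is touched, which matches the order in Table 2-2; check the CSV first to confirm that the patterns match only the VMs you intend to shut down.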

Shut Down the vSphere Cluster Services Virtual Machines


To shut down the vSphere Cluster Services (vCLS) virtual machines in a cluster in a VI workload
domain in VMware Cloud Foundation, you put the cluster in retreat mode. The retreat mode
triggers clean-up of the vCLS virtual machines.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Select the cluster on which vCLS must be shut down.

4 Copy the cluster domain ID domain-c(cluster_domain_id) from the URL of the browser.

When you navigate to a cluster in the vSphere client, the URL is similar to this one:

https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/
urn:vmomi:ClusterComputeResource:domain-c8:eef257af-fa50-455a-af7a-6899324fabe6/summary

You copy only domain-c8.

5 In the Host and Clusters inventory, select the vCenter Server instance and click the Configure
tab.

6 Under Advanced Settings, click the Edit Settings button.

7 Locate the config.vcls.clusters.domain-c(number).enabled property for the cluster
domain ID from Step 4 and set it to false.

If the property is not present, add it. Once added, the entry cannot be deleted from the
vSphere Client, but keeping it is not an issue: set it back to true to re-activate vCLS.

8 Click Save.

Results

The vCLS monitoring service initiates the clean-up of vCLS VMs. If vSphere DRS is activated for
the cluster, it stops working and you see an additional warning in the cluster summary. vSphere
DRS remains deactivated until vCLS is re-activated on this cluster.
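The following PowerShell script is an added example and is not part of the VMware guide. It covers both vCLS retreat-mode procedures on this page (the one for a VI workload domain and the one for a VI workload domain with vSphere with Tanzu): it sets the same vCenter Server advanced setting as the UI steps with PowerCLI, reads the cluster's domain-c ID from the cluster object instead of the browser URL, and waits until the vCLS virtual machines have been cleaned up. The vCenter Server FQDN and the cluster name are assumptions. It requires VMware.PowerCLI.

```powershell
# Added example, not from the VMware guide. Enters (or leaves) vCLS retreat mode
# for one cluster with PowerCLI and waits for the vCLS VMs to disappear.
# Names below are assumptions.

$VcFqdn      = 'wld-vc.example.com'   # assumption: VI workload domain vCenter Server
$ClusterName = 'wld-cluster01'        # assumption

$vc = Connect-VIServer -Server $VcFqdn -Credential (Get-Credential -Message 'administrator@vsphere.local')

function Set-VclsRetreatMode {
    # $Enabled = $false puts the cluster in retreat mode; $true re-activates vCLS after startup.
    param([string]$ClusterName, [bool]$Enabled)
    $cluster  = Get-Cluster -Server $vc -Name $ClusterName
    $domainId = $cluster.ExtensionData.MoRef.Value      # e.g. domain-c8, the value you would copy from the URL
    $name     = "config.vcls.clusters.$domainId.enabled"
    $value    = if ($Enabled) { 'true' } else { 'false' }
    $existing = Get-AdvancedSetting -Entity $vc -Name $name -ErrorAction SilentlyContinue
    if ($existing) { $existing | Set-AdvancedSetting -Value $value -Confirm:$false | Out-Null }
    else           { New-AdvancedSetting -Entity $vc -Name $name -Value $value -Confirm:$false | Out-Null }
    Write-Host "$name = $value"
    return $cluster
}

$cluster = Set-VclsRetreatMode -ClusterName $ClusterName -Enabled $false

# The vCLS monitoring service removes the VMs asynchronously; wait for it (up to 5 minutes).
$deadline = (Get-Date).AddMinutes(5)
do {
    $remaining = @(Get-VM -Server $vc -Location $cluster | Where-Object Name -like 'vCLS*')
    if ($remaining) { Start-Sleep -Seconds 10 }
} while ($remaining -and (Get-Date) -lt $deadline)

if ($remaining) { throw "vCLS VMs still present on $($ClusterName): $($remaining.Name -join ', ')" }
Write-Host "Retreat mode active on $ClusterName. DRS stays deactivated until you run Set-VclsRetreatMode -Enabled `$true after startup."
```

Run the function once per cluster in the workload domain; the advanced setting stays in the vCenter Server configuration, so remember to set it back to true during startup, otherwise DRS remains deactivated on that cluster.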


Shut Down vCenter Server for a Virtual Infrastructure Workload Domain with
vSphere with Tanzu
To shut down the vCenter Server instance for a VI workload domain with vSphere with Tanzu in
VMware Cloud Foundation, you use the vSphere Client. You stop the Kubernetes services and
check the vSAN health status.

Procedure

1 Shut down the Kubernetes services on the workload domain vCenter Server.

a Log in to vCenter Server as root by using a Secure Shell (SSH) client.

b To switch to the Bash shell, run the shell command.

c Stop the Kubernetes services by running the command.

vmon-cli -k wcp

d Verify the Kubernetes services status by running the command.

vmon-cli -s wcp

The output must contain RunState: STOPPED.

2 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

3 Verify the vSAN health and resynchronization status.

a Select the vSAN cluster and click the Monitor tab.

b In the left pane, navigate to vSAN > Skyline health, and verify the status of each vSAN
health check category under Health findings and that the cluster health score is 100%.

c In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

4 If a vSAN cluster in the workload domain has vSphere HA turned on, stop vSphere HA to
avoid vSphere HA initiated migrations of virtual machines after vSAN is partitioned during the
shutdown process.

a Select the vSAN cluster and click the Configure tab.

b In the left pane, select Services > vSphere Availability and click the Edit button.

c In the Edit Cluster Settings dialog box, turn off vSphere HA and click OK.

This operation takes several minutes to complete.

5 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui
as administrator@vsphere.local.

6 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.


7 Shut down vCenter Server.

a Locate the vCenter Server virtual machine for the VI workload domain.

b Right-click the virtual machine and select Power > Shut down Guest OS.

c In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

Shut Down the NSX Edge Nodes for vSphere with Tanzu
You begin shutting down the NSX infrastructure in a VI workload domain with vSphere with
Tanzu by shutting down the NSX Edge nodes that provide north-south traffic connectivity
between the physical data center networks and the NSX SDN networks.

Because the vCenter Server instance for the domain is already down, you shut down the NSX
Edge nodes from the ESXi hosts where they are running.

Procedure

1 Log in to the ESXi host that runs the first NSX Edge node as root by using the VMware Host
Client.

2 In the navigation pane, click Virtual machines.

3 Right-click an NSX Edge virtual machine, and select Guest OS > Shut down.

4 In the confirmation dialog box, click Yes.

5 Repeat these steps to shut down the remaining NSX Edge nodes for the VI workload domain
with vSphere with Tanzu.

Shut Down the NSX Manager Nodes
You continue shutting down the NSX infrastructure for the management domain or for a VI
workload domain by shutting down the three-node NSX Manager cluster by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the primary NSX manager virtual machine and select Power > Shut down Guest
OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Manager virtual machines.


Shut Down vSAN and the ESXi Hosts in a Virtual Infrastructure Workload
Domain with vSphere with Tanzu
You shut down vSAN and the ESXi hosts in a VI workload domain with vSphere with Tanzu
by preparing the vSAN cluster for shutdown, placing each ESXi host in maintenance mode to
prevent any virtual machines being deployed to or starting up on the host, and shutting down the
host.

In a VI workload domain with vSphere with Tanzu, the vCenter Server instance for the domain
is already down. Hence, you perform the shutdown operation on the ESXi hosts by using the
VMware Host Client.

Procedure

1 Turn on SSH on the ESXi hosts in the workload domain by using the SoS utility of the SDDC
Manager appliance.

a Log in to the SDDC Manager appliance by using a Secure Shell (SSH) client as vcf.

b Switch to the root user by running the su command and entering the root password.

c Run this command.

/opt/vmware/sddc-support/sos --enable-ssh-esxi --domain domain-name

2 Log in to the first ESXi host in the workload domain cluster by using a Secure Shell (SSH)
client as root.

3 For a vSAN cluster, deactivate vSAN cluster member updates by running the command.

esxcfg-advcfg -s 1 /VSAN/IgnoreClusterMemberListUpdates

The command returns Value of IgnoreClusterMemberListUpdates is 1

4 Repeat Step 2 and Step 3 on the remaining hosts in the cluster.

5 On the first ESXi host per vSAN cluster, prepare the vSAN cluster for shutdown by running
the command.

python /usr/lib/vmware/vsan/bin/reboot_helper.py prepare

The command returns Cluster preparation is done!

6 Place the ESXi host in maintenance mode by running the command.

esxcli system maintenanceMode set -e true -m noAction

Ensure the prompt comes back after the command is complete.

7 Verify that the host is in maintenance mode.

esxcli system maintenanceMode get

8 Repeat Step 6 and Step 7 on the remaining hosts in the workload domain cluster.


9 Shut down the ESXi hosts in the workload domain cluster.

a Log in to the first ESXi host for the cluster at https://<esxi_host_fqdn>/ui as root.

b In the navigation pane, right-click Host and, from the drop-down menu, select Shut down.

c In the confirmation dialog box, click Shut down.

d Repeat the steps for the remaining hosts in the cluster.
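Steps 2 to 8 above are repeated per host, and each step prints a result that has to be checked before the next host is touched; with vCenter Server already down there is no central view to catch a host that was skipped or left out of maintenance mode. The following script is an added example, not part of this guide or of the SoS utility. It runs the same commands over SSH from a jump host, gates each phase on the output the guide says the command prints, and stops at the first host that does not report the expected state. It assumes non-interactive SSH as root to every ESXi host (keys or an agent; SSH itself is enabled in step 1), a constructed hosts file with one FQDN per line whose first line is the host that runs reboot_helper.py, and the ssh client on PATH.

```shell
#!/bin/sh
# Added example (not from the VMware guide): batch the per-host vSAN shutdown
# preparation for a VI workload domain with vSphere with Tanzu.
# Assumptions: non-interactive SSH as root to every ESXi host (keys or agent);
# a hosts file with one FQDN per line, first line = host that runs reboot_helper.py.

# Output the guide says each command prints; used to gate the next phase.
IGNORE_UPDATES_OK="Value of IgnoreClusterMemberListUpdates is 1"
PREPARE_OK="Cluster preparation is done!"

# run_on_host HOST CMD [ARGS...]: run one ESXi shell command over SSH.
# -n keeps ssh from reading stdin, which would otherwise consume the hosts file
# while it is being read by the loops below.
run_on_host() {
    host=$1
    shift
    ssh -n -o BatchMode=yes -o ConnectTimeout=10 "root@$host" "$@"
}

# Each check returns 0 only when the captured output matches the expected state.
check_ignore_updates() {
    case "$1" in *"$IGNORE_UPDATES_OK"*) return 0 ;; esac
    return 1
}

check_prepare_done() {
    case "$1" in *"$PREPARE_OK"*) return 0 ;; esac
    return 1
}

# "esxcli system maintenanceMode get" prints Enabled or Disabled.
check_maintenance_mode() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "Enabled" ]
}

fail() {
    echo "ERROR: $*" >&2
}

# Phase 1: steps 2-4, on every host.
# Phase 2: step 5, on the first host only.
# Phase 3: steps 6-8, on every host, verifying maintenance mode before moving on.
prepare_cluster_for_shutdown() {
    hosts_file=$1
    first=$(head -n 1 "$hosts_file")

    while read -r h; do
        [ -n "$h" ] || continue
        out=$(run_on_host "$h" esxcfg-advcfg -s 1 /VSAN/IgnoreClusterMemberListUpdates) || return 1
        check_ignore_updates "$out" || { fail "$h: unexpected output: $out"; return 1; }
    done < "$hosts_file"

    out=$(run_on_host "$first" python /usr/lib/vmware/vsan/bin/reboot_helper.py prepare) || return 1
    check_prepare_done "$out" || { fail "$first: cluster preparation failed: $out"; return 1; }

    while read -r h; do
        [ -n "$h" ] || continue
        run_on_host "$h" esxcli system maintenanceMode set -e true -m noAction || return 1
        state=$(run_on_host "$h" esxcli system maintenanceMode get) || return 1
        check_maintenance_mode "$state" || { fail "$h: not in maintenance mode: $state"; return 1; }
    done < "$hosts_file"

    echo "All hosts in $hosts_file are in maintenance mode; shut them down (step 9)."
}

# Usage: prepare_cluster_for_shutdown /path/to/hosts.txt
```

The script deliberately does not shut the hosts down itself: step 9 stays a manual action in the Host Client, after the script has confirmed every host reports Enabled for maintenance mode.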

Shut Down the Management Domain
You shut down the components of the management domain in VMware Cloud Foundation in
a specific order to keep components operational by maintaining the necessary infrastructure,
networking, and management services as long as possible before shutdown.

After you shut down the components in all VI workload domains, you begin shutting down the
management domain.

Shutdown Order for the Management Domain

Note If your VMware Cloud Foundation instance is deployed with the consolidated architecture,
shut down any customer workloads or additional virtual machines in the management domain
before you proceed with the shutdown order of the management components.

You shut down Site Recovery Manager and vSphere Replication after you shut down the
management components that can be failed over between the VMware Cloud Foundation
instances. You also shut Site Recovery Manager and vSphere Replication down as late as
possible to have the management virtual machines protected as long as possible if a disaster
event occurs. The virtual machines in the paired VMware Cloud Foundation instance become
unprotected after you shut down Site Recovery Manager and vSphere Replication in the current
VMware Cloud Foundation instance.

You shut down VMware Aria Operations for Logs as late as possible to collect as much log
data as possible for potential troubleshooting. You shut down the Workspace ONE Access™ instances after
the management components they provide identity and access management services for.

Table 2-3. Shutdown Order for the Management Domain

Shutdown Order SDDC Component

1 VMware Aria Automation cluster

2 VMware Aria Operations cluster and remote collectors

3 Clustered Workspace ONE Access *

4 VMware Aria Suite Lifecycle™

5 Site Recovery Manager for the management domain

6 vSphere Replication for the management domain

7 VMware Aria Operations for Logs cluster

8 NSX Edge nodes for the management domain *

9 NSX Manager nodes for the management domain *

10 SDDC Manager *

11 vSphere Cluster Services, vCenter Server for the management domain, management ESXi hosts and vSAN *

* For information on the shutdown steps, see below.

Save the Credentials for the ESXi Hosts and vCenter Server for the Management
Domain
Before you shut down the management domain, get the credentials for the management domain
hosts and vCenter Server from SDDC Manager and save them. You need these credentials to
shut down the ESXi hosts and then to start them and vCenter Server back up. Because SDDC
Manager is down during each of these operations, you must save the credentials in advance.

To get the credentials, log in to the SDDC Manager appliance by using a Secure Shell (SSH) client
as vcf and run the lookup_passwords command.

Shutting Down a Management Domain with Infrastructure Services VMs
If the management domain contains virtual machines that are running infrastructure services like
Active Directory, NTP, DNS and DHCP servers, follow the shutdown order for VMware Cloud
Foundation 4.4.

Shut Down the Clustered Workspace ONE Access Virtual Machines
Use the VMware Aria Suite Lifecycle user interface to shut down the Workspace ONE Access
three-node cluster that provides identity and access management services to management
components that are available across VMware Cloud Foundation instances.

Procedure

1 Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as vcfadmin@local.

2 On the My services page, click Lifecycle operations.

3 In the navigation pane, click Environments.

4 On the Environments page, on the globalenvironment card, click View details.

5 In the VMware Identity Manager section, click the horizontal ellipsis icon and select Power
off.

6 In the Power off VMware Identity Manager dialog box, click Submit.


7 On the Requests page, ensure that the request completes successfully.

Shut Down the VMware Aria Suite Lifecycle Virtual Machine
Shut down the VMware Aria Suite Lifecycle virtual machine in the management domain of
VMware Cloud Foundation from the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the VMware Aria Suite Lifecycle virtual machine and select Power > Shut down
Guest OS.

4 In the confirmation dialog box, click Yes.

Shut Down the NSX Edge Nodes
You begin shutting down the NSX infrastructure in the management domain or in a VI workload
domain in VMware Cloud Foundation by shutting down the NSX Edge nodes that provide north-south
traffic connectivity between the physical data center networks and the NSX SDN networks.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of the workload domain vCenter Server and
expand the data center for the workload domain.

3 Right-click an NSX Edge virtual machine for the management domain or VI workload domain
and select Power > Shut down Guest OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Edge nodes for the domain.

Shut Down the NSX Manager Nodes
You continue shutting down the NSX infrastructure for the management domain or for a VI
workload domain by shutting down the three-node NSX Manager cluster by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.


2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the primary NSX manager virtual machine and select Power > Shut down Guest
OS.

4 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

5 Repeat the steps for the remaining NSX Manager virtual machines.

Shut Down the SDDC Manager Virtual Machine
Shut down the SDDC Manager virtual machine in the management domain by using the vSphere
Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Expand the Management VMs folder.

4 Right-click the SDDC Manager virtual machine and click Power > Shut down Guest OS.

5 In the confirmation dialog box, click Yes.

This operation takes several minutes to complete.

Shut Down vSphere and vSAN for the Management Domain
After you check the vSAN cluster health, you use the vSAN shutdown cluster wizard in the
vSphere Client. The wizard shuts down vSphere Cluster Services, vCenter Server, the vSAN
storage, and the ESXi hosts added to the default management cluster in VMware Cloud
Foundation.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 If the management domain vCenter Server is not running on the first ESXi host in the default
management cluster, migrate it there.


4 Verify the vSAN health and resynchronization status.

a Select the default management cluster and click the Monitor tab.

b In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

c Under vSAN > Skyline health, verify that the cluster health score is 100%.

5 If any member host is in lockdown mode, add the host's root account to the Exception Users
list.

a Select the host in the inventory and click the Configure tab.

b In the left pane, select System > Security Profile.

c In the Lockdown Mode pane, click the Edit button.

d On the Exception Users page, enter root and click Add User.

e Click OK.

6 Shut down the vSAN cluster.

a In the inventory, right-click the vSAN cluster and select vSAN > Shutdown cluster.

b In the Shutdown Cluster wizard, verify that all pre-checks are green and click Next.

c Review the vCenter Server notice and click Next.

d Enter a reason for performing the shutdown, and click Shutdown.

Results

Connection to vCenter Server is lost because the vSAN shutdown cluster wizard shuts down
vCenter Server.

The shutdown operation is complete after all ESXi hosts are stopped.

Starting Up VMware Cloud Foundation
To maintain the integration between the components and avoid operational faults, you follow a
specified order to start up the management virtual machines in VMware Cloud Foundation.

You start the management components for the management domain first. Then, you start the
management components for the VI workload domains and the customer workloads.

If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
start the other VI workload domains first. Start up NSX Manager and NSX Edge nodes as part of
the startup of the last workload domain.

Prerequisites

n Verify that external services such as Active Directory, DNS, NTP, SMTP, and FTP or SFTP are
available.


n If a vSphere Storage APIs for Data Protection (VADP) based backup solution is deployed on
the default management cluster, verify that the solution is properly started and operational
according to the vendor guidance.

n Start the Management Domain
You start the management components for the management domain in a specific order
to provide the necessary infrastructure, networking, and management services before
powering on the components for cloud management.

n Start a Virtual Infrastructure Workload Domain
You start the management components for a VI workload domain in a specific order
to provide the necessary infrastructure, networking, and management services to the
components you start next.

n Start a Virtual Infrastructure Workload Domain with vSphere with Tanzu
You start the management components for a VI workload domain with vSphere with Tanzu
in a specific order to provide the necessary infrastructure, networking, and management
services before powering on the components for containerized workload management.

Start the Management Domain
You start the management components for the management domain in a specific order to
provide the necessary infrastructure, networking, and management services before powering
on the components for cloud management.

You start the management components for the management domain first. Then, you start the
management components for the VI workload domains and the customer workloads.

Startup Order for the Management Domain
You start the virtual infrastructure of the management domain first. Then, you start the
components providing identity and access management and life cycle management to the
relevant cloud management components.

You start VMware Aria Operations for Logs as early as possible to collect log data that helps
troubleshooting potential issues. You also start Site Recovery Manager and vSphere Replication
as early as possible to protect the management virtual machines if a disaster event occurs.

Table 2-4. Startup Order for the Management Domain

Startup Order SDDC Component

1 Management ESXi hosts, vCenter Server, vSphere Cluster Services, and vSAN *

2 SDDC Manager *

3 NSX Manager nodes for the management domain *

4 NSX Edge nodes for the management domain *

5 VMware Aria Operations for Logs cluster

6 vSphere Replication for the management domain

7 Site Recovery Manager for the management domain

8 VMware Aria Suite Lifecycle *

9 Clustered Workspace ONE Access *

10 VMware Aria Operations cluster and remote collectors

11 VMware Aria Automation cluster

* For information on the startup steps, see below.

Verify the Operational State of the Management Domain
After you start up the management domain, verify that the main functionality of the management
components is working according to the requirements. See the following documentation:

n Identity and Access Management for VMware Cloud Foundation

n Intelligent Logging and Analytics for VMware Cloud Foundation

n Intelligent Operations Management for VMware Cloud Foundation

n Private Cloud Automation for VMware Cloud Foundation

n Site Protection and Disaster Recovery for VMware Cloud Foundation

Starting a Management Domain with Infrastructure Service VMs
If the management domain contains virtual machines that are running infrastructure services
like Active Directory, NTP, DNS and DHCP servers, follow the startup order for VMware Cloud
Foundation 4.4.

Start the vSphere and vSAN Components for the Management Domain
You start the management ESXi hosts by using an out-of-band management interface, such as iLO
or iDRAC, to connect to the hosts and power them on. Then, restarting the vSAN cluster
automatically starts vSphere Cluster Services, vCenter Server, and vSAN.

Procedure

1 Power on the first ESXi host in the management domain.

a Log in to the first ESXi host in the management domain by using the out-of-band
management interface.

b Power on the ESXi host according to the hardware vendor guide.

2 Repeat the previous step to start all the remaining ESXi hosts in the management domain.

This operation takes several minutes to complete.


vCenter Server is started automatically. Wait until vCenter Server is running and the vSphere
Client is available again.

3 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

4 Restart the vSAN cluster.

a Right-click the vSAN cluster and select vSAN > Restart cluster.

b In the Restart dialog box, click Restart.

The vSAN Services page on the Configure tab changes to display information about the
restart process.

5 After the cluster has restarted, check the vSAN health service and resynchronization status,
and resolve any outstanding issues.

a Select the cluster and click the Monitor tab.

b In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

c In the left pane, navigate to vSAN > Skyline health and verify that the cluster health score
is 100%.

6 If you have added the root user of the ESXi hosts to the Exception Users list for lockdown
mode during shutdown, remove the user from the list on each host.

a Select the host in the inventory and click the Configure tab.

b In the left pane, select System > Security Profile.

c In the Lockdown Mode pane, click the Edit button.

d On the Exception Users page, from the vertical ellipsis menu in front of the root user,
select Remove User and click OK.

Start the SDDC Manager Virtual Machine
Start the SDDC Manager virtual machine by using the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Expand the Management VMs folder.

4 Right-click the SDDC Manager virtual machine and click Power > Power on.

This operation takes several minutes to complete.


Start the NSX Manager Virtual Machines
You begin powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the three-node NSX Manager cluster by using the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Power on the NSX Manager nodes for the management domain or the VI workload domain.

a Right-click the primary NSX Manager node and select Power > Power on.

b Repeat the steps to power on the remaining NSX Manager nodes.

This operation takes several minutes to complete. Wait until the NSX Manager cluster is
fully operational again and its user interface is accessible.

4 Log in to NSX Manager for the management domain or VI workload domain at https://
<nsxt_manager_cluster_fqdn> as admin.

5 Verify the system status of NSX Manager cluster.

a On the main navigation bar, click System.

b In the left pane, navigate to Configuration > Appliances.

c On the Appliances page, verify that the NSX Manager cluster has a Stable status and all
NSX Manager nodes are available.

Start the NSX Edge Nodes
You continue powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the NSX Edge nodes by using the vSphere Client.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of the workload domain vCenter Server and
expand the data center for the workload domain.

3 Right-click an NSX Edge virtual machine from the edge cluster and select Power > Power on.

This operation takes several minutes to complete.

4 Repeat these steps to power on the remaining NSX Edge nodes.


Start the VMware Aria Suite Lifecycle Virtual Machine
Start the VMware Aria Suite Lifecycle virtual machine in the management domain by using the
vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Right-click the VMware Aria Suite Lifecycle virtual machine and select Power > Power on.

Start the Clustered Workspace ONE Access Virtual Machines
You start the three-node Workspace ONE Access cluster by using the VMware Aria Suite
Lifecycle user interface.

Procedure

1 Log in to VMware Aria Suite Lifecycle at https://<aria_suite_lifecycle_fqdn> as vcfadmin@local.

2 Power on the Workspace ONE Access cluster and verify its status.

a On the My services page, click Lifecycle operations.

b In the navigation pane, click Environments.

c On the Environments page, in the globalenvironment card, click View details.

d In the VMware Identity Manager section, click the horizontal ellipsis icon and select
Power on.

e In the Power on VMware Identity Manager dialog box, click Submit.

f On the Requests page, ensure that the request completes successfully.

3 Configure the domain and domain search parameters on the Workspace ONE Access
appliances.

a Log in to the first appliance of the Workspace ONE Access cluster by using a Secure
Shell (SSH) client as sshuser.

b Switch to the super user by running the su command.

c Open the /etc/resolv.conf file for editing.

vi /etc/resolv.conf


d Add the following entries to the end of the file and save the changes.

domain <domain_name>
search <space_separated_list_of_domains_to_search>

e Repeat this step to configure the domain and domain search parameters on the remaining
Workspace ONE Access appliances.

4 In the VMware Aria Suite Lifecycle user interface, check the health of the Workspace ONE
Access cluster.

a In the navigation pane, click Environments.

b On the Environments page, in the globalenvironment card, click View details.

c In the VMware Identity Manager section, click the horizontal ellipsis icon and select
Trigger cluster health.

d In the Trigger health collection dialog box, click Submit.

e On the Requests page, ensure that the request completes successfully.
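Editing /etc/resolv.conf by hand on each appliance in step 3 leaves room for a node to end up with two domain lines, or with a stale one left over from an earlier start, after which the identity services on that node resolve names differently from the rest of the cluster. The following shell functions are an added example, not part of this guide or of Workspace ONE Access: they apply the domain and search entries idempotently (existing domain or search lines in any letter case are replaced, nameserver lines and comments are kept) and then verify that the file carries exactly one of each. The keywords are written lowercase, as resolv.conf(5) documents them. The file path is a parameter so the functions can be tried on a copy first; the sample content and the example.test names are constructed.

```shell
#!/bin/sh
# Added example (not from the VMware guide): idempotent domain/search configuration
# for /etc/resolv.conf on a Workspace ONE Access appliance, plus a verification step.
# Keywords are lowercase as documented in resolv.conf(5).

# set_resolv_domain FILE DOMAIN "SEARCH LIST": rewrite FILE in place.
set_resolv_domain() {
    file=$1
    domain=$2
    search=$3
    [ -f "$file" ] || { echo "ERROR: $file does not exist" >&2; return 1; }
    tmp="$file.tmp.$$"
    # Keep everything except existing domain/search lines (any letter case);
    # grep returns 1 when nothing is left, which is not an error here.
    grep -Eiv '^[[:space:]]*(domain|search)([[:space:]]|$)' "$file" > "$tmp" || true
    printf 'domain %s\nsearch %s\n' "$domain" "$search" >> "$tmp"
    mv "$tmp" "$file"
}

# resolv_value FILE KEYWORD: print the value of a keyword, one line per occurrence,
# nothing if the keyword is absent.
resolv_value() {
    sed -n "s/^$2[[:space:]][[:space:]]*//p" "$1"
}

# verify_resolv FILE DOMAIN "SEARCH LIST": return 0 only when FILE carries the
# requested domain and search values and exactly one line of each, which is the
# state step 3 should leave on every appliance.
verify_resolv() {
    [ "$(resolv_value "$1" domain)" = "$2" ] || return 1
    [ "$(resolv_value "$1" search)" = "$3" ] || return 1
    [ "$(grep -Eic '^(domain|search)([[:space:]]|$)' "$1")" -eq 2 ]
}

# Usage on an appliance, as root, after taking a copy of the original file:
#   cp /etc/resolv.conf /root/resolv.conf.bak
#   set_resolv_domain /etc/resolv.conf mgmt.example.test "mgmt.example.test example.test"
#   verify_resolv /etc/resolv.conf mgmt.example.test "mgmt.example.test example.test"
```

Run verify_resolv on every appliance after step 3e; a non-zero return on one node points at exactly the host whose resolver configuration differs from the others before the cluster health check in step 4 is triggered.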

Start a Virtual Infrastructure Workload Domain
You start the management components for a VI workload domain in a specific order to provide
the necessary infrastructure, networking, and management services to the components you start
next.

You start the management components for the management domain first. Then, you start the
management components for the VI workload domains and the customer workloads.

If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
follow this general order:

1 Start the other VI workload domains.

2 Start the VI workload domain that runs the shared NSX Edge nodes.

3 Start the customer workloads that rely on NSX services.

Startup Order for a VI Workload Domain
Table 2-5. Startup Order for a VI Workload Domain

Startup Order SDDC Component

1 vCenter Server for the VI workload domain *

2 ESXi hosts for the VI workload domain *

3 vSAN for the VI workload domain *

4 vSphere Cluster Services (vCLS) virtual machines in the VI workload domain *

5 NSX Manager nodes for the VI workload domain *

6 NSX Edge nodes for the VI workload domain *

7 vSphere Replication for the VI workload domain

8 Site Recovery Manager for the VI workload domain

9 Virtualized customer workloads

* For information on the startup steps, see below.

Start vCenter Server for a Virtual Infrastructure Workload Domain
Use the vSphere Client to power on the vCenter Server appliance in the management domain.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Start vCenter Server.

a Locate the vCenter Server virtual machine for the VI workload domain.

b Right-click the virtual machine and select Power > Power on.

The startup of the virtual machine and the vSphere services takes some time to complete.

Start the ESXi Hosts in a Virtual Infrastructure Workload Domain
You start the ESXi hosts by using an out-of-band management interface, such as iLO or iDRAC, to
connect to the hosts and power them on.

Procedure

1 Power on the first ESXi host in the workload domain.

a Log in to the first ESXi host in the workload domain by using the out-of-band
management interface.

b Power on the ESXi host according to the hardware vendor guide.

2 Repeat the previous step to start all the remaining ESXi hosts in the workload domain.

This operation takes several minutes to complete.

Restart the vSAN Clusters in a Virtual Infrastructure Workload Domain
You start vSAN in a VI workload domain by restarting the vSAN cluster.

You perform this operation on all vSAN clusters in all VI workload domains.


Prerequisites

Verify that all ESXi hosts in the cluster are connected to the workload domain vCenter Server.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Restart the vSAN cluster.

a Right-click the vSAN cluster and select vSAN > Restart cluster.

b In the Restart Cluster dialog box, click Restart.

The vSAN Services page on the Configure tab changes to display information about the
restart process.

4 After the cluster has restarted, check the vSAN health service and resynchronization status,
and resolve any outstanding issues.

a Select the cluster and click the Monitor tab.

b In the left pane, navigate to vSAN > Skyline health and verify the status of each vSAN
health check category.

c In the left pane, under vSAN > Resyncing objects, verify that all synchronization tasks are
complete.

5 If you have added the root user of the ESXi hosts to the Exception Users list for lockdown
mode during shutdown, remove the user from the list on each host.

a Select the host in the inventory and click the Configure tab.

b In the left pane, select System > Security Profile.

c In the Lockdown Mode pane, click the Edit button.

d On the Exception Users page, from the vertical ellipsis menu in front of the root user,
select Remove User and click OK.

Start the vSphere Cluster Services
You start the vSphere Cluster Services (vCLS) virtual machines in a VI workload domain by
deactivating the retreat mode on the target cluster. Starting the vCLS virtual machines makes
vSphere DRS and vSphere HA available to the workloads running on the clusters in the workload
domain again.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.


2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Select the cluster on which vCLS must be started.

4 Copy the cluster domain ID domain-c(cluster_domain_id) from the URL of the browser.

When you navigate to a cluster in the vSphere Client, the URL is similar to this one:

https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/
urn:vmomi:ClusterComputeResource:domain-c8:eef257af-fa50-455a-af7a-6899324fabe6/summary

You copy only domain-c8.

5 In the Host and Clusters inventory, select the vCenter Server instance for the VI workload
domain and click the Configure tab.

6 Under Advanced Settings, click the Edit Settings button.

7 Locate the config.vcls.clusters.domain-c(number).enabled property for the cluster domain
ID from Step 4 and set it to true.

8 Click Save.

9 Repeat the procedure on all clusters in the other workload domains.
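Copying the cluster ID out of a long URL by hand in Step 4, and then typing it into the property name in Step 7, is where this procedure usually goes wrong, and a typo enables vCLS for a cluster object that does not exist while the intended cluster stays in retreat mode. The following shell functions are an added example, not from this guide: they extract the domain-c ID from the URL format shown in Step 4 and build the exact property name for Step 7, refusing URLs that carry no cluster reference. The vcls_settings_from_file helper for Step 9 and the vc01.example.test host name are constructed for illustration; the URL layout is the one the guide shows.

```shell
#!/bin/sh
# Added example (not from the VMware guide): derive the vCLS retreat-mode setting
# name from the cluster URL shown in the vSphere Client instead of copying it by hand.

# cluster_domain_id_from_url URL: print domain-cNNN, or nothing when the URL
# carries no ClusterComputeResource reference.
cluster_domain_id_from_url() {
    printf '%s\n' "$1" \
        | sed -n 's/.*ClusterComputeResource:\(domain-c[0-9][0-9]*\):.*/\1/p'
}

# vcls_setting_key URL: print the advanced setting that controls vCLS for that
# cluster (Step 7). Returns 1 and prints nothing when no cluster ID can be
# extracted, so a caller never writes a setting for the wrong object.
vcls_setting_key() {
    id=$(cluster_domain_id_from_url "$1")
    [ -n "$id" ] || return 1
    printf 'config.vcls.clusters.%s.enabled\n' "$id"
}

# vcls_settings_from_file FILE: one cluster URL per line, one "key = true" line
# per cluster, for working through every cluster in a domain (Step 9). Lines
# without a cluster ID are reported on stderr and make the function return 1.
vcls_settings_from_file() {
    rc=0
    while read -r url; do
        [ -n "$url" ] || continue
        key=$(vcls_setting_key "$url") || { echo "skipping (no cluster ID): $url" >&2; rc=1; continue; }
        printf '%s = true\n' "$key"
    done < "$1"
    return $rc
}

# Usage: vcls_setting_key "https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/urn:vmomi:ClusterComputeResource:domain-c8:<uuid>/summary"
```

The printed key is the property name to locate under Advanced Settings in Step 7; the value true is what the guide sets to bring the vCLS virtual machines back.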

Start the NSX Manager Virtual Machines
You begin powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the three-node NSX Manager cluster by using the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Power on the NSX Manager nodes for the management domain or the VI workload domain.

a Right-click the primary NSX Manager node and select Power > Power on.

b Repeat the steps to power on the remaining NSX Manager nodes.

This operation takes several minutes to complete. Wait until the NSX Manager cluster is
fully operational again and its user interface is accessible.

4 Log in to NSX Manager for the management domain or VI workload domain at https://
<nsxt_manager_cluster_fqdn> as admin.


5 Verify the system status of NSX Manager cluster.

a On the main navigation bar, click System.

b In the left pane, navigate to Configuration > Appliances.

c On the Appliances page, verify that the NSX Manager cluster has a Stable status and all
NSX Manager nodes are available.

Start the NSX Edge Nodes
You continue powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the NSX Edge nodes by using the vSphere Client.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of the workload domain vCenter Server and
expand the data center for the workload domain.

3 Right-click an NSX Edge virtual machine from the edge cluster and select Power > Power on.

This operation takes several minutes to complete.

4 Repeat these steps to power on the remaining NSX Edge nodes.

Start a Virtual Infrastructure Workload Domain with vSphere with Tanzu

You start the management components for a VI workload domain with vSphere with Tanzu in
a specific order to provide the necessary infrastructure, networking, and management services
before powering on the components for containerized workload management.

You start the management components for the management domain first. Then, you start the
management components for the VI workload domains and the customer workloads.

If the NSX Manager cluster and NSX Edge cluster are shared with other VI workload domains,
follow this general order:

1 Start the other VI workload domains.

2 Start the VI workload domain that runs the shared NSX Edge nodes.

3 Start the customer workloads that rely on NSX services.


Startup Order for a VI Workload Domain with vSphere with Tanzu

Table 2-6. Startup Order for a VI Workload Domain with vSphere with Tanzu

Startup Order   SDDC Component
1               ESXi hosts and vSAN for the VI workload domain
2               vCenter Server for the VI workload domain
3               vCLS virtual machines
4               NSX Manager nodes for the VI workload domain
5               NSX Edge nodes for the VI workload domain
6               Started automatically after you start vCenter Server, vCLS, and NSX for the VI workload domain:
                - Supervisor Control Plane virtual machines
                - Tanzu Kubernetes Cluster control plane virtual machines
                - Tanzu Kubernetes Cluster worker virtual machines
                - Harbor registry virtual machines
7               Containerized customer workloads

For information on the startup steps, see below.

Start vSAN and ESXi Hosts in a Virtual Infrastructure Workload Domain with
vSphere with Tanzu
You start the ESXi hosts by using an out-of-band management interface, such as iLO or iDRAC, to
connect to the hosts and power them on. You then take the ESXi hosts out of maintenance mode
and prepare the vSAN cluster for startup.

Procedure

1 Power on the first ESXi host in the VI workload domain.

a Log in to the first ESXi host in the workload domain by using the out-of-band
management interface.

b Power on the ESXi host according to the hardware vendor guide.

2 Repeat the previous step to start all the remaining ESXi hosts in the workload domain.

This operation takes several minutes to complete.

3 If your VMware Cloud Foundation environment has several VI workload domains with
vSphere with Tanzu, start all ESXi hosts in all these workload domains to save time because
the vSAN scan operation which takes place at ESXi startup requires some time to complete.


4 Turn on SSH on all hosts in the domain by using the SoS utility of the SDDC Manager
appliance.

a Log in to the SDDC Manager appliance by using a Secure Shell (SSH) client as vcf.

b Switch to the root user by running the su command and entering the root password.

c Run this command.

/opt/vmware/sddc-support/sos --enable-ssh-esxi --domain domain-name

5 Log in to the first ESXi host in the domain as root by using a Secure Shell (SSH) client.

6 Take the ESXi host out of maintenance mode by running the command.

esxcli system maintenanceMode set -e false

7 Repeat Step 5 and Step 6 on all the remaining ESXi hosts in the domain.

8 On the first ESXi host in each vSAN cluster, run the command to prepare the vSAN cluster for
starting.

python /usr/lib/vmware/vsan/bin/reboot_helper.py recover

The command returns Cluster reboot/poweron is completed successfully!

9 Verify that all hosts in the vSAN cluster are available by running the command.

esxcli vsan cluster get

Look for the following strings in the output:

n Local Node Type: NORMAL

n Local Node Health State: HEALTHY

10 Turn on vSAN cluster member updates by running the command.

esxcfg-advcfg -s 0 /VSAN/IgnoreClusterMemberListUpdates

The command returns Value of IgnoreClusterMemberListUpdates is 0.

11 Repeat Step 9 and Step 10 for the remaining ESXi hosts in the workload domain.

12 Deactivate SSH on the ESXi hosts in the domain from the SDDC Manager appliance.

a Log in to the SDDC Manager appliance by using a Secure Shell (SSH) client as vcf.

b Switch to the root user by running the su command and entering the root password.

c Run this command.

/opt/vmware/sddc-support/sos --disable-ssh-esxi --domain domain-name


Start vCenter Server for a Virtual Infrastructure Workload Domain with vSphere
with Tanzu
Use the vSphere Client to power on the vCenter Server appliance in the VI workload domain. If
the workload domain contains a vSAN cluster, check its health status too.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Start vCenter Server.

a Locate the vCenter Server virtual machine for the VI workload domain.

b Right-click the virtual machine and select Power > Power on.

The startup of the virtual machine and the vSphere services takes some time to complete.

4 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

5 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

6 Verify the vSAN health and resynchronization status.

a Select the vSAN cluster in the VI workload domain and click the Monitor tab.

b In the left pane, navigate to vSAN > Skyline health and verify the status of each vSAN
health check category.

c In the left pane, navigate to vSAN > Resyncing objects and verify that all synchronization
tasks are complete.

7 If a vSAN cluster has vSphere HA turned on by design, start vSphere HA.

a Select the vSAN cluster and click the Configure tab.

b In the left pane, select Services > vSphere Availability and click the Edit button.

c In the Edit Cluster Settings dialog box, turn on vSphere HA and click OK.


8 Verify that the Kubernetes services are started.

a Log in to the VI workload domain vCenter Server by using a Secure Shell (SSH) client as
root.

b To switch to the Bash shell, run the shell command.

c Run the command.

vmon-cli -s wcp

The command returns RunState: STARTED

Start the vSphere Cluster Services for a Virtual Infrastructure Workload Domain
with vSphere with Tanzu
You start the vSphere Cluster Services (vCLS) virtual machines in a VI workload domain with
vSphere with Tanzu by deactivating the retreat mode on the target cluster. Starting the vCLS
virtual machines makes vSphere DRS and vSphere HA available to the workloads running on the
clusters in the workload domain again.

Perform this operation on all vSAN clusters in the other workload domains with vSphere with
Tanzu.

Procedure

1 Log in to the VI workload domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the Hosts and clusters inventory, expand the tree of the VI workload domain vCenter
Server and expand the data center for the VI workload domain.

3 Select the cluster on which vCLS must be started.

4 Copy the cluster domain ID domain-c(cluster_domain_id) from the URL of the browser.

When you navigate to a cluster in the vSphere Client, the URL is similar to this one:

https://<fqdn-of-vCenter-server>/ui/app/cluster;nav=h/urn:vmomi:ClusterComputeResource:domain-c8:eef257af-fa50-455a-af7a-6899324fabe6/summary

You copy only domain-c8.

5 In the Hosts and clusters inventory, select the vCenter Server instance for the management
domain or the VI workload domain and click the Configure tab.

6 Under Advanced Settings, click the Edit Settings button.

7 Locate the config.vcls.clusters.domain-c(number).enabled property for the cluster domain ID
from Step 4 and set it to true.

8 Click Save.


Start the NSX Manager Virtual Machines


You begin powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the three-node NSX Manager cluster by using the vSphere Client.

Procedure

1 Log in to the management domain vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Power on the NSX Manager nodes for the management domain or the VI workload domain.

a Right-click the primary NSX Manager node and select Power > Power on.

b Repeat the steps to power on the remaining NSX Manager nodes.

This operation takes several minutes to complete, until the NSX Manager cluster becomes
fully operational again and its user interface is accessible.

4 Log in to NSX Manager for the management domain or VI workload domain at https://<nsxt_manager_cluster_fqdn> as admin.

5 Verify the system status of NSX Manager cluster.

a On the main navigation bar, click System.

b In the left pane, navigate to Configuration > Appliances.

c On the Appliances page, verify that the NSX Manager cluster has a Stable status and all
NSX Manager nodes are available.

Start the NSX Edge Nodes


You continue powering on the NSX infrastructure in the management domain or in a VI workload
domain by starting the NSX Edge nodes by using the vSphere Client.

Procedure

1 Log in to vCenter Server for the management or VI workload domain at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 In the VMs and templates inventory, expand the tree of workload domain vCenter Server and
expand data center for the workload domain.

3 Right-click an NSX Edge virtual machine from the edge cluster and select Power > Power on.

This operation takes several minutes to complete.

4 Repeat these steps to power on the remaining NSX Edge nodes.

3 Password Policy Configuration for VMware Cloud Foundation

Configuring password policies includes the configuration of password expiration, complexity and
account lockout policies according to the requirements of your organization which might be
based on industry compliance standards. In VMware Cloud Foundation, this activity is performed
manually.

Password Policy Configuration and Password Management


VMware Cloud Foundation does not prescribe or automate the process of configuring
a password policy across the system. However, your organization might have specific
requirements defined either by the organization itself or through an industry compliance
standard that prescribes the changes that you must make to the default policy configuration.

After you configure the password policy, you can use SDDC Manager to rotate or manually
update the passwords of the management components in VMware Cloud Foundation by using
automation. See Password Management in VMware Cloud Foundation Administration Guide.

For information about password policy design including the details and justification for
the configuration of password expiration, complexity and account lockout policies, see the
Information Security and Access Control Design for VMware Cloud Foundation in the Identity
and Access Management for VMware Cloud Foundation validated solution.


Table 3-1. Password Policies Support in the Management Components of VMware Cloud Foundation

Password Policy        Support by Management Component
Password expiration    ESXi, vCenter Single Sign-On, vCenter Server, NSX Manager, NSX Edge, SDDC Manager
Password complexity    ESXi, vCenter Single Sign-On, vCenter Server, NSX Manager, NSX Edge, SDDC Manager
Account lockout        ESXi, vCenter Single Sign-On, vCenter Server, NSX Manager, NSX Edge, SDDC Manager

Manual and Automated Password Policy Configuration


To configure password policies in VMware Cloud Foundation, you can follow a step-by-step
approach by using product user interface or an automated approach by running PowerShell
commands that are available in the VMware.CloudFoundation.PasswordManagement module in
PowerShell Gallery.

To learn more about, provide feedback on, report an issue with, or contribute to the
VMware.CloudFoundation.PasswordManagement module, go to the
VMware.CloudFoundation.PasswordManagement open-source project on GitHub.

Approaches to Password Policy Configuration


For initial configuration of the password policy in VMware Cloud Foundation, you usually
configure all password policies on a management component and then proceed with the next
one. You can also configure a specific property in a password policy across several management
components.


Table 3-2. Password Policy Configuration by Management Component

Management Component: ESXi
- Configure the Local User Password Expiration Policy for ESXi
- Configure the Local User Password Complexity Policy for ESXi
- Configure the Local Account Lockout Policy for ESXi

Management Component: vCenter Single Sign-On
- Configure the Password Expiration Policy for vCenter Single Sign-On
- Configure the Password Complexity Policy for vCenter Single Sign-On
- Configure the Account Lockout Policy for vCenter Single Sign-On

Management Component: vCenter Server
- Password expiration policy
  - Configure the Global Password Expiration Policy for vCenter Server
  - Configure the root User Password Expiration Policy for vCenter Server
- Configure the Local User Password Complexity Policy for vCenter Server
- Configure the root User Account Lockout Policy for vCenter Server

Management Component: NSX Manager
- Configure the Local User Password Expiration Policy for NSX Manager
- Configure the Local User Password Complexity Policy for NSX Manager
- Configure the Local User Account Lockout Policy for NSX Manager

Management Component: NSX Edge
- Configure the Local User Password Expiration Policy for NSX Edge
- Configure the Local User Password Complexity Policy for NSX Edge
- Configure the Local User Account Lockout Policy for NSX Edge

Management Component: SDDC Manager
- Configure the Local User Password Expiration Policy for SDDC Manager
- Configure the Local User Password Complexity Policy for SDDC Manager
- Configure the Local User Account Lockout Policy for SDDC Manager

Prerequisites

To perform the configuration associated with password policy configuration, verify that your
system fulfills the following prerequisites.

Category                 Prerequisite
Environment              Verify that your VMware Cloud Foundation instance is healthy and fully operational.
Infrastructure-as-code   To use the infrastructure-as-code method for password policy configuration, verify that
                         your system fulfills the prerequisites described in the documentation of the
                         VMware.CloudFoundation.PasswordManagement open-source project on GitHub.

Read the following topics next:

- Configuring Password Expiration Policies in VMware Cloud Foundation

- Configuring Password Complexity Policies in VMware Cloud Foundation

- Configuring Account Lockout Policies in VMware Cloud Foundation

Configuring Password Expiration Policies in VMware Cloud Foundation

A password expiration policy defines the period of time an account’s password can be used
before the system enforces a password change. According to the management component of
the VMware Cloud Foundation instance, you define this policy at the global level or at a local user
level.

Management Component     Password Expiration Settings              Scope
ESXi                     Password expiration interval (days)       Local users
vCenter Single Sign-On   Password expiration interval (days)       Global
vCenter Server           - Password expiration interval (days)     - Global
                         - Password expiration reminder (days)     - Local users
                         - Expiry notification email address
NSX Manager              Password expiration interval (days)       Local users
NSX Edge                 Password expiration interval (days)       Local users
SDDC Manager             - Password expiration interval (days)     Local users
                         - Password expiration reminder (days)

Prerequisites
See Prerequisites.


Configure the Local User Password Expiration Policy for ESXi


Define the interval of time before the password of a local user on an ESXi host in VMware Cloud
Foundation expires and a change is enforced.

Setting                    Default Value
Security.PasswordMaxDays   99999

Prerequisites
If you plan to reduce the expiration period of a local account's password, rotate the password of
the account by using SDDC Manager. See Rotate Passwords.

The password expiration date is determined by adding the password expiration period to the
date of the last password change. If the time since the last password change is greater than the
new expiration period, the password expires immediately.
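
The following PowerShell function, added here as an example and not taken from this guide or from the VMware.CloudFoundation.PasswordManagement module, applies that rule to a constructed set of ESXi root accounts: it adds the proposed Security.PasswordMaxDays value to each account's last password change date and reports which passwords would expire at once and must be rotated in SDDC Manager first. Host names, dates, and the function name are constructed for the example.

```powershell
# Added example, not from the guide or the PasswordManagement module.
# Reports which local account passwords would expire immediately, or within
# the warning window, if Security.PasswordMaxDays is lowered to $NewMaxDays.
function Get-PasswordExpirationImpact {
    param (
        # Objects with HostName, Account and LastChanged (DateTime) properties
        [Parameter(Mandatory)] [object[]] $Accounts,
        # The value you intend to set for Security.PasswordMaxDays
        [Parameter(Mandatory)] [int] $NewMaxDays,
        # Accounts expiring within this many days are flagged for rotation
        [int] $WarningDays = 7,
        # Reference date; a parameter so that the result is reproducible
        [datetime] $AsOf = (Get-Date)
    )
    foreach ($acct in $Accounts) {
        # Expiration date = date of the last password change + expiration period
        $expiresOn = $acct.LastChanged.AddDays($NewMaxDays)
        $daysLeft  = [int][math]::Floor(($expiresOn - $AsOf).TotalDays)
        if ($daysLeft -le 0) {
            # Time since the last change already exceeds the new period:
            # the password expires as soon as the policy is applied
            $status = 'ExpiresImmediately'
            $action = 'Rotate the password in SDDC Manager before lowering Security.PasswordMaxDays'
        } elseif ($daysLeft -le $WarningDays) {
            $status = 'ExpiresSoon'
            $action = 'Schedule a rotation in SDDC Manager; expiry falls inside the warning window'
        } else {
            $status = 'Ok'
            $action = 'No action required'
        }
        [pscustomobject]@{
            HostName    = $acct.HostName
            Account     = $acct.Account
            LastChanged = $acct.LastChanged.ToString('yyyy-MM-dd')
            ExpiresOn   = $expiresOn.ToString('yyyy-MM-dd')
            DaysLeft    = $daysLeft
            Status      = $status
            Action      = $action
        }
    }
}

# Constructed sample data: root accounts on three ESXi hosts of one cluster,
# evaluated as of 2024-08-01 for a proposed expiration period of 90 days.
$asOf = [datetime]'2024-08-01'
$sampleAccounts = @(
    [pscustomobject]@{ HostName = 'sfo01-m01-esx01.sfo.rainpole.io'; Account = 'root'; LastChanged = [datetime]'2024-02-10' }
    [pscustomobject]@{ HostName = 'sfo01-m01-esx02.sfo.rainpole.io'; Account = 'root'; LastChanged = [datetime]'2024-05-06' }
    [pscustomobject]@{ HostName = 'sfo01-m01-esx03.sfo.rainpole.io'; Account = 'root'; LastChanged = [datetime]'2024-07-20' }
)

$impact = Get-PasswordExpirationImpact -Accounts $sampleAccounts -NewMaxDays 90 -AsOf $asOf
$impact | Format-Table HostName, Account, LastChanged, ExpiresOn, DaysLeft, Status -AutoSize

# Accounts that must be rotated before the policy change is applied
$impact | Where-Object Status -eq 'ExpiresImmediately' | Select-Object HostName, Account, Action
```

With the sample data, esx01 (last changed 2024-02-10) is reported as ExpiresImmediately, esx02 as ExpiresSoon, and esx03 as Ok.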

UI Procedure
1 Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

2 In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.

3 Select the first ESXi host and click the Configure tab.

4 In the System section, click Advanced system settings.

5 On the Advanced system settings page, click Edit.

6 In the key filter text box, enter Security.PasswordMaxDays, enter a value for the setting
according to the requirements of your organization, and click OK.

7 Repeat this procedure on the remaining hosts in the cluster.

8 Repeat this procedure on all remaining clusters in the workload domain.

9 Repeat this procedure for all clusters in the remaining workload domains.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"
$cluster = "sfo-m01-cl01"

$maxDays = "99999"


3 Perform the configuration by running the command in the PowerShell console.

Update-EsxiPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -maxDays $maxDays

4 Repeat this procedure for all remaining clusters in the $sddcDomainName workload domain.

5 Repeat this procedure for all clusters in the remaining workload domains.

Configure the Password Expiration Policy for vCenter Single Sign-On


Define the interval of time before the password of a user account in the vsphere.local domain in
VMware Cloud Foundation expires and a change is enforced.

The password expiration policy applies only to the user accounts in the vsphere.local domain for
the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system
accounts and administrator@vsphere.local.

Note SDDC Manager creates dedicated service accounts within the vCenter Single Sign-On
built-in identity provider. Changing the password expiration policy affects these service accounts
too.

Setting            Default Value
Maximum lifetime   90

UI Procedure
1 Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

2 From the vSphere Client Menu, select Administration.

3 In the Single sign on section, click Configuration.

4 On the Configuration page, click the Local accounts tab.

5 In the Password policy section, click Edit.

6 Enter a value for the Maximum lifetime setting according to the requirements of your
organization and click Save.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"


$sddcDomainName = "sfo-m01"

$maxDays = "90"

3 Perform the configuration by running the command in the PowerShell console.

Update-SsoPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxDays $maxDays

Configure the Global Password Expiration Policy for vCenter Server

Define globally the interval of time before the passwords of the local user accounts on a vCenter
Server appliance in VMware Cloud Foundation expire and a change is enforced.

Setting                                              Default Value
Maximum number of days between password change       90
Minimum number of days between password change       0
Number of days of warning before password expires    7

You can configure the global password expiration policy for vCenter Server only by using the
API.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxDays = "90"
$minDays = "0"
$warningDays = "7"

3 Perform the configuration by running the command in the PowerShell console.

Update-VcenterPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxDays $maxDays -minDays $minDays -warnDays $warningDays

4 Repeat this procedure for the remaining workload domains.


Configure the root User Password Expiration Policy for vCenter Server

Define the interval of time before the password of the root account of the vCenter Server
appliances in VMware Cloud Foundation expires and a change is enforced.

Setting                                              Default Value
Password validity (days)                             90
Email for expiration warning                         -
Number of days of warning before password expires    7

Prerequisites
Configure the target vCenter Server instance with a sending email account under Settings >
General on the Configure tab in the vSphere Client.

UI Procedure
1 Log in to the vCenter Server Management Interface at https://<vcenter_server_fqdn>:5480 as root.

2 In the navigation pane, click Administration.

3 In the Password expiration settings section, click Edit.

4 Configure the settings according to the requirements of your organization and click Save.

5 Log in to the vCenter Server appliance console using SSH as root.

6 Enable shell access.

shell

7 Change the number of days of warning before password expires value using the following
command.

chage --warndays <your_value> root

8 Repeat this procedure for all remaining workload domains.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"


$email = "admin@rainpole.io"
$maxDays = "90"
$warningDays = "7"

3 Perform the configuration by running the command in the PowerShell console.

Update-VcenterRootPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -email $email -maxDays $maxDays -warnDays $warningDays

4 Repeat this procedure for all remaining workload domains.

Configure the Local User Password Expiration Policy for NSX Manager

Configure the password expiration policy for NSX Manager local users in VMware Cloud
Foundation. You configure the policy on a per-user basis for the built-in NSX accounts.

User         Setting                                          Default Value
root         Maximum number of days between password change   90
admin        Maximum number of days between password change   90
audit        Maximum number of days between password change   90
guestuser1   Maximum number of days between password change   90
guestuser2   Maximum number of days between password change   90

UI Procedure
1 Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Expand the VM folder containing the NSX Manager cluster for the management domain.

4 Select the first node of the NSX Manager cluster and click Launch web console.

5 Log in to the NSX Manager node as admin.

6 Change the maximum number of days between password change using the following
command.

set user root password-expiration <your_value>

The change is replicated to the other nodes in the NSX Manager cluster.

7 Repeat this procedure for the remaining local accounts.


8 Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.

9 Repeat this procedure on all NSX Global Manager clusters.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxDays = "90"

3 Perform the configuration by running the command in the PowerShell console.

Update-NsxtManagerPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxDays $maxDays

4 Repeat this procedure for the NSX Local Manager clusters for all VI workload domains.

5 Configure the password expiration policies on all NSX Global Manager clusters manually in the
appliance console of the first node of each cluster.

Configure the Local User Password Expiration Policy for NSX Edge
Configure password expiration for NSX Edge local users in VMware Cloud Foundation. You
configure it on a per-user basis for the built-in NSX accounts.

User         Setting                                          Default Value
root         Maximum number of days between password change   90
admin        Maximum number of days between password change   90
audit        Maximum number of days between password change   90
guestuser1   Maximum number of days between password change   90
guestuser2   Maximum number of days between password change   90


UI Procedure
1 If you are configuring an NSX Edge virtual appliance, open the appliance console by using the
Web console in the vSphere Client.

a Log in to the vCenter Server instance for the workload domain at https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

b In the VMs and templates inventory, navigate to and expand the VM folder containing the
NSX Edge nodes for the workload domain.

c Select the first node of the NSX Edge cluster and click Launch web console.

2 If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using
an out-of-band management interface, such as iLO or iDRAC.

3 Log in to the NSX Edge node as admin.

4 Change the maximum number of days between password change using the following
command.

set user root password-expiration <your_value>

5 Repeat this procedure for the remaining local accounts.

6 Repeat this procedure on the remaining NSX Edge nodes in the cluster of the workload
domain.

7 Repeat this procedure on all NSX Edge clusters in the remaining workload domains.

PowerShell Procedure
You can use the PowerShell command for configuring the password expiration policies only on
the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager.
For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge
appliances, configure the policies manually according to the NSX documentation.

1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxDays = "90"

3 Perform the configuration by running the command in the PowerShell console.

Update-NsxtEdgePasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -maxDays $maxDays

4 Repeat this procedure for all NSX Edge clusters in the remaining workload domains.


Configure the Local User Password Expiration Policy for SDDC Manager

Configure password expiration for SDDC Manager on a per-user basis for local users.

User     Setting                                             Default Value
root     Maximum number of days between password change      90
         Minimum number of days between password change      0
         Number of days of warning before password expires   7
vcf      Maximum number of days between password change      90
         Minimum number of days between password change      0
         Number of days of warning before password expires   7
backup   Maximum number of days between password change      90
         Minimum number of days between password change      0
         Number of days of warning before password expires   7

UI Procedure
1 Log in to the SDDC Manager appliance using SSH as vcf.

2 Change to the root user.

su -

3 Change the maximum number of days between password change using the following
command.

chage --maxdays <your_value> root

4 Change the minimum number of days between password change using the following
command.

chage --mindays <your_value> root

5 Change the number of days of warning before password expires using the following
command.

chage --warndays <your_value> root


6 Repeat this procedure for the remaining local accounts.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

# Replace with the name of your management domain
$sddcDomainName = "sfo-m01"

$vmName = "sfo-vcf01"
$guestUser = "root"
$guestPassword = "VMw@re1!"
$localUsers = @("root","vcf","backup")

$maxDays = "90"
$minDays = "0"
$warningDays = "7"

3 Perform the configuration by running the command in the PowerShell console.

Update-LocalUserPasswordExpiration -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -vmName $vmName -guestUser $guestUser -guestPassword $guestPassword -localUser $localUsers -minDays $minDays -maxDays $maxDays -warnDays $warningDays

Configuring Password Complexity Policies in VMware Cloud Foundation

A password complexity policy defines the minimum requirements for the definition of an
account’s password. The settings are different according to the account type and component
of the VMware Cloud Foundation instance.


Management Component     Password Complexity Settings                            Scope
ESXi                     - Minimum length                                        Local user
                         - Minimum lowercase characters
                         - Minimum uppercase characters
                         - Minimum numeric characters
                         - Minimum special characters
                         - Minimum unique passwords before reuse
vCenter Single Sign-On   - Minimum length                                        vCenter Single Sign-On domain
                         - Maximum length
                         - Minimum alphabetic characters
                         - Minimum lowercase characters
                         - Minimum uppercase characters
                         - Minimum numeric characters
                         - Minimum special characters
                         - Maximum consecutive identical characters
                         - Minimum unique passwords before reuse
vCenter Server           - Minimum length                                        Local user
                         - Minimum lowercase characters
                         - Minimum uppercase characters
                         - Minimum numeric characters
                         - Minimum special characters
                         - Minimum unique passwords before reuse
NSX Manager              - Minimum length                                        Local user
                         - Minimum lowercase characters
                         - Minimum uppercase characters
                         - Minimum numeric characters
                         - Minimum special characters
                         - Minimum characters different from the old password
NSX Edge                 - Minimum length                                        Local user
                         - Minimum lowercase characters
                         - Minimum uppercase characters
                         - Minimum numeric characters
                         - Minimum special characters
                         - Minimum characters different from the old password
SDDC Manager             - Minimum length                                        Local user
                         - Minimum lowercase characters
                         - Minimum uppercase characters
                         - Minimum numeric characters
                         - Minimum special characters
                         - Minimum characters different from the old password
                         - Minimum unique passwords before reuse

Prerequisites
See Prerequisites.

Configure the Local User Password Complexity Policy for ESXi
Define the requirements for local user passwords for the ESXi hosts in VMware Cloud Foundation,
including required password length, character class requirements, or allowing passphrases.

Setting Default Value

Security.PasswordHistory 0

Security.PasswordQualityControl retry=3 min=disabled,disabled,disabled,7,7

For information about the format of the Security.PasswordQualityControl settings, see ESXi
Passwords and Account Lockout in the vSphere Security documentation.

UI Procedure
1 Log in to the vCenter Server instance for the workload domain at
https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

2 In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.

3 Select the first ESXi host and click the Configure tab.

4 In the System section, click Advanced system settings.

5 On the Advanced system settings page, click Edit.

6 In the key filter text box, enter Security.PasswordHistory and configure the setting
according to the requirements of your organization.

7 In the key filter text box, enter Security.PasswordQualityControl, enter values for the
settings according to the requirements of your organization, and click OK.

8 Repeat this procedure on all remaining hosts in the cluster.

9 Repeat this procedure on all remaining clusters in the workload domain.

10 Repeat this procedure for all the other workload domains and their clusters.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"
$cluster = "sfo-m01-cl01"

$policy = "retry=3 min=disabled,disabled,disabled,7,7"
$history = "3"

3 Perform the configuration by running the command in the PowerShell console.

Update-EsxiPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -policy $policy -history $history

4 Repeat this procedure on all remaining clusters in the $sddcDomainName workload domain.

5 Repeat this procedure for all clusters in the remaining workload domains.

Configure the Password Complexity Policy for vCenter Single Sign-On
Define the password format requirements for the vCenter Single Sign-On built-in identity provider
for VMware Cloud Foundation.

The password complexity policy applies only to user accounts in the vsphere.local domain of
the vCenter Single Sign-On built-in identity provider. The policy does not apply to local system
accounts and administrator@vsphere.local.

Setting                        Default Value
Restrict reuse                 5
Maximum length                 20
Minimum length                 8
Special characters             1
Alphabetic characters          2
Uppercase characters           1
Lowercase characters           1
Numeric characters             1
Identical adjacent characters  1

UI Procedure
1 Log in to the vCenter Server instance for the workload domain at
https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

2 From the vSphere Client Menu, select Administration.

3 In the Single Sign On section, click Configuration.

4 On the Configuration page, click the Local accounts tab.

5 In the Password policy section, click Edit.

6 Modify the settings according to the requirements of your organization and click Save.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$minLength = "8"
$maxLength = "20"
$minAlphabetic = "2"
$minLowercase = "1"
$minUppercase = "1"
$minNumerical = "1"
$minSpecial = "1"
$maxIdenticalAdjacent = "1"
$history = "5"

3 Perform the configuration by running the command in the PowerShell console.

Update-SsoPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -maxLength $maxLength -minAlphabetic $minAlphabetic -minLowercase $minLowercase -minUppercase $minUppercase -minNumeric $minNumerical -minSpecial $minSpecial -maxIdenticalAdjacent $maxIdenticalAdjacent -history $history

Configure the Local User Password Complexity Policy for vCenter Server
Define the password format requirements for the local users of the vCenter Server appliances in
VMware Cloud Foundation, such as the root account.

Setting Default Value Description

minlen 6 Minimum password length

lcredit -1 Maximum number of lowercase characters that will generate a credit

ucredit -1 Maximum number of uppercase characters that will generate a credit

dcredit -1 Maximum number of digits that will generate a credit

ocredit -1 Maximum number of other characters that will generate a credit

difok 4 Minimum number of characters that must be different from the old password

remember 5 Maximum number of passwords the system remembers

UI Procedure
1 Log in to the vCenter Server appliance for a workload domain using SSH as root.

2 Enable shell access.

shell

3 Back up the password requirements for the appliance by using the following command.

cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back

4 Verify that all settings for configuring password requirements for vCenter Server local users
are added in the /etc/pam.d/system-password file.

# Begin /etc/pam.d/system-password

# use sha512 hash for encryption, use shadow, and try to use any previously
# defined authentication token (chosen password) set by any prior module
password requisite pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=6 difok=4 enforce_for_root
password required pam_pwhistory.so remember=5 retry=3 enforce_for_root use_authtok
password required pam_unix.so sha512 use_authtok shadow try_first_pass
# End /etc/pam.d/system-password

5 If some settings are missing in the /etc/pam.d/system-password file, add them manually.

6 After all required settings are added in the /etc/pam.d/system-password file, set their
values according to the requirements of your organization using the following commands.

sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password

7 Repeat this procedure on the vCenter Server instances for the remaining workload domains.

PowerShell Procedure
1 Start Windows PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$minLength = "6"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumeric = "-1"
$minSpecial = "-1"
$minUnique = "4"
$history = "5"

3 Perform the configuration by running the command in the PowerShell console.

Update-VcenterPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumeric -minSpecial $minSpecial -minUnique $minUnique -history $history

4 Repeat this procedure for all VI workload domains.

Configure the Local User Password Complexity Policy for NSX Manager
Define the password format requirements for local users of the NSX Manager appliances in
VMware Cloud Foundation.

Setting           Default Value  Description
minlen            12             Minimum password length. Note: If your password policy requires
                                 setting the minimum password length to a value greater than 20,
                                 you cannot use password rotation in SDDC Manager.
lcredit           -1             Maximum number of lowercase characters that will generate a credit
ucredit           -1             Maximum number of uppercase characters that will generate a credit
dcredit           -1             Maximum number of digits that will generate a credit
ocredit           -1             Maximum number of other characters that will generate a credit
difok             0              Minimum number of characters that must be different from the old password
MAX_PASSWORD_LEN  128            Maximum password length
maxrepeat         0              Maximum number of consecutive characters allowed
maxsequence       0              Maximum number of times a single character may be repeated
remember          0              Maximum number of passwords the system remembers
hash_algorithm    sha512         Hash algorithm

UI Procedure
1 Log in to vCenter Server at https://<vcenter_server_fqdn>/ui as administrator@vsphere.local.

2 Expand the VM folder containing the NSX Manager cluster for the management domain.

3 Select the first node of the NSX Manager cluster and click Launch web console.

4 Log in to the NSX Manager node as admin.

5 Start changing the password complexity policy by running the set password-complexity
command.

6 In the prompt, set interactively the password complexity settings according to the
requirements of your organization.

Minimum password length (leave empty to not change): <your_value>
Maximum password length (leave empty to not change): <your_value>
Lower characters (leave empty to not change): <your_value>
Upper characters (leave empty to not change): <your_value>
Numeric characters (leave empty to not change): <your_value>
Special characters (leave empty to not change): <your_value>
Minimum unique characters (leave empty to not change): <your_value>
Allowed similar consecutives (leave empty to not change): <your_value>
Allowed monotonic sequence (leave empty to not change): <your_value>
Hash algorithm (leave empty to not change): <your_value>
Password remembrance (leave empty to not change): <your_value>

7 Repeat this procedure on the remaining NSX Local Manager nodes for the management
domain.

8 Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.

9 Repeat this procedure on all NSX Global Manager nodes.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$minLength = "12"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "0"
$maxLength = "128"
$maxRepeats = "0"
$maxSequence = "0"
$history = "0"
$hashAlgorithm = "sha512"

3 Perform the configuration by running the command in the PowerShell console.

Update-NsxtManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxLength $maxLength -maxRepeats $maxRepeats -maxSequence $maxSequence -history $history -hash_algorithm $hashAlgorithm

4 Repeat this procedure on the NSX Local Manager clusters for all VI workload domains.

5 Configure the password complexity policies on all NSX Global Manager clusters manually in
the appliance console of each node.

Configure the Local User Password Complexity Policy for NSX Edge
Define the password format requirements for local users on the NSX Edge appliance in VMware
Cloud Foundation.

Setting  Default Value  Description
minlen   15             Minimum password length. Note: If your password policy requires setting
                        the minimum password length to a value greater than 20, you cannot use
                        password rotation in SDDC Manager.
lcredit  -1             Maximum number of lowercase characters that will generate a credit
ucredit  -1             Maximum number of uppercase characters that will generate a credit
dcredit  -1             Maximum number of digits that will generate a credit
ocredit  -1             Maximum number of other characters that will generate a credit
difok    0              Minimum number of characters that must be different from the old password
retry    3              Maximum number of retries

UI Procedure
1 If you are configuring an NSX Edge virtual appliance, open the appliance console by using the
Web console in the vSphere Client.

a Log in to the vCenter Server instance for the workload domain at
https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

b In the VMs and templates inventory, navigate to and expand the VM folder containing the
NSX Edge cluster for the workload domain.

c Select the first node of the NSX Edge cluster and click Launch web console.

2 If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using
an out-of-band management interface, such as iLO or iDRAC.

3 Log in to the NSX Edge node as root.

4 Back up the password requirements for the appliance using the following command.

cp -p /etc/pam.d/common-password /etc/pam.d/common-password-`date +%F_%H:%M:%S`.back

5 Verify that all settings for configuring password requirements for NSX Edge local users are
added in the /etc/pam.d/common-password file.

#
# /etc/pam.d/common-password - password-related modules common to all services
#

# here are the per-package modules (the "Primary" block)
password requisite pam_cracklib.so retry=3 minlen=12 difok=0 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password required pam_pwhistory.so use_authtok enforce_for_root remember=0
password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
# here's the fallback if no module succeeds
password requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

6 If some settings are missing in the /etc/pam.d/common-password file, add them manually.

7 Set these settings according to the requirements of your organization using the following
commands.

sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/common-password
sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/common-password

8 Repeat this procedure on the remaining NSX Edge cluster nodes in the workload domain.

9 Repeat this procedure on all NSX Edge clusters in the remaining workload domains.

PowerShell Procedure
You can use the PowerShell command for configuring the password complexity policies only on
the NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager.
For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge
appliances, configure the policies manually according to the NSX documentation.

1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$minLength = "15"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "0"
$maxRetry = "3"

3 Perform the configuration by running the command in the PowerShell console.

Update-NsxtEdgePasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -maxRetry $maxRetry

4 Repeat this procedure for all NSX Edge clusters in the remaining workload domains.

Configure the Local User Password Complexity Policy for SDDC Manager
Define the password format requirements for local users of the SDDC Manager appliance.

Setting      Default Value  Description
minlen       15             Minimum password length
lcredit      -1             Maximum number of lowercase characters that will generate a credit
ucredit      -1             Maximum number of uppercase characters that will generate a credit
dcredit      -1             Maximum number of digits that will generate a credit
ocredit      -1             Maximum number of other characters that will generate a credit
minclass     4              Minimum number of character types that must be used (that is,
                            uppercase, lowercase, digits, other)
difok        4              Minimum number of characters that must be different from the old password
retry        3              Maximum number of retries
maxsequence  0              Maximum number of times a single character may be repeated
remember     5              Maximum number of passwords the system remembers

UI Procedure
1 Log in to the SDDC Manager appliance using SSH as vcf.

2 Change to the root user.

su -

3 Back up the password requirements for the appliance by using the following command.

cp -p /etc/pam.d/system-password /etc/pam.d/system-password-`date +%F_%H:%M:%S`.back

4 Verify that all settings for configuring password requirements for SDDC Manager users are
added in the /etc/pam.d/system-password file.

# Begin /etc/pam.d/system-password

password required pam_pwhistory.so remember=5 retry=5 enforce_for_root use_authtok
password required pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=7 difok=4 minclass=4 maxsequence=0 enforce_for_root
password required pam_unix.so sha512 shadow use_authtok

# End /etc/pam.d/system-password

5 If some settings are missing in the /etc/pam.d/system-password file, add them manually.

6 After all required settings are added in the /etc/pam.d/system-password file, set their
values according to the requirements of your organization using the following commands.

sed -i -E 's/dcredit=[-]?[0-9]+/dcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ucredit=[-]?[0-9]+/ucredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/lcredit=[-]?[0-9]+/lcredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/ocredit=[-]?[0-9]+/ocredit=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/minlen=[-]?[0-9]+/minlen=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/difok=[-]?[0-9]+/difok=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/retry=[-]?[0-9]+/retry=<your_value>/g' /etc/pam.d/system-password
sed -i -E 's/remember=[-]?[0-9]+/remember=<your_value>/g' /etc/pam.d/system-password
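The sed commands in this step, and in the equivalent steps for vCenter Server (/etc/pam.d/system-password) and NSX Edge (/etc/pam.d/common-password), rewrite an option only when it is already on the module line; an option that is missing stays missing, which is why the guide first asks you to verify the file. The following POSIX shell helpers are an added example, not code from the guide or from the PowerValidatedSolutions module: they read, set (replace or append) and verify options on a PAM password stack, and they run here against a constructed copy of the SDDC Manager file rather than the live appliance.

```shell
#!/bin/sh
# Added example (not from the guide or the PowerValidatedSolutions module):
# idempotent get/set/check of module options on a PAM password stack such as
# /etc/pam.d/system-password (vCenter Server, SDDC Manager) or
# /etc/pam.d/common-password (NSX Edge).
# "sed -i 's/minlen=[-]?[0-9]+/minlen=N/'" rewrites an option only when it is
# already on the line; pam_set_option also appends a missing option, and
# pam_check reports drift from the values your policy requires.

# pam_get_option FILE MODULE KEY
# Prints the value of KEY on the first "password ... MODULE" line that has it.
# Exit status 1 if no such line carries the option.
pam_get_option() {
    awk -v mod="$2" -v key="$3" '
        !found && $1 == "password" && index($0, mod) {
            for (i = 2; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && kv[1] == key) { print kv[2]; found = 1 }
            }
        }
        END { if (found) exit 0; exit 1 }' "$1"
}

# pam_set_option FILE MODULE KEY VALUE
# Rewrites KEY=VALUE on the first "password ... MODULE" line, appending the
# option if it is absent. The result is written back with "cat > FILE" so the
# ownership and mode of the file are kept. Exit status 1 if no MODULE line
# exists; the file is then left untouched.
pam_set_option() {
    file=$1
    tmp=$(mktemp) || return 1
    awk -v mod="$2" -v key="$3" -v val="$4" '
        !done && $1 == "password" && index($0, mod) {
            hit = 0
            for (i = 2; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n == 2 && kv[1] == key) { $i = key "=" val; hit = 1 }
            }
            if (!hit) $0 = $0 " " key "=" val
            done = 1
        }
        { print }
        END { if (done) exit 0; exit 1 }' "$file" > "$tmp"
    rc=$?
    [ "$rc" -eq 0 ] && cat "$tmp" > "$file"
    rm -f "$tmp"
    return $rc
}

# pam_check FILE MODULE KEY=EXPECTED ...
# Prints "KEY current expected" for each setting that is missing or differs.
# Exit status 0 when every setting matches, 1 otherwise.
pam_check() {
    file=$1
    module=$2
    shift 2
    bad=0
    for want in "$@"; do
        key=${want%%=*}
        want_val=${want#*=}
        cur=$(pam_get_option "$file" "$module" "$key") || cur="(missing)"
        if [ "$cur" != "$want_val" ]; then
            echo "$key $cur $want_val"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample modelled on the SDDC Manager stack shown above, with
# difok missing and minlen below the default of 15 from the table.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
# Begin /etc/pam.d/system-password
password required pam_pwhistory.so remember=5 retry=5 enforce_for_root use_authtok
password required pam_pwquality.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minlen=7 minclass=4 maxsequence=0 enforce_for_root
password required pam_unix.so sha512 shadow use_authtok
# End /etc/pam.d/system-password
EOF

echo "--- drift before remediation (key current expected)"
pam_check "$demo_file" pam_pwquality.so minlen=15 difok=4 minclass=4 || echo "non-compliant"
pam_set_option "$demo_file" pam_pwquality.so minlen 15
pam_set_option "$demo_file" pam_pwquality.so difok 4
echo "--- after remediation"
pam_check "$demo_file" pam_pwquality.so minlen=15 difok=4 minclass=4 && echo "compliant"
grep pam_pwquality "$demo_file"
rm -f "$demo_file"
```

On an appliance, run the check first with the values from the table for that component; only lines it reports need a set, and re-running the check afterwards confirms the file matches the policy you intended.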

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

# Replace with the name of your management domain
$sddcDomainName = "sfo-m01"

$rootPass = "VMw@re1!"
$minLength = "15"
$minLowercase = "-1"
$minUppercase = "-1"
$minNumerical = "-1"
$minSpecial = "-1"
$minUnique = "4"
$minClass = "4"
$maxSequence = "0"
$history = "5"
$maxRetry = "3"

3 Perform the configuration by running the command in the PowerShell console.

Update-SddcManagerPasswordComplexity -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -rootPass $rootPass -minLength $minLength -minLowercase $minLowercase -minUppercase $minUppercase -minNumerical $minNumerical -minSpecial $minSpecial -minUnique $minUnique -minClass $minClass -maxSequence $maxSequence -history $history -maxRetry $maxRetry

Configuring Account Lockout Policies in VMware Cloud Foundation
An account lockout policy defines the behaviour of the system when incorrect credentials are
used to authenticate to the system. The settings are different according to the account type and
component of the VMware Cloud Foundation instance.

Management Component (Scope): Account Lockout Settings

ESXi (Local user):
- Maximum failure attempts
- Account lockout duration (seconds)

vCenter Single Sign-On (vCenter Single Sign-On domain):
- Maximum failure attempts
- Failed attempt interval (seconds)
- Account lockout duration (seconds)

vCenter Server (Local user):
- Maximum failure attempts
- Account lockout duration (seconds)
- Root account lockout duration (seconds)

NSX Manager (Local user):
- Maximum failure attempts
- Account lockout duration (seconds)
- Account reset duration (seconds)

NSX Edge (Local user):
- Maximum failure attempts
- Account lockout duration (seconds)

SDDC Manager (Local user):
- Maximum failure attempts
- Account lockout duration (seconds)
- Root account lockout duration (seconds)

Prerequisites
See Prerequisites.

Configure the Local Account Lockout Policy for ESXi
Set the maximum number of failed login attempts and the time that must pass before a local
account on an ESXi host in VMware Cloud Foundation is automatically unlocked.

Setting Default Value

Security.AccountLockFailures 5

Security.AccountUnlockTime 900

UI Procedure
1 Log in to the vCenter Server instance for the workload domain at
https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

2 In the Hosts and clusters inventory, navigate to and expand the first vSphere cluster.

3 Select the first ESXi host and click the Configure tab.

4 In the System section, click Advanced system settings.

5 On the Advanced system settings page, click Edit.

6 In the key filter text box, enter Security.AccountLockFailures and enter a value
according to the requirements of your organization.

7 In the key filter text box, enter Security.AccountUnlockTime, enter a value according to
the requirements of your organization, and click OK.

8 Repeat this procedure on the remaining hosts in the cluster.

9 Repeat this procedure on the remaining clusters in the workload domain.

10 Repeat this procedure on all clusters in the remaining workload domains.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"
$cluster = "sfo-m01-cl01"

$maxFailures = "5"
$unlockInterval = "900"

3 Perform the configuration by running the command in the PowerShell console.

Update-EsxiAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cluster $cluster -failures $maxFailures -unlockInterval $unlockInterval

4 Repeat this procedure on all remaining clusters in the $sddcDomainName workload domain.

5 Repeat this procedure on all clusters in the remaining workload domains.

Configure the Account Lockout Policy for vCenter Single Sign-On
Set the maximum number of failed login attempts and the interval of time between failures for
a user account in the vsphere.local domain in VMware Cloud Foundation. Also set the time that
must pass before the account is automatically unlocked.

The lockout policy applies only to user accounts in the vCenter Single Sign-On built-in
identity provider vsphere.local. The policy does not apply to local system accounts and
administrator@vsphere.local.

Setting Default Value

Maximum number of failed login attempts 5

Time interval between failures 180 seconds

Unlock time 900 seconds

UI Procedure
1 Log in to the vCenter Server instance for the workload domain at
https://<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

2 From the vSphere Client Menu, select Administration.

3 In the Single sign on section, click Configuration.

4 On the Configuration page, click the Local accounts tab.

5 In the Lockout policy section, click Edit.

6 Enter values for the settings according to the requirements of your organization and click
Save.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxFailures = "5"
$failureAttemptInterval = "180"
$unlockInterval = "900"

3 Perform the configuration by running the command in the PowerShell console.

Update-SsoAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -failureInterval $failureAttemptInterval -unlockInterval $unlockInterval

Configure the root User Account Lockout Policy for vCenter Server
Set the maximum number of failed login attempts and the time that must pass before the
account is automatically unlocked for the root local account in the vCenter Server appliances
in VMware Cloud Foundation.

Setting Default Value

Maximum number of failed login attempts 3

Unlock time for root 300 seconds

Unlock time 900 seconds

UI Procedure
1 Log in to the vCenter Server appliance using SSH as root.

2 Enable shell access.

shell

3 Back up the authentication requirements for the appliance using the following command.

cp -p /etc/security/faillock.conf /etc/security/faillock.conf-`date +%F_%H:%M:%S`.back

4 Verify that all settings for configuring the account lockout policy for the root user are added
in the /etc/security/faillock.conf file.

If some properties are missing in the /etc/security/faillock.conf file, add them manually.

dir = /var/log/faillock
audit
silent
deny = 3
unlock_time = 1200
even_deny_root
root_unlock_time = 300
fail_interval = 900

5 To configure the lockout policy for the root user account, in the /etc/security/
faillock.conf file, set values to the following properties according to the requirements
of your organization and save the file.

Setting Property in /etc/security/faillock.conf

Maximum number of failed attempts deny

Unlock time for the root user account root_unlock_time

Unlock time for all local accounts unlock_time

6 Repeat this procedure for each workload domain vCenter Server.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$maxFailures = "5"
$rootUnlockInterval = "300"
$unlockInterval = "900"

3 Perform the configuration by running the command in the PowerShell console.

Update-VcenterAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -failures $maxFailures -unlockInterval $unlockInterval -rootUnlockInterval $rootUnlockInterval

4 Repeat this procedure for each workload domain vCenter Server.

Configure the Local User Account Lockout Policy for NSX Manager
Set the maximum number of failed login attempts and the time that must pass before an account
is automatically unlocked for the local users of the NSX Manager appliances in VMware Cloud
Foundation.

Method  Setting               Default Value
API     max-auth-failures     5
API     lockout-reset-period  180 seconds
API     lockout-period        900 seconds
CLI     max-auth-failures     5
CLI     lockout-period        900 seconds

UI Procedure
1 Log in to the management domain vCenter Server at
https://<management_vcenter_server_fqdn>/ui by using an account with Administrator
privileges.

2 In the VMs and templates inventory, expand the management domain vCenter Server tree
and expand the management domain data center.

3 Expand the VM folder containing the NSX Manager cluster.

4 Select the first node of the NSX Manager cluster and click Launch web console.

5 Log in to the NSX Manager node as admin.

6 To configure the account lockout policy for logging in or making an API request to the NSX
Manager UI according to your organization's requirements, run the following commands.

set auth-policy api lockout-period <lockout-period>
set auth-policy api lockout-reset-period <lockout-reset-period>
set auth-policy api max-auth-failures <auth-failures>

7 To configure the account lockout policy for logging in to the NSX CLI according to your
organization's requirements, run the following commands.

set auth-policy cli lockout-period <lockout-period>
set auth-policy cli max-auth-failures <auth-failures>

8 Repeat this procedure on the remaining NSX Local Manager nodes in the management
domain.

9 Repeat this procedure on the NSX Local Manager nodes for all VI workload domains.

10 Repeat this procedure on all NSX Global Manager clusters.

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$cliMaxFailures = "5"
$cliUnlockInterval = "900"
$apiMaxFailures = "5"
$apiUnlockInterval = "900"
$apiFailureInterval = "180"

3 Perform the configuration by running the command in the PowerShell console.

Update-NsxtManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -cliFailures $cliMaxFailures -cliUnlockInterval $cliUnlockInterval -apiFailures $apiMaxFailures -apiFailureInterval $apiFailureInterval -apiUnlockInterval $apiUnlockInterval

4 Repeat this procedure for all NSX Local Manager clusters in the VI workload domains.

5 Configure the account lockout policies on all NSX Global Manager clusters manually in the
appliance console of each node.

Configure the Local User Account Lockout Policy for NSX Edge
Set the maximum number of failed login attempts and the time that must pass before an account
is automatically unlocked for the local users of the NSX Edge appliances in VMware Cloud
Foundation.

Method   Setting             Default Value
CLI      max-auth-failures   5
         lockout-period      900 seconds

UI Procedure
1 If you are configuring an NSX Edge virtual appliance, open the appliance console by using the
Web console in the vSphere Client.

a Log in to the vCenter Server instance for the workload domain at https://
<vcenter_server-fqdn>/ui by using an account with Administrator privileges.

b In the VMs and templates inventory, navigate to and expand the VM folder containing the
NSX Edge cluster.

c Select the first node of the NSX Edge cluster and click Launch web console.

2 If you are configuring a bare-metal NSX Edge appliance, open the appliance console by using
an out-of-band management interface, such as iLO or iDRAC.

3 Log in to the NSX Edge node as admin.

4 To configure the account lockout policy for logging in to the NSX CLI according to your
organization's requirements, run the commands.

set auth-policy cli lockout-period <lockout-period>
set auth-policy cli max-auth-failures <auth-failures>


5 Repeat this procedure on the remaining NSX Edge nodes in the workload domain.

6 Repeat this procedure on all NSX Edge nodes in the remaining workload domains.

PowerShell Procedure
You can use the PowerShell command for configuring the account lockout policies only on the
NSX Edge nodes in VMware Cloud Foundation that are deployed by using SDDC Manager.
For NSX Edge virtual appliances that are deployed manually and for bare-metal NSX Edge
appliances, configure the policies manually according to the NSX documentation.

1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

$sddcDomainName = "sfo-m01"

$cliMaxFailures = "5"
$cliUnlockInterval = "900"

3 Perform the configuration by running the command in the PowerShell console.

Update-NsxtEdgeAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass `
    -domain $sddcDomainName -cliFailures $cliMaxFailures -cliUnlockInterval $cliUnlockInterval

4 Repeat this procedure for all remaining workload domains.

Configure the Local User Account Lockout Policy for SDDC Manager
Set the maximum number of failed login attempts and the time that must pass before an account
on the SDDC Manager appliance is automatically unlocked.

Setting                                   Default Value
Maximum number of failed login attempts   3
Unlock time for root                      300 seconds
Unlock time for all local accounts        86,400 seconds

UI Procedure
1 Log in to the SDDC Manager appliance using SSH as vcf.

2 Change to the root user.

su -


3 Back up the authentication requirements for the appliance using the following command.

cp -p /etc/security/faillock.conf /etc/security/faillock.conf-`date +%F_%H:%M:%S`.back

4 Verify that all properties for configuring account lockout policy for SDDC Manager users are
added in the /etc/security/faillock.conf file.

If some properties are missing in the /etc/security/faillock.conf file, add them manually.

# Configuration for locking the user after multiple failed
# authentication attempts.
#
# The directory where the user files with the failure records are kept.
# The default is /var/run/faillock.
...
# admin_group = <admin_group_name>
dir = /run/faillock
deny = 3
unlock_time = 86400
even_deny_root
root_unlock_time = 300
dir = /var/log/faillock

5 To configure the lockout policy for the root user account, in the /etc/security/
faillock.conf file, set values to the following properties according to the requirements
of your organization and save the file.

Setting                                 Property in /etc/security/faillock.conf
Maximum number of failed attempts       deny
Unlock time for the root user account   root_unlock_time
Unlock time for all local accounts      unlock_time

The configuration is applied to all local user accounts on the SDDC Manager appliance.
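The following shell script is an added example and is not part of the VMware guide. It audits a pam_faillock configuration file for the properties that steps 4 and 5 call for (deny, unlock_time, root_unlock_time and even_deny_root), compares them against the values you expect, and reports any key that is assigned more than once, because pam_faillock applies assignments in file order and only the last value of a repeated key takes effect. The function names and the two sample files are constructed for this example; on the appliance you would point faillock_audit at /etc/security/faillock.conf after taking the backup from step 3.

```shell
#!/bin/sh
# Added example (not from the VMware guide): audit a pam_faillock
# configuration file against the SDDC Manager lockout policy.
# Usage on the appliance: faillock_audit /etc/security/faillock.conf 3 86400 300

# True when the argument is a non-empty string of digits.
is_num() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Effective value of key $2 in file $1. pam_faillock applies assignments in
# file order, so the last one wins. Flag keys without "=" (even_deny_root)
# print "set"; a missing key prints nothing.
faillock_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, kv, "=")
            name = kv[1]; gsub(/[[:space:]]/, "", name)
            if (name != k) next
            if (n > 1) { val = kv[2]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", val); found = val }
            else found = "set"
        }
        END { if (found != "") print found }
    ' "$1"
}

# Keys assigned more than once in file $1, one per line. A repeated "dir"
# silently moves the tally directory, so it is worth reviewing.
faillock_dup_keys() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, kv, "=")
            name = kv[1]; gsub(/[[:space:]]/, "", name)
            seen[name]++
        }
        END { for (k in seen) if (seen[k] > 1) print k }
    ' "$1"
}

# faillock_audit CONF MAX_DENY MIN_UNLOCK MIN_ROOT_UNLOCK
# Prints one finding per line and returns 1 if anything is non-compliant.
faillock_audit() {
    conf="$1"; max_deny="$2"; min_unlock="$3"; min_root_unlock="$4"
    rc=0
    deny=$(faillock_get "$conf" deny)
    unlock=$(faillock_get "$conf" unlock_time)
    root_unlock=$(faillock_get "$conf" root_unlock_time)
    even_root=$(faillock_get "$conf" even_deny_root)

    if ! is_num "$deny" || [ "$deny" -gt "$max_deny" ]; then
        echo "deny: expected <= $max_deny, found '${deny:-missing}'"; rc=1
    fi
    if ! is_num "$unlock" || [ "$unlock" -lt "$min_unlock" ]; then
        echo "unlock_time: expected >= $min_unlock, found '${unlock:-missing}'"; rc=1
    fi
    if ! is_num "$root_unlock" || [ "$root_unlock" -lt "$min_root_unlock" ]; then
        echo "root_unlock_time: expected >= $min_root_unlock, found '${root_unlock:-missing}'"; rc=1
    fi
    if [ "$even_root" != "set" ]; then
        echo "even_deny_root: missing, root is exempt from lockout"; rc=1
    fi
    for k in $(faillock_dup_keys "$conf"); do
        echo "$k: assigned more than once, only the last value applies"; rc=1
    done
    return $rc
}

# Constructed sample files (not real appliance files): one that meets the
# guide's default policy and one with weak values and a repeated "dir".
WORK=$(mktemp -d)
COMPLIANT="$WORK/faillock-compliant.conf"
WEAK="$WORK/faillock-weak.conf"
cat > "$COMPLIANT" <<'EOF'
# Configuration for locking the user after multiple failed authentication attempts.
dir = /run/faillock
deny = 3
unlock_time = 86400
even_deny_root
root_unlock_time = 300
EOF
cat > "$WEAK" <<'EOF'
dir = /run/faillock
deny = 10
unlock_time = 60
root_unlock_time = 300
dir = /var/log/faillock
EOF

faillock_audit "$COMPLIANT" 3 86400 300 && echo "$COMPLIANT: compliant"
faillock_audit "$WEAK" 3 86400 300 || echo "$WEAK: NOT compliant"
```

An exit status of 0 from faillock_audit means every check passed; the findings it prints map one to one onto the properties in the table above, so the script can be run again after editing the file to confirm the change took effect.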

PowerShell Procedure
1 Start PowerShell.

2 Replace the values in the sample code and run the commands in the PowerShell console.

$sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
$sddcManagerUser = "administrator@vsphere.local"
$sddcManagerPass = "VMw@re1!"

# Replace with the name of your management domain
$sddcDomainName = "sfo-m01"

$rootPass = "VMw@re1!"
$maxFailures = "3"
$unlockInterval = "86400"
$rootUnlockInterval = "300"

3 Perform the configuration by running the command in the PowerShell console.

Update-SddcManagerAccountLockout -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass `
    -rootPass $rootPass -failures $maxFailures -unlockInterval $unlockInterval `
    -rootUnlockInterval $rootUnlockInterval
