Changing esxi and vcenter password for Simplivity

As you know sometimes we need to change the root passwords for security reasons. In this article, I would like to share what kind of problem I faced last week while we were handing over a new customer to our current client pool.

I had experienced a similar problem in the past but I didn’t write anything about it. Last week when I saw the communication problem I recalled my previous experience and wanted to share it on my blog.

First of all, this article may help you before getting action if you want to change your vCenter password or ESXi root password not only for Simplivity it is also for 3rd softwares.

In our case, we had 2 nodes Simplivity and we wanted to change ESXi password and vCenter password. You may change vCenter password by clicking on the top right of the page where you see your username and clicking on the change password option and filling out all of the necessary blanks in the form and clicking OK. Somehow this is not enough you should also change the SSO account password following the path which is given below.

Administration > Users and Groups > Chose your domain in the domain field under the Users tab > Select your account and click on Edit > Fill out Password and Confirm Password section in the form and click SAVE.

Let’s change the ESXi password now. Please follow the path given below.

Click on the top right of the page where you see [email protected] and click on the change password option and fill out all of the necessary blanks in the form and click Change password.

So far we changed the root password of ESXi and vCenter SSO account password. If you are using Simplivity you should read till the end.

Around 5 minutes after changing the password, I saw a warning on the 2 Simplivity nodes and it says given warning below.

Remote access for ESXi local user account 'root' has been locked for 900 seconds after 1014 failed login attempts.

According the warning our esxi root accounts are locked because we didn’t inform the OVC servers that we changed the esxi root and vcenter password. First of all, If your root account is locked please follow the given prosuders below, If you didn’t see this warning on your vcenter, then skip this part and log in your ovc using your vcenter account or svtcli account.

  1. Access ESXi console with remote or direct KVM 
  2. Login to ESXi console (F2) with root account (it won’t be locked at this level)
  3. Navigate to Troubleshooting Options
  4. In first line you should see either Disable or Enable ESXi Shell. If its Enable, hit enter once. 
  5. Then use combination Alt+F1 to switch to ESXi shell
  6. Login with root account (it won’t be locked at this level)
  7. Run following command. This will show number of failed login attempts 
    pam_tally2 –user root 
  8. To reset the failures, run following command 
    pam_tally2 –user root –reset 

Okay, now you can access your esxi using the lately change root password.

Before appliying the commands on your OVC, do not forget to migrate the all vms to another host. If you already migrate your all vms to another server then you can apply commands because after applying command we have to restart the OVC. Neccessary steps and outputs are given below. Your output will be same when you are done.

login as: svtcli
[email protected]'s password:

Welcome to SimpliVity OmniCube

[email protected]:~$ sudo su
[email protected]:/home/svtcli# source /var/tmp/build/bin/appsetup
[email protected]:/home/svtcli# dsv-digitalvault-init --hmsuser "[email protected]" --hmspassword vcenterpasswordhere --hostip --hostuser root --hostpassword esxipasswordhere

This will delete any existing digital vault records and reinitiate new ones, are you sure you want to proceed.
Proceed? (y/n): y

2022-12-19 07:48:50Z     Updating the postgres user mgmt_usr with new password
2022-12-19 07:48:50Z     Updating the postgres user svtaggregator with new password
2022-12-19 07:48:50Z     Initializing Digital Vault with postgres user mgmt_usr svtaggregator
Successfully reinitialized DigitalVault.
[email protected]:/home/svtcli# reboot
Waiting for the virtual machines that are managed by this OmniCube Controller to achieve HA compliance.  This may take some time.  Do NOT exit from the command. If you wish to cancel this operation, issue the command dsv-shutdown-cancel from another shell.

After restarting OVC, you will see warnings on all the vms, do not panic that is ok because one of your ovc now is not reachable. It will be up soon. When OVC is up and all vms synced, all warning will be gone. Just use the refresh button on the top right of the page. Around 15 minutes later all warnings on vms and the node that you ran the command will be gone. Now we should do vice versa. Move the all vms to another host and follow the same prosedure and wait 15 more minutes. At the end, your ovc machines will know that we changed the esxi root and vcenter password.

If you changed the vcenter password;

dsv-update-vcenter --server vCenter_Server_IP_address --username vCenter_user_name --password vCenter_password

If you changed the root password of esxi use the following command, after entering the command you will be asked root password and vcenter password.

dsv-digitalvault-init --hmsuser <hms-username> --hostip <host-ipaddress> --hostuser <host-username>

Or you can use both credentials at the same time like me in the output above.

dsv-digitalvault-init --hmsuser "<hms-username>" --hmspassword <hms-password>  --hostip <host-ipaddress> --hostuser <host-username> --hostpassword <host-password>

hmsuser : your vcenter username
hostip : esxi host ip address
hostuser : esxi host root account or
hostpassword : esxi host root password

What about svtcli password? then you can follow the below article shared by HPE

Thanks for your time reading.


Published by Hasan Altin

I don't see any difference between the one who doesn't share its knowledge or the one who doesn't share its bread.

Leave a Reply

Your email address will not be published. Required fields are marked *