As you know sometimes we need to change the root passwords for security reasons. In this article, I would like to share what kind of problem I faced last week while we were handing over a new customer to our current client pool.
I had experienced a similar problem in the past but I didn’t write anything about it. Last week when I saw the communication problem I recalled my previous experience and wanted to share it on my blog.
First of all, this article may help you before getting action if you want to change your vCenter password or ESXi root password not only for HPE SimpliVity it is also for 3rd softwares.
In our case, we had 2 nodes HPE SimpliVity and we wanted to change ESXi password and vCenter password. You may change vCenter password by clicking on the top right of the page where you see your username and clicking on the change password option and filling out all of the necessary blanks in the form and clicking OK. Somehow this is not enough you should also change the SSO account password following the path which is given below.
Administration > Users and Groups > Chose your domain in the domain field under the Users tab > Select your account and click on Edit > Fill out Password and Confirm Password section in the form and click SAVE.
Let’s change the ESXi password now. Please follow the path given below.
Click on the top right of the page where you see [email protected] and click on the change password option and fill out all of the necessary blanks in the form and click Change password.
So far we changed the root password of ESXi and vCenter SSO account password. If you are using HPE SimpliVity you should read till the end.
Around 5 minutes after changing the password, I saw a warning on the 2 HPE SimpliVity nodes and it says given warning below.
Remote access for ESXi local user account 'root' has been locked for 900 seconds after 1014 failed login attempts.
According the warning our esxi root accounts are locked because we didn’t inform the OmniStackVC servers that we changed the esxi root and vcenter password. First of all, If your root account is locked please follow the given prosuders below, If you didn’t see this warning on your vcenter, then skip this part and log in your OmniStackVC using your vcenter account or svtcli account.
- Access ESXi console with remote or direct KVM
- Login to ESXi console (F2) with root account (it won’t be locked at this level)
- Navigate to Troubleshooting Options
- In first line you should see either Disable or Enable ESXi Shell. If its Enable, hit enter once.
- Then use combination Alt+F1 to switch to ESXi shell
- Login with root account (it won’t be locked at this level)
- Run following command. This will show number of failed login attempts
pam_tally2 –user root (If you see only 1 hypen in the command, add one more. Each time you have to use 2 hyphens like in the picture below) - To reset the failures, run following command
pam_tally2 –user root –reset (If you see only 1 hypen in the command, add one more. Each time you have to use 2 hyphens)
Okay, now you can access your esxi using the lately change root password.
Before appliying the commands on your OmniStackVC, do not forget to migrate the all vms to another host. If you already migrate your all vms to another server then you can apply commands because after applying command we have to restart the OmniStackVC. Neccessary steps and outputs are given below. Your output will be same when you are done.
login as: svtcli
[email protected]'s password:
Welcome to SimpliVity OmniCube 4.1.0.266
svtcli@omnicube-ip13-4:~$ sudo su
root@omnicube-ip13-4:/home/svtcli# source /var/tmp/build/bin/appsetup
root@omnicube-ip13-4:/home/svtcli# dsv-digitalvault-init --hmsuser "[email protected]" --hmspassword vcenterpasswordhere --hostip 10.10.10.10 --hostuser root --hostpassword esxipasswordhere
This will delete any existing digital vault records and reinitiate new ones, are you sure you want to proceed.
Proceed? (y/n): y
2022-12-19 07:48:50Z Updating the postgres user mgmt_usr with new password
2022-12-19 07:48:50Z Updating the postgres user svtaggregator with new password
2022-12-19 07:48:50Z Initializing Digital Vault with postgres user mgmt_usr svtaggregator
Successfully reinitialized DigitalVault.
root@omnicube-ip13-4:/home/svtcli# reboot
Waiting for the virtual machines that are managed by this OmniCube Controller to achieve HA compliance. This may take some time. Do NOT exit from the command. If you wish to cancel this operation, issue the command dsv-shutdown-cancel from another shell.After restarting OmniStackVC, you will see warnings on all the vms, do not panic that is ok because one of your OmniStackVC now is not reachable. It will be up soon. When OmniStackVC is up and all vms synced, all warning will be gone. Just use the refresh button on the top right of the page. Around 15 minutes later all warnings on vms and the node that you ran the command will be gone. Now we should do vice versa. Move the all vms to another host and follow the same prosedure and wait 15 more minutes. At the end, your OmniStackVC machines will know that we changed the esxi root and vcenter password.
If you changed the vcenter password;
dsv-update-vcenter --server vCenter_Server_IP_address --username vCenter_user_name --password vCenter_passwordIf you changed the root password of esxi use the following command, after entering the command you will be asked root password and vcenter password.
dsv-digitalvault-init --hmsuser <hms-username> --hostip <host-ipaddress> --hostuser <host-username>Or you can use both credentials at the same time like me in the output above.
dsv-digitalvault-init --hmsuser "<hms-username>" --hmspassword <hms-password> --hostip <host-ipaddress> --hostuser <host-username> --hostpassword <host-password>hmsuser : your vcenter username
hostip : esxi host ip address
hostuser : esxi host root account or
hostpassword : esxi host root password
What about svtcli password? then you can follow the below article shared by HPE
Thanks for your time reading.
Regars,
Hasan
Thank you very much for your article on changing esx password on simplivity. it helped me a lot.
Best wishes