In this post, we are going to reset a lost root password on our vCD appliance that has also expired. By default, the vCD root password expires every year. Once that happens you can no longer SSH into the appliance, although the UI will still function.
Blog Series
- Deploy vCloud Director 10.X
- Adding HA to vCD 10.X Configuration
- Switch Standby vCD Node to Primary
- Generate CA-Signed SSL Certificates on vCD 10.X
- Unregister a Failed or Unreachable Standby Node
- vCloud Director User Interface not Accessible
- Reset Lost or forgotten vCD 10.x Root Password
- Upgrade vCD from 10.0 to 10.2
- One Page View of all vCD 10.X commands
Step by step guide to Reset the Root Password in vCD
1- Snapshot the vCD appliance first
2- Reboot the vCD appliance
3- After rebooting the vCD appliance, we need to get into the GRUB menu to reset the root password
4- Find the line that begins with the word Linux.
5- Append the following to the end of that line
rw init=/bin/bash
6- Press F10 to continue booting. The OS continues to boot and you will be presented with this screen
7- Run the command: pam_tally2 --reset --user root
8- Reboot the appliance by running the command: reboot -f
When we change the root password for a VMware Cloud Director appliance, we must also update the appliance certificate keystore to use the new password. This is done with a utility called keytool on the vCD appliance.
9- We first need to know whether our keystore type is PKCS12 or JCEKS
Run this command to find out
/opt/vmware/vcloud-director/jre/bin/keytool -storetype JCEKS -storepass <passwd> -keystore /opt/vmware/vcloud-director/certificates.ks -list
Keystore type: JCEKS
Keystore provider: SunJCE
As shown above, our keystore type is JCEKS. In modern editions like 10.3, the default type will be PKCS12.
10- Back up the current certificate keystore to a path
cp /opt/vmware/vcloud-director/certificates.ks /oldcert/certificates.ks
11- To re-encrypt the certificate keystore with the new password, change to /opt/vmware/vcloud-director/jre/bin and run the command
./keytool -importkeystore -srckeystore /opt/vmware/vcloud-director/certificates.ks -srcstoretype JCEKS -srcstorepass <oldpasswd> -destkeystore /opt/vmware/vcloud-director/certificates-new.ks -deststoretype JCEKS -deststorepass <newpasswd> -destkeypass <newpasswd>
12- Run the command to replace the old certificates keystore file with the new one.
mv /opt/vmware/vcloud-director/certificates-new.ks /opt/vmware/vcloud-director/certificates.ks
13- To set the user and group ownership of the keystore file, run the chown command
chown vcloud.vcloud /opt/vmware/vcloud-director/certificates.ks
14- Update the VMware Cloud Director server configuration
/opt/vmware/vcloud-director/bin/cell-management-tool certificates -j -p --keystore /opt/vmware/vcloud-director/certificates.ks --keystore-password <newpasswd>
15- Restart the vCD services
service vmware-vcd restart
16- Verify the status of the vCD cluster
sudo -i -u postgres /opt/vmware/vpostgres/current/bin/repmgr cluster show
We will need to have the same password on all our vCD appliances, and the same certificate keystore (certificates.ks) we generated earlier will need to be placed into /opt/vmware/vcloud-director/ on the standby vCD appliances as well.
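
A check to run between steps 11 and 12, added here as an example and not part of the original procedure: it compares the alias and certificate fingerprint pairs in `keytool -list` output for the old keystore and the re-encrypted one before the old file is replaced. The listings, aliases and fingerprints in the script are constructed samples, and the function names and the environment-variable password handling are assumptions of this example.

```shell
# Added example: compare a re-encrypted keystore with the old one before swapping it in.
KEYTOOL=/opt/vmware/vcloud-director/jre/bin/keytool   # path used in the steps above

# Real use: list a keystore. The password is read from the named environment
# variable (keytool's :env modifier), so it stays out of the process list.
ks_listing() {   # ks_listing <keystore> <storetype> <password-env-var>
  "$KEYTOOL" -list -keystore "$1" -storetype "$2" -storepass:env "$3"
}

# Reduce keytool -list output (stdin) to sorted "alias fingerprint" lines.
ks_entries() {
  awk '
    /Entry,?[[:space:]]*$/ { split($0, f, ","); alias = f[1]; next }
    /^Certificate fingerprint/ && alias != "" {
      sub(/^[^:]*: */, ""); print alias, $0; alias = ""
    }' | sort
}

# Succeed only if both listings hold the same non-empty set of entries.
ks_same_entries() {   # ks_same_entries <old-listing-file> <new-listing-file>
  old=$(ks_entries < "$1"); new=$(ks_entries < "$2")
  [ -n "$old" ] && [ "$old" = "$new" ]
}

# Constructed sample listing (aliases, dates and fingerprints are made up).
sample_listing() {   # sample_listing <fingerprint-for-second-entry>
  cat <<EOF
Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 2 entries

http, Jan 5, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 11:22:33:44
consoleproxy, Jan 5, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): $1
EOF
}

tmp=$(mktemp -d)
sample_listing AA:BB:CC:DD > "$tmp/old.txt"
sample_listing AA:BB:CC:DD > "$tmp/new.txt"
sample_listing 00:00:00:00 > "$tmp/bad.txt"
ks_same_entries "$tmp/old.txt" "$tmp/new.txt" && echo "new keystore matches the old one"
ks_same_entries "$tmp/old.txt" "$tmp/bad.txt" || echo "mismatch: keep the old keystore"
```

On the appliance, redirect `ks_listing` output for certificates.ks and certificates-new.ks into two files and pass them to `ks_same_entries`; the parser assumes the default English `keytool -list` layout.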