I’m starting to update all my 6.x vCenters and vROPS, pending patches being released. You should be doing this, too, since they’re vulnerable to the Apache Struts 2 critical security holes. One thing I noted in my testing is that after patching the 6.5 appliances, their root password expiration settings go back to the defaults. In this case I’d set them to not expire, but it’s clearly not that way anymore:
Depending on your security requirements this might not be what you want. It’s bad form on VMware’s part, changing something that had been explicitly set. I also didn’t test to see if it resets the actual password age, or just the expiry. You might have far less than 365 days before it expires.
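To see how much time is actually left after a patch, you can compute it from the aging fields of root's `/etc/shadow` entry. The script below is an added example, not part of the original post or anything from VMware. It assumes the appliance keeps root's aging settings in the standard shadow(5) fields. The sample entries, the `HASH` placeholder, the 90-day warning threshold and the function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Sample entries are constructed;
# "HASH" is a placeholder, not a real password hash.
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
#   lastchg = day of the last password change, in days since 1970-01-01
#   max     = maximum password age in days (empty or 99999 = no expiry)

# days_until_expiry SHADOW_LINE TODAY_DAYS
# Prints "never", or the days left before the password expires
# (a negative number means it has already expired).
days_until_expiry() {
    lastchg=$(printf '%s\n' "$1" | cut -d: -f3)
    max=$(printf '%s\n' "$1" | cut -d: -f5)
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -lt 0 ] || [ "$max" -ge 99999 ]; then
        echo never
        return 0
    fi
    echo $(( lastchg + max - $2 ))
}

# expiry_status SHADOW_LINE TODAY_DAYS WARN_DAYS
# Prints OK, WARN (expires within WARN_DAYS) or EXPIRED.
expiry_status() {
    left=$(days_until_expiry "$1" "$2")
    if [ "$left" = never ]; then echo OK
    elif [ "$left" -lt 0 ]; then echo EXPIRED
    elif [ "$left" -le "$3" ]; then echo WARN
    else echo OK
    fi
}

# Constructed samples. Day 17250 is 2017-03-25.
TODAY=17250
NO_EXPIRY='root:HASH:16950:0:99999:7:::'  # expiry disabled, as set before patching
RESET_365='root:HASH:16950:0:365:7:::'    # max age back at 365, last change 300 days ago

for entry in "$NO_EXPIRY" "$RESET_365"; do
    echo "$(days_until_expiry "$entry" "$TODAY") days left: $(expiry_status "$entry" "$TODAY" 90)"
done

# On the appliance, as root, check the live entry:
#   expiry_status "$(grep '^root:' /etc/shadow)" "$(( $(date +%s) / 86400 ))" 90
```

In the second sample the maximum age is 365 days but only 65 remain, because the clock runs from the last password change rather than from the patch date.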
While it’s a good idea to rotate passwords, I also hate being locked out of my infrastructure, especially since I usually discover it in the middle of another problem… But to each their own. Good luck!
Hey Bob.
Thanks for a great article on this “gotcha.” I also had the same issue with a VCSA 6.0 Update 2 to 6.0 Update 3 upgrade. In this case, the password expiry reset to “yes”; however, the expiry date was 365 days from when the VCSA was built, not from the upgrade itself.
Thanks again.
Precisely. Though it isn’t really that hard to reset the password and unlock the account, we never discover these problems until we’re amidst some other nasty issue, and it’s another obstacle, another hour of our lives gone because of someone’s inattention to detail.