VxRail: VxRM health-check fails for test 'vc_pw_char'
Summary: The health-check 'vc_pw_char' verifies that the password matches VMware rules, if the credentials cannot log in to vCenter.
Symptoms
VxVerify on VxRail Manager can run multiple tests which require vCenter credentials.
The health-check 'vc_pw_char' verifies that the password matches VMware rules, if the credentials cannot log in to vCenter.
| Test Result | Result code | Result Interpretation |
| Pass | 0 |
Login credentials worked successfully. |
| Warning | 1 | The password has more than 20 characters. |
| Failure | 2 | Escape characters found in the password, such as # |
| Critical | 3 | This test has no critical result. |
Every test that passes is not listed in the summary report, for ease of reading.
An example of the health-check output is shown below:
#========================#======#=========#====================================================================#==============# | Hostname / Category |Status Dell_KB | Warnings or Failures, unless tests Passed ; Product S.N. | #========================#======#=========#====================================================================#==============# | VxRM | Warning 224236 | vc_pw_char: vSphere passwords cannot be more than 20 characters long |
Cause
Password Length
vCenter passwords should be within 8 to 20 characters long.
Refer to: VMware: vCenter Password Requirements and Lockout Behavior
Password Characters
vCenter allows a wider variety of special characters than the Linux Shell can support. Therefore, it is possible that some special characters in the passwords can cause upgrades to fail. For example, using " or ' in an Application Programming Interface
(API), command could cause an error, because the quotes should be at the start and end of the password string.
Some of these special characters can also break search strings, so to verify the characters, the ASCII decimal codes are used. Bad ASCII characters also include null characters, which are ASCII codes from 0 to 31.
VxVerify will only analyze passwords for special characters, if the saved vCenter or node management passwords are unable to successfully log in.
The following table is a list of good and bad special characters (this excludes 0-9, a-z and A-Z), from the ASCII range 32 to 126:
| Good | Bad | Bad | Dubious | ||||
| D Char | Ascii | <4.7.510 | Ascii | 4.7.510+ | Ascii | Any | Ascii |
| + | 43 | Space | 32 | $ | 36 | " | 34 |
| , | 44 | " | 34 | \ | 92 | ' | 39 |
| - | 45 | # | 35 | ` | 96 | ||
| . | 46 | $ | 36 | ||||
| : | 58 | % | 37 | ||||
| @ | 64 | * | 38 | ||||
| ] | 93 | ' | 39 | ||||
| _ | 95 | ( | 40 | ||||
| { | 123 | ) | 41 | ||||
| } | 125 | & | 42 | ||||
| / | 47 | ||||||
| ; | 59 | ||||||
| > | 60 | ||||||
| = | 61 | ||||||
| < | 62 | ||||||
| ? | 63 | ||||||
| [ | 91 | ||||||
| \ | 92 | ||||||
| ^ | 94 | ||||||
| ` | 96 | ||||||
| | | 124 | ||||||
| ~ | 126 |
The quotation mark characters are listed as dubious, because their use can be mitigated in Shell commands by substituting a \ in front of them, but not all scripts have that workaround, so it is advisable to not include these in passwords.
The ! character (ascii 33), always works correctly as the last character, but in any other position, it can cause scripts to fail, prior to VxRail 4.7.510.
VxRail 4.7.510 fixed the issues caused by most of the special characters, but there are still some (such as \), that cause issues for the vCenter API, so the VxVerify test flags these as a problem.
Resolution
Additional Information
Further details about any test warnings or failures are found in the VxVerify log:
- /tmp/vxv/vxv.log