VxRail: How to Query or Update the Management Account In VxRail Version 7.0.x and 8.0.x
Summary: This article explains how to query and update the saved VxRail credentials in VxRail Manager in versions 7.0.x and 8.0.x.
Instructions
Starting from VxRail version 7.0.010, the vCenter and ESXi host management accounts are stored in a lockbox microservice.
The method to query or update the management account has changed from previous versions.
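The passwords returned by the commands below are base64 encoded rather than shown in plain text. Base64 is a reversible encoding, not encryption, so anyone who can read the output can recover the password.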
Prerequisites
- SSH to the VxRail Manager using the 'mystic' administrator user
- Switch to the root user.
su -
Querying existing saved credentials:
Querying vCenter management account:
Command to run:
curl --unix-socket /var/lib/vxrail/nginx/socket/nginx.sock -X GET 'http://localhost/rest/vxm/internal/lockbox/v1/credentials?lockbox_name=SYSTEM&credential_names=management_account_vc'|jq
Example output:
{
"items": [
{
"connection_type": "OK",
"credential_name": "management_account_vc",
"is_found": true,
"password": "xxxxxxxxxxx",
"username": "management@localos"
}
]
}
In this example, the vCenter management account username is management@localos, and the encoded password is xxxxxxxxxxx.
To decode the password, use the following command.
echo -n 'xxxxxxxxxxx' | base64 -d
Query ESXi host management account:
1. To access a specific host credential, you must know the PowerEdge Service Tag (ST) of the host, a seven-character serial such as AB1CDE2.
Replace any section that has <host-SN> with the Service Tag.
For example, you can use the following section of the VxRail plug-in to view serials and the hostname:
2. Use the following command to gather the VxRail host credentials, replacing <host-SN> with the server's Service Tag.
curl --unix-socket /var/lib/vxrail/nginx/socket/nginx.sock -X GET 'http://localhost/rest/vxm/internal/lockbox/v1/credentials?lockbox_name=SYSTEM&credential_names=management_account_esxi__<host-SN>'| jq
Using the previous example Service Tag:
curl --unix-socket /var/lib/vxrail/nginx/socket/nginx.sock -X GET 'http://localhost/rest/vxm/internal/lockbox/v1/credentials?lockbox_name=SYSTEM&credential_names=management_account_esxi__AB1CDE2'| jq
Output:
{
"items": [
{
"credential_name": "management_account_esxi__V015001",
"is_found": true,
"password": "XXXXXXXX",
"username": "management"
}
]
}
In this example, the ESXi host management account username is management, and the encoded password is XXXXXXXX.
To decode, use the following command:
echo -n 'XXXXXXXX' | base64 -d
Updating saved credentials:
Update vCenter management account:
1. Stop vmware-marvin service:
systemctl stop vmware-marvin
2. To encode the password, run the command below substituting your password:
echo -n 'Password123!' | base64
UGFzc3dvcmQxMjMh
The -n is required so that echo does not append a newline character; without it, the encoded value would represent a different password than intended.
3. Query the current vCenter management account username. If you do not know the vCenter management account username, see the above section "Querying vCenter management account" to query the username.
4. To update the vCenter management account, run the command below, replacing VC_MGMT_USER_NAME with the username and ENCODED_PASSWD_FROM_STEP_1 with the encoded password from step 2:
curl -X PUT --unix-socket /var/lib/vxrail/nginx/socket/nginx.sock -H "accept: application/json" -H "Content-Type: application/json" -d '{"lockbox_name":"SYSTEM","credentials":[{"credential_name":"management_account_vc","username":"VC_MGMT_USER_NAME","password":"ENCODED_PASSWD_FROM_STEP_1"}]}' 'http://localhost/rest/vxm/internal/lockbox/v1/credentials'
Example:
curl -X PUT --unix-socket /var/lib/vxrail/nginx/socket/nginx.sock -H "accept: application/json" -H "Content-Type: application/json" -d '{"lockbox_name":"SYSTEM","credentials":[{"credential_name":"management_account_vc","username":"vxrm@localos","password":"UGFzc3dvcmQxMjMh"}]}' 'http://localhost/rest/vxm/internal/lockbox/v1/credentials'
5. Update the management account password in vCenter: navigate to vSphere > Hamburger Menu > Administration > Users and Groups, filter by the domain in which the vCenter management account exists, edit the account, and set the new plaintext password.
6. Start vmware-marvin service:
systemctl start vmware-marvin
Update ESXi host management account
1. To encode the password, run the command as in the example below:
Example:
echo -n 'Password123!' | base64
UGFzc3dvcmQxMjMh
2. You should know the ESXi host Serial Number (SN) or Service Tag.
3. You should know the ESXi host management account username (note: Management account users and the serial numbers are listed in the VxVerify output file: vxverify_tests.json)
4. Stop vmware-marvin service:
systemctl stop vmware-marvin
5. To update the ESXi host management account, run the command below, replacing ESXI_MGMT_USER_NAME, ENCODED_PASSWD_FROM_STEP_1, and <host-SN>:
curl -X PUT --unix-socket /var/lib/vxrail/nginx/socket/nginx.sock -H "Accept: application/json" -H "Content-Type: application/json" -d '{"lockbox_name":"SYSTEM","credentials":[{"credential_name":"management_account_esxi__<host-SN>","username":"ESXI_MGMT_USER_NAME","password":"ENCODED_PASSWD_FROM_STEP_1"}]}' 'http://localhost/rest/vxm/internal/lockbox/v1/credentials'
Example:
curl -X PUT --unix-socket /var/lib/vxrail/nginx/socket/nginx.sock -H "Accept: application/json" -H "Content-Type: application/json" -d '{"lockbox_name":"SYSTEM","credentials":[{"credential_name":"management_account_esxi__V010101","username":"esxmgmt","password":"UGFzc3dvcmQxMjMh"}]}' 'http://localhost/rest/vxm/internal/lockbox/v1/credentials'
How to decode the password:
echo -n "VnhsYWJSQGlsMSE=" | base64 -d
VxlabR@il1!
6. Navigate to https://ESXiIPAddress and log in as root. Click Manage > Users and Groups, edit the ESXi management user, and set the new plaintext password.
7. Start vmware-marvin service:
systemctl start vmware-marvin
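The encoding step used in both update procedures above, as an added example that is not part of the original article or of VxRail tooling: it encodes a password without a stray newline, detects an encoded value that carries one, and builds the PUT body with a round-trip check. The function names (encode_pw, has_trailing_newline, build_payload) are hypothetical and the sample values are constructed from the article's own examples.

```shell
# Added example; function names are illustrative, not VxRail commands.

# Encode exactly the bytes given. printf '%s' never appends a newline,
# so the result matches `echo -n ... | base64` on any shell.
encode_pw() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# Succeed if a base64 value decodes to data ending in a newline (0x0a),
# the signature of a password that was encoded without -n.
has_trailing_newline() {
  _last=$(printf '%s' "$1" | base64 -d | tail -c 1 | od -An -tx1 | tr -d ' \n')
  [ "$_last" = "0a" ]
}

# Print the JSON body for the credentials PUT request.
# Arguments: credential name, username, plaintext password.
build_payload() {
  _cred=$1; _user=$2; _pw=$3
  # Refuse characters that would need JSON escaping instead of
  # emitting a malformed body.
  case "$_cred$_user" in
    *[\"\\]*) echo "refusing: quote or backslash in name" >&2; return 1 ;;
  esac
  _enc=$(encode_pw "$_pw")
  # Round-trip check: the encoded value must decode to the input.
  [ "$(printf '%s' "$_enc" | base64 -d)" = "$_pw" ] || return 1
  printf '{"lockbox_name":"SYSTEM","credentials":[{"credential_name":"%s","username":"%s","password":"%s"}]}' \
    "$_cred" "$_user" "$_enc"
}

# Constructed sample values, reusing the article's example password.
GOOD=$(encode_pw 'Password123!')
BAD=$(echo 'Password123!' | base64)   # no -n: encodes "Password123!" plus newline
PAYLOAD=$(build_payload 'management_account_vc' 'vxrm@localos' 'Password123!')

printf 'correct encoding : %s\n' "$GOOD"
printf 'without -n       : %s\n' "$BAD"
printf 'PUT body         : %s\n' "$PAYLOAD"
```

Running has_trailing_newline on a password value returned by the query commands shows whether the stored credential was encoded with the extra newline. The body can be piped into the article's curl PUT command with `-d @-` so that the password does not appear on the command line.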
After making a change to the password:
1. Enable Health Monitoring either from the VxRail UI > Health Monitoring > Health Monitoring Status > Enable or by using the CLI:
curl -X PUT --unix-socket /var/lib/vxrail/nginx/socket/nginx.sock -H "Accept: application/json" -H "Content-Type: application/json" http://127.0.0.1/rest/vxm/internal/configservice/v1/configuration/keys/state_cluster_suppressed -d '{"value": "false"}'
2. Restart the vmware-marvin service.
systemctl restart vmware-marvin
Additional Information
The credentials can be tested by running VxVerify; see the article: VxRail: How to run the VxRail Verify tool.