VMware Networking Community
TarunGuptaAccen
Enthusiast

Get and Change NSX Edges admin Password via API

Hi team,

We are using NSX version 6.3.2. I want to change the Edges' admin password via the API. I am aware of Edges > Action > Change CLI Credentials, but I am running into an issue where, when I click OK to change the password, it takes a lot of time and the operation times out.

1. I can't see the password line when I get the API output for an Edge.

    https://IP/api/4.0/edges/edge-74

    <remoteAccess>true</remoteAccess>
    <userName>admin</userName>
    <password>test</password>      "Can I add this line?"

2. I was googling that I can get NSX Edge root passwords from /home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh, but there is /GetCliUserEdgePassword.sh as well, which I am not able to find in NSX 6.3.2. Is there any way I can get the admin password of the Edges?

Tarun Gupta

9910302342

3 Replies
SRoland
VMware Employee

Hi,

> ... when I click OK to change the password, it takes a lot of time and the operation times out ...

This is your real problem. This shows a communication issue between the manager and the ESG(s).

> <password>test</password> "Can I add this line?"

Use the call:

    PUT /api/4.0/edges/{edgeId}/clisettings

Request:

Body: application/xml

    <cliSettings>
      <userName></userName>
      <password></password>
      <remoteAccess></remoteAccess>
      <passwordExpiry></passwordExpiry>
      <sshLoginBannerText></sshLoginBannerText>
    </cliSettings>

> 2. I was googling that I can get NSX Edge root passwords from /home/secureall/secureall/sem/WEB-INF/classes/GetSpockEdgePassword.sh, but there is /GetCliUserEdgePassword.sh as well, which I am not able to find in NSX 6.3.2. Is there any way I can get the admin password of the Edges?

Yes, there's other files to achieve the password retrieval but I would strongly advise you against it and do it with GSS supervision. Especially the password change. I would recommend first - again - to check what's with that timeout problem.

Do your hosts show up properly under the installation tabs? Is the RabbitMQ service running on the manager?

Regards,

Roland

Edit: I noticed - after re-reading - that I was wrong here:

> Yes, there's other files to achieve the password retrieval...

There is no procedure to get the "admin" user password and change it from the manager CLI. The Manager UI and the API are the only ways I know of to change that. From the manager CLI, and then from root mode, you can only get the edge "root" user password.

Sorry.

TarunGuptaAccen
Enthusiast

Hi Roland,

Thanks a lot for your reply.

Yes, the RabbitMQ service is running on NSX Manager. I am able to change the CLI admin password on most of the Edges, but not all. I can see the port 5671 connection established on the Edge.

Also, the vShield-Stateful-Firewall service is running on all the hosts in the Edge cluster as well. One of the issues I identified while changing the admin password is "admin account locked" when I take the console on the Edge. I am under the impression that admin accounts get unlocked after 30 minutes or so, but if that is not the case, it fails to update the password and it will not change the CLI password.

In the end, the only option I go with is to re-deploy, which is becoming an issue since I am working in operations and I have to ask for customer downtime. I am not aware of any other way to reset the admin password if the UI does not work or takes a lot of time and the operation times out.

Any help here to change the password if the UI does not work?

Thanks for posting the API commands, but these will not hold if someone re-deploys the same Edge, losing the password again and running into the same admin account issue. Any correction here will be appreciated.

Lastly, thanks for your support. Waiting for your reply.

sk84
Expert

> One of the issues I identified while changing the admin password is "admin account locked" when I take the console on the Edge. I am under the impression that admin accounts get unlocked after 30 minutes or so, but if that is not the case, it fails to update the password and it will not change the CLI password.

This is usually the case when SSH is open to the outside, because bots make permanent login attempts with "root" and "admin" users and the admin account is more or less permanently locked. Sometimes it is also a monitoring system that is responsible for the permanent login attempts.

However, if the problem only occurs with some edge gateways, check if SSH is open for the whole world and block the port for these edge gateways. After 15 minutes the login should work again.

Alternatively, you can also disable SSH, wait 15 minutes, enable it and be very fast before it is locked again.

Regards,

Sebastian
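Added example (not code from any poster in this thread or from VMware): a Python sketch of the `PUT /api/4.0/edges/{edgeId}/clisettings` call quoted in the first reply, which can also send `remoteAccess` as `false` for the "disable SSH" step in the last reply. Assumptions: `remoteAccess` is what governs SSH access, elements left as `None` may be omitted, NSX Manager accepts HTTP basic auth, and `nsx-manager.example.local` is a constructed host name.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

# Element names and order follow the cliSettings body quoted in the thread.
FIELDS = ("userName", "password", "remoteAccess", "passwordExpiry", "sshLoginBannerText")

def build_cli_settings(user_name, password, remote_access, password_expiry=None, banner=None):
    """Return the <cliSettings> body as bytes. Assumption: None fields may be omitted."""
    values = {
        "userName": user_name,
        "password": password,
        "remoteAccess": "true" if remote_access else "false",
        "passwordExpiry": None if password_expiry is None else str(password_expiry),
        "sshLoginBannerText": banner,
    }
    root = ET.Element("cliSettings")
    for name in FIELDS:
        if values[name] is not None:
            # ElementTree escapes &, < and > so any password stays valid XML.
            ET.SubElement(root, name).text = values[name]
    return ET.tostring(root, encoding="utf-8")

def build_request(manager, edge_id, api_user, api_password, body):
    """Prepare (without sending) the PUT request; basic auth is an assumption."""
    # Reject anything that is not a plain edge id such as edge-74 before it reaches the URL.
    if not edge_id.startswith("edge-") or not edge_id[5:].isdigit():
        raise ValueError("unexpected edge id: %r" % edge_id)
    token = base64.b64encode(f"{api_user}:{api_password}".encode()).decode()
    return urllib.request.Request(
        f"https://{manager}/api/4.0/edges/{edge_id}/clisettings",
        data=body, method="PUT",
        headers={"Content-Type": "application/xml", "Authorization": "Basic " + token},
    )

if __name__ == "__main__":
    import getpass
    # Prompt for secrets so they never land in shell history or process listings.
    new_pw = getpass.getpass("New edge admin password: ")
    api_pw = getpass.getpass("NSX Manager API password: ")
    body = build_cli_settings("admin", new_pw, remote_access=False)
    req = build_request("nsx-manager.example.local", "edge-74", "admin", api_pw, body)
    # urlopen verifies the manager's TLS certificate by default; keep it that way.
    with urllib.request.urlopen(req, timeout=120) as resp:
        print(resp.status)
```
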