Rotating Aria Suite Local Account Passwords Using APIs & PowerShell

Posted by Stephan McTighe on 20 Dec 2024

Password management is a critical aspect of maintaining a secure and efficient IT infrastructure. The Aria Suite is no exception, and password rotation is a necessary part of meeting security policies and compliance requirements.

VMware Aria Suite Lifecycle Manager simplifies this process by providing a centralized endpoint to manage your suite’s configurations and settings, both in the UI and via APIs. In this blog post, we’ll take a look at how we can reset passwords for the various components of the Aria Suite, all through Lifecycle Manager, using the APIs via PowerShell.

Let’s start by taking a look at how we can tackle the admin@local account in Aria Suite Lifecycle Manager itself.

Aria Suite Lifecycle Manager

The API we will be using for this is a PUT call to /lcm/authzn/api/v2/users/password.

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/authzn/api/v2/users/password"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "PUT"
    "body"    = @{
        "password" = "<Password>" # Plain text password, but can be supplied from a variable etc.
        "username" = "admin@local"
    } | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod @Splat -SkipCertificateCheck

This one is fairly simple: we authenticate via basic auth using a username and password variable, then pass the username and new password for the account we want to update, in this case admin@local.

You can run this after acquiring an auth cookie using /lcm/authzn/api/login if executing the calls via something like Postman.
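The same admin@local rotation, written as an added example (not code from the original post) that takes a PSCredential and a SecureString instead of plain-text $username and $password variables, so neither secret lands in the console history or a transcript. The endpoint and body fields are the ones used above; the $LcmHost parameter and the function names are assumptions for this example.

```powershell
# Added example: rotate admin@local on Aria Suite Lifecycle Manager using a
# credential object. Endpoint and body fields are those from the post.

function New-BasicAuthHeader {
    # Build the same "Basic <base64(user:pass)>" header as the post, from a PSCredential.
    param([Parameter(Mandatory)][pscredential]$Credential)
    $pair  = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    return @{
        'Accept'        = '*/*'
        'Content-Type'  = 'application/json'
        'Authorization' = "Basic $token"
    }
}

function Set-AslcmLocalAdminPassword {
    param(
        [Parameter(Mandatory)][string]$LcmHost,               # assumed: Lifecycle Manager FQDN, e.g. alcm-01.tsh.cloud
        [Parameter(Mandatory)][pscredential]$Credential,      # current admin@local credential used to authenticate
        [Parameter(Mandatory)][securestring]$NewPassword,     # the value to set
        [switch]$SkipCertificateCheck                          # only needed while the LCM certificate is untrusted
    )
    # The SecureString is unwrapped only at the moment the JSON body is built.
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $body  = @{ username = 'admin@local'; password = $plain } | ConvertTo-Json -Depth 6
    $splat = @{
        Uri     = "https://$LcmHost/lcm/authzn/api/v2/users/password"
        Headers = New-BasicAuthHeader -Credential $Credential
        Method  = 'PUT'
        Body    = $body
    }
    if ($SkipCertificateCheck) { $splat['SkipCertificateCheck'] = $true }
    try {
        return Invoke-RestMethod @splat
    }
    finally {
        # Drop the local clear-text copies as soon as the call has been made.
        $plain = $null
        $body  = $null
    }
}

# Usage (interactive):
# $cred = Get-Credential -UserName 'admin@local' -Message 'Current admin@local password'
# $new  = Read-Host -AsSecureString -Prompt 'New admin@local password'
# Set-AslcmLocalAdminPassword -LcmHost 'alcm-01.tsh.cloud' -Credential $cred -NewPassword $new
```

-SkipCertificateCheck exists only in PowerShell 7 and disables TLS validation for the call, so treat it as a lab convenience: once the Lifecycle Manager certificate chains to a CA the client trusts, leave the switch off.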

Gather Environment Details & Understand the APIs

Now, before we move on to the rest of the suite, we need to know where to get certain information from to be able to build a successful API call.

There are a number of API calls we will use during this blog post:

  • GET /lcm/lcops/api/v2/environments?status=COMPLETED Acquire details from the environment that we will need to consume in the URIs below.
  • POST /lcm/locker/api/v2/passwords Create a new password object in the ASLCM Locker that we can consume.
  • PUT /lcm/lcops/api/v2/environments/<EnvironmentId>/products/<ProductID>/nodes/<Node Name> Change the root account password on the appliance node.
  • PUT /lcm/lcops/api/v2/environments/globalenvironment/products/vidm/admin-password Change the ‘admin’ user account for the application.

Let’s start by looking at an example of running the code to get the environment details, as we need certain values from this to pass to the other API calls:

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments?status=COMPLETED"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "GET"
    "body"    = ""
}
$Environments = Invoke-RestMethod @Splat -SkipCertificateCheck

Again we are passing basic authentication credentials and storing the results in a variable called $Environments. Below we can see an example output and the values we will need later on. You could consume the values from the variable if you wish, but for visibility, I will keep them as plain text in this blog.

The first value we need is the environmentID that vIDM belongs to; in this case it is the default global environment:

Next we need some further detail nested in the variable output, so let’s dig that out:

We now have the ProductId and the NodeType which, together with the environmentID, are the 3 required pieces of data needed for the API calls later on.

Now, before we can start changing passwords, we need one final piece of information: the password ID from the ASLCM Locker. I will show you how to find this in the UI, and later on I will show you how you can also create these entries via the API and acquire the ID as a result.

Firstly, I want to find out the alias of the current password, which you can find under the product under Environments. In this case, installerPassword:

Next we want to get the ID for this, so heading over to the Locker, we can select the 3 dots followed by Copy ID:

It will look like this:

locker:password:a4c58648-46a1-4420-a1d7-696de195ab3d:installerPassword

While we are here, we will also want to grab the ID of the ‘new’ password that you would have created.

Now that we have the key values we need, let’s move onto the first product!
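Rather than reading environmentID, ProductId and NodeType off screenshots, they can be pulled straight out of $Environments. The following is an added example (not code from the original post) and it rests on an assumption about the response shape of GET /lcm/lcops/api/v2/environments: that each environment carries environmentId, environmentName and a products array, each product an id and a nodes array, and each node a type plus properties.hostName. Check those property names against your own $Environments output before relying on the function; the constructed sample at the bottom only exists so the block can be run offline.

```powershell
# Added example: derive the URI components used later in the post from the
# environment listing. Property names below are ASSUMED; verify them against
# a real $Environments object from your Lifecycle Manager.

function Get-AslcmNodeTarget {
    param(
        [Parameter(Mandatory)]$Environments,          # output of the environments GET call
        [Parameter(Mandatory)][string]$LcmHost,       # assumed: Lifecycle Manager FQDN
        [Parameter(Mandatory)][string]$ProductId      # e.g. vidm, vra, vrops, vrli
    )
    foreach ($environment in $Environments) {
        foreach ($product in @($environment.products) | Where-Object { $_.id -eq $ProductId }) {
            foreach ($node in @($product.nodes)) {
                $base = "https://$LcmHost/lcm/lcops/api/v2/environments/$($environment.environmentId)/products/$($product.id)"
                [pscustomobject]@{
                    EnvironmentId = $environment.environmentId
                    Environment   = $environment.environmentName
                    ProductId     = $product.id
                    NodeType      = $node.type
                    HostName      = $node.properties.hostName
                    NodeUri       = "$base/nodes/$($node.type)"        # root password PUT
                    AdminUri      = "$base/admin-password"              # application admin PUT
                }
            }
        }
    }
}

# Constructed sample input, shaped like the assumed response, so the function can
# be exercised without contacting Lifecycle Manager.
$sampleEnvironments = @(
    [pscustomobject]@{
        environmentId   = 'globalenvironment'
        environmentName = 'globalenvironment'
        products        = @(
            [pscustomobject]@{
                id    = 'vidm'
                nodes = @(
                    [pscustomobject]@{
                        type       = 'vidm-primary'
                        properties = [pscustomobject]@{ hostName = 'vidm-01.tsh.cloud' }
                    }
                )
            }
        )
    }
)

# Usage: with a live listing, replace $sampleEnvironments by $Environments.
Get-AslcmNodeTarget -Environments $sampleEnvironments -LcmHost 'alcm-01.tsh.cloud' -ProductId 'vidm' | Format-List
```

Filtering on ProductId keeps the lookup explicit: a product can have several nodes (primary and secondary vIDM nodes, an Operations cluster), and each one needs its own PUT with its own NodeType and hostName.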

VMware Identity Manager

So let’s get into it with VMware Identity Manager (vIDM). There are 2 components we will tackle here: the appliance root account and the application admin account.

We have everything we need to change the first password, so let’s build the first URI to change the appliance root password:

https://<fqdn>/lcm/lcops/api/v2/environments/<environmentID>/products/<ProductID>/nodes/<NodeType>
https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/globalenvironment/products/vidm/nodes/vidm-primary

Change root Password

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/globalenvironment/products/vidm/nodes/vidm-primary"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "PUT"
    "body"    = @{
        "hostName"         = "vidm-01.tsh.cloud"
        "currentPassword"  = "locker:password:a4c58648-46a1-4420-a1d7-696de195ab3d:installerPassword" # Existing Password object
        "newPassword"      = "locker:password:eda6ed6f-b8db-4718-8386-5799d611225d:vidmnew" # New Password object to be set
        "userNameToUpdate" = "root"
    }  | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod @Splat -SkipCertificateCheck

The currentPassword is populated with the installerPassword ID that we acquired earlier, and after creating a new password object, I have provided that ID as the newPassword.

Once run, you will be able to track the request in the UI under ‘Requests’ and confirm once complete!

Now let’s follow a similar approach for the admin application account, but using the other URI:

https://<fqdn>/lcm/lcops/api/v2/environments/<environmentID>/products/<ProductID>/admin-password
https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/globalenvironment/products/vidm/admin-password

Change Product Password

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/globalenvironment/products/vidm/admin-password"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "PUT"
    "body"    = @{
        "adminPassword"        = "locker:password:913e4ee9-4d23-43f7-875d-4f18d1290b6d:installerPassword" # New Password object to be set
        "currentAdminPassword" = "locker:password:eda6ed6f-b8db-4718-8386-5799d611225d:vidmnew1" # Existing Password object
    }   | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod @Splat -SkipCertificateCheck

This time we use the /lcm/lcops/api/v2/environments/globalenvironment/products/vidm/admin-password URI and only the currentAdminPassword and adminPassword request body values, which take Locker password IDs in the same way as the last example.

And there you have it! Let’s move onto some of the other Aria products!

Aria Automation

Now we can take the same approach for the Aria Automation Appliance root accounts, this time taking the values needed from the environment that contains the Aria Automation deployment:

Change root Password

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/d92a8c01-f257-41c6-9e36-2a808c224c53/products/vra/nodes/vrava-primary"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "PUT"
    "body"    = @{
        "hostName"         = "aa-01.tsh.cloud"
        "currentPassword"  = "locker:password:a4c58648-46a1-4420-a1d7-696de195ab3d:installerPassword" # Existing Password object
        "newPassword"      = "locker:password:859d908d-21d8-41d0-9100-082c546850d4:auto24" # New Password object to be set
        "userNameToUpdate" = "root"
    }  | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod @Splat -SkipCertificateCheck

Aria Operations

The same process applies to Aria Operations root accounts; the same URI is needed, with the applicable values added for environmentID, ProductID & NodeType.

Change root Password

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/d92a8c01-f257-41c6-9e36-2a808c224c53/products/vrops/nodes/master"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "PUT"
    "body"    = @{
        "hostName"         = "ao-01.tsh.cloud"
        "currentPassword"  = "locker:password:a4c58648-46a1-4420-a1d7-696de195ab3d:installerPassword" # Existing Password object
        "newPassword"      = "locker:password:d21bad28-b82a-4506-8ba6-a9fd82d7bd36:ops24" # New Password object to be set
        "userNameToUpdate" = "root"
    }  | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod @Splat -SkipCertificateCheck

And again for the application admin account…

Change Product Password

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/d92a8c01-f257-41c6-9e36-2a808c224c53/products/vrops/admin-password"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "PUT"
    "body"    = @{
        "adminPassword"        = "locker:password:d21bad28-b82a-4506-8ba6-a9fd82d7bd36:ops24" # New Password object to be set
        "currentAdminPassword" = "locker:password:a4c58648-46a1-4420-a1d7-696de195ab3d:installerPassword" # Existing Password object
    }   | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod @Splat -SkipCertificateCheck

Aria Operations for Logs

Finally, for Aria Operations for Logs, rinse and repeat the same process again, adding the appropriate values obtained from the environment fetch API call discussed earlier.

Change root Password

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/d92a8c01-f257-41c6-9e36-2a808c224c53/products/vrli/nodes/vrli-master"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "PUT"
    "body"    = @{
        "hostName"         = "aol-01"
        "currentPassword"  = "locker:password:a4c58648-46a1-4420-a1d7-696de195ab3d:installerPassword" # Existing Password object
        "newPassword"      = "locker:password:d21bad28-b82a-4506-8ba6-a9fd82d7bd36:ops24" # New Password object to be set
        "userNameToUpdate" = "root"
    }  | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod @Splat -SkipCertificateCheck

Change Product Password

$Splat = @{
    # ProductID is vrli for Aria Operations for Logs (the root example above uses the same value)
    "URI"     = "https://alcm-01.tsh.cloud/lcm/lcops/api/v2/environments/d92a8c01-f257-41c6-9e36-2a808c224c53/products/vrli/admin-password"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "PUT"
    "body"    = @{
        "adminPassword"        = "locker:password:d21bad28-b82a-4506-8ba6-a9fd82d7bd36:ops24" # New Password object to be set
        "currentAdminPassword" = "locker:password:a4c58648-46a1-4420-a1d7-696de195ab3d:installerPassword" # Existing Password object
    }   | ConvertTo-JSON -Depth 6
}
Invoke-RestMethod @Splat -SkipCertificateCheck

Creating Locker Passwords for Consumption

Now, as mentioned earlier, we can also use an API to create and then consume Locker passwords. Below is an example of creating a new Locker password object, and then how you could consume the output as part of a string.

$Splat = @{
    "URI"     = "https://alcm-01.tsh.cloud/lcm/locker/api/v2/passwords"
    "Headers" = @{
        'Accept'        = "*/*"
        'Content-Type'  = "application/json"
        "Authorization" = "Basic $([System.Convert]::ToBase64String([System.Text.Encoding]::ASCII.GetBytes("$($username):$($password)")))"
    }
    "Method"  = "POST"
    "body"    = @{
        "alias"               = "<Alias/Friendly Name>"
        "password"            = "<Password>"
        "passwordDescription" = "<Description>"
        "userName"            = "<Username>"
    }  | ConvertTo-JSON -Depth 6
}
$newcred = Invoke-RestMethod @Splat -SkipCertificateCheck

$newcred.vmid
$newcred.alias

Example dynamic string

<#Example String#> "locker:password:$($newcred.vmid):$($newcred.alias)"
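The Locker POST above is where a rotation job can stop handling clear-text passwords altogether: generate the value, store it in the Locker, and hand only the "locker:password:<vmid>:<alias>" reference to the node and admin-password calls. The block below is an added example (not the post's code) that does exactly that; the endpoint and body fields are the ones used above, while the function names, the $LcmHost parameter and the character set are assumptions.

```powershell
# Added example: create a Locker password with a generated value and return
# only the Locker reference, so the secret itself is never written to the
# console, history or a transcript. Endpoint and body fields are from the post.

function New-RandomPassword {
    param([int]$Length = 24)
    # Assumed character set; adjust to the product's complexity policy if needed.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*_-+='
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # GetInt32 draws uniformly from a CSPRNG, avoiding modulo bias.
        $alphabet[[System.Security.Cryptography.RandomNumberGenerator]::GetInt32(0, $alphabet.Length)]
    }
    return -join $chars
}

function New-AslcmLockerPassword {
    param(
        [Parameter(Mandatory)][string]$LcmHost,           # assumed: Lifecycle Manager FQDN
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Alias,             # the alias part of the Locker reference
        [Parameter(Mandatory)][string]$UserName,          # e.g. root or admin
        [string]$Description = "Rotated $(Get-Date -Format 'yyyy-MM-dd')",
        [int]$Length = 24,
        [switch]$SkipCertificateCheck
    )
    $pair    = '{0}:{1}' -f $Credential.UserName, $Credential.GetNetworkCredential().Password
    $headers = @{
        'Accept'        = '*/*'
        'Content-Type'  = 'application/json'
        'Authorization' = 'Basic ' + [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes($pair))
    }
    # Same body fields as the post's POST /lcm/locker/api/v2/passwords call.
    $body = @{
        alias               = $Alias
        password            = (New-RandomPassword -Length $Length)
        passwordDescription = $Description
        userName            = $UserName
    } | ConvertTo-Json -Depth 6
    $splat = @{
        Uri     = "https://$LcmHost/lcm/locker/api/v2/passwords"
        Headers = $headers
        Method  = 'POST'
        Body    = $body
    }
    if ($SkipCertificateCheck) { $splat['SkipCertificateCheck'] = $true }
    try {
        $newcred = Invoke-RestMethod @splat
    }
    finally {
        $body = $null   # drop the only local copy of the clear-text password
    }
    # The same dynamic string the post builds from $newcred.vmid and $newcred.alias
    return "locker:password:$($newcred.vmid):$($newcred.alias)"
}

# Usage:
# $cred   = Get-Credential -UserName 'admin@local'
# $newRef = New-AslcmLockerPassword -LcmHost 'alcm-01.tsh.cloud' -Credential $cred -Alias 'vidm-root-2024q4' -UserName 'root'
# $newRef  # locker:password:<vmid>:vidm-root-2024q4, ready for the newPassword field
```

Because the function returns the reference rather than the password, the value can be pasted into a newPassword or adminPassword field, logged, or passed between scripts without exposing the secret; anyone who later needs the clear text retrieves it from the Locker under the appropriate role.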

Hope this helps!

As always, thanks for reading!

If you like my content, consider following me on Twitter so you don’t miss out!
