I know what you're doing. I've had to do the same to satisfy the security team and their STIGs. I wish I had the script I used to post but unfortunately, it is on the system of a previous job. I can give you the basic outline though.
I never had to remove and re-add a host for this. As someone mentioned below, once it's connected, the VCSA deals with the secure comms on its own. I've also had to use this to change service accounts on all the hosts (looking at you ACAS). I kept all our secure passwords in a special KeePass vault to begin with and then I moved to a BitWarden vault. Luckily, there are PowerShell modules for both available in the Gallery and they work great. My big trick was encrypting the credentials to access the vault but it's doable. I used a generated encryption key but you can easily just feed it creds. Another gotcha is to create the entries with the hostnames. Here is the basic outline.
- Get credentials to access the password vault
- Connect to the vault
- Connect to vCenter
- Pull all powered on hosts
- For each host, look up the host in the vault
- If you do not find an entry, make one with the name of the host. You'll then update the vault as you change passwords
- If you find a host, pull the password for the user and update the notes field with the old password. I did this just to keep a running history of changes
- Tell KeePass or BitWarden to generate a new password according to your complexity. You can also do it in PS
- Use the new password with esxcli commands to update the user's password on the host
- Update the entry in your vault
- Rinse and repeat till you've cycled through all the hosts
- Save the new vault
- Disconnect from everything
You can of course use a host profile to change passwords. You can even use PS to create a host profile for each host and apply it so you still have different root passwords and export the new creds someplace for recording. We used the script I wrote instead of host profiles because we expanded it and used it to cycle passwords on most of our systems. We used it for ESXi hosts as well as Linux and Windows machines. We had a mix of separated environments and systems that were not domain joined. This basic idea was used to streamline password rotations on almost everything I could get my grubby little hands on.
Good luck with this. Be sure to wave your hat when you have it working.
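A PowerCLI sketch of the outline above, added here as an example and not the poster's script: it generates a per-host password in PS, applies it with `esxcli system account set` through `Get-EsxCli -V2` (so vCenter keeps talking to the host and nothing is reconnected), and records old and new values in the vault. `$VCenter` is a constructed hostname, and `Get-VaultEntry` / `Set-VaultEntry` are assumed placeholder names to be swapped for the KeePass or BitWarden module cmdlets you actually use.

```powershell
# Added example, not the poster's script. Assumes VMware PowerCLI is installed.
# Get-VaultEntry / Set-VaultEntry are placeholders (they throw on purpose so no
# host is rotated without a record): replace them with your vault module calls.
param([string]$VCenter = 'vcsa.example.internal')   # constructed hostname

function Get-VaultEntry { param($Title) throw 'replace with your vault lookup (return $null if missing)' }
function Set-VaultEntry { param($Title, $UserName, $Password, $Notes)
    throw 'replace with your vault create/update' }

function New-RandomPassword {
    # CSPRNG password with at least one char from each class, then shuffled,
    # so it satisfies a typical ESXi password-complexity rule.
    param([int]$Length = 20)
    $classes = @([char[]]'ABCDEFGHJKLMNPQRSTUVWXYZ', [char[]]'abcdefghijkmnpqrstuvwxyz',
                 [char[]]'23456789', [char[]]'!@#$%^&*_-+=')
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $pick = { param($set) $b = [byte[]]::new(4); $rng.GetBytes($b)
              $set[[int]([BitConverter]::ToUInt32($b, 0) % $set.Count)] }
    $pool  = $classes | ForEach-Object { $_ }                  # flattened pool
    $chars = @(foreach ($c in $classes) { & $pick $c })        # one per class
    $chars += @(1..($Length - $classes.Count) | ForEach-Object { & $pick $pool })
    -join (Get-Random -InputObject $chars -Count $chars.Count) # shuffle order
}

Connect-VIServer -Server $VCenter | Out-Null
try {
    foreach ($vmhost in Get-VMHost | Where-Object PowerState -eq 'PoweredOn') {
        $old = (Get-VaultEntry -Title $vmhost.Name).Password   # $null when new
        $new = New-RandomPassword
        # Record the new value BEFORE applying it: a failure between the two
        # steps must never leave a host whose password nobody holds.
        Set-VaultEntry -Title $vmhost.Name -UserName 'root' -Password $new `
            -Notes ("pending; previous: {0}" -f $old)
        # esxcli via vCenter: the VCSA keeps its own session to the host, so
        # nothing needs reconnecting after the root password changes.
        $esxcli = Get-EsxCli -VMHost $vmhost -V2
        $null = $esxcli.system.account.set.Invoke(@{
            id = 'root'; password = $new; passwordconfirmation = $new })
        Set-VaultEntry -Title $vmhost.Name -UserName 'root' -Password $new `
            -Notes ("rotated {0}; previous: {1}" -f (Get-Date -Format s), $old)
    }
} finally {
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}
```

The "previous" note mirrors the running history the reply describes; drop `$old` from the notes if your policy forbids keeping retired passwords anywhere.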
Original Message:
Sent: Jul 19, 2024 02:58 AM
From: Christoph Reeber
Subject: VCenter attached ESX hosts root password rotation
Hi together,
I am using clusters in vCenters and have to change the root passwords of the attached ESX hosts regularly.
Each ESX host must have its own password, best randomly generated based on some rules.
I saw some existing scripts changing passwords.
Additionally, I will document the password change in a report file.
But, my question: how to reconnect the host with the new password?
Did someone do something similar?
Thanks in advance for any hint.
Kind regards,
Christoph