VMware vCloud Automation Center uses Active Directory service accounts to run several internal services and processes. In many environments it is required to reset the passwords for these service accounts at various intervals. As you can imagine, resetting the password for a given service account will cause the associated services to stop functioning until they are updated with the new password. A customer recently pointed out that there is no official documentation that provides guidance for updating the services used by vCAC to prevent a service outage. So, naturally, I figured I’d put this out there until such documentation is provided…
Before proceeding, determine exactly which service accounts are mapped to which services so that nothing is misconfigured. Perform the following steps during a maintenance window, after the service account password has been changed in Active Directory.
Tenant Identity Store (account used to connect SSO to Active Directory / LDAP):
- Log into vCAC’s default tenant ([email protected])
- In the Tenants section, click on the appropriate Tenant name to edit
- Select the “Identity Store” tab
- Click the listed Identity Store to edit
- Type the new password of the service account used (entered as a DN) in the Password field
- Test the connection
- Click “Update” to save
- Click “Update” again
IaaS Services
- Optional: Create a snapshot of the IaaS VM
- Log into the vCAC IaaS (Windows) machine
- Open “Services” (e.g. from Administrative Tools)
- Open the following vCAC services and change the account password from the “Log On” tab:
  - VMware DEM-Orchestrator – DEO
  - VMware DEM-Worker – DEM
  - VMware vCloud Automation Center Agent – [agent_name]
  - VMware vCloud Automation Center Service
- Once applied, stop ALL vCAC services
- Start the services one at a time (in the above order)
IIS Application Pools
- In the Windows IaaS machine, open IIS Manager
- Expand the Server in the left pane and select “Application Pools”
- Right-click on the “RepositoryAppPool” Application Pool and select “Advanced Settings” from the sub menu
- In Advanced Settings, navigate to “Process Model” -> “Identity”
- Select the “…” next to the service account
- Re-enter the service account in DOM\username format, then enter and confirm the new password
- Click “OK” to save
- Repeat these steps for the other vCAC Application Pools:
  - vCACAppPool
  - WapiAppPool
- Right-click each pool and select “Start” (if already started, select “Recycle”)
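The pre-check and the two Windows-side sections above (service Log On credentials and IIS application pool identities) can be done from an elevated PowerShell session on the IaaS machine instead of clicking through the consoles. The script below is an added example, not part of the original post or of any VMware tooling. It assumes the service display names match the ones listed above, that the three application pools are named RepositoryAppPool, vCACAppPool and WapiAppPool, that the IIS WebAdministration module is present, and it uses `DOM\svc_vcac` as a placeholder account name. The password is read interactively so it never ends up in a script file or shell history, and the plaintext copy is discarded as soon as the updates are applied.

```powershell
# Added example (not from the original post): rotate the IaaS-side credentials
# for a vCAC service account. Run elevated on the vCAC IaaS (Windows) machine.
# Assumptions: service display names as listed in the post, app pool names
# RepositoryAppPool / vCACAppPool / WapiAppPool, WebAdministration module installed.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Account = 'DOM\svc_vcac'   # placeholder: the service account in DOM\username format

# --- 1. Pre-check: which services and app pools actually run as this account? ---
function Get-VcacAccountMappings {
    param([string]$Account)
    $services = Get-WmiObject Win32_Service |
        Where-Object { $_.StartName -ieq $Account } |
        Select-Object @{n='Type';e={'Service'}}, @{n='Name';e={$_.DisplayName}}, @{n='Identity';e={$_.StartName}}
    $pools = Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.userName -ieq $Account } |
        Select-Object @{n='Type';e={'AppPool'}}, @{n='Name';e={$_.Name}}, @{n='Identity';e={$_.processModel.userName}}
    @($services) + @($pools)
}

# Review this output before changing anything; it is the "which account maps to what" check.
Get-VcacAccountMappings -Account $Account | Format-Table -AutoSize

# Prompt for the new password rather than embedding it in the script.
$Secure = Read-Host -Prompt "New password for $Account" -AsSecureString
$Plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

# --- 2. Services: update Log On credentials, stop all, then start in the documented order ---
$ServicePatterns = @(
    'VMware DEM-Orchestrator*',
    'VMware DEM-Worker*',
    'VMware vCloud Automation Center Agent*',
    'VMware vCloud Automation Center Service'
)
$Ordered = foreach ($p in $ServicePatterns) { Get-Service -DisplayName $p -ErrorAction SilentlyContinue }

foreach ($svc in $Ordered) {
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$($svc.Name)'"
    # Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
    #   DesktopInteract, StartName, StartPassword): only the last two are changed here.
    $r = $wmi.Change($null, $null, $null, $null, $null, $null, $Account, $Plain)
    if ($r.ReturnValue -ne 0) {
        throw "Credential update failed for '$($svc.DisplayName)' (return code $($r.ReturnValue))"
    }
}

# Stop everything first, then bring the services up one at a time in order.
$Ordered | Stop-Service -Force
foreach ($svc in $Ordered) {
    Start-Service $svc.Name
    (Get-Service $svc.Name).WaitForStatus('Running', [TimeSpan]::FromSeconds(60))
}

# --- 3. IIS application pools: set the identity, then recycle (or start) each pool ---
foreach ($pool in 'RepositoryAppPool', 'vCACAppPool', 'WapiAppPool') {
    $path = "IIS:\AppPools\$pool"
    if (-not (Test-Path $path)) { Write-Warning "App pool $pool not found"; continue }
    # identityType 3 = SpecificUser, the same setting the "..." dialog in IIS Manager writes.
    Set-ItemProperty $path -Name processModel -Value @{ userName = $Account; password = $Plain; identityType = 3 }
    if ((Get-WebAppPoolState $pool).Value -eq 'Started') { Restart-WebAppPool $pool } else { Start-WebAppPool $pool }
}

# Drop the plaintext copy as soon as it is no longer needed.
$Plain = $null
[GC]::Collect()

# Confirm that everything now reports the expected identity and is running.
Get-VcacAccountMappings -Account $Account | Format-Table -AutoSize
$Ordered | Get-Service | Format-Table DisplayName, Status -AutoSize
```

Running the mapping function once before and once after the change gives you a before/after record of exactly which services and pools were touched, which is the evidence you want in the change ticket if something fails to start afterwards.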
Endpoint Credentials
- In vCAC “Infrastructure” tab, navigate to “Endpoints” -> “Credentials”
- Click the pencil icon next to the Endpoint credential that you want to edit (e.g. the one that was changed)
- Enter and confirm the new service account password
- Click the green check mark icon to save
DB/SQL Server Connection: The service account used to communicate with SQL is Windows Integrated and should not need to be manually changed.
SSO: the SSO initialization password ([email protected]) cannot be changed
At this point I prefer to reboot the vCAC IaaS machine to ensure all services stop and start properly. Once these steps are completed, give the IaaS services up to 10 minutes to re-register with the vCAC VA before attempting to log in. You may need to close your browser and clear temporary files to ensure cached passwords are not passed to the new session. And finally, a thorough test of IaaS services would be a good idea.
You can expect an official KB article from VMware soon, but in the meantime, I hope this helps those of you that have run into this requirement.
Enjoy!
++++
@virtualjad
Hi there, has a VMware kb article been created to document this procedure?
There’s this KB: https://kb.vmware.com/kb/2099949
Thanks Jad. This guide worked perfectly on our environment. I was searching all over for this.