Your Browser is Out of Date

Nytro.ai uses technology that works best in other browsers.
For a full experience use one of the browsers below
Tech Book—Dell Integrated System for Microsoft Azure Stack Hub
Executive summary Solution Overview Prerequisites Hardware Infrastructure Networking and Cabling Operations and Management Software Security
Security
Security overview
Least-privilege authority
Secrets rotation
Maintaining the Solution Backup and Recovery Conclusion License Retrieval Dell Technologies Support and Consulting Offerings

Secrets rotation

Secrets rotation


  • Overview

    We recommend, on a regular cadence, that you rotate secrets that are contained in the switches, HLH, and iDRACs, for example, passwords, certificates, or string keys. At the end of the deployment period, Dell Technologies assists the operator, if required, to set up accounts and remove any well-known user names and passwords.

    For more information about guidance on secrets in use and how to use the available tools, see Rotate secrets in Azure Stack Hub on the Microsoft website.

    The following table lists the supported Azure Stack Hub rotation matrix.

    Table 39. Microsoft Azure Stack Hub supported rotation
    Certificate installed Rotate certificate to Supported Azure Stack Hub release
    Self-Signed Enterprise Not supported N/A
    Self-Signed Public Supported 1803 and later
    Self-Signed Self-Signed Not supported N/A
    Enterprise Public Supported 1803 and later
    Enterprise Self-Signed Not supported N/A
    Enterprise Enterprise This is supported in 1803 if customers use the same enterprise CA that is used at deployment 1803 and later
    Public Self-Signed Not supported N/A
    Public Enterprise Not Supported N/A
    Public Public Supported 1803 and later
    Important: We do not recommend using well-known user names such as ADMIN, admin, root, Administrator, USERID, and so on, or weak passwords, such as Password, Password1!, P@ssW0rd, Welcome, 1234567, Winter10, Calvin, and so on.

    HLH-related password changes

    By default, Windows Server 2019 account passwords on the HLH host and Management VM are set to expire after 30 days. This default includes the Administrator accounts and any other operator accounts that are created during deployment. These operating system account passwords can be changed through the system settings in Windows Server 2019.

    If the passwords are allowed to expire, then you must open a console session to perform a reset; RDP connections are unable to connect if the password has expired. For the Management VM, you can open the console session from the Hyper-V manager on the HLH host. For the HLH host, you must use a physical console or iDRAC virtual console.

    Note: We recommend that you create strong passwords that include at least one each of uppercase and lowercase letters, numerals, and special characters.