We recommend that you rotate, on a regular cadence, the secrets that are contained in the switches, HLH, and iDRACs, for example, passwords, certificates, or string keys. At the end of the deployment period, Dell Technologies assists the operator, if required, to set up accounts and remove any well-known user names and passwords.
For guidance on the secrets in use and how to use the available tools, see Rotate secrets in Azure Stack Hub on the Microsoft website.
The following table lists the supported Azure Stack Hub rotation matrix.
| Certificate installed | Rotate certificate to | Supported | Azure Stack Hub release |
|---|---|---|---|
| Self-Signed | Enterprise | Not supported | N/A |
| Self-Signed | Public | Supported | 1803 and later |
| Self-Signed | Self-Signed | Not supported | N/A |
| Enterprise | Public | Supported | 1803 and later |
| Enterprise | Self-Signed | Not supported | N/A |
| Enterprise | Enterprise | This is supported in 1803 if customers use the same enterprise CA that is used at deployment | 1803 and later |
| Public | Self-Signed | Not supported | N/A |
| Public | Enterprise | Not supported | N/A |
| Public | Public | Supported | 1803 and later |
By default, Windows Server 2019 account passwords on the HLH host and Management VM are set to expire after 30 days. This default includes the Administrator accounts and any other operator accounts that are created during deployment. These operating system account passwords can be changed through the system settings in Windows Server 2019.
If the passwords are allowed to expire, then you must open a console session to perform a reset; RDP connections are unable to connect if the password has expired. For the Management VM, you can open the console session from the Hyper-V manager on the HLH host. For the HLH host, you must use a physical console or iDRAC virtual console.
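One way to catch expiring passwords before RDP access is lost is to report on local account expiry from the HLH host or Management VM. The script below is an added example, not part of the Dell or Microsoft guidance; it assumes the operator accounts are local accounts, that it runs in an elevated PowerShell session on Windows Server 2019, and the `$WarnDays` threshold is a hypothetical value you choose.

```powershell
# Added example: flag enabled local accounts whose passwords are expired
# or will expire soon. Assumes local (not domain) accounts.
param(
    [int]$WarnDays = 7   # hypothetical warning threshold, not from the guidance
)

$now = Get-Date

$report = Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
    # PasswordExpires is $null when the account's password never expires.
    $expires  = $_.PasswordExpires
    $daysLeft = $null
    $status   = 'NeverExpires'

    if ($null -ne $expires) {
        $daysLeft = [math]::Floor(($expires - $now).TotalDays)
        if ($daysLeft -lt 0) {
            $status = 'Expired'        # needs a console session to reset
        }
        elseif ($daysLeft -le $WarnDays) {
            $status = 'ExpiringSoon'   # change it now while RDP still works
        }
        else {
            $status = 'OK'
        }
    }

    [pscustomobject]@{
        Account         = $_.Name
        PasswordLastSet = $_.PasswordLastSet
        PasswordExpires = $expires
        DaysLeft        = $daysLeft
        Status          = $status
    }
}

$report | Sort-Object PasswordExpires | Format-Table -AutoSize

# A non-zero exit code lets a scheduled task or monitoring agent raise an alert.
$atRisk = @($report | Where-Object { $_.Status -in 'Expired', 'ExpiringSoon' })
if ($atRisk.Count -gt 0) {
    Write-Warning ("{0} account(s) need a password change." -f $atRisk.Count)
    exit 1
}
```

Run it on both the HLH host and the Management VM, since each keeps its own local accounts.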