Nutanix Prism Central Secret Template for RPC
Overview
This document briefly discusses using Secret Server Remote Password Changing (RPC) for a Nutanix Prism Central Account. With Remote Password Changing (RPC), secrets can automatically change remote account passwords when a secret expires, either immediately or on a defined schedule. In addition, the new passwords’ strengths and other qualities are completely configurable. See the Password Changer List for a complete list of available password changers.
Nutanix Prism Central is a centralized management platform for Nutanix clusters, providing infrastructure monitoring, policy management, and lifecycle operations from a single console. The Nutanix Prism Central RPC template enables both Remote Password Changing and Heartbeat for Nutanix user accounts, with password operations performed through the Nutanix Prism Central API on port 9440.
Supported Account Types
This template rotates passwords for locally managed Nutanix Prism Central accounts, including:
- Local user accounts — Standard users created and authenticated within Nutanix Prism Central’s native authentication.
- Privileged user accounts — Accounts with elevated authorization policies that grant permissions to manage other users.
Accounts authenticated through LDAP, SAML, or other external identity providers are not supported. Manage those passwords through the external identity provider.
Use Cases
- Heartbeat — Secret Server periodically validates that the stored credentials are still correct against the Nutanix Prism Central API.
- Password rotation — The privileged account changes the password for a target Nutanix user via the Nutanix Prism Central API.
Prerequisites
Nutanix Prism Central
The following must be in place on the Nutanix Prism Central instance before setup. This section does not cover Nutanix Prism Central installation.
- Nutanix Prism Central instance — A running, accessible Nutanix Prism Central environment.
- Console access (port 9440) — The Nutanix Prism Central console (default https://[nutanix-host]:9440) must be reachable from the Secret Server Distributed Engine.
- Privileged user account — A user account with an elevated authorization policy that grants permission to change other users’ passwords. This account serves as the Privileged Account in Secret Server.
- SSL certificates — Valid SSL certificates must be installed on the Nutanix Prism Central instance. The certificate chain (server, intermediate, root) must also be imported into the Trusted Root Certification Authorities on the Secret Server or Distributed Engine machine.
Secret Server
- Remote Password Changing: Enabled in your Secret Server instance.
- Distributed Engine: Configured, online, and with HTTPS network access to the Nutanix Prism Central console at https://[nutanix-host]:9440. If the Nutanix environment requires VPN access, ensure the Distributed Engine has the necessary VPN connectivity.
- The Nutanix Prism Central Account secret template available in your Secret Server instance.
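A preflight check for the network and certificate prerequisites above, intended to be run from the Distributed Engine machine before the secrets are created. This is an added example, not part of Secret Server or Nutanix; the function names and the sample host are assumptions, and it assumes Python 3 is available on that machine. It performs only a TCP connect and a verified TLS handshake and does not call the Prism Central API.

```python
import socket
import ssl
from datetime import datetime, timezone
from urllib.parse import urlsplit

DEFAULT_PORT = 9440  # Prism Central console/API port named in the prerequisites


def parse_host_field(value):
    """Split the secret's Host value into (hostname, port); require https."""
    parts = urlsplit(value.strip())
    if parts.scheme.lower() != "https" or not parts.hostname:
        raise ValueError("Host must be an https:// URL, got %r" % value)
    return parts.hostname, parts.port or DEFAULT_PORT


def preflight(host_field, timeout=5.0, context=None):
    """Return (ok, detail) for TCP reachability plus a verified TLS handshake."""
    host, port = parse_host_field(host_field)
    # The default context verifies chain and hostname against the OS trust
    # store (on Windows, the system ROOT and CA certificate stores).
    ctx = context or ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                version = tls.version()
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate not trusted or name mismatch: %s" % exc.verify_message
    except ssl.SSLError as exc:
        return False, "TLS handshake failed: %s" % exc
    except OSError as exc:  # refused, timed out, DNS failure, missing VPN route
        return False, "cannot reach %s:%d: %s" % (host, port, exc)
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    expires = datetime.fromtimestamp(not_after, timezone.utc)
    days_left = (expires - datetime.now(timezone.utc)).days
    return True, "%s, chain trusted, certificate expires in %d days" % (version, days_left)


if __name__ == "__main__":
    import sys
    # Placeholder host (assumption); pass the real Host value as the argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://nutanix-host.example:9440"
    ok, detail = preflight(target)
    print(("PASS: " if ok else "FAIL: ") + detail)
    sys.exit(0 if ok else 1)
```

A "certificate not trusted" result points at the certificate chain import prerequisite, while "cannot reach" points at firewall, DNS, or VPN connectivity for the Distributed Engine.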
Configuration
Step 1: Create the Privileged Account Secret
The privileged account secret stores the credentials of the Nutanix account that Secret Server uses to rotate passwords for other users.
- Navigate to Secrets and click Create secret.
- Select the Nutanix Prism Central Account template.
- Enter a Secret name (for example, Nutanix Admin - Privileged).
- In Host, enter the Nutanix Prism Central URL (for example, https://[nutanix-host]:9440).
- Enter the Username and Password of the Nutanix privileged account.
- Click Create secret.
Step 2: Create the Target User Secret
The target user secret stores the credentials of the Nutanix account whose password Secret Server will rotate and monitor.
- Navigate to Secrets and click Create secret.
- Select the Nutanix Prism Central Account template.
- Enter a Secret name (for example, Nutanix - [username]).
- In Host, enter the Nutanix Prism Central URL (for example, https://[nutanix-host]:9440).
- Enter the Username and Password of the target Nutanix account.
- Click Create secret.
- Select the Remote password changing tab.
- In RPC / Autochange, click Edit.
- For Change password using, select Privileged account credentials.
- Click No Secret Selected and search for the privileged account secret created in Step 1.
- Click Save.
Step 3: Verify Password Rotation and Heartbeat
After setting up RPC, verify that both password rotation and heartbeat work correctly.
Test Heartbeat
- On the target user secret’s Overview tab, check Expiration and heartbeat. Verify that Last Heartbeat Status shows a successful result.
Test Password Rotation
- Trigger a manual password rotation on the target user secret. Confirm the operation completes successfully and the secret’s password value updates.
- Log in to Nutanix Prism Central with the target account using the new password to confirm the change took effect.
- After rotation, verify the heartbeat status remains successful.