Rajeshkumar M

NSX-T Principal Identity creation

Updated: Jan 17

In my previous article, I used a script to automate load balancer configuration during recovery. The script uses a principal identity to authenticate with NSX-T.

I created a principal identity user with the Enterprise Admin role in both NSX-T managers, backed by one certificate, so the same certificate can authenticate against both managers.

First, I generated a certificate with openssl; this certificate is used to create the principal identity user with the Enterprise Admin role in the NSX-T manager at both locations. Note that I wanted to run the script from the SRM appliance, so I generated the certificate on the SRM appliance.


openssl req -newkey rsa:2048 -sha256 -x509 -days 356 -subj "/CN=scriptuser" -extensions usr_cert -nodes -keyout scriptuser.key -out scriptuser.crt

NodeID is a unique ID. I copied the content of scriptuser.crt into the Certificate PEM section on the new principal identity user page in NSX-T manager.


cat scriptuser.crt

Fig 1

Fig 1 shows the principal identity user created in both NSX-T managers with the Enterprise Admin role, using the certificate I generated.


Now I can access the NSX-T API using the certificate:



curl --cert ./scriptuser.crt --key ./scriptuser.key -k -X GET https://site-a-nsx/policy/api/v1/infra/b-services


I combined the .crt and .key files into a single PEM file so the API can be accessed with one file instead of separate .crt and .key files.



cat scriptuser.key > scriptuser.pem
cat scriptuser.crt >> scriptuser.pem


Now I can verify the user with the API call below:



curl --cert ./scriptuser.pem -k -X GET https://site-a-nsx/policy/api/v1/trust-management/principal-identities
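The same verification as a script, added here as an example that is not part of the original post: it presents the combined scriptuser.pem as the client certificate, verifies the manager's TLS certificate against a CA bundle instead of skipping verification with -k, and checks that the principal identity exists with the enterprise_admin role. The hostname, the CA bundle path and the sample response are assumptions.

```python
import json
import ssl
import urllib.request
from typing import Optional, Tuple

# Assumed values (not from the original post): manager hostname, the combined
# PEM built with `cat scriptuser.key scriptuser.crt`, and a CA bundle for the
# manager's server certificate so that TLS verification replaces curl -k.
NSX_HOST = "site-a-nsx"
CLIENT_PEM = "./scriptuser.pem"
SERVER_CA = "./nsx-manager-ca.pem"
PI_PATH = "/policy/api/v1/trust-management/principal-identities"

# Constructed sample in the shape of the principal-identities response;
# this is not captured output from a real manager.
SAMPLE_RESPONSE = {"results": [
    {"name": "scriptuser", "node_id": "srm-appliance",
     "role": "enterprise_admin", "certificate_id": "constructed-cert-id"},
    {"name": "reader", "node_id": "node-2", "role": "auditor"},
]}


def client_context(client_pem: str, server_ca: str) -> ssl.SSLContext:
    """TLS context that presents the principal identity certificate and
    verifies the manager's certificate against the given CA bundle."""
    ctx = ssl.create_default_context(cafile=server_ca)
    ctx.load_cert_chain(certfile=client_pem)  # key and cert in one PEM
    return ctx


def list_principal_identities(host: str, ctx: ssl.SSLContext) -> dict:
    req = urllib.request.Request(f"https://{host}{PI_PATH}", method="GET")
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def find_principal_identity(payload: dict, name: str) -> Optional[dict]:
    """Return the entry named `name`, or None if the manager has none."""
    for entry in payload.get("results", []):
        if entry.get("name") == name:
            return entry
    return None


def check_enterprise_admin(payload: dict, name: str) -> Tuple[bool, str]:
    """(ok, reason): ok only when `name` exists with the enterprise_admin role."""
    entry = find_principal_identity(payload, name)
    if entry is None:
        return False, f"principal identity {name!r} not found"
    if entry.get("role") != "enterprise_admin":
        return False, f"{name!r} has role {entry.get('role')!r}"
    return True, f"{name!r} ok (node_id={entry.get('node_id')})"


if __name__ == "__main__":
    data = list_principal_identities(NSX_HOST, client_context(CLIENT_PEM, SERVER_CA))
    print(check_enterprise_admin(data, "scriptuser")[1])
```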
