top of page
  • Rajeshkumar M

NSX-T Principle identity creation

Updated: Jan 17

In my previous article, I used a script to automate load balancer configuration during recovery via script. The script uses principle identity to authenticate with NSX-T.

I have created a principle identity user with Enterprise Admin role in both NSX-T with a certificate so I can use the same certificate to authenticate both NSX-T manager.

First, i have generated a certificate using openssl and this certificate can be used to create principle identity user with Enterprise Admin role in both location NSX-T manager.Please note i wanted to execute this from SRM appliance and i have created this certificate from SRM appliance.

openssl req -newkey rsa:2048 -sha256 -x509 -days 356 -subj "/CN=scriptuser" -extensions usr_cert -nodes -keyout scriptuser.key -out scriptuser.crt

NodeID is a unique ID and copied the content from scriptuser.crt to Certificate PEM section on the new principle identity user page in NSX-T manager.

cat scriptuser.crt 

Fig 1

Fig 1, created a principle identity user in both NSX-T managers with Enterprise Admin role using the certificate I generated .

Now I’m able to access using the certificate

curl --cert ./scriptuser.crt --key ./scriptuser.key -k -X GET https://site-a-nsx/policy/api/v1/infra/b-services

I have converted the crt and key file to PEM file to access with single file instead of separate .crt and .key file.

cat scriptuser.key > scriptuser.pem
cat scriptuser.crt >> scriptuser.pem

Now, i can very the user with below api call

curl --cert ./scriptuser.pem -k -X GET https://site-a-nsx/policy/api/v1/trust-management/principal-identities

77 views0 comments

Recent Posts

See All

I would like to share how I tested the SaltStack VMware module for NSX-T desired state configuration and issues. First installed python on my Linux machine then installed salt stack with bootstrap scr

NSX-T TAG’s are location specific, if we create any group based on the TAG to apply global distributed firewall rule, the rule will not get applied at recovery site since the recovery site doesn’t hav

bottom of page