NSX-T Principal identity creation
Updated: Jan 17
In my previous article, I used a script to automate load balancer configuration during recovery. The script authenticates to NSX-T with a principal identity (PI), a certificate-based user intended for automation: there is no password, and the caller proves who it is with the private key that matches the certificate registered on the manager.
I created a principal identity user with the Enterprise Admin role in both NSX-T managers using the same certificate, so one key pair authenticates to either manager.
First, I generated a certificate with openssl. This certificate is used to create the principal identity user with the Enterprise Admin role in the NSX-T manager at both locations. Note that I wanted to run the script from the SRM appliance, so I generated the certificate on the SRM appliance itself; the private key is created there and never needs to leave it.
openssl req -newkey rsa:2048 -sha256 -x509 -days 356 -subj "/CN=scriptuser" -extensions usr_cert -nodes -keyout scriptuser.key -out scriptuser.crt
Node ID is a free-form unique identifier for the principal identity. The Certificate PEM field on the new principal identity user page in NSX-T Manager takes the contents of scriptuser.crt (only the certificate, never the key file).
Fig 1: the principal identity user created in both NSX-T managers with the Enterprise Admin role, using the certificate I generated.
Now I can access the API with the certificate. The -k option skips verification of the manager's server certificate, which is fine for a first test, but the script itself should verify the manager with --cacert so the PI key is never presented to an impostor:
curl --cert ./scriptuser.crt --key ./scriptuser.key -k -X GET https://site-a-nsx/policy/api/v1/infra/lb-services
I then combined the crt and key into a single PEM file so the script can pass one file instead of separate .crt and .key files. Because the combined file contains the private key, it should be readable only by the account that runs the script.
cat scriptuser.key > scriptuser.pem
cat scriptuser.crt >> scriptuser.pem
Now I can verify the user with the API call below:
curl --cert ./scriptuser.pem -k -X GET https://site-a-nsx/policy/api/v1/trust-management/principal-identities
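The whole procedure above (generate the key pair, assemble the combined PEM, confirm the key really matches the certificate before pasting it into the manager, then query the API) as one added shell example. This is not the original post's script; it wraps the same openssl and curl invocations in functions, creates the PEM with owner-only permissions, and replaces -k with --cacert. The manager hostname, the CA bundle path and the output file prefix are parameters you supply; the API path defaults to the one used in the post.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): create the principal-identity
# client certificate, build the combined PEM and verify the pair locally.
set -eu

# Generate a self-signed client certificate, same openssl invocation as the
# post with the CN and output prefix as parameters. The key is created with
# owner-only permissions because it is the PI's only credential.
pi_gen_cert() {   # usage: pi_gen_cert <cn> <out_prefix>
    cn="$1"; prefix="$2"
    (umask 077; openssl req -newkey rsa:2048 -sha256 -x509 -days 365 \
        -subj "/CN=${cn}" -extensions usr_cert -nodes \
        -keyout "${prefix}.key" -out "${prefix}.crt" 2>/dev/null)
}

# Concatenate key and certificate into one PEM so curl needs only --cert.
# umask 077 creates the file as mode 600 instead of chmod-ing afterwards,
# so the private key is never world-readable even briefly.
pi_build_pem() {   # usage: pi_build_pem <prefix>
    prefix="$1"
    (umask 077; cat "${prefix}.key" "${prefix}.crt" > "${prefix}.pem")
}

# Return 0 if the public key inside the certificate matches the private key.
# Compares SHA-256 digests of the DER-encoded public keys, so it works for
# RSA and EC keys alike. Run this before pasting the cert into NSX-T.
pi_check_pair() {   # usage: pi_check_pair <prefix>
    prefix="$1"
    crt_pub=$(openssl x509 -in "${prefix}.crt" -noout -pubkey \
              | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "${prefix}.key" -pubout -outform DER \
              | openssl dgst -sha256)
    [ "$crt_pub" = "$key_pub" ]
}

# Print the certificate text that goes into the Certificate PEM field
# (certificate only, never the key) plus its SHA-256 fingerprint for
# comparing against what the manager shows after import.
pi_show_cert() {   # usage: pi_show_cert <prefix>
    openssl x509 -in "$1.crt" -noout -fingerprint -sha256
    cat "$1.crt"
}

# Query the manager with the combined PEM. --cacert pins the manager's CA
# bundle (path is an assumption) instead of -k, so the client key is only
# ever presented to a manager whose certificate we trust.
pi_verify() {   # usage: pi_verify <manager_host> <prefix> <ca_bundle> [api_path]
    host="$1"; prefix="$2"; ca="$3"
    path="${4:-/policy/api/v1/trust-management/principal-identities}"
    curl --silent --show-error --cacert "$ca" --cert "${prefix}.pem" \
        -X GET "https://${host}${path}"
}

# Typical run from the SRM appliance (the manager and CA path are placeholders):
#   pi_gen_cert scriptuser ./scriptuser
#   pi_check_pair ./scriptuser && pi_show_cert ./scriptuser
#   pi_build_pem ./scriptuser
#   pi_verify site-a-nsx ./scriptuser /etc/ssl/certs/nsx-ca.pem
```

The pair check is the step worth keeping even if you script nothing else: a certificate pasted into the manager that does not match the key on the appliance fails only at first use, with an unhelpful TLS handshake error.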