Rajeshkumar M

NSX-T Principal identity creation

Updated: Jan 17, 2023

In my previous article, I used a script to automate load balancer configuration during recovery. The script uses a principal identity to authenticate with NSX-T.

I have created a principal identity user with the Enterprise Admin role in both NSX-T managers using a certificate, so I can use the same certificate to authenticate to both NSX-T managers.

First, I generated a certificate using openssl; this certificate can be used to create a principal identity user with the Enterprise Admin role in the NSX-T manager at both locations. Please note that I wanted to execute this from the SRM appliance, so I created this certificate on the SRM appliance.

openssl req -newkey rsa:2048 -sha256 -x509 -days 356 -subj "/CN=scriptuser" -extensions usr_cert -nodes -keyout scriptuser.key -out scriptuser.crt

Node ID is a unique ID, and I copied the content of scriptuser.crt into the Certificate PEM section on the new principal identity user page in NSX-T manager.

cat scriptuser.crt

Fig 1

Fig 1: created a principal identity user in both NSX-T managers with the Enterprise Admin role using the certificate I generated.

Now I’m able to access NSX-T using the certificate:

curl --cert ./scriptuser.crt --key ./scriptuser.key -k -X GET https://site-a-nsx/policy/api/v1/infra/b-services

I have converted the .crt and .key files into a single PEM file so I can authenticate with one file instead of separate .crt and .key files.

cat scriptuser.key > scriptuser.pem
cat scriptuser.crt >> scriptuser.pem

Now I can verify the user with the API call below:

curl --cert ./scriptuser.pem -k -X GET https://site-a-nsx/policy/api/v1/trust-management/principal-identities
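The same verification call from a script, as an added example that is not part of the original post or the author's recovery script: it authenticates with the combined scriptuser.pem bundle, checks the NSX-T manager's certificate against a CA bundle instead of the curl -k equivalent, and confirms that the principal identity named scriptuser exists with the expected Node ID. The host name site-a-nsx comes from the post; the CA bundle file name, the Node ID value and the sample response are assumptions constructed for the example.

```python
"""Verify an NSX-T principal identity over a client-certificate TLS session."""
import http.client
import json
import ssl

PI_PATH = "/policy/api/v1/trust-management/principal-identities"


def make_client_context(pem_bundle, ca_bundle):
    """Client cert + key from one PEM file; manager cert verified against ca_bundle."""
    ctx = ssl.create_default_context(cafile=ca_bundle)  # no CERT_NONE, i.e. no '-k'
    ctx.load_cert_chain(certfile=pem_bundle)            # scriptuser.key + scriptuser.crt
    return ctx


def get_principal_identities(host, ctx):
    """GET the principal-identities list and return the parsed JSON body."""
    conn = http.client.HTTPSConnection(host, context=ctx, timeout=30)
    conn.request("GET", PI_PATH, headers={"Accept": "application/json"})
    resp = conn.getresponse()
    body = resp.read()
    if resp.status != 200:
        raise RuntimeError(f"NSX-T returned HTTP {resp.status}: {body[:200]!r}")
    return json.loads(body)


def find_identity(payload, name):
    """Return the principal identity entry with this name, or None."""
    for entry in payload.get("results", []):
        if entry.get("name") == name:
            return entry
    return None


def check_identity(payload, name, expected_node_id):
    """'ok' when the user exists with the expected Node ID, else why not."""
    entry = find_identity(payload, name)
    if entry is None:
        return "missing"
    if entry.get("node_id") != expected_node_id:
        return "node_id_mismatch"
    return "ok"


# Constructed sample response (not captured from a real manager).
SAMPLE = {"results": [{"name": "scriptuser", "node_id": "srm-node-1",
                       "certificate_id": "constructed-cert-id"}]}

if __name__ == "__main__":
    ctx = make_client_context("scriptuser.pem", "nsx-ca.pem")  # assumed CA file
    live = get_principal_identities("site-a-nsx", ctx)
    print(check_identity(live, "scriptuser", "srm-node-1"))
```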

