While working on a project, I discovered that REST requests that previously worked from PowerShell, curl and various REST clients to register the NSX Manager with vCenter and the SSO server were no longer working.
For example, against NSX 6.1.2 the following code worked fine, returning a 200:
    curl -k -u 'admin:VMware1!' \
      -H 'Accept:application/xml' \
      -H 'Content-Type:application/xml' \
      -X PUT https://10.0.0.80/api/2.0/services/vcconfig \
      -d '<vcInfo>
            <ipAddress>10.0.0.30</ipAddress>
            <userName>administrator@sierlab.local</userName>
            <password>VMware1!</password>
            <assignRoleToUser>true</assignRoleToUser>
          </vcInfo>'
With 6.1.3 and 6.1.4 it would return a 403 with a cryptic error body:

    <?xml version="1.0" encoding="UTF-8"?>
    <error>
      <details>92:4D:D6:A4:C2:C2:39:EE:81:11:AA:A9:8D:0D:1F:17:D0:33:C2:C1</details>
      <errorCode>226</errorCode>
    </error>
With help from @voltmer we were able to figure out that the returned error was the certificate thumbprint of the vCenter server. Turns out you need to pass the thumbprint along with the rest of the payload starting with version 6.1.3. With the above example, it would look like this:
    curl -k -u 'admin:VMware1!' \
      -H 'Accept:application/xml' \
      -H 'Content-Type:application/xml' \
      -X PUT https://10.0.0.80/api/2.0/services/vcconfig \
      -d '<vcInfo>
            <ipAddress>10.0.0.30</ipAddress>
            <userName>administrator@sierlab.local</userName>
            <password>VMware1!</password>
            <assignRoleToUser>true</assignRoleToUser>
            <certificateThumbprint>92:4D:D6:A4:C2:C2:39:EE:81:11:AA:A9:8D:0D:1F:17:D0:33:C2:C1</certificateThumbprint>
          </vcInfo>'
Looking at the API docs for NSX, this requirement is not noted, but this is being addressed.
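An added example (not from the original post or VMware's documentation): instead of pasting the value from the 403 straight back into the payload, compare it with a thumbprint computed from a certificate copy obtained from vCenter itself, and build the `vcInfo` body only on a match. It assumes the thumbprint is the SHA-1 of the DER certificate, which fits the 20-byte value in the error; the function names and the stand-in PEM are hypothetical.

```python
import hashlib
import ssl
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample: the 403 body quoted in the post.
SAMPLE_ERROR = (
    '<?xml version="1.0" encoding="UTF-8"?><error>'
    "<details>92:4D:D6:A4:C2:C2:39:EE:81:11:AA:A9:8D:0D:1F:17:D0:33:C2:C1</details>"
    "<errorCode>226</errorCode></error>"
)
# Constructed stand-in, not a real certificate (the payload is the bytes b"abc").
CONSTRUCTED_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def normalize(tp):
    """Canonical form: 20 upper-case hex bytes joined by colons."""
    hexstr = "".join(tp.split()).replace(":", "").upper()
    if len(hexstr) != 40 or any(c not in "0123456789ABCDEF" for c in hexstr):
        raise ValueError("not a 20-byte thumbprint: %r" % tp)
    return ":".join(hexstr[i:i + 2] for i in range(0, 40, 2))

def thumbprint_from_error(body):
    """Thumbprint carried in an errorCode 226 response, or None for other errors."""
    root = ET.fromstring(body.encode("utf-8"))
    if root.tag != "error" or root.findtext("errorCode") != "226":
        return None
    return normalize(root.findtext("details", default=""))

def pem_thumbprint(pem):
    """SHA-1 over the DER form of a PEM certificate (algorithm is an assumption)."""
    return normalize(hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem)).hexdigest())

def build_vcinfo(ip, user, password, reported, trusted):
    """Return the vcInfo body only when NSX's reported thumbprint equals the trusted one."""
    if normalize(reported) != normalize(trusted):
        raise ValueError("thumbprint mismatch: NSX saw %s, trusted copy is %s"
                         % (reported, trusted))
    fields = [("ipAddress", ip), ("userName", user), ("password", password),
              ("assignRoleToUser", "true"), ("certificateThumbprint", normalize(trusted))]
    return "<vcInfo>%s</vcInfo>" % "".join(
        "<%s>%s</%s>" % (tag, escape(val), tag) for tag, val in fields)

if __name__ == "__main__":
    seen = thumbprint_from_error(SAMPLE_ERROR)
    trusted = pem_thumbprint(CONSTRUCTED_PEM)  # in practice: a cert exported from vCenter
    try:
        print(build_vcinfo("10.0.0.30", "administrator@sierlab.local", "VMware1!", seen, trusted))
    except ValueError as exc:
        print("refusing to register:", exc)
```

With the stand-in PEM the two values differ, so the script refuses to build the payload; with a certificate file exported from the real vCenter they should match.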
While I’m at it, there was an additional step required to fully integrate NSX into the Web Client that I didn’t have to do before: adding an SSO domain user or group and setting a role in NSX. If you’ve installed vCenter 6.0, you know that logging in as root the first time gets you nowhere special. The administrator@<the sso domain you created on install> has all the power nowadays. When you register the NSX Manager with vCenter, it does not give the user used to register any kind of role within NSX. When you log in to vCenter after registering with the API you can see the Networking and Security icon, but are unable to see any NSX Managers. Thankfully this is easily rectified by using an additional NSX API call after SSO and vSphere registration:
    curl -k -u 'admin:VMware1!' \
      -H 'Accept:application/xml' \
      -H 'Content-Type:application/xml' \
      -X POST 'https://10.0.0.80/api/2.0/services/usermgmt/role/administrator@sierlab.local?isGroup=false' \
      -d '<accessControlEntry>
            <role>super_user</role>
          </accessControlEntry>'
Make sure you log out of the Web Client and back in to be able to see the NSX Manager inside of the Networking and Security -> NSX Managers menu.
FYI, the curl in this article will most likely need some modifying. I “adjusted” it so it would read better, but don’t know if it will run as is. If you need the original, drop me a line.
Hope this helps!
Links of thanks:
@voltmer (fyi, he hasn’t been active on twitter for some time)