PKS deployment pitfall: the NSX Manager API certificate

Deployment environment: (topology diagram not reproduced here)
By default the NSX Manager API presents a self-signed certificate whose subject and issuer contain only the host name. Ops Manager validates this certificate strictly: for a self-signed certificate it requires the subject and issuer to be the IP address or FQDN of NSX Manager. We therefore regenerate the self-signed certificate with the NSX Manager FQDN in the subject and issuer fields, and then register that certificate as the NSX API certificate on NSX Manager.
After the Ops Manager OVA has been imported and deployed, the PKS tile is installed; its first configuration step is vCenter and NSX-T.
The NSX-T configuration page asks for the NSX Manager API certificate.
(screenshot omitted: the field on the NSX-T configuration page where the API certificate is entered)

  1. Pick a Linux host that can reach Ops Manager (CentOS 7.6 is used here).
    Create a file nsx-cert.cnf, replacing NSX-MANAGER-COMMONNAME and NSX-MANAGER-IP-ADDRESS with the FQDN and IP address of NSX Manager, as follows.
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = SHA
localityName = SHA
organizationName = NSX
commonName = NSX-MANAGER-COMMONNAME
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = NSX-MANAGER-COMMONNAME
IP.1 = NSX-MANAGER-IP-ADDRESS
  2. Set the environment variables.
    In this lab the NSX Manager address is 192.168.1.41 and its FQDN is nsxmgr-01a.vmlab.local:
$ export NSX_MANAGER_IP_ADDRESS=192.168.1.41
$ export NSX_MANAGER_COMMONNAME=nsxmgr-01a.vmlab.local
  3. Use OpenSSL to generate nsx.crt and nsx.key, referencing the nsx-cert.cnf file created in step 1. The command uses process substitution (<( ... )), so run it in bash:
$ openssl req -newkey rsa:2048 -x509 -nodes \
-keyout nsx.key -new -out nsx.crt -subj /CN=$NSX_MANAGER_COMMONNAME \
-reqexts SAN -extensions SAN -config <(cat ./nsx-cert.cnf \
 <(printf "[SAN]\nsubjectAltName=DNS:$NSX_MANAGER_COMMONNAME,IP:$NSX_MANAGER_IP_ADDRESS")) -sha256 -days 365
  4. Verify the certificate, checking that the subject CN and the Subject Alternative Name carry the NSX Manager FQDN and IP address:
$ openssl x509 -in nsx.crt -text -noout
  5. Import the certificate into NSX Manager.
    a. Log in to the NSX Manager UI, go to System > Trust > Certificates and click Import > Import Certificate. (Note: use Import Certificate, not Import CA Certificate.)
    (screenshot omitted)
    b. Enter a name for the certificate, paste the certificate and private key generated in step 3 (the contents of nsx.crt and nsx.key), and click Import.
    (screenshot omitted)
    c. When the import completes, refresh the NSX Manager browser session, view the new certificate and record its ID, as shown below.
    (screenshot omitted)

  6. Register the certificate as the NSX Manager API certificate with the following command, where CERTIFICATE-ID is the ID recorded in step 5c. The --insecure flag is needed because at this point the manager still serves a self-signed certificate that the host does not trust:

export NSX_MANAGER_IP_ADDRESS=NSX-MANAGER-IP-ADDRESS
export CERTIFICATE_ID="CERTIFICATE-ID" 
curl --insecure -u admin:'ADMIN-PASSWORD' -X \
POST "https://$NSX_MANAGER_IP_ADDRESS/api/v1/node/services/http?action=apply_certificate&certificate_id=$CERTIFICATE_ID"
  7. Back on the Linux host, retrieve the API certificate with the following command and copy everything from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE----- (both markers included) into the Ops Manager field.
[yizhao@localhost nsxcrt]$ openssl s_client -host nsxmgr-01a.vmlab.local -port 443 -prexit -showcerts
CONNECTED(00000003)
depth=0 C = CN, ST = SHA, L = SHA, O = NSX, CN = nsxmgr-01a.vmlab.local
verify error:num=18:self signed certificate
verify return:1
depth=0 C = CN, ST = SHA, L = SHA, O = NSX, CN = nsxmgr-01a.vmlab.local
verify return:1
---
Certificate chain
 0 s:/C=CN/ST=SHA/L=SHA/O=NSX/CN=nsxmgr-01a.vmlab.local
   i:/C=CN/ST=SHA/L=SHA/O=NSX/CN=nsxmgr-01a.vmlab.local
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
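The generation-and-verification steps (1 to 4) and the retrieval step (7) combined into one runnable script. This is an added example, not code from the original post or from the Pivotal/VMware documentation. It assumes the lab FQDN nsxmgr-01a.vmlab.local and IP 192.168.1.41 from the post, writes into a temporary directory, and, because no NSX Manager is reachable offline, wraps the freshly generated certificate in a constructed openssl s_client-style transcript to show the PEM extraction. The check_cert function encodes the requirement stated at the top of the post (CN equals the FQDN, the SAN lists both the FQDN and the IP, issuer equals subject), and a host-name-only certificate in the style of the default NSX Manager one is generated to show that it fails that check. The SAN is written into the config as separate DNS.1 / IP.1 entries and applied with -extensions req_ext, which avoids the bash-only process substitution of step 3.

```shell
#!/bin/sh
# Added example (not from the original post): generate the NSX Manager API
# certificate, check the fields Ops Manager validates, and extract the PEM
# block from an openssl s_client transcript. Lab values assumed from the post:
NSX_FQDN="nsxmgr-01a.vmlab.local"
NSX_IP="192.168.1.41"
WORKDIR="${TMPDIR:-/tmp}/nsxcert.$$"

# Step 1 equivalent: request config with the SAN as DNS.1 / IP.1 entries.
write_cnf() {
  mkdir -p "$WORKDIR"
  cat > "$WORKDIR/nsx-cert.cnf" <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
prompt = no
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = SHA
localityName = SHA
organizationName = NSX
commonName = $NSX_FQDN
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = $NSX_FQDN
IP.1 = $NSX_IP
EOF
}

# Step 3 equivalent: self-signed cert and key, SAN applied via -extensions.
gen_cert() {
  write_cnf
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORKDIR/nsx-cert.cnf" -extensions req_ext \
    -keyout "$WORKDIR/nsx.key" -out "$WORKDIR/nsx.crt" 2>/dev/null
}

# Constructed host-name-only certificate in the style of the default NSX
# Manager one (CN is a bare name, no SAN) to show the failure mode.
gen_default_style_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$WORKDIR/nsx-cert.cnf" -subj "/CN=nsxmanager" \
    -keyout "$WORKDIR/default.key" -out "$WORKDIR/default.crt" 2>/dev/null
}

# Step 4 equivalent, made strict: prints "ok" only if issuer == subject
# (self-signed), CN == FQDN, and the SAN carries DNS:FQDN and IP Address:IP.
check_cert() {
  crt="$1"
  subject=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject= *//')
  issuer=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer= *//')
  san=$(openssl x509 -in "$crt" -noout -text | grep -A1 'Subject Alternative Name' || true)
  [ "$subject" = "$issuer" ] || { echo "fail: issuer differs from subject"; return 1; }
  case "$subject" in
    *"CN=$NSX_FQDN"*|*"CN = $NSX_FQDN"*) ;;
    *) echo "fail: CN is not $NSX_FQDN"; return 1 ;;
  esac
  echo "$san" | grep -q "DNS:$NSX_FQDN" || { echo "fail: SAN lacks DNS:$NSX_FQDN"; return 1; }
  echo "$san" | grep -q "IP Address:$NSX_IP" || { echo "fail: SAN lacks IP:$NSX_IP"; return 1; }
  echo ok
}

# Step 7 equivalent: keep only the PEM block(s) from s_client -showcerts output.
extract_pem() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Constructed stand-in for the live s_client transcript: the generated
# certificate framed the way the post's output frames it.
fake_s_client_transcript() {
  {
    echo "CONNECTED(00000003)"
    echo "---"
    echo "Certificate chain"
    echo " 0 s:/C=CN/ST=SHA/L=SHA/O=NSX/CN=$NSX_FQDN"
    echo "   i:/C=CN/ST=SHA/L=SHA/O=NSX/CN=$NSX_FQDN"
    cat "$WORKDIR/nsx.crt"
    echo "---"
  } > "$WORKDIR/s_client.txt"
}

# End to end: returns 0 when the PEM cut out of the transcript is exactly the
# certificate that was generated and that certificate passes check_cert.
run_demo() {
  gen_cert && gen_default_style_cert && fake_s_client_transcript || return 1
  extract_pem "$WORKDIR/s_client.txt" > "$WORKDIR/fetched.crt"
  [ "$(check_cert "$WORKDIR/nsx.crt")" = "ok" ] || return 1
  [ "$(fingerprint "$WORKDIR/fetched.crt")" = "$(fingerprint "$WORKDIR/nsx.crt")" ]
}

run_demo && echo "certificate generated and verified under $WORKDIR"
```

The fingerprint comparison at the end is the check worth keeping for the real procedure: after step 6, the certificate that openssl s_client fetches from NSX Manager should have the same SHA-256 fingerprint as the nsx.crt that was imported, which confirms the apply_certificate call took effect. The files are left under the temporary directory for inspection.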

Reference documents:

Pivotal official documentation: https://docs.pivotal.io/runtimes/pks/1-2/generate-nsx-ca-cert.html#generate-self-signed-certificate

VMware PKS-Ninja lab guide on GitHub: https://github.com/CNA-Tech/PKS-Ninja/tree/master/LabGuides/PksInstallPhase1-IN3138

Origin blog.csdn.net/weixin_43394724/article/details/96478757