For Role-Based Access Control (RBAC) in NSX-T we need to configure integration with VMware Identity Manager (vIDM).
There’s an excellent VMware blog post that explains in detail how to set up vIDM and how to configure the integration in NSX Manager.
The problem
When setting this up myself, I ran into a small problem that stopped me from completing the configuration.
When I tried to add the vIDM configuration in NSX Manager I received an error:

“Invalid VMware Identity Manager thumbprint specified.” That’s very strange, as that is the correct thumbprint. I checked it once more from the vIDM CLI:
openssl x509 -in vidm.rainpole.local_cert.pem -noout -sha256 -fingerprint

It definitely is the same thumbprint. What’s going on here?
Troubleshooting
Then it hit me that I had replaced the vIDM’s default self-signed SSL certificate with a CA-signed certificate, as per the vIDM documentation. Could it be that the “vidm.rainpole.local_cert.pem” file was not replaced during that process and is in fact still the default self-signed certificate? I had a closer look at that PEM file:
openssl x509 -in vidm.rainpole.local_cert.pem -text -noout

Ouch! This is indeed the default self-signed certificate. No wonder NSX Manager doesn’t like the thumbprint: it doesn’t correspond to the SSL certificate the vIDM appliance is actually serving.
The solution
To get the actual certificate fingerprint I ran the following command from my jump host:
openssl s_client -servername vidm.rainpole.local -connect vidm.rainpole.local:443 | openssl x509 -fingerprint -sha256 -noout

And there it was! I pasted the fingerprint into the NSX Manager’s vIDM configuration, hit Save and the thumbprint was accepted:

Lesson learned
Do not log in to the vIDM appliance CLI to get the SSL certificate thumbprint from a file on disk. Instead, let openssl connect to the vIDM web server and fetch the thumbprint of the SSL certificate it actually serves; then you know you’re good.
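The same check as a small script, added here as an example (not code from the original post): it computes the SHA-256 thumbprint of the certificate a TLS endpoint actually presents, formatted exactly like openssl's output, and compares it with the thumbprint of a PEM file on disk, so a stale certificate file like the one above is flagged before the value is pasted into NSX Manager. The hostname and file name in the usage block are the ones from the post; whatever address NSX Manager connects to (the appliance itself, or a load balancer VIP in front of it) is the one to pass as `host`.

```python
"""Compare the SHA-256 thumbprint of the certificate a TLS endpoint actually serves
with the thumbprint of a PEM file on disk, to catch the stale-file mistake above."""
import base64
import hashlib
import re
import socket
import ssl
from typing import Optional

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 over the DER bytes, formatted like openssl's AB:CD:... output."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem_text: str) -> str:
    """Thumbprint of the first certificate in a PEM string (what the file on disk holds)."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return fingerprint_from_der(base64.b64decode("".join(match.group(1).split())))


def fingerprint_from_server(host: str, port: int = 443, sni: Optional[str] = None) -> str:
    """Thumbprint of the leaf certificate presented for the SNI name (defaults to host).
    Verification is off on purpose: we want whatever is served, trusted or not, because
    that is the certificate NSX Manager will pin. Behind a load balancer, point host at
    the address NSX connects to; the certificate served there is the one that counts."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return fingerprint_from_der(tls.getpeercert(binary_form=True))


def normalize(fp: str) -> str:
    """Canonical hex so 'ab:cd', 'AB:CD' and 'abcd' compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def thumbprints_match(a: str, b: str) -> bool:
    return normalize(a) == normalize(b)


if __name__ == "__main__":
    # Constructed usage with the hostname and file name from the post.
    served = fingerprint_from_server("vidm.rainpole.local")
    with open("vidm.rainpole.local_cert.pem") as f:
        on_disk = fingerprint_from_pem(f.read())
    print("match" if thumbprints_match(served, on_disk) else f"MISMATCH served={served} file={on_disk}")
```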
Thanks for the blog post! Unfortunately that syntax (openssl s_client -servername vidm.rainpole.local -connect vidm.rainpole.local:443 | openssl x509 -fingerprint -sha256 -noout) didn’t work for me – this however did:
openssl s_client -connect vidm.blah.com:443 | openssl x509 -fingerprint -sha256 -noout
Cheers
Glynn
What if our vIDM is behind the balancer? How should it be done in that case, because NSX must connect to the balancer address?