For Role-Based Access Control (RBAC) in NSX-T we need to configure integration with VMware Identity Manager (vIDM).
There’s an excellent VMware blog post that explains in detail how to set up vIDM and how to configure the integration in NSX Manager.
When setting this up myself I ran into a small problem that stopped me from completing the configuration.
When I tried to add the vIDM configuration in NSX Manager I received an error:
“Invalid VMware Identity Manager thumbprint specified.” That’s very strange, as that is the correct thumbprint. I checked it once more from the vIDM CLI:
openssl x509 -in vidm.rainpole.local_cert.pem -noout -sha256 -fingerprint
It definitely is the same thumbprint. What’s going on here?
Then it hit me that I had replaced the vIDM’s default self-signed SSL certificate with a CA-signed certificate, as per the vIDM documentation. Could it be that the “vidm.rainpole.local_cert.pem” file was not replaced during that process and in fact still contains the default self-signed certificate? I had a closer look at that PEM file:
openssl x509 -in vidm.rainpole.local_cert.pem -text -noout
Ouch! This is indeed the default self-signed certificate. No wonder NSX Manager doesn’t like the thumbprint. It doesn’t correspond to the active vIDM appliance SSL certificate.
To get the actual certificate fingerprint I ran the following command from my jump host:
openssl s_client -servername vidm.rainpole.local -connect vidm.rainpole.local:443 </dev/null | openssl x509 -fingerprint -sha256 -noout
And there it was! I pasted the fingerprint into the NSX Manager’s vIDM configuration, hit Save, and the thumbprint was accepted.
Do not log in to the vIDM appliance CLI to get the SSL certificate thumbprint from a file on disk. Instead, let openssl connect to the vIDM web server and fetch the thumbprint of the certificate it actually serves; that is the certificate NSX Manager will see, so you know you’re good.
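The check the post does by hand, as an added example (this is my own helper, not code from the blog post, NSX-T or vIDM): hash the certificate in a PEM file on disk and the certificate the TLS listener actually presents, and report whether they agree. The sample PEM is constructed placeholder bytes, not a real certificate, so the parsing and formatting can be exercised offline; `served_cert_der` needs network access to the host.

```python
import base64
import hashlib
import re
import socket
import ssl
from typing import Optional, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample (not a real certificate): enough to exercise PEM parsing and hashing offline.
SAMPLE_DER = b"\x30\x82\x02\x10" + b"constructed placeholder bytes, not a real X.509 certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")

def sha256_thumbprint(der: bytes) -> str:
    """SHA-256 over the DER certificate, formatted 'AA:BB:...' like openssl x509 -fingerprint."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pem_to_der(pem_text: str) -> bytes:
    """Decode the first CERTIFICATE block of a PEM file (e.g. vidm.rainpole.local_cert.pem) to DER."""
    match = PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(match.group(1).split()))

def served_cert_der(host: str, port: int = 443, sni: Optional[str] = None, timeout: float = 5.0) -> bytes:
    """Leaf certificate presented by whatever TLS listener answers at host:port (SNI = sni or host)."""
    # Verification is disabled on purpose: we are identifying the certificate, not trusting it.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert(binary_form=True)

def thumbprints_match(a: str, b: str) -> bool:
    """Compare two fingerprints ignoring case and separators."""
    norm = lambda s: re.sub(r"[^0-9a-f]", "", s.lower())
    return norm(a) == norm(b)

def check_pem_against_server(pem_text: str, host: str, port: int = 443) -> Tuple[bool, str, str]:
    """(match, file_thumbprint, served_thumbprint); False is exactly the symptom described in the post."""
    file_tp = sha256_thumbprint(pem_to_der(pem_text))
    live_tp = sha256_thumbprint(served_cert_der(host, port))
    return thumbprints_match(file_tp, live_tp), file_tp, live_tp
```

Call `check_pem_against_server(open("vidm.rainpole.local_cert.pem").read(), "vidm.rainpole.local")` on the jump host; the served thumbprint is the one to paste into NSX Manager.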
Thanks for the blog post! Unfortunately the
That syntax (openssl s_client -servername vidm.rainpole.local -connect vidm.rainpole.local:443 | openssl x509 -fingerprint -sha256 -noout) didn’t work for me – this, however, did:
openssl s_client -connect vidm.blah.com:443 | openssl x509 -fingerprint -sha256 -noout
What if our vIDM is behind a load balancer? How should this be handled in that case, given that NSX must connect to the balancer address?