Skip to main content
Sign Out

Welcome to Dell

My Account
  • Place orders quickly and easily
  • View orders and track your shipping status
  • Enjoy members-only rewards and discounts
  • Create and access a list of your products
Sign In Create an Account Dell Financial Services Premier Sign In Partner Program Sign In
Contact Us

Your Dell.com Carts

Some article numbers may have changed. If this isn't what you're looking for, try searching all articles. Search articles

VCF on VxRail: Replace NSX-T Local-Manager Certificate in VCF Environment

Summary: This article is a guide to replacing the NSX-T Local-Manager self-signed certificate in VCF managed federation environments. Ensure that your system remains secure and compliant.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Instructions

Note: Only follow this article for VCF managed NSX-T federation environments!


Background:

There are different types of NSX-T certificates as described below:
 
Certificate Name Purpose Replaceable Default Validity
Tomcat This is an API certificate used for external communication with individual NSX Manager nodes through UI or API. Yes 825 days
mp-cluster This is an API certificate used for external communication with the NSX Manager cluster using the cluster VIP, through UI or API. Yes 825 days
LocalManager This is a platform Principal Identity certificate for the Federation. If you are not using Federation, this certificate is not used. Yes 825 days


For VCF solutions:

The Tomcat and mp-cluster are replaced with CA certificates signed by VMCA from vCenter. The mp-cluster and Tomcat certificates may still be there but they are not being used.


NSX-T Manager with VCF:

  • Tomcat - Node1 > not being used
  • mp-cluster - VIP > not being used
Replaced during installation with the below:
  • CA - Node1
  • CA - VIP
If you want to check if the certificate is being used, run the following API on the Postman platform: 
GET https://<nsx-mgr>/api/v1/trust-management/certificates/<certificate-id>

Local-manager certificate is the Principal Identity certificate used to communicate with other sites in the Federation.

An NSX-T Federation environment contains an active and a standby Global Manager cluster and one or more Local Manager clusters.
 
Shows three locations with active and standby Global Manager clusters in Locations 1 and 2 with Local Manager clusters in all three locations.
Figure 1: Shows three locations with active and standby Global Manager clusters in Locations 1 and 2 with Local Manager clusters in all three locations.


How to ascertain the number of Local Manager Clusters:

To check the environment and find out how many Local Manager Clusters there are, follow the below steps and screenshot:

From System > Configuration > Location Manager:
  • At the top of the Local Manager, it shows you which cluster you are logged in on. In this example, we are logged in to a Local Manager Cluster.
  • In the middle of the page, it shows the Global Manager Clusters, and which cluster is Active, and which is Standby.
  • Other Local Manager Clusters are seen at the bottom under Remote Sites.
Local Manager Cluster Environment
Figure 2: Local Manager Cluster Environment


Procedure to replace local-manager self-signed certificates:

  1. Log in to NSX Manager in the Local Manager Cluster.
  2. Collect an NSX-T backup before proceeding. This step is important!
    1. System > Lifecycle Management > Backup and Restore > Start Backup
Collect NSX-T Backup
Figure 3: Collect NSX-T Backup.
  1. Check the certificates and expiry date.
    1. Click System > Settings > Certificates
The example below shows in red the expiring date of local-manager certificates:
Expiring Date of Local-Manager Certificates
Figure 4: Expiring Date of Local-Manager Certificates

There is one certificate per Local Manager cluster regardless of the number of NSX Managers there are within the cluster.
  1. Log in to any NSX Manager on Local Manager cluster 1.
  2. Generate a new CSR.
    1. Click System > Settings > Certificates > CSRs > Generate CSR
Generate New CSR
Figure 5: Generate a New CSR.
  1. Enter the Common Name as local-manager.
  2. Enter the Name as LocalManager.
  3. The rest is user business and location details (This can be copied from an old expiring certificate.)
  4. Click Save.
Enter CSR Names and Locality Information
Figure 6: Enter CSR Names and Locality Information.
  1. Create a Self-Signed Certificate using the Generated CSR.
    1. Click the New CSR check box > Generate CSR > Self-Sign Certificate for CSR.
Create Self-Signed Certificate
Figure 7: Create a Self-Signed Certificate.
  1. Ensure that the Service Certificate is set to No and click Save.
  2. Return to the Certificates tab, locate the New Certificate and Copy Certificate ID.
Copy New Certificate ID
Figure 8: Copy New Certificate ID
  1. Replace the Principal Identity certificate for the Local Manager.
    1. User to install the Postman platform.
    2. In the Authorization tab, select Type > Basic Auth.
    3. Enter NSX-T Manager login details.
Enter NSX-T Manager Login Details
Figure 9: Enter NSX-T Manager Login Details.
  1. In the Headers tab, change "application/xml" to "application/json."
In Postman Change "application/xml" to "application/json"
Figure 10: In Postman, change "application/xml" to "application/json"
  1. In the Body tab, select the POST API command.
    1. Select Raw and then select JSON.
    2. In the box beside POST, enter URL https://<nsx-mgr-IP-local-manager-clusterX>/api/v1/trust-management/certificates?action=set_pi_certificate_for_federation
    3. In the above, the URL is the IP used for any NSX manager within a specific Local Manager Cluster.
    4. In the body section, enter the below in two lines as seen in the screenshot:
{ "cert_id": "<certificate id, copied from step 3>",
"service_type": "LOCAL_MANAGER" }
Enter URL for Any NSX Manager Within a Specific Local Manager Cluster
Figure 11: Enter URL for Any NSX Manager Within a Specific Local Manager Cluster.
  1. Click Send and ensure that you see the result 200 OK.
  1. Repeat Steps 1 through 4 on each Local Manager Cluster 2 and 3.
Once these steps are complete, you have created one new certificate on each Local Manager Cluster and replaced the Principal Identity Certificate on each Local Manager Cluster.

It is now time to delete the old expiring certificates from each of the three Local Manager Clusters.
  1. Check that the certificate is no longer in use.
    1. Copy Certificate ID
    2. Open Postman
    3. Select GET API instead of POST.
    4. Enter URL https://<nsx-mgr-IP-local-manager-clusterX>/api/v1/trust-management/certificates/<certificate-id>
    5. Look for "used_by" and confirm it has empty brackets.
    "used_by" : [ ],
    "resource_type" : "certificate_self_signed",
    "id" : "9cd133ca-32fc-48a2-898b-7acd928512a5",
    "display_name" : "local-manager",
    "description" : "",
    "tags" : [ ],
    "_create_user" : "admin",
    "_create_time" : 1677468138846,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1677468138846,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0
  }
  1. Go to System > Settings > Certificates and select the required certificate.
Select the Required Certificate
Figure 12: Select the Required Certificate.
  1. Click Delete > Delete.
Delete Certificate
Figure 13: Delete Certificate.
  1. Confirm that Principal Identity is working and using the new certificates:
    1. Open Postman
    2. Select GET.
    3. Run URL https://<nsx-mgr-IP-local-manager-clusterX>/api/v1/trust-management/principal-identitie.
    4. Output should be similar to the below, "certificate_id" should show the newly created certificate ID.
Certificate ID Shows the New Certificate ID
Figure 14: Certificate ID Shows the New Certificate ID.

Additional Information

Replacing Global-manager certificates:

To replace the Global Manager Certificate, follow the same process but change "LOCAL_MANAGER" to "GLOBAL_MANAGER" and perform the procedure from the Global Manager Cluster.


Other related articles:

See these related Broadcom VMware articles for more information:

Affected Products

VMWare Cloud on Dell EMC VxRail E560F, VMWare Cloud on Dell EMC VxRail E560N, VxRail Appliance Family, VxRail Appliance Series, VxRail D Series Nodes, VxRail D560, VxRail D560F, VxRail E Series Nodes, VxRail E460, VxRail E560

Products

VxRail G410, VxRail G Series Nodes, VxRail E560 VCF, VxRail E560F, VxRail E560F VCF, VxRail E560N, VxRail E560N VCF, VxRail E660, VxRail E660F, VxRail E660N, VxRail E665, VxRail E665F, VxRail E665N, VxRail G560, VxRail G560 VCF, VxRail G560F , VxRail G560F VCF, VxRail Gen2 Hardware, VxRail P Series Nodes, VxRail P470, VxRail P570, VxRail P570 VCF, VxRail P570F, VxRail P570F VCF, VxRail P580N, VxRail P580N VCF, VXRAIL P670F, VxRail P670N, VxRail P675F, VxRail P675N, VxRail S Series Nodes, VxRail S470, VxRail S570, VxRail S570 VCF, VxRail S670, VxRail Software, VxRail V Series Nodes, VxRail V470, VxRail V570, VxRail V570 VCF, VxRail V570F, VxRail V570F VCF, VXRAIL V670F, VxRail VD-4000R, VxRail VD-4000W, VxRail VD-4000Z, VxRail VD-4510C, VxRail VD-4520C, VxRail VD Series Nodes ...
Article Properties
Article Number: 000210329
Article Type: How To
Last Modified: 15 Aug 2024
Version:  3
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.