Manual steps to register a shared NSX Manager instance to Workspace ONE Access after deleting the isolated VI workload domain that created the shared NSX Manager

Article ID: 313203


Products

VMware Cloud Foundation

Issue/Introduction

In an environment where multiple isolated VI workload domains share a single NSX Manager instance, the NSX Manager is registered as a relying party to the Workspace ONE Access (vCenter identity broker) of the workload domain that created it. If you delete that workload domain, the registration is lost and the NSX Manager instance must be re-registered manually against the vCenter Server of one of the remaining isolated VI workload domains that still use it.

Symptoms:

When two isolated VI workload domains share an NSX Manager instance and you delete the VI workload domain that created the NSX Manager instance, the SDDC Manager UI displays the following message:

"Please follow manual guidance instructions to re-register existing NSX as relying party to an isolated WLD that is already connected to an NSX."


Environment

VMware Cloud Foundation 5.2

Cause

The warning message is displayed because the Workspace ONE Access relying-party registration of the shared NSX Manager belonged to the deleted VI workload domain. SDDC Manager does not move that registration to another isolated workload domain automatically; it has to be recreated manually as described below.

Resolution

Pre-requisites:

The following information will be required for the shared NSX Manager:

  • NSX Manager cluster FQDN

  • NSX Manager admin login credentials

The following information for the vCenter Server of one of the remaining VI workload domains that shared the NSX Manager instance will be required:

  • vCenter Server FQDN

  • vCenter Server root certificate in PEM encoded format

NOTE: The following procedure uses "WLD2" as an example.

Instructions:

  1. Generate the API token needed to register NSX Manager as a relying party to WLD2:

  • Generate a session ID, using the administrator SSO account credentials for the vCenter Server. The session ID is returned in the "value" field of the JSON response:

curl -k --request POST --url https://<WLD2_VC_FQDN>/rest/com/vmware/cis/session -u '<sso admin username for vCenter>:<password for sso admin username>'
  • Generate a token using the session ID generated in the previous step:

curl -k --location --request GET 'https://<WLD2_VC_FQDN>/api/vcenter/identity/broker/tenants/CUSTOMER/admin-client' --header 'vmware-api-session-id: <session id>'
  2. Fill out the following template and save it to a JSON file. The vCenter Server root certificate must be supplied as a single JSON string: keep the BEGIN/END CERTIFICATE lines and escape each line break in the PEM file as \n, because JSON strings cannot contain literal newlines:

{
  "certificate_chain": "<vCenter Server root certificate>",
  "api_token": "<API Token from step 1>",
  "nsx_fqdn": "<NSX Manager cluster FQDN>",
  "oidc_uri": "https://<WLD2_VC_FQDN>/acs/t/customer/.well-known/openid-configuration"
}
  3. Run the following curl command for NSX Manager registration as the root user from the SDDC Manager virtual machine:

curl -k -i -X POST https://<NSX Manager cluster FQDN>/api/v1/trust-management/oidc-uris/action/configure-ws1b-oidc-endpoint -u '<NSX Manager admin username>:<NSX Manager admin password>' -H "Content-Type: application/json" -d @<json file name from step 2>

NOTE: The -k option disables TLS certificate verification for the curl connection; use it only on the SDDC Manager management network, or replace it with --cacert <CA bundle> if the NSX Manager certificate chain is available. Passing the password inline with -u stores it in the shell history; specifying only the username (-u '<NSX Manager admin username>') makes curl prompt for the password instead.
  4. To verify the shared NSX Manager is now registered to the new domain, run the following command:

curl -k -X GET "https://<NSX Manager cluster FQDN>/api/v1/trust-management/oidc-uris" -u '<NSX Manager admin username>:<NSX Manager admin password>' -H 'content-type: application/json'
  • Verify that there is exactly one entry named vcenter-idp-federation, and that its oidc_uri contains the FQDN of the vCenter Server of the remaining workload domain (WLD2 in this example).

  • Sample output from command:

{
  "results" : [ {
    "name" : "vcenter-idp-federation",
    "oidc_uri" : "https://<WLD2_VC_FQDN>/...",
    ...
  } ]
}
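The four steps above, wrapped in a small script so that the JSON body is built programmatically (PEM line breaks escaped correctly) and the verification check from step 4 is performed in code rather than by eye. This is an added example, not code from the KB article or from VMware; it uses only the Python standard library. The hostnames and credentials are placeholders, the NSX response below is constructed to match the shape of the KB's sample output, and the field name that carries the token in the admin-client response is not shown in the article, so the script leaves that extraction to the caller. With ca_bundle=None it reproduces curl's -k behaviour (no TLS verification), which is acceptable only on the isolated management network.

```python
"""Re-register a shared NSX Manager to a surviving VI workload domain's
vCenter identity broker (Workspace ONE Access) and verify the result.
Added example; names, hosts and the sample response are assumptions."""
import base64
import json
import ssl
import urllib.request

# Paths taken from the procedure; the tenant is always CUSTOMER in the KB.
OIDC_PATH = "/acs/t/customer/.well-known/openid-configuration"
VC_SESSION = "/rest/com/vmware/cis/session"
VC_ADMIN_CLIENT = "/api/vcenter/identity/broker/tenants/CUSTOMER/admin-client"
NSX_CONFIGURE = "/api/v1/trust-management/oidc-uris/action/configure-ws1b-oidc-endpoint"
NSX_OIDC_URIS = "/api/v1/trust-management/oidc-uris"


def build_payload(cert_pem, api_token, nsx_fqdn, vc_fqdn):
    """Step 2: body for configure-ws1b-oidc-endpoint. json.dumps() escapes the
    PEM line breaks as \\n, the part that is easy to get wrong by hand."""
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        raise ValueError("certificate_chain must be a PEM-encoded certificate")
    return {
        "certificate_chain": cert_pem,
        "api_token": api_token,
        "nsx_fqdn": nsx_fqdn,
        "oidc_uri": "https://%s%s" % (vc_fqdn, OIDC_PATH),
    }


def oidc_registered(oidc_uris_response, vc_fqdn):
    """Step 4 check: exactly one vcenter-idp-federation entry, and its
    oidc_uri points at the surviving workload domain's vCenter."""
    hits = [r for r in oidc_uris_response.get("results", [])
            if r.get("name") == "vcenter-idp-federation"]
    return len(hits) == 1 and vc_fqdn in hits[0].get("oidc_uri", "")


def tls_context(ca_bundle=None):
    """Verify against ca_bundle when given; otherwise behave like curl -k."""
    if ca_bundle:
        return ssl.create_default_context(cafile=ca_bundle)
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def call(url, ctx, method="GET", user=None, password=None, headers=None, body=None):
    """Minimal equivalent of the curl lines: basic auth, JSON in, JSON out."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    if user is not None:
        cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    for k, v in (headers or {}).items():
        req.add_header(k, v)
    with urllib.request.urlopen(req, context=ctx) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}


def vc_admin_client(vc_fqdn, sso_user, sso_password, ctx):
    """Step 1: session id (returned in 'value'), then the admin-client body.
    The token field name is not shown in the KB; the caller extracts it."""
    session = call("https://%s%s" % (vc_fqdn, VC_SESSION), ctx, "POST",
                   sso_user, sso_password)["value"]
    return call("https://%s%s" % (vc_fqdn, VC_ADMIN_CLIENT), ctx,
                headers={"vmware-api-session-id": session})


def register_shared_nsx(nsx_fqdn, nsx_user, nsx_password, payload, ctx):
    """Steps 3 and 4: POST the registration, then re-read the OIDC URIs."""
    call("https://%s%s" % (nsx_fqdn, NSX_CONFIGURE), ctx, "POST",
         nsx_user, nsx_password, body=payload)
    result = call("https://%s%s" % (nsx_fqdn, NSX_OIDC_URIS), ctx,
                  user=nsx_user, password=nsx_password)
    return oidc_registered(result, payload["oidc_uri"].split("/")[2])


# Constructed sample of GET /api/v1/trust-management/oidc-uris, shaped like
# the KB's sample output (not captured from a real NSX Manager).
SAMPLE_OIDC_URIS = {
    "results": [{
        "name": "vcenter-idp-federation",
        "oidc_uri": "https://vc-wld2.example.com" + OIDC_PATH,
    }]
}

if __name__ == "__main__":
    # Offline demonstration of the payload and the verification check.
    pem = "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
    body = build_payload(pem, "<token>", "nsx-shared.example.com", "vc-wld2.example.com")
    print(json.dumps(body, indent=2))
    print("registered:", oidc_registered(SAMPLE_OIDC_URIS, "vc-wld2.example.com"))
```

On a live system the flow is: ctx = tls_context("/path/to/ca.pem"); body = vc_admin_client(...); payload = build_payload(cert_pem, <token from body>, nsx_fqdn, vc_fqdn); register_shared_nsx(nsx_fqdn, "admin", password, payload, ctx) returns True only when the step 4 check passes.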