Erratic behavior when making calls using a principal identity in NSX-T

Article ID: 321157


Products

VMware NSX

Issue/Introduction

Symptoms:
Erratic behavior when making calls using a Principal Identity in NSX-T.

Environment

VMware NSX-T Data Center 2.x
VMware NSX-T Data Center

Cause

Principal Identities are uniquely identified by name and node_id. However, Principal Identities with the same name are treated as one and the same identity, so Principal Identities with the same name (but different node_id) should not have different role, permission_group or protected values. As of VMware NSX-T Data Center 2.0.0, it is no longer possible to create this situation. However, if the erroneous state was created prior to this version, unpredictable behavior might ensue when migrating. (The state was already erroneous before migration; the customer may simply not have noticed it until migrating.)

Resolution

If erroneous behavior is detected, get a list of the Principal Identities. If any of them have the same name but different values for role, permission_group, or protected, take the following action:
  1. Determine which of the identities with a given name has the right values for those fields.
  2. Delete all the Principal Identities with that name (across all node_id values).
  3. Re-create the Principal Identities that were just deleted, using the same certificate_id each one originally had for its node_id. This time, make sure they all have the same role (or permission_group) and protected fields as the correct one.
Note:
These steps can be performed before or after migration. Before migration the role field does not exist and only the permission_group and protected fields need to be taken care of. After migration, only the role field and the protected field need to be taken care of.
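The check and the re-create step above can be scripted against a saved copy of the Principal Identity list. This is an added example, not part of the VMware article: the `results` wrapper, the key spellings (taken from the article's field names), the sample values and the function names are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample, not real output. Key names follow the article's field
# names; the "results" wrapper and exact key spelling are assumptions.
SAMPLE = json.loads("""
{"results": [
  {"name": "svc-a", "node_id": "node-1", "certificate_id": "cert-1",
   "role": "enterprise_admin", "protected": true},
  {"name": "svc-a", "node_id": "node-2", "certificate_id": "cert-2",
   "role": "auditor", "protected": true},
  {"name": "svc-b", "node_id": "node-1", "certificate_id": "cert-3",
   "role": "auditor", "protected": false},
  {"name": "svc-b", "node_id": "node-3", "certificate_id": "cert-4",
   "role": "auditor", "protected": false}
]}
""")

def compared_fields(migrated):
    # Per the article's note: permission_group before migration, role after.
    return ("role", "protected") if migrated else ("permission_group", "protected")

def find_conflicts(identities, migrated=True):
    """Return {name: [identities]} for names whose entries disagree."""
    fields = compared_fields(migrated)
    by_name = defaultdict(list)
    for pi in identities:
        by_name[pi["name"]].append(pi)
    return {
        name: group
        for name, group in by_name.items()
        if len({tuple(pi.get(f) for f in fields) for pi in group}) > 1
    }

def recreate_plan(group, correct_node_id, migrated=True):
    """Step 3: rebuild every entry with the correct entry's field values,
    keeping each node_id's original certificate_id."""
    fields = compared_fields(migrated)
    correct = next(pi for pi in group if pi["node_id"] == correct_node_id)
    return [
        {"name": pi["name"], "node_id": pi["node_id"],
         "certificate_id": pi["certificate_id"],
         **{f: correct.get(f) for f in fields}}
        for pi in group
    ]

if __name__ == "__main__":
    for name, group in find_conflicts(SAMPLE["results"]).items():
        print(name, json.dumps(recreate_plan(group, "node-1"), indent=2))
```

Choosing `correct_node_id` is step 1 and remains a manual decision; the script only reports the conflicting names and the records to re-create once that choice is made.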