1. Ensure the vCenter is added to NSX-T manager as a Compute Manager and that it is Up and Registered:
- Log into NSX Manager GUI, click on System -> Fabric -> Compute Managers
- If the vCenter on which WCP is being enabled isn't added, add it.
- If the vCenter on which WCP is being enabled is added but shows either Registration Status or Connection Status as Not Registered or Down, correct the problem.
- It is also possible that the connection shows Up and Registered, but the certificate has changed or there is a stale entry. We can try to manually update the credentials with the following steps:
- Click the Checkbox next to the Compute Manager
- Select EDIT
- To the right of "FQDN or IP Address", select EDIT
- Re-enter the vCenter "[email protected]" username and password, then SAVE.
2. Ensure the "NSX Administrator" role is present on vCenter. If it is not, recreate it:
- From vSphere Web Client, select Menu -> Administration
- Under Access Control, select Roles
- Search for NSX Administrator. If the role is not present, recreate it:
- Connect to vCenter via SSH
- Create a /usr/lib/vmware-wcp/py-modules/roles.py file and import config using the following command (ensure you copy the entire text from cat to the last EOF line):
# cat <<EOF >>/usr/lib/vmware-wcp/py-modules/roles.py
import featureState
from roles_groups_users_utils import Authz
if __name__ == "__main__":
    authz_patch = Authz()
    authz_patch.ensure_roles_exist('/usr/lib/vmware-wcp/roles.xml')
EOF
- Set the Python path with the following command:
# export PYTHONPATH="${PYTHONPATH}:/usr/lib/vmware/site-packages"
- Run the python script to recreate roles using the following command:
# python /usr/lib/vmware-wcp/py-modules/roles.py
Example Output:
# python /usr/lib/vmware-wcp/py-modules/roles.py
2023-01-10T18:09:54.288Z Role id 1004, name WorkloadStorageManagement - already exists
2023-01-10T18:09:54.293Z Role id 1005, name vSphereKubernetesManager - already exists
2023-01-10T18:09:54.296Z Role id 1007, name SupervisorServiceCluster - already exists
2023-01-10T18:09:54.299Z Role id 1008, name SupervisorServiceRootFolder - already exists
2023-01-10T18:09:54.302Z Role id 1009, name SupervisorServiceGlobal - already exists
2023-01-10T18:09:54.306Z Role id 1021, name VMOperatorController - already exists
2023-01-10T18:09:54.308Z Role id 1022, name VMOperatorControllerGlobal - already exists
2023-01-10T18:09:54.311Z Role id 0, name VMServicesAdministrator - already exists
2023-01-10T18:09:54.314Z Role id 0, name NsxAuditor - already exists
2023-01-10T18:09:54.316Z Role id 0, name NsxViAdministrator - already exists
2023-01-10T18:09:54.325Z Role id 0, name NsxAdministrator - added
3. Identify if the NsxAdministrators group exists and which users are added to it:
# /usr/lib/vmware-vmafd/bin/dir-cli group list --name NsxAdministrators
Enter password for [email protected]:
CN=wcp-bd2c292a-####-####-####-##########ff,CN=ServicePrincipals,DC=vsphere,DC=local
4. Create group if needed.
# /usr/lib/vmware-vmafd/bin/dir-cli ssogroup create --name NsxAdministrators
5. Add user to group if needed:
- First, gather the "wcp-<vCenterID>" username we will add to the "NsxAdministrators" group:
# /usr/lib/vmware-vmafd/bin/dir-cli service list
Example Output:
# /usr/lib/vmware-vmafd/bin/dir-cli service list
Enter password for [email protected]:
1. machine-bd2c292a-####-####-####-##########ff
2. vsphere-webclient-bd2c292a-####-####-####-##########ff
3. vpxd-bd2c292a-####-####-####-##########ff
4. vpxd-extension-bd2c292a-####-####-####-##########ff
5. hvc-bd2c292a-####-####-####-##########ff
6. wcp-bd2c292a-####-####-####-##########ff
- Next, add the "wcp-<vCenterID>" user to the NsxAdministrators group using the following command:
# /usr/lib/vmware-vmafd/bin/dir-cli group modify --name NsxAdministrators --add <solution_user_name>
Example Command:
# /usr/lib/vmware-vmafd/bin/dir-cli group modify --name NsxAdministrators --add wcp-bd2c292a-####-####-####-##########ff
Example Output:
# /usr/lib/vmware-vmafd/bin/dir-cli group modify --name NsxAdministrators --add wcp-bd2c292a-####-####-####-##########ff
Enter password for [email protected]:
Account [wcp-bd2c292a-####-####-####-##########ff] added to group [NsxAdministrators]
Group member [wcp-bd2c292a-####-####-####-##########ff] added successfully
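The membership check from steps 3 to 5 can be scripted so the group is only modified when it needs to be. The following is an added example, not part of the original article: it parses saved output of "dir-cli service list" and "dir-cli group list", and the function names, sample output and IDs in it are constructed placeholders.

```sh
#!/bin/sh
# Added example. Sample outputs below are constructed; IDs are placeholders.
SAMPLE_SERVICE_LIST='Enter password for <sso-admin>:
1. machine-00000000-aaaa-bbbb-cccc-0000000000ff
2. vpxd-00000000-aaaa-bbbb-cccc-0000000000ff
3. wcp-00000000-aaaa-bbbb-cccc-0000000000ff'
SAMPLE_GROUP_LIST='Enter password for <sso-admin>:
CN=wcp-00000000-aaaa-bbbb-cccc-0000000000ff,CN=ServicePrincipals,DC=vsphere,DC=local'

# Read "dir-cli service list" output on stdin; print only wcp-<vCenterID> names.
wcp_users() {
    sed -n 's/^[[:space:]]*[0-9][0-9]*\.[[:space:]]*\(wcp-[^[:space:]]*\)[[:space:]]*$/\1/p'
}

# Read "dir-cli group list" output on stdin; print the leading CN of each DN.
group_member_names() {
    sed -n 's/^[[:space:]]*[Cc][Nn]=\([^,]*\),.*$/\1/p'
}

# Exit 0 only if $1 is an exact member name (no prefix or substring matches).
is_member() {
    group_member_names | grep -Fxq -- "$1"
}

# $1 = service list output, $2 = group list output. Prints the action to take.
plan_membership() {
    users=$(printf '%s\n' "$1" | wcp_users)
    count=$(printf '%s\n' "$users" | grep -c '^wcp-' || true)
    if [ "$count" -ne 1 ]; then
        # Zero or several wcp-* entries: do not guess which one to grant.
        echo "review: expected exactly one wcp solution user, found $count"
        return 1
    fi
    if printf '%s\n' "$2" | is_member "$users"; then
        echo "ok: $users already in NsxAdministrators"
    else
        echo "add: $users"
    fi
}

plan_membership "$SAMPLE_SERVICE_LIST" "$SAMPLE_GROUP_LIST"
```

An "add:" result corresponds to running the "group modify --name NsxAdministrators --add" command shown above; a "review:" result means the service list should be inspected by hand before any group change.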
6. Ensure the "NsxAdministrators" group is added to the "NSX Administrator" Role in vSphere Web Client:
- From vSphere Web Client, select Menu -> Administration
- Under Access Control, select Global Permissions
- Search for VSPHERE.LOCAL\NsxAdministrators and ensure that it has the NSX Administrator role assigned. If the entry is not present, add it:
- Select ADD
- In "Domain" field, select vsphere.local (or the local vmdir domain)
- In the "User/Group" field, select "NsxAdministrators" - ENSURE THERE ARE NO SPACES BEFORE OR AFTER THE NAME
- In the "Role" field, select "NSX Administrator"
- Check the "Propagate to children" option, then click OK.
7. Ensure the wcp-<vCenterID> user is not added to any groups it shouldn't be added to: