NSX-T fails to communicate with vIDM via Load balancer with Error requesting Access Token / handshake_failure
Article ID: 323198

Products

VMware NSX

Issue/Introduction

  • Cannot look up Active Directory groups on NSX via vIDM.
  • Adding a user role via vIDM times out.
  • VMware NSX 4.1.x is installed.
  • Messages similar to the following appear on the NSX Manager in /var/log/proton/nsxapi.log (the vIDM host name and request ID below are placeholders):

    INFO http-nio-127.0.0.1-7440-exec-182 VidmServiceImpl 82634 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" reqId="########-####-####-####-############" subcomp="manager" username="admin"] Error connecting to vidm
    org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException: Error requesting access token.
    Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://vidm-server.local/SAAS/auth/oauthtoken": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    .
    INFO http-nio-127.0.0.1-7440-exec-182 NsxBaseRestController 82634 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Error in API /nsxapi/api/v1/aaa/vidm/search?search_string=Windows_Group caused by exception com.vmware.nsx.management.common.exceptions.InvalidArgumentException: {"moduleName":"AAA","errorCode":71008,"errorMessage":"Error connecting to VMware Identity Manager."}
    .
    INFO http-nio-127.0.0.1-7440-exec-182 NsxBaseRestController 82634 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'AAA' Operation:'POST@/api/v1/aaa/vidm/search' Operation status: 'failure' Error: Error connecting to VMware Identity Manager.

Environment

VMware NSX 4.x
VMware NSX-T Data Center 3.x

Cause

  • In VMware NSX 4.1.x, the NSX Manager offers only two cipher suites on its outgoing connections:
    one RSA suite, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
    and one ECDSA suite, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.
  • The NSX load balancer virtual server in front of vIDM is configured with an RSA certificate and the default balanced client SSL profile, which does not include the RSA suite above. The high-security client SSL profile, not the default one, therefore has to be used on the NSX LB VIP for vIDM.
  • In addition, because the VIP presents an RSA certificate, the load balancer can only select a cipher suite whose authentication algorithm is RSA during the TLS handshake.
  • So even if the client SSL profile includes TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, which the NSX Manager also offers, the load balancer will not select it: an ECDHE_ECDSA suite requires an ECDSA certificate, which is inconsistent with the RSA certificate on the VIP. With no suite that the NSX Manager offers, the profile allows and the certificate type supports, the server aborts the handshake with the fatal alert handshake_failure.
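The selection rule described in the Cause section, as an added example that is not VMware's code: the server picks a suite that the client offered, that its client SSL profile allows, and whose authentication algorithm matches the key type of the certificate on the VIP. The two NSX Manager suites are the ones named in this article; the profile contents (BALANCED_PROFILE, HIGH_SECURITY_PROFILE) are constructed stand-ins that only reproduce the property the article states (the balanced profile lacks the ECDHE_RSA suite, the high-security profile has it), not the real NSX profile definitions.

```python
"""Model of TLS 1.2 cipher-suite selection at an NSX LB virtual server.

Added example, not VMware code. Profile lists are constructed stand-ins.
"""

# Suites the NSX Manager 4.1.x offers on outgoing connections (from the article).
NSX_OUTBOUND_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
]

# Constructed stand-ins for the LB client SSL profiles (the real profiles list
# more suites). Per the article, the balanced profile lacks the ECDHE_RSA suite
# the NSX Manager needs and the high-security profile contains it.
BALANCED_PROFILE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]
HIGH_SECURITY_PROFILE = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
]


def auth_algorithm(suite):
    """Certificate key type a TLS 1.2 suite needs ('RSA', 'ECDSA', 'DSS',
    'anon'), or None for TLS 1.3 suites, whose names carry no auth algorithm."""
    parts = suite.split("_")
    if "WITH" not in parts:
        return None
    key_exchange = parts[1:parts.index("WITH")]   # e.g. ['ECDHE', 'RSA'] or ['RSA']
    alg = key_exchange[-1]
    if alg not in ("RSA", "ECDSA", "DSS", "anon"):
        raise ValueError("unrecognised key exchange in %s" % suite)
    return alg


def negotiate(client_offered, server_profile, cert_key_type):
    """Server-preference selection: the first suite in the profile that the
    client offered and that the VIP certificate can authenticate. None means
    the server sends the fatal alert handshake_failure. (Client preference
    would change the order, not the outcome, for the cases below.)"""
    for suite in server_profile:
        if suite not in client_offered:
            continue
        needed = auth_algorithm(suite)
        if needed is None or needed == cert_key_type:
            return suite
    return None


def explain(profile_name, profile, cert_key_type):
    chosen = negotiate(NSX_OUTBOUND_CIPHERS, profile, cert_key_type)
    print("%-14s + %-5s cert -> %s" % (profile_name, cert_key_type,
                                      chosen or "handshake_failure"))
    return chosen


if __name__ == "__main__":
    explain("balanced", BALANCED_PROFILE, "RSA")            # handshake_failure
    explain("high-security", HIGH_SECURITY_PROFILE, "RSA")  # ECDHE_RSA suite chosen
    # The ECDSA suite is offered by both sides, yet it only helps when the
    # certificate on the VIP is itself ECDSA.
    explain("ecdsa-only", ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"], "RSA")
    explain("ecdsa-only", ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"], "ECDSA")
```

The same check applies to any client with a short outbound cipher list: before blaming the profile name, compare the client's offered suites against the profile's list and the key type of the certificate bound to the virtual server.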

Resolution

This is a known issue impacting VMware NSX.


Workaround

  • Use "default-high-security-client-ssl-profile", or create a custom client SSL profile that includes the required cipher suite, and apply that profile to the virtual server for vIDM.
  • Steps to create a custom client SSL profile
  1. From the NSX user interface, go to the Networking tab, select Load Balancing and select Profiles.
  2. Change the "Select Profile Type" drop-down menu to SSL.
  3. Click the "ADD SSL PROFILE" button and select "Client SSL Profile".
  4. Assign a name and change the SSL Suite option from "Balanced (recommended)" to "Custom".
  5. Under "Supported SSL Ciphers", add TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (keep any other suites your other clients need; adding only the TLS_ECDHE_ECDSA suite does not help while the VIP uses an RSA certificate).
  6. Click Save.
  • Apply the profile
  1. From the Networking tab, select Load Balancing and select Virtual Servers.
  2. Edit the virtual server used for vIDM (the one listening on port 443).
  3. Click the "Configure" link under SSL Configuration.
  4. Change the "Client SSL Profile" to the profile just created.
  5. Click Save, and Save again on the Virtual Server screen.
  6. Refresh until the status is Success, then verify that vIDM connects, for example by repeating the Active Directory group lookup from NSX.
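To confirm the change from outside NSX, the handshake the NSX Manager performs can be reproduced from any host that can reach the VIP. The script below is an added example, not VMware's code: it offers only the two suites named in this article and reports the suite the VIP negotiates, or the alert the VIP sends. Assumptions made here: the handshake is pinned to TLS 1.2 so that the cipher list (which does not govern TLS 1.3 suites) decides the outcome, certificate validation is switched off because only suite negotiation is under test, and the default host name "vidm-server.local" is the placeholder from the log line above.

```python
"""Probe the vIDM VIP with the NSX Manager's outbound cipher suites.

Added example, not VMware code. Pinning to TLS 1.2 and disabling certificate
validation are assumptions made to isolate cipher-suite negotiation; check
the VIP certificate separately.
"""
import socket
import ssl
import sys

# IANA suite names from the article mapped to the OpenSSL names set_ciphers() expects.
OPENSSL_NAMES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}
NSX_OUTBOUND_CIPHERS = list(OPENSSL_NAMES)   # RSA suite first, ECDSA suite second


def iana_to_openssl(suite):
    return OPENSSL_NAMES[suite]


def build_context(suites):
    """Client context restricted to TLS 1.2 and exactly the given IANA suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False       # negotiation test only, see module docstring
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(":".join(iana_to_openssl(s) for s in suites))
    return ctx


def enabled_suites(ctx):
    """OpenSSL names of the TLS 1.2 suites the context will offer. OpenSSL lists
    TLS 1.3 suites (named TLS_...) regardless of set_ciphers(), so drop them."""
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def probe(host, port, suites=NSX_OUTBOUND_CIPHERS, timeout=5.0):
    """Return ('ok', <negotiated OpenSSL suite name>) or ('fail', <reason>).
    Against a VIP that still uses the balanced profile the reason is the
    SSLError reason for the server's handshake_failure alert; a TCP-level
    error is prefixed with 'tcp:' so the two are distinguishable."""
    ctx = build_context(suites)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                name, _version, _bits = tls.cipher()
                return ("ok", name)
    except ssl.SSLError as exc:
        return ("fail", exc.reason or str(exc))
    except OSError as exc:
        return ("fail", "tcp: %s" % exc)


def main(argv):
    host = argv[1] if len(argv) > 1 else "vidm-server.local"   # placeholder from the log
    port = int(argv[2]) if len(argv) > 2 else 443
    # Both suites together is what the NSX Manager offers; each suite alone
    # shows that an RSA certificate on the VIP can never satisfy the ECDSA suite.
    for label, suites in (("nsx-manager set", NSX_OUTBOUND_CIPHERS),
                          ("rsa suite only", NSX_OUTBOUND_CIPHERS[:1]),
                          ("ecdsa suite only", NSX_OUTBOUND_CIPHERS[1:])):
        status, detail = probe(host, port, suites)
        print("%-17s %-4s %s" % (label, status, detail))


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 probe_vip.py vidm-vip.example 443` before and after applying the profile: with the balanced profile all three probes report a handshake failure; with the high-security or custom profile the first two negotiate ECDHE-RSA-AES256-GCM-SHA384 and the ECDSA-only probe still fails, which is expected as long as the VIP certificate is RSA.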