Cannot delete tomcat certificate installed on NSX-T 2.x
Article ID: 325084

Updated On:

Products

VMware NSX

Issue/Introduction

Informational

Symptoms:
NSX-T users cannot delete the self-signed certificate associated with tomcat, even though they were able to associate a CA-signed certificate with tomcat.

Users receive the following error message:

"Field level validation errors: (value client authentication... or property service_type is not one of the allowed values)"


Environment

VMware NSX Transformers 2.x

Cause

A certificate can only be deleted if it is not in use by any component in the system. The Policy component creates a principal identity that uses the same certificate as tomcat (the reverse proxy) on the node, so even after the tomcat (reverse proxy) certificate has been replaced, the Policy principal identity still holds a reference to the old certificate.

A user can replace the node tomcat certificates, but cannot replace the self-signed Client Authentication certificate, because it was auto-generated during the build of the first NSX-T node. When a user retrieves information about this certificate, it is listed with 'service_types' "Client Authentication", as shown in the response to the API call below.

GET https://$NSXIP/api/v1/trust-management/certificates

Locate following certificate:

    "used_by" : [ {
      "node_id" : "{name: 'nsx_policy',node_id: 'policy_node',certificate_id: 'xxxxxxxx'}",
      "service_types" : [ "Client Authentication" ]
    } ],
    "resource_type" : "certificate_self_signed",
    "id" : "xxxxxxxxx",
    "display_name" : "tomcat certificate for node '   ' ",
    "tags" : [ ],
    "_create_user" : "system",
    "_create_time" : xxxxx,
    "_last_modified_user" : "node-mgmt",
    "_last_modified_time" : xxxxx5257,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 3
  }, {
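The check the article describes, walking the /api/v1/trust-management/certificates response and reporting which certificates are still referenced (and by which component and service type), can be scripted. The following is an added example, not code from the article or from VMware; the sample response, the certificate ids, the node name and the fetch_certificates helper (HTTP basic auth against an NSX Manager, with an optional CA bundle) are all assumptions made for illustration.

```python
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Optional

# Constructed sample response modelled on the excerpt in this article.
# Ids, node name and times are placeholders, not values from a real system.
SAMPLE_RESPONSE = json.dumps({
    "results": [
        {
            "id": "cert-tomcat-selfsigned-PLACEHOLDER",
            "display_name": "tomcat certificate for node 'nsx-mgr-01'",
            "resource_type": "certificate_self_signed",
            "used_by": [
                {
                    "node_id": "{name: 'nsx_policy',node_id: 'policy_node',"
                               "certificate_id: 'PLACEHOLDER'}",
                    "service_types": ["Client Authentication"],
                }
            ],
        },
        {
            "id": "cert-ca-signed-PLACEHOLDER",
            "display_name": "CA-signed tomcat certificate",
            "resource_type": "certificate_signed",
            "used_by": [],
        },
    ]
})


def certificate_references(response_json: str) -> Dict[str, List[dict]]:
    """Map each certificate id to the components that still reference it.

    An empty list means nothing holds the certificate and a DELETE will be
    accepted; a non-empty list is the condition behind the validation error
    quoted in this article.
    """
    data = json.loads(response_json)
    refs: Dict[str, List[dict]] = {}
    for cert in data.get("results", []):
        refs[cert["id"]] = [
            {
                "node_id": user.get("node_id", ""),
                "service_types": user.get("service_types", []),
            }
            for user in cert.get("used_by", [])
        ]
    return refs


def blocked_by_client_auth(response_json: str) -> List[str]:
    """Ids of certificates whose only remaining references are
    'Client Authentication' ones, i.e. the Policy principal identity case."""
    blocked = []
    for cert_id, users in certificate_references(response_json).items():
        if users and all("Client Authentication" in u["service_types"] for u in users):
            blocked.append(cert_id)
    return blocked


def fetch_certificates(nsx_ip: str, username: str, password: str,
                       cafile: Optional[str] = None) -> str:
    """GET /api/v1/trust-management/certificates with HTTP basic auth.

    cafile is an optional CA bundle used to validate the NSX Manager's own
    TLS certificate. Assumed helper; not exercised offline, the sample
    response above stands in for its output.
    """
    url = f"https://{nsx_ip}/api/v1/trust-management/certificates"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        headers={"Authorization": f"Basic {token}", "Accept": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_certificates(...)
    # to inspect a live manager.
    for cert_id, users in certificate_references(SAMPLE_RESPONSE).items():
        state = "deletable" if not users else "in use"
        print(f"{cert_id}: {state}")
        for user in users:
            print(f"    {user['node_id']} -> {user['service_types']}")
    print("blocked by Client Authentication reference:",
          blocked_by_client_auth(SAMPLE_RESPONSE))
```

Running this before attempting a DELETE tells you up front which certificate the Policy principal identity still holds, rather than discovering it from the validation error.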

Resolution

This issue is resolved in VMware NSX-T Data Center 3.0.