Logging in to the NSX Manager Command Line Interface (CLI) as admin fails after upgrade
search cancel

Logging in to the NSX Manager Command Line Interface (CLI) as admin fails after upgrade

book

Article ID: 345655

calendar_today

Updated On:

Products

VMware NSX

Issue/Introduction

Symptoms:

  • Logging in as admin to the NSX Manager Command Line Interface (CLI) after upgrading from VMware vCloud Networking and Security 5.x to NSX for vSphere 6.x fails
  • Invoking a REST API using admin credential fails
  • Running the show log command on the NSX Manager console reports entries similar to:

    2015-05-06 16:56:23.155 UTC INFO http-nio-127.0.0.1-7441-exec-1 SecurityTokenServiceImpl$RequestResponseProcessor:742 - Provided credentials are not valid.
    2015-05-06 16:56:23.171 UTC INFO http-nio-127.0.0.1-7441-exec-1 VcAuthenticationProvider:140 - There are no SSO Groups with role on vSM
    2015-05-06 16:56:23.188 UTC INFO http-nio-127.0.0.1-7441-exec-1 AuditingServiceImpl:143 - [AuditLog] UserName:'System', ModuleName:'ACCESS_CONTROL', Operation:'LOGIN', Resource:'admin', Time:'Wed May 06 16:56:23.184 UTC 2015'


    For more information, see Collecting diagnostic information for VMware NSX for vSphere 6.x (2074678).

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX for vSphere 6.1.x
VMware NSX for vSphere 6.3.x
VMware NSX for vSphere 6.0.x
VMware NSX for vSphere 6.2.x

Cause

VMware NSX for vSphere 6.x introduces a behavior change with the administrator accounts.

The vShield Manager in VMware vCloud Networking and Security supports two admin user accounts:
  • An admin account to provide command-line access to vShield Manager. Authentication is performed from the Command Line Interface (CLI) / filesystem.
  • An admin account to provide access to the Web-based User Interface (UI). Authentication is performed from the vShield Manager database.
In VMware NSX for vSphere 6.x, the admin database user is removed, and a single admin user account provides access to both the CLI and the Web-based User Interface. New installations of NSX for vSphere 6.x uses the single account approach. To help maintain backwards compatibility, when NSX Manager is upgraded from vShield Manager, NSX honors both admin accounts.

Note: On the appliance management, the admin with CLI credentials can log in, whereas the REST APIs would require a user to use the database admin credentials and not the CLI credentials.

Resolution

Starting with VMware NSX for vSphere 6.1.3 and later, NSX Manager authenticates using CLI credentials on the appliance management User Interface (UI) whereas the REST APIs requires a database user credentials.

Note: If you want to use the same credentials as the CLI, open a support request with Broadcom Support and quote this Knowledge Base article (345655) in the description.

Additional Information