NSX Local Manager configuration import is unavailable due to an unknown Principal Identity

Article ID: 375343

Products: VMware NSX, VMware NSX Networking

Issue/Introduction

  • In an NSX Federation environment, Local Manager configuration import is unavailable with the error:

    Unknown Principal identity PRINCIPAL_IDENTITY-wcp-<UUID> found on Local Manager at site <LM NAME>

  • On the Global Manager, /var/log/gmanager/gmanager.log contains an error similar to this example:

    <Date>T<Time>  INFO http-nio-127.0.0.1-64440-exec-6 GmOnboardingConverter 70046 POLICY [nsx@6876 comp="global-manager" level="INFO"  subcomp="global-manager"] toConfigOnboardingStatusDto: ConfigOnboardingStatus : ConfigOnboardingStatus ....... errors=[com.vmware.nsx.management.gm.onboarding.exceptions.ConfigOnboardingException: Unknown Principal identity PRINCIPAL_IDENTITY-wcp<UUID> found on Local Manager at site <LM site name>.]]

Cause

A prerequisite for Local Manager (LM) configuration import is that every Principal Identity (PI) that exists on the LM must also exist on the Global Manager (GM).
After site registration, an automatic check validates whether any PI present on the LM is missing on the GM.
By design, an error message is displayed in the UI if a PI is present on the LM but not on the GM.

Resolution

To resolve this issue, create a PI on the GM that exactly matches the PI present on the LM (same name, node_id and is_protected value) using the API:

POST https://<global-nsx-mgr>/api/v1/trust-management/token-principal-identities
{
    "name": "PRINCIPAL_IDENTITY-wcp-<UUID>",
    "node_id": "node-2",
    "is_protected": "true"
}
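The onboarding check described under Cause, and the manual POST above, can be reproduced as a small script that lists the PIs on both managers, reports the ones present on the LM but absent on the GM, and builds the create request for each from the LM's own record so the copy matches exactly. This is an added example, not VMware's code or part of this article; it assumes the NSX-T list endpoint /api/v1/trust-management/principal-identities, basic authentication with an administrative account, and a response of the form {"results": [...]}. The POST path is the one given in the article. The sample listings at the bottom are constructed.

```python
"""Diff Principal Identities (PIs) between an NSX Local Manager and the Global
Manager and build the create requests for any PI missing on the GM.
Added example, not VMware's code. Assumed: the list endpoint below, basic auth,
and a {"results": [...]} response shape."""
import base64
import json
import ssl
import urllib.request

PI_LIST_PATH = "/api/v1/trust-management/principal-identities"          # assumed list endpoint
PI_CREATE_PATH = "/api/v1/trust-management/token-principal-identities"  # from the KB article


def index_by_name(listing):
    """Map PI name -> record from a list-style API response ({"results": [...]})."""
    return {pi["name"]: pi for pi in listing.get("results", [])}


def build_create_body(pi):
    """Body for the article's POST: name, node_id and is_protected are copied
    from the LM record unchanged so the GM copy matches it exactly."""
    return {"name": pi["name"], "node_id": pi["node_id"], "is_protected": pi["is_protected"]}


def find_missing_on_gm(lm_listing, gm_listing):
    """Return one create body per PI that exists on the LM but not on the GM.
    Only the name is compared, which is what the onboarding error reports."""
    gm_names = set(index_by_name(gm_listing))
    return [build_create_body(pi) for name, pi in sorted(index_by_name(lm_listing).items())
            if name not in gm_names]


def nsx_request(manager, path, user, password, body=None, verify_tls=True):
    """Minimal HTTPS helper using only the standard library; returns parsed JSON."""
    url = "https://%s%s" % (manager, path)
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST" if body is not None else "GET")
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Content-Type", "application/json")
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab managers with self-signed certificates
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.loads(resp.read().decode() or "{}")


def sync_missing_pis(lm, gm, user, password, dry_run=True):
    """Fetch both listings, then create the missing PIs on the GM (or only report them)."""
    lm_listing = nsx_request(lm, PI_LIST_PATH, user, password)
    gm_listing = nsx_request(gm, PI_LIST_PATH, user, password)
    bodies = find_missing_on_gm(lm_listing, gm_listing)
    for body in bodies:
        if dry_run:
            print("would POST to GM:", json.dumps(body))
        else:
            nsx_request(gm, PI_CREATE_PATH, user, password, body=body)
    return bodies


# Constructed sample listings (not real NSX output): the LM has a wcp PI the GM lacks.
LM_SAMPLE = {"results": [
    {"name": "PRINCIPAL_IDENTITY-wcp-00000000-0000-0000-0000-000000000000",
     "node_id": "node-2", "is_protected": True},
    {"name": "shared-automation-pi", "node_id": "node-1", "is_protected": False},
]}
GM_SAMPLE = {"results": [
    {"name": "shared-automation-pi", "node_id": "node-1", "is_protected": False},
]}

if __name__ == "__main__":
    for body in find_missing_on_gm(LM_SAMPLE, GM_SAMPLE):
        print(json.dumps(body, indent=2))
```

Run it against real managers with sync_missing_pis(lm_host, gm_host, user, password) first; the default dry run only prints the bodies it would POST, so the list can be reviewed before creating anything on the GM. The script never deletes PIs on either side, and any extra fields a given NSX version requires in the create body can be added in build_create_body.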