NSX Local Manager configuration import is unavailable on the Global manager due to an "unknown Principal Identity"

Article ID: 375343

Products

VMware NSX

Issue/Introduction

  • In an NSX Federation environment, Local Manager configuration import from the Global Manager UI is unavailable because of one of these errors:

Unknown Principal identity PRINCIPAL_IDENTITY-wcp-<UUID> found on Local Manager at site <LM NAME>

Or

Unable to import due to these unsupported features: Principal Identity

  • On the Global Manager, /var/log/gmanager/gmanager.log contains an error similar to this example:

    <Date>T<Time>  INFO http-nio-127.0.0.1-64440-exec-6 GmOnboardingConverter 70046 POLICY [nsx@6876 comp="global-manager" level="INFO"  subcomp="global-manager"] toConfigOnboardingStatusDto: ConfigOnboardingStatus : ConfigOnboardingStatus ....... errors=[com.vmware.nsx.management.gm.onboarding.exceptions.ConfigOnboardingException: Unknown Principal identity PRINCIPAL_IDENTITY-wcp<UUID> found on Local Manager at site <LM site name>.]]Please create this principal identity <Principal-identity-name> on GM to proceed with config onboarding

Cause

A prerequisite for Local Manager (LM) configuration import is that every Principal Identity (PI) that exists on the LM must also exist on the Global Manager (GM).
After site registration, an automatic check validates whether any PI present on the LM is missing on the GM.
By design, the UI displays an error message if a PI is present on the LM but not on the GM.

Resolution

To resolve this issue, use the API to create a PI on the GM that exactly matches the PI present on the LM. Note that there may be more than one missing PI; the error is reported again for each one until all of them have been created on the GM.

Workaround:

1. Identify the PIs on the LM using the following API call (a GET request against the Local Manager):

GET /api/v1/trust-management/principal-identities

2. Find the entry in the list whose name the error message reports, then use its details in the following POST API call on the Global Manager:

POST https://<global-nsx-mgr>/api/v1/trust-management/token-principal-identities
{
    "name": "PRINCIPAL_IDENTITY-wcp-<UUID>",
    "node_id": "node-2",
    "is_protected": true
}

Repeat steps 1 and 2 for each PI that the GM import complains about.
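The two steps above, carried out as one reconciliation pass, are shown in the following script. This is an added example, not code from the KB article or from VMware. It assumes that the list call returns a JSON object with a "results" array (the usual shape of NSX list responses), that the POST body is the one shown in step 2, and that basic authentication is acceptable for the managers involved; the error text and PI records embedded at the bottom are constructed sample data that mirror the article's placeholders, so the script runs offline.

```python
"""Reconcile Principal Identities (PIs) between an NSX Local Manager (LM) and
the Global Manager (GM) before a Federation configuration import.

Added example, not from the KB article or VMware. Assumptions:
  * GET /api/v1/trust-management/principal-identities returns a JSON object
    with a "results" list.
  * POST /api/v1/trust-management/token-principal-identities accepts the body
    shown in the article (name, node_id, is_protected).
  * Hostnames and credentials are supplied by the caller; SAMPLE_* values
    below are constructed for offline use, not real output.
"""
import base64
import json
import re
import ssl
import urllib.request

# Shape of the onboarding error quoted in the article. The site name is
# followed by ".]" in the gmanager.log line and by end-of-line in the UI text.
UNKNOWN_PI_RE = re.compile(
    r"Unknown Principal identity (?P<name>\S+) found on Local Manager at site "
    r"(?P<site>.+?)(?:\.\]|\.?$)",
    re.MULTILINE,
)


def parse_unknown_pi_errors(text):
    """Return [(pi_name, site)] for every 'Unknown Principal identity' message in text."""
    return [(m.group("name"), m.group("site")) for m in UNKNOWN_PI_RE.finditer(text)]


def find_missing_pis(lm_results, gm_results):
    """Return the LM PI records whose name is absent from the GM list.

    The comparison is exact and case-sensitive, which is the prerequisite the
    article states: the PI on the GM must match the one on the LM.
    """
    gm_names = {pi["name"] for pi in gm_results}
    return [pi for pi in lm_results if pi["name"] not in gm_names]


def build_token_pi_body(lm_pi):
    """Build the token-principal-identities POST body from an LM PI record."""
    return {
        "name": lm_pi["name"],
        "node_id": lm_pi["node_id"],
        "is_protected": bool(lm_pi.get("is_protected", False)),
    }


class NsxClient:
    """Minimal HTTPS client (basic auth, certificate verification on) for the two calls."""

    def __init__(self, host, user, password, ca_bundle=None):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}", "Content-Type": "application/json"}
        # Load the manager's CA if it is not in the system trust store.
        self.ctx = ssl.create_default_context(cafile=ca_bundle)

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=self.headers)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return json.loads(resp.read() or b"{}")

    def list_principal_identities(self):
        return self._call("GET", "/api/v1/trust-management/principal-identities").get("results", [])

    def create_token_principal_identity(self, body):
        return self._call("POST", "/api/v1/trust-management/token-principal-identities", body)


def reconcile(lm, gm, dry_run=True):
    """Create on the GM every PI present on the LM but missing on the GM; return the list."""
    missing = find_missing_pis(lm.list_principal_identities(), gm.list_principal_identities())
    for pi in missing:
        body = build_token_pi_body(pi)
        print("would create" if dry_run else "creating", body["name"])
        if not dry_run:
            gm.create_token_principal_identity(body)
    return missing


# Constructed sample data (placeholders in the style of the article, not real records).
SAMPLE_ERROR = (
    "errors=[ConfigOnboardingException: Unknown Principal identity "
    "PRINCIPAL_IDENTITY-wcp-11111111-2222-3333-4444-555555555555 found on Local Manager at site LM-Site-A.]]"
)
SAMPLE_LM = [
    {"name": "PRINCIPAL_IDENTITY-wcp-11111111-2222-3333-4444-555555555555", "node_id": "node-2", "is_protected": True},
    {"name": "backup-operator", "node_id": "node-1", "is_protected": False},
]
SAMPLE_GM = [{"name": "backup-operator", "node_id": "node-1", "is_protected": False}]

if __name__ == "__main__":
    print(parse_unknown_pi_errors(SAMPLE_ERROR))
    for pi in find_missing_pis(SAMPLE_LM, SAMPLE_GM):
        print(json.dumps(build_token_pi_body(pi), indent=4))
```

Against live managers, construct two NsxClient instances (LM and GM) and call reconcile(lm, gm) first with dry_run=True to review the PIs that would be created, then rerun with dry_run=False; the PIs it creates are exactly those the onboarding check reports, so the import becomes available once the list is empty.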