The NSX-T data source in Aria Operations for Networks is displaying invalid credentials.
Article ID: 378233
Updated On:
Products
Issue/Introduction
-
The NSX-T data source shows an "invalid credentials" error in Aria Operations for Networks, as illustrated in the screenshot below.
-
This data source is integrated with an LDAP user who is a member of an AD group that has been assigned the Enterprise Admin role.
- A basic GET API call can be utilized to validate credentials, as illustrated below and HTTP/1.1 200 OK Indicates that credentials are accurate.
Replace <UserID> with the service account that the NSX Data Source is utilizing, and <NSXMgrIPAddress> with the FQDN or IP address of the configured NSX Manager for the Data Source.
support@aria-networks-collector:~$ curl -ik --user <UserID> --request GET https://<NSXMgrIPAddress>/api/v1/logical-routers
Enter host password for user '<UserID>':
HTTP/1.1 200 OK
- Despite the credentials being accurate, the error (invalid credentials) persists.
- Upon log review of collector appliance in the file latest.log located at location
/var/log/arkin/collector/indicates insufficient privileges for several API calls, as shown below:
Example:
, DPTaskStatus
{
taskId='com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.NSXTConfigTask_CONFIG_scheduled'
collectedDataType=CONFIG
taskExecType=SCHEDULED
isSuccess=false
timestamp=1726527241157
errorCode='INVALID_CREDENTIALS'
errorMessage='com.vnera.dataproviders.core.common.impl.dataprovider.utils.exceptions.HttpException: Could not get response for /api/v1/cluster/api-virtual-ip, status 403
- Another API call which ls failing with insufficient privileges appears in the logs:
, DPTaskStatus
{
taskId='com.vnera.dataproviders.core.impl.vmware.nsxt.tasks.NSXTAuditPollingTask_AuditLog_CONFIG'
collectedDataType=CONFIG
taskExecType=SCHEDULED
isSuccess=false
timestamp=1726527378620
errorCode='INVALID_CREDENTIALS'
errorMessage='com.vnera.dataproviders.core.common.impl.dataprovider.utils.exceptions.HttpException: Could not get response for /api/v1/administration/audit-logs, status 403 - Executing the same API call to the NSX-T manager externally results in the same error, as demonstrated below:
- Replace
<UserID>with the service account that the NSX Data Source is utilizing, and<NSXMgrIPAddress>with the FQDN or IP address of the configured NSX Manager for the Data Source.
support@aria-networks-collector:~$ curl -ik --user <UserID> --request GET https://<NSXMgrIPAddress>/api/v1/cluster/api-virtual-ip
Enter host password for user '<UserID>:
HTTP/1.1 403 Forbidden
content-type: application/json
content-length: 205
date: Wed, 18 Sep 2024 07:14:07 GMT
{
"error_code": 401,
"error_message": "User is not authorized to perform this operation on the application. Please contact the system administrator to get access.",
"module_name": "common-services"
Environment
Aria Operations for Networks 6.12
Aria Operations for Networks 6.12.1
Aria Operations for Networks 6.13
Aria Operations for Networks 6.14
Cause
The enterprise user utilized for integration in Aria Operations for Networks does not possess the required privileges to perform specific API calls, leading to an "invalid credentials" error in Aria Operations for Networks.
This is a known issue in NSX-T versions 4.2.0 and 4.2.0.2.
Resolution
The issue has been resolved in version NSX 4.2.1 and higher.
Please refer to the knowledge base KB 378717 After upgrading to NSX 4.2.0, LDAP users are unable to view the VIP in NSX Manager for instructions on applying the workaround from NSX.
**A workaround is also possible through Aria Operations for Networks:
- You can use a local user/admin account to integrate NSX-T with Aria Operations for Networks.
Feedback
