VMware NSX Compute Manager registration workflow

Article ID: 378258

Products

VMware NSX

Issue/Introduction

This KB outlines the workflow used when registering a Compute Manager (CM) in VMware NSX-T, not VMware NSX with vSphere.

  • As per the documentation, a username with the correct credentials is required to register a CM with NSX. For further details, please review the Installation Guide.
  • You can use an existing user with administrator privileges or create a new user with the required privileges. Please review the Installation Guide above for details.
  • The CM is used to manage resources, such as hosts and virtual machines.
  • NSX-T polls the CM to collect inventory information.

Note: Currently, when we mention a CM, we are referring to vCenter.

Environment

VMware NSX-T

Resolution

  • To register a CM with NSX-T, you need a username and password with the correct privileges. This username is only used during registration, to register NSX-T with the CM as an extension in the extension manager.
  • NSX-T then generates a certificate/key pair and registers them in the new extension, using the username used to register the CM. NSX-T uses this certificate, not that username, for subsequent logins and operations.
  • During the registration process in NSX-T, the CM presents a thumbprint for the certificate it holds, which you need to accept. This thumbprint is then used to authenticate the CM with NSX-T.
  • After a CM registration is complete, the username that was used to register the CM is not shown when you edit the CM. This is expected behavior.

NSX-T manager logs:

  • During the registration, in the NSX-T manager logs, we can see the CM username used to register the CM: /var/log/cm-inventory/cm-inventory.log

INFO inventoryTasksScheduler9 CmPluginStateManager 4333 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] CM ########-ce5b-4a16-bc48-############ mapped
 to this node and current status is discovered_resource {
 ...
username {
  value: "{username-1}"

  • If the username is subsequently changed to a different username by editing the CM registration in NSX-T, we can initially see the username in the same log as above:

INFO http-nio-127.0.0.1-7443-exec-3 CmInventoryService 4333 FABRIC [nsx@6876 comp="nsx-manager" level="INFO" reqId="########-e074-4848-8fc0-############" subcomp="cm-inventory" username="{nsx-t-user}"] Received cm connection config validation request, cmId ########-ce5b-4a16-bc48-############ , cm config ComputeManagerConfigData{id='########-ce5b-4a16-bc48-############', externalId='########-ce5b-4a16-bc48-############', displayName='{vCenter Display name}', server='{vCenter FQDN}', reverseProxyHttpsPort='443', reverseProxyHttpPort='80', originType='vCenter', thumbprint='{vCenter thumbprint}', cmCredential='UsernamePasswordLoginCredential{username='{username-2}', thumbprint='{vCenter thumbprint}', super{LoginCredential{credentialType='UsernamePasswordLoginCredential'}}}', additionalConfig='[KeyValuePair{key='is_multi_nsx', value='false'}]', errors='null', cmUserLoginCredential='null', cmRoleId='0', domain='null'}

  • Later you can see it revert to the previously configured username:

INFO inventoryTasksScheduler9 CmPluginStateManager 4333 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="cm-inventory"] CM ########-ce5b-4a16-bc48-############ mapped
 to this node and current status is discovered_resource {
 ...
username {
  value: "{username-1}"

vCenter Server logs:

  • To see the username which is used to reregister the CM, we can check the vCenter logs: /var/log/vmware/vpxd/vpxd.log

  • Unregisters the existing extension first with the new username:

    info vpxd[06101] [Originator@6876 sub=MoExtensionMgr opID=cm-inventory-{nsx-t-manager-ip/fqdn}-bf] Registering unrestricted extension with extensionKey = com.vmware.nsx.management.nsxt by user: VSPHERE.LOCAL\{username-2}

  • Acquiring new token:

    info vpxd[04794] [Originator@6876 sub=SsoClient opID=cm-inventory-{nsx-t-manager-ip/fqdn}-6d] Successfully acquired token: SamlToken [subject={Name: {username-2}; Domain:VSPHERE.LOCAL}, groups=[{Name: Administrators; Domain:vsphere.local}, {Name: SystemConfiguration.Administrators; Domain:vsphere.local}, {Name: LicenseService.Administrators; Domain:vsphere.local}, {Name: Everyone; Domain:vsphere.local}], delegationChain=[], startTime={DATE/TIME}, expirationTime={DATE/TIME}, renewable=true, delegable=true, isSolution=false,confirmationType=0]

    info vpxd[04794] [Originator@6876 sub=AuthorizeManager opID=cm-inventory-{nsx-t-manager-ip/fqdn}-6d] [Auth]: User VSPHERE.LOCAL\{username-2}

  • Then new registration using the new username:

    info vpxd[06101] [Originator@6876 sub=MoExtensionMgr opID=cm-inventory-{nsx-t-manager-ip/fqdn}-bf] Registering unrestricted extension with extensionKey = com.vmware.nsx.management.nsxt by user: VSPHERE.LOCAL\{username-2}

  • Applying the new certificate for the new extension:

    info vpxd[06236] [Originator@6876 sub=vpxLro opID=cm-inventory-{nsx-t-manager-ip/fqdn}-bd] [VpxLRO] -- BEGIN lro-625179 -- ExtensionManager -- vim.ExtensionManager.setCertificate -- ########-f0a7-3a3b-8abf-############(########-5910-d179-8f77-############)

    info vpxd[06236] [Originator@6876 sub=MoExtensionMgr opID=cm-inventory-{nsx-t-manager-ip/fqdn}-bd] Certificate set for extension com.vmware.nsx.management.nsxt. Certificate thumbprint: {Extension-Certificate-Thumbprint}

  • New login from NSX-T using the certificate:

    info vpxd[06593] [Originator@6876 sub=vpxLro opID=vc-access-{nsx-t-manager-ip/fqdn}-8a] [VpxLRO] -- BEGIN lro-625199 -- SessionManager -- vim.SessionManager.loginExtensionByCertificate -- ########-6655-90e1-c3ce-############)

  • Then logout:

    info vpxd[06674] [Originator@6876 sub=vpxLro opID=cm-inventory-{nsx-t-manager-ip/fqdn}-89] [VpxLRO] -- BEGIN lro-625214 -- SessionManager -- vim.SessionManager.logout -- ########-654d-f097-db5d-############(########-17cb-b172-1286-############)

 

Note:

########-ce5b-4a16-bc48-############ is the UUID of the CM being registered.

{username-1} refers to the CM administrative user initially used to register the CM in NSX-T.

{username-2} refers to the new CM administrative user used to reregister the CM in NSX-T.

{nsx-t-user} refers to the user logged into NSX-T and making the changes.

{vCenter Display name} refers to the display name of the CM.

{vCenter FQDN} refers to the FQDN of the CM.

{vCenter thumbprint} refers to the certificate thumbprint presented to NSX-T by the CM.

{nsx-t-manager-ip/fqdn} refers to the IP address or FQDN of the NSX-T manager which is registering the CM.

{Extension-Certificate-Thumbprint} refers to the thumbprint of the new certificate used by the CM extension.

 

This issue, where you cannot see the new username in the NSX-T cm-inventory.log after editing the CM registration and changing the username, is a known issue and will be resolved in a future version.
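
Because cm-inventory.log does not show the new username, the vpxd.log lines quoted above are where to confirm which account re-registered the extension. The following Python script is an added example, not VMware code: it extracts the registration, certificate-set and certificate-login events for com.vmware.nsx.management.nsxt from vpxd.log lines. The function names and the sample hostname, account and thumbprint are constructed assumptions.

```python
import re

EXT_KEY = "com.vmware.nsx.management.nsxt"  # extension key shown in the KB's vpxd.log lines

# Patterns follow the vpxd.log message formats quoted in this article.
PATTERNS = {
    "register": re.compile(
        r"sub=MoExtensionMgr opID=(?P<opid>\S+)\] Registering unrestricted extension "
        r"with extensionKey = " + re.escape(EXT_KEY) + r" by user: (?P<user>.+)$"),
    "set_certificate": re.compile(
        r"sub=MoExtensionMgr opID=(?P<opid>\S+)\] Certificate set for extension "
        + re.escape(EXT_KEY) + r"\. Certificate thumbprint: (?P<thumbprint>\S+)"),
    "cert_login": re.compile(
        r"opID=(?P<opid>\S+)\] \[VpxLRO\] -- BEGIN \S+ -- SessionManager -- "
        r"vim\.SessionManager\.loginExtensionByCertificate"),
}

def extension_events(lines):
    """Return the NSX-T extension events found in vpxd.log lines, in order."""
    events = []
    for line in lines:
        for kind, pattern in PATTERNS.items():
            m = pattern.search(line.rstrip())
            if m:
                events.append({"event": kind, **m.groupdict()})
                break
    return events

def registering_users(events):
    """Accounts that (re)registered the extension, de-duplicated, in order seen."""
    users = []
    for e in events:
        if e["event"] == "register" and e["user"] not in users:
            users.append(e["user"])
    return users

# Constructed sample lines in the format shown above; all values are made up.
SAMPLE = [
    r"info vpxd[06101] [Originator@6876 sub=MoExtensionMgr opID=cm-inventory-nsx01.example.test-bf] Registering unrestricted extension with extensionKey = com.vmware.nsx.management.nsxt by user: VSPHERE.LOCAL\svc-nsx-new",
    r"info vpxd[04794] [Originator@6876 sub=AuthorizeManager opID=cm-inventory-nsx01.example.test-6d] [Auth]: User VSPHERE.LOCAL\svc-nsx-new",
    r"info vpxd[06236] [Originator@6876 sub=MoExtensionMgr opID=cm-inventory-nsx01.example.test-bd] Certificate set for extension com.vmware.nsx.management.nsxt. Certificate thumbprint: AA:BB:CC:DD",
    r"info vpxd[06593] [Originator@6876 sub=vpxLro opID=vc-access-nsx01.example.test-8a] [VpxLRO] -- BEGIN lro-625199 -- SessionManager -- vim.SessionManager.loginExtensionByCertificate -- 00000000-6655-90e1-c3ce-000000000000",
]

if __name__ == "__main__":
    found = extension_events(SAMPLE)
    for event in found:
        print(event)
    print("registered by:", registering_users(found))
```

To run it against a real log, pass the lines of /var/log/vmware/vpxd/vpxd.log to extension_events() instead of SAMPLE.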