Resolving NSX-T and VMware Identity Manager (vIDM) Connectivity Issues due to SSL Thumbprint Mismatch

Article ID: 381832


Products

VMware

Issue/Introduction

  • NSX-T was unable to communicate with the VMware Identity Manager (vIDM) 3.3.7 environment, leading to failed authentication attempts for users. Attempts to log in to NSX-T through vIDM displayed the following error:

    • Workspace ONE Access is not accessible. CLICK HERE to log in to NSX Manager using your local user account.

  • Despite confirming that vIDM services were running and healthy, both over SSH on the vIDM appliance and in the vIDM UI, NSX-T's VMware Identity Manager Connection status showed as "Down."

  • After logging in to NSX-T with admin credentials and navigating to System > Settings > User Management > VMware Identity Manager > Edit, attempting to save the settings resulted in the following error:

    • Error: Invalid VMware Identity Manager thumbprint specified. (Error code: 36520)

  • vIDM health in LCM may show as Critical in some scenarios.

Environment

  • VMware Identity Manager 3.3.x

Cause

  • The primary cause of the issue is an outdated vIDM thumbprint configured in NSX-T. 

  • The vIDM thumbprint is a cryptographic hash of the server's SSL certificate. When the certificate changes (e.g., due to renewal or re-issuance), the thumbprint also changes. An outdated thumbprint prevents NSX-T from establishing a secure connection with vIDM, leading to authentication failures.

Resolution

  • Verify Health of vIDM Services:

    • Log in to the vIDM UI, click the Health icon at the top right, and confirm that the health status of all components is Green.


  • SSH into the vIDM nodes and check that the opensearch and horizon-workspace services are active using:

    • service opensearch status

    • service horizon-workspace status


  • Run Inventory Sync in LCM:

    • Run Inventory Sync for the vIDM/Global Environment from LCM to refresh the health status in LCM. Inventory Sync normally completes successfully because vIDM is in a Healthy state; if the sync reports errors, troubleshoot them using the LCM error code.

    • Confirm that vIDM health status changes to Healthy (Green) in LCM after Inventory Sync.


  • Attempt Connection Verification in NSX-T:

    • Log in to NSX-T using admin credentials.

    • Navigate to System > Settings > User Management > VMware Identity Manager, where the VMware Identity Manager Connection is shown as "Down" (as described in the Issue/Introduction section of this article).

    • Click Edit and attempt to save the configuration; saving fails with the following error (as shown in the Issue/Introduction section of this article):

      • Error: Invalid VMware Identity Manager thumbprint specified. (Error code: 36520)


  • Retrieve the Latest vIDM SSL Thumbprint (Step 4):

    • SSH into the vIDM host and run the following command to obtain the current SSL thumbprint:

      • openssl s_client -connect <FQDN of vIDM host>:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin


  • Update the SSL Thumbprint in NSX-T:

    • Log in to NSX-T using local admin credentials.

    • Go to System > Settings > User Management > VMware Identity Manager > Edit.

    • Edit the SSL Thumbprint field and paste the latest SSL thumbprint obtained in Step 4.

    • Save the changes to update the thumbprint, confirming there are no errors.

Note: A change to the vIDM certificate does not alter the OAuth Client ID (used when registering vIDM as an identity source in NSX-T). That ID is created at the application level, not the appliance level, when NSX-T is registered as a Web App integration in vIDM, so it does not need to be changed after a certificate change.

  • Verify Connectivity:

    • Confirm that NSX-T shows a successful connection to vIDM and that authentication via Workspace ONE Access is restored.
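The check behind Step 4 and the thumbprint comparison NSX-T performs, as an added example that is not part of this KB article: it fetches the certificate presented by the FQDN configured in NSX-T, normalizes both the live value and the configured one (openssl's "sha256 Fingerprint=" prefix, lower-case hex and missing colons all compare equal), and reports a mismatch. It assumes openssl is installed where it runs; vidm.example.com and NSX_CONFIGURED_THUMBPRINT are placeholders.

```shell
# Added example, not part of the KB article. Assumes openssl is installed and
# that the vIDM FQDN and the thumbprint configured in NSX-T are supplied by the
# caller (placeholders below, no real values).

# Normalize a thumbprint to upper-case, colon-separated hex so that the openssl
# "sha256 Fingerprint=..." line, lower-case hex or a colon-less value compare equal.
normalize_thumbprint() {
  local raw="${1#*=}"                      # drop "sha256 Fingerprint=" if present
  raw=$(printf '%s' "$raw" | tr -d ':[:space:]' | tr 'a-f' 'A-F')
  case "$raw" in
    ''|*[!0-9A-F]*) echo "error: not a hex thumbprint: $1" >&2; return 1 ;;
  esac
  if [ "${#raw}" -ne 64 ]; then            # SHA-256 = 32 bytes = 64 hex digits
    echo "error: expected a SHA-256 thumbprint, got ${#raw} hex digits" >&2; return 1
  fi
  printf '%s\n' "$raw" | sed 's/../&:/g; s/:$//'
}

# Print the SHA-256 fingerprint of the leaf certificate presented by the endpoint
# NSX-T is configured with (the same FQDN, e.g. a load-balancer VIP rather than a
# single node). -servername sends SNI so a name-based endpoint serves its own cert.
vidm_thumbprint() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -sha256 -fingerprint -noout
}

# $1 = thumbprint the endpoint presents, $2 = thumbprint configured in NSX-T.
# Returns 0 on match, 1 on mismatch (the state behind error code 36520), 2 on bad input.
compare_thumbprints() {
  local live expected
  live=$(normalize_thumbprint "$1") || return 2
  expected=$(normalize_thumbprint "$2") || return 2
  [ "$live" = "$expected" ]
}

# $1 = vIDM FQDN as configured in NSX-T, $2 = thumbprint currently saved in NSX-T.
check_vidm_thumbprint() {
  local live
  live=$(vidm_thumbprint "$1") || { echo "error: no certificate from $1" >&2; return 2; }
  if compare_thumbprints "$live" "$2"; then
    echo "OK: NSX-T thumbprint matches what $1 presents"
  else
    echo "MISMATCH: $1 presents $(normalize_thumbprint "$live")"
    echo "          NSX-T has    $(normalize_thumbprint "$2") -> update the SSL Thumbprint field"
    return 1
  fi
}

# Usage with placeholders: check_vidm_thumbprint vidm.example.com "$NSX_CONFIGURED_THUMBPRINT"
```

Run it against the FQDN that NSX-T is configured with, not an individual node behind a load balancer, since that is the certificate NSX-T validates against the saved thumbprint.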

Additional Information

  • This issue can occur even if the vIDM health appears green in LCM or vIDM itself.

  • For additional reference, see:

  • By following these steps and understanding the cause, you can resolve the invalid thumbprint error and re-establish successful authentication between NSX-T and vIDM.

  • Note: A change to the certificate on the LB / nodes is an instance- or appliance-level change, not a change to the identity service as a functionality. Unless the NSX registration in vIDM itself changes, the Secret used for the NSX-vIDM integration remains unaffected.