This error notification occurs when the customer goes into the NSX Manager UI to try to enable TLS Inspection on a Tier-1 router. Initially, when the toggle is changed to "On", the change appears to be accepted.
However, an error can then appear saying the following:
<Date:Time>: Error: Principal '<user_account>' with role '[enterprise_admin]' attempts to delete or modify an object of type nsx$SecurityFeatureToggle it doesn't own. (createUser=pks-nsx-t-superuser, allowOverwrite=null) (Error code: 289)

Environment: NSX 3.2 and above
In TKGi, the supporting infrastructure for the Kubernetes components is provisioned automatically in NSX. The Tier-1 routers are therefore created and owned by the TKGi pks-nsx-t-superuser account, and NSX refuses to let admin or enterprise_admin accounts modify the router's TLS settings from the NSX Manager UI because those accounts do not own the object.
Enable the TLS configuration on the Tier-1 Gateway through the Policy API by changing "enable" from false to true, as in the example below.
API : PATCH : https://<<manager_ip>>/policy/api/v1/infra/tier-1s/{tier-1-id}/security-config
Payload: body
{
  "features": [
    {
      "feature": "TLS",
      "enable": true
    }
  ],
  "resource_type": "SecurityFeatures"
}
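The PATCH call above, scripted end to end as an added example (this is not code from the KB article or from VMware/Broadcom). It reads the gateway's current security-config, sends the PATCH from the article only if TLS is still disabled, and reads the configuration back to confirm the change took effect. Assumptions: the same security-config path answers GET (the NSX Policy API generally does for infra objects), the account uses HTTP basic authentication, and the NSX Manager certificate is validated against a CA bundle you supply rather than skipping verification. The hostname, gateway id and credentials are placeholders.

```python
"""Enable TLS Inspection on an NSX Tier-1 gateway via the Policy API.

Added example, not part of the original KB article. Assumes basic-auth
credentials for an enterprise_admin account, a CA bundle that can validate
the NSX Manager certificate, and that GET works on the security-config path.
"""
import argparse
import base64
import getpass
import json
import ssl
import urllib.request


def build_payload(enable: bool = True) -> dict:
    # Payload exactly as given in the KB article; only "enable" varies.
    return {
        "features": [{"feature": "TLS", "enable": enable}],
        "resource_type": "SecurityFeatures",
    }


def build_url(manager: str, tier1_id: str) -> str:
    # Policy API endpoint from the KB. tier1_id is the gateway's Policy ID,
    # not its display name.
    return f"https://{manager}/policy/api/v1/infra/tier-1s/{tier1_id}/security-config"


def basic_auth_header(user: str, password: str) -> str:
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def tls_enabled(security_config: dict) -> bool:
    """True if the TLS feature is reported as enabled in a security-config document."""
    return any(
        f.get("feature") == "TLS" and f.get("enable") is True
        for f in security_config.get("features", [])
    )


def http_json(method, url, headers, body, ca_bundle):
    """Send one JSON request; returns (status, parsed body or {} when empty)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    # Validate the manager certificate instead of disabling TLS verification.
    ctx = ssl.create_default_context(cafile=ca_bundle)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        raw = resp.read()
        return resp.status, json.loads(raw) if raw else {}


def enable_tls_inspection(manager, tier1_id, user, password, ca_bundle, transport=http_json):
    """GET current state, PATCH only if needed, GET again to confirm.

    Returns (changed, final_security_config). `transport` is injectable so the
    logic can be exercised offline.
    """
    url = build_url(manager, tier1_id)
    headers = {
        "Authorization": basic_auth_header(user, password),
        "Content-Type": "application/json",
        "Accept": "application/json",
    }
    status, current = transport("GET", url, headers, None, ca_bundle)
    if status != 200:
        raise RuntimeError(f"GET security-config failed with HTTP {status}")
    if tls_enabled(current):
        return False, current  # already on; nothing to change

    status, _ = transport("PATCH", url, headers, build_payload(True), ca_bundle)
    if status not in (200, 204):
        raise RuntimeError(f"PATCH security-config failed with HTTP {status}")

    # Re-read so we report what NSX actually stored, not what we asked for.
    status, after = transport("GET", url, headers, None, ca_bundle)
    if status != 200 or not tls_enabled(after):
        raise RuntimeError("PATCH was accepted but TLS is still reported disabled")
    return True, after


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Enable TLS Inspection on a Tier-1 gateway")
    ap.add_argument("manager", help="NSX Manager FQDN or IP, e.g. nsx-manager.example.invalid")
    ap.add_argument("tier1_id", help="Policy ID of the Tier-1 gateway")
    ap.add_argument("--user", default="admin")
    ap.add_argument("--ca-bundle", required=True, help="PEM file trusting the manager cert")
    args = ap.parse_args()
    changed, cfg = enable_tls_inspection(
        args.manager, args.tier1_id, args.user, getpass.getpass("NSX password: "), args.ca_bundle
    )
    print("changed" if changed else "already enabled", json.dumps(cfg, indent=2))
```

Run it as `python enable_tls.py nsx-manager.example.invalid <tier-1-id> --ca-bundle nsx-ca.pem`. The read-back step matters operationally: error 289 is an ownership check, so confirming the stored state after the PATCH is the quickest way to tell an accepted API call from one that was silently rejected.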
Note: The effect that TLS Inspection has on a platform depends directly on how it is configured. To avoid unexpected errors after enabling TLS Inspection, it is important to read the documentation carefully. It is also necessary to create TLS Decryption Action Profiles.
Below you will find the documentation for both topics:
Creating TLS Decryption Action Profiles: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/security/gateway-firewall/tls-inspection/creating-tls-decryption-action-profiles.html
TLS Inspection: https://techdocs.broadcom.com/us/en/vmware-cis/nsx/vmware-nsx/4-2/administration-guide/security/gateway-firewall/tls-inspection.html