REST API calls using a vIDM user fail in NSX-T
Article ID: 319104

Products

VMware NSX

Issue/Introduction

Symptoms:

  • With NSX-T, vIDM can be used to authenticate users to the NSX-T Manager.
  • When you use a vIDM user with the correct permissions to run REST API calls, the calls may fail.
  • You can successfully log in to the NSX-T Manager UI with the same user you are using for the REST API calls and make changes.
  • The NSX-T Manager is configured to use vIDM, and the vIDM setup consists of a separate connector and a vIDM server.


Below is a sample REST API query and the results you may see:

# curl  --header "Authorization: Remote bnN4YWRtaW5AY#################==" --insecure -s --request GET https://<nsx-mgr>/api/v1/logical-ports

{
    "module_name" : "common-services",
    "error_message" : "The credentials were incorrect or the account specified has been locked.",
    "error_code" : "403"
}



Environment

VMware NSX

Cause

This happens when a separate connector server and a vIDM server are configured and the vIDM server does not trust the CA certificate of the connector server. NSX-T's authentication request is passed from vIDM to the connector over TLS, so the untrusted connector certificate causes the request to fail.

Resolution

To resolve this issue, the vIDM server must trust the CA certificate of the connector server.

Workaround:
Enable Outbound Mode for the Connector. In outbound mode the connector initiates the connection to the vIDM server, so the vIDM server does not need to trust the connector certificate.
Details on how to achieve this can be found in the following official documentation:

VMware Identity Manager Documentation




If you still have issues after enabling Outbound Mode for the Connector, you may need to manually trust the connector certificate in vIDM:
Run the following commands from a Linux shell:
openssl s_client -connect your-connector-ip:443

Where your-connector-ip is the connector's IP address or resolvable hostname.
The command returns a long output that includes the certificate.
Select everything between the lines below, including the BEGIN and END lines of the certificate, and copy it to your clipboard:
-----BEGIN CERTIFICATE-----
MIIG....XdvA0
-----END CERTIFICATE-----
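The copy-and-paste step above is where most mistakes happen (a missing BEGIN/END line, a stray prompt, or a wrapped line). The script below is an added example, not part of the KB article: it extracts every PEM block from saved openssl s_client output and sanity-checks that the body decodes to DER before you paste it into vIDM. It assumes the s_client output was saved to a file, for example `openssl s_client -connect your-connector-ip:443 </dev/null > connector.txt` (the `</dev/null` only stops s_client from waiting for input). The sample output and the certificate body "MAMCAQE=" are constructed placeholders, not a real certificate; `fetch_leaf_certificate` is a hypothetical helper name.

```python
"""Extract the PEM certificate block(s) from `openssl s_client` output for pasting into
vIDM, and check each block is a plausible DER certificate before it is trusted.

Added example, not from the KB article. Sample text and the "MAMCAQE=" body are constructed.
"""
import binascii
import re
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.S
)

# Constructed sample of s_client output; only the PEM block matters here.
SAMPLE_S_CLIENT_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = connector.example.test
verify error:num=18:self signed certificate
---
Certificate chain
 0 s:CN = connector.example.test
   i:CN = connector.example.test
---
Server certificate
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
subject=CN = connector.example.test
issuer=CN = connector.example.test
---
"""


def extract_pem_blocks(s_client_output):
    """Return every PEM certificate in the output, with BEGIN/END lines and LF endings."""
    blocks = []
    for match in PEM_BLOCK.finditer(s_client_output):
        body = "\n".join(l.strip() for l in match.group(1).splitlines() if l.strip())
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return blocks


def looks_like_der_certificate(pem):
    """Cheap paste-error check: the base64 body must decode, and the first byte must be the
    ASN.1 SEQUENCE tag (0x30) that every X.509 certificate starts with."""
    try:
        der = ssl.PEM_cert_to_DER_cert(pem)
    except (ValueError, binascii.Error):
        return False
    return len(der) > 0 and der[0] == 0x30


def fetch_leaf_certificate(host, port=443):
    """Network equivalent of the s_client command (hypothetical helper): returns the server's
    own certificate as PEM. No chain verification is done here on purpose: the certificate
    is being retrieved so it can be checked (e.g. its fingerprint, out of band) and then
    added to vIDM's Trusted CAs."""
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_S_CLIENT_OUTPUT
    for i, pem in enumerate(extract_pem_blocks(text)):
        status = "ok" if looks_like_der_certificate(pem) else "NOT a valid certificate body"
        path = f"connector-{i}.pem"
        with open(path, "w") as f:
            f.write(pem)
        print(f"{path}: {status}")
```

Run it as `python3 extract_cert.py connector.txt`; each PEM block is written to its own file and flagged if the base64 body does not decode to a DER SEQUENCE. If the connector certificate is issued by an internal CA, s_client with `-showcerts` prints the chain as well, and the CA certificate (the one vIDM actually needs to trust) is then the last block returned.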

To install this certificate on vIDM:
  • On the vIDM server, log in to the Admin Portal
  • Go to Appliance Settings
  • Click Manage Configuration
  • Enter your vIDM system admin password
  • Select the Install SSL Certificates option in the left sidebar
  • Select the Trusted CAs tab
  • Paste the connector certificate copied earlier into the Root or Intermediate Certificate text box
  • Click Add.
  • You will be presented with a warning:
    • Note: THIS OPERATION WILL RESTART YOUR VIDM SERVER SO MAY AFFECT CURRENT LOGGED IN USERS !
  • Click OK.
  • Once the service restart is complete, the spinning wheel on the page goes away.
Then retry the NSX-T REST API call.

Additional Information

Another possible cause of this behavior is the NSX Manager clock being behind the vIDM clock: the access token issued by vIDM then carries an issue time that, from the NSX Manager's point of view, lies in the future, and NSX rejects it.
Check /var/log/proxy/reverse-proxy.log on the NSX Manager at the time of the failed authentication.

Example logging if NSX date is behind vIDM date:

2022-05-10T17:00:00.688Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Fetch information from vIDM Discovery Endpoint https://{vIDM hostname}/SAAS/auth/.well-known/openid-configuration
2022-05-10T17:00:00.778Z  INFO https-jsse-nio-<IP>-443-exec-2 NsxTrustManager 30035 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Trust thumbprint of CN=##########,OU=######,O=### Inc.,C=##
2022-05-10T17:00:00.862Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Fetch public key from https://{vIDM hostname}/SAAS/API/1.0/REST/auth/token?attribute=publicKey&format=pem
2022-05-10T17:00:00.904Z  INFO https-jsse-nio-<IP>-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Validate access token locally: <token info>
2022-05-10T17:00:00.905Z  WARN https-jsse-nio-<IP>-443-exec-2 CustomOidcAuthorizationCodeAuthenticationProvider 30035 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
2022-05-10T17:00:00.905Z ERROR https-jsse-nio-<IP>-443-exec-2 NsxBasicAuthenticationFilter 30035 - [nsx@6876 comp="nsx-manager" errorCode="MP60204" level="ERROR" subcomp="http"] error
org.springframework.security.authentication.BadCredentialsException: Could not obtain user details from token
Caused by: org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Token has been issued in the future: <UNIX timestamp>
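The log excerpt above only says that the token was issued "in the future"; what a practitioner usually wants next is how large the skew is, which tells you whether NTP drift or a grossly wrong clock is at fault. The script below is an added example, not from the KB article: it scans reverse-proxy.log for the InvalidTokenException, pairs it with the timestamp of the ERROR entry it belongs to, and reports how far ahead the vIDM clock was. The log lines are constructed to match the article's format (IP, host and token timestamp 1652202300 are made up), and it assumes the value after "issued in the future:" is a Unix time in seconds (treated as milliseconds if it is implausibly large). `vidm_clock_offset` is a hypothetical helper with a placeholder URL.

```python
"""Detect the clock-skew failure described above in /var/log/proxy/reverse-proxy.log and
quantify it. Added example, not from the KB article; sample log lines are constructed."""
import re
import urllib.request
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

LOG_TS = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z\s")
FUTURE_TOKEN = re.compile(r"Token has been issued in the future: (\d+)")

# Constructed sample in the article's log format; 1652202300 is a made-up token timestamp.
SAMPLE_LOG = """\
2022-05-10T17:00:00.904Z  INFO https-jsse-nio-10.0.0.1-443-exec-2 VidmTokenServices 30035 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Validate access token locally: <token info>
2022-05-10T17:00:00.905Z  WARN https-jsse-nio-10.0.0.1-443-exec-2 CustomOidcAuthorizationCodeAuthenticationProvider 30035 - [nsx@6876 comp="nsx-manager" level="WARNING" subcomp="http"] password grant flow authentication failed
2022-05-10T17:00:00.905Z ERROR https-jsse-nio-10.0.0.1-443-exec-2 NsxBasicAuthenticationFilter 30035 - [nsx@6876 comp="nsx-manager" errorCode="MP60204" level="ERROR" subcomp="http"] error
org.springframework.security.authentication.BadCredentialsException: Could not obtain user details from token
Caused by: org.springframework.security.oauth2.common.exceptions.InvalidTokenException: Token has been issued in the future: 1652202300
"""


def parse_log_time(stamp):
    """Log timestamps are UTC ('Z') with fractional seconds."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def find_clock_skew(log_text):
    """One finding per 'issued in the future' exception: when NSX logged it, when vIDM says
    the token was issued, and how far ahead the vIDM clock was (positive = vIDM ahead)."""
    findings = []
    last_ts = None
    for line in log_text.splitlines():
        m = LOG_TS.match(line)
        if m:
            last_ts = parse_log_time(m.group(1))
        # Stack-trace lines carry no timestamp; they belong to the last stamped entry.
        m = FUTURE_TOKEN.search(line)
        if m and last_ts is not None:
            raw = int(m.group(1))
            issued = raw / 1000 if raw > 10**11 else raw  # assumption: ms if implausibly large
            findings.append({
                "logged_at": last_ts.isoformat(),
                "token_issued_at": datetime.fromtimestamp(issued, timezone.utc).isoformat(),
                "vidm_ahead_by_seconds": round(issued - last_ts.timestamp(), 3),
            })
    return findings


def vidm_clock_offset(vidm_url="https://vidm.example.test/", timeout=5):
    """Live check (hypothetical helper, placeholder URL): compare this host's clock with the
    Date header vIDM returns. Run from the NSX Manager against the real vIDM hostname;
    the HTTPS certificate must already be trusted by this host's CA store."""
    req = urllib.request.Request(vidm_url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        server_time = parsedate_to_datetime(resp.headers["Date"])
    return (server_time - datetime.now(timezone.utc)).total_seconds()


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in find_clock_skew(text):
        print(f"{f['logged_at']}: token issued {f['token_issued_at']}, "
              f"vIDM ahead by {f['vidm_ahead_by_seconds']} s")
```

For the constructed sample the script reports vIDM about 299 seconds ahead of the NSX Manager. A skew of a few seconds points at NTP drift; minutes or more usually means NTP is not configured or not reachable on one of the two appliances, which is the condition the log excerpt above illustrates.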