In this blog I will walk you through the steps to integrate NSX-T with VMware Identity Manager (vIDM) for role-based access control. NSX-T Data Center appliances ship with only two built-in local users, admin and audit. To add more users and get granular control over accounts and access within NSX, we integrate NSX-T with vIDM and configure role-based access control (RBAC) for the users that vIDM manages.
Prerequisites:
- NSX-T deployed and configured
- vIDM already deployed and integrated with the customer's Active Directory
- NSX-T time-synchronized with a valid NTP server, and vIDM synchronizing its time with an ESXi host that is itself configured with a valid NTP server (the integration relies on the two clocks agreeing)
- vIDM configured to accept sAMAccountName as the username attribute, not userPrincipalName (UPN)
- The SHA-256 certificate thumbprint of the vIDM node (steps below)
- NSX Manager registered as an OAuth client in vIDM; make a note of the Client ID and Client Secret for the configuration
Steps to obtain the certificate thumbprint from vIDM:
- SSH to the vIDM node as root.
- If vIDM still uses the self-signed certificate from the initial installation, change to the conf folder and read the fingerprint from the certificate file:
Command: cd /usr/local/horizon/conf/
Command: openssl x509 -in nsxtvidm.domain.com_cert.pem -noout -sha256 -fingerprint
- If you have installed a CA-signed (or any other) certificate of your own, do not rely on that file: a replacement certificate is written to the vIDM certificate store and the file under /usr/local/horizon/conf/ still holds the old self-signed one. Instead query the running web server on port 443, which reports whatever certificate is currently presented:
Command: openssl s_client -connect <FQDN of vIDM host>:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin
- Make a note of the thumbprint (the value after "SHA256 Fingerprint=") for the integration.
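The two openssl commands above, expressed as an added Python example (it is not part of the original post and not VMware's code). It computes the SHA-256 thumbprint either from a PEM file or from whatever the live vIDM service presents on port 443, and it normalises thumbprints so the value you pasted into NSX Manager can be compared with the one currently served, which is the first thing to check when the integration stops working after a certificate renewal. The placeholder DER bytes, the host name and the function names are my own assumptions.

```python
"""Compute and compare the vIDM SHA-256 certificate thumbprint that NSX-T expects."""
import hashlib
import re
import socket
import ssl


def sha256_thumbprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate in the form openssl
    prints it: 32 uppercase hex bytes separated by colons."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def thumbprint_from_pem(pem: str) -> str:
    """Equivalent of: openssl x509 -in file.pem -noout -sha256 -fingerprint"""
    return sha256_thumbprint(ssl.PEM_cert_to_DER_cert(pem))


def thumbprint_from_server(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Equivalent of: openssl s_client -connect host:443 | openssl x509 -sha256 -fingerprint
    Fetches the leaf certificate the service presents right now. Chain verification
    is deliberately off: we are recording what is served (that is what NSX-T pins
    with the stored thumbprint), not validating it against a CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha256_thumbprint(der)


def normalize_thumbprint(raw: str) -> str:
    """Accept the thumbprint as it appears in the usual places
    ('SHA256 Fingerprint=ab:cd:...', 'ABCD...', with or without colons, any case)
    and return the canonical colon-separated uppercase form."""
    value = raw.strip().split("=", 1)[-1]          # drop an 'SHA256 Fingerprint=' prefix
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", value)  # drop colons, spaces, quotes
    if len(hexdigits) != 64:
        raise ValueError(f"not a SHA-256 thumbprint: {raw!r}")
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 64, 2))


def thumbprints_match(configured: str, presented: str) -> bool:
    """Compare two thumbprints regardless of how they were copied."""
    return normalize_thumbprint(configured) == normalize_thumbprint(presented)


def check_vidm_thumbprint(host: str, configured: str) -> dict:
    """Live drift check: does the thumbprint stored in NSX Manager (System > Users >
    Configuration) still match what the vIDM node serves? A mismatch after a
    certificate replacement is the usual reason the integration breaks."""
    presented = thumbprint_from_server(host)
    return {
        "host": host,
        "configured": normalize_thumbprint(configured),
        "presented": presented,
        "match": thumbprints_match(configured, presented),
    }


# Constructed sample input (NOT a real certificate): a placeholder DER blob wrapped in
# PEM armour, just enough to exercise the hashing and parsing paths offline.
SAMPLE_DER = bytes(range(256))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        # e.g. python3 vidm_thumbprint.py nsxtvidm.domain.com 'SHA256 Fingerprint=AB:CD:...'
        print(check_vidm_thumbprint(sys.argv[1], sys.argv[2]))
    else:
        print(thumbprint_from_pem(SAMPLE_PEM))
```

Run it with the vIDM FQDN and the thumbprint you configured in NSX Manager to confirm they still agree; run it with no arguments to see the output format on the constructed sample. The file name vidm_thumbprint.py is an assumption.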
Steps to create the OAuth client in vIDM:
- Log in to the vIDM admin page and navigate to Catalog, then Settings.
- Click Remote App Access, then Create Client.
- Select Service Client Token as the Access Type. Enter a Client ID (I have used NSXT), make a note of the Shared Secret, then click Add.
- Check that the OAuth client was created successfully and is visible under Remote App Access.
Steps to integrate NSX-T with vIDM:
- Log in to NSX-T Manager with the admin credentials.
- Navigate to System, then Users, and click Configuration.
- Click Edit.
- Enable VMware Identity Manager Integration, fill in the values captured while creating the OAuth client in vIDM (Client ID and Client Secret) and the SSL thumbprint captured earlier, then click Save.
- Verify that the settings were saved successfully.
Now you will be able to assign multiple roles to the users that vIDM manages.
As this is a lab deployment, I have added multiple roles to one user just to show the roles available after the integration.
Reference Documents:
NSX-T Role-Based Access Control: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.4/administration/GUID-26C44DE8-1854-4B06-B6DA-A2FD426CDF44.html
Time Synchronization between NSX Manager, vIDM, and Related Components: https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.4/administration/GUID-4756E218-860C-4425-87B7-B26E8FA4BD50.html
This completes the step-by-step integration of NSX-T with vIDM for RBAC.
Hope you find this useful. Thanks for reading, Keep sharing.
Reading the vIDM certificate from the path /usr/local/horizon/conf/ is the wrong way.
This only works as long as you use the self-signed certificate from the initial installation process.
If you install your own certificate in vIDM, it is written to a certificate store and can no longer be found in the file system. In /usr/local/horizon/conf/ you will still find the old self-signed certificate.
This error in the documentation was corrected in V2.3.x.
In the new variant, a request is made to the vIDM web server port (443) using the openssl command, whereby the currently installed certificate is transferred and the SHA-256 hash is calculated from it.
https://docs.vmware.com/en/VMware-NSX-T-Data-Center/2.5/administration/GUID-1A78C603-5351-42A8-AE56-F37327E4F8E7.html
Regards
Hannes
Thanks for the feedback, Hannes. I will modify the post based on the latest NSX-T document for signed certificates.