NSX-T integrates with VMware Identity Manager (vIDM) to provide remote user authentication and role based access control (RBAC).
A customer recently asked how to use AD accounts, provisioned into NSX-T role based access control through vIDM, from Postman or curl.
Steve Fanders provided excellent examples on how to deploy and configure vIDM and then how to add an AD directory to vIDM. Angel Villar Garea has provided excellent detail on using RBAC with NSX-T.
But once the NSX-T to vIDM and the vIDM to Windows AD integrations have been completed, how can you use AD accounts to administer NSX-T?
The key is that the two kinds of account use different schemes in the HTTP Authorization header: Basic for NSX-T local accounts, and Remote for vIDM accounts synced with Windows AD. In both cases the credentials are sent as username:password in Base64 encoded form. Base64 is an encoding, not encryption: anyone who can read the request can recover the password, so these calls must only go over TLS to a manager whose certificate you actually verify.
In my NSX-T / vIDM integrated lab, NSX-T Manager has the following two administrative accounts, each granted the NSX-T Enterprise Admin role:
- NSX-T account admin, with password VMware1!VMware1!
- vIDM account administrator@core.hypervizor.com, with password VMware1!
The first step is to Base64 encode each username:password pair.
This can be done at https://www.base64encode.org/, but most users will not be comfortable handing AD domain credentials to an Internet web site, and they should not: the site sees the clear-text password. Notice here that "admin:VMware1!VMware1!" Base64 encodes to "YWRtaW46Vk13YXJlMSFWTXdhcmUxIQ==".
An alternative is to Base64 encode username:password locally, in the JavaScript console of Chrome's Developer Tools (any modern browser console behaves the same way), so the credentials never leave the machine.
- Use the JavaScript function btoa to Base64 encode the username:password pair:
    > btoa("admin:VMware1!VMware1!");
    < "YWRtaW46Vk13YXJlMSFWTXdhcmUxIQ=="
- As a sanity check, use atob to decode the result and confirm the clear-text username:password is what you expect:
    > atob("YWRtaW46Vk13YXJlMSFWTXdhcmUxIQ==");
    < "admin:VMware1!VMware1!"
- The vIDM account is encoded the same way. No escaping is needed for the "." or "@" in administrator@core.hypervizor.com: btoa encodes the string exactly as given, and "\." inside a JavaScript string literal is simply ".":
    > btoa("administrator@core.hypervizor.com:VMware1!");
    < "YWRtaW5pc3RyYXRvckBjb3JlLmh5cGVydml6b3IuY29tOlZNd2FyZTEh"
- Decode it again to check:
    > atob("YWRtaW5pc3RyYXRvckBjb3JlLmh5cGVydml6b3IuY29tOlZNd2FyZTEh");
    < "administrator@core.hypervizor.com:VMware1!"
One caveat: btoa only accepts characters in the Latin-1 range and throws an InvalidCharacterError for anything else, so a password containing other Unicode characters cannot be passed to btoa directly.
The solution for curl:
Now that the Base64 encoded strings have been collected, here is the resulting syntax for the local NSX-T account. Notice that the Authorization scheme is Basic (the -k flag skips certificate verification, which is tolerable only in a lab with a self-signed manager certificate):
[root@ansible ~]# curl -k -H "Authorization: Basic YWRtaW46Vk13YXJlMSFWTXdhcmUxIQ==" https://nsxtmgr.core.hypervizor.com/api/v1/dhcp/relays
{
  "results" : [ {
    "dhcp_relay_profile_id" : "e7f6bb7c-2ba2-4a41-be3a-7679c0c1e6ca",
    "resource_type" : "DhcpRelayService",
    "id" : "9cc82672-a9f3-4b3d-adf1-83deb5fc2804",
    "display_name" : "dhcp-relay-service",
    "_create_user" : "admin",
    "_create_time" : 1560705082903,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1560705082903,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0
  } ],
  "result_count" : 1
}
Here is the resulting syntax for the vIDM account. Notice that the Authorization scheme is Remote; because both accounts hold the Enterprise Admin role, the response is identical:
[root@ansible ~]# curl -k -H "Authorization: Remote YWRtaW5pc3RyYXRvckBjb3JlLmh5cGVydml6b3IuY29tOlZNd2FyZTEh" https://nsxtmgr.core.hypervizor.com/api/v1/dhcp/relays
{
  "results" : [ {
    "dhcp_relay_profile_id" : "e7f6bb7c-2ba2-4a41-be3a-7679c0c1e6ca",
    "resource_type" : "DhcpRelayService",
    "id" : "9cc82672-a9f3-4b3d-adf1-83deb5fc2804",
    "display_name" : "dhcp-relay-service",
    "_create_user" : "admin",
    "_create_time" : 1560705082903,
    "_last_modified_user" : "admin",
    "_last_modified_time" : 1560705082903,
    "_system_owned" : false,
    "_protection" : "NOT_PROTECTED",
    "_revision" : 0
  } ],
  "result_count" : 1
}
[root@ansible ~]#
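The whole procedure above (encode locally, pick Basic or Remote by account type, call the API) as one small POSIX shell script. This is an added example, not code from the original post: the manager name, the CA bundle path and the NSXT_MANAGER / NSXT_CA_BUNDLE variables are placeholders of this script, not NSX-T settings, and it uses --cacert instead of the post's curl -k so the password-bearing header is only ever sent over a verified TLS session.

```shell
#!/bin/sh
# Added example (not from the original post): build the NSX-T Authorization
# header locally and call the API without disabling certificate checks.
# Assumptions: the manager name, the CA bundle path and the environment
# variables NSXT_MANAGER / NSXT_CA_BUNDLE are this script's own placeholders.

# Base64 encode "user:password" on the local machine, so AD credentials never
# leave the host. printf '%s' avoids the trailing newline echo would add and
# tr strips the line wrapping GNU base64 inserts after 76 characters.
encode_creds() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Decode an encoded value and compare it with the expected clear text, the
# same sanity check the post performs with atob(). Returns 0 on a match.
roundtrip_ok() {
    [ "$(printf '%s' "$1" | base64 -d)" = "$2" ]
}

# Pick the scheme by account type: Basic for NSX-T local accounts, Remote for
# vIDM accounts synced from AD. Anything else is rejected rather than guessed.
auth_header() {
    acct_type="$1"
    creds="$2"
    case "$acct_type" in
        local) printf 'Authorization: Basic %s' "$(encode_creds "$creds")" ;;
        vidm)  printf 'Authorization: Remote %s' "$(encode_creds "$creds")" ;;
        *)     echo "unknown account type: $acct_type (use local or vidm)" >&2
               return 1 ;;
    esac
}

# GET an NSX-T API path with the chosen account. The header carries the
# password in clear text under Base64, so the request must only go over a
# verified TLS session: --cacert replaces the post's curl -k.
nsxt_get() {
    acct_type="$1"
    creds="$2"
    api_path="$3"
    header=$(auth_header "$acct_type" "$creds") || return 1
    curl --silent --show-error --fail \
         --cacert "${NSXT_CA_BUNDLE:-/etc/pki/tls/certs/nsxt-ca.pem}" \
         -H "$header" \
         "https://${NSXT_MANAGER:-nsxtmgr.core.hypervizor.com}${api_path}"
}

# Usage, with the lab credentials from the post:
#   nsxt_get local 'admin:VMware1!VMware1!' /api/v1/dhcp/relays
#   nsxt_get vidm  'administrator@core.hypervizor.com:VMware1!' /api/v1/dhcp/relays
```

Source the file and call nsxt_get with the account type, the user:password pair and the API path; encode_creds on the two lab accounts produces exactly the strings the btoa() calls above produce, and an unknown account type fails rather than silently sending Basic for a vIDM user (which NSX-T would reject).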
The Solution for Postman:
For the local account, choose Authorization Type Basic Auth in Postman and enter the username and password; Postman builds the Base64 encoded Authorization header for you, with a Value starting with "Basic":
Postman has no built-in option for the Remote scheme, so for the vIDM account set Authorization Type to No Auth:
Then, on the Headers tab, add a header with Key Authorization and Value: Remote YWRtaW5pc3RyYXRvckBjb3JlLmh5cGVydml6b3IuY29tOlZNd2FyZTEh
That covers it: with the right scheme in the Authorization header, both local and vIDM (AD) accounts can manage NSX-T from curl and Postman.
Great insight. Thanks Gary for posting this!!
Thanks for your support!