Introduction
NSX Federation enables admins to manage multiple local NSX-T Managers from a single pane of glass, through the use of a global NSX-T Management cluster. NSX-T Federation is available since NSX-T version 3.0 (production-ready since 3.1) and it’s available through a manual guide for VMware Cloud Foundation version 4.2 and later.
One of the problems occurs after the local NSX-T Manager configuration has been imported into the global NSX-T Manager and the admin password is changed afterwards on the local NSX-T Manager. The admin account will then be locked out.
This can be prevented by adjusting the “lockout_immune_addresses” parameter on the LOCAL NSX-T Manager.
VMware has written a guide to change this, but DON’T USE THIS! It will break your security configuration as it completely rewrites the security configuration in a wrong manner.
This blog provides a better way of setting the parameter.
Procedure
- Log on to a jump-host that has access to your NSX-T Managers
- Retrieve the current security configuration from your local NSX-T Manager using the Postman GET method.
- Start the Postman application and log in.
- On the Authorization tab, enter the following settings and click Update Request.
Type – Basic Auth
User Name – Admin
Password – nsx-t_admin_password
- On the Headers tab, add a key by using the following details.
Key – Content-Type
Key Value – application/json
- On the request pane at the top, send the following HTTP request
HTTP request method – GET
URL – https://<nsx-t_manager_FQDN>/api/v1/cluster/api-service (change the FQDN to your local NSX Manager FQDN)
- After a successful response (“status: 200 OK”), copy the returned JSON-formatted body response from the Body tab to your favorite code-/text-editor.
- Add the “lockout_immune_addresses” information to the JSON response:
- Search for the “lockout_immune_addresses”-line in the JSON response -or- when the line cannot be found in the JSON response, add a new line with “lockout_immune_addresses”.
Be aware that a “,” must be added to the end of the previous line.
- Add the IP addresses of all global NSX Managers (including the VIP addresses) between the brackets in the following format:
"lockout_immune_addresses": [ "172.16.11.95", "172.16.11.96", "172.16.11.97", "172.16.11.98" ]
Leave the quotes intact!
- Send the new security configuration to the local manager using the Postman PUT method
- Take the previous Postman HTTP request and change the HTTP request method from GET to PUT.
- On the Body tab, paste the new JSON-formatted security configuration from your code-/text editor.
- Send the new HTTP request and confirm a successful response (“status: 200 OK”).
- Execute steps 2 to 4 for all local NSX-T Managers.
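The same GET / edit / PUT sequence as a script, added here as an example (not from the original post or from VMware). The point of doing it this way is the same as the manual edit above: only the `lockout_immune_addresses` key changes, every other key returned by `/api/v1/cluster/api-service` (including `_revision`) is sent back untouched. The manager FQDN, credentials and the `merge_lockout_immune` / `api_service_request` names are assumptions for this example.

```python
"""Add global NSX Manager IPs to lockout_immune_addresses on a local NSX-T Manager.

Added example: GET the api-service security config, merge the addresses in,
PUT the whole config back so nothing else in it is rewritten.
"""
import base64
import copy
import ipaddress
import json
import ssl
import urllib.request


def merge_lockout_immune(config: dict, global_managers: list) -> dict:
    """Return a copy of the api-service config with global_managers added.

    Existing immune addresses and all other keys stay as they are; duplicates
    are skipped and every address must parse as an IPv4/IPv6 address, so a typo
    fails here instead of being written to the manager.
    """
    updated = copy.deepcopy(config)
    current = list(updated.get("lockout_immune_addresses", []))
    for addr in global_managers:
        ipaddress.ip_address(addr)  # raises ValueError on a malformed address
        if addr not in current:
            current.append(addr)
    updated["lockout_immune_addresses"] = current
    return updated


def api_service_request(manager_fqdn: str, user: str, password: str, body=None) -> dict:
    """GET (body is None) or PUT the /api/v1/cluster/api-service resource."""
    url = f"https://{manager_fqdn}/api/v1/cluster/api-service"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        url, data=data, method="PUT" if body is not None else "GET",
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"})
    ctx = ssl.create_default_context()  # manager certificate must be trusted by this host
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholder values: substitute your local manager FQDN, password and global manager IPs.
    LOCAL_MANAGER = "nsx-local-01.example.com"
    GLOBAL_MANAGERS = ["172.16.11.95", "172.16.11.96", "172.16.11.97", "172.16.11.98"]
    current_cfg = api_service_request(LOCAL_MANAGER, "admin", "nsx-t_admin_password")
    new_cfg = merge_lockout_immune(current_cfg, GLOBAL_MANAGERS)
    result = api_service_request(LOCAL_MANAGER, "admin", "nsx-t_admin_password", new_cfg)
    print(json.dumps(result.get("lockout_immune_addresses"), indent=2))
```

Run it once per local NSX-T Manager; a 200 response carries the stored configuration back, so the printed list shows what the manager now holds.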