VCF 4.5.x

How To Reset an NSX-T API Local Account Password and Make the Account Active

Pradeep AdapaLeave a comment

In this post, let us see how to reset a password and make the account active in NSX-T.

Remember that this account was created using API as you can’t create local accounts using NSX-T UI. My NSX-T version is 3.2.2.x.x

Back Story: one of the local accounts which I created for skyline collector in our NSX-T environment password was expired. Hence, I had to use the API to Update the User account password and status to make the account ACTIVE again.

Use an API Editor like Postman to get the required data as shown in the screenshot below:

Your Image

In the GET field, you will be providing the following code.

https://<nsx-t hostname/IP-address>/api/v1/node/users/<user-id>

You can get the user-id pretty easily by going to System and User Management in NSX-T UI and get the user-id. In the above example my user-id is 10003. Then go to the Authorization tab and provide the username and password of the NSX-T Manager where you want to make these changes. Then click on Send option to get the required info.

you will get the data as the below screenshot.

You will observe that the last password has been changed 95 days ago, password change frequency is every 90 days, status is password expired and the actual username (in this case its labprdsky_nsxt)

you will have to change the body of this into the below values

{
    "full_name": "Guest User1",
    "last_password_change": 1,
    "password_change_frequency": 999,
	"old_password": "<old_password>",
	"password": "<new_password>",
    "password_reset_required": false,
    "status": "ACTIVE",
    "userid": 10003,
    "username": "labprdsky_nsxt"
}

You can change the password_change_frequency from 0 to 9999, you will have to provide the old password which is expired and the new password for this account and change the status to ACTIVE.

We will copy the above code into the body of the next PUT statement as shown below

Change the GET to PUT and insert the above code with the changed values in the body as the screenshot shown above and click on Send

The output will be displayed as below

{
    "full_name": "Guest User1",
    "last_password_change": 0,
    "password_change_frequency": 999,
    "password_reset_required": false,
    "status": "ACTIVE",
    "userid": 10003,
    "username": "labprdsky_nsxt"
}

The above output is in code form in case you want to copy it.

Now you can do the above GET command to get the status of the user and you will see that this account shows as active and the password change frequency is now 999 days.

Final output for GET for that user 10003

Hope this writeup helped you to unlock and reset the password of an local user created using API in NSX-T.

An Unexpected Error Occurred When trying to access the settings in Aria Suite Lifecycle Manager (8.12.x)

Pradeep AdapaLeave a comment

Recently, I have patched our Aria Suite Lifecycle Manager from 8.12.0 to 8.12.x Patch 2 from its web UI and encountered a strange issue where we were getting the following error when trying to get into any of the settings like ‘System Patches, System Upgrade, System Settings, DNS, NTP Servers, Binary Mapping’ etc., on the web UI.

Upon closer inspection, I couldn’t find anything wrong with the appliance itself or its services.

I even restarted the appliance with no success

I checked the vpostgres service, vrlcm-server service and they were active.

Resolution:

I stopped and started the vrlcm-service and this resolved the issue. I am not able to get into all the settings on the VRSLCM Web UI.

The above screenshot shows the commands to stop and start the service on the VRSLCM SSH Session.

Hope this helps if you come across this issue.

Enable Certificate Validation in SDDC Manager (VCF 4.5.x)

Pradeep AdapaLeave a comment

Recently, I had to use the Asyncpatch tool in SDDC Manager to Patch our vcenter to 7.0U3o due to the Critical Security patch VMSA-2023-0023 and came across this issue when performing the precheck for Management Domain in SDDC Manager.

If you Expand “Sddc Security Configuration”, the error was on the option “VMware Cloud Foundation certificate validation check”

if you come across this issue, perform the following commands to enable the Certificate Validation Check in SDDC Manager

Review the Certificate Validation Setting

Command --
root@sddcmgr1# curl localhost/appliancemanager/securitySettings

Output --
{"fipsMode":false,"certificateValidationEnabled":false}

Enable the Certification Validation

Command --
root@sddcmgr1# curl 'http://localhost/appliancemanager/securitySettings' -X POST -H 'Content-Type: application/json' -H 'Accept: application/json' -d '{"fipsMode":false,"certificateValidationEnabled":true}'

Check the Certificate Validation Setting after Enabling the Certificate Validation

Command --
root@sddcmgr1# curl localhost/appliancemanager/securitySettings

Output --
{"fipsMode":false,"certificateValidationEnabled":true}

You can observe from the above Output that the certificate validation is enabled as true.

Now, you can go ahead and retry the precheck and it will go through.

The final precheck which is green is shown in the screenshot below

How to Change the admin@local account password in VCF 4.5.x (UNOFFICIAL)

Pradeep AdapaLeave a comment

You might have come across an issue where the VCF REST API User account admin@local password is either lost or need to reset the password of this account.

NOTE: This is NOT an official way to do it according to VMware and is meant to be done under the supervision of VMware Support.

Login into the SDDC Manager as vcf and go to the root user prompt

sddcmanager#

type the following commands to reset the password of admin@local account on the sddc manager

mkdir -p /etc/security/local
chown root:vcf_services /etc/security/local
chmod 650 /etc/security/local
echo -n "" > /etc/security/local/.localuserpasswd
chown root:vcf_services /etc/security/local/.localuserpasswd
chmod 660 /etc/security/local/.localuserpasswd

type the following command to set a new password -  in this example it is NewP@SSW0rd010

echo -n 'NewP@SSW0rd010' | openssl dgst -sha512 -binary | openssl enc -base64 | tr -d '\n' > /etc/security/local/.localuserpasswd

Once you have changed the password, I would recommend to restart the sddc manager services using the following command

/opt/vmware/vcf/operationsmanager/scripts/cli/sddcmanager_restart_services.sh

Once the services are restarted, you can verify if the password for admin@local has been successfully changed by going to lookup_passwords

in lookup_passwords, use the admin@local to check if it can pull the passwords from the SDDC Password Manger.

Failed to get tasks data. Something went wrong. SDDC Manager 4.5 Password Management shows Error Message on its UI

Pradeep AdapaLeave a comment

Recently, after upgrading our SDDC Manager from 3.11.1 to 4.5, I came across an UI message on the SDDC Password Management tab as follows:

Issue Description: The error message shown in the screenshot above is “Failed to get tasks data. Something went wrong. Please retry or contact the service provider and provide the reference token.

Root Cause: As I was digging deeper into this, I found that the functionality of the password manager itself was fine, but it was somehow not able to get the complete task list data and hence throwing this error out.

after looking at the operationsmanager log at

/var/log/vmware/vcf/operationsmanager/operationsmanager.log

we found the following error in the log

2023-08-08T16:02:57.768+0000 ERROR [vcf_om,0000000000000000,0000] [o.a.c.c.C.[.[.[.[dispatcherServlet],http-nio-127.0.0.1-7300-exec-6] Servlet.service() for servlet [dispatcherServlet] in context wit
h path [/operationsmanager] threw exception [Request processing failed; nested exception is java.lang.IllegalArgumentException: No enum constant com.vmware.vcf.passwordmanager.exception.PasswordManag
erErrorCode.PASSWORD_MANAGER_VRA_ENDPOINT_FAILED] with root cause
java.lang.IllegalArgumentException: No enum constant com.vmware.vcf.passwordmanager.exception.PasswordManagerErrorCode.PASSWORD_MANAGER_VRA_ENDPOINT_FAILED

This means that after the SDDC Manager Upgrade, it was not able to determine the error with “PASSWORD_MANAGER_VRA_ENDPOINT_FAILED” in its internal database

Solution: After consulting with VMware Engineering, the issue was resolved by going into the operationsmanager db on the sddc manager and executing the following command to replace the message with something which the SDDC Manager could understand.

Disclaimer: Do this at your own risk, I would highly recommend to contact VMware GSS if you have the same issue to get an official resolution.

operationsmanager=# update passwordmanager.master_password_transaction set diagnostic_message = replace (diagnostic_message, 'PASSWORD_MANAGER_VRA_ENDPOINT_FAILED','PASSWORD_UPDATE_VRA_ENDPOINT_FAILED');

Once this is executed, you will get an message of UPDATE XX (where XX is the update number if it has been updated successfully)

Conclusion: Now, you can refresh the SDDC Manager UI and you will not see the error message on the UI in Password Management as before.

Hope this helps if you see similar message after your VCF Upgrade from 3.11.x to 4.5