The system creates certificates required for communication between NSX Federation appliances as well as for external communication.
By default, the Global Manager uses self-signed certificates for communicating with internal components and registered Local Managers, as well as for authenticating clients of the NSX Manager UI or APIs.
You can view the external (UI/API) and inter-site certificates in NSX Manager. The internal certificates are not viewable or editable.
Certificates for Global Manager and Local Managers
After you add a Local Manager into the Global Manager, all certificates that authenticate the Local Manager for external and internal communication are copied into the Global Manager and trust is established between the two systems. These certificates are also copied into each of the sites registered with the Global Manager.
See the following table for a list of all the certificates created for each appliance using NSX Federation, and the certificates these appliances exchange with each other:
Naming Convention in the Global Manager or Local Manager | Purpose | Replaceable? | Default Validity
---|---|---|---
The following are certificates specific to each NSX Federation appliance. | | |
APH-AR certificate | | No | 10 years
GlobalManager | | Yes. See Replace Certificates. | 825 days
mp-cluster certificate | | |
tomcat certificate | | |
LocalManager | | |
The following are certificates exchanged between NSX Federation appliances. | | |
Hashed code, for example, 1729f966-67b7-4c17-bdf5-325affb79f4f | | Not Applicable |
Site certificate CN=<>,O | | |
Principal Identity (PI) Users for NSX Federation
NSX Federation Appliance | PI Username | PI User Role
---|---|---
Global Manager | LocalManagerIdentity. One for each Local Manager registered with this Global Manager. | auditor
Local Manager | GlobalManagerIdentity | Enterprise Admin
Local Manager | LocalManagerIdentity. One for each Local Manager registered with the same Global Manager. Use the following API to get a list of all the Local Manager PI users, because they are not visible in the UI: GET https://<local-mgr>/api/v1/trust-management/principal-identities | auditor
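As an added example, not code from the NSX documentation or product, the following Python script pulls the principal-identities list from a Local Manager with the API call above and checks the Federation PI users against the roles in the table, flagging any whose role differs and listing every PI user that Federation did not create. The JSON field names (results, name, node_id, role) and the role identifiers enterprise_admin and auditor are assumptions about the API response; the sample response is constructed.

```python
import json
import ssl
import urllib.request
from base64 import b64encode

# Roles the table above gives for the Federation PI users; the identifier
# strings are assumed to be what the API returns for "Enterprise Admin"/"auditor".
EXPECTED_ROLE = {"GlobalManagerIdentity": "enterprise_admin",
                 "LocalManagerIdentity": "auditor"}

# Constructed sample of a principal-identities response (field names assumed),
# including one LocalManagerIdentity whose role does not match the table.
SAMPLE_RESPONSE = json.dumps({"results": [
    {"name": "GlobalManagerIdentity", "node_id": "gm-node-1", "role": "enterprise_admin"},
    {"name": "LocalManagerIdentity", "node_id": "lm-node-1", "role": "auditor"},
    {"name": "LocalManagerIdentity", "node_id": "lm-node-2", "role": "enterprise_admin"},
    {"name": "backup-automation", "node_id": "ext-1", "role": "enterprise_admin"},
]})


def fetch_principal_identities(local_mgr, username, password, cafile=None):
    """GET /api/v1/trust-management/principal-identities from a Local Manager.

    cafile should point at the CA that issued the appliance's API certificate
    so the TLS connection is verified instead of blindly trusted.
    """
    url = f"https://{local_mgr}/api/v1/trust-management/principal-identities"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    token = b64encode(f"{username}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.read().decode()


def audit_principal_identities(response_json):
    """Sort PI users into the Federation-created ones (checked against
    EXPECTED_ROLE) and everything else, which an operator should recognise."""
    report = {"federation": [], "role_mismatch": [], "other": []}
    for pi in json.loads(response_json).get("results", []):
        entry = (pi["name"], pi.get("node_id", ""), pi.get("role", ""))
        if entry[0] in EXPECTED_ROLE:
            report["federation"].append(entry)
            if entry[2] != EXPECTED_ROLE[entry[0]]:
                report["role_mismatch"].append(entry)
        else:
            report["other"].append(entry)
    return report


if __name__ == "__main__":
    # Offline run on the constructed sample; use fetch_principal_identities(...) for a live Local Manager.
    for bucket, entries in audit_principal_identities(SAMPLE_RESPONSE).items():
        print(bucket, entries)
```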