If you prefer to automate DNE Key Manager installation, you can use the VMware OVF Tool, which is a command-line utility.

About this task

By default, nsx_isSSHEnabled and nsx_allowSSHRootLogin are both disabled for security reasons. When they are disabled, you cannot SSH or log in to the DNE Key Manager command line. If you enable nsx_isSSHEnabled but not nsx_allowSSHRootLogin, you can SSH to DNE Key Manager but you cannot log in as root.

Prerequisites

  • Verify that the system requirements are met. See System Requirements.

  • Verify that the required ports are open. See Ports and Protocols.

  • Most deployments place NSX-T appliances on a management VM network. You can also create a new VM port group for the DNE Key Manager appliance.

    If you have multiple management networks, you can add static routes to the other networks from the NSX-T appliance.

  • Plan your IPv4 IP address scheme. In this release of NSX-T, IPv6 is not supported.

  • Verify that you have adequate privileges to deploy an OVF template on the ESXi host.

  • Verify that hostnames do not include underscores. Otherwise, the hostname is set to localhost.

  • OVF Tool version 4.0 or later.

  • For the nsx_hostname=nsx-keymanager property, enclose the root password (<password>) in single quotes.

    For example: vi://root:'my_root_password'@10.112.202.150.

Procedure

  • For a standalone host, run the ovftool command with the appropriate parameters.
    C:\Users\Administrator\Downloads>ovftool
    --name=nsx-keymanager
    --X:injectOvfEnv
    --X:logFile=ovftool.log
    --allowExtraConfig
    --datastore=ds1
    --network="management"
    --acceptAllEulas
    --noSSLVerify
    --diskMode=thin
    --powerOn
    --prop:nsx_ip_0=192.168.110.210
    --prop:nsx_netmask_0=255.255.255.0
    --prop:nsx_gateway_0=192.168.110.1
    --prop:nsx_dns1_0=192.168.110.10
    --prop:nsx_domain_0=corp.local
    --prop:nsx_ntp_0=192.168.110.10
    --prop:nsx_isSSHEnabled=<True|False>
    --prop:nsx_allowSSHRootLogin=<True|False>
    --prop:nsx_passwd_0=<password>
    --prop:nsx_cli_passwd_0=<password>
    --prop:nsx_cli_audit_passwd_0=<password>
    --prop:nsx_hostname=nsx-keymanager
    <path/url to nsx component ova> vi://root:<password>@192.168.110.51
    
    Opening OVA source: nsx-<component>.ova
    The manifest validates
    Source is signed and the certificate validates
    Opening VI target: vi://root@192.168.110.24
    Deploying to VI: vi://root@192.168.110.24
    Transfer Completed
    Powering on VM: nsx-edge-1
    Task Completed
    Completed successfully
    
    
  • For a host managed by vCenter Server, run the ovftool command with the appropriate parameters.
    C:\Users\Administrator\Downloads>ovftool
    --name=nsx-keymanager
    --X:injectOvfEnv
    --X:logFile=ovftool.log
    --allowExtraConfig
    --datastore=ds1
    --network="management"
    --acceptAllEulas
    --noSSLVerify
    --diskMode=thin
    --powerOn
    --prop:nsx_ip_0=192.168.110.210
    --prop:nsx_netmask_0=255.255.255.0
    --prop:nsx_gateway_0=192.168.110.1
    --prop:nsx_dns1_0=192.168.110.10
    --prop:nsx_domain_0=corp.local
    --prop:nsx_ntp_0=192.168.110.10
    --prop:nsx_isSSHEnabled=<True|False>
    --prop:nsx_allowSSHRootLogin=<True|False>
    --prop:nsx_passwd_0=<password>
    --prop:nsx_cli_passwd_0=<password>
    --prop:nsx_cli_audit_passwd_0=<password>
    --prop:nsx_hostname=nsx-keymanager
    <path/url to nsx component ova> vi://administrator@vsphere.local:<password>@192.168.110.24/?ip=192.168.110.51
    
    Opening OVA source: nsx-<component>.ova
    The manifest validates
    Source is signed and the certificate validates
    Opening VI target: vi://administrator@vsphere.local@192.168.110.24:443/
    Deploying to VI: vi://administrator@vsphere.local@192.168.110.24:443/
    Transfer Completed
    Powering on VM: nsx-edge-1
    Task Completed
    Completed successfully
    
    
  • (Optional) For optimal performance, reserve memory for the NSX-T component.

    A memory reservation is a guaranteed lower bound on the amount of physical memory that the host reserves for a virtual machine, even when memory is overcommitted. Set the reservation to a level that ensures the NSX-T component has sufficient memory to run efficiently. See System Requirements.

  • Open the console of the NSX Edge to track the boot process.

  • After the DNE Key Manager is completely booted, log in to the CLI as root and run the ifconfig command.

    For example, run ifconfig eth0 (or substitute the interface that connects to the management switch) to verify that the IP address was applied as expected.

  • Verify that the NSX Edge appliance has the required connectivity.

    If you enabled SSH, make sure that you can SSH to your NSX Edge.

    • You can ping your NSX Edge.

    • NSX Edge can ping its default gateway.

    • NSX Edge can ping the hypervisor hosts that are in the same network as the NSX Edge.

    • NSX Edge can ping its DNS server and its NTP server.
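
The prerequisites and SSH defaults above can be checked mechanically before ovftool is run. The following pre-flight check is an added example, not part of the original procedure or of any VMware tooling; the function names and the sample argument list are constructed for illustration, and the note on --noSSLVerify assumes its usual OVF Tool meaning of skipping certificate verification for the vSphere connection.

```python
import ipaddress

# Properties from the page's ovftool command that must hold IPv4 values.
IPV4_PROPS = ("nsx_ip_0", "nsx_netmask_0", "nsx_gateway_0", "nsx_dns1_0")

def parse_props(argv):
    """Collect --prop:key=value arguments into a dict."""
    return dict(a[len("--prop:"):].split("=", 1) for a in argv
                if a.startswith("--prop:") and "=" in a)

def locator_has_password(locator):
    """True if a vi:// locator carries user:password before the final '@'."""
    authority = locator[len("vi://"):].split("/", 1)[0]
    return "@" in authority and ":" in authority.rsplit("@", 1)[0]

def preflight(argv):
    """Return findings for an ovftool argument list (empty list = clean)."""
    props, findings = parse_props(argv), []
    if "_" in props.get("nsx_hostname", ""):
        findings.append("nsx_hostname has an underscore: hostname becomes localhost")
    for key in IPV4_PROPS:
        try:
            ipaddress.IPv4Address(props.get(key, ""))
        except ValueError:
            findings.append(f"{key} is missing or not IPv4 (IPv6 is not supported)")
    ssh = props.get("nsx_isSSHEnabled", "False").lower() == "true"
    root = props.get("nsx_allowSSHRootLogin", "False").lower() == "true"
    if ssh and root:
        findings.append("SSH and SSH root login are both enabled (default: disabled)")
    elif ssh:
        findings.append("SSH is enabled (default: disabled); root SSH login stays blocked")
    elif root:
        findings.append("nsx_allowSSHRootLogin is set but nsx_isSSHEnabled is not")
    if "--noSSLVerify" in argv:
        findings.append("--noSSLVerify: target certificate is not verified")
    for arg in argv:
        if arg.startswith("vi://") and locator_has_password(arg):
            findings.append("vi:// locator embeds a password on the command line")
    return findings

# Constructed sample arguments (placeholder values, not a real deployment).
SAMPLE = ["--noSSLVerify", "--prop:nsx_hostname=nsx_keymanager",
          "--prop:nsx_ip_0=192.168.110.210", "--prop:nsx_netmask_0=255.255.255.0",
          "--prop:nsx_gateway_0=fe80::1", "--prop:nsx_dns1_0=192.168.110.10",
          "--prop:nsx_isSSHEnabled=True", "--prop:nsx_allowSSHRootLogin=False",
          "vi://administrator@vsphere.local:PLACEHOLDER@192.168.110.24/?ip=192.168.110.51"]

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE)))
```

Each finding is advisory: the script reports deviations from the documented defaults and prerequisites so they can be reviewed before deployment, and it does not modify the argument list.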

What to do next

Join the DNE Key Manager with the management plane. See Join DNE Key Manager with the Management Plane.