Prior to NSX 6.x series, the user admin was a local database user. Starting in NSX 6.0, the user admin became a CLI user. For backward compatibility, there are steps you can take to migrate the admin user.

About this task

For vCloud Networking and Security 5.x series, the admin user in the CLI and the admin user in the UI (VSM) were two different users. The CLI user admin's password was managed by the OS, and the VSM user's password was managed by the local database of users. When you changed the password for the CLI admin user, the change did not affect the VSM admin user's password. Likewise, when you changed the VSM admin user's password, the change did not affect the CLI admin password.

For NSX 6.x series, the VSM user database is deprecated. The CLI user can log in to the NSX Manager directly.

In an upgrade scenario, for backward compatibility, the admin user is present in both the CLI and Web UI databases. In this case, if the password of the CLI user is changed, the change does not get reflected in the UI or in REST API calls. Prior to NSX 6.x series, the CLI user could not log in to the UI or to the REST API.

In fresh (green field) deployments of NSX 6.x series, the CLI user and the NSX Manager (UI or REST) are the same, and the credentials are the same.

If you want your upgraded NSX deployment to behave like a fresh deployment of NSX 6.x, you have two options.

  • Option 1---Change the password for the admin database user.

    You can use the following REST API to change the password. This option requires you to know the old password.

    PUT URI /api/2.0/services/usermgmt/user/local/<userId>

    <userInfo>
          <userId></userId>
          <password></password>
          <fullname></fullname>
          <email></email>
          <accessControlEntry>
             <role></role>
             <resource>
                 <resourceId></resourceId>
                 ...
             </resource>
          </accessControlEntry>
    </userInfo>

    For example, using curl:

    curl -k -H 'authorization: Basic YWRtaW46ZGVmYXVsdA==' -H 'Content-Type: application/xml' -X PUT https://<vsm-ip>/api/2.0/services/usermgmt/user/local/admin -d '<userInfo><userId>admin</userId><password>123</password><fullname>admin</fullname><email>admin@company.com</email><accessControlEntry><role>security_admin</role><resource><resourceId>datacenter-312</resourceId></resource></accessControlEntry></userInfo>'

    The API can be used to update a local user account including the password. If a password is not provided, the existing password is retained. The userId variable in the URI should be the same as the one specified in XML.

  • Option 2---Instead of keeping the Web UI admin user, you can remove it and add a role to the CLI admin user. After this change, you can log in to NSX Manager using the CLI user credentials, and a password change for the CLI admin user is reflected on the NSX Manager admin user.

    Because the Web UI admin user is the super_user, you need to add another user with super_user privileges before you can delete the Web UI admin user.

    • Add a new user tempadmin with the super_user role.

      For example, using curl:

      curl -k -H 'authorization: Basic YWRtaW46ZGVmYXVsdA==' -H 'Content-Type: application/xml' -X PUT https://<vsm-ip>/api/2.0/services/usermgmt/user/local/admin -d '<userInfo><userId>tempadmin</userId><password>123</password><fullname>tempadmin</fullname><email>tempadmin@company.com</email><accessControlEntry><role>super_user</role><resource><resourceId>datacenter-312</resourceId></resource></accessControlEntry></userInfo>'
    • Use tempadmin to delete the Web UI user admin.

      For example, using curl:

      curl -k -H 'authorization: Basic YWRtaW46ZGVmYXVsdA==' -H 'Content-Type: application/xml' -X DELETE https://<vsm-ip>/api/2.0/services/usermgmt/user/admin

    • Add the super_user role to the CLI user admin.

      For example, using curl:

      curl -k -H 'authorization: Basic YWRtaW46ZGVmYXVsdA==' -H 'Content-Type: application/xml' -X POST https://<nsx-ip>/api/2.0/services/usermgmt/role/admin?isCli=true -d '<accessControlEntry><role>super_user</role></accessControlEntry>'