Complete the configuration procedure on NSX so that CVX can be added as an enforcement point in NSX and NSX can interact with CVX.

Prerequisites

Obtain the virtual IP address for the Arista CVX cluster.

Procedure

  1. Log in to NSX Manager as a root user and run the following command to retrieve the thumbprint for CVX:
    openssl s_client -connect <virtual IP address of CVX cluster>:443 | openssl x509 -noout -fingerprint -sha256
    Sample output:
    depth=0 CN = self.signed
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 CN = self.signed
    verify return:1
    SHA256 Fingerprint=35:C1:42:BC:7A:2A:57:46:E8:72:F4:C8:B8:31:E3:13:5F:41:95:EF:D8:1E:E9:3D:F0:CC:3B:09:A2:FE:22:DE
  2. Edit the retrieved thumbprint so that it uses only lowercase characters and contains no colons.
    Sample of edited thumbprint for CVX:
    35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de
  3. Call the PATCH /policy/api/v1/infra/sites/default/enforcement-points API and use the CVX thumbprint to create an enforcement endpoint for CVX. For example:
    PATCH https://<nsx-manager>/policy/api/v1/infra/sites/default/enforcement-points/cvx-default-ep
    {
      "auto_enforce": "false",
      "connection_info": {
        "enforcement_point_address": "<IP address of CVX>",
        "resource_type": "CvxConnectionInfo",
        "username": "cvpadmin",
        "password": "1q2w3e4rT",
        "thumbprint": "65a9785e88b784f54269e908175ada662be55f156a2dc5f3a1b0c339cea5e343"
      }
    }
    
  4. Call the GET /policy/api/v1/infra/sites/default/enforcement-points API to retrieve the endpoint information. For example:
    GET https://<nsx-manager>/policy/api/v1/infra/sites/default/enforcement-points/cvx-default-ep
    {
      "auto_enforce": "false",
      "connection_info": {
        "enforcement_point_address": "<IP address of CVX>",
        "resource_type": "CvxConnectionInfo",
        "username": "admin",
        "password": "1q2w3e4rT",
        "thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de"
      }
    }
    Sample output:
    {
      "connection_info": {
        "thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de",
        "enforcement_point_address": "192.168.2.198",
        "resource_type": "CvxConnectionInfo"
      },
      "auto_enforce": false,
      "resource_type": "EnforcementPoint",
      "id": "cvx-default-ep",
      "display_name": "cvx-default-ep",
      "path": "/infra/sites/default/enforcement-points/cvx-default-ep",
      "relative_path": "cvx-default-ep",
      "parent_path": "/infra/sites/default",
      "marked_for_delete": false,
      "_system_owned": false,
      "_create_user": "admin",
      "_create_time": 1564036461953,
      "_last_modified_user": "admin",
      "_last_modified_time": 1564036461953,
      "_protection": "NOT_PROTECTED",
      "_revision": 0
    } 
  5. Call the POST /api/v1/notification-watchers/ API and use the CVX thumbprint to create a notification ID. For example:
    POST https://<nsx-manager>/api/v1/notification-watchers/
    {
      "server": "<virtual IP address of CVX cluster>",
      "method": "POST",
      "uri": "/pcs/v1/nsgroup/notification",
      "use_https": true,
      "certificate_sha256_thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de",
      "authentication_scheme": {
        "scheme_name": "BASIC_AUTH",
        "username": "cvpadmin",
        "password": "1q2w3e4rT"
      }
    }
    
  6. Call the GET /api/v1/notification-watchers/ API to retrieve the notification ID.
    Sample output:
    {
      "id": "a0286cb6-de4d-41de-99a0-294465345b80",
      "server": "192.168.2.198",
      "port": 443,
      "use_https": true,
      "certificate_sha256_thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de",
      "method": "POST",
      "uri": "/pcs/v1/nsgroup/notification",
      "authentication_scheme": {
        "scheme_name": "BASIC_AUTH",
        "username": "cvpadmin"
      },
      "send_timeout": 30,
      "max_send_uri_count": 5000,
      "resource_type": "NotificationWatcher",
      "display_name": "a0286cb6-de4d-41de-99a0-294465345b80",
      "_create_user": "admin",
      "_create_time": 1564038044780,
      "_last_modified_user": "admin",
      "_last_modified_time": 1564038044780,
      "_system_owned": false,
      "_protection": "NOT_PROTECTED",
      "_revision": 0
    }
  7. Call the PATCH /policy/api/v1/infra/domains/default/domain-deployment-maps/cvx-default-dmap API to create a CVX domain deployment map. For example:
    PATCH https://<nsx-manager>/policy/api/v1/infra/domains/default/domain-deployment-maps/cvx-default-dmap
    {
      "display_name": "cvx-deployment-map",
      "id": "cvx-default-dmap",
      "enforcement_point_path": "/infra/sites/default/enforcement-points/cvx-default-ep"
    }
    
  8. Call the GET /policy/api/v1/infra/domains/default/domain-deployment-maps API to retrieve the deployment map information.
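
Steps 1 and 2, plus a check that the thumbprint returned by the GET calls is the one derived from the live certificate, scripted as an added example that is not part of the original procedure or of VMware's or Arista's code. The function names are hypothetical, and the sample inputs are constructed from the sample output shown above.

```shell
#!/bin/sh
# Added example, not VMware's or Arista's code. Function names are hypothetical.

# stdin:  output of `openssl x509 -noout -fingerprint -sha256`
# stdout: thumbprint in the form NSX expects (64 lowercase hex chars, no colons)
nsx_thumbprint() {
    fp=$(sed -n 's/^.*[Ff]ingerprint=//p' | head -n 1 | tr -d ':' | tr 'A-F' 'a-f')
    case "$fp" in
        ''|*[!0-9a-f]*) echo "no valid fingerprint in input" >&2; return 1 ;;
    esac
    # A SHA-256 digest is 32 bytes; anything but 64 hex chars is truncated or wrong.
    [ "${#fp}" -eq 64 ] || { echo "expected 64 hex chars, got ${#fp}" >&2; return 1; }
    printf '%s\n' "$fp"
}

# stdin:  JSON returned by one of the GET calls
# stdout: value of "thumbprint" or "certificate_sha256_thumbprint"
stored_thumbprint() {
    sed -n 's/.*thumbprint"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# $1: thumbprint derived from the live certificate; stdin: GET response.
# Succeeds only if NSX stored exactly that value.
thumbprint_matches() {
    stored=$(stored_thumbprint)
    [ -n "$stored" ] && [ "$stored" = "$1" ]
}

# Constructed sample inputs, copied from the sample output in the procedure.
SAMPLE_OPENSSL='depth=0 CN = self.signed
verify return:1
SHA256 Fingerprint=35:C1:42:BC:7A:2A:57:46:E8:72:F4:C8:B8:31:E3:13:5F:41:95:EF:D8:1E:E9:3D:F0:CC:3B:09:A2:FE:22:DE'
SAMPLE_GET='{
  "server": "192.168.2.198",
  "certificate_sha256_thumbprint": "35c142bc7a2a5746e872f4c8b831e3135f4195efd81ee93df0cc3b09a2fe22de",
  "method": "POST"
}'

tp=$(printf '%s\n' "$SAMPLE_OPENSSL" | nsx_thumbprint) || exit 1
if printf '%s\n' "$SAMPLE_GET" | thumbprint_matches "$tp"; then
    echo "OK: NSX stored $tp"
else
    echo "MISMATCH: NSX did not store $tp" >&2
fi
```

In practice, pipe the real `openssl` output into `nsx_thumbprint` and the saved GET response into `thumbprint_matches`; a mismatch means the enforcement point or notification watcher was created with a thumbprint other than the one the CVX certificate currently presents.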