Activating Security Intelligence after upgrading from NSX Application Platform version 4.1.1 to 4.2.0 fails.

Problem

Attempting to activate Security Intelligence after upgrading from NSX Application Platform version 4.1.1 to 4.2.0 fails due to a certificate verification error.

Cause

With the NSX Application Platform 4.2.0 release, first-class support for private CA certificates was introduced, which requires NSX to be upgraded to version 4.2.0.

Due to the changes in private CA certificate support between NSX Application Platform releases, the certificate in NSX Manager is not propagated to all components of the NSX Application Platform.

The Upgrade Coordinator does not load the host certificates, so the certificates added to the Kubernetes cluster are unavailable to it. As a result, Security Intelligence activation fails after the NSX Application Platform upgrade.

Solution

  1. If NSX has not been upgraded to version 4.2.0, configure the cluster-api pod to resolve the problem.
    1. Execute the following deployment command on the NSX Manager.
      napp-k edit deployment cluster-api
    2. Add the following to the volumes section in the cluster-api deployment YAML file.
      volumes:
        - hostPath:
            path: /etc/ssl/certs
            type: ""
          name: host-ssl-certs
    3. Add the following to the volumeMounts section in the cluster-api deployment YAML file.
      volumeMounts:
        - mountPath: /etc/ssl/certs
          name: host-ssl-certs
    4. Wait for the cluster API to restart, then proceed to activate Security Intelligence.
  2. If NSX has been upgraded to version 4.2.0, reactivate the private CA certificate support from the UI.
    1. From your browser, log in with Enterprise Admin privileges to an NSX Manager at https://<nsx-manager-ip-address>.
    2. Select NSX > System > Certificate.
    3. Upload the Harbor certificate.
    4. Select NSX > System > NSX Application Platform.
    5. Click Edit to select the newly uploaded Harbor certificate name from the drop-down menu.
    6. Click Save.
    7. Proceed to activate Security Intelligence.
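
For option 1, the following check confirms that the volume and the mount landed in the right parts of the cluster-api deployment and that the restart has finished before you retry activation. It is an added example, not VMware code. It assumes napp-k accepts the same `get deployment cluster-api -o json` arguments as kubectl, and the container name in the constructed sample is hypothetical.

```python
import json
import sys

VOLUME_NAME = "host-ssl-certs"   # name and path as given in the steps above
CERT_PATH = "/etc/ssl/certs"

def check_cluster_api(deployment):
    """Return a list of problems; an empty list means the edit is in place and rolled out."""
    problems = []
    pod_spec = deployment.get("spec", {}).get("template", {}).get("spec", {})

    # The hostPath volume sits at pod level: spec.template.spec.volumes
    vol = next((v for v in pod_spec.get("volumes") or []
                if v.get("name") == VOLUME_NAME), None)
    if vol is None:
        problems.append("volume host-ssl-certs missing from spec.template.spec.volumes")
    elif (vol.get("hostPath") or {}).get("path") != CERT_PATH:
        problems.append("volume host-ssl-certs is not a hostPath to /etc/ssl/certs")

    # The mount sits at container level: spec.template.spec.containers[].volumeMounts
    mounts = [m for c in pod_spec.get("containers") or []
              for m in c.get("volumeMounts") or [] if m.get("name") == VOLUME_NAME]
    if not mounts:
        problems.append("no container mounts host-ssl-certs")
    elif any(m.get("mountPath") != CERT_PATH for m in mounts):
        problems.append("host-ssl-certs is mounted somewhere other than /etc/ssl/certs")

    # Restart finished: the controller has seen the edit and every replica is updated and available
    want = deployment.get("spec", {}).get("replicas", 1)
    status = deployment.get("status", {})
    if (status.get("observedGeneration", 0) < deployment.get("metadata", {}).get("generation", 0)
            or status.get("updatedReplicas", 0) < want
            or status.get("availableReplicas", 0) < want):
        problems.append("rollout still in progress")
    return problems

# Constructed sample: volume added (step 2) but the volumeMounts entry forgotten (step 3)
SAMPLE = {
    "metadata": {"generation": 2},
    "spec": {"replicas": 1, "template": {"spec": {
        "volumes": [{"name": VOLUME_NAME, "hostPath": {"path": CERT_PATH, "type": ""}}],
        "containers": [{"name": "cluster-api", "volumeMounts": []}]}}},
    "status": {"observedGeneration": 2, "updatedReplicas": 1, "availableReplicas": 1},
}

if __name__ == "__main__":
    doc = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for line in check_cluster_api(doc) or ["cluster-api: certificate mount in place, rollout complete"]:
        print(line)
```

Run without input, it evaluates the constructed sample; with the deployment JSON piped to standard input, it evaluates the live object.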