WilliamLam.com


Automating default admin password change for NSX Advanced Load Balancer (NSX ALB)

03.30.2021 by William Lam // 5 Comments

Over the weekend I got a chance to deploy my first vSphere with Tanzu environment using the new NSX Advanced Load Balancer (NSX ALB) which I had shared on Twitter.

🥳 Successfully deployed my 🥇 vSphere w/@VMwareTanzu using the new @vmwarensx Advanced Load Balancer (formally @AviNetworks)

👉https://t.co/Mqb9Ja0rtV was extremely helpful, a MUST read IMHO! 👍🤙 @CormacJHogan

Visuals is NSX ALB is nice! Looks like I need more resources! pic.twitter.com/C6E36zIl7X

— William Lam (@lamw.bsky.social) (@lamw) March 28, 2021

This was also my first time getting exposed to NSX ALB (formerly Avi Networks), and this detailed blog post from my buddy Cormac Hogan was instrumental in helping me quickly get started and get into the specific configurations needed for a two-network design with vSphere with Tanzu. For me personally, there were just too many different configuration pages a user needed to navigate to, and context switching between them made it non-intuitive for a new user like myself. After going through this once, I knew automation was the next step for me, and this was also an opportunity to try out the NSX ALB API, which I had also never used before.

One of the very first challenges that I needed to figure out was how to initially log in to the API. During the initial UI step, the user is prompted to provide a password which will be used to create a new admin account. This is actually misleading, because you are not creating a new account but rather changing the default password for the admin user that already exists.


This actually took me some time to figure out, and I eventually came across a note mentioning that the default password can be found in the download portal where you downloaded the NSX ALB OVA! In addition to the default password, the NSX ALB API requires that you pass a Cross-Site Request Forgery (CSRF) token along with a referrer ID, which is then used to authenticate subsequent requests. This did make the initial automation more complicated, especially since basic authentication is disabled by default.

Here is a quick PowerShell snippet that uses the NSX ALB REST API to log in initially and then change the default admin password:

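$nsxAdvLBIPAddress = "192.168.30.171"
# Default admin password, as listed in the download portal for the NSX ALB OVA
$NSXAdvLBDefaultPassword = "58NFaGDJm(PJH0G"
# New admin password to set
$NSXAdvLBAdminPassword = "VMware1!"

$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
}

$payload = @{
    username="admin";
    password=$NSXAdvLBDefaultPassword;
}

$defaultPasswordBody = $payload | ConvertTo-Json

# Log in with the default password; -SessionVariable keeps the session cookies for later requests.
# -SkipCertificateCheck (PowerShell Core) turns off TLS certificate validation for the controller's self-signed certificate.
$response = Invoke-WebRequest -Uri "https://${nsxAdvLBIPAddress}/login" -Body $defaultPasswordBody -Method POST -Headers $headers -SessionVariable WebSession -SkipCertificateCheck
# The CSRF token is returned as the csrftoken cookie
$cookies = $WebSession.Cookies.GetCookies("https://${nsxAdvLBIPAddress}/login")
$csrf = $cookies["csrftoken"].value

$payload = @{
    old_password = $NSXAdvLBDefaultPassword;
    password = $NSXAdvLBAdminPassword;
    username = "admin"
}

$newPasswordBody = $payload | ConvertTo-Json

# Subsequent requests must carry the CSRF token and referer along with the session cookies
$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
    "x-avi-version"="20.1.4"
    "x-csrftoken"=$csrf
    "referer"="https://${nsxAdvLBIPAddress}/login"
}

# Change the admin password using the authenticated session
Invoke-WebRequest -Uri "https://${nsxAdvLBIPAddress}/api/useraccount" -Body $newPasswordBody -Method PUT -Headers $headers -WebSession $WebSession -SkipCertificateCheck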
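
A variant of the snippet above that prompts for both passwords instead of embedding them in the script, and then checks that the default password is refused once the change has been made. This is an added example, not code from the original post: the function names are hypothetical, and it assumes PowerShell 7 (for -SkipHttpErrorCheck) and that the controller answers a refused /login with a 4xx status.

```powershell
#Requires -Version 7.0
# Added example, not from the original post. Function names are hypothetical;
# endpoints, headers and the csrftoken cookie are those used in the snippet above.
function Invoke-AviLogin {
    param([string]$Controller, [pscredential]$Credential, [switch]$SkipCertificateCheck)
    $body = @{
        username = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json
    # -SkipHttpErrorCheck returns an HTTP error response instead of throwing, so a
    # refused login can be told apart from a network failure (which still throws).
    $resp = Invoke-WebRequest -Uri "https://$Controller/login" -Method POST -Body $body `
        -ContentType 'application/json' -SessionVariable session `
        -SkipHttpErrorCheck -SkipCertificateCheck:$SkipCertificateCheck
    [pscustomobject]@{ StatusCode = [int]$resp.StatusCode; Session = $session }
}

function Set-AviAdminPassword {
    param([string]$Controller, [pscredential]$DefaultCredential, [securestring]$NewPassword,
          [string]$ApiVersion = '20.1.4', [switch]$SkipCertificateCheck)
    $tls = @{ SkipCertificateCheck = $SkipCertificateCheck }
    $login = Invoke-AviLogin -Controller $Controller -Credential $DefaultCredential @tls
    if ($login.StatusCode -notin 200..299) { throw "Default login failed: HTTP $($login.StatusCode)" }
    $loginUrl = "https://$Controller/login"
    $headers = @{
        'x-avi-version' = $ApiVersion
        'x-csrftoken'   = $login.Session.Cookies.GetCookies($loginUrl)['csrftoken'].Value
        'referer'       = $loginUrl
    }
    $newCred = [pscredential]::new($DefaultCredential.UserName, $NewPassword)
    $body = @{
        username     = $DefaultCredential.UserName
        old_password = $DefaultCredential.GetNetworkCredential().Password
        password     = $newCred.GetNetworkCredential().Password
    } | ConvertTo-Json
    # No -SkipHttpErrorCheck here: a non-2xx reply throws, so a failed change stops the run.
    $null = Invoke-WebRequest -Uri "https://$Controller/api/useraccount" -Method PUT -Body $body `
        -ContentType 'application/json' -Headers $headers -WebSession $login.Session @tls

    # Post-change check: the default password must now be refused, the new one accepted.
    $old = (Invoke-AviLogin -Controller $Controller -Credential $DefaultCredential @tls).StatusCode
    $new = (Invoke-AviLogin -Controller $Controller -Credential $newCred @tls).StatusCode
    [pscustomobject]@{ DefaultRejected = ($old -in 400..499); NewAccepted = ($new -in 200..299) }
}

# Prompt for the secrets instead of embedding them in the script.
$default = Get-Credential -UserName admin -Message 'Default admin password from the download portal'
$new = Read-Host -AsSecureString -Prompt 'New admin password'
Set-AviAdminPassword -Controller '192.168.30.171' -DefaultCredential $default -NewPassword $new -SkipCertificateCheck
```

Both properties of the returned object should be True; a False in DefaultRejected means the controller still accepts the published default password.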

Once you have changed the default admin password, you can then log in to the NSX ALB UI to apply other configuration changes. If you wish to enable basic authentication, you can navigate to Administration->Settings->Access Settings and then click on the pencil to edit and check the Allow Basic Authentication box.

Now, of course, you could also have automated both the admin password change and the enablement of basic auth (hint: see /systemconfiguration) and then switched to basic auth login for all subsequent API requests. Once I had figured out how to coordinate the initial automation, it was on to digging into the NSX ALB API and using my favorite tool, Chrome Developer, to understand which NSX ALB APIs were being used. Now it is on to the task of trial and error, heavily leveraging vSphere Snapshots, and as you can see from the Tweet below, where I am headed 😀

Not too bad, almost 1 minute flat to automate all of these @vmwarensx Advanced Load Balancer settings 🤩

First time using the NSX ALB (API) APIs too! Just have the DNS IPAM configuration to tackle tomorrow and then some testing pic.twitter.com/B7otLLukKh

— William Lam (@lamw.bsky.social) (@lamw) March 29, 2021


Comments

  1. Roberto Casula says

    03/31/2021 at 12:56 am

    Hi William! If you like PowerShell I wrote a wrapper around the Avi API to handle some of the boring stuff like session management.

    https://www.github.com/avinetworks/devops/tree/master/powershell

    • William Lam says

      03/31/2021 at 11:55 am

      Hey Roberto,

      Funny enough, I did come across your PS module before getting started, but I found that it didn't work for me and I believe it has to do with not being able to support/ignore self-signed TLS certificates. Perhaps this was before PowerShell Core added support for -SkipCertificateCheck using Invoke-WebRequest/RestMethod. I also noticed the repo hadn't been updated for a few years and that it had moved, that perhaps it wasn't kept up to date as the version of the API was several releases back.

      • Roberto Casula says

        03/31/2021 at 12:04 pm

        Interesting. I've used it as recently as a couple of weeks ago with no issues. Did you use the Disable-AviCertificateWarnings scriptlet first? This installs a custom certificate validation function (that always returns true) and should be invoked for any WebRequest...I only haven't updated it because it's generally agnostic to the version of Avi and continues to work when I try it from time to time. If Disable-AviCertificateWarnings doesn't work for you, I'd like to get to the bottom of it. Ping me with your setup details (OS, PS version etc.) and I can try and take a look.

        • Roberto Casula says

          03/31/2021 at 12:19 pm

          Ah yes - I think it is due to differences in PS Core and certificate validation. Will look into it.

          • William Lam says

            03/31/2021 at 2:49 pm

            Yup. I've tried the Disable-* function and ran into an error, which I've normally solved by using the -SkipCertificateCheck parameter. For my usage, I think what I've got is working anyhow, I've already figured out the APIs I needed, but it did take a bit more time using Chrome Developer 🙂

Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.
