WilliamLam.com

  • About
    • About
    • Privacy
  • VMware Cloud
  • Tanzu
    • Application Modernization
    • Tanzu services
    • Tanzu Community Edition
    • Tanzu Kubernetes Grid
    • vSphere with Tanzu
  • Home Lab
  • Nested Virtualization
  • Apple
You are here: Home / Automation / Automating default admin password change for NSX Advanced Load Balancer (NSX ALB)

Automating default admin password change for NSX Advanced Load Balancer (NSX ALB)

03.30.2021 by William Lam // 5 Comments

Over the weekend I got a chance to deploy my first vSphere with Tanzu environment using the new NSX Advanced Load Balancer (NSX ALB) which I had shared on Twitter.

πŸ₯³ Successfully deployed my πŸ₯‡ vSphere w/@VMwareTanzu using the new @vmwarensx Advanced Load Balancer (formally @AviNetworks)

πŸ‘‰https://t.co/Mqb9Ja0rtV was extremely helpful, a MUST read IMHO! πŸ‘πŸ€™ @CormacJHogan

Visuals is NSX ALB is nice! Looks like I need more resources! pic.twitter.com/C6E36zIl7X

— William Lam (@lamw) March 28, 2021

This was also my first time getting exposed to NSX ALB (formally AVI Networks) and this detailed blog post from my buddy Cormac Hogan was instrumental in helping me quickly get started and get into the specific configurations needed for a two network design with vSphere with Tanzu. For me personally, there were just too many different configuration pages a user needed to navigate to and context switching between them made it non-intuitive for a new user like myself. After going through this once, I knew Automation was the next step for me and this was also an opportunity to try out the NSX ALB API, which I also have never used before.

One of the very first challenge that I needed to figure out was how to initially login to the API. During the initial UI step, the user is prompted to provide a password which will be used to create a new admin account. This is actually miss-leading because you are not actually creating a new account but rather you are changing the default password for the admin user that already exists.


This actually took me some time to figure out and I eventually came across a note mentioning that the default password can be found in the download portal where you had downloaded the NSX ALB OVA! In addition to the default password, the NSX ALB API requires that you pass a Cross-Site Request Forgery (CSRF) token along with referrer ID which is then used to authenticate subsequent requests. This did make the initial automation more complicated, especially since basic authentication is disabled by default.

Here is a quick PowerShell snippet using the NSX ALB REST API to initially login and then changing the default admin password:

$nsxAdvLBIPAddress = "192.168.30.171"
$NSXAdvLBAdminPassword = "VMware1!"

$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
}

$payload = @{
    username="admin";
    password="58NFaGDJm(PJH0G";
}

$defaultPasswordBody = $payload | ConvertTo-Json

$response = Invoke-WebRequest -Uri https://${nsxAdvLBIPAddress}/login -Body $defaultPasswordBody -Method POST -Headers $headers -SessionVariable WebSession -SkipCertificateCheck
$cookies = $WebSession.Cookies.GetCookies("https://${nsxAdvLBIPAddress}/login")
$csrf = $cookies["csrftoken"].value

$payload = @{
    old_password = "58NFaGDJm(PJH0G";
    password = $NSXAdvLBAdminPassword;
    username = "admin"
}

$newPasswordBody = $payload | ConvertTo-Json

$headers = @{
    "Content-Type"="application/json"
    "Accept"="application/json"
    "x-avi-version"="20.1.4"
    "x-csrftoken"=$csrf
    "referer"="https://${nsxAdvLBIPAddress}/login"
}

Invoke-WebRequest -Uri https://${nsxAdvLBIPAddress}/api/useraccount -Body $newPasswordBody -Method PUT -Headers $headers -WebSession $WebSession -SkipCertificateCheck

Once you have changed the default admin password, you can then login to NSX ALB UI to apply other configuration changes. If you wish to enable basic authentication, you can navigate to Administration->Settings->Access Settings and then click on the pencil to edit and check the Allow Basic Authentication box.

Now, of course you could have also automated both the admin password change and enablement of basic auth (hint see /systemconfiguration) and then switch to basic auth login for all subsequent API requests. Once I had figured out how to coordinate the initial automation, then it was digging into the NSX ALB API and using my favorite tool, Chrome Developer to understand which NSX ALB APIs were being used. Now it on to the task of trial/error and heavily leveraging vSphere Snapshots and as you can see from the Tweet below, where I am fully headed πŸ˜€

https://twitter.com/lamw/status/1376373045569314818?s=20

More from my site

  • Disabling vSphere with Tanzu does not delete NSX Advanced Load Balancer (NSX ALB) Service Engine (SE) VMs
  • Quick Tip - How to deploy NSX Advanced Load Balancer (NSX-ALB) with a single Service Engine
  • Configuring NSX Advanced Load Balancer with Tanzu Kubernetes Grid (TKG) on VMware Cloud on AWS
  • Automated Lab Deployment Script for vSphere with Tanzu using NSX Advanced Load Balancer (NSX ALB)
  • Really cool updates with OVFTool 4.4 and support for vSphere 7

Categories // Automation, NSX Tags // AVI, NSX Advanced Load Balancer

Comments

  1. Roberto Casula says

    03/31/2021 at 12:56 am

    Hi William! If you like PowerShell I wrote a wrapper around the Avi API to handle some of the boring stuff like session management.

    https://www.github.com/avinetworks/devops/tree/master/powershell

    Reply
    • William Lam says

      03/31/2021 at 11:55 am

      Hey Roberto,

      Funny enough, I did come across your PS module before getting started, but I found that it didn't work for me and I believe it has to do with not being able to support/ignore self-sign TLS certificate. Perhaps this was before PowerShell Core added support for -SkipCertificateCheck using Invoke-WebRequest/RestMethod. I also noticed the repo hadn't been updated for a few years and that it had moved, that perhaps it wasn't kept up to date as the version of the API was several releases back

      Reply
      • Roberto Casula says

        03/31/2021 at 12:04 pm

        Interesting. I've used it as recently as a couple of weeks ago with no issues. Did you use the Disable-AviCertificateWarnings scriptlet first? This installs a custom certificate validation function (that always returns true) and should be invoked for any WebRequest...I only haven't updated it because it's generally agnostic to the version of Avi and continues to work when I try it from time to time. If Disable-AviCertificateWarnings doesn't work for you, I'd like to get to the bottom of it. Ping me with your setup details (OS, PS version etc.) and I can try and take a look.

        Reply
        • Roberto Casula says

          03/31/2021 at 12:19 pm

          Ah yes - I think it is due to differences in PS Core and certificate validation. Will look into it.

          Reply
          • William Lam says

            03/31/2021 at 2:49 pm

            Yup. I've tried the Disable-* function and ran into error which I've normally solved by using the -SkipCertificateCheck parameter. For my usage, I think what I've got is working anyhow, I've already figured the APIs I needed but it did take a bit more time using Chrome Developer πŸ™‚

Thanks for the comment! Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Search

Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Infrastructure Business Group (CIBG) at VMware. He focuses on Cloud Native technologies, Automation, Integration and Operation for the VMware Cloud based Software Defined Datacenters (SDDC)

Connect

  • Email
  • GitHub
  • LinkedIn
  • RSS
  • Twitter
  • Vimeo

Recent

  • Self-Contained & Automated VMware Cloud Foundation (VCF) deployment using new VLC Holodeck Toolkit 03/29/2023
  • ESXi configstorecli enhancement in vSphere 8.0 Update 1 03/28/2023
  • ESXi on Intel NUC 13 Pro (Arena Canyon) 03/27/2023
  • Quick Tip - Enabling ESXi Coredumps to be stored on USB 03/26/2023
  • How to disable the Efficiency Cores (E-cores) on an Intel NUC? 03/24/2023

Advertisment

Privacy & Cookies: This site uses cookies. By continuing to use this website, you agree to their use.
To find out more, including how to control cookies, see here: Cookie Policy

Copyright WilliamLam.com © 2023

 

Loading Comments...