How to change the NSX-T password for Neutron in VMware Integrated OpenStack using the WebUI or the CLI


Disclaimer: the following is most likely a bug of the combination of the usage of VMware Integrated OpenStack 7.0.x and NSX-T 3.1.x

If you are using VMware Integrated OpenStack (VIO in short) with NXS-T network backend, then this might come handy for you in the future.

Changing the password in the WebUI

Here is how you are supposed to change the password using the web user interface – called the Integrated OpenStack Manager:

  1. Login as admin
  2. Choose your OpenStack deployment
  3. Go to Manage tab on the top
  4. Go to NSX Policy Credentials subtab on the left (ignore that “Status” and “NSX Resources” columns just keep loading)
  5. Choose the NSX Manager node where you want to modify the credentials
  6. Choose the “Edit” button
  7. Enter the password twice and press ok
  8. Stare forever for the never ending “Validating” screen.

Last step is no joke. The validation really doesn’t end at all. If you hit refresh in the browser then you loose the popup window and will have no clue if the change was actually accepted or not –> it is not.

Here are the same steps with screenshots.

Step #2: choose your deployment
Steps #3 - #6
Steps #7
Steps #8

Changing the password from CLI on the vio-manager VM

To actually change the password you need the following steps:

  1. Login to the vio-manager VM.
  2. Generate yaml output of the neutron-etc secret with command:
osctl get secret neutron-etc -oyaml > neutron-secrets.yaml
  1. Get the base64 encoded configuration of the nsx.ini file and decode it to a separate file with this magic:
grep nsx.ini neutron-secrets.yaml | cut -d " " -f4 | base64 -d > nsx.ini
  1. Search and change the nsx_api_password parameter under the [nsx_p] section according to your needs. Then save the file.
  2. Generate a back to base64 format:
cat nsx.ini | base64 -w0
  1. Copy and paste the value back to the nsx.ini parameter in the neutron-etc secret:
osctl edit secret neutron-etc
  1. Force redeployment of the neutron pods either with:
viocli stop service neutron
viocli start service neutron


for i in $(osctl get pods | grep neutron-server | awk '{ print $1}' ; do 
  osctl delete pods $i --force --grace-period=0

With screenshots:

Steps #2 - #3 – Generating the human readable nsx.ini config file
Step #4 – Changing the nxs_api_password parameter
Step #5 – Generating the config back to base64 encoded version
Step #6 – Editing the neutron-etc secret with the base64 encoded data