Patch installation fails with “Exception occurred in postInstallHook” when generating certificate for WCP solution user

Article ID: 301540

Products

VMware vCenter Server

Issue/Introduction

  • Patch installation fails with error message:

Exception occurred in postInstallHook

  • Certificate issues for wcp in /var/log/vmware/applmgmt/Patchrunner.log:
    YYYY-MM-DD HH:MM:SS wcp:Patch INFO root Generating certificate for user "wcp"
    YYYY-MM-DD HH:MM:SS wcp:Patch ERROR root Failed to update solution user wcp.
  • Authorization issues in /var/log/vmware/vmcad/vmcad.log:
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] [OPID :RPC] Entering RpcVMCAGetSignedCertificate
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] Checking upn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: ####@vsphere.local 
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] Checking user's group: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local against CA admin group: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local 
    YYYY-MM-DD HH:MM:SS [vmcad][WARNING] [../../service/auth.c:VMCALdapAccessCheck:92] error code: 0x00000005
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] VMCACheckAccessKrb: Access denied as user is not administrator
    YYYY-MM-DD HH:MM:SS [vmcad][WARNING] [../../service/rpcserv.c:VMCACheckAccess:103] error code: 0x00000005
    YYYY-MM-DD HH:MM:SS [vmcad][WARNING] [../../service/rpcserv.c:RpcVMCAGetSignedCertificate:364] error code: 0x00000005
    YYYY-MM-DD HH:MM:SS [vmcad][INFO] [RPC] Exiting RpcVMCAGetSignedCertificate, Status = 5

Environment

VMware vCenter Server 7.0.x

Cause

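The DCAdmins SSO group was accidentally removed from the CAAdmins group.

The vCenter machine account <vCenter_PNID>@vsphere.local is a member of DCAdmins, but CAAdmins membership is required in order to generate certificates. With DCAdmins no longer nested in CAAdmins, the machine account fails the CA admin group check, which is the "Access denied as user is not administrator" entry in vmcad.log.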

Resolution

Add the DCAdmins group to CAAdmins, either with JXplorer or, if preferable, with the ldapadd CLI command:
  1. Connect to the VCSA via SSH
  2. Log in with the root account
  3. In BASH, create a new file:
    # vi test.ldif
  4. Populate the file with the following content:
    dn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
    changetype: modify
    add: member
    member: cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local
  5. Save the file and exit the vi editor (:wq)
  6. Run the following command to apply the content of the file to the VMDir database, which updates the group membership:
    # /opt/likewise/bin/ldapadd -h localhost -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -w '<password for user Administrator>' -f test.ldif
  7. Retry the update
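
To confirm the group membership before retrying the update, the CAAdmins entry can be read back and checked for the DCAdmins DN. The script below is an added example, not part of the original article: the function names are hypothetical, the sample LDIF is constructed, and it assumes /opt/likewise/bin/ldapsearch is present beside ldapadd and accepts the standard OpenLDAP options.

```shell
CA_GROUP_DN="cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local"
DC_GROUP_DN="cn=DCAdmins,cn=Builtin,dc=vsphere,dc=local"

# has_member <dn>: read LDIF on stdin, succeed if a "member:" value equals <dn>.
# Unfolds LDIF continuation lines; compares DNs case-insensitively, ignoring spaces at commas.
has_member() {
    awk -v want="$1" '
        function norm(dn) {
            dn = tolower(dn)
            gsub(/[ \t]*,[ \t]*/, ",", dn)
            gsub(/^[ \t]+|[ \t]+$/, "", dn)
            return dn
        }
        function check(l,   v) {
            if (tolower(l) !~ /^member:/) return   # skips memberOf: and other attributes
            if (l ~ /^[^:]*::/) return             # base64 value, not compared
            v = l; sub(/^[^:]*:/, "", v)
            if (norm(v) == norm(want)) found = 1
        }
        /^ / { line = line substr($0, 2); next }   # folded continuation line
        { check(line); line = $0 }
        END { check(line); exit !found }
    '
}

# Assumption: ldapsearch sits beside ldapadd and takes standard OpenLDAP options.
# -W prompts for the password instead of placing it on the command line.
query_ca_admins() {
    /opt/likewise/bin/ldapsearch -h localhost -x -W \
        -D "cn=administrator,cn=users,dc=vsphere,dc=local" \
        -b "$CA_GROUP_DN" -s base "(objectClass=*)" member
}

report() {   # $1 = label; LDIF on stdin
    if has_member "$DC_GROUP_DN"; then echo "$1: DCAdmins is in CAAdmins"
    else echo "$1: DCAdmins MISSING from CAAdmins"; fi
}

# Constructed ldapsearch output: before the fix, and after it (with a folded line).
SAMPLE_BROKEN='dn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
member: cn=example-member,cn=Users,dc=vsphere,dc=local'
SAMPLE_FIXED='dn: cn=CAAdmins,cn=Builtin,dc=vsphere,dc=local
member: cn=example-member,cn=Users,dc=vsphere,dc=local
member: CN=DCAdmins,CN=Builtin,
 DC=vsphere,DC=local'
printf '%s\n' "$SAMPLE_BROKEN" | report "before fix"
printf '%s\n' "$SAMPLE_FIXED" | report "after fix"
# On the appliance: query_ca_admins | report "vmdir"
```

Running the live check both before step 6 and after it shows whether the ldapadd change actually landed in VMDir.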
 

Additional Information