[VMC on AWS] Hybrid Linked Mode: Unable to edit the CloudAdmin groups after vCenter Cloud Gateway re-deployment
Article ID: 312507


Products

VMware Cloud on AWS

Issue/Introduction

This article provides the curl commands that allow administrators to edit the CloudAdmin group through the vCenter Cloud Gateway after the gateway has been re-deployed.

Symptoms:
After the vCenter Cloud Gateway has been re-deployed using the same IP address or hostname, administrators are unable to edit the CloudAdmin group.

Errors similar to the following are seen in the vCenter Cloud Gateway logs:
[tomcat-exec-9  ERROR com.vmware.hvc.vapi.impl.AdministratorsProviderImpl  opId=] Set administrator groups failed with exception:
com.vmware.vapi.std.errors.Unauthenticated: Unauthenticated (com.vmware.vapi.std.errors.unauthenticated)

| ERROR | jetty-default-128542      | SamlTokenExtractor             | Cannot complete login attempt due to runtime SAML parsing error.

com.vmware.vapi.dsig.json.SignatureException: Cannot verify the signature over the provided data

Cause

Re-deploying the vCenter Cloud Gateway with the same IP Address or Hostname causes an invalid trust between the VMware Cloud on AWS vCenter and the vCenter Cloud Gateway.

Resolution

SSH to the vCenter Cloud Gateway using the root credentials set during deployment. 

Run the curl commands below, replacing the upper-case placeholders (VMC_SDDC_ADDRESS, CLOUDADMIN_PASSWORD, SESSION_ID, DOMAIN_ID, GROUP_VALUE_NAME) with the values for your SDDC:
1. curl --request POST --url https://VMC_SDDC_ADDRESS/rest/com/vmware/cis/session -u 'cloudadmin@vmc.local:CLOUDADMIN_PASSWORD' -k -c creds.txt
Returns the SESSION_ID used by the remaining commands.

2. curl -k -X GET --header 'Accept: application/json' --header 'vmware-api-session-id: SESSION_ID' 'https://VMC_SDDC_ADDRESS/rest/vcenter/trust/vc-trusts'

Sample output :
{"value":[{"domain":"DOMAIN_ID","label":"vsphere.local","type":""}]}
Returns the domain the vCenter trusts: DOMAIN_ID

3. curl -k -X GET --header 'Accept: application/json' --header 'vmware-api-session-id: SESSION_ID' 'https://VMC_SDDC_ADDRESS/rest/vcenter/trust/vc-trusts/DOMAIN_ID'
Sample output:
{"value":{"label":"vsphere.local","signing_cert_chains":[{"cert_chain":["-----BEGIN CERTIFICATE-----\nMIIEOzCCAy....-----END CERTIFICATE-----","-----BEGIN CERTIFICATE-----\n....QpIVy3ivFyYsIqIq3bBb+JRw==\n-----END CERTIFICATE-----"]}],"upn_suffixes":["vsphere.local","bma.local"],"type":"","group_map":GROUP_VALUE_NAME}}
Returns the entire trust object. GROUP_VALUE_NAME is the entire value after the colon that follows "group_map"; it is passed back unchanged in the next step.

4. curl --insecure  --request  PATCH  -H 'Content-Type:application/json' -X PATCH --header 'vmware-api-session-id: SESSION_ID' --data-ascii  '{"spec": { "group_map":GROUP_VALUE_NAME}}' --url 'https://VMC_SDDC_ADDRESS/rest/vcenter/trust/vc-trusts/DOMAIN_ID'


Once all four curl commands have completed successfully, reboot the vCenter Cloud Gateway.
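The four steps above, carried out from one script instead of four hand-edited curl commands. This is an added example, not code from the article or from VMware: the endpoint paths and the response shapes are taken from the article's commands and sample output, and it is assumed that the session endpoint answers `{"value": "SESSION_ID"}` and that a successful PATCH may return an empty body. The script prompts for the CloudAdmin password rather than taking it on the command line, verifies the SDDC certificate by default (`--insecure` reproduces the article's `curl -k`), and refuses to patch when the trust listing contains anything other than exactly one domain.

```python
"""Re-apply the CloudAdmin group_map on a VMC on AWS vCenter trust (added example)."""
import argparse
import base64
import getpass
import json
import ssl
import urllib.request

SESSION_HEADER = "vmware-api-session-id"


def list_trust_domains(vc_trusts_response):
    """Step 2: collect every domain id from the /vcenter/trust/vc-trusts listing.
    The article shows a single entry; returning all of them lets the caller
    notice an unexpected second trust instead of patching the wrong one."""
    return [entry["domain"] for entry in vc_trusts_response.get("value", [])]


def build_patch_body(trust_response):
    """Step 4: build the PATCH payload from the step-3 trust object, carrying
    group_map over unmodified (GROUP_VALUE_NAME in the article)."""
    trust = trust_response["value"]
    if "group_map" not in trust:
        raise ValueError("trust object has no group_map; nothing to re-apply")
    return json.dumps({"spec": {"group_map": trust["group_map"]}})


class VcTrustClient:
    """Minimal urllib client for the endpoints used in the article."""

    def __init__(self, sddc, verify=True):
        self.base = "https://%s/rest" % sddc
        self.ctx = ssl.create_default_context()
        if not verify:  # equivalent of the article's 'curl -k'
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.session_id = None

    def _call(self, method, path, body=None, headers=None):
        req = urllib.request.Request(self.base + path, method=method, data=body)
        req.add_header("Accept", "application/json")
        for name, value in (headers or {}).items():
            req.add_header(name, value)
        if self.session_id:
            req.add_header(SESSION_HEADER, self.session_id)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            raw = resp.read()
        return json.loads(raw.decode()) if raw else None  # PATCH may return nothing

    def login(self, user, password):
        # Step 1: HTTP basic auth, the same credential form as 'curl -u'
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        data = self._call("POST", "/com/vmware/cis/session",
                          headers={"Authorization": "Basic " + token})
        self.session_id = data["value"]  # assumed response shape {"value": SESSION_ID}
        return self.session_id

    def get_trusts(self):
        return self._call("GET", "/vcenter/trust/vc-trusts")

    def get_trust(self, domain_id):
        return self._call("GET", "/vcenter/trust/vc-trusts/" + domain_id)

    def patch_trust(self, domain_id, body):
        return self._call("PATCH", "/vcenter/trust/vc-trusts/" + domain_id,
                          body=body.encode(),
                          headers={"Content-Type": "application/json"})


def repair_trust(client, user, password):
    """Run steps 1-4 in order; returns the domain id that was patched."""
    client.login(user, password)
    domains = list_trust_domains(client.get_trusts())
    if len(domains) != 1:
        raise RuntimeError("expected exactly one trusted domain, got %r" % domains)
    domain_id = domains[0]
    client.patch_trust(domain_id, build_patch_body(client.get_trust(domain_id)))
    return domain_id


if __name__ == "__main__":
    ap = argparse.ArgumentParser()
    ap.add_argument("sddc", help="VMC_SDDC_ADDRESS from the article")
    ap.add_argument("--user", default="cloudadmin@vmc.local")
    ap.add_argument("--insecure", action="store_true", help="skip TLS verification")
    args = ap.parse_args()
    pw = getpass.getpass("CloudAdmin password: ")
    print("patched trust for domain", repair_trust(
        VcTrustClient(args.sddc, verify=not args.insecure), args.user, pw))
```

Run it as `python3 repair_trust.py VMC_SDDC_ADDRESS` from the vCenter Cloud Gateway, then reboot the gateway as the article instructs. Because `group_map` is re-serialised from the parsed step-3 response rather than copied out of terminal output, the usual failure of step 4 (a hand-copied GROUP_VALUE_NAME that is no longer valid JSON) cannot occur.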