Password Rotation of administrator@vsphere.local fails with "Unable to update password for vrops primary nodes"

Article ID: 313143

Products

VMware Aria Suite, VMware Cloud Foundation, VMware Aria Operations 8.x

Issue/Introduction

  • Rotating the administrator@vsphere.local password for the VC/PSC fails with the errors "Unable to update password for vROps primary nodes" and "Unable to update SSO with vROps primary nodes" after upgrading VMware Aria Operations to version 8.14 or later in VMware Cloud Foundation (VCF).
  • Additionally, you cannot update adapter instance credentials at the adapter level in the Aria Operations UI, because the Edit button is grayed out.

  • The VCF logs report the following: 

    DEBUG [vcf_om,2085b6240c83d243,4861] [c.v.v.p.helper.VropsConnection,om-exec-30] Setting vrops-vra adapter password for USER : [email protected]
    ERROR [vcf_om,2085b6240c83d243,4861] [c.v.v.p.helper.VropsConnection,om-exec-30] Error updating vRops
    com.vmware.ops.api.client.exceptions.AuthException: Current user does not have permission for current action
        at com.vmware.ops.api.client.internal.ResponseHandlerImpl.handleResponse(ResponseHandlerImpl.java:97)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:223)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165)
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140)
        at com.vmware.ops.api.client.internal.RestClientProxy.execute(RestClientProxy.java:489)
        at com.vmware.ops.api.client.internal.RestClientProxy.invoke(RestClientProxy.java:264)
        at com.vmware.ops.api.client.internal.DefaultClient$InvocationHandlerWrapper.invoke(DefaultClient.java:308)
        at com.sun.proxy.$Proxy529.updateCredential(Unknown Source)
        at com.vmware.vcf.passwordmanager.helper.VropsConnection.updateCredentialOnAdapter(VropsConnection.java:206)
        at com.vmware.vcf.passwordmanager.helper.VropsConnection.lambda$updateSsoCredentials$2(VropsConnection.java:136)
        at com.vmware.vcf.passwordmanager.helper.VropsConnection.updateCredentials(VropsConnection.java:156)
        at com.vmware.vcf.passwordmanager.helper.VropsConnection.updateSsoCredentials(VropsConnection.java:114)
        at com.vmware.vcf.passwordmanager.helper.VrealizeAdapterManager.updateVropsSsoCredentials(VrealizeAdapterManager.java:217)
        at com.vmware.vcf.passwordmanager.update.dependents.VropsSsoUpdater.update(VropsSsoUpdater.java:79)
        at com.vmware.vcf.passwordmanager.update.changers.AbstractPasswordChanger.doUpdaters(AbstractPasswordChanger.java:993)
        at com.vmware.vcf.passwordmanager.update.changers.AbstractPasswordChanger.updateAsync(AbstractPasswordChanger.java:595)
        at com.vmware.vcf.passwordmanager.update.changers.AbstractPasswordChanger.doUpdate(AbstractPasswordChanger.java:199)
        at com.vmware.vcf.passwordmanager.rotate.AbstractPasswordTransactionExecutor$1.call(AbstractPasswordTransactionExecutor.java:100)
        at com.vmware.vcf.passwordmanager.rotate.AbstractPasswordTransactionExecutor$1.call(AbstractPasswordTransactionExecutor.java:88)
        at org.springframework.cloud.sleuth.instrument.async.TraceCallable.call(TraceCallable.java:67)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
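
To tell this failure apart from other "Error updating vRops" events (for example a network timeout), the log signature above can be matched mechanically. The following is an added example, not VMware code: the function name and the sample lines are constructed for illustration, and the header pattern assumes the line layout quoted in this article.

```python
import re

# Header shape taken from the log lines quoted in this article:
#   LEVEL [service,traceId,spanId] [logger,thread] message
HEADER = re.compile(
    r"(?P<level>DEBUG|INFO|WARN|ERROR)\s+\[(?P<svc>[^,\]]*),(?P<trace>[0-9a-f]+),[^\]]*\]"
    r"\s+\[(?P<logger>[^,\]]+),[^\]]*\]\s+(?P<msg>.*)"
)
AUTH_DENIED = "AuthException: Current user does not have permission for current action"
ADAPTER_FRAME = "VropsConnection.updateCredentialOnAdapter"


def find_ownership_failures(lines):
    """Return one finding per 'Error updating vRops' event caused by the AuthException."""
    findings, current, user_by_trace = [], None, {}
    for raw in lines:
        line = raw.rstrip("\n")
        m = HEADER.search(line)
        if m:
            current = None  # a new log record ends the previous stack trace
            if not m["logger"].endswith("VropsConnection"):
                continue
            if m["level"] == "DEBUG" and "adapter password for USER" in m["msg"]:
                user_by_trace[m["trace"]] = m["msg"].split("USER :", 1)[-1].strip()
            elif m["level"] == "ERROR" and "Error updating vRops" in m["msg"]:
                current = {"trace": m["trace"], "user": user_by_trace.get(m["trace"]),
                           "auth_denied": False, "adapter_frame": False}
                findings.append(current)
        elif current is not None:
            # Continuation lines (exception text, stack frames) belong to the last ERROR.
            current["auth_denied"] |= AUTH_DENIED in line
            current["adapter_frame"] |= ADAPTER_FRAME in line
    return [f for f in findings if f["auth_denied"] and f["adapter_frame"]]


# Constructed sample: one permission failure and one unrelated timeout.
SAMPLE = """\
DEBUG [vcf_om,aaaa000000000001,4861] [c.v.v.p.helper.VropsConnection,om-exec-30] Setting vrops-vra adapter password for USER : rotated-user@example.invalid
ERROR [vcf_om,aaaa000000000001,4861] [c.v.v.p.helper.VropsConnection,om-exec-30] Error updating vRops
com.vmware.ops.api.client.exceptions.AuthException: Current user does not have permission for current action
    at com.vmware.vcf.passwordmanager.helper.VropsConnection.updateCredentialOnAdapter(VropsConnection.java:206)
ERROR [vcf_om,bbbb000000000002,4862] [c.v.v.p.helper.VropsConnection,om-exec-31] Error updating vRops
java.net.SocketTimeoutException: Read timed out
""".splitlines()

if __name__ == "__main__":
    for f in find_ownership_failures(SAMPLE):
        print(f"trace {f['trace']}: credential update denied for {f['user']}")
```

A match means the rotation reached Aria Operations but was rejected on permissions, which is the condition the Cause and Resolution sections below address.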

Environment

VMware Aria Operations: 8.14.x and later
VMware Cloud Foundation: 4.x and later

Cause

  • The issue arises after upgrading VMware Aria Operations to version 8.14 or later. These versions introduce a new feature that allows different users within Aria Operations to own specific credentials.
  • In previous versions, all credentials were owned by the admin user by default. Post-upgrade, all credentials must be explicitly assigned to a user. Credentials without an assigned user will appear on the Orphaned and Unassigned page. For security purposes, it is strongly recommended to assign all credentials to a user before use.

Resolution

Follow these steps to resolve the issue:

  • Log in to the Aria Operations UI using the admin account.

    For Aria Operations 8.14.x to 8.17.x Versions:

  • Navigate to Administration from the menu.
  • In the left pane, select Management > Orphaned and Unassigned.

    For Aria Operations 8.18.x Versions:

  • Go to Administration > Control Panel in the menu.
  • Click the Orphaned and Unassigned tile.

    Reassign Credentials:

  • Select the credential from the list.
  • Open the Actions dropdown and select Take Ownership as an Admin.

  • Once the credentials are reassigned, return to the adapter instance and attempt to edit the credential, or retry the password rotation from VMware Cloud Foundation (VCF).

    Important Note: Only admin users should perform these actions. VMware Cloud Foundation relies on the admin user for vCenter password updates on Aria Operations nodes through APIs.
    For further details, refer to the documentation on Managing Orphaned and Unassigned Content.