InvalidKeySpecException: key spec not recognized error when upgrading Aria Automation, Aria Operations for Logs and Aria Operations for Network with Aria Suite Lifecycle 8.14 Patch 1 and later

Article ID: 314898

Products

VMware Aria Suite

Issue/Introduction

  • When upgrading Aria Automation 8.12 and later environments with Aria Suite Lifecycle 8.14 Patch 1 and later, you receive the error:

Error Code: LCMVRACONFIG50008 Check VMware Aria Automation hostname is resolvable and reachable. Check VMware Aria Automation hostname is resolvable and reachable. com.vmware.vrealize.lcm.common.exception.userinput.vra.VraVamiHostNameInvalidException: Unable to run command + vracli upgrade status --json . Ensure the VMware Aria Automation VA host <Hostname> is reachable. at com.vmware.vrealize.lcm.drivers.vra80.helpers.VraPreludeInstallHelper.checkUpgradeStatus(VraPreludeInstallHelper.java:495)

  • When upgrading Aria Operations for Logs 8.12 and later with Aria Suite Lifecycle 8.14 Patch 1 and later, you receive the error:

Error Code: LCMVRACONFIG40004 Invalid hostname provided for VMware Aria Operations for Logs. Invalid hostname provided for VMware Aria Operations for Logs. com.vmware.vrealize.lcm.vrli.plugin.VrliImportEnvironmentTask.exception.VrliInvalidHostException: Cannot execute ssh commands. Exception encountered : Session.connect: java.security.spec.InvalidKeySpecException: key spec not recognized
        at com.vmware.vrealize.lcm.plugin.vrli.VrliImportEnvironmentTask.execute(VrliImportEnvironmentTask.java:342) [vmlcm-vrliplugin-core-8.12.0-SNAPSHOT.jar!/:?]
        at com.vmware.vrealize.lcm.automata.core.TaskThread.run(TaskThread.java:63) [vmlcm-engineservice-core-8.12.0-SNAPSHOT.jar!/:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source) [?:?]
        at java.lang.Thread.run(Unknown Source) [?:?] 

  • The /var/log/vrlcm/vmware_vrlcm.log contains an InvalidKeySpecException similar to:
ERROR [pool-3-thread-18] c.v.v.l.u.SessionHolder -  -- SessionHolder.newSession Exception encountered
com.jcraft.jsch.JSchException: Session.connect: java.security.spec.InvalidKeySpecException: key spec not recognized
        at com.jcraft.jsch.Session.connect(Session.java:550) ~[jsch-0.2.13.jar!/:0.2.13]
        at com.vmware.vrealize.lcm.util.SessionHolder.newSession(SessionHolder.java:53) [lcm-util-8.16.0-SNAPSHOT.jar!/:?]
  • The upgrade request may fail at early initialization stages with the error "UNKNOWN_LCM_ERROR".

Environment

VMware Aria Suite Lifecycle 8.14 Patch 1 and later releases

VMware Aria Automation 8.12 and later 

VMware Aria Operations for Logs 8.12 and later 

VMware Aria Operations for Network 6.x

Cause

  • The logs above show that Aria Suite Lifecycle fails to establish an SSH connection with the product because the cipher algorithms used at the two ends do not match.
  • This is due to the removal of weak cipher algorithms from Aria Suite Lifecycle post the 8.14 Patch 1 release, to remediate reported security vulnerabilities.
  • As a result, earlier releases of the other Aria Suite products (released prior to Aria Suite Lifecycle 8.14 Patch 1) may be impacted, as they still use weak cipher algorithms.
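
The mismatch described above can be checked before an upgrade by comparing the product appliance's effective SSH server configuration (the output of `sshd -T`) with the client's algorithm list. The following is an added example, not code from this article or from the products: every algorithm list in it is constructed sample data, not the actual Aria Suite Lifecycle or product configuration, and it applies the first-match rule of RFC 4253 section 7.1 uniformly to each category, which is a simplification for key exchange.

```python
# Categories as printed (lowercase) by `sshd -T`, the effective server config.
CATEGORIES = ("kexalgorithms", "hostkeyalgorithms", "ciphers", "macs")

# Constructed sample of `sshd -T` output from a product appliance (not real data).
SAMPLE_SSHD_T = """\
port 22
ciphers aes128-cbc,3des-cbc
macs hmac-sha1,hmac-sha2-256
kexalgorithms diffie-hellman-group14-sha1,ecdh-sha2-nistp256
hostkeyalgorithms ssh-rsa,rsa-sha2-512
"""

# Constructed client offer after weak algorithms were removed (assumption, not
# the actual Aria Suite Lifecycle list), in client preference order.
SAMPLE_CLIENT = {
    "kexalgorithms": ["ecdh-sha2-nistp256", "diffie-hellman-group16-sha512"],
    "hostkeyalgorithms": ["rsa-sha2-512", "ecdsa-sha2-nistp256"],
    "ciphers": ["aes256-gcm@openssh.com", "aes128-ctr"],
    "macs": ["hmac-sha2-256", "hmac-sha2-512"],
}

def parse_sshd_t(text):
    """Return {category: [algorithms]} from `sshd -T` style output."""
    server = {}
    for line in text.splitlines():
        key, _, value = line.strip().partition(" ")
        if key.lower() in CATEGORIES and value:
            server[key.lower()] = [a.strip() for a in value.split(",") if a.strip()]
    return server

def negotiate(client, server):
    """Per category, pick the first client algorithm the server also offers;
    None means there is no common algorithm and the handshake cannot complete."""
    result = {}
    for cat in CATEGORIES:
        offered = set(server.get(cat, []))
        result[cat] = next((a for a in client.get(cat, []) if a in offered), None)
    return result

def blocking_categories(client, server):
    """Categories with no common algorithm, i.e. what must change on one side."""
    return [c for c, alg in negotiate(client, server).items() if alg is None]

if __name__ == "__main__":
    server = parse_sshd_t(SAMPLE_SSHD_T)
    for cat, alg in negotiate(SAMPLE_CLIENT, server).items():
        print(f"{cat:18} {alg or 'NO COMMON ALGORITHM'}")
```

With the constructed lists, only the ciphers category has no overlap, which is the kind of gap that removing weak ciphers on the product side and adding current ones closes.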

Resolution

Address the weak ciphers on the Products

  1. The weak ciphers can be removed manually from the Aria Suite products. For details, click here.
  2. Once they are removed, trigger an Inventory Sync from Aria Suite Lifecycle to the product and validate that it completes successfully.
  3. Initiate a new upgrade request for the product.

Workaround:
To work around the issue, follow either of the options below:

  1. Manual Upgrade of the Product
    1. A manual upgrade of the product proceeds successfully.
    2. Once it has completed, a retry issued on the failed upgrade request in Aria Suite Lifecycle will mark the upgrade as successful.
    3. Instead of a retry, an Inventory Sync after the manual upgrade should also update the inventory with the new version in the product details.

  2. Enable FIPS
    Note: VMware Aria Suite Lifecycle restarts when you activate or deactivate FIPS Mode Compliance. 
    1. From My Service dashboard, select Lifecycle Operations and then select Settings.
    2. On the System Administration page, click System Details.
    3. Activate or deactivate the FIPS Mode Compliance check box and then click UPDATE.
    4. Once the UI is up, trigger an Inventory Sync from Aria Suite Lifecycle to the product and validate that it completes successfully.
    5. Initiate a new upgrade request for the product.