"Authentication required" error when pairing cloud sites in vCloud Availability 3.x
Article ID: 314986
Updated On:
Products
VMware Cloud Director
Issue/Introduction
Symptoms:
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
- When you pair cloud sites in the vCloud Availability Provider Portal, the task fails and you see the following error:
Authentication required.
- When you repair cloud sites in the vCloud Availability Provider Portal, the task fails and you see the following error on the remote site entry:
Certificate differs from the expected one.
- In /opt/vmware/h4/cloud/log/cloud.log on the vCloud Availability vApp Replication Manager, you may see similar messages:
2019-08-26 14:37:09.484 DEBUG - [UI__2766ee5a-8f91-45d8-b913-2fa4c162b973_Dn_p2] [job-59] com.vmware.h4.jobengine.JobExecution : Task 702be530-5758-44f0-8a7c-39fe9599508c (WorkflowInfo{type='pair', resourceType='site', resourceId='Provider-Site', isPrivate=false, resourceName='Service Provider Site'}) completed with result VcloudSiteInfo{apiPublicUrl='null', isLocal=false, state=PeerState{incomingCommError=null, outgoingCommError=ApiError{code='RemoteAuthenticationFailure', msg='Authentication failure.', args=[], stacktrace='com.vmware.h4.cloud.api.exceptions.RemoteAuthenticationFailureException: Authentication failure.
at com.vmware.h4.cloud.peer.client.PeerCloudFactory.lambda$initErrorDeserializer$0(PeerCloudFactory.java:59)
at com.vmware.rest.client.AbstractRestClient.convert(AbstractRestClient.java:208)
at com.vmware.rest.client.json.RestClient.exchange(RestClient.java:103)
...
2019-08-26 14:47:34.011 ERROR - [UI__6049e825-796f-40ed-ac02-e63733894733_Ez] [https-jsse-nio-8443-exec-10] c.v.h.c.c.error.ExceptionAdvisorBase : A GET request from root[172.17.195.110] to /vm-replications/summary?sourceSiteType=vcloud&destinationSiteType=vcloud&site=Tenant-Site failed.
com.vmware.exception.CertificateMismatchException: java.security.cert.CertificateException: Certificate seen on the network differs from the certificate we expected
at com.vmware.exception.converter.ClientExceptionConverter.convertException(ClientExceptionConverter.java:50)
at com.vmware.rest.client.AbstractRestClient.genericExchange(AbstractRestClient.java:146)
at com.vmware.rest.client.json.RestClient.exchange(RestClient.java:96)
...
at com.vmware.h4.cloud.peer.client.PeerCloudFactory.lambda$initErrorDeserializer$0(PeerCloudFactory.java:59)
at com.vmware.rest.client.AbstractRestClient.convert(AbstractRestClient.java:208)
at com.vmware.rest.client.json.RestClient.exchange(RestClient.java:103)
...
2019-08-26 14:47:34.011 ERROR - [UI__6049e825-796f-40ed-ac02-e63733894733_Ez] [https-jsse-nio-8443-exec-10] c.v.h.c.c.error.ExceptionAdvisorBase : A GET request from root[172.17.195.110] to /vm-replications/summary?sourceSiteType=vcloud&destinationSiteType=vcloud&site=Tenant-Site failed.
com.vmware.exception.CertificateMismatchException: java.security.cert.CertificateException: Certificate seen on the network differs from the certificate we expected
at com.vmware.exception.converter.ClientExceptionConverter.convertException(ClientExceptionConverter.java:50)
at com.vmware.rest.client.AbstractRestClient.genericExchange(AbstractRestClient.java:146)
at com.vmware.rest.client.json.RestClient.exchange(RestClient.java:96)
...
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
Environment
VMware vCloud Availability 3.0.x
Cause
This issue can occur when the administrative API session that is used to pair the sites is unable to authenticate because the source IP is not trusted. This can happen because administrative API access is restricted by default from vCloud Availability 3.0.1 onwards.
Resolution
To resolve this issue, you can temporarily disable administrative API session restrictions based on source IP in vCloud Availability.
For each vCloud Availability site, perform the following steps:
For each vCloud Availability site, perform the following steps:
- Log in to the vCloud Availability Provider Portal.
- In the left pane, click Configuration.
- Under Security settings, next to Restrict Admin APIs by source IP click Edit.
- In the Restrict Admin APIs by source IP window, select Allow admin access from anywhere and click Apply.
- In one site, log into the vCloud Availability Provider Portal.
- In the left pane, click Sites.
- On the Cloud sites page, click New Pairing.
- In the New Pairing window, configure the connection to the cloud site, and click Pair.
- To complete the pair process, accept the remote vCloud Availability vApp Replication Manager SSL certificate.
Additional Information
- For more information on how to pair sites, see the Pair Cloud Sites section of the vCloud Availability documentation.
- For more information on restricting admin APIs by source IP, see the Restrict Public Administrative Access to vCloud Availability section of the vCloud Availability documentation.
Feedback
Yes
No
Powered by
