Untrusted SSL certificate loops when attempting to connect to vRealize Identity Manager from vRealize Log Insight

Article ID: 315925

Products

VMware Aria Suite

Issue/Introduction

Symptoms:

  • Untrusted SSL certificate loops after going to Configuration > Authentication > Authentication Configuration and attempting to connect to the vIDM server.
  • The /storage/var/loginsight/runtime.log file shows errors similar to:
[2019-05-29 15:57:29.232+0000] ["https-jsse-nio-443-exec-5"/XXX.XXX.XXX.30 INFO] [com.vmware.loginsight.web.stripesext.RestCsrfPreventionFilter] [A modifying HTTP request without a valid token was rejected. Method=POST, Reason=Missing session cookie, URL=https://***FQDN***/admin/auth, X-CSRF-Token=#######fY-B14=]
[2019-05-29 16:11:24.303+0000] ["https-jsse-nio-443-exec-10"/XXX.XXX.XXX..30 INFO] [com.vmware.loginsight.web.actions.settings.AuthConfigurationActionBean] [Unable to login to VMware Identity Manager]
com.vmware.loginsight.aaa.vidm.exception.LoginException: Unexpected HTTP response from VMware Identity Manager instance. :: null Received unexpected response from VMware Identity Manager instance. Domain : #####lebxxpidm01.
        at com.vmware.loginsight.aaa.vidm.VIDMConnector.vIDMLogin(VIDMConnector.java:87)
        at com.vmware.loginsight.web.actions.settings.AuthConfigurationActionBean.mergeVIDMValues(AuthConfigurationActionBean.java:415)
        at com.vmware.loginsight.web.actions.settings.AuthConfigurationActionBean.validateVIDM(AuthConfigurationActionBean.java:619)
        at com.vmware.loginsight.web.actions.settings.AuthConfigurationActionBean.testVIDM(AuthConfigurationActionBean.java:360)
        at sun.reflect.GeneratedMethodAccessor179.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at net.sourceforge.stripes.controller.DispatcherHelper$6.intercept(DispatcherHelper.java:456)
        at net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:158)
        at org.stripesstuff.plugin.security.SecurityInterceptor.interceptEventHandling(SecurityInterceptor.java:188)
        at org.stripesstuff.plugin.security.SecurityInterceptor.intercept(SecurityInterceptor.java:120)
        at net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
        at net.sourceforge.stripes.controller.BeforeAfterMethodInterceptor.intercept(BeforeAfterMethodInterceptor.java:113)
        at net.sourceforge.stripes.controller.ExecutionContext.proceed(ExecutionContext.java:155)
        at net.sourceforge.stripes.controller.ExecutionContext.wrap(ExecutionContext.java:74)
        at net.sourceforge.stripes.controller.DispatcherHelper.invokeEventHandler(DispatcherHelper.java:454)
        at net.sourceforge.stripes.controller.DispatcherServlet.invokeEventHandler(DispatcherServlet.java:278)
        at net.sourceforge.stripes.controller.DispatcherServlet.service(DispatcherServlet.java:160)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:742)
        at net.sourceforge.stripes.controller.DynamicMappingFilter$2.doFilter(DynamicMappingFilter.java:453)
        at net.sourceforge.stripes.controller.StripesFilter.doFilter(StripesFilter.java:260)
        at net.sourceforge.stripes.controller.DynamicMappingFilter.doFilter(DynamicMappingFilter.java:440)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.displaytag.filter.ResponseOverrideFilter.doFilter(ResponseOverrideFilter.java:125)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at com.vmware.loginsight.web.stripesext.RestCsrfPreventionFilter.doFilter(RestCsrfPreventionFilter.java:177)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at com.vmware.loginsight.web.utilities.UTF8EncodingFilter.doFilter(UTF8EncodingFilter.java:24)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:199)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:610)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650)
        at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:240)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342)
        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:800)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:806)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1498)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
Environment

VMware vRealize Log Insight 4.x

Resolution

To resolve this issue, import the vIDM certificate into the vRealize Log Insight truststore.
  1. Navigate to vIDM in a web browser and export the certificate from the browser as vidmcert.crt.
  2. Copy the certificate file to the /tmp directory on each vRealize Log Insight node using an SCP Utility.
  3. Log into the vRealize Log Insight Primary node as root via SSH or the console (at the console, press ALT+F1 to reach the login prompt).
  4. Import the certificate into the truststore:
/usr/java/default/bin/keytool -import -alias VIDMCertificate -file /tmp/vidmcert.crt -keystore /usr/java/default/lib/security/cacerts -storepass changeit -noprompt
  5. Repeat steps 3 and 4 on all nodes in the vRealize Log Insight cluster.
  6. In the vRealize Log Insight UI, navigate to Configuration > Authentication > Authentication Configuration, then test and save the vIDM integration.
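The steps above are shown below as a single POSIX shell script. This is an added example, not a script from the KB article or from VMware: it fetches the certificate vIDM presents on port 443 with openssl instead of exporting it from a browser, refuses to import it unless its SHA-256 fingerprint matches the one you read off the browser's certificate dialog (the KB's -noprompt flag suppresses keytool's own trust prompt, so the check has to happen before the import), and replaces a stale copy of the alias if one is already in the truststore. The keytool path, cacerts path, alias and "changeit" password are the values from the KB command; VIDM_HOST and EXPECTED_FP are environment variables assumed for this script. It still has to be run on every node.

```shell
#!/bin/sh
# Added example (not from the KB): fetch, verify and import the vIDM certificate
# into the Log Insight JVM truststore on the node this script runs on.
set -eu

KEYTOOL="${KEYTOOL:-/usr/java/default/bin/keytool}"
CACERTS="${CACERTS:-/usr/java/default/lib/security/cacerts}"
STOREPASS="${STOREPASS:-changeit}"        # default JDK truststore password, as in the KB
ALIAS="${ALIAS:-VIDMCertificate}"         # alias used by the KB command

# Fetch the leaf certificate presented on port 443 and write it as PEM.
fetch_vidm_cert() {            # $1 = vIDM FQDN, $2 = output file
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$2"
}

# keytool -importcert expects a single certificate; reject anything else early.
is_pem_cert() {                # $1 = file
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" && grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Normalise a fingerprint so "ab:cd", "AB CD" and "abcd" compare equal.
norm_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F'
}

# 0 if the certificate's SHA-256 fingerprint equals the expected one.
fingerprint_matches() {        # $1 = file, $2 = expected fingerprint
    actual="$(openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2)"
    [ "$(norm_fp "$actual")" = "$(norm_fp "$2")" ]
}

# keytool -list -alias exits non-zero when the alias is absent.
alias_present() {
    "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$ALIAS" >/dev/null 2>&1
}

import_cert() {                # $1 = certificate file
    if alias_present; then     # drop a stale copy so the new one is not rejected
        "$KEYTOOL" -delete -alias "$ALIAS" -keystore "$CACERTS" -storepass "$STOREPASS"
    fi
    # -importcert is the current spelling of the KB's -import.
    "$KEYTOOL" -importcert -alias "$ALIAS" -file "$1" -keystore "$CACERTS" \
        -storepass "$STOREPASS" -noprompt
}

main() {                       # $1 = vIDM FQDN, $2 = expected SHA-256 fingerprint
    cert=/tmp/vidmcert.crt
    fetch_vidm_cert "$1" "$cert"
    is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
    fingerprint_matches "$cert" "$2" || { echo "fingerprint mismatch, refusing to import" >&2; return 1; }
    import_cert "$cert"
    alias_present && echo "imported $ALIAS into $CACERTS"
}

# Runs only when both variables are supplied, e.g.
#   VIDM_HOST=vidm.example.com EXPECTED_FP='AB:CD:...' sh import-vidm-cert.sh
if [ -n "${VIDM_HOST:-}" ] && [ -n "${EXPECTED_FP:-}" ]; then
    main "$VIDM_HOST" "$EXPECTED_FP"
fi
```

Run it as root on the Primary node and then on every other node, then test and save the integration in the UI as in step 6. If the fingerprint you were given does not match what the node receives, stop and find out why before trusting anything; that mismatch is exactly what the truststore check is there to catch.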


Workaround:
If the vIDM certificate cannot be imported into the truststore, use the following workaround.
  1. Download the cacerts file attached to this article.
  2. Copy cacerts to the /usr/java/default/lib/security/ directory on each node in the vRealize Log Insight cluster, overwriting the existing file, using an SCP Utility.
  3. Log into the vRealize Log Insight Primary node as root via SSH or the console (at the console, press ALT+F1 to reach the login prompt).
  4. Run the following command to log into the Cassandra database:
CASSANDRAUSER="$(/usr/lib/loginsight/application/lib/apache-cassandra-3.11.2/bin/credentials-look-up| grep "user value=" | awk -F'"' '{print $2}')"; CASSANDRAPASSWORD="$(/usr/lib/loginsight/application/lib/apache-cassandra-3.11.2/bin/credentials-look-up| grep "password value=" | awk -F '"' '{print $2}')"; /usr/lib/loginsight/application/lib/apache-cassandra-3.11.2/bin/cqlsh -u $CASSANDRAUSER -p $CASSANDRAPASSWORD
  5. Run the following command to truncate the logdb.ca_certs_v3 table:
truncate logdb.ca_certs_v3;
  6. Exit Cassandra by running the following:
exit
  7. Restart the loginsight service:
service loginsight restart
  8. Repeat steps 3 through 7 on all nodes in the vRealize Log Insight cluster.
  9. In the vRealize Log Insight UI, navigate to Configuration > Authentication > Authentication Configuration, then test and save the vIDM integration.
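Steps 4 through 7 of the workaround, as an added POSIX shell example that is not part of the KB article: it reads the Cassandra credentials with the same credentials-look-up, grep and awk pipeline the KB command uses, but stops with an error if either value comes back empty (the KB one-liner would otherwise call cqlsh with a blank user or password), then runs the TRUNCATE non-interactively with cqlsh -e and restarts the service. The Cassandra bin path and table name are the KB's; the credentials-look-up output format is inferred from the KB's grep pattern, and the sample output in the self-check is constructed. RUN_WORKAROUND is an assumed guard variable.

```shell
#!/bin/sh
# Added example (not from the KB): the Cassandra part of the workaround with a
# credential sanity check, for one Log Insight node.
set -eu

CASS_BIN="${CASS_BIN:-/usr/lib/loginsight/application/lib/apache-cassandra-3.11.2/bin}"

# Extract the quoted value of a '<key> value="..."' line from credentials-look-up
# output read on stdin. $1 = user | password. Same awk -F'"' '{print $2}' as the KB.
extract_credential() {
    grep "$1 value=" | awk -F'"' '{print $2}'
}

# 0 only if both a user and a password were actually found.
credentials_ok() {             # $1 = user, $2 = password
    [ -n "$1" ] && [ -n "$2" ]
}

truncate_ca_certs() {
    out="$("$CASS_BIN/credentials-look-up")"
    user="$(printf '%s\n' "$out" | extract_credential user)"
    pass="$(printf '%s\n' "$out" | extract_credential password)"
    credentials_ok "$user" "$pass" || { echo "could not read Cassandra credentials" >&2; return 1; }
    # -e runs the statement and exits, replacing the interactive truncate/exit steps.
    # TRUNCATE empties the whole table, not one row.
    "$CASS_BIN/cqlsh" -u "$user" -p "$pass" -e 'TRUNCATE logdb.ca_certs_v3;'
    service loginsight restart
}

# Guarded so the functions can be sourced without side effects:
#   RUN_WORKAROUND=yes sh truncate-ca-certs.sh
if [ "${RUN_WORKAROUND:-}" = "yes" ]; then
    truncate_ca_certs
fi
```

As with the KB one-liner, -u and -p put the database password on the cqlsh command line, where it is visible in the process list for the duration of the call; on a shared host, cqlsh's cqlshrc file is the quieter place for credentials. Steps 1 through 3 (the attached cacerts file, the copy, the login) and the UI test in step 9 are unchanged.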