SDDC Manager password remediation for vRSLCM root account fails with Algorithm negotiation fail error


Article ID: 316025


Products

VMware Cloud Foundation

Issue/Introduction

This KB describes how to clear the disconnected state of the vRSLCM root password shown under Password Management in SDDC Manager.

Symptoms:

  • The vRSLCM root password is in a disconnected state under Password Management in the SDDC Manager UI.
  • The VCF version in use is 4.x or 5.0.x.
  • The vRSLCM version is 8.14.x.
  • Remediation of the account fails consistently with the error "Failed to establish SSH session to <vRSLCM_FQDN>".
  • The vRSLCM root password is valid and properly stored in the SDDC Manager.
  • SSH from the SDDC Manager to the vRSLCM appliance succeeds.
  • /var/log/vmware/vcf/operationsmanager/operationsmanager.log shows entries similar to:


YYYY-MM-DDTHH:MM:SS.222+0000 DEBUG [vcf_om,xxxxxxxxxxxxxxxx,f4d5] [c.v.v.s.c.s.SecurityConfigurationServiceImpl,om-exec-26] Security config retrieved {"certificateValidationEnabled":true,"fipsMode":false}
YYYY-MM-DDTHH:MM:SS.227+0000 DEBUG [vcf_om,xxxxxxxxxxxxxxxx,e060] [c.v.v.s.t.DynamicTrustManager,om-exec-3] Checking validity of certificate chain EMAILADDRESS=null, CN=xxxxxxxxxxxxxxxx, OU=VMware Engineering, O=VMware, L=Palo Alto, ST=California, C=US,OU=VMware Engineering, O=VMWARE, ST=California, C=US, DC=local, DC=vsphere, CN=CA
YYYY-MM-DDTHH:MM:SS.227+0000 DEBUG [vcf_om,xxxxxxxxxxxxxxxx,e060] [c.v.v.s.t.DynamicTrustManager,om-exec-3] Certificate chain EMAILADDRESS=null, CN=xxxxxxxxxxxxxxxx, OU=VMware Engineering, O=VMware, L=Palo Alto, ST=California, C=US,OU=VMware Engineering, O=VMWARE, ST=California, C=US, DC=local, DC=vsphere, CN=CA is valid
YYYY-MM-DDTHH:MM:SS.258+0000 ERROR [vcf_om,xxxxxxxxxxxxxxxx,f4d5] [c.v.evo.sddc.common.util.SshUtil,om-exec-26] Unable to create jsch CLI session:
com.jcraft.jsch.JSchException: Algorithm negotiation fail
        at com.jcraft.jsch.Session.receive_kexinit(Session.java:590)
        at com.jcraft.jsch.Session.connect(Session.java:320)
        at com.vmware.evo.sddc.common.util.SshUtil.getSession(SshUtil.java:678)
        at com.vmware.evo.sddc.common.util.SshUtil.getSession(SshUtil.java:626)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuter.<init>(SshCommandExecuter.java:46)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory.createSshCommandExecuter(SshCommandExecuterFactory.java:71)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory.createSshCommandExecuter(SshCommandExecuterFactory.java:42)
        at com.vmware.evo.sddc.common.util.command.SshCommandExecuterFactory$$FastClassBySpringCGLIB$$8ecab67d.invoke(<generated>)
        at org.springframework.cglib.proxy.MethodProxy.invoke(MethodProxy.java:218)
        at org.springframework.aop.framework.CglibAopProxy$CglibMethodInvocation.invokeJoinpoint(CglibAopProxy.j

Environment

VMware Cloud Foundation 4.x

VMware Cloud Foundation 5.x

Resolution

The issue is fixed in vRSLCM 8.16+ and in VCF 5.1.1 (which is expected to contain vRSLCM 8.16).

Workaround:

  1. Snapshot the vRSLCM appliance as per component documentation
  2. SSH to the vRSLCM appliance as root user
  3. Backup sshd_config
    • cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  4. Edit sshd_config file on the vRSLCM appliance
    • vi /etc/ssh/sshd_config
  5. Add the following MAC (message authentication code) algorithms to the 'MACs' line:
    • hmac-sha2-512,hmac-sha2-256
    • e.g.
      # Example of overriding settings on a per-user basis
      #Match User anoncvs
      #       X11Forwarding no
      #       AllowTcpForwarding no
      Ciphers [email protected],[email protected],aes256-ctr,aes192-ctr,aes128-ctr
      MACs [email protected],[email protected],hmac-sha2-512,hmac-sha2-256
      AllowGroups wheel
      #       PermitTTY no
      #       ForceCommand cvs server
      UsePrivilegeSeparation yes
      RhostsRSAAuthentication no
      DenyGroups cap_vami_users
  6. Restart the sshd service
    • systemctl restart sshd.service
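Steps 3 to 6 above in scripted form, added here as an example and not part of this KB or of VMware's tooling. It assumes POSIX sh with awk on the appliance, at most one MACs directive in sshd_config, and that sshd and systemctl are on the PATH; the --apply flag and the .bak/.tmp file names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the KB: apply the KB's sshd_config workaround
# idempotently and validate the result before restarting sshd.
# Assumes POSIX sh with awk and at most one MACs directive in the file.
# The MAC algorithms the KB says to add to the MACs line.
WANTED_MACS="hmac-sha2-512,hmac-sha2-256"

# Print the value of the MACs directive in $1 (nothing if the file has none).
macs_of() {
    awk 'tolower($1) == "macs" { print $2; exit }' "$1"
}

# Back up $1 to $1.bak (KB step 3), then append each wanted MAC that is not
# already an exact token on the MACs line (KB step 5). A file with no MACs
# line is left unchanged: OpenSSH's built-in default set already offers both.
add_macs() {
    cfg="$1"
    cp "$cfg" "$cfg.bak" || return 1
    awk -v add="$WANTED_MACS" '
        tolower($1) == "macs" {
            n = split(add, want, ",")
            for (i = 1; i <= n; i++)
                if (index("," $2 ",", "," want[i] ",") == 0)
                    $2 = $2 "," want[i]
            print "MACs " $2
            next
        }
        { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# Live appliance path: edit, syntax-check, then restart sshd (KB step 6).
# A config sshd rejects is rolled back instead of restarted, so the SSH
# path that the remediation itself depends on is never cut off.
apply_workaround() {
    cfg="${1:-/etc/ssh/sshd_config}"
    add_macs "$cfg" || return 1
    if ! sshd -t -f "$cfg"; then
        echo "sshd rejected $cfg; restoring backup" >&2
        cp "$cfg.bak" "$cfg"
        return 1
    fi
    systemctl restart sshd.service
}

# Only touch the real config when asked explicitly: sh fix_macs.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_workaround /etc/ssh/sshd_config
fi
```

Running it a second time makes no further change, and `macs_of /etc/ssh/sshd_config` is a quick way to confirm the line before re-trying the remediation in SDDC Manager.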


Note: In case the issue still persists please reach out to the VMware by Broadcom Support Team.

Additional Information

Impact/Risks:
Minimal. However, it is strongly recommended to take a snapshot of the vRSLCM appliance before proceeding with the workaround.