Unable to generate CSR from SDDC manager to renew vCenter Certificates due to Insufficient privileges
Article ID: 316107

Products

VMware Cloud Foundation
VMware vCenter Server

Issue/Introduction

This article provides the steps to restore SSO administrator account permissions by removing the bad entry with the wrong Role ID from the administrator user.

Symptoms:
  • Attempting to generate a CSR from SDDC Manager for the vCenter fails with the following error:
"Failed to generate CSR for vcsa.domain.com due to: 403 Forbidden: "{"type":"com.vmware.vapi.std.errors.unauthorized","value":{"error_type":"UNAUTHORIZED","messages":[{"args":[],"default_message":"Insufficient privileges. Contact the Administrator to get the required privileges.","id":"com.vmware.vapi.authorization.permission.denied"}]}}"."

  • SDDC Manager logs contain errors similar to the excerpt below:

/var/log/vmware/vcf/operationsmanager/operationsmanager.log

YYYY-MM-DD HH:MM:SS ERROR [vcf_om,xxxxxxxxxxxxxxxx,xxxx] [c.v.v.c.vc.VCenterCertificatePlugin,om-exec-28] Unable to generate csr for resource: vcsa.domain.com
YYYY-MM-DD HH:MM:SS DEBUG [vcf_om,xxxxxxxxxxxxxxxx,xxxx] [c.v.v.c.s.f.i.CertificateOperationsFacadeImpl,http-nio-127.0.0.1-7300-exec-4] DomainCertificateOperation: {"workflowId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","domainName":"xxx-xxx","operationType":"GENERATE_CSR","operationStatus":"FAILED","resourceCertificateOperations":[{"resource":{"hostName":"vcsa.domain.com","resourceType":"vcenter","master":false},"result":{"status":"FAILED","message":"{\"code\":\"CERTIFICATE_CSR_GEN_FAILED\",\"args\":[\"*****\",\"403 Forbidden: \\\"{\\\"type\\\":\\\"com.vmware.vapi.std.errors.unauthorized\\\",\\\"value\\\":{\\\"error_type\\\":\\\"UNAUTHORIZED\\\",\\\"messages\\\":[{\\\"args\\\":[],\\\"default_message\\\":\\\"Insufficient privileges. Contact the Administrator to get the required privileges.\\\",\\\"id\\\":\\\"com.vmware.vapi.authorization.permission.denied\\\"}]}}\\\"\"]}"},"creationTimestamp":1711623667082,"updateTimestamp":1711623669538}],"retryOperation":false}"

  • vCenter logs contain errors similar to the excerpt below:

/var/log/vmware/certificatemanagement/certificatemanagement-svcs.log

YYYY-MM-DD HH:MM:SS [tomcat-exec-6 [] ERROR com.vmware.certificatemanagement.vapi.impl.setup.AuthzPermissionValidator opId=] User VSPHERE.LOCAL\Administrator who belongs to groups [vsphere.local\CAAdmins, vsphere.local\Everyone, vsphere.local\SystemConfiguration.SupportUsers, vsphere.local\Users, vsphere.local\Administrators, vsphere.local\SystemConfiguration.Administrators, vsphere.local\SystemConfiguration.ReadOnly, vsphere.local\LicenseService.Administrators, vsphere.local\SystemConfiguration.BashShellAdministrators] has no required privileges [CertificateManagement.Manage, CertificateManagement.Administer] to invoke API com.vmware.vcenter.certificate_management.vcenter.tls_csr.create"

Environment

VMware Cloud Foundation 4.x
VMware Cloud Foundation 5.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

The vmdir information shows that the Administrator user has been assigned a Role ID belonging to the Content Library Administrator role, so the global permission entry no longer grants administrative privileges.
Note: To retrieve an LDIF file, see: How to export vmdir information from vSphere

See the example below:

dn: cn=VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
vmwAuthzPermissionPropagate: TRUE
objectClass: top
objectClass: vmwAuthzAclMap
cn: VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions
nTSecurityDescriptor:: AQAHhBQAAAA0AAAAAAAAAFQAAAABBgAAAAAABxUAAACiJWNDkcJltlrGR9gfqxUZ9AEAAAEGAAAAAAAHFQAAAKIlY0ORwmW2WsZH2B+rFRkgAgAAAgDAAAUAAAAAEygAMwAGIAEGAAAAAAAHFQAAAKIlY0ORwmW2WsZH2B+rFRn0AQAAABMoADMABiABBgAAAAAABxUAAACiJWNDkcJltlrGR9gfqxUZIAIAAAATKAAzAAYgAQYAAAAAAAcVAAAAoiVjQ5HCZbZaxkfYH6sVGQACAAAAEygAMwAGAAEGAAAAAAAHFQAAAKIlY0ORwmW2WsZH2B+rFRkDAgAAABMYADAAAAABAgAAAAAAByAAAACaAgAA
vmwAuthzPermissionRoleId: 1988801850 # <== The ID role attributed to the Administrator
vmwAuthzPrincipalGroup: FALSE
vmwAuthzPrincipalName: VSPHERE.LOCAL\Administrator
vmwAuthzDocUri: urn:acl:global:permissions
vmwAuthzPermissionVersion: 0

vmwAuthzRoleDescription: Administrator user for Content Library
objectClass: top
objectClass: vmwAuthzRole
cn: 1988801850   # <== The ID role of the Content Library administrator

Note: This ID might be different depending on the environment.
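As an added offline check (example code, not from the article or from VMware), the following parses a vmdir LDIF export like the one above, resolves every global-permission ACL map held by the SSO administrator to its role description, and flags any that resolve to a Content Library role. The sample LDIF is constructed from the entries shown above; the role entry's dn is a placeholder because the article does not show it.

```python
from typing import Dict, List, Tuple

# Constructed sample LDIF (reduced); the role dn and short nTSecurityDescriptor are placeholders.
SAMPLE_LDIF = """\
dn: cn=VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local
objectClass: vmwAuthzAclMap
cn: VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions
nTSecurityDescriptor:: AQAHhBQAAAA0AAAA
vmwAuthzPermissionRoleId: 1988801850
vmwAuthzPrincipalName: VSPHERE.LOCAL\\Administrator
vmwAuthzDocUri: urn:acl:global:permissions

dn: cn=1988801850,cn=PLACEHOLDER-role-container,dc=vsphere,dc=local
vmwAuthzRoleDescription: Administrator user for Content Library
objectClass: vmwAuthzRole
cn: 1988801850
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """LDIF -> list of entries (attribute -> values); folded lines re-joined, base64 kept raw."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:       # continuation of the previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:
        if not line.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")    # 'attr:: b64' leaves ': b64', stripped below
        current.setdefault(attr.strip(), []).append(value.lstrip(": ").strip())
    return entries

def global_permissions(entries, principal: str) -> List[Tuple[str, str, bool]]:
    """(role_id, role_description, is_content_library_role) per global permission of `principal`."""
    roles = {e.get("cn", [""])[0]: e.get("vmwAuthzRoleDescription", ["<no description>"])[0]
             for e in entries if "vmwAuthzRole" in e.get("objectClass", [])}
    found = []
    for e in entries:
        if ("vmwAuthzAclMap" in e.get("objectClass", [])
                and e.get("vmwAuthzDocUri", [""])[0] == "urn:acl:global:permissions"
                and e.get("vmwAuthzPrincipalName", [""])[0].lower() == principal.lower()):
            role_id = e.get("vmwAuthzPermissionRoleId", [""])[0]
            desc = roles.get(role_id, "<unknown role id>")
            found.append((role_id, desc, "content library" in desc.lower()))
    return found
```

The same functions work for any principal in the export, so they can also be used to review other accounts' global permissions before and after the fix.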

Resolution

To resolve the issue, remove the wrong entry containing the Content Library Administrator role from the administrator user.

Caution: Before applying the steps below, please take a backup or an offline-snapshot (in powered-off state) of all the vCenter Server Appliances in Linked Mode.


Method 1: Using ldapmodify

  1. SSH to vCenter as the root user and access the bash shell.

  2. Execute the following command to remove the bad entry. The LDIF is supplied to ldapmodify as a here-document; -W prompts for the administrator password, and the closing EOF must start at the beginning of its line:

/opt/likewise/bin/ldapmodify -h localhost -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W << EOF
dn: cn=VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions,cn=AclModel,cn=VmwAuthz,cn=Services,dc=vsphere,dc=local
changetype: delete
EOF
  3. Restart the vCenter services: Stopping, Starting or Restarting VMware vCenter Server Appliance 6.x & above services

Method 2: Using JXplorer

  1. Install JXplorer from the JXplorer download page.
Disclaimer: VMware is not responsible for the reliability of any data, opinions, advice, or statements made on third-party websites. Inclusion of such links does not imply that VMware endorses, recommends, or accepts any responsibility for the content of such sites.
  2. Open the JXplorer utility.
  3. Click on File > Connect and enter the following information:
    Host: FQDN_of_SSO_Server
    Protocol: LDAP v3
    Base DN: dc=vsphere,dc=local
    Security Level: User + Password
    Security User DN: cn=administrator,cn=users,dc=vsphere,dc=local
    Security Password: administrator password for the identity or SSO server
Note: The example above assumes that your SSO domain is called vsphere.local. If you are using a different domain name for the SSO domain, alter the Base DN and the Security User DN accordingly.
  4. Expand Services > VmwAuthz > AclModel and search for this specific entry:
    VSPHERE.LOCAL%5CAdministrator@false@urn%3Aacl%3Aglobal%3Apermissions
Note: Alternatively, you can filter on the CN directly in the search box at the top of the application.
  5. Select the entry and press CTRL-D, or right-click it and choose Delete.
  6. Restart the vCenter services: Stopping, Starting or Restarting VMware vCenter Server Appliance 6.x & above services

Additional Information

Impact/Risks:
  • vCenter certificate replacement workflow through SDDC manager fails due to insufficient permissions.
  • SSO Administrator account is restricted to read-only permissions.
  • From the vSphere client you cannot perform certain administrative tasks.