wcp service fails to start due to permission error

Article ID: 319362


Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

The WCP service fails to start due to permission errors.

Examples of the permission errors can be found on the vCenter in /var/log/vmware/wcp/wcpsvc.log:


2022-08-08T10:00:07.807Z error wcp [crypto/cryptography.go:67] Unable to read key from file /etc/vmware/wcp/keyForCryptography.dat. Error: open /etc/vmware/wcp/keyForCryptography.dat: permission denied

2022-08-08T10:00:07.807Z error wcp [ssolib/helper.go:105] Failed executing shell command; cmd: '/usr/lib/vmware-vmafd/bin/vecs-cli', args: [entry getcert --store vpxd-extension --alias vpxd-extension], stdout: ' ', stderr: 'vecs-cli failed. Error 5: Possible errors:

LDAP error: Compare False

Win Error: Operation failed with error ERROR_ACCESS_DENIED (5)

', err: exit status 5    

Environment

vCenter 7

Cause

The WCP service runs as user wcp instead of root. If permissions to VECS are removed for this user, the WCP service fails to verify solution users, which leads to service start failures.

Resolution

This issue is resolved in:

vCenter 7.0U3f (build 20051473)

Workaround:

Grant read access for wcp and vpxd-extension users to the VECS wcp store:
  1. Access the vCenter via SSH

  2. Check the current permissions:

    /usr/lib/vmware-vmafd/bin/vecs-cli store get-permissions --name wcp

    The output should look like the following example:

    PERMISSIONS FOR STORE: [wcp]
    OWNER : root
    USER            ACCESS
    wcp     read
    vpxd    read
    content-library read

  3. Run the following commands to grant the correct access:

    /usr/lib/vmware-vmafd/bin/vecs-cli store permission --name wcp --user wcp --grant read

    /usr/lib/vmware-vmafd/bin/vecs-cli store permission --name vpxd-extension --user wcp --grant read
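
The check from step 2 can be scripted to confirm that the grants from step 3 are in place. This is an added example, not part of the original article or of VMware's tooling: the function names has_read_access and check_wcp_stores are hypothetical, the second sample is constructed, and the parser assumes the get-permissions output layout shown in step 2.

```shell
#!/bin/sh
# Added example, not from the KB article. Assumes the output layout of
# `vecs-cli store get-permissions` shown in step 2.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli

# Sample output from the article (store wcp, access intact).
SAMPLE_OK='PERMISSIONS FOR STORE: [wcp]
OWNER : root
USER            ACCESS
wcp     read
vpxd    read
content-library read'

# Constructed sample: the same store with the wcp row missing.
SAMPLE_MISSING='PERMISSIONS FOR STORE: [wcp]
OWNER : root
USER            ACCESS
vpxd    read
content-library read'

# has_read_access USER: parse get-permissions output on stdin.
# Returns 0 only if USER has a row with "read" in the USER/ACCESS table.
has_read_access() {
    awk -v user="$1" '
        $1 == "USER" && $2 == "ACCESS" { in_table = 1; next }
        in_table && $1 == user {
            for (i = 2; i <= NF; i++) if ($i == "read") found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# check_wcp_stores (hypothetical helper): verify user wcp on both stores
# named in step 3. Returns 1 if either grant is missing or unreadable.
check_wcp_stores() {
    rc=0
    for store in wcp vpxd-extension; do
        if "$VECS_CLI" store get-permissions --name "$store" 2>/dev/null |
            has_read_access wcp; then
            echo "OK: user wcp has read access to store $store"
        else
            echo "MISSING: user wcp lacks read access to store $store"
            rc=1
        fi
    done
    return "$rc"
}

# Only query VECS when run on a vCenter appliance.
if [ -x "$VECS_CLI" ]; then check_wcp_stores; fi
```

Run it as root over SSH before and after step 3; a MISSING line identifies the store that still needs the grant.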