After configuring the Platform Services Controller for Smart Card authentication, the Secure Token Service will not start, or partially starts on vCenter Server 6.5/6.7/7.0
search cancel

After configuring the Platform Services Controller for Smart Card authentication, the Secure Token Service will not start, or partially starts on vCenter Server 6.5/6.7/7.0

book

Article ID: 320014

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
After performing the steps in the vCenter 7.0 documentation to enable Smart Card authentication on the Platform Services Controller in vCenter 6.5/6.7/7.0, the following symptoms are observed:

  • the Secure Token Service (vmware-stsd/VMwareSTS) either fails to start, or starts but does not listen on port 7080
  • several other services do not start, due to their inability to connect to the Lookup Service
  • Logging will appear similarly to the following in the Catalina logs located in:
    • Appliance: /var/log/vmware/sso
    • Windows: "%VMWARE_RUNTIME_DATA_DIR%"\VMwareSTSService\logs

DD-MM-YYYY HH:MM:SS.610 SEVERE [main] org.apache.tomcat.util.digester.Digester.endElement End event threw exception
 java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:377)
        at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
        at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:1017)
        at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.endElement(AbstractSAXParser.java:609)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanEndElement(XMLDocumentFragmentScannerImpl.java:1782)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl$FragmentContentDriver.next(XMLDocumentFragmentScannerImpl.java:2967)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentScannerImpl.next(XMLDocumentScannerImpl.java:602)
        at com.sun.org.apache.xerces.internal.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:505)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:842)
        at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:771)
        at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
        at com.sun.org.apache.xerces.internal.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1213)
        at com.sun.org.apache.xerces.internal.jaxp.SAXParserImpl$JAXPSAXParser.parse(SAXParserImpl.java:643)
        at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1518)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:610)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.init(Bootstrap.java:339)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.commons.daemon.support.DaemonLoader.load(DaemonLoader.java:210)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
        at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:266)
        at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:221)
        at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:477)
        at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:860)

Environment

VMware vCenter Server 6.7.x
VMware vCenter Server 7.0.x
VMware vCenter Server 6.5.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server Appliance 6.7.x

Cause

As the backend Tomcat service is no longer configured to prompt for Smart Cards in vCenter 6.5/6.7/7.0 ( instead reverse proxy now performs the configuration), the -set_tc_cert_authn option with the sso-config.[sh|bat] script, as it sets options within the Tomcat server's configuration file that are incompatible with the version of Tomcat in vCenter 6.5/6.7/7.0.

Resolution

If snapshots are available, please roll back to resolve the issue.

If a snapshot is not present, restore the Tomcat server's configuration file at the following locations:
  • Appliance: /usr/lib/vmware-sso/vmware-sts/conf
  • Windows: "%VMWARE_RUNTIME_DATA_DIR%"\VMwareSTSService\conf
The sso-config.[sh|bat] script creates a backup of this file in the same directory called server.xml.orig when it runs. Restoring this file to server.xml will allow the Secure Token Service to start correctly.

Note that if the sso-config.[sh|bat] script was run multiple times, then there may not be a working copy of the server.xml file available on the node, in which case a new vCenter will need to be deployed (do not join it to an existing SSO domain) and its server.xml file can be copied to the damaged node (there is no system-specific data in the configuration file).

Powered by Wolken Software