Error when trying to check the status of admin account password in Aria Operations for Logs: FAILED: Unable to get user data. Possible Cassandra is down.
Article ID: 322111
Updated On:
Products
VMware Aria Suite
Issue/Introduction
Symptoms:
- Unable to login Web Interface of Aria Operations for Logs. "Error authenticating user"
- When trying to check the status of admin password, get the following error: FAILED: Unable to get user data. Possible Cassandra is down.
- While resetting the admin credentials, getting following: ERROR: unable to get salt.
Environment
VMware Aria Operations for Logs 8.x
Cause
The "reset admin password" script is failing because it is using cqlsh-no-pass command underneath, which is in-turn failing because of expired certificate.
The internal certificates are expiring, and it can be validated by executing the commands below:
The internal certificates are expiring, and it can be validated by executing the commands below:
- keytool -list --keystore /usr/lib/loginsight/application/etc/truststore
- keytool -list --keystore /usr/lib/loginsight/application/etc/3rd_config/keystore
echo "" | keytool -list -keystore /usr/lib/loginsight/application/etc/3rd_config/keystore -rfc 2> /dev/null | openssl x509 -noout -enddate
Resolution
** Note: Emphasize to secure snapshots of all nodes (primary and worker nodes) before making any changes.
To resolve the issue, follow the steps below to reset admin password:
After the password has been changed and you are able to access the UI, you can replace the expired cert by following the steps mentioned below:
Once the certificate is renewed, revert the changes done in file: /storage/core/loginsight/cidata/cassandra/config/cqlshrc.
To resolve the issue, follow the steps below to reset admin password:
- Edit the following file: /storage/core/loginsight/cidata/cassandra/config/cqlshrc
- In the last line: “validate = true” should be replaced with “validate = false”
- After this change, run the li-reset-admin-passwd.sh script from this KB: Process to reset admin password
After the password has been changed and you are able to access the UI, you can replace the expired cert by following the steps mentioned below:
- Login to primary node UI
- Navigate to configuration
- Click on SSL
- Upload your certificate .pem file
- Validate the expiry date of the external cert from the browser and internal cert using the command: echo "" | keytool -list -keystore /usr/lib/loginsight/application/etc/3rd_config/keystore -rfc 2> /dev/null | openssl x509 -noout -enddate
Once the certificate is renewed, revert the changes done in file: /storage/core/loginsight/cidata/cassandra/config/cqlshrc.
- Edit the following file: /storage/core/loginsight/cidata/cassandra/config/cqlshrc
- In the last line: “validate = false” should be reverted to “validate = true”
Additional Information
-
To check if Cassandra is Up / Normal by running the command on primary node:
-
/usr/lib/loginsight/application/lib/apache-cassandra-*/bin/nodetool-no-pass status
-
-
Guidance to replace certificates:
Feedback
Yes
No
Powered by
