HW-134096 - VMware Identity Manager Connector may fail to communicate due to config-state.json corruption

Products

VMware Aria Suite

Issue/Introduction

VMware Identity Manager Connector may fail to communicate with the tenant nodes. This issue is observed when the config-state.json file gets corrupted. An error message similar to com.vmware.horizon.connector.utils.ServiceUtils - Failed to check service health: invalid MOL url is seen in the /opt/vmware/horizon/workspace/logs/connector.log and/or /opt/vmware/horizon/workspace/logs/horizon.log
Connector Failed to load Auth Adapters | Auth Adapters are missing from vIDM Node as per kb
LCM shows VIDM environment as healthy
Connector sync issue reported when checking VIDM health in VIDM
Sync connector fails with error - "Failed to parse response received from connector".
Corrupted config.json file also results in AD login failures
The UI will not load and the URL will be redirected to https://<vIDMFQDN>/hc/error where it may show an error similar to Error: You do not have permission to access this page: /hc/3104/authenticate/ or Error : See logs for details

Environment

VMware Identity Manager 3.3.x

Cause

This may occur when the disk space is full .

Resolution

Broadcom Product team has been notified and is working to address this issue in a timely manner. Please subscribe to this article to receive updates when they are available.

Workaround:

Before following the steps below:

Take a snapshot of the virtual Identity Manager Appliance(s)
If the UI will not load and you are receiving the /hc/error as shown in the screenshot above in the Introduction section, verify the Bind User/Password of the directory are correct.
- If a service account is being used in the configuration its password may have expired.
- Browse to https://vIDM_NODE_FQDN/SAAS/login/0
- Test and Save the directory configuration once the password has been reset.
- Skip ahead to step 8 below after receiving a successful Test and Save.

Note that if there are multiple directories in vIDM there will be a directory for each <WORKER_ID> in the <TENANT_NAME> directory. In this case it is necessary to check the config-state.json in every <WORKER_ID> directory and restore the latest stable version for any affected directory .

SSH to VMware Identity Manager Appliance(s) using root credentials. Change the directory to the location of the config-state.json file by running the command:

cd /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>

For example cd /usr/local/horizon/conf/states/VSPHERE.LOCAL/3001

Stop the service before doing anything.

service horizon-workspace stop

Back up the current configuration file by running the command:

mv config-state.json config-state.json.1

Copy application backup of the configuration file by running the command:

cp -p config-state.json.backup_<latest-stable-version> config-state.json

Change the owner of the config-state.json to horizon user by running the command:

chown horizon:www /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>/config-state.json

Change the permission of the config-state.json file by running the command:

chmod 640 /usr/local/horizon/conf/states/<TENANT_NAME>/<WORKER_ID>/config-state.json

Start vIDM/Workspace service by running the command:

service horizon-workspace start

Go to Directory Setting and for each tab do the save operation by navigating to Identity & Access Management > YOUR DIRECTORY > Sync Settings

Navigate each of the tabs and click on Save.
If the "Groups" page refuses to save due to an error about the Bind DN: come back to the directory settings, enter the Bind DN password, validate & save.
Then come back to save the remaining tabs in Sync Settings.