• vidm_recovery.py assumes that vIDM has already been changed and the deploy script has failed.  The recovery script will:
  • Remove the old vIDM entry from the identity_organization table.
  • Switch the organization ID of the old vIDM and set it to the new vIDM.
  • Set the old organization owner role to the new user id of the organization owner, which would enable the organization owner to login and modify the user roles of the rest of the users. After user roles have been restored the users will be able to view their content.

• The VMware Identity Manager (vIDM) that a VMware Aria Automation 8.x instance is using was changed with vracli vidm set
• Attempts to start the application with /opt/scripts/deploy.sh fails with:

  500 Internal server error

• The vIDM appliance has changed, but the FQDN has remained the same
• Attempts to start the application with /opt/scripts/deploy.sh succeeds but the configuration admin user generates a 403 error on attempted log in.

VMware is aware of this issue. Please see the workaround for further details.

Workaround:

Prerequisites

• You have backups of the VMware Aria Automation 8.x appliance(s)
  • You must back up all VMware Aria Automation appliances, at the same time - simultaneously for all nodes.
  • If you are making the snapshots manually, you must start the snapshots of the second and the third node not more than 40 seconds after you start the snapshots for the first node.
  • When you back up the VMware Aria Automation appliance, disable in-memory snapshots and enable quiescing (quiescing is a requirement only for version 8.9 and newer).

Procedure

1. Validate the Default Configurator Admin Username, in the global environment on VMware Aria Suite Lifecycle 8.x.
2. SSH to one of the VMware Aria Automation 8.x nodes.
3. Run the following command, considering:

   vracli vidm set https://ID1 admin ID2

   Notes:

• Replace ID2 with the user found in step 1.
• Replace ID1 with the Load Balancer VIP for vIDM cluster, in case of 1 node vIDM use the first node FQDN.
• After running this command the prompt will show you the vIDM certificate SHA256, validate this is the right certificate, and then accept it by typing “yes”. 
• Then you will ask to type a password, this is the vIDM admin password.
• This is an example as a reference.

5. Restart the services

For VMware vRealize Automation 8.4 and later run

vracli vidm apply

kubectl get pods -n prelude -w | grep identity-service

For 8.3 and older versions

/opt/scripts/deploy.sh

/opt/scripts/vidm_recovery.py --vidm-url-new https://ID3

/opt/scripts/deploy.sh

1. In case the vIDM hostname has not changed and you need updated information included in the output of vracli vidm. Run the following command

/opt/scripts/vidm_recovery.py --vidm-url-new https://ID4 --same-hostname --vidm-admin admin --vra-configuration-admin ID5 --no-verify

• For vIDM cluster replace ID4 with the FQDN of the first node 
• For vIDM 1 node, replace ID4 with the vIDM FQDN 
• Replace ID5 with the Default Configurator

2. Then restart the services.

/opt/scripts/deploy.sh

Note:

• It is expected that this script updates the vIDM information, you must have 3 UPDATEs. 
• After running the vidm_recovery.py  script, it is required to run the deploy.sh script, and not just vracli vidm apply.

Validation

1. After updating the vIDM information in the VMware Aria Automation 8.x Database with the vidm_recovery.py  script, clear the cookies of your browser or create a new incognito or in private mode window, and log in to VMware Aria Automation 8.x using the Default Configurator Admin Username.
2. Assign the services roles and organization roles to Groups and Users following Administering Users and Groups in vRealize Automation

Important! The contents of this article are intended for unexpected failover scenarios only.  For Site Recovery Manager failovers, utilize the supported steps defined here.

Associating a new vIDM to VMware Aria Automation 8.x will reset the Organization and Services Roles assigned to Active User and Enterprise Groups on VMware Aria Automation 8.x, after running this kb will be required to login using the Default Local Admin Configurator to VMware Aria Automation 8.x and then assign the roles.