Changing VMware Aria Automation 8.x's VMware Identity Manager configuration with vracli vidm set
Article ID: 322719

Products

VMware Aria Suite

Issue/Introduction

The vidm_recovery.py script ships out of the box with all supported versions of VMware Aria Automation 8.x and follows the logic below:
  • vidm_recovery.py assumes that the vIDM has already been changed and that the deploy script has failed. The recovery script will:
    • Remove the old vIDM entry from the identity_organization table.
    • Switch the organization ID of the old vIDM to the new vIDM.
    • Set the old organization owner role to the new user ID of the organization owner, which lets the organization owner log in and modify the roles of the remaining users. Once user roles have been restored, the users can see their content again.


Symptoms:
  • The VMware Identity Manager (vIDM) that a VMware Aria Automation 8.x instance is using was changed with vracli vidm set
  • Attempts to start the application with /opt/scripts/deploy.sh fail with:
    500 Internal server error
OR
  • The vIDM appliance has changed, but its FQDN has remained the same
  • Attempts to start the application with /opt/scripts/deploy.sh succeed, but the configuration admin user receives a 403 error on attempted login.
  • VMware Aria Suite Lifecycle (LCM) shows an error when performing the Re-Trust Day 2 action with vIDM


Environment

VMware Aria Automation 8.x
VMware Identity Manager 3.3.x

Resolution

VMware is aware of this issue. Please see the workaround for further details.

Workaround:

Prerequisites

  • You have backups of the VMware Aria Automation 8.x appliance(s)
    • You must back up all VMware Aria Automation appliances at the same time, simultaneously for all nodes.
    • If you are taking the snapshots manually, you must start the snapshots of the second and third nodes no more than 40 seconds after you start the snapshot of the first node.
    • When you back up the VMware Aria Automation appliance, disable in-memory snapshots and enable quiescing (quiescing is required only for version 8.9 and newer).

Procedure

  1. Validate the Default Configurator Admin Username in the global environment on VMware Aria Suite Lifecycle 8.x.
  2. SSH to one of the VMware Aria Automation 8.x nodes.
  3. Run the following command:
    vracli vidm set https://ID1 admin ID2
    Notes:
  • Replace ID2 with the user found in step 1.
  • Replace ID1 with the Load Balancer VIP of the vIDM cluster; for a single-node vIDM, use the FQDN of that node.
  • After running this command, the prompt shows the SHA-256 fingerprint of the vIDM certificate. Validate that this is the correct certificate (compare it with the fingerprint obtained directly from the vIDM appliance or load balancer, not with the value on the prompt itself) and only then accept it by typing "yes".
  • You are then asked for a password; this is the vIDM admin password.
  4. Restart the services.

For VMware vRealize Automation 8.4 and later, run:

vracli vidm apply
Monitor the restart of the identity service pods and wait until they are running:
kubectl get pods -n prelude -w | grep identity-service

For 8.3 and older versions, run:

/opt/scripts/deploy.sh
  5. Then run the vidm_recovery.py script according to the appropriate scenario below.
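The fingerprint prompt in step 3 is the only point at which the new vIDM endpoint is authenticated, so the value it shows should be compared with one obtained independently rather than accepted on sight. The Python below is an added example and is not part of this KB or of vracli. It assumes (the article does not state this) that the prompt prints the SHA-256 of the server's leaf certificate in DER form as hex, with or without colon separators. It fetches the certificate the endpoint actually presents, normalizes both fingerprints, and reports whether they match; the certificate bytes it embeds for the offline self-check are a constructed placeholder, not a real vIDM certificate.

```python
"""Compare the certificate fingerprint shown by `vracli vidm set` with one
obtained independently from the vIDM endpoint.

Added example, not code from this KB or from vracli. Assumption (not
confirmed by the article): the prompt shows the SHA-256 of the server's leaf
certificate in DER form, printed as hex, with or without colon separators.
"""
import base64
import hashlib
import socket
import ssl


def der_sha256_fingerprint(der: bytes, colons: bool = True) -> str:
    """SHA-256 of a DER certificate as upper-case hex, optionally AA:BB:... style."""
    digest = hashlib.sha256(der).hexdigest().upper()
    if colons:
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return digest


def normalize_fingerprint(fp: str) -> str:
    """Canonical form so 'ab:cd...' and 'ABCD...' compare equal.

    Rejects anything that is not exactly 32 bytes of hex, so a truncated or
    mistyped value can never match by accident.
    """
    hexstr = fp.replace(":", "").replace(" ", "").strip().upper()
    if len(hexstr) != 64 or any(c not in "0123456789ABCDEF" for c in hexstr):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return hexstr


def fingerprints_match(shown: str, expected: str) -> bool:
    """True only when the fingerprint printed by the prompt equals the out-of-band one."""
    return normalize_fingerprint(shown) == normalize_fingerprint(expected)


def pem_to_der(pem: str) -> bytes:
    """Convert a PEM certificate (for example one exported from the vIDM appliance) to DER."""
    return ssl.PEM_cert_to_DER_cert(pem)


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Fetch the leaf certificate the endpoint presents.

    Chain validation is deliberately off: the goal is to hash exactly what is
    presented and compare it with a trusted value, not to trust the endpoint.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# Constructed placeholder bytes standing in for a DER certificate. Only the
# hashing and formatting path is exercised offline, so no real certificate is
# needed; a real one would be fetched with fetch_leaf_der() or exported as PEM.
SAMPLE_DER = b"constructed placeholder, not a real vIDM certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)


def check_sample() -> bool:
    """Offline self-check: the colon-separated form a prompt might print must match
    the colon-free lower-case form an operator might copy from sha256sum."""
    der = pem_to_der(SAMPLE_PEM)
    shown = der_sha256_fingerprint(der)
    expected = der_sha256_fingerprint(der, colons=False).lower()
    return fingerprints_match(shown, expected)


if __name__ == "__main__":
    import sys
    # Usage: python3 check_vidm_fp.py <vidm-host-or-vip> <fingerprint-shown-by-vracli>
    host, shown = sys.argv[1], sys.argv[2]
    live = der_sha256_fingerprint(fetch_leaf_der(host))
    print("presented:", live)
    print("match" if fingerprints_match(shown, live) else "MISMATCH: do not type yes")
```

Run it from a host that reaches the vIDM VIP or node on 443 before answering the prompt; for a cluster behind a load balancer the certificate presented is the one on the VIP, which is what vracli connects to. A mismatch means either the wrong endpoint was given as ID1 or something is terminating TLS in between, and in both cases the prompt should be answered with anything but "yes".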

Recovery Scenario #1: New vIDM appliance hostname

  1. To associate a new vIDM appliance with VMware Aria Automation 8.x, run the following command:
/opt/scripts/vidm_recovery.py --vidm-url-new https://ID3
  • For a vIDM cluster, replace ID3 with the FQDN of the first node
  • For a single-node vIDM, replace ID3 with the vIDM FQDN
  2. Then restart the services using the following command:
/opt/scripts/deploy.sh

Recovery Scenario #2: Same vIDM appliance hostname

  1. If the vIDM hostname has not changed and you need the updated information shown in the output of vracli vidm, run the following command:
/opt/scripts/vidm_recovery.py --vidm-url-new https://ID4 --same-hostname --vidm-admin admin --vra-configuration-admin ID5 --no-verify
  • For a vIDM cluster, replace ID4 with the FQDN of the first node
  • For a single-node vIDM, replace ID4 with the vIDM FQDN
  • Replace ID5 with the Default Configurator Admin Username validated in step 1 of the procedure
  2. Then restart the services:
/opt/scripts/deploy.sh

Note:

  • This script is expected to update the vIDM information; its output must show 3 UPDATEs.
  • After running the vidm_recovery.py script, you must run the deploy.sh script, not just vracli vidm apply.

Validation

  1. After updating the vIDM information in the VMware Aria Automation 8.x database with the vidm_recovery.py script, clear your browser cookies or open a new incognito or InPrivate window, and log in to VMware Aria Automation 8.x with the Default Configurator Admin Username.
  2. Assign the service roles and organization roles to groups and users, following Administering Users and Groups in Aria Automation.



Additional Information

Impact/Risks:

Important! The contents of this article are intended for unexpected failover scenarios only.  For Site Recovery Manager failovers, utilize the supported steps defined here.

Associating a new vIDM with VMware Aria Automation 8.x resets the organization and service roles assigned to active users and enterprise groups in VMware Aria Automation 8.x. After following this KB, you must log in to VMware Aria Automation 8.x as the Default Local Admin Configurator and reassign the roles.

Attachments

vidm_recovery.py