Registering Dell EMC Unity 500 or 600 vSphere API for Storage Awareness (VASA) provider to a vCenter Server 7.0 update 2 fails

Article ID: 325037


Products

VMware vCenter Server

Issue/Introduction

Attempts to register a Dell EMC Unity 500 or 600 VASA provider to a vCenter Server 7.0 update 2 from Configure > Security > Storage Providers persistently fail with an error. In the vSphere Client, you see the message "A problem was encountered while provisioning a VMware Certificate Authority (VMCA) signed certificate for the provider." The issue occurs in both fresh installations and upgraded environments.

/var/log/vmware/vmware-sps/sps.log:

2021-07-09T12:49:26.079-04:00 [pool-29-thread-1] ERROR opId=kqtltzbv-4726-auto-3nb-h5:70001754 com.vmware.vim.sms.provider.vasa.VasaProviderImpl - Error provisioning a VMCA signed cert!
com.vmware.vim.sms.fault.VasaServiceException
        at com.vmware.vim.sms.client.VasaClientImpl.setContext(VasaClientImpl.java:189)
        at com.vmware.vim.sms.client.VasaClientImpl.resetContext(VasaClientImpl.java:249)
        at com.vmware.vim.sms.client.VasaClientMethodInvoker.retryForInvalidSession(VasaClientMethodInvoker.java:78)
        at com.vmware.vim.sms.client.VasaClientMethodInvoker.invokeMethod(VasaClientMethodInvoker.java:56)
        at com.vmware.vim.sms.client.VasaClientMethodInvoker.invoke(VasaClientMethodInvoker.java:35)
        at com.vmware.vim.sms.client.VasaClientHandler.invoke(VasaClientHandler.java:27)
        at com.sun.proxy.$Proxy111.requestCSR(Unknown Source)
        at com.vmware.vim.sms.provider.vasa.VasaProviderImpl.provisionCertificate(VasaProviderImpl.java:487)
        at com.vmware.vim.sms.provider.vasa.version.Version3Strategy.provisionCASignedCertificate(Version3Strategy.java:108)
        at com.vmware.vim.sms.provider.vasa.VasaProviderImpl.init(VasaProviderImpl.java:1024)

        
2021-07-09T12:50:13.020-04:00 [pool-29-thread-2] WARN  opId=kqtltzbv-4741-auto-3nq-h5:70001760 com.vmware.vim.sms.util.CustomSslSocketFactory - Socket was null!!
2021-07-09T12:50:13.020-04:00 [pool-29-thread-2] ERROR opId=kqtltzbv-4741-auto-3nq-h5:70001760 com.vmware.vim.sms.client.VasaClientImpl - SetContext() has failed, disconnecting...
java.util.concurrent.ExecutionException: com.vmware.vim.vasa.InvalidSession: com.vmware.vim.vasa._3_0.InvalidSession: InvalidSession
        at java.util.concurrent.FutureTask.report(FutureTask.java:122)
        at java.util.concurrent.FutureTask.get(FutureTask.java:206)
        at com.vmware.vim.sms.client.VasaClientImpl.executeWithTimeout(VasaClientImpl.java:229)
        at com.vmware.vim.sms.client.VasaClientImpl.setContext(VasaClientImpl.java:185)
        at com.vmware.vim.sms.client.VasaClientImpl.resetContext(VasaClientImpl.java:249)
        at com.vmware.vim.sms.client.VasaClientMethodInvoker.retryForInvalidSession(VasaClientMethodInvoker.java:78)
        at com.vmware.vim.sms.client.VasaClientMethodInvoker.invokeMethod(VasaClientMethodInvoker.java:56)
        at com.vmware.vim.sms.client.VasaClientMethodInvoker.invoke(VasaClientMethodInvoker.java:35)
        at com.vmware.vim.sms.client.VasaClientHandler.invoke(VasaClientHandler.java:27)
        at com.sun.proxy.$Proxy111.requestCSR(Unknown Source)
        at com.vmware.vim.sms.provider.vasa.VasaProviderImpl.provisionCertificate(VasaProviderImpl.java:487)
        at com.vmware.vim.sms.provider.vasa.version.Version3Strategy.provisionCASignedCertificate(Version3Strategy.java:108)
        at com.vmware.vim.sms.provider.vasa.VasaProviderImpl.init(VasaProviderImpl.java:1024)
        at com.vmware.vim.sms.provider.ProviderFactory.createVasaProvider(ProviderFactory.java:221)
        at com.vmware.vim.sms.provider.ProviderFactory.createProvider(ProviderFactory.java:166)
        at com.vmware.vim.sms.StorageManagerImpl.registerProviderInt(StorageManagerImpl.java:461)


Environment

VMware vCenter Server 7.0.x

Cause

This issue occurs if the X509KeyManager on the client side is not able to choose the client alias when the server has a self-signed certificate.

Resolution

This is a known issue affecting vCenter Server 7.0 Update 2 and is fixed in the 7.0 U2c release.
https://techdocs.broadcom.com/content/dam/broadcom/techdocs/us/en/pdf/vmware/vsphere/vsphere/vSphere-Release-Notes/vsphere-vcenter-server-702-release-notes.pdf


Workaround:

Try registering the VASA provider (VP) twice, which leaves a footprint of two CA root certificates on the server. Delete the first CA root and try registering the VP again; the registration then works.

1. Register the server that has a self-signed certificate:


1:    ID                       = vasa_http-vc1-servercert-1
      Type                     = Server
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-servercert-1
      Trust anchor             = No
      Version                  = 3
      Serial number            = 99:70:A8:07:E7:1A:1F:83
      Signature algorithm      = SHA512WithRSAEncryption
      Issuer name              = CN=unity-u500-0 
      Valid from               = 2020-03-20 21:35:45
      Valid to                 = 2023-03-20 21:35:45
      Subject name             = CN=unity-u500-0 
      Subject alternative name = IP Address:##.##.##.##, DNS:##.##.##.##, DNS:unity-u500-0 
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = Yes
      

2. The registration fails, but the server now has the vCenter (VC) root certificate:
Storage system address: ##.##.##.##


1:    ID                       = vasa_http-vc1-servercert-1
      Type                     = Server
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-servercert-1
      Trust anchor             = No
      Version                  = 3
      Serial number            = 99:70:A8:07:E7:1A:1F:83
      Signature algorithm      = SHA512WithRSAEncryption
      Issuer name              = CN=unity-u500-0 
      Valid from               = 2020-03-20 21:35:45
      Valid to                 = 2023-03-20 21:35:45
      Subject name             = CN=unity-u500-0 
      Subject alternative name = IP Address:##.##.##.##, DNS:##.##.##.##, DNS:unity-u500-0 
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = Yes
      

2:    ID                       = vasa_http-vc1-cacert-1
      Type                     = CA
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-cacert-1
      Trust anchor             = Yes
      Version                  = 3
      Serial number            = DD:3B:FE:EF:2E:B3:41:72
      Signature algorithm      = SHA256WithRSAEncryption
      Issuer name              = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Valid from               = 2021-01-30 02:26:41
      Valid to                 = 2031-01-28 02:26:41
      Subject name             = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Subject alternative name = email:[email protected], IP Address:127.0.0.1
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = No


3. Try the registration process again. It fails, and the server now has two CA roots, as shown below:
Storage system address: ##.##.##.##


1:    ID                       = vasa_http-vc1-servercert-1
      Type                     = Server
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-servercert-1
      Trust anchor             = No
      Version                  = 3
      Serial number            = 99:70:A8:07:E7:1A:1F:83
      Signature algorithm      = SHA512WithRSAEncryption
      Issuer name              = CN=unity-u500-0 
      Valid from               = 2020-03-20 21:35:45
      Valid to                 = 2023-03-20 21:35:45
      Subject name             = CN=unity-u500-0 
      Subject alternative name = IP Address:##.##.##.##, DNS:##.##.##.##, DNS:unity-u500-0 
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = Yes
      

2:    ID                       = vasa_http-vc1-cacert-1
      Type                     = CA
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-cacert-1
      Trust anchor             = Yes
      Version                  = 3
      Serial number            = DD:3B:FE:EF:2E:B3:41:72
      Signature algorithm      = SHA256WithRSAEncryption
      Issuer name              = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Valid from               = 2021-01-30 02:26:41
      Valid to                 = 2031-01-28 02:26:41
      Subject name             = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Subject alternative name = email:[email protected], IP Address:127.0.0.1
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = No

3:    ID                       = vasa_http-vc1-cacert-2
      Type                     = CA
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-cacert-2
      Trust anchor             = Yes
      Version                  = 3
      Serial number            = DD:3B:FE:EF:2E:B3:41:72
      Signature algorithm      = SHA256WithRSAEncryption
      Issuer name              = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Valid from               = 2021-01-30 02:26:41
      Valid to                 = 2031-01-28 02:26:41
      Subject name             = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Subject alternative name = email:[email protected], IP Address:127.0.0.1
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = No

      

4. Delete the first cacert from the server side. The resulting certificates on the server are the server's self-signed certificate and one CA root.
uemcli -d <unity500 or 600 host address> -u <username> -p <password> /sys/cert -id vasa_http-vc1-cacert-1 delete
Operation completed successfully.


5. Register the Unity 500 again. The registration now works:

1:    ID                       = vasa_http-vc1-cacert-2
      Type                     = CA
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-cacert-2
      Trust anchor             = Yes
      Version                  = 3
      Serial number            = DD:3B:FE:EF:2E:B3:41:72
      Signature algorithm      = SHA256WithRSAEncryption
      Issuer name              = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Valid from               = 2021-01-30 02:26:41
      Valid to                 = 2031-01-28 02:26:41
      Subject name             = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Subject alternative name = email:[email protected], IP Address:127.0.0.1
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = No
      

2:    ID                       = vasa_http-vc1-cacert-3
      Type                     = CA
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-cacert-3
      Trust anchor             = Yes
      Version                  = 3
      Serial number            = DD:3B:FE:EF:2E:B3:41:72
      Signature algorithm      = SHA256WithRSAEncryption
      Issuer name              = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Valid from               = 2021-01-30 02:26:41
      Valid to                 = 2031-01-28 02:26:41
      Subject name             = OU=VMware Engineering,O=vcsa.vmware.local,ST=California,C=US,DC=local,DC=vsphere,CN=CA
      Subject alternative name = email:[email protected], IP Address:127.0.0.1
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = No

3:    ID                       = vasa_http-vc1-servercert-1
      Type                     = Server
      Service                  = VASA_HTTP
      Scope                    =
      Certificate ID           = vasa_http-vc1-servercert-1
      Trust anchor             = No
      Version                  = 3
      Serial number            = 99:70:A8:07:E7:1A:1F:83
      Signature algorithm      = SHA512WithRSAEncryption
      Issuer name              = CN=unity-u500-0 
      Valid from               = 2020-03-20 21:35:45
      Valid to                 = 2023-03-20 21:35:45
      Subject name             = CN=unity-u500-0 
      Subject alternative name = IP Address:##.##.##.##, DNS:##.##.##.##, DNS:unity-u500-0 
      Public key algorithm     = RSA
      Key length               = 2048
      Thumbprint algorithm     = SHA1
      Thumbprint               = ##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##:##
      Private key available    = Yes
      

To summarise:

1. Register the VP; it fails.
2. Register the VP again; it fails.
3. On the server, remove the first CA root certificate.
4. Register the VP now; it works.
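
The check behind step 4, as an added example (not part of the original article and not Dell or VMware tooling): it parses a certificate listing in the format shown above and reports the CA root that an identical later entry duplicates. The function names and the shortened sample listing are constructed here, and the ordering assumes certificate IDs end in a numeric suffix, as the IDs in this article do.

```python
import re
from collections import defaultdict

# Constructed sample in the listing format shown in this article (state after
# the second failed registration); only the fields the parser uses are kept.
SAMPLE = """\
1:    ID                       = vasa_http-vc1-servercert-1
      Type                     = Server
      Service                  = VASA_HTTP
      Serial number            = 99:70:A8:07:E7:1A:1F:83
      Subject name             = CN=unity-u500-0
2:    ID                       = vasa_http-vc1-cacert-1
      Type                     = CA
      Service                  = VASA_HTTP
      Serial number            = DD:3B:FE:EF:2E:B3:41:72
      Subject name             = OU=VMware Engineering,O=vcsa.vmware.local,CN=CA
3:    ID                       = vasa_http-vc1-cacert-2
      Type                     = CA
      Service                  = VASA_HTTP
      Serial number            = DD:3B:FE:EF:2E:B3:41:72
      Subject name             = OU=VMware Engineering,O=vcsa.vmware.local,CN=CA
"""

def parse_cert_listing(text):
    """Split the listing into one dict per certificate record."""
    records, current = [], None
    for line in text.splitlines():
        # "key = value"; the key ends at the first '=', so DN values survive.
        m = re.match(r"\s*(?:(\d+):)?\s*([^=]+?)\s*=\s*(.*?)\s*$", line)
        if m and m.group(1):          # an "N:" prefix starts a new record
            current = {}
            records.append(current)
        if m and current is not None:
            current[m.group(2)] = m.group(3)
    return records

def older_duplicate_ca_roots(records, service="VASA_HTTP"):
    """IDs of CA roots that a later entry repeats (same serial and subject)."""
    groups = defaultdict(list)
    for r in records:
        if r.get("Type") == "CA" and r.get("Service") == service:
            groups[(r.get("Serial number"), r.get("Subject name"))].append(r["ID"])
    older = []
    for ids in groups.values():
        # Assumption: IDs end in "-<n>" and a higher n was added later.
        older += sorted(ids, key=lambda i: int(i.rsplit("-", 1)[1]))[:-1]
    return older

if __name__ == "__main__":
    print(older_duplicate_ca_roots(parse_cert_listing(SAMPLE)))
```

Treat the result as a candidate to review before running the delete command in step 4: after a successful registration the listing again shows two identical CA roots (cacert-2 and cacert-3 in step 5), and the same check would flag the older of those as well.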