Listing Directory Group entities fails

Products

VMware NSX

Issue/Introduction

Symptoms:

From the vSphere Web Client (NSX plugin):

Listing Directory Group entities fails when creating or editing a Security Group with an error: Internal server error has occurred

In the NSX Manager logs (using show log manager), you see entries similar to:

2018-01-25 15:02:24.774 GMT WARN http-nio-127.0.0.1-7441-exec-3 RemoteInvocationTraceInterceptor:87 - Processing of VsmHttpInvokerServiceExporter remote call resulted in fatal exception: com.vmware.vshield.vsm.securitygroup.service.SecurityGroupFacade.getApplicableMembersByType
java.lang.NullPointerException
	at com.vmware.vshield.blueprint.useridentity.service.ADMemberProvider.setDomainScope(ADMemberProvider.java:185)
	at com.vmware.vshield.blueprint.useridentity.service.ADMemberProvider.getMembersByType(ADMemberProvider.java:105)
	at com.vmware.vshield.vsm.securitygroup.service.SecurityGroupServiceImpl.getApplicableMembersByType_aroundBody116(SecurityGroupServiceImpl.java:823)
	at com.vmware.vshield.vsm.securitygroup.service.SecurityGroupServiceImpl$AjcClosure117.run(SecurityGroupServiceImpl.java:1)
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at com.vmware.vshield.vsm.aspects.security.VsmSecuredAspect.secureCheck(VsmSecuredAspect.java:126)
[...]
2018-01-25 15:02:24.780 GMT DEBUG http-nio-127.0.0.1-7441-exec-3 RemoteInvocationBasedExporter:94 - Target method failed for RemoteInvocation: method name 'getApplicableMembersByType'; parameter types [java.lang.String, java.lang.String, java.util.Map, java.lang.String]
	java.lang.NullPointerException
	at com.vmware.vshield.blueprint.useridentity.service.ADMemberProvider.setDomainScope(ADMemberProvider.java:185)
	at com.vmware.vshield.blueprint.useridentity.service.ADMemberProvider.getMembersByType(ADMemberProvider.java:105)
	at com.vmware.vshield.vsm.securitygroup.service.SecurityGroupServiceImpl.getApplicableMembersByType_aroundBody116(SecurityGroupServiceImpl.java:823)
	at com.vmware.vshield.vsm.securitygroup.service.SecurityGroupServiceImpl$AjcClosure117.run(SecurityGroupServiceImpl.java:1)
	at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149)
	at com.vmware.vshield.vsm.aspects.security.VsmSecuredAspect.secureCheck(VsmSecuredAspect.java:126)
[...]

In the vCenter virgo logs (vsphere-client/logs/vsphere_client_virgo.log), you see entries similar to:

[2018-01-25T15:02:24.875Z] [WARN ] http-bio-9090-exec-99         org.springframework.flex.core.DefaultExceptionLogger              The following exception occurred during request pr
ocessing by the BlazeDS MessageBroker and will be serialized back to the client:  flex.messaging.MessageException: com.vmware.vshield.vsm.remoting.server.exceptions.RemoteBaseExcept
ion : Internal server error has occurred.
	at flex.messaging.services.remoting.adapters.JavaAdapter.invoke(JavaAdapter.java:444)
	at com.vmware.vise.messaging.remoting.JavaAdapterEx.invoke(JavaAdapterEx.java:50)
	at flex.messaging.services.RemotingService.serviceMessage(RemotingService.java:183)
	at flex.messaging.MessageBroker.routeMessageToService(MessageBroker.java:1400)
	at flex.messaging.endpoints.AbstractEndpoint.serviceMessage(AbstractEndpoint.java:1011)
	at flex.messaging.endpoints.AbstractEndpoint$$FastClassByCGLIB$$1a3ef066.invoke(<generated>)
[...]

From REST API (GET /api/3.0/ai/directorygroup):

The NSX Manager returns: HTTP 500 Internal Server Error
The response body is: <error><errorCode>100</errorCode></error>

In the NSX Manager logs (using show log manager), you see entries similar to:

2018-05-25 10:38:58.930 CEST ERROR http-nio-127.0.0.1-7441-exec-166 BaseRestController:518 - - [nsxv@6876 comp="nsx-manager" subcomp="manager"] REST API failed : 'null'
java.lang.NullPointerException: null
    at com.vmware.vshield.blueprint.ai.reports.facade.EntityServiceFacadeImpl.fromDo(EntityServiceFacadeImpl.java:288) ~[blueprint-1.0.jar:?]
    at com.vmware.vshield.blueprint.ai.reports.facade.EntityServiceFacadeImpl.getDirectoryGroups_aroundBody4(EntityServiceFacadeImpl.java:129) ~[blueprint-1.0.jar:?]
    at com.vmware.vshield.blueprint.ai.reports.facade.EntityServiceFacadeImpl$AjcClosure5.run(EntityServiceFacadeImpl.java:1) ~[blueprint-1.0.jar:?]
    at org.aspectj.runtime.reflect.JoinPointImpl.proceed(JoinPointImpl.java:149) ~[aspectjweaver-1.8.9.jar:1.8.9]
    at com.vmware.vshield.vsm.aspects.security.VsmSecuredAspect.secureFeatureCheck(VsmSecuredAspect.java:162) ~[vsm-core-1.0.jar:?]
    at com.vmware.vshield.vsm.aspects.security.VsmSecuredAspect.ajc$inlineAccessMethod$com_vmware_vshield_vsm_aspects_security_VsmSecuredAspect$com_vmware_vshield_vsm_aspects_security_VsmSecuredAspect$secureFeatureCheck(VsmSecuredAspect.java:1) ~[vsm-core-1.0.jar:?]
    [...]

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.3.x

Cause

This issue occurs when some metadata is missing on the NSX Manager for a Directory Group object.

Resolution

This issue is resolved in:
VMware NSX for vSphere 6.4.2,
VMware NSX for vSphere 6.3.7

Note: Upgrading an affected NSX Manager to 6.4.2 or 6.3.7 will resolve the issue.

Workaround:
To work around this issue if you do not want to upgrade, contact Broadcom Support and quote this Knowledge Base article ID (325131) in the problem description.

Additional Information

Impact/Risks:
There is no impact to this issue. However, automation may not work due to the REST API call failing, and creating/editing Security Groups containing Directory Group entities from NSX Plugin for vSphere may not be possible.