This article outlines the steps required to remove an old certificate so that an SSO SAML authentication source can be created.
Symptoms:
Failed to setup SSO source, reason: Auth Exception occurred : 'Solution user detail' certificate is invalid - certificateException java.security.cert.CertificateExpiredException: NotAfter: Sat Apr 18 10:21:27 GMT 2020
VMware Aria Operations 8.x
In some circumstances, Aria Operations retains an old, out-of-date certificate that prevents SSO SAML from importing an updated SSL certificate.
Currently there is no resolution, but a workaround can be performed.
Note: Please take a snapshot of the Aria Operations environment by following this Article
Workaround:
Run the following command on the Aria Operations master node. The expected result is that the invalid certificate is identified:
root@vrops [ ~ ]# openssl x509 -in /storage/vcops/user/conf/ssl/cluster_cert.pem -noout -enddate
Output will be similar to: notAfter=Apr 18 10:21:27 2020 GMT
If the output from the above command matches the date in the error message, complete the following steps on the master node.
root@vrops [ ~ ]# mv /storage/vcops/user/conf/ssl/cluster_cert.pem /storage/vcops/user/conf/ssl/cluster_cert.pem.bkup
root@vrops [ ~ ]# mv /storage/vcops/user/conf/ssl/cluster_key.pem /storage/vcops/user/conf/ssl/cluster_key.pem.bkup
root@vrops [ ~ ]# cp -pf /storage/vcops/user/conf/ssl/cacert.pem /storage/vcops/user/conf/ssl/cluster_cert.pem
root@vrops [ ~ ]# cp -pf /storage/vcops/user/conf/ssl/cakey.pem /storage/vcops/user/conf/ssl/cluster_key.pem
root@vrops [ ~ ]# service vmware-casa restart
Return to the Aria Operations UI and configure the SSO SAML authentication source as normal.
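An added pre-flight check for the workaround above (example code, not part of the original article or any VMware tooling): run before the mv and cp commands, it confirms that cluster_cert.pem has actually expired, that cacert.pem is still valid, and that cakey.pem pairs with cacert.pem. The function names and exit codes are assumptions of this example, and the cacert.pem validity and key-pairing checks are added sanity checks, not steps from the article.

```shell
# Added example: read-only pre-flight for the workaround. It changes no files.
SSL_DIR="${SSL_DIR:-/storage/vcops/user/conf/ssl}"   # directory used in the article

# 0 if the file parses as an X.509 certificate.
is_cert() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# 0 if the certificate parses and is still valid $2 seconds from now (0 = right now).
valid_for() {
    is_cert "$1" && openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# 0 if private key $2 belongs to certificate $1 (their public keys are identical).
key_matches_cert() {
    local c k
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Exit codes (chosen for this example): 0 proceed, 1 workaround not applicable, 2-4 stop.
preflight() {
    local d="${1:-$SSL_DIR}"
    is_cert "$d/cluster_cert.pem" || { echo "STOP: cluster_cert.pem missing or unreadable"; return 2; }
    # Compare this date by eye with the NotAfter value in the SSO error message.
    echo "cluster_cert.pem $(openssl x509 -in "$d/cluster_cert.pem" -noout -enddate)"
    if valid_for "$d/cluster_cert.pem" 0; then
        echo "STOP: cluster_cert.pem has not expired; the workaround does not apply"
        return 1
    fi
    valid_for "$d/cacert.pem" 0 || { echo "STOP: cacert.pem is expired or unreadable"; return 3; }
    key_matches_cert "$d/cacert.pem" "$d/cakey.pem" \
        || { echo "STOP: cakey.pem does not match cacert.pem"; return 4; }
    echo "OK: cluster_cert.pem expired, cacert.pem valid and paired with cakey.pem"
}

# Runs only where the appliance files exist.
if [ -f "$SSL_DIR/cluster_cert.pem" ]; then preflight "$SSL_DIR"; fi
```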