Redirection to the VMware Identity Manager login page from Aria Automation 8.x (formerly vRealize Automation 8.x) returns "Bad Gateway"

Article ID: 325818

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Symptoms:
This article is applicable when you observe the following symptoms:

  • After clicking on the GO TO LOGIN PAGE button on the homepage of your Aria Automation 8.x instance, the Aria Automation appliance attempts to redirect to the vIDM login, but instead displays a blank page with the words Bad Gateway.
  • The certificate for VMware Identity Manager (vIDM) was updated after Aria Automation 8.x was deployed, either through Aria Suite Lifecycle, or from the vIDM management interface.
  • Re-trusting the vIDM certificate in Aria Automation from Aria Suite Lifecycle fails with the error code LCMVRAVACONFIG590008 when the vIDM LB certificate is expired.

To view the logs for the identity-service-app pod on the vRealize Automation appliance:

  1. Run the following command to get the pod name:
     kubectl get pods -n prelude | grep identity-service-app
  2. Run the following command to get the logs from the pod (the specific pod name will be different):
     kubectl logs identity-service-app-#########-##### -n prelude
  • You may see entries similar to these (where [vIDM_FQDN] and [vIDM_IP] are the FQDN and IP address of your vIDM instance):
YYYY-MM-DD HH:MM:SS.xxx+0000  WARN  29 --- [ctor-http-nio-2]    r.netty.http.client.HttpClientConnect : [id: 0x1676876c, L:/<INTERNAL_IP>.:46894 ! R:[vIDM_FQDN]/[vIDM_IP]:443] The connection observed an error
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_221]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target



Environment

VMware Aria Automation 8.x

Cause

This occurs because the identity-service-app pod still has the old vIDM certificate in its Java keystore. Connections to vIDM are trusted explicitly through the vIDM certificate itself, not through the issuing Certificate Authorities, so a replaced certificate is not trusted until it is updated in Aria Automation.

Resolution

NOTE: Before proceeding with the procedure below, ensure that the vIDM LB certificate is valid and not in an expired state. To replace the vIDM LB certificate, follow KB 372708.

We can use the vracli command to update the vIDM certificate information.

  1. Log in to the Aria Automation appliance via SSH.
  2. Find the SHA256 thumbprint of the current vIDM appliance certificate with the following command (where [vIDM_FQDN] is the FQDN of your vIDM instance):
     echo | openssl s_client -connect [vIDM_FQDN]:443 2>/dev/null | openssl x509 -fingerprint -sha256 -noout | awk -F'=' '{print $2}' | tr -d ':' | awk '{print tolower($0)}'
  3. See the current vIDM settings (take note of the user attribute):
     vracli vidm
  4. Create a temporary file that contains the administrator password (the easiest way to avoid having to escape special characters):
     vi /tmp/admin-password.txt
  5. Update the vIDM settings (where [vIDM_FQDN] is the FQDN of your vIDM instance, [user] is the value of the user attribute from the vracli vidm command in Step 3, and [sha256_thumbprint] is the output of the command in Step 2):
     vracli vidm set https://[vIDM_FQDN] admin /tmp/admin-password.txt [user] -f [sha256_thumbprint]
  6. Redeploy the application stack:
     /opt/scripts/deploy.sh
  7. Delete the admin password file:
     rm /tmp/admin-password.txt
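
The thumbprint lookup from Step 2 combined with the certificate-validity precondition from the NOTE, as an added example that is not part of the original article or of VMware's tooling. It goes one step beyond the article by optionally comparing the retrieved thumbprint with one obtained out of band; the function names, the script file name and the use of -servername are assumptions of this example.

```shell
#!/bin/sh
# Added example: pre-flight check for Step 2. Function names and the optional
# "expected" argument are assumptions of this example, not vracli features.

# Reduce "sha256 Fingerprint=AB:CD:..." to 64 lowercase hex characters.
# Returns non-zero if the result is not a well-formed SHA-256 thumbprint.
normalize_fp() {
    fp=$(printf '%s\n' "$1" | sed 's/^.*=//' | tr -d ': \r' | tr 'ABCDEF' 'abcdef')
    case "$fp" in
        ''|*[!0123456789abcdef]*) return 1 ;;
    esac
    [ "${#fp}" -eq 64 ] || return 1
    printf '%s\n' "$fp"
}

# Fetch the certificate presented on <host>:443 as PEM (s_client call from Step 2).
fetch_cert() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null | openssl x509
}

# Print the thumbprint for "vracli vidm set ... -f", refusing an expired
# certificate and, when an out-of-band thumbprint is given, a mismatch.
vidm_thumbprint() {
    host=$1
    expected=${2:-}
    pem=$(fetch_cert "$host") || { echo "no certificate from $host" >&2; return 2; }
    # -checkend 0 exits non-zero if the certificate has already expired.
    printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "certificate on $host is expired" >&2; return 3; }
    raw=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)
    seen=$(normalize_fp "$raw") || { echo "unexpected fingerprint format" >&2; return 4; }
    if [ -n "$expected" ]; then
        want=$(normalize_fp "$expected") || { echo "bad expected thumbprint" >&2; return 4; }
        [ "$seen" = "$want" ] || { echo "thumbprint mismatch, got $seen" >&2; return 5; }
    fi
    printf '%s\n' "$seen"
}

# Runs only when a host is passed (hypothetical file name):
#   sh check-vidm-cert.sh [vIDM_FQDN] [expected_thumbprint]
if [ "$#" -ge 1 ]; then
    vidm_thumbprint "$@"
fi
```

Because Aria Automation trusts this exact thumbprint, the expected value is best taken from the certificate file that was installed on vIDM rather than from a second network lookup.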



Additional Information

The Aria Automation portal will also report a Bad Gateway message if you try to connect to the Aria Automation portal when the VA restart procedure is started, as per Starting and stopping vRealize Automation.