Redirection to the VMware Identity Manager login page from Aria Automation 8.x returns "Bad Gateway"

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

Symptoms

This article is applicable when you observe the following symptoms:

After clicking on the GO TO LOGIN PAGE button on the homepage of your Aria Automation 8.x instance, the Aria Automation appliance attempts to redirect to the vIDM login, but instead displays a blank page with the words Bad Gateway.
The certificate for VMware Identity Manager (vIDM) was updated after Aria Automation 8.x was deployed, either through Aria Suite Lifecycle, or from the vIDM management interface.
Re-trusting vIDM certificate in Aria Automation from Aria Suite Lifecycle fails with the error code LCMVRAVACONFIG590008 when the vIDM LB certificate is expired.

To view the logs for the identity-service-app pod on the vRealize Automation appliance:

Run the following command to get the pod name:

kubectl get pods -n prelude | grep identity-service-app

Run the following command to get the logs from the pod (specific pod name will be different):
```
kubectl logs identity-service-app-#########-##### -n prelude
```

You may see entries similar to these (where [vIDM_FQDN] and [vIDM_IP] are the FQDN and IP address of your vIDM instance):

YYYY-MM-DD HH:MM:SS.xxx+0000  WARN  29 --- [ctor-http-nio-2]    r.netty.http.client.HttpClientConnect : [id: 0x1676876c, L:/<INTERNAL_IP>.:46894 ! R:[vIDM_FQDN]/[vIDM_IP]:443] The connection observed an error

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_221]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Environment

VMware Aria Automation 8.x

Cause

This is due to the identity-service-app pod having the old vIDM certificate in its Java keystore.

Resolution

Note: Before proceeding with the below procedure, ensure that the vIDM LB certificate is valid and not in an expired state. For replacing the vIDM LB certificate follow KB 372708.

Procedure

Log into the Aria Automation appliance via SSH.

Find the SHA256 thumbprint of the current vIDM appliance certificate with the following command (where [vIDM_FQDN] is the FQDN of your vIDM instance):

echo | openssl s_client -connect [vIDM_FQDN]:443 2>/dev/null | openssl x509 -fingerprint -sha256 -noout | awk -F'=' '{print $2}' | tr -d ':' | awk '{print tolower($0)}'

See the current vIDM settings (take note of the user attribute):
```
vracli vidm
```
Create a temporary file that contains the administrator password (easiest way to avoid having to escape special characters):
```
vi /tmp/admin-password.txt
```
Update the vIDM settings (where [vIDM_FQDN] is the FQDN of your vIDM instance, [user] is the value of the user attribute from the vracli vidm command in Step 3, and [sha256_thumbprint] is the output of the command in Step 2):
```
vracli vidm set https://[vIDM_FQDN] admin /tmp/admin-password.txt [user] -f [sha256_thumbprint]
```
Redeploy the application stack:
```
/opt/scripts/deploy.sh
```
Delete the admin password file:
```
rm /tmp/admin-password.txt
```

Additional Information

The Aria Automation portal will also report a Bad Gateway message if you try to connect to the Aria Automation portal when the VA restart procedure is started as per Starting and stopping vRealize Automation.