Component Configuration Validation: Troubleshooting 404 and 401 errors within vRealize Automation 6.x / 7.x
search cancel

Component Configuration Validation: Troubleshooting 404 and 401 errors within vRealize Automation 6.x / 7.x

book

Article ID: 326044

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

This article provides a guided list of validation steps used for resolving most 404 and 401 reported errors within VMware vRealize Automation appliances, servers, and their web pages. This article can also be used to verify if an environment is configured correctly post installation.

Environment

VMware vRealize Automation 7.x
VMware vRealize Automation 6.2.x

Resolution

Follow these steps to verify that the VMware vRealize Automation components are configured correctly:

Validate Overall Configuration:

Verify that all services are properly REGISTERED in the vRealize Automation appliance(s) management web page.

  1. Verify that all Windows IaaS server services are running and that all IIS Application Pools related to vRealize Automation are running.
  2. Verify that the vRealize Orchestrator appliances or servers' services are running.
  3. Confirm that all vRealize Automation appliances and servers are in time sync and that they are using the same time server to maintain that sync.
  4. Verify that DNS forward and reverse look up is working and configured to resolve the correct machines. If performing an installation, ensure to take this step ahead of installing.
  5. If using a load balancer, ensure that your monitoring rules are correct and the proper servers are reachable through the load balancer.
  6. If using a distributed architecture for your IaaS Windows servers, ensure that you have disabled or modified Microsoft LoopBack protection.

    For more information, see:
     
    1. Appendix D: Configure IIS to Allow Load Balancer FQDN for Loopback
       
  7. Examine and verify the accuracy of all assigned vRealize Automation certificates for:
     
    • Expiration Dates
    • Host names, common names, wild cards, Subject Alternate Names (SAN)
    • Trust must exist between vRealize Automation components and the SQL server
    • The entire certificate chain and URL must be reachable by all related vRealize Automation components to validate trust


Validate vRealize Automation appliance configuration:

For every Virtual Appliance, log in to https://hostname:5480 using the root user account.

  1. Navigate to the Services tab and ensure that all services that are expected to be registered show as REGISTERED.
  2. Services that may not show REGISTERED include:
     
    1. IaaS service if IaaS is not installed, the IaaS server(s) are offline, or the vCloud Automation Center Service, DEM Orchestrator, and/or DEM Worker services are not running. For troubleshooting this, see the Validating IaaS configuration section.
    2. Application services if the Application Services server is not running, Application services have not been registered to vRealize Automation, or communication or certificates have failed.
  3. If any services that are expected are showing a status other than REGISTERED, you must address this issue first.

    1. To look for causes of problems with service registration, log in to the same appliance using: https://vRA- FQDN/component-registry/services/status/current. Search the resulting XML file for the service and look for a one line cause of failure.
    2. To look further for causes of problems with service registration, review this log file on the vRealize Automation appliance: /var/log/vmware/vcac/catalina.out.
  4. Navigate to vRealize Automation Settings > Host Settings tab.
     

    1. Verify that the tab displays no errors or warnings.
    2. Verify the certificate expiration dates.
    3. If the vRealize Automation appliance is load balanced, ensure that the host name is of the load balancer and not the local host name.
       
  5. Navigate to vRealize Automation Settings > SSO tab.
     

    1. Verify that SSO is connected and reports no errors.
    2. Verify the SSO host name.
       
  6. Navigate to vRealize Automation Settings > Database tab.
     

    1. Verify that the database Connection Status shows CONNECTED.
    2. Verify that the Database is correctly configured to point to:
       
      1. Localhost for standalone installations.
      2. External Postgres Server for load balanced or HA installations.
         
  7. Navigate to vRealize Automation Settings > Licensing tab.

    Verify that the correct license is applied and it has not expired.

  8. Navigate to vRealize Automation Settings > Cluster tab.
     

    1. If using a standalone vRealize Automation installation, verify that Clustering is not enabled.

    2. If using a load balanced installation, verify that the Status shows:
      Current node in cluster mode.

    3. If deploying additional appliances, ensure to add them to the cluster directly after deployment and configuring time sync without configuring additional settings such as SSO, Database.


Validating Load Balancer configuration:

  1. Verify connectivity through the Load Balancer address to the vRealize Automation appliances using the following addresses. In addition, note the certificates assigned to each address to confirm that they are correct. If traffic is being redirected correctly, you should receive an XML output of the appliance service status:
     
    1. Test Load Balancer redirects: https://Load_Balancer_FQDN/component-registry/services/status/current
    2. Test each vRealize Automation appliance directly: https://vRA_appliance_FQDN/component-registry/services/status/current
    3. If you receive 404 errors on any of the preceding sites, try using the IP address instead of FQDN to identify if you have problems with DNS.
    4. If you are able to reach the XML using the vRealize Automation appliance FQDN directly, but not using the Load Balancer FQDN, there is a problem with your Load Balancer configuration that will need to be resolved.
       
  2. Verify connectivity through the Load Balancer to the IaaS Web components by using the following addresses. Note the certificates for each address to confirm they are correct. If traffic is being redirected correctly and your Model Manager website is running and connecting successfully to SQL, you should receive an XML output of the SQL model manager data from the database:

    1. Test Load Balancer redirects: https://Load_Balancer_FQDN/repository/data/managementmodelentities.svc
    2. Test each IaaS Web server directly: https://Iaas_Web_FQDN>/repository/data/managementmodelentities.svc
    3. If you receive 404 errors on any of the preceding sites, try using the IP address instead of FQDN to identify if you have problems with DNS occurring.
    4. If you receive 404 errors using FQDN and IP, log in to the IaaS web server directly and try to connect to https://localhost/repository/data/managementmodelentities.svc
    5. If you are able to reach the XML using the IaaS Web FQDN directly but not using the Load Balancer FQDN, there is a problem with your Load Balancer configuration that needs to be resolved.
    6. If you are unable to reach the XML using the IaaS Web FQDN, IP, and localhost addresses, then there is a problem with the IIS website or connectivity between IaaS Web and SQL that needs to be resolved. See the Validating IaaS configuration section for more direction.
       
  3. Verify connectivity through the Load Balancer to the IaaS Manager Service components by using the following addresses. Note the certificates for each address to confirm they are correct. If traffic is being redirected correctly and your Manager Service is running, you should receive an XML output indicating that it is running.

    1. Only one Manager Service can be active at a time. If you have multiple installed, ensure that only one is running and the other(s) are stopped and set to Manual start.
    2. Test Load Balancer redirects: https://Load_Balancer_FQDN/VMPS2
    3. Test the active Manager Service directly: https://Iaas_Manager_Service_FQDN/VMPS2
    4. If needed, you can stop this Manager Service, redirect the load balancer to a different Manager Service and manually start it to perform the same tests.
    5. If you receive 404 errors on any of the preceding errors, try using the IP address instead of FQDN to identify if you have problems with DNS occurring.
    6. If you receive 404 errors using FQDN and IP, log in to the Manager Service server directly and try to connect to https://localhost/vmps2.
    7. If you are able to reach the XML using the Manager Service FQDN directly but not using the Load Balancer FQDN, there is a problem with your Load Balancer configuration that must be resolved.
    8. If you are unable to reach the XML using the Manager Service FQDN, IP, and localhost addresses, then there is a problem with the Manager Service that must be resolved. See the Validating IaaS configuration section for more direction. 
  4. Verify that all Health Monitors are showing green (up) for connected vRealize Automation components.

  5. If performing a new installation, Health Monitors should also show green (up) prior to install. This may require pointing the monitors to ICMP or other valid source during installation.

  6. If performing a new installation of the IaaS Web server(s), ensure to remove/disable all but one IaaS Web server from the load balancer prior to installing the first (Model Manager Data) server. Subsequent IaaS Web installations can be added/enabled on the load balancer.

Validating IaaS configuration:

  1. Validate the Repository (Model Manager Web) website. All IaaS components require the Repository website to be up and running before any services can successfully start.
     
    1. Log in to the IaaS Web Server (as the vRealize Automation service account).
    2. Using Internet Explorer, test the repository website by using: https://Iaas_Web_FQDN/repository/data/managementmodelentities.svc
    3. Enter the vRealize Automation service account password if prompted and confirm that:
       
      • If IIS is configured correctly and everything is working normally, you should receive an XML page with no certificate warnings. If you receive a certificate warning, the certificate used for the Model Manager Web website is incorrect and must be resolved.
      • If you receive repeated challenges for Authentication ending in a 401 error, you may need to disable loopback protection on the Model Manager Web Server.
    4. If you still receive a 404 error, try using https://localhost/Repository/Data/ManagementModelEntities.svc.
      • If this succeeds, you likely have a DNS problem.
      • If this fails then your IIS repository website is not operational.
    5. If you connect to the site successfully but receive an application error, server error or REPO404 error you must troubleshoot the connectivity between IaaS web and SQL (SQL Server running, network connectivity is valid, DNS look up is successful between SQL and all components, MSDTC, service account has DBO rights on database, etc.).
    6. Additional logging for troubleshooting can be found in the Windows Event Logs and in the repository.log located in the installation directory ( \VMware\vCAC\Server\Model Manager Web\Logs\Repository.log).
  2. Validate the Manager Service (vCloud Automation Center Service). Many components require trusted, secure access to the Manager Service to function properly.

    1. Log in to the IaaS Manager Service server (as the vRealize Automation service account).
    2. Verify that the VMware vCloud Automation Center Service is running.
    3. If the service is not started or does not remain started after manual start, verify that you can reach the Repository website from the Manager Service server.
       
      1. Locate the address being used in the config file located in the installation directory (\VMware\vCAC\Server\ManagerService.exe.config) after the “<add key="repositoryAddress" value=” entry).
      2. Using Internet Explorer, append this https address with /repository/data/managementmodelentities.svc.
      3. If it is working, you should receive a page of XML in response with no certificate errors. If you receive certificate errors, then your certificate is not trusted. This will need to be resolved before moving forward.
      4. If you are still receiving errors, review the Manager Service logs for further assistance.
         
    4. Using Internet Explorer, test the Manager Service by using https://manager_Service_server_FQDN/VMPS2.
    5. If the Manager Service is configured correctly, you should receive an XML page with no certificate warnings.
    6. If you receive a certificate warning, the certificate used for the Manager Service website is incorrect and must be resolved.
    7. If you still receive a 404 error try using \VMware\vCAC\Server\Logs\All.log).
  3. Validate the DEM Orchestrators and Workers. DEM Orchestrator and Workers require trusted, secure access to the Manager Service and IaaS Web Repository websites.

    1. Verify that if you have multiple DEM Workers, they all have unique names.
    2. Log in to the DEM server (as the vRealize Automation service account).
    3. Verify that the DEM Orchestrator/Worker services are started.
    4. If the services will not start, verify that the DEM services can reach the Repository website and the Manager Service address:
       
      1. Test connectivity to the IaaS Web Server from the DEM server:
      2. Locate the address being used in the config file located in the installation directory (\VMware\Distributed Execution Manager\DEM_NAME\DynamicOps.DEM.exe.config) after the “<add key="repositoryAddress" value=”</FONT> entry).
      3. Using Internet Explorer, append this https address with /repository/data/managementmodelentities.svc.
        • If it is working, you should receive a page of XML in response with no certificate errors. If you receive a certificate warning, the certificate used for the Manager Service website is incorrect and must be resolved.
        • If it is not working, review the review the Windows Event Viewer logs and/or DEM logs (location below) for further assistance.
      4. Test connectivity to the Manager Service from the DEM server:
      5. Locate the address being used in the config file located in the installation directory (\VMware\Distributed Execution Manager\DEM_NAME\DynamicOps.DEM.exe.config) search for the address ending in VMPS.
      6. Using Internet Explorer, try to connect to this address.
        • If it is working, you should receive a page of XML in response with no certificate errors. If you receive a certificate warning, the certificate used for the Manager Service website is incorrect and must be resolved.
        • If it is not working, review the Windows Event Viewer logs and/or DEM logs (location below) for further assistance.
    5. Additional Logging for the DEM Orchestrator and Workers can be found in the installation directory (\VMware\vCAC\Distributed Execution manager\DEM_Name\Logs\DEM_Name.log).

Common issues and solutions:

These are list of common causes and solutions for 404/401 issues that can occur in vRealize Automation 6.x:

  • For help with vRealize Automation Certificate requirements, see Certificate troubleshooting, supportability, and trust requirements for vRealize Automation 6.2 (2106583).
  • After loading windows patches on the IaaS Web server, the Infrastructure tab on the vRealize Automation UI displays REPO 404 errors or the Model Manager certificate store in Certificate Services displays an expired certificate.
     
  • Accessing the Infrastructure tabs in VMware vRealize Automation 6.0 fails with the errors: Invalid Certificate and This Connection is Untrusted. The problem could be that the endpoints are not registered correctly to the appliance.
  • Various 401 and certificate errors after replacing certificates in vRealize Automation.

Additional Information