Log in to Admin and Product UI as admin fails in Aria Operations

Article ID: 326396


Products

VMware Aria Suite

Issue/Introduction

The purpose of this article is to assist users with resetting an admin account lockout in Aria Operations.

 

This article does not apply to other products with Aria Operations in the name such as:

  • Aria Operations for Logs
  • Aria Operations for Networks.



Symptoms:

  • Logging in to the Admin and/or Product UI of Aria Operations fails with the error:
Incorrect User name/Password
  • The credentials are correct and logging into the nodes directly as admin is successful.
  • The /storage/vcops/log/analytics-id.log may show errors similar to:
2021-06-10 04:00:54,275 ERROR [ServerConnection on port 10000 Thread 13594 ] [TfdVMiEzxqkl4sVzfycK6wkqY4ajbvqW] com.vmware.vcops.auth.server.authN.LocalAuthNStrategy.authenticateLocalUser - Super admin user locked out. Cannot login currently
2021-06-10 03:26:12,335 ERROR [ServerConnection on port 10000 Thread 13282 ] [uaDSNvXTPmRDg5pc1rnJZHuTLc2h4zMH] com.vmware.vcops.platform.gemfire.GemfireFunction.execute - Exception occurred when executing function - topFunction - com.vmware.vcops.platform.gemfire.GemfireFunction$MethodInvocationException: AccountLockedException: Admin user account locked

 
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.



Environment

VMware Aria Operations 8.x

Cause

Some adapters or other application integrations ask for the Aria Operations admin credentials in the configuration, such as Aria Log Insight integration.

This issue can occur when an adapter instance or integrated application has the incorrect Aria Operations admin password saved.
The adapter instance or other integrated application continually attempts a login, causing the account to become locked due to too many failed login attempts.

Resolution

Product UI admin account lockout:
After the admin credentials have been updated on any sources, the admin account may be locked out. To resolve this issue in Aria Operations, reset the failed login attempts on each Analytics node in the Aria Operations cluster.

Method 1 (Preferred):
  1. Log into the Primary node as root via SSH or Console, pressing ENTER in a Console to log in.
  2. Issue the following commands to reset admin account lockout:
$VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/sliceConfiguration/bin/vcopsSetAdminPassword.py --unlock
$VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/sliceConfiguration/bin/vcopsSetAdminPassword.py --sync

The first command unlocks the admin account by setting failed_attempts to 0 in adminuser.properties. The second command synchronizes that change with the other nodes in the cluster. In a single-node deployment, the sync command is not required.
 
Method 2 (Manual):
  1. Log into the Primary node as root via SSH or Console, pressing ENTER in a Console to log in.
  2. Open /storage/vcops/user/conf/adminuser.properties using a text editor:
vi /storage/vcops/user/conf/adminuser.properties
  3. Delete the failed_attempts=x line.
  4. Save and close the file:
:wq!
  5. Repeat steps 1-4 on all Primary Replica (if applicable) and Data nodes (if applicable) in the cluster.
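
To confirm on a node that the counter is cleared and that lockout errors have stopped after the reset, the check below reads failed_attempts and counts the two lockout messages quoted under Symptoms. It is an added example, not VMware tooling; the function names and sample files are constructed, and it assumes the log keeps the timestamp layout shown in the excerpts above.

```shell
#!/bin/sh
# Added example (not VMware code): check lockout state on one node.
# On an appliance, point the functions at the files the article names:
#   /storage/vcops/user/conf/adminuser.properties
#   /storage/vcops/log/analytics-id.log   ("id" as written in the article)

# failed_attempts FILE: print the counter, or 0 when the line is absent.
failed_attempts() {
    awk -F= '{ k = $1; gsub(/[ \t]/, "", k) }
             k == "failed_attempts" { v = $2; gsub(/[ \t\r]/, "", v) }
             END { print (v == "" ? 0 : v) }' "$1"
}

# Shared awk condition: the two lockout messages quoted under Symptoms.
LOCKED='/ ERROR / && (/Super admin user locked out/ || /AccountLockedException: Admin user account locked/)'

# lockout_by_hour LOG: print "YYYY-MM-DD HH count" per hour, oldest first.
lockout_by_hour() {
    awk "$LOCKED"' { n[$1 " " substr($2, 1, 2)]++ }
         END { for (h in n) print h, n[h] }' "$1" | sort
}

# lockouts_since LOG "YYYY-MM-DD HH:MM:SS": count lockout errors logged at or
# after that time, e.g. the moment the counter was reset.
lockouts_since() {
    awk -v since="$2" "$LOCKED"' { if (($1 " " substr($2, 1, 8)) >= since) c++ }
         END { print c + 0 }' "$1"
}

# Constructed sample files (shortened log lines in the article's format).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'failed_attempts=7\n' > "$demo_dir/adminuser.properties"
cat > "$demo_dir/analytics.log" <<'EOF'
2021-06-10 03:26:12,335 ERROR [Thread 1] [req1] GemfireFunction.execute - AccountLockedException: Admin user account locked
2021-06-10 03:40:02,101 INFO [Thread 2] [req2] SomeClass.method - unrelated message
2021-06-10 03:55:41,900 ERROR [Thread 3] [req3] LocalAuthNStrategy.authenticateLocalUser - Super admin user locked out. Cannot login currently
2021-06-10 04:00:54,275 ERROR [Thread 4] [req4] LocalAuthNStrategy.authenticateLocalUser - Super admin user locked out. Cannot login currently
EOF

echo "failed_attempts: $(failed_attempts "$demo_dir/adminuser.properties")"
lockout_by_hour "$demo_dir/analytics.log"
echo "since 04:00:00: $(lockouts_since "$demo_dir/analytics.log" '2021-06-10 04:00:00')"
```

A non-zero count from lockouts_since for the time of the reset means a source is still submitting the wrong password and the account will lock again.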

OS admin account lockout:
The OS admin account may be locked out, but not for the same reasons as above, as it's only used internally, or by logging in through SSH or Console. Lockout for the OS account is handled through the OS internal lockout procedure.

Run this command for the local OS version of the admin account:
 
pam_tally2 --user admin --reset

           
Starting from Aria Operations 8.14, use the command below instead:
 
/usr/sbin/faillock --user admin --reset
 

The OS account for admin is in some ways separate from the Product UI admin account. Changes made to the OS account, such as setting the password using the passwd command or resetting the lockout using the pam_tally2 or faillock command, will not be reflected on the Product UI account.
However, if the password is changed for the Product UI account from the Admin UI, that change is automatically propagated to the OS account.

Additional Information

For information on resetting the Admin password, see How to reset the admin password in VMware Aria Operations (326391).
For information on identifying the source of the lockout, see Aria Operations admin account getting locked even after password reset (346009).

VMware recommends you create a local Aria Operations service account for adapter instances or other application authentication and integration.

Create a local service account

To create a local service account user for adapter configurations and integrations, follow the steps below.
  1. Log into the vRealize/Aria Operations Product UI as the local admin user.
  2. Navigate to Administration > Access > Access Control.
  3. Click Add to add a new local user.
  4. Enter the required information for the user, and click Next.
  5. Click the Objects tab, set the Select Role drop box to Administrator and check the Assign the role to the user box.
  6. Check the Allow access to all objects in the system box, and click Finish.  Click Yes if prompted.
 

Update adapter credentials

To use the newly created credentials on any required adapter instances, follow the steps below.
  1. Navigate to Administration > Solutions > Other Accounts.
  2. Next to the adapter instance you want to change the credentials on, click the vertical ellipsis, then click Edit.
  3. For vRealize/Aria Operations credentials, click Add New (plus icon) to create new Credentials.
     Note: This does not apply for credentials used to connect to a destination.
  4. Enter the newly created local user information.
  5. Click OK, then click Save to save the adapter instance.


Impact/Risks:
If the failed login attempts have been caused by an adapter, integrated application or other external source, the credentials must be updated on those sources before following these steps to stop the failed login attempts from growing.
Failure to do so will result in the admin account getting locked out again.  It is recommended to switch any of these sources to service accounts; see the Related Information section for more information.

Note: If the failed login attempts are caused by an adapter running in Aria Operations, and you are not able to log into the Product UI as another administrative user to update saved credentials in the adapter configuration, you may follow the steps below and quickly log into the Aria Operations Product UI as the local admin user to update the adapter's saved credentials, then repeat the steps to clear any additional failed login attempts.