Log in to Admin and Product UI as admin fails in vRealize/Aria Operations
search cancel

Log in to Admin and Product UI as admin fails in vRealize/Aria Operations

book

Article ID: 326396

calendar_today

Updated On:

Products

VMware Aria Suite

Issue/Introduction

The purpose of this article is to assist user with resetting admin account lockout for Aria Operations (formerly vRealize Operations).

 

This article does not apply to other products with Aria Operations in the name such as:

  • Aria Operations for Logs
  • Aria Operations for Networks.



Symptoms:

  • Logging in to the Admin and/or Product UI of vRealize/Aria Operations fails with the error:
Incorrect User name/Password
  • The credentials are correct and logging into the nodes directly as admin is successful.
  • The /storage/vcops/log/analytics-id.log may show error similar to:
2021-06-10 04:00:54,275 ERROR [ServerConnection on port 10000 Thread 13594 ] [TfdVMiEzxqkl4sVzfycK6wkqY4ajbvqW] com.vmware.vcops.auth.server.authN.LocalAuthNStrategy.au
thenticateLocalUser - Super admin user locked out. Cannot login currently
2021-06-10 03:26:12,335 ERROR [ServerConnection on port 10000 Thread 13282 ] [uaDSNvXTPmRDg5pc1rnJZHuTLc2h4zMH] com.vmware.vcops.platform.gemfire.GemfireFunction.execut
e - Exception occurred when executing function - topFunction - com.vmware.vcops.platform.gemfire.GemfireFunction$MethodInvocationException: AccountLockedException: Admin user account locked

 
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.



Environment

VMware vRealize Operations 8.x
VMware vRealize Operations Manager 7.x
VMware Aria Operations 8.x

Cause

Some adapters or other application integrations ask for the vRealize/Aria Operations admin credentials in the configuration, such as vRealize Log Insight integration.

This issue can occur when an adapter instance, or integrated application has the incorrect vRealize/Aria Operations admin password saved.
The adapter instance or other integrated application continually attempts a login, causing the account to become locked due to too many failed login attempts.

Resolution

Product UI admin account lockout:
After updating the admin credentials on any sources, admin account may be locked out. To resolve this issue in vRealize/Aria Operations, reset the failed login attempts on each Analytics node in the vRealize/Aria Operations cluster.

Method 1 (Preferred):
  1. Log into the Primary node as root via SSH or Console, pressing ENTER in a Console to log in.
  2. Issue the following commands to reset admin account lockout:
$VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/sliceConfiguration/bin/vcopsSetAdminPassword.py --unlock
$VMWARE_PYTHON_BIN $VCOPS_BASE/../vmware-vcopssuite/utilities/sliceConfiguration/bin/vcopsSetAdminPassword.py --sync

The first command will unlock the admin account by setting failed_attempts to 0 in adminuser.properties, the second command will synchronize that change with the other nodes in the cluster. If single node deployment, the sync command is not required.
 
Method 2 (Manual):
  1. Log into the Primary node as root via SSH or Console, pressing ENTER in a Console to log in.
  2. Open /storage/vcops/user/conf/adminuser.properties using a text editor:
vi /storage/vcops/user/conf/adminuser.properties
  1. Delete the failed_attempts=x line.
  2. Save and close the file:
:wq!
  1. Repeat steps 1-4 on all Primary Replica (if applicable) and Data nodes (if applicable) in the cluster.

OS admin account lockout:
The OS admin account may be locked out, but not for the same reasons as above, as it's only used internally, or by logging in through SSH or Console. Lockout for the OS account is handled though the OS internal lockout procedure.

Run this command for the local OS version of the admin account:
 
pam_tally2 --user admin --reset

           
Starting from Aria Operations 8.14 please use below command instead:
 
/usr/sbin/faillock --user admin --reset
 

The OS account for admin is in some ways separate from the Product UI admin account, changes made to the OS account, such as setting the password using passwd command, or resetting lockout using pam_tally2 or faillock command, will not be reflected on the Product UI account.
However, if password is changed for the Product UI account from Admin UI, that change is automatically propagated to the OS account.


Additional Information

For information on resetting the Admin password, see How to reset the admin password in vRealize Operations (2078313).
For information on identifying source of lockout, see vRealize Operations admin account getting locked even after password reset (89599) .

VMware recommends you create a local vRealize/Aria Operations service account for adapter instances or other application authentication and integration.
Quick Links:  

Create a local service account

To create a local service account user for adapter configurations and integrations, follow the steps below.
  1. Log into the vRealize/Aria Operations Product UI as the local admin user.
  2. Navigate to Administration > Access > Access Control.
  3. Click Add, to add a new local user.
  4. Enter the required information for the user, and click Next.
  5. Click the Objects tab, set the Select Role drop box to Administrator and check the Assign the role to the user box.
  6. Check the Allow access to all objects in the system box, and click Finish.  Click Yes if prompted.
 

Update adapter credentials

To use the newly created credentials on any required adapter instances, follow the steps below.
  1. Navigate to Administration > Solutions > Other Accounts.
  2. Next to the adapter instance you want to change the credentials on, click the vertical ellipsis, then click Edit.
  3. For vRealize/Aria Operations credentials, click Add New (plus icon) to create new Credentials.
Note: This does not apply for credentials used to connect to a destination.
  1. Enter the newly created local user information.
  2. Click OK, then click Save to save the adapter instance.


Impact/Risks:
If the failed login attempts have been caused by an adapter, integrated application or other external source, the credentials must be updated on those sources before following these steps to stop the failed login attempts from growing.
Failure to do so will result in the admin account getting locked out again.  It is recommended to switch any of these sources to service accounts; see the Related Information section for more information.

Note: If the failed login attempts are caused by an adapter running in vRealize/Aria Operations, and you are not able to log into the Product UI as another administrative user to update saved credentials in the adapter configuration, you may follow the steps below and quickly log into the vRealize/Aria Operations Product UI as the local admin user to update the adapter's saved credentials, then repeat the steps to clear any additional failed login attempts.