"Unidentifiable C++ exception" while enabling VSAN encryption

Article ID: 326506

Updated On: 12-02-2024

Products

VMware vSAN

Issue/Introduction

Symptoms:

  • When trying to enable encryption in the web client, the interface shows an error "unidentifiable C++ exception".

  • In the vCenter, the vmware-vsan-health-service.log located in /var/log/vmware/vsan-health/ shows the error:

2019-04-05T13:24:10.458Z ERROR vsan-mgmt[Thread-75] [SoapHandler::_InvokeMethod opID=62dfb6b4-57d8-11e9] unidentifiable C++ exception
2019-04-05T13:26:31.155Z ERROR vsan-mgmt[Thread-43] [SoapHandler::_InvokeMethod opID=b6d3dc64-57d8-11e9] Traceback (most recent call last):
  File "/usr/lib/vmware-vpx/pyJack/SoapHandler.py", line 1367, in _InvokeMethod value = method.f(method.info, mo, **msg.params)
  File "/usr/lib/vmware/site-packages/pyVmomi/VmomiSupport.py", line 363, in _InvokeMethod return self._stub.InvokeMethod(self, info, args)
  File "/usr/lib/vmware-vpx/pyJack/SoapHandler.py", line 228, in InvokeMethod validator.validateMethodCall(context, info, mo, params)
  File "/usr/lib/vmware-vpx/vsan-health/VsanMgmtAuthorizer.py", line 394, in validateMethodCall methodInfo, params)
  File "/usr/lib/vmware-vpx/vsan-health/VsanMgmtAuthorizer.py", line 288, in CheckPrivileges cls._CheckDynamicPrivileges(vsanSession, mo, mi, params)
  File "/usr/lib/vmware-vpx/vsan-health/VsanMgmtAuthorizer.py", line 270, in _CheckDynamicPrivileges privChecks = cb(mo, mi, params)
  File "/usr/lib/vmware-vpx/vsan-health/pyMoVsan/VsanVcClusterConfigSystemImpl.py", line 3570, in GetMethodCallPermissions extraPrivs, _ = configFlow.EagerPreCheck(cluster, vsanReconfigSpec)
  File "/usr/lib/vmware-vpx/vsan-health/pyMoVsan/VsanVcClusterConfigSystemImpl.py", line 3153, in EagerPreCheck error = operation.EagerPreCheck(cluster, spec)
  File "/usr/lib/vmware-vpx/vsan-health/pyMoVsan/VsanVcClusterConfigSystemImpl.py", line 1501, in EagerPreCheck with VsanEncryptionUtil(conn) as encUtil:
  File "/usr/lib/vmware-vpx/vsan-health/pyMoVsan/VsanVcEncryption.py", line 60, in __enter__ self.allAliases = list(self.keyStore.aliases())
  File "/usr/lib/vmware/site-packages/identity/vmkeystore.py", line 50, in aliases self.enum_context = self._client.BeginEnumAliases(self._store_context, 10)
RuntimeError: unidentifiable C++ exception
  • In the vmafdd-syslog.log located in /var/log/vmware/vmafd/, the error is listed as:
2019-04-05T13:23:37.929258-06:00 err vmafdd  t@139756943955712: ERROR! [VecsIpcSetPermission] is returning  [5]
2019-04-05T13:24:02.957876-06:00 err vmafdd  t@139756943955712: [Error - 5, ../../../server/vmafd/authutil.c:519]
2019-04-05T13:24:02.958294-06:00 err vmafdd  t@139756943955712: [Error - 5, ../../../server/vmafd/authservice.c:218

Environment

VMware vSAN 6.x

VMware vSAN 7.x

Cause

The "is returning [5]" error reported in the vmafdd.log means "Access denied", which indicates a permission issue on the KMS_ENCRYPTION store in VECS.

When a user configures the KMS from the vSphere UI, a VECS DB is created to save all the configuration and credentials. The vsan-health user is expected to be granted read permission on it so that vSAN can also access the KMS configuration.

Resolution

The issue was observed in vSAN 6.7 and not on the latest versions. The workaround below can be used to grant the READ permission manually.

Workaround:

  • Check the permissions on the VECS store and make sure the vsan-health user has access. Here KMS_ENCRYPTION is the name of the KMS server.
Open a PuTTY session to the vCenter Server and run the command below to check the permissions:
/usr/lib/vmware-vmafd/bin/vecs-cli store get-permissions --name KMS_ENCRYPTION
PERMISSIONS FOR STORE: [KMS_ENCRYPTION]
OWNER : root
USER            ACCESS
vsan-health     read
  • The output should match the above, with vsan-health showing READ access.

  • If vsan-health is not listed under the KMS_ENCRYPTION store, add it by running the following command:

/usr/lib/vmware-vmafd/bin/vecs-cli store permission --name KMS_ENCRYPTION --user vsan-health --grant read
  • Once "read" access is granted to vsan-health, the problem should not happen again.
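
The permission check from the workaround can be scripted. The shell script below is an added example, not VMware tooling: it assumes the get-permissions output has the layout shown above, and the function names and the embedded sample are constructed for illustration. It only reports; the grant command from the workaround is printed, never executed.

```shell
#!/bin/sh
# Added example (not VMware code): confirm that a user has read access on a
# VECS store by parsing `vecs-cli store get-permissions` output.
# Assumption: the output layout is the one shown in this article.
VECS_CLI=/usr/lib/vmware-vmafd/bin/vecs-cli   # path from the article
STORE=KMS_ENCRYPTION                          # store name from the article
SVC_USER=vsan-health                          # user from the article

# vecs_user_has_read USER: reads get-permissions output on stdin.
# Returns 0 only if USER appears in the table below the "USER ACCESS" header
# with "read" in its access column; 1 if the user is absent, lacks read,
# or the header never appears (for example, the CLI printed an error).
vecs_user_has_read() {
    awk -v user="$1" '
        in_table && $1 == user {
            for (i = 2; i <= NF; i++) if (tolower($i) == "read") found = 1
        }
        $1 == "USER" && $2 == "ACCESS" { in_table = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample: a store that has no vsan-health entry (the failing case).
SAMPLE_MISSING='PERMISSIONS FOR STORE: [KMS_ENCRYPTION]
OWNER : root
USER            ACCESS'

# report: hypothetical helper; reads CLI output on stdin and prints a verdict.
# On failure it prints the grant command from the article without running it.
report() {
    if vecs_user_has_read "$SVC_USER"; then
        echo "OK: $SVC_USER has read access on $STORE"
    else
        echo "NOT FOUND: no read entry for $SVC_USER on $STORE in the output"
        echo "  $VECS_CLI store permission --name $STORE --user $SVC_USER --grant read"
        return 1
    fi
}

# On a vCenter appliance, query the real store; elsewhere, show the sample.
if [ -x "$VECS_CLI" ]; then
    "$VECS_CLI" store get-permissions --name "$STORE" 2>&1 | report
else
    printf '%s\n' "$SAMPLE_MISSING" | report || true
fi
```

Because the OWNER line sits above the table header, an account that appears only as owner is not counted as having a read entry.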

Additional Information

Impact/Risks:

There is no impact in taking the steps stated in the KB.