Update/Remediate vRLCM-vIDM authentication in case of Host name change on vIDM/vRLCM

Article ID: 336724

Updated On:

Products

VMware Aria Suite

Issue/Introduction

This article describes how to resolve authentication failures caused by a change in the host name of vIDM or vRLCM.

Symptoms:
Authentication failure when logging into vRLCM through SSO or Identity Manager.

Environment

VMware vRealize Automation 8.x

Cause

These failures are due to a break in trust between the identity provider (vIDM) and the product (vRLCM).

Resolution

Before making any changes, take a snapshot of the vRLCM appliance VM without memory.

Scenario 1: Change in vRLCM FQDN

  1. SSH to vRLCM and check the vRLCM host name in /etc/hosts, etc.
  2. Log in to the vRLCM console as admin and trigger an inventory sync of the Global Environment.
  3. Check the vIDM host names for any change from the previous configuration.
  4. Log in to Swagger, retrieve the configuration parameters with the Configuration Parameter API getAllconfigs, and validate the host name entries for vRLCM and vIDM. Also check the client ID.
  5. Check the redirect URI and client ID in the login URL; the client ID should have the correct redirect URI.
  6. Navigate to the vRLCM CLI and run the command below:
    curl -k -X POST "https://currentLcmFQDN/lcm/authzn/api/updlcmhostwithprovider" -H "accept: application/json" -H "Content-Type: application/json" -H 'authorization: Basic <token>=' -d "{\"lcmHostname\":\"currentLcmFQDN\",\"lostHostUri\":\"http://currentLcmFQDN\",\"lcmCatalogAppName\":null}"

Note:

The above solution does not change the catalog app data in vIDM; it does update the vRLCM OAuth client details in vIDM.
Replace the currentLcmFQDN value with the current LCM FQDN.
For authorization: Basic <token>, form the header value as Base64encode(username:password). The user name is admin@local and the password is the one set for the admin@local user.


Scenario 2: Change in vIDM FQDN

  1. Check that the host name entries in /usr/local/horizon/conf/flags/sysconfig.hostname and /etc/hosts reflect the updated FQDN on all nodes.
  2. Make sure the horizon service was restarted on all nodes after the update.
  3. Trigger an inventory sync in vRLCM and make sure the request is successful.
  4. Navigate to the vRLCM CLI and run the command below:
    curl -X POST "https://vrlcm-hostname/lcm/authzn/api/updproviderhostwithlcm" -H "accept: application/json" -H "Content-Type: application/json" -d "{ \"vidmAdminPassword\": \"password\", \"vidmHostname\": \"vidm-hostname\"}"

Note:

vidm-hostname is the updated vIDM FQDN.
For authorization: Basic <token>, form the header value as Base64encode(username:password). The user name is admin@local and the password is the one set for the admin@local user.
From 8.1 Patch1, remediation to reset the authentication provider is available as part of the Swagger API.
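
The Base64encode(username:password) step from the notes in both scenarios, applied to the Scenario 1 request, as an added example that is not part of the original article. The helper names (basic_token, token_is_valid, lcm_curl_config) and the FQDN lcm.example.test are constructed for illustration; the endpoint and JSON fields are copied from the command above.

```shell
#!/bin/sh
# Added example. FQDN and credential values are constructed placeholders;
# basic_token, token_is_valid and lcm_curl_config are hypothetical helper names.

# Value for "authorization: Basic <token>": Base64 of "username:password".
# printf '%s' (not echo) keeps a trailing newline out of the encoded credential;
# tr removes the line wraps base64 adds to long output.
basic_token() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Check a token before sending it: it must decode to "<user>:<non-empty password>"
# and contain no newline (the usual result of building it with echo).
token_is_valid() {
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
    newlines=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -l)
    [ "$newlines" -eq 0 ] || return 1
    case $decoded in
        "$2":?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Emit a curl config for the Scenario 1 call so the credential travels on stdin
# instead of the command line (argv is visible in ps output and shell history).
# "insecure" mirrors the -k in the article's command; remove it when the
# appliance certificate is trusted by this shell's CA store.
lcm_curl_config() {
    fqdn=$1 token=$2
    cat <<EOF
url = "https://$fqdn/lcm/authzn/api/updlcmhostwithprovider"
request = "POST"
insecure
header = "accept: application/json"
header = "Content-Type: application/json"
header = "authorization: Basic $token"
data = "{\\"lcmHostname\\":\\"$fqdn\\",\\"lostHostUri\\":\\"http://$fqdn\\",\\"lcmCatalogAppName\\":null}"
EOF
}

# Usage on the vRLCM shell (reads the admin@local password without echoing it):
#   stty -echo; IFS= read -r pw; stty echo
#   lcm_curl_config "lcm.example.test" "$(basic_token admin@local "$pw")" | curl --config -
```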