Executing domain repoint fails while registering STS system tenant with VMCA_INVALID_CSR_FIELD exception.

Article ID: 338160


Products

VMware vCenter Server

Issue/Introduction

Symptoms:
  • Domain repoint fails while registering STS system tenant with VMCA_INVALID_CSR_FIELD exception
  • You will see similar entries in domain_consolidator.log file location: /var/log/vmware/cloudvm/
    • 2020-05-02T11:28:42.003Z Getting value for install-parameter: upgrade.import.directory
      2020-05-02T11:28:42.003Z VMware Identity Service bootstrap: importDirectory=/storage/seat/cis-export-folder/sso
      2020-05-02T11:28:42.003Z VMware Identity Service bootstrap: isUgprading=False
      2020-05-02T11:28:42.003Z Getting value for install-parameter: upgrade.import.directory
      2020-05-02T11:28:42.003Z VMware Identity Service bootstrap: importDirectory=/storage/seat/cis-export-folder/sso
      2020-05-02T11:28:42.003Z VMware Identity Service bootstrap: isUgprading=False
      2020-05-01T11:10:36.387Z Running command: ['/usr/java/jre-vmware/bin/java', '-cp', '/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/*:/usr/lib/vmware/common-jars/log4j-core-2.11.2.jar:/usr/lib/vmware/common-jars/log4j-api-2.11.2.jar:/usr/lib/vmware/common-jars/log4j-slf4j-impl-2.11.2.jar:/usr/lib/vmware/common-jars/jcl-over-slf4j-1.7.26.jar:.:*', '-Dvmware.log.dir=/var/log/vmware/sso/', '-XX:ErrorFile=/var/log/vmware/sso/hs_err_stsinstaller_pid%p.log-XX:HeapDumpPath=/var/log/vmware/sso/', 'com.vmware.identity.configure.VMIdentityStandaloneInstaller', '--set-hostname', '--hostname', 'changeme.gsslabs.org', '--hostnametype', 'ipv4']
      2020-05-01T11:10:37.719Z Done running command

      2020-05-01T11:10:37.719Z >>>>stderr:
      2020-05-01T11:10:37.719Z Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
      -Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
      -Dorg.apache.xml.security.ignoreLineBreaks=true
      log4j:WARN No appenders could be found for logger (com.vmware.identity.interop.NativeLibraryPreloader).
      log4j:WARN Please initialize the log4j system properly.
      log4j:WARN See
      http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
      2020-05-01T11:10:37.719Z <<<<stderr
      2020-05-01T11:10:37.719Z >>>>stdout:
      2020-05-01T11:10:37.719Z
      2020-05-01T11:10:37.719Z <<<<stdout
      2020-05-01T11:10:37.720Z ===Return code: 0
      2020-05-01T11:10:37.720Z Getting value for install-parameter: upgrade.import.directory
      2020-05-01T11:10:37.720Z VMware Identity Service bootstrap: importDirectory=/storage/seat/cis-export-folder/sso
      2020-05-01T11:10:37.720Z VMware Identity Service bootstrap: isUgprading=False
      2020-05-01T11:10:37.720Z Setting up system tenant.
      2020-05-01T11:10:37.721Z Running command: ['/usr/java/jre-vmware/bin/java', '-cp', '/opt/vmware/lib64/*:/usr/lib/vmware-sso/commonlib/*:/usr/lib/vmware/common-jars/log4j-core-2.11.2.jar:/usr/lib/vmware/common-jars/log4j-api-2.11.2.jar:/usr/lib/vmware/common-jars/log4j-slf4j-impl-2.11.2.jar:/usr/lib/vmware/common-jars/jcl-over-slf4j-1.7.26.jar:.:*', '-Dvmware.log.dir=/var/log/vmware/sso/', '-XX:ErrorFile=/var/log/vmware/sso/hs_err_stsinstaller_pid%p.log-XX:HeapDumpPath=/var/log/vmware/sso/', 'com.vmware.identity.installer.STSInstaller', '--register-system-tenant']
      2020-05-01T11:10:41.219Z Done running command
      2020-05-01T11:10:41.219Z >>>>stderr:
      2020-05-01T11:10:41.219Z Picked up JAVA_TOOL_OPTIONS: -Xms32M -Xmx128M
      -Dcom.sun.org.apache.xml.internal.security.ignoreLineBreaks=true
      -Dorg.apache.xml.security.ignoreLineBreaks=true
      log4j:WARN No appenders could be found for logger (com.vmware.identity.interop.NativeLibraryPreloader).
      log4j:WARN Please initialize the log4j system properly.
      log4j:WARN See
      http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
      Failed to register system tenant.
      com.vmware.certificate.VMCAException: VMCA_INVALID_CSR_FIELD
      2020-05-01T11:10:41.219Z <<<<stderr
      2020-05-01T11:10:41.219Z >>>>stdout:
      2020-05-01T11:10:41.219Z Starting system tenant registration...
      Exception occured while registering system tenant.com.vmware.certificate.VMCAException: VMCA_INVALID_CSR_FIELD
      1: In call VMCAJavaGenCert2: Values Setup
      2020-05-01T11:10:41.220Z <<<<stdout
      2020-05-01T11:10:41.220Z ===Return code: 1
      2020-05-01T11:10:41.220Z VMware Identity Service bootstrap failed.
      2020-05-01T11:10:41.221Z Exception: Traceback (most recent call last):
        File "/usr/lib/vmidentity/firstboot/vmidentity-firstboot.py", line 1641, in main
          vmidentityFB.boot()
        File "/usr/lib/vmidentity/firstboot/vmidentity-firstboot.py", line 335, in boot
          self.configureIdentityManager(self.__idmRetryCount, self.__idmRetryInterval)
        File "/usr/lib/vmidentity/firstboot/vmidentity-firstboot.py", line 552, in configureIdentityManager
          self.configureSystemTenant()
        File "/usr/lib/vmidentity/firstboot/vmidentity-firstboot.py", line 480, in configureSystemTenant
          raise Exception('Failed to set up STS system tenant.')
      Exception: Failed to set up STS system tenant.

Note: The preceding log excerpts are only examples. Dates, times, and environment-specific values may vary depending on your environment.


Environment

VMware vCenter Server Appliance 6.7.x

Cause

A PNID change from an IP address to an FQDN, followed by a cross-domain repoint, always fails with the error VMCA_INVALID_CSR_FIELD, because the domain-repoint workflow reads the install parameter "system.hostname.type" when creating the CSR. Here the hostname type (FQDNType) is still ipv4 while the hostname/PNID is an FQDN, so GenCSR is invoked with the parameter "--IPAddress=<vCenter FQDN>", which is invalid.

This happens because the PNID change script does not update the hostname type during an IP-to-FQDN change. Ideally it should change "system.hostname.type" from 'ipv4' to 'fqdn' as part of the PNID workflow whenever the change is from IP to FQDN.

Resolution

VMware is aware of this issue and working to resolve this in a future release.

Workaround:

To work around the issue, change the value in the file below under install-defaults so that it matches the form of the PNID:

From:
cat /etc/vmware/install-defaults/system.hostname.type
ipv4

To:
cat /etc/vmware/install-defaults/system.hostname.type
fqdn
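The cause above boils down to a mismatch between the install parameter system.hostname.type and the actual form of the PNID. The following POSIX shell script is an added pre-flight check written for this article; it is not part of the KB or of any VMware tooling. It classifies a PNID as an IPv4 literal or a hostname/FQDN and compares that against the value in /etc/vmware/install-defaults/system.hostname.type (the path from the article), so the mismatch can be caught before a domain repoint builds a CSR with the wrong subject field. The PNID is passed as an argument; the function and file names (classify_pnid, check_hostname_type, pnid_type_check.sh) are the author's own choices.

```shell
#!/bin/sh
# Added example (not from the KB article or VMware): check that the
# install parameter system.hostname.type agrees with the form of the PNID,
# the inconsistency behind VMCA_INVALID_CSR_FIELD during domain repoint.

# Path taken from the article; override with the second argument to main.
HOSTNAME_TYPE_FILE=/etc/vmware/install-defaults/system.hostname.type

# classify_pnid VALUE
# Prints "ipv4" when VALUE is a dotted-quad IPv4 literal (four octets,
# each 0-255), otherwise prints "fqdn" (i.e. "not an IPv4 literal").
# Returns 1 when VALUE is empty.
classify_pnid() {
    pnid=$1
    [ -n "$pnid" ] || return 1
    # Any character other than a digit or a dot rules out an IPv4 literal.
    case "$pnid" in
        *[!0-9.]*) echo fqdn; return 0 ;;
    esac
    rest=$pnid
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}           # text before the first dot
        case "$rest" in
            *.*) rest=${rest#*.} ;; # drop the consumed octet and its dot
            *)   rest= ;;
        esac
        count=$((count + 1))
        # Empty octet (e.g. "10..1.1") or value above 255 is not IPv4.
        [ -n "$octet" ] && [ "$octet" -le 255 ] || { echo fqdn; return 0; }
    done
    [ "$count" -eq 4 ] && echo ipv4 || echo fqdn
}

# check_hostname_type TYPE PNID
# Returns 0 when TYPE ("ipv4" or "fqdn") matches the classification of
# PNID, 1 otherwise. A mismatch means GenCSR would be handed the wrong
# subject parameter (--IPAddress=<FQDN>) as described in the Cause.
check_hostname_type() {
    expected=$(classify_pnid "$2") || return 1
    [ "$1" = "$expected" ]
}

# main PNID [TYPE_FILE]
# Reads the current hostname type from TYPE_FILE and reports whether it
# is consistent with PNID. Exit 0 = consistent, 1 = mismatch, 2 = cannot read.
main() {
    pnid=$1
    type_file=${2:-$HOSTNAME_TYPE_FILE}
    [ -r "$type_file" ] || { echo "cannot read $type_file" >&2; return 2; }
    current=$(cat "$type_file")
    if check_hostname_type "$current" "$pnid"; then
        echo "OK: system.hostname.type=$current matches PNID $pnid"
        return 0
    fi
    echo "MISMATCH: system.hostname.type=$current but PNID '$pnid' is $(classify_pnid "$pnid")" >&2
    echo "Set $type_file to '$(classify_pnid "$pnid")' before running the domain repoint." >&2
    return 1
}

# Run the check only when a PNID argument is given, e.g.
#   sh pnid_type_check.sh vcenter.example.com
if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

On an appliance that went through the IP-to-FQDN PNID change described in the Cause, the script reports MISMATCH with the file still containing ipv4; after applying the workaround it reports OK. The classification only decides whether the value is an IPv4 literal, which is the distinction the install parameter encodes; anything else (including an IPv6 literal) is reported as fqdn, so treat that case manually.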