无法向 Inventory Service 重新注册 vCenter Server
search cancel

无法向 Inventory Service 重新注册 vCenter Server

book

Article ID: 338785

calendar_today

Updated On:

Products

VMware vCenter Server

Issue/Introduction

要解决此问题,请更新 register-is.bat 文件,以反映注册解决方案用户所使用的证书。

Symptoms:

免责声明:本文为 Unable to re-register vCenter Server to the Inventory Service (2045422) 的翻译版本。尽管我们会不断努力为本文提供最佳翻译版本,但本地化的内容可能会过时。有关最新内容,请参见英文版本。


使用默认 SSL 证书从 vCenter Server 5.0 升级到 5.x 之后,您会遇到以下症状:

  • C:\ProgramData\VMware\VMware VirtualCenter\SSL 文件夹包含常规的 rui.crt、rui.key rui.pfx 文件,同时还包含 SSO 解决方案用户的文件,例如 sso.crt、sso.key sso.pfx
  • C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg 文件中,您会看到类似以下内容的条目:

<sso>
<solutionUser>
<name>vCenterServer_2013.02.15_020938</name>
<certificate>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt</certificate>
<privateKey>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.key</privateKey>
</solutionUser>
</sso>

  • C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\vcsso.properties 文件中,您会看到类似以下内容的条目:
[solutionUser] name=vCenterServer_2012.11.14_090347
cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt
description=vCenter Server
  • %temp%/vcregtool.log 文件中,您会看到类似以下内容的条目:
[YYYY-MM-DD 13:44:11,563 main INFO com.vmware.vim.dataservices.vcregtool.RegisterVC] vCenter instance config file: C:\ProgramData\VMware\VMware VirtualCenter\instance.cfg
[YYYY-MM-DD 13:44:11,563 main INFO com.vmware.vim.dataservices.vcregtool.RegisterVC] vCenter Server certificate path: C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt [2013-02-14 13:44:11,563 main INFO com.vmware.vim.dataservices.vcregtool.RegisterVC] vCenter Server private key path: C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.key
  • 在位于 C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs\ds.log 的文件中,您会看到类似以下内容的条目:

    [YYYY-MM-DD 03:41:29,879 http-nio-/0.0.0.0-10443-exec-6 ERROR com.vmware.vim.vcauthenticate.impl.CertificateManager] Failed to verify signature for BDEDFA77-2597-43A3-8FBC-9A66B9F465F7
    [YYYY-MM-DD 13:41:29,879 http-nio-/0.0.0.0-10443-exec-6 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationServlet] Sending security error because of exception : com.vmware.vim.vcauthenticate.exception.InvalidLoginException: failed to verify signature for BDEDFA77-2597-43A3-8FBC-9A66B9F465F7

    注意:上述日志摘录仅为示例。日期、时间和环境变量可能会因环境而有所不同。

  • 尝试将 vCenter Server 重新指向 Inventory Service(例如,重置 Inventory Service 数据库之后)失败,并显示以下错误:
The SSL certificate of STS service was successfully verified against the list of client-trusted certificates
SOAP fault
javax.xml.ws.soap.SOAPFaultException: Authentication failed
at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:111)
at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:176)
at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:195)
at com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage(SoapBindingImpl.java:131)
at com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage(SoapBindingImpl.java:82)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.sendRequest(SecurityTokenServiceImpl.java:672)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.executeRoundtrip(SecurityTokenServiceImpl.java:606)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireTokenByCertificate(SecurityTokenServiceImpl.java:372)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.acquireSamlToken(RegisterVC.java:635)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.register(RegisterVC.java:211)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.doRegistration(RegisterVC.java:1253)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.main(RegisterVC.java:1332)
Creating SoapFault
Processing fault: ns0:FailedAuthentication: Authentication failed
Provided credentials are not valid.
opId=554d97df-2ad5-4a50-a883-ef87723d3296 END operation
Token request rejected by STS Service
com.vmware.vim.sso.client.exception.AuthenticationFailedException: Provided credentials are not valid.
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition(SecurityTokenServiceImpl.java:728)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.sendRequest(SecurityTokenServiceImpl.java:677)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.executeRoundtrip(SecurityTokenServiceImpl.java:606)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireTokenByCertificate(SecurityTokenServiceImpl.java:372)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.acquireSamlToken(RegisterVC.java:635)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.register(RegisterVC.java:211)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.doRegistration(RegisterVC.java:1253)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.main(RegisterVC.java:1332)
Removing Client@1712365710 reference from CompiledHttpConfiguration@1228257582, 0 active clients left.
Shutting down CompiledHttpConfiguration@1228257582 as there are no more clients.
Removing Client@945948553 reference from CompiledHttpConfiguration@1602331819, 0 active clients left.
Shutting down CompiledHttpConfiguration@1602331819 as there are no more clients.
Client was disposed successfully
Failed to perform register action
com.vmware.vim.dataservices.vcregtool.exception.RegistrationException
at com.vmware.vim.dataservices.vcregtool.RegisterVC.acquireSamlToken(RegisterVC.java:640)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.register(RegisterVC.java:211)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.doRegistration(RegisterVC.java:1253)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.main(RegisterVC.java:1332)

...

Processing fault: ns0:FailedAuthentication: Invalid Credentials


Environment

VMware vCenter Server 5.5.x
VMware vCenter Server 5.1.x

Cause

如果使用 rui.crt 而非 sso.crt 向 SSO 注册解决方案用户,则会出现此问题。

Resolution

该已知问题会影响 vCenter Server 5.1 和 5.5。

当前,没有解决办法。

要解决此问题,请更新 register-is.bat 文件,以反映注册解决方案用户所使用的证书:

注意:请确保在继续之前先备份 register-is.bat 文件。
  1. 以管理员身份登录到 vCenter Server。
  2. 列出 C:\ProgramData\VMware\VMware VirtualCenter\SSL 的内容。如果此目录包含 rui.crt rui.key,请跳至步骤 5。如果此文件夹包含 sso.crt sso.key,请继续执行步骤 3。
  3. 使用文本编辑器打开 C:\Program Files\VMware\Infrastructure\VirtualCenter Server\isregtool directory\register-is.bat 文件。
  4. 找到以下条目:

    set COMMAND="%~dp0vcregtool.bat" -action register -vcurl %1 -isurl %2 -lookupserviceurl %3 -vccert "%DATA_DIR%\SSL\rui.crt" -vcprivkey "%DATA_DIR%\SSL\rui.key" -vcinstancecfg "%DATA_DIR%\instance.cfg" -vcendpointsdir "%PROGRAM_DIR%\endpoints" -vcextensionsdir "%PROGRAM_DIR%\extensions" -vcforceregister true

  5. 将该条目更改为:

    set COMMAND="%~dp0vcregtool.bat" -action register -vcurl %1 -isurl %2 -lookupserviceurl %3 -vccert "%DATA_DIR%\SSL\sso.crt" -vcprivkey "%DATA_DIR%\SSL\sso.key" -vcinstancecfg "%DATA_DIR%\instance.cfg" -vcendpointsdir "%PROGRAM_DIR%\endpoints" -vcextensionsdir "%PROGRAM_DIR%\extensions" -vcforceregister true

  6. 向 Inventory Service 重新注册 vCenter Server。有关详细信息,请参见 Repointing and reregistering VMware vCenter Server 5.1 / 5.5 and components (2033620)
  7. 要测试 Inventory Service,请在 vSphere Client 或 vSphere Web Client 中搜索清单对象。


Additional Information

要在更新本文时收到提醒,请在“Actions”框中单击 Subscribe to Article。

Powered by Wolken Software