Checking vapi-endpoint service in the VAMI reports the health status with warning "Failed to register with SCA"

Article ID: 338898

Products

VMware vCenter Server

Issue/Introduction

  • The vapi-endpoint service starts successfully but is marked as unhealthy.
  • /var/log/vmware/vapi/endpoint/endpoint.log shows the following error:

YYYY-MM-DDTHH:MM:SS | INFO  | state-manager1            | DefaultStateManager            | Invoking rebuild sca-registration-builder
YYYY-MM-DDTHH:MM:SS | ERROR | state-manager1            | ScaRegistrationBuilder         | Cannot register vAPI Endpoint properties to SCA!
com.vmware.vim.binding.vmodl.fault.SecurityError: Principal vsphere-webclient-serviceID@<sso domain> does not have required privilege SystemConfiguration.Administrators
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method) ~[?:1.8.0_345]
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62) ~[?:1.8.0_345]
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) ~[?:1.8.0_345]
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423) ~[?:1.8.0_345]
        at java.lang.Class.newInstance(Class.java:442) ~[?:1.8.0_345]
        at com.vmware.vim.vmomi.core.types.impl.ComplexTypeImpl.newIns

  • Checking the health status at the vAPI URL https://<vCenterFQDN>/vapiendpoint/health returns:

    <healthStatus xmlns="http://www.vmware.com/cis/cm/common/jaxb/healthstatus" schemaVersion="1.0">
    <status>YELLOW</status>
    <message messageKey="com.vmware.vapi.endpoint.failedToRegisterWithSca" defaultMessage="Failed to register with SCA."/>
    <message messageKey="com.vmware.vapi.endpoint.healthStatusProducedTimes" defaultMessage="Configuration health status is created between YYYY-MM-DDTHH:MM:SS and YYYY-MM-DDTHH:MM:SS.">
    <param xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">xxxx-xx-xxTxx:xx:xxEDT</param>
    <param xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">xxxx-xx-xxTxx:xx:xxEDT</param>
    </message>
    </healthStatus>
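
Before deleting and recreating the solution user, it is worth confirming that both symptoms above are present together. The following is an added example, not part of the original article or VMware tooling: it parses a saved copy of the health XML and the endpoint.log text and reports whether they match this article. The sample inputs are constructed from the excerpts above, with vsphere.local and the timestamp as placeholder values.

```python
import re
import xml.etree.ElementTree as ET

NS = {"hs": "http://www.vmware.com/cis/cm/common/jaxb/healthstatus"}
SCA_KEY = "com.vmware.vapi.endpoint.failedToRegisterWithSca"
# Matches the SecurityError line shown in the endpoint.log excerpt.
FAULT_RE = re.compile(
    r"SecurityError: Principal (?P<principal>\S+) "
    r"does not have required privilege (?P<privilege>\S+)"
)

# Constructed sample inputs (placeholder timestamp and SSO domain).
SAMPLE_HEALTH = """<healthStatus xmlns="http://www.vmware.com/cis/cm/common/jaxb/healthstatus" schemaVersion="1.0">
<status>YELLOW</status>
<message messageKey="com.vmware.vapi.endpoint.failedToRegisterWithSca" defaultMessage="Failed to register with SCA."/>
</healthStatus>"""
SAMPLE_LOG = """2024-01-01T00:00:00 | ERROR | state-manager1 | ScaRegistrationBuilder | Cannot register vAPI Endpoint properties to SCA!
com.vmware.vim.binding.vmodl.fault.SecurityError: Principal vsphere-webclient-serviceID@vsphere.local does not have required privilege SystemConfiguration.Administrators
"""

def parse_health(xml_text):
    """Return (status, [messageKey, ...]) from a /vapiendpoint/health document."""
    root = ET.fromstring(xml_text)
    status = root.findtext("hs:status", default="UNKNOWN", namespaces=NS)
    keys = [m.get("messageKey") for m in root.findall("hs:message", NS)]
    return status.strip(), keys

def find_privilege_faults(log_text):
    """Return the set of (principal, privilege) pairs from SecurityError lines."""
    return {(m["principal"], m["privilege"]) for m in FAULT_RE.finditer(log_text)}

def matches_article(xml_text, log_text):
    """True only when both symptoms described in this article are present."""
    status, keys = parse_health(xml_text)
    faults = find_privilege_faults(log_text)
    missing_group = any(
        principal.startswith("vsphere-webclient")
        and privilege == "SystemConfiguration.Administrators"
        for principal, privilege in faults
    )
    return status == "YELLOW" and SCA_KEY in keys and missing_group

if __name__ == "__main__":
    print(parse_health(SAMPLE_HEALTH))
    print(find_privilege_faults(SAMPLE_LOG))
    print(matches_article(SAMPLE_HEALTH, SAMPLE_LOG))
```

If the health status is YELLOW for a different messageKey, or the SecurityError names a different principal or privilege, the resolution below does not apply as written.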



Environment

VMware vCenter Server 7.0.x

Cause

This issue is seen if the vsphere-webclient solution user is not included in the SystemConfiguration.Administrators group in vCenter. 

Resolution

Take a snapshot of the vCenter before proceeding with the next steps.

To resolve the issue, follow the steps below:

  • Get the machine ID of the vCenter Server:
    /usr/lib/vmware-vmafd/bin/vmafd-cli get-machine-id --server-name localhost
  • Delete the web-client solution user with the following command:
    /usr/lib/vmware-vmafd/bin/dir-cli service delete --name vsphere-webclient-<machine ID string from step 1> --login administrator@<sso domain>
  • Export the certificate for the new web-client solution user with this command:
    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vsphere-webclient --alias vsphere-webclient --output /etc/certs/vsphere-webclient/vsphere-webclient.crt
  • Create the new solution user with the correct group memberships with the following command:
    /usr/lib/vmware-vmafd/bin/dir-cli service create --name vsphere-webclient-<machine ID from step 1> --cert /etc/certs/vsphere-webclient/vsphere-webclient.crt --ssogroups ComponentManager.Administrators,SystemConfiguration.Administrators,LicenseService.Administrators --ssoadminrole Administrator --wstrustrole ActAsUser --login administrator@<sso domain>
  • Restart the vapi-endpoint service with the command:
    service-control --restart vapi-endpoint

Additional Information