Re-establishing Trust between Application Services and VMware vRealize Automation

Article ID: 339690

Products

VMware Aria Suite

Issue/Introduction

Symptoms:

If the VMware vRealize Automation appliance certificate is changed after deploying and configuring Application Services, you experience these symptoms:

  • You can no longer log in to Application Services with your Identity Store accounts, such as an AD account.
  • Deploying Application Services catalog items from vRealize Automation fails.
  • In the log file catalina.out, you see errors similar to:

    Oct 09 2015 17:28:02.051 ERROR [localhost-startStop-1] [:SYSTEM] com.vmware.darwin.csp.cafe.registration.CspEndpointInitializerImpl - Error while initializing csp endpoint. Reason: I/O error on GET request for "https://vra.mydomain.local/component-registry/endpoints/types/sso":java.security.cert.CertificateException: Untrusted certificate chain.; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.
    org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://vra.mydomain.local/component-registry/endpoints/types/sso":java.security.cert.CertificateException: Untrusted certificate chain.; nested exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Untrusted certificate chain.

Note: The preceding log excerpts are only examples. Date, time and environmental variables may vary depending on your environment.


Environment

VMware vRealize Automation 6.2.x
VMware vRealize Application Services 6.2.x
VMware vCloud Automation Center for Desktop 6.1.x
VMware vCloud Application Director 6.1.x
VMware vCloud Automation Center for Server 6.1.x

Cause

This issue occurs because the Application Services appliance is configured to trust a single certificate for vRealize Automation and does not automatically trust a newly deployed certificate.

Resolution

To resolve this issue, update the vRealize Automation registration:

  1. Back up your Application Services Appliance, Application Services database, vRealize Automation Appliance, and vRealize Automation postgres database.
  2. Log in to the Application Services CLI. For more information, see the Start the CLI Remotely section in the VMware vRealize Automation 6.2 Application Services Guide.
  3. To confirm that there is a registration you can update, run this command:

    list-vcac-info

  4. If a registration is listed, run this command:

    register-vcac-server --componentRegistryUrl vCACServerURL --ssoAdministratorUsername UserName --ssoAdministratorPassword Password --update

    where:

      • vCACServerURL is the URL of the vRealize Automation Server.
      • UserName is the Administrator Username.
      • Password is the password.

Note: For the registration to succeed, the registration URL must match the existing URL. Be sure to use the --update option. Omitting this option, or attempting to unregister and reregister your vRealize Automation appliance, may damage your installation.

If the issue persists even after performing the preceding procedure or if you do not have any registrations listed when running the list-vcac-info command, delete the existing certificates and restart:

  1. Back up your Application Services Appliance and the Application Services database.
  2. Log in to your Application Services Appliance through console or an SSH session using the darwin_user account.
  3. Stop the Application Services service:

    service vmware-darwin-tcserver stop

  4. Start the psql client:

    psql -U Darwin

  5. Run this SQL statement to retrieve a list of certificates currently in the store:

    select * from certificate_store;

  6. Locate the row that references a name similar to vRA_Appliance_FQDN-component_registry.trust. Usually, there should only be a single item.
  7. Note the number in the ID column for the row.
  8. Enter this SQL statement to verify the records associated with this item:

    select * from certificate_store_entry where certificate_store_id=id;

    where id is the ID noted in Step 7. Usually, a single entry is returned.

  9. Enter the following command to delete the entry reviewed in the previous step. Substitute id with the number recorded previously:

    delete from certificate_store_entry where certificate_store_id=id;

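  10. Enter this command to delete the certificate store row that the entry reviewed in step 8 belongs to. Substitute id with the number recorded previously; if the statement is run with the literal text id=id, the condition compares the column with itself and matches every row in certificate_store: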

    delete from certificate_store where id=id;

  11. Start the Application Services service:

    service vmware-darwin-tcserver start

  12. Check the catalina.out log file. You may see entries similar to:

    Oct 21 2015 19:24:52.664 INFO [localhost-startStop-1] [:SYSTEM] com.vmware.darwin.csp.cafe.registration.CspEndpointInitializerImpl - 2 of 4 importing component registry ssl certificate

    Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.

  13. After the services start, attempt to log in and confirm functionality.
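
A log check covering both the symptom and the confirmation in step 12, as an added example that is not VMware tooling. The function names and the sample log are constructed here, with log lines modelled on the excerpts in this article.

```shell
#!/bin/sh
# Added example: classify the vRA trust state recorded in catalina.out.
# Heuristic: the most recent CspEndpointInitializerImpl event wins.

# Prints: untrusted | reimported | unknown
trust_state() {
    awk '
        /CspEndpointInitializerImpl/ && /Untrusted certificate chain/ { state = "untrusted" }
        /CspEndpointInitializerImpl/ && /importing component registry ssl certificate/ { state = "reimported" }
        END { if (state == "") state = "unknown"; print state }
    ' "$1"
}

# Prints the distinct https://host values whose certificate chain was rejected.
untrusted_endpoints() {
    grep 'Untrusted certificate chain' "$1" |
        sed -n 's|.*GET request for "\(https://[^"/]*\).*|\1|p' | sort -u
}

# Constructed sample log. $1 = output path, $2 = "before" or "after" the fix.
make_sample_log() {
    cat > "$1" <<'EOF'
Oct 09 2015 17:28:02.051 ERROR [localhost-startStop-1] [:SYSTEM] com.vmware.darwin.csp.cafe.registration.CspEndpointInitializerImpl - Error while initializing csp endpoint. Reason: I/O error on GET request for "https://vra.mydomain.local/component-registry/endpoints/types/sso":java.security.cert.CertificateException: Untrusted certificate chain.
EOF
    if [ "$2" = "after" ]; then
        cat >> "$1" <<'EOF'
Oct 21 2015 19:24:52.664 INFO [localhost-startStop-1] [:SYSTEM] com.vmware.darwin.csp.cafe.registration.CspEndpointInitializerImpl - 2 of 4 importing component registry ssl certificate
EOF
    fi
}

# Demo on the constructed log; on an appliance, pass the real catalina.out path.
log=$(mktemp)
make_sample_log "$log" after
echo "state:    $(trust_state "$log")"
echo "endpoint: $(untrusted_endpoints "$log")"
rm -f "$log"
```

A result of untrusted after the service restart means the last recorded event is still the handshake failure, so the new certificate was not imported.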