2023-02-01T12:04:00.894Z INFO vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.identity.token.impl.X509TrustChainKeySelector - Failed to find trusted path to signing certificate <OU=VMware Engineering,O=VMware,L=Palo Alto,ST=California,C=US,CN=CA>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[?:?]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[?:?]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[?:?]
2023-02-01T12:04:00.897Z ERROR vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.identity.token.impl.SamlTokenImpl - Signature validation failed
javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:559) ~[java.xml.crypto:?]
2023-02-01T12:04:00.929Z ERROR vco [host='vco-app-989xxxxxx-xxxxx' thread='CustomThreadPool's Thread-1' user='' org='' trace=''] {} com.vmware.o11n.security.session.ManagedTokenRegistryImpl - Unable to convert token with id 8a74xxxx7c2axxxx017fxxxxxxxx15af
com.vmware.vcac.authentication.http.SamlAuthenticationException: Signature validation failed
at com.vmware.o11n.authentication.http.SamlTokenExtractor.extractToken(SamlTokenExtractor.java:164) ~[o11n-cafe-sdk-sso-8.9.1.jar:?]
The certificate validation that is failing is performed using the signing certificate used for the registration of the Orchestrator Service as a solution user in vCenter.
The issue occurs because the token stored for the scheduled task references the previous signing certificate.
To work around the issue, update the token stored for the scheduled task.
1. Log in to the vRealize Orchestrator client with a user other than the current executing user. If you log in with the same user, the token will not be updated.
2. Navigate to the scheduled workflow and select Edit -> Use Current User option to update the certificate stored against the token.
3. (Optional) Perform steps 1 and 2 again if you want the scheduled run to execute as the original user.
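To find which stored tokens need this update, the three-message sequence shown in the log excerpt above can be correlated per host and thread. The script below is an added example, not VMware code: the function and helper names are hypothetical, and the sample records are constructed (host name, token ids and the shortened certificate subject are placeholders).

```python
import re

# Header of a vco log record; the thread name may itself contain an apostrophe.
RECORD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z)\s+(?P<level>[A-Z]+)\s+vco\s+"
    r"\[host='(?P<host>[^']*)' thread='(?P<thread>.*?)' user='"
    r".*?\]\s+\{\}\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")
UNTRUSTED = re.compile(r"Failed to find trusted path to signing certificate <(?P<dn>.+)>")
TOKEN = re.compile(r"Unable to convert token with id (?P<id>\S+)")

def find_stale_tokens(lines):
    """Report tokens whose conversion failed directly after an untrusted-signer
    and signature-validation failure on the same host and thread."""
    pending, findings = {}, []   # pending: (host, thread) -> correlation state
    for line in lines:
        m = RECORD.match(line)
        if not m:                # exception or stack-trace line: no record header
            continue
        key, msg = (m["host"], m["thread"]), m["msg"]
        if (u := UNTRUSTED.search(msg)):
            pending[key] = {"dn": u["dn"], "sig_failed": False}
        elif msg.startswith("Signature validation failed") and key in pending:
            pending[key]["sig_failed"] = True
        elif (t := TOKEN.search(msg)):
            state = pending.pop(key, None)
            if state and state["sig_failed"]:   # ignore unrelated conversion errors
                findings.append({"time": m["ts"], "token_id": t["id"],
                                 "untrusted_signer": state["dn"]})
    return findings

def _rec(ts, level, thread, logger, msg):
    """Build a constructed sample record in the layout of the excerpt above."""
    return (f"{ts} {level} vco [host='vco-app-example' thread='{thread}' "
            f"user='' org='' trace=''] {{}} {logger} - {msg}")

T1, T2 = "CustomThreadPool's Thread-1", "CustomThreadPool's Thread-2"
SAMPLE = [  # constructed sample input, not real log data
    _rec("2023-02-01T12:04:00.894Z", "INFO", T1,
         "com.vmware.identity.token.impl.X509TrustChainKeySelector",
         "Failed to find trusted path to signing certificate <CN=CA>"),
    "sun.security.provider.certpath.SunCertPathBuilderException: unable to find "
    "valid certification path to requested target",
    _rec("2023-02-01T12:04:00.897Z", "ERROR", T1,
         "com.vmware.identity.token.impl.SamlTokenImpl", "Signature validation failed"),
    _rec("2023-02-01T12:04:00.929Z", "ERROR", T1,
         "com.vmware.o11n.security.session.ManagedTokenRegistryImpl",
         "Unable to convert token with id TOKEN-ID-A"),
    _rec("2023-02-01T12:05:10.100Z", "ERROR", T2,
         "com.vmware.o11n.security.session.ManagedTokenRegistryImpl",
         "Unable to convert token with id TOKEN-ID-B"),
]

if __name__ == "__main__":
    for finding in find_stale_tokens(SAMPLE):
        print(finding)
```

Each reported token id belongs to a scheduled task whose stored token was signed by a certificate the service no longer trusts; a conversion failure with no preceding trust-path error on the same thread is left out because it points to a different cause.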