/var/log/vmware/vmware-updatemgr/vum-server/vmware-vum-server.log:
error vmware-vum-server[18363] [Originator@6876 sub=EHP] Response from localhost/external-tp/http1/###.###.###.###/443/########################################/api/v1/node/services/install-upgrade: HTTP Status:403 'Forbidden'
error vmware-vum-server[18363] [Originator@6876 sub=EHP] Failed to call NSX-T /external-tp/http1/###.###.###.###/443/########################################/api/v1/node/services/install-upgrade
error vmware-vum-server[18363] [Originator@6876 sub=EHP] Caught exception while finding Nsxt Upgrade Coordinator: Failed to call NSX-T /external-tp/http1/192.168.200.92/443/775EFE6BEB018CF6A7C2FAA47B3870F8B2D74EC3/api/v1/node/services/install-upgrade
/var/log/proxy/reverse-proxy.log:
INFO grpc-default-executor-219 AuthService 5890 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] check
INFO grpc-default-executor-219 HttpClientUtil 5890 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Making request to http://###.###.###.###:6565/api/v1/node/services/install-upgrade
ERROR Processing request ########-####-####-####-############ VcAuthTokenInterceptingFilter 5890 - [nsx@6876 comp="nsx-manager" errorCode="MP403" level="ERROR" subcomp="http"] Unable to find the issuer https://<vCenter Server FQDN>/openidconnect/vSphere.LOCAL in the OIDC Endpoint TrustStore
INFO Processing request ########-####-####-####-############ OidcEndPointTrustStoreInMemory 5890 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] ===== OidcEndPointTrustStore contents =====
INFO Processing request ########-####-####-####-############ OidcEndPointTrustStoreInMemory 5890 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Issuer https://<vCenter Server FQDN>/openidconnect/vsphere.local, uri https://<vCenter Server FQDN>/openidconnect/vsphere.local/.well-known/openid-configuration and thumbprint ################################################################
INFO Processing request ########-####-####-####-############ BaseProxyDelegate 5890 - [nsx@6876 comp="nsx-manager" level="INFO" subcomp="http"] Processing request to /api/v1/node/services/install-upgrade with /api/v1/node -> ###.###.###.###:7441:/api/v1/node
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
VMware NSX-T Data Center
VMware NSX
vCenter generates JWT tokens whose issuer value differs from the issuer that NSX discovered for vCenter. In the example below the two values differ only in letter case, and OIDC issuer matching is an exact string comparison, so NSX does not find the token's issuer in its OIDC Endpoint TrustStore and rejects the request with HTTP 403.
Example:
Issuer discovered by NSX (in the OIDC Endpoint TrustStore): https://<vCenter Server FQDN>/openidconnect/vsphere.local
Issuer carried in the vCenter-generated token: https://<vCenter Server FQDN>/openidconnect/vSphere.LOCAL
GET /api/v1/trust-management/oidc-uris
{
  "results" : [ ]
}
{
  "results": [
    {
      "oidc_uri": "https://<vCenter Server FQDN>/openidconnect/vsphere.local/.well-known/openid-configuration",
      "thumbprint": "<thumbprint>",
      "oidc_type": "vcenter",
      "scim_endpoints": [],
      "claim_map": [],
      "serviced_domains": [],
      "restrict_scim_search": false,
      "end_session_endpoint_uri": "https://<vCenter Server FQDN>/openidconnect/logout/vsphere.local",
      "issuer": "https://<vCenter Server FQDN>/openidconnect/vsphere.local",
      "jwks_uri": "https://<vCenter Server FQDN>/openidconnect/jwks/vsphere.local",
      "token_endpoint": "https://<vCenter Server FQDN>/openidconnect/token/vsphere.local",
      "claims_supported": [],
      "override_roles": [],
      "csp_config": {
        "customer_org_id": "",
        "additional_org_ids": []
      },
      "resource_type": "OidcEndPoint",
      "id": "<OidcEndpoint-UUID>",
      "display_name": "<OidcEndpoint-UUID>",
      "_system_owned": false,
      "_protection": "NOT_PROTECTED",
      "_create_time": 1726784829169,
      "_create_user": "<user>",
      "_last_modified_time": 1726784829169,
      "_last_modified_user": "<user>",
      "_revision": 0
    }
  ]
}
GET /api/v1/trust-management/oidc-uris
{
  "results": [
    {
      "oidc_uri": "https://<vCenter Server FQDN>/openidconnect/vsphere.local/.well-known/openid-configuration",
      "thumbprint": "<SSL Thumbprint>",
      "oidc_type": "vcenter",
      "scim_endpoints": [],
      "claim_map": [],
      "serviced_domains": [],
      "restrict_scim_search": false,
      "end_session_endpoint_uri": "https://<vCenter Server FQDN>/openidconnect/logout/vsphere.local",
      "issuer": "https://<vCenter Server FQDN>/openidconnect/vsphere.local",
      "jwks_uri": "https://<vCenter Server FQDN>/openidconnect/jwks/vsphere.local",
      "token_endpoint": "https://<vCenter Server FQDN>/openidconnect/token/vsphere.local",
      "claims_supported": [],
      "override_roles": [],
      "resource_type": "OidcEndPoint",
      "id": "<SAVE THIS OIDC-URI-ID>",
      "display_name": "<SAVE THIS OIDC-URI-ID>",
      "_create_time": 1675162497329,
      "_create_user": "<user>",
      "_last_modified_time": 1675162497329,
      "_last_modified_user": "<user>",
      "_system_owned": false,
      "_protection": "NOT_PROTECTED",
      "_revision": 0
    }
  ]
}
"Unable to find the issuer" value from the NSX-T log seen in the issue description section (https://<vCenter Server FQDN>/openidconnect/vSphere.LOCAL).
DELETE /api/v1/trust-management/oidc-uris/<OIDC-URI-ID>
POST /api/v1/trust-management/oidc-uris/
{
  "oidc_uri": "https://<vCenter Server FQDN>/openidconnect/vSphere.LOCAL/.well-known/openid-configuration",   <== value collected in Step 3
  "thumbprint": "<thumbprint>",
  "oidc_type": "vcenter",
  "scim_endpoints": [],
  "claim_map": [],
  "serviced_domains": [],
  "restrict_scim_search": false,
  "end_session_endpoint_uri": "https://<vCenter Server FQDN>/openidconnect/logout/vsphere.local",
  "issuer": "https://<vCenter Server FQDN>/openidconnect/vsphere.local",
  "jwks_uri": "https://<vCenter Server FQDN>/openidconnect/jwks/vsphere.local",
  "token_endpoint": "https://<vCenter Server FQDN>/openidconnect/token/vsphere.local",
  "claims_supported": [],
  "override_roles": [],
  "resource_type": "OidcEndPoint",
  "id": "<OIDC-URI-ID from Step 1>",
  "display_name": "<OIDC-URI-ID from Step 1>"
}
Note: Updating the compute manager overrides these OIDC changes, so the same workaround has to be applied again after the compute manager is updated.
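The check below is an added example, not code from this KB or from NSX: it pulls the rejected issuer out of MP403 lines in reverse-proxy.log, compares it with the issuers in a GET /api/v1/trust-management/oidc-uris response, and reports whether the difference is case-only (the situation this article describes), which also yields the oidc_uri value to use in the re-create step. The log line, the FQDN vc.example.local and the endpoint id are constructed sample values.

```python
import json
import re

# Constructed sample of the reverse-proxy.log MP403 line from this KB, joined onto
# one line; vc.example.local is a hypothetical vCenter FQDN.
SAMPLE_LOG = (
    'ERROR Processing request 11111111-2222-3333-4444-555555555555 '
    'VcAuthTokenInterceptingFilter 5890 - [nsx@6876 comp="nsx-manager" errorCode="MP403" '
    'level="ERROR" subcomp="http"] Unable to find the issuer '
    'https://vc.example.local/openidconnect/vSphere.LOCAL in the OIDC Endpoint TrustStore'
)

# Constructed, trimmed response of GET /api/v1/trust-management/oidc-uris (hypothetical id).
SAMPLE_OIDC_URIS = json.dumps({"results": [{
    "id": "00000000-0000-0000-0000-000000000000",
    "oidc_uri": "https://vc.example.local/openidconnect/vsphere.local/.well-known/openid-configuration",
    "issuer": "https://vc.example.local/openidconnect/vsphere.local",
    "oidc_type": "vcenter",
}]})

ISSUER_RE = re.compile(
    r'errorCode="MP403".*?Unable to find the issuer (\S+) in the OIDC Endpoint TrustStore')


def rejected_issuers(log_text):
    """Issuer values NSX rejected (MP403 lines), de-duplicated in order of first appearance."""
    seen = []
    for line in log_text.splitlines():
        m = ISSUER_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def classify(issuer, oidc_uris_json):
    """Compare a rejected issuer with the trust store: OIDC issuer matching is an exact
    string comparison, so an entry differing only in case is still rejected."""
    entries = json.loads(oidc_uris_json)["results"]
    for e in entries:
        if e.get("issuer") == issuer:
            return ("exact", e["id"])
    for e in entries:
        if e.get("issuer", "").lower() == issuer.lower():
            return ("case_mismatch", e["id"])
    return ("unknown", None)


def corrected_oidc_uri(issuer):
    """Discovery URL built from the issuer casing the token carries (the oidc_uri for the POST)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"
```

A "case_mismatch" result together with the returned id tells you which OIDC endpoint to delete and re-create; "unknown" means the token comes from an issuer NSX has never discovered, which is a different problem from the one covered here.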
If you believe you have encountered this issue and are unable to implement a workaround, please open a support case with Broadcom Support and refer to this KB article.
For more information, see Creating and managing Broadcom support cases.
Provide:
Handling Log Bundles for offline review with Broadcom support.