VPXD.CFG file is not updating solution user with the new SSO domain name

Article ID: 367699

Products

VMware vCenter Server

Issue/Introduction

During an SSO repoint, the solution user configuration in /etc/vmware-vpx/vpxd.cfg is not updated with the new SSO domain name as expected.

Additionally:

  • When attempting to upgrade vCenter, the process fails at the upgrade precheck stage and cannot continue past this point.
  • In the vpxd log you may see:

2024-07-30T09:38:29.833Z error vpxd[48776] [Originator@6876 sub=MoExtensionMgr opID=7d12209f] Extension with key com.vmware.migrate-connector.127.0.0.1 not found
2024-07-30T09:38:29.845Z info vpxd[48776] [Originator@6876 sub=MoExtensionMgr opID=7d12209f] Registering unrestricted extension with extensionKey = com.vmware.migrate-connector.127.0.0.1 by user: VSPHERE.ENGGSANDBOX1\vpxd-extension-d739f36b-8ec3-4508-89cc-ed4187c2be60
2024-07-30T09:38:30.165Z warning vpxd[48776] [Originator@6876 sub=vmomi.soapStub[0] opID=7d12209f] SOAP request returned HTTP failure; <SSL(<io_obj p:0x00007f934c2fdd78, h:39, <TCP '127.0.0.1 : 53084'>, <TCP '127.0.0.1 : 443'>>), /lookupservice/sdk>, method: create; code: 500(Internal Server Error)
2024-07-30T09:38:30.166Z warning vpxd[48776] [Originator@6876 sub=LSClient opID=7d12209f] Service registration stub privilege error during lookup service RPC: N5Vmomi5Fault13SecurityError9ExceptionE(Fault cause: vmodl.fault.SecurityError
--> )
--> [context]zKq7AVECAQAAAG0mVQEbdnB4ZAAA9tg3bGlidm1hY29yZS5zbwAAjXgsAAtsLQAT6TIBnZcYbGlidm1vbWkuc28AAUtyDAF+GhUBbiQVAX66FAGpuhABqLUQAiSPAmxpYmxvb2t1cC10eXBlcy5zbwADhOmDdnB4ZAADKO6DA3QcgIRxUgUBbGlidmltLXR5cG
VzLnNvAIPuyGEBg+nLYAGDKs1gAYNY3GABg7sJYAGDhrNgAQCnSSMANZ8jALRkNwWHfwBsaWJwdGhyZWFkLnNvLjAABi82D2xpYmMuc28uNgA=[/context]
2024-07-30T09:38:30.171Z info vpxd[48776] [Originator@6876 sub=LSClient opID=7d12209f] Refreshing lookup service token
2024-07-30T09:38:30.271Z info vpxd[48776] [Originator@6876 sub=SsoClient opID=7d12209f] Successfully acquired token: SamlToken [subject={Name: vpxd-d739f36b-8ec3-4508-89cc-ed4187c2be60; Domain:vsphere.enggsandbox1}, groups=[{Name: Users; Domain:vsphere.enggsandbox1}, {Name: SolutionUsers; Domain:vsphere.enggsandbox1}, {Name: SystemConfiguration.Administrators; Domain:vsphere.enggsandbox1}, {Name: ComponentManager.Administrators; Domain:vsphere.enggsandbox1}, {Name: LicenseService.Administrators; Domain:vsphere.enggsandbox1}, {Name: ActAsUsers; Domain:vsphere.enggsandbox1}, {Name: Everyone; Domain:vsphere.enggsandbox1}], delegationChain=[], startTime=2024-07-30 09:38:30.171, expirationTime=2024-07-30 17:38:30.171, renewable=false, delegable=false, isSolution=true,confirmationType=1]
2024-07-30T09:38:30.486Z warning vpxd[48776] [Originator@6876 sub=vmomi.soapStub[0] opID=7d12209f] SOAP request returned HTTP failure; <SSL(<io_obj p:0x00007f9318847228, h:39, <TCP '127.0.0.1 : 34014'>, <TCP '127.0.0.1 : 443'>>), /lookupservice/sdk>, method: create; code: 500(Internal Server Error)
2024-07-30T09:38:30.486Z warning vpxd[48776] [Originator@6876 sub=Vmomi opID=7d12209f] VMOMI activation LRO failed; <<529b827a-9d9c-ed92-924d-19f54ab22a45, <TCP '127.0.0.1 : 8085'>, <TCP '127.0.0.1 : 43718'>>, ExtensionManager, vim.ExtensionManager.registerExtension>, N5Vmomi5Fault13SecurityError9ExceptionE(Fault cause: vmodl.fault.SecurityError
--> )
--> [context]zKq7AVECAQAAAG0mVQEbdnB4ZAAA9tg3bGlidm1hY29yZS5zbwAAjXgsAAtsLQAT6TIBnZcYbGlidm1vbWkuc28AAUtyDAF+GhUBbiQVAX66FAGpuhABqLUQAiSPAmxpYmxvb2t1cC10eXBlcy5zbwADOeyDdnB4ZAADKO6DA3QcgIRxUgUBbGlidmltLXR5cG
VzLnNvAIPuyGEBg+nLYAGDKs1gAYNY3GABg7sJYAGDhrNgAQCnSSMANZ8jALRkNwWHfwBsaWJwdGhyZWFkLnNvLjAABi82D2xpYmMuc28uNgA=[/context]

 

Environment

  • vCenter Server Appliance 6.7.x
  • vCenter Server Appliance 7.0.x
  • vCenter Server Appliance 8.0.x

Cause

Root cause: during the repoint process, the solution user name in vpxd.cfg is never updated with the new SSO domain name as part of the repoint workflow.

Resolution

This is fixed as part of the upcoming 8.0U3 release.
 
Workaround: 
 
The solutionUser section within the vpxd.cfg file must be updated manually, and services must be restarted.
 
1. SSH to the VCSA using root credentials
 
2. Back up the vpxd.cfg file:
cp /etc/vmware-vpx/vpxd.cfg /storage/core/vpxd.cfg.bck
 
3. Edit the vpxd.cfg file using vi
vi /etc/vmware-vpx/vpxd.cfg
 
4. Edit the SSO domain within the "solutionUser" > "name" section accordingly:
 
Example: 
      <groupcheck>
        <uri>https://VC_FQDN/sso-adminserver/sdk/vsphere-farm.local</uri>
      </groupcheck>
      <solutionUser>
        <certificate>/etc/vmware-vpx/ssl/vcsoluser.crt</certificate>
        <name>vpxd-587dca5f-2804-4400-bac8-d25432614a1b@vsphere.local</name>     <--- Change vsphere.local accordingly
        <privateKey>/etc/vmware-vpx/ssl/vcsoluser.key</privateKey>
      </solutionUser>
      <sts>
        <uri>https://VC_FQDN/sts/STSService/vsphere-farm.local</uri>
 
After fixing:
 
      <groupcheck>
        <uri>https://VC_FQDN/sso-adminserver/sdk/vsphere-farm.local</uri>
      </groupcheck>
      <solutionUser>
        <certificate>/etc/vmware-vpx/ssl/vcsoluser.crt</certificate>
        <name>vpxd-587dca5f-2804-4400-bac8-d25432614a1b@vsphere-farm.local</name>     <--- Fixed 
        <privateKey>/etc/vmware-vpx/ssl/vcsoluser.key</privateKey>
      </solutionUser>
      <sts>
        <uri>https://VC_FQDN/sts/STSService/vsphere-farm.local</uri>
 
In the example above, we changed the SSO domain name from "vsphere.local" to "vsphere-farm.local" for the vpxd solution user.
 
5. Save the file and restart all services for the local vCenter Server:
service-control --stop --all && service-control --start --all
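
The check and edit from steps 2 to 4, scripted so that the backup is taken first and only the <name> inside <solutionUser> is changed. This is an added example, not VMware or Broadcom code; the function names, the <sample> and <decoy> elements and the sample file are constructed for illustration.

```shell
# Added example (not VMware code): check and repair the solution user's SSO domain.
# Function names and the sample file are constructed for illustration.

# Print the domain part of <name>user@domain</name> inside <solutionUser>.
solution_user_domain() {
    sed -n '/<solutionUser>/,/<\/solutionUser>/ s|.*<name>[^@<]*@\([^<]*\)</name>.*|\1|p' "$1"
}

# Succeeds only if the solution user is already in the expected SSO domain.
domain_matches() {   # usage: domain_matches FILE EXPECTED_DOMAIN
    [ "$(solution_user_domain "$1")" = "$2" ]
}

# Copy FILE to BACKUP, then rewrite only the domain inside <solutionUser>.
fix_solution_user_domain() {   # usage: ... FILE NEW_DOMAIN BACKUP
    case "$2" in
        ''|*[!A-Za-z0-9.-]*) echo "refusing unsafe domain: $2" >&2; return 2 ;;
    esac
    cp -p "$1" "$3" || return 3
    sed '/<solutionUser>/,/<\/solutionUser>/ s|\(<name>[^@<]*@\)[^<]*\(</name>\)|\1'"$2"'\2|' \
        "$3" > "$1.new" || return 3
    # Replace the live file only if the rewrite produced the expected name.
    if domain_matches "$1.new" "$2"; then
        cat "$1.new" > "$1" && rm -f "$1.new"   # cat keeps owner and mode of FILE
    else
        rm -f "$1.new"; return 4
    fi
}

# Constructed sample modelled on the excerpt above; <sample> and <decoy> are
# placeholders, not real vpxd.cfg elements.
make_sample_cfg() {
    cat > "$1" <<'EOF'
<sample>
  <decoy><name>decoy@vsphere.local</name></decoy>
  <solutionUser>
    <certificate>/etc/vmware-vpx/ssl/vcsoluser.crt</certificate>
    <name>vpxd-587dca5f-2804-4400-bac8-d25432614a1b@vsphere.local</name>
    <privateKey>/etc/vmware-vpx/ssl/vcsoluser.key</privateKey>
  </solutionUser>
</sample>
EOF
}

# Demo on a temporary copy; nothing under /etc is touched.
tmp=$(mktemp -d) && make_sample_cfg "$tmp/vpxd.cfg"
fix_solution_user_domain "$tmp/vpxd.cfg" vsphere-farm.local "$tmp/vpxd.cfg.bck"
solution_user_domain "$tmp/vpxd.cfg"
rm -rf "$tmp"
```

On the appliance the same function would be called with /etc/vmware-vpx/vpxd.cfg, the new SSO domain and /storage/core/vpxd.cfg.bck, followed by the service restart in step 5.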