NSX-T fails to communicate with vIDM via Load balancer with "Error requesting Access Token" "handshake_failure"
Article ID: 368710

Products

VMware NSX

Issue/Introduction

  • Seen with NSX-T version 4.1.x.
  • NSX-T is registered successfully with vIDM.
  • Adding a vIDM user role via vIDM times out (System > User Management > User Role Assignments).
  • Messages similar to the following may be seen on the NSX Manager in /var/log/proton/nsxapi.log:

2023-xx-xx INFO http-nio-127.0.0.1-7440-exec-182 VidmServiceImpl 82634 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" reqId="8f7a12b8-a879-4822-89e8-cd84ddb56ecd" subcomp="manager" username="admin"] Error connecting to vidm
org.springframework.security.oauth2.client.resource.OAuth2AccessDeniedException: Error requesting access token.
Caused by: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://vidm-server.local/SAAS/auth/oauthtoken": Received fatal alert: handshake_failure; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
2023-xx-xx  INFO http-nio-127.0.0.1-7440-exec-182 NsxBaseRestController 82634 SYSTEM [nsx@6876 comp="nsx-manager" level="INFO" subcomp="manager"] Error in API /nsxapi/api/v1/aaa/vidm/search?search_string=Windows_Group caused by exception com.vmware.nsx.management.common.exceptions.InvalidArgumentException: {"moduleName":"AAA","errorCode":71008,"errorMessage":"Error connecting to VMware Identity Manager."}
2023-xx-xx  INFO http-nio-127.0.0.1-7440-exec-182 NsxBaseRestController 82634 SYSTEM [nsx@6876 audit="true" comp="nsx-manager" level="INFO" subcomp="manager"] UserName:'admin' ModuleName:'AAA' Operation:'POST@/api/v1/aaa/vidm/search' Operation status: 'failure' Error: Error connecting to VMware Identity Manager.

Environment

VMware NSX

Cause

In VMware NSX version 4.1.x, only the following cipher suites are supported for NSX Manager outbound connections. A load balancer in front of vIDM that does not accept either of them cannot complete the TLS handshake, which is the "handshake_failure" alert seen in the log above.

RSA cipher:   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
ECDSA cipher: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"

Resolution

Ensure the destination load balancer supports the following cipher suites on the virtual server that fronts vIDM:

RSA cipher:   "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
ECDSA cipher: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
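To confirm the mismatch before changing the load balancer, the handshake can be reproduced from any host with a client that offers only the two suites above. The following is an added example, not VMware/Broadcom code; it approximates the NSX Manager offer with a TLS 1.2 handshake, and the hostname "vidm-server.local" is the placeholder from the log line.

```python
"""Reproduce the NSX Manager 4.1.x outbound TLS offer against a load balancer.
Added example, not VMware/Broadcom code: it pins TLS 1.2 and offers only the
two suites named in this article, so an LB "handshake_failure" can be confirmed
from any host before the SSL profile is changed. Hostname is a placeholder."""
import socket
import ssl

# IANA suite names from the article -> OpenSSL names used by set_ciphers().
NSX_OUTBOUND_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
}

def nsx_like_context():
    """Client context offering only the NSX suites, pinned to TLS 1.2 so that
    TLS 1.3 suites (added by OpenSSL regardless of set_ciphers) cannot mask a
    TLS 1.2 cipher mismatch. Certificate validation stays on."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(NSX_OUTBOUND_SUITES.values()))
    return ctx

def offered_suites(ctx):
    """OpenSSL names of the suites this context will put in its ClientHello."""
    return {c["name"] for c in ctx.get_ciphers()}

def classify(exc):
    """Turn a handshake outcome into a short verdict for the operator."""
    if exc is None:
        return "ok"
    text = str(exc).lower()
    if "handshake_failure" in text or "handshake failure" in text:
        return "cipher-or-protocol-mismatch"  # the alert quoted in nsxapi.log
    if "certificate" in text:
        return "certificate-problem"  # trust issue, not a cipher issue
    return "other-error"

def probe(host, port=443, timeout=5.0):
    """One handshake attempt; returns (verdict, negotiated suite or None).
    Usage: probe("vidm-server.local") against the vIDM virtual server."""
    ctx = nsx_like_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(None), tls.cipher()[0]
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        return classify(exc), None
```

A verdict of "cipher-or-protocol-mismatch" against the vIDM virtual server, while a browser connects fine, points at the load balancer's SSL profile rather than at vIDM itself.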

For example, if using the VMware NSX native load balancer, the following steps can be applied:

  1. From the Networking tab, select Load Balancing, then select Virtual Servers.
  2. Edit the virtual server used for vIDM (the one on port 443).
  3. Click the "Configure" link for SSL Configuration.
  4. Change the "Client SSL Profile" to "Default-high-security-client-ssl-profile".
  5. Change the "Server SSL Profile" to "Default-high-security-server-ssl-profile".
  6. Click Save, then Save again on the Virtual Server screen.
  7. Refresh until the status shows Success, then verify that vIDM connects.