Unable to register vCenter SSO with HCX

Article ID: 369288
Products

VMware HCX

Issue/Introduction

  • On the HCX admin page (port 9443), under Configuration -> SSO, the SSO registration fails with the following error:
    "Lookup service is not reachable at https://<FQDN-or-ip>. Please enter a valid SSO url - https://<domain|ip>"

  • vCenter registration is unaffected on the HCX admin 9443 page.
  • The following error is logged in the HCX Manager at /common/logs/appliance-management/appliance-management.log : "Cannot load STS signer certificate."
    <timestamps> UTC [https-jsse-nio-9443-exec-7, , ] ERROR c.v.h.a.c.LookupServiceConfigValidator- Cannot load STS signer certificate from https://<FQDN-or-ip>:7444/sso-adminserver/sdk/vsphere.local
    <timestamps> UTC [https-jsse-nio-9443-exec-7, , ] WARN  c.v.h.a.c.LookupServiceConfigValidator- Cannot access lookup service at https://<FQDN-or-ip>:443/lookupservice/sdk
    java.lang.Exception: Cannot load STS signer certificate from https://<FQDN-or-ip>:7444/sso-adminserver/sdk/vsphere.local
  • When accessing the HCX plugin from vCenter, the vSphere Client shows the following error:

    Http failure response for https://<FQDN-or-IP>/plugins/com.vmware.hcx.plugin~4.#.#.#####~-####/#.#.#.#-443/vsphere-client/ui/hcx/hcx-ui/rest/hybridity/api/sessions: 401 OK

  • You may find the following error in /common/logs/appliance-management/appliance-management.log if the issue is related to DNS resolution. For more information, please see "Cause 1" and "Resolution 1":
    <timestamps> UTC [https-jsse-nio-9443-exec-3, , ] ERROR c.v.v.hybridity.LookupServiceAdapter- Error querying SSO server configuration: {"status":"FAILURE","failure":"UnknownHostException","details":"java.net.UnknownHostException: <FQDN-or-ip>: Temporary failure in name resolution\

Environment

VMware HCX
VMware vCenter Server

Cause

  1. A failure in name resolution of the vCenter FQDN can cause the vCenter SSO registration to fail.
  2. The issue may be related to the vCenter SSO Security Token Service (STS). It typically occurs due to an SSL trust mismatch or a stale legacy endpoint on the vCenter Server side.

Resolution

  1. Make sure that the HCX server is able to resolve the vCenter FQDN and IP. The command "nslookup" is a useful tool for investigating name resolution issues.
    If the vCenter FQDN contains a ".local" domain in its name, refer to the article DNS resolution in HCX Manager will fail when .local domain is used in FQDN

  2. If no issues related to DNS resolution were identified, the issue may be related to an SSL trust mismatch in vCenter. In that case, use the lsdoctor script, described in Using 'lsdoctor' Tool

    Note:
    If you cannot connect to vCenter with WinSCP in order to upload lsdoctor-#####.zip, you may need to temporarily change the root user's shell via SSH (for example, with PuTTY).
    Refer to the solution section of Collecting diagnostic information for VMware vCenter Server 7.x and 8.x

    • chsh -s /bin/bash root   >> Changing the vCenter root shell to bash
    • Connect to vCenter as root with WinSCP and upload lsdoctor
    • chsh -s /bin/appliancesh root   >>  Revert the shell back to vCenter default

  3. Ensure you take backups and snapshots of vCenter before running the lsdoctor.py tool. An offline snapshot is a MUST when using the lsdoctor.py tool.
    For more information on vCenter snapshots, visit VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice
    • python lsdoctor.py -l   >>  to check for an SSL trust mismatch and stale configurations in a vCenter upgraded from 5.x.
    • python lsdoctor.py -t   >>  to fix SSL trust issues

      Note: If you find stale legacy endpoints after running python lsdoctor.py -l, run python lsdoctor.py -s to clean up any stale configurations left over from a vCenter system upgraded from 5.x.

  4. After lsdoctor has made changes, restart the vCenter services. Refer to Stopping, Starting or Restarting VMware vCenter Server Appliance services
    • service-control --stop --all && service-control --start --all

  5. Register SSO again with HCX via the Admin 9443 page.

    Note: If you believe you are experiencing this issue and the steps outlined above did not resolve it, please open a support case with Broadcom Support and refer to this KB article.
    For more information, see Creating and managing Broadcom support cases.
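As an added example (not code from this article or from VMware), a small POSIX shell triage script that reads the appliance-management.log patterns quoted in the Issue section, maps them to Cause 1 or Cause 2 above, and performs the name-resolution pre-check for Resolution step 1; the sample hostname, timestamps and temporary log path are constructed placeholders.

```shell
#!/bin/sh
# Triage helper added for this article (not VMware's own code): classifies the
# appliance-management.log errors quoted above into the KB's two causes.
# The hostname and timestamps below are constructed placeholders.

# Prints "dns" (Cause 1), "sts" (Cause 2) or "none"; always exits 0.
classify_hcx_sso_log() {
    log="$1"
    # Check Cause 1 first: a name-resolution failure also breaks the STS
    # lookup, so the UnknownHostException line decides before the STS line.
    if grep -q 'UnknownHostException' "$log"; then
        echo dns
    elif grep -q 'Cannot load STS signer certificate' "$log"; then
        echo sts
    else
        echo none
    fi
}

# Resolution step 1 pre-check, run from the HCX Manager shell: the vCenter
# FQDN must resolve, and a ".local" suffix is the case the linked KB covers.
check_vcenter_fqdn() {
    fqdn="$1"
    case "$fqdn" in
        *.local) echo "WARN: $fqdn uses a .local domain; see the linked .local DNS article" ;;
    esac
    if ! getent hosts "$fqdn" >/dev/null 2>&1; then
        echo "FAIL: $fqdn does not resolve from this host"
        return 1
    fi
    echo "OK: $fqdn resolves"
}

# Constructed sample modelled on the log excerpts above (Cause 2 pattern).
SAMPLE_LOG="${TMPDIR:-/tmp}/hcx-sample-$$.log"
cat >"$SAMPLE_LOG" <<'EOF'
2024-01-01 00:00:00 UTC [https-jsse-nio-9443-exec-7, , ] ERROR c.v.h.a.c.LookupServiceConfigValidator- Cannot load STS signer certificate from https://vc.example.test:7444/sso-adminserver/sdk/vsphere.local
2024-01-01 00:00:00 UTC [https-jsse-nio-9443-exec-7, , ] WARN  c.v.h.a.c.LookupServiceConfigValidator- Cannot access lookup service at https://vc.example.test:443/lookupservice/sdk
EOF

case "$(classify_hcx_sso_log "$SAMPLE_LOG")" in
    dns) echo "Follow Resolution step 1: fix name resolution of the vCenter FQDN" ;;
    sts) echo "Follow Resolution step 2: run lsdoctor on vCenter (offline snapshot first)" ;;
    *)   echo "Neither pattern found; collect the full log for a support case" ;;
esac
```

Run it on the real /common/logs/appliance-management/appliance-management.log by passing that path to classify_hcx_sso_log, and pass the vCenter FQDN to check_vcenter_fqdn before re-registering SSO.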

Additional Information

Please get in touch with the vCenter Support Team for any queries or issues on the lsdoctor tool.

Useful links: