Admin UI inaccessible or HTTP server failing to start after changes to Apache configuration

Article ID: 379543


Products

VMware Aria Suite

Issue/Introduction

You may observe the following symptoms after modifying /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf as per the Secure Configuration Guide, or after changing the Apache configuration as instructed by your security team:

  • The Admin and product UIs are not accessible
  • Upgrade fails with no UI

 

The logs report the following messages:

  • /storage/log/vcops/log/analytics-<UUID>.log
    2024-10-06T17:30:47,839+0000 ERROR [Analytics Main Thread]  com.vmware.vcops.analytics.cluster.ClusterCoordinatorImpl.retrieveClusterInfoFromCaSA - Failed to get cluster config:
    javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
            at sun.security.ssl.Alert.createSSLException(Unknown Source) ~[?:?]
            at sun.security.ssl.Alert.createSSLException(Unknown Source) ~[?:?]
            at sun.security.ssl.TransportContext.fatal(Unknown Source) ~[?:?]
    ...


  • /storage/log/vcops/log/analytics-wrapper.log
    2024/10/06 17:30:47 | INFO   | jvm 1    | WARNING: An illegal reflective access operation has occurred
    2024/10/06 17:30:47 | INFO   | jvm 1    | WARNING: Illegal reflective access by com.vmware.vcops.casarest.client.HttpRequesterURLConnectionImpl (file:/usr/lib/vmware-vcops/common/lib/casa-rest-client-1.0-SNAPSHOT.jar) to field java.lang.reflect.Field.modifiers
    2024/10/06 17:30:47 | INFO   | jvm 1    | WARNING: Please consider reporting this to the maintainers of com.vmware.vcops.casarest.client.HttpRequesterURLConnectionImpl
    2024/10/06 17:30:47 | INFO   | jvm 1    | WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
    2024/10/06 17:30:47 | INFO   | jvm 1    | WARNING: All illegal access operations will be denied in a future release
    2024/10/06 17:30:47 | INFO   | jvm 1    | >>> AnalyticsMain.run failed with error: IllegalStateException: Failed to get cluster config:


  • /storage/log/vcops/log/casa/admin-ui.log
    2024-10-06T17:30:21,525+0000  WARN [pool-9-thread-1] [Vr000006] casa.suiteapi.SuiteApiTokenService:266 - Failed to get auth token, Request Id null: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://localhost/suite-api/api/auth/token/acquire": Received fatal alert: protocol_version; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
    2024-10-06T17:30:21,525+0000 ERROR [pool-9-thread-1] [Vr000006] casa.suiteapi.SuiteApiInternalService:452 - Exception calling suite API GET collectorgroups/archaenabled/secrets; Request Id null: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://localhost/suite-api/internal/collectorgroups/archaenabled/secrets": Received fatal alert: protocol_version; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
    2024-10-06T17:30:21,525+0000  INFO [pool-9-thread-1] [Vr000006] casa.suiteapi.SuiteApiTokenService:307 - Clearing token
    2024-10-06T17:30:21,526+0000 ERROR [pool-9-thread-1] [Vr000006] proxy.collectorgroup.ARCCollectorGroupHACasaService:92 - Error Calling suite-api
    com.vmware.vcops.casa.exception.CasaSuiteApiException: Error Calling suite-api
            at com.vmware.vcops.casa.suiteapi.SuiteApiInternalService.doSuiteApiCallWithResponse(SuiteApiInternalService.java:454) ~[classes/:?]
    ...
            at java.lang.Thread.run(Unknown Source) ~[?:?]
    Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://localhost/suite-api/internal/collectorgroups/archaenabled/secrets": Received fatal alert: protocol_version; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version


  • /storage/log/vcops/log/casa/casa.log

    2024-10-06T17:29:18,711+0000 ERROR [pool-2-thread-1] com.vmware.vcops.util.admin.CaSAClientRequester:95 - CasaClientRequester IOException Received fatal alert: protocol_version
    javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version
            at sun.security.ssl.Alert.createSSLException(Unknown Source) ~[?:?]
            at sun.security.ssl.Alert.createSSLException(Unknown Source) ~[?:?]
            at sun.security.ssl.TransportContext.fatal(Unknown Source) ~[?:?]
    ...

Environment

Aria Operations 8.x
vRealize Operations 8.x

Cause

Incorrect changes to SSLProtocol in /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf will lead to problems starting and connecting to the HTTP server.

Example line from vcops-apache.conf:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Note: Different versions may have different values. The line above was taken from 8.16.

For example, the -SSLv2 entry disables SSLv2, and the -TLSv1.1 entry disables TLSv1.1. Effectively, the line instructs the Apache server to enable All, and then disable every protocol prefixed with the minus (-) character. In the above example, SSLv2, SSLv3, TLSv1, and TLSv1.1 are disabled. Older protocols are not included with the Apache configuration, and cannot be disabled, as they are not present.

Resolution

Please ensure that you take snapshots before following the procedure below.

To verify the configuration, ensure that all analytics nodes (Primary, Replica, Data) have the same value for the line starting with SSLProtocol. Use the command below on all analytics nodes to ensure that the configuration is identical:

cat /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf |grep SSLProtocol

 

If they are not identical, change the line on all nodes to read:

SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

This is a known good configuration on current releases of Aria/vRealize Operations, verified up to 8.18.1.

Then restart the Apache service on all nodes with the command:

service httpd restart
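
One way to script the verification step on each node, as an added example rather than VMware tooling: it extracts the active SSLProtocol line, compares it with the known-good value from this article, and lists the protocols the line leaves enabled. The expansion of All (ALL_SET) is an assumption that depends on the Apache/OpenSSL build, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not VMware tooling): check a vcops-apache.conf copy against
# the known-good SSLProtocol value quoted in this article.
KNOWN_GOOD="All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1"
# Assumption: what "All" covers depends on the Apache/OpenSSL build; this
# candidate list is illustrative only.
ALL_SET="SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Print the arguments of each active (uncommented) SSLProtocol directive,
# one per line, whitespace collapsed. Directive names are case-insensitive.
ssl_protocol_values() {
    awk 'tolower($1) == "sslprotocol" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# Apply tokens left to right: a bare name replaces the set, "+name" adds,
# "-name" removes. Removing a protocol that is not in the set is a no-op.
effective_protocols() {
    enabled=""
    for tok in $1; do
        name="${tok#[+-]}"
        case "$name" in [Aa][Ll][Ll]) name="$ALL_SET" ;; esac
        rest=$(printf '%s\n' $enabled |
               grep -viFx -- "$(printf '%s\n' $name)" | tr '\n' ' ')
        case "$tok" in
            -*) enabled="$rest" ;;
            +*) enabled="$rest $name" ;;
            *)  enabled="$name" ;;
        esac
    done
    echo $enabled
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Return 0 only if the file has exactly one active directive that equals
# KNOWN_GOOD (ignoring case and spacing); otherwise report why and return 1.
check_node() {
    values=$(ssl_protocol_values "$1")
    count=$(printf '%s\n' "$values" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "$1: expected 1 active SSLProtocol line, found $count"; return 1
    fi
    if [ "$(lower "$values")" != "$(lower "$KNOWN_GOOD")" ]; then
        echo "$1: DRIFT '$values' (enables: $(effective_protocols "$values"))"
        return 1
    fi
    echo "$1: OK (enables: $(effective_protocols "$values"))"
}
```

On a node, source the file and run `check_node /usr/lib/vmware-vcopssuite/utilities/conf/vcops-apache.conf`; a non-zero exit status marks a node whose line needs correcting before the restart.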