Error: "Error obtaining hok token - Request signature is not valid. Check if the confirmation certificate matches the given private key" whilst using VRO plugin
search cancel

Error: "Error obtaining hok token - Request signature is not valid. Check if the confirmation certificate matches the given private key" whilst using VRO plugin

book

Article ID: 380020

calendar_today

Updated On:

Products

VMware Cloud Director

Issue/Introduction

When trying to execute a workflow via the Orchestrator plugin in Cloud Director you observe errors similar to

  • "Error obtaining hok token - Request signature is not valid. Check if the confirmation certificate matches the given private key."
  • "Unable to perform this action. Contact your cloud admninistrator"
  • "Invalid VRO request params"
  • "Some data cannot be retrieved. If the problem persists, contact your system administrator. Failed request com.a1.form/<workflowName>"

Within the Cloud Director log file /opt/vmware/vcloud-director/logs/vcloud-container-debug.log you observe errors similar to:

2024-10-01 15:53:24,380 | ERROR    | pool-jetty-129610         | SoapBindingImpl                | SOAP fault | requestId=<request-id>,request=GET https://cloud.example.com/cloudapi/workflows/forms/urn:vcloud:serviceItem:<service-item-id>/evaluationContext,requestTime=1727790804132,remoteAddress=<remote-ip>:41183,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=*;version 38.1
com.sun.xml.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Signature is invalid. Please see the server log to find more detail regarding exact cause of the failure.
        at com.sun.xml.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:193)
 
2024-10-01 15:53:24,382 | WARN     | pool-jetty-129610         | VroServiceImpl                 | Unable to secure connection to VRO server vrovip.example.com using VC <vc-id> | requestId=<request-id>,request=GET https://cloud.example.com/cloudapi/workflows/forms/urn:vcloud:serviceItem:<service-item-id>/evaluationContext,requestTime=1727790804132,remoteAddress=<remote-ip>:41183,userAgent=Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 ...,accept=*;version 38.1
com.vmware.vcloud.vro.client.exception.VroSsoAuthenticationException: Error obtaining hok token
        at com.vmware.vcloud.vro.client.connection.VroSsoAuthenticationManager.getHoKTokenFromSecurityTokenService(VroSsoAuthenticationManager.java:208)
        at com.vmware.vcloud.vro.client.connection.VroSsoAuthenticationManager.fetchHoKToken(VroSsoAuthenticationManager.java:166)
        at com.vmware.vcloud.vro.client.connection.VroSsoAuthenticationManager.regenerateAuthentication(VroSsoAuthenticationManager.java:150)
        at com.vmware.vcloud.vro.client.connection.VroSsoAuthenticationManager.lambda$getSsoAuthentication$0(VroSsoAuthenticationManager.java:140)
        at java.base/java.util.concurrent.atomic.AtomicReference.accumulateAndGet(AtomicReference.java:263)
 
Caused by: com.vmware.vim.sso.client.exception.AuthenticationFailedException: Request signature is not valid. Check if the confirmation certificate matches the given private key.
        at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition(SecurityTokenServiceImpl.java:1140

Environment

Cloud Director 10.x

Cause

This issue occurs when the VRO plugin is unable to authenticate successfully to the VRO server using the user account set in the Service Management page of Cloud Director. As Cloud Director attempts to acquire an authentication token with the stored username and password it fails.

Resolution

To resolve this matter:

1) Login to the Cloud Director provider portal as a system administrator

2) Navigate to "Libraries -> Service Management".

3) Review the VRO registration details and identify which user account has been used to authenticate to VRO. 

4) Edit the VRO connection point and type the user password again to ensure it's set correctly. Save and then test if the matter is resolved.

5) If issues persist, create a new user account which can be used for the VRO registration. Replace the old account with this new account in the VRO registration page .