Opensearch Service fails to start with 'Authentication token is no longer valid' message.

Article ID: 384900

Products

VMware Aria Suite

Issue/Introduction

  • The OpenSearch service across the cluster is in a non-running state.
  • When attempting to start the OpenSearch service, it fails with the following event:

horizon-workspace service is running
Waiting for IDM:  Ok.
Number of nodes in cluster is : 3
Configuring /opt/vmware/opensearch/config/opensearch.yml file
Starting opensearch: vm.max_map_count = 262144
You are required to change your password immediately (password expired)
su: Authentication token is no longer valid; new one required
(Ignored)
future versions of OpenSearch will require Java 11; your Java version from [/usr/java/jre-vmware] does not meet this requirement
done.
    opensearch logs: /opt/vmware/opensearch/logs
    opensearch data: /db/opensearch

Environment

VMware Identity Manager (vIDM/WSA) 3.3.7

Cause

The issue occurred because the Postgres account password had expired.

Resolution

  1. Modify the Password Aging and Expiration Settings for the postgres User.

    • Log into all the Identity Manager nodes as root via SSH or console.
    • Disable password expiration for the postgres user by running:

# chage -m 0 -M 99999 -I -1 -E -1 postgres

    • Explanation of the Command Options - Values can be adjusted according to your organization's business requirements.
      • -m 0: Sets the minimum number of days between password changes to 0. This means the password can be changed at any time without restriction.

      • -M 99999: Sets the maximum number of days the password is valid to 99999. This essentially disables password expiration by allowing the password to remain valid for a very long time (almost unlimited).

      • -I -1: Disables the account inactivity period. This means the account will not be locked due to inactivity after the password expires (if it were set to expire).

      • -E -1: Disables the account expiration date. This ensures the account does not expire.

    • Apply the same command to root and sshuser accounts if their passwords are expired.
  2. Restart the OpenSearch Service:

    • Execute the command:
# /etc/init.d/opensearch start
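
To see which of the accounts named above is expired before changing its aging settings, and to confirm the result afterwards, the shadow(5) aging fields can be classified directly. This is an added example, not part of the KB or the product; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify password aging for postgres, root and sshuser from
# shadow(5) lines of the form name:hash:lastchg:min:max:warn:inactive:expire:
# Function names and sample data are constructed, not taken from the product.

# aging_status LINE TODAY -> prints "<name> <status>"; TODAY = days since 1970-01-01
aging_status() {
    IFS=: read -r name _hash lastchg _min max warn _rest <<EOF
$1
EOF
    # lastchg 0 means the password must be changed at next login
    if [ "$lastchg" = 0 ]; then echo "$name must-change"; return 0; fi
    # empty or negative max (or no lastchg) means no maximum password age
    if [ -z "$lastchg" ] || [ -z "$max" ] || [ "$max" -lt 0 ]; then
        echo "$name never-expires"; return 0
    fi
    left=$(( lastchg + max - $2 ))
    if [ "$left" -le 0 ]; then
        echo "$name expired"              # conservative: flags the boundary day too
    elif [ "$left" -le "${warn:-0}" ]; then
        echo "$name expires-in-${left}d"  # inside the warning window
    else
        echo "$name ok"
    fi
}

# check_accounts TODAY -> reads shadow-format lines on stdin, reports the three accounts
check_accounts() {
    while IFS= read -r entry; do
        case ${entry%%:*} in
            postgres|root|sshuser) aging_status "$entry" "$1" ;;
        esac
    done
}

# Constructed sample (hashes replaced by "x"); day 20000 stands in for "today".
SAMPLE='postgres:x:19900:0:60:7:::
root:x:19990:0:99999:7:::
sshuser:x:19945:0:60:7:::'
SAMPLE_TODAY=20000
printf '%s\n' "$SAMPLE" | check_accounts "$SAMPLE_TODAY"

# Live use on a node, as root:
#   check_accounts "$(( $(date +%s) / 86400 ))" < /etc/shadow
```

Run it on every node before step 1 to find the affected accounts, and again afterwards to confirm none report expired or must-change.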

Additional Information

  • There are instances where the OpenSearch service starts only on the master node, while the other nodes continue to fail.
  • This is typically caused by RabbitMQ not being in sync.
  • Please follow the KB article below to resolve the RabbitMQ issue.