unable to login using RSA authentication on Enhanced Linked Mode (ELM) vCenters
Article ID: 386076

Products

  • VMware vCenter Server 6.0
  • VMware vCenter Server 7.0
  • VMware vCenter Server 8.0

Issue/Introduction

  • After configuring RSA SecurID authentication on the vCenters, users are unable to log in with an RSA passcode.
  • /var/log/vmware/sso/rsa_securid.log reports errors similar to the following:

[2024-12-24 11:36:32,900] ERROR tomcat-http--43 - Exception processing configuration data Exception processing configuration data Agent (vCenter name) is not registered on the server
[2024-12-24 11:36:38,621] FATAL tomcat-http--25 - RSA Authentication API for Java v8.6.0.0.0[75] started
[2024-12-24 11:36:38,621] INFO tomcat-http--25 - sdopts.rec doesn't exist
[2024-12-24 11:36:38,622] INFO tomcat-http--25 - securid doesn't exist
[2024-12-24 11:36:38,623] DEBUG tomcat-http--25 - ACEServerDataObject.getData error: /storage/log/vmware/vmon/securid (No such file or directory)
[2024-12-24 11:36:38,624] DEBUG tomcat-http--25 - Can't get nodeSecret

Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

Enhanced Linked Mode (ELM) vCenters share a vmdird database, and that database replicates to the other vCenters in linked mode. The RSA agent configuration written to it on one node is therefore present on every node, so a node for which the RSA server has no matching agent registration fails with "Agent ... is not registered on the server".

Resolution

  1. Take an offline snapshot of all vCenters in Enhanced Linked Mode.
  2. Remove the existing RSA configuration on each vCenter:

    1. Connect to the vCenter node via JXplorer.
    2. Navigate to local -> Services -> Identitymanager -> Tenants -> <SSO Domain>.
    3. Delete "RSAAgentConfigurations" under the SSO domain. (Perform this on any one vCenter; the change replicates to the other nodes.)
    4. Log in to each vCenter via SSH and delete "vsphere.local" (that is, the SSO domain name) under "/etc/vmware-sso/".
    5. Reboot the vCenter servers.

  3. Configure RSA on any one of the linked vCenters:

    1. /opt/vmware/bin/sso-config.sh -t <SSO Domain> -set_authn_policy -securIDAuthn true
    2. /opt/vmware/bin/sso-config.sh -set_rsa_config -t <SSO Domain> -logLevel DEBUG
    3. /opt/vmware/bin/sso-config.sh -set_rsa_site -t <SSO Domain> -agentName <PSC FQDN> -sdConfFile /root/sdconf.rec -sdOptsFile /root/sdopts.rec
    4. /opt/vmware/bin/sso-config.sh -set_rsa_userid_attr_map -t <SSO Domain> -idsName <Domain name> -ldapAttr sAMAccountName
    5. After configuration, the following files are created and replicated to the other vCenters in ELM:

      rsa_api.properties
      sdconf.rec
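
The following shell script is an added example, not part of this article or of VMware's tooling. It automates the two checks an administrator would run on a node before and after the procedure above: whether /var/log/vmware/sso/rsa_securid.log contains the "is not registered on the server" or "Can't get nodeSecret" signatures quoted in the Issue section, and whether the per-domain RSA files named in step 3.5 are present. The assumption that those files live under /etc/vmware-sso/<SSO Domain> is taken from step 2.4 and is not stated by the article; the function names, the RSA_CHECK_DEMO switch and the sample log lines are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the KB article): pre/post checks for the RSA-on-ELM
# symptoms described above. Paths come from the article; the location of the
# per-domain RSA files is an assumption (see lead-in).

RSA_LOG_DEFAULT="/var/log/vmware/sso/rsa_securid.log"
SSO_CONF_DIR_DEFAULT="/etc/vmware-sso"

# check_rsa_log LOGFILE
#   Returns 0 when LOGFILE contains either signature quoted in the article
#   (agent not registered on the RSA server, or no node secret), 1 when it
#   contains neither, 2 when the file cannot be read.
check_rsa_log() {
    log="${1:-$RSA_LOG_DEFAULT}"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    if grep -q "is not registered on the server" "$log" \
       || grep -q "Can't get nodeSecret" "$log"; then
        echo "RSA agent registration problem detected in $log"
        return 0
    fi
    echo "no RSA agent registration errors in $log"
    return 1
}

# check_rsa_files SSO_DOMAIN [CONF_DIR]
#   Returns 0 when rsa_api.properties and sdconf.rec (the files step 3.5 says
#   are created) both exist under CONF_DIR/SSO_DOMAIN, 1 if any is missing.
#   CONF_DIR defaults to /etc/vmware-sso (assumed location, see lead-in).
check_rsa_files() {
    domain="$1"
    conf_dir="${2:-$SSO_CONF_DIR_DEFAULT}"
    missing=0
    for f in rsa_api.properties sdconf.rec; do
        if [ ! -f "$conf_dir/$domain/$f" ]; then
            echo "missing: $conf_dir/$domain/$f"
            missing=1
        else
            echo "present: $conf_dir/$domain/$f"
        fi
    done
    return "$missing"
}

# demo_constructed_log
#   Runs check_rsa_log against a constructed log fragment modelled on the
#   article's excerpt (vCenter name replaced by a placeholder) so the script
#   can be exercised off-box. Returns check_rsa_log's status.
demo_constructed_log() {
    tmp=$(mktemp) || return 2
    cat > "$tmp" <<'EOF'
[2024-12-24 11:36:32,900] ERROR tomcat-http--43 - Exception processing configuration data Agent (VC-PLACEHOLDER) is not registered on the server
[2024-12-24 11:36:38,624] DEBUG tomcat-http--25 - Can't get nodeSecret
EOF
    check_rsa_log "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# On a real node run: RSA_CHECK_DEMO=0 sh rsa_check.sh vsphere.local
# Off-box demo (default):  sh rsa_check.sh
if [ "${RSA_CHECK_DEMO:-1}" = "1" ]; then
    demo_constructed_log
else
    check_rsa_log "$RSA_LOG_DEFAULT"
    check_rsa_files "${1:-vsphere.local}"
fi
```

A node where check_rsa_log reports the registration signature after step 3 has been completed is the case the article's cause describes: the replicated configuration names an agent the RSA server does not know, so the fix is to repeat step 2 on every node and register only once, rather than to re-run step 3 on the failing node.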