Configuring PingFederate Identity Provider on the vCenter Server fails with error "Could not create indirect identity provider".

Article ID: 395951

Products

VMware vCenter Server

Issue/Introduction

  • Configuring the PingFederate identity provider fails with the error "Could not create indirect identity provider".
  • The following entries appear in federation-service.log (/var/log/vmware/vc-ws1a-broker/federation-service.log):

    2025-04-23T11:27:31,067 INFO  vc_fqdn:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #2 @1d5b9eea] opening connection to pingfederateserver:443
    2025-04-23T11:27:31,101 INFO  TestVC.ac.lp.acml.com:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #2 @1d5b9eea] established connection with pingfederateserver:443
    2025-04-23T11:27:37,111 ERROR TestVC.ac.lp.acml.com:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] io.vertx.core.net.impl.ConnectionBase - Connection reset
    2025-04-23T11:27:37,111 WARN  TestVC.ac.lp.acml.com:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] com.vmware.vidm.common.async.RetryCompletableFuture - Failed after max retries: 0 java.util.concurrent.CompletionException: java.net.SocketException: Connection reset
    2025-04-23T11:27:37,111 INFO  TestVC.ac.lp.acml.com:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #2 @1d5b9eea] disconnected from pingfederateserver:443
    2025-04-23T11:27:37,112 WARN  TestVC.ac.lp.acml.com:federation (ForkJoinPool-2-worker-6) [CUSTOMER;312f2a71-249d-4a5d-8e24-a5e7ffbd8d51;127.0.0.1;1806c893-44ed-4b17-8593-d6b8698a3315;-;-] com.vmware.vidm.common.resiliency.circuitbreaker.CircuitBreakers - Exception during execution inside circuit breaker pingfederateserver java.util.concurrent.CompletionException: java.net.SocketException: Connection reset
            at com.vmware.vidm.common.http.client.vertx.VertxHttpClient.handleException(VertxHttpClient.java:224)
            at com.vmware.vidm.common.http.client.vertx.VertxHttpClient.lambda$execute$0(VertxHttpClient.java:82)
            at java.base/java.util.concurrent.CompletableFuture.uniHandle(Unknown Source)
            at java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(Unknown Source)
            at java.base/java.util.concurrent.CompletableFuture$Completion.run(Unknown Source)
            at com.vmware.vidm.common.async.ContextPassingExecutor.lambda$wrap$0(ContextPassingExecutor.java:48)
            at java.base/java.util.concurrent.ForkJoinTask$RunnableExecuteAction.exec(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)
    Caused by: java.net.SocketException: Connection reset

or 

    2025-04-16T09:31:06,695 WARN  vc_fqdn:federation (ForkJoinPool-2-worker-796) [CUSTOMER;312f2a71-249d-4a5d-8e24-a5e7ffbd8d51;127.0.0.1;e292a530-25f6-4a4a-903e-2899ae4051c;-;-] com.vmware.vidm.common.resiliency.circuitbreaker.CircuitBreakers - Exception during execution inside circuit breaker pingfederateserver java.util.concurrent.CompletionException: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
            at com.vmware.vidm.common.http.client.vertx.VertxHttpClient.handleException(VertxHttpClient.java:224)
            at com.vmware.vidm.common.http.client.vertx.VertxHttpClient.lambda$execute$0(VertxHttpClient.java:82)
            at java.base/java.util.concurrent.CompletableFuture.uniHandle(Unknown Source)
            at java.base/java.util.concurrent.CompletableFuture$UniHandle.tryFire(Unknown Source)
            at java.base/java.util.concurrent.CompletableFuture$Completion.run(Unknown Source)
            at com.vmware.vidm.common.async.ContextPassingExecutor.lambda$wrap$0(ContextPassingExecutor.java:48)
            at java.base/java.util.concurrent.ForkJoinTask$RunnableExecuteAction.exec(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinTask.doExec(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinPool.scan(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinPool.runWorker(Unknown Source)
            at java.base/java.util.concurrent.ForkJoinWorkerThread.run(Unknown Source)
    Caused by: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
            at io.vertx.core.net.impl.ChannelProvider$1.userEventTriggered(ChannelProvider.java:127)
            at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:400)
            at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:376)
            at io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:368)
            at io.netty.handler.ssl.SslHandler.handleUnwrapThrowable(SslHandler.java:1358)

Environment

VMware vCenter Server 7.x

VMware vCenter Server 8.x

Cause

  • The PingFederate server abruptly resets the connection to the vCenter Server.

    or

  • The SSL certificate of the PingFederate server has expired.

Resolution

  • In case of an abrupt connection reset: check on the PingFederate server side to isolate the cause of the reset.

  • In case of an expired SSL certificate: renew the certificate of the PingFederate server.
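
To tell the two cases apart before escalating, the circuit-breaker entries can be classified straight from federation-service.log, and the certificate dates checked directly, since a handshake exception alone does not prove expiry. This is an added example, not VMware or PingFederate code; the function names and the shortened sample lines are constructed here, and the certificate check assumes the openssl CLI and network reach to the PingFederate server.

```shell
#!/bin/sh
# Added example (not vendor code). Function names are illustrative.

# Print "<circuit-breaker-name> <cause>" for every circuit-breaker failure in
# federation-service.log (file path as $1, or stdin when omitted).
triage_federation_log() {
  awk '
    /CircuitBreakers - Exception during execution inside circuit breaker / {
      name = $0
      sub(/.*inside circuit breaker /, "", name)   # drop everything before the name
      sub(/ .*/, "", name)                         # drop the exception text after it
      if ($0 ~ /SSLHandshakeException/)                  cause = "tls-handshake-failed"
      else if ($0 ~ /SocketException: Connection reset/) cause = "connection-reset"
      else                                               cause = "other"
      print name, cause
    }' "${1:--}"
}

# Exit status: 0 = certificate served by host:port has expired, 1 = still valid,
# 2 = no certificate retrieved (for example, the connection was reset).
# Needs network access and the openssl CLI; not exercised by the sample below.
idp_cert_expired() {
  pem=$(openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null) || return 2
  if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
    return 1
  fi
  return 0
}

# Constructed sample lines in the log format shown in this article (shortened).
sample_log() {
  cat <<'EOF'
2025-04-23T11:27:31,101 INFO  vc_fqdn:federation (vert.x-eventloop-thread-3) [-;-;-;-;-;-] org.bouncycastle.jsse.provider.ProvTlsClient - [client #2 @1d5b9eea] established connection with pingfederateserver:443
2025-04-23T11:27:37,112 WARN  vc_fqdn:federation (ForkJoinPool-2-worker-6) [-;-;-;-;-;-] com.vmware.vidm.common.resiliency.circuitbreaker.CircuitBreakers - Exception during execution inside circuit breaker pingfederateserver java.util.concurrent.CompletionException: java.net.SocketException: Connection reset
2025-04-16T09:31:06,695 WARN  vc_fqdn:federation (ForkJoinPool-2-worker-796) [-;-;-;-;-;-] com.vmware.vidm.common.resiliency.circuitbreaker.CircuitBreakers - Exception during execution inside circuit breaker pingfederateserver java.util.concurrent.CompletionException: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
EOF
}
```

Run `triage_federation_log /var/log/vmware/vc-ws1a-broker/federation-service.log` against the real log, then `idp_cert_expired <pingfederate-host>` for any host reported as tls-handshake-failed.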

Additional Information

Make sure the certificate meets the requirements described in the document "Configuring vCenter Server Identity Provider for PingFederate".