Hybrid vCenter Service (HVC) does not start - Error creating bean with name 'authzFilter'

Article ID: 396713

Products

VMware vCenter Server

Issue/Introduction

  • The Hybrid vCenter Service (HVC) fails to start on vCenter Server.
  • The HVC service log (/var/log/vmware/hvc/hvc-svcs.log) shows an exception similar to the following:

YYYY-MM-DDTHH:MM:SS.ZZZ [main [] INFO  com.vmware.sync.interceptors.AuthnUtils  opId=] ******VAPI connection to authZ endpoint http://localhost:10080/invsvc/vapi
YYYY-MM-DDTHH:MM:SS.ZZZ [main [] INFO  com.vmware.vapi.internal.tracing.otel.OtelFeature  opId=] OpenTelemetry is not on the classpath
YYYY-MM-DDTHH:MM:SS.ZZZ [main [] WARN  com.vmware.hvc.synccontroller.Controller  opId=] Privilege already exists: HLM.Create
YYYY-MM-DDTHH:MM:SS.ZZZ [main [] WARN  org.springframework.context.support.ClassPathXmlApplicationContext  opId=] Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'isAccessLogCreated' defined in class path resource [vlsi-server.xml]: Cannot resolve reference to bean 'authzFilter' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authzFilter' defined in class path resource [vlsi-server.xml]; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.vmware.hvc.synccontroller.Controller]: Constructor threw exception; nested exception is com.vmware.vapi.std.errors.InternalServerError: InternalServerError (com.vmware.vapi.std.errors.internal_server_error) => {
    defaultMessage = Provider method implementation threw unexpected exception: com.vmware.vapi.std.errors.InternalServerError,
    args = [com.vmware.vapi.std.errors.InternalServerError],
}],
    errorType = INTERNAL_SERVER_ERROR
}
YYYY-MM-DDTHH:MM:SS.ZZZ [main [] ERROR com.vmware.hvc.service.Main  opId=] start: Hybrid VC Service failed to start

 

  • A vCenter VAMI backup fails with the error message "Invalid vCenter Server Status: All required services are not up! Stopped services: 'hvc'."
  • While configuring Entra ID, you notice that the HVC service fails to start, with the error "Error creating bean with name 'authzFilter'" in hvc-svcs.log.
  • vpxd-svcs.log and vmdird.log show entries similar to the following:

/var/log/vmware/vpxd-svcs/vpxd-svcs.log:
YYYY-MM-DDTHH:MM:SS.ZZZ [tomcat-exec-148 [] INFO  com.vmware.cis.core.authz.accesscontrol.impl.AuthzServiceBaseImpl  opId=<OpID>] deleteRoleByUser called by user: <Domain Name>\<User Name>
YYYY-MM-DDTHH:MM:SS.ZZZ [tomcat-exec-148 [] INFO  com.vmware.cis.core.authz.accesscontrol.impl.PersistorImpl  opId=<OpID] Deleting Role 1002

/var/log/vmware/vmdird/vmdird.log
YYYY-MM-DDTHH:MM:SS.ZZZ:INFO: Delete Entry (cn=1002,cn=RoleModel,cn=VmwAuthz,cn=services,dc=vsphere,dc=local, EID 7120)
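
To confirm from vpxd-svcs.log which account removed the role, the two entries shown above can be correlated by thread. This is an added example, not part of the original article or of VMware tooling; the function names and the sample log lines (timestamps, users, opIds) are constructed, and it assumes both entries are written by the same thread, as in the excerpt.

```shell
#!/bin/sh
# Added example: report who deleted a given authz role, from vpxd-svcs.log.
# Assumption: the "deleteRoleByUser" entry and the matching "Deleting Role <id>"
# entry are written by the same thread (field 2), as in the excerpt above.

find_role_deletions() {
    # $1 = role ID to look for, $2 = log file (default: stdin)
    awk -v role="$1" '
        {
            thread = $2    # thread field, e.g. [tomcat-exec-148
            marker = "deleteRoleByUser called by user: "
            p = index($0, marker)
        }
        p > 0 {
            # Remember the caller until this thread logs the deletion itself.
            caller[thread] = substr($0, p + length(marker))
            next
        }
        / Deleting Role [0-9]+$/ {
            if ($NF == role) {
                who = (thread in caller) ? caller[thread] : "unknown"
                printf "%s role=%s user=%s\n", $1, $NF, who
            }
            delete caller[thread]
        }
    ' "${2:--}"
}

# Constructed sample: two interleaved deletions on different threads.
sample_vpxd_log() {
    cat <<'EOF'
2025-01-10T09:15:02.101Z [tomcat-exec-148 [] INFO  com.vmware.cis.core.authz.accesscontrol.impl.AuthzServiceBaseImpl  opId=op-a1] deleteRoleByUser called by user: EXAMPLE.LOCAL\alice
2025-01-10T09:15:02.110Z [tomcat-exec-77 [] INFO  com.vmware.cis.core.authz.accesscontrol.impl.AuthzServiceBaseImpl  opId=op-b2] deleteRoleByUser called by user: EXAMPLE.LOCAL\bob
2025-01-10T09:15:02.120Z [tomcat-exec-77 [] INFO  com.vmware.cis.core.authz.accesscontrol.impl.PersistorImpl  opId=op-b2] Deleting Role 1055
2025-01-10T09:15:02.140Z [tomcat-exec-148 [] INFO  com.vmware.cis.core.authz.accesscontrol.impl.PersistorImpl  opId=op-a1] Deleting Role 1002
EOF
}

# Demo on the constructed sample when run without arguments.
if [ "$#" -eq 0 ]; then sample_vpxd_log | find_role_deletions 1002; fi
```

On a real appliance, pass the log path as the second argument, for example `find_role_deletions 1002 /var/log/vmware/vpxd-svcs/vpxd-svcs.log`.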

Environment

VMware vCenter Server 8.x

Cause

By default, vCenter Server has a "SyncUsers" role with RoleID 1002. This issue is observed when RoleID 1002 is missing on vCenter Server.

Resolution

Add the missing SyncUsers role by following the steps below:

  • SSH to the vCenter Server.
  • Run the LDAP command below to add the missing role 1002. (Note: Replace dc=vsphere,dc=local with the correct vSphere domain name.)

/opt/likewise/bin/ldapadd -x -D cn=Administrator,cn=Users,dc=vsphere,dc=local -W <<EOF
version: 1
dn: cn=1002,cn=RoleModel,cn=VmwAuthz,cn=Services,dc=vsphere,dc=local
objectClass: vmwAuthzRole
objectClass: top
cn: 1002
vmwAuthzRoleDescription: This role entitles you to perform operations required for sync
vmwAuthzRoleName: SyncUsers
vmwAuthzRolePrivilegeId: System.Anonymous
vmwAuthzRolePrivilegeId: System.Read
vmwAuthzRolePrivilegeId: System.View
vmwAuthzRolePrivilegeId: InventoryService.Tagging.EditTag
vmwAuthzRolePrivilegeId: InventoryService.Tagging.AttachTag
vmwAuthzRolePrivilegeId: InventoryService.Tagging.CreateCategory
vmwAuthzRolePrivilegeId: InventoryService.Tagging.ModifyUsedByForCategory
vmwAuthzRolePrivilegeId: HLM.Manage
vmwAuthzRolePrivilegeId: IntercomNamespace.Read
vmwAuthzRolePrivilegeId: InventoryService.Tagging.CreateTag
vmwAuthzRolePrivilegeId: IntercomNamespace.Write
vmwAuthzRolePrivilegeId: InventoryService.Tagging.DeleteTag
vmwAuthzRolePrivilegeId: SettingsStore.Manage
vmwAuthzRolePrivilegeId: InventoryService.Tagging.EditCategory
vmwAuthzRolePrivilegeId: CertificateManagement.Manage
vmwAuthzRolePrivilegeId: InventoryService.Tagging.DeleteCategory
vmwAuthzRolePrivilegeId: Trust.Manage
vmwAuthzRolePrivilegeId: HLM.Create
vmwAuthzRolePrivilegeId: InventoryService.Tagging.ModifyUsedByForTag
vmwAuthzRoleVersion: 7
EOF

  • Restart all vCenter services.

         service-control --stop --all && service-control --start --all

Additional Information