Unable to access the site recovery UI - Signature Validation failed
Article ID: 396816

Updated On:

Products

VMware Live Recovery

Issue/Introduction

Symptoms

  • The Site Recovery Manager (SRM) plugin does not display expected configuration or details within the vSphere Client.
  • Clicking “Launch Site Recovery” results in a failure to load the Disaster Recovery (DR) UI, indicating issues related to authentication or certificate validation.
  • This behaviour is observed after renewing the Security Token Service (STS) certificate on the vCenter Server.

Environment

VMware Live Site Recovery 8.x

VMware Live Site Recovery 9.x

Cause

After the Security Token Service (STS) certificates were renewed on the vCenter Server, the Site Recovery Manager (SRM) appliance was not reconfigured to recognize the updated certificate chain. Consequently, the SRM appliance continued using outdated token information. This caused SAML token signature validation failures during communication with the vCenter’s Single Sign-On (SSO) service, preventing the DR UI from loading properly.

Cause Validation

Log analysis from both the SRM appliance and the vCenter Server confirmed the issue was due to invalid or untrusted tokens resulting from the certificate mismatch.

In the /opt/vmware/support/logs/dr-client/dr.log file on the SRM appliance, the following events indicate that the SAML token is treated as malformed because no trusted path to the STS signing certificate can be built:

2025-05-07 07:41:43,820 [dr-config-thread-2840] INFO com.vmware.identity.token.impl.X509TrustChainKeySelector - Failed to find trusted path to signing certificate <CN=ssoserverSign>
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2025-05-07 07:41:43,820 [dr-config-thread-2840] ERROR com.vmware.identity.token.impl.SamlTokenImpl be275231-####-####-####-########e814 - Signature validation failed javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
2025-05-07 07:41:43,820 [dr-config-thread-2840] WARN com.vmware.srm.client.topology.impl.utils.RefreshManager be275231-####-####-####-########e814 - Failed to create product for client com.vmware.srm.client.topology.impl.sso.StsProxyBase$$EnhancerByCGLIB$$f057e10d@3bbd8e8e
com.vmware.vim.sso.client.exception.MalformedTokenException: Signature validation failed

In the /var/log/vmware/sso/tokenservice.log file on the vCenter Server, the following events indicate that the token presented by SRM is no longer considered valid:

2025-04-25T05:32:23.030Z ERROR tokenservice [38:tomcat-http--3] [CorId= OpId=] [com.vmware.identity.token.impl.SamlTokenImpl] Signature validation failed javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
Caused by: com.vmware.vapi.dsig.json.SignatureException: Cannot verify the signature over the provided data
..................
Caused by: com.vmware.vim.sso.client.exception.MalformedTokenException: Signature validation
at com.vmware.identity.token.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:726) ~[samltoken-7.0.0.jar:?]
..................
Caused by: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
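As an added triage helper (not part of this article or of any VMware tooling), the following Python scans dr.log and tokenservice.log excerpts for the indicators quoted above and correlates the two sides into the verdict this article describes. The indicator labels, the dr.log line pattern and the sample lines are my own constructions modelled on the excerpts.

```python
import re
from collections import Counter

# Indicator patterns taken from the dr.log/tokenservice.log events quoted above (key names are mine).
INDICATORS = {
    "untrusted_signing_cert": re.compile(r"Failed to find trusted path to signing certificate <CN=ssoserverSign>"),
    "no_cert_path": re.compile(r"unable to find valid certification path"),
    "no_validation_key": re.compile(r"keyselector did not find a validation key"),
    "malformed_token": re.compile(r"MalformedTokenException: Signature validation"),
}
# dr.log layout in the excerpt: "<date> <time>,<ms> [<thread>] <LEVEL> <logger> ... - <message>"
DR_LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+) (?P<rest>.*)$")

def find_indicators(lines):
    """Count how often each indicator pattern occurs in the given log lines."""
    hits = Counter()
    for line in lines:
        hits.update(name for name, rx in INDICATORS.items() if rx.search(line))
    return hits

def first_trust_failure(dr_log_lines):
    """(timestamp, thread) of the first dr.log event that could not build a trust path to
    the STS signing certificate, or None. Stack-trace lines carry no timestamp and are skipped."""
    for line in dr_log_lines:
        m = DR_LOG_RE.match(line)
        if m and INDICATORS["untrusted_signing_cert"].search(m["rest"]):
            return m["ts"], m["thread"]
    return None

def diagnose(dr_log_lines, tokenservice_lines):
    """Heuristic verdict: the STS mismatch described above shows as SRM failing to build a trust
    path to the STS signing certificate while both SRM and vCenter reject the token signature."""
    srm, vc = find_indicators(dr_log_lines), find_indicators(tokenservice_lines)
    trust_gap = srm["untrusted_signing_cert"] or srm["no_cert_path"]
    both_reject = srm["no_validation_key"] and vc["no_validation_key"]
    if trust_gap and both_reject:
        return "sts-cert-mismatch"          # the cause this article describes
    if any(srm.values()) or any(vc.values()):
        return "token-validation-failure"   # same family; needs more evidence
    return "no-indicators"

# Constructed sample lines modelled on the excerpts above; the token id is a placeholder, not a real one.
SAMPLE_DR_LOG = [
    "2025-05-07 07:41:43,820 [dr-config-thread-2840] INFO com.vmware.identity.token.impl.X509TrustChainKeySelector - Failed to find trusted path to signing certificate <CN=ssoserverSign>",
    "sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target",
    "2025-05-07 07:41:43,820 [dr-config-thread-2840] ERROR com.vmware.identity.token.impl.SamlTokenImpl 00000000-0000-0000-0000-000000000000 - Signature validation failed javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key",
    "com.vmware.vim.sso.client.exception.MalformedTokenException: Signature validation failed",
]
SAMPLE_TOKENSERVICE_LOG = ["2025-04-25T05:32:23.030Z ERROR tokenservice [38:tomcat-http--3] [CorId= OpId=] [com.vmware.identity.token.impl.SamlTokenImpl] Signature validation failed javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key"]
```

Feed it the real files with `diagnose(open(dr_path).read().splitlines(), open(ts_path).read().splitlines())`; a "sts-cert-mismatch" verdict is the pattern this article attributes to an unreconfigured SRM appliance after an STS certificate renewal.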

Resolution

To resolve this issue, reconfigure the Site Recovery Manager Appliance.

During the reconfiguration process, the SRM appliance re-registers with the vCenter Server and retrieves the updated Security Token Service (STS) certificate chain. This updates the trust relationship between the SRM appliance and the vCenter’s SSO service, allowing SAML token validation to succeed. As a result, the authentication issues are resolved, and the DR UI loads successfully.

Note: You may need to change the Site Recovery Manager Appliance certificate before reconfiguring.