Configuring SRM fails with error "N7Vmacore9ExceptionE com.vmware.vapi.std.errors.internal_server_error"
search cancel

Configuring SRM fails with error "N7Vmacore9ExceptionE com.vmware.vapi.std.errors.internal_server_error"

book

Article ID: 405040

calendar_today

Updated On:

Products

VMware Live Recovery

Issue/Introduction

Symptoms:

  • Reconfiguring SRM fails with the error:

    N7Vmacore9ExceptionE com.vmware.vapi.std.errors.internal_server_error

Environment

VMware Site Recovery Manager 8.x
VMware Site Recovery Manager 9.x

Cause

The Solution Users will be missing from the required groups for SRM configuration, resulting in missing necessary permissions to complete the SRM configuration.

Cause Validation:

  • /opt/vmware/support/logs/dr-client/drconfig.log file indicates that "solution user unable to create service account since it could not validate the permission information"

    YYYY-MM-DDTHH:MM.SSSZ error drconfig[01013] [SRM@6876 sub=ServiceAccountDomain opID=f7716536-5e1a-4852-9803-4c424cfb042b-configure:b66e] 'Create service account' error:
    --> {
    -->     "ERROR": {
    -->         "com.vmware.vapi.std.errors.internal_server_error": {
    -->             "data": {
    -->                 "OPTIONAL": null
    -->             },
    -->             "error_type": {
    -->                 "OPTIONAL": "INTERNAL_SERVER_ERROR"
    -->             },
    -->             "messages": [
    -->                 {
    -->                     "STRUCTURE": {
    -->                         "com.vmware.vapi.std.localizable_message": {
    -->                             "args": [
    -->                                 "com.vmware.vcenter.svcaccountmgmt.service_account.create"
    -->                             ],
    -->                             "default_message": "Could not validate permission information for operation com.vmware.vcenter.svcaccountmgmt.service_account.create invocation.",
    -->                             "id": "com.vmware.vapi.authorization.permission.error",
    -->                             "localized": {
    -->                                 "OPTIONAL": null
    -->                             },
    -->                             "params": {
    -->                                 "OPTIONAL": null
    -->                             }
    -->                         }
    -->                     }
    -->                 }
    -->             ]
    -->         }
    -->     }
    --> }

  • In the /var/log/vmware/sso/svcaccountmgmt.log, following errors are seen:

    YYYY-MM-DDTHH:MM.SSSZ ERROR svcaccountmgmt[82:tomcat-http--36] [CorId=########-####-####-####-############ OpId=] [com.vmware.vapi.authz.impl.AuthorizationFilter] Could not validate permission information for operation com.vmware.vcenter.svcaccountmgmt.service_account.create invocation.
    com.vmware.vim.binding.vmodl.fault.SecurityError: null

  • In the /var/log/vmware/vpxd-svcs/vpxd-svcs.log, following errors are seen:
    YYYY-MM-DDTHH:MM.SSSZ [authz-service-6 [] WARN  com.vmware.cis.authorization.impl.AclPrivilegeValidator  opId=d625802d-064a-4459-a3f4-23b94e905b52 IS] User VSPHERE.LOCAL\serviceaccountmgmt-########-####-####-####-############ does not have privileges [System.View] on object urn%3Aacl%3Aglobal%3Apermissions
    YYYY-MM-DDTHH:MM.SSSZ [authz-service-6 [] WARN  com.vmware.cis.core.authz.accesscontrol.impl.CheckPrivilegesRouterRiseImpl  opId=d625802d-064a-4459-a3f4-23b94e905b52 IS] User VSPHERE.LOCAL\serviceaccountmgmt-########-####-####-####-############ does not have privileges [System.View] on object urn%3Aacl%3Aglobal%3Apermissions
  • The output of below mentioned command confirms that user is missing from multiple groups.
    python solution_users_fixer.py --check
    Checking group memberships for sps-########-####-####-####-############
      sps-########-####-####-####-############ is MISSING from groups:  {'cn=actasusers,dc=vsphere,dc=local', 'cn=solutionusers,dc=vsphere,dc=local'}
    Checking group memberships for vsphere-ui-########-####-####-####-############
      vsphere-ui-########-####-####-####-############ is MISSING from groups:  {'cn=solutionusers,dc=vsphere,dc=local'}
      cms-########-####-####-####-############ is MISSING from groups:  {'cn=actasusers,dc=vsphere,dc=local', 'cn=caadmins,cn=builtin,dc=vsphere,dc=local', 'cn=solutionusers,dc=vsphere,dc=local', 'cn=serviceproviderusers,dc=vsphere,dc=local'}
    Checking group memberships for vsphere-webclient-########-####-####-####-############
    Checking group memberships for machine-########-####-####-####-############
    Checking group memberships for vpxd-svc-acct-########-####-####-####-############
      vpxd-svc-acct-########-####-####-####-############ is MISSING from groups:  {'cn=actasusers,dc=vsphere,dc=local', 'cn=solutionusers,dc=vsphere,dc=local', 'cn=users,cn=builtin,dc=vsphere,dc=local', 'cn=systemconfiguration.administrators,dc=vsphere,dc=local', 'cn=licenseservice.administrators,dc=vsphere,dc=local', 'cn=serviceproviderusers,dc=vsphere,dc=local', 'cn=componentmanager.administrators,dc=vsphere,dc=local'}
    Checking group memberships for vmware-vsm-########-####-####-####-############
      vmware-vsm-########-####-####-####-############ is MISSING from groups:  {'cn=actasusers,dc=vsphere,dc=local', 'cn=readonlyusers,dc=vsphere,dc=local', 'cn=solutionusers,dc=vsphere,dc=local', 'cn=serviceproviderusers,dc=vsphere,dc=local'}

 

Resolution

  • Fix the solution user permission related issues by running the below command.
    python solution_users_fixer.py --fix
  • Reconfigure the SRM.

Additional Information

Attachments

0685G00001FxCTyQAN__solution_users_fixer(81623).sh get_app
solution_users_fixer.py get_app
Powered by Wolken Software