Known Issues after Applying VIDM CSP-97577 Patch

Article ID: 406308

Products

VMware Aria Suite

Issue/Introduction

After applying the VIDM CSP-97577 Patch, the following issues have been observed:

  1. Cloud-init Service Failure

  2. Console logs are not shown in the VM console

  3. Certificate Authentication Adapter Load Failure

     Symptom: Certificate authentication fails if it was configured before the patch was applied. The following error appears in /opt/vmware/horizon/workspace/logs/connector.log:

     com.vmware.horizon.connector.restapi.identity.exception.mapper.AbstractExceptionMapper - Exception while handling jersey request.
     java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
         at com.vmware.horizon.cas.CASUtil.calculateVersion(CASUtil.java:45) ~[tomcat-support-1.0.jar:3.3.7.0 Build 24863103]

  4. IWA Directory Sync and Auth Issue

     Symptom: In connector.log/connector-dir-sync.log/workspace.log, the following error appears:

     Caused by: javax.naming.AuthenticationNotSupportedException: GSSAPI
         at java.naming/com.sun.jndi.ldap.sasl.LdapSasl.saslBind(Unknown Source) ~[?:?]
         at java.naming/com.sun.jndi.ldap.LdapClient.authenticate(Unknown Source) ~[?:?]
         at java.naming/com.sun.jndi.ldap.LdapCtx.connect(Unknown Source) ~[?:?]

     Symptom: Running a directory sync returns the following error in the UI:

     Connector communication failed because of invalid data: The specified Bind DN and password could not be used to successfully authenticate against the directory. Sync test Response from connector: Failed to complete dry run

  5. Kerberos Auth Failure Issue

     Symptom: The following entries appear in /opt/vmware/horizon/workspace/logs/workspace.log:

     2025-08-13T10:44:16,696 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Initiating authentication using Kerberos
     2025-08-13T10:44:16,707 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Kerberos authentication failure: null
     2025-08-13T10:44:16,707 INFO : com.vmware.horizon.adapters.kerberosAdapter.KerberosIdpAdapter - Cause: Unsupported mechanism requested: 1.3.6.1.5.5.2

  6. connector.log and connector-dir-sync.log are missing after the CSP-97577 Patch is applied to an environment upgraded from 336 to 337

     Symptom: connector.log and connector-dir-sync.log are missing after patching.
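
To decide which fixes a node needs, the log symptoms above can be checked in one pass. The following is an added example, not part of the KB or its attachments; the function names vidm_triage and vidm_triage_demo are hypothetical, and it assumes connector-dir-sync.log sits in the same directory as connector.log and workspace.log.

```shell
#!/bin/sh
# Added example, not part of the KB: report which issues from this article
# a node's logs show. Assumption: all three logs live in one directory.
vidm_triage() {
    dir="${1:-/opt/vmware/horizon/workspace/logs}"
    # Issue 6: either connector log is absent after patching.
    missing=0
    for f in connector.log connector-dir-sync.log; do
        [ -f "$dir/$f" ] || missing=1
    done
    # has STRING: succeeds if any of the three logs contains the fixed string.
    has() {
        for f in connector.log connector-dir-sync.log workspace.log; do
            [ -r "$dir/$f" ] && grep -qF -- "$1" "$dir/$f" && return 0
        done
        return 1
    }
    has 'NoClassDefFoundError: javax/xml/bind/DatatypeConverter' && echo "issue 3: certificate adapter"
    has 'AuthenticationNotSupportedException: GSSAPI' && echo "issue 4: IWA sync/auth"
    has 'Unsupported mechanism requested: 1.3.6.1.5.5.2' && echo "issue 5: Kerberos auth"
    [ "$missing" -eq 1 ] && echo "issue 6: connector logs missing"
    return 0
}

# Demo on constructed logs: lines copied from the symptoms above,
# with connector-dir-sync.log deliberately left out.
vidm_triage_demo() {
    d=$(mktemp -d)
    echo 'java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter' > "$d/connector.log"
    echo 'KerberosIdpAdapter - Cause: Unsupported mechanism requested: 1.3.6.1.5.5.2' > "$d/workspace.log"
    vidm_triage "$d"
    rm -rf "$d"
}
```

Run vidm_triage with no argument on the appliance to scan /opt/vmware/horizon/workspace/logs.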

Environment

VMware Identity Manager 3.3.7

Resolution

Please follow the steps below to fix the respective issue. 

Note that a reboot of the vIDM appliances is required after applying the below fixes. You can apply all fixes and then perform the reboot.  

Issue 1: Cloud-init Service Failed

Resolution Steps:

  1. On the VIDM machine where the patch was applied, run the following commands:

    • systemctl unmask cloud-init-local

    • systemctl enable cloud-init-local

    • systemctl start cloud-init-local

    • systemctl status getty@tty1

    • systemctl enable getty@tty1.service

    • systemctl start getty@tty1.service

Issue 2: Console Logs Not Displayed in the VM Console

Resolution Steps:

  1. Edit the GRUB configuration file by running:
    vim /boot/grub/grub.cfg

  2. Append systemd.show_status=1 to the end of the following line:
    linux /$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline

    Example:
    linux /$photon_linux root=$rootpartition $photon_cmdline $systemd_cmdline systemd.show_status=1

  3. Save the file. 

Issue 3: Certificate Authentication Adapter Load Failure

Resolution Steps:

  1. Transfer the attached JAR file to the VIDM appliance via SCP or WinSCP.

  2. Verify the permissions of the existing JAR by running:
    ls -lrth /opt/vmware/horizon/workspace/lib/tomcat-support-1.0.jar

    The expected output should be:
    -rw-r----- 1 root www 385K /opt/vmware/horizon/workspace/lib/tomcat-support-1.0.jar

  3. Copy the attached JAR from the KB to the required path:
    cp tomcat-support-1.0.jar /opt/vmware/horizon/workspace/lib/

  4. Re-verify the JAR file permissions:
    ls -lrth /opt/vmware/horizon/workspace/lib/tomcat-support-1.0.jar

Issue 4 & 5: IWA Directory Sync and auth Issue & Kerberos Auth failure Issue

Resolution Steps:

  1. If VIDM is deployed in FIPS mode:
    a. Check the file permissions:
      ls -lrth /opt/vmware/horizon/workspace/conf/idm_fips.security
      Example:
      -r--r----- 1 horizon www 847 Aug 22 09:42 /opt/vmware/horizon/workspace/conf/idm_fips.security
    b. Take a backup of the file:
      cp /opt/vmware/horizon/workspace/conf/idm_fips.security /opt/vmware/horizon/workspace/conf/idm_fips.security.bak
    c. Copy the attached file (idm_fips.security) to the vIDM node(s) and replace the existing file:
      cp idm_fips.security /opt/vmware/horizon/workspace/conf/
    d. Check the file permissions again and set them to match the output from step 1.a.

  2. If VIDM is deployed in non-FIPS mode:
    a. Check the file permissions:
      ls -lrth /opt/vmware/horizon/workspace/conf/idm_non_fips.security
      Example:
      -r--r----- 1 horizon www 847 Aug 22 09:42 /opt/vmware/horizon/workspace/conf/idm_non_fips.security
    b. Take a backup of the file:
      cp /opt/vmware/horizon/workspace/conf/idm_non_fips.security /opt/vmware/horizon/workspace/conf/idm_non_fips.security.bak
    c. Copy the attached file (idm_non_fips.security) to the vIDM node(s) and replace the existing file:
      cp idm_non_fips.security /opt/vmware/horizon/workspace/conf/
    d. Check the file permissions again and set them to match the output from step 2.a.
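
The check, back up, replace and re-check sequence used in Issue 3 and in Issues 4 & 5 can be wrapped in one helper that fails if the owner, group or mode changes. The following is an added example, not part of the KB or its attachments; the function name replace_keep_perms and the default .bak backup name are assumptions (the KB itself takes a backup only for the .security files), and it needs GNU coreutils.

```shell
#!/bin/sh
# Added example, not part of the KB: replace a file and keep the owner, group and
# mode recorded by the "check the file permission" steps. Needs GNU coreutils.
# replace_keep_perms is a hypothetical helper name; BACKUP defaults to DEST.bak.
replace_keep_perms() {
    src=$1
    dest=$2
    bak=${3:-$dest.bak}
    [ -f "$src" ] && [ -f "$dest" ] || { echo "missing $src or $dest" >&2; return 1; }
    # Keep the first pre-fix copy: refuse to overwrite an existing backup.
    [ ! -e "$bak" ] || { echo "backup $bak already exists" >&2; return 1; }
    before=$(stat -c '%a %U:%G' "$dest")        # for example "440 horizon:www"
    cp -p "$dest" "$bak" || return 1            # -p keeps mode, owner and timestamps
    # -f recreates a read-only destination, which is why metadata is re-applied below.
    cp -f "$src" "$dest" || return 1
    chown --reference="$bak" "$dest" || return 1
    chmod --reference="$bak" "$dest" || return 1
    after=$(stat -c '%a %U:%G' "$dest")
    [ "$before" = "$after" ] || { echo "metadata changed: $before -> $after" >&2; return 1; }
    cmp -s "$src" "$dest" || { echo "content differs from $src" >&2; return 1; }
    echo "$dest replaced, metadata: $after"
}

# Example call with the paths from Issue 4 & 5 (FIPS mode), run as root on the node:
# replace_keep_perms idm_fips.security /opt/vmware/horizon/workspace/conf/idm_fips.security
```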

Issue 6: connector.log and connector-dir-sync.log missing after the CSP-97577 Patch is applied to an environment upgraded from 336 to 337

Resolution Steps:

  1. Copy the attached script to the vIDM node(s).
  2. Add the executable permission:
    chmod +x update-log4j2-and-restart.sh
  3. Run the attached script:
    ./update-log4j2-and-restart.sh

Note:
After performing all the above resolution steps, reboot the VIDM appliance to apply the changes.

Attachments

update-log4j2-and-restart.sh
idm_non_fips.security
idm_fips.security
tomcat-support-1.0.jar