Error: "MQTT: handshake failed ... MQTT: Invalid username and/or password" causes subscribing MQTT client not to receive events after VCD 10.6.1 upgrade
search cancel

Error: "MQTT: handshake failed ... MQTT: Invalid username and/or password" causes subscribing MQTT client not to receive events after VCD 10.6.1 upgrade

book

Article ID: 409470

calendar_today

Updated On:

Products

VMware Cloud Director

Issue/Introduction

  • MQTT events are not published after a VMware Cloud Director (VCD) 10.6.1 upgrade.
  • Events are not visible when subscribing MQTT after 10.6.1 upgrade
  • Connection shows established successfully but no events visible
  • In the /opt/vmware/vcloud-director/logs/vcloud-container-debug.log files, the following error can be seen: :

    2025-09-02 08:58:45,067 | WARN     | pool-jetty-358996         | MqttWebSocket                  | MQTT: handshake failed |
    com.vmware.vcloud.api.rest.handlers.mqtt.MqttException: MQTT: Invalid username and/or password. [PythonMQTT][null]
            at com.vmware.vcloud.api.rest.handlers.mqtt.MqttWebSocket.verifyCredentials(MqttWebSocket.java:199)
            at com.vmware.vcloud.api.rest.handlers.mqtt.MqttWebSocket.verifyCredentials(MqttWebSocket.java:185)

Environment

VMware Cloud Director 10.6.1

Cause

Prior to VCD 10.6.1, only the token was required for login and the username was set to none. 
For example when using the paho-mqtt Python package to subscribe to VCD's MQTT endpoint it may default to none, or be explicitly set to none:

i.e. client.username_pw_set(username=None, password=None)

Since VCD 10.6.1, the change was made that it now needs the username along with the password (token), since Token Validation is expecting username and password, it can't be set to None (null) anymore.

Resolution

In VCD 10.6.1 and later use a username and password with the client connection.

For example when using the paho-mqtt Python package to subscribe to VCD's MQTT endpoint the following could be set where the username is the VCD user and the password is the authorization bearer token for a logged in session:

client.username_pw_set(username='administrator@System', password=f'{TOKEN}')

NOTE: The username need not be administrator@System this is only for illustration. If the token was generated from an Organization user or a different Provider System user login then supply the respective username i.e. <username>@<orgName>.

Powered by Wolken Software