Error: "pak_manager.pakfile.signed_untrusted_certificate" when activating the CIS Management Pack (or other Management Packs) in Aria Operations

search cancel

Error: "pak_manager.pakfile.signed_untrusted_certificate" when activating the CIS Management Pack (or other Management Packs) in Aria Operations

book

Article ID: 409626

calendar_today

Updated On:

Products

VCF Operations/Automation (formerly VMware Aria Suite) VCF Operations

Issue/Introduction

When attempting to activate the CIS Management Pack in Aria Operations under Integrations -> Repository, the operation fails and returns the below error message:

pak_manager.pakfile.signed_untrusted_certificate

When navigating to the Integrations page in Aria Operations, the message “Installing management pack” continues to be displayed.

In the /storage/vcops/log/casa/casa.log you see the below error:

YYYY-MM-DDTHH:MM:SS,697+0000 ERROR [ajp-nio-127.0.0.1-8011-exec-5] [KZ000nAF] upgrade.pak.PakService:4913 -
com.vmware.vcops.casa.exception.CasaLocalizableException: CasaLocalizableException: key=pak_manager.pakfile.signed_untrusted_certificate; args=vRealizeOperationsCompliancePackforCIS-818424871765.pak,PAK file was not signed by any expected certificate; cause=
at com.vmware.vcops.casa.upgrade.pak.PakService.uploadLocal(PakService.java:487) ~[classes/:?]
at com.vmware.vcops.casa.upgrade.pak.PakService.upload(PakService.java:358) ~[classes/:?]
at com.vmware.vcops.casa.upgrade.pak.PakService.uploadToMaster(PakService.java:4904) ~[classes/:?]

Environment

VMware Aria Operations 8.18.4

VCF Operations 9.x

Cause

This is a known issue in Aria Operations & VCF Operations

Resolution

Follow the workaround below to resolve the issue:

Workaround:

Navigate to Integrations->Repository page:
- If the installation task is stuck (see the screenshot below), execute the following commands.
- If it is not stuck, proceed directly to Step 2.
- Stop CASA service
  Run the following command on each node:
```
service vmware-casa stop
```
  • For HA clusters: stop in this order → Data nodes → Replica node → Primary node.
  • For CA clusters: stop in this order → All Data nodes → Replica node → Primary node.
- Start CASA service
  Run the following command on each node:
```
service vmware-casa start
```
  • For HA clusters: start in this order → Primary node → Primary Replica → Data nodes.
  • For CA clusters: start in this order → Primary node → Primary Replica → Data nodes.
  
  ⚠️ After starting each node, make sure the service is fully up before moving to the next one. You can verify this with:
```
service vmware-casa status
```
SSH to the Aria Operations primary node and navigate to /storage/db/casa/pak/dist_pak_files/{PLATFORM}, where the .pak files are stored.
Copy the vRealizeOperationsCompliancePackforCIS-818424871765.pak file to your local environment.
Open the Admin UI and go to Software Update.
Click INSTALL A SOFTWARE UPDATE, then BROWSE to select the copied .pak file.
Check both checkboxes:
- Install the PAK file even if it is already installed
- Ignore PAK file signature (does not apply to VMware Aria Operations PAK file)

Note: In VCF operations 9.x, by default, ignoring the PAK file signature is disabled; you must enable it in the Admin UI. Go to https://youroperationsfqdn/admin - Administrator Settings - Security Settings and enable it.

7. Click the upload button

8. And then follow the steps that the Wizard will suggest.

Feedback

thumb_up Yes

thumb_down No