SDDC Manager UI fails to load with error, "Unable to obtain Security Token Service from SSO" OR "IDENTITY_INTERNAL_SERVER_ERROR"

Article ID: 409643

Products

VMware SDDC Manager

Issue/Introduction

  • /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log
    YYYY-MM-DDThh:mm:ss.587+0000 ERROR [common,xxxxxxxxxx,xxxx] [c.v.e.s.i.r.a.c.v.IdentityProviderController,http-nio-127.0.0.1-7100-exec-7] Unable to get sddc manager oidc information due to Identity Internal Server Error
    YYYY-MM-DDThh:mm:ss.587+0000 ERROR [common,xxxxxxxxxx,xxxx] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7100-exec-7] [BJOOLL] SDDCMANAGER_GET_OIDC_INFO_FAILED 
    com.vmware.evo.sddc.identity.rest.api.error.IdentityRestServiceException: 
            at com.vmware.evo.sddc.identity.rest.api.controller.v1.IdentityProviderController.getSddcWs1bOidcInfo(IdentityProviderController.java:410)
    Caused by: com.vmware.evo.sddc.common.services.psc.exception.PscException: Unable to obtain Security Token Service from SSO 'mgmtvcenterfqdn'
            at com.vmware.evo.sddc.common.util.SSOEntityService.getSamlToken(SSOEntityService.java:320)
            at com.vmware.evo.sddc.common.util.SSOEntityService.createAdminClient(SSOEntityService.java:367)
            at com.vmware.evo.sddc.common.util.SSOEntityService.createNewAdminClient(SSOEntityService.java:332)
            at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.getAdminClient(PscServiceImpl.java:415)
            ... 160 common frames omitted
    Caused by: java.lang.IllegalArgumentException: Expected one or more trusted certificates, but got null
            at com.vmware.vim.sso.client.impl.X509TrustChainKeySelector.checkCtorArgsNotNull(X509TrustChainKeySelector.java:242)
            at com.vmware.vim.sso.client.impl.X509TrustChainKeySelector.<init>(X509TrustChainKeySelector.java:73)
            at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:36)
            at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireToken(SecurityTokenServiceImpl.java:126)
            at com.vmware.evo.sddc.common.util.SSOEntityService.getSamlToken(SSOEntityService.java:309)
  • /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log
    [c.v.e.s.a.u.CertificateRetrustJwtHelper,http-nio-127.0.0.1-7100-exec-5] Fetching the signed JWT token
    YYYY-MM-DDThh:mm:ss.248+0000 INFO  [common,xxxxxxxxxx,xxxx] [c.v.e.s.a.u.u.ApplianceManagerUtils,http-nio-127.0.0.1-7100-exec-5] Reading from file /opt/vmware/vcf/commonsvcs/etc/signed_jwt_token.jwt ...
    YYYY-MM-DDThh:mm:ss.248+0000 ERROR [common,xxxxxxxxxx,xxxx] [c.v.e.s.a.u.u.ApplianceManagerUtils,http-nio-127.0.0.1-7100-exec-5] Reading from the file path failed
    java.nio.file.NoSuchFileException: /opt/vmware/vcf/commonsvcs/etc/signed_jwt_token.jwt
            at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
            at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
            at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
            at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
            at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
            at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
            at 
  • /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log
    ERROR [common,9b73587bba4741e8,38a7] [c.v.e.s.i.s.services.PscServiceImpl,http-nio-127.0.0.1-7100-exec-3] Unable to fetch user & groups from saml token
    java.lang.RuntimeException: The SAML token signature validation failed!
            at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.validateSamlToken(PscServiceImpl.java:481)
            at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.getSamlMetaData(PscServiceImpl.java:440)
            at com.vmware.evo.sddc.identity.services.IdentityServiceImpl.getTokenPair(IdentityServiceImpl.java:115)
            at com.vmware.evo.sddc.identity.rest.api.controller.v1.TokenController.createToken(TokenController.java:72)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  • The trust-path failure may also appear as:
    YYYY-MM-DDThh:mm:ss.625+0000 INFO  [common,685de16d58f7c91c3f18c683e35e61a8,9813] [o.b.jsse.provider.PropertyUtils,http-nio-127.0.0.1-7100-exec-8] Found string system property [java.home]: /usr/lib/jvm/openjdk-java17-headless.x86_64
    YYYY-MM-DDThh:mm:ss.631+0000 INFO  [common,685de16daeefdb1509d7f3930c9b5c55,1a2b] [c.v.v.s.c.i.X509TrustChainKeySelector,http-nio-127.0.0.1-7100-exec-1] Failed to find trusted path to signing certificate <CN=ssoserverSign>
    java.security.cert.CertPathBuilderException: Unable to find certificate chain.
            at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)

Environment

  • VCF 5.x
  • VCF 9.x

Cause

This error can be caused by the following:

  • There is a stale STS signing certificate chain in the vCenter SSO.
  • SDDC Manager does not trust the STS signing certificate.
  • The STS signing certificate has expired.
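The first two causes come down to two checks: does the STS signing certificate chain to a CA that the trust store holds, and is it still within its validity period? The shell example below is added here and is not part of this KB or of any VMware tooling. It builds constructed test material in a temp directory (a stand-in issuing CA, an unrelated CA, and a one-day leaf certificate named `ssoserverSign` after the subject quoted in the log) so that it runs offline, and its `check_sts_cert` function maps each outcome onto the errors quoted above. The function name, the file names and every certificate in it are assumptions of the example, not values from a real vCenter or SDDC Manager.

```shell
#!/bin/sh
# Added example, not from the KB and not a VMware tool: reproduces offline the
# two checks behind the "Unable to find certificate chain" and expired-STS causes
# using openssl. Every certificate, key and trust bundle below is constructed in
# a temp directory; nothing is read from a vCenter or an SDDC Manager appliance.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed issuing CA (stands in for the VMCA; an assumption, not a real CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=constructed-VMCA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
# A second, unrelated CA: a trust store holding only this one models the
# "SDDC Manager does not trust the STS signing certificate" cause.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=unrelated-CA" \
  -keyout "$WORK/other.key" -out "$WORK/other.pem" >/dev/null 2>&1

# Constructed STS signing certificate with the subject seen in the log
# (CN=ssoserverSign), issued by the constructed CA with only 1 day of validity.
openssl req -newkey rsa:2048 -nodes -subj "/CN=ssoserverSign" \
  -keyout "$WORK/sts.key" -out "$WORK/sts.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/sts.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/sts.pem" >/dev/null 2>&1

# check_sts_cert CERT BUNDLE DAYS
#   0: CERT chains to a CA in BUNDLE and stays valid for at least DAYS more days
#   1: no trusted path from CERT to anything in BUNDLE (the CertPathBuilderException case)
#   2: chain is fine but CERT expires within DAYS days (the expired/expiring case)
check_sts_cert() {
  cert=$1; bundle=$2; days=$3
  if ! openssl verify -CAfile "$bundle" "$cert" >/dev/null 2>&1; then
    return 1
  fi
  if ! openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null 2>&1; then
    return 2
  fi
  return 0
}

# Prints a human-readable verdict for one certificate/bundle pair.
report() {
  rc=0
  check_sts_cert "$1" "$2" "$3" || rc=$?
  case $rc in
    0) echo "OK:   trusted chain; not expiring within $3 day(s)" ;;
    1) echo "FAIL: no trusted path to the signing certificate (issuer missing from the trust store)" ;;
    2) echo "FAIL: signing certificate expires within $3 day(s); renew it" ;;
  esac
}

report "$WORK/sts.pem" "$WORK/ca.pem"    0   # issuer trusted, still valid
report "$WORK/sts.pem" "$WORK/other.pem" 0   # issuer absent from the trust store
report "$WORK/sts.pem" "$WORK/ca.pem"    30  # trusted, but expiring within 30 days
```

On a real system you would point `check_sts_cert` at the exported STS signing certificate and at a PEM bundle of the CA certificates held in the SDDC Manager trust store: a return of 1 corresponds to the `Expected one or more trusted certificates` / `Unable to find certificate chain` errors, and 2 to the expired-certificate cause. How those two files are exported is outside this example.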

Resolution

Ensure SDDC Manager trusts the STS signing certificate. Depending on the current certificate's status, take the appropriate action below:

  1. If the STS certificate is VMCA-signed: Follow the steps in the KB article, "How to add/delete Custom CA Certificates to SDDC Manager and Common Services trust stores".

  2. If the STS certificate is expired or has a stale chain: Replace it by following the instructions in the "vCert - expired certificate replacement script".