SDDC Manager UI fails to load with error, "Unable to obtain Security Token Service from SSO" OR "IDENTITY_INTERNAL_SERVER_ERROR"

Article ID: 409643


Products

VMware SDDC Manager

Issue/Introduction

The SDDC Manager UI fails to load with the error "Unable to obtain Security Token Service from SSO" or "IDENTITY_INTERNAL_SERVER_ERROR". The /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log may show entries similar to:

======================================================================================
xxxx-xx-xxTxx:xx:08.587+0000 ERROR [common,xxxxxxxxxx,xxxx] [c.v.e.s.i.r.a.c.v.IdentityProviderController,http-nio-127.0.0.1-7100-exec-7] Unable to get sddc manager oidc information due to Identity Internal Server Error
xxxx-xx-xxTxx:xx:08.587+0000 ERROR [common,xxxxxxxxxx,xxxx] [c.v.e.s.e.h.LocalizableRuntimeExceptionHandler,http-nio-127.0.0.1-7100-exec-7] [BJOOLL] SDDCMANAGER_GET_OIDC_INFO_FAILED
com.vmware.evo.sddc.identity.rest.api.error.IdentityRestServiceException: 
        at com.vmware.evo.sddc.identity.rest.api.controller.v1.IdentityProviderController.getSddcWs1bOidcInfo(IdentityProviderController.java:410)
Caused by: com.vmware.evo.sddc.common.services.psc.exception.PscException: Unable to obtain Security Token Service from SSO 'mgmtvcenterfqdn'
        at com.vmware.evo.sddc.common.util.SSOEntityService.getSamlToken(SSOEntityService.java:320)
        at com.vmware.evo.sddc.common.util.SSOEntityService.createAdminClient(SSOEntityService.java:367)
        at com.vmware.evo.sddc.common.util.SSOEntityService.createNewAdminClient(SSOEntityService.java:332)
        at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.getAdminClient(PscServiceImpl.java:415)
        ... 160 common frames omitted
Caused by: java.lang.IllegalArgumentException: Expected one or more trusted certificates, but got null
        at com.vmware.vim.sso.client.impl.X509TrustChainKeySelector.checkCtorArgsNotNull(X509TrustChainKeySelector.java:242)
        at com.vmware.vim.sso.client.impl.X509TrustChainKeySelector.<init>(X509TrustChainKeySelector.java:73)
        at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:36)
        at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireToken(SecurityTokenServiceImpl.java:126)
        at com.vmware.evo.sddc.common.util.SSOEntityService.getSamlToken(SSOEntityService.java:309)

/var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log
======================================================================================
[c.v.e.s.a.u.CertificateRetrustJwtHelper,http-nio-127.0.0.1-7100-exec-5] Fetching the signed JWT token
xxxx-xx-xxTxx:xx:43.248+0000 INFO  [common,xxxxxxxxxx,xxxx] [c.v.e.s.a.u.u.ApplianceManagerUtils,http-nio-127.0.0.1-7100-exec-5] Reading from file /opt/vmware/vcf/commonsvcs/etc/signed_jwt_token.jwt ...
xxxx-xx-xxTxx:xx:43.248+0000 ERROR [common,xxxxxxxxxx,xxxx] [c.v.e.s.a.u.u.ApplianceManagerUtils,http-nio-127.0.0.1-7100-exec-5] Reading from the file path failed
java.nio.file.NoSuchFileException: /opt/vmware/vcf/commonsvcs/etc/signed_jwt_token.jwt
        at java.base/sun.nio.fs.UnixException.translateToIOException(UnixException.java:92)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:106)
        at java.base/sun.nio.fs.UnixException.rethrowAsIOException(UnixException.java:111)
        at java.base/sun.nio.fs.UnixFileSystemProvider.newByteChannel(UnixFileSystemProvider.java:218)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:380)
        at java.base/java.nio.file.Files.newByteChannel(Files.java:432)
        at 

The /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log may show entries similar to:

======================================================================================
ERROR [common,9b73587bba4741e8,38a7] [c.v.e.s.i.s.services.PscServiceImpl,http-nio-127.0.0.1-7100-exec-3] Unable to fetch user & groups from saml token
java.lang.RuntimeException: The SAML token signature validation failed!
        at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.validateSamlToken(PscServiceImpl.java:481)
        at com.vmware.evo.sddc.identity.sso.services.PscServiceImpl.getSamlMetaData(PscServiceImpl.java:440)
        at com.vmware.evo.sddc.identity.services.IdentityServiceImpl.getTokenPair(IdentityServiceImpl.java:115)
        at com.vmware.evo.sddc.identity.rest.api.controller.v1.TokenController.createToken(TokenController.java:72)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

======================================================================================
2025-06-27T00:10:21.625+0000 INFO  [common,685de16d58f7c91c3f18c683e35e61a8,9813] [o.b.jsse.provider.PropertyUtils,http-nio-127.0.0.1-7100-exec-8] Found string system property [java.home]: /usr/lib/jvm/openjdk-java17-headless.x86_64
2025-06-27T00:10:21.631+0000 INFO  [common,685de16daeefdb1509d7f3930c9b5c55,1a2b] [c.v.v.s.c.i.X509TrustChainKeySelector,http-nio-127.0.0.1-7100-exec-1] Failed to find trusted path to signing certificate <CN=ssoserverSign>
java.security.cert.CertPathBuilderException: Unable to find certificate chain.
        at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi.engineBuild(Unknown Source)

Environment

VMware Cloud Foundation 5.x
VMware Cloud Foundation 9.x

Cause

This error can be caused by any of the following:

  1. There is a stale STS signing certificate chain in the vCenter SSO.
  2. SDDC Manager does not trust the STS signing certificate (the signing certificate, or the CA that issued it, is not in the SDDC Manager trust store).
  3. The STS signing certificate has expired.
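The following shell snippet is an added example and is not part of this article or of any VMware tooling: it greps vcf-commonsvcs.log for the signatures quoted in the Issue section above, extracts the SSO host named in the PscException, and tags each hit with the cause numbers from the list above that it points at. The sample log it writes is constructed from the excerpts on this page, not a real capture; the signed_jwt_token.jwt line is reported but not interpreted, because the article does not explain it.

```shell
#!/bin/sh
# Added example, not part of the KB: triage pass over vcf-commonsvcs.log for the
# STS/SSO failure signatures quoted in the article.
# On SDDC Manager:  triage_commonsvcs_log /var/log/vmware/vcf/commonsvcs/vcf-commonsvcs.log
# Cause numbers refer to the article's list: 1 stale STS chain, 2 SDDC Manager
# does not trust the STS signing certificate, 3 STS certificate expired.

# Print each distinct SSO host named in "Unable to obtain Security Token Service from SSO '<host>'".
sso_hosts_from_log() {
  sed -n "s/.*Unable to obtain Security Token Service from SSO '\([^']*\)'.*/\1/p" "$1" | sort -u
}

# One finding per signature present. Exit 0 if anything matched, 1 if the log
# carries none of these signatures (the failure is something else).
triage_commonsvcs_log() {
  log="$1"; hits=0
  if grep -q 'Expected one or more trusted certificates, but got null' "$log"; then
    echo "TRUST: STS client built with no trust anchors -> check SDDC Manager trust store for the STS signing chain (causes 1-2)"
    hits=$((hits + 1))
  fi
  if grep -q 'Failed to find trusted path to signing certificate' "$log"; then
    cn=$(sed -n 's/.*Failed to find trusted path to signing certificate <\([^>]*\)>.*/\1/p' "$log" | sort -u | head -n 1)
    echo "TRUST: no path from SDDC Manager trust store to signing certificate <$cn> (causes 1-2)"
    hits=$((hits + 1))
  fi
  if grep -q 'The SAML token signature validation failed' "$log"; then
    echo "SAML: token signature failed validation -> STS signing chain held by SDDC Manager is stale, untrusted or expired (causes 1-3)"
    hits=$((hits + 1))
  fi
  if grep -q 'NoSuchFileException: /opt/vmware/vcf/commonsvcs/etc/signed_jwt_token.jwt' "$log"; then
    echo "JWT: cached signed_jwt_token.jwt is absent; logged alongside the STS failure in the article"
    hits=$((hits + 1))
  fi
  for h in $(sso_hosts_from_log "$log"); do
    echo "SSO: STS failure reported against '$h'; check that vCenter's STS signing certificate chain and expiry"
  done
  [ "$hits" -gt 0 ]
}

# Constructed sample, abridged from the article's excerpts (not a real capture).
write_sample_log() {
  cat > "$1" <<'EOF'
2025-06-27T00:10:08.587+0000 ERROR [common,9b73587bba4741e8,38a7] [c.v.e.s.i.r.a.c.v.IdentityProviderController,http-nio-127.0.0.1-7100-exec-7] Unable to get sddc manager oidc information due to Identity Internal Server Error
Caused by: com.vmware.evo.sddc.common.services.psc.exception.PscException: Unable to obtain Security Token Service from SSO 'mgmtvcenterfqdn'
Caused by: java.lang.IllegalArgumentException: Expected one or more trusted certificates, but got null
2025-06-27T00:10:21.631+0000 INFO  [common,685de16daeefdb1509d7f3930c9b5c55,1a2b] [c.v.v.s.c.i.X509TrustChainKeySelector,http-nio-127.0.0.1-7100-exec-1] Failed to find trusted path to signing certificate <CN=ssoserverSign>
java.security.cert.CertPathBuilderException: Unable to find certificate chain.
EOF
}

demo() {
  f=$(mktemp); write_sample_log "$f"
  triage_commonsvcs_log "$f"
  rm -f "$f"
}
demo
```

The SSO host it prints is the vCenter whose STS signing certificate you check next; a log with none of these signatures makes the function return 1, so it can gate a larger health script.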

Resolution

Verify that the STS signing certificate chain is trusted by SDDC Manager. If the STS signing certificate is VMCA-signed, import the vCenter root certificate into the SDDC Manager trust store by following the steps in the KB article "How to import the vCenter root certificate into the SDDC manager TrustStore".

If the STS certificate chain is stale or the STS certificate has expired, replace the STS certificate with the vCert script by following the steps in the KB article "vCert - expired certificate replacement script".
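As an added example (not from the KB, the vCert script, or any VMware tool), the following POSIX shell functions check the two conditions the resolution asks you to verify with nothing but openssl: whether a trusted path exists from SDDC Manager's trust anchors to the STS signing certificate (the CN=ssoserverSign certificate named in the log), and whether that certificate is expired or about to expire. The trust store location and password file (/etc/vmware/vcf/commonsvcs/trusted_certificates.store and .key) and the keytool export are assumptions about the SDDC Manager appliance layout, to be verified on your system; the self-test builds throwaway certificates with openssl so it runs without any VMware component.

```shell
#!/bin/sh
# Added example (not from the KB): verify the STS signing certificate against
# SDDC Manager's trust anchors using plain openssl.
#   TRUST: can openssl build a path from BUNDLE to CERT? (mirrors the log line
#          "Failed to find trusted path to signing certificate <CN=ssoserverSign>")
#   TIME:  does CERT expire within N days?
# ASSUMPTION (verify on your appliance): SDDC Manager's JKS trust store is
#   /etc/vmware/vcf/commonsvcs/trusted_certificates.store, password in
#   /etc/vmware/vcf/commonsvcs/trusted_certificates.key
# CERT is the STS signing certificate exported from vCenter SSO as PEM.

# Dump a JKS trust store to a PEM bundle openssl can read (needs keytool; not
# exercised by the self-test below).
truststore_to_pem() {
  keytool -list -rfc -keystore "$1" -storepass "$(cat "$2")" 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# 0 = trusted path found, 1 = none. -no_check_time keeps this independent of
# the expiry check so the two causes are reported separately.
sts_trusted() { openssl verify -no_check_time -CAfile "$2" "$1" >/dev/null 2>&1; }

# 0 = still valid N days from now, 1 = expired or expiring within N days.
sts_valid_for_days() { openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; }

# One-line verdict in the article's terms: UNTRUSTED (cause 1/2), EXPIRING (cause 3) or OK.
sts_diagnose() {
  cert="$1"; bundle="$2"; days="${3:-30}"
  subj=$(openssl x509 -noout -subject -in "$cert" 2>/dev/null)
  if ! sts_trusted "$cert" "$bundle"; then
    echo "UNTRUSTED: no path from SDDC Manager trust anchors to [$subj]; import the STS chain / vCenter root (cause 1/2)"
  elif ! sts_valid_for_days "$cert" "$days"; then
    echo "EXPIRING: [$subj] expired or expires within $days days; replace the STS certificate (cause 3)"
  else
    echo "OK: [$subj] trusted and valid for more than $days days"
  fi
}

# Constructed test material: a throwaway "current VMCA" root, an "old VMCA" root
# standing in for a stale chain, and a signing certificate valid for only 10 more days.
make_demo_certs() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for ca in current old; do
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -subj "/CN=$ca VMCA" -keyout "$d/$ca.key" -out "$d/$ca.csr" 2>/dev/null
    openssl x509 -req -in "$d/$ca.csr" -signkey "$d/$ca.key" -days 3650 \
      -extfile "$d/ca.ext" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=ssoserverSign" -keyout "$d/sts.key" -out "$d/sts.csr" 2>/dev/null
  openssl x509 -req -in "$d/sts.csr" -CA "$d/current.pem" -CAkey "$d/current.key" \
    -CAcreateserial -days 10 -out "$d/sts.pem" 2>/dev/null
}

demo() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 0; }
  d=$(mktemp -d); make_demo_certs "$d"
  sts_diagnose "$d/sts.pem" "$d/old.pem" 30      # trust store still holds only the old root
  sts_diagnose "$d/sts.pem" "$d/current.pem" 30  # trusted, but expires inside 30 days
  sts_diagnose "$d/sts.pem" "$d/current.pem" 5   # trusted and good for more than 5 days
  rm -rf "$d"
}
demo
```

On a real appliance, export the trust store with truststore_to_pem, export the STS signing certificate from the management vCenter, and run sts_diagnose on the pair; an UNTRUSTED verdict points at the import step above, EXPIRING at the vCert replacement.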