API authentication fails in Aria Automation with 'invalid_grant' error after VMware Identity Manager certificate replacement


Article ID: 411179


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

In a VMware Aria Automation environment that uses an integrated VMware Identity Manager 3.3.7 (vIDM) for authentication, API calls to Aria Automation fail after the certificate of the vIDM appliance cluster is replaced through VMware Aria Suite Lifecycle.

Attempts to obtain an API token are rejected with an HTTP 400 BAD_REQUEST response carrying the following error payload:

{
  "error": "invalid_grant",
  "error_description": "Invalid username or password"
}

Despite this API failure, interactive user login to the Aria Automation and VMware Identity Manager user interfaces continues to work, which makes the symptom easy to misread as a bad API credential rather than a certificate problem.

Environment

VMware Aria Automation 8.x

VMware Identity Manager 3.3.x

VMware Aria Suite Lifecycle 8.x

Cause

This issue occurs because the VMware Aria Suite Lifecycle certificate replacement workflow cannot update one of the certificate files on the VMware Identity Manager appliances, owing to incorrect file ownership and permissions.

The certificate replacement is carried out by the horizon-workspace service, which runs as the horizon user on the VMware Identity Manager (Workspace ONE Access) appliance. If the target file, /opt/vmware/horizon/workspace/webapps/ROOT/lb_rootca.pem, is owned by a different user (for example, root), the horizon user is denied write access and the file keeps the previous root CA certificate. Because the new certificate is never written to this file, the trust chain that Aria Automation relies on for API authentication against VMware Identity Manager no longer matches the certificate actually presented, and token requests fail with invalid_grant.

Resolution

To resolve this issue, correct the ownership and permissions of lb_rootca.pem on every VMware Identity Manager appliance in the cluster, and then re-run the certificate replacement request from VMware Aria Suite Lifecycle. The commands below change file ownership and therefore require root privileges on the appliance.

  1. Open an SSH session to each VMware Identity Manager appliance.

  2. Navigate to the target directory:

    cd /opt/vmware/horizon/workspace/webapps/ROOT
    
  3. Verify the current ownership and permissions of the lb_rootca.pem file. The expected owner and group are horizon:www with mode 640 (-rw-r-----); any other owner, such as root:root, confirms this issue.

    ls -la lb_rootca.pem
    
  4. Set the correct ownership (horizon:www) and permissions (640):

    chown horizon:www lb_rootca.pem
    chmod 640 lb_rootca.pem
    
    
  5. Repeat steps 1 through 4 on every VMware Identity Manager node in the cluster, then return to the VMware Aria Suite Lifecycle UI.

  6. Retry the failed certificate replacement request for the Workspace ONE Access environment, and afterwards confirm that an API token can be obtained from Aria Automation again.

Note: When running the certificate replacement wizard, it is highly recommended that you select the Opt-in for Snapshot checkbox to ensure a safe rollback point.
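The audit-and-repair steps above, collected into one script that can be run on each appliance before retrying the request. This is an added example, not a VMware-supplied script: it assumes GNU stat (as shipped on the Photon OS appliance) and the file path, owner, group and mode named in this article; running it in DEMO mode uses a constructed temporary file and the current user so that it can be exercised without root.

```bash
#!/bin/sh
# Audit and repair ownership/mode of the vIDM lb_rootca.pem file before
# re-running the Aria Suite Lifecycle certificate replacement.
# Added example (not a VMware script). Assumes GNU stat, i.e. "stat -c".

CERT_FILE="${CERT_FILE:-/opt/vmware/horizon/workspace/webapps/ROOT/lb_rootca.pem}"
EXPECTED_OWNER="${EXPECTED_OWNER:-horizon}"   # user the horizon-workspace service runs as
EXPECTED_GROUP="${EXPECTED_GROUP:-www}"
EXPECTED_MODE="${EXPECTED_MODE:-640}"

# Print "owner:group mode" for a file, e.g. "root:root 644".
file_ident() {
    stat -c '%U:%G %a' "$1" 2>/dev/null
}

# Return 0 when the file already has the expected owner, group and mode,
# 1 when it differs (the mismatch is printed), 2 when the file is missing.
check_perms() {
    path=$1
    actual=$(file_ident "$path") || { printf 'MISSING %s\n' "$path"; return 2; }
    expected="$EXPECTED_OWNER:$EXPECTED_GROUP $EXPECTED_MODE"
    if [ "$actual" = "$expected" ]; then
        printf 'OK   %s %s\n' "$path" "$actual"
        return 0
    fi
    printf 'FIX  %s is %s, want %s\n' "$path" "$actual" "$expected"
    return 1
}

# Apply the fix from the article (chown horizon:www, chmod 640), then re-check
# so the caller gets a hard failure if the repair did not take effect.
fix_perms() {
    path=$1
    chown "$EXPECTED_OWNER:$EXPECTED_GROUP" "$path" || return 1
    chmod "$EXPECTED_MODE" "$path" || return 1
    check_perms "$path"
}

# Audit the file and repair it only when needed; exit status is 0 when the
# file is correct after the run, non-zero otherwise.
audit_and_fix() {
    path=$1
    if check_perms "$path"; then
        return 0
    elif [ "$?" = 1 ]; then
        fix_perms "$path"
    else
        return 2
    fi
}

# DEMO=1 builds a constructed temp file with the wrong mode (644) and expects
# the current user/group, so the logic can be exercised without root.
if [ "${DEMO:-0}" = 1 ]; then
    EXPECTED_OWNER=$(id -un); EXPECTED_GROUP=$(id -gn)
    CERT_FILE=$(mktemp); chmod 644 "$CERT_FILE"
    audit_and_fix "$CERT_FILE"
    rm -f "$CERT_FILE"
elif [ -e "$CERT_FILE" ]; then
    audit_and_fix "$CERT_FILE"
fi
```

Run it as root on every VMware Identity Manager node (for example `sh fix_lb_rootca.sh`, or `DEMO=1 sh fix_lb_rootca.sh` to see it operate on a throwaway file), then retry the certificate replacement from Aria Suite Lifecycle. The check is deliberately strict about group and mode as well as owner: a file that is writable by horizon but world-readable would also be outside what the article specifies.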