SDDC Manager UI inaccessible with error "502 Bad Gateway" after STIG applied

Article ID: 413640

Products

VMware SDDC Manager

Issue/Introduction

After restarting the SDDC Manager VM, the back-end services are stuck in the activating state. The Postgres instance is running, but the services cannot authenticate with the database.

Environment

VCF 5.2.1

Cause

The journalctl logs show that the database password encryption method is unsupported:
MM DD HH:MM:SS ###.###.### bash[60396]: ERROR: password encryption failed: unsupported
MM DD HH:MM:SS ###.###.### bash[60397]: ERROR: password encryption failed: unsupported

Resolution

Validate:
Validate whether the issue is caused by an incorrect password encryption algorithm.
Confirm that the Postgres version on SDDC Manager is 15.6:

psql --version

Log in to the Postgres database and check which password encryption method is set:

psql -U postgres -h localhost
 
show password_encryption;

If the Postgres version is 15.6 and the output shows that the method is set to md5, as below, it needs to be changed to scram-sha-256.

postgres=# show password_encryption;
password_encryption
---------------------
md5
(1 row)


Fix:
Postgres initializes the password encryption method from the postgresql.auto.conf and postgresql.conf files at service restart. Check the postgresql.auto.conf file under the folder /data/pgdata to see whether password_encryption is set to md5.

root@sddc-manager [ /home/vcf ]# cat /data/pgdata/postgresql.auto.conf
# Do not edit this file manually!
# It will be overwritten by the ALTER SYSTEM command.
password_encryption = 'md5'
log_statement = 'ddl'
...

If so, delete the line "password_encryption = 'md5'" and restart the Postgres service.

# Modify file, delete password_encryption line:
vi /data/pgdata/postgresql.auto.conf
 
# Restart postgres
systemctl restart postgres
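
The manual edit above as a scripted check that takes a timestamped backup before changing the file (an added example, not part of the original article; the function name, return codes and backup suffix are assumptions):

```shell
#!/bin/sh
# Added example: scripted form of the manual edit described in this article.
# remove_md5_password_encryption and the .bak.<timestamp> suffix are
# illustrative names, not VMware tooling.
#
# Return codes: 0 = md5 override removed, 1 = no md5 override present,
#               2 = file missing or a copy/write step failed.
remove_md5_password_encryption() {
    conf="$1"
    [ -f "$conf" ] || { echo "missing: $conf" >&2; return 2; }

    # Match only an active (uncommented) md5 setting, quoted or not,
    # optionally followed by a trailing comment.
    pattern="^[[:space:]]*password_encryption[[:space:]]*=[[:space:]]*'?md5'?[[:space:]]*(#.*)?\$"

    if ! grep -Eq "$pattern" "$conf"; then
        echo "no md5 password_encryption override in $conf"
        return 1
    fi

    # Keep a copy so the previous state can be restored if needed.
    backup="$conf.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$conf" "$backup" || return 2

    # Filter into a temp file, then write back through the original inode
    # so ownership and permissions of the config file are unchanged.
    tmp="$(mktemp "$conf.XXXXXX")" || return 2
    sed -E "/$pattern/d" "$backup" > "$tmp" || { rm -f "$tmp"; return 2; }
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"

    echo "removed md5 override from $conf; backup at $backup"
    return 0
}

# Usage: sh this_script.sh /data/pgdata/postgresql.auto.conf
# Afterwards restart Postgres as described in the article:
#   systemctl restart postgres
if [ "$#" -gt 0 ]; then
    remove_md5_password_encryption "$1"
fi
```

A return code of 1 means the file carries no md5 override, so the cause described in this article does not apply.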

Additional Information

This can only happen on VCF 5.2.1 and above if the customer is accidentally using older STIG hardening rules.