Password remediation for WorkspaceOne / VIDM root user fails with "Algorithm negotiation fail" error
Article ID: 414988

Products

VMware SDDC Manager VMware Cloud Foundation

Issue/Introduction

  • When attempting to manage passwords within SDDC Manager, you may encounter the following symptoms regarding Workspace ONE Access / VIDM accounts:

    • Account Status: User accounts such as root, admin, and audit show a status of Disconnected in the SDDC Manager password management dashboard.
    • SSH Access: You are able to manually log in to the vIDM appliance via SSH using the current password; the password is valid and not expired.

  • Error in /var/log/vmware/vcf/operationsmanager/operationsmanager.log
    DEBUG [vcf_om,696.............] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-18] Error Message : Failed to execute command, error : SSH: Failed to establish
    SSH session to vidm1.example.com, Error Token : #####, Error Cause : {}

    ERROR [vcf_om,696.........] [c.v.v.p.u.c.AbstractPasswordChanger,om-exec-18] Failed to execute command, error : SSH: Failed to establish SSH session to vidm1.example.com
    com.vmware.vcf.passwordmanager.exception.PasswordUpdateException: Failed to execute command, error : SSH: Failed to establish SSH session to vidm1.example.com
            at com.vmware.vcf.passwordmanager.update.changers.SshPasswordChanger.doSSHTest(SshPasswordChanger.java:79)

    Caused by: com.vmware.evo.sddc.common.util.command.CommandExecuterException: SSH: Failed to establish SSH session to vidm1.example.com

    Caused by: com.jcraft.jsch.JSchException: Algorithm negotiation fail

Environment

  • VMware Cloud Foundation
  • WorkspaceOne

Cause

This issue occurs due to a mismatch in the supported SSH algorithms between SDDC Manager and the vIDM appliance.

Specifically, the legacy JSch library that SDDC Manager uses for password operations may fail to negotiate a connection when the target appliance's /etc/ssh/sshd_config enables or prioritizes host key types (such as RSA) that the client does not expect while disabling the ones it does expect (such as ED25519), or vice versa.

In this scenario:

  • HostKey /etc/ssh/ssh_host_rsa_key is currently enabled.
  • HostKey /etc/ssh/ssh_host_ed25519_key is currently disabled.

Resolution

Modify the SSH daemon configuration on the Workspace ONE / vIDM appliance so that it prioritizes the host keys and algorithms SDDC Manager expects.

Steps to follow:

  1. Edit SSH Configuration
    1. Log in to the vIDM appliance via SSH as the root user.
    2. Open the SSH configuration file for editing:
      vi /etc/ssh/sshd_config

    3. Locate the HostKey entries. Modify the file to comment out the RSA key and ensure the ECDSA and ED25519 keys are active.
    4. Ensure the HostKeyAlgorithms parameter explicitly disables ssh-rsa if required by your security policy, or matches the configuration below.
      #HostKey /etc/ssh/ssh_host_rsa_key
      HostKey /etc/ssh/ssh_host_ecdsa_key
      HostKey /etc/ssh/ssh_host_ed25519_key

  2. Restart SSH Service
    systemctl restart sshd

  3. Update SSH Host Keys: Because the host keys have changed, SDDC Manager must be updated to trust the new keys. Follow the steps in the article "How to update the SSH host keys on the SDDC Manager".
  4. Retry Remediation
    1. Return to the SDDC Manager UI.
    2. Navigate to the Password Management section.
    3. Retry the password remediation or rotation workflow for the Workspace ONE / vIDM resource.
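As an added check that is not part of this article, the following POSIX shell script audits which HostKey directives are active (not commented out) in an sshd_config and flags the mismatched state described in the Cause section before and after the edit in step 1; the two sample config files are constructed here rather than taken from an appliance.

```shell
#!/bin/sh
# Audit active HostKey directives in an sshd_config and report whether the
# ED25519 host key is enabled and the RSA host key is disabled, which is the
# state the resolution above produces. Assumption: one "HostKey <path>"
# directive per line, as in the appliance's /etc/ssh/sshd_config.

# Print the paths of active HostKey directives; commented lines are skipped
# because their first token is "#HostKey", not "HostKey". sshd treats
# keywords case-insensitively, so compare in lower case.
active_hostkeys() {
    awk 'tolower($1) == "hostkey" { print $2 }' "$1"
}

# Return 0 when ssh_host_ed25519_key is active and ssh_host_rsa_key is not;
# return 1 when the file still matches the failing state in the Cause section.
check_hostkeys() {
    ed25519=0
    rsa=0
    for k in $(active_hostkeys "$1"); do
        case "$k" in
            *ssh_host_ed25519_key) ed25519=1 ;;
            *ssh_host_rsa_key)     rsa=1 ;;
        esac
    done
    if [ "$ed25519" -eq 1 ] && [ "$rsa" -eq 0 ]; then
        echo "OK: ED25519 host key active, RSA host key disabled ($1)"
        return 0
    fi
    echo "MISMATCH: ed25519_active=$ed25519 rsa_active=$rsa ($1)"
    return 1
}

# Constructed sample configs: BEFORE mirrors the failing state, AFTER mirrors
# the HostKey block from step 1.4 of the resolution.
BEFORE=$(mktemp)
AFTER=$(mktemp)
printf 'HostKey /etc/ssh/ssh_host_rsa_key\n#HostKey /etc/ssh/ssh_host_ed25519_key\n' > "$BEFORE"
printf '#HostKey /etc/ssh/ssh_host_rsa_key\nHostKey /etc/ssh/ssh_host_ecdsa_key\nHostKey /etc/ssh/ssh_host_ed25519_key\n' > "$AFTER"

check_hostkeys "$BEFORE" || true   # prints MISMATCH
check_hostkeys "$AFTER"            # prints OK
```

On the appliance itself, `sshd -T | grep -i hostkey` prints the effective HostKey and HostKeyAlgorithms values after the restart in step 2, which is the authoritative view of what sshd will offer to SDDC Manager.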