Attempting to configure Microsoft Entra ID as an identity provider in VCF Operations Manager fails with the error "xml metadata is invalid! Reason: Failed to validate SAML metadata: Internal Server error, cause unknown."
If the certificates on the VIDB (VMware Identity Broker) interface were replaced before VCF 9.0.1, the new root certificate chain may not have been published into the VCF Operations trusted root store. The same can happen if the chain used by VIDB contains a certificate whose signature uses SHA-1.
After the SSO error appears in the UI, /storage/log/vcops/log/collector.log on the VCF Operations Manager appliance should contain the following errors: "Failed to get tenant admin token from Vidb appliance" and "javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
Run the following two commands against VCF Operations Manager to check whether the root and intermediate certificates that signed the VIDB certificate are stored in VCF Operations:
Obtain a token:

curl --request POST \
  --url https://<VCF OPS>/suite-api/api/auth/token/acquire \
  --header 'accept: application/json' \
  --header 'content-type: application/json' \
  --data '{ "username": "<admin user>", "password": "<Admin password>" }'

Get the list of certificates using the token from the previous command:

curl --request GET \
  --url https://<VCF OPS>/suite-api/internal/vidb/vmsp/vidbs \
  --header 'accept: application/json' \
  --header 'authorization: vRealizeOpsToken <TOKEN from above step>' \
  --header 'content-type: application/json' \
  --header 'x-vrealizeops-api-use-unsupported: true'

The trustedRootCertPem value in the response is the chain VCF Operations currently trusts for VIDB.
If the root certificate for VIDB is missing from VCF Operations, it must be imported through the API as follows.
1. Take a snapshot of the VCF Operations Manager VM.
2. Generate a token:

curl --request POST \
  --url https://<VCF_OPS>/suite-api/api/auth/token/acquire \
  --header 'content-type: application/json' \
  --data '{ "username": "<ADMIN_USERNAME>", "password": "<ADMIN_PASSWORD>" }'
3. Retrieve the current external VIDB configuration. The response includes the trustedRootCertPem currently stored in VCF Operations (vROps), together with the <External_VIDB_ID> and <EXTERNAL_VIDB_RESOURCE_ID> needed in step 5:

curl --request GET \
  --url https://<OPS FQDN>/suite-api/internal/vidb/vmsp/vidbs \
  --header 'authorization: vRealizeOpsToken <OPS_TOKEN>' \
  --header 'content-type: application/json' \
  --header 'x-vrealizeops-api-use-unsupported: true'
4. Convert the certificate file to be imported into a single JSON-safe string, with each newline replaced by the two characters \n, using the following command:

awk 'BEGIN {ORS="\\n"} {print}' filename.cer

Make sure filename.cer uses Unix (LF) line endings rather than Windows CRLF; otherwise awk leaves carriage returns in the string and the resulting JSON value will not parse as a valid PEM chain.
5. Inject the newly formed certificate string into VCF Operations Manager using the following API call:

curl --request PATCH \
  --url https://<VCF_OPS>/suite-api/internal/vidb/vmsp/<External_VIDB_ID> \
  --header 'authorization: vRealizeOpsToken <OPS_TOKEN>' \
  --header 'content-type: application/json' \
  --header 'x-vrealizeops-api-use-unsupported: true' \
  --data '{ "id": "<External_VIDB_ID>", "vidbResourceId": "<EXTERNAL_VIDB_RESOURCE_ID>", "trustedRootCertPem": "<Trusted_root_with_New_line_as_\n>" }'