Configuring OKTA as an External Identity Provider fails with error 'Could not create indirect identity provider'.

Article ID: 429908

Products

VMware vCenter Server

Issue/Introduction

  • Configuring OKTA as an External Identity Provider on the vCenter Server fails with error message: "Could not create indirect identity provider."
  • /var/log/vmware/vc-ws1a-broker/federation-service.log on the vCenter Server reports TLS handshake failures while fetching the Okta OIDC configuration:
    YYYY-MM-DDTHH:MM:SSZ,622 WARN  vcenter.example.com:federation (ForkJoinPool-2-worker-###) [CUSTOMER;########-####-####-####-############;127.0.0.1;########-####-####-####-############;-;-] com.vmware.vidm.federation.broker.BrokerIdentityProvidersServiceImpl - An error occurred while in Broker Create IdP API. Attempting rollback if needed com.vmware.vidm.federation.oidc.OidcIdpConfigurationException: oidc.config.api.validation.error
            at com.vmware.vidm.federation.oidc.OidcIdpConfigurationException.anOidIdpConfigurationException(OidcIdpConfigurationException.java:28)
            at com.vmware.vidm.federation.oidc.OidcConfigurationService.lambda$fetchOidcConfiguration$2(OidcConfigurationService.java:84)        
    Caused by: javax.net.ssl.SSLHandshakeException: Failed to create SSL connection
            at io.vertx.core.net.impl.ChannelProvider$1.userEventTriggered(ChannelProvider.java:127)
            at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:398)         
    Caused by: javax.net.ssl.SSLException: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
            at org.bouncycastle.jsse.provider.ProvSSLEngine.unwrap(ProvSSLEngine.java:505)   
            ... 26 more
    Caused by: org.bouncycastle.tls.TlsFatalAlert: certificate_unknown(46)
            at org.bouncycastle.jsse.provider.ProvSSLEngine.checkServerTrusted(ProvSSLEngine.java:154)
            at org.bouncycastle.jsse.provider.ProvTlsClient$1.notifyServerCertificate(ProvTlsClient.java:382)    
    Caused by: java.security.cert.CertificateException: Unable to construct a valid chain
            at org.bouncycastle.jsse.provider.ProvX509TrustManager.validateChain(ProvX509TrustManager.java:317)    
            ... 40 more
    Caused by: java.security.cert.CertPathBuilderException: No issuer certificate for certificate in certification path found.
            at org.bouncycastle.jcajce.provider.PKIXCertPathBuilderSpi_8.engineBuild(Unknown Source)       
            ... 43 more
  • /var/log/vmware/trustmanagement/trustmanagement-svcs.log reports the following error stack:
    YYYY-MM-DDTHH:MM:SSZ.453Z [tomcat-exec-22 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Created directory example-okta for tenant customer
    YYYY-MM-DDTHH:MM:SSZ.453Z [tomcat-exec-22 [] INFO  com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp  opId=] Created directory with ID ########-####-####-####-############
    YYYY-MM-DDTHH:MM:SSZ.454Z [tomcat-exec-22 [] DEBUG com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Wrote the following request content for API request CREATE_IDENTITY_PROVIDER and url http://localhost:1080/external-vecs/http1/vcenter.example.com/443/federation/t/customer/broker/identity-providers: {"directory_list":[{"id":"########-####-####-####-############"}],"idp_name":"Okta","oidc_profile":{"configuration_url":"https:\/\/Okta.example.com\/oauth2\/####################\/.well-known\/openid-configuration","open_id_user_identifier_attribute":"sub","internal_user_identifier_attribute":"ExternalId","pass_through_claims":null,"client_secret":"####################-g","client_id":"####################"},"idp_type":"OIDC"}
    YYYY-MM-DDTHH:MM:SSZ.623Z [tomcat-exec-22 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] API request CREATE_IDENTITY_PROVIDER to url http://localhost:1080/external-vecs/http1/vcenter.example.com/443/federation/t/customer/broker/identity-providers returned unexpected response code 400 and the following error information: {"errors":[{"code":"oidc.config.api.validation.error","message":"Failed to retrieve OIDC endpoints from configuration url: https://Okta.example.com/oauth2/####################/.well-known/openid-configuration.","parameters":{"configUrl":"https://Okta.example.com/oauth2/####################/.well-known/openid-configuration"}}]}
    YYYY-MM-DDTHH:MM:SSZ.623Z [tomcat-exec-22 [] ERROR com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Failed to create identity provider with IDP name Okta for tenant customer on host vcenter.example.com
    YYYY-MM-DDTHH:MM:SSZ.623Z [tomcat-exec-22 [] ERROR com.vmware.vcenter.trustmanagement.impl.AuthBrokerIdp  opId=] Rolling back 1 operations after error creating IDP: Failed to create identity provider with IDP name Okta for tenant customer on host vcenter.example.com
    YYYY-MM-DDTHH:MM:SSZ.717Z [tomcat-exec-22 [] INFO  com.vmware.vcenter.trustmanagement.authbroker.BrokerClient  opId=] Deleted directory with ID ########-####-####-####-############ for tenant customer
    YYYY-MM-DDTHH:MM:SSZ.718Z [tomcat-exec-22 [] ERROR com.vmware.vcenter.trustmanagement.migration.IdpReplacer  opId=] Failed to create Auth Broker IDP
    com.vmware.vcenter.trustmanagement.authbroker.BrokerException: Failed to create identity provider with IDP name Okta for tenant customer on host vcenter.example.com 

Environment

VMware vCenter Server 8.X

Cause

  • vCenter Server includes a service known as VIDB (vc-ws1a-broker), which is responsible for communication with OKTA, including retrieving the OIDC configuration from the .well-known/openid-configuration URL shown in the logs.
  • When SSL inspection is enabled on the proxy, the TLS connection to OKTA terminates at the proxy, which presents a certificate signed by its own internal CA. Since the VIDB service does not automatically trust this CA, certificate chain validation fails ("No issuer certificate for certificate in certification path found"), resulting in OKTA authentication errors.

Resolution

  • To resolve the issue, add the proxy server's CA certificate(s) to the keystore used by the vCenter VIDB (vc-ws1a-broker) service, following the steps below.

         Prerequisite: take a pre-change snapshot of the vCenter Server (online or offline) as described in the KB article "VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice".

1: Identify the VIDB Keystore Location

The VIDB service runs inside a container and uses its own JRE keystore. As a result, it does not rely on VECS or the system-wide trust store, and certificates added there are not visible to VIDB.

Note:

<HASH> directory name is unique to each deployment.

JRE version (for example, jre-17.0.10) may vary depending on the vCenter Server version.

Typical keystore location: 

/storage/containers/vc-ws1a-broker/<HASH>/rootfs/usr/local/jre-17.0.10/lib/security/cacerts

2: Create a Complete Certificate Chain

If the proxy uses an intermediate CA, ensure the full certificate chain is imported. The files must be PEM-encoded (Base64 text with BEGIN/END CERTIFICATE markers), whatever their extension; binary DER files cannot be concatenated and must be converted to PEM first. Concatenate the certificates in the correct order (leaf, then intermediate, then root):

cat domain.der intermediate.der root.der >> chain.crt

3: Import the Proxy CA Certificate(s)

Run the command once per CA certificate with a distinct alias for each, because keytool stores only the first certificate found in a multi-certificate file:

keytool -noprompt -storepass changeit -import -trustcacerts -file "<location to cert file on disk>"  -alias <some alias> -keystore "path to the store from Step 1"

4: Restart the VIDB Service 

service-control --restart vc-ws1a-broker
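The steps above, as an added shell example that is not part of this KB: it builds a PEM bundle (converting DER input with openssl where needed), locates the VIDB container keystore by glob instead of a hard-coded <HASH> and JRE version, and imports each CA certificate under its own alias. The keystore path and the proxy-ca-N alias names are assumptions.

```shell
#!/bin/sh
# Added example (not from the KB): stage the proxy CA chain for the VIDB
# (vc-ws1a-broker) truststore. Paths assume the KB's typical keystore
# location; the <HASH> and JRE version segments are discovered by glob.
set -eu

# Succeed if a file is PEM-encoded. Both cat and keytool need PEM here;
# binary DER files cannot be concatenated into a usable bundle.
is_pem() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the number of certificates in a PEM bundle (0 for non-PEM input).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Write a PEM bundle from the given files in order (e.g. intermediate, root),
# converting DER input with openssl where needed; prints the certificate count.
build_chain() {
    out=$1; shift
    : > "$out"
    for f in "$@"; do
        if is_pem "$f"; then cat "$f" >> "$out"
        else openssl x509 -inform der -in "$f" >> "$out"; fi
    done
    count_certs "$out"
}

# Print the VIDB container keystore path; fail unless exactly one is found.
find_vidb_keystore() {
    set -- /storage/containers/vc-ws1a-broker/*/rootfs/usr/local/jre-*/lib/security/cacerts
    [ "$#" -eq 1 ] && [ -f "$1" ] || return 1
    printf '%s\n' "$1"
}

# Import each certificate of the bundle under its own alias: keytool
# -importcert stores only the first certificate of a multi-certificate file.
import_chain() {
    ks=$1; bundle=$2; n=$(count_certs "$bundle"); i=1
    while [ "$i" -le "$n" ]; do
        awk -v n="$i" '/BEGIN CERTIFICATE/{c++} c==n' "$bundle" > "/tmp/proxy-ca-$i.pem"
        keytool -noprompt -storepass changeit -importcert -trustcacerts \
            -file "/tmp/proxy-ca-$i.pem" -alias "proxy-ca-$i" -keystore "$ks"
        i=$((i + 1))
    done
    # Verify the aliases landed in the store (prints how many).
    keytool -storepass changeit -list -keystore "$ks" | grep -c 'proxy-ca-'
}
```

Typical use on the appliance is `build_chain /tmp/chain.pem intermediate.cer root.cer` followed by `import_chain "$(find_vidb_keystore)" /tmp/chain.pem`, then the service restart from Step 4.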

Additional Information

vCenter Server Entra ID Domain User Login Failure After Enabling SSL Inspection