Changing migrated default org's name in VCFA 9.x breaks VCFA UI and CSP API login

Article ID: 433492


Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

After renaming the default organization migrated from vRA 8.x in VCFA 9.x via the Tenant Manager UI, two things break:

  • VCFA UI login is broken - The OAuth client in vIDM for the migrated tenant still references the old org name in its redirect URI, so the UI authentication flow fails.
  • CSP API login is broken - The identity-service internally caches the default org name that was set during the 8.x to 9.x upgrade. After the org is renamed, the identity-service still uses the old name, so CSP API login requests (/csp/gateway/am/api/login) that rely on default tenant resolution fail.

Environment

VCF Automation 9.0+

Cause

The default org name is read from Tenant Manager and passed to the identity-service only at deploy or upgrade time. Renaming the org through the TM UI does not automatically propagate the new name to running services.

Resolution

Currently, there is no in-product resolution. Follow the workaround steps below to update the organization name.

Workaround

Step 1: Update the vIDM OAuth Client Redirect URI

Update the redirect URI of the OAuth client in vIDM used by the migrated TM organization to reflect the new organization name.

  1. Navigate to vIDM > Catalog > Settings > Remote App Access.
  2. Locate and edit the relevant client_id.
  3. In the Redirect URL field, update the organization name at the end of the string.
    Note: The host name does not need to be modified for this specific process.

Step 2: Trigger a Services Restart

  1. (Optional) Take a backup of VCFA. While this is a recommended general precaution, this workaround only triggers a standard services redeployment and may be skipped if necessary.
  2. Log into one of the VCFA virtual machines:
    1. ssh vmware-system-user@<VCFA-Platform-FQDN>
    2. sudo -i
  3. Execute the following command to trigger a services redeployment:
    vmsp pkg configure -n prelude vcfa-bundle --set "vcfa.debug.rollme=$(uuidgen)"

    This process picks up the updated default organization name from Tenant Manager.

  4. Monitor the redeployment progress by running:
    kubectl get pd -n prelude

    Wait until the vcfa-bundle PackageDeployment displays Successful in the PHASE column. This may take several minutes.

  5. Once the deployment is Successful, verify the changes in the identity-service:
    kubectl get deployment -n prelude identity-service-app -o yaml | grep default.soft.tenant

    Confirm that the output value matches the new organization name.
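
Steps 2.4 and 2.5 can be scripted so that a stale organization name is caught without watching the terminal. The following is an added example, not part of the KB article or the product: the function names, timeout values and whole-token match are assumptions, and the table parsing assumes the PackageDeployment name is in the first column.

```shell
#!/bin/sh
# Added example, not from the KB article: helpers for Steps 2.4 and 2.5.

# Read `kubectl get pd -n prelude` table output on stdin and print the PHASE
# value of the named PackageDeployment. The column is located by its header.
# Assumes the name is in the first column and no earlier column is empty.
pd_phase() {
  awk -v name="$1" '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "PHASE") col = i; next }
    col && $1 == name { print $col; exit }'
}

# Poll until the PackageDeployment reports Successful or the timeout expires.
# Timeout and interval (seconds) are assumed defaults, not product values.
wait_for_pd() (
  name=$1; timeout=${2:-1800}; interval=${3:-30}; waited=0
  while [ "$waited" -le "$timeout" ]; do
    phase=$(kubectl get pd -n prelude 2>/dev/null | pd_phase "$name")
    echo "$name phase: ${phase:-unknown} (${waited}s)"
    [ "$phase" = "Successful" ] && exit 0
    sleep "$interval"; waited=$((waited + interval))
  done
  exit 1
)

# Read the Step 2.5 grep output on stdin. Succeed only if a default.soft.tenant
# line exists and every such line carries the new org name as a whole token,
# so an old name that merely contains the new one is rejected.
tenant_is() {
  [ -n "$1" ] || return 2
  awk -v n="$1" '
    index($0, "default.soft.tenant") {
      seen = 1; ok = 0
      for (p = 1; p + length(n) - 1 <= length($0); p++) {
        if (substr($0, p, length(n)) != n) continue
        b = (p > 1) ? substr($0, p - 1, 1) : ""
        a = substr($0, p + length(n), 1)
        if (b !~ /[A-Za-z0-9_.-]/ && a !~ /[A-Za-z0-9_.-]/) ok = 1
      }
      if (!ok) bad = 1
    }
    END { exit ((seen && !bad) ? 0 : 1) }'
}

# Run as: sh check.sh <new-org-name>  (on a VCFA node, as root)
if [ $# -eq 1 ]; then
  wait_for_pd vcfa-bundle &&
    kubectl get deployment -n prelude identity-service-app -o yaml |
      grep default.soft.tenant | tenant_is "$1" && echo "identity-service uses $1"
fi
```

A non-zero exit means either the redeployment did not reach Successful within the timeout or the identity-service still carries a name other than the one passed in.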