Patching the vIDM postgres cluster as part of applying CSP-102547 fails with the error LCMVIDM74076 in Aria Suite Lifecycle 8.18.0
The log file vmware_vrlcm.log contains the following errors, indicating an UnknownHostException for the VMware Identity Manager (vIDM) hostname:
YYYY-MM-DDTHH:MM:SS.###Z ERROR vrlcm[1218] [pool-3-thread-20] [c.v.v.l.u.CertificateUtil] -- IOException :
java.net.UnknownHostException: <vIDM Hostname>
...
YYYY-MM-DDTHH:MM:SS.###Z ERROR vrlcm[1218] [pool-3-thread-20] [c.v.v.l.v.r.c.u.VidmCommonUtil] -- Unable to get the vIDM certificate on the host <vIDM Hostname>
YYYY-MM-DDTHH:MM:SS.###Z ERROR vrlcm[1218] [pool-3-thread-20] [c.v.v.l.v.c.t.p.VidmPgpoolPostPatchConfigurationTask] -- Failed to perform post-patch configurations on vIDM pgpool-cluster. On the host: <vIDM Host IP>
YYYY-MM-DDTHH:MM:SS.###Z INFO vrlcm[1218] [pool-3-thread-20] [c.v.v.l.p.a.s.Task] -- Injecting task failure event. Error Code : 'LCMVIDM74076', Retry : 'true', Causing Properties : '{ CAUSE :: skipTask === hostName === }'
com.vmware.vrealize.lcm.common.exception.LcmException: Failed to perform post-patch configurations on vIDM pgpool-cluster. On the host: <vIDM Host IP>
Running nslookup <vIDM Hostname> from the Aria Suite Lifecycle appliance returns a communication timeout pointing to an old DNS server, and checking /etc/resolv.conf shows the presence of this outdated DNS server.
Error Code: LCMVIDM74076
Error in post-patch configuration of pgpool-cluster on VMware Identity Manager.
Failed to perform post-patch configurations on vIDM pgppol-cluster. On the host: <Primary node IP>
VMware Aria Suite Lifecycle 8.18.0
VMware Identity Manager 3.3.7
This issue typically occurs due to one of the following reasons:
DNS Resolution Failure: The VMware Aria Suite Lifecycle appliance is configured with an outdated or unreachable DNS server. This prevents successful name resolution for the VMware Identity Manager hostname, which ultimately causes the post-patch configuration task to fail.
Unsupported Load Balancer Configuration: The VMware Identity Manager Load Balancer is configured to use the SSL Passthrough option. This configuration is not recommended (SSL Termination should be used instead) and interferes with the patching process.
Scenario 1: Resolving DNS Configuration Issues
If the failure is caused by an incorrect or unreachable DNS configuration on the VMware Aria Suite Lifecycle appliance, update it with valid DNS servers:
SSH into the VMware Aria Suite Lifecycle appliance as root.
Update the DNS servers by executing the following command. (Note: Ensure you replace <NEW_DNS_Server_1> and <NEW_DNS_Server_2> with active DNS IP addresses):
/opt/vmware/share/vami/vami_set_dns <NEW_DNS_Server_1> <NEW_DNS_Server_2>
Restart the systemd-resolved service to apply the changes:
systemctl restart systemd-resolved
Return to the VMware Aria Suite Lifecycle UI and retry the failed vIDM patch request.
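One way to confirm the DNS fix before retrying the patch request is to probe each resolver listed in /etc/resolv.conf for the vIDM hostname, which singles out a stale server like the one described above. This is an added example, not part of the original article or of VMware tooling; the script name check_dns.sh and the PROBE override variable are hypothetical, and it assumes nslookup is available on the appliance, as in the check described earlier.

```shell
#!/bin/sh
# Added example: probe every resolver in resolv.conf for one hostname.

# Print the nameserver addresses from a resolv.conf-format file.
list_nameservers() {
    awk '$1 == "nameserver" && $2 != "" { print $2 }' "${1:-/etc/resolv.conf}"
}

# Return 0 only if SERVER ($1) returns an answer for HOST ($2) within 3 seconds.
probe_server() {
    probe_out=$(nslookup -timeout=3 "$2" "$1" 2>&1) || return 1
    case $probe_out in
        *"timed out"*|*"can't find"*|*"no servers could be reached"*) return 1 ;;
    esac
    return 0
}

# check_resolvers HOST [FILE]: one status line per resolver; non-zero if any fail.
# PROBE is a hypothetical override hook so the probe can be swapped out in tests.
check_resolvers() {
    cr_host=$1
    cr_file=${2:-/etc/resolv.conf}
    cr_probe=${PROBE:-probe_server}
    cr_rc=0
    cr_count=0
    for cr_server in $(list_nameservers "$cr_file"); do
        cr_count=$((cr_count + 1))
        if "$cr_probe" "$cr_server" "$cr_host"; then
            echo "OK   $cr_server"
        else
            echo "FAIL $cr_server"
            cr_rc=1
        fi
    done
    # A file with no nameserver lines cannot resolve anything either.
    [ "$cr_count" -gt 0 ] || { echo "FAIL no nameserver entries in $cr_file"; return 1; }
    return "$cr_rc"
}

# Run only when a hostname is passed: sh check_dns.sh <vIDM Hostname>
if [ "$#" -gt 0 ]; then
    check_resolvers "$@"
fi
```

A FAIL line for any address means that resolver still cannot answer for the vIDM hostname and should be replaced before the patch request is retried.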
Scenario 2: Addressing SSL Passthrough Configuration
Once the vIDM patching task is complete, you must ensure the DNS changes persist across reboots. Follow the steps outlined in KB 424990 to permanently update the DNS settings (Note: This procedure requires powering off the VMware Aria Suite Lifecycle appliance).