To work around this issue, update the register-is.bat file to reflect the certificate with which the solution user is registered.
Symptoms:
After upgrading from vCenter Server 5.0 to 5.x using the default SSL certificates, you experience these symptoms:
- The C:\ProgramData\VMware\VMware VirtualCenter\SSL folder contains the usual rui.crt, rui.key, and rui.pfx files and also the files for the SSO solution user, such as sso.crt, sso.key, and sso.pfx.
- In the C:\ProgramData\VMware\VMware VirtualCenter\vpxd.cfg file, you see entries similar to:
<sso>
<solutionUser>
<name>vCenterServer_2013.02.15_020938</name>
<certificate>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt</certificate>
<privateKey>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.key</privateKey>
</solutionUser>
</sso>
- In the C:\Program Files\VMware\Infrastructure\VirtualCenter Server\ssoregtool\vcsso.properties file, you see entries similar to:
[solutionUser]
name=vCenterServer_2012.11.14_090347
cert=C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt
description=vCenter Server
- In the %temp%/vcregtool.log file, you see entries similar to:
[YYYY-MM-DD 13:44:11,563 main INFO com.vmware.vim.dataservices.vcregtool.RegisterVC] vCenter instance config file: C:\ProgramData\VMware\VMware VirtualCenter\instance.cfg
[YYYY-MM-DD 13:44:11,563 main INFO com.vmware.vim.dataservices.vcregtool.RegisterVC] vCenter Server certificate path: C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
[2013-02-14 13:44:11,563 main INFO com.vmware.vim.dataservices.vcregtool.RegisterVC] vCenter Server private key path: C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.key
- In the C:\ProgramData\VMware\Infrastructure\Inventory Service\Logs\ds.log file, you see entries similar to:
[YYYY-MM-DD 03:41:29,879 http-nio-/0.0.0.0-10443-exec-6 ERROR com.vmware.vim.vcauthenticate.impl.CertificateManager] Failed to verify signature for BDEDFA77-2597-43A3-8FBC-9A66B9F465F7
[YYYY-MM-DD 13:41:29,879 http-nio-/0.0.0.0-10443-exec-6 INFO com.vmware.vim.vcauthenticate.servlets.AuthenticationServlet] Sending security error because of exception : com.vmware.vim.vcauthenticate.exception.InvalidLoginException: failed to verify signature for BDEDFA77-2597-43A3-8FBC-9A66B9F465F7
Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
- Trying to repoint vCenter Server to the Inventory Service (for example, after resetting the Inventory Service database) fails with the error:
The SSL certificate of STS service was successfully verified against the list of client-trusted certificates
SOAP fault
javax.xml.ws.soap.SOAPFaultException: Authentication failed
at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:111)
at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.doInvoke(DispatchImpl.java:176)
at com.sun.xml.internal.ws.client.dispatch.DispatchImpl.invoke(DispatchImpl.java:195)
at com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage(SoapBindingImpl.java:131)
at com.vmware.vim.sso.client.impl.SoapBindingImpl.sendMessage(SoapBindingImpl.java:82)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.sendRequest(SecurityTokenServiceImpl.java:672)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.executeRoundtrip(SecurityTokenServiceImpl.java:606)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireTokenByCertificate(SecurityTokenServiceImpl.java:372)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.acquireSamlToken(RegisterVC.java:635)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.register(RegisterVC.java:211)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.doRegistration(RegisterVC.java:1253)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.main(RegisterVC.java:1332)
Creating SoapFault
Processing fault: ns0:FailedAuthentication: Authentication failed
Provided credentials are not valid.
opId=554d97df-2ad5-4a50-a883-ef87723d3296 END operation
Token request rejected by STS Service
com.vmware.vim.sso.client.exception.AuthenticationFailedException: Provided credentials are not valid.
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition(SecurityTokenServiceImpl.java:728)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.sendRequest(SecurityTokenServiceImpl.java:677)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.executeRoundtrip(SecurityTokenServiceImpl.java:606)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireTokenByCertificate(SecurityTokenServiceImpl.java:372)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.acquireSamlToken(RegisterVC.java:635)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.register(RegisterVC.java:211)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.doRegistration(RegisterVC.java:1253)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.main(RegisterVC.java:1332)
Removing Client@1712365710 reference from CompiledHttpConfiguration@1228257582, 0 active clients left.
Shutting down CompiledHttpConfiguration@1228257582 as there are no more clients.
Removing Client@945948553 reference from CompiledHttpConfiguration@1602331819, 0 active clients left.
Shutting down CompiledHttpConfiguration@1602331819 as there are no more clients.
Client was disposed successfully
Failed to perform register action
com.vmware.vim.dataservices.vcregtool.exception.RegistrationException
at com.vmware.vim.dataservices.vcregtool.RegisterVC.acquireSamlToken(RegisterVC.java:640)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.register(RegisterVC.java:211)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.doRegistration(RegisterVC.java:1253)
at com.vmware.vim.dataservices.vcregtool.RegisterVC.main(RegisterVC.java:1332)
...
Processing fault: ns0:FailedAuthentication: Invalid Credentials
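
The excerpts above show vpxd.cfg registering the solution user with sso.crt and sso.key while vcregtool.log shows rui.crt and rui.key being used, and that difference can be confirmed before editing register-is.bat. The following is an added example, not VMware's code: the sample inputs are trimmed from the excerpts on this page, and the `<config>` wrapper element and all function names are assumptions made for the illustration.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Sample inputs trimmed from the excerpts on this page; <config> wrapper is assumed.
VPXD_CFG = r"""<config>
  <sso>
    <solutionUser>
      <name>vCenterServer_2013.02.15_020938</name>
      <certificate>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.crt</certificate>
      <privateKey>C:\ProgramData\VMware\VMware VirtualCenter\SSL\sso.key</privateKey>
    </solutionUser>
  </sso>
</config>"""

VCREGTOOL_LOG = r"""[YYYY-MM-DD 13:44:11,563 main INFO com.vmware.vim.dataservices.vcregtool.RegisterVC] vCenter Server certificate path: C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.crt
[YYYY-MM-DD 13:44:11,563 main INFO com.vmware.vim.dataservices.vcregtool.RegisterVC] vCenter Server private key path: C:\ProgramData\VMware\VMware VirtualCenter\SSL\rui.key"""

LOG_RE = re.compile(r"vCenter Server (certificate|private key) path:\s*(\S.*?)\s*$", re.M)
LOG_FIELDS = {"certificate": "certificate", "private key": "privateKey"}

def registered_identity(cfg_text):
    """Solution user name, certificate and key recorded in vpxd.cfg."""
    user = next(ET.fromstring(cfg_text).iter("solutionUser"), None)
    if user is None:
        raise ValueError("no <solutionUser> element in vpxd.cfg")
    return {child.tag: (child.text or "").strip() for child in user}

def presented_identity(log_text):
    """Certificate and key paths vcregtool logged for the registration attempt."""
    return {LOG_FIELDS[kind]: path for kind, path in LOG_RE.findall(log_text)}

def find_mismatch(cfg_text, log_text):
    """Return (field, registered, presented) for every path that differs."""
    registered = registered_identity(cfg_text)
    presented = presented_identity(log_text)
    diffs = []
    for field in ("certificate", "privateKey"):
        reg, pres = registered.get(field), presented.get(field)
        # Windows paths compare case-insensitively; a missing side also counts.
        if not reg or not pres or PureWindowsPath(reg) != PureWindowsPath(pres):
            diffs.append((field, reg, pres))
    return diffs

if __name__ == "__main__":
    for field, reg, pres in find_mismatch(VPXD_CFG, VCREGTOOL_LOG):
        print(f"{field}: registered={reg} presented={pres}")
```

An empty result means the registration tool is using the same certificate and key files that vpxd.cfg records for the solution user; it compares paths only, not the contents of the files.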