Changing VMware Aria Automation 8.x's VMware Identity Manager configuration with vracli vidm set
Article ID: 322719
Products
VMware Aria Suite
Issue/Introduction
The vidm_recovery.py script is available out of the box on all supported versions of VMware Aria Automation 8.x and follows the logic below:
vidm_recovery.py assumes that vIDM has already been changed and the deploy script has failed. The recovery script will:
Remove the old vIDM entry from the identity_organization table.
Switch the organization ID of the old vIDM and set it to the new vIDM.
Set the old organization owner role to the new user ID of the organization owner, which enables the organization owner to log in and modify the user roles of the rest of the users. After user roles have been restored, the users will be able to view their content.
Symptoms:
The VMware Identity Manager (vIDM) that a VMware Aria Automation 8.x instance is using was changed with vracli vidm set
Attempts to start the application with /opt/scripts/deploy.sh fail with:
500 Internal server error
OR
The vIDM appliance has changed, but the FQDN has remained the same
Attempts to start the application with /opt/scripts/deploy.sh succeed, but the configuration admin user receives a 403 error when attempting to log in.
VMware is aware of this issue. Please see the workaround for further details.
Workaround:
Prerequisites
You have backups of the VMware Aria Automation 8.x appliance(s)
You must back up all VMware Aria Automation appliances at the same time, simultaneously for all nodes.
If you are making the snapshots manually, you must start the snapshots of the second and the third node not more than 40 seconds after you start the snapshots for the first node.
When you back up the VMware Aria Automation appliance, disable in-memory snapshots and enable quiescing (quiescing is a requirement only for version 8.9 and newer).
Procedure
Validate the Default Configurator Admin Username in the global environment on VMware Aria Suite Lifecycle 8.x.
SSH to one of the VMware Aria Automation 8.x nodes.
Run the following command, taking the notes below into account:
vracli vidm set https://ID1 admin ID2
Notes:
Replace ID2 with the user found in step 1.
Replace ID1 with the load balancer VIP for the vIDM cluster; for a single-node vIDM, use the first node's FQDN.
After you run this command, the prompt shows the vIDM certificate SHA256. Validate that this is the right certificate, and then accept it by typing “yes”.
You will then be asked to type a password; this is the vIDM admin password.
This is an example as a reference.
Restart the services
For VMware vRealize Automation 8.4 and later, run:
vracli vidm apply
Monitor the restarting process of the identity services pods, and wait until they are running.
kubectl get pods -n prelude -w | grep identity-service
For 8.3 and older versions, run:
/opt/scripts/deploy.sh
Then execute the vidm_recovery.py script according to the appropriate scenario below.
Recovery Scenario #1: New vIDM appliance hostname
To associate a new vIDM appliance with VMware Aria Automation 8.x, run the following commands:
For a vIDM cluster, replace ID4 with the FQDN of the first node
For a single-node vIDM, replace ID4 with the vIDM FQDN
Replace ID5 with the Default Configurator
Then restart the services.
/opt/scripts/deploy.sh
Note:
The script is expected to update the vIDM information; you must have 3 UPDATEs.
After running the vidm_recovery.py script, you must run the deploy.sh script, not just vracli vidm apply.
Validation
After updating the vIDM information in the VMware Aria Automation 8.x database with the vidm_recovery.py script, clear your browser cookies or open a new incognito or private-mode window, and log in to VMware Aria Automation 8.x using the Default Configurator Admin Username.
Important! The contents of this article are intended for unexpected failover scenarios only. For Site Recovery Manager failovers, utilize the supported steps defined here.
Associating a new vIDM with VMware Aria Automation 8.x resets the Organization and Services Roles assigned to Active User and Enterprise Groups on VMware Aria Automation 8.x. After following this KB, you must log in to VMware Aria Automation 8.x using the Default Local Admin Configurator and then assign the roles.
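
For the certificate check in step 3 of the procedure ("validate this is the right certificate"), the SHA256 value that vracli vidm set displays can be compared with a fingerprint computed from a copy of the vIDM certificate obtained from a trusted source. This is an added example, not part of the original article or of VMware's tooling; the script name, its function names, the PEM file argument, and the assumption that the value is shown as hex with or without colons are all assumptions.

```shell
#!/usr/bin/env bash
# Added example: confirm the SHA256 value shown by "vracli vidm set" against a
# trusted copy of the vIDM certificate before typing "yes".

# Reduce a fingerprint to bare uppercase hex: drops any "label=" prefix,
# colons and whitespace so different display formats compare equal.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \t\r\n' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when both values are identical SHA-256 fingerprints, 1 when they
# differ, 2 when the first is not 64 hex digits (truncated or mistyped).
fp_matches() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    case "$a" in ''|*[!0-9A-F]*) return 2 ;; esac
    [ "${#a}" -eq 64 ] || return 2
    [ "$a" = "$b" ]
}

# SHA-256 fingerprint of a PEM certificate file (requires openssl).
pem_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# Usage: check_vidm_fp.sh <trusted-vidm-cert.pem> "<value shown by vracli>"
# Both arguments are assumptions of this example, not article parameters.
if [ "$#" -eq 2 ]; then
    if fp_matches "$(pem_fp "$1")" "$2"; then
        echo "MATCH: safe to answer yes"
    else
        echo "MISMATCH or malformed fingerprint: do not accept" >&2
        exit 1
    fi
fi
```

Run it from an administrative workstation while the vracli prompt is still waiting for an answer, and type "yes" only on a match.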