Navigating to the Log Browser after updating vSphere 5.1 Single Sign On Certificates fails with an Unauthorized Access error (2037927)

Symptoms

  • When clicking on the Log Browser after updating the Single Sign On Certificates, you see an error similar to:

    faultCode:Server.Processing faultString:'javax.servlet.ServeletException : java.lang.Exception: https://server.domain.com:port/vmwb/logbrowser: Unauthorized access 'faultDetail:'null'

Cause

When navigating to the vSphere Log Browser service in vSphere 5.1, the STS Certificate chain is validated against the currently active certificates for the service. If the certificate chain cannot be validated, access to the service is denied.

Resolution

To resolve this issue, ensure that the root certificates are trusted. Before you can do this, the PFX keystore must contain the Certificate Authority root certificate. The correct syntax to create the PFX file with the root certificate in it is:

openssl pkcs12 -export -in rui.crt -inkey rui.key -certfile carootcert.cer -name "rui" -passout pass:testpassword -out rui.pfx

If the PFX file was not created this way initially, replace the current PFX file with the newly created one so that the certificate chain can be validated.
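As an added example (not part of this KB article), the following script builds a constructed, throwaway root CA and server certificate, runs the KB's openssl pkcs12 command both with and without -certfile, and counts the certificates inside each PFX so you can confirm the root is embedded before replacing the file on the server. The file names and the testpassword value follow the KB; the test CA and certificate subjects are assumptions.

```shell
#!/bin/sh
# Added example, not VMware's code: shows that only the -certfile form of
# the openssl pkcs12 command puts the CA root into rui.pfx, which is what
# lets the STS certificate chain validate for the Log Browser.
set -eu

# Constructed test PKI in a temp dir; rui.crt is signed by carootcert.cer.
make_test_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$dir/ca.key" -out "$dir/carootcert.cer" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.domain.com" \
        -keyout "$dir/rui.key" -out "$dir/rui.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/rui.csr" -CA "$dir/carootcert.cer" \
        -CAkey "$dir/ca.key" -CAcreateserial -out "$dir/rui.crt" 2>/dev/null
}

# The KB's command: the -certfile argument is what embeds the CA root.
build_pfx_with_root() {
    dir=$1
    openssl pkcs12 -export -in "$dir/rui.crt" -inkey "$dir/rui.key" \
        -certfile "$dir/carootcert.cer" -name "rui" \
        -passout pass:testpassword -out "$dir/rui.pfx"
}

# The form that leads to the KB's symptom: leaf certificate only, no root.
build_pfx_without_root() {
    dir=$1
    openssl pkcs12 -export -in "$dir/rui.crt" -inkey "$dir/rui.key" \
        -name "rui" -passout pass:testpassword -out "$dir/rui-noroot.pfx"
}

# Check before replacing the PFX: how many certificates does it carry?
# 2 means leaf plus root; 1 means the root is missing.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin pass:testpassword 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
build_pfx_with_root "$WORK"
build_pfx_without_root "$WORK"
echo "rui.pfx:        $(pfx_cert_count "$WORK/rui.pfx") certificate(s)"
echo "rui-noroot.pfx: $(pfx_cert_count "$WORK/rui-noroot.pfx") certificate(s)"
```

The rui.pfx produced here is the file that the keytool -importkeystore command in the Windows steps below converts to rui.jks.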

Once you are sure that the Certificate Authority root certificate is included in the PFX file, follow these steps to ensure it is added to the trusted SSO STS Certificates:

For a vCenter Server Windows host

  1. Open a command prompt and navigate to:

    C:\Program Files\VMware\Infrastructure\jre\bin\

  2. Run this command:

    keytool -v -importkeystore -srckeystore rui.pfx -srcstoretype pkcs12 -srcstorepass testpassword -srcalias rui -destkeystore rui.jks -deststoretype JKS -deststorepass changeit -destkeypass changeit

    Where rui.pfx is the SSO certificate PFX file.

    Note: changeit must be the destination store and key password; do not change the password.

  3. Copy the rui.jks file to the C:\Program Files\VMware\Infrastructure\SSOServer\Security\ directory.
  4. Log into the vSphere Web Client as a Single Sign On administrator.
  5. Navigate to Administration > Sign-on and Discovery > Configuration, and click the STS Certificate tab.
  6. Click the Edit button.
  7. Click the Browse button.
  8. Click the C:\Program Files\VMware\Infrastructure\SSOServer\security\rui.jks file.
  9. Enter changeit as the password and click OK. The rui key chain is shown in the interface.
  10. Click rui.
  11. Click OK.
  12. When prompted for the password, enter changeit. You now see another chain added, and the certificate is available in the GUI.
  13. Restart these services:

    • vSphere Web Client
    • vCenter Server
    • vCenter Inventory Service
    • VMware Log Browser

    Note: You do not need to restart Single Sign On.

  14. Once complete, the certificate chain is trusted by vCenter SSO and you are able to use the Log Browser.

For a vCenter Server Appliance host

  1. Log into the vSphere Web Client as a Single Sign On administrator.
  2. Use WinSCP to obtain this file from the vCenter Server Appliance:

    /usr/lib/vmware-sso/security/server.jks

  3. Place this file in a local directory on the machine from which you are running the vSphere Web Client.
  4. Navigate to Administration > Sign-on and Discovery > Configuration, and click the STS Certificate tab.
  5. Click the Edit button.
  6. Click the Browse button.
  7. Browse to the directory where you stored the server.jks file from step 3.
  8. Click the server.jks file.
  9. When you are prompted for a password, do not enter anything and proceed to the next step.
  10. Log in to the vCenter Server Appliance as root (the default password is vmware).
  11. Navigate to the /usr/lib/vmware-sso/conf/server.xml file, and open it in a text editor, such as nano or vi.
  12. Search for keystorePass="..." in the file, and make note of the password.
  13. At the prompt from step 8, enter the password you made note of.
  14. Click the newly displayed chain.
  15. Click OK.
  16. When prompted for the password, enter the password again. You now see another chain added, and the certificate is available in the GUI.
  17. Restart these services:

    • vSphere Web Client
    • vCenter Server
    • vCenter Inventory Service
    • VMware Log Browser

    Note: You do not need to restart Single Sign On.

  18. Once complete, the certificate chain is trusted by vCenter SSO and you are able to use the Log Browser.

Update History

03/05/2013 - Added new steps for vCenter Server Appliance.
