After migrating vCenter Server 6.0 from an Embedded Platform Services Controller to External Platform Services Controller the Performance Chart Service fails with the error: Unable to Initialize servlet

Products

VMware vCenter Server

Issue/Introduction

Symptoms:
After migrating vCenter Server 6.0 from an Embedded Platform Services Controller (PSC) to External Platform Services Controller, you experience these symptoms:

Under the System Configuration UI (Administration > System Configuration), the VMware Performance Chart Service reports this error:

Unable to Initialize servlet
Failed to request health status from URI <FQDN of Embedded Platform Services Controller>
Under the Alarms pane, you see the Performance Charts Service Health Alarm in a Critical status.
In the /var/log/vmware/perfcharts or %ProgramData%\VMware\vCenterServer\logs\perfcharts stats.log file, you see entries similar to:

YYYY-MM-DDT<time>Z [pool-1-thread-1 ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl] Error communicating to the remote server https://embedded_psc.vmware.com/sts/STSService/vsphere.local
com.sun.xml.internal.ws.client.ClientTransportException: The server sent HTTP status code 503: Service Unavailable (Failed to connect to endpoint: [N7Vmacore4Http16LocalServiceSpecE:0x7f014c066a10] _serverNamespace = /sts/STSService _isRedirect = false _port = 7080)
at com.sun.xml.internal.ws.transport.http.client.HttpTransportPipe.checkStatusCode(Unknown Source)
...
YYYY-MM-DDT<time>Z [pool-1-thread-1 ERROR com.vmware.vim.stats.webui.util.ResourceModelClient] Error communicating to the remote server https://embedded_psc.vmware.com/sts/STSService/vsphere.local com.vmware.vim.sso.client.exception.ServerCommunicationException: Error communicating to the remote server https://blr7-7th-dhcp-44-37.eng.vmware.com/sts/STSService/vsphere.local
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.sendRequest(SecurityTokenServiceImpl.java:781)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.executeRoundtrip(SecurityTokenServiceImpl.java:699)
at com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl.acquireTokenByCertificate(SecurityTokenServiceImpl.java:460)
at com.vmware.vim.stats.webui.util.ResourceModelClient.exchangeForActAsToken(Unknown Source)
at com.vmware.vim.stats.webui.util.ResourceModelClient.<init>(Unknown Source)
...
YYYY-MM-DDT<time>Z [pool-1-thread-1 WARN com.vmware.vim.stats.webui.startup.StatsReportInitializer] STATs report initialization failed. Set health status to RED.
</time></time></time>
Note: This log excerpt is an example. Date, time, and environmental variables may vary depending on your environment.

Environment

VMware vCenter Server 6.0.x
VMware vCenter Server Appliance 6.5.x
VMware vCenter Server 6.7.x
VMware vCenter Server Appliance 6.0.x
VMware vCenter Server Appliance 6.7.x
VMware vCenter Server 6.5.x

Cause

This issue occurs when the VMware Performance Chart Service of vCenter Server attempts to connect to the decommissioned Embedded PSC's Secure Token Service (STS) to perform a SAML exchange.

Resolution

To resolve this issue, un-register the old Secure Token Service service registration in the Lookup Service:

For the Platform Services Controller Appliance:

Connect to the External Platform Service Controller Appliance with an SSH session.
Provide the root user user name and password when prompted.
Run this command to enable the Bash shell:

shell.set --enable True
Run this command to access the Bash shell:

shell
Run this command to navigate to the scripts directory:

cd /usr/lib/vmidentity/tools/scripts
Run this command to list the STS service registrations:

./lstool.py list --ep-type com.vmware.cis.cs.identity.sso --no-check-cert --url https://External_PSC_FQDN/lookupservice/sdk 2> /dev/null

For example:

./lstool.py list --ep-type com.vmware.cis.cs.identity.sso --no-check-cert --url https://psc.vmware.com/lookupservice/sdk 2> /dev/null
This should report a minimum of two endpoints. One belonging to the new, external PSC and one belonging to the decommissioned, Embedded PSC.

For example:

Service Product: com.vmware.cis
Service Type: cs.identity
Service ID: 8b002037-d8df-456c-b2e6-2bb8e35aac8a
Site ID: site11
Owner ID: [email protected]
Version: 2.0
Endpoints:
Type: com.vmware.cis.cs.identity.admin
Protocol: wsTrust
URL: https://external_psc.vmware.com/sts/STSService/vsphere.local
SSL trust: <SSL Certificate>

--------------------------------------------------

Service Product: com.vmware.cis
Service Type: cs.identity
Service ID: b4295d0b-659a-4b70-8100-36b124f6fb44
Site ID: site11
Owner ID: [email protected]
Version: 2.0
Endpoints:
Type: com.vmware.cis.cs.identity.admin
Protocol: wsTrust
URL: https://embedded_psc.vmware.com/sts/STSService/vsphere.local
SSL trust: <SSL Certificate>
Run this command to un-register the old STS service registration:

./lstool.py unregister --user "[email protected]" --password "administrator password" --id <Embedded PSC Service ID From above> --no-check-cert --url https://External_PSC_FQDN/lookupservice/sdk

For example:

./lstool.py unregister --user [email protected] --password --id b4295d0b-659a-4b70-8100-36b124f6fb44 --no-check-cert --url https://psc.vmware.com/lookupservice/sdk
On the affected vCenter Server, restart the VMware Performance Chart Service by running these commands:

service-control --stop vmware-perfcharts

service-control --start vmware-perfcharts

For the Platform Services Controller for Windows:

Remote Desktop into the Windows Server.
Open an elevated command prompt.
Run this command to navigate to the scripts directory:

cd "C:\Program Files\VMware\vCenter Server\VMware Identity Services\lstool\scripts"
Run this command to list the STS service registrations:

"%VMWARE_PYTHON_BIN%" lstool.py list --ep-type com.vmware.cis.cs.identity.sso --no-check-cert --url https://External_PSC_FQDN/lookupservice/sdk

For example:

"%VMWARE_PYTHON_BIN%" lstool.py list --ep-type com.vmware.cis.cs.identity.sso --no-check-cert --url https://psc.vmware.com/lookupservice/sdk
This should report a minimum of two endpoints. One belonging to the new, external PSC and one belonging to the decommissioned, Embedded PSC.

For example:

Service Product: com.vmware.cis
Service Type: cs.identity
Service ID: 8b002037-d8df-456c-b2e6-2bb8e35aac8a
Site ID: site11
Owner ID: [email protected]
Version: 2.0
Endpoints:
Type: com.vmware.cis.cs.identity.admin
Protocol: wsTrust
URL: https://external_psc.vmware.com/sts/STSService/vsphere.local
SSL trust: <SSL Certificate>

--------------------------------------------------

Service Product: com.vmware.cis
Service Type: cs.identity
Service ID: b4295d0b-659a-4b70-8100-36b124f6fb44
Site ID: site11
Owner ID: [email protected]
Version: 2.0
Endpoints:
Type: com.vmware.cis.cs.identity.admin
Protocol: wsTrust
URL: https://embedded_psc.vmware.com/sts/STSService/vsphere.local
SSL trust: <SSL Certificate>
Run this command to un-register the old STS service registration:

"%VMWARE_PYTHON_BIN%" lstool.py unregister --user "[email protected]" --password "administrator password" --id <Embedded PSC Service ID From above> --no-check-cert --url https://External_PSC_FQDN/lookupservice/sdk

For example:

"%VMWARE_PYTHON_BIN%" lstool.py unregister --user [email protected] --password --id b4295d0b-659a-4b70-8100-36b124f6fb44 --no-check-cert --url https://psc.vmware.com/lookupservice/sdk
On the affected vCenter Server, restart the VMware Performance Chart Service by running these commands:

service-control --stop vmware-perfcharts

service-control --start vmware-perfcharts

Additional Information

To be alerted when this document is updated, click the Subscribe to Article link in the Actions box.
503 Service Unavailable Failed to connect to endpoint XXXXXX" error in vCenter Server (60822)
将 vCenter Server 6.0 从嵌入式 Platform Services Controller 迁移到外部 Platform Services Controller 后，性能图表服务失败，并显示以下错误：无法初始化 servlet
vCenter Server 6.0 を埋め込み Platform Services Controller から外部 Platform Services Controller に移行すると Performance Chart Service が次のエラーで失敗する：サーブレットを初期化できません