Redirection to the VMware Identity Manager login page from vRealize Automation 8.0 returns "Bad Gateway"
Article ID: 325818
Products

VMware Aria Suite

Issue/Introduction

Symptoms:
This article is applicable when you observe the following symptoms:
  • After clicking on the GO TO LOGIN PAGE button on the homepage of your vRealize Automation 8.0 instance, the vRealize Automation appliance attempts to redirect to the vIDM login, but instead displays a blank page with the words Bad Gateway.
  • The certificate for VMware Identity Manager (vIDM) was updated after vRealize Automation 8.0 was deployed, either through Lifecycle Manager, or from the vIDM management interface.
To view the logs for the identity-service-app pod on the vRealize Automation appliance:
  1. Run the following command to get the pod name:
kubectl get pods -n prelude | grep identity-service-app
  2. Run the following command to get the logs from the pod (the pod name suffix will differ in your environment):
kubectl logs identity-service-app-7fd98994ff-6z4n4 -n prelude
The log may contain entries similar to these, where [vIDM_FQDN] and [vIDM_IP] are the FQDN and IP address of your vIDM instance. The last "Caused by" line is the one that matters: the Java TLS client could not build a trust path to the certificate that vIDM presented.
2019-11-29 22:58:18.681+0000  WARN  29 --- [ctor-http-nio-2]    r.netty.http.client.HttpClientConnect : [id: 0x1676876c, L:/10.244.0.57:46894 ! R:[vIDM_FQDN]/[vIDM_IP]:443] The connection observed an error
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_221]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
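As an added example (not part of the article and not VMware code), the following Python script scans `kubectl logs` output for reactor-netty connection errors whose stack trace ends in a PKIX path-building failure and reports the remote peer the pod could not trust. The connection-id format `L:/local:port ! R:host/ip:port` is taken from the log line above; the sample log text is constructed, with example.com names and RFC 5737 addresses standing in for the real vIDM values. Only the Python standard library is used.

```python
"""Triage helper: which peer is the identity-service-app pod failing to trust?"""
import re
from collections import Counter

# Record header: reactor-netty log lines start with a timestamp.
TIMESTAMP = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")
# Remote side of the netty connection id, e.g. "R:vidm.example.com/192.0.2.10:443]".
REMOTE = re.compile(r"R:(?P<host>[^/\s\]]+)/(?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\]")
HANDSHAKE = "SSLHandshakeException"
PKIX = "PKIX path building failed"


def _records(lines):
    """Group a log into (header line, stack-trace lines) pairs, one per timestamped record."""
    header, trace = None, []
    for line in lines:
        if TIMESTAMP.match(line):
            if header is not None:
                yield header, trace
            header, trace = line, []
        elif header is not None:
            trace.append(line)
    if header is not None:
        yield header, trace


def untrusted_peers(log_text: str) -> Counter:
    """Count connection errors per (host, ip, port) whose own stack trace contains a
    TLS handshake failure rooted in PKIX path building. Other TLS or socket errors
    (timeouts, resets) are deliberately not counted, so a non-empty result points at a
    trust-store / pinned-certificate problem rather than at general connectivity."""
    hits = Counter()
    for header, trace in _records(log_text.splitlines()):
        if "The connection observed an error" not in header:
            continue
        m = REMOTE.search(header)
        if not m:
            continue
        body = "\n".join(trace)
        if HANDSHAKE in body and PKIX in body:
            hits[(m["host"], m["ip"], int(m["port"]))] += 1
    return hits


# Constructed sample: two PKIX failures against the vIDM peer and one unrelated timeout.
SAMPLE_LOG = """\
2019-11-29 22:58:18.681+0000  WARN  29 --- [ctor-http-nio-2]    r.netty.http.client.HttpClientConnect : [id: 0x1676876c, L:/10.244.0.57:46894 ! R:vidm.example.com/192.0.2.10:443] The connection observed an error
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_221]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2019-11-29 22:58:19.002+0000  WARN  29 --- [ctor-http-nio-3]    r.netty.http.client.HttpClientConnect : [id: 0x2a11b3c9, L:/10.244.0.57:46902 ! R:vidm.example.com/192.0.2.10:443] The connection observed an error
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2019-11-29 22:58:20.115+0000  WARN  29 --- [ctor-http-nio-4]    r.netty.http.client.HttpClientConnect : [id: 0x3c0ffee1, L:/10.244.0.57:46910 ! R:other.example.com/198.51.100.7:443] The connection observed an error
io.netty.channel.ConnectTimeoutException: connection timed out: other.example.com/198.51.100.7:443
"""

if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for (host, ip, port), n in untrusted_peers(text).most_common():
        print(f"{n} handshake failures to {host} ({ip}:{port}): certificate not trusted")
```

Pipe the real pod log into the script (`kubectl logs <pod> -n prelude | python3 triage.py`; the file name is hypothetical) and it prints one line per peer. If the only peer listed is your vIDM FQDN, the cause and resolution below apply; peers that only time out are a different problem.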


Environment

VMware vRealize Automation 8.x

Cause

The identity-service-app pod still holds the previous vIDM certificate in its Java keystore. vRealize Automation trusts the connection to vIDM by pinning the vIDM server certificate itself, identified by its SHA-256 thumbprint, rather than by validating the chain up to the issuing Certificate Authority. A replacement certificate therefore fails validation even when a CA the appliance would otherwise trust issued it, until the pinned certificate is updated.

Resolution

Use the vracli command on the appliance to re-pin the current vIDM certificate, then redeploy the application stack so that the identity-service-app pod picks up the new trust configuration.
  1. Log in to the vRA appliance via SSH.
  2. Find the SHA-256 thumbprint of the certificate the vIDM appliance currently presents (where [vIDM_FQDN] is the FQDN of your vIDM instance). The -servername option sends the FQDN as SNI, so the server selects the certificate for that name as a browser would:
echo | openssl s_client -connect [vIDM_FQDN]:443 -servername [vIDM_FQDN] 2>/dev/null | openssl x509 -fingerprint -sha256 -noout | awk -F'=' '{print $2}' | tr -d ':' | awk '{print tolower($0)}'
     This command accepts whatever certificate the network returned, so before using the value in Step 5 confirm that it belongs to the certificate you installed through Lifecycle Manager or the vIDM management interface.
  3. Display the current vIDM settings and take note of the user attribute:
vracli vidm
  4. Create a temporary file that contains the administrator password (the easiest way to avoid escaping special characters on the command line). The file holds a credential: keep it readable only by your own account and delete it in Step 7.
vi /tmp/admin-password.txt
  5. Update the vIDM settings, where [vIDM_FQDN] is the FQDN of your vIDM instance, [user] is the value of the user attribute from the vracli vidm output in Step 3, and [sha256_thumbprint] is the output of the command in Step 2:
vracli vidm set https://[vIDM_FQDN] admin /tmp/admin-password.txt [user] -f [sha256_thumbprint]
  6. Redeploy the application stack:
/opt/scripts/deploy.sh
  7. Delete the admin password file:
rm /tmp/admin-password.txt
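The following Python script is an added example, not part of the VMware article and not vracli code. It reproduces Step 2 in code so the thumbprint can be checked before it is pinned, and compares the live value with a thumbprint that is already configured. It assumes only the Python standard library; the thumbprint format (SHA-256 over the DER-encoded certificate, lowercase hex without colons) is taken from the Step 2 command, and the sample certificate and openssl output embedded below are constructed.

```python
"""Pre-flight check for re-pinning the vIDM certificate in vRealize Automation."""
import base64
import hashlib
import hmac
import re
import ssl
import sys

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")


def normalize_fingerprint(text: str) -> str:
    """Reduce 'SHA256 Fingerprint=AB:CD:...' (openssl output) or any colon/case variant
    to the 64-character lowercase hex form the Step 2 pipeline produces.
    Anything that is not 32 bytes of hex (e.g. a SHA-1 fingerprint) is rejected."""
    value = text.split("=", 1)[1] if "=" in text else text
    value = value.strip().replace(":", "").replace(" ", "").lower()
    if not HEX_SHA256.match(value):
        raise ValueError(f"not a SHA-256 fingerprint: {text!r}")
    return value


def thumbprint_from_pem(pem: str) -> str:
    """SHA-256 over the certificate's DER bytes: the same value that
    `openssl x509 -fingerprint -sha256` prints, minus colons and upper case."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def fetch_server_thumbprint(host: str, port: int = 443) -> str:
    """Thumbprint of the leaf certificate the server presents right now.
    No chain validation is done here on purpose: the pin identifies this exact
    certificate, which is why a CA-signed replacement still breaks the pod."""
    return thumbprint_from_pem(ssl.get_server_certificate((host, port)))


def pin_matches(presented: str, pinned: str) -> bool:
    """Constant-time comparison of two thumbprints given in any accepted notation."""
    return hmac.compare_digest(normalize_fingerprint(presented),
                               normalize_fingerprint(pinned))


# Constructed stand-in for a PEM certificate. A real one carries a base64 DER X.509
# structure; this one wraps the bytes b"abc" so the expected digest is well known.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"abc").decode("ascii")
              + "\n-----END CERTIFICATE-----\n")
# What `openssl x509 -fingerprint -sha256 -noout` prints for that stand-in (constructed).
SAMPLE_OPENSSL_OUTPUT = ("SHA256 Fingerprint=BA:78:16:BF:8F:01:CF:EA:41:41:40:DE:5D:AE:22:23:"
                         "B0:03:61:A3:96:17:7A:9C:B4:10:FF:61:F2:00:15:AD")

if __name__ == "__main__":
    # Usage (hypothetical file name): python3 vidm_pin_check.py [vIDM_FQDN] [pinned_thumbprint]
    host = sys.argv[1]
    live = fetch_server_thumbprint(host)
    print(f"{host} presents SHA-256 thumbprint {live}")
    if len(sys.argv) > 2:
        state = "matches" if pin_matches(live, sys.argv[2]) else "DOES NOT match"
        print(f"live certificate {state} the pinned thumbprint; "
              "if it changed, re-run 'vracli vidm set ... -f' with the live value")
```

The live thumbprint is trust-on-first-use, exactly like the openssl pipeline in Step 2: the script does not and cannot tell you whether the certificate it fetched is the one you installed, only what vIDM is presenting. Confirm the value against the certificate you deployed before passing it to `vracli vidm set`, and keep the constant-time comparison if you script the check, so that a partial match is not leaked through timing.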


Additional Information

The vRA portal also reports Bad Gateway if you connect while the appliance restart procedure is in progress; see Starting and stopping vRealize Automation (vmware.com).