Upgrading to Cloud Director 10.3 can fail for some LDAP SSL Configurations at Provider and/or Tenant levels



Article ID: 321471


Updated On:

Products

VMware Cloud Director

Issue/Introduction

Symptoms:
  • Attempting to upgrade Cloud Director from a previous version to the 10.3 release.
  • During the database upgrade step, the '/opt/vmware/vcloud-director/bin/upgrade' command fails with an error similar to the following:
Examining database at URL: jdbc:postgresql://vcloud.example.com:5432/vcloud?socketTimeout=90&ssl=true
Found an organization with an LDAP configuration that bypasses SSL certificate verification.
 Organization name: ExampleOrganization
 Organization Id: <ORGANIZATION_UUID>
Found an organization with an LDAP configuration that bypasses SSL certificate verification.
 Organization name: System
 Organization Id: <ORGANIZATION_UUID>
Found one or more organizations with an LDAP configuration that bypasses SSL certificate verification.
This version of VMware Cloud Director cannot support such configurations. Ensure that each of the above organizations reconfigures
their LDAP settings to import the certificate of their LDAP server, if necessary, and turns off “Accept All SSL Certificates”.


Environment

VMware Cloud Director 10.x

Cause

If Providers and/or Tenants are using LDAP but have set 'Accept all certificates' to 'true', the database upgrade will be aborted until these settings are cleared. Note that this setting can be 'true' even when SSL is NOT in use, because the flag is stored independently of whether SSL is enabled.

Resolution

To allow the upgrade to complete, the LDAP settings in the affected Organizations must be changed so that Accept all certificates is set to false (disabled).
Example steps to perform this are as follows:

  1. Before proceeding, ensure that a current backup of the Cloud Director database has been taken; this should already have been done as part of the upgrade process.
     For a Cloud Director Appliance the backup can be taken on the Primary Cell as root as described in the documentation topic "Back up the VMware Cloud Director Appliance Embedded Database".
     For an external PostgreSQL database in a Linux Cell based environment, take a backup using the process provided by the database vendor.
  2. Log into the Cloud Director database to run queries against it. If this is a Cloud Director Appliance based environment the steps to log in are as follows:
    1. Log into the Primary Cell as root.
    2. Switch to the postgres user:
       root@vcd [ ~ ]# su - postgres
    3. Log into the Cloud Director database:
       postgres [ ~ ]$ psql vcloud
  3. While logged into the Cloud Director database, run the following to disable the Accept all certificates option for all Organizations which do not use SSL with LDAP (the flag has no effect without SSL, so clearing it there changes nothing about how those Organizations connect):
     UPDATE ldap_provider SET ssl_accept_all = false WHERE ssl = false;
  4. While still logged into the Cloud Director database, run the following to count how many Organizations will still block the upgrade:
     SELECT count(*) FROM ldap_provider WHERE ssl_accept_all = true;

     If there are no Organizations which will block the upgrade, the count returns '0':

     vcloud=# SELECT count(*) FROM ldap_provider WHERE ssl_accept_all = true;
     count
     -------
         0
     (1 row)
  5. If the count returned is '1' or higher, continue straight to step 6 below.
     Otherwise, if the count returned is '0', exit the Cloud Director database and proceed with the upgrade attempt:
    1. Log out from the Cloud Director database and return to the root shell:
       vcloud=# \q
       postgres [ ~ ]$ exit
    2. Retry the database upgrade command which was previously failing, as root on the Primary Appliance:
       /opt/vmware/vcloud-director/bin/upgrade
    3. If the upgrade proceeds, the steps from 6 below are NOT required.
  6. If the count returned a value of '1' or higher, identify which Organizations are using SSL for LDAP and have the Accept all certificates option enabled:
    1. Log into the Primary Cell as root.
    2. Switch to the postgres user:
       root@vcd [ ~ ]# su - postgres
    3. Log into the Cloud Director database:
       postgres [ ~ ]$ psql vcloud
    4. List the Organizations which will continue to block the upgrade (the fixed UUID below is the built-in System Organization, as used by the article):
       SELECT oms.org_id, o.name
       FROM org_member_source oms,
            member_source ms,
            organization o
       WHERE
            o.org_id = oms.org_id AND
            oms.member_source_id = ms.id AND
            ms.provider_type = 2 AND
            (oms.org_id = 'a93c9db9-7471-3192-8d09-a8f7eeda85f9' OR
             oms.member_source_id NOT IN
                 (SELECT member_source_id FROM org_member_source WHERE org_id = 'a93c9db9-7471-3192-8d09-a8f7eeda85f9'));
    5. The output will be similar to the following:
                       org_id                |  name
       --------------------------------------+---------------------
        <ORGANIZATION_UUID> | System
        <ORGANIZATION_UUID> | ExampleOrganization
       (2 rows)
  7. If '1' or more Organizations are listed, the Cloud Director instance will have to be reverted to its pre-upgrade state and Cloud Director's services started.
     The LDAP settings in the affected Organizations will need Accept All Certificates set to false (disabled) by their respective Administrators.
  8. If 'System' is listed in the 'name' column, the System Administrators must verify that Accept All certificates is set to false (disabled):
    1. Log into Cloud Director's Provider UI as a System Administrator, navigate to Administration > Identity Providers > LDAP > Custom LDAP, and click Edit.
    2. Set Accept all certificates to disabled and save the changes.
       WARNING: As Accept all certificates will now be disabled, custom certificates may need to be trusted if using self-signed certificates on the LDAP server. If Cloud Director cannot trust the certificate presented by the LDAP server, logins may fail.
  9. If Tenant Organizations are listed in the 'name' column, they are NOT using the System LDAP service, and the same changes need to be applied to their own Custom LDAP service.
     WARNING: This step must be performed by the respective Tenant Administrators and CANNOT be performed by System Administrators. When making the changes, the Tenant Administrator must ensure that LDAP connectivity continues to work and that LDAP users continue to function as expected.
    1. The Tenant Administrator must navigate to their Tenant UI, open Administration > Identity Providers > LDAP > Custom LDAP, and click Edit.
    2. Set Accept all certificates to disabled and save the changes.
       WARNING: As Accept all certificates will now be disabled, custom certificates may need to be trusted if using self-signed certificates on the LDAP server. If Cloud Director cannot trust the certificate presented by the LDAP server, logins may fail.
  10. Once all Organizations have been updated with Accept All Certificates set to false (disabled), the upgrade can be retried.