
Repairing or updating the trust between all components within vRealize Automation 6.x environment (2110207)


Purpose

This article provides instructions on how to rebuild the trust relationship between all components in a VMware vRealize Automation (formerly known as VMware vCloud Automation Center) deployment. In many cases, when updating or replacing certificates in vRealize Automation, a failed step or an incorrectly entered value can cause a trust failure, which can lead to a loop where you are unable to pull new certificates into the IaaS. This can lead to SSL/certificate errors when running the vcac-config.exe RegisterEndpoint command.

This article assumes that these points are accurate:
    • If using signed certificates, the certificate root CA, Intermediate CA, and CRL servers are all reachable by all components.
    • If using signed certificates, the certificate is valid for both date and SAN for all components.
    • If using self-signed certificates, the certificates are valid for both date and common name for all components.
    • If using self-signed certificates, all IaaS servers have the related IaaS Manager and IaaS Web server certificates installed locally to establish trust to the Web and Manager servers.

    Resolution

    To repair Certificate trust between all components:

    1. Back up all VMware vRealize Automation (formerly known as VMware vCloud Automation Center) appliances and related databases.
    2. Update/confirm all certificates and verify that they have the appropriate SANs and all servers can reach the root CA and CRL servers related to the certificates.
    3. SSH or console into each vRealize Automation appliance and run this command:

      /usr/sbin/vcac-config import-certificate --alias websso --url https://SSO_FQDN:7444

    4. Reboot each vRealize Automation appliance.
    5. Register the first vRealize Automation appliance with SSO again and wait for all services except for vRealize Orchestrator and iaas-service to show REGISTERED.
    6. Log in to the IaaS Model Manager Web server as the vRealize Automation service account and open the file using a text editor:

      C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Web\web.config

    7. Search for the string starting with <repository server=.
    8. Make a note of the exact SQL server name and database name, including letter case, for the UpdateServerCertificates string.
    9. Log in to the IaaS Model Manager Data server (if different from the Model Manager Web) as the vRealize Automation service account.

      Note: Ensure the vRealize Automation service account has access rights to the vRealize Automation database.

    10. Click Start > Run, type cmd, and click OK. The command prompt window opens.
    11. Run these commands (replace paths where required):

      • cd "C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe\"
      • rename vcac-config.data vcac-config.old
      • Vcac-Config.exe GetServerCertificates -url https://<vRA Appliance or Load Balancer FQDN> --FileName .\vcac-config.data
      • Vcac-Config.exe RegisterSolutionUser -url https://<vRA Appliance or Load Balancer FQDN> --Tenant vsphere.local -cu administrator@vsphere.local -cp Password --FileName .\Vcac-Config.data -v

        Where Password is your account password.

      • Vcac-Config.exe MoveRegistrationDataToDB -d DB_Name -s Server_name -f .\Vcac-Config.data -v

        Where:

        • DB_Name is the database name noted in Step 8.
        • Server_name is the server name noted in Step 8.

      • Vcac-Config.exe UpdateServerCertificates -d DB_Name -s Server_name -v

        Where:

        • DB_Name is the database name noted in Step 8.
        • Server_name is the server name noted in Step 8.

      • Vcac-Config.exe RegisterEndpoint --EndpointAddress https://<IaaS Web server or Load Balancer FQDN>/vcac --Endpoint ui -v

      • Vcac-Config.exe RegisterEndpoint --EndpointAddress https://<IaaS Web server or Load Balancer FQDN>/Repository --Endpoint repo -v

      • Vcac-Config.exe RegisterEndpoint --EndpointAddress https://<IaaS Web server or Load Balancer FQDN>/WAPI --Endpoint wapi -v

      • Vcac-Config.exe RegisterEndpoint --EndpointAddress https://<IaaS Web server or Load Balancer FQDN>/WAPI/api/status --Endpoint status -v 


        Note: With vRealize Automation 6.0, an additional endpoint needs to be registered using this command, which will overwrite the first command’s designation of vcac to vCAC. If your environment is 6.1 or later, skip this command:

        Vcac-Config.exe RegisterEndpoint --EndpointAddress https://<IaaS Web server or Load Balancer FQDN>/vCAC/SslCallback.aspx --Endpoint ssl -v

      • iisreset
    12. Restart the vCloud Automation Center Server service in IaaS.
    13. Restart each vRealize Automation appliance.
    14. Log in to the vRealize Automation Appliance Management page and verify that all services now show REGISTERED.
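
    The date and SAN checks that step 2 and the assumptions at the top of this article call for can be scripted from any host with OpenSSL. The following is an added example, not part of the VMware article: the function names, the 30-day default window and the sample FQDNs in the comments are assumptions, and it checks expiry and name coverage only, not chain or CRL reachability.

```shell
#!/bin/sh
# Added example (not VMware code): pre-flight certificate checks to run
# before starting the trust repair. Requires the openssl command-line tool.

# fetch_cert HOST PORT OUTFILE
# Save the certificate a live endpoint presents (for example the SSO
# server on port 7444 used in step 3) as a PEM file.
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$3"
}

# check_cert PEMFILE FQDN [MIN_DAYS]
# Returns 0 only if the certificate is still valid MIN_DAYS from now
# (default 30) and its SAN (or CN when no SAN exists) covers FQDN.
check_cert() {
    pem=$1 fqdn=$2 min_days=${3:-30}
    rc=0

    # -checkend exits non-zero when notAfter falls inside the window (seconds).
    if ! openssl x509 -in "$pem" -noout \
            -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL $fqdn: certificate expires within $min_days days" >&2
        rc=1
    fi

    # -checkhost reports "does match" or "does NOT match" on stdout;
    # test the text rather than relying on the exit status.
    if ! openssl x509 -in "$pem" -noout -checkhost "$fqdn" |
            grep -q 'does match certificate'; then
        echo "FAIL $fqdn: name not covered by the certificate SAN/CN" >&2
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK   $fqdn"
    fi
    return "$rc"
}

# Typical use (constructed host names):
#   fetch_cert sso.example.test 7444 sso.pem
#   check_cert sso.pem sso.example.test
#   check_cert iaas-web.pem iaas-lb.example.test 60
```

    Run check_cert once for every FQDN that clients use to reach a component, including load balancer names, since each of them must appear in the certificate.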

     Note: If you are using the vRealize Automation Guest Agents, you may need to import any updated certificates for the IaaS Manager Servers into each of your templates containing the Guest Agent.  For more information, see:

     

    Additional Information

    Note: Do not use the steps described in this article on VMware vRealize Automation 7.X versions.
     