
ESX Agent Manager solution user fails to log in after replacing the vCenter Server certificates in vSphere 6.0 (2112577)

Symptoms

After replacing certificates on vCenter Server, you experience these symptoms:
  • ESX Agent Manager solution user fails to log in.
  • In the /var/log/vmware/eam/eam.log file or the C:\ProgramData\VMware\vCenterServer\logs\eam\eam.log file for the ESX Agent Manager (EAM), you see entries similar to:
YYYY-MM-DDTHH:MM:SS.MSZ |  INFO | eam-0 | VcConnection.java | 167 | Connecting to vCenter as com.vmware.vim.eam extension
YYYY-MM-DDTHH:MM:SS.MSZ |  INFO | eam-0 | VcConnection.java | 603 | Connecting to https://vCenter_Server_FQDN:8089/sdk/vimService via vCenter proxy http://localhost:80
YYYY-MM-DDTHH:MM:SS.MSZ | DEBUG | http-bio-0.0.0.0-15005-exec-1 | AllowAllSamlTokenPolicy.java | 24 | HealtStatus request's token subject name: machine-7502fb4c-3521-48c7-93ed-3d1865e0fff1, subject domain: vsphere.local
YYYY-MM-DDTHH:MM:SS.MSZ | ERROR | eam-0 | VcConnection.java | 179 | Failed to login to vCenter as extension. vCenter has probably not loaded the EAM extension.xml yet.: Cannot complete login due to an incorrect user name or password.
YYYY-MM-DDTHH:MM:SS.MSZ |  WARN | eam-0 | VcListener.java | 114 | Trying to recover from error
(vim.fault.InvalidLogin) {
  faultCause = null,
  faultMessage = null
}
 at sun.reflect.GeneratedConstructorAccessor82.newInstance(Unknown Source)
 at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(Unknown Source)
 at java.lang.reflect.Constructor.newInstance(Unknown Source)
 at java.lang.Class.newInstance(Unknown Source)
 at com.vmware.vim.vmomi.core.types.impl.ComplexTypeImpl.newInstance(ComplexTypeImpl.java:173)
 at com.vmware.vim.vmomi.core.types.impl.DefaultDataObjectFactory.newDataObject(DefaultDataObjectFactory.java:26)
 at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.ComplexStackContext.<init>(ComplexStackContext.java:31)
 at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl$UnmarshallSoapFaultContext.parse(UnmarshallerImpl.java:141)
 at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl$UnmarshallSoapFaultContext.unmarshall(UnmarshallerImpl.java:102)
 at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl.unmarshalSoapFault(UnmarshallerImpl.java:89)
 at com.vmware.vim.vmomi.core.soap.impl.unmarshaller.UnmarshallerImpl.unmarshalSoapFault(UnmarshallerImpl.java:84)
 at com.vmware.vim.vmomi.client.common.impl.SoapFaultStackContext.setValue(SoapFaultStackContext.java:41)
 at com.vmware.vim.vmomi.client.common.impl.ResponseUnmarshaller.unmarshal(ResponseUnmarshaller.java:112)
 at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.unmarshalResponse(ResponseImpl.java:273)
 at com.vmware.vim.vmomi.client.common.impl.ResponseImpl.setResponse(ResponseImpl.java:230)
 at com.vmware.vim.vmomi.client.http.impl.HttpExchangeBase.parseResponse(HttpExchangeBase.java:144)
 at com.vmware.vim.vmomi.client.http.impl.HttpExchange.run(HttpExchange.java:51)
 at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingBase.executeRunnable(HttpProtocolBindingBase.java:186)
 at com.vmware.vim.vmomi.client.http.impl.HttpProtocolBindingImpl.send(HttpProtocolBindingImpl.java:77)
 at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.sendCall(MethodInvocationHandlerImpl.java:581)
 at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl$CallExecutor.executeCall(MethodInvocationHandlerImpl.java:562)
 at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.completeCall(MethodInvocationHandlerImpl.java:348)
 at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invokeOperation(MethodInvocationHandlerImpl.java:308)
 at com.vmware.vim.vmomi.client.common.impl.MethodInvocationHandlerImpl.invoke(MethodInvocationHandlerImpl.java:182)
 at com.sun.proxy.$Proxy48.loginExtensionByCertificate(Unknown Source)
 at com.vmware.eam.vc.VcConnection.connectEam(VcConnection.java:171)
 at com.vmware.eam.vc.VcListener.login(VcListener.java:149)
 at com.vmware.eam.vc.VcListener.main(VcListener.java:129)
 at com.vmware.eam.vc.VcListener.call(VcListener.java:111)
 at com.vmware.eam.vc.VcListener.call(VcListener.java:60)
 at com.vmware.eam.async.impl.AuditedJob.call(AuditedJob.java:35)
 at com.vmware.eam.async.impl.FutureRunnable.run(FutureRunnable.java:52)
 at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
 at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
 at java.lang.Thread.run(Unknown Source)
YYYY-MM-DDTHH:MM:SS.MSZ |  INFO | eam-0 | VcListener.java | 121 | Retrying in 10

Note: The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
  • Unable to deploy VIBs to your ESXi hosts from NSX for vSphere or vCloud Networking and Security.
  • vCenter Server experiences high CPU usage.

Cause

After replacing the solution user certificates on vCenter Server, the EAM service is not aware of the new certificate and is unable to log in.

Resolution

This issue is resolved in vCenter Server 6.0 Update 1b, available at VMware Downloads. For more information, see the VMware vCenter Server 6.0 Update 1b Release Notes.

To work around this issue in previous versions, update the extension's certificate with vCenter Server.

To update the extension's certificate:

On vCenter Server for Windows:
  1. Connect to vCenter Server through a console or Remote Desktop session.
  2. Open an elevated command prompt.
  3. Create a temporary directory named c:\certificate.
  4. Run these commands to retrieve the vpxd-extension solution user certificate and key:

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output c:\certificate\vpxd-extension.crt

    "%VMWARE_CIS_HOME%"\vmafdd\vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output c:\certificate\vpxd-extension.key


  5. Navigate to C:\Program Files\VMware\vCenter Server\vpxd\scripts:

    cd C:\Program Files\VMware\vCenter Server\vpxd\scripts

    Note: The path listed is for a default install of vCenter Server. If you have customized the install location of vCenter Server, change the directory accordingly.

  6. Run this command to update the extension's certificate with vCenter Server:

    "%VMWARE_PYTHON_BIN%" updateExtensionCertInVC.py -e com.vmware.vim.eam -c C:\Certificate\vpxd-extension.crt -k C:\Certificate\vpxd-extension.key -s localhost -u Administrator@domain.local

    Note: The default user and domain is Administrator@vsphere.local. If this was changed during configuration, change the domain to match your environment.

  7. When prompted, enter the Administrator@domain.local password.
  8. Navigate to the C:\Program Files\VMware\vCenter Server\bin folder:

    cd C:\Program Files\VMware\vCenter Server\bin

  9. Restart the VMware ESX Agent Manager service with these commands:

    service-control --stop EsxAgentManager

    service-control --start EsxAgentManager

    For more information on managing services in the vCenter Server Appliance, see Stopping, starting, or restarting VMware vCenter Server Appliance 6.0 services (2109887).

On the vCenter Server Appliance:
  1. Log in to the vCenter Server Appliance using SSH.
  2. Run this command to enable access to the Bash shell:

    shell.set --enabled true

  3. Type shell and press Enter.
  4. Run these commands to create a temporary directory and retrieve the vpxd-extension solution user certificate and key:

    mkdir /certificate

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getcert --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.crt

    /usr/lib/vmware-vmafd/bin/vecs-cli entry getkey --store vpxd-extension --alias vpxd-extension --output /certificate/vpxd-extension.key


  5. Run this command to update the extension's certificate with vCenter Server:

    python /usr/lib/vmware-vpx/scripts/updateExtensionCertInVC.py -e com.vmware.vim.eam -c /certificate/vpxd-extension.crt -k /certificate/vpxd-extension.key -s localhost -u Administrator@domain.local

    Note: The default user and domain is Administrator@vsphere.local. If this was changed during configuration, change the domain to match your environment. When prompted, type in the Administrator@domain.local password.

  6. Restart the VMware ESX Agent Manager service with these commands:

    service-control --stop vmware-eam

    service-control --start vmware-eam

    For more information on managing services in the vCenter Server, see Stopping, starting, or restarting VMware vCenter Server 6.0 services (2109881).
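
Both procedures export the vpxd-extension private key to a plain directory and do not remove it afterwards. The following added example (not part of the VMware article; the function names are hypothetical, and it assumes openssl and GNU stat are available on the appliance and that the solution user key is RSA) creates the export directory with owner-only access, confirms that the exported certificate and key are a pair before they are passed to updateExtensionCertInVC.py, and deletes the exported copies once the update is done:

```shell
#!/bin/bash
# Added example, not VMware's code. Assumes openssl and GNU stat are on PATH
# and that the vpxd-extension solution user key is RSA.

# Create the export directory so that only its owner can read what is written there.
make_export_dir() {  # $1 = directory, e.g. /certificate
    ( umask 077 && mkdir -p "$1" ) && chmod 700 "$1"
}

# Print "Modulus=<hex>" for a certificate (x509) or an RSA private key (rsa).
modulus_of() {  # $1 = x509|rsa, $2 = PEM file
    openssl "$1" -in "$2" -noout -modulus 2>/dev/null
}

# Succeed only when the certificate and the private key belong together.
pair_matches() {  # $1 = certificate, $2 = private key
    local c k
    c=$(modulus_of x509 "$1") || return 1
    k=$(modulus_of rsa "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeed only when group and other have no permission bits on the key file.
key_is_private() {  # $1 = private key file
    local mode
    mode=$(stat -c '%a' "$1") || return 1
    case "$mode" in *00) return 0 ;; *) return 1 ;; esac
}

# Delete the exported copies once the extension certificate has been updated.
remove_export() {  # $1 = export directory
    rm -f "$1/vpxd-extension.key" "$1/vpxd-extension.crt" && rmdir "$1"
}

# Order of use around the KB steps (paths as in the article):
#   make_export_dir /certificate        # in place of a bare mkdir
#   ... vecs-cli entry getcert / getkey as in step 4 ...
#   chmod 600 /certificate/vpxd-extension.key
#   pair_matches /certificate/vpxd-extension.crt /certificate/vpxd-extension.key \
#       && key_is_private /certificate/vpxd-extension.key
#   ... updateExtensionCertInVC.py and the service restart as in steps 5 and 6 ...
#   remove_export /certificate
```

If pair_matches fails, the two files did not come from the same VECS entry and should not be passed to the update script.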

Tags

SSL, NSX, EAM
