VMware Support Community
JimKnopf99
Commander

Connect to vCenter

Hi all,

I have an issue while connecting to one of our vCenter systems.

I get the following error message:

Couldn't create collection task to test endpoint. -> java.lang.RuntimeException: Couldn't login the client. -> Couldn't login the client. -> Received SSO error -> The SSL certificate of STS service cannot be verified.

The vCenter server was updated and the connection was broken. So I decided to remove and re-add the connection. But the issue is still there. Any ideas what could cause this?

Thanks

Frank

If you find this information useful, please award points for "correct" or "helpful".

Accepted Solutions
HarishV
Enthusiast

Hello Frank,

“When a VC certificate is changed, Skyline won't be able to collect anymore from that VC, that's made on purpose and for security reasons. You will need to delete and add again. In this case it seems that Skyline thinks the STS server (security token service, e.g. the SSO) certificate is invalid. I'm not sure how certificates should be updated on the STS but it should be done automatically when updating the VC certificate and if that's embedded PSC. Maybe the customer did it manually and something's broken. Can you first ask on a vSphere channel because I'm not very familiar with how certificates should be updated on the VC. Maybe from there on we can decide if it's actually a Skyline problem and then debug it.”

So as per Skyline Engineering team the STS server certificate is the problem. There is no need to remove any old entries from the Skyline appliance. Just re-adding should work. We need to contact the vcenter server team again to validate if all the certs are working fine and take it from there.

I would suggest you raise a case with the VMware vCenter Server team once and get the certs validated, and then try adding the vCenter Server again.

Marking this question as correct answer due to inactivity. Please respond to this thread if the issue persists.

Sincerely Harish Venkatachalam Skyline Support Moderator

8 Replies
sri_vmware
VMware Employee

Hi Frank,

Kindly confirm if we are using external Platform Services Controller or a custom SSO domain?

To check if it is a custom SSO domain, we can run the below commands from the vCenter appliance:

cd /usr/lib/vmware-vmafd/bin
./vmafd-cli get-domain-name --server-name localhost

If we are using an external Platform Services Controller (PSC), Single-Sign On (SSO) provider or have a custom SSO domain, toggle the Use Custom SSO Configuration switch to Yes.

a. Enter the PSC/SSO server or fully-qualified domain name (FQDN) or IP address.

b. If you are using the default PSC/SSO provider configuration, you do not need to complete the Advanced Options (optional) fields.

Complete the SSO Admin URL, SSO STS URL and Lookup Service URL only if you specified a custom configuration during the deployment of PSC or SSO provider.

For additional details regarding your PSC/SSO provider configuration, please see the vCenter Server vpxd.cfg file.

In vCenter Server Appliance 6.x, the vpxd.cfg file is located at /etc/vmware-vpx/.

In Windows Server, the vpxd.cfg file is located at C:\ProgramData\VMware\VMwareVirtualCenter\vpxd.cfg.

In vCenter Server 6.0, the vpxd.cfg file is located at C:\ProgramData\VMware\vCenterServer\cfg\vmware-vpx.

For more details refer to (page 20)

https://docs.vmware.com/en/VMware-Skyline-Collector/2.1.0/VMware%20Skyline%20Collector%20Installatio...

Sincerely
Srikanth HS
Skyline Support Moderator
JimKnopf99
Commander

Hi,

We are not using an external PSC. We are using it all on the VCSA. It's a single instance.

We are using the default sso vsphere.local domain.

Therefore I think I do not have to set the advanced options.

Any other ideas?

Frank

Aditya2018
VMware Employee

Hello Frank,

The issue could also be due to the SSL certificates, if the SSL certificate is issued to the FQDN of the vCenter and you are using an IP address in the configuration page of Collector.

Check the SSL certificates of the vCenter and use the name/address the SSL certificate has been issued to; you should then be able to connect to vCenter.

Sincerely, Aditya Gottumukkala Skyline Skyline Moderator VMware Inc
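
Added example (not part of the reply above and not VMware code): a sketch of the name check that reply describes, showing why an address typed as an IP fails against a certificate issued only to an FQDN. It assumes the certificate has already been decoded into the dict shape Python's ssl.SSLSocket.getpeercert() returns; the host name and IP address are constructed placeholders.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
# Names and addresses are placeholders, not values from this thread.
FQDN_ONLY_CERT = {"subjectAltName": (("DNS", "vcsa01.example.local"),)}
FQDN_AND_IP_CERT = {
    "subjectAltName": (("DNS", "vcsa01.example.local"), ("IP Address", "192.0.2.10")),
}


def dns_match(pattern, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def address_matches_cert(cert, address):
    """Return (ok, reason) for the address entered in the client configuration."""
    sans = cert.get("subjectAltName", ())
    covered = ", ".join(value for _, value in sans) or "no SAN entries"
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with IP SAN entries, never with DNS names.
        if any(k == "IP Address" and ipaddress.ip_address(v) == ip for k, v in sans):
            return True, "IP address is listed in the certificate"
        return False, f"{address} is not an IP SAN; certificate covers: {covered}"
    if any(k == "DNS" and dns_match(v, address) for k, v in sans):
        return True, "DNS name is listed in the certificate"
    return False, f"{address} is not a DNS SAN; certificate covers: {covered}"


if __name__ == "__main__":
    for cert in (FQDN_ONLY_CERT, FQDN_AND_IP_CERT):
        for addr in ("vcsa01.example.local", "vcsa01", "192.0.2.10"):
            print(addr, address_matches_cert(cert, addr))
```

The reason string lists the names the certificate does cover, which is the value to enter in the client configuration.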
JimKnopf99
Commander

Hi,

I tried to use both IP and FQDN, but neither is working.

Frank

sri_vmware
VMware Employee

Hi Frank,

Kindly share email address and phone number with us on VMware Skyline Community - Smartsheet.com so we can connect and address the issue.

Sincerely
Srikanth HS
Skyline Support Moderator
JimKnopf99
Commander

Sorry for my late response. I have sent you the smartsheet.

Thanks

Frank

HarishV
Enthusiast

Hello Frank,

I have sent an email to the email-ID which was updated on the smart sheet.

Sincerely Harish Venkatachalam Skyline Support Moderator