Folks, I'm possibly doing something unbelievably daft, but at my second attempt to install VCAC as a minimal footprint I'm running into the same problem again.
SSO, AD, NTP etc. all went through without error. I've got as far as installing the license on the VCAC appliance, in the order specified in the install guide, and find that I can't open https://vcac-ca.domain.name/shell-ui-app. I get HTTP status 404 - requested resource not available.
Using the troubleshooting guide leaves me a little confused (I'm not a Linux admin).
"You can also check the status of the services under the SSO tab in the vCloud Automation Center console or log in to the appliance and run
tail -f /var/vcac/log/catalina"
I'm assuming these are typos in the online docs, as I have found /var/log/vcac/catalina.out. Not sure what I'm looking for in here to determine problems. All the services within the admin console display as REGISTERED.
Could someone point me in the right direction please? Thanks
This particular error is resolved. VMware support got back to me very quickly and ran through the configs page by page until we found the problem. Embarrassingly user error on my part on the second install :smileyblush:
I've subsequently checked through my build diary for each step - on the first attempt which failed (and there weren't 18 services registered, SSL errors etc amongst others dooming it to failure) I had been sure to append :7444 to the hostname in the virtual identity appliance host settings. The port addition wasn't present in my current config and my notes suggested I failed to add it on the second attempt. Different problems on each attempt and the second was avoidable.
As the vCAC appliance had connected successfully to the virtual appliance with SSO status connected during that stage of the config I'd incorrectly assumed SSO config was ok and didn't properly retrace my steps. Adding the port and rebooting both, the shell-ui-app page is available after 15 minutes. Very prompt turn around of an SR from VMware support (Thanks Sandra)
When you log in to the vCAC Appliance, how many services are you seeing as installed? I had a few issues where I was only seeing about 10 services installed for whatever reason. I found that there really needs to be 18 installed, especially the "SHELL-UI-APP" one for your web page etc. to work. I went through a reinstall a couple of times and eventually it worked.
Bottom line - how many services are started and does it look something like this?
Thanks for taking time to post MyWorkOne. I do have the same services listed, all registered except for sts-service like your attached image. Interesting that yours lists 19 as registered and mine is 18. I have the 18 your image lists - where's #19?
I've tried IE and Firefox, error trying to access shell-ui-app page is "VMware vFabric tc Runtime -Error Report The requested resource is not available".
My initial install also only seemed to register 10 services (amongst other problems) so maybe I'll have to try for third time lucky.
Thank you for posting this, I was having the exact problem.
Hi all! I have almost the same problem.
All services work fine.
When I open shell-ui-app page - it redirects me to vCloud Identity appliance site with the address: https://vcac-identity.vmware.vcloud/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVVdb9MwFP0r
Why does it redirect?
Any suggestions?
That's part of the SAML spec. You get redirected to the SSO appliance to get a token before being sent back to the vCAC interface. You'll have the same problem as the original poster, since your URL should look like https://vcac-identity.vmware.vcloud:7444/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVVdb9MwFP0r
Log in to https://vcac-identity.vmware.vcloud:5480 > hostname and set it to vcac-identity.vmware.vcloud:7444
Now log in to your vCAC appliance and reregister against SSO.
Grant
Thank you a lot! I didn't read the guide carefully.
I have the same problem when attempting to connect to the default tenant shell-ui-app interface. Firefox displays the following message: Firefox can't establish a connection to the server at tlab-vc-01.testlab.com:7444.
I've checked my SSO config on the vCAC appliance and all looks fine (port :7444 exists and connection has been established). All services are REGISTERED with the exception of STSService, although I'm not sure if that is correct or not as others have displayed the same thing.
/var/log/vmware/vcac/catalina.out shows the following errors:
2014-07-09 07:34:05,499 [tomcat-http--29] [authentication] ERROR com.vmware.vcac.platform.rest.client.support.RetriableOperation.call:66 - Exception thrown is unexpected during retry operation.
2014-07-09 07:34:05,503 [tomcat-http--29] [authentication] ERROR com.vmware.vcac.authentication.service.impl.AuthenticationMessageNotificationServiceImpl.loadServiceInfoAndRegisterSolutionUserForTenants:58 - Registered service with serviceInfoId [dce760fa-4ef5-4c3b-9a6e-7e2d7c675ca1] of serviceType [com.vmware.cis.core.sso] can't be registered with existing tenants.
com.vmware.vim.sso.client.exception.ServerCommunicationException: Error communicating to the remote server https://tlab-vc-01.testlab.com:7444/sts/STSService/vsphere.local
I'm not sure what to make of the "can't be registered with existing tenants." message. Seems to indicate there is a problem with the tenants present, but without being able to login to vCAC I can't check.
Error communicating to the remote server https://tlab-vc-01.testlab.com:7444/sts/STSService/vsphere.local
Can you check if the Identity Appliance is working fine?
Lepob, are you using the Identity Appliance or vCenter SSO? From your SSO hostname I'm inclined to think it's vCenter. If it is vCenter 5.5U1 then there is a known issue with the registration.
Are you seeing the following in your logs?
JAXP00010001: The parser has encountered more than "100" entity expansions in this document; this is the limit imposed by the JDK.
Also, is this a new build or are you having problems connecting where before it was working?
Grant
Thanks for your reply.
I'm using vSphere SSO not the identity appliance and yes I think SSO is working. I was seeing me errors in the SSO log so I followed this http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=205879... which solved that problem. I'm now seeing different errors but I don't think they're responsible for the sso communication problem. I noticed the timezone was incorrectly set on vCAC but that hasn't made any difference either. I'm also no longer seeing the "communications failure message"
When I try to log in to the shell-ui-app URL I still get the same message: "Unable to connect - Firefox can't establish a connection to the server at tlab-vc-01.testlab.com:7444." and the logs produce this:
catalina.out
2014-07-10 12:45:22,900 [tomcat-http--57] [shell-ui] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.getRequestUrl:158 - Producing redirect url
2014-07-10 12:45:22,917 [tomcat-http--57] [shell-ui] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.createRenewable:282 - Added Renewable condition
2014-07-10 12:45:22,918 [tomcat-http--57] [shell-ui] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.createDelegable:290 - Added Delegable condition
2014-07-10 12:45:22,920 [tomcat-http--57] [shell-ui] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.getRequestUrl:245 - Destination URL: https://tlab-vc-01.testlab.com:7444/websso/SAML2/SSO/vsphere.local
2014-07-10 12:45:22,943 [tomcat-http--57] [shell-ui] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.getRequestUrl:256 - Redirect URL: https://tlab-vc-01.testlab.com:7444/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVVdb9owFP0ryO%2BJkzS...
2014-07-10 12:45:22,944 [tomcat-http--57] [shell-ui] INFO com.vmware.identity.websso.client.MessageStoreImpl.add:221 - New MessageStore entry added:%s , store size: %s
^C
messages
2014-07-10T12:45:22.911818+01:00 tlab-vcac-01 cafe-shell: 2014-07-10 12:45:22,900 [tomcat-http--57] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.getRequestUrl:158 - Producing redirect url
2014-07-10T12:45:22.918550+01:00 tlab-vcac-01 cafe-shell: 2014-07-10 12:45:22,917 [tomcat-http--57] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.createRenewable:282 - Added Renewable condition
2014-07-10T12:45:22.919895+01:00 tlab-vcac-01 cafe-shell: 2014-07-10 12:45:22,918 [tomcat-http--57] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.createDelegable:290 - Added Delegable condition
2014-07-10T12:45:22.920724+01:00 tlab-vcac-01 cafe-shell: 2014-07-10 12:45:22,920 [tomcat-http--57] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.getRequestUrl:245 - Destination URL: https://tlab-vc-01.testlab.com:7444/websso/SAML2/SSO/vsphere.local
2014-07-10T12:45:22.944440+01:00 tlab-vcac-01 cafe-shell: 2014-07-10 12:45:22,943 [tomcat-http--57] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.getRequestUrl:256 - Redirect URL: https://tlab-vc-01.testlab.com:7444/websso/SAML2/SSO/vsphere.local?SAMLRequest=zVVdb9owFP0ryO%2BJkzS......
2014-07-10T12:45:22.945763+01:00 tlab-vcac-01 cafe-shell: 2014-07-10 12:45:22,944 [tomcat-http--57] INFO com.vmware.identity.websso.client.MessageStoreImpl.add:221 - New MessageStore entry added:%s , store size: %s
^C
vmware-sts-idmd.log
2014-07-10 12:40:38,428 INFO [IdentityManager] Authentication succeeded for user [administrator@TESTLAB] in tenant [vsphere.local] in [104] milliseconds
2014-07-10 12:40:38,935 INFO [IdentityManager] Authentication succeeded for user [administrator@TESTLAB] in tenant [vsphere.local] in [98] milliseconds
2014-07-10 12:41:09,608 INFO [IdentityManager] Authentication succeeded for user [administrator@testlab.com] in tenant [vsphere.local] in [100] milliseconds
2014-07-10 12:41:39,446 INFO [IdentityManager] Authentication succeeded for user [administrator@TESTLAB] in tenant [vsphere.local] in [112] milliseconds
2014-07-10 12:41:39,998 INFO [IdentityManager] Authentication succeeded for user [administrator@TESTLAB] in tenant [vsphere.local] in [96] milliseconds
2014-07-10 12:42:40,568 INFO [IdentityManager] Authentication succeeded for user [administrator@TESTLAB] in tenant [vsphere.local] in [235] milliseconds
2014-07-10 12:42:41,085 INFO [IdentityManager] Authentication succeeded for user [administrator@TESTLAB] in tenant [vsphere.local] in [150] milliseconds
2014-07-10 12:43:41,519 INFO [IdentityManager] Authentication succeeded for user [administrator@TESTLAB] in tenant [vsphere.local] in [123] milliseconds
I've attached /var/log/messages and /var/log/vcac/catalina.out and C:\ProgramData\VMware\CIS\logs\vmware-sso\vmware-sts-idmd.log
Thanks for your reply. You are quite right I am using the VC SSO instead of the appliance. vCenter is also at 5.5 U1. Which logs are you referring to? I don't see anything like that in /var/log/vcac/catalina.out
It is a new build but it has been working. I installed it following Kendrick Coleman's excellent guide (http://www.kendrickcoleman.com/index.php/Tech-Blog/how-to-install-vcloud-automation-center-vcac-60-p...) and it worked a treat. The only thing I would say is that the IIS server seemed a little flaky. I would get the odd "page not displayed" messages (or something along those lines) on some frames on the vCAC UI. A restart of IIS on the IaaS server would sort that out. It just stopped working and I haven't been able to log in since.
GrantOrchardVMware wrote:
Lepob, are you using the Identity Appliance or vCenter SSO? From your SSO hostname I'm inclined to think it's vCenter. If it is vCenter 5.5U1 then there is a known issue with the registration.
Are you seeing the following in your logs?
JAXP00010001: The parser has encountered more than "100" entity expansions in this document; this is the limit imposed by the JDK.
Also, is this a new build or are you having problems connecting where before it was working?
Grant
vCAC is working fine. I deployed the identity appliance and when I couldn't connect to that I realised it was my desktop that couldn't connect to the SSO, not vcac. Turns out my friendly internal support people had switched my view desktop to a different vlan - one that did not have port 7444 open in the firewall to the testlab! Oh hum - there goes 2 days work down the swannee.
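
Added example, not part of the original thread or VMware's tooling: both root causes found above (the SSO host saved without :7444, and a client VLAN with port 7444 blocked) can be checked from the "Destination URL" lines that catalina.out logs. The sample log lines are constructed in the format shown in this thread, and the function names are hypothetical.

```python
import re
import socket
from urllib.parse import urlsplit

# Constructed sample lines, in the format of the catalina.out excerpts in this thread.
SAMPLE_LOG = """\
2014-07-10 12:45:22,920 [tomcat-http--57] [shell-ui] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.getRequestUrl:245 - Destination URL: https://tlab-vc-01.testlab.com:7444/websso/SAML2/SSO/vsphere.local
2014-07-10 12:50:01,113 [tomcat-http--12] [shell-ui] INFO com.vmware.identity.websso.client.endpoint.SsoRequestSender.getRequestUrl:245 - Destination URL: https://vcac-identity.vmware.vcloud/websso/SAML2/SSO/vsphere.local
"""

DEST_RE = re.compile(r"SsoRequestSender\.getRequestUrl:\d+ - Destination URL: (\S+)")
EXPECTED_PORT = 7444  # SSO port used throughout this thread


def sso_destinations(log_text):
    """Return unique (host, port_or_None, url) tuples for each SSO redirect target logged."""
    seen, out = set(), []
    for m in DEST_RE.finditer(log_text):
        parts = urlsplit(m.group(1))
        key = (parts.hostname, parts.port)
        if key not in seen:
            seen.add(key)
            out.append((parts.hostname, parts.port, m.group(1)))
    return out


def check_destination(port):
    """Classify a redirect target's port: 'missing-port', 'unexpected-port' or 'ok'."""
    if port is None:
        return "missing-port"  # an https URL without a port sends the browser to 443
    return "ok" if port == EXPECTED_PORT else "unexpected-port"


def reachable(host, port, timeout=3.0):
    """TCP connect test; run it on the machine whose browser follows the redirect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or name not resolvable
        return False


if __name__ == "__main__":
    for host, port, url in sso_destinations(SAMPLE_LOG):
        verdict = check_destination(port)
        line = f"{url}: {verdict}"
        if verdict == "ok":
            line += f", reachable from here: {reachable(host, port)}"
        print(line)
```

Run the reachability check from the workstation as well as from the appliance: the browser, not vCAC, follows the SAML redirect, so a firewall between the desktop and the SSO host produces the "Unable to connect" error even when the appliance shows SSO as connected.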
