Enthusiast

Installing Trusted Root Certificates on the IDM Connector fails

I'm having a problem installing Trusted Root Certificates on the IDM Connector version 19.03.

When copying/pasting the Root CA into the text box, it processes for 4-5 minutes, and after this completes we see the error:

"Not able to connect to VMware Identity Manager service. Something failed and we cannot load the screen you were about to view. You can check the logs for possible causes"

We tried:

- Rebooting the IDM connector server

- Installing a different Root CA (different format)

- Looked at the "configurator" and "connector" logs - I don't see errors that relate to this message.

We have verified that:

- The VMware Identity Manager service is running with a domain service account

- This service account is part of the local administrator group of the IDM connector server and has the logon as service permission

I think it is indeed something related to the service, but we cannot figure out what's the problem just yet.

Appreciate if someone can point me into the right direction!

img_5cbb3c3c1eb7c.png

2019-06-20 18_25_04-Zoom.png

Blog: https://arnomeijroos.com/ Twitter: @ACMeijroos
6 Replies
Contributor

I'm having a similar problem where I've installed the connector, and when I try to configure it with the activation string it's asking for a "Trusted Root CA", but we don't know what certificate it's asking for.

VMware Employee

When you create a Connector Activation Code, Access (Identity Manager) adds the configured FQDN as the target for the Connector to connect to. (The Activation Code is simply Base64 encoded; you can view it using any online Base64 decoder.)

Now when you add the Activation Code to the Connector it tries to connect to that FQDN. But the error message indicates the certificate it is being passed from the FQDN is from an untrusted source. This happens most of the time if you try to connect to the Access node FQDN, but can happen if your load balancer is not using a well-known CA.

You must collect the ROOT CA certificate and upload it into the Connector in PEM (Base64) format. If you are connecting directly to Access, you need to go to the Appliance settings and in Certificate click "self signed" to see the download link for the self-signed certificate. Alternatively you can retrieve it from your web browser when accessing Access.
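To work through the two checks in this reply offline, here is an added Python helper (not from the thread or from VMware): it decodes an activation code to find the FQDN the Connector will contact, converts a DER export to the PEM/Base64 form the Root CA field expects, and can test a live chain against a given root. The JSON layout of the decoded activation code and the sample values are assumptions.

```python
# Added example (not VMware code). Assumption: the decoded activation code
# is a JSON object with a "url" key; the sample values are constructed.
import base64
import json
import socket
import ssl
from urllib.parse import urlparse

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed sample activation code: Base64 of a small JSON payload.
SAMPLE_CODE = base64.b64encode(
    b'{"url": "https://access.example.com/SAAS"}').decode("ascii")
# Constructed DER-like bytes (ASN.1 SEQUENCE tag); not a real certificate.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"


def target_fqdn(code: str) -> str:
    """Base64-decode the activation code and return the FQDN it targets."""
    padded = code + "=" * (-len(code) % 4)  # tolerate stripped '=' padding
    payload = json.loads(base64.b64decode(padded).decode("utf-8"))
    return urlparse(payload["url"]).hostname


def to_pem(cert: bytes) -> str:
    """Return the certificate as PEM. A DER export (binary, first byte is the
    ASN.1 SEQUENCE tag 0x30) is Base64-wrapped; PEM input is normalised to LF
    line endings with anything outside the BEGIN/END block dropped."""
    text = cert.decode("ascii", errors="ignore")
    if PEM_HEADER in text and PEM_FOOTER in text:
        start = text.index(PEM_HEADER)
        end = text.index(PEM_FOOTER) + len(PEM_FOOTER)
        return text[start:end].replace("\r\n", "\n") + "\n"
    if cert[:1] == b"\x30":
        return ssl.DER_cert_to_PEM_cert(cert)  # stdlib: Base64, 64-char lines
    raise ValueError("input is neither PEM nor DER")


def chain_trusted_by(fqdn: str, root_pem: str, port: int = 443) -> bool:
    """Network check: True if the chain the FQDN presents validates using
    root_pem alone, i.e. the trust decision the Connector has to make."""
    ctx = ssl.create_default_context(cadata=root_pem)
    try:
        with socket.create_connection((fqdn, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn):
                return True
    except ssl.SSLCertVerificationError:
        return False
```

`chain_trusted_by` needs network access to the Access FQDN and is the same verdict the Connector reaches; `to_pem` is what the DER export in the later replies was missing.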

Contributor

Which certificate though? The IDM certificate or the connector certificate (I assume the IDM)? If it is the IDM, we've already exported its certificate via the browser and imported it to the connector system, but it was exported as a DER and it was added to the trusted root CA and the connector system was rebooted.

VMware Employee

The VMware Identity Manager certificate should be added into the field in Connector where it asks for the ROOT CA. It comes up directly after the Activation Code fails. You should not reboot the Connector. You might have imported the certificate wrongly. I just did this two hours ago in my home lab, and it is instantaneous.

What FQDN is in the Activation Code? Use an online Base64 decoder to read it.

VMware Employee

Here's a print screen of where you can download the self-signed certificate from VMware Identity Manager/Access.

If you don't see it, click on the Auto Generate Certificate radio button, download the cert and don't save.

Screenshot 2019-12-17 at 14.06.17.png

Contributor

Thank you for that; your instructions about copying and pasting the certificate details into the Trusted Root CA dialog are what I needed.
