VMware Cloud Community
NEXThink
Contributor

Repointing SSO domain to new domain fails on "Authz Data export"

Hello community,

I am trying to simply change the SSO domain of my vCenter 6.7 U3 6.7.45000 without replication partner.

When executing the domain repoint as follows:

#cmsso-util domain-repoint -m execute --src-emb-admin Administrator --dest-domain-name vsphere.local

The process fails on the Authz data export.

After checking the logs, I can see in /var/log/vmware/cloudvm/domain_data_export.log the following error:

############ domain_data_export.log #####################

2020-08-31T12:52:17.812Z [main DEBUG com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] Sending SOAP request to the STS server
2020-08-31T12:52:17.860Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the list of client-trusted certificates
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317)
  at sun.security.validator.Validator.validate(Validator.java:262)
  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:235)

.................................

2020-08-31T12:52:17.865Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the client-trusted thumbprint
2020-08-31T12:52:17.880Z [main ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] The SSL certificate of STS service cannot be verified
com.vmware.vim.sso.client.impl.ssl.UntrustedSslCertificateException: The SSL certificate of STS service cannot be verified
  at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.validateServerIdentityWithThumbprint(StsSslTrustManager.java:227)
  at com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager.checkServerTrusted(StsSslTrustManager.java:125)

######################################################

This happens with custom certificates and default VMware certificates.

Any ideas from the community?

Thank you


Accepted Solutions
msripada
Virtuoso

I believe this is due to the trust anchor mismatch explained in the KB https://kb.vmware.com/s/article/2121689?lang=en_US

VMware Knowledge Base https://ikb.vmware.com/s/article/2121689

I suggest opening an SR, validating the SSL mismatch issues on the vCenter Server, and trying the domain repoint

thanks,

MS

scott28tt
VMware Employee

Moderator: Thread moved to the vCenter Server area.


-------------------------------------------------------------------------------------------------------------------------------------------------------------

Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
NEXThink
Contributor

Thank you, indeed the anchors were the problem.

Thanks a lot for your help, best community ever!!!

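
In the log excerpt from the question, the STS client tries two checks in turn (the client-trusted certificate list, then the client-trusted thumbprint) before it logs the ERROR. A small triage script for that sequence, as an added example that is not part of the original thread and not VMware code; the names `triage`, `CHECKS` and `SAMPLE` are this example's own, and the sample lines are copied from the excerpt above with most stack frames omitted:

```python
import re

# Entry header format as seen in the domain_data_export.log excerpt in the question.
ENTRY = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z) \[(?P<thread>\S+) (?P<level>[A-Z]+) "
    r"(?P<logger>\S+) opId=(?P<opid>[^\]]*)\] (?P<msg>.*)$"
)
# Message fragments taken from the same excerpt, one per trust check.
CHECKS = {
    "trusted-certificate list": "against the list of client-trusted certificates",
    "trusted thumbprint": "against the client-trusted thumbprint",
}
FATAL = "The SSL certificate of STS service cannot be verified"


def triage(lines):
    """Return one finding per fatal STS trust error, with the checks that failed before it."""
    findings, failed, causes = [], [], []
    for line in lines:
        m = ENTRY.match(line)
        if m is None:
            # Continuation line: keep exception class names, skip "at ..." stack frames.
            text = line.strip()
            if failed and "Exception" in text and not text.startswith("at "):
                causes.append(text.split(":", 1)[0])
            continue
        msg = m["msg"]
        check = next((name for name, frag in CHECKS.items() if frag in msg), None)
        if check:
            failed.append(check)
        elif m["level"] == "ERROR" and msg.startswith(FATAL):
            findings.append({"time": m["ts"], "failed_checks": failed, "causes": causes})
            failed, causes = [], []
    return findings


SAMPLE = """\
2020-08-31T12:52:17.812Z [main DEBUG com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] Sending SOAP request to the STS server
2020-08-31T12:52:17.860Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the list of client-trusted certificates
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450)
2020-08-31T12:52:17.865Z [main DEBUG com.vmware.vim.sso.client.impl.ssl.StsSslTrustManager opId=] The SSL certificate of STS service cannot be verified against the client-trusted thumbprint
2020-08-31T12:52:17.880Z [main ERROR com.vmware.vim.sso.client.impl.SoapBindingImpl opId=] The SSL certificate of STS service cannot be verified
com.vmware.vim.sso.client.impl.ssl.UntrustedSslCertificateException: The SSL certificate of STS service cannot be verified
""".splitlines()

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

A finding that lists both checks means the certificate presented by the STS endpoint matched neither the certificates nor the thumbprint the client had on record.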