bdamian
Expert

vRA7 - Identity Stores

How do I need to manage new users on Identity Stores with vRA7?

In vRA6, when I create a user in Active Directory it becomes usable automatically in Automation, but with vRA7 I need to "resync" the Identity Store before I can use the new user. Is there any way to set up Active Directory to work as in vRA6?

If I look for the Identity Store using Orchestrator API (to try a forced sync), the Action "getIdentityStoresFromHost" gives me the following error:

Error in (Dynamic Script Module name : getIdentityStoresFromHost#0) Can not perform request to the SSO server. Please contact your System Administrator.

But the SSO server is no longer present in vRA7. How can I force an Active Directory sync?

Thanks a lot,

D.

Damián Bacalov
vExpert 2017-2018-2019-2020-2021
https://www.linkedin.com/in/damianbacalov/
twitter @bdamian
21 Replies
bdamian
Expert

More information:

If I perform a GET to the following URL (with appropriate credentials):

vraHost/identity/api/tenants/{tenantId}/directories

The API returns the following error:

{
  "errors": [
    {
      "code": 90132,
      "message": "Can not perform request to the SSO server. Please contact your System Administrator.",
      "systemMessage": "90132-Can not perform request to the SSO server. Please contact your System Administrator.",
      "moreInfoUrl": null
    }
  ]
}

Is the API outdated?

D.

gradinka
VMware Employee

Hi there

I think the API should be valid... it's worth looking into the "/var/log/vmware/vcac/catalina.out" file on the vRA appliance and see if there is any error thrown at the time of your request execution.

The 90132 error is quite a generic one and it doesn't tell anything specific.

GrantOrchardVMw
Commander

It would appear that you can list directories with /api/tenants/{tenantId}/directories, and a PUT to /api/tenants/{tenantId}/directories/connectivity validates connectivity, but I can't see a way to initiate a sync in the documentation.

Grant

Grant http://grantorchard.com
bdamian
Expert

Hi Grant,

I see no difference between the vRA7 API and the vRA6 API. The call to /api/tenants/{tenantId}/directories is for SSO only. Like I said in a previous message, in vRA7 it gives me the error "cannot connect to SSO server".

I can see that the part of vRA7 that shows the Directories is an Iframe from Identity Manager, and looking at the network calls I found the Identity Manager API. This is the URL to see the Directories:

/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/ba7a94d5-5316-4a66-a6c1-56e2958a3302/syncprofile (returns a JSON string)

where "ba7a94d5-5316-4a66-a6c1-56e2958a3302" is the ID of the Directory. But I can not find a way to authenticate myself to the API to make that call.

Now the question is, how can I log in into the Identity Manager API?

How can I get either the OAuth2 Token (what vRO asks for in the HTTP-REST plugin) or the JWT ({"typ":"JWT","alg":"RS256"}) token that I can see as a cookie in the network call?

I have a fully orchestrated environment and, if I can't sync the directory after a user creation in Active Directory, the vRA7 upgrade becomes unviable.

Thanks a lot,

D.

GrantOrchardVMw
Commander

Interesting. I can get as far as /api/tenants/vsphere.local but that's it. Let me see if I can get someone a little more useful onto this thread for you.

As a side note, that API call *should* be the same, and we abstract the endpoint away. You should be able to make that call to vRA and have the identity service respond regardless of whether it is SSO under the covers or vIDM.

Grant

Alexander_Dimi1
Hot Shot

If you update an Identity Store via the vRA API it will automatically trigger a sync of the directory in the background.

Here are the steps to do so.

1. Get vRA token for *tenant administrator*.

POST /api/tokens

{
  "username" : "...",
  "password" : "...",
  "tenant" : "..."
}

This will return you a vRA token in the form of:

{
  "expires" : "...",
  "id" : "...",
  "tenant" : "..."
}

Note: This is not an OAuth2 token so it cannot be used to call vIDM APIs. It can only be used for vRA API calls.

2. Using this token get the directory you are interested in

GET https://{vraHost}/api/tenants/{tenantId}/directories/{id}

The id here is the domain of the directory.

3. Update the same directory without making any changes.

PUT https://{vraHost}/api/tenants/{tenantId}/directories/{id}, with the payload you received on step 1.

This will trigger the sync in the background. It will be an async sync so the PUT will return without waiting for the sync to complete.

Now you should use

GET /api/tenants/{tenantId}/directories/{id}/status, to check when the sync has completed. It will return a JSON in the form of:

{
  "syncStatus" : {
    "status" : "COMPLETED",
    "message" : "..."
  }
}

In case you are not able to do

GET https://{vraHost}/api/tenants/{tenantId}/directories/{id}, then please check in the catalina.out what is the exception message.

Let me know if this works or if you have further questions.

bdamian
Expert

Hi Alexander,

Thanks for your care, but this is not correct. As I said before, I have a new clean installation of vRA7. By default, it uses vIDM. I've configured a Directory pointing to my AD.

The API calls you mention work just fine with my vRA 6.2.1 with SSO. But when I try them against vRA7 with vIDM I get the following error making a GET to the API call "/identity/api/tenants/cliente.l3/directories":

{
  "errors": [
    {
      "code": 90132,
      "message": "Can not perform request to the SSO server. Please contact your System Administrator.",
      "systemMessage": "90132-Can not perform request to the SSO server. Please contact your System Administrator.",
      "moreInfoUrl": null
    }
  ]
}

It clearly says that it cannot make a request to the SSO. This means that the API is the same as in vRA 6.2.1 and does not "talk" with vIDM.

This is what I see in the appliance console, Update TAB:

Update Status

Vendor:    VMware Inc.
Appliance Name:    VMware vRealize Appliance
Appliance Version: 7.0.0.1460 Build 3311738

No update is available

Last Check: Tuesday, 2016 January 12 10:40:37 UTC-3

As I said, I need the vIDM documentation. Actually, I only need a way to authenticate myself to the API because I know all the calls I need to make.

Thanks for your help.

D.

Alexander_Dimi1
Hot Shot

GET "/identity/api/tenants/cliente.l3/directories" works in vRA7.0

The error message is something left from 6.2.x days, but it doesn't mean the API is deprecated.

It would be good to understand what is causing the failure. Can you upload or send me a support bundle to take a look at the logs?

The vIDM API that triggers the sync is something like:

POST /SAAS/jersey/manager/api/connectormanagement/directoryconfigs/f4019505-5167-4be4-bac6-6003bc57abc5/syncprofile/sync

but uses the internal UUID identifier for the directory

This UUID is not exposed by vRA API, but I guess it will be possible to fetch from vIDM API.

I will try to fetch vIDM documentation for their APIs.

bdamian
Expert

Hi Alexander

I don't understand, I have a clean new installation of vRA7. It is not an upgrade and there is no update available (so it is the latest version available). And the call doesn't work in my lab. What can I possibly have done wrong to get an error that you don't get in your lab? Are you trying with a newer version?

In my lab, catalina.out shows exactly the same error I mention before:

2016-01-12 13:57:56,683 vcac: [component="cafe:identity" priority="WARN" thread="tomcat-http--29" tenant="vsphere.local" context="" token=""] com.vmware.vcac.platform.service.rest.resolver.RestApplicationExceptionHandlerResolver.logException:189 - Handler execution resulted in exception: 90132-Can not perform request to the SSO server. Please contact your System Administrator.

I can show you screenshots of the Directory configuration, but it is working using the vRA7 interface so I guess that is not the problem.

Please tell me what I can upload for you.

By the way, can you show me the response of a GET "/identity/api/tenants/tenantId/directories" from your lab?

Thanks a lot,

D.

GrantOrchardVMw
Commander

Have a crack at this...

Follow Alex's steps but use the following for the directory PUT:

https://vra.lab.local/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/f015824c-c8bb-4b7... (the UUID value can be retrieved by clicking on the directory in the config page and looking at the URL that comes up).

Obviously use your FQDN.

Grant

GrantOrchardVMw
Commander

Also, a GET against that URL (minus the UUID) brings back this:

{
  "items": [
    {
      "type": "ACTIVE_DIRECTORY_LDAP",
      "name": "melb.vmware.local",
      "directoryId": "f015824c-c8bb-4b75-9a2b-2d9c75f856cd",
      "userstoreId": "8b28f7e3-b420-4ecb-aec6-dc0f3ab8076b",
      "countDomains": 1,
      "deleteInProgress": false,
      "syncConfigurationEnabled": true,
      "_links": {
        "hw-sync": {"href": "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/f015824c-c8bb-4b75-9a2b-2d9c75f856cd/syncprofile/sync"},
        "hw-dir-sync-executions": {"href": "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/f015824c-c8bb-4b75-9a2b-2d9c75f856cd/syncexecutions"},
        "self": {"href": "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs/f015824c-c8bb-4b75-9a2b-2d9c75f856cd"}
      }
    }
  ],
  "_links": {"self": {"href": "/SAAS/jersey/manager/api/connectormanagement/directoryconfigs"}}
}

Grant

Alexander_Dimi1
Hot Shot

Hi,

Here is the response from my lab:

GET https://vcac/identity/api/tenants/dev/directories

Headers

Authorization:Bearer XXXX
Accept:application/json

{
  "links": [],
  "content": [
    {
      "@type": "IdentityStore",
      "domain": "mydomain.local",
      "name": "ESO AD",
      "description": "ESO AD",
      "alias": "",
      "type": "AD",
      "userNameDn": "cn=demoadmin,ou=demo,dc=mydomain,dc=local",
      "password": null,
      "url": "ldap://10.141.66.89:389",
      "groupBaseSearchDn": "ou=demo,dc=mydomain,dc=local",
      "userBaseSearchDn": "ou=demo,dc=mydomain,dc=local",
      "subdomains": [],
      "groupBaseSearchDns": [
        "ou=demo,dc=mydomain,dc=local"
      ],
      "userBaseSearchDns": [
        "ou=demo,dc=mydomain,dc=local"
      ],
      "domainAdminUsername": null,
      "domainAdminPassword": null,
      "certificate": null,
      "trustAll": true,
      "useGlobalCatalog": false,
      "new": false
    }
  ],
  "metadata": {
    "size": 20,
    "totalElements": 1,
    "totalPages": 1,
    "number": 1,
    "offset": 0
  }
}

So it is working and it would be helpful to understand why it doesn't work in your lab.

If there is not much useful information in catalina.out, I would check /var/log/vmware/horizon/access_log.txt to see which call to vIDM has failed.

Then I would dig into /var/log/vmware/horizon/horizon.log or /var/log/vmware/horizon/connector.log

The full bundle is best since the research could span other files as well.

I wouldn't recommend going directly to the vIDM API since:

1. I couldn't find any documentation about it.

2. It is an internally used API that can change from version to version

3. Uses internal directory IDs (UUIDs)

Despite that, if you want to get an OAuth2 token and go directly to the vIDM sync API, you should do the following:

POST https://{vra}/SAAS/t/{tenant_name}/auth/oauthtoken?grant_type=password

Headers:

Accept:application/json

Content-Type:application/x-www-form-urlencoded

username={username}&password={password}&client_id={client_id}&domain={userdomain}

where the client_id can be retrieved from /etc/vcac/solution-user.properties under the key: cafe_cli

Hope this helps.

bdamian
Expert

Hi Alexander,

What you said about getting an OAuth2 token is what I was looking for as a workaround. I'm working now on how to do all the needed stuff because every call asks for different headers and cookies. I will reply to this discussion with the steps when I finish. THANKS a lot for that; it was impossible for me to figure this out.

But concerning the API call https://vcac/identity/api/tenants/tenantId/directories, it's still not working in my vRA7 lab, but, in my vRA6 lab (using SSO) I get this response:

{
  "links": [],
  "content": [
    {
      "@type": "IdentityStore",
      "domain": "mydomain.local",
      "name": "AD Wetcom",
      "description": null,
      "alias": null,
      "type": "AD",
      "userNameDn": "CN=demoadmin,OU=applications,DC=mydomain,DC=local",
      "password": null,
      "url": "ldap://wetcom.net:389",
      "groupBaseSearchDn": "DC=mydomain,DC=local",
      "userBaseSearchDn": "DC=mydomain,DC=local",
      "new": false
    }
  ],
  "metadata": {
    "size": 20,
    "totalElements": 1,
    "totalPages": 1,
    "number": 1,
    "offset": 0
  }
}

Which is almost the same as what you showed me. This makes me wonder if your lab doesn't have SSO configured...

Thanks a lot! Hopefully I will be posting the results today to keep it documented.

D.

Alexander_Dimi1
Hot Shot

My env is with the embedded vIDM.

Another way to try this is to deploy a new vRA 7.0, don't add any directory, just add a local user, get a token for him and call list directories API.

It should give you an empty list but no error.

If this is the case it might be some problem with the directory configuration you have, but without the logs those are just speculations.

bdamian
Expert

Hi Alexander,

I have all calls solved, but I have problems with the authentication. I'm using vRO to make the tests.

If I call to https://vra07/SAAS/t/{tenantId}/auth/oauthtoken?grant_type=password I get a response like the following:

{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.{I cut a part}uQLi4ASaJiuCREAEYg2dvfeAZ91HZB4leZYl9_18Hs7vRDw6457O2nXFlgGU",
  "token_type": "Bearer",
  "expires_in": 28799,
  "scope": "user"
}

Then I'm doing the following REST call:

GET https://vra07/SAAS/jersey/manager/api/connectormanagement/directoryconfigs

Header 1: Accept = application/vnd.vmware.horizon.manager.connector.management.directory.list+json

Header 2: Authorization = Bearer + access_token

If I use the access_token from the previous request, I get this error

{
  "errors": [
    {
      "code": "FORBIDDEN",
      "message": "User is not authorized to perform the task.",
      "parameters": null
    }
  ]
}

But, if I log in to the vRA console with the same user and password and use the value of the HZN cookie in the Authorization header, then the API call works perfectly.

I can't understand the difference.

Any ideas?

Thanks a lot,

D.

bdamian
Expert

As an update, I found the following.

I've seen that the vRA7 portal, to log in, redirects the user to a URL which has "client_id=csp-admin-V5eAOfh03w". This client_id is also in the solution-users.properties file. But if I use this client_id, the API gives me the following error:

{
  "error": "invalid_client",
  "error_description": "Client secret is required but not provided."
}

The Client secret is also in the solution-users.properties file, but if I update the request with "&client_secret=xxxxxx", the API keeps telling me that "Client secret is required but not provided."

Dead end for now. Need your help in order to do this. As I said before, I can do all the request needed to sync the Directory, but I can't obtain a "token" with access rights.

D.

GrantOrchardVMw
Commander

As an update to this, I'm successfully getting the required responses back. I think I was using the administrator@vsphere.local account yesterday which is a bad habit I got into with 6.2.

Using a tenant admin account is giving me the behaviour that I was expecting.

{
  "domain": "lab.local",
  "name": "lab.local",
  "description": "lab.local",
  "alias": "",
  "type": "NATIVE_AD",
  "userNameDn": "svc_vra@lab.local",
  "password": null,
  "url": null,
  "groupBaseSearchDn": "cn=users,dc=lab,dc=local",
  "userBaseSearchDn": "cn=users,dc=lab,dc=local",
  "subdomains": [],
  "groupBaseSearchDns": [
    "cn=users,dc=lab,dc=local"
  ],
  "userBaseSearchDns": [
    "cn=users,dc=lab,dc=local"
  ],
  "domainAdminUsername": "administrator",
  "domainAdminPassword": null,
  "certificate": null,
  "trustAll": true,
  "useGlobalCatalog": false,
  "new": false
}

The thing about this is that you need to pass back all of the relevant information in the PUT which has been nulled.

Still working on it...

Grant

CFormage
Enthusiast

Hi Alexander,

The PUT is not accepting the JSON payload given from the GET.

This is because the PUT is expecting the field keys to be in a different case to what they are sent as in the GET payload.

Also, the password field is mandatory and I don't think it should be mandatory just to trigger a directory sync, especially since it's not given in the GET request but it is mandatory in the PUT.

For example GET gives "Username" : "admin"

If I take that directly and use it in the PUT I will get an error like "Username is a mandatory field:"

If I modify the PUT payload so its "username" :"admin" then it works.

There are a few fields that have this problem and I have not seen such behavior before; it sounds unhealthy. This is in 7.0.1. Do you know if that is fixed in the future?

Blog: www.dcinfrastructure.blogspot.com
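An added example (my own code, not from this thread or from VMware) that walks Alexander's four steps end to end against the vRA identity API and rebuilds the PUT payload the way Grant's and CFormage's posts require: the secrets the GET nulled out are passed back in, and keys that come back capitalised ("Username") are re-cased to lowerCamel. Assumptions: the token endpoint sits under the same /identity prefix as the directories call, the transport is a swappable callable (urllib here; a recording fake for offline tests), and COMPLETED is the only sync status handled specially because it is the only one shown in the thread.

```python
import json
import time
import urllib.error
import urllib.request

def urllib_send(method, url, headers, body=None):
    """Real transport: (HTTP status, parsed JSON or None). Assumes the appliance cert is trusted."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)
    except urllib.error.HTTPError as err:  # 4xx/5xx responses still carry a JSON error body
        raw = err.read()
        return err.code, (json.loads(raw) if raw else None)

def get_vra_token(send, host, username, password, tenant):
    """Step 1: tenant-admin token. The /identity prefix is assumed, as in the directories call."""
    status, body = send("POST", f"https://{host}/identity/api/tokens",
                        {"Accept": "application/json", "Content-Type": "application/json"},
                        {"username": username, "password": password, "tenant": tenant})
    if status != 200 or not body or "id" not in body:
        raise RuntimeError(f"token request failed: {status} {body}")
    return body["id"]  # a vRA token, not an OAuth2 token: usable for vRA API calls only

def prepare_put_payload(directory, bind_password, domain_admin_password=None):
    """Rebuild the GET body for the PUT: re-case keys the 7.0.1 PUT rejects ("Username" ->
    "username") and pass back the secrets the GET returned as null."""
    payload = {(k[0].lower() + k[1:] if k[:1].isupper() else k): v for k, v in directory.items()}
    payload["password"] = bind_password
    if payload.get("domainAdminUsername") and domain_admin_password is not None:
        payload["domainAdminPassword"] = domain_admin_password
    return payload

def trigger_directory_sync(send, host, token, tenant, domain, bind_password,
                           domain_admin_password=None, poll_seconds=10, max_polls=30, sleep=time.sleep):
    """Steps 2-4: GET the directory, PUT it back unchanged, poll /status until COMPLETED."""
    base = f"https://{host}/identity/api/tenants/{tenant}/directories/{domain}"
    hdrs = {"Authorization": f"Bearer {token}", "Accept": "application/json",
            "Content-Type": "application/json"}
    status, directory = send("GET", base, hdrs)
    if status != 200 or not directory:  # the 90132 "SSO server" error body surfaces here
        raise RuntimeError(f"GET directory failed: {status} {directory}")
    payload = prepare_put_payload(directory, bind_password, domain_admin_password)
    status, body = send("PUT", base, hdrs, payload)
    if status not in (200, 201, 204):
        raise RuntimeError(f"PUT directory failed: {status} {body}")
    last = {}
    for _ in range(max_polls):  # the PUT returns before the async sync has finished
        status, body = send("GET", base + "/status", hdrs)
        last = (body or {}).get("syncStatus") or {}
        if last.get("status") == "COMPLETED":
            return last
        sleep(poll_seconds)
    raise TimeoutError(f"sync not completed after {max_polls} polls, last status: {last}")
```

Call `trigger_directory_sync(urllib_send, ...)` with a tenant-admin token for a live appliance; the bind password never appears in the GET response, so it has to come from a secret store on the caller's side.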
Tocano
Enthusiast

This is kind of ridiculous. It's been a year and I've just spent multiple days still fighting this same issue running into exactly the same problems as the other posters.

Is it that difficult to just add a:

GET https://{vraHost}/api/tenants/{tenantId}/directories/{id}/sync

That executes the 'Sync Now' function on the directory indicated?

That would seem to avoid the problems with trying to perform a PUT on the directory to "auto trigger" the sync, as well as discourage the use of the internal vIDM API to try to work around this limitation.
