VMware Cloud Community
pfuhli
Enthusiast

could not connect to management server

Hello,

We are testing BDE 1.0 beta with vSphere 5.5 beta2 and encountered the following problem after a successful installation and web client registration:

Displayed error dialogue: Could not connect to vSphere Web Client. Contact your administrator to fix this issue.

We also can't connect from vCenter BDE plugin to Serengeti management server to register the management server with BDE.

We are in an environment where http(s) communication is allowed only through a proxy. Could that raise this issue?

Regards,

daniel

21 Replies
pfuhli
Enthusiast

I tried all suggestions from "Cannot connect to Serengeti Server" but I'm still not able to register the Serengeti Management Server with vCenter.

See attached Screenshot.

Capture.PNG

Is vCenter Server "localhost" pointing to a problem? Should there be the FQDN of the vcenter server?

We use the appliance.

gguanglu
VMware Employee

How are the IPs acquired for VC server and BDE management server? Static or DHCP?

Could you ping both from each other?

admin
Immortal

The error shows that the web client encounters a connection issue when querying the information from the VM. Can you verify whether you get the same error when viewing the VM detail information in the web client?

Could you provide the vSphere web client log so that we can trace the root cause of this issue? If you use the VCVA, the log location is /usr/lib/vmware-vsphere-client/server/serviceability/logs/vsphere_client_virgo.log

pfuhli
Enthusiast

Both are statically assigned addresses.

Can ping from Serengeti console to VCVA and also from VCVA to Serengeti.

Message edited by Daniel Pfuhl

pfuhli
Enthusiast

If I hover over the vApp state, the URL is not valid. Any chance to edit that by hand?

vappinfo.png

Found the log file under /storage/log/vmware/vsphere-client/logs/vsphere_client_virgo.log

See it attached.

Best regards,

daniel

pfuhli
Enthusiast

Found that line in vsphere_client_virgo.log

[2013-08-01 16:07:51.714] [ERROR] http-bio-9443-exec-11    o.a.c.core.ContainerBase.[Catalina].[localhost].[/serengeti-ui]   StandardWrapper.Throwable org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document from ServletContext resource [/WEB-INF/spring/bundle-context.xml] is invalid; nested exception is org.xml.sax.SAXParseException; systemId: http://hostnamechangedbydaniel.medizin.uni-leipzig.de/keinproxy.html; lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.

Which is generated when I press the test connection button in the "Connect to a Serengeti Server" dialog.

Where do I find the URL which vCenter is trying to reach with this request? I assume this is a DNS issue because the log line above indicates that our proxy server is involved in the communication. That means that the request cannot be resolved internally so it is routed externally.

Any ideas?

jessehuvmw
Enthusiast

Since you use static IP and the snapshot shows something like http://${vami.ip0.management-server}, does your DNS server have correct forward and reverse FQDN/IP resolution configured? This might reduce some problems.

Cheers, Jesse Hu

pfuhli
Enthusiast

Forward and reverse lookup are both working now but the error stays the same 😕

jessehuvmw
Enthusiast

If forward and reverse lookup were not working before, could you try restarting vCenter Server (and redeploying BDE again) after it works?

Cheers, Jesse Hu

pfuhli
Enthusiast

- VCSA rebooted
- BDE removed and re-installed

but no luck 😞

Maybe it's worth noting: the Serengeti Management Extension Service is not reporting version and status. See attached picture.

jessehuvmw
Enthusiast

Hi Daniel, we're working on resolving your issue. Please wait for our response soon. -Jesse @Serengeti

Cheers, Jesse Hu

pfuhli
Enthusiast

Today we sniffed with Wireshark to track down the issue.

We saw only requests from vCenter to Serengeti Management Server but no answers.

It's furthermore still unclear to us why the vCenter logs indicate that the Firewall/Proxy is serving the "no Proxy configured" page or why a request is getting this direction. We can't see http/https communication between vCenter and the FW or Serengeti Management and the FW.

pfuhli
Enthusiast

Trying to connect via Serengeti CLI via port 8080 I found the following error message in /opt/serengeti/logs/serengeti.log

2013 Aug 06 17:18:21,545+0000 INFO  main| org.springframework.web.servlet.DispatcherServlet: FrameworkServlet 'restapi': initialization completed in 346 ms

2013 Aug 06 17:18:58,083+0000 INFO  http-8080-1| com.vmware.bdd.security.sso.UserAuthenticationProvider: Start to validate by sso authentication.

2013 Aug 06 17:18:59,548+0000 INFO  http-8080-1| com.vmware.vim.sso.client.impl.X509TrustChainKeySelector: Failed to find trusted path to signing certificate <1.2.840.113549.1.9.2=#132a313337353133323137382c66363539396365352c35363464373736313732363532303439366536333265,CN=localhost.localdom,1.2.840.113549.1.9.1=#161b73736c2d63657274696669636174657340766d776172652e636f6d,OU=VMware Single Sign-on,O=VMware\, Inc.,L=Palo Alto,ST=California,C=US>

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
        at com.vmware.vim.sso.client.impl.X509TrustChainKeySelector.verifyTrustedPathExists(X509TrustChainKeySelector.java:176)
        at com.vmware.vim.sso.client.impl.X509TrustChainKeySelector.select(X509TrustChainKeySelector.java:110)
        at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:522)
        at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:254)
[...]

2013 Aug 06 17:18:59,554+0000 ERROR http-8080-1| com.vmware.vim.sso.client.impl.SamlTokenImpl: Signature validation failed

javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key

After the Serengeti rollout I had already successfully executed EnableSSOAuth at the console.

jessehuvmw
Enthusiast

You mentioned that you can ping from Serengeti Management Server to VCVA and also from VCVA to Serengeti. Does the firewall stand between Serengeti Management Server and VCVA? Did you set any proxy for VCVA? It can be found here: https://vcva_ip:5480/#network.Proxy

Cheers, Jesse Hu

pfuhli
Enthusiast

No Firewall between VCSA and Serengeti. Both would need to go through the proxy to reach the internet. So currently I'm wondering why they try to go to the internet at this point?!

I have configured the proxy for VCSA.

I must admit that I changed the hostname of VCSA in an early stage and I have not been able to regenerate all certificates to match the right FQDN. See "vCSA SSL Certificate regeneration not working".

At this point I assume that the problem might come from the broken certificate chain? Could this be possible - I mean are certificates being validated for the communication between VCSA and BDE/Serengeti? Or should the communication between VCSA and BDE/Serengeti also work if certificates won't match the right FQDN hostname?

jessehuvmw
Enthusiast

I think the error you met (routed to proxy server) is more likely related to the proxy. Could you try disabling the proxy for VCSA and restarting it, then try using BDE? I'm not sure the FQDN matters, let's disable the proxy first and then see what error you get.

Cheers, Jesse Hu

pfuhli
Enthusiast

Hi Jesse,

the error stays the same 😕

Regards

daniel

jessehuvmw
Enthusiast

So the proxy setting is not the root cause in your env. As you mentioned "I must admit that I changed the hostname of VCSA in an early stage and I have not been able to regenerate all certificates to match the right FQDN", is it possible to reinstall a brand new VCSA with the correct FQDN?

Cheers, Jesse Hu

pfuhli
Enthusiast

Decided to redeploy a new VCVA with the latest SSO refresh code.

After that I was able to connect VCVA with Serengeti Management Server.

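A small triage script for the two log signatures quoted in this thread (the SAXParseException with a remote systemId in vsphere_client_virgo.log and the untrusted SSO signing certificate in serengeti.log), added here as an example; it was not posted by any participant and is not VMware code. The sample lines are constructed and shortened, proxy.example.test and vcsa.example.test are placeholder hostnames, and comparing the signer's CN with the expected vCenter FQDN is an assumption of the example.

```python
import re
from urllib.parse import urlsplit

# Signatures taken from the two log excerpts quoted in the thread.
SAX_RE = re.compile(r"SAXParseException; systemId: (\S+); lineNumber: (\d+); "
                    r"columnNumber: (\d+)")
TRUST_RE = re.compile(r"Failed to find trusted path to signing certificate <(.+)>")
CN_RE = re.compile(r"(?:^|,)CN=((?:\\.|[^,\\])+)")


def triage(lines, expected_fqdn):
    """Return (line_no, finding, detail) tuples for the two failure signatures."""
    findings = []
    for no, line in enumerate(lines, 1):
        sax = SAX_RE.search(line)
        if sax:
            url = urlsplit(sax.group(1))
            # A remote systemId failing at 1:1 means the body fetched over
            # HTTP was not XML at all (for example an HTML error page).
            if url.scheme in ("http", "https") and sax.group(2, 3) == ("1", "1"):
                findings.append((no, "non_xml_response", (url.hostname or "") + url.path))
        trust = TRUST_RE.search(line)
        if trust:
            cn = CN_RE.search(trust.group(1))
            name = cn.group(1) if cn else ""
            # Assumption of this example: the signer's CN should be the FQDN.
            match = name.lower() == expected_fqdn.lower()
            kind = "untrusted_signer" if match else "untrusted_signer_cn_mismatch"
            findings.append((no, kind, name))
    return findings


# Constructed sample lines, shortened from the shape of the thread's excerpts.
SAMPLE = [
    "[2013-08-01 16:07:51.714] [ERROR] http-bio-9443-exec-11 ... nested exception is "
    "org.xml.sax.SAXParseException; systemId: http://proxy.example.test/noproxy.html; "
    "lineNumber: 1; columnNumber: 1; Content is not allowed in prolog.",
    "2013 Aug 06 17:18:58,083+0000 INFO  http-8080-1| ... Start to validate by sso authentication.",
    "2013 Aug 06 17:18:59,548+0000 INFO  http-8080-1| ...X509TrustChainKeySelector: "
    "Failed to find trusted path to signing certificate "
    "<CN=localhost.localdom,OU=VMware Single Sign-on,O=VMware\\, Inc.,C=US>",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE, "vcsa.example.test"):
        print(finding)
```

The first finding names the host whose response the XML parser received instead of XML; the second reports the CN of the signing certificate that could not be chained to a trusted root.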