VMware Cloud Community
madmanc
Enthusiast

[500] SSO error: Unable to initialize, java.io.IOException: extra data given to DerValue constructor

I am using the VCSA and running the latest 6.0.0b release.

Has anyone come across the following server error? This happens after switching the vCenter to a load-balanced PSC (behind a NetScaler).

I have rebuilt the environment several times with the same error. However it did work several weeks ago.

I have followed multiple online walkthroughs, so I know nothing has been missed (I hope).

From the logs, the best I could find is the following:

CIS DS service failed to retrieve the SSO trusted certificates. Please, check the log and see if the SsoService has initialized successfully and whether it crashed while fetching the certificates.] with root cause com.vmware.cis.data.service.exception.ServiceInitializationException:

I am not 100% sure how to verify the SsoService.

Pointing it back to a single PSC does seem to "resolve" the issue. As I said earlier attempts at load-balancing have worked...

Any feedback is greatly appreciated.

0 Kudos
6 Replies
JeffStahl78
Contributor

I ran into the exact same error originally with the GM 6.0 (also behind NetScaler).  The problem ended up being a bug in the PSC that added multiple certificates to the vmwLKUPEndpointsSslTrust entries on the Endpoint registrations.  VMware had an internal KB article on it and I was able to manually hack out the extra certs.  It was rather painful but successful. 

I've since upgraded my PSCs and VC to 6.0U1 and I'm now getting the exact same error all over again.  Unfortunately the solution is not the same.  I've currently got a Sev 2 ticket open to VMware right now on the issue.  They're researching the issue, but I'll gladly share the solution once we resolve the issue. 

0 Kudos
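The failure named in the thread title, as an added example that is not part of any poster's text or of VMware's KB: Java's DER decoder raises "extra data given to DerValue constructor" when a buffer holds more bytes than the one encoded value it expects. The sketch below assumes the extra certificates end up concatenated in a single trust value that has already been exported and decoded to raw bytes (the thread does not say how they are stored); the function names are hypothetical and the sample inputs are constructed SEQUENCEs, not real certificates.

```python
def read_tlv(blob: bytes, offset: int) -> int:
    """Return the total size (header + body) of the DER value at offset."""
    if offset + 2 > len(blob):
        raise ValueError(f"truncated header at offset {offset}")
    first = blob[offset + 1]              # single-byte tag assumed (SEQUENCE = 0x30)
    if first < 0x80:                      # short form: length fits in 7 bits
        header, length = 2, first
    elif first == 0x80:
        raise ValueError("indefinite length is not valid DER")
    else:                                 # long form: next n bytes hold the length
        n = first & 0x7F
        if offset + 2 + n > len(blob):
            raise ValueError(f"truncated length at offset {offset}")
        header = 2 + n
        length = int.from_bytes(blob[offset + 2:offset + 2 + n], "big")
    if offset + header + length > len(blob):
        raise ValueError(f"value at offset {offset} runs past end of data")
    return header + length


def split_der(blob: bytes) -> list[bytes]:
    """Split a buffer into its consecutive top-level DER values."""
    values, offset = [], 0
    while offset < len(blob):
        size = read_tlv(blob, offset)
        values.append(blob[offset:offset + size])
        offset += size
    return values


def extra_bytes(blob: bytes) -> int:
    """Bytes left over after the first DER value; non-zero is the failing case."""
    return len(blob) - read_tlv(blob, 0)


def fake_cert(body_len: int) -> bytes:
    """Constructed stand-in: a SEQUENCE of zero bytes, not a real certificate."""
    if body_len < 0x80:
        return bytes([0x30, body_len]) + bytes(body_len)
    n = (body_len.bit_length() + 7) // 8
    return bytes([0x30, 0x80 | n]) + body_len.to_bytes(n, "big") + bytes(body_len)


if __name__ == "__main__":
    single = fake_cert(300)
    doubled = fake_cert(300) + fake_cert(40)
    for name, value in (("single", single), ("doubled", doubled)):
        print(name, len(split_der(value)), "value(s),", extra_bytes(value), "extra byte(s)")
```

A value that reports more than one top-level element, or any extra bytes, is the kind of entry a strict single-value DER decoder rejects.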
simonkf
Contributor

Same issue but this time with an F5. Any progress?

Thanks

0 Kudos
jwininger
Enthusiast

Same issue with Netscaler...one site works but the other doesn't.  Can't find any differences in load balancer configs.

0 Kudos
madmanc
Enthusiast

Interesting to see that others have had issues. I am still running a single PSC at this time.

I did open a support ticket with VMware and they stated this should have been fixed in update 1 - it did not for me.
I haven't done any further testing since then but will provide feedback if/when we look at this again.

James

0 Kudos
jasoncain_22
Enthusiast

I have the same issue when I access vCenter with various web browsers. I have worked with VMware support most of the weekend and am awaiting the results of the generated bundles I uploaded to the ticket.

Nothing had changed in the environment (from a VMware perspective) and when I logged in I ran into the same SSO error.

Only difference from you guys that posted: My PSCs are behind an F5 and my vCenters run on Windows.

I was running vSphere 6.0 (GA) and updated everything to 6Update1b as a possible fix. This did not work.

We also looked for the Endpoints with too many certificates but the endpoints could not be found. I will update with any solutions once I get something.

0 Kudos
jasoncain_22
Enthusiast

Update to my last post:

I am back up and running after using the internal KB to modify the Endpoints in the SSO domain. Did the search from a vCenter server after I connected to a PSC. (internal KB for this process)

I worked with the VMware engineer to modify the extraneous information listed for each cs.identity Endpoint.

Restarted vCenters and waited for about 10-15 minutes until the replication between PSCs had caught up, and then I was able to log in via the web client.

0 Kudos