Dears,
Not sure if my requirement is supported. My environment has 2 separate VCSA 6 (vcsa-01 and vcsa-02, no enhanced link mode).
Now I deployed vRO 7.0:
* use vcsa-01 as authentication provider
* add vcsa-01 instance to vRO
* register vRO to vcsa-01 as extension
Everything works OK. Then I wanted vRO to also be able to orchestrate vcsa-02, so I added the vcsa-02 instance to vRO. That also works without issue. Next I wanted vRO workflows to also be launchable from vcsa-02's web client, so I tried to register vRO to vcsa-02 as an extension.
The register workflow finished without error, and I can also see the vRO UI (vRO Servers, Workflows, Scheduled workflows, Wait for interaction, etc.) from the vcsa-02 web client. But there are 0 entries under "Orchestrator servers". In vcsa-02's log file (/var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log), I can see some 500 internal server errors:
[2016-10-20T02:05:35.985Z] [WARN ] data-service-pool-219 70000104 100006 200001 com.vmware.vco.session.impl.VcoServiceFactoryImpl Error creating vCO service on [Configuration [servicePath=/vco/api/, vcoServiceUri=https://10.10.10.10:8281, serviceGuid=55d25bc9-0916-48cf-a5f9-54fdb1d07abf]] org.springframework.web.client.HttpServerErrorException: 500 Internal Server Error
at org.springframework.web.client.DefaultResponseErrorHandler.handleError(DefaultResponseErrorHandler.java:92)
at org.springframework.web.client.RestTemplate.handleResponseError(RestTemplate.java:494)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:451)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:409)
at org.springframework.web.client.RestTemplate.getForEntity(RestTemplate.java:229)
at com.vmware.vco.session.impl.VcoServiceFactoryImpl.authenticateVco(VcoServiceFactoryImpl.java:115)
at com.vmware.vco.session.impl.VcoServiceFactoryImpl.access$000(VcoServiceFactoryImpl.java:44)
at com.vmware.vco.session.impl.VcoServiceFactoryImpl$1.doCall(VcoServiceFactoryImpl.java:100)
at com.vmware.vco.session.impl.VcoServiceFactoryImpl$1.doCall(VcoServiceFactoryImpl.java:95)
at com.vmware.vco.adapter.concurrent.VcoServiceTask.call(VcoServiceTask.java:37)
at com.vmware.vco.adapter.concurrent.VcoExecutorService.executeAndWaitForAnyWithTimeout(VcoExecutorService.java:80)
at com.vmware.vco.session.impl.VcoServiceFactoryImpl.createVcoServices(VcoServiceFactoryImpl.java:109)
at com.vmware.vco.session.impl.VcoServiceFactoryImpl.checkVcoServicesFor(VcoServiceFactoryImpl.java:217)
at com.vmware.vco.session.impl.VcoSessionFactoryImpl.lookupVcoSession(VcoSessionFactoryImpl.java:240)
at com.vmware.vco.session.impl.VcoSessionFactoryImpl.getVcoServicesForVc(VcoSessionFactoryImpl.java:221)
at com.vmware.vco.session.impl.VcoSessionFactoryImpl.getVcoServices(VcoSessionFactoryImpl.java:94)
at com.vmware.vco.adapter.dataservice.RootVcoNodePropertyProvider$1.call(RootVcoNodePropertyProvider.java:61)
at com.vmware.vco.adapter.dataservice.RootVcoNodePropertyProvider$1.call(RootVcoNodePropertyProvider.java:55)
at com.vmware.vco.adapter.util.PropertyProviderUtil.fetchProperty(PropertyProviderUtil.java:16)
at com.vmware.vco.adapter.dataservice.RootVcoNodePropertyProvider.getOwnAdminRights(RootVcoNodePropertyProvider.java:55)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at com.vmware.vise.data.query.impl.ServicePropertyProviderAdapter.invokeMethod(ServicePropertyProviderAdapter.java:285)
at com.vmware.vise.data.query.impl.ServicePropertyProviderAdapter.getProperties(ServicePropertyProviderAdapter.java:127)
at com.vmware.vise.data.query.impl.DataManager.getDataFromPropertyProvider(DataManager.java:1403)
at com.vmware.vise.data.query.impl.DataManager.getResultFromPropertyProvider(DataManager.java:1375)
at com.vmware.vise.data.query.impl.DataManager.access$000(DataManager.java:79)
at com.vmware.vise.data.query.impl.DataManager$1.call(DataManager.java:884)
at com.vmware.vise.data.query.impl.DataManager$1.call(DataManager.java:880)
at com.vmware.vise.util.concurrent.ExecutorUtil$3.call(ExecutorUtil.java:630)
at com.vmware.vise.util.concurrent.ExecutorUtil$ThreadContextPropagatingCallable.call(ExecutorUtil.java:984)
at java.util.concurrent.FutureTask.run(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
I also tried with enhanced link mode in my lab, but got the same result. Does anyone have experience in this kind of deployment?
Hi,
Could you also check the vRO logs around the same time (/var/log/vco/app-server/server.log)? There should be some errors/exceptions corresponding to the 500 internal server error you see on the vcsa side.
To your question - yes, vRO can register as extension to multiple vCenters. The problem can appear later, as you already discovered.
So, when you log in to vcsa-02's web client, it sees the extension and tries to connect to the vRO server the extension is pointing at. The connection is established by calling the vRO REST API, and authenticated by passing a SAML token acquired on behalf of the user you used to log in to the vcsa-02 web client.
Next, when the REST API call reaches the vRO server, it fetches the passed SAML token and tries to validate it against the authentication provider vRO is configured with, in your case vcsa-01's SSO server. So a SAML token issued by vcsa-02's SSO is sent for validation to vcsa-01's SSO server. This validation could either succeed or fail, depending on the trust established between these 2 SSO servers.
There should be some documentation, or KB articles, describing how a group of 2 or more SSO servers can be configured in such a way that they trust SAML tokens issued by the other servers in the group (for example, the set of token signing certificates should be identical on all the servers). Unfortunately, at the moment I don't have a link to such documentation.
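As an added illustration (not part of Ilian's reply and not VMware code), the following stand-alone Python models the key-selection step described above: the validator takes the certificate named in the token's ds:KeyInfo and looks it up in its set of trusted STS signing certificates; a token from an STS whose certificate is not in that set is rejected before any signature is even checked. The certificates, issuer id and token skeleton are constructed stand-ins, and the signature value itself is not verified here.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


class NoValidationKey(Exception):
    """KeyInfo names a certificate that is not in the validator's trusted set."""


def fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER bytes, the usual index into a trust store."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def select_validation_key(token_xml: str, trusted: set) -> str:
    """Model of the key-selection step only: the signature bytes are not
    checked, because in the failing case that step is never reached."""
    root = ET.fromstring(token_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    cert = root.findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None:
        raise NoValidationKey(f"token from {issuer} has no X509Certificate in KeyInfo")
    fp = fingerprint(cert)
    if fp not in trusted:
        raise NoValidationKey(
            f"keyselector did not find a validation key for issuer {issuer} ({fp[:16]}...)")
    return fp


def token_accepted(token_xml: str, trusted: set) -> bool:
    try:
        select_validation_key(token_xml, trusted)
        return True
    except NoValidationKey:
        return False


def make_token(issuer: str, cert_b64: str) -> str:
    """Constructed, minimal SAML 2.0 assertion skeleton (no real signature)."""
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_1">'
            f"<saml:Issuer>{issuer}</saml:Issuer><ds:Signature><ds:SignedInfo/>"
            "<ds:SignatureValue>AAAA</ds:SignatureValue><ds:KeyInfo><ds:X509Data>"
            f"<ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data>"
            "</ds:KeyInfo></ds:Signature></saml:Assertion>")


# Constructed stand-ins for the two STS signing certificates (not real DER).
VCSA01_CERT = base64.b64encode(b"stand-in DER: vcsa-01 STS signing cert").decode()
VCSA02_CERT = base64.b64encode(b"stand-in DER: vcsa-02 STS signing cert").decode()
TOKEN_FROM_VCSA02 = make_token("urn:constructed:vcsa-02-sts", VCSA02_CERT)
```

A vRO that trusts only vcsa-01's certificate rejects TOKEN_FROM_VCSA02; adding vcsa-02's certificate to the trusted set is what makes the same token pass the key-selection step.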
Hi Ilian Iliev,
Thanks a lot for your information! It looks like you gave the correct direction. When I look into the vRO side log, I can see the SAML token validation failed.
But it confuses me a bit:
* enhanced link mode is used this time, both vcsas belong to the same SSO domain (vsphere.local)
* I am accessing web client with the sso domain administrator (administrator@vsphere.local), and I also set "vsphere.local/Administrators" as vRO's admin group
* time is synchronized
Even in this case, these 2 sso servers still do not trust each other?
/var/log/vco/app-server/server.log:
2016-10-25 10:49:07.342+0800 [http-nio-0.0.0.0-8281-exec-10] ERROR {} [[restServlet]] Servlet.service() for servlet [restServlet] in context with path [/vco] threw exception
com.vmware.vcac.authentication.http.SamlAuthenticationException: Signature validation failed
at com.vmware.vcac.authentication.http.SamlTokenExtractor.extractToken(SamlTokenExtractor.java:144)
at com.vmware.vcac.authentication.http.SamlTokenExtractor.extractToken(SamlTokenExtractor.java:36)
at com.vmware.o11n.security.auth.http.BaseTokenAuthenticationSupport.convertToObject(BaseTokenAuthenticationSupport.java:39)
at com.vmware.o11n.security.auth.http.BaseTokenAuthenticationSupport.extractToken(BaseTokenAuthenticationSupport.java:31)
at com.vmware.o11n.security.auth.sso.SamlTokenAuthenticationSupport.extractToken(SamlTokenAuthenticationSupport.java:66)
at com.vmware.o11n.security.auth.http.TokenAuthenticationSupportProxy.extractToken(TokenAuthenticationSupportProxy.java:30)
at com.vmware.o11n.web.auth.http.TokenAuthenticationFilter.doFilter(TokenAuthenticationFilter.java:63)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:152)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:121)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.vmware.o11n.json.DefaultJsonVersionHeaderFilter.doFilter(DefaultJsonVersionHeaderFilter.java:95)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.vmware.o11n.web.cluster.RestActiveNodeFilter.doFilter(RestActiveNodeFilter.java:63)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:614)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:676)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.vmware.vim.sso.client.exception.MalformedTokenException: Signature validation failed
at com.vmware.identity.token.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:659)
at com.vmware.identity.token.impl.SamlTokenImpl.validate(SamlTokenImpl.java:535)
at com.vmware.vim.sso.client.DefaultTokenFactory.parseToken(DefaultTokenFactory.java:46)
at com.vmware.vcac.authentication.http.SamlTokenExtractor.tryParseToken(SamlTokenExtractor.java:187)
at com.vmware.vcac.authentication.http.SamlTokenExtractor.tryParseToken(SamlTokenExtractor.java:193)
at com.vmware.vcac.authentication.http.SamlTokenExtractor.extractToken(SamlTokenExtractor.java:140)
... 56 more
Caused by: javax.xml.crypto.dsig.XMLSignatureException: the keyselector did not find a validation key
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature$DOMSignatureValue.validate(DOMXMLSignature.java:561)
at org.jcp.xml.dsig.internal.dom.DOMXMLSignature.validate(DOMXMLSignature.java:265)
at com.vmware.identity.token.impl.SamlTokenImpl.validateSignature(SamlTokenImpl.java:653)
... 61 more